Exam CS0-002 topic 1 question 190 discussion

All given answers are corrective controls except D. It's likely the legacy apps can't support solutions A, B, and C, so they still have to use good old passwords.

Keyword LEGACY - Legacy applications were developed long before MFA technology was widely available, so they don’t natively support its implementation in their default authentication process. To integrate MFA into a legacy application, organizations would need to make changes on the application’s code which could cause friction to their operational continuity. It is therefore not considered to be a viable option by most organizations. Moreover, legacy applications typically authenticate to Active Directory over NTLM and Kerberos protocols, which – unlike modern authentication protocols that SaaS and web applications use – also don’t support MFA. This leaves legacy applications without a practical MFA protection option. https://www.silverfort.com/blog/the-mfa-blind-spot-of-legacy-applications/#:~:text=From%20the%20identity%20protection%20aspect,compromised%20credentials%20in%20their%20attacks.

None of the others beat MFA as it includes at least 2 out of 3 controls: Know, Have, Are.

Given the scenario where legacy applications are still in use and password complexity rules are inadequate for the required security posture, the best compensating control among the options provided would be B. Multifactor authentication (MFA). While options A, C, and D (smart cards, biometrics, and increased password-rotation frequency) can contribute to security, multifactor authentication is generally considered a more effective compensating control because it adds an extra layer of protection, making it more challenging for attackers to compromise accounts even if they have obtained passwords.

I see MFA as "making it better", and increasing password rotation frequency as "compensating". So I'm going with D, despite of what ChatGPT says

ChatGBT: MFA.

D is correct

B Multiple forms which can be costly

Why D? The problem is that the password rules themselves are inadequate so what’s the point of rotating bad passwords? and it may even create more risk, as users may simply choose new passwords that are easy to guess or remember, or they may reuse old passwords that they have used in the past. Yes not ‘all’ legacy systems support MFA, but question didn’t hint about this.

B. Multifactor authentication Multifactor authentication (MFA) adds an extra layer of security by requiring users to provide multiple factors of authentication, typically a combination of something they know (password), something they have (smart card or token), or something they are (biometric). By implementing MFA, even if the password complexity rules are inadequate, the additional factor(s) significantly enhance the security posture of the organization

While options like smart cards, biometrics, and increased password-rotation frequency can be effective in improving security, MFA provides the strongest compensating control in this scenario because it can supplement the weaker password complexity rules without requiring a complete overhaul of the authentication system.

B is the best answer here. Legacy apps don’t automatically mean it cannot support mfa. it would depend on the app

CySA+ Cybex Study guide (2nd ed) pg. 131/544, " Compensating controls are additional security measures that you take to address a vulnerability without remediating the underlying issue". On the basis of this they could all be regarded as compensating The best thing do whilst leaving the password issue itself unchanged would be to implement MFA

This is what NIST says about compensating controls. A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system. https://csrc.nist.gov/glossary/term/compensating_security_control#:~:text=Definitions%3A,protection%20for%20an%20information%20system. With that I'd say B.

Increased password-rotation frequency happens to be one of the password complexity rules that are inadequate. we need a compensating to control like MFA

Keyword is compensatory control. Answer is D

D causes more issues