Which of the following techniques would MOST likely improve the resilience of the enterprise to attack on cryptographic implementation?

An enterprise with global sites processes and exchanges highly sensitive information that is protected under several countries’ arms trafficking laws. There is new information that malicious nation-state-sponsored activities are targeting the use of encryption between the geographically disparate sites. The organization currently employs ECDSA and ECDH with P-384, SHA-384, and AES-256-GCM on VPNs between sites.
Which of the following techniques would MOST likely improve the resilience of the enterprise to attack on cryptographic implementation?
A. Add a second-layer VPN from a different vendor between sites.
B. Upgrade the cipher suite to use an authenticated AES mode of operation.
C. Use a stronger elliptic curve cryptography algorithm.
D. Implement an IDS with sensors inside (clear-text) and outside (cipher-text) of each tunnel between sites.
E. Ensure cryptography modules are kept up to date from vendor supplying them.

9 thoughts on “Which of the following techniques would MOST likely improve the resilience of the enterprise to attack on cryptographic implementation?”

  1. My choice: A.

    I don’t like this question. Anyway, according to this website, benefits with double-VPN would offer resiliency, as described in the article: https://www.comparitech.com/blog/vpn-privacy/double-vpn/. Next, NIST recommends ECDSA and ECDH with 384-bit keys, exactly what we have listed in the question, so that eliminates C – again, in my opinion. All other options seem like nonsense anyway.

  2. A…..
    Double VPN also adds double encryption.
    The second VPN is from a different vendor….redundancy
    If the first vendor is compromised…
    Second one is hopefully still secure

  3. Answer is A. Add a second-layer VPN
    A. Add a second-layer VPN from a different vendor between sites. (Yes, double VPN. Data goes from source to VPN1 (ExpressVPN) to VPN2 (HideMyAssVPN) to final destination. If one VPN fails, you use the other one. Don’t necessarily have to use both. You can actually use multiple VPNs.)
    B. Upgrade authenticated AES. (No, what? We are talking about encryption, not authentication.)
    C. Use a stronger elliptic curve cryptography algorithm. (Maybe, yes it adds strength to the VPN, but it offers no redundancy. When it’s hacked, it’s game over.)
    D. Implement an IDS (clear-text)(cipher-text). (No, sounds absurd to put clear-text and encryption in one sentence.)
    E. Update cryptography modules. (No, although this is a good practice, it does not help here.)

    1. The traditional meaning of resiliency is the ability to keep your guts together in the face of adversity (not lose your composure) or recover from a traumatic event.
      In computer networking, we have to think of resiliency as Resilience to failures and deliberate attacks.

      By the way, I failed CASP twice and it cost me $900. I didn’t lose my mind and give up. I press on with reading books, watching CASP videos, doing practice tests, writing comments. If you are struggling like me, don’t give up. We will make it.

      network resilience – the ability to provide and maintain an acceptable service level in the presence of (random or deliberate) failures – One of the ways is to have redundancy.

  4. The answer is AES (b). The question asks “…MOST likely improve the resilience of the enterprise to attack on cryptographic IMPLEMENTATION…”

    1. Well… Scratch that AES-256-GCM is authenticated.

      An IDS would let you know that something is happening, but I don’t know about the outside part. These questions suck.

  5. The question is asking about cryptographic implementation. We know that the encryption algorithms used are not broken. Hence, the hacker will target the implementation by the vendor.

    The question is also asking about improving resiliency. “E” makes no sense in terms of resiliency: if the sole vendor supplying you somehow has a flaw in the implementation, the hackers will exploit it and this will expose all your websites.

    I think we are also looking at defense in depth (Correct me if I’m wrong).

    Hence, the answer should be A.

  6. A second-layer VPN makes no sense to me (I may just not be familiar with that existing). “Ensure cryptography modules are kept up to date from vendor supplying them” answers the question of ‘would MOST likely improve’.

    E
