
SY0-601 Exam - Question 9


A report delivered to the Chief Information Security Officer (CISO) shows that some user credentials could be exfiltrated. The report also indicates that users tend to choose the same credentials on different systems and applications. Which of the following policies should the CISO use to prevent someone from using the exfiltrated credentials?

Correct Answer: A

To prevent someone from using exfiltrated credentials, the CISO should implement Multi-Factor Authentication (MFA). While users might choose the same credentials across different systems, MFA provides an additional layer of security beyond just the username and password. Even if an attacker obtains passwords, they would still need the second factor (such as a mobile phone for an OTP, or biometric verification) to gain access. Therefore, implementing MFA would effectively mitigate the risk of unauthorized access using exfiltrated credentials.
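To make the distinction the answer (and the password-history debate in the comments below) turns on concrete, here is an added Python model that is not from the exam page or any vendor: it replays a stolen password against an account under either policy. The account name, password values and the fixed OTP are constructed stand-ins; a real second factor would come from a TOTP secret or a hardware token.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used only so the model never stores a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password, mfa_enabled=False, history_depth=0):
        self.salt = secrets.token_bytes(16)
        self.current = _hash(password, self.salt)
        self.history = []             # hashes of previous passwords (history policy)
        self.history_depth = history_depth
        self.mfa_enabled = mfa_enabled
        self.expected_otp = "492081"  # constructed stand-in for the user's OTP device

    def change_password(self, new_password: str) -> bool:
        """Password history: reject the current password and the last N old ones."""
        new_hash = _hash(new_password, self.salt)
        if self.history_depth and any(hmac.compare_digest(new_hash, h)
                                      for h in [self.current] + self.history):
            return False
        self.history = ([self.current] + self.history)[: self.history_depth]
        self.current = new_hash
        return True

    def login(self, password: str, otp: Optional[str] = None) -> bool:
        """Password check first, then the second factor if MFA is enabled."""
        if not hmac.compare_digest(_hash(password, self.salt), self.current):
            return False
        if self.mfa_enabled:
            return otp is not None and hmac.compare_digest(otp, self.expected_otp)
        return True

def replay_stolen_credential(policy: str) -> dict:
    """Exam scenario: the attacker holds the user's current password but no OTP."""
    acct = Account("Spring2024!", mfa_enabled=(policy == "mfa"),
                   history_depth=(5 if policy == "history" else 0))
    stolen = "Spring2024!"
    result = {"attacker_logs_in": acct.login(stolen)}
    # Password history only has an effect once a password change actually happens.
    acct.change_password("Autumn2024!")
    result["attacker_after_rotation"] = acct.login(stolen)
    result["user_can_revert"] = acct.change_password(stolen)
    return result
```

Under "history" the stolen password works until the user rotates it; under "mfa" it fails from the first attempt, which is the point the question is testing.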

Discussion

17 comments
Ribeiro19 (Option: A)
Aug 30, 2022

It is the only one that obliges you to have more info than a password to log in to the system.

Papee
Oct 21, 2022

Prevent users from using the exfiltrated account. MFA would better secure, not prevent.

Skymaster8182
Oct 29, 2023

You can’t “use” the account if you can’t log into it without the 2nd part of authentication. The problem with this question that I really hate is it leads to 2 different answers because it says prevent use but yet also talks about “policy”. Password History won’t do anything to prevent stolen credentials unless the policy being implemented instantly forces everyone to change their password “right now”; password history normally just means you can’t reuse the same password again after you are forced to change it, be it 30 days or 60 days later. MFA may not be a policy but it instantly prevents the issue of stolen credentials being used to log in after MFA has been enabled. It’s a stupid catch-22 question because MFA would fix the stolen credentials problem instantly. The moment the thieves use the password, a prompt for a token digit (or whatever the 2nd authentication is) will be requested. MFA would definitely prevent.

STODDY69 (Option: D)
Aug 15, 2023

CompTIA Sec+ Objectives 3.7 Account policies:
- Password complexity
- Password history
- Password reuse
- Network location
- Geofencing
- Geotagging
- Geolocation
- Time-based logins
- Access policies
- Account permissions
- Account audits
- Impossible travel time/risky login
- Lockout
- Disablement
2FA is not an account policy, so it has to be D.

JackyCIT (Option: A)
Apr 18, 2024

Answer: MFA "The report also indicates that users tend to choose the same credentials on different systems and applications." Even with password history in place, if users continue to reuse the same password across different systems and applications, it still poses a significant security risk. Implementing MFA would be the best option to mitigate the risk, since it adds an extra layer of authentication beyond just the password.

JustJess
Mar 9, 2024

If you see me pop up with explanations... I use MS Copilot. I have friends who have used it too with CompTIA tests.

crazymonkeh (Option: A)
May 7, 2024

If you read the question carefully, the answer would be obvious. Let's say we use the "password history" in this scenario. That will prevent users from re-using the same passwords, right? Now think about this: the user uses a brand new password, but what's to prevent them from using that same password with the other applications/systems? Don't be mistaken: "re-using a reset password" is not the same as "using a password across systems/apps/websites." Even if the password is changed, it can also be changed on the other platforms just as easily, despite being "new". The answer is obviously: A. MFA

ballum
Jun 5, 2024

The question is what would keep "someone from using the exfiltrated credentials". MFA does not do this. Password history can. MFA obviously is better in real-world application, but password history is the answer to the given question.

Dapsie (Option: A)
May 12, 2024

The key is to understand the question. The report shows two different scenarios, but the question concerns the first scenario, which is preventing the usage of exfiltrated credentials. This has nothing to do with password history. It is how to prevent the password from being used if it is exfiltrated (refer to "could be exfiltrated"). So, the correct choice is MFA.

Drosk5 (Option: A)
Mar 5, 2024

"prevent someone from using the exfiltrated credentials"

ZiareKing (Option: D)
Mar 5, 2024

I think a good way to approach answering this question would be: which would you implement first? (A) MFA or (D) Password history? They're both correct answers. Me, I would remove the threat of the credentials ever being a threat again first: (D) Password history. For an additional layer of protection I would implement (A) MFA... It's (D) Password History for me...

JustJess (Option: A)
Mar 9, 2024

Unless you can choose both A and D. Recommendation: MFA should ideally be implemented before enforcing password history. Start by enabling MFA to enhance security immediately. Then, introduce password history to prevent users from reverting to previously compromised passwords.

AspiringNerd (Option: A)
Apr 16, 2024

MFA is the only answer that adds something other than just the password. Lockout is only applied if the password is wrong. Password history will only matter if you require a password change.

russian (Option: D)
Apr 17, 2024

Honestly it's either one, but I think it's D because you can't use exfiltrated credentials.

thea_smith (Option: A)
Apr 25, 2024

A is the clear choice. Get all questions at [email protected]

shady23 (Option: A)
Apr 25, 2024

A. MFA

Eromons (Option: A)
May 29, 2024

MFA should be enforced

agfencer (Option: A)
Jun 28, 2024

Multi-Factor Authentication (MFA) adds an additional layer of security beyond just the username and password. Even if an attacker obtains user credentials, they would still need the second factor (which could be something the user has, like a mobile phone for an OTP, or something the user is, like a fingerprint) to gain access. This significantly reduces the risk of credential-based attacks.

manyoo77 (Option: A)
Jul 3, 2024

MFA is the correct one!

RainSec (Option: A)
Jul 15, 2024

I was stuck on this one for a while. Implementing password history alone does not force an immediate password change. If it did, then it would clearly be the better option, as MFA is just added security and is and will continue to be bypassed every single day depending on how dedicated the attacker is and how many resources they have. Regardless of how we think password history should be implemented, functionally it's a policy that ONLY prevents the use of previously used passwords, nothing about an immediate password change. MFA has to be the answer.