Exam CAS-004
Question 107

An organization's existing infrastructure includes site-to-site VPNs between datacenters. In the past year, a sophisticated attacker exploited a zero-day vulnerability on the VPN concentrator. Consequently, the Chief Information Security Officer (CISO) is making infrastructure changes to mitigate the risk of service loss should another zero-day exploit be used against the VPN solution.

Which of the following designs would be BEST for the CISO to use?

    Correct Answer: A

    To mitigate the risk of service loss due to a zero-day exploit on the VPN concentrator, the best design is to add a second redundant layer of alternate vendor VPN concentrators. This approach provides both redundancy and diversity in the VPN infrastructure. Using concentrators from different vendors decreases the likelihood that a single zero-day vulnerability will affect both simultaneously, ensuring continuous VPN service even if one vendor’s product is compromised.

Discussion
RevZig67 Option: A

If one VPN concentrator goes down due to a zero-day threat, having a redundant VPN concentrator of a different vendor should keep you going.

Dassler

Agree.

beanbag

The same recon that the attacker did would detect the redundant VPN conc and hit the 2.

Sloananne

Yes, but two zero days on two separate VPN conc is unlikely.

luisch

Nobody says here VPN goes down with the attack.

cyspec

"service loss"

add93

So my deal is that this question is referring to "interruption in service", which makes me think we are talking about an HA solution. However, I don't know in practice of an HA pair with separate vendor products, although I bet you could figure something out with BGP routing with some public-facing routers. That being said, that is a lot to assume outside of the context of this question, and this version of CASP seems to like to talk about containerizing services as well as other cloud services, so D might be the right answer here.

Mr_BuCk3th34D Option: A

Adding a second redundant layer of VPN concentrators from an alternate vendor can provide a level of redundancy and failover protection for the organization's VPN infrastructure. If one VPN concentrator is exploited by an attacker, the other concentrator can continue to provide VPN services to the organization. This can help ensure that the organization's VPN infrastructure remains available and that there is minimal disruption to services.

Alizadeh Option: A

Given the scenario, the BEST design for the Chief Information Security Officer (CISO) to use to mitigate the risk of service loss in case of another zero-day exploit against the VPN solution is to add a second redundant layer of alternate vendor VPN concentrators. Therefore, the correct option is A.

BiteSize Option: A

"infrastructure changes" "should another zero-day exploit be used against the VPN Solution" Having a different vendor means that the zero-day exploit on the first VPN concentrator wouldn't work on the second one. Source: Verifying each answer against Chat GPT, my experience, other test banks, a written book, and weighing in the discussion from all users to create a 100% accurate guide for myself before I take the exam. (It isn't easy because of the time needed, but it is doing my diligence)

Tuno Option: A

Answer A. Two VPNs from different vendors solve the issue. Why is NOT D: “Zero day exploits cannot be detected by conventional means, such as antimalware or IDS/IPS devices, because signatures have not yet been created.” https://logrhythm.com/use-cases/zero-day-exploits/

EZPASS Option: A

A makes the most sense in this question.

kycugu Option: A

A. Adding a second redundant layer of alternate vendor VPN concentrators. This design would provide a fail-safe in case a zero-day exploit is used against the VPN solution, as the alternate vendor VPN concentrators can be used in place of the existing ones if needed. This would reduce the risk of service loss and ensure continuity of service.

ryanzou Option: A

A makes sense to me

[Removed] Option: A

A is the correct answer because an IDS will help you detect zero-day vulnerabilities or odd behaviors, while redundancy does nothing to prevent zero-day attacks. The sophisticated attacker can easily take down the second VPN. You want to learn about the zero-day vulnerability, and an IDS will tell you everything about what just happened.

23169fd Option: A

Redundancy: By adding a redundant layer of VPN concentrators from an alternate vendor, you create a failover solution that can take over if the primary VPN concentrator is compromised.
Diversity: Using a different vendor reduces the likelihood that a single zero-day vulnerability will affect both layers simultaneously, as different vendors' products will have different codebases and potentially different vulnerabilities.
High Availability: This approach ensures high availability of VPN services, as the redundant concentrators can maintain service continuity if the primary concentrators are taken offline for security reasons.

[Removed] Option: D

Sorry, I meant D is the correct answer because an IDS will help you detect zero-day vulnerabilities or odd behaviors, while redundancy does nothing to prevent zero-day attacks. The sophisticated attacker can easily take down the second VPN. You want to learn about the zero-day vulnerability, and an IDS will tell you everything about what just happened.

dangerelchulo Option: D

Tricky question. Although having two VPNs is a better solution, it still does not mitigate the risk of a zero-day exploit. Although having an IDS service in each VPN (can be two VPNs of different vendors) will mitigate the possibility of a zero-day exploit. I officially remember how much I hate taking CompTIA tests.

bigerblue2002 Option: A

I would assume the second VPN would be configured the same and they would take that one down too. Sure the company will be up a little longer, but once the vulnerability is found it will be exploited. I am leaning towards this answer as well, but still see a major issue since it is redundant. IDS would lead to a better understanding but would most likely lead to down time, but a remediation could be derived quickly. Either answer would most likely lead to downtime in my opinion.