A security analyst discovers that a company's username and password database was posted on an Internet forum.
The usernames and passwords are stored in plain text.
Which of the following would mitigate the damage done by this type of data exfiltration in the future?
A. Create DLP controls that prevent documents from leaving the network.
B. Implement salting and hashing.
C. Configure the web content filter to block access to the forum.
D. Increase password complexity requirements.
B.
The correct answer to this question is B - Implement salting and hashing.
Explanation:
When a username and password database is posted on the Internet, the attackers have already obtained unauthorized access to the system that stores the credentials. Because the usernames and passwords in this scenario are stored in plain text, the attackers can use them directly, including against the users' accounts on other systems where the same username and password combination is reused.
To mitigate the damage done by this type of data exfiltration in the future, the company should implement salting and hashing. Hashing converts each password into a fixed-length string that cannot be reversed to recover the original password. Salting adds random data, unique to each user, to the password before it is hashed, so two users with the same password end up with different hashes and precomputed hash tables cannot be reused against the whole database.
With salting and hashing in place, an attacker who obtains the password database cannot use the passwords directly. They would need to spend significant time and resources cracking each hashed password individually, which may not be feasible.
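As an added example (not part of the original question or its explanation), this is what the recommended salted hashing looks like in Python's standard library. The choice of PBKDF2-HMAC-SHA256 as a deliberately slow hash, the 16-byte salt and the iteration count are assumptions, not values taken from the page.

```python
# Added example: store salted password hashes instead of plain text.
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters (not from the original text): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per user, and a fixed iteration count.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_user_table(users: Dict[str, str]) -> Dict[str, str]:
    """Turn a {username: plaintext} mapping into {username: salted-hash record}."""
    return {name: hash_password(pw) for name, pw in users.items()}


if __name__ == "__main__":
    # Constructed sample users; two of them share the same password.
    table = build_user_table({"alice": "Winter2024!", "bob": "Winter2024!"})
    for name, record in table.items():
        print(name, record)  # same password, different salts, different hashes
    print(verify_password("Winter2024!", table["alice"]))  # True
    print(verify_password("wrong", table["alice"]))        # False
```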
Option A, creating DLP controls that prevent documents from leaving the network, would not be effective in this scenario because the attackers have already obtained the password database. DLP controls are designed to prevent sensitive data from leaving the network, not to prevent unauthorized access to the data.
Option C, configuring the web content filter to block access to the forum, may prevent future data exfiltration, but it does not address the issue of the stolen passwords. It is also possible that the attackers may use other forums or methods to post the stolen data.
Option D, increasing password complexity requirements, may make it harder for attackers to crack the passwords, but it does not address the issue of the stolen passwords. Additionally, if the passwords are still stored in plain text, increasing complexity requirements will not provide significant protection.
Therefore, option B, implementing salting and hashing, is the best way to mitigate the damage done by this type of data exfiltration in the future.