A company's bank has reported that multiple corporate credit cards have been stolen over the past several weeks.
The bank has provided the names of the affected cardholders to the company's forensics team to assist in the cyber-incident investigation.
An incident responder learns the following information:
-> The timeline of stolen card numbers corresponds closely with affected users making Internet-based purchases from diverse websites via enterprise desktop PCs.
-> All purchase connections were encrypted, and the company uses an SSL inspection proxy to inspect encrypted traffic on the hardwired network.
-> Purchases made with corporate cards over the corporate guest WiFi network, where no SSL inspection occurs, were unaffected.
Which of the following is the MOST likely root cause?
A. HTTPS sessions are being downgraded to insecure cipher suites (Most Voted)
B. The SSL inspection proxy is feeding events to a compromised SIEM
C. The payment providers are insecurely processing credit card charges
D. The adversary has not yet established a presence on the guest WiFi network.
Answer: C.
Based on the information provided, the most likely root cause of the stolen corporate credit cards is that the payment providers are insecurely processing credit card charges. This conclusion is based on the following factors:
Option A, HTTPS sessions being downgraded to insecure cipher suites, is unlikely to be the root cause because all purchase connections were encrypted and the company uses an SSL inspection proxy to inspect encrypted traffic.
Option B, the SSL inspection proxy feeding events to a compromised SIEM, is also unlikely because there is no indication that the SIEM has been compromised.
Option D, the adversary not yet establishing a presence on the guest WiFi network, is irrelevant to the root cause of the stolen credit cards because the purchases made over the guest WiFi network were unaffected.
Therefore, based on the information provided, the most likely root cause of the stolen corporate credit cards is that the payment providers are insecurely processing credit card charges.