Exam CAS-004 topic 1 question 403 discussion

The most effective solution to prevent unsecure web traffic from being redirected to a competitor’s site in this scenario is: C. Enforcing DNSSEC (Domain Name System Security Extensions) The scenario described suggests that an attacker might be intercepting or manipulating DNS requests to redirect web traffic to a competitor's site. This type of attack is known as DNS spoofing or DNS cache poisoning, where the attacker manipulates DNS responses to redirect legitimate users to malicious or unintended websites. DNSSEC is a security extension for DNS that protects against these types of attacks by ensuring that DNS responses are authentic and have not been tampered with. DNSSEC uses cryptographic signatures to verify the integrity and authenticity of DNS records. When DNSSEC is enabled, it prevents attackers from modifying DNS records, which would stop them from redirecting traffic to a malicious or competitor's site.

Prevents Downgrade Attacks: HSTS ensures that browsers only communicate with the server using HTTPS, preventing any attempt to downgrade the connection to HTTP. Eliminates Unsecure Connections: By enabling HSTS, the website will instruct browsers to automatically convert all HTTP requests to HTTPS, thereby preventing the possibility of insecure HTTP traffic being redirected or intercepted. Mitigates Man-in-the-Middle (MitM) Attacks: HSTS helps protect against MitM attacks, where an attacker might attempt to intercept traffic between the client and the server. By enforcing HTTPS, it ensures that the communication is always encrypted and secure.

A - HSTS will force the browser to use a secure connection

For the CompTIA Advanced Security Practitioner (CASP+) exam, the most suitable answer to prevent the described attack would be **A. Enabling HSTS (HTTP Strict Transport Security)**. Enabling HSTS ensures that web browsers communicate with websites only over HTTPS connections, thereby preventing attackers from redirecting unsecure traffic to a competitor's site. HSTS instructs browsers to automatically convert HTTP requests to HTTPS, making it difficult for attackers to intercept or redirect traffic. While options like configuring certificate pinning (B) and deploying certificate stapling (D) enhance security, they are not directly related to preventing the described attack scenario. Enforcing DNSSEC (C) helps prevent DNS spoofing attacks but wouldn't necessarily address the specific redirection of unsecure web traffic described in the scenario.