During a penetration test, a flaw in the internal PKI was exploited to gain domain administrator rights using specially crafted certificates. Which of the following remediation tasks should be completed as part of the cleanup phase?
B. Patching the CA
Here's why:
Patching the Certificate Authorities: This involves updating the CA software to address the specific vulnerability that was exploited. Since the attack exploited a flaw in the PKI, patching the CA is crucial to fixing the vulnerability and preventing similar attacks in the future.
While the other options are also important in a broader security context, they may not directly address the specific issue with the PKI flaw:
- Updating the Certificate Revocation Lists (CRLs): This is important for managing revoked certificates but may not address the root cause of the PKI vulnerability.
- Changing passwords: This is a good security practice but would not resolve the underlying issue with the PKI vulnerability.
- Implementing SOAR (Security Orchestration, Automation, and Response): SOAR can help with automating responses and managing security operations but does not directly address the specific PKI vulnerability.
Therefore, patching the Certificate Authorities is the most effective and direct remediation task for this situation.
A. Updating the CRL
It's a really bad question because you would do BOTH A and B.
The only reason I'm saying A is because the question specifically says "cleanup phase". Patching the CA would TECHNICALLY fall under the Eradication Phase - we're eradicating a threat (patching a vulnerable CA server) - and then cleanup would be updating the CRL.
CRL is for revocation; this way we can reissue the certificate and resolve the issue as well. But it does not address the underlying vulnerability in the CA itself. The question says "cleanup phase", which is more accurate with just patching the existing CA.
Answer is A, Update the CRL, because it:
- Immediately invalidates compromised certificates
- Prevents further use of malicious certificates
- Blocks certificate-based authentication attempts
- Is part of proper PKI hygiene after compromise
Why not B, Patching the CA:
- Important but secondary to the immediate threat
- Doesn't address already issued certificates
- Long-term solution rather than immediate cleanup
- Doesn't stop the current compromise
Doesn’t the question say “specially crafted certificates” meaning the attackers made the certificate themselves? Doesn’t say that any previously certified certificates were compromised. So why would you update the CRL if the attackers are able to create their own certificates to bypass whatever you just revoked?
B. Patching the CA: The flaw in the internal Public Key Infrastructure (PKI) was exploited during the penetration test to gain domain administrator rights, which indicates a vulnerability within the Certificate Authority (CA) system. To prevent similar attacks in the future, the CA should be patched to fix any identified vulnerabilities in the certificate issuance process. This is a critical step in remediating the flaw and securing the PKI system against further exploitation.
Why NOT: A. Updating the CRL (Certificate Revocation List): While updating the CRL is important to revoke any compromised or malicious certificates, it addresses only the symptom (the specific certificates) rather than the root cause (the vulnerability in the CA). The flaw that allowed for the exploitation needs to be patched first, as it could enable the attacker to issue more certificates in the future.
The cleanup phase in a penetration test refers to the steps taken after the test has been completed to ensure that any changes made during the testing process are reversed, and the environment is restored to its original state. This phase ensures that no trace of the penetration test remains and that any potential security risks introduced during the test are mitigated.
In the context of the remediation task in question, the cleanup phase focuses on fixing the vulnerabilities exploited during the penetration test and ensuring the security of the system moving forward. For example, patching the Certification Authority (CA) if it was the root cause of the domain administrator privilege escalation would be a critical task during this phase.
The correct answer is:
A. Updating the CRL (Certificate Revocation List)
Explanation:
When a flaw in the PKI (Public Key Infrastructure) is exploited, especially involving malicious or compromised certificates, the first step in remediation is to revoke the affected certificates to prevent further misuse. This is done by updating the Certificate Revocation List (CRL) or using Online Certificate Status Protocol (OCSP). This ensures that any certificate used in the attack is marked as invalid, mitigating the risk of continued exploitation.
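The two comments above disagree about what a CRL can and cannot do: revoking a serial number blocks a certificate the CA knows it issued, but (as the earlier comment about "specially crafted certificates" points out) a certificate the CA never recorded issuing has no serial to put on the list. The example below is added here and is not from the ExamTopics thread or any poster; it uses the third-party `cryptography` package and constructs an in-memory CA, two legitimately issued leaf certificates, a CRL, and a per-CA issuance ledger (the ledger, the certificate names and the four verdict strings are assumptions of this example). It shows a relying-party check that verifies the CRL signature, looks up the serial on the CRL, and additionally reconciles the serial against the issuance ledger, so that a certificate that merely claims the CA as issuer, or one that is CA-signed but absent from the record, is flagged rather than treated as valid simply because no CRL entry names it.

```python
# Added example (not the thread's or any poster's code). Requires the `cryptography`
# package. The CA, leaf certificates, issuance ledger and names are all constructed.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ONE_DAY = datetime.timedelta(days=1)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(common_name="Constructed Internal CA"):
    """Self-signed CA certificate and its private key (constructed for the demo)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(_name(common_name))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - ONE_DAY)
        .not_valid_after(_now() + 365 * ONE_DAY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def sign_leaf(signing_key, issuer_name, common_name):
    """Leaf certificate naming `issuer_name` as issuer and signed by `signing_key`.
    Signed with the CA key this is a real issuance; signed with any other key it is
    a certificate that only claims to come from the CA."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(issuer_name)
        .public_key(leaf_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - ONE_DAY)
        .not_valid_after(_now() + 30 * ONE_DAY)
        .sign(signing_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revoked_serials):
    """CRL signed by the CA that lists the given serial numbers as revoked."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(_now())
        .next_update(_now() + ONE_DAY)
    )
    for serial in revoked_serials:
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(_now()).build()
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def classify(cert, ca_cert, crl, ledger):
    """Relying-party verdict: signature, then issuance ledger, then CRL.
    `ledger` is the CA's own record of serials it issued (an assumption of this demo)."""
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA certificate")
    try:
        ca_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm)
        )
    except InvalidSignature:
        return "forged-signature"  # names our CA as issuer but was not signed by it
    if cert.serial_number not in ledger:
        return "never-issued"  # CA-signed, but no issuance record; a CRL cannot name it
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"


def run_demo():
    """Four constructed certificates against one CRL; returns the verdict for each."""
    ca_key, ca_cert = make_ca()
    good = sign_leaf(ca_key, ca_cert.subject, "workstation01")
    compromised = sign_leaf(ca_key, ca_cert.subject, "svc-backup")
    ledger = {c.serial_number: c.subject.rfc4514_string() for c in (good, compromised)}
    # crafted: signed by a key that is not the CA's, merely naming the CA as issuer
    crafted = sign_leaf(ec.generate_private_key(ec.SECP256R1()), ca_cert.subject, "administrator")
    # off-ledger: CA-signed but never recorded, which only ledger reconciliation catches
    off_ledger = sign_leaf(ca_key, ca_cert.subject, "administrator")
    crl = build_crl(ca_key, ca_cert, [compromised.serial_number])  # revoke the known-bad one
    return {
        "good": classify(good, ca_cert, crl, ledger),
        "compromised": classify(compromised, ca_cert, crl, ledger),
        "crafted": classify(crafted, ca_cert, crl, ledger),
        "off_ledger": classify(off_ledger, ca_cert, crl, ledger),
    }
```

Calling `run_demo()` returns `valid` for the untouched certificate, `revoked` for the one the CRL names, `forged-signature` for the attacker-signed one and `never-issued` for the CA-signed certificate with no issuance record. The last two verdicts are the point of the thread's disagreement: the CRL update resolves only the `revoked` case, while the other two are detected by signature verification and by reconciling the CA's issuance records, and are prevented only by fixing the CA itself.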
This occurred during a penetration test. We should patch the CA first to prevent further exploitation; that ensures no new certificates can be issued using the same flaw. Then we would update the CRL.
While patching the Certificate Authority is important to prevent a similar attack in the future, I believe that updating the Certificate Revocation List will apply more directly to the clean-up phase.
Community vote distribution: A (35%), C (25%), B (20%), Other.