Exam PT0-001 topic 1 question 53 discussion

A B D is the correct answer

A B D is the correct answer

bcf correct

looks good to me

A B D is correct

Correct answer

Im going with BCD. A will help but that doesn't stop dictionary attacks from being successful. Thus the purpose of D. BCD will address all the front issues with the pentest. Best to assume your users will be phished regardless of training/awareness. MFA should always be in place, an IPS will prevent the intrusion from occurring and prevent attacks, password complexity will assume users will be targeted and hashes stolen but prevent easily cracking with dictionary attacks. A will come later, same with E. G only addresses the VPN and nothing to do with cracking the password hashes of the end users.

You can have the best and brightest and flashiest tools. If users are not aware of phishing then boom your whole castle crumbles.

diorg kata ABD. Cohort 1-2021

A, B, and D. - (A), retraining is needed because employees respond to phished emails. (B), implementing 2FA would remedy any possible leaks from the phished email (i.e., RSA tokens). (D), the ciphers in this scenario were not compromised (eliminates G as an answer). So, the only logical answer is D. Which makes passwords more complex, so they would not be susceptible to dictionary attacks.

The following cryptographic algorithms are used throughout the life of a TLS/SSL‑encrypted connection: Key establishment—This algorithm is used to exchange or agree on the symmetric keys to be used for encrypting and decrypting the data payload during the session. Examples: RSA, Diffie-Hellman (DH), Ephemeral Diffie-Hellman (DHE), and Elliptic Curve Diffie-Hellman (ECDH). Authentication—This algorithm is the digital signature used by the certificates passed between the client application and server. Examples: RSA and Digital Signature Standard (DSS). Encryption—This algorithm encrypts and decrypts payload passed on the secure session. Examples: RC4, 3DES CBC, and Advanced Encryption Standard (AES). Digest—This algorithm is used to maintain message integrity. Tampering with the message would render the digest invalid. Examples: SHA1, MD5. The combination of these four cryptographic algorithms is known as a cipher suite. Encryption ciphers are at the heart of VPN technology. They help determine how the secure tunnel is formed, but that has nothing to do with obtaining a hash over a VPN. I'm going ABD

I would go for A, D, G as the CompTIA Pentest+ Practice Test, Sybex mantioned in Question 124 - Chapter 5, --- In this scenario, the tester should recommend that the client increase their password complexity requirements since the tester was able to crack them by using a dictionary attack. The tester should also recommend that all employees take security awareness training, since it was a member of the IT department who gave up pertinent information when the tester used a phishing technique. The tester should also recommend upgrading the cipher suite that is used for the VPN solution. A cipher suite is a set of algorithms that help secure network connections that uses Transport Layer Security (TLS) or Secure Socket Layer (SSL). The set of algorithms that cipher suites usually contain includes a key exchange algorithm, a bulk encryption algorithm, and a message authentication code (MAC) algorithm. ---

A B D is correct. Here is the key point; attacker can connect to the VPN with victim's credentials. We ensure this with two factor authentication.

Those of you arguing against the cipher suite answer don't understand VPNs. The hashes should be encrypted not available to see. If you can see the hashes, you've already broken the encryption.

I would say ABD. I think the argument for A&B is covered enough here. My argument for D instead of G, is the dictionary attack. Increasing the cipher doesn't defend against the dictionary attack, but creating stronger passwords would.

I would go for A & G, I'm happy for B however, authentication for remote access is bugging me. If it is authentication in email i'll go for B. Otherwhite, i'll stick with ADG

People, Process, Technology. A - People B - Technology D - Process