
CAS-003 Question #360: Real Exam Question with Answer & Explanation

The correct answer is A: Add a second-layer VPN from a different vendor between sites.

Question

An enterprise with global sites processes and exchanges highly sensitive information that is protected under several countries' arms trafficking laws. There is new information that malicious nation-state-sponsored activities are targeting the use of encryption between the geographically disparate sites. The organization currently employs ECDSA and ECDH with P-384, SHA-384, and AES-256-GCM on VPNs between sites. Which of the following techniques would MOST likely improve the resilience of the enterprise to attack on cryptographic implementation?

Options

  • A. Add a second-layer VPN from a different vendor between sites.
  • B. Upgrade the cipher suite to use an authenticated AES mode of operation.
  • C. Use a stronger elliptic curve cryptography algorithm.
  • D. Implement an IDS with sensors inside (clear-text) and outside (cipher-text) of each tunnel.
  • E. Ensure cryptography modules are kept up to date from the vendor supplying them.

Explanation

Adding a second VPN layer from a different vendor introduces implementation diversity, forcing a nation-state attacker to independently defeat two unrelated cryptographic systems.

Common mistakes.

  • B. AES-256-GCM already operates in an authenticated encryption mode (Galois/Counter Mode provides both confidentiality and integrity), so switching to another authenticated AES mode delivers no meaningful security improvement.
  • C. P-384 is already among the strongest standardized NIST elliptic curves, and no currently approved curve provides substantially greater resistance against nation-state cryptanalytic capabilities; the threat described targets the implementation rather than the mathematical strength of the curve.
  • D. An IDS with inside and outside sensors improves detection and forensics but does not strengthen the cryptographic implementation itself or prevent a successful attack on the cipher suite.
  • E. Keeping cryptographic modules current is sound operational hygiene but only addresses known published vulnerabilities rather than building fundamental resilience against active, targeted nation-state exploitation.

Concept tested. Defense-in-depth via multi-vendor VPN cryptographic diversity

Reference. https://csrc.nist.gov/publications/detail/sp/800-77/rev-1/final
