CISSP-ISSAP · Question #211
(ISC)2 CISSP-ISSAP Exam Which of the following are the countermeasures against a man-in-the-middle attack? Each correct answer represents a complete solution. Choose all that apply.
The correct answer is A. Using public key infrastructure authentication. C. Using Secret keys for authentication. D. Using Off-channel verification.. MITM Countermeasures - CISSP-ISSAP Man-in-the-middle (MITM) attacks succeed when an attacker can silently intercept communications between two parties without either detecting the intrusion. Options A, C, and D all defeat this by making impersonation verifiably impossible. Why A,
Question
(ISC)2 CISSP-ISSAP Exam Which of the following are the countermeasures against a man-in-the-middle attack? Each correct answer represents a complete solution. Choose all that apply.
Options
- AUsing public key infrastructure authentication.
- BUsing basic authentication.
- CUsing Secret keys for authentication.
- DUsing Off-channel verification.
How the community answered
(50 responses)- A76% (38)
- B24% (12)
Explanation
MITM Countermeasures - CISSP-ISSAP
Man-in-the-middle (MITM) attacks succeed when an attacker can silently intercept communications between two parties without either detecting the intrusion. Options A, C, and D all defeat this by making impersonation verifiably impossible.
Why A, C, D are correct:
- (A) PKI authentication binds identities to cryptographic certificates issued by trusted Certificate Authorities - an attacker cannot forge a valid certificate, so the intercepted session is exposed.
- (C) Secret key authentication relies on a shared secret the attacker does not possess; challenge-response protocols using symmetric keys ensure that anyone without the key cannot successfully authenticate.
- (D) Off-channel verification uses a separate, independent communication path (e.g., phone, SMS) to confirm identity - a MITM attacker would have to simultaneously compromise two unrelated channels.
Why B is wrong: Basic authentication transmits credentials as Base64-encoded plaintext with no server identity verification. It not only fails to prevent MITM attacks - it actively enables credential theft by an intercepting attacker.
Memory tip: The three correct answers all share a common theme - they prove who you're talking to. Think "PKI, Shared Secret, Second Channel = Verified Identity." Basic auth proves nothing about the server, which is exactly what MITM exploits.
Topics
Community Discussion
No community discussion yet for this question.