SY0-601: CompTIA Security+ - Mitigating Risk in Web Applications with Limitations in Encryption Standards


Question

A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers.

Due to the technical limitations of its customers, the company is unable to upgrade the encryption standard.

Which of the following types of controls should be used to reduce the risk created by this scenario?

A. Physical

B. Detective

C. Preventive

D. Compensating

Correct answer: D.

Explanations


The scenario in the question is that a recent audit found that the encryption standard used by a web application that communicates with business customers is not secure and needs to be upgraded. However, because of its customers' technical limitations, the company is unable to upgrade the encryption standard.

In such a situation, the organization must implement compensating controls to reduce the risk created by the scenario. Compensating controls are alternative measures put in place when a primary control is not feasible or cannot be implemented. They compensate for the deficiency in the primary control and mitigate the risk associated with it.

In this case, the primary control is the encryption standard used in the web application, which is not secure. The organization cannot upgrade this encryption standard due to the technical limitations of its customers. Therefore, the organization needs to implement compensating controls to reduce the risk created by the use of an insecure encryption standard.

Examples of compensating controls that could be used in this scenario include:

  • Increasing the frequency of vulnerability scans and penetration testing of the web application to identify any potential security vulnerabilities.
  • Implementing additional security measures such as firewalls, intrusion detection and prevention systems (IDPS), and security information and event management (SIEM) systems to detect and respond to any security incidents.
  • Restricting access to the web application to authorized users only, and enforcing multi-factor authentication so that a compromised password alone does not grant access.
  • Implementing security awareness and training programs for employees and customers to educate them on the importance of security and how to avoid potential security risks.

In summary, compensating controls should be used in situations where a primary control is not feasible or cannot be implemented. In this scenario, the organization cannot upgrade the encryption standard used in the web application due to the technical limitations of its customers. Therefore, compensating controls should be implemented to reduce the risk associated with the use of an insecure encryption standard.