CompTIA CASP+ (CAS-003) — Question 69
An enterprise with global sites processes and exchanges highly sensitive information that is protected under several countries' arms trafficking laws. There is new information that malicious nation-state-sponsored activities are targeting the use of encryption between the geographically disparate sites. The organization currently employs ECDSA and ECDH with P-384, SHA-384, and AES-256-GCM on VPNs between sites.
Which of the following techniques would MOST likely improve the resilience of the enterprise to attacks on the cryptographic implementation?
Answer options
- A. Add a second-layer VPN from a different vendor between sites.
- B. Upgrade the cipher suite to use an authenticated AES mode of operation.
- C. Use a stronger elliptic curve cryptography algorithm.
- D. Implement an IDS with sensors inside (clear-text) and outside (cipher-text) of each tunnel between sites.
- E. Ensure cryptography modules are kept up to date from the vendor supplying them.
Correct answer: C
Explanation
The correct answer is C because using a stronger elliptic curve cryptography algorithm can significantly enhance security against sophisticated attacks. Options A and D, while beneficial for overall security, do not directly address the cryptographic vulnerabilities, and B only improves the existing cipher suite without fundamentally changing the underlying cryptographic strength. Option E is important but does not enhance the cryptographic strength in the face of targeted attacks.