CompTIA CASP+ (CAS-004) — Question 188
An investigator is attempting to determine if recent data breaches may be due to issues with a company's web server that offers news subscription services. The investigator has gathered the following data:
• Clients successfully establish TLS connections to web services provided by the server.
• After establishing the connections, most client connections are renegotiated.
• The renegotiated sessions use cipher suite TLS_RSA_WITH_NULL_SHA.
Which of the following is the MOST likely root cause?
Answer options
- A. The clients disallow the use of modern cipher suites.
- B. The web server is misconfigured to support HTTP/1.1.
- C. A ransomware payload dropper has been installed.
- D. An entity is performing downgrade attacks on path.
Correct answer: D
Explanation
The correct answer is D: the renegotiated sessions use the weak cipher suite TLS_RSA_WITH_NULL_SHA, which suggests that an attacker may be forcing the clients to downgrade their security settings, allowing for potential exploitation. Option A is incorrect because the clients accepting the connection indicates that they support the cipher suite. Option B is unrelated to the security issue indicated by the cipher suite in use. Option C does not directly explain the renegotiation of connections or the cipher suite being used.