Which of the following measures would best protect an organization from automated attacks whereby the attacker attempts to identify weak or leaked passwords in order to log into employees' accounts?
A.
Requiring users to change their passwords every two years.
B.
Requiring two-step verification for all users
C.
Requiring the use of a virtual private network (VPN) when employees are out of the office.
D.
Requiring the use of up-to-date antivirus, security, and event management tools.
Automated attacks that attempt to exploit weak or leaked passwords—such as credential stuffing, brute force attacks, and dictionary attacks—pose a significant cybersecurity risk. Implementing two-step verification (also known as multi-factor authentication, or MFA) is one of the most effective measures to mitigate these threats.
Why Two-Step Verification is Effective (B - Correct Answer)
Multi-factor authentication (MFA) adds an additional security layer beyond a password, requiring a second factor such as a one-time code sent to a mobile device, biometric authentication, or a security key.
Even if an attacker obtains a password, they cannot access the account without the second authentication factor.
The IIA Global Technology Audit Guide (GTAG) 1: Information Security Management emphasizes the use of multi-factor authentication to prevent unauthorized access.
Why Other Options Are Less Effective:
Option A: Changing passwords every two years
Ineffective because attackers often use compromised credentials that may be recent. Best practices recommend regular password updates but coupled with MFA.
The IIA's GTAG 16: Identity and Access Management highlights that password rotation alone does not fully protect against automated attacks.
Option C: Using a VPN when out of the office
Irrelevant to password attacks. A VPN encrypts data and secures network connections but does not prevent brute force or credential stuffing attacks.
The IIA GTAG 17: Auditing Network Security discusses VPNs for secure remote access but does not consider them a solution for password-based attacks.
Option D: Using antivirus and security tools
While important for overall security, these tools cannot prevent attacks that exploit stolen or weak passwords.
The IIA GTAG 15: Information Security Governance states that security tools should be combined with authentication controls like MFA for best protection.
GTAG 1: Information Security Management – Recommends multi-factor authentication to prevent unauthorized system access.
GTAG 16: Identity and Access Management – Highlights the limitations of password-only security and supports multi-factor authentication.
GTAG 17: Auditing Network Security – Covers VPN usage but does not consider it a solution for password attacks.
GTAG 15: Information Security Governance – Discusses the role of security tools and authentication in securing user accounts.
Step-by-Step Explanation:IIA References for Validation:Thus, requiring two-step verification (B) is the most effective control against automated password attacks.
Contribute your Thoughts:
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit