A security team is investigating a breach where a threat actor accessed and decrypted several-months-old encrypted data backups. The investigation shows the primary encryption keys for the live database had been rotated since the backups were created. However, logs from the key management system (KMS) indicate the threat actor used a superseded, 'inactive' key to decrypt the data. Which of the following is the most likely root cause of this incident?
Lack of continuous monitoring on the KMS.
Using symmetric instead of asymmetric encryption for the data backups.
Failure to enforce the deletion of superseded cryptographic keys.
The root cause is the failure to properly delete or destroy superseded cryptographic keys after their intended lifecycle. Merely marking a key as 'inactive' or 'disabled' is insufficient, as an attacker with sufficient privileges within the KMS may be able to reactivate or use it. Proper key deletion is a critical step in a key management lifecycle to prevent unauthorized access to historical encrypted data. While key rotation was performed, the failure to delete the old key created the vulnerability. The type of encryption is irrelevant to the key management failure, and while monitoring was useful for the investigation, it did not cause the breach.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are encryption objects?
Open an interactive chat with Bash
Why is it risky to retain outdated encryption objects?
Open an interactive chat with Bash
What is the process of securely deleting encryption objects?