ISC2 Certified Secure Software Lifecycle Professional (CSSLP) Practice Question

WPA3-Personal replaces the WPA2 pre-shared-key handshake with Simultaneous Authentication of Equals (SAE). SAE performs a password-authenticated key exchange that provides forward secrecy and prevents attackers from capturing a single handshake and then running offline dictionary or brute-force attacks. In addition, WPA3 mandates the 802.11w Protected Management Frames (PMF) feature, which cryptographically protects de-authentication and other management frames frequently spoofed by rogue or "evil twin" access points to force clients to connect to them. Using a long WPA2 pre-shared key improves guessing resistance but still allows offline attacks if an adversary captures the four-way handshake, and it does not protect management frames. Disabling SSID broadcast and enabling MAC filtering offer only obscurity; attackers can easily discover hidden SSIDs and spoof MAC addresses, so they provide little defense against rogue APs or eavesdropping. Captive portals focus on user acknowledgement or web-based authentication and do not add encryption or management-frame protection. Therefore, enabling WPA3-Personal with SAE and PMF is the most effective standards-based solution for the stated goals.