An organization stores highly sensitive financial records in an on-premises relational database. Role-based access control (RBAC) already limits each employee to only the tables required for their job duties. Security analysts are concerned that an attacker could still read the data if they steal a legitimate user's password. Which of the following additional controls would BEST mitigate this risk?
A. Require multi-factor authentication (MFA) for all database logins.
B. Increase the minimum password length for all database users from 8 to 12 characters.
C. Enable full-disk encryption on the database server.
D. Disable verbose SQL error messages returned to clients.
Correct answer: Require multi-factor authentication (MFA) for all database logins.

RBAC restricts what an authenticated account can see, but if the account's credentials are stolen, the attacker inherits exactly the same database access. Requiring multi-factor authentication (MFA) adds a second, independent factor that the attacker is unlikely to possess, so a stolen password alone is no longer enough to log in. The other options improve security but do not address the stolen-credential threat as effectively: a longer password still fails once the password is known; full-disk encryption protects data at rest (for example, against theft of the physical disks) but is transparently decrypted for any user who authenticates to the running database; and suppressing verbose SQL error messages mainly reduces information disclosure during reconnaissance rather than blocking access by an authenticated account.