An organization stores highly sensitive financial records in an on-premises relational database. Role-based access control (RBAC) already limits each employee to only the tables required for their job duties. Security analysts are concerned that an attacker could still read the data if they steal a legitimate user's password. Which of the following additional controls would BEST mitigate this risk?
Enable full-disk encryption on the database server.
Disable verbose SQL error messages returned to clients.
Require multi-factor authentication (MFA) for all database logins.
Increase the minimum password length for all database users from 8 to 12 characters.
RBAC restricts what an authenticated account can see, but if the account's credentials are stolen the attacker inherits that same database access. Requiring multi-factor authentication (MFA) adds a second, independent factor the attacker is unlikely to possess, so a stolen password alone is no longer sufficient to log in. The other options improve security but do not address the stolen-credential threat as effectively: a longer password still fails once it is known to the attacker; full-disk encryption protects data at rest (for example, against theft of the physical disks) but is transparent to anyone who successfully logs in to the running system; and suppressing verbose SQL error messages mainly reduces information disclosure during reconnaissance rather than blocking access by an authenticated account.