Geoblocking is the best mitigation technique for unusual network scanning activity coming from a country that the company does not do business with, as it can prevent any potential attacks or data breaches from that country. Geoblocking is the practice of restricting access to websites or services based on geographic location, usually by blocking IP addresses associated with a certain country or region. Geoblocking can help reduce the overall attack surface and protect against malicious actors who may be trying to exploit vulnerabilities or steal information. The other options are not as effective as geoblocking, as they may not block all the possible sources of the scanning activity, or they may not address the root cause of the problem. Official References:
https://www.blumira.com/geoblocking/
https://www.avg.com/en/signal/geo-blocking

The correct answer is A. Configure the server to prefer TLS 1.3 and B. Remove cipher suites that use CBC.
A padding oracle attack is a type of attack that exploits the padding validation of a cryptographic message to decrypt the ciphertext without knowing the key. A padding oracle is a system that responds to queries about whether a message has a valid padding or not, such as a web server that returns different error messages for invalid padding or invalid MAC. A padding oracle attack can be applied to the CBC mode of operation, where the attacker can manipulate the ciphertext blocks and use the oracle's responses to recover the plaintext12.
To remediate this issue, the organization should make the following configuration changes:
* Configure the server to prefer TLS 1.3. TLS 1.3 is the latest version of the Transport Layer Security protocol, which provides secure communication between clients and servers. TLS 1.3 has several security improvements over previous versions, such as:
* It deprecates weak and obsolete cryptographic algorithms, such as RC4, MD5, SHA-1, DES,
3DES, and CBC mode.
* It supports only strong and modern cryptographic algorithms, such as AES-GCM, ChaCha20- Poly1305, and SHA-256/384.
* It reduces the number of round trips required for the handshake protocol, which improves performance and latency.
* It encrypts more parts of the handshake protocol, which enhances privacy and confidentiality.
* It introduces a zero round-trip time (0-RTT) mode, which allows resuming previous sessions without additional round trips.
* It supports forward secrecy by default, which means that compromising the long-term keys does not affect the security of past sessions3456.
* Remove cipher suites that use CBC. Cipher suites are combinations of cryptographic algorithms that specify how TLS connections are secured. Cipher suites that use CBC mode are vulnerable to padding oracle attacks, as well as other attacks such as BEAST and Lucky 13. Therefore, they should be removed from the server's configuration and replaced with cipher suites that use more secure modes of operation, such as GCM or CCM78.
The other options are not effective or necessary to remediate this issue.
Option C is not effective because configuring the server to prefer ephemeral modes for key exchange does not prevent padding oracle attacks. Ephemeral modes for key exchange are methods that generate temporary and random keys for each session, such as Diffie-Hellman or Elliptic Curve Diffie-Hellman. Ephemeral modes provide forward secrecy, which means that compromising the long-term keys does not affect the security of past sessions. However, ephemeral modes do not protect against padding oracle attacks, which exploit the padding validation of the ciphertext rather than the key exchange9.
Option D is not necessary because requiring client browsers to present a user certificate for mutual authentication does not prevent padding oracle attacks. Mutual authentication is a process that verifies the identity of both parties in a communication, such as using certificates or passwords. Mutual authentication enhances security by preventing impersonation or spoofing attacks. However, mutual authentication does not protect against padding oracle attacks, which exploit the padding validation of the ciphertext rather than the authentication.
Option E is not necessary because configuring the server to require HSTS does not prevent padding oracle attacks. HSTS stands for HTTP Strict Transport Security and it is a mechanism that forces browsers to use HTTPS connections instead of HTTP connections when communicating with a web server. HSTS enhances security by preventing downgrade or man-in-the-middle attacks that try to intercept or modify HTTP traffic.
However, HSTS does not protect against padding oracle attacks, which exploit the padding validation of HTTPS traffic rather than the protocol.
Option F is not effective because removing cipher suites that use GCM does not prevent padding oracle attacks. GCM stands for Galois/Counter Mode and it is a mode of operation that provides both encryption and authentication for block ciphers, such as AES. GCM is more secure and efficient than CBC mode, as it prevents various types of attacks, such as padding oracle, BEAST, Lucky 13, and IV reuse attacks. Therefore, removing cipher suites that use GCM would reduce security rather than enhance it .
References:
* 1 Padding oracle attack - Wikipedia
* 2 flast101/padding-oracle-attack-explained - GitHub
* 3 A Cryptographic Analysis of the TLS 1.3 Handshake Protocol | Journal of Cryptology
* 4 Which block cipher mode of operation does TLS 1.3 use? - Cryptography Stack Exchange
* 5 The Essentials of Using an Ephemeral Key Under TLS 1.3
* 6 Guidelines for the Selection, Configuration, and Use of ... - NIST
* 7 CBC decryption vulnerability - .NET | Microsoft Learn
* 8 The Padding Oracle Attack | Robert Heaton
* 9 What is Ephemeral Diffie-Hellman? | Cloudflare
* [10] What is Mutual TLS? How mTLS Authentication Works | Cloudflare
* [11] What is HSTS? HTTP Strict Transport Security Explained | Cloudflare
* [12] Galois/Counter Mode - Wikipedia
* [13] AES-GCM and its IV/nonce value - Cryptography Stack Exchange

Mean time to contain is the metric that the cybersecurity team lead should include in the weekly executive briefs, as it measures how long it takes to stop the spread of malware that enters the network. Mean time to contain is the average time it takes to isolate and neutralize an incident or a threat, such as malware, from the time it is detected. Mean time to contain is an important metric for evaluating the effectiveness and efficiency of the incident response process, as well as the potential impact and damage of the incident or threat. A lower mean time to contain indicates a faster and more successful response, which can reduce the risk and cost of the incident or threat. Mean time to contain can also be compared with other metrics, such as mean time to detect or mean time to remediate, to identify gaps or areas for improvement in the incident response process.