Security countermeasures should be transparent to users and attackers. Which of the following does not describe transparency?
A.
User activities are monitored and tracked without negatively affecting system performance.
B.
User activities are monitored and tracked without the user knowing about the mechanism that is carrying this out.
C.
Users are allowed access in a manner that does not negatively affect business processes.
D.
Unauthorized access attempts are denied and logged without the intruder knowing about the mechanism that is carrying this out.
Explanation:
A: Unfortunately, security components usually affect system performance in one fashion or another, although many times it is unnoticeable to the user. There is a possibility that if a
system’s performance is noticeably slow, this could be an indication that security countermeasures are in place. The reason that controls should be transparent is so that users and
intruders do not know enough to be able to disable or bypass them. The controls should also not stand in the way of the company being able to carry out its necessary functions.
B is incorrect because transparency is about activities being monitored and tracked without the user’s knowledge of the mechanism that is doing the monitoring and the tracking.
While it is a best practice to tell users if their computer use is being monitored, it is not necessary to tell them how they are being monitored. If users are aware of the mechanisms that
monitor their activities, then they may attempt to disable or bypass them.
C is incorrect because there must be a balance between security and usability. This means that users should be allowed accesswhere appropriatewithout affecting business
processes. They should have the means to get their job done.
D is incorrect because you do not want intruders to know about the mechanisms in place to deny and log unauthorized access attempts. An intruder could use this knowledge to
disable or bypass the mechanism and successfully gain unauthorized access to network resources.