PrepAway - Latest Free Exam Questions & Answers

which of the following?

A company is investigating a data compromise where data exfiltration occurred. Prior to the
investigation, the supervisor terminates an employee as a result of the suspected data loss.
During the investigation, the supervisor is absent for the interview, and little evidence can be
provided from the role-based authentication system in use by the company. The situation can be
identified for future mitigation as which of the following?

A. Job rotation

B. Log failure

C. Lack of training

D. Insider threat

2 Comments on “which of the following?”

  1. Brian G says:

    This is a very tricky question. Note that the question asked is “The situation can be identified for future mitigation as which of the following?” At the beginning of the case description, we are told that the situation is “A company is investigating a data compromise.” So we need to identify the investigation of a data compromise, to be used in future mitigation. Note that we are identifying the investigation, not the data compromise itself. The description of the investigation is one of frustrated failure.

    This is not a case of job rotation. That is the only one of the four answers we can easily eliminate as obviously incorrect. That might help with some kinds of data loss, but we don’t have anything pointing to the specific type of data loss. Without that, we don’t have anything pointing to something that job rotation might mitigate.

    “Insider threat” almost certainly describes the data loss situation, as the data was apparently exposed through the actions of an employee who was terminated for it. That makes it a possible answer, but not one that fits the description of the investigation.

    “Lack of training” fits the situation better. Note that the supervisor who fired someone because of the data breach doesn’t show up to help mitigate future threats. With proper user training, the supervisor would (hopefully) be aware of the importance of following up on what went wrong to address whatever vulnerability may have existed. Also with proper user training, the user might well have not leaked the data (and lost the job) in the first place. So lack of training might be how the situation would be best described. (It would not, of course, if the user data breach was malicious instead of careless or ignorant.)

    Finally, I believe “Log failure” describes the situation best of all. There should have been logging that showed what happened and pointed to how to mitigate it in the future, even if the supervisor did not cooperate. Regardless of how the data was lost and what type of data it was, this describes the investigation, which is what the question is asking. Security personnel need to be able to find the answers to a suspected data loss event in the logs, and if they can’t, that is a log failure.

    So the answer could be “lack of training” or even “insider threat,” but I’m betting on “log failure.”



