PrepAway - Latest Free Exam Questions & Answers

Which of the following controls would mitigate these issues?

A penetration tester was able to obtain elevated privileges on a client workstation and multiple
servers using the credentials of an employee. Which of the following controls would mitigate these
issues? (Select TWO)

A.
Separation of duties

B.
Least privilege

C.
Time of day restrictions

D.
Account expiration

E.
Discretionary access control

F.
Password history

7 Comments on “Which of the following controls would mitigate these issues?”

  1. Brian G says:

    Password history, time of day restrictions, and account expiration would have no effect upon the ability to cause damage with current employee credentials. Discretionary access control is about allowing one employee to grant another employee access, and would actually increase the risk rather than mitigate it.

    Least privilege means the employee can’t do anything not required by his/her job. Separation of duties means that two people are required to do anything which could be really damaging. Those are the two that are needed.

  2. Lake says:

    Brian G is correct. The question states that “A penetration tester was able to obtain elevated privileges on a client workstation and multiple servers using the credentials of an employee.” The keyword here is “multiple servers”.

    Assuming the employee is an email administrator, then he would only have access to the workstation and the email server (not multiple servers such as the email server, database server, authentication server, etc.).

    If the company implements separation of duties, then the company would have one employee doing the email server, and another employee doing the database server, etc.

    Account expiration does NOT make any sense for mitigating the issues.

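As an added example (not part of the original post or of either commenter's words), here is a small Python audit that turns the two controls Brian G and Lake describe into checks a practitioner could run over an access matrix. It assumes a role-to-server table, an assumed list of role pairs that a separation-of-duties policy forbids one person from holding, and constructed observations of where each account actually holds admin rights; all host names, accounts and roles are made up.

```python
"""Audit an access matrix for the two weaknesses the question describes.

Added example, not code from the original page. The hosts, accounts,
roles and observed sessions below are constructed sample data; the
conflict pairs are an assumed policy, not any organisation's real one.
"""
from itertools import combinations

# Assumed role model: which servers each role may administer.
ROLE_HOSTS = {
    "email_admin": {"mail01"},
    "db_admin": {"db01", "db02"},
    "auditor": set(),      # reads logs, administers nothing
}

# Assumed separation-of-duties policy: role pairs one person must not hold.
SOD_CONFLICTS = {
    frozenset({"email_admin", "db_admin"}),
    frozenset({"db_admin", "auditor"}),
}

# Constructed role assignments.
USER_ROLES = {
    "jsmith": {"email_admin"},
    "alee": {"db_admin", "auditor"},
}

# Constructed observations of where each account actually holds elevated
# rights, e.g. taken from local-administrator group membership dumps.
OBSERVED_ADMIN = [
    ("jsmith", "mail01"),
    ("jsmith", "db01"),
    ("jsmith", "fileserver"),
    ("alee", "db01"),
]


def entitled_hosts(roles, role_hosts=ROLE_HOSTS):
    """Union of the servers the given roles may administer."""
    hosts = set()
    for role in roles:
        hosts |= role_hosts.get(role, set())
    return hosts


def least_privilege_violations(user_roles, role_hosts, observed):
    """Servers where a user holds admin rights that no assigned role grants.

    Returns {user: sorted list of unentitled hosts}, omitting clean users.
    This is the "multiple servers" condition in the question: one set of
    credentials should not open more than its holder's job requires.
    """
    findings = {}
    for user, host in observed:
        allowed = entitled_hosts(user_roles.get(user, set()), role_hosts)
        if host not in allowed:
            findings.setdefault(user, set()).add(host)
    return {user: sorted(hosts) for user, hosts in findings.items()}


def sod_violations(user_roles, conflicts):
    """Users holding a pair of roles the SoD policy declares incompatible.

    Returns {user: sorted list of (role, role) tuples}, omitting clean users.
    """
    findings = {}
    for user, roles in user_roles.items():
        for pair in combinations(sorted(roles), 2):
            if frozenset(pair) in conflicts:
                findings.setdefault(user, []).append(pair)
    return findings


if __name__ == "__main__":
    lp = least_privilege_violations(USER_ROLES, ROLE_HOSTS, OBSERVED_ADMIN)
    for user, hosts in lp.items():
        print(f"least privilege: {user} is admin on {hosts} with no role that allows it")
    for user, pairs in sod_violations(USER_ROLES, SOD_CONFLICTS).items():
        print(f"separation of duties: {user} holds conflicting roles {pairs}")
```

On the constructed data the first check flags jsmith, whose email_admin role entitles him to mail01 only, as admin on db01 and fileserver as well; the second flags alee for holding db_admin together with auditor, so one person both operates the database and reviews its logs. In a real environment the observations would be fed from directory group dumps or authentication logs rather than a literal list.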
  3. SuperMario says:

    I always start with a process of elimination:
    C- Time of day restrictions. This is self-explanatory. It allows employees to only access the system during certain hours (9 to 5 for example). The pen tester could still do his work from 9 to 5.
    D- Account expiration is set to determine when in the future the account will expire. It could be days, weeks or years from now. So if the pen tester is doing his job in January 2018, what does it matter that the account is set to expire come August 2018?
    F- Password history – This feature keeps a list of all your passwords and stops you from using the same one x times in a row.

    So far, out of 6 possible answers we have eliminated 3. So we must find 2 answers from the remaining 3:
    A- Separation of Duties
    B- Least privilege
    E- Discretionary Access control

    From the above – B: Least privilege – is one of the correct answers. That is a given.
    So we now have a toss-up between A- Separation of Duties and E- Discretionary Access Control.

    Separation of duties (SoD) (also known as Segregation of Duties) is the concept of having more than one person required to complete a task. In business, the separation by sharing of more than one individual in one single task is an internal control intended to prevent fraud and error.

    In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria “as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.”

    So based on the above analysis, my money is on:
    B- Least privilege
    E- Discretionary Access control
