CISSP · Question #486
After a breach incident, investigators narrowed the attack to a specific network administrator's credentials. However, there was no evidence to determine how the hackers obtained the credentials. Much
The correct answer is C. A periodic review of all privileged accounts actions. When a breach is traced to a privileged account with no clear evidence of credential theft, the best preventive control is monitoring and reviewing privileged account activity. This allows anomalous behavior to be detected early before a breach escalates.
Question
After a breach incident, investigators narrowed the attack to a specific network administrator's credentials. However, there was no evidence to determine how the hackers obtained the credentials. Much of the following actions could have BEST avoided the above breach per the investigation described above?
Options
- AA periodic review of network access loos
- BA periodic review of active users en the network
- CA periodic review of all privileged accounts actions
- DA periodic review of password strength of all users across the organization
How the community answered
(14 responses)- A14% (2)
- B7% (1)
- C71% (10)
- D7% (1)
Why each option
When a breach is traced to a privileged account with no clear evidence of credential theft, the best preventive control is monitoring and reviewing privileged account activity. This allows anomalous behavior to be detected early before a breach escalates.
Reviewing general network access logs is broader and less targeted than privileged account auditing; it may not highlight the specific anomalous actions taken by a compromised administrator account among the noise of all network activity.
Reviewing active users on the network addresses account lifecycle management but does not specifically detect misuse or suspicious behavior tied to a privileged account that is legitimately active.
Privileged accounts, such as those held by network administrators, have elevated access and are high-value targets for attackers. A periodic review of all privileged account actions (privileged access management/PAM auditing) would detect unusual activity, unauthorized access patterns, or credential misuse early, potentially preventing or limiting the breach. This control directly addresses the risk of compromised administrative credentials by providing an audit trail of sensitive actions.
Reviewing password strength addresses credential hygiene and could reduce the risk of brute-force attacks, but since investigators found no evidence of how credentials were obtained, enforcing password strength alone would not have addressed the specific attack vector or detected the compromise.
Concept tested: Privileged account monitoring and access auditing
Source: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-use-audit-log
Topics
Community Discussion
No community discussion yet for this question.