nerdexam
(ISC)2

CISSP · Question #486

After a breach incident, investigators narrowed the attack to a specific network administrator's credentials. However, there was no evidence to determine how the hackers obtained the credentials. Much

The correct answer is C. A periodic review of all privileged accounts actions. When a breach is traced to a privileged account with no clear evidence of credential theft, the best preventive control is monitoring and reviewing privileged account activity. This allows anomalous behavior to be detected early before a breach escalates.

Submitted by chen.hong· Mar 5, 2026Security Operations

Question

After a breach incident, investigators narrowed the attack to a specific network administrator's credentials. However, there was no evidence to determine how the hackers obtained the credentials. Much of the following actions could have BEST avoided the above breach per the investigation described above?

Options

  • AA periodic review of network access loos
  • BA periodic review of active users en the network
  • CA periodic review of all privileged accounts actions
  • DA periodic review of password strength of all users across the organization

How the community answered

(14 responses)
  • A
    14% (2)
  • B
    7% (1)
  • C
    71% (10)
  • D
    7% (1)

Why each option

When a breach is traced to a privileged account with no clear evidence of credential theft, the best preventive control is monitoring and reviewing privileged account activity. This allows anomalous behavior to be detected early before a breach escalates.

AA periodic review of network access loos

Reviewing general network access logs is broader and less targeted than privileged account auditing; it may not highlight the specific anomalous actions taken by a compromised administrator account among the noise of all network activity.

BA periodic review of active users en the network

Reviewing active users on the network addresses account lifecycle management but does not specifically detect misuse or suspicious behavior tied to a privileged account that is legitimately active.

CA periodic review of all privileged accounts actionsCorrect

Privileged accounts, such as those held by network administrators, have elevated access and are high-value targets for attackers. A periodic review of all privileged account actions (privileged access management/PAM auditing) would detect unusual activity, unauthorized access patterns, or credential misuse early, potentially preventing or limiting the breach. This control directly addresses the risk of compromised administrative credentials by providing an audit trail of sensitive actions.

DA periodic review of password strength of all users across the organization

Reviewing password strength addresses credential hygiene and could reduce the risk of brute-force attacks, but since investigators found no evidence of how credentials were obtained, enforcing password strength alone would not have addressed the specific attack vector or detected the compromise.

Concept tested: Privileged account monitoring and access auditing

Source: https://learn.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-how-to-use-audit-log

Topics

#Privileged account management#Security auditing#Accountability#Breach prevention

Community Discussion

No community discussion yet for this question.

Full CISSP Practice