Which of the following is the best to detect account compromise? (Source: Wentz QOTD)
A. Enforce the clipping level to lockout users
B. Conduct security awareness training
C. Disable privileged and service accounts
D. Review audit trail
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is D. Review audit trail.
The audit trail is typically viewed as a detective control. Reviewing the audit trail can detect or discover intrusions or non-compliant activities.
According to ISO 14641:2018 (Electronic document management — Design and operation of an information system for the preservation of electronic documents — Specifications), an audit trail is the aggregate of the information necessary to provide a historical record of all significant events associated with stored information and the information system.
Accountability, Auditing, and Audit Trail
Accountability is achieved by auditing the audit trail so that each activity can be traced uniquely to an entity.
- Logs are the work product of accounting.
- Audit trail refers to a set of correlated logs.
- Auditing is the process of reviewing or examining logs.
Login attempts, whether successful or failed, produce logs. Enforcing the clipping level often leads to user lockouts and generates alerts. Its main purpose is to prevent account compromise.
Conducting security awareness training is an administrative and preventive control.
Disabling privileged and service accounts can be a recovery control if they are compromised.
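To make the contrast between the preventive clipping level and the detective audit-trail review concrete, here is an added example (not code from the original post). It parses a few constructed authentication log lines, correlates them into a per-account audit trail, applies an assumed clipping-level lockout rule, and then reviews the trail for indicators that a lockout rule alone would never raise. The log format, the user names, the IP addresses, the threshold of 5 failures in 10 minutes and the review rules are all assumptions made for the example.

```python
"""Added example: clipping-level lockout versus audit-trail review over constructed logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed "timestamp user result source_ip" format.
SAMPLE_LOGS = """\
2024-03-01T08:00:01 alice FAIL 10.0.0.5
2024-03-01T08:00:07 alice FAIL 10.0.0.5
2024-03-01T08:00:12 alice FAIL 10.0.0.5
2024-03-01T08:00:20 alice SUCCESS 10.0.0.5
2024-03-01T08:05:00 bob SUCCESS 10.0.0.9
2024-03-01T09:00:00 bob SUCCESS 203.0.113.7
2024-03-01T09:30:00 carol FAIL 10.0.0.12
2024-03-01T09:31:00 carol FAIL 10.0.0.12
2024-03-01T09:32:00 carol FAIL 10.0.0.12
2024-03-01T09:33:00 carol FAIL 10.0.0.12
2024-03-01T09:34:00 carol FAIL 10.0.0.12
"""

CLIPPING_LEVEL = 5            # assumed lockout threshold: failures within WINDOW
WINDOW = timedelta(minutes=10)  # assumed sliding window for counting failures


def parse_logs(text):
    """Turn raw log lines into event dicts: the work product of accounting."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "ip": ip})
    return events


def build_audit_trail(events):
    """Correlate events per account in time order: the audit trail."""
    trail = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        trail[e["user"]].append(e)
    return trail


def clipping_level_lockouts(trail):
    """Preventive rule: lock an account once failures inside WINDOW reach CLIPPING_LEVEL."""
    locked = set()
    for user, events in trail.items():
        failures = []
        for e in events:
            if e["result"] != "FAIL":
                continue
            failures.append(e["ts"])
            failures = [t for t in failures if e["ts"] - t <= WINDOW]
            if len(failures) >= CLIPPING_LEVEL:
                locked.add(user)
                break
    return locked


def review_audit_trail(trail):
    """Detective review: findings visible only when the whole trail is examined.

    Two assumed review rules:
      - a success that follows two or more failures (a burst that stayed below
        the clipping level, so no lockout fired);
      - a success from a source IP never seen before for that account.
    """
    findings = []
    for user, events in trail.items():
        failures_before = 0
        known_ips = set()
        for e in events:
            if e["result"] == "FAIL":
                failures_before += 1
                continue
            if failures_before >= 2:
                findings.append((user, f"success-after-{failures_before}-failures"))
            if known_ips and e["ip"] not in known_ips:
                findings.append((user, f"success-from-new-source-{e['ip']}"))
            known_ips.add(e["ip"])
            failures_before = 0
    return findings


if __name__ == "__main__":
    audit_trail = build_audit_trail(parse_logs(SAMPLE_LOGS))
    print("locked by clipping level:", sorted(clipping_level_lockouts(audit_trail)))
    for user, reason in review_audit_trail(audit_trail):
        print(f"review finding: {user}: {reason}")
```

In the constructed data only carol trips the clipping level, yet the review surfaces alice (a successful login right after a burst of failures that never reached the threshold) and bob (a successful login from a source the account had never used). The lockout rule prevents some attempts; only the review of the trail detects the compromises that got through.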