Which of the following is the best to detect account compromise? (Source: Wentz QOTD)
A. Enforce the clipping level to lockout users
B. Conduct security awareness training
C. Disable privileged and service accounts
D. Review audit trail

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Review audit trail.

The audit trail is typically viewed as a detective control. Reviewing the audit trail can detect or discover intrusions or uncompliant activities.

According to ISO 14641:2018 (Electronic document management — Design and operation of an information system for the preservation of electronic documents — Specifications), an audit trail is the aggregate of the information necessary to provide a historical record of all significant events associated with stored information and the information system.

Accountability, Auditing, and Audit Trail

Accountability can be achieved through auditing the audit trail to trace the activity to an entity uniquely.

• Logs are the work product of accounting.
• Audit trail refers to a set of correlated logs.
• Auditing is the process of reviewing or examining logs.

Login attempts, either success or failure, will produce logs. Enforcing the clipping level often leads to user lockouts and generate alerts. Its main purpose is to prevent account compromise.

Conducting security awareness training is administrative and preventive control.

Disabling privileged and service accounts can be recovery control if they are compromised.

Reference

• Network Access Control
• Captive portal
• Honeypot (computing)
• What is an Intrusion Prevention System – IPS
• Accountability

以下哪項是檢測帳戶入侵的最佳方法？
A. 實施用戶鎖定級別(clipping level)
B. 進行安全意識培訓
C. 禁用特權和服務帳戶
D. 審核審計線索(audit trail)