Which of the following controls would mitigate these issues?

A penetration tester was able to obtain elevated privileges on a client workstation and multiple
servers using the credentials of an employee. Which of the following controls would mitigate these
issues? (Select TWO)

A. Separation of duties

B. Least privilege

C. Time of day restrictions

D. Account expiration

E. Discretionary access control

F. Password history




Salman

I believe it should be B & E; D is not correct.

Brian G

Password history, time of day restrictions, and account expiration would have no effect upon the ability to cause damage with current employee credentials. Discretionary access control is about allowing one employee to grant another employee access, and would actually increase the risk rather than mitigate it.

Least privilege means the employee can’t do anything not required by his/her job. Separation of duties means that two people are required to do anything which could be really damaging. Those are the two that are needed.

Lake

Brian G is correct. The question states that “A penetration tester was able to obtain elevated privileges on a client workstation and multiple servers using the credentials of an employee.” The keyword here is “multiple servers”.

Assuming the employee is an email administrator, then he would only have access to the workstation and the email server (not multiple servers such as email server, database server, authentication server, etc).

If the company implements separation of duties, then the company would have one employee doing email server, and another employee doing database server, etc.

Account expiration does NOT make any sense for mitigating the issues.

IThelper

I will go with A and B.

Tama

A and B correct