21. Administrative Personnel Controls Flashcards

1
Q

Administrative Personnel Controls

Administrative Security

A

Means to control people's operational access to data

2
Q

Administrative Personnel Controls

Least privilege

A

Minimum necessary access - No more, no less

  • exactly the access rights they need
  • Go through the administrative process again if a change of access is required in the future
  • Requires a lot of time and effort to maintain - not ideal for emergency situations
3
Q

Administrative Personnel Controls

Need to know

A

Even if you have access, if you do not need to know, you should not have access


4
Q

Administrative Personnel Controls

Separation of Duties

A

Internal control intended to prevent fraud and error

  • Large organisations: the same person entering a purchase order does not issue the check
  • If one person can do all the admin controls himself, fraud is more likely
  • Exam assumes large organisation
5
Q

Administrative Personnel Controls

Job Rotation

A

Detect Errors and Frauds

  • Less chance of collusion between individuals if they rotate jobs
  • Helps avoid employee burnout
  • Can be cost prohibitive IRL
  • EXAM HINT: make sure cost justifies the benefit
6
Q

Administrative Personnel Controls

Mandatory Vacations

A

Ensure one person is not always performing the same task

  • Accounts can be locked and audited
  • Audit will discover fraud if employee has been covering it up
  • Give little or no notice
7
Q

Administrative Personnel Controls

Minimise insider threats with the 5 controls

A
  1. Least privilege
  2. Need to know
  3. Separation of duties
  4. Job rotation
  5. Mandatory Vacations
8
Q

Administrative Personnel Controls

NDA

New Employee

A

Non Disclosure Agreement

  • Clauses restricting employees' use and dissemination of company-owned confidential information
9
Q

Administrative Personnel Controls

Background Checks

New Employee

A
  1. References
  2. Degrees
  3. Employment
  4. Criminal
  5. Credit history

  • Typically for sensitive positions
  • Can be an ongoing process
10
Q

Administrative Personnel Controls

Privilege Monitoring

New Employee

A

Monitoring highly privileged employees

  • The more privilege an employee has, the more we need to keep an eye on them
  • More access = more responsibility = more scrutiny
  • Privileged employees can expose more risks
  • Should be automated as much as possible
11
Q

Administrative Personnel Controls

PAM

A

Privileged Account/Access Management

  • Account - Account safeguarded
  • Access - What the account has access to
  • Monitor - What, when, how, why, where

PAM LIFECYCLE

12
Q

Administrative Personnel Controls

Regular Users

PAM Monitoring

A

Analyse Performance
Improve Efficiency

13
Q

Administrative Personnel Controls

Privileged Users

PAM Monitoring

A

Access Matrix
(what changed?)

  • what was done, why, where, when
14
Q

Administrative Personnel Controls

All Users

PAM Monitoring

A
  1. Sensitive Data
  2. Critical Systems
  3. Insider/Outsider threats
  4. Compliance/regulatory requirements
15
Q

Administrative Personnel Controls

Systems

PAM Monitoring

A
  1. All servers (incl Jumpboxes)
  2. Endpoints
  3. Remote workstations
16
Q

Administrative Personnel Controls

Full Monitoring

A
  1. MFA changes
  2. Remote connections
  3. Logs and records
  4. Anomaly detection
  5. Full visibility of admins
17
Q

Administrative Personnel Controls

Logging and Monitoring Activity

A
  1. Logging - Raw data. Logs from apps and infrastructure
  2. Monitoring - Ensure apps and infrastructure are available on request, alert of any issues

  • Logging is raw data only; we don't do anything with it by itself
  • Monitoring is admins making sure infrastructure and apps are available. It is the use of the raw data
  • You cannot have monitoring without logging
18
Q

Administrative Personnel Controls

Threat Intelligence

A
  1. Threat Feeds
  2. Threat Hunting

Threat Feeds
* Raw data on current and potential threats
* Usable data such as suspicious domains, malware hashes, potential malicious code, flagged IPs

Threat Hunting
* Assume attackers are able to access our network undetected

19
Q

Administrative Personnel Controls

UEBA

A

User and Entity Behaviour Analytics

  • Machine/deep learning model
  • Typical and atypical user behaviour, set baselines
  • Deviations from baselines detect anomalies
20
Q

Administrative Personnel Controls

3 things required for UEBA

A
  1. Use Cases
  2. Data Sources
  3. Analytics

  1. Use Cases - what normal user activity looks like
  2. Data Sources - Data source, e.g. data lake/warehouse or SIEM
  3. Analytics - Build baselines to detect anomalies
    * Remember different users have different use cases
    * Use automation to look for anything out of the ordinary
    * Early on in implementation, there will be a lot of false positives