Preventing and Deterring Attacks from Insider Threats: Effective Strategies and Solutions

Best Strategies to Prevent Insider Attacks

Question

A large enterprise with thousands of users is experiencing a relatively high frequency of malicious activity from insider threats.

Much of the activity appears to involve internal reconnaissance that results in targeted attacks against privileged users and network file shares.

Given this scenario, which of the following would MOST likely prevent or deter these attacks? (Choose two.)

Answers

Explanations



CD.

In this scenario, the organization is experiencing insider threats where malicious activity is being carried out by privileged users who are performing internal reconnaissance and targeting network file shares. To prevent or deter such attacks, the organization can take the following two steps:

A. Conduct role-based training for privileged users that highlights common threats against them and covers best practices to thwart attacks:

The first step is to provide role-based training to privileged users. The training should highlight common threats that they might face and cover best practices that they can adopt to prevent and thwart such attacks. This would help users to identify and avoid potential attack vectors, which in turn would reduce the risk of successful attacks. The training should also emphasize the importance of good security practices and adherence to the organization's security policies.

D. Modify the existing rules of behavior to include an explicit statement prohibiting users from enumerating user and file directories using available tools and/or accessing visible resources that do not directly pertain to their job functions:

The second step is to modify the existing rules of behavior to explicitly prohibit users from enumerating user and file directories using available tools and/or accessing visible resources that do not directly pertain to their job functions. This would help to limit the ability of malicious insiders to gather information that they can use to carry out targeted attacks against privileged users and network file shares. The policy should be communicated to all users and strictly enforced.

Option B, increasing the frequency of host operating system vulnerability scans and decreasing the time between vulnerability identification and patch application, is a good security practice but is less likely to prevent or deter insider threats. This is because insiders already have knowledge of, and legitimate access to, the systems and data, which means that they can exploit vulnerabilities before they are detected and patched.

Option C, enforcing command shell restrictions via group policies for all workstations, is a good security practice but is less likely to prevent or deter insider threats. This is because insiders with administrative privileges can bypass such restrictions.

Option E, implementing full-disk encryption and configuring UEFI instances to require complex passwords for authentication, is a good security practice but is less likely to prevent or deter insider threats. This is because insiders with legitimate access to the systems and data can still carry out malicious activities.

Option F, implementing application blacklisting enforced by the operating systems of all machines in the enterprise, is a good security practice but is less likely to prevent or deter insider threats. This is because insiders with administrative privileges can bypass such restrictions.