Embarrassed to ask this... but...

shoey

:::hang my head in shame:::

These concepts are stupid easy (therefore, I must be really dumb) but I... for the life of me... keep screwing it up. Hopefully someone can shed some light as to what I'm doing wrong...

Question: "What security control is directly focused on preventing collusion?"
Answers: 1) Least Privilege, 2) <throw away>, 3) Separation of Duties, 4) <throw away>
Correct: Separation of Duties
My Answer: Least Privilege

Thought process:

Collusion "two or more people working together to commit fraud, blah blah blah."

Separation of Duties "two or more people required to complete a single task - prevent any one individual from being a single point of failure."

By implementing SoD aren't you essentially forcing collusion?! Now two people MUST work together IOT commit fraud/illegal activity/etc.

Least Privilege "employees given lowest amount of access/blah blah blah, required to do their job."

By implementing the concept of least privilege, wouldn't that mean even if employees attempted to collude they wouldn't have the necessary privileges to commit such activity, thereby preventing collusion?

Appreciate the assistance - I'm just trying to figure out a way to look at this differently, and am just... so embarrassed about asking this question.

rwmidl

shoey wrote: »

:::hang my head in shame:::

These concepts are stupid easy (therefore, I must be really dumb) but I... for the life of me... keep screwing it up. Hopefully someone can shed some light as to what I'm doing wrong...

Question: "What security control is directly focused on preventing collusion?"
Answers: 1) Least Privilege, 2) <throw away>, 3) Separation of Duties, 4) <throw away>
Correct: Separation of Duties
My Answer: Least Privilege

Thought process:

Collusion "two or more people working together to commit fraud, blah blah blah."

Separation of Duties "two or more people required to complete a single task - prevent any one individual from being a single point of failure."

By implementing SoD aren't you essentially forcing collusion?! Now two people MUST work together IOT commit fraud/illegal activity/etc.

Least Privilege "employees given lowest amount of access/blah blah blah, required to do their job."

By implementing the concept of least privilege, wouldn't that mean even if employees attempted to collude they wouldn't have the necessary privileges to commit such activity, thereby preventing collusion?

Appreciate the assistance - I'm just trying to figure out a way to look at this differently, and am just... so embarrassed about asking this question.

The idea of Least Privilege is you are giving the person the bare minimum to do their job. If you have someone on help desk and their sole job is password reset, you are not going to give them full rights to your domain (just enough to reset passwords). Least privilege can also help prevent permission creep (people switching positions but retaining their previous permissions).

SoD the idea is you have more than one person to complete the task. So take for example finance, you have one person "approve" a voucher but you need another person to verify the voucher is correct and approve for payment. Having two different people in different collude (while possible) is much less likely to happen vs one person having the keys to the entire kingdom, so to speak. Plus it gives more oversight to the whole process (the person verifying the voucher will probably track to ensure the same PO/voucher is not being submitted multiple times).

TechGuru80

They probably are trying to think along the lines of overlapping privileges...hence SOD in a way prevents that. You are correct in that SOD forces people to collude to accomplish something...to be honest a lot of practice questions stink around SOD and collusion because the wording is always poor like that. SOD and collusion are always related terms...least privilege usually isn't the focus.

shoey

Thanks for the help rwmidl and TechGuru80. When I saw this question I knew the answer was SoD, but inside of my head I'm thinking "well... technically...blah..." and assume they're trying to trip me up.

Really appreciate the help! Also, for anyone reading this - the question came from the sybex book, not a ****.

jt2929

In your original question, you are assuming both employees want to and would be willing to participate in the collusion. Don't assume anything on this test. Go on what the question asks.

the_Grinch

Also, if you think about it, the ISC2 also talks about "vacations" or rotation of duties. Thus when you factor in separation of duties with the idea that the duties will rotate then collusion becomes that much more difficult. I find in the grand scheme of things their thought process is most people will want to work alone and forcing collusion is more likely to mean it won't happen.

TranceSoulBrother

OP,
Since I'm also studying for the test, I will remind you what others have posted here: "For the CISSP, think like a manager and not like a technician"
SOD will do more to prevent collusion (from a managerial perspective) than Least Privilege (Technical solution) since 2 employees will be more hard pressed to mount a collusion conspiracy than someone with privilege creep. Just a thought.
I aim to apply it to most questions presented in the test bank or the test itself.

Clm

SOD is the answer because it easier to do naughty things if you have all the accesses and control but a normal person is less likely to do naughty things if they know they have to trick or convince a coworker to help them do naughty things

beads

If it helps think of these questions like antonyms or opposites and this family of questions should become a breeze. I wish I could find a single page or site explaining how to write and understand answering multiple (guess) choice questions really work but my Google-Fu has thus failed me on this one.

- b/eads

shoey

beads wrote: »

If it helps think of these questions like antonyms or opposites and this family of questions should become a breeze. I wish I could find a single page or site explaining how to write and understand answering multiple (guess) choice questions really work but my Google-Fu has thus failed me on this one.

- b/eads

Has helped me a bunch with these type of questions. I'm having a hard time not going to deep into the questions and really appreciate this tip! Thanks!

beads

Shoey;

Don't be. This and many like it have been asked before. My personal lament is finding a source that can succinctly identify how these questions are really written from the test takers view. Really, there are maybe 7-8 types of questions and learning to identify them seems more daunting than need be.

Sigh, to take my own advice if you can't find it on your own write a paper on it and let the collective throw tomatoes until its perfect. Got it. I know what needs to be done.

- b/eads

netdoc99

think of separation of duties in a good literal example...

one person is responsible for entering new vendors. Another person is responsible to pay their invoice.... a fake vendor would get noticed prior to payment of a fake invoice.

A better example would be one person printing the checks, another person signing them or have two people co-sign each check.

The goal is to keep one person from having the ability to commit fraud.

Your confusion is not unfounded nor stupid.

Another concept that is EASY to confuse is due diligence and due care.
In the most literal meaning, due diligence is detecting a problem and due care is ongoing maintenance.

Due Diligence = Do Detect Due Care = Do Correct

I saw that explanation on CCCure and it stuck with me. Depending on the wording of the question - your mileage may vary.

If you want the experience of questions being asked in a convoluted way - Check out Eric Conrad's tests. I am sure the questions are worded that way on purpose based on some of the comments made in other topics. When I first saw them... I was like what the hell?

Good luck!

luisbee

Since am studying for my ISSAP, i have encountered this area and would want to give my 2 cents on it..

I would want to propose Separation of Duties as Isolation of Duties. The crust of it being that you would want to isolate duties that when combined with other duties may give rise to undesirable access or power that could lead to undesirable consequences incl. collusion and fraud. Once isolated, you would be able to put into place systems to keep those duties isolated from one another.

Some lovely ideas that have been thrown out on this topic...#think like a Manager not a Technician!!!

ecuison

SoD for sure. Least privilage should always be taken into account for any authorization granted to a provisioned account. The issue with collusion is when people have been in the same function for a long period of time where the actors end up knowing and friending their colleagues in said same function where the long and slow act of collusion could occur. Mandatory vacations and "frequent" job rotations help mitigate the likely hood of this happening. But I have seen in my career, where an entire shift was fired for collusion (Public Safety officers, Cashiers, Video Technicians, Surveillance, Cage managers. I worked for a Casino at the time this happend)

Good luck on your studies to becoming a CISSP!