Embarrassed to ask this... but...

shoey Member Posts: 111
:::hang my head in shame:::

These concepts are stupid easy (therefore, I must be really dumb) but I... for the life of me... keep screwing it up. Hopefully someone can shed some light as to what I'm doing wrong...

Question: "What security control is directly focused on preventing collusion?"
Answers: 1) Least Privilege, 2) <throw away>, 3) Separation of Duties, 4) <throw away>
Correct: Separation of Duties
My Answer: Least Privilege

Thought process:

Collusion "two or more people working together to commit fraud, blah blah blah."

Separation of Duties "two or more people required to complete a single task - prevent any one individual from being a single point of failure."

By implementing SoD aren't you essentially forcing collusion?! Now two people MUST work together IOT commit fraud/illegal activity/etc.

Least Privilege "employees given lowest amount of access/blah blah blah, required to do their job."

By implementing the concept of least privilege, wouldn't that mean even if employees attempted to collude they wouldn't have the necessary privileges to commit such activity, thereby preventing collusion?

Appreciate the assistance - I'm just trying to figure out a way to look at this differently, and am just... so embarrassed about asking this question.
"I have missed more than 9,000 shots in my career. I have lost almost 300 games. 26 times, I've been trusted to take the game winning shot and missed. I've failed over and over and over again in my life. And that is why I succeed." - Michael Jordan

Comments

  • rwmidl CISSP, CISM, MCSE, MCSA, MCPxAlot Worldwide Availability Member Posts: 807
    shoey wrote: »
    :::hang my head in shame:::

    These concepts are stupid easy (therefore, I must be really dumb) but I... for the life of me... keep screwing it up. Hopefully someone can shed some light as to what I'm doing wrong...

    Question: "What security control is directly focused on preventing collusion?"
    Answers: 1) Least Privilege, 2) <throw away>, 3) Separation of Duties, 4) <throw away>
    Correct: Separation of Duties
    My Answer: Least Privilege

    Thought process:

    Collusion "two or more people working together to commit fraud, blah blah blah."

    Separation of Duties "two or more people required to complete a single task - prevent any one individual from being a single point of failure."

    By implementing SoD aren't you essentially forcing collusion?! Now two people MUST work together IOT commit fraud/illegal activity/etc.

    Least Privilege "employees given lowest amount of access/blah blah blah, required to do their job."

    By implementing the concept of least privilege, wouldn't that mean even if employees attempted to collude they wouldn't have the necessary privileges to commit such activity, thereby preventing collusion?

    Appreciate the assistance - I'm just trying to figure out a way to look at this differently, and am just... so embarrassed about asking this question.

    The idea of Least Privilege is you are giving the person the bare minimum to do their job. If you have someone on help desk and their sole job is password reset, you are not going to give them full rights to your domain (just enough to reset passwords). Least privilege can also help prevent permission creep (people switching positions but retaining their previous permissions).

    SoD: the idea is you have more than one person to complete the task. So take finance, for example: you have one person "approve" a voucher, but you need another person to verify the voucher is correct and approve it for payment. Having two different people in different roles collude (while possible) is much less likely to happen vs. one person having the keys to the entire kingdom, so to speak. Plus it gives more oversight to the whole process (the person verifying the voucher will probably track to ensure the same PO/voucher is not being submitted multiple times).
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • TechGuru80 Member Posts: 1,539
    They probably are trying to think along the lines of overlapping privileges...hence SOD in a way prevents that. You are correct in that SOD forces people to collude to accomplish something...to be honest a lot of practice questions stink around SOD and collusion because the wording is always poor like that. SOD and collusion are always related terms...least privilege usually isn't the focus.
  • shoey Member Posts: 111
    Thanks for the help rwmidl and TechGuru80. When I saw this question I knew the answer was SoD, but inside of my head I'm thinking "well... technically...blah..." and assume they're trying to trip me up.

    Really appreciate the help! Also, for anyone reading this - the question came from the Sybex book, not a ****.
  • jt2929 Member Posts: 244
    In your original question, you are assuming both employees want to and would be willing to participate in the collusion. Don't assume anything on this test. Go on what the question asks.
  • the_Grinch Member Posts: 4,165
    Also, if you think about it, the ISC2 also talks about "vacations" or rotation of duties. Thus when you factor in separation of duties with the idea that the duties will rotate then collusion becomes that much more difficult. I find in the grand scheme of things their thought process is most people will want to work alone and forcing collusion is more likely to mean it won't happen.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • TranceSoulBrother Member Posts: 215
    OP,
    Since I'm also studying for the test, I will remind you what others have posted here: "For the CISSP, think like a manager and not like a technician"
    SOD will do more to prevent collusion (from a managerial perspective) than Least Privilege (a technical solution), since 2 employees will be harder pressed to mount a collusion conspiracy than someone with privilege creep. Just a thought.
    I aim to apply it to most questions presented in the test bank or the test itself.
  • Clm CISSP | CISM | CCSP | CCSK | AWS Architect Professional | Terraform Associate | PSM Member Posts: 444
    SOD is the answer because it is easier to do naughty things if you have all the accesses and control, but a normal person is less likely to do naughty things if they know they have to trick or convince a coworker to help them do naughty things.
    I find your lack of Cloud Security Disturbing!!!!!!!!!
    Connect with me on LinkedIn https://www.linkedin.com/in/myerscraig

  • beads Senior Member Posts: 1,521
    If it helps think of these questions like antonyms or opposites and this family of questions should become a breeze. I wish I could find a single page or site explaining how to write and understand answering multiple (guess) choice questions really work but my Google-Fu has thus failed me on this one.

    - b/eads
  • shoey Member Posts: 111
    beads wrote: »
    If it helps think of these questions like antonyms or opposites and this family of questions should become a breeze. I wish I could find a single page or site explaining how to write and understand answering multiple (guess) choice questions really work but my Google-Fu has thus failed me on this one.

    - b/eads

    This has helped me a bunch with these types of questions. I'm having a hard time not going too deep into the questions and really appreciate this tip! Thanks!
  • beads Senior Member Posts: 1,521
    Shoey;

    Don't be. This and many like it have been asked before. My personal lament is finding a source that can succinctly identify how these questions are really written from the test takers view. Really, there are maybe 7-8 types of questions and learning to identify them seems more daunting than need be.

    Sigh, to take my own advice: if you can't find it on your own, write a paper on it and let the collective throw tomatoes until it's perfect. Got it. I know what needs to be done.

    - b/eads
  • netdoc99 Member Posts: 8
    Think of separation of duties in a good literal example...

    One person is responsible for entering new vendors. Another person is responsible for paying their invoices... a fake vendor would get noticed prior to payment of a fake invoice.

    A better example would be one person printing the checks and another person signing them, or having two people co-sign each check.

    The goal is to keep one person from having the ability to commit fraud.

    Your confusion is not unfounded nor stupid.

    Another concept that is EASY to confuse is due diligence and due care.
    In the most literal meaning, due diligence is detecting a problem and due care is ongoing maintenance.

    Due Diligence = Do Detect
    Due Care = Do Correct

    I saw that explanation on CCCure and it stuck with me. Depending on the wording of the question - your mileage may vary.

    If you want the experience of questions being asked in a convoluted way - Check out Eric Conrad's tests. I am sure the questions are worded that way on purpose based on some of the comments made in other topics. When I first saw them... I was like what the hell?

    Good luck!
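As an added illustration (not code from any poster in this thread) of the voucher example rwmidl gives and the vendor/check example netdoc99 gives above: the Python below models a small accounts-payable workflow in which least privilege limits what each role may do at all, while separation of duties refuses to let the same person perform two conflicting steps on the same invoice, which is what forces a would-be fraudster to find an accomplice. The role names, permission strings and sample users are constructed for this example.

```python
# Least privilege: each role carries only the permissions its job needs.
ROLE_PERMS = {
    "ap_clerk": {"invoice:submit"},
    "ap_approver": {"invoice:approve"},
    "treasurer": {"payment:release"},
}
# Separation of duties: steps on the SAME invoice that must be done by
# different people, so that fraud needs at least two colluding employees.
SOD_CONFLICTS = {
    frozenset({"invoice:submit", "invoice:approve"}),
    frozenset({"invoice:approve", "payment:release"}),
    frozenset({"invoice:submit", "payment:release"}),
}
# Workflow order: each step needs the previous one recorded first.
REQUIRES = {"invoice:approve": "invoice:submit", "payment:release": "invoice:approve"}

class PolicyError(Exception):
    pass

def permissions(user_roles, user):
    """Union of the permissions of every role the user holds."""
    return set().union(*(ROLE_PERMS[r] for r in user_roles.get(user, ())))

def toxic_combinations(user_roles):
    """Users whose role mix lets them finish a conflicting pair alone (SoD defeated)."""
    return sorted(u for u in user_roles
                  if any(pair <= permissions(user_roles, u) for pair in SOD_CONFLICTS))

class AccountsPayable:
    def __init__(self, user_roles):
        self.user_roles = user_roles   # user -> set of roles (constructed sample data)
        self.invoices = {}             # invoice id -> {action: user who performed it}

    def act(self, user, action, invoice_id):
        if action not in permissions(self.user_roles, user):
            raise PolicyError(f"least privilege: {user} may not {action}")
        if action == "invoice:submit" and invoice_id in self.invoices:
            raise PolicyError(f"duplicate voucher {invoice_id}")  # same PO submitted twice
        history = self.invoices.get(invoice_id, {})
        if action in REQUIRES and REQUIRES[action] not in history:
            raise PolicyError(f"{action} requires {REQUIRES[action]} first")
        for done, who in history.items():
            if who == user and frozenset({done, action}) in SOD_CONFLICTS:
                raise PolicyError(f"separation of duties: {user} already did {done}")
        history[action] = user
        self.invoices[invoice_id] = history
        return dict(history)
```

Note that a user holding both ap_clerk and ap_approver passes the least-privilege check for each action individually; only the SoD check (and the toxic_combinations audit) catches that one person can now complete the fraud alone.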
  • luisbee CISSP / CRISC / CISM / CISA / ISO 27001:2013 LA London Member Posts: 28
    Since I am studying for my ISSAP, I have encountered this area and want to give my 2 cents on it.

    I would want to propose Separation of Duties as Isolation of Duties. The crux of it being that you would want to isolate duties that, when combined with other duties, may give rise to undesirable access or power that could lead to undesirable consequences, incl. collusion and fraud. Once isolated, you would be able to put into place systems to keep those duties isolated from one another.

    Some lovely ideas that have been thrown out on this topic...#think like a Manager not a Technician!!!
    Certs Achieved: CISA / CISM / CISSP / ISO 27001 Lead Auditor / CRISC
    Currently Studying: ISSAP / Python

    "Be silly. Be fun. Be different. Be crazy. Be you, because life is too short to be anything but happy." - Anon
  • ecuison CISSP, CCSP, TOGAF v9 Certified, Security+, Network+ Member Posts: 131
    SoD for sure. Least privilege should always be taken into account for any authorization granted to a provisioned account. The issue with collusion is when people have been in the same function for a long period of time, where the actors end up knowing and befriending their colleagues in said same function, where the long and slow act of collusion could occur. Mandatory vacations and "frequent" job rotations help mitigate the likelihood of this happening. But I have seen in my career where an entire shift was fired for collusion (Public Safety officers, Cashiers, Video Technicians, Surveillance, Cage managers. I worked for a Casino at the time this happened.)

    Good luck on your studies to becoming a CISSP!
    Accomplishments: B.S. - Business (Information Management) | CISSP | CCSP | TOGAF v9.2 Certified | Security + | Network +