It is A for sure. If you have this account enabled, you don't know how the third party manages the credentials or protects the computer or the keys. Then it is a security hole, and it needs to be enabled only during outages or big faults.
A. Vendor access should be disabled until needed
Explanation:
Disabling vendor accounts until they are explicitly needed for emergency maintenance ensures that these accounts cannot be exploited when not in use. This approach minimizes the attack surface and mitigates risks associated with always-on vendor accounts, such as:
Unauthorized access due to weak or stolen vendor credentials.
Potential misuse by attackers exploiting dormant accounts.
By enabling access only on demand, the organization significantly reduces the likelihood of unauthorized access.
Disabling vendor access until it is needed is the best way to protect these accounts because it minimizes the window of opportunity for unauthorized access or misuse.
Role-based access control (RBAC) is the most effective way to protect vendor accounts for emergency maintenance.
By assigning specific permissions based on roles, organizations can ensure that vendors have only the necessary access to perform their tasks. This minimizes the risk of unauthorized actions and data breaches.
Here's a breakdown of why the other options are less effective:
A. Vendor access should be disabled until needed: While this can reduce risk, it can also hinder emergency response time.
B. Frequent monitoring of vendor access: Monitoring is important but doesn't prevent unauthorized access.
D. Encryption of routing tables: Unrelated to vendor account protection.
By implementing RBAC, organizations can establish granular control over vendor access and reduce the risk of security incidents.
A is a better choice than C. The answer is clearly A here. RBAC limits the role of the vendor account, but not enabling it until it's needed is the best way to ensure it gets used properly most of the time.
A: Emergency accounts are commonly a type of temporary account that needs to be disabled when not in use. Many SRGs/STIGs require that these accounts be accounted for and disabled in a timely manner when not actively needed.
"Emergency" should hopefully mean rarely used. If that's the case, then A. It could be a liability to give a third-party vendor RBAC access when they are rarely needed.
Vendors (not partners) are usually called upon on an ad hoc basis to offer intermittent service. These vendors are usually delegated certain RBAC access within an application and possibly within a database in support of the application or service that they are the vendor of. The best way is to leave the account disabled when not in use. Partners may have tools to monitor and authorization to provide ongoing support for applications; vendors would not. Vendors are much more restricted.
Answer A)
According to CIS (Center for Internet Security)
a. Emergency Accounts: Emergency Accounts are intended for short-term use and include restrictions on creation, point of origin, and usage (i.e., time of day, day of week). SEs may establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency accounts must be automatically disabled after 24 hours.
https://www.cisecurity.org/wp-content/uploads/2020/06/Account-Management-Access-Control-Standard.docx
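The CIS text quoted above gives a checkable rule (emergency accounts are short-term, need explicit authorization, and must be automatically disabled after 24 hours), and the RBAC arguments elsewhere in the thread add a second one (the account should carry only the vendor-maintenance roles). The script below is an added example, not code from any commenter or from CIS, that reviews an account inventory against both rules and lists which emergency accounts are due for automatic disablement. The record layout, the role names in ALLOWED_ROLES, the ticket field and all sample records are constructed assumptions for the example; a real deployment would read the records from its IAM system.

```python
from datetime import datetime, timedelta, timezone

# CIS rule quoted in the thread: emergency accounts are auto-disabled after 24 hours.
MAX_ACTIVE = timedelta(hours=24)

# Assumed role names: the only roles an emergency vendor account may hold (RBAC floor).
ALLOWED_ROLES = {"vendor-maintenance-readonly", "vendor-maintenance-app"}

# Constructed reference time so the example is deterministic offline.
NOW = datetime(2024, 3, 10, 9, 0, tzinfo=timezone.utc)

# Constructed sample inventory (not real data). Mimics an IAM export: one dict per
# account with type, enabled flag, when it was last enabled, roles, and the
# change/incident ticket that authorised the activation.
ACCOUNTS = [
    {"name": "svc-vendor-acme-emerg", "type": "emergency", "enabled": True,
     "enabled_at": NOW - timedelta(hours=30), "roles": ["vendor-maintenance-app"],
     "ticket": "INC-0001"},                       # enabled too long -> must be disabled
    {"name": "svc-vendor-beta-emerg", "type": "emergency", "enabled": True,
     "enabled_at": NOW - timedelta(hours=2), "roles": ["vendor-maintenance-app", "domain-admin"],
     "ticket": None},                             # within 24h, but no ticket and excess role
    {"name": "svc-vendor-gamma-emerg", "type": "emergency", "enabled": False,
     "enabled_at": None, "roles": ["vendor-maintenance-readonly"],
     "ticket": None},                             # compliant: disabled until needed
    {"name": "jdoe", "type": "standard", "enabled": True,
     "enabled_at": NOW - timedelta(days=400), "roles": ["helpdesk"],
     "ticket": None},                             # not an emergency account, out of scope
]


def review_accounts(accounts, now):
    """Return a list of findings for emergency accounts that break the policy."""
    findings = []
    for acct in accounts:
        if acct["type"] != "emergency":
            continue
        if acct["enabled"]:
            age = now - acct["enabled_at"]
            if age > MAX_ACTIVE:
                findings.append({"account": acct["name"], "issue": "expired",
                                 "detail": f"enabled for {age}, limit is {MAX_ACTIVE}"})
            if not acct.get("ticket"):
                findings.append({"account": acct["name"], "issue": "no_authorization",
                                 "detail": "enabled without an approving ticket"})
        excess = set(acct["roles"]) - ALLOWED_ROLES
        if excess:
            findings.append({"account": acct["name"], "issue": "excess_roles",
                             "detail": f"roles outside the vendor set: {sorted(excess)}"})
    return findings


def accounts_to_disable(accounts, now):
    """Names of emergency accounts that have exceeded the 24-hour window."""
    return sorted({f["account"] for f in review_accounts(accounts, now)
                   if f["issue"] == "expired"})


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, NOW):
        print(f"{f['account']}: {f['issue']} ({f['detail']})")
    print("disable now:", accounts_to_disable(ACCOUNTS, NOW))
```

Run on a schedule, the "expired" findings are what an automatic disablement job would act on; the "no_authorization" and "excess_roles" findings are the ones that show where disabling alone is not enough and role scoping still matters.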
I'm going with C. RBAC as opposed to A. Disabling until needed. My reason is because of the keyword "Emergency". Enabling a disabled account in a time of emergency can be time consuming and challenging, whereas in the case of RBAC, the needed access is all set to go. Logically, C. RBAC makes more sense. I believe the correct answer here is C.
A. It is an account that a vendor support engineer logs in to, and an in-house engineer will monitor while he is performing his support work.
The account is disabled once the job is completed.
RBAC for everyone, 99% of the time, unless it's another type of access control.
C is the best. This is how you should think to get the answer, not the real-world application. You can only apply one answer; which one will protect it? If you protect the account while it is disabled, what about when you need to enable it for an emergency? Without any RBAC on the vendor account, there is no control when you enable it. The CISSP exam doesn't like no control.