I don’t think it’s B. C is the bigger issue here because admin rights let users make unauthorized changes, which messes with both integrity and availability. B just covers viewing data, but C can lead to way worse breaches. Some might pick D for open-licensed software but that risk usually isn’t greater than allowing anyone to change configs. Open to other takes though.
Q: 3
An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?
Options
Discussion
Nah, B is tempting because of the sensitive data, but it's C. Admin rights let users make unauthorized changes, way riskier on an external system.
C or D. Both are risky but I'm leaning to C since unauthorized changes can break stuff or cause breaches. Not totally sure though, could see an argument for D.
Anyone else find the official guide hammers home least privilege for these? Similar practice questions almost always put C as the biggest risk.
Would C still be right if most users only had read-only access instead of admin?
It's C since admin access means users can change configs or data, intentionally or accidentally. That risk outweighs just seeing data (B) or installing stuff (D). Least privilege is totally ignored here. I saw a similar question in practice exams, and unauthorized changes were always flagged as highest risk when admin rights are overused. Anyone disagree?