1B - Comparing Control Types

Question 1

What are the 3 main security control types?

Answer 1

Managerial, operational and technical

Question 2

What are managerial controls?

Answer 2

Written by managers. Create organisational policies and procedures to reduce risk within companies. They incorporate regulatory frameworks.

Question 3

2 examples of managerial controls.

Answer 3

1. Annual Risk Assessment - each department identifies risks and risk treatments and places them in a risk register. These are reviewed annually.
2. Penetration testing / vuln. scanning (N.B Difference is that penetration testing is intrusive since it exploits vulnerabilities, rather than just detects them)

Question 4

What are operational controls?

Answer 4

Executed by company personnel during their day-to-day.

Question 5

3 examples of operational controls.

Answer 5

1. Annual Security Awareness Training
2. Change Management - Change Advisory Board (CAB) assists with prioritisation of changes and ensure that they don’t cause security risks to the company.
3. Business Contingency Plan - planning to keep business up and running in events of disaster by identifying any single point of failure that many prevent a company from being operational.

Question 6

What are technical controls?

Answer 6

Implemented by the IT Team to reduce the risk to the business.

Question 7

5 examples of technical controls.

Answer 7

1. Firewall rules.
2. Antivirus/antimalware.
3. Screen savers
4. Screen filters
5. Intrusion Prevention / Detection Systems (IPS / IDS)

Question 8

Give 2 examples of deterrent controls?

Answer 8

1. Motion sensors that switch on a light

2. CCTV warning signs

Question 9

What are detective controls?

Answer 9

Used to investigate an incident that has happened.

Question 10

2 examples of detective controls.

Answer 10

1. CCTV

2. Log files (stored on Write-Once Read-Many (WORM) files so that they cannot be tampered with).

Question 11

What are corrective controls?

Answer 11

Actions taken to recover from an incident.

Question 12

Other names for compensating controls?

Answer 12

Alternative / Secondary Controls

Question 13

What are compensating controls?

Answer 13

Controls used instead of a primary control that has failed or is not available.

Question 14

What are preventative controls?

Answer 14

Controls that deter attack.

Question 15

2 examples of preventative controls.

Answer 15

1. Disabling User Accounts

2. Operating System Hardening - ensuring OS is fully patched and unused features are turned off.

Question 16

3 Parts of Access Controls? Explain / give examples for each.

Answer 16

1. Identification - e.g user account, smart card or fingerprint
2. Authentication - password or PIN
3. Authorisation - level of access or permissions that you have to apply to selected data.

Question 17

What is Discretionary Access Control?

Answer 17

Involves New Technology File System (NTFS) by Microsoft.

These user-based controls ensure the user is only given the access that they need to perform their job.

Question 18

List and describe the 8 permissions in NTFS.

Answer 18

1. Full control - full access
2. Modify - change data, read and read and execute
3. Read and execute - read a file and run a program if one is inside
4. List folder contents - expand a folder to see the subfolders within it.
5. Read - read contents.
6. Write - write to the file
7. Special permissions - granular access.
8. Data creator / owner - person who created the unclassified data and is responsible for authorising who has access.

Question 19

What are Mandatory Access Controls (MAC)?

Answer 19

Classification level of data, determined by how much damage could be inflicted.

Question 20

What are the MAC levels? Describe each

Answer 20

1. Top Secret - Highest level, exceptionally grave damaging.
2. Secret - causes serious damage.
3. Confidential - causes damage.
4. Restricted - Undesirable effects

Question 21

What are the MAC roles? Describe each.

Answer 21

1. Owner: person who writes data and only person that can determine the classification.
2. Steward: person responsible for labelling the data.
3. Custodian: person responsible for storing and managing data.
4. Security Administrator: person who gives access to classified data once clearance has been approved.

Question 22

What is role-based access conrtol?

Answer 22

Controls when a subset of the department carries out a subset of duties within a department

Question 23

What is rule-based access control?

Answer 23

RBAC.

Time-based or other restriction that is applied to all people within the department.

Question 24

What is Attribute Based Access Control?

Answer 24

ABAC.

Restricted based on an attribute in the account.

Question 25

What is Group Based Access Control?

Answer 25

People are put into groups to simplify access.

Question 26

What are the Linux File Permissions?

Answer 26

3 numbers: owner, group, all other users

Numerical values assigned:
1 - execute
2- write
4- read
(added up for multiple permissions)

OR alphabetical values assigned:
R: read
W: write
X: execute
(dashes replacing lack of permission)

Question 27

What is the permissions of a file with the following access level:

rwx rwx rw-

Answer 27

Owner has read, write and execute (full control|)
Group has read, write and execute (full control|)
All others have read and write permissions

Question 28

What is 764 access to a file?

Answer 28

Owner (7) has read, write an execute access.
Group (6) has read and write access.
All others (4) have read access.