2- Exploring Control Types/ Methods Flashcards
Control Types/ Functions
3 Control Types: technical, management, and operational.
3 primary control functions: preventative, detective, and corrective.
NIST (National Institute of Standards and Technology) & Publications
The National Institute of Standards and Technology (NIST) is a part of the U.S. Department of Commerce, and it includes a Computer Security Division with the Information Technology Laboratory (ITL). The ITL publishes Special Publications (SPs) in the 800 series.
Many IT security professionals use these documents as references to design secure IT systems and networks.
Many security-related certifications (beyond the Security+ certification) also reference the SP 800 documents, both directly and indirectly.
NIST’s SP 800-53 revision three provides a formal definition of security controls. They are “the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information.”
Control Type: Technical
Technical controls use technology to reduce vulnerabilities. Some examples include the principle of least privilege, antivirus software, IDSs, and firewalls.
Control Type: Management
Management controls are primarily administrative in function. They use planning and assessment methods to provide an ongoing review of the organization’s ability to reduce and manage risk (e.g., vulnerability assessments and penetration tests).
A quantitative risk assessment uses cost and asset values to quantify risks based on monetary values. A qualitative risk assessment uses judgments to categorize risks based on probability and impact.
Control Type: Operational
Operational controls help ensure that day-to-day operations of an organization comply with their overall security plan.
- Awareness and training.
- Configuration management.
- Contingency planning.
- Media protection.
- Physical and environmental protection.
Control-based Functions
Many controls are identified based on their function as opposed to the type of control. The three primary functions of controls are preventative, detective, and corrective.
Control-based Functions: Preventive
- Security guards.
- Change management.
- Account disablement policy.
- System hardening.
A preventative control attempts to prevent an incident from occurring. Security guards can prevent unauthorized personnel from entering a secure area. A change management control helps prevent outages from ad-hoc (or as-needed) configuration mistakes. An account disablement policy ensures that a terminated employee’s account can’t be used.
Control-based Functions: Detective
Detective controls can detect when a vulnerability has been exploited. Two examples are security audits and CCTV systems.
Control-based Functions: Corrective
- Active IDS.
- Backups and system recovery.
Access Control Models
Models you’ll learn are:
- Role-/rule-based access control (RBAC)
- Discretionary access control (DAC)
- Mandatory access control (MAC)
Access Control Models: RBAC (Role-/rule-based access control)
The RBAC model uses roles (often implemented as groups) to grant access by placing users into roles based on their assigned jobs, functions, or tasks (e.g., Microsoft’s Project Server). Each of these roles has rights and permissions assigned to it, and to give someone the associated privileges, you’d simply add the user’s account to the role.
RBAC is also called hierarchy-based or job-based access control.
In Windows domains, groups are often created to correspond to departments of an organization.
Rule-based access control is based on a set of approved instructions, such as an access control list.
If you’re using groups as part of a role-based access model, you can also use user templates.
Access Control Models: RBAC (Role-/rule-based access control) – summary
The use of roles, or groups, greatly simplifies user administration. Groups make it easier to grant appropriate permissions to new users, and they help enforce least privilege. The RBAC model can use user account templates to enforce the principle of least privilege. This ensures that new users are granted the access they need, and no more.
Access Control Models: DAC (Discretionary access control)
In the DAC model, every object (such as files and folders) has an owner, and the owner establishes access for the objects. Many operating systems, such as Windows and most UNIX-based systems, use the DAC model.
A common example of the DAC model is the New Technology File System (NTFS) used in Windows. NTFS provides security by allowing users and administrators to restrict access to files and folders with permissions.
Access Control Models: DAC (Discretionary access control) – summary
The DAC model specifies that every object has an owner, and the owner has full, explicit control of the object. Microsoft’s NTFS uses the DAC model.
Access Control Models: DAC – SIDs & DACLs
Each user is identified with a security identifier (SID), although you will rarely see it.
Every object (such as a file or folder) includes a Discretionary Access Control List (DACL) that identifies who can access it in a system using the DAC model. The DACL is a list of Access Control Entries (ACEs). Each ACE is composed of a SID and the permission(s) granted to that SID.