2- Exploring Control Types/ Methods Flashcards

1
Q

Control Types/ Functions

A

3 Control Types: technical, management, and operational.

3 primary control functions: preventative, detective, and corrective.

2
Q

NIST (National Institute of Standards and Technology) & Publications

A

The National Institute of Standards and Technology (NIST) is a part of the U.S. Department of Commerce, and it includes a Computer Security Division with the Information Technology Laboratory (ITL). The ITL publishes Special Publications (SPs) in the 800 series.

Many IT security professionals use these documents as references to design secure IT systems and networks.

Many security-related certifications (beyond the Security+ certification) also reference the SP 800 documents, both directly and indirectly.

NIST’s SP 800-53 revision three provides a formal definition of security controls. They are “the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information.”

3
Q

Control Type: Technical

A

Technical controls use technology to reduce vulnerabilities. Some examples include the principle of least privilege, antivirus software, IDSs, and firewalls.

4
Q

Control Type: Management

A

Management controls are primarily administrative in function. They use planning and assessment methods to provide an ongoing review of the organization’s ability to reduce and manage risk (e.g., vulnerability assessments and penetration tests).

A quantitative risk assessment uses cost and asset values to quantify risks based on monetary values. A qualitative risk assessment uses judgments to categorize risks based on probability and impact.

5
Q

Control Type: Operational

A

Operational controls help ensure that day-to-day operations of an organization comply with their overall security plan.

  • Awareness and training.
  • Configuration management.
  • Contingency planning.
  • Media protection.
  • Physical and environmental protection.

6
Q

Control-based Functions

A

Many controls are identified based on their function as opposed to the type of control. The three primary functions of controls are preventative, detective, and corrective.

7
Q

Control-based Functions: Preventive

A
  • Security guards.
  • Change management.
  • Account disablement policy.
  • System hardening.

A preventative control attempts to prevent an incident from occurring. Security guards can prevent unauthorized personnel from entering a secure area. A change management control helps prevent outages from ad-hoc (or as-needed) configuration mistakes. An account disablement policy ensures that a terminated employee’s account can’t be used.

8
Q

Control-based Functions: Detective

A

Detective controls can detect when a vulnerability has been exploited. Two examples are security audits and CCTV systems.

9
Q

Control-based Functions: Corrective

A
  • Active IDS.
  • Backups and system recovery.

10
Q

Access Control Models

A

Models you’ll learn are:

  • Role-/ rule-based access control (RBAC)
  • Discretionary access control (DAC)
  • Mandatory access control (MAC)
11
Q

Access Control Models: RBAC (Role-/ rule-based access control)

A

The RBAC model uses roles (often implemented as groups) to grant access by placing users into roles based on their assigned jobs, functions, or tasks (e.g., Microsoft’s Project Server). Each of these roles has rights and permissions assigned to it, and to give someone the associated privileges, you simply add the user’s account to the role.

RBAC is also called hierarchy-based or job-based access control.

In Windows domains, groups are often created to correspond to departments of an organization.

Rule-based access control is based on a set of approved instructions, such as an access control list.

If you’re using groups as part of a role-based access model, you can also use user templates.

12
Q

Access Control Models: RBAC (Role-/ rule-based access control)– summary

A

The use of roles, or groups, greatly simplifies user administration. Groups make it easier to grant appropriate permissions to new users, and they help enforce least privilege. The RBAC model can use user account templates to enforce the principle of least privilege. This ensures that new users are granted the access they need, and no more.

13
Q

Access Control Models: DAC (Discretionary access control)

A

In the DAC model, every object (such as files and folders) has an owner, and the owner establishes access for the objects. Many operating systems, such as Windows and most UNIX-based systems, use the DAC model.

A common example of the DAC model is the New Technology File System (NTFS) used in Windows. NTFS provides security by allowing users and administrators to restrict access to files and folders with permissions.

14
Q

Access Control Models: DAC (Discretionary access control)– summary

A

The DAC model specifies that every object has an owner, and the owner has full, explicit control of the object. Microsoft’s NTFS uses the DAC model.

15
Q

Access Control Models: DAC– SIDs & DACLs

A

Each user is identified with a security identifier (SID), although you will rarely see it.

Every object (such as a file or folder) includes a Discretionary Access Control List (DACL) that identifies who can access it in a system using the DAC model. The DACL is a list of Access Control Entries (ACEs). Each ACE is composed of a SID and the permission(s) granted to that SID.

16
Q

Access Control Models: DAC vs MAC

A

The DAC model is significantly more flexible than the MAC model described on the following cards. MAC has predefined access privileges, and the administrator is required to make any changes. With DAC, if you want to grant me access to a file you own, you simply make the change, and I have access.

17
Q

Access Control Models: DAC (Discretionary access control)– inherent flaw

A

An inherent flaw associated with the DAC model is the susceptibility to Trojan horses.

Trojan horses are executable files that masquerade as something useful but are actually malicious software.

18
Q

Access Control Models: MAC

A

The MAC model uses labels (sometimes referred to as sensitivity labels or security labels) to determine access. Both subjects (users) and objects (files or folders) are assigned labels. When the labels match, the appropriate permissions are granted.

Military units make wide use of this model to protect data. You may have seen movies where a folder is shown with a big red and black cover page with a label of “Top Secret.” The cover page identifies the sensitivity label for the data contained within.

19
Q

Access Control Models: MAC– summary

A

The MAC model uses sensitivity labels for users and data. SELinux (deployed in both Linux and UNIX platforms) is a trusted operating system platform using the MAC model that prevents malicious or suspicious code from executing on the system.

20
Q

Access Control Models: MAC– Labels and Lattice

A

The MAC model uses different levels of security to classify both the users and the data. These levels are defined in a lattice. The lattice can be a complex relationship between different ordered sets of multiple labels that define upper-level bounds and lower-level bounds.

21
Q

Physical Security Controls: Access Controls

A

Access controls are used to control entry and exit at different boundary points.

  • Perimeter.
  • Building.
  • Secure work areas.
  • Server and network devices.

22
Q

Physical Security Controls: Door Access Systems

A

Door access systems include cipher locks and proximity cards. In the event of a fire, they should allow personnel to exit the building without any form of authentication. Access points to datacenters and server rooms should be limited to a single entrance and exit whenever possible.

Proximity cards are credit-card-sized access cards; users pass the card near a proximity card reader, which then reads the data on the card. Proximity cards are used as an access control in some areas to electronically unlock doors, and they fall into the “something you have” factor of authentication. However, if users swap cards, the result is authorization verification without authentication. In other words, they are granted access (authorization) but their identity hasn’t actually been proved (authentication).

23
Q

Physical Security Controls: Tailgating

A

Tailgating occurs when one user follows closely behind another user without using credentials. Mantraps and security guards are effective controls against tailgating.

24
Q

Physical Security Controls: Mantraps

A

Mantraps control access between a secure area and a nonsecure area. They are very effective at preventing unauthorized access to sensitive areas of a building, and they can prevent the social engineering tactic known as tailgating or piggybacking. Mantraps can be highly technical, including rooms made of bulletproof glass, or simple, similar to a turnstile used in subways.

25
Q

Physical Security Controls: CCTV (Video Surveillance)

A

Video surveillance provides reliable proof of a person’s location and activity. It can be used by an organization to verify if any equipment or data is being removed.

Multiple different camera types can be used depending on your needs.

Video surveillance cameras are classified as:

  • Fixed
  • PTZ (Pan, Tilt, Zoom)
26
Q

Logical Access Controls: Principle of Least Privilege

A

The principle of least privilege is an example of a technical control that uses access controls.

The RBAC model uses roles (often implemented as groups) to grant access by placing users into roles based on their assigned jobs, functions, or tasks. A user account is placed into a role, inheriting the rights and permissions of the role. Rule-based access control is based on a set of approved instructions, such as an access control list.

27
Q

Logical Access Controls: ACLs (Access Control Lists)

A

Access control lists (ACLs) are used to specifically identify what is allowed and what is not allowed.

ACLs typically operate using an implicit deny policy. For example, NTFS uses a DACL to identify who is allowed access to a file or a folder. Unless someone explicitly grants permission for a user to access the file (either directly through a user account or through group membership), permission is implicitly denied.

Routers also use ACLs.

28
Q

Logical Access Controls: Group Policy

A

Group policy is implemented on a domain controller within a domain. Administrators use it to create password policies, lock down the GUI, configure host-based firewalls, and much more.

29
Q

Logical Access Controls: Password Policy

A

Password policies include several elements. The password history is used with the minimum password age to prevent users from changing their password. Maximum password age causes passwords to expire and requires users to change their passwords periodically. Minimum password length specifies the minimum number of characters in the password. Password complexity increases the key space, or complexity, of a password by requiring more character types.

30
Q

Logical Access Controls: Device Policy

A

Many companies employ two protections against the threat posed by removable devices such as USB flash drives, both of which can be enforced with Group Policy:

  • Disable Autorun. Autorun causes an application to run as soon as a user inserts a device into a system. Malware adds a virus to the device and modifies the autorun.inf file to run this virus each time the user inserts the device. When Autorun is disabled, the executables identified in the autorun.inf file cannot execute by default.
  • Prevent the installation of small devices. Administrators can prevent the installation of drivers such as for USB flash drives or MP3 players. This prevents systems from recognizing the devices and reduces the risks from these devices.
  • Detect the use of small devices. You can enforce a written policy through automatic detection.
31
Q

Account Management

A
  • Centralized: Lightweight Directory Access Protocol (LDAP) is a protocol that supports centralized management.
  • Decentralized: On Windows systems, the local database storing local user accounts is the Security Accounts Manager (SAM). The SAM provides a decentralized user account database.
32
Q

Account Management– summary

A

Account management specifies what to do with the accounts of employees who are on a leave of absence or who have been terminated. An account disablement policy ensures that inactive accounts are disabled. This is useful to ensure that terminated employees’ accounts cannot be used. Normally, accounts are disabled rather than deleted so that access to the account’s data is maintained until the company is sure it is no longer needed.

You can identify when a user logs on to a local system and when a user accesses a remote system by monitoring account logon events. Configuring account logon monitoring is an important security step for system monitoring.

33
Q

Chapter 2 Exam Topic Review

A

When preparing for the exam, make sure you understand these key concepts covered in this chapter.

Basic Control Types

  • A technical control is one that uses technology to reduce vulnerabilities. The principle of least privilege is a technical control.
  • Management controls are primarily administrative and include items such as risk and vulnerability assessments.
  • Operational controls help ensure that day-to-day operations of an organization comply with their overall security plan. Some examples include training, configuration management, and change management.
  • Preventative controls attempt to prevent an incident from occurring. Examples include change management plans, security guards, account disablement policies, and user training.
  • Detective controls can detect when a vulnerability has been exploited. Examples include security audits, such as a periodic review of user rights, and a CCTV system that can record and provide proof of a person’s actions, such as theft of resources.
  • Corrective controls attempt to reverse the impact of an incident or problem after it has occurred. Examples include active intrusion detection systems, backups, and system recovery plans.

Access Control Models

  • The role-based access control (RBAC) model uses roles (often implemented as groups) to grant access by placing users into roles based on their assigned jobs, functions, or tasks. Roles, or groups, simplify administration. RBAC supports the use of user templates to enforce least privilege.
  • The rule-based access control (RBAC) model is based on a set of approved instructions, such as access control list rules in a firewall.
  • In the discretionary access control (DAC) model, every object has an owner. The owner has explicit access and establishes access for any other user. Microsoft’s NTFS uses the DAC model, with every object having a Discretionary Access Control List (DACL). The DACL identifies who has access and what access they are granted. A major flaw of the DAC model is its susceptibility to Trojan horses.
  • Mandatory access control (MAC) uses security or sensitivity labels to identify objects (what you’ll secure) and subjects (users). The administrator establishes access based on predefined security labels that are typically defined with a lattice to specify the upper and lower security boundaries.

Physical Security Controls

  • Cipher locks and proximity cards are two examples of systems that control access at a door. In the event of a fire, they should allow personnel to exit the building without any form of authentication. Datacenters and server rooms should have only a single entrance and exit.
  • A proximity card can electronically unlock a door and helps prevent unauthorized personnel from entering a secure area. It falls into the something you have factor of authentication. If users swap cards, it results in authorization verification without authentication, since they are granted access without ever being authenticated.
  • Security guards are a preventative physical security control, and they can prevent unauthorized personnel from entering a secure area.
  • Closed-circuit television (CCTV) systems provide video surveillance. They provide reliable proof of a person’s location and activity, and can be used by an organization to verify if any equipment or data is being removed.
  • Tailgating (also called piggybacking) occurs when one user follows closely behind another user without using credentials. A mantrap can prevent tailgating. Security guards should be especially vigilant to watch for tailgating in high traffic areas.
  • Physical security also includes basic locks on doors and cabinets. Locked cabinets can prevent the theft of unused resources. Cable locks secure mobile computers.

Logical Access Controls
  • The principle of least privilege is a technical control that uses access controls. It specifies that individuals or processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more.
  • Group policy manages users and computers in a domain, and it is implemented on a domain controller within a domain. Administrators use it to create password policies, lock down the GUI, configure host-based firewalls, and much more.
  • Password policies provide a technical means to ensure users employ secure password practices.
      • Password length specifies the minimum number of characters.
      • Password history remembers past passwords and prevents users from reusing passwords.
      • Minimum password age is used with password history to prevent users from changing their password repeatedly to get back to the original password.
      • Maximum password age or password expiration forces users to change their password periodically. When administrators reset user passwords, the password should be immediately expired.
  • An account disablement policy ensures that inactive accounts are disabled. Accounts for employees that either resign or are terminated should be disabled. Temporary accounts should be set to automatically disable when possible.
  • Time restrictions can prevent users from logging in or accessing network resources during specific hours.
  • Account logon events include when a user logs on locally, and when the user accesses a resource such as a server over the network. These events are logged and can be monitored.