4.2 Reporting & communications: Findings & remediation Flashcards
Security Control Categories: define a security control
▪ A technology or procedure put in place to mitigate vulnerabilities and risk in order to ensure the confidentiality, integrity, availability, and nonrepudiation of data and information
▪ Security controls should be selected and deployed in a structured manner using an overall framework
Security Control Categories: explain the classes of control as per NIST SP 800-53 (6)
● Technical (Logical) Controls: A category of security control that is implemented as a system (hardware, software, or firmware)
● Operational Controls: A category of security control that is implemented primarily by people rather than systems
● Administrative Controls: A category of security control that provides oversight of the information system
● Preventative Control: A control that acts to eliminate or reduce the likelihood that an attack can succeed
● Detective Control: A control that may not prevent or deter access, but will identify and record any attempted or successful intrusion
● Corrective Control: A control that acts to eliminate or reduce the impact of an intrusion event
Security Control Categories: what are the other classes of control that are not mentioned in NIST SP 800-53?
▪ Physical Control: A type of security control that acts against in-person intrusion attempts
▪ Deterrent Control: A type of security control that discourages intrusion attempts
▪ Compensating Control: A type of security control that acts as a substitute for a principal control
Physical Controls: list the types of physical controls (6)
o Access Control Hardware: Badge reader, Biometric reader
o Access Control Vestibule (Mantrap): An area between two doorways that holds people until they are identified and authenticated
o Smart Locker: A fully integrated system that allows you to keep your laptop, tablet, smartphone, or other valuables inside
o Locking Racks/Cabinets: Controls physical access to networking equipment
o Employee Training: 69% ROI for SMBs, 248% ROI for large enterprises
o Video Surveillance: Used to figure out what happened in a certain area
Operational Controls: list the types of operational controls (7)
o Separation of Duties
o Job Rotation: Different users are trained to perform the tasks of the same position, to help prevent identity fraud that could occur if only one employee held that job
o Mandatory Vacation: An employee is required to take a vacation at some point during the year
o Employment and Termination Procedures: An administrative control that is focused on what to do when hiring and firing employees (e.g. security training)
o Auditing Requirements and Frequency
o Time of Day Restriction: Limits user access during non-business hours
Administrative Controls: list the types of administrative controls (4)
o Role Based Access Control
o Minimum Password Requirements: Complexity, Password Aging, Password History
o Policies and Procedures: Enable an organization to operate normally while minimizing cybersecurity incidents
o Software Development Life Cycle
System Hardening: what is hardening?
o The process by which a host or other device is made more secure through the reduction of that device’s attack surface
o Any service or interface that is enabled through the default installation and left unconfigured should be considered a vulnerability
System Hardening: what items should be on the system hardening checklist? (10)
▪ Remove or disable devices that are not needed or used
▪ Install OS, application, firmware, and driver patches regularly
▪ Uninstall all unnecessary network protocols
▪ Uninstall or disable all unnecessary services and shared folders
▪ Enforce Access Control Lists on all system resources
▪ Restrict user accounts to the least privileges needed
▪ Secure the local admin or root account by renaming it and changing its password
▪ Disable unnecessary default user and group accounts
▪ Verify permissions on system accounts and groups
▪ Install antimalware software and update its definitions regularly
▪ Consider how to also harden systems against availability attacks
Secure Coding: explain Input Validation
Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application
Secure Coding: where should input validation be conducted (client/server)? Is there a risk if input validation is done on the client or on the server?
▪ Input validation can be conducted locally (on client) or remotely (on server)
▪ Client-side input validation is more dangerous since it is vulnerable to malware interference
▪ Input should still undergo server-side validation after passing client-side validation
Secure Coding: how are input validation and normalization or sanitization related?
▪ Input should also be subjected to normalization or sanitization:
● Normalization: A string is stripped of illegal characters or substrings and converted to the accepted character set
● Canonicalization Attack: Attack method where input characters are encoded in such a way as to evade vulnerable input validation measures
Secure Coding: explain Output Encoding
Output encoding mitigates against code injection and XSS attacks that attempt to use input to run a script
Secure Coding: explain Parameterized Queries
▪ A technique that defends against SQL injection and insecure object references by incorporating placeholders in a SQL query
▪ Parameterized queries are a form of output encoding
Implementing MFA: explain Single Sign-On (SSO) and Multifactor Authentication (MFA)
o Single Sign-On (SSO): An authentication technology that enables a user to authenticate once and receive authorizations for multiple services
o Multifactor Authentication (MFA): An authentication scheme that requires the user to present at least two different factors as credentials, from something you know, something you have, something you are, something you do, and somewhere you are
Implementing MFA: what are the advantages and disadvantages of SSO?
o Advantage: User does not need multiple user accounts and passwords
o Disadvantage: If the user account is compromised, the attacker has access to everything