General Security Concepts (12%) Flashcards
What are the four security control categories?
- Technical controls
- Managerial controls
- Operational controls
- Physical controls
Technical Controls
- Controls implemented using systems
- Operating system controls
- Firewalls, anti-virus
Managerial Controls
- Administrative controls associated with security design and implementation
- Security Policies, standard operating procedures
Operational Controls
- Controls implemented by people rather than systems
- Security guards, awareness programs
Physical Controls
- Limit physical access
- Guard shack, fences, locks
- Badge readers
Preventive control type examples for each control category
Firewall (Technical)
Onboarding policy (Managerial)
Guard shack (Operational)
Door lock (Physical)
Deterrent control type examples for each category
Splash screen / login banner (Technical)
Demotion (Managerial)
Reception Desk (Operational)
Warning Signs (Physical)
Detective control type examples for each category.
System Logs (Technical)
Review login reports (Managerial)
Property Patrols (Operational)
Motion detectors (Physical)
Corrective control types for each category
Backup recovery (Technical)
Policies for reporting issues (Managerial)
Contact authorities (Operational)
Fire extinguisher (Physical)
Compensating control types for each category.
Blocking instead of patching (Technical)
Separation of duties (Managerial)
Require multiple security staff (Operational)
Power Generator (Physical)
Directive control types for each category
File storage Policies (Technical)
Compliance Policies (Managerial)
Security Policy training (Operational)
Sign: Authorised Personnel Only (Physical)
What is a compensating control type
Control using other means when the existing controls aren't sufficient; may be temporary (e.g. a firewall rule while a patch is unavailable).
Directive control types
- Direct a subject towards security compliance
- A relatively weak security control
Preventive control types
Block access to a resource
Deterrent control types
Discourage an intrusion attempt.
Detective control types
Identify and log an intrusion attempt.
May not prevent access.
Corrective control types
Apply a control after an event has been detected.
Reverse the impact of an event
Continue operating with minimal downtime
The CIA triad
Combination of principles:
- Confidentiality (prevent disclosure of information to unauthorised individuals or systems)
- Integrity (messages can't be modified without detection)
- Availability (systems and networks must be up and running for authorised users)
Confidentiality
Certain information should only be known to certain people.
Encryption (encode messages so that only certain people can read them)
Access controls (selectively restrict access to a resource)
Two-factor authentication (additional confirmation before information is disclosed)
Integrity
Data is stored and transferred as intended
Hashing (map data of an arbitrary length to data of a fixed length; any change to the data changes the hash)
Digital signatures (mathematical scheme to verify the integrity and origin of data)
Certificates (combined with a digital signature to verify an individual or device)
Non-repudiation (provides proof of integrity; the data can be asserted to be genuine and from the claimed sender)
Availability
Information is accessible to authorised users
Redundancy (build services that will always be available)
Fault tolerance (the system will continue to run even when a failure occurs)
Patching (stability; close security holes)
Non Repudiation
Confirmation of integrity and proof or origin, with high assurance of authenticity.
Proof of integrity
Verify data does not change - The data remains accurate and consistent.
In cryptography, we use a hash to prove integrity: if the data changes, the hash changes. A hash alone doesn't associate the data with an individual; it only tells you whether the data has changed.
Proof that the message was not changed
Integrity
Prove the source of the message
Authentication
Make sure the signature isn’t fake
Non-Repudiation.
Sign with a private key
The private key is known only to the person sending the data; the signature is verified with the public key associated with that private key.
Explain the digital signature/hashing process to send a message.
- Alice hashes her plaintext message, producing a fixed-length hash.
- Alice uses her private key to sign (encrypt) that hash; the result is the digital signature.
- The signature is attached to the plaintext and both are sent to Bob.
- Bob uses Alice's public key to decrypt the signature, recovering the hash Alice computed.
- Bob hashes the received plaintext with the same hashing algorithm.
- If Bob's hash matches the recovered hash, the message was not changed (integrity) and only the holder of Alice's private key could have produced the signature (authentication, non-repudiation).
AAA Framework
Authentication (Prove you are who you say you are)
Authorisation (Based on your identification and authentication, what access do you have).
Accounting (Resources used: Login time, data sent and received, log out time).
Certificate authority
An organisation that creates a certificate for a device (or user) and digitally signs it with the CA's private key.
The certificate can then be installed on the device and used as an authentication factor.
Certificate based authentication
The device presents its certificate; the verifier already trusts the CA certificate, and therefore the CA's public key.
Checking the signature on the device certificate with the CA's public key shows that the device certificate was really signed by the CA.
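The signing steps on the Alice/Bob card and the certificate check above, as one added worked example (not code from the original flashcards). It uses a deliberately tiny textbook RSA so the "encrypt the hash with the private key, decrypt with the public key" framing can be watched directly; the primes, key sizes, the raw unpadded scheme and the `subject|e|n` certificate format are all assumptions for the demo and must never be used in practice, where a vetted library with 2048-bit+ keys and PSS/PKCS#1 padding does this.

```python
import hashlib

# Toy RSA for illustration only. Assumptions (not from the page): tiny primes,
# no padding, SHA-256 reduced mod n so the toy modulus can hold it.


def make_keypair(p, q, e=65537):
    """Return ((e, n) public, (d, n) private) from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def digest_int(data, n):
    """Hash the plaintext with SHA-256 and reduce it to an integer below n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, private_key):
    """Alice's step: hash the plaintext, then 'encrypt' the hash with the private key."""
    d, n = private_key
    return pow(digest_int(data, n), d, n)


def verify(data, signature, public_key):
    """Bob's step: 'decrypt' the signature with the public key and compare it
    to a fresh hash of the received plaintext."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(data, n)


# --- Certificate-based authentication -------------------------------------
# A certificate here is just the subject name plus the subject's public key,
# and the CA signs that blob. A verifier that trusts the CA's public key can
# then confirm a presented device certificate was really issued by the CA.

def encode_cert_body(subject, public_key):
    e, n = public_key
    return ("%s|%d|%d" % (subject, e, n)).encode()


def issue_certificate(subject, subject_public_key, ca_private_key):
    body = encode_cert_body(subject, subject_public_key)
    return {"subject": subject, "public_key": subject_public_key,
            "ca_signature": sign(body, ca_private_key)}


def certificate_is_valid(cert, ca_public_key):
    body = encode_cert_body(cert["subject"], cert["public_key"])
    return verify(body, cert["ca_signature"], ca_public_key)


def demo():
    # Small primes chosen for the toy; real keys are thousands of bits long.
    alice_pub, alice_priv = make_keypair(1000003, 1000033)
    ca_pub, ca_priv = make_keypair(1000037, 1000039)
    mallory_pub, mallory_priv = make_keypair(1000081, 1000099)

    message = b"Transfer 100 EUR to Bob"
    sig = sign(message, alice_priv)
    results = {
        "genuine": verify(message, sig, alice_pub),                          # True
        "tampered": verify(b"Transfer 900 EUR to Bob", sig, alice_pub),      # False
        "wrong_key": verify(message, sign(message, mallory_priv), alice_pub),  # False
    }

    device_cert = issue_certificate("printer-01", alice_pub, ca_priv)
    rogue_cert = issue_certificate("printer-01", mallory_pub, mallory_priv)
    results["device_cert_ok"] = certificate_is_valid(device_cert, ca_pub)   # True
    results["rogue_cert_ok"] = certificate_is_valid(rogue_cert, ca_pub)     # False
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-15s %s" % (name, outcome))
```

Note what each failure case demonstrates: the tampered message fails because the hash no longer matches (integrity), the signature made with Mallory's private key fails against Alice's public key (authentication, non-repudiation), and the rogue certificate fails because it was not signed by the CA the verifier trusts, even though its subject name claims to be the same printer.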
Authorisation (Abstractions) benefits
- Reduce complexity
- Create a clear relationship between the user and the resource.
- Administration is streamlined.
How the authorisation model works
User devices added to a specific group. Group members would have access to all of the necessary information required for them to work.
Gap analysis
Where you are compared to where you want to be. This may require extensive research - there is a lot to consider.
Zero trust.
Nothing is trusted, everything is subject to security checks. Multi-factor authentication, encryption, system permissions, additional firewalls, monitoring and analytics.
Many networks are relatively open on the inside, once you’re through the firewall, there are few security controls - this is not an example of zero trust.
Planes of operation. (Zero trust) (Applies to physical, virtual and cloud components)
Split the network into functional planes
Data plane - processes the frames, packets and network data: processing, forwarding, trunking, encrypting, NAT.
Control plane - manages the actions of the data plane: defines policies and rules, determines how packets should be forwarded, holds the routing tables, session tables and NAT tables.
Controlling trust using adaptive identity
Consider the source of the request and the requested resource.
Multiple risk indicators (e.g. the requester's relationship to the organisation)
Make the authentication stronger, if needed.
Controlling trust using threat scope reduction
Decrease the number of possible entry points
Controlling trust using policy driven access control
Combine the adaptive identity with a predefined set of rules.
Security zones
Used to define where a connection comes from and where it is going.
Security zones look at where we're connecting from and where we're trying to connect to.
Zones can be used to deny access, for example traffic from an untrusted zone to a trusted zone.
Zones can be used to implicitly trust, for example traffic from a trusted zone to an internal zone.
Policy enforcement point
Any subject or system communicating through the network is subject to scrutiny by the PEP (policy enforcement point).
The PEP doesn't make the decision on whether traffic is allowed or denied; it gathers information, provides it to the policy decision point (PDP), and enforces the answer it gets back.
Which two components make up the policy decision point (PDP)?
Policy engine, policy administrator
Policy engine
Evaluates each access decision based on policy and other information sources
Policy Administrator
- Communicates with the policy enforcement point
- Generates access tokens or credentials
- Tells the PEP to allow or disallow access
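The zero-trust pieces on the cards above (security zones, group-based authorisation, adaptive identity, and the PEP / policy engine / policy administrator split), wired together as one added example that is not part of the original flashcards. The zone names, the group-to-resource table, the risk weights and MFA threshold, and the HMAC token format are all illustrative assumptions for the demo.

```python
import hashlib
import hmac
import json

# Added example; all tables below are constructed for the demo, not from the page.

# Security zones: which (source, destination) pairs may talk at all.
ZONE_RULES = {
    ("untrusted", "trusted"): False,   # e.g. Internet -> data centre: deny outright
    ("untrusted", "internal"): True,   # allowed, but still subject to the checks below
    ("internal", "trusted"): True,     # implicit trust between trusted zones
    ("internal", "internal"): True,
}

# Authorisation abstraction: users sit in groups, groups map to resources.
GROUP_ACCESS = {
    "finance": {"payroll-db"},
    "it": {"payroll-db", "jump-host"},
}

# Adaptive identity: each risk indicator adds to a score; at or above the
# threshold the engine insists on MFA before it will allow access.
RISK_WEIGHTS = {"new_location": 2, "unmanaged_device": 3, "contractor": 1}
MFA_THRESHOLD = 2

TOKEN_KEY = b"policy-administrator-demo-key"   # constructed; would be a managed secret


class PolicyEngine:
    """Evaluates each access decision against policy and the gathered context."""

    def evaluate(self, ctx):
        if not ZONE_RULES.get((ctx["from_zone"], ctx["to_zone"]), False):
            return False, "zone policy denies traffic"
        if ctx["resource"] not in GROUP_ACCESS.get(ctx["group"], set()):
            return False, "group not authorised for resource"
        risk = sum(RISK_WEIGHTS.get(i, 0) for i in ctx["risk_indicators"])
        if risk >= MFA_THRESHOLD and not ctx["mfa_passed"]:
            return False, "risk score %d requires MFA" % risk
        return True, "allowed with risk score %d" % risk


class PolicyAdministrator:
    """Takes the engine's verdict, mints a credential on allow, answers the PEP."""

    def __init__(self, engine):
        self.engine = engine

    def decide(self, ctx):
        allowed, reason = self.engine.evaluate(ctx)
        token = mint_token(ctx["user"], ctx["resource"]) if allowed else None
        return allowed, reason, token


class PolicyEnforcementPoint:
    """Sits in the traffic path; gathers context and enforces the PDP's answer.
    It never decides on its own."""

    def __init__(self, administrator):
        self.administrator = administrator

    def handle(self, request):
        ctx = dict(request)   # a real PEP would add source IP, device posture, time of day...
        allowed, reason, token = self.administrator.decide(ctx)
        return {"allowed": allowed, "reason": reason, "token": token}


def mint_token(user, resource):
    """Credential the PA hands back on allow: a JSON payload plus an HMAC over it."""
    payload = json.dumps({"sub": user, "res": resource}, sort_keys=True)
    mac = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + mac


def token_is_valid(token):
    payload, _, mac = token.rpartition(".")
    expected = hmac.new(TOKEN_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def run_scenarios():
    pep = PolicyEnforcementPoint(PolicyAdministrator(PolicyEngine()))
    base = {"user": "alice", "group": "finance", "resource": "payroll-db",
            "from_zone": "internal", "to_zone": "trusted",
            "risk_indicators": [], "mfa_passed": False}
    contractor = {**base, "user": "carol", "group": "it", "resource": "jump-host",
                  "from_zone": "untrusted", "to_zone": "internal",
                  "risk_indicators": ["contractor", "new_location"]}
    scenarios = {
        "finance_from_internal": base,                                  # allowed
        "finance_from_internet": {**base, "from_zone": "untrusted"},    # zone deny
        "finance_to_jump_host": {**base, "resource": "jump-host"},      # group deny
        "contractor_no_mfa": contractor,                                # risk 3, needs MFA
        "contractor_with_mfa": {**contractor, "mfa_passed": True},      # allowed
    }
    return {name: pep.handle(req) for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print("%-22s %-5s %s" % (name, verdict["allowed"], verdict["reason"]))
```

The order of checks in `PolicyEngine.evaluate` is the point: zone policy is applied first (an untrusted-to-trusted request is refused before identity is even considered), then the group authorisation, and only then the adaptive-identity step that strengthens authentication when the risk indicators add up. The PEP does nothing but relay context and enforce the verdict, matching the card above.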
Physical Security - Bollards
Prevent access
Channel people through a specific access point
Identify safety concerns
Physical Security - Vestibules
Access control vestibule: a set of doors that lock or unlock in a specific sequence (e.g. one door must close before the next will open) or require an ID card, so only one person at a time passes through.
Physical Security - Fence
Build a perimeter; usually very obvious, but prevents access.
Physical Security - Video Surveillance
CCTV, Motion detection,
Physical security - guards and badges
Security guard - physical protection at the reception area of a facility.
Two-person integrity/control - no single person has sole access to a physical asset.
Access badge - picture, name and other details; must be worn at all times; badge use is electronically logged.
Physical control - Lighting
More light means more security; attackers avoid the light.
Specialised design considers the overall light levels.
Physical control - Sensors
Infrared - detects infrared radiation in both light and dark; common in motion detectors.
Pressure - detects a change in force; floor or window sensors.
Microwave - detects movement across large areas.
Ultrasonic - sends ultrasonic signals and receives the reflected sound waves to detect motion.
Honeypot
Attracts attackers (mostly automated systems, sometimes real people) to a decoy system; watching them gives a virtual view of their attack methods.
Honeynets
A real network which includes more than one single device
- Servers, workstations, routers, switches, firewalls.
Honeyfiles
Files with fake but plausible-looking information (e.g. passwords.txt), placed as bait for the attacker.
An alert is raised when the file is accessed.
Honey token.
Traceable fake data added to the honeypot or a honeyfile; if it is used or turns up elsewhere, you know where it leaked from.
- Fake API credentials (never issued to anyone, so any use is an attacker)
- Fake email addresses (constantly monitor the internet for them to appear)
- Any type of data that can be uniquely found again
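How the honeytoken idea on the last cards turns into a detection, as an added example that is not part of the original flashcards. The token values, the log format and the "planted in" locations are constructed for the demo; in a real deployment the tokens would be minted with `secrets.token_hex()` and the alerts shipped to a SIEM.

```python
import re

# Added example; tokens, log lines and locations below are constructed, not from the page.

# Honeytokens: credentials and addresses never handed to a legitimate user,
# so any appearance of them is itself the signal. Value -> where it was planted.
HONEYTOKENS = {
    "AKIAHONEY0000EXAMPLE": "fake cloud access key planted in honeyfile /srv/share/passwords.txt",
    "hk_live_1f2e3d4c5b6a7988": "fake API key planted in the honeynet's config repository",
    "sarah.finance@corp-example.com": "fake mailbox seeded in the honeyfile address book",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample log lines: an API gateway, an SMTP server, object storage.
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z gw 198.51.100.4 POST /v1/orders key=pk_live_9a8b7c6d status=200",
    "2024-05-01T10:04:37Z gw 203.0.113.7 GET /v1/accounts key=hk_live_1f2e3d4c5b6a7988 status=401",
    "2024-05-01T10:05:02Z smtp 192.0.2.19 RCPT TO:<sarah.finance@corp-example.com> reject=spam",
    "2024-05-01T10:06:44Z gw 198.51.100.4 GET /v1/health status=200",
    "2024-05-01T10:09:15Z s3 203.0.113.7 GetObject access_key=AKIAHONEY0000EXAMPLE denied",
]


def scan_logs(lines, tokens=HONEYTOKENS):
    """Return one alert per log line that contains a honeytoken.
    Matching is a literal substring check, so each token must be long and
    random enough never to collide with real data."""
    alerts = []
    for line in lines:
        for token, planted_in in tokens.items():
            if token in line:
                ip = IPV4_RE.search(line)
                alerts.append({
                    "token": token,
                    "planted_in": planted_in,      # tells you which bait was taken
                    "source_ip": ip.group(0) if ip else None,
                    "line": line,
                })
    return alerts


def attackers_by_source(alerts):
    """Count alerts per source IP: one address touching several tokens
    suggests a single actor working through the contents of a honeyfile."""
    counts = {}
    for alert in alerts:
        counts[alert["source_ip"]] = counts.get(alert["source_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for alert in found:
        print("ALERT", alert["source_ip"], alert["token"], "->", alert["planted_in"])
    print(attackers_by_source(found))
```

The legitimate key `pk_live_9a8b7c6d` on the first line never trips the scanner, while the fake API key and the fake access key are both used from 203.0.113.7, which points back at the honeyfile that actor opened; the fake mailbox appearing in the SMTP log shows the address book has leaked to a spam list.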