Procedural and People Security Controls Flashcards
Procedural & People Security Controls
Three categories of security controls: Physical controls, technical controls, and procedural/administrative controls.
- Procedural controls focus on personnel and administrative procedures.
- Controls can interact with technology and physical security.
- Examples of procedural controls: Clear desk policy, password policies.
- People within the organization can introduce risk, intentionally or unintentionally.
- Administrative procedures that support securing people: Employment contracts, due care and due diligence, acceptable use policies, least privilege and need to know, separation of duties, job rotation, and culture.
Which of the following is an example of a procedural control aimed at securing people within an organization?
A) Firewalls and intrusion detection systems
B) Biometric authentication systems
C) Employment contracts
D) Security cameras
C) Employment contracts
Procedural controls focus on administrative procedures and personnel within an organization. Options A, B, and D are technical or physical controls that do not directly address securing people. Option C, employment contracts, outlines the terms and conditions of employment, including security-related obligations, and is an example of a procedural control.
Which of the following control measures promotes the principle of least privilege and need-to-know?
A) Firewalls and intrusion detection systems
B) Role-based access control (RBAC)
C) Security awareness training
D) Physical access controls
B) Role-based access control (RBAC)
The principle of least privilege and need-to-know is about granting individuals only the minimum privileges necessary to perform their job functions and providing them with access to only the information they require. Option A, firewalls and intrusion detection systems, is a technical control related to network security. Option D, physical access controls, is a physical control related to restricting access to physical locations. Option C, security awareness training, is an educational control aimed at increasing employees’ understanding of security practices.
Option B, role-based access control (RBAC), is a control measure that assigns access rights and permissions based on job roles and responsibilities. RBAC helps enforce the principle of least privilege by ensuring individuals have access to resources based on their specific job requirements.
Employment Contracts
Employment contracts establish a legal relationship between the employer and the employee, outlining their roles, responsibilities, and obligations.
The contract covers important aspects such as salary, holidays, benefits, and working conditions.
- It sets clear expectations for both the employer and the employee, ensuring a mutual understanding of their respective responsibilities.
- The contract should include provisions regarding employee behaviour and conduct, outlining expected standards of professionalism and ethics.
- Acceptable Use Policies (AUPs) may be included in the employment contract, specifying the appropriate use of company resources, such as computer systems, networks, and data.
- Non-Disclosure Agreements (NDAs) can be part of the employment contract to protect sensitive information and trade secrets.
- Intellectual Property Issues should be addressed in the contract, clarifying ownership and rights related to any intellectual property created by the employee during their employment.
- Compliance with legal requirements, such as employment laws, data protection regulations, and industry-specific regulations, should be stated in the contract.
Understanding employment contracts is essential for organizations to establish clear expectations, protect their interests, and ensure compliance with legal and regulatory requirements.
Which of the following is typically addressed in an employment contract?
A) Technical specifications of company equipment
B) Company’s financial performance targets
C) Marketing strategies for product promotion
D) Confidentiality obligations
D) Confidentiality obligations.
Employment contracts often include provisions related to maintaining the confidentiality of sensitive information and trade secrets. These clauses help protect the company’s intellectual property and prevent the unauthorized disclosure of confidential information by employees.
Due Care & Due Diligence:
A business has a duty of care to ensure the safety and well-being of employees, customers, and others associated with the business. Due diligence is the process of identifying and addressing risks through research and preparation. Failure to provide due care as a result of not carrying out due diligence can result in negligence.
- Behaviour and Conduct:
  - A code of conduct for employees extends beyond workplace behaviour to include maintaining confidentiality, integrity, and availability.
  - Guidance should be provided on discussions held outside the office to prevent unintended disclosure of sensitive information.
  - Social media usage should be addressed, including avoiding work-related issues in posts and being cautious about sharing company-related images.
  - Corporate hospitality guidelines should be established to avoid potential allegations of bribery and corruption.
- Acceptable Use Policies:
  - Establish directives for employees on the proper use of corporate resources, such as internet and email access.
  - Define when the corporate internet can be used for personal purposes and ensure the avoidance of accessing or downloading inappropriate material.
  - Email etiquette is important to maintain the organization’s reputation and prevent legal issues.
  - Specify the actions the company may take in case of policy violations, including different levels of infringement and potential termination.
  - Require employees to acknowledge that they have read and understood the Acceptable Use Policy (AUP).
What is the relationship between due care and due diligence in cybersecurity?
A) Due care is the process of identifying and addressing risks, while due diligence is the legal responsibility to protect stakeholders.
B) Due care is the legal responsibility to protect stakeholders, while due diligence is the process of identifying and addressing risks.
C) Due care and due diligence are interchangeable terms used to describe the legal responsibility to protect stakeholders.
D) Due care and due diligence are unrelated concepts in the field of cybersecurity.
B) Due care is the legal responsibility to protect stakeholders, while due diligence is the process of identifying and addressing risks.
A business has a duty of care to ensure the safety and well-being of employees, customers, and others associated with the business. Due diligence is the process of identifying and addressing risks through research and preparation. Failure to provide due care as a result of not carrying out due diligence can result in negligence.
“Need to Know” and “Least Privilege”
- Need to Know:
  - Need to know is a principle used to determine whether a user should be granted access to specific information.
  - Users should only be given access to information that is necessary for them to perform their job duties effectively.
  - If a user does not require access to certain information, access should not be granted.
  - Access should be granted based on the minimum level required to fulfil the job function.
  - Access should only be provided for the minimum amount of time needed to complete the task.
- Least Privilege:
  - Least privilege is the practice of granting users the minimum level of privileges necessary to perform their job functions.
  - Users should have access rights and permissions based on their specific roles and responsibilities.
  - By granting least privilege, the potential impact of a security breach or unauthorized access is minimized.
  - Permission creep should be avoided, which refers to the tendency to grant users more access privileges than necessary.
  - Regular reviews and audits should be conducted to ensure that access privileges are aligned with the principle of least privilege.
Which of the following principles determines the level of access granted to users based on their job requirements and limits access to the minimum necessary?
A) Separation of Duties
B) Need to Know
C) Acceptable Use Policy
D) Role-Based Access Control
B) Need to Know.
The principle of “Need to Know” ensures that users are granted access only to the information necessary for them to perform their job duties, limiting access to the minimum required level.
Which of the following best describes the principle of “Least Privilege”?
A) Granting users access to all information and resources within the organization.
B) Restricting access to only the necessary information and resources required to perform job duties.
C) Providing users with unrestricted access to all systems and applications.
D) Assigning the highest level of privileges to all users for increased flexibility.
B) Restricting access to only the necessary information and resources required to perform job duties.
The principle of “Least Privilege” states that users should be given the minimum level of access necessary to perform their job functions effectively, reducing the risk of unauthorized access or misuse of sensitive information.
Separation of Duties
- Separation of Duties:
  - Also known as segregation of duties.
  - Critical functions are divided among multiple staff members to prevent a single person from having enough privilege to commit fraudulent activities.
  - Examples include requiring multiple signatures for company cheques and independent testing of software development.
  - Separation should be maintained between auditors, system administrators, and users to ensure independent viewpoints and limit permissions.
- Job Rotation:
  - Employees rotate through different roles within the organization.
  - Commonly used for interns and provides exposure to various aspects of the business.
  - Benefits include improved staff motivation, better understanding of the business, and increased resilience by having staff who can cover different roles in case of absences.
Note: These concepts help reduce the risk of fraud, increase accountability, and enhance the overall security posture of the organization.
Which of the following best describes the concept of Separation of Duties?
A) Allowing employees to rotate through different roles within the organization.
B) Dividing critical functions among multiple staff members to prevent fraudulent activities.
C) Providing independent testing of software development for objective evaluation.
D) Giving auditors the authority to oversee all business functions without bias.
B) Dividing critical functions among multiple staff members to prevent fraudulent activities.
Separation of Duties is a control mechanism that ensures no single person has enough privilege to carry out activities that could lead to damage or fraud. By dividing critical functions among multiple staff members, the risk of unauthorized actions or fraudulent activities is reduced.
What is the primary purpose of implementing separation of duties in an organization?
A) To increase collaboration and teamwork among employees.
B) To minimize the risk of fraud and unauthorized activities.
C) To streamline business processes and improve efficiency.
D) To provide employees with job rotation opportunities.
B) To minimize the risk of fraud and unauthorized activities.
The primary purpose of implementing separation of duties is to distribute critical tasks and responsibilities among different individuals to create a system of checks and balances. By ensuring that no single person has complete control over a process from start to finish, it reduces the risk of fraud, errors, and unauthorized activities. This control measure helps prevent conflicts of interest and increases accountability within an organization.
Culture:
Organizational culture has a direct impact on the functioning of the business, including security.
Security culture is cultivated through various stages: awareness of risks/threats and duties, attitude modification, intention to comply, emphasis on compliance benefits, and eventually secure behaviour.
- Training plays a crucial role in developing a security culture and should be provided at multiple levels throughout the employee life cycle.
- Training should be relevant, job-specific, and focused on behavioural change rather than just awareness.
- Effectiveness of awareness training should be measured.
Access Controls:
- Procedural controls play a vital role in managing and regulating access to files and folders on the network.
- The main objective of access controls is to ensure that only authorized individuals can access information.
- User access controls involve mechanisms to mediate user access to files (objects).
- Principles of IAAA (Identification, Authentication, Authorisation, and Accounting) guide access control implementation.
- Various methods can be used for user authentication, including passwords, tokens, and biometrics.
- Access control models provide frameworks for managing access rights and permissions.
- Administering controls involves tasks such as user provisioning, access revocation, and auditing.
- File permissions are used to restrict or grant access to specific files or folders.
What is the primary objective of developing a security culture within an organization?
A) Ensuring compliance with legal regulations
B) Increasing awareness of security risks and threats
C) Implementing strict access control measures
D) Promoting job rotation and cross-training opportunities
B) Increasing awareness of security risks and threats.
Developing a security culture within an organization involves making people aware of security risks and threats and their responsibilities in mitigating them. By increasing awareness, employees are more likely to modify their attitudes towards security, comply with security policies and procedures, and exhibit secure behaviours. A strong security culture helps foster a proactive and security-conscious workforce, reducing the likelihood of security incidents and breaches.
Which of the following is an essential component of access controls in procedural controls?
A) Incident response procedures
B) User awareness training
C) Physical security measures
D) Network firewalls
B) User awareness training.
User awareness training is an essential component of access controls in procedural controls. It helps educate employees about their responsibilities, security policies, and best practices for accessing and handling sensitive information. By providing training, employees become aware of the risks, threats, and proper procedures related to access controls, which contributes to a strong security culture and reduces the likelihood of security incidents caused by human error or lack of awareness.
Which of the following is a key aspect of access controls in procedural controls?
A) Network segmentation
B) Encryption algorithms
C) Incident response plans
D) User privilege management
D) User privilege management.
User privilege management is a key aspect of access controls in procedural controls. It involves defining and managing the levels of access that users have to various resources within an organization’s network. By effectively managing user privileges, organizations can ensure that users only have access to the resources necessary for their job roles and responsibilities, reducing the risk of unauthorized access or data breaches.
Network segmentation refers to dividing a network into smaller segments to enhance security and control access between different segments.
Encryption algorithms are cryptographic techniques used to protect data during transmission or storage, but they are not directly related to user access controls.
Incident response plans are procedures and guidelines that organizations follow to address and manage security incidents. While important for overall security, they are not specifically focused on access controls.
Which of the following is an example of a technical control?
A) Security awareness training
B) Background checks for employees
C) Acceptable use policy
D) Firewall configuration
D) Firewall configuration.
Firewall configuration is an example of a technical control. Firewalls are network security devices that monitor and control incoming and outgoing network traffic based on predetermined security rules. By configuring firewall settings, such as defining allowed and blocked ports, protocols, and IP addresses, organizations can enforce network security policies and protect their systems from unauthorized access and malicious activities.
Identification and Authentication
Identification and Authentication:
- Identification refers to the unique identity of a user on a computer system, usually in the form of a username.
- Authentication is the process of validating the user’s identity through credentials, such as a password.
- Authentication mechanisms are used to verify the user’s claimed identity.
Authorisation:
- After successful authentication, the user is granted access to the system and specific resources.
- Access tokens are assigned to users, defining their access permissions and levels.
- When accessing a resource, the user’s access token is compared against the access control list (ACL) to determine if access should be granted.
Accounting:
- Accounting involves recording and documenting user actions and system activities.
- It captures information such as who logged on, when they logged on, what resources they accessed, and when they logged off.
- Accounting provides an audit trail and helps in monitoring and tracking system usage.
IAAA Model:
- The IAAA model consists of four components: Identification, Authentication, Authorisation, and Accounting.
- Identification establishes the unique identity of a user.
- Authentication validates the user’s identity.
- Authorisation determines what resources the user can access and at what level.
- Accounting records user actions and system activities.
Remember, identification is about “who,” authentication is about “proving who they are,” authorisation is about “what they can do,” and accounting is about “when and what actions are recorded.”
Which component of the IAAA model involves keeping a record of user actions and system activities?
A) Identification
B) Authentication
C) Authorisation
D) Accounting
D) Accounting.
Accounting is the component of the IAAA model that involves keeping a record of user actions and system activities. It includes logging information such as who logged on, when they logged on, what resources they accessed, and when they logged off. Accounting helps in auditing, monitoring, and tracking system usage.
Which component of the IAAA model determines what resources a user can access and at what level?
A) Identification
B) Authentication
C) Authorisation
D) Accounting
C) Authorisation.
Authorisation is the component of the IAAA model that determines what resources a user can access and at what level. Once a user’s identity has been authenticated, authorisation is the process of granting or denying access to specific resources based on the user’s permissions, privileges, or assigned roles. It ensures that users have the appropriate rights and permissions to perform their authorized tasks and activities within the system.
Which of the following is an example of an authentication factor?
A) User’s job title
B) User’s email address
C) User’s access permissions
D) User’s physical fingerprint
D) User’s physical fingerprint.
In the context of authentication, a physical fingerprint is an example of a biometric factor. Biometric authentication relies on unique physical or behavioural characteristics of an individual, such as fingerprints, iris patterns, or voice recognition, to verify their identity. By scanning and comparing the user’s physical fingerprint with stored biometric data, the system can authenticate the user based on this factor.
Passwords
Passwords have been a common authentication mechanism, but there is a shift away from them as the sole primary authentication method.
- Passwords were traditionally stored in clear text, but later advancements led to storing passwords in a hashed format to enhance security.
- Basic authentication involves sending the username and password over the network, making it vulnerable to interception or sniffing.
- Challenge-response authentication improves upon basic authentication:
  - The server sends a challenge (random string) to the client.
  - The client combines the challenge with the password, hashes the new string, and sends it to the server.
  - The server verifies the received credential by comparing it with its own calculation.
  - If the strings match, the authentication is successful.
- Challenge Handshake Authentication Protocol (CHAP) is an example of challenge-response authentication.
Which authentication mechanism involves sending a challenge from the server to the client, combining it with the password, and hashing the result for verification?
A) Basic authentication
B) Two-factor authentication
C) Challenge-response authentication
D) Biometric authentication
C) Challenge-response authentication.
Challenge-response authentication involves the server sending a challenge or nonce to the client, which is then combined with the password and hashed to create a credential string. This credential string is sent back to the server for verification. It is a more secure method compared to basic authentication as the actual password or hash does not travel over the network.
Which authentication mechanism involves sending the username and password in plain text over the network?
A) Basic authentication
B) Challenge-response authentication
C) Biometric authentication
D) Token-based authentication
A) Basic authentication
The authentication mechanism that involves sending the username and password in plain text over the network is Basic authentication (option A). In Basic authentication, the credentials are not encrypted or hashed before transmission, making them susceptible to interception and unauthorized access.
Which authentication mechanism improves upon Basic authentication by using a challenge-response process?
A) Two-factor authentication
B) Biometric authentication
C) Certificate-based authentication
D) Challenge Handshake Authentication Protocol (CHAP)
D) Challenge Handshake Authentication Protocol (CHAP).
CHAP is an authentication protocol that improves upon Basic authentication by using a challenge-response mechanism, where the server sends a random challenge to the client, and the client combines it with the password to generate a response. This process helps to prevent the exposure of passwords during authentication.
Threats against passwords
- Weak, easy-to-guess passwords:
  - Weak passwords are vulnerable to dictionary attacks and brute-force attacks.
  - Users often choose simple passwords such as “123456” or “password,” which are easily guessed.
  - Passwords that include personal information like birthdates or names are also risky.
- Technical attacks - password cracking:
  - Password cracking involves using software or tools to systematically guess passwords.
  - Attackers can employ techniques like dictionary attacks, where common words or phrases are tried, or brute-force attacks, where all possible combinations are attempted.
  - Rainbow tables, precomputed tables of password hashes, can also be used to crack passwords quickly.
- Social engineering:
  - Social engineering attacks aim to manipulate individuals into revealing their passwords.
  - Techniques include phishing emails, where attackers impersonate legitimate entities to trick users into providing their passwords.
  - Shoulder surfing, dumpster diving, and impersonation are other social engineering tactics used to obtain passwords.
Weak Passwords
- Users often choose passwords that are easy to remember, such as common words or phrases.
- Common passwords are often based on easily guessable information, like children’s names.
- Password length plays a crucial role in password strength. A password of eight characters is no longer considered secure.
- Passphrases are recommended as they provide increased security. A passphrase is a string of easily remembered words.
- Passphrases are harder to crack due to their length and complexity compared to shorter passwords.
Technical attacks against passwords
Password cracking involves using software programs to systematically guess passwords until the correct one is found.
Common techniques used in password cracking include:
- Dictionary attacks - involve comparing passwords against a dictionary file or list of common words to find a match.
- Hybrid attacks - modify word lists by adding numbers or changing letters to increase the likelihood of finding a match.
- Brute force attacks - try every possible combination of characters and numbers until a match is found. The time required increases with the length of the password.
- Rainbow tables - are precomputed tables of password hashes, making password comparisons faster. However, they require significant storage space to store all possible combinations.
Countermeasures against password threats
- Enforce strong password policies:
  - Require passwords to have a minimum length and a combination of uppercase and lowercase letters, numbers, and special characters.
  - Educate users about the importance of creating unique, complex passwords that are not easily guessable.
- Implement multi-factor authentication (MFA):
  - MFA adds an extra layer of security by requiring users to provide additional verification, such as a one-time password or biometric authentication, in addition to a password.
- Use password hashing and salting:
  - Passwords should be stored in hashed form, where they are transformed into a fixed-length string of characters.
  - Salting involves adding a random value to the password before hashing, making it harder for attackers to crack passwords using precomputed tables.
- Regularly update and patch systems:
  - Keep systems and applications up to date with the latest security patches to mitigate vulnerabilities that could be exploited to compromise passwords.
- Conduct user awareness training:
  - Educate users about password best practices, such as avoiding password reuse, regularly changing passwords, and being cautious of phishing attempts.