Ch 2: Exploring Control Types and Methods CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide Darril Gibson

  • Jérôme Kerviel
    - Rogue trader, lost €4.9 billion
    - Largest fraud in banking history at that time
    - Worked in the compliance department of a French bank
    - Defeated security at his bank by concealing transactions with other transactions
    - Arrested in Jan 2008; out and working at a computer consulting firm in April 2008
      - Links Ch 7a, 7b

  • Understanding Basic Control Types

  • Risk
    - Risk
      - The likelihood that a threat will exploit a vulnerability, resulting in a loss
    - Risk Management
      - Using controls to reduce risk
    - Controls
      - Also called countermeasures or safeguards

  • Types of Controls
    - Technical
      - Uses technology to reduce vulnerabilities
    - Management
      - Primarily administrative
    - Operational
      - Ensure that day-to-day operations comply with the security plan

  • Functions of Controls
    - Preventative
      - Prevent an incident from occurring
    - Detective
      - Detect when a vulnerability has been exploited
    - Corrective
      - Reverse the impact of an incident after it has occurred

  • Examples of Technical Controls
    - Least Privilege
      - Users have only enough permissions to do their job, but not more
    - Antivirus software
    - Intrusion Detection Systems (IDSs)
      - Monitor a network or host for network-based threats
    - Firewalls
      - Restrict network traffic with rules

  • Examples of Management Controls
    - Risk Assessments
      - Quantitative risk assessment
        - Uses cost and asset values to determine monetary risk
      - Qualitative analysis
        - Categorizes and rates risks
        - High risk, Medium risk, Low risk
    - Vulnerability Assessments

  • Examples of Operational Controls
    - Awareness and Training
      - Maintain password security
      - Clean desk policy
      - Understand phishing and malware
    - Configuration Management
      - Record performance baselines
      - Change management
    - Contingency Planning
      - Prepare for outages

  • Examples of Operational Controls (continued)
    - Media Protection
      - Physical media like USB flash drives, hard drives, and backup tapes
    - Physical and Environmental Protection
      - Cameras
      - Door locks
      - Heating and ventilation systems

  • Controls Based on Functions
    - Preventative Controls
      - Prevent an incident from occurring
    - Detective Controls
      - Detect when a vulnerability has been exploited
      - Cannot predict an incident
      - Cannot prevent an incident
    - Corrective Controls
      - Reverse the impact of an incident after it occurs

  • Examples of Preventative Controls
    - Security Guards
      - An attacker is less likely to attempt social engineering, and less likely to succeed
    - Change Management
      - All changes must go through a change management process
      - Prevents ad-hoc configuration errors
      - Examples of what it prevents: promoting users to Administrator casually; installing a rogue Wi-Fi access point

  • Examples of Preventative Controls (continued)
    - Account Disablement Policy
      - Disable the account when an employee is terminated
    - System Hardening
      - Making systems more secure than their default configurations
      - Removing and disabling unneeded services and protocols
      - Patches and updates
      - Enabling firewalls
    - Video Surveillance
      - Can prevent attacks by acting as a deterrent

  • Examples of Detective Controls
    - Security Audit
      - Examines the security posture of an organization
      - Password audit
      - User permissions audit
    - Video Surveillance
      - Records activity and detects what occurred
      - Visible cameras can also act as a preventative control, deterring attacks

  • Examples of Corrective Controls
    - Active IDS
      - Detects attacks and modifies the environment to block them
    - Backups and System Recovery
      - When data is lost, backups ensure that it can be recovered
      - System recovery restores damaged systems to operation

  • Exploring Access Control Models

  • RBAC, DAC, MAC
    - Role-Based Access Control (RBAC)
    - Rule-Based Access Control (RBAC)
    - Discretionary Access Control (DAC)
    - Mandatory Access Control (MAC)

  • Subjects and Objects
    - Subjects
      - Users or groups that will access an object
    - Objects
      - A file, folder, share, printer, or other asset which subjects may want to access

  • Data Classification
    - Classification determines how much protection the data requires
      - The access control model (RBAC, DAC, or MAC) helps determine how the data is protected
    - The US Government uses these classifications
      - Top Secret
      - Secret
      - Confidential
      - Unclassified

  • Role-Based Access Control (RBAC)
    - Commonly used in Windows domains
    - Users are grouped into roles
      - Example: Manager, Technician, Sales, Financial
    - Rights and permissions are assigned to roles, not to individual users
      - Example: Financial can access the payroll database, but Sales cannot

  • Rule-Based Access Control (RBAC)
    - Rules define what is allowed
      - Examples: firewall rules, Parental Controls, time-of-day restrictions

  • Firewall Rules

  • Cisco ACLs
    - Link Ch 2g

  • Discretionary Access Control (DAC)
    - Each object has an owner
    - The owner assigns access rights at their discretion
    - Used for file and folder permissions on Windows computers, including ones that are not in a corporate domain

  • Windows DAC
    - The owner of a folder can assign
      - Full Control
      - Read
      - Write
      - etc.

  • Windows 7 ACL

  • SID (Security Identifier)
    - Windows identifies users by SID, not by user name
    - Unique value
      - Link Ch 2b
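The SID slide only says the value is unique; the text form has a fixed structure that is worth seeing. The following is an added example (not from the study guide) that parses a SID string of the form S-1-<authority>-<sub-authorities>-<RID>, shows that the part before the RID identifies the issuing domain or machine, and recognises a handful of well-known SIDs and RIDs. The sample SID values with the 21-prefix are constructed, not taken from any real system.

```python
# Added example (not from the study guide): parse the text form of a Windows
# SID and recognise a few well-known values. A SID string looks like
# S-1-5-21-<domain sub-authorities>-<RID>; the trailing RID names the account
# and everything before it identifies the issuing domain or machine.
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# revision, identifier authority, then up to 15 sub-authorities
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+){0,15})$")

# Well-known SIDs that are identical on every Windows system.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
# RIDs that Windows assigns the same way in every domain or machine.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @property
    def rid(self) -> Optional[int]:
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def issuer(self) -> str:
        """The SID minus its RID: equal strings mean the same domain or machine."""
        parts = ["S", str(self.revision), str(self.authority)]
        parts += [str(s) for s in self.sub_authorities[:-1]]
        return "-".join(parts)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority)]
                        + [str(s) for s in self.sub_authorities])


def parse_sid(text: str) -> Sid:
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID string: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    subs = tuple(int(s) for s in m.group(3).split("-")[1:])  # drop leading empty piece
    return Sid(revision, authority, subs)


def is_sid(text: str) -> bool:
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def same_issuer(a: str, b: str) -> bool:
    """True when two account SIDs were issued by the same domain or machine."""
    return parse_sid(a).issuer == parse_sid(b).issuer


def describe(text: str) -> str:
    sid = parse_sid(text)
    if text in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[text]
    # Domain and local machine account SIDs start S-1-5-21; their RID may be well known.
    if sid.authority == 5 and sid.sub_authorities[:1] == (21,) and sid.rid in WELL_KNOWN_RIDS:
        return f"{WELL_KNOWN_RIDS[sid.rid]} (well-known RID {sid.rid})"
    return f"account RID {sid.rid} issued by {sid.issuer}"


if __name__ == "__main__":
    for s in ("S-1-5-32-544", "S-1-5-21-3623811015-3361044348-30300820-500",
              "S-1-5-21-3623811015-3361044348-30300820-1013"):
        print(s, "->", describe(s))
```

The point for an auditor: renaming the built-in Administrator account does not hide it, because its RID stays 500, and two accounts whose SIDs share the same issuer prefix came from the same domain or machine regardless of what they are called.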

  • Mandatory Access Control (MAC)
    - Most restrictive; used by the military
    - Subjects and objects are classified by a higher authority
      - Top Secret
      - Secret
      - Confidential
      - Unclassified

  • Mandatory Access Control (MAC) (continued)
    - Top Secret data must stay on "Top Secret" devices, and may only be seen by personnel cleared for "Top Secret" access
    - Link Ch 2a
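The slides above describe the three models in one sentence each; the difference shows up most clearly in who is allowed to change the policy. The following is an added example (not from the study guide) that implements a policy decision for each model: RBAC with permissions attached to roles, DAC with an owner-managed ACL, and MAC with centrally assigned labels and a "no read up" comparison. The users, roles, files, clearances and the simplification that only the owner edits a DAC ACL are constructed for illustration.

```python
# Added example (not from the study guide): the three access control models on
# the preceding slides as small policy-decision functions over constructed data.

# --- Role-Based Access Control: permissions go to roles, users get roles ---
ROLE_PERMISSIONS = {
    "Financial": {("payroll_db", "read"), ("payroll_db", "write")},
    "Sales":     {("crm_db", "read"), ("crm_db", "write")},
    "Manager":   {("payroll_db", "read"), ("crm_db", "read")},
}
USER_ROLES = {"alice": {"Financial"}, "bob": {"Sales"}, "carol": {"Manager", "Sales"}}


def rbac_allowed(user: str, obj: str, action: str) -> bool:
    """Allowed if any of the user's roles carries (object, action)."""
    return any((obj, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- Discretionary Access Control: the object's owner decides who gets what ---
class DacObject:
    def __init__(self, name: str, owner: str):
        self.name, self.owner = name, owner
        self.acl = {}  # subject -> set of permissions; a subject not listed gets nothing

    def grant(self, requester: str, subject: str, *perms: str) -> None:
        # Simplification: only the owner may edit the ACL (Windows gives the owner
        # the implicit right to change an object's permissions).
        if requester != self.owner:
            raise PermissionError(f"{requester} does not own {self.name}")
        self.acl.setdefault(subject, set()).update(perms)

    def allowed(self, subject: str, perm: str) -> bool:
        return perm in self.acl.get(subject, set())


# --- Mandatory Access Control: labels come from a central authority, not owners ---
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
CLEARANCE = {"alice": "Secret", "dave": "Top Secret", "erin": "Unclassified"}
CLASSIFICATION = {"budget.xlsx": "Confidential", "ops_plan.docx": "Top Secret"}


def mac_can_read(user: str, obj: str) -> bool:
    """'No read up': the subject's clearance must be at or above the object's label.
    There is deliberately no grant() here; neither users nor owners can relabel."""
    return LEVELS[CLEARANCE[user]] >= LEVELS[CLASSIFICATION[obj]]


def demo() -> dict:
    """Decisions for the constructed data, a few per model."""
    report = DacObject("report.docx", owner="bob")
    report.grant("bob", "alice", "read")
    try:
        report.grant("alice", "carol", "read")   # alice is not the owner
        non_owner_could_grant = True
    except PermissionError:
        non_owner_could_grant = False
    return {
        "rbac_financial_reads_payroll": rbac_allowed("alice", "payroll_db", "read"),
        "rbac_sales_reads_payroll": rbac_allowed("bob", "payroll_db", "read"),
        "rbac_manager_writes_payroll": rbac_allowed("carol", "payroll_db", "write"),
        "rbac_manager_writes_crm": rbac_allowed("carol", "crm_db", "write"),
        "dac_alice_reads_report": report.allowed("alice", "read"),
        "dac_alice_writes_report": report.allowed("alice", "write"),
        "dac_non_owner_can_grant": non_owner_could_grant,
        "mac_secret_reads_top_secret": mac_can_read("alice", "ops_plan.docx"),
        "mac_top_secret_reads_top_secret": mac_can_read("dave", "ops_plan.docx"),
        "mac_unclassified_reads_confidential": mac_can_read("erin", "budget.xlsx"),
        "mac_secret_reads_confidential": mac_can_read("alice", "budget.xlsx"),
    }


if __name__ == "__main__":
    for decision, result in demo().items():
        print(f"{decision:40s} {result}")
```

Note that carol can write the CRM database only because of her Sales role; her Manager role adds read access to payroll but nothing more, which is the point of assigning rights to roles rather than people.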

  • Understanding Physical Security Controls

  • Boundaries
    - Perimeter
      - Example: Fence around campus
    - Building
    - Secure work areas
      - Example: Clean room
    - Server and network devices
      - Example: Server room

  • Door Access Systems
    - Cipher locks (image from mssparky.com)
    - Proximity cards (image from beresfordco.com)

  • ID Badges (image from pimall.com)

  • Physical Access List and Logs
    - Access List
      - Specifies who is allowed to enter
      - Enforced by guards
    - Log
      - Records who went in and out
      - Video surveillance is the most reliable log

  • Chain of Custody (image from nij.gov)

  • Tailgating
    - Following a person through a secure door
    - Also called piggybacking
    - To prevent this, use mantraps, turnstiles, or security guards

  • Mantrap (image from flaglerchat.com)

  • Turnstile (image from sunshinetek.en.made-in-china.com)

  • Video Surveillance (CCTV)
    - Reliable proof of a person's location and activity
    - Only record in public areas
    - Notify employees of the surveillance
    - Do not record audio
      - It's often illegal without the consent of all parties

  • Camera Types
    - Wireless
    - Wired
    - Low-light
      - Often infrared (image from pvs4.com)
    - Color
    - Black and white

  • Hardware Locks
    - Inexpensive access control
    - No record of who entered or when
    - Cable locks for laptops (image from technologytell.com)
    - Locked cabinets or safes

  • Understanding Logical Access Controls

  • Least Privilege
    - A technical control that uses access controls
    - Individuals and processes are granted only the rights and permissions they need
      - Don't let everyone log on as Administrator

  • User Account Control: "Cruel" Mac video
    - Link Ch 2c

  • Access Control Lists
    - Implicit deny
      - A user who is not on the list gets no access
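Implicit deny and rule ordering are the two things people get wrong with access lists, and the Cisco ACL and firewall-rule slides earlier in the chapter are the usual place they show up. The following is an added example (not from the study guide, and not Cisco syntax) that evaluates an ordered packet-filter ACL the way routers do: rules are tried top to bottom, the first match decides, and a packet that matches nothing is dropped. The rule set, addresses and sample packets are constructed; the helper that reports rules never reached by a set of sample packets is a hint for spotting shadowed rules, not a proof.

```python
# Added example (not from the study guide): an ordered access list with
# first-match semantics and an implicit deny at the end. Rule set, addresses
# and packets are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str                         # CIDR network or "any"
    dst: str
    proto: str                       # "tcp", "udp", "icmp", or "ip" (= any protocol)
    dst_port: Optional[int] = None   # None = any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None


def _network(spec: str):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in _network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in _network(rule.dst):
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the deciding rule). Index None = implicit deny."""
    for idx, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, idx
    return "deny", None  # nothing matched: implicit deny


def shadowed_rules(acl: List[Rule], samples: List[Packet]) -> List[int]:
    """Indices of rules that decide none of the sample packets. With a representative
    sample this usually means an earlier, broader rule is hiding them."""
    hit = {evaluate(acl, p)[1] for p in samples}
    return [i for i in range(len(acl)) if i not in hit]


# Constructed rule set: LAN may reach the web server over HTTPS only, telnet from
# the LAN is blocked explicitly, ping is allowed everywhere, everything else is
# caught by the implicit deny (SSH to the server, any traffic from outside the LAN).
ACL = [
    Rule("deny",   "10.0.0.0/8", "any",             "tcp", 23),
    Rule("permit", "10.0.0.0/8", "192.168.1.10/32", "tcp", 443),
    Rule("permit", "any",        "any",             "icmp"),
]

# The ordering mistake: a "permit any" placed first makes every later rule dead.
BAD_ACL = [
    Rule("permit", "any",        "any", "ip"),
    Rule("deny",   "10.0.0.0/8", "any", "tcp", 23),
]

SAMPLES = [
    Packet("10.1.2.3",   "192.168.1.10", "tcp", 443),
    Packet("10.1.2.3",   "192.168.1.10", "tcp", 23),
    Packet("10.1.2.3",   "192.168.1.10", "tcp", 22),
    Packet("172.16.0.5", "8.8.8.8",      "icmp"),
    Packet("172.16.0.5", "192.168.1.10", "tcp", 443),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", evaluate(ACL, p))
    print("shadowed in BAD_ACL:", shadowed_rules(BAD_ACL, SAMPLES))
```

The same logic applies to the user ACL on the slide: a subject with no entry is not "undecided", it is denied, and a broad allow entry placed ahead of a specific deny silently wins.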

  • Group Policy
    - Implemented on a Windows domain controller
    - Security settings affect all computers and users in the domain
    - Central point of administration

  • Password Policy
    - Link Ch 2d

  • Device Policy
    - Disable Autorun
    - Prevent use of USB devices
    - Detect use of USB devices
    - IEEE 1667: USB device authentication
      - Link Ch 2e

  • Account Management
    - Creating, managing, disabling, or terminating user accounts
    - Centralized Account Management
      - One point of administration
      - Windows domain controller, using LDAP
    - Decentralized
      - Accounts stored on each workstation locally
      - Windows workgroup

  • Disabling and Deleting Accounts
    - Disable inactive accounts
    - Terminated employees
      - Often old accounts are left active
    - Leave of absence
      - Disable the account temporarily

  • Time-of-Day Restrictions
    - Logon hours in Windows 7
      - Link Ch 2f

  • Account Expiration and Access Review
    - Account Expiration
      - Appropriate for temporary contract employees
    - Account Access Review
      - Log and audit times of logon and logoff
      - Detect password-guessing attacks
      - Monitor remote access logins
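The last three slides (disabling inactive accounts, account expiration, and reviewing logon activity for password guessing) are one recurring task for an administrator. The following is an added example (not from the study guide) that runs that review over constructed data: a handful of account records with last-logon and expiry dates, and a simplified extract of a Windows Security log where event ID 4625 is a failed logon and 4624 a successful one. The one-line "time event_id user source" log format, the 90-day inactivity threshold and the five-failures-in-five-minutes rule are assumptions chosen for the example; the user names and IP addresses are made up.

```python
# Added example (not from the study guide): an account access review over
# constructed account records and a constructed, simplified logon log.
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

NOW = datetime(2012, 3, 1, 9, 0)   # time of the review (constructed)

# Constructed account records: enabled flag, last logon, expiry (None = never expires).
ACCOUNTS = [
    {"name": "alice",       "enabled": True,  "last_logon": datetime(2012, 2, 28), "expires": None},
    {"name": "contractor1", "enabled": True,  "last_logon": datetime(2012, 1, 5),  "expires": datetime(2012, 1, 31)},
    {"name": "bob",         "enabled": True,  "last_logon": datetime(2011, 10, 1), "expires": None},
    {"name": "dave",        "enabled": False, "last_logon": datetime(2011, 9, 1),  "expires": None},
]


def accounts_to_disable(accounts, now=NOW, inactive_days=90) -> List[Tuple[str, str]]:
    """Enabled accounts that are past their expiry date or have not logged on recently."""
    flagged = []
    for a in accounts:
        if not a["enabled"]:
            continue                       # already disabled, nothing to do
        if a["expires"] is not None and a["expires"] < now:
            flagged.append((a["name"], "expired"))
        elif now - a["last_logon"] > timedelta(days=inactive_days):
            flagged.append((a["name"], "inactive"))
    return flagged


# Constructed Windows Security log extract, reduced to "time event_id user source".
# 4625 = failed logon, 4624 = successful logon.
LOG = """\
2012-03-01T07:55:00 4624 alice 10.0.0.20
2012-03-01T08:00:01 4625 alice 10.0.0.5
2012-03-01T08:00:03 4625 alice 10.0.0.5
2012-03-01T08:00:05 4625 alice 10.0.0.5
2012-03-01T08:00:08 4625 alice 10.0.0.5
2012-03-01T08:00:10 4625 alice 10.0.0.5
2012-03-01T08:00:12 4625 alice 10.0.0.5
2012-03-01T08:00:15 4624 alice 10.0.0.5
2012-03-01T08:10:00 4625 bob 203.0.113.9
2012-03-01T08:30:00 4625 bob 203.0.113.9
2012-03-01T08:50:00 4625 bob 203.0.113.9
2012-03-01T08:20:00 4625 carol 198.51.100.7
2012-03-01T08:20:30 4625 carol 198.51.100.7
2012-03-01T08:21:00 4625 carol 198.51.100.7
2012-03-01T08:21:30 4625 carol 198.51.100.7
2012-03-01T08:22:00 4625 carol 198.51.100.7
"""


def parse_log(text: str) -> List[Dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, source = line.split()
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "user": user, "source": source})
    return events


def password_guessing(events, threshold=5, window=timedelta(minutes=5)) -> List[Dict]:
    """(user, source) pairs with at least `threshold` failures inside `window`, plus
    whether a success from the same source followed the last failure (likely guessed)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        key = (ev["user"], ev["source"])
        (failures if ev["event_id"] == 4625 else successes)[key].append(ev["time"])
    findings = []
    for (user, source), times in failures.items():
        times.sort()
        # sliding window: any run of `threshold` failures whose span fits in `window`
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if not burst:
            continue
        succeeded = any(t > times[-1] for t in successes.get((user, source), []))
        findings.append({"user": user, "source": source,
                         "failures": len(times), "succeeded": succeeded})
    return sorted(findings, key=lambda f: (f["user"], f["source"]))


if __name__ == "__main__":
    print("disable:", accounts_to_disable(ACCOUNTS))
    for f in password_guessing(parse_log(LOG)):
        print("password guessing:", f)
```

In the constructed data, bob's three slow failures are a typo pattern and are not flagged, carol's account is under attack but still holding, and alice's burst ends in a success from the attacking address, which is the finding that needs a password reset and a look at what that session did.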