Ch 2: Exploring Control Types and Methods
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide, Darril Gibson
Jérôme Kerviel
- Rogue trader, lost 4.9 billion
- Largest fraud in banking history at that time
- Worked in the compliance department of a French bank
- Defeated security at his bank by concealing transactions with other transactions
- Arrested in Jan 2008, out and working at a computer consulting firm in April 2008
  - Links Ch 7a, 7b
Understanding Basic Control Types

Risk
- Risk
  - The likelihood that a threat will exploit a vulnerability, resulting in a loss
- Risk Management
  - Using controls to reduce risk
- Controls
  - Also called countermeasures or safeguards

Types of Controls
- Technical
  - Uses technology to reduce vulnerabilities
- Management
  - Primarily administrative
- Operational
  - Ensure that day-to-day operations comply with the security plan

Functions of Controls
- Preventative
  - Prevent an incident from occurring
- Detective
  - Detect when a vulnerability has been exploited
- Corrective
  - Reverse the impact of an incident after it has occurred
Examples of Technical Controls
- Least Privilege
  - Users have only enough permissions to do their job, but not more
- Antivirus software
- Intrusion Detection Systems (IDSs)
  - Monitor a network or host for network-based threats
- Firewalls
  - Restrict network traffic with rules

Examples of Management Controls
- Risk Assessments
  - Quantitative risk assessment
    - Uses cost and asset values to determine monetary risk
  - Qualitative analysis
    - Categorizes and rates risks
    - High risk, Medium risk, Low risk
- Vulnerability Assessments
Examples of Operational Controls
- Awareness and Training
  - Maintain password security
  - Clean desk policy
  - Understand phishing and malware
- Configuration Management
  - Record performance baselines
  - Change management
- Contingency Planning
  - Prepare for outages
- Media Protection
  - Physical media like USB flash drives, hard drives, and backup tapes
- Physical and Environmental Protection
  - Cameras
  - Door locks
  - Heating and ventilation systems

Controls Based on Functions
- Preventative Controls
  - Prevent an incident from occurring
- Detective Controls
  - Detect when a vulnerability has been exploited
  - Cannot predict an incident
  - Cannot prevent an incident
- Corrective Controls
  - Reverse the impact of an incident after it occurs
Examples of Preventative Controls
- Security Guards
  - Attacker is less likely to attempt social engineering and less likely to succeed
- Change Management
  - All changes must go through a change management process
  - Prevents ad-hoc configuration errors
  - Examples: promoting users to Administrator casually; installing a rogue Wi-Fi access point
- Account Disablement Policy
  - When an employee is terminated
- System Hardening
  - Making systems more secure than default configurations
  - Removing and disabling unneeded services and protocols
  - Patches and updates
  - Enabling firewalls
- Video Surveillance
  - Can prevent an attack, acts as a deterrent

Examples of Detective Controls
- Security Audit
  - Examines the security posture of an organization
  - Password audit
  - User permissions audit
- Video Surveillance
  - Records activity and detects what occurred
  - Visible cameras can also act as a preventative control, deterring attacks

Examples of Corrective Controls
- Active IDS
  - Detects attacks and modifies the environment to block them
- Backups and System Recovery
  - When data is lost, backups ensure that it can be recovered
  - System recovery restores damaged systems to operation
Exploring Access Control Models

RBAC, DAC, MAC
- Role-Based Access Control (RBAC)
- Rule-Based Access Control (RBAC)
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)

Subjects and Objects
- Subjects
  - Users or groups that will access an object
- Object
  - A file, folder, share, printer, or other asset which subjects may want to access

Data Classification
- Classification determines how much protection the data requires
  - The access control model (RBAC, DAC, or MAC) helps determine how the data is protected
- US Gov't uses these classifications
  - Top Secret
  - Secret
  - Confidential
  - Unclassified
Role-Based Access Control (RBAC)
- Commonly used in Windows domains
- Users are grouped into Roles
  - Example: Manager, Technician, Sales, Financial
- Rights and Permissions are assigned to Roles
  - Example: Financial can access the payroll database, but Sales cannot

Rule-Based Access Control (RBAC)
- Rules define what is allowed
  - Examples: firewall rules, Parental Controls, Time-of-Day restrictions

Firewall Rules

Cisco ACLs
- Link Ch 2g
Discretionary Access Control (DAC)
- Each object has an owner
- The owner assigns access rights at their discretion
- Used by Windows computers that are not in a corporate domain

Windows DAC
- Owner of a folder can assign
  - Full Control
  - Read
  - Write
  - etc.

Windows 7 ACL
SID (Security Identifier)
- Windows identifies users by SID
- Unique value
  - Link Ch 2b
Mandatory Access Control (MAC)
- Most restrictive, used by the military
- Subjects and objects are classified by a higher authority
  - Top Secret
  - Secret
  - Confidential
  - Unclassified
- Top Secret data must stay on "Top Secret" devices, and only be seen by personnel cleared for "Top Secret" access
- Link Ch 2a
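As an added example that is not from the slides, this Python script simulates the three access control models of this section side by side: MAC with the four US government classification levels (a subject may only read data at or below its clearance), RBAC with the Financial/Sales payroll example, and DAC with an owner-managed ACL that implicitly denies any subject not on the list, as the Access Control Lists slide later describes. The user, role and object names are made up for illustration.

```python
# Added example, not from the slides: the chapter's three access-control models
# applied to constructed subjects and objects.
from dataclasses import dataclass, field

# MAC: labels assigned by a higher authority. A subject may read an object only
# when its clearance is at or above the object's label ("no read up"), so Top
# Secret data is never seen by personnel cleared below Top Secret.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def mac_can_read(clearance: str, label: str) -> bool:
    return LEVELS[clearance] >= LEVELS[label]

# RBAC: rights are attached to roles and users are placed in roles. Financial
# can reach the payroll database, Sales cannot (the slide's own example).
ROLE_PERMS = {"Financial": {"payroll_db": {"read", "write"}},
              "Sales": {"crm": {"read", "write"}}}
USER_ROLES = {"alice": {"Financial"}, "bob": {"Sales"}}

def rbac_allowed(user: str, obj: str, right: str) -> bool:
    return any(right in ROLE_PERMS.get(role, {}).get(obj, set())
               for role in USER_ROLES.get(user, set()))

# DAC: each object has an owner who grants rights at their discretion. The ACL
# uses implicit deny: a subject absent from the list gets no access.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # subject -> set of rights

    def grant(self, granter: str, subject: str, rights: set) -> bool:
        if granter != self.owner:             # only the owner edits the ACL
            return False
        self.acl.setdefault(subject, set()).update(rights)
        return True

    def allowed(self, subject: str, right: str) -> bool:
        if subject == self.owner:
            return True
        return right in self.acl.get(subject, set())   # implicit deny

if __name__ == "__main__":
    print(mac_can_read("Secret", "Top Secret"))        # False
    print(rbac_allowed("bob", "payroll_db", "read"))   # False
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", {"read"})
    print(doc.allowed("bob", "read"), doc.allowed("carol", "read"))  # True False
```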
Understanding Physical Security Controls

Boundaries
- Perimeter
  - Example: Fence around campus
- Building
- Secure work areas
  - Example: Clean room
- Server and network devices
  - Example: Server room

Door Access Systems
- Cipher locks
  - (Image from mssparky.com)
- Proximity Cards
  - (Image from beresfordco.com)

ID Badges
- (Image from pimall.com)

Physical Access List and Logs
- Access List
  - Specifies who is allowed to enter
  - Enforced by guards
- Log
  - Records who went in and out
  - Video surveillance is most reliable

Chain of Custody
- (Image from nij.gov)
Tailgating
- Following a person through a secure door
- Also called piggybacking
- To prevent this, use mantraps, turnstiles, or security guards

Man Trap
- (Image from flaglerchat.com)

Turnstile
- (Image from sunshinetek.en.made-in-china.com)

Video Surveillance (CCTV)
- Reliable proof of a person's location and activity
- Only record in public areas
- Notify employees of the surveillance
- Do not record audio
  - It's often illegal without consent of all parties

Camera Types
- Wireless
- Wired
- Low-light
  - Often infrared
  - (Image from pvs4.com)
- Color
- Black and white

Hardware Locks
- Inexpensive access control
- No record of who entered or when
- Cable locks for laptops
  - (Image from technologytell.com)
- Locked cabinets or safes
Understanding Logical Access Controls

Least Privilege
- A technical control that uses access controls
- Individuals and processes are granted only the rights and permissions they need
  - Don't let everyone log on as Administrator

User Account Control Cruel Mac Video
- Link Ch 2c

Access Control Lists
- Implicit deny
  - A user who is not on the list gets no access

Group Policy
- Implemented on a Windows domain controller
- Security settings affect all computers and users in the domain
- Central point of administration
Password Policy
Device Policy
- Disable Autorun
- Prevent use of USB devices
- Detect use of USB devices
- IEEE 1667: USB device authentication
  - Link Ch 2e
- Link Ch 2d

Account Management
- Creating, managing, disabling, or terminating user accounts
- Centralized Account Management
  - One point of administration
  - Windows domain controller, using LDAP
- Decentralized
  - Accounts stored on each workstation locally
  - Windows workgroup

Disabling and Deleting Accounts
- Disable inactive accounts
- Terminated employees
  - Often old accounts are left active
- Leave of Absence
  - Disable account temporarily

Time-of-Day Restrictions
- Logon hours in Windows 7
  - Link Ch 2f
Account Expiration and Access Review
- Account Expiration
  - Appropriate for temporary contract employees
- Account Access Review
  - Log and audit times of logon and logoff
  - Detect password-guessing attacks
  - Monitor remote access logins
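As an added example that is not from the slides, this Python script runs an account access review of the kind described in this section over a constructed logon log and account list: it flags accounts with repeated failed logons as a possible password-guessing attack, lists successful logons outside the permitted logon hours (the Time-of-Day Restrictions slide), and picks out expired and inactive accounts for disablement. The account names, dates, 90-day inactivity window and five-failure threshold are assumptions.

```python
# Added example, not from the slides: an account access review over constructed
# logon records, applying the checks this section lists.
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample logon log: (timestamp, account, result).
LOG = [
    ("2012-03-05 02:14:00", "jsmith", "failure"),
    ("2012-03-05 02:14:05", "jsmith", "failure"),
    ("2012-03-05 02:14:09", "jsmith", "failure"),
    ("2012-03-05 02:14:14", "jsmith", "failure"),
    ("2012-03-05 02:14:20", "jsmith", "failure"),
    ("2012-03-05 02:14:31", "jsmith", "success"),
    ("2012-03-05 09:02:00", "mjones", "success"),
    ("2012-03-05 10:30:00", "contractor1", "failure"),
]
# Constructed account records: last successful logon and expiry (None = never).
ACCOUNTS = {
    "jsmith":      {"last_logon": "2012-03-05", "expires": None},
    "mjones":      {"last_logon": "2012-03-05", "expires": None},
    "contractor1": {"last_logon": "2012-02-20", "expires": "2012-02-28"},
    "oldtemp":     {"last_logon": "2011-11-01", "expires": None},
}
REVIEW_DATE = datetime(2012, 3, 6)   # assumed date of the review

def password_guessing(log, threshold=5):
    """Accounts with at least `threshold` failed logons: a guessing attack."""
    fails = Counter(acct for _, acct, result in log if result == "failure")
    return sorted(acct for acct, n in fails.items() if n >= threshold)

def outside_hours(log, allowed=range(7, 19)):
    """Successful logons outside the permitted logon hours (07:00 to 18:59)."""
    return [(acct, ts) for ts, acct, result in log
            if result == "success" and datetime.fromisoformat(ts).hour not in allowed]

def accounts_to_disable(accounts, today=REVIEW_DATE, inactive_days=90):
    """Expired accounts and accounts inactive for more than `inactive_days`."""
    stale = today - timedelta(days=inactive_days)
    out = {}
    for name, info in accounts.items():
        if info["expires"] and datetime.fromisoformat(info["expires"]) < today:
            out[name] = "expired"
        elif datetime.fromisoformat(info["last_logon"]) < stale:
            out[name] = "inactive"
    return out

if __name__ == "__main__":
    print(password_guessing(LOG))           # ['jsmith']
    print(outside_hours(LOG))               # [('jsmith', '2012-03-05 02:14:31')]
    print(accounts_to_disable(ACCOUNTS))    # {'contractor1': 'expired', 'oldtemp': 'inactive'}
```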