Cybersecurity Bootcamp: Module 1 Security Controls

Security Controls

• Security controls are designed to protect an organization's valuable assets, including information systems, data, devices, facilities, and people.
• The purpose of security controls is to safeguard assets from various threats, ensuring confidentiality, integrity, and availability (CIA triad).
• Goals of security controls include:
  • Preventative measures: proactive steps to avoid security incidents.
  • Detection methods: identify and alert about ongoing security issues.
  • Corrective actions: respond to and contain security incidents to minimize damage.
  • Recovery strategies: restore systems and data to normal operations after a security incident.

Categories of Security Controls

• Technical controls: use technology to protect systems, networks, and data.
• Managerial controls: involve policies, procedures, and guidelines established by management to ensure effective implementation of security measures.
• Operational controls: focus on day-to-day activities and practices that support the overall security posture of an organization.
• Physical controls: involve measures to protect physical assets, facilities, and infrastructure.

Technical Controls

• Access controls: ensure that only authorized users are granted access to systems, applications, and data.
• Encryption: converts plaintext data into ciphertext to protect it from unauthorized access.
• Intrusion Detection and Prevention Systems (IDPS): monitor network traffic for signs of malicious activity or policy violations.
• Firewalls: establish a barrier between trusted internal networks and untrusted external networks.
• Endpoint security: protect individual devices from various threats.
• Secure configurations: harden operating systems, applications, and network devices to minimize vulnerabilities.

Managerial Controls

• Security policies: define the organization's security objectives, rules, and guidelines.
• Risk management: identify, assess, and prioritize risks to the organization's assets.
• Security awareness training: educate employees about security threats and best practices.
• Incident response planning: outlines procedures and protocols for detecting, responding to, and recovering from security incidents.
• Change management: ensures that changes to systems, applications, and configurations are managed in a controlled and documented manner.

Operational Controls

• Continuous monitoring: regularly monitor systems, networks, and applications for security events and anomalies.
• Backup and recovery: ensure that critical data and systems can be restored in the event of data loss or system failure.
• Patch management: apply patches and updates to systems and software to address known vulnerabilities.
• Incident response procedures: provide guidance on how to respond to security incidents.
• Business continuity planning: ensures that the organization can continue essential operations in the event of a disruption or disaster.

Physical Controls

• Perimeter security: control access to physical premises using fencing, gates, and barriers.
• Access controls: restrict physical access to sensitive areas, equipment, and assets.
• Surveillance: monitor and record activities in and around facilities to deter unauthorized access and provide evidence in case of security incidents.
• Environmental controls: protect equipment and sensitive materials from environmental hazards.
• Secure disposal: ensure that sensitive materials and equipment are properly disposed of to prevent unauthorized access to data and information.

Control Types

• Preventive controls: proactive measures designed to reduce the likelihood of security incidents.
• Deterrent controls: aim to discourage potential attackers or intruders by increasing the perceived risk or cost of unauthorized actions.
• Detective controls: focus on identifying security incidents or policy violations that have already occurred.
• Corrective controls: aim to restore systems, data, or processes to a secure state after a security incident has occurred.
• Compensating controls: alternative measures implemented to address specific security requirements when primary controls are not feasible or effective.
• Directive controls: establish explicit policies, guidelines, or procedures that direct and guide behavior or actions related to security practices.

Fundamental Security Concepts

Confidentiality, Integrity, and Availability (CIA)

• Confidentiality: protects sensitive information from unauthorized access, disclosure, or exposure.
• Integrity: ensures that data remains accurate, reliable, and unaltered throughout its lifecycle.
• Availability: ensures that information and resources are accessible and usable by authorized users whenever needed.

Non-repudiation

• Non-repudiation: ensures that a party cannot deny their involvement or disavow the validity of an action they have taken.
• Technologies and techniques: digital signatures, public key infrastructure (PKI), timestamping, and audit trails.
• Legal implications: provides evidence that can be used in legal proceedings to enforce contracts, resolve disputes, and establish liability.
• Business applications: essential in electronic commerce, online banking, electronic contracts, and digital document signing.### Authentication, Authorization, and Accounting (AAA)
• AAA triad forms the foundation for access control within a network
• Ensures only authorized users and devices can access specific resources
• Comprises three components: Authentication, Authorization, and Accounting

Authentication

• Verification of a user's or system's identity
• Ensures the entity requesting access is who they claim to be
• Methods of authentication:
  • Passwords: users provide a secret passphrase or combination of characters
  • Biometrics: authentication based on unique physical characteristics
  • Two-Factor Authentication (2FA): combines two different authentication factors
  • Multi-Factor Authentication (MFA): involves more than two factors
• Systems also need to authenticate each other in networked environments using cryptographic protocols

Authorization

• Defining access rights and access control
• Determines what actions or resources a user or system is allowed to access after successful authentication
• Authorization models:
  • Role-Based Access Control (RBAC): permissions assigned based on predefined roles
  • Attribute-Based Access Control (ABAC): access decisions based on attributes
  • Mandatory Access Control (MAC): access determined by security labels
  • Discretionary Access Control (DAC): access decisions at the discretion of resource owners
  • Access Control Lists (ACLs): explicitly define permissions for specific users or groups

Accounting

• Tracking and logging activities related to authentication and authorization
• Provides a record of who accessed what resources, when, and for what purpose
• Purpose and benefits:
  • Forensic analysis
  • Compliance auditing
  • Incident response

Security Gap Analysis

• Systematic process of comparing an organization's existing security measures against industry standards, best practices, or regulatory requirements
• Identifies weaknesses, vulnerabilities, and areas for improvement
• Steps involved:
  • Define goals and scope
  • Collect information
  • Identify requirements
  • Perform gap analysis
  • Develop remediation plan
  • Implement and monitor
• Techniques:
  • Self-assessment questionnaires
  • Vulnerability scans
  • Penetration testing
  • Security audits
• Benefits:
  • Proactive security posture
  • Improved risk management
  • Enhanced compliance
  • More efficient resource allocation

Zero Trust

• Security model that emphasizes continuous verification for every user and device trying to access an organization's resources
• Assumes all users and devices are potential threats
• Core principles:
  • Verify every access request
  • Least privilege access
  • Assume breach
  • Continuous monitoring and risk assessment
• Control plane:
  • Adaptive identity
  • Threat scope reduction
  • Policy-driven access control
  • Policy administrator
  • Policy engine
• Data plane:
  • Implicit trust zones (microperimeters)
  • Dynamic perimeters
  • Micro-segmentation
  • Subjects and systems
  • Dynamic trust evaluation
  • Continuous monitoring
  • Policy enforcement point (PEP)

Physical Security

• Measures and protocols designed to safeguard physical assets, facilities, and resources
• Importance:
  • Protects sensitive information
  • Ensures business continuity
  • Maintains a secure environment
• Components:
  • Bollards
  • Access control vestibules
  • Fencing
  • Video surveillance### Applications of Physical Security
• Deterring crime and vandalism
• Monitoring building entrances and exits
• Identifying suspicious activity
• Providing evidence after a security incident
• Monitoring high-risk areas like loading docks or cash handling areas

Security Guards

• Trained professionals providing a visible security presence
• Enforcing security policies
• Performing duties like:
  • Patrolling buildings and grounds
  • Monitoring security cameras
  • Escorting authorized personnel
  • Responding to alarms or security incidents
  • Access control (checking IDs, verifying credentials)

Access Badges

• Physical credentials used to electronically grant or deny access to secured doors, gates, or other access points
• Contain a chip storing a unique identifier linked to the user's access privileges
• Benefits:
  • More secure than traditional keys, as lost badges can be deactivated
  • Simplify access control management by allowing or revoking access electronically
  • Can be integrated with other security systems for a more comprehensive security solution

Lighting

• Illumination of indoor and outdoor spaces using artificial light sources
• Proper lighting deters crime by improving visibility and making it harder for intruders to operate in the dark
• Considerations:
  • Strategically placed lighting around building perimeters, entrances, and walkways
  • Use of motion-activated lights to deter nighttime activity
  • Balancing security needs with energy efficiency

Sensors

• Devices that detect and respond to changes in their environment or surroundings
• Types of sensors:
  • Infrared Sensors: detect heat signatures (body heat) for motion detection
  • Pressure Sensors: detect changes in pressure caused by someone stepping on a designated area
  • Microwave Sensors: detect movement behind walls or objects
  • Ultrasonic Sensors: detect high-frequency sound waves for perimeter security
• Choosing the right sensor depends on the specific location and security needs, considering factors like area being protected, desired detection range, and potential for false alarms

Deception and Disruption Technology

• Deception Technology:
  • Involves deploying decoys, traps, and false information to deceive and detect attackers
• Disruption Technology:
  • Involves active defensive measures to disrupt or neutralize cyber threats and adversaries
  • May include offensive tactics, countermeasures, or defensive actions aimed at disrupting attacker operations or infrastructure

Honeypot

• A decoy system or network segment intentionally deployed to attract, detect, and analyze unauthorized access or malicious activity
• Mimics legitimate services, applications, or data to lure attackers
• When attackers interact with the honeypot, security teams can analyze their tactics, techniques, and procedures (TTPs) to improve defensive strategies and mitigate risks
• Types of Honeypots:
  • Production Honeypots: deployed within the production environment to detect and respond to attacks targeting specific assets or services
  • Research Honeypots: isolated or controlled environments used for research purposes to study attacker behavior, collect threat intelligence, and develop countermeasures

Honeynet

• A network of interconnected honeypots and decoy systems deployed to simulate a realistic environment for attracting, monitoring, and analyzing malicious activity
• Provides a comprehensive view of attacker behavior and tactics by capturing interactions across multiple systems and services
• Enables security teams to gain insights into attack patterns, identify emerging threats, and enhance threat detection capabilities

Honeyfile

• A decoy or bait file intentionally placed within a file system to detect unauthorized access or data exfiltration
• Contains fictitious or benign data that is of no value to legitimate users but may attract and reveal the presence of unauthorized activity
• Monitored for access or modification, triggering alerts or defensive actions if interacted with
• Used to detect insider threats, data breaches, or unauthorized access attempts by external attackers

Honeytoken

• A unique, fake, or intentionally leaked credential or token used to detect unauthorized access or misuse
• Similar to a honeypot but focuses specifically on credentials or authentication mechanisms
• Distributed across various systems, applications, or data repositories and monitored for any attempts to use or access them
• If a honeytoken is accessed or used, it indicates unauthorized activity, credential theft, or insider abuse