Security Controls Overview
40 Questions
0 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What is the primary goal of access controls in data security?

  • To control user and system interaction (correct)
  • To enable data sharing among users
  • To increase system speed
  • To monitor network traffic
  • Which step follows identification in the access control process?

  • Accountability
  • Access Initialization
  • Authentication (correct)
  • Authorization
  • Which of the following represents a method of identification in access controls?

  • User ID (correct)
  • Fingerprint
  • Access Rights
  • Password
  • Which access control model is based on the identity of the resource owner?

    <p>Discretionary Access Control (DAC)</p> Signup and view all the answers

    What does strong authentication require?

    <p>At least two factors of authentication</p> Signup and view all the answers

    What is the main purpose of the authorization step in access controls?

    <p>To define resource access levels</p> Signup and view all the answers

    Which factor is NOT considered in the three authentication factors?

    <p>Something you can see</p> Signup and view all the answers

    Which of the following is a characteristic of a good identification method?

    <p>Unique and not shared</p> Signup and view all the answers

    What is the primary advantage of using an RBAC model in a high turnover company?

    <p>It allows easy mapping of new users to predefined roles.</p> Signup and view all the answers

    Which type of security control is designed to prevent attacks from occurring in the first place?

    <p>Deterrent controls</p> Signup and view all the answers

    What is a key benefit of maintaining audit trails in security management?

    <p>They help in verifying compliance with policies.</p> Signup and view all the answers

    Which password management approach allows users to reset their passwords without administrator intervention?

    <p>Self-service password reset</p> Signup and view all the answers

    Which classification of control specifically aims to restore a system after a disaster?

    <p>Recovery controls</p> Signup and view all the answers

    What is considered an example of corrective control in security management?

    <p>Incident handling procedures</p> Signup and view all the answers

    In the context of administrative controls, which of the following is a key task?

    <p>Conducting security-awareness training</p> Signup and view all the answers

    What is a common approach to enhance password security?

    <p>Implementing a password rotation policy</p> Signup and view all the answers

    What is a key characteristic of the discretionary access control (DAC) model?

    <p>Users can control access based on their identity or group memberships.</p> Signup and view all the answers

    In a mandatory access control (MAC) model, what is primarily used for access decisions?

    <p>Security labels based on classifications and clearances.</p> Signup and view all the answers

    Which type of access control model is organized around the roles held by users?

    <p>Role-Based Access Control (RBAC)</p> Signup and view all the answers

    How does the MAC model impact a user's ability to manage system settings?

    <p>Users cannot change file permissions or install software.</p> Signup and view all the answers

    What role do security administrators play in a MAC system?

    <p>They create and enforce security policies.</p> Signup and view all the answers

    What is a disadvantage of using the DAC model?

    <p>It may lead to unauthorized access if users improperly share access rights.</p> Signup and view all the answers

    What does the Role-Based Access Control (RBAC) model rely on for defining user permissions?

    <p>Operations and tasks associated with roles.</p> Signup and view all the answers

    What do MAC systems primarily use to ensure sensitive data is protected?

    <p>A clear hierarchy of data classifications and user clearances.</p> Signup and view all the answers

    Which of the following best describes the purpose of technical controls in security?

    <p>To enforce rules regarding user behavior and access permissions.</p> Signup and view all the answers

    What is one of the key functions of physical controls in a security environment?

    <p>Controlling access to physical facilities.</p> Signup and view all the answers

    Which of the following actions should be taken as part of access control practices?

    <p>Delay access after multiple failed logon attempts.</p> Signup and view all the answers

    Which of the following is NOT considered a technical control?

    <p>CCTV surveillance</p> Signup and view all the answers

    What action should be taken with obsolete user accounts according to access control practices?

    <p>Remove them as soon as the user leaves the company.</p> Signup and view all the answers

    What is a significant risk posed by physical security breaches compared to malware attacks?

    <p>They can involve easily concealable devices.</p> Signup and view all the answers

    Which of the following describes the concept of least-privilege access?

    <p>Only authorized users have elevated privileges.</p> Signup and view all the answers

    What should be done with inactive accounts after 30 to 60 days?

    <p>They should be suspended.</p> Signup and view all the answers

    Which of the following is NOT one of the top controls to manage security?

    <p>Data encryption</p> Signup and view all the answers

    What does the principle of least privilege emphasize?

    <p>Providing minimal necessary access required for tasks</p> Signup and view all the answers

    Which security method focuses on layering multiple defenses to protect systems?

    <p>Defense in Depth</p> Signup and view all the answers

    What is the main purpose of compartmentalization in security?

    <p>To isolate and protect separate parts of the system</p> Signup and view all the answers

    Which of the following emphasizes the need to minimize unnecessary applications in a system?

    <p>Minimization</p> Signup and view all the answers

    What does 'keeping things simple' in a security system prevent?

    <p>Complexity that leads to insecurity</p> Signup and view all the answers

    Which method uses specific points to analyze and control traffic effectively?

    <p>Choke points</p> Signup and view all the answers

    Which statement describes the concept of 'fail securely/safely'?

    <p>Designing systems that maintain security even during failures</p> Signup and view all the answers

    Study Notes

    Security Controls

    • Security controls are safeguards to prevent, detect, correct, or minimize security risks.
    • They define actions for data security.
    • Types of controls include Administrative, Technical, and Physical.

    Administrative Controls

    • Develop and publish policies, standards, procedures, and guidelines.
    • Manage risk.
    • Screen personnel.
    • Conduct security awareness training.
    • Implement change control procedures.
    • Develop policies and procedures to ensure compliance.

    Technical Controls

    • Implement and maintain access control mechanisms.
    • Manage passwords and resource access.
    • Employ identification and authentication methods.
    • Configure the infrastructure.
    • Preventative examples include: encryption, network authentication, ACLs, file integrity auditing, patching, and IPS.
    • Detective examples include: security logs, NIDS, HIDS, and IPS.
    • Corrective/recovery examples include: restoring from backups and patching.

    Physical Controls

    • Control individual access to facilities and departments.
    • Lock systems and remove unnecessary drives or peripheral devices.
    • Protect facility perimeter.
    • Monitor for intrusions.
    • Employ environmental controls.
    • Physical security breaches lead to more problems than just a worm attack.
    • USB drives can be easily concealed and used to synchronize files across devices.
    • Examples include: automated barriers, building management systems (HVAC, lifts), CCTV, electronic surveillance (EAS), fire detection systems, GIS mapping systems, intercoms, lighting, perimeter intrusion detection systems, radar-based systems, security alarms, video walls, power monitoring systems, and laptop locks.

    Access Control Concepts

    • Access controls manage user and system communication and interaction with other systems and resources.
    • They prevent unauthorized access.
    • Parts of access controls include identity, identification, authentication, authorization, accountability, and password management.

    Identity

    • A set of attributes related to an entity used by computer systems.
    • Represents a person, organization, application, or device.
    • Identification components require uniqueness, a standard naming scheme, and a non-descriptive approach.
    • Attributes should not be shared between users.

    Identification

    • This is the first step in applying access controls.
    • It confirms the entity requesting access is associated with the system's defined role.
    • It binds a user to the appropriate controls based on their identity.
    • Methods include: User ID, MAC address, IP address, PIN, identification badges, and email address.

    Authentication

    • The second step in access control, verifying a user's identity.
    • Uses information only known to the user.
    • Three factors of authentication are something a person knows (knowledge), something a person has (possession), and something a person is (characteristic).
    • Strong authentication combines at least two factors.

    Authorization

    • This step determines what resources a user needs and the type of access allowed.
    • Three models include:
      • DAC: Discretionary access control, based on user identity.
      • MAC: Mandatory access control, based on policy.
      • RBAC: Role-based access control, based on roles.

    Access Control Models

    • Discretionary Access Control (DAC): Owner decides who has access.
    • Mandatory Access Control (MAC): Policy determines access.
    • Role-Based Access Control (RBAC): Access based on roles.

    Accountability

    • Users are responsible for their actions.
    • Enforces security policies.
    • Tracks user, system, and application activities (e.g., audit trails, log files, audit tools).
    • Investigates security incidents.

    Password Management

    • Password security approach considers system versus user generation, strength (length, complexity, and dynamic updates), aging and rotation, and log-in attempts.
    • Password management approaches include password synchronization, self-service password reset, and assisted password reset.

    Access Control Practices

    • Deny access to undefined or anonymous accounts.
    • Limit and monitor powerful accounts such as administrators.
    • Suspend or delay access following unsuccessful log-in attempts.
    • Remove obsolete user accounts.
    • Suspend inactive accounts after appropriate timeframes (e.g., 30-60 days.)
    • Enforce access criteria (need-to-know, least privilege).
    • Disable unused system features, services, and ports.

    Top 4 Security Controls

    • Application whitelisting
    • Patch applications
    • Patch operating systems
    • Restrict administrative privileges

    Commonly Used Security Methods

    • Least privilege: Limit access to only necessary resources.
    • Defense-in-depth: Layered security mechanisms.
    • Minimization: Avoid unnecessary components.
    • Keep things simple: Reduce complexity
    • Compartmentalization: Divide the system into smaller sections.
    • Use choke points: Control access to key areas of the system.
    • Fail securely/safely: Minimize damage during failure.
    • Leverage unpredictability: Hide specific system details.
    • Separation of duties: Different users for different tasks in security.

    Midterm Test 1 Details

    • Content covers weeks 1 through 5.
    • Exam date: February 13, 2024
    • Duration: 1 hour and 5 minutes
    • Format: Open book, multiple-choice, and written questions.

    Studying That Suits You

    Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

    Quiz Team

    Related Documents

    Security Controls PDF

    Description

    This quiz covers the essentials of security controls, including administrative, technical, and physical safeguards designed to protect data. Each type of control plays a critical role in preventing, detecting, and correcting security risks. Test your understanding of the policies, mechanisms, and procedures involved in implementing effective security measures.

    More Like This

    5_1_Security Controls
    12 questions

    5_1_Security Controls

    UnmatchedMandolin avatar
    UnmatchedMandolin
    Use Quizgecko on...
    Browser
    Browser