Security Controls Overview
40 Questions


Questions and Answers

What is the primary goal of access controls in data security?

  • To control user and system interaction (correct)
  • To enable data sharing among users
  • To increase system speed
  • To monitor network traffic

Which step follows identification in the access control process?

  • Accountability
  • Access Initialization
  • Authentication (correct)
  • Authorization

Which of the following represents a method of identification in access controls?

  • User ID (correct)
  • Fingerprint
  • Access Rights
  • Password

Which access control model is based on the identity of the resource owner?

  • Discretionary Access Control (DAC) (correct)

What does strong authentication require?

  • At least two factors of authentication (correct)

What is the main purpose of the authorization step in access controls?

  • To define resource access levels (correct)

Which factor is NOT considered in the three authentication factors?

  • Something you can see (correct)

Which of the following is a characteristic of a good identification method?

  • Unique and not shared (correct)

What is the primary advantage of using an RBAC model in a high-turnover company?

  • It allows easy mapping of new users to predefined roles. (correct)

Which type of security control is designed to prevent attacks from occurring in the first place?

  • Deterrent controls (correct)

What is a key benefit of maintaining audit trails in security management?

  • They help in verifying compliance with policies. (correct)

Which password management approach allows users to reset their passwords without administrator intervention?

  • Self-service password reset (correct)

Which classification of control specifically aims to restore a system after a disaster?

  • Recovery controls (correct)

What is considered an example of a corrective control in security management?

  • Incident handling procedures (correct)

In the context of administrative controls, which of the following is a key task?

  • Conducting security-awareness training (correct)

What is a common approach to enhance password security?

  • Implementing a password rotation policy (correct)

What is a key characteristic of the discretionary access control (DAC) model?

  • Users can control access based on their identity or group memberships. (correct)

In a mandatory access control (MAC) model, what is primarily used for access decisions?

  • Security labels based on classifications and clearances. (correct)

Which type of access control model is organized around the roles held by users?

  • Role-Based Access Control (RBAC) (correct)

How does the MAC model impact a user's ability to manage system settings?

  • Users cannot change file permissions or install software. (correct)

What role do security administrators play in a MAC system?

  • They create and enforce security policies. (correct)

What is a disadvantage of using the DAC model?

  • It may lead to unauthorized access if users improperly share access rights. (correct)

What does the Role-Based Access Control (RBAC) model rely on for defining user permissions?

  • Operations and tasks associated with roles. (correct)

What do MAC systems primarily use to ensure sensitive data is protected?

  • A clear hierarchy of data classifications and user clearances. (correct)

Which of the following best describes the purpose of technical controls in security?

  • To enforce rules regarding user behavior and access permissions. (correct)

What is one of the key functions of physical controls in a security environment?

  • Controlling access to physical facilities. (correct)

Which of the following actions should be taken as part of access control practices?

  • Delay access after multiple failed logon attempts. (correct)

Which of the following is NOT considered a technical control?

  • CCTV surveillance (correct)

What action should be taken with obsolete user accounts according to access control practices?

  • Remove them as soon as the user leaves the company. (correct)

What is a significant risk posed by physical security breaches compared to malware attacks?

  • They can involve easily concealable devices. (correct)

Which of the following describes the concept of least-privilege access?

  • Only authorized users have elevated privileges. (correct)

What should be done with inactive accounts after 30 to 60 days?

  • They should be suspended. (correct)

Which of the following is NOT one of the top controls to manage security?

  • Data encryption (correct)

What does the principle of least privilege emphasize?

  • Providing minimal necessary access required for tasks (correct)

Which security method focuses on layering multiple defenses to protect systems?

  • Defense in Depth (correct)

What is the main purpose of compartmentalization in security?

  • To isolate and protect separate parts of the system (correct)

Which of the following emphasizes the need to minimize unnecessary applications in a system?

  • Minimization (correct)

What does 'keeping things simple' in a security system prevent?

  • Complexity that leads to insecurity (correct)

Which method uses specific points to analyze and control traffic effectively?

  • Choke points (correct)

Which statement describes the concept of 'fail securely/safely'?

  • Designing systems that maintain security even during failures (correct)

    Study Notes

    Security Controls

    • Security controls are safeguards to prevent, detect, correct, or minimize security risks.
    • They define actions for data security.
    • Types of controls include Administrative, Technical, and Physical.

    Administrative Controls

    • Develop and publish policies, standards, procedures, and guidelines.
    • Manage risk.
    • Screen personnel.
    • Conduct security awareness training.
    • Implement change control procedures.
    • Develop policies and procedures to ensure compliance.

    Technical Controls

    • Implement and maintain access control mechanisms.
    • Manage passwords and resource access.
    • Employ identification and authentication methods.
    • Configure the infrastructure.
    • Preventative examples include: encryption, network authentication, ACLs, file integrity auditing, patching, and IPS.
    • Detective examples include: security logs, NIDS, HIDS, and IPS.
    • Corrective/recovery examples include: restoring from backups and patching.

    Physical Controls

    • Control individual access to facilities and departments.
    • Lock systems and remove unnecessary drives or peripheral devices.
    • Protect facility perimeter.
    • Monitor for intrusions.
    • Employ environmental controls.
    • A physical security breach can cause far more damage than a worm attack alone.
    • USB drives can be easily concealed and used to synchronize files across devices.
    • Examples include: automated barriers, building management systems (HVAC, lifts), CCTV, electronic surveillance (EAS), fire detection systems, GIS mapping systems, intercoms, lighting, perimeter intrusion detection systems, radar-based systems, security alarms, video walls, power monitoring systems, and laptop locks.

    Access Control Concepts

    • Access controls manage user and system communication and interaction with other systems and resources.
    • They prevent unauthorized access.
    • Parts of access controls include identity, identification, authentication, authorization, accountability, and password management.

    Identity

    • A set of attributes related to an entity used by computer systems.
    • Represents a person, organization, application, or device.
    • Identification components require uniqueness, a standard naming scheme, and a non-descriptive approach.
    • Attributes should not be shared between users.

    Identification

    • This is the first step in applying access controls.
    • It confirms the entity requesting access is associated with the system's defined role.
    • It binds a user to the appropriate controls based on their identity.
    • Methods include: User ID, MAC address, IP address, PIN, identification badges, and email address.

    Authentication

    • The second step in access control, verifying a user's identity.
    • Uses information only known to the user.
    • Three factors of authentication are something a person knows (knowledge), something a person has (possession), and something a person is (characteristic).
    • Strong authentication combines at least two factors.

    Authorization

    • This step determines what resources a user needs and the type of access allowed.
    • Three models include:
      • DAC: Discretionary access control, based on user identity.
      • MAC: Mandatory access control, based on policy.
      • RBAC: Role-based access control, based on roles.

    Access Control Models

    • Discretionary Access Control (DAC): Owner decides who has access.
    • Mandatory Access Control (MAC): Policy determines access.
    • Role-Based Access Control (RBAC): Access based on roles.

    Accountability

    • Users are responsible for their actions.
    • Enforces security policies.
    • Tracks user, system, and application activities (e.g., audit trails, log files, audit tools).
    • Investigates security incidents.

    Password Management

    • A password security approach considers system versus user generation, strength (length, complexity, and dynamic updates), aging and rotation, and log-in attempts.
    • Password management approaches include password synchronization, self-service password reset, and assisted password reset.

    Access Control Practices

    • Deny access to undefined or anonymous accounts.
    • Limit and monitor powerful accounts such as administrators.
    • Suspend or delay access following unsuccessful log-in attempts.
    • Remove obsolete user accounts.
    • Suspend inactive accounts after appropriate timeframes (e.g., 30-60 days).
    • Enforce access criteria (need-to-know, least privilege).
    • Disable unused system features, services, and ports.

    Top 4 Security Controls

    • Application whitelisting
    • Patch applications
    • Patch operating systems
    • Restrict administrative privileges

    Commonly Used Security Methods

    • Least privilege: Limit access to only necessary resources.
    • Defense-in-depth: Layered security mechanisms.
    • Minimization: Avoid unnecessary components.
    • Keep things simple: Reduce complexity.
    • Compartmentalization: Divide the system into smaller sections.
    • Use choke points: Control access to key areas of the system.
    • Fail securely/safely: Minimize damage during failure.
    • Leverage unpredictability: Hide specific system details.
    • Separation of duties: Different users for different tasks in security.

    Midterm Test 1 Details

    • Content covers weeks 1 through 5.
    • Exam date: February 13, 2024
    • Duration: 1 hour and 5 minutes
    • Format: Open book, multiple-choice, and written questions.


    Related Documents

    Security Controls PDF

    Description

    This quiz covers the essentials of security controls, including administrative, technical, and physical safeguards designed to protect data. Each type of control plays a critical role in preventing, detecting, and correcting security risks. Test your understanding of the policies, mechanisms, and procedures involved in implementing effective security measures.
