Security Controls Overview

Questions and Answers

What is the primary goal of access controls in data security?

• To control user and system interaction (correct)
• To enable data sharing among users
• To increase system speed
• To monitor network traffic

Which step follows identification in the access control process?

• Accountability
• Access Initialization
• Authentication (correct)
• Authorization

Which of the following represents a method of identification in access controls?

• User ID (correct)
• Fingerprint
• Access Rights
• Password

Which access control model is based on the identity of the resource owner?

Discretionary Access Control (DAC) (C)

What does strong authentication require?

At least two factors of authentication (C)

What is the main purpose of the authorization step in access controls?

To define resource access levels (C)

Which factor is NOT considered in the three authentication factors?

Something you can see (A)

Which of the following is a characteristic of a good identification method?

Unique and not shared (A)

What is the primary advantage of using an RBAC model in a high turnover company?

It allows easy mapping of new users to predefined roles. (D)

Which type of security control is designed to prevent attacks from occurring in the first place?

Deterrent controls (B)

What is a key benefit of maintaining audit trails in security management?

They help in verifying compliance with policies. (B)

Which password management approach allows users to reset their passwords without administrator intervention?

Self-service password reset (C)

Which classification of control specifically aims to restore a system after a disaster?

Recovery controls (A)

What is considered an example of corrective control in security management?

Incident handling procedures (D)

In the context of administrative controls, which of the following is a key task?

Conducting security-awareness training (C)

What is a common approach to enhance password security?

Implementing a password rotation policy (B)

What is a key characteristic of the discretionary access control (DAC) model?

Users can control access based on their identity or group memberships. (A)

In a mandatory access control (MAC) model, what is primarily used for access decisions?

Security labels based on classifications and clearances. (D)

Which type of access control model is organized around the roles held by users?

Role-Based Access Control (RBAC) (B)

How does the MAC model impact a user's ability to manage system settings?

Users cannot change file permissions or install software. (C)

What role do security administrators play in a MAC system?

They create and enforce security policies. (A)

What is a disadvantage of using the DAC model?

It may lead to unauthorized access if users improperly share access rights. (B)

What does the Role-Based Access Control (RBAC) model rely on for defining user permissions?

Operations and tasks associated with roles. (D)

What do MAC systems primarily use to ensure sensitive data is protected?

A clear hierarchy of data classifications and user clearances. (A)

Which of the following best describes the purpose of technical controls in security?

To enforce rules regarding user behavior and access permissions. (A)

What is one of the key functions of physical controls in a security environment?

Controlling access to physical facilities. (B)

Which of the following actions should be taken as part of access control practices?

Delay access after multiple failed logon attempts. (B)

Which of the following is NOT considered a technical control?

CCTV surveillance (B)

What action should be taken with obsolete user accounts according to access control practices?

Remove them as soon as the user leaves the company. (C)

What is a significant risk posed by physical security breaches compared to malware attacks?

They can involve easily concealable devices. (A)

Which of the following describes the concept of least-privilege access?

Only authorized users have elevated privileges. (C)

What should be done with inactive accounts after 30 to 60 days?

They should be suspended. (B)

Which of the following is NOT one of the top controls to manage security?

Data encryption (B)

What does the principle of least privilege emphasize?

Providing minimal necessary access required for tasks (D)

Which security method focuses on layering multiple defenses to protect systems?

Defense in Depth (D)

What is the main purpose of compartmentalization in security?

To isolate and protect separate parts of the system (A)

Which of the following emphasizes the need to minimize unnecessary applications in a system?

Minimization (A)

What does 'keeping things simple' in a security system prevent?

Complexity that leads to insecurity (A)

Which method uses specific points to analyze and control traffic effectively?

Choke points (D)

Which statement describes the concept of 'fail securely/safely'?

Designing systems that maintain security even during failures (A)

Flashcards

Access Control

Security features controlling user and system interaction with resources. It protects resources from unauthorized access.

Identity

The set of characteristics assigned to an entity to identify it in a computer system.

Identification

The process of verifying the user's identity.

Authentication

Verifying a user's claimed identity using known information.

Authorization

Determining what access levels a user gets to resources.

Discretionary Access Control (DAC)

Access control based on the owner's choices for who can access the resource.

Authentication Factors

Things a person knows, has, and is.

Strong Authentication

Combining multiple authentication factors for better security.

Mandatory Access Control (MAC)

Access control based on fixed security policies, not the owner's discretion. It restricts user control.

Security Label

A classification of data (e.g., confidential, secret) and the corresponding clearance level of the user.

Role-Based Access Control (RBAC)

Access control that grants access based on the user's role and responsibilities.

Subject

The entity requesting access to a resource (e.g., a user).

Object

The resource accessed (e.g., a file, a database).

User Identity

Unique identification of a user, as an individual user.

Group Membership

A way to group users to control access for multiple users.

Accountability

Ensuring users are responsible for their actions and that security policies are followed.

Audit Trails

Records of user activity, system events, and application actions used for security investigations and accountability.

Technical Controls

Security measures implemented and managed by computer systems, often called logical controls, to protect information assets.

Preventative Controls

Measures taken to stop security incidents before they happen, like strong passwords and firewalls.

Detective Controls

Methods used to detect security breaches after they have occurred, like logging and intrusion detection systems.

Corrective/Recovery Controls

Actions taken to recover from a security incident, including restoring data and patching vulnerabilities.

Physical Controls

Security measures that protect physical assets and environments, like locks, cameras, and security guards.

Access Control Practices

Procedures to limit and monitor access to systems and resources based on user identity and need-to-know.

Limit Administrator Accounts

Restricting access to powerful accounts that can alter system settings, minimizing the risk of unauthorized changes.

Suspend Inactive Accounts

Temporarily disabling user accounts after a period of inactivity, making it difficult for malicious actors to exploit them.

Least Privilege

Give users and applications only the minimum permissions needed to function.

Defense-in-Depth

Multiple layers of security measures are used to protect data, ensuring even if one layer fails, others provide protection.

Minimization

Run only the essential applications on a system to reduce security risks.

Keep Things Simple

Complexity in a security system increases vulnerabilities, so keep it straightforward and easy to manage.

Compartmentalization

Divide a system into isolated compartments to limit damage if one part is compromised.

Use Choke Points

Control and monitor network traffic at specific points in the system.

Fail Securely

If a system fails, it should default to a secure state to prevent unauthorized access.

Leverage Unpredictability

Make it difficult for attackers to predict system behavior by introducing randomness and unpredictability.

RBAC Model

A system where access is granted based on user roles and responsibilities, not individual permissions.

Password Aging & Rotation

Regularly requiring users to change their passwords to prevent unauthorized access.

Self-Service Password Reset

Allowing users to reset their own passwords without contacting an administrator.

Deterrent Controls

Security measures designed to discourage attacks by making them less attractive.

Corrective Controls

Security measures that aim to recover from a security incident and minimize damage.

Study Notes

Security Controls

• Security controls are safeguards to prevent, detect, correct, or minimize security risks.
• They define actions for data security.
• Types of controls include Administrative, Technical, and Physical.

Administrative Controls

• Develop and publish policies, standards, procedures, and guidelines.
• Manage risk.
• Screen personnel.
• Conduct security awareness training.
• Implement change control procedures.
• Develop policies and procedures to ensure compliance.

Technical Controls

• Implement and maintain access control mechanisms.
• Manage passwords and resource access.
• Employ identification and authentication methods.
• Configure the infrastructure.
• Preventative examples include: encryption, network authentication, ACLs, file integrity auditing, patching, and IPS.
• Detective examples include: security logs, NIDS, HIDS, and IPS.
• Corrective/recovery examples include: restoring from backups and patching.

Physical Controls

• Control individual access to facilities and departments.
• Lock systems and remove unnecessary drives or peripheral devices.
• Protect facility perimeter.
• Monitor for intrusions.
• Employ environmental controls.
• Physical security breaches lead to more problems than just a worm attack.
• USB drives can be easily concealed and used to synchronize files across devices.
• Examples include: automated barriers, building management systems (HVAC, lifts), CCTV, electronic surveillance (EAS), fire detection systems, GIS mapping systems, intercoms, lighting, perimeter intrusion detection systems, radar-based systems, security alarms, video walls, power monitoring systems, and laptop locks.

Access Control Concepts

• Access controls manage user and system communication and interaction with other systems and resources.
• They prevent unauthorized access.
• Parts of access controls include identity, identification, authentication, authorization, accountability, and password management.

Identity

• A set of attributes related to an entity used by computer systems.
• Represents a person, organization, application, or device.
• Identification components require uniqueness, a standard naming scheme, and a non-descriptive approach.
• Attributes should not be shared between users.

Identification

• This is the first step in applying access controls.
• It confirms the entity requesting access is associated with the system's defined role.
• It binds a user to the appropriate controls based on their identity.
• Methods include: User ID, MAC address, IP address, PIN, identification badges, and email address.

Authentication

• The second step in access control, verifying a user's identity.
• Uses information only known to the user.
• Three factors of authentication are something a person knows (knowledge), something a person has (possession), and something a person is (characteristic).
• Strong authentication combines at least two factors.

Authorization

• This step determines what resources a user needs and the type of access allowed.
• Three models include:
  • DAC: Discretionary access control, based on user identity.
  • MAC: Mandatory access control, based on policy.
  • RBAC: Role-based access control, based on roles.

Access Control Models

• Discretionary Access Control (DAC): Owner decides who has access.
• Mandatory Access Control (MAC): Policy determines access.
• Role-Based Access Control (RBAC): Access based on roles.

Accountability

• Users are responsible for their actions.
• Enforces security policies.
• Tracks user, system, and application activities (e.g., audit trails, log files, audit tools).
• Investigates security incidents.

Password Management

• Password security approach considers system versus user generation, strength (length, complexity, and dynamic updates), aging and rotation, and log-in attempts.
• Password management approaches include password synchronization, self-service password reset, and assisted password reset.

Access Control Practices

• Deny access to undefined or anonymous accounts.
• Limit and monitor powerful accounts such as administrators.
• Suspend or delay access following unsuccessful log-in attempts.
• Remove obsolete user accounts.
• Suspend inactive accounts after appropriate timeframes (e.g., 30-60 days.)
• Enforce access criteria (need-to-know, least privilege).
• Disable unused system features, services, and ports.

Top 4 Security Controls

• Application whitelisting
• Patch applications
• Patch operating systems
• Restrict administrative privileges

Commonly Used Security Methods

• Least privilege: Limit access to only necessary resources.
• Defense-in-depth: Layered security mechanisms.
• Minimization: Avoid unnecessary components.
• Keep things simple: Reduce complexity
• Compartmentalization: Divide the system into smaller sections.
• Use choke points: Control access to key areas of the system.
• Fail securely/safely: Minimize damage during failure.
• Leverage unpredictability: Hide specific system details.
• Separation of duties: Different users for different tasks in security.

Midterm Test 1 Details

• Content covers weeks 1 through 5.
• Exam date: February 13, 2024
• Duration: 1 hour and 5 minutes
• Format: Open book, multiple-choice, and written questions.

Description

This quiz covers the essentials of security controls, including administrative, technical, and physical safeguards designed to protect data. Each type of control plays a critical role in preventing, detecting, and correcting security risks. Test your understanding of the policies, mechanisms, and procedures involved in implementing effective security measures.