Types of Security Controls

Questions and Answers

Which of the following security controls is primarily focused on day-to-day procedures within an organization?

  • Technical Security Controls
  • Managerial Security Controls
  • Operational Security Controls (correct)
  • Physical Security Controls

An organization wants to implement a security measure that ensures a party cannot deny their actions in a digital transaction. Which security principle should they implement?

  • Confidentiality
  • Non-Repudiation (correct)
  • Availability
  • Integrity

Which of the following is an example of a detective security control?

  • Log Monitoring (correct)
  • Encryption
  • Warning Signs
  • Data Backups

Which of the following is NOT a component of the AAA framework?

Auditing (A)

An organization wants to create decoy files to attract attackers. What type of file would be best suited for this purpose?

Honeyfile (C)

Which of the following security measures is designed to prevent unauthorized physical access, theft, damage, or destruction of material assets?

Physical Security Controls (A)

Which of the following protocols is considered deprecated or insecure and should not be used for secure communications?

SSL (A)

An organization needs to store copies of encryption keys with a trusted third party. Which cryptographic technique should they use?

Key Escrow (D)

Which security concept involves replacing sensitive data with non-sensitive substitutes, allowing processing without exposing the original data's value?

Tokenization (C)

Which of the following is a key exchange protocol that generates temporary keys for each session, providing forward secrecy?

DHE (D)

Flashcards

Technical Security Controls

Security measures executed by computer systems using technology.

Managerial Security Controls

Security measures focusing on reducing security incident risks via written policies.

Operational Security Controls

Security measures focused on day-to-day organizational procedures, implemented by people.

Physical Security Controls

Security measures designed to prevent unauthorized access, theft, or damage to physical assets.

Non-Repudiation

Ensuring that a party cannot deny their actions in a digital transaction.

AAA Framework

Verifying identity, granting/denying access, and tracking resource usage.

Gap Analysis

The process of identifying gaps between current and desired security posture.

Zero Trust Security

Eliminating implicit trust, requiring continuous verification for resource access.

Business Impact Analysis (BIA)

Evaluates the impact of disruptive incidents on business functions and operations.

Public Key Infrastructure (PKI)

Hierarchical system managing the lifecycle of digital certificates.

Study Notes

Technical Security Controls

  • Known as logical security controls
  • Executed by computer systems
  • Implemented using technology
  • Examples include encryption, Intrusion Detection Systems (IDS), and firewalls

Managerial Security Controls

  • Also known as administrative controls
  • Focuses on reducing the risk of security incidents
  • Documented in written policies
  • Examples include organizational security policy, risk assessments, and security awareness training

Operational Security Controls

  • Focuses on day-to-day procedures of an organization
  • Used to ensure equipment continues to work as specified
  • Primarily implemented and executed by people
  • Examples include configuration management, system backups, and patch management

Physical Security Controls

  • Designed to deter, detect, and prevent unauthorized access, theft, damage, or destruction of material assets
  • Data backups, firewalls, and asset management are not examples of physical security controls

Preventive Security Controls

  • Examples include encryption, firewalls and Antivirus (AV) software

Deterrent Security Controls

  • Examples include warning signs, lighting, and fencing/bollards

Detective Security Controls

  • Examples include log monitoring, security audits, CCTV, Intrusion Detection Systems (IDS), and vulnerability scanning

Corrective Security Controls

  • Examples include recovering data from backup copies, applying software updates and patches, developing and implementing Incident Response Plans (IRPs), and activating Disaster Recovery Plans (DRPs)

Compensating Security Controls

  • Examples include backup power systems, Multi-Factor Authentication (MFA), application sandboxing, and network segmentation

Directive Security Controls

  • Refers to security controls implemented through policies and procedures
  • Examples include Incident Response Plans (IRP) and Acceptable Use Policies (AUP)

Basic Principles of Information Security

  • CIA (Confidentiality, Integrity, Availability)

Non-Repudiation

  • Ensures a party in a digital transaction cannot deny their actions
  • Achieved using digital certificates

AAA Framework

  • Authentication verifies identity
  • Authorization grants or denies access
  • Accounting tracks resource consumption
  • Solutions include TACACS+ and RADIUS
  • Common authentication methods include usernames, passwords, biometrics, and MFA
  • Device authentication methods include digital certificates, IP addresses, and MAC addresses

Gap Analysis

  • Identifies differences between an organization's current and desired security posture

Zero Trust Security

  • Eliminates implicit trust from networks
  • Requires continuous verification for resource access
  • Components include the Data Plane (defines/manages policies) and Control Plane (enforces policies)

Adaptive Identity

  • Considers user identity, device security, network conditions, and contextual information
  • Enables dynamic access decisions

Policy Decision Point (PDP)

  • Key components include a policy engine and policy administrator (PA)

Policy Enforcement Point (PEP)

  • Enforces security policies defined by the PDP
  • Is a Data Plane component

Access Control Vestibule (Mantrap)

  • Physical security system to prevent unauthorized access to restricted areas

Honeypots

  • Mimic real systems to attract cyber attackers
  • Monitored for vulnerabilities
  • Examples include fake websites, servers, databases, and file shares

Honeyfile

  • Decoy file designed to appear valuable to attackers

Honeytoken

  • A unique identifier that tracks attackers
  • Active user account credentials and URLs to live websites or resources should not be used as honeytokens

Business Impact Analysis (BIA)

  • Assesses the impact of incidents on business functions

Public Key Infrastructure (PKI)

  • Hierarchical system for managing digital certificates

Public-Private Key Pair

  • One key for encryption, one for decryption
  • Used for data encryption

Key Escrow

  • Stores encryption key copies with a trusted third party for recovery
  • Ensures encrypted data can be decrypted if the owner loses their key

SED and FDE

  • SED is hardware-encrypted storage
  • FDE is software that provides confidentiality for an entire data storage device

Encryption Software Applications

  • GPG and PGP are designed to secure data communication and storage

HTTPS, SMTPS, and SHTTP

  • HTTPS secures web traffic via SSL/TLS encryption
  • SMTPS is deprecated for secure email transmission
  • SHTTP is an obsolete protocol for securing data transfer

MIME and S/MIME

  • MIME extends email format for graphics, audio, and video files
  • S/MIME enhances MIME with encryption, authentication, and security features

Secure File Transfer Protocols

  • SFTP is a secure file transfer protocol using SSH
  • Enables secure file transfer over insecure networks

Cryptographic Network Protocol - SSH

  • SSH provides secure data communication and remote command execution
  • Used to establish secure connections between networked computers

IPSec Suite

  • IPSec provides encryption, authentication, and integrity for network traffic
  • Includes ESP for authentication, integrity, and confidentiality

Virtual Private Network - VPN

  • VPN uses public networks to create private encrypted connections

Secure Real-time Transport Protocol - SRTP

  • SRTP secures real-time delivery of audio and video over IP
  • Provides encryption and authentication for multimedia streams

Encryption Protocols

  • CCMP is used in Wi-Fi networks implementing WPA2
  • TKIP is used to improve the security of existing WEP implementations

Deprecated/Insecure Encryption Protocols/Cryptographic Hash Functions

  • DES, MD5, SHA-1, SSL, and RC4 are considered deprecated or insecure

TLS

  • Designed to provide secure communications over a computer network
  • The successor to SSL

Cryptographic Concepts

  • Symmetric Encryption: uses the same key for both encryption and decryption (e.g., AES, DES, IDEA, RC4)
  • Asymmetric Encryption: uses a public-private key pair for encryption and decryption (e.g., RSA, ECC)

Additional Notes On Cryptography

  • DHE (Diffie-Hellman Ephemeral) is a key exchange algorithm, not a symmetric cipher
  • ECC (Elliptic Curve Cryptography), RSA and other algorithms are asymmetric encryption methods

Cryptographic Key Types and Protocols

  • KEK adds an additional layer of security when encrypting other cryptographic keys
  • Used in key management systems

Authentication Methods

  • PSK is used in WPA, WPA2, and EAP for secure connections

Key Exchange Protocols

  • IKE sets up secure connections and exchanges keys in IPSec VPNs
  • DHE generates temporary keys for each session
    • Provides forward secrecy
    • Enhances security by preventing compromise of previous sessions

Cryptographic Algorithms

  • ECDHE uses ECC for enhanced security and efficiency
    • Ideal for high-speed applications requiring strong encryption
  • RSA is used for digital signatures, secure key exchange, and encryption
  • ECC is best suited for low-powered devices

Security Considerations

  • PFS strengthens the security of session keys by regularly updating or rotating them
    • Minimizes exposure to potential attacks

Cryptographic Algorithm Comparison

  • AES is least vulnerable to attacks, making it reliable for data encryption

Cryptographic Algorithms & Concepts

  • Symmetric-Key Block Ciphers:
    • AES is the recommended replacement for DES
      • Provides strong encryption
      • 256-bit key offers the highest level of security
    • DES is legacy and deprecated
    • IDEA is deprecated, largely replaced by AES
    • ECB is the simplest, weakest block cipher mode
    • CBC chains ciphertext blocks
      • Enhances security
    • CFB transforms a block cipher into a stream cipher
    • CTM generates a pseudorandom stream of data blocks for encryption
    • GCM combines CTM for encryption with an authentication mechanism

Stream Ciphers

  • RC4 is deprecated, used in legacy applications like WEP

Key Concepts

  • Key Size/Length determines strength
    • Longer keys = stronger security
  • IV ensures unique ciphertext outputs for the same plaintext
  • XOR is a logical operation used in encryption and obfuscation

Cryptographic Functions & Techniques

  • Hash Functions:
    • Mathematical algorithms that map data to a fixed-size hash value
    • Used for cryptography, data integrity, password verification, digital signatures, and blockchain
    • MD5 is deprecated due to vulnerabilities
  • Obfuscation techniques hide the true meaning of data
  • Steganography hides data within other data
  • Tokenization replaces sensitive data with non-sensitive tokens
  • Data Masking replaces sensitive data with masked characters
    • For example, replacing password characters with asterisks

Security Hardware & Systems

  • TPM is embedded for secure boot, disk encryption, and system integrity
  • HSM is for cryptographic operations and key management
  • KDC distributes cryptographic keys and authenticates users
  • TGT is a Kerberos token for accessing multiple network services without re-authentication
  • Secure Enclave is a protected environment for secure data and cryptographic operations

General Security Principles

  • IV is used to ensure that the same key does not produce the same cipher output
  • A secure enclave is a protected and isolated hardware or software environment where sensitive data is secured
  • Obfuscation techniques obscure or hide the true meaning or nature of data
  • Tokenization replaces sensitive data with non-sensitive information that holds a reference to the original data
  • Hash functions find applications in cryptography, data integrity verification, password verification and storage, digital signatures, and blockchain technology
