SecurityDefend - Control Types

Sources: Security+ book, chapter 7; CISSP book, chapter 13.


Control Types

CompTIA lists the following control types in the objectives:

  • TAP principle (Technical, Administrative, Physical):
    • Technical controls use technology.
    • Administrative controls use administrative or management methods.
    • Physical controls are controls you can physically touch.
      • Increase response time.
  • Preventive controls attempt to prevent an incident from occurring.
  • Detective controls attempt to detect incidents after they have occurred.
  • Corrective controls attempt to reverse the impact of an incident.
  • Deterrent controls attempt to discourage individuals from causing an incident.
  • Compensating controls are alternative controls used when a primary control is not feasible.


Types of access control

  • Identify and authenticate users or other subjects attempting to access resources.
  • Determine whether the access is authorized.
  • Grant or restrict access based on the subject’s identity.
  • Monitor and record access attempts.

Access control types, their goals, and examples:

  • Preventive Access Control
    • Goal: thwart or stop unwanted or unauthorized activity from occurring.
    • Examples:
      • data classification, penetration testing, access control methods, encryption, antivirus software, firewalls, IPS, OS hardening
      • fences, locks, biometrics, mantraps, lighting, alarms, auditing, smartcards, callback procedures, security cameras, closed-circuit television (CCTV), security guards
      • separation of duties, job rotation, security policies, security awareness training
  • Detective Access Control
    • Goal: discover or detect unwanted or unauthorized activity, only after it has occurred.
    • Examples:
      • audit trails, honeypots or honeynets, security audits, IDS, system logs
      • security guards, motion detectors, recording and reviewing of events in CCTV, job rotation policies, mandatory vacation policies, violation reports, supervision and reviews of users, incident investigations
  • Corrective Access Control
    • Goal: modify the environment to return systems to normal after an unwanted or unauthorized activity has occurred; correct any problems caused by a security incident. Corrective controls can be simple.
    • Examples:
      • terminating malicious activity
      • rebooting a system
      • antivirus solutions that remove or quarantine a virus
      • backup and restore plans that restore lost data
      • an active IDS that modifies the environment to stop an attack in progress
      • IPS
      • a security guard performing a post-incident review
      • an alternate site
  • Deterrent Access Control
    • Goal: discourage security policy violations. Deterrent controls often depend on individuals deciding not to take an unwanted action; a preventive control, in contrast, simply blocks the action.
    • Examples:
      • policies, security awareness training, locks, fences, security badges, guards, mantraps, security cameras
      • warning signs, lighting, login banners
  • Recovery Access Control
    • Goal: repair or restore resources, functions, and capabilities after a security policy violation. Recovery controls are an extension of corrective controls but have more advanced or complex abilities.
    • Examples: backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, database or virtual machine shadowing.
  • Directive Access Control
    • Goal: direct, confine, or control the actions of subjects to force or encourage compliance with security policies.
    • Examples: security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.
  • Compensation Access Control
    • Goal: provide an alternative when it isn’t possible to use a primary control, or when necessary to increase the effectiveness of a primary control.
    • Example: a security policy might dictate the use of smartcards by all employees, but it takes a long time for new employees to get a smartcard. The organization could issue hardware tokens to employees as a compensating control, providing stronger authentication than just a username and password.
    • Example: a backup generator.

Technical Controls

  • Take the form of software or hardware devices.
  • Use technology to reduce vulnerabilities.

An administrator installs and configures a technical control, and the technical control then provides the protection automatically.

Examples:

  • Encryption: a strong technical control used to protect the confidentiality of data. This includes data transferred over a network and data stored on devices, such as servers, desktop computers, and mobile devices.
  • Antivirus software: provides protection against malware infection.
  • Intrusion detection/prevention systems (IDS/IPS): monitor a network or host for intrusions and provide ongoing protection against various threats.
  • Firewalls: network firewalls restrict network traffic going in and out of a network.
  • Least privilege: the principle of least privilege specifies that individuals or processes are granted only the privileges they need to perform their assigned tasks or functions, but no more. Privileges are a combination of rights and permissions.
  • Proxies, permissions, auditing, and similar technologies.
  • Authentication methods, such as passwords, smartcards, and biometrics.
  • Constrained interfaces, access control lists, protocols, routers, and clipping levels.


Administrative / operational / management controls

  • Take the form of methods mandated by organizational policies or guidelines.
  • Focus on personnel and business practices.
  • Many of the assessments listed below provide an ongoing review of an organization’s risk management capabilities.

Many administrative controls are also known as operational or management controls.

  • They help ensure that day-to-day operations of an organization comply with the organization’s overall security plan.
  • People (not technology) implement these controls.

Some common administrative controls are: policies, procedures, hiring practices, background checks, classifying and labeling data, reports and reviews, personnel controls, and testing.

  • Risk assessments: help quantify and qualify risks in an organization so it can focus on the serious risks.
    • Example: a quantitative risk assessment uses cost and asset values to quantify risks based on monetary values. A qualitative risk assessment uses judgments to categorize risks based on probability and impact.
  • Vulnerability assessments: discover current vulnerabilities or weaknesses. When necessary, an organization implements additional controls to reduce the risk from these vulnerabilities.
  • Penetration tests: go a step further than a vulnerability assessment by attempting to exploit vulnerabilities.
    • Example: a vulnerability assessment might discover a server isn’t kept up to date with current patches, making it vulnerable to some attacks. A penetration test would attempt to compromise the server by exploiting one or more of the unpatched vulnerabilities.
  • Security awareness and training: the importance of training to reduce risks cannot be overstated. Training helps users maintain password security, follow a clean desk policy, understand threats such as phishing and malware, and much more.
  • Configuration and change management: configuration management often uses baselines to ensure that systems start in a secure, hardened state. Change management helps ensure that changes don’t result in unintended configuration errors.
  • Contingency planning: helps an organization plan and prepare for potential system outages. The goal is to reduce the overall impact on the organization if an outage occurs.
  • Media protection: media includes physical media such as USB flash drives, external and internal drives, and backup tapes.
  • Physical and environmental protection: includes physical controls, such as cameras and door locks, and environmental controls, such as heating and ventilation systems.
    • Example: an access list identifies individuals allowed into a secured area. Guards then verify individuals are on the access list before allowing them in.

Physical Controls


Preventive Controls

Ideally, an organization won’t have any security incidents, and that is the primary goal of preventive controls: to prevent security incidents.

  • They work by eliminating vulnerabilities.

Some examples include:

  • Strong authentication
    • Example: strong authentication of cloud users ensures that only authorized personnel can access the data.
  • Code that disables inactive ports
    • Ensures that there are no available entry points for hackers.
  • Hardening: the practice of making a system or application more secure than its default configuration. This uses a defense-in-depth strategy with layered security. It includes:
    • disabling unnecessary ports and services,
    • implementing secure protocols,
    • using strong passwords along with a robust password policy,
    • and disabling default and unnecessary accounts.
  • Security awareness and training: ensuring that users are aware of security vulnerabilities and threats helps prevent incidents. When users understand how social engineers operate, they are less likely to be tricked.
    • Example: uneducated users might be tricked into giving a social engineer their passwords, but educated users will see through the tactics and keep their passwords secure.
  • Security guards: guards prevent and deter many attacks.
    • Example: guards can prevent unauthorized access into secure areas of a building by first verifying user identities. Although a social engineer might attempt to fool a receptionist into letting him into a secure area, the presence of a guard will deter many social engineers from even trying these tactics.
  • Change management: ensures that changes don’t result in unintended outages. Instead of administrators making changes on the fly, they submit the change to a change management process. It is both an operational control and a preventive control, because it attempts to prevent incidents.
  • Account disablement policy: ensures that user accounts are disabled when an employee leaves. This prevents anyone, including ex-employees, from continuing to use these accounts.

Detective Controls

  • Detect when vulnerabilities have been exploited, resulting in a security incident.
  • Discover the event after it has occurred.
  • The detective control then signals the preventive or corrective controls to address the issue.

Some examples of detective controls are:

  • IDS and network security monitoring tools (SIEM): an IDS is generally implemented in line with an intrusion prevention system (IPS). It continuously monitors computer systems for policy violations and malicious activity. As soon as it detects either of them, it can alert the system administrator. An advanced IDS may allow an organization to record information about security incidents and help security teams retrieve information such as the IP address and MAC address of the attack source.
  • Anti-virus/anti-malware tools: an anti-virus tool is generally installed on every system in an organizational network and performs regular scanning along with real-time alerts and updates. While traditional tools rely heavily on virus signatures, ideal anti-virus tools use behavior detection to discover viruses, worms, ransomware, trojan horses, and other malicious files. A dedicated policy may support the organization-wide implementation of an anti-virus tool.
  • Log monitoring to detect incidents: several different logs record details of activity on systems and networks. Some automated methods of log monitoring automatically detect potential incidents and report them right after they’ve occurred.
    • Example: firewall logs record details of all traffic that the firewall blocked.
  • Log monitoring to detect trends (trend analysis)
    • Example: an intrusion detection system (IDS) attempts to detect attacks and raise alerts or alarms. By analyzing past alerts, you can identify trends, such as an increase of attacks on a specific system.
  • Security audits: can examine the security posture of an organization.
    • Example: a password audit can determine if the password policy is ensuring the use of strong passwords. A periodic review of user rights can detect if users have more permissions than they should.
  • Video surveillance: a closed-circuit television (CCTV) system can record activity and detect what occurred. It’s worth noting that video surveillance can also be used as a deterrent control.
  • Motion detection: many alarm systems can detect motion from potential intruders and raise alarms.

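The trend-analysis form of log monitoring above, as an added example that is not from either book: constructed IDS alert lines (the date/host/signature layout and the host names are assumptions) are counted per target host per day, and a host whose latest-day alert count jumps well above its earlier daily average is flagged, which is the "increase of attacks on a specific system" that a detective control would hand to the corrective controls.

```python
# Added example (not from the book): trend analysis over IDS alert logs.
# Alerts are counted per target host per day; a host is flagged when its
# latest-day count exceeds its earlier daily average by a factor, i.e. the
# "increase of attacks on a specific system" trend described in the text.
from collections import defaultdict
from datetime import date

# Constructed sample alerts: ISO date, target host, IDS signature name.
SAMPLE_ALERTS = """\
2024-03-01 web01 ET SCAN Nmap Scripting Engine
2024-03-01 db01 ET POLICY Outbound MSSQL
2024-03-02 web01 ET WEB_SERVER SQL Injection Attempt
2024-03-02 web01 ET SCAN Nmap Scripting Engine
2024-03-03 db01 ET POLICY Outbound MSSQL
2024-03-03 web01 ET WEB_SERVER Possible Directory Traversal
2024-03-04 web01 ET WEB_SERVER SQL Injection Attempt
2024-03-04 web01 ET WEB_SERVER SQL Injection Attempt
2024-03-04 web01 ET WEB_SERVER Possible Directory Traversal
2024-03-04 web01 ET SCAN Nmap Scripting Engine
2024-03-04 db01 ET POLICY Outbound MSSQL
"""


def parse_alerts(text):
    """Return (date, host, signature) tuples; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # blank or truncated line
        day, host, signature = parts
        alerts.append((date.fromisoformat(day), host, signature))
    return alerts


def flag_trends(alerts, factor=2.0):
    """Map host -> (latest_day_count, baseline_per_day) for hosts whose alert
    count on their latest day is more than `factor` times their average daily
    count over the preceding days. Hosts seen on only one day are skipped."""
    per_host = defaultdict(lambda: defaultdict(int))
    for day, host, _sig in alerts:
        per_host[host][day] += 1
    flagged = {}
    for host, counts in per_host.items():
        days = sorted(counts)
        if len(days) < 2:
            continue
        latest = counts[days[-1]]
        # Divide by the calendar span so quiet days (no alerts at all) still
        # pull the baseline down instead of being ignored.
        span_days = (days[-1] - days[0]).days
        baseline = sum(counts[d] for d in days[:-1]) / span_days
        if latest > factor * baseline:
            flagged[host] = (latest, baseline)
    return flagged
```

With the sample data, web01 is flagged (4 alerts on the last day against a baseline of about 1.33 per day) while db01, which stays flat at one alert per observed day, is not.
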
Detection vs Prevention Controls

The differences between detection and prevention controls:

  • A detective control can’t predict when an incident will occur, and it can’t prevent it.
  • A preventive control prevents the incident from occurring at all.

Corrective Controls

  • Attempt to reverse the impact of an incident or problem after it has occurred.

Some examples of corrective controls are:

  • Intrusion prevention system (IPS): attempts to detect attacks and then modify the environment to block the attack from continuing.
  • Backups and system recovery: backups ensure that personnel can recover data if it is lost or corrupted. System recovery procedures ensure administrators can recover a system after a failure.

Deterrent Controls

  • Attempt to discourage a threat:
    • discourage potential attackers from attacking,
    • discourage employees from violating a security policy.
  • Many deterrent controls are often described as preventive controls.
    • Example: imagine an organization hires a security guard to control access to a restricted area of a building. This guard will deter most people from trying to sneak in simply by discouraging them from even trying. This deterrence prevents security incidents related to unauthorized access.

The following list identifies some physical security controls used to deter threats:

  • Cable locks: securing laptops to furniture with a cable lock deters thieves from stealing the laptops. Thieves can’t easily steal a laptop secured this way; if they try to remove the lock, they will destroy it. Admittedly, a thief could cut the cable with a large cable cutter. However, someone walking around with a four-foot cable cutter looks suspicious.
  • Hardware locks: other locks, such as locked doors securing a wiring closet or a server room, also deter attacks. Many server bay cabinets also include locking cabinet doors.

Compensating Controls

  • Are alternative controls used instead of a primary control.
  • Example: an organization might require employees to use smart cards when authenticating on a system. However, it might take time for new employees to receive their smart card. To allow new employees to access the network and still maintain a high level of security, the organization might choose to implement a Time-based One-Time Password (TOTP) as a compensating control. The compensating control still provides a strong authentication solution.

Types of Security in Cloud Computing

  • Network Segmentation
    • In multi-tenant SaaS environments, determine, assess, and isolate customer data.
  • Access Management
    • Use robust access management and user-level privileges.
    • Access to cloud environments, applications, etc. should be issued by role and audited frequently.
  • Password Control
    • Never allow shared passwords.
    • Passwords should be combined with authentication tools to ensure the greatest level of security.
  • Encryption
    • Protects your data at rest and in transit.
  • Vulnerability Scans and Management
    • Revolves around regular security audits and patching of any vulnerabilities.
  • Disaster Recovery
    • Have a plan and platforms in place for data backup, retention, and recovery.
  • Security Monitoring, Logging, and Alerting
    • Continuous monitoring across all environments and applications is a necessity for cloud computing security.
  • Procedural controls
    • Such as security awareness education, security framework compliance training, and incident response plans and procedures.
  • Compliance controls
    • Such as privacy laws and cybersecurity frameworks and standards designed to minimize security risks.
    • These typically require an information security risk assessment and impose information security requirements, with penalties for non-compliance.
    • Examples:
      • The National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
      • The International Organization for Standardization (ISO) standard ISO 27001, Information Security Management
      • The Payment Card Industry Data Security Standard (PCI DSS)
      • The Health Insurance Portability and Accountability Act (HIPAA)


This post is licensed under CC BY 4.0 by the author.
