There are a wide variety of security controls used to mitigate the risk of being attacked; the three main categories of security control are technical, administrative, and physical. In this section, we are going to look at these in more detail; you need to be familiar with each of these controls and when each of them should be applied. Let's start by looking at the three main controls.
Administrative controls are mainly written by managers to create organizational policies that reduce risk within the company. An example is an internet-use policy, which makes employees aware that the internet may only be used for company business and not for social media during the working day. Another administrative control would be completing a form to apply for a holiday; the form would be available from the forms library.
Note
Administrative controls could be writing a policy, completing a form, and getting your ID badge re-keyed annually.
- Annual security awareness training: This is an annual event where you are reminded of what you should be doing on a daily basis to keep the company safe. One example is clearing your desk and locking all documents away when you finish for the day; another is the reminder that your identity badge should be worn at all times and that you should challenge anyone not wearing a badge. Companies now also need their employees to complete cyber security training, as the risk grows greater each day.
- Annual risk assessment: A company will keep a risk register in which the financial director records all of the risks associated with money and the IT manager records all of the risks posed by the IT infrastructure. As technology changes and attackers become more sophisticated, the risks can grow.
- Penetration testing/vulnerability scanning: A vulnerability scan is not intrusive as it merely checks for vulnerabilities, whereas a penetration test is more intrusive and can exploit vulnerabilities. These will be explained further into this book.
- Change management: This is a process that a company adopts so that changes do not introduce security risks to the company. A change in one department could impact another department. The Change Advisory Board (CAB) assists with the prioritization of changes; it also looks at the financial benefits of each change and may accept or reject the proposed changes for the benefit of the company. Information technology (IT) evolves rapidly, and our processes will need to change to cope with the potential security risks associated with newer technology.
Deterrent controls include CCTV and motion sensors. When someone walks past a building and the motion sensors detect them, the lights turn on to deter them.
A sign on a building stating that it is monitored by CCTV deters someone from breaking into your premises, as they believe they are being filmed, even though there may not be a camera inside; they don't know that.
Note
CCTV and motion sensors are deterrent controls. CCTV is also a form of detective control: following an incident, you review the footage to see how the incident happened.
Corrective controls are the actions you take to recover from an incident. You may lose a hard drive that contained data; in that case, you would replace the data from a backup you had previously taken.
Fire-suppression systems are another form of corrective control. You may have had a fire in your data center that destroyed many servers, so when you purchase replacements, you may install an oxygen-suppressant system. This method uses argon/nitrogen and sometimes a small amount of CO2 to displace the oxygen in the server room. The basis of this method is to reduce the oxygen level to below 15%, because at that level a fire is suppressed.
Compensating controls, also called alternative controls, are mechanisms put in place to satisfy the requirements of a security measure that is deemed too difficult or impractical to implement at the present time. It is similar to going shopping with $100 in cash: once you have spent the cash, you have to use a credit card as a compensating control.
An example of this is where a new person has just been employed by a company where the normal way to log in is with a smart card and PIN. The smart card resembles a bank card with a chip; you insert it into your laptop or keyboard and then enter a PIN to log in. It may take 3-5 days to get a new smart card, so during the waiting period the new employee may log in using a username and password.
The three main parts of access control are identifying an individual, authenticating them when they enter a password or PIN, and then authorization, where different individuals are given different levels of access to different data. For example, someone working in finance will need a higher level of security clearance and access to different data than the person who dispatches orders in finished goods:
- Identification: This is similar to everyone having their own bank account; the account is identified by the account details on the bank card. Identification in a security environment may involve a user account, a smart card, or maybe a fingerprint; it is unique to that individual.
- Authentication: Once the individual has presented their method of identification, they next need to be authenticated, for example, by entering a password or a PIN.
- Authorization: This is the level of access you have to selective data. You are normally a member of certain groups, for example, a sales manager could access data from the sales group and then access data from the managers group. You will only be given the minimum amount of access required to perform your job; this is known as least privilege.
Discretionary access control
Discretionary access control (DAC) is the model behind New Technology File System (NTFS) file permissions, used in Microsoft operating systems; the owner of the data decides who is given access. The user is only given the access that they need to perform their job.
The permissions are as follows:
- Full control: Full access
- Modify: Change data, read, and read and execute
- Read and execute: Read the file and run a program if one is inside it
- List folder contents: Expand a folder to see the subfolders inside it
- Read: Read the contents
- Write: Allows you to write to the file
- Special permissions: Allows granular access; for example, it breaks each of the previous permissions into a more granular level
- Data creator/owner: The person who creates the unclassified data is called the owner, and they are responsible for deciding who has access to that data.
Least privilege is where you give someone only the limited level of access required to perform their job role; this is known as the need-to-know basis. The company will write a least privilege policy so that the administrators know how to manage it.
Mandatory Access Control (MAC) is based on the classification level of the data, which reflects how much damage its disclosure could cause to the interests of the nation. The levels are as follows:
- Top secret: Highest level, exceptionally grave damage
- Secret: Cause serious damage
- Confidential: Cause damage
- Restricted: Undesirable effects
Examples of Mandatory Access Control (MAC):
- Custodian: The custodian is the person who stores and manages classified data.
- Security administrator: The security administrator is the person who gives access to classified data once clearance has been approved.
- Security-enhanced Linux: SELinux is a project created with the intention of providing stricter access control for users, processes, files, and devices on Linux systems. The National Security Agency (NSA) in the United States released it as open source under the GNU GPL license. The project was integrated into the Linux Security Modules (LSM) framework from version 2.6.0 of the Linux kernel, published in 2003.
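The classification levels above only become an access-control model once a system compares them against a subject's clearance. The following is an added example, not from the original text, of that comparison: the level names are the book's, while the subject names, requests, and the two rules applied (a subject may read data at or below their clearance, and may not write data into a lower level, as in the Bell-LaPadula model) are assumptions of this example.

```python
# Added example: a minimal Mandatory Access Control decision using the
# classification levels listed above. Subjects, requests and the two rules
# are constructed for illustration; real MAC systems such as SELinux are
# far more detailed.

LEVELS = ["restricted", "confidential", "secret", "top secret"]  # low -> high


def level_rank(label: str) -> int:
    """Position of a classification label in the ordering; unknown labels are rejected."""
    try:
        return LEVELS.index(label.lower())
    except ValueError:
        raise ValueError(f"unknown classification level: {label!r}")


def can_read(clearance: str, data_label: str) -> bool:
    """'No read up': a subject may read data classified at or below their clearance.
    The system enforces this from the labels; the data owner cannot override it,
    which is what makes the control mandatory rather than discretionary."""
    return level_rank(clearance) >= level_rank(data_label)


def can_write(clearance: str, data_label: str) -> bool:
    """'No write down' (Bell-LaPadula, an assumption of this example): a subject
    may not place data into a container labelled lower than their clearance,
    which would declassify it by accident."""
    return level_rank(clearance) <= level_rank(data_label)


def decide(request: dict) -> str:
    """Return 'allow' or 'deny' for one {clearance, action, data} request."""
    rule = can_read if request["action"] == "read" else can_write
    return "allow" if rule(request["clearance"], request["data"]) else "deny"


# Constructed sample requests (not real users or data).
SAMPLE_REQUESTS = [
    {"subject": "analyst", "clearance": "secret", "action": "read", "data": "confidential"},
    {"subject": "analyst", "clearance": "secret", "action": "read", "data": "top secret"},
    {"subject": "clerk", "clearance": "restricted", "action": "read", "data": "restricted"},
    {"subject": "analyst", "clearance": "secret", "action": "write", "data": "restricted"},
]


def run(requests=SAMPLE_REQUESTS) -> list:
    """Evaluate every request and return (subject, action, data, decision) tuples."""
    return [(r["subject"], r["action"], r["data"], decide(r)) for r in requests]


if __name__ == "__main__":
    for row in run():
        print(*row)
```

The security administrator from the list above is the person who sets a subject's clearance; the custodian applies the labels to the stored data. Once both are in place the decision is purely label against label, which is why a user cannot grant a colleague access to secret data the way an NTFS owner can share a file.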
Linux permissions (not SELinux)
File permissions: Linux permissions come in a numerical format; the first number represents the owner, the second number the group, and the third number all other users:
- Permissions:
- Owner: First number
- Group: Second number
- All other users: Third number
- Numerical values:
- 4: Read (r)
- 2: Write (w)
- 1: Execute (x)
Unlike the Windows permission, which executes an application, the execute function in Linux on a directory allows you to enter it and view or search its contents.
A permission of 6 would be read and write, a value of 2 would be write only, and a value of 7 would be read, write, and execute. Some examples are as follows:
- Example 1: If I have 764 access to File A, this breaks down as:
  - Owner: Read, write, and execute
  - Group: Read
  - All other users: Read
- Example 2: Determine which of the following permissions to File B is the highest and which is the lowest:
  - a. 776 File B, also shown as -rwxrwxrw-
  - b. 677 File B
  - c. 777 File B
  - d. 577 File B
  - e. 576 File B
When selecting the highest, you look at the value on the left first; therefore, the highest is 777 (answer c), which is full control.
When selecting the lowest, you look for the lowest value on the left. There are two options here: d and e both start with the lowest number, so you then compare the remaining digits. From this, you can see that answer e (576) is the lowest.
Note
The higher the number, the higher the permissions; the lowest number has the fewest permissions.
You can also change permissions in Linux. If the permission on File C is 654 and we wish to change it, we run the chmod 777 FileC command, which changes the permissions on File C to 777.
Role-based access control
This is a subset of duties within a department. An example would be two people within the finance department who alone handle the petty cash. In IT terms, it could be that only two members of the IT team administer the email server.
Rule-based access control
In Rule-Based Access Control (RBAC), a rule is applied to all of the people within a department or group; for example, contractors will only have access between 8 a.m. and 5 p.m., and the help desk staff will only be able to access Building 1, where their place of work is. It can be time-based or some other sort of restriction, but it applies to the whole department.
Attribute-based access control
In Attribute-Based Access Control (ABAC), access is restricted based on an attribute in the account. John could be an executive and some data could be restricted to only those with the executive attribute.
To control access to data, people may be put into groups to simplify access. An example would be two people who work in Information Technology (IT), called Bill and Ben, who need access to the older IT data.
Everyone in the sales team may have full control of the sales data by using group-based access, but you may need two new starters to have only read access. In this case, you would create a group called new starters and give those people inside that group only read permission to the data.
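The four models just described (role-based, rule-based, attribute-based, and group-based) are easiest to tell apart when they sit side by side in one decision function. The following is an added example, not from the original text: the scenarios are the book's (two mail-server administrators, contractors limited to 8 a.m. to 5 p.m., help desk limited to Building 1, John's executive attribute, a sales group with full control and a new starters group with read only), while every user, group, resource and permission name, and the rule that group grants are combined as a union, are assumptions of this example.

```python
from datetime import datetime

# Added example: one decision function illustrating role-, rule-, attribute- and
# group-based access control. All users, groups, resources and grants are
# constructed sample values for this example.

USERS = {
    "bill":  {"groups": {"new starters"}, "roles": set(),          "attrs": {}},
    "ben":   {"groups": {"new starters"}, "roles": set(),          "attrs": {}},
    "alice": {"groups": {"sales"},        "roles": {"mail-admin"}, "attrs": {}},
    "john":  {"groups": {"sales"},        "roles": set(),          "attrs": {"executive": True}},
    "carl":  {"groups": {"contractors"},  "roles": set(),          "attrs": {}},
    "dana":  {"groups": {"help desk"},    "roles": set(),          "attrs": {}},
}

# Group-based: a user's permissions are the union of their groups' grants.
GROUP_GRANTS = {
    "sales":        {"sales-data": {"read", "write", "delete"}},   # "full control"
    "new starters": {"sales-data": {"read"}},                      # read only
    "contractors":  {"project-data": {"read", "write"}},
    "help desk":    {"tickets": {"read", "write"}},
}

# Role-based: only holders of the mail-admin role administer the email server.
ROLE_GRANTS = {"mail-admin": {"email-server": {"administer"}}}

# Attribute-based: a resource restricted to accounts carrying an attribute.
ATTRIBUTE_GRANTS = {"board-minutes": ("executive", {"read"})}

# Rule-based: applies to everyone in the group, whatever their role or attributes.
CONTRACTOR_HOURS = (8, 17)          # 8 a.m. up to, but not including, 5 p.m.
HELP_DESK_BUILDING = "Building 1"


def granted(user: dict, resource: str) -> set:
    """Union of everything the user's groups, roles and attributes grant on a resource."""
    perms = set()
    for g in user["groups"]:
        perms |= GROUP_GRANTS.get(g, {}).get(resource, set())
    for r in user["roles"]:
        perms |= ROLE_GRANTS.get(r, {}).get(resource, set())
    if resource in ATTRIBUTE_GRANTS:
        attr, attr_perms = ATTRIBUTE_GRANTS[resource]
        if user["attrs"].get(attr):
            perms |= attr_perms
    return perms


def rules_permit(user: dict, when: datetime, building: str) -> bool:
    """Rule-based checks apply to a whole group and veto any grant when they fail."""
    if "contractors" in user["groups"]:
        start, end = CONTRACTOR_HOURS
        if not start <= when.hour < end:
            return False
    if "help desk" in user["groups"] and building != HELP_DESK_BUILDING:
        return False
    return True


def allowed(username: str, resource: str, action: str,
            when: datetime, building: str) -> bool:
    """Final decision: the rules must permit the request and some grant must cover the action."""
    user = USERS[username]
    return rules_permit(user, when, building) and action in granted(user, resource)


if __name__ == "__main__":
    office_hours = datetime(2024, 3, 4, 10, 0)
    evening = datetime(2024, 3, 4, 19, 0)
    print("bill write sales-data:", allowed("bill", "sales-data", "write", office_hours, "Building 1"))
    print("carl read project-data at 7 p.m.:", allowed("carl", "project-data", "read", evening, "Building 1"))
```

Least privilege shows up in the data rather than the code: Bill and Ben get read on sales-data only because their group grants nothing more, so adding them to the sales group would silently widen their access. That is also why the sample combines group grants as a union, which is how Windows NTFS group permissions behave in the absence of an explicit deny.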
Note
If access to data is done via group-based access, then any solution in the exam will be a group-based answer.