There is a wide variety of different security controls that are used to mitigate the risk of being attacked; the three main categories are managerial, operational, and technical. We are going to look at these in more detail; you need to be familiar with each of these controls and when each of them should be applied. Let's start by looking at the three main controls.
Managerial Controls
Managerial Controls are written by managers to create organizational policies and procedures to reduce risk within companies. They incorporate regulatory frameworks so that the companies are legally compliant. The following are examples of management controls:
- Annual Risk Assessment: A company will have a risk register where the financial director will look at all of the risks associated with money and the IT manager will look at all of the risks posed by the IT infrastructure. As technology changes and hackers get more sophisticated, the risks can become greater. Each department will identify their risks and the risk treatments, and place them in the risk register. These should be reviewed annually.
- Penetration Testing/Vulnerability Scanning: A vulnerability scan is not intrusive as it merely checks for vulnerabilities, whereas a penetration test is more intrusive and can exploit vulnerabilities. These will be explained further later in this book.
Operational Controls
Operational controls are executed by company personnel during their day-to-day operations. Examples of these are the following:
- Annual Security Awareness Training: This is an annual event where you are reminded about what you should be doing on a daily basis to keep the company safe:
a. Example 1 – When you are finished for the day, you clear your desk and lock all documents away; another employee would remind you that your identity badge should be worn at all times and you should challenge anyone not wearing a badge.
b. Example 2 – Companies need their employees to complete annual cybersecurity training as the risk is getting greater each day.
- Change Management: This is a process that a company adopts so that changes made don't cause any security risks to the company. A change to one department could impact another department. The Change Advisory Board (CAB) assists with the prioritization of changes; they also look at the financial benefits of the change and they may accept or reject the changes proposed for the benefit of the company. IT evolves rapidly and our processes will need to change to cope with the potential security risks associated with newer technology.
- Business Continuity Plan: This is contingency planning to keep the business up and running when a disaster occurs by identifying any single point of failure that would prevent the company from remaining operational.
Technical Controls
Technical Controls are those implemented by the IT team to reduce the risk to the business.
These could include the following:
- Firewall Rules: Firewalls prevent unauthorized access to the network by IP address, application, or protocol. These are covered in depth later in this book.
- Antivirus/Antimalware: Malware is the most common threat to a business, so we must ensure that all servers and desktops run antivirus/antimalware software that is kept up to date.
- Screen Savers: These log computers off when they are idle, preventing access.
- Screen Filters: These prevent people that are walking past from reading the data on your screen.
- Intrusion Prevention Systems (IPS)/Intrusion Detection Systems (IDS): An IDS monitors network traffic and alerts on suspicious activity, whereas an IPS goes further and stops the attack. If you do not have an IDS, an IPS has the ability to fulfill the role of the IDS as well.
Let's now look at other control types, from deterrents to physical controls, when we try and stop attacks at the source.
Deterrent Controls
Deterrent Controls could be CCTV and motion sensors. When someone is walking past a building and the motion sensors detect them, it turns the lights on to deter them. A building with a sign saying that it is being filmed with CCTV prevents someone from breaking into your premises, even though there may not be film inside the camera—but they don't know that!
Detective Controls
Detective Controls are used to investigate an incident after it has happened; these could include the following:
- CCTV records events as they happen and from that, you can see who has entered a particular room or has climbed through a window at the rear of a building. CCTV can capture motion and provide non-repudiation.
- Log Files are text files that record events and the times that they occurred; they can log trends and patterns over a period of time. For example, servers, desktops, and firewalls all have event logs that detail actions that happen. Once you know the time and date of an event, you can gather information from various log files. These can be stored in Write-Once Read-Many (WORM) drives so that they can be read but not tampered with.
Corrective Controls
Corrective Controls are the actions you take to recover from an incident. You may lose a hard drive that contained data; in that case, you would replace the data from a backup you had previously taken.
Fire Suppression Systems are another form of corrective control. There may have been a fire in your data center that destroyed many servers, therefore when you purchase a replacement, you may install an oxygen suppressant system that will starve a fire of the oxygen needed. This method uses argon/nitrogen and carbon dioxide to displace the oxygen in the server room.
Compensating Controls
Compensating Controls can also be called Alternative or Secondary Controls and can be used instead of a primary control that has failed or is not available. Once a primary control has failed, we need a secondary control. This is similar to when you go shopping and you have $100 in cash—once you have spent your cash, you will have to use a credit card as a compensating control.
Example: When a new employee arrives, they should log in using a smart card and PIN. It may take 3–5 days to get a new smart card, so during the waiting period, they may log in using a username and password.
Preventative Controls
Preventative Controls are in place to deter any attack; this could be having a security guard with a large dog walking around the perimeter of your building. This would make someone trying to break in think twice about doing so. Some of the preventive measures that can be taken are as follows:
- Disable User Accounts: When someone leaves a company, the first thing that happens is that their account is disabled, as we don't want to lose information that they have access to, and then we change the password so that they cannot access it. We may also disable an account while people are on secondment or maternity leave.
- Operating System Hardening: This makes a computer more secure by ensuring that the operating system is fully patched and by turning off unused features and services, which reduces the number of vulnerabilities an attacker could exploit.
Access Controls
The three main parts of access control are identifying an individual, authenticating them when they enter a password or PIN, and then authorization, where the individual is granted permission to the different forms of data. For example, someone working in finance will need a higher level of security clearance and will access different data than a person who dispatches an order in finished goods:
- Identification: This is similar to everyone having their own bank account; the account is identified by the account details on the bank card. Identification in a security environment may involve having a user account, a smart card, or maybe a fingerprint reader—this is unique to each individual. Each person has their own Security Identifier (SID) for their account, which is like an account serial number.
- Authentication: Once the individual presents their method of identification, they next have to be authenticated, for example, by entering a password or a PIN.
- Authorization: This is the level of access or permissions that you have to apply to selected data. You are normally a member of certain groups, for example, a sales manager could access data from the sales group and then access data from the managers group. You will only be given the minimum amount of access required to perform your job; this is known as least privilege.
Discretionary Access Control
Discretionary Access Control involves New Technology File System (NTFS) file permissions, which are used in Microsoft operating systems. The user is only given the access that they need to perform their job. They are sometimes referred to as user-based or user-centric. The permissions are as follows:
- Full Control: Full access.
- Modify: Change data, read, and read and execute.
- Read and Execute: Read the file and run a program if one is inside it.
- List Folder Contents: Expand a folder to see the subfolders inside it.
- Read: Read the contents.
- Write: Allows you to write to the file.
- Special Permissions: Allows granular access; for example, it breaks each of the previous permissions down to a more granular level.
- Data Creator/Owner: The person that creates the unclassified data is called the owner and they are responsible for authorizing who has access to that data.
The following diagram shows a user called Ian who has Read and Read & execute permissions:
Figure 1.3 – DAC file permissions
Mandatory Access Control
Mandatory Access Control (MAC) is based on the classification level of the data. MAC looks at how much damage could be inflicted on the interests of the nation. The classification levels are as follows:
- Top secret: Highest level, exceptionally grave damage
- Secret: Causes serious damage
- Confidential: Causes damage
- Restricted: Undesirable effects
Examples of MAC based on the classification level of data are as follows:
- Top secret: Nuclear energy project
- Secret: Research and development
- Confidential: Ongoing legal issues
MAC Roles
Once classified data has been written, it is owned by the company. For example, if a Colonel writes a classified document, it belongs to the Army. Let's look at the following roles:
- Owner: This is the person who writes data, and they are the only person that can determine the classification. For example, if they are writing a secret document, they will pitch it at that level, no higher.
- Steward: This is the person responsible for labeling the data.
- Custodian: The custodian is the person who stores and manages classified data.
- Security Administrator: The security administrator is the person who gives access to classified data once clearance has been approved.
Role-Based Access Control
Role-based access control is where a subset of the people in a department carry out a subset of the duties within that department. An example would be two people within the finance department who alone handle petty cash. In IT terms, it could be that only two people in the IT team administer the email server.
Rule-Based Access Control
In Rule-Based Access Control (RBAC), a rule is applied to all of the people within a department, for example, contractors will only have access between 8 a.m. and 5 p.m., and the help desk people will only be able to access building 1, where their place of work is. It can be time-based or have some sort of restriction, but it applies to the whole department.
Attribute-Based Access Control
In Attribute-Based Access Control (ABAC), access is restricted based on an attribute in the account. John could be an executive and some data could be restricted to only those with the executive attribute. This is a user attribute from the directory services, such as a department or a location. You may wish to give different levels of control to different departments.
Group-Based Access Control
To control access to data, people may be put into groups to simplify access. An example would be if there were two people who worked in IT who needed access to IT data. For example, let's call them Bill and Ben. We first of all place them into the IT group, and then that group is given access to the data:
Figure 1.4 – Group-based access
Another example is where members of a sales team may have full control of the sales data by using group-based access, but you may need two new starters to have only read access. In this case, you would create a group called new starters and give those people inside that group only read permission to the data.
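To show how the group-based, rule-based, and attribute-based models above differ in practice, here is an added example (not from the book) with a toy access decision function. The accounts, groups, resources, and the 8 a.m. to 5 p.m. contractor rule are all constructed from the chapter's own illustrations.

```python
# Added example (not from the book): a toy access decision that applies the
# rule-based, attribute-based and group-based checks described in the chapter.
# All accounts, groups and resources below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    groups: set = field(default_factory=set)         # group-based access
    attributes: dict = field(default_factory=dict)   # ABAC: department, title


# Constructed directory, reusing the chapter's examples (Bill, Ben, John).
DIRECTORY = {
    "bill": Account("bill", {"IT"}, {"department": "IT"}),
    "ben": Account("ben", {"IT"}, {"department": "IT"}),
    "john": Account("john", {"Executives"}, {"title": "executive"}),
    "carol": Account("carol", {"Contractors"}, {"department": "Contractors"}),
}

# Resource policies: groups that are granted access, attributes that are required.
RESOURCES = {
    "it_data": {"groups": {"IT"}, "attributes": {}},
    "board_papers": {"groups": set(), "attributes": {"title": "executive"}},
    "shared_drive": {"groups": {"IT", "Executives", "Contractors"}, "attributes": {}},
}

# Rule-based control: one rule for a whole department (contractors, 8 a.m.-5 p.m.).
WORKING_HOURS = {"Contractors": (8, 17)}


def is_allowed(user: str, resource: str, hour: int) -> tuple:
    """Return (decision, reason) for user accessing resource at the given hour."""
    acct, policy = DIRECTORY.get(user), RESOURCES.get(resource)
    if acct is None or policy is None:
        return False, "unknown user or resource"
    # Rule-based: the department's time window applies to everyone in it.
    window = WORKING_HOURS.get(acct.attributes.get("department"))
    if window and not (window[0] <= hour < window[1]):
        return False, "outside permitted hours (rule-based)"
    # Attribute-based: every attribute the resource requires must match.
    for key, value in policy["attributes"].items():
        if acct.attributes.get(key) != value:
            return False, f"missing attribute {key}={value} (attribute-based)"
    # Group-based: membership of any granted group is enough, if groups are used.
    if policy["groups"] and not (acct.groups & policy["groups"]):
        return False, "not in an authorised group (group-based)"
    return True, "allowed"
```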
Linux-Based Access Control
In this section, we are going to look at Linux file permissions. These appear frequently in the Security+ exam even though they are not covered in the exam objectives.
Linux File Permissions (not SELinux)
Linux file permissions come in a numerical format; the first number represents the owner, the second number represents the group, and the third number represents all other users:
a. Permissions:
- Owner: First number
- Group: Second number
- All other users: Third number
b. Numerical values:
- 4: Read
- 2: Write
- 1: Execute
Unlike a Windows permission that will execute an application, the execute function in Linux allows you to view or search. A permission of 6 would be read and write. A value of 2 would be write, and a value of 7 would be read, write, and execute. Some examples are as follows:
- Example 1: If I have 764 access to File A, this could be broken down as follows:
a. Owner: Read, write, and execute
b. Group: Read and write
c. All other users: Read
Another way the permissions can be set is by alphabetical values, as shown:
a. R: Read
b. W: Write
c. X: Execute
When using alphabetical values, each set of permissions is shown as three characters, with a dash marking a permission that is not granted. Full control for each of the three entities is shown as follows:
a. Owner Full Control: rwx --- ---
b. Group Full Control: --- rwx ---
c. All Other Users Full Control: --- --- rwx
- Example 2: If a file has an access level of rwx rwx rw-, what does this mean?
a. Owner has read, write, and execute (full control).
b. Group has read, write, and execute (full control).
c. Others have only read and write permissions.
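The two examples above can be worked in both directions with a short converter. This is an added example, not code from the book: it turns a numeric mode such as 764 into the per-entity rwx triplets and turns a symbolic string such as rwx rwx rw- back into its digits, rejecting malformed input.

```python
# Added example (not from the book): convert Linux file permissions between
# the numeric form (e.g. 764) and the symbolic rwx form used in the text.

# Bit value of each permission letter, as given in the text.
PERM_BITS = (("r", 4), ("w", 2), ("x", 1))
ENTITIES = ("owner", "group", "others")


def digit_to_rwx(digit: int) -> str:
    """One octal digit (0-7) to its rwx triplet, e.g. 6 -> 'rw-'."""
    if not 0 <= digit <= 7:
        raise ValueError(f"permission digit out of range: {digit}")
    return "".join(letter if digit & bit else "-" for letter, bit in PERM_BITS)


def rwx_to_digit(triplet: str) -> int:
    """One rwx triplet back to its digit, e.g. 'rw-' -> 6."""
    if len(triplet) != 3:
        raise ValueError(f"triplet must be 3 characters: {triplet!r}")
    value = 0
    for char, (letter, bit) in zip(triplet, PERM_BITS):
        if char == letter:
            value |= bit
        elif char != "-":
            raise ValueError(f"unexpected character {char!r} in {triplet!r}")
    return value


def decode_mode(mode: str) -> dict:
    """Break a three-digit mode such as '764' down per entity.

    '764' -> {'owner': 'rwx', 'group': 'rw-', 'others': 'r--'}
    """
    if len(mode) != 3 or not mode.isdigit():
        raise ValueError(f"mode must be three digits: {mode!r}")
    return {name: digit_to_rwx(int(d)) for name, d in zip(ENTITIES, mode)}


def encode_mode(symbolic: str) -> str:
    """'rwx rwx rw-' (spaces optional) -> '776'."""
    compact = symbolic.replace(" ", "")
    if len(compact) != 9:
        raise ValueError(f"expected nine permission characters: {symbolic!r}")
    return "".join(str(rwx_to_digit(compact[i:i + 3])) for i in range(0, 9, 3))


if __name__ == "__main__":
    print(decode_mode("764"))          # Example 1 from the text
    print(encode_mode("rwx rwx rw-"))  # Example 2 from the text
```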