Chapter 2: Control Types and Methods
What is a "Rights and Permissions Review?"
A review that investigates the privileges (rights and permissions) of a user account and compares this to the privileges they need to perform their job. This prevents "privilege creeps" or "permission bloats." This can also be prevented using Role-BAC
What is a "User Access Review?"
A review that investigates what the user account has accessed and has access to
What is Account Management used for?
Account management is used to create, manage, disable, and terminate accounts.
As an admin, should you disable or delete an account after an employee has been terminated or left for any reason?
Admins should always disable the account first. Only after the org. has determined that the account is no longer needed is when they can delete it (typically 60 to 90 days). Even when the user is taking a temporary leave of absence, the account should still be disabled Why? Imagine an employee encrypted his files before he left and the admin deleted the account. These files will remain encrypted forever unless the org. has a key escrow or recovery agent that can access the files.
What is Discretionary Access Control (DAC)?
DAC: Every "object" (e.g., file or folder) has an "owner." The owners are responsible for assigning rights and permissions to these objects. Admins also have the power of assigning rights and permissions. This makes DAC an unsafe access control model for organizations or enterprises. DAC uses Discretionary Access Control Lists (DACLs) to define what users can access an object. Windows NT File System (NTFS) uses DAC
What is "Job Rotation?"
Job Rotation is a type of access control that cycles through users to rotate their job assignments. In other words, employees change roles on a regular basis. This is the most expensive access control since it requires multiple people to perform the same task, but it increases user insight, reduces employee boredom, and enhances employee skill level.
What is Mandatory Access Control (MAC)?
MAC: Security admins assign "data labels" (e.g., Top Secret, Secret, Confidential, or For Official Use) to BOTH "subjects" (a user) and "objects" (files and folder). Levels are defined in a "lattice." Higher level labels will include lower level labels, but lower level labels will not include higher level labels.
What is NAP?
Network Access Protection (NAP) is Microsoft's implementation of Network Access Control
There are 6 ways we can classify controls types based on their goals in relationship to security incidents. What are they and give some examples for each on
Preventative Controls = Anything that prevents a security incident Detective Controls = Anything that detects a security incident Corrective Controls = Anything that corrects a security incident, such as a backup Deterrent Controls = Anything that deters a security incident, such as a guard or camera Physical Control = Any physical mechanism that is tangible, like a lock. Compensatory Controls = Any alternative control used in place (or to compensate) for a primary control
Name 5 ways we can properly manage accounts
Prohibit generic accounts - This means disabling the Guest account or any account that doesn't identify who the user is. "ThatGuy" is too generic. Use Time-of-Day Access control - We can restrict the the time of day user's can log on to their accounts. Set Expiring Accounts: In some situations, it is necessary to set an expiration date on an account. For example, it is common to create a temporary account for contractors who will only need to work on the system for 90 days. Once the 90 days is up, the account should automatically expire. Review Account Access: Configure logging of logon attempts for every account and when each account accesses a resource. "User Rights and Permissions" reviews is one way is one way we can verify that accounts have the proper privileges they need, and no more. Credential Management - Credential management systems help users store their credentials securely. "Credential Manager," available on Windows 7, will store credentials in special folders, called "Vaults."
What is Role-Based Access Control (Role-BAC)?
Role-BAC uses "roles" to manage rights and permissions (privileges). It is very common. When users enter an org., they are placed inside a role, which is usually similar to their job function or department (e.g., sales, HR, Accounting, Students, etc.). Admins grant these roles access to the proper resources the role needs.
What is Rule-Based Access Control (Rule-BAC)?
Rule-BAC use rules to manage access control. Rule-BAC is used in devices, such as routers and firewalls using an ACL. Admins create the rules. Note: Rule-BAC devices can often cause rules to "trigger" in response to an event. For example, an IPS might detect a flood attack from a specific IP, and in response, it will then modify the rules to block that IP. Admins can also configure database rules to trigger a change to permissions to give Homer additional access to a database when a system recognizes that Marge is absent.
There are 3 ways we can classify control types based on their implementation. What are they? Name examples or each
Technical Controls = anything requiring technology Management Controls = anything using by management or the administration, such as audits, risk assessments, and vulnerability assessments. Operational Controls = anything that is NOT technological or Management. It deals with day-to-day operations or anything involving people, such as awareness training and physical locks. Interestingly, contingency planning and incident response are considered operational controls. So, I guess DRPs and BCPs are operational?
What is the "Need to Know Principle?"
The "Need to Know Principle" means users are granted access only to the data and information that they need to know in order to do their job. This is more focused on data and information rather than rights and permissions.
What is the "Principle of Least Privilege?"
The "Principle of Least Privilege" is a technical control. A user's privilege consists of his rights (e.g., change the system time, install an application, access a resource, or join a domain) and permissions (e.g., the permissions on a file). Users are granted only the rights and permissions NEEDED to perform their assigned tasks or functions, but no more.
What is the "Separation of Duties Principle?"
The Separation of Duties Principle" is the concept of having more than one person to complete a task or job function. This is intended to prevent fraud and error, so that the rotating employees can catch these errors. It also prevents employee boredom. The Security+ app: "when more than one person is required to complete a particular operation. This distributes control over a system, infrastructure, or particular task. It's a "checks and balances" system for security. This access control limits the power of one user to control processes. The more people involved, the less the company relies on one user for all the job tasks and the less chance the job can be compromised."
What are "Mandatory Vacations" used for?
The org. forces an employee to take several days of vacation. Another employee takes over their role, which helps the org. discover any long-term malicious activity.
What is a "Cipher Lock?"
This is a type of lock, usually with number pads, that you must press in a specific order. You can have an "electronic" cipher lock or a "manual" cipher lock in which you must turn the handle after entering the code. A main issue with cipher locks is that they never identify the user.
What is Time-of-Day access control?
Time-of-day access control specifies when users can log on to a computer. For example, it could be 8:00AM to 5:00PM Monday - Friday only.
What is a network security best practice for access control?
To set up an implicit deny (deny all) rule for any service or system. In other words, security access must be explicitly granted, otherwise it is denied by default. Implicit deny should always be set. If users do not fit an explicit allow, all these specific users will be implicitly denied.
What is an explicit allow?
You allow a specific user(s) access to an object.
What is an implicit allow?
You allow all users access to an object
What is an explicit deny?
You block a specific user(s) access to an object
What is an implicit deny?
You block all users access to an object