CompTIA Security+; Ch 2: Exploring Control Types and Methods

Proximity Card

A proximity card can electronically unlock a door and helps prevent unauthorized personnel from entering a secure area. By themselves, proximity cards do not identify and authenticate users. Some systems combine proximity cards with PINs for identification and authentication.

Technical Control

A technical control is one that uses technology to reduce vulnerabilities. Encryption, antivirus software, IDSs, firewalls, and the principle of least privilege are technical controls.

Account Logon Events

Account logon events include when a user logs on locally, and when the user accesses a resource such as a server over the network. These events are logged and can be monitored.

Account Disablement Policy

An account disablement policy ensures that inactive accounts are disabled. Accounts for employees who either resign or are terminated should be disabled as soon as possible. Configuring expiration dates on temporary accounts ensures they are disabled automatically.

Barricades

Barricades provide stronger physical security than fences and attempt to deter attackers. Bollards are effective barricades that allow people through, but block vehicles.

Cipher Locks

Cipher locks require users to enter a code to open doors. Shoulder surfers can discover the code by watching users enter it, and uneducated users might give out the code to unauthorized personnel. Training reduces these risks.

Closed-Circuit Television (CCTV)

Closed-circuit television (CCTV) systems provide video surveillance. They provide reliable proof of a person's identity and activity, and can be used to identify individuals entering and exiting secure areas.

Compensating Controls

Compensating controls are alternative controls used when it isn't feasible or possible to use the primary control.

Corrective Controls

Corrective controls attempt to reverse the impact of an incident or problem after it has occurred. Examples include active intrusion detection systems, backups, and system recovery plans.

Detective Controls

Detective controls attempt to detect when a vulnerability has been exploited. Examples include log monitoring, trend analysis, security audits (such as a periodic review of user rights), video surveillance systems, and motion detection systems.

Deterrent Controls

Deterrent controls attempt to prevent incidents by discouraging threats.

Door Access Control Systems

Door access control systems should allow personnel to exit without any form of authentication, especially if the systems lose power such as during a fire. Controlled areas such as data centers and server rooms should only have a single entrance and exit point.

Group Policy

Group Policy manages users and computers in a domain, and it is implemented on a domain controller within a domain. Administrators use it to create password policies, lock down the GUI, configure host-based firewalls, and much more.

Group-based privledges

Group-based privileges are a form of role-BAC. Administrators create groups, add users to the groups, and then assign permissions to the groups. This simplifies administration because administrators do not have to assign permissions to users individually.

Discretionary Access Control (DAC) model

In the discretionary access control (DAC) model, every object has an owner. The owner has explicit access and establishes access for any other user. Microsoft NTFS uses the DAC model, with every object having a discretionary access control list (DACL). The DACL identifies who has access and what access they are granted. A major flaw of the DAC model is its susceptibility to Trojan horses.

Management Controls

Management controls are primarily administrative and include items such as risk and vulnerability assessments.

Mandatory Access Control (MAC) model

Mandatory access control (MAC) uses security or sensitivity labels to identify objects (what you'll secure) and subjects (users). It is often used when access needs to be restricted based on a need to know. The administrator establishes access based on predefined security labels. These labels are often defined with a lattice to specify the upper and lower security boundaries.

Maximum Password Age

Maximum password age or password expiration forces users to change their password periodically. When administrators reset user passwords, the password should be immediately expired.

Minimum Password Age

Minimum password age is used with password history to prevent users from changing their password repeatedly to get back to the original password.

Operational Controls

Operational controls help ensure that day-to-day operations of an organization comply with their overall security plan. Some examples include security awareness and training, configuration management, and change management.

Password Complexity

Password complexity ensures passwords are complex and include at least three of the four character types, such as special characters.

Password History

Password history remembers past passwords and prevents users from reusing passwords.

Password Length

Password length specifies the minimum number of characters in the password.

Password Policy

Password policies provide a technical means to ensure users employ secure password practices:

Password Policies

Password policies should apply to any entity using a password. This includes user accounts and accounts used by services and applications. Applications with internally created passwords should still adhere to the organization's password policy.

Physical Security

Physical security also includes basic locks. Cable locks secure mobile computers such as laptop computers in a training lab. Server bays include locking cabinets as an additional security measure within a server room. Small devices can be stored in safes or locking office cabinets to prevent the theft of unused resources.

Preventive Controls

Preventive controls attempt to prevent security incidents. Examples include system hardening, user training, guards, change management, and account disablement policies.

Security Gaurds

Security guards are a preventive physical security control and they can prevent unauthorized personnel from entering a secure area. A benefit of guards is that they can recognize people and compare an individual's picture ID for people they don't recognize.

Tailgating

Tailgating occurs when one user follows closely behind another user without using credentials. A mantrap can prevent tailgating. Security guards should be especially vigilant to watch for tailgating in high-traffic areas.

Principle of Least Priviledge

The principle of least privilege is a technical control that uses access controls. It specifies that individuals or processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more.

Role-Based Access Control (role-BAC) model

The role-based access control (role-BAC) model uses roles to grant access by placing users into roles based on their assigned jobs, functions, or tasks. A matrix matching job titles with required privileges is useful as a planning document when using role-BAC.

Rule-Based Access Control (rule-BAC) model

The rule-based access control (rule-BAC) model is based on a set of approved instructions, such as ACL rules in a firewall. Some rule-BAC implementations use rules that trigger in response to an event, such as modifying ACLs after detecting an attack.

Three Primary Security Control Types

The three primary security control types are *technical* (implemented with technology), *management* (using administrative methods), and *operational* (for day-to-day operations).

Time Restrictions

Time restrictions can prevent users from logging on or accessing network resources during specific hours.