What are the 3 main security control types?
Managerial, operational and technical
What are managerial controls?
Written by managers. Create organisational policies and procedures to reduce risk within companies. They incorporate regulatory frameworks.
2 examples of managerial controls.
- Annual Risk Assessment - each department identifies risks and risk treatments and places them in a risk register. These are reviewed annually.
- Penetration testing / vuln. scanning (N.B Difference is that penetration testing is intrusive since it exploits vulnerabilities, rather than just detects them)
What are operational controls?
Executed by company personnel during their day-to-day.
3 examples of operational controls.
- Annual Security Awareness Training
- Change Management - Change Advisory Board (CAB) assists with prioritisation of changes and ensure that they don’t cause security risks to the company.
- Business Contingency Plan - planning to keep business up and running in events of disaster by identifying any single point of failure that many prevent a company from being operational.
What are technical controls?
Implemented by the IT Team to reduce the risk to the business.
5 examples of technical controls.
- Firewall rules.
- Antivirus/antimalware.
- Screen savers
- Screen filters
- Intrusion Prevention / Detection Systems (IPS / IDS)
Give 2 examples of deterrent controls?
- Motion sensors that switch on a light
2. CCTV warning signs
What are detective controls?
Used to investigate an incident that has happened.
2 examples of detective controls.
- CCTV
2. Log files (stored on Write-Once Read-Many (WORM) files so that they cannot be tampered with).
What are corrective controls?
Actions taken to recover from an incident.
Other names for compensating controls?
Alternative / Secondary Controls
What are compensating controls?
Controls used instead of a primary control that has failed or is not available.
What are preventative controls?
Controls that deter attack.
2 examples of preventative controls.
- Disabling User Accounts
2. Operating System Hardening - ensuring OS is fully patched and unused features are turned off.
3 Parts of Access Controls? Explain / give examples for each.
- Identification - e.g user account, smart card or fingerprint
- Authentication - password or PIN
- Authorisation - level of access or permissions that you have to apply to selected data.
What is Discretionary Access Control?
Involves New Technology File System (NTFS) by Microsoft.
These user-based controls ensure the user is only given the access that they need to perform their job.
List and describe the 8 permissions in NTFS.
- Full control - full access
- Modify - change data, read and read and execute
- Read and execute - read a file and run a program if one is inside
- List folder contents - expand a folder to see the subfolders within it.
- Read - read contents.
- Write - write to the file
- Special permissions - granular access.
- Data creator / owner - person who created the unclassified data and is responsible for authorising who has access.
What are Mandatory Access Controls (MAC)?
Classification level of data, determined by how much damage could be inflicted.
What are the MAC levels? Describe each
- Top Secret - Highest level, exceptionally grave damaging.
- Secret - causes serious damage.
- Confidential - causes damage.
- Restricted - Undesirable effects
What are the MAC roles? Describe each.
- Owner: person who writes data and only person that can determine the classification.
- Steward: person responsible for labelling the data.
- Custodian: person responsible for storing and managing data.
- Security Administrator: person who gives access to classified data once clearance has been approved.
What is role-based access conrtol?
Controls when a subset of the department carries out a subset of duties within a department
What is rule-based access control?
RBAC.
Time-based or other restriction that is applied to all people within the department.
What is Attribute Based Access Control?
ABAC.
Restricted based on an attribute in the account.
