Basic Security Control
Session 7
DigiTalent Scholarship 2018
Security Controls
“Technical or administrative safeguards or counter measures to avoid, counteract or minimize loss or unavailability due to threats acting on their matching vulnerability, i.e., security risk.”
https://www.sans.edu/cyber-research/security-laboratory/article/security-controls
Types of Controls (environment based)
Administrative controls
• The process of developing and ensuring compliance with policy and procedures.
• Tend to be things that employees may do, or must always do, or cannot do.
Technical controls
• Controls in security that are carried out or managed by computer systems.
https://www.sans.edu/cyber-research/security-laboratory/article/security-controls
Types of Controls (phase based)
Prevention controls: Help to prevent a threat or attack from exposing a vulnerability.
Detection controls: Help to discover if a threat or vulnerability has entered a computer system.
Correction controls: Help to mitigate the consequences of a threat or attack from adversely affecting a computer system.
SANS names the same three phases Preventative, Detective, and Corrective.
Compensating controls
“Alternate controls designed to accomplish the intent of the original controls as closely as possible, when the originally designed controls can not be used due to limitations of the environment.”
https://www.sans.edu/cyber-research/security-laboratory/article/security-controls
Illustration of controls
Preventative: Security Awareness Training, Firewall, Anti-virus, Security Guard, IPS
Detective: System Monitoring, IDS, Anti-Virus, Motion Detector, IPS
Corrective: OS Upgrade, Backup Data Restoral, Anti-Virus, Vulnerability Mitigation
Compensatory: Backup Generator, Hot Site, Server Isolation
https://www.sans.edu/cyber-research/security-laboratory/article/security-controls
Example
Physical controls include locks, fences, mantraps and even
geographic specific controls.
Access controls that limit or detect access to computer resources
(data, programs, equipment, and facilities), thereby protecting these
resources against unauthorized modification, loss, and disclosure.
Application software development and change controls that prevent
unauthorized programs or modifications to an existing program from
being implemented.
https://www.sans.edu/cyber-research/security-laboratory/article/security-controls
Example
The management framework: entity-wide security program planning and management that provides a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the entity’s computer-related controls.
System software controls that limit and monitor access to the powerful programs and sensitive files that (1) control the computer hardware and (2) secure applications supported by the system.
https://www.sans.edu/cyber-research/security-laboratory/article/security-controls
Example
Segregation of duties that are policies, procedures, and an
organizational structure established so that one individual cannot
control key aspects of computer-related operations and thereby
conduct unauthorized actions or gain unauthorized access to assets or
records.
Service continuity controls to ensure that when unexpected events
occur, critical operations continue without interruption.
https://www.sans.edu/cyber-research/security-laboratory/article/security-controls
Security Management Process
• Identification: Detecting problems and determining how best to protect the system.
• Implementation: Installing control mechanisms to prevent problems in a system.
• Monitoring: Involves detecting and solving any security issues that arise after security controls are implemented.
Identify security controls
Confidentiality: Prevents intentional or unintentional disclosure of communications between sender and recipient.
• Includes trade and military secrets, personnel, health, and tax records.
• Controlled via encryption, access control, and steganography.
Integrity: Ensures the accuracy and consistency of information during all processing.
• Includes modification of test scores or other information stored on network servers.
• Controlled via hashing, digital signatures, certificates, and change control.
Availability: Assurance that authorized users can access resources in a reliable and timely manner.
• Includes ensuring that vital data such as radar images are both captured and distributed to airports.
• Controlled via redundancy, fault tolerance, and patching.
Identify security controls (cont’d)
Non-Repudiation: Ensuring that the party that sent a transmission or created data remains associated with the data and cannot deny sending or creating the data.
• Controlled via digital signatures, certificates, and change control.
Accountability: Determining who to hold responsible for a particular activity or event.
• Controlled via roles, logging, and monitoring.
Identification, Authentication, and Authorization
Identification: The process by which a claim is made about the nature of a particular entity.
Authentication: A method of validating a particular entity’s or individual’s unique credentials.
Authorization: The process of determining what rights and privileges a particular entity has.
Authentication Factors
Something you are
◦ Fingerprints, handprints, and retinal patterns
Something you have
◦ Key or ID card
Something you know
◦ Password or PIN
Somewhere you are or are not
◦ IP address or GPS location
Something you do
◦ Keystroke patterns or tracing picture passwords
Passwords
• The user name and password combination is probably the most widely used authentication scheme (what you know).
• Credentials are compared to those stored in a database.
• Match -> Authenticated
• No Match -> Access is denied
• No guarantee that the correct user is supplying the credentials.
• When credentials are not encrypted for transmission, they are susceptible to interception by an attacker.
Source: Comptia S+
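The match/no-match check above, as an added example that is not from the slides or CompTIA: a constructed user database stores salted PBKDF2 digests rather than passwords, and the verifier denies wrong passwords and unknown user names alike without leaking timing. The iteration count, user record and the “$”-separated record format are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not from the slides): the "compare credentials to the stored
# record" step done the way a defender should store them. The database keeps a
# salted PBKDF2-HMAC-SHA256 digest, never the password, and the comparison runs
# in constant time. ITERATIONS is an assumed work factor for this example.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt>$<digest>."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest for the candidate and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest does not stop at the first differing byte, so timing
    # does not reveal how much of the digest matched.
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


# Constructed user database: user name -> stored password record.
USER_DB = {"alice": hash_password("correct horse battery staple")}

# Verifying against this record when the user name is unknown costs the same
# as a real check, so response time does not reveal which names exist.
_DUMMY_RECORD = hash_password("not-a-real-password")


def authenticate(db: dict, username: str, password: str) -> bool:
    """Match -> True (authenticated); no match or unknown user -> False (denied)."""
    record = db.get(username)
    if record is None:
        verify_password(_DUMMY_RECORD, password)
        return False
    return verify_password(record, password)
```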
Tokens
Physical or virtual objects that store authentication information. Common examples include smart cards, ID badges, and data packets.
• Can store PINs, user information, and passwords (what you have).
• Token values can be generated to respond to authentication server challenges.
Source: Comptia S+
Biometrics
Authentication schemes based on the identification of individuals by their physical characteristics.
• Fingerprint scanners
• Retinal scanners
• Hand geometry scanners
• Voice-recognition software
• Facial-recognition software
Source: Comptia S+
Geolocation
The process of identifying the geographic location of an object.
Association of street addresses with:
◦ IP addresses
◦ Wi-Fi positioning systems
◦ GPS coordinates
Authentication requests from approved locations are granted; requests from other locations are denied.
Source: Comptia S+
Keystroke Authentication
An authentication type that relies on detailed information describing exactly when a key is pressed and released as someone types information into a computer or other electronic device.
• Uses your personal typing tendencies (what you do).
• Records and stores your typing for comparison purposes.
• Keystroke logger and other metrics are collected to derive a keystroke pattern that is unique to a user.
Source: Comptia S+
Multi-factor Authentication
An authentication scheme that requires validation of two or more distinct authentication factors.
• Bank debit card: card (token) and PIN (password).
• Some chip cards might not be multi-factor, if you don’t have to enter the PIN.
• Authenticator app for email or other applications.
• Key in a validation code from a text message as part of logging into email or another application.
• Make sure the factors are different!
Source: Comptia S+
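An added example (not from the slides or CompTIA) serving both the Tokens slide and this one: a token answers a fresh server challenge to prove “something you have”, and a policy function decides whether the factors that passed are really of different kinds, which is what makes the debit card with PIN multi-factor and the chip card without a PIN prompt not. The card secret, the challenge size and the PIN outcome are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides). Two pieces of a multi-factor check:
# (1) a token proving "something you have" by answering a fresh server
#     challenge with an HMAC over it (the token secret never leaves the token);
# (2) a policy that counts a login as multi-factor only when the factors that
#     passed belong to at least two different categories.
KNOW, HAVE, ARE = "something you know", "something you have", "something you are"


def issue_challenge() -> bytes:
    """Server side: a fresh random challenge, so an old response cannot be replayed."""
    return secrets.token_bytes(16)


def token_response(token_secret: bytes, challenge: bytes) -> str:
    """Token side: the value the token returns for this challenge."""
    return hmac.new(token_secret, challenge, hashlib.sha256).hexdigest()


def verify_token(token_secret: bytes, challenge: bytes, response: str) -> bool:
    """Server side: recompute the expected value and compare in constant time."""
    expected = hmac.new(token_secret, challenge, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, response)


def is_multi_factor(results) -> bool:
    """results: list of (category, passed). True only if every presented
    factor passed and the categories cover at least two distinct kinds:
    card + PIN -> True; card alone -> False; password + PIN (both KNOW) -> False."""
    if not results or not all(passed for _, passed in results):
        return False
    return len({category for category, _ in results}) >= 2


def debit_card_login(card_secret: bytes, pin_entered: bool, pin_ok: bool) -> bool:
    """Constructed scenario from the slide: card (token) plus PIN (what you know).
    pin_ok is the outcome of the PIN check, which this example does not repeat.
    A chip card used without a PIN prompt yields a single factor only."""
    challenge = issue_challenge()                       # server -> card
    response = token_response(card_secret, challenge)   # card -> server
    results = [(HAVE, verify_token(card_secret, challenge, response))]
    if pin_entered:
        results.append((KNOW, pin_ok))
    return is_multi_factor(results)
```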
Mutual Authentication
A security mechanism that requires each party in a communication to verify the identity of every other party in the communication.
• The service or resource verifies the client’s credentials, while the client verifies the credentials of the service or resource.
• Prevents clients from sending confidential information to non-secure servers.
• Helps to avoid man-in-the-middle attacks.
Source: Comptia S+
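The exchange described above, as an added example that is not from the slides or CompTIA: a constructed two-way challenge-response in which a client and a service sharing a pre-provisioned key each verify the other, and the client sends its own proof only after the service has passed. The client id, key and 16-byte nonce size are assumptions; this is an illustration, not a standard protocol.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides): two-way challenge-response between a
# client and a service that share a pre-provisioned key. Each party proves it
# holds the key before the client sends anything confidential.
def proof(key: bytes, role: bytes, client_nonce: bytes, service_nonce: bytes) -> bytes:
    # The role label binds each proof to the side that made it, so a party
    # cannot pass verification by echoing the proof it just received.
    return hmac.new(key, role + client_nonce + service_nonce, hashlib.sha256).digest()

class Service:
    def __init__(self, keys: dict):
        self.keys, self.sessions = keys, {}          # client id -> (cn, sn)

    def step1(self, client_id: str, client_nonce: bytes):
        # Take the client's nonce; reply with our nonce and our own proof.
        key = self.keys.get(client_id)
        if key is None:
            return None
        service_nonce = secrets.token_bytes(16)
        self.sessions[client_id] = (client_nonce, service_nonce)
        return service_nonce, proof(key, b"service", client_nonce, service_nonce)

    def step3(self, client_id: str, client_proof: bytes) -> bool:
        # Verify the client's proof over the same pair of nonces.
        cn, sn = self.sessions.pop(client_id)
        return hmac.compare_digest(proof(self.keys[client_id], b"client", cn, sn), client_proof)

class Client:
    def __init__(self, client_id: str, key: bytes):
        self.client_id, self.key = client_id, key

    def step0(self) -> bytes:
        self.nonce = secrets.token_bytes(16)         # fresh challenge for the service
        return self.nonce

    def step2(self, service_nonce: bytes, service_proof: bytes):
        # Verify the service first; only then produce our own proof.
        expected = proof(self.key, b"service", self.nonce, service_nonce)
        if not hmac.compare_digest(expected, service_proof):
            return None                              # unverified service: stop here
        return proof(self.key, b"client", self.nonce, service_nonce)

def handshake(client: Client, service: Service) -> bool:
    # Run the exchange; True only when both sides verified each other.
    reply = service.step1(client.client_id, client.step0())
    if reply is None:
        return False
    client_proof = client.step2(*reply)
    return client_proof is not None and service.step3(client.client_id, client_proof)
```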
Terminology
Access Control: The process of determining and assigning privileges to resources, objects, and data.
Accounting: The process of tracking and recording system activities and resource access.
Auditing: The portion of accounting that entails security professionals examining logs of what was recorded.
Principle of Least Privilege
• The principle that establishes that users and software should have the minimal level of access that is necessary for them to perform the duties required of them.
• Applies to access to facilities, computer hardware, software, and information.
• Assign only the level of access required to perform the necessary tasks.
Privilege Management
Privilege management: The use of authentication and authorization mechanisms to provide centralized or decentralized administration of user and group access control.
SSO: An aspect of privilege management that provides users with one-time authentication to multiple resources, servers, or sites.
Source: Comptia S+
Further Reading
1. NIST Special Publication 800-18 Revision 1, Guide for
Developing Security Plans for Federal Information Systems
2. NIST Special Publication 800-30 Revision 1, Guide for
Conducting Risk Assessments
3. NIST Special Publication 800-53 Revision 4, Security and
Privacy Controls for Federal Information Systems and
Organizations
Thank you