Support Skills
1.1 Security Controls
This courseware is copyrighted © 2015 gtslearning. No part of this courseware or any training material supplied by gtslearning International Limited to accompany
the courseware may be copied, photocopied, reproduced, or re-used in any form or by any means without permission in writing from a director of gtslearning
International Limited. Violation of these laws will lead to prosecution. All trademarks, service marks, products, or services are trademarks or registered trademarks
of their respective holders and are acknowledged by the publisher.
All gtslearning products are supplied on the basis of a single copy of a course per student. Additional resources that may be made available from gtslearning may
only be used in conjunction with courses sold by gtslearning. No material changes to these resources are permitted without express written permission by a director
of gtslearning. These resources may not be used in conjunction with content from any other supplier.
If you suspect that this course has been copied or distributed illegally, please telephone or email gtslearning.
Objectives
• Understand why security policies and procedures are critical to protecting assets
• Distinguish the types of security controls that can be deployed to protect assets
• Describe the basis of access control systems: Identification, Authentication, Authorization, and Accounting
• Know the use of different access control models
Why is Security Important?
• Increasing computer crime
o Theft
o Fraud
o Vandalism
Assets
• Tangible
• Intangible
• People (employees)
• Market value
• Practical value
Why is Data Important?
• Business functions
o IT / administration
o Product development
o Sales / marketing
o Financial information
The CIA Triad
• Confidentiality
• Integrity
• Availability
• (Non-repudiation)
The CIA Triad
• Confidentiality: Data is kept secret from unauthorized parties
• Integrity: Data remains trustworthy; it can be verified that the data has not been modified by unauthorized parties
• Availability: Data is available to authorized parties
• Non-Repudiation: A transaction that has been carried out cannot be denied by the party that performed it (someone cannot deny something)
Security Policy
• Commitment to secure working practices
• Risk assessment
• Tested, documented procedures and security controls
• Compliance
Roles and Responsibilities
• Overall responsibility
• Managerial
• Technical
• Non-technical
• Legal / regulatory
• Security professional role
Security Controls
• A security control (or countermeasure) is something designed to make a particular asset or information system secure (that is, give it the properties of confidentiality, integrity, availability, and non-repudiation).
• Countermeasures deployed against threats or vulnerabilities to protect assets
• Types (NIST SP 800-53)
o Families
− Basic function (access control, configuration management, incident response, etc.)
o Classes
− Technical – implemented in hardware or software
− Operational – implemented by people
− Management – oversight and evaluation
Physical Security Control Types
• As with the NIST classification, controls can be divided into two broad classes:
o Administrative - controls that determine the way people act, including policies, procedures, and guidance.
o Technical - controls implemented in operating systems, software, and hardware devices.
• Goal / function
• Whether administrative or technical, controls can also be classified according to the goal or function of the control in a simpler schema than the families identified by NIST.
o Preventive - the control physically or logically restricts unauthorized access.
o Deterrent - the control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion.
o Detective - the control may not prevent or deter access, but it will identify and record any attempted or successful intrusion.
o Corrective - the control responds to and fixes an incident and may also prevent its reoccurrence.
o Compensating - the control does not prevent the attack but restores the function of the system through some other means, such as using data backup or an alternative site.
• As no single security control is likely to be invulnerable, it is helpful to think of them as delaying or hampering an attacker until the intrusion can be detected. The efficiency of a control is a measure of how long it can delay an attack.
Access Control and ACLs
• Subjects
o Users or software that request access
• Objects
o Resources such as servers, data, etc.
• Issuance / Enrollment
• Identity Management
Authentication
• Proves that a user or process is who it claims to be
• Something you know
o Password
o PIN
o Personally Identifiable Information (PII)
Something You Have / Are / Do
• Something you have
o Smart card
o Fob (one-time password)
Multifactor Authentication
• Strong authentication requires two (or three) types
• Something you know AND something you have
• Something you know AND something you are
• NOT something you know AND something else you know
Authorization
• Least privilege
o Assign the minimum possible rights
• Single Sign On
o Authenticate once – authorize many
− User authenticates to obtain an access token
− Token is used to authenticate silently to other applications
− User and application both trust token provider
o Simplifies account management
o But compromising an account may compromise multiple applications
o Difficult to implement on public networks
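The single sign-on flow in the bullets above, as an added Python example that is not part of the original courseware: a token provider authenticates the user once and issues a signed access token, and each application that trusts the provider verifies that token instead of asking for a password. The shared HMAC key, the sample account, the token layout and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumption: provider and applications share one HMAC key. Deployed SSO
# systems usually have the provider sign with a private key instead.
PROVIDER_KEY = b"constructed-demo-key-not-a-real-secret"
USERS = {"alice": "correct horse"}  # constructed sample account (plaintext only for the demo)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _sign(payload: str) -> str:
    return _b64(hmac.new(PROVIDER_KEY, payload.encode(), hashlib.sha256).digest())


def provider_login(user, password, now=None, lifetime=300):
    """Token provider: authenticate once, return a signed access token (or None)."""
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    now = time.time() if now is None else now
    payload = _b64(json.dumps({"sub": user, "exp": now + lifetime}).encode())
    return payload + "." + _sign(payload)


def app_accepts(token, now=None):
    """Any application that trusts the provider: return the user name or None."""
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(payload)):
            return None  # not issued by the trusted provider, or altered
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token
    now = time.time() if now is None else now
    return claims["sub"] if claims["exp"] > now else None


def demo():
    token = provider_login("alice", "correct horse", now=1000)
    mail = app_accepts(token, now=1100)   # first application, no password prompt
    files = app_accepts(token, now=1100)  # second application accepts the same token
    forged = app_accepts(_b64(b'{"sub":"root","exp":9e9}') + ".AAAA", now=1100)
    expired = app_accepts(token, now=2000)
    return mail, files, forged, expired
```

Because every application accepts the same token, one compromised account or token reaches all of them; the short lifetime checked in `app_accepts` bounds how long that holds.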
Accounting
• Logging
o Account for actions
o Detect intrusions
o Choosing what to log
• Surveillance
• Incident reporting
o What?
o When?
o Who?
Review
• Understand why security policies and procedures are critical to protecting assets
• Distinguish the types of security controls that can be deployed to protect assets
• Describe the basis of access control systems: Identification, Authentication, Authorization, and Accounting
• Know the use of different access control models
Labs
• Lab 1 / Hyper-V