Security Goals and Controls | Security Plus 701

CIA Triad
- Confidentiality
  - Measures an attackers ability to get unauthorized access to data or information from an application or system.
  - It involves using techniques, often cryptography, to allow only approved subjects with the ability to view information.
  - Confidentiality includes preserving authorized restrictions on information access and disclosure.
  - It is a means for protecting personal privacy and proprietary information.
  - Confidential information can include passwords, cryptographic keys, personally identifiable information (PII), personal health information (PHI), intellectual property (P), or other sensitive information.
  - Examples:
    - VPN
    - Leveraging mutual TLS between web browser and web server or controller.
    - Storing sensitive data or credentials in a mobile device partition or secure enclave
    - AES encryption on data at rest in storage (file, block, object, database)
- Integrity
  - Safeguarding against improper modification or destruction of information
  - Quality of IT that reflects, logical correctness and reliability of the OS, and logical completeness of hardware and software that implements the protection mechanisms
  - Consistency of data structures and occurrence of stored data.
  - Examples:
  - OS performs checksum, when file is moved or copied from one volume to another.
  - Frame check sequence conducted on an Ethernet frame when sent from one MAC address to another.
  - A hashed message authentication code applied to advertisements sent between neighbor systems such as a routers or gateways.
  - Implementing a mandatory access model technique such as Biba or Clark-Wilson.
- Availability
  - Ensuring timely and reliable access to and use of information
  - It is a property of data, information, applications, systems, or services that are accessible and usable upon demand by an authorized subject
  - High availability is failover feature to ensure availability during device or component interruption both, planned and unplanned.
  - Examples:
  - Implementing security controls that protect system and services from spoofing, flooding, denial of service DDoS, poisoning, and other attacks that negatively affect the ability to deliver data, content, or services.
  - Vulnerabilities that impact availability can affect hardware, software, network resources, such as flooding large amounts of memory, CPU cycles, or unnecessary power consumption.
  - Assuring that technical controls such as firewalls, IPS sensors, anti-virus, and endpoint protection are always reliable and deployed in a failover group or cluster.
  - Determining the best disaster recovery site solution for every scenario or situation for an organization
- Nonrepudiation
  - Enforcing the inability of a subject to deny that they participated in a digital transaction, agreement, contract, or communication such as an email.
  - Non-repudiation is the property of agreeing to adhere to an obligation.
  - Example
    - Pen and sign a legal contract, your signature is a non-repudiation device.
    - IT, public/private key pair cryptosystem and digitally signed certificates between the sending and receiving parties.
AAA
- Authentication
  - Validating that an entity (user, application, or system) is who or what they claim to be
  - Confirms only those with authorized credentials gain access to secure systems.
  - Common are Usernames/webmail/email/ and password for authenticating people
    - Should always be another robust factor added to a simple credential.
  - Common ways to Authenticate people
    - Password, pin, passphrase they know.
    - Smart card token or fob that they possess
    - Digital certificate they present
    - Biometric attribute
    - QR or code they present on a device (Airline QR boarding passes)
  - Non-person entities (NPEs)
    - Laptops and pads
    - Mobile device
    - Gateways and load balancers
    - Robotic systems
    - Embedded devices
    - IoT endpoints
  - Endpoint Authentication
    - Only authorized devices can connect to a given network, site, or service.
    - M2M (machine to machine) communications and IoT
    - Endpoint fingerprinting is one way to enable authentication of non-traditional network endpoints such as smart card readers, HVAC systems, Medical equipment, and IP-enabled door locks.
  - Common Device (Endpoint) Authentication Methods
    - A shared secret key stored on endpoints (wireless) or infrastructure devices.
    - An X.509 v3 device certificate stored in a software application
    - A cryptographic key, certificate, or other credential stored at the hardware level in a trusted platform module.
    - A Key stored in a hardware security module (HSM)
    - A protected access file (PAC) in a Cisco Infrastructure.
  - Authenticating subjects is technically mandatory, even if using open or anonymous techniques.
  - Old Way - Clients would initiate a TCP three way communication handshake before the authentication process.
    - Sub-optimal and violation of "zero trust" principles.
- Authorization
- Granting an authenticated entity permission to access a resource or perform a specific function.
- Authorization is technically optional for authenticated entities and is mandatory for practical policy standpoint.
- Modern security deployments, it is desirable to implement session based tokens and attribute-base authorization mechanisms.
- Authorization Models:
  - DAC - Discretionary access control
    - Grants control decisions to the resource owners and custodians.
    - Each resource typically has an owner who determines the access permissions and shares
    - The owner can grant or revoke access rights for other users or groups
    - Offers flexibility and allows resource owners to have fine-grained control over access, but it can also result in inconsistent access control decisions.
    - It is the most prone to "privilege creep"
  - RBAC - Role-based access control
    - Grants access based on predefined roles or job titles
    - Users are assigned roles, and access rights are associated with these roles.
    - Instead of directly assigning permission to individual users, permissions are assigned to roles and user inherit the rights associated with their roles.
    - Examples
      - Various roles in hospital or medical center
      - Built-in roles in a database management system
    - RBAC streamlines access control administration by grouping users with similar job functions and offering a scalable approach to access management
  - MAC - Mandatory Access Control
    - A mandatory access control (MAC) is a strict mathematical model where access to resources is determined by the system based on predefined security labels and rules
    - Principals are assigned security clearances or classification levels (top secret, secret, confidential, etc.)
    - Resource objects are labeled with sensitivity levels.
    - Access is granted or denied by comparing these labels and rules, ensuring strict control and preventing unauthorized access
    - This is a "non-discretionary" model.
  - ABAC - Attribute-based access control
    - Grants access based on combination of characteristics associated with users, resources, and environmental conditions.
    - Attributes can include user attributes (Job title, department), resource attributes ( think sensitivity level, classification), and environmental attributes (time of access, location)
    - Authorization policies are defined using these combinations, and decisions are made based on evaluating the attributes against the define policies.
  - ABDAC - Attribute-based dynamic access control
    - Attribute based dynamic access control (ABDAC) combines the principles of attribute based access control with dynamic access control (DAC)
    - It considers dynamic factors such as risk assessment, user attributes, resource attributes, and contextual information to make access control decisions in real time
    - ABDAC provides more fine-grained and context-aware access control needed in "zero trust" environments when compared to traditional static access control models.
      - May include dynamic machine learning techniques such as user behavioral analytics (UBA) in next-generation environments.
  - RBAC - Rule based access control
    - Determine access
    - Access control rules define conditions or criteria that must be met for access to be granted.
    - These rules can be based on seral factors, such as user attributes, resource attributes, time of access, and more.
    - Access decisions are made by comparing these rules against the context of the access request - usually IP transport and network layer header metadata.
- Accounting
- When did the entity begin, when did it end, how long did they do it?
- Implemented for two use cases
  - Monitoring, visibility, and reporting
  - Billing, chargeback, and reporting
- RADIUS is one of the most popular IETF-based AAA services, and its known for exceptional accounting capabilities.
- DIAMETER is the next generation of RADIUS
- AAA - Character Mode vs Pack Mode
- Character mode sends keystrokes and commands (characters) to a network admission device for the purpose of configuration or administration on that same device.
- Pack ( or network ) mode occurs when the network admission device serves as an authentication proxy on behalf of services in other networks such as web, FTP, DNS, etc.
Describe control categories
- Technical controls
  - Security mechanisms that the specific systems run - either manually or, more often, automated and orchestrated.
  - These controls deliver confidentiality, integrity, authenticity, and availability protections
  - They define against unauthorized access or misuse
  - They also facilitate the detection of security violations and support security requirements for applications and data.
  - Common Technical controls
    - Infrastructure security and device hardening
    - Identity and access (IAM) management engines
    - Cryptographic key management and HSMs
    - Cloud based threat modeling tools
    - SIEM and SOAR systems.
- Managerial
  - Managerial (also administrative) controls define policies, procedures, best practices, and guidelines
  - They are usually more logical in nature
  - Should be published or printed definition of policies
    - No piggybacking (tailgating)
    - Acceptable use policies
    - Best practices and guidelines
    - Password policies
    - Screening, hiring, and termination procedures
    - Mandatory vacations
    - Training and awareness
- Operational
  - Support ongoing maintenance, due care, and continual improvement
  - Optimizing the change and configuration management database
  - Preforming tested patch management
  - Conducting awareness and training.
  - Monitoring physical and environmental controls
  - Incident response and disaster planning testing and drills.
  - Preforming software assurance initiatives
  - Ongoing mobile device and mobile application management
- Physical
  - Protect the campus, facility, environment, and people
    - Various physical barriers
    - Guards and security teams
    - Cameras and surveillance equipment
    - Different types of sensors and alarms
    - Locking mechanisms
    - Secure safes, cabinets, cages, and areas.
    - Mantraps and Faraday cages
    - Fire detection and suppression systems.
    - Environmental Controls
Define control types
- Preventive
  - Stop an attacker from successfully conducting an exploit or advanced persistent threat
    - Fences, gates, locks
- Deterrent
  - Discourages an attacker from initiating or continuing an attack.
    - Sticker on window, security guard
- Detective
  - Identifies an attack that is occurring as well as the steps of the kill chain.
    - IPS or IDS sensor, to detect an attack, or camera.
- Corrective
  - Restores a system to state before the negative event occurred; can simply rectify or correct identified problem. Recovery point, or Recovery point objective. You can reimage machine to recover data.
- Compensating
  - Aids controls that are already in place or provides a temporary stopgap solution.
- Directive
  - Mandatory policies and regulations that are in place to maintain consistency and compliance.
Quiz:

1 Question: Which of these are common ways to authenticate people?
- [v] A QR or other code they present on a device
- [ ] A network interface MAC address
- [v] A biometric attribute
- [v] A smart card token or fob that they possess
- [ ] An X.509 device certificate
- [v] A password, PIN, or passphrase they know
2 Question: Which type of security control is made up of mandatory policies and regulations that are in place to maintain consistency and compliance?
- [v] Directive
- [ ] Deterrent
- [ ] Corrective
- [ ] Preventative
3 Question: Which security control enforces the inability of a subject to deny that they participated in a digital transaction, agreement, contract, or communication such as an email?
- [ ] Availability
- [ ] Integrity
- [ ] Confidentiality
- [v] Non-repudiation
4 Question: Which category of controls supports ongoing maintenance, due care, and continual improvement such as conducting tested patch management?
- [v] Operational
- [ ] Physical
- [ ] Technical
- [ ] Managerial
5 Question: Which security goal controls an attacker's ability to get unauthorized access to data or information from an application or system?
- [ ] Non-repudiation
- [ ] Availability
- [v] Confidentiality
- [ ] Integrity
6 Question: What is a strict mathematical model where access to resources is determined by the system based on predefined security labels and rules?
- [ ] ABAC
- [ ] RBAC
- [ ] DAC
- [v] MAC
7 Question: What is one way to enable authentication of non-traditional network endpoints such as smart card readers, HVAC systems, medical equipment, and IP-enabled door locks?
- [ ] Protected access files
- [ ] Packet mode
- [ ] Repudiation
- [v] Endpoint fingerprinting
8 Question: What is the process of granting an authenticated entity permission to access a resource or perform a specific function?
- [v] Authorization
- [ ] Availability
- [ ] Accounting
- [ ] Authentication