Access Control Defensive Categories and types
6 access control types
- Administrative (directive) – Created by following company policy, procedure or regulation. Example: user training.
- Technical Control – Software, hardware or firmware that restricts logical access. Examples: firewalls, routers, encryption.
- Physical Control – Implemented with physical devices like locks, fences, gates, security guards
Preventive controls prevent actions from occurring. Example: assigning limited privileges prevents users from performing unauthorized actions. An example of an administrative preventive control is drug screening, to prevent hiring employees who use illegal drugs.
Detective controls are controls that alert during or after a successful attack. Examples: IDS, CCTV, building alarm.
Corrective controls work by “correcting” a damaged system or process. AV works as both a detective and a corrective control by scanning for viruses and placing them in quarantine.
Recovery controls take place after a security incident has occurred. Examples: reinstalling the OS or restoring from backup.
Deterring controls deter users from performing actions on a system. Examples: a “beware of dog” sign, a large fine for speeding, sanction policies for surfing illicit websites.
A compensating control is an additional security control put in place to compensate for a weakness in other controls. Example: a policy under which surfing illicit websites causes an employee to lose their job is an administrative deterrent control. Reviewing logs each day adds a detective compensating control to augment the administrative control.
Assets are valuable resources you are trying to protect. Examples: data, systems, people, buildings, property, etc.
Threats and vulnerabilities
Threat – A potentially harmful occurrence. Examples: earthquake, power outage, network-based worm.
Vulnerability – A weakness that allows a threat to cause harm. Examples: buildings not built to withstand earthquakes, a DC without backup power, a Microsoft XP system that has not been patched in a few years.
RISK = THREAT x VULNERABILITY
Impact is the severity of damage, sometimes expressed in dollars. Also known as consequences or cost.
Risk = Threat x Vulnerability x Impact
The impact of losing human life is near infinite on the CISSP exam.
Risk analysis Matrix
Australia/New Zealand ISO31000:2009 Risk Management Principles and Guidelines
The Risk Analysis Matrix allows you to perform Qualitative Risk Analysis (likelihood vs. consequences).
L – Low risk, handled via normal processes
M – Medium risk, requires management notification
H – High risk, requires senior management notification
E – Extreme risk, requires immediate action including a detailed mitigation plan
Annualized Loss Expectancy (ALE)
Determines annual cost of a loss due to a risk.
- Asset Value (AV) – The value of the asset you are trying to protect.
  - Tangible assets – such as computers or buildings
  - Intangible assets
    - Market Approach – Fair value of the asset compared to assets purchased under similar circumstances
    - Income Approach – Present value of the future earning capacity that an asset will generate over its remaining life
    - Cost Approach – Fair value of the asset by reference to the cost that would be incurred in order to recreate or replace the asset
- Exposure factor (EF) – Percentage of value exposed to risk
- Single Loss Expectancy (SLE) – AV x EF – Asset value x exposure factor
- Annual Rate of Occurrence (ARO) – Number of losses you suffer per year
- Annual Loss Expectancy (ALE) – Yearly cost due to risk. SLE x ARO
- Total Cost of Ownership (TCO) – Total annual cost of a mitigating safeguard
- Return on Investment (ROI) – Amount of money saved by implementing the safeguard. If TCO > ALE, ROI is positive. If TCO < ALE, ROI is negative.