# SEC-1: Security Controls

Status: not started

Domain:

- 2.0 Security

Objective alignment:

- 2.1 Security controls

## What You Need To Know

Security controls reduce risk. Core 2 expects you to match the control to the problem.

Main groups:

- Physical security controls
- Physical access controls
- Logical security controls
- Authentication and access management
- Data and device management controls

## Memory Trick

Use **P-L-A-D**:

- **P**hysical: stop people, vehicles, theft, and unauthorized entry
- **L**ogical: permissions, trust, and network/software rules
- **A**uthentication: prove who you are
- **D**ata/device controls: protect data and managed devices

MFA factors:

- **Know**: password, PIN
- **Have**: smart card, key fob, phone, token
- **Are**: fingerprint, face, retina
- **Where**: location

## Physical Security Controls

Bollards:

- Posts/barriers that stop vehicles.
- Exam clue: prevent cars/trucks from reaching a building.

Access control vestibule:

- Two-door controlled entry area.
- One door opens while the other remains locked.
- Exam clue: prevent tailgating or control one-person-at-a-time entry.

Badge reader:

- Reads magnetic stripe, RFID, NFC, or similar badge.
- Exam clue: employee door access or time clock.

Video surveillance/CCTV:

- Cameras and recording.
- Exam clue: monitor entrances, review incidents, license plates, faces, motion.

Alarm systems:

- Door/window/fence circuits, motion detection, duress buttons.
- Exam clue: alert when a perimeter or protected area is breached.

Locks:

- Conventional key, deadbolt, electronic PIN, token-based, biometric, multifactor.

Equipment locks:

- Lock racks, cabinets, laptops, or devices.

Guards and access lists:

- Human verification of ID and visitor access.
- Often includes a visitor log.

Fences and lighting:

- Fences create a perimeter.
- Lighting deters attackers and improves camera visibility.

Magnetometers:

- Detect metal objects.
- Exam clue: weapons screening.

## Physical Access Factors

Key fob:

- Small RFID/proximity key.

Smart card:

- Certificate-based card, usually part of MFA.

Mobile digital key:

- Phone acts as the key for a building, hotel, car, or office.

Biometrics:

- Fingerprint, retina, palm, face, or voice.
- Strong, but not easily changed if compromised.

## Logical Security Controls

Least privilege:

- Users get only the access needed to do their job.
- Exam clue: reduce damage from mistakes or malware.

Zero Trust:

- Trust nothing automatically.
- Verify users, devices, apps, and requests continuously.

ACL:

- Access Control List.
- Allows or denies traffic or file access based on rules.

## Authentication and Access

MFA:

- Multi-factor authentication.
- Requires two or more different factor types.

OTP:

- One-time password.
- Used once for a login/session.

TOTP:

- Time-based one-time password.
- Common authenticator app code that changes every 30 seconds.

SMS/voice codes:

- Codes sent by text or phone call.
- Better than password only, but weaker than authenticator apps or hardware tokens.

Authentication app:

- Generates codes or push approvals.

SAML:

- Security Assertion Markup Language.
- Standard for authentication/authorization between an identity provider and a service.

SSO:

- Single sign-on.
- Authenticate once and access multiple approved resources.

Just-in-time access:

- Grants elevated/admin access only temporarily.
- Exam clue: reduce standing admin privileges.

PAM:

- Privileged Access Management.
- Broader system for controlling, vaulting, auditing, and granting privileged access.

## Data and Device Controls

MDM:

- Mobile Device Management.
- Centrally manages phones/tablets/laptops, policies, screen lock, apps, wipe, and BYOD controls.

DLP:

- Data Loss Prevention.
- Detects/prevents sensitive data from leaving approved locations.
- Exam clue: block SSNs, credit cards, medical records, or confidential files from being emailed/uploaded.

IAM:

- Identity and Access Management.
- Gives the right access to the right identities at the right time.

Directory services:

- Central database of users, computers, groups, printers, and resources.
- Windows example: Active Directory.

## Commands To Enter

Windows:

```powershell
whoami
```

What it does:

- Shows the current signed-in user.

```powershell
whoami /groups
```

What it does:

- Shows groups for the current user.
- Useful for checking whether the user has elevated group membership.

```powershell
whoami /priv
```

What it does:

- Shows privileges assigned to the current user.

```powershell
net user
```

What it does:

- Lists local user accounts.

```powershell
net localgroup
```

What it does:

- Lists local groups.

```powershell
net localgroup administrators
```

What it does:

- Shows members of the local Administrators group.
- Use this to check for excessive admin access.

Linux:

```bash
whoami
```

What it does:

- Shows the current user.

```bash
id
```

What it does:

- Shows user ID, group ID, and group membership.

```bash
groups
```

What it does:

- Shows groups for the current user.

```bash
sudo -l
```

What it does:

- Shows what commands the current user can run with `sudo`, if allowed.

macOS, if available:

```bash
whoami
id
groups
```

What it does:

- Shows user and group identity information.

## Mini Lab

Goal:

- Identify authentication factors and local privilege level.

Windows:

1. Run `whoami`.
2. Run `whoami /groups`.
3. Run `whoami /priv`.
4. Run `net localgroup administrators`.
5. Record whether your user appears to have admin rights.

Linux:

1. Run `whoami`.
2. Run `id`.
3. Run `groups`.
4. Run `sudo -l`.
5. Record whether your user has sudo/admin rights.
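
The Linux/macOS steps above, and the commands in the section before, as an added example that is not part of these notes: a POSIX shell script that runs `id` and `sudo -n -l`, parses the `id` output for admin-capable groups, and reports the privilege level for step 5. The group list `sudo,wheel,admin,root` and the sample `id` lines in the comments are assumptions, not something the notes state.

```shell
#!/bin/sh
# Added example, not part of the original notes: automate the Linux/macOS
# Mini Lab steps (whoami, id, sudo -l) and classify the privilege level.
# Assumption: these groups usually carry admin rights through sudo or su
# on Linux and macOS. Adjust the list for your distribution.
ADMIN_GROUPS="sudo,wheel,admin,root"

# is_admin_group NAME -> exit 0 if NAME is in ADMIN_GROUPS
is_admin_group() {
    case ",$ADMIN_GROUPS," in *",$1,"*) return 0 ;; esac
    return 1
}

# admin_groups_in ID_OUTPUT -> prints the admin-capable group names found
# in one line of `id` output, e.g. (constructed sample):
#   uid=1000(alice) gid=1000(alice) groups=1000(alice),27(sudo)
admin_groups_in() {
    found=""
    # keep only the groups= field, split on commas, then strip "gid(" and ")"
    for entry in $(printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' ' '); do
        name=${entry#*\(}
        name=${name%\)}
        if is_admin_group "$name"; then
            found="$found${found:+ }$name"
        fi
    done
    printf '%s\n' "$found"
}

# privilege_level ID_OUTPUT SUDO_RC -> root | admin | standard
# SUDO_RC is the exit status of `sudo -n -l` (0 = at least one sudo rule).
privilege_level() {
    case "$1" in uid=0\(*) echo root; return 0 ;; esac
    if [ -n "$(admin_groups_in "$1")" ] || [ "$2" -eq 0 ]; then
        echo admin
    else
        echo standard
    fi
}

# privilege_report -> runs the live checks on this machine (steps 1 to 4)
privilege_report() {
    id_out=$(id)
    sudo_rc=1
    # -n never prompts for a password, so this is safe to run unattended
    if command -v sudo >/dev/null 2>&1 && sudo -n -l >/dev/null 2>&1; then
        sudo_rc=0
    fi
    printf 'user=%s level=%s admin_groups=[%s]\n' "$(whoami)" \
        "$(privilege_level "$id_out" "$sudo_rc")" "$(admin_groups_in "$id_out")"
}

# Run live only when asked, so the functions can also be sourced or tested.
if [ "${1:-}" = "--live" ]; then privilege_report; fi
```

Run it with `sh script.sh --live`; the `docker` group is deliberately not in the list even though it is root-equivalent on many systems, which is exactly the kind of gap step 5 should make you record.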

Physical control walk-through:

1. Pick a building you know.
2. Identify one physical control, such as a lock, camera, guard, badge reader, or lighting.
3. Identify what risk it reduces.
4. Identify what it does not protect against.

Scenario practice:

- A user needs admin access for 30 minutes to patch a server. Which control fits?
- A company wants to stop credit card numbers from being emailed. Which control fits?
- A company wants all phones to require PINs and allow remote wipe. Which control fits?

## Quick Check Before Quiz

You are ready for the SEC-1 quiz when you can answer these without looking:

- What does least privilege mean?
- What is the difference between SSO and MFA?
- What does DLP protect against?
- What does MDM manage?
- What is just-in-time access?
- Which physical control stops vehicles?