180. Findings and Remediations (OBJ 4.2)
In this section of the course, we’re going to discuss how to make recommendations for appropriate remediations based on the findings that you found during your penetration test. As we move into this section, we’re going to be continuing to look at the fourth phase of our engagement, reporting and communication. This section of the course is going to be focused on objective 4.2, which states that, given a scenario, you must analyze the findings and recommend the appropriate remediation within a report. So this means that if the exam gives you a question that indicates a web application was vulnerable to an SQL injection, you’re going to be responsible for recommending an appropriate mitigation or remediation for that specific vulnerability. For example, let’s say there was an option to rewrite the code to support input validation. This would definitely mitigate that vulnerability, but so would implementing a web application firewall in front of the vulnerable web application server. This is the kind of thing you’re going to have to understand for questions focused on objective 4.2 because there may be multiple right answers to mitigate a given vulnerability. So you’re going to need to analyze each possible answer inside of the exam question and then select the most appropriate one based on the given situation.
Normally there’ll only be one right answer in these questions, so you have to read through them to make sure it applies to your given situation. Now, we’re going to begin this section by defining the different security control categories that are going to exist and how you can select different security controls from those categories. Then we’re going to cover physical controls, things like access control vestibules, biometric controls, and video surveillance. Next, we’re going to discuss operational controls such as the separation of duties, job rotation, mandatory vacations, termination procedures, user training, auditing programs, and the time of day restrictions. After that, we’ll move into administrative controls, such as role-based access control, minimum password requirements, policies and procedures, and the implementation of secure software development life cycle practices. Then we’ll move into some of the different technical controls, such as system hardening, patch management, secure coding practices, implementing multifactor authentication, using digital certificates, key rotation, secret management solutions, process level remediations, and network segmentation. Finally, I’m going to provide you with a short summary of some of the findings and some appropriate remediations that you recommend for them. All right, let’s continue our coverage of domain 4, reporting and communication with findings and remediations in this section of the course.
181. Security Control Categories (OBJ 4.2)
Now, as far as cybersecurity is concerned we have to go through a process of risk management to identify the different threats and vulnerabilities to our networks. Once we do that we have to find a way to mitigate those risks. And how do we do that? Well, we do that by implementing effective security controls. Now a security control is a technology or procedure that’s put in place to mitigate vulnerabilities and risk in order for us to ensure the confidentiality, integrity, availability, and non-repudiation of data and information. If you’ve taken your security plus already you’re probably familiar with these terms known as the CIA triad. Now historically, we used to take our security controls and we would just deploy them in any way that we could based on a reactive posture. So when something new came out like people trying to break into our networks we would say hey, we need a way to block that access. How do we do that? Let’s put up a firewall. And so firewalls became a big thing.
After a while we started seeing that people started going through because there was firewalls, they created viruses and worms to try to a break into our networks. So what did we do? We added antivirus and on and on it went where the attackers did something and the defenders then did something in retaliation to that trying to stop the attackers from getting in. Well, this hodgepodge way of being reactive never lets us get ahead of the game. And so we are always basically one step behind the attackers. So we have to figure out a better way to do security. And the way we do that is through using a risk management framework and being able to take our security controls and selecting them and deploying them as part of an overall framework. If we know what all of our risks are we can then prioritize them, we can mitigate them, and we can start putting it a holistic approach to be able to prevent these issues and these attackers from breaking in.
This process allows us to start selecting primary controls and complimentary controls to help work together to provide us a layered security approach known as defense in depth. Now, the way we classify these different security controls comes out of a publication known as the NIST special publication 800-53, the security and privacy controls for federal information systems and organizations. If you want to read this document you can just simply Google the name and it will come up. It is a publicly available document. For the exam you do not need to read this document and you don’t need to know everything that’s in it, but there are a couple of important things that we’re going to get from this document. For example, inside this document there are 18 families that are broken out such as access control, accountability, instant response, and risk assessment, and many others.
Now as we go through these give us different ways to classify our different controls. For instance, is this control focused on accountability? Is it focused on access control? Is it focused on our ability to do an incident response? Whatever those things are. Now as I said this is a federal government, US government publication. This National Institute of Standards and Technology. But there’s also a framework that is used around the world known as the ISO 27001. This framework is a proprietary framework though and it does cost money to use it. Now because of thi the NIST standard is actually widely used both here in the United States and around the world because it is free and it is a great resource that anyone can use. Now in earlier versions of the 800-53 each of these different families belonged to a class and we were able to categorize things based on these different controls and categories and families that we had.
For instance we used technical, operational, and administrative as three big classes or families of controls. Now as we look at these we can define each one. As we talk about a technical control this is going to be a category where we’re going to implement it as a system. So we’re going to have some kind of hardware or software or firmware. This is also known as a logical control. Now for example, if I take a firewall and I install it in your network, that is a technical control. If I put in antivirus or I patch your operating system, these are all different logical or technical controls. Next we have operational.
Now operational is a control that’s implemented primarily by people instead of using systems. So in this case we might be looking at adding security guards to make sure people don’t break into our building. We might train all our employees on how to not fall for phishing scams. Both of these are operational controls not to technical controls. The third category we have is administrative controls. And these are controls that give oversight of your information system. So we might have things like risk identification or using different tools to be able to evaluate and select different controls by using things like vulnerability scans and remediations.
All of these would be an oversight or an assessment and therefore administrative. Now, while these three categories of controls are very useful for us to think about our different controls and where they fit inside the organization of our network, they actually were removed from the NIST special publication 800-53 in revision four, and all of the newer versions of the 800-53 no longer classify families of controls in this way of calling them technical, operational, or administrative. But this is still a useful way to think of things. And so CompTIA has chosen to still use these in the exam objectives. Now, one more thing that often confuses students is that sometimes these controls seem to merge together.
And this is one of the reasons that NIST actually has done away from these families of controls. For example, let’s say you have a vulnerability management program inside your organization. Now I’m not talking about a program like the thing you run on your computer. I’m talking about a program such as the organizational framework of the policies and the procedures and all the things that it takes to do vulnerability management. Well, if you have that in your organization this is going to be governed by the managerial process. That’s the oversight of the information system. But it also has operational controls that tells your technicians what they need to do and when.
How do they perform a scan? How do they respond to a scan? What do they do if something bad happens? And then there’s also the technical part of this too, right? Because on the technical side you have a program like Nessus that you’re using to run these scans and you’re running your reports and doing your automated scanning. All of these things work together, which is one of the reasons that Nessus started to break away from these categories because a single control like a vulnerability management program could actually fit into operational, administrative, or even technical as well if you’re talking about the technical and logical side of this program. these are the kind of things that start seeing things mixed up and a lot of students have trouble separating them out into individual categories because of this. Now for the exam you’re not going to see a question that says, here’s a control, which of these three is it, but you need to think about the way that these controls could be categorized because it could help you as you’re figuring out what the solution is to a given problem especially in the real world. Now as far as the exam goes let me give you one quick tip.
You do not need to go and read the entire 800-53 as I said before. But it is a good thing to use as an on the job resource. And so it’s something you should be aware of but you don’t need to go and read it and know all of the different designations out there. Also don’t fight the exam. I know that from RAV4, the NIST 800-53 does not have these control families anymore. But the exam will still talk about these control families.
And so I don’t want you to get hung up on that when you take the exam. Remember, for the exam you do need to memorize the different family designations but you should be familiar with the basic concepts that are presented inside the 800-53 and different types of controls that you can use to protect your networks. Now, you may remember back in security plus you talked about some other types of security control types and these are known as functional types. Now just because we’ve abandoned the idea of categories or families it’s still helpful to be able to categorize these things according to the goal or function they may perform. And so we have three different types here. We have preventative, detective, and corrective.
Now, when we talk about a preventative control this is a control that acts to eliminate or reduce the likelihood that an attack can succeed. So for example, if I put in an access control list on my firewall, I am using a preventative type control. I’m trying to prevent you from accessing my network. Now will it stop you a hundred percent of the time? No, but it is going to help prevent a lot of the attacks before they can take place.
And so when we deal with things like ACLs and firewalls, anti malware solutions or intrusion protection systems, these are all things that go inside the preventative category. Now, another thing we have is what’s known as a detective control. A detective control is any control that may not prevent or deter access, but it will help identify and record any attempted or successful intrusion. The most common one is what’s known as logs. Anytime you log something that’s happening you are using a detective control because you can go back in those logs, identify what happened, and put the pieces back together. Another good example of this in the physical world would be a security camera. If you have a security camera in your house it doesn’t stop me from smashing the window and jumping in and stealing your TV.
But you can record the fact that I did it. And then you can go back afterwards, put the pieces back together and say Jason broke in my house and he stole my TV and here’s the proof. I have the detective evidence from it because I was able to see what happened ’cause I recorded that attempt. The third one we have is what’s known as a corrective control. Now this is a control that acts to eliminate or reduce the impact of an intrusion event. So in the idea of a corrective control we might have something like a backup system. If I back up all my files to an offsite backup, even if my system was compromised I still have all my data successfully stored offsite. And then I can correct the issue by restoring the system and restoring that data back onto the system just like it was before the intrusion occurred. Another good example of this would be things like patch management systems.
Once we know that we have a vulnerability and it’s been exploited, we can push out a patch to correct that across all of our systems and all of our network to prevent that from being exploited again. Now the big thing you have to think about when you deal with security controls is that there is no single security control that is going to be perfect. Everything has some kind of vulnerability to it. And so when we measure security controls’ effectiveness we really need to determine how long it can delay an attack.
The longer it can delay the attack, the more effective that security control is going to be for us. And that way we can actually use all these controls together to build a good defense in depth posture. Now in addition to these preventative, detective, and corrective controls, there’s a couple other ones that we need to talk about. These are physical, deterrent, and compensating. Now when I talk about a physical control these are types of security controls that act against an in-person intrusion attempt. Things like alarms, gateways, locks, bollards, lighting, security system, security guards. All of these things can deter and detect access to our premises and the hardware that’s contained within our buildings. So these, when you think about a physical control, they can be detective. They can be preventative. They can be corrective.
These are an additional category. They’re not an either or so you can be preventive and physical. For instance a lock. You can be detective and physical. For instance a security camera. The second one we have is a deterrent control. Now this is any type of security control that discourages an intrusion attempt. Now the control may not be physically or logically there that can prevent access but they can try to tell the person hey, you shouldn’t attack us here. For instance, have you ever gone through a neighborhood and you see the sign in front of somebody’s house that says this house protected by ADT Security? Whether or not they actually have an alarm system doesn’t matter.
That sign is a deterrent control. It tells a burglar this house may be protected and you may not want to go here. That’s the idea of a deterrent control. Now the next one we have is what’s known as a compensating control, and this is a type of security control that acts as a substitute for a principal control. Now, what do I mean by that? Well, when I talk about a principal control this would be the best level of protection you can get but maybe you can’t afford that. And so you need to do something else that isn’t quite as good but it will still give you some benefit. That’s the idea of a compensating control. Generally, a compensating control is going to be recommended by a security standard and it’ll give you equivalent protection to what the better technology might be but it’s a different way of achieving that. For instance, let’s say that you wanted to make sure your password security was good so that you can have good authentication in your systems.
Well, you can achieve that two different ways. You can have very long and complex passwords that are changed every 30 days. For instance something that’s 16 characters, has uppercase, lowercase, and all that crazy stuff. But that’s really hard for your users to remember, or you might give them a smart card and a pin. And by doing that, they have to remember a four digit number and put their card into the system. That’s a lot easier for the user and it’s actually equivalent or better to the original control of that 16 character long strong password because it’s two factor authentication. So even though the standard might have said you must have a long strong password. If you substitute that with a compensating control of a smart card and a pin number, that’s equivalent or better protection and so you can substitute that as a compensating control instead. Now whatever you do all of these different security controls one of the big things you have to do is you have to pick which controls you want to use. For instance, do you want to use that long strong password or that smart card and pin number? And that’s what we’re going to talk about when we start talking about how we select our different security controls.
182. Selecting Security Controls (OBJ 4.2)
There are lots of different security controls out there. There are hundreds and thousands of different controls. And lots of these controls will do the same thing or give you the same benefit. So how do you select the security controls you want to use? Well, one of the best ways to do that is to think in terms of CIA. If you think about the confidentiality, integrity and availability, you can make sure you have proper coverage over each of those areas to make sure you’re creating security for your system.
Let’s consider the following example of some technical controls. First, what if I had an encrypted hard drive on a laptop? Which type of control is this? Am I upholding confidentiality, integrity or availability? Well, if you think back to your Security+ studies, you’ll remember that anytime we’re dealing with encryption, we really are dealing with confidentiality because we’re trying to make sure that nobody’s prying eyes can see our data. If we encrypt our drive, nobody can access the information on that drive without that encryption key. And that is going to maintain confidentiality.
But, it doesn’t really do anything for integrity or availability. So it only upholds the C in CIA. What if I decided I wanted to use digital signatures on my emails? Well, again, thinking back to Security+, a digital signature is essentially a hash of the email you’re going to send encrypted with your digital private key. Now if you remember, a digital signature doesn’t encrypt the email itself, it encrypts the hash. And when we talk about hashes, we’re always talking about integrity. And so what we’re dealing with here is upholding integrity by using a digital signature. It doesn’t do anything for confidentiality and it doesn’t do anything for availability. So again, we’re only dealing with the I in CIA.
How about a third example? What if I’m dealing with a cloud product and it has the ability to instantly scale up or scale down, using its elasticity to able to meet demand? Which would it be? Would it be confidentiality, integrity, or availability? Well, it would be availability, right? Because we have the ability to take on as much traffic as somebody can send to us because we can instantly scale up and accept that load. So again, this doesn’t give me anything for confidentiality, gives me nothing for integrity, but it’s all about availability. So each of these three things in their own can give me C, I or A, but they can’t give me all three. And that’s the idea here, is none of these technologies alone can give us confidentiality, integrity, and availability.
But, if I combine them all together, I can get the tenants of security. And that is why using your risk management framework is really important to figure out what risk you’re trying to solve. Is it a confidentiality risk? Is it an integrity risk, or is it an availability risk? Or, is it all three? And if so, you may need to select multiple controls to be able to deal with that. So how do you decide at which security control you’re actually going to apply? Well again, this is going to depend on your risk and what you’re trying to mitigate.
Let’s walk through an example together. Dion Training, my company, has recently implemented routine backups of our databases to ensure that we can quickly recover if a database is ever corrupted or infected. Now, our backup solution also uses hashing to validate the integrity of each entry as it’s being written to that backup device. Which technical control would you recommend adding to ensure the tenants of CIA are upheld? Now, I’m not even giving you multiple choice here, but I want you to think about this. If you have a backup solution and that backup solution is backing up a database, that’s going to be availability, right?
And then, if we’re dealing with the hashing, that’s going to give us integrity. So I have the I and the A covered but I don’t have confidentiality. So what could I do to give me confidentiality? There’s lots of answers out there but I’m going to present you with just two. First, I might think about adding an access control system. By having an access control system, I can control which users can access that backup and be able to have access to the data. Because remember, that backup has all of our live data as well. And so by using the right user permissions, that would be one way to maintain confidentiality. Now, another way we could do it is we could encrypt those backups. Because if those backups get lost and somebody could read them, that would be bad. That would breach our confidentiality.
So we can use encryption as a way to uphold confidentiality. Or, we might use both of these controls because we’re worried about the wrong people accessing the data. And we’re worried about the loss of the data if somebody took the database out. And by having it encrypted, that would solve that problem too. So that’s the idea when you start thinking about these security controls. You’re going to look at a problem, you’re going to look at a vulnerability, and then you’re going to have to decide, what can I do to solve this vulnerability? How can I mitigate this risk? And by going through and thinking through the CIA part of it, you can think of what controls can help in each of these areas and give you a more holistic coverage over the entire vulnerability and how you can best mitigate it.