1
00:00:00,210 --> 00:00:01,770
Instructor: In order to protect our networks
2
00:00:01,770 --> 00:00:04,740
and information systems, we utilize various types
3
00:00:04,740 --> 00:00:06,510
of access controls.
4
00:00:06,510 --> 00:00:08,790
Now, access control measures are broken down
5
00:00:08,790 --> 00:00:12,960
into seven different categories, compensative, corrective,
6
00:00:12,960 --> 00:00:17,960
detective, deterrent, directive, preventive, and recovery.
7
00:00:18,000 --> 00:00:20,520
Now, let's discuss each of these categories briefly,
8
00:00:20,520 --> 00:00:22,530
because you're gonna be looking for ways to exploit
9
00:00:22,530 --> 00:00:26,010
all seven of these categories during your penetration test
10
00:00:26,010 --> 00:00:28,350
and then you're gonna be making recommendations
11
00:00:28,350 --> 00:00:30,660
from these seven categories to help remediate
12
00:00:30,660 --> 00:00:33,660
the vulnerabilities that you've found in your assessments.
13
00:00:33,660 --> 00:00:36,840
First, compensative access controls.
14
00:00:36,840 --> 00:00:38,880
Compensative access controls are used
15
00:00:38,880 --> 00:00:41,100
in place of primary access controls
16
00:00:41,100 --> 00:00:43,470
in order to mitigate a given risk.
17
00:00:43,470 --> 00:00:45,480
These controls can be deployed to enforce
18
00:00:45,480 --> 00:00:47,580
and support a security policy.
19
00:00:47,580 --> 00:00:50,820
For example, we might require that two system administrators
20
00:00:50,820 --> 00:00:53,400
perform a certain action, like downloading a copy
21
00:00:53,400 --> 00:00:55,320
of the database to an external device
22
00:00:55,320 --> 00:00:58,260
in order to minimize the risk of a trusted insider
23
00:00:58,260 --> 00:01:00,000
stealing that information.
24
00:01:00,000 --> 00:01:03,210
This mitigation is based on the policy of dual control,
25
00:01:03,210 --> 00:01:05,069
which might be considered an administrative
26
00:01:05,069 --> 00:01:07,110
or managerial control.
27
00:01:07,110 --> 00:01:09,960
Second, corrective access controls.
28
00:01:09,960 --> 00:01:12,660
Corrective access controls are used to reduce the effect
29
00:01:12,660 --> 00:01:15,090
of an undesirable event or attack.
30
00:01:15,090 --> 00:01:17,190
Examples of corrective access controls
31
00:01:17,190 --> 00:01:19,920
include fire extinguishers, antivirus solutions,
32
00:01:19,920 --> 00:01:21,450
and similar measures.
33
00:01:21,450 --> 00:01:24,210
If a fire broke out, then we could correct that issue
34
00:01:24,210 --> 00:01:26,940
by using fire extinguishers, for example.
35
00:01:26,940 --> 00:01:29,190
Third, we have detective measures.
36
00:01:29,190 --> 00:01:31,800
Now, detective measures are used to detect an attack
37
00:01:31,800 --> 00:01:35,310
while it's occurring and notify the proper personnel.
38
00:01:35,310 --> 00:01:37,620
This type of control includes alarm systems,
39
00:01:37,620 --> 00:01:40,110
closed circuit television systems, honeypots,
40
00:01:40,110 --> 00:01:42,090
and other such controls.
41
00:01:42,090 --> 00:01:44,550
Fourth, we have deterrent controls.
42
00:01:44,550 --> 00:01:47,490
Deterrent controls are used to discourage any violation
43
00:01:47,490 --> 00:01:51,750
of the security policies, both to attackers and insiders.
44
00:01:51,750 --> 00:01:54,780
Deterrent controls can go further than detective controls,
45
00:01:54,780 --> 00:01:56,850
because not only do they detect the event
46
00:01:56,850 --> 00:02:00,210
but they also ensure consequences for those actions.
47
00:02:00,210 --> 00:02:03,180
For example, if I posted a sign outside of my house
48
00:02:03,180 --> 00:02:06,630
that says this house has a video camera to record intrusions
49
00:02:06,630 --> 00:02:08,669
this would be a deterrent control.
50
00:02:08,669 --> 00:02:11,280
I'm trying to tell potential burglars that they should go
51
00:02:11,280 --> 00:02:14,280
to another house because if they try to break into mine
52
00:02:14,280 --> 00:02:15,900
I can give that recording to the police
53
00:02:15,900 --> 00:02:18,750
to help identify them and they might get arrested.
54
00:02:18,750 --> 00:02:21,630
In this particular example, the video recording itself
55
00:02:21,630 --> 00:02:23,670
would be considered a detective control,
56
00:02:23,670 --> 00:02:26,010
because it would be used to identify the burglars,
57
00:02:26,010 --> 00:02:28,800
but the sign is actually a deterrent control
58
00:02:28,800 --> 00:02:31,680
by trying to scare them off in the first place.
59
00:02:31,680 --> 00:02:34,020
Fifth, we have directive controls.
60
00:02:34,020 --> 00:02:36,630
Now, directive controls are used to force compliance
61
00:02:36,630 --> 00:02:38,700
with the security policy and practices
62
00:02:38,700 --> 00:02:40,320
within the organization.
63
00:02:40,320 --> 00:02:42,090
The most common directive control
64
00:02:42,090 --> 00:02:45,330
is the acceptable use policy or AUP.
65
00:02:45,330 --> 00:02:47,430
This is gonna dictate what behaviors are
66
00:02:47,430 --> 00:02:50,460
and are not allowed on a company's network systems.
67
00:02:50,460 --> 00:02:52,920
Sixth, we have preventive controls.
68
00:02:52,920 --> 00:02:55,110
Now, preventive controls are those controls
69
00:02:55,110 --> 00:02:57,030
that seek to prevent or stop an attack
70
00:02:57,030 --> 00:02:59,220
from ever occurring in the first place.
71
00:02:59,220 --> 00:03:01,170
Examples of this include protections,
72
00:03:01,170 --> 00:03:03,870
like password protection, security badges,
73
00:03:03,870 --> 00:03:07,320
antivirus software, and intrusion prevention systems.
74
00:03:07,320 --> 00:03:10,290
Seventh, we have recovery control measures.
75
00:03:10,290 --> 00:03:12,690
Now, recovery control measures are gonna be used
76
00:03:12,690 --> 00:03:14,940
to recover devices after an attack.
77
00:03:14,940 --> 00:03:17,250
The best known examples of recovery controls
78
00:03:17,250 --> 00:03:19,860
are disaster recovery plans, backups,
79
00:03:19,860 --> 00:03:22,380
and continuity of operation plans.
80
00:03:22,380 --> 00:03:24,840
Now, when we develop security for our networks
81
00:03:24,840 --> 00:03:26,670
we often use the concept of defense
82
00:03:26,670 --> 00:03:28,980
in depth to layer various access controls
83
00:03:28,980 --> 00:03:31,680
on top of each other for additional security.
84
00:03:31,680 --> 00:03:33,330
This can be from the same category
85
00:03:33,330 --> 00:03:35,610
or from various categories.
86
00:03:35,610 --> 00:03:38,010
Now, in order to achieve the goals of defense in depth,
87
00:03:38,010 --> 00:03:41,250
we have to implement security through three broad categories
88
00:03:41,250 --> 00:03:42,750
of access controls.
89
00:03:42,750 --> 00:03:46,173
These are known as administrative, logical, and physical.
90
00:03:47,040 --> 00:03:48,660
The first type of access control
91
00:03:48,660 --> 00:03:50,790
is known as an administrative control.
92
00:03:50,790 --> 00:03:54,120
This is also sometimes called managerial controls.
93
00:03:54,120 --> 00:03:55,770
Now these are controls that are implemented
94
00:03:55,770 --> 00:03:57,810
to manage the organization's personnel
95
00:03:57,810 --> 00:04:01,080
and assets through security policies, standards,
96
00:04:01,080 --> 00:04:04,260
procedures, guidelines, and baselines.
97
00:04:04,260 --> 00:04:07,200
Examples of administrative or managerial controls
98
00:04:07,200 --> 00:04:09,870
include proper data classification and labeling,
99
00:04:09,870 --> 00:04:13,290
supervision of personnel and security awareness training.
100
00:04:13,290 --> 00:04:15,630
In fact, security awareness training is one
101
00:04:15,630 --> 00:04:17,760
of the most important administrative controls
102
00:04:17,760 --> 00:04:20,010
that any organization can implement.
103
00:04:20,010 --> 00:04:21,839
Studies have shown that many incidents
104
00:04:21,839 --> 00:04:24,690
could have been prevented with proper user training up front
105
00:04:24,690 --> 00:04:26,730
and it is one of the most cost effective ways
106
00:04:26,730 --> 00:04:28,680
to increase the organization's security
107
00:04:28,680 --> 00:04:31,170
and provides the best return on investment.
108
00:04:31,170 --> 00:04:33,240
The second type of access control we have
109
00:04:33,240 --> 00:04:35,310
is known as logical controls.
110
00:04:35,310 --> 00:04:37,950
These are also called technical controls.
111
00:04:37,950 --> 00:04:39,840
These controls are implemented through hardware
112
00:04:39,840 --> 00:04:41,760
or software and they're used to prevent
113
00:04:41,760 --> 00:04:44,280
or restrict access to a given system.
114
00:04:44,280 --> 00:04:47,280
For example, we have things like installing new devices
115
00:04:47,280 --> 00:04:49,950
like firewalls, intrusion detection systems,
116
00:04:49,950 --> 00:04:53,070
intrusion prevention systems, authentication schemes,
117
00:04:53,070 --> 00:04:57,210
encryption, new protocols, auditing or monitoring software,
118
00:04:57,210 --> 00:04:59,400
biometrics, and much more.
119
00:04:59,400 --> 00:05:02,670
Auditing and monitoring are both types of logical controls,
120
00:05:02,670 --> 00:05:05,130
but they vary slightly in their use.
121
00:05:05,130 --> 00:05:08,700
Auditing is a one time evaluation of a security posture,
122
00:05:08,700 --> 00:05:11,190
whereas monitoring is an ongoing process
123
00:05:11,190 --> 00:05:14,250
that continually evaluates a system or its users.
124
00:05:14,250 --> 00:05:16,320
For example, a penetration test
125
00:05:16,320 --> 00:05:18,060
is considered a type of audit,
126
00:05:18,060 --> 00:05:21,450
therefore, it is considered a logical control.
127
00:05:21,450 --> 00:05:23,340
All organizations should be aiming
128
00:05:23,340 --> 00:05:25,920
at continually improving themselves in order to become
129
00:05:25,920 --> 00:05:30,180
either more effective, more efficient, or preferably both.
130
00:05:30,180 --> 00:05:33,390
To do this though, the organization must monitor any changes
131
00:05:33,390 --> 00:05:35,550
to their networks in order to understand the risks
132
00:05:35,550 --> 00:05:37,740
associated with those changes.
133
00:05:37,740 --> 00:05:39,870
Often, this will fall under the category
134
00:05:39,870 --> 00:05:42,510
of change management where a baseline is created
135
00:05:42,510 --> 00:05:46,110
and all changes to that baseline are tracked and assessed.
136
00:05:46,110 --> 00:05:48,210
Before those changes are implemented though
137
00:05:48,210 --> 00:05:49,710
they should be analyzed for risk
138
00:05:49,710 --> 00:05:51,750
through the risk management program.
139
00:05:51,750 --> 00:05:54,060
To conduct efficient continuous monitoring,
140
00:05:54,060 --> 00:05:56,040
organizations need to automate the process
141
00:05:56,040 --> 00:05:58,020
as much as is practical.
142
00:05:58,020 --> 00:06:01,020
For example, the collection of logs from security systems,
143
00:06:01,020 --> 00:06:03,390
applications, and network suites should always
144
00:06:03,390 --> 00:06:06,390
be automatically collected, correlated and triaged
145
00:06:06,390 --> 00:06:08,250
by software before being displayed
146
00:06:08,250 --> 00:06:10,230
to a cyber security analyst.
147
00:06:10,230 --> 00:06:12,300
Continuous monitoring also includes overseeing
148
00:06:12,300 --> 00:06:13,830
the change management process,
149
00:06:13,830 --> 00:06:16,500
configuration management process, monitoring logs,
150
00:06:16,500 --> 00:06:19,080
and analyzing the status reporting that's being collected
151
00:06:19,080 --> 00:06:20,850
across the organization.
152
00:06:20,850 --> 00:06:23,280
This allows the security professionals to evaluate
153
00:06:23,280 --> 00:06:25,830
the effectiveness of their existing security controls
154
00:06:25,830 --> 00:06:27,930
and make recommendations for improved controls
155
00:06:27,930 --> 00:06:29,490
if they're warranted.
156
00:06:29,490 --> 00:06:31,200
Now, the third type of access control
157
00:06:31,200 --> 00:06:33,270
we have is physical controls.
158
00:06:33,270 --> 00:06:34,740
These are controls that are implemented
159
00:06:34,740 --> 00:06:36,600
to protect the organization's personnel
160
00:06:36,600 --> 00:06:38,160
and their facilities.
161
00:06:38,160 --> 00:06:41,790
Examples of physical controls include fences, locks,
162
00:06:41,790 --> 00:06:44,490
security badges, proximity cards for entry
163
00:06:44,490 --> 00:06:48,300
into the building, guards, access control vestibules,
164
00:06:48,300 --> 00:06:51,660
biometrics, and other means of securing the facility.
165
00:06:51,660 --> 00:06:55,020
So in summary, it's important to remember the seven
166
00:06:55,020 --> 00:06:57,510
different types of access control categories,
167
00:06:57,510 --> 00:07:00,660
which are compensative, corrective, detective,
168
00:07:00,660 --> 00:07:04,770
deterrent, directive, preventive and recovery.
169
00:07:04,770 --> 00:07:08,250
Also, you wanna remember the three types of access controls,
170
00:07:08,250 --> 00:07:11,580
which are administrative, logical, and physical.
171
00:07:11,580 --> 00:07:14,160
Some controls may work across multiple categories
172
00:07:14,160 --> 00:07:16,590
and types as well, and that's okay.
173
00:07:16,590 --> 00:07:18,690
When you're doing your planning, you should think
174
00:07:18,690 --> 00:07:20,670
through each of these categories to identify
175
00:07:20,670 --> 00:07:22,890
which type of controls you're gonna be focused on
176
00:07:22,890 --> 00:07:25,530
exploiting during your upcoming penetration test
177
00:07:25,530 --> 00:07:27,480
as you work with the client to determine what things
178
00:07:27,480 --> 00:07:30,123
will or will not be tested during your engagement.