All language subtitles for 004 Controls (OBJ 1.2)

1 00:00:00,210 --> 00:00:01,770 Instructor: In order to protect our networks
2 00:00:01,770 --> 00:00:04,740 and information systems, we utilize various types
3 00:00:04,740 --> 00:00:06,510 of access controls.
4 00:00:06,510 --> 00:00:08,790 Now, access control measures are broken down
5 00:00:08,790 --> 00:00:12,960 into seven different categories, compensative, corrective,
6 00:00:12,960 --> 00:00:17,960 detective, deterrent, directive, preventive, and recovery.
7 00:00:18,000 --> 00:00:20,520 Now, let's discuss each of these categories briefly,
8 00:00:20,520 --> 00:00:22,530 because you're gonna be looking for ways to exploit
9 00:00:22,530 --> 00:00:26,010 all seven of these categories during your penetration test
10 00:00:26,010 --> 00:00:28,350 and then you're gonna be making recommendations
11 00:00:28,350 --> 00:00:30,660 from these seven categories to help remediate
12 00:00:30,660 --> 00:00:33,660 the vulnerabilities that you've found in your assessments.
13 00:00:33,660 --> 00:00:36,840 First, compensative access controls.
14 00:00:36,840 --> 00:00:38,880 Compensative access controls are used
15 00:00:38,880 --> 00:00:41,100 in place of primary access controls
16 00:00:41,100 --> 00:00:43,470 in order to mitigate a given risk.
17 00:00:43,470 --> 00:00:45,480 These controls can be deployed to enforce
18 00:00:45,480 --> 00:00:47,580 and support a security policy.
19 00:00:47,580 --> 00:00:50,820 For example, we might require that two system administrators
20 00:00:50,820 --> 00:00:53,400 perform a certain action, like downloading a copy
21 00:00:53,400 --> 00:00:55,320 of the database to an external device
22 00:00:55,320 --> 00:00:58,260 in order to minimize the risk of a trusted insider
23 00:00:58,260 --> 00:01:00,000 stealing that information.
24 00:01:00,000 --> 00:01:03,210 This mitigation is based on the policy of dual control,
25 00:01:03,210 --> 00:01:05,069 which might be considered an administrative
26 00:01:05,069 --> 00:01:07,110 or managerial control.
27 00:01:07,110 --> 00:01:09,960 Second, corrective access controls.
28 00:01:09,960 --> 00:01:12,660 Corrective access controls are used to reduce the effect
29 00:01:12,660 --> 00:01:15,090 of an undesirable event or attack.
30 00:01:15,090 --> 00:01:17,190 Examples of corrective access controls
31 00:01:17,190 --> 00:01:19,920 include fire extinguishers, antivirus solutions,
32 00:01:19,920 --> 00:01:21,450 and similar measures.
33 00:01:21,450 --> 00:01:24,210 If a fire broke out, then we could correct that issue
34 00:01:24,210 --> 00:01:26,940 by using fire extinguishers, for example.
35 00:01:26,940 --> 00:01:29,190 Third, we have detective measures.
36 00:01:29,190 --> 00:01:31,800 Now, detective measures are used to detect an attack
37 00:01:31,800 --> 00:01:35,310 while it's occurring and notify the proper personnel.
38 00:01:35,310 --> 00:01:37,620 This type of control includes alarm systems,
39 00:01:37,620 --> 00:01:40,110 closed circuit television systems, honeypots,
40 00:01:40,110 --> 00:01:42,090 and other such controls.
41 00:01:42,090 --> 00:01:44,550 Fourth, we have deterrent controls.
42 00:01:44,550 --> 00:01:47,490 Deterrent controls are used to discourage any violation
43 00:01:47,490 --> 00:01:51,750 of the security policies, both to attackers and insiders.
44 00:01:51,750 --> 00:01:54,780 Deterrent controls can go further than detective controls,
45 00:01:54,780 --> 00:01:56,850 because not only do they detect the event
46 00:01:56,850 --> 00:02:00,210 but they also ensure consequences for those actions.
47 00:02:00,210 --> 00:02:03,180 For example, if I posted a sign outside of my house
48 00:02:03,180 --> 00:02:06,630 that says this house has a video camera to record intrusions
49 00:02:06,630 --> 00:02:08,669 this would be a deterrent control.
50 00:02:08,669 --> 00:02:11,280 I'm trying to tell potential burglars that they should go
51 00:02:11,280 --> 00:02:14,280 to another house because if they try to break into mine
52 00:02:14,280 --> 00:02:15,900 I can give that recording to the police
53 00:02:15,900 --> 00:02:18,750 to help identify them and they might get arrested.
54 00:02:18,750 --> 00:02:21,630 In this particular example, the video recording itself
55 00:02:21,630 --> 00:02:23,670 would be considered a detective control,
56 00:02:23,670 --> 00:02:26,010 because it would be used to identify the burglars,
57 00:02:26,010 --> 00:02:28,800 but the sign is actually a deterrent control
58 00:02:28,800 --> 00:02:31,680 by trying to scare them off in the first place.
59 00:02:31,680 --> 00:02:34,020 Fifth, we have directive controls.
60 00:02:34,020 --> 00:02:36,630 Now, directive controls are used to force compliance
61 00:02:36,630 --> 00:02:38,700 with the security policy and practices
62 00:02:38,700 --> 00:02:40,320 within the organization.
63 00:02:40,320 --> 00:02:42,090 The most common directive control
64 00:02:42,090 --> 00:02:45,330 is the acceptable use policy or AUP.
65 00:02:45,330 --> 00:02:47,430 This is gonna dictate what behaviors are
66 00:02:47,430 --> 00:02:50,460 and are not allowed on a company's network systems.
67 00:02:50,460 --> 00:02:52,920 Sixth, we have preventive controls.
68 00:02:52,920 --> 00:02:55,110 Now, preventive controls are those controls
69 00:02:55,110 --> 00:02:57,030 that seek to prevent or stop an attack
70 00:02:57,030 --> 00:02:59,220 from ever occurring in the first place.
71 00:02:59,220 --> 00:03:01,170 Examples of this include protections,
72 00:03:01,170 --> 00:03:03,870 like password protection, security badges,
73 00:03:03,870 --> 00:03:07,320 antivirus software, and intrusion prevention systems.
74 00:03:07,320 --> 00:03:10,290 Seventh, we have recovery control measures.
75 00:03:10,290 --> 00:03:12,690 Now, recovery control measures are gonna be used
76 00:03:12,690 --> 00:03:14,940 to recover device after an attack.
77 00:03:14,940 --> 00:03:17,250 The best known examples of recovery controls
78 00:03:17,250 --> 00:03:19,860 are disaster recovery plans, backups,
79 00:03:19,860 --> 00:03:22,380 and continuity of operation plans.
80 00:03:22,380 --> 00:03:24,840 Now, when we develop security for our networks
81 00:03:24,840 --> 00:03:26,670 we often use the concept of defense
82 00:03:26,670 --> 00:03:28,980 in depth to layer various access controls
83 00:03:28,980 --> 00:03:31,680 on top of each other for additional security.
84 00:03:31,680 --> 00:03:33,330 This can be from the same category
85 00:03:33,330 --> 00:03:35,610 or from various categories.
86 00:03:35,610 --> 00:03:38,010 Now, in order to achieve the goals of defense in depth,
87 00:03:38,010 --> 00:03:41,250 we have to implement security through three broad categories
88 00:03:41,250 --> 00:03:42,750 of access controls.
89 00:03:42,750 --> 00:03:46,173 These are known as administrative, logical, and physical.
90 00:03:47,040 --> 00:03:48,660 The first type of access control
91 00:03:48,660 --> 00:03:50,790 is known as an administrative control.
92 00:03:50,790 --> 00:03:54,120 This is also sometimes called managerial controls.
93 00:03:54,120 --> 00:03:55,770 Now these are controls that are implemented
94 00:03:55,770 --> 00:03:57,810 to manage the organization's personnel
95 00:03:57,810 --> 00:04:01,080 and assets through security policies, standards,
96 00:04:01,080 --> 00:04:04,260 procedures, guidelines, and baselines.
97 00:04:04,260 --> 00:04:07,200 Examples of administrative or managerial controls,
98 00:04:07,200 --> 00:04:09,870 include proper data classification and labeling,
99 00:04:09,870 --> 00:04:13,290 supervision of personnel and security awareness training.
100 00:04:13,290 --> 00:04:15,630 In fact, security awareness training is one
101 00:04:15,630 --> 00:04:17,760 of the most important administrative controls
102 00:04:17,760 --> 00:04:20,010 that any organization can implement.
103 00:04:20,010 --> 00:04:21,839 Studies have shown that many incidents
104 00:04:21,839 --> 00:04:24,690 could have been prevented with proper user training up front
105 00:04:24,690 --> 00:04:26,730 and it is one of the most cost effective ways
106 00:04:26,730 --> 00:04:28,680 to increase the organization's security
107 00:04:28,680 --> 00:04:31,170 and provides the best return on investment.
108 00:04:31,170 --> 00:04:33,240 The second type of access control we have
109 00:04:33,240 --> 00:04:35,310 is known as logical controls.
110 00:04:35,310 --> 00:04:37,950 These are also called technical controls.
111 00:04:37,950 --> 00:04:39,840 These controls are implemented through hardware
112 00:04:39,840 --> 00:04:41,760 or software and they're used to prevent
113 00:04:41,760 --> 00:04:44,280 or restrict access to a given system.
114 00:04:44,280 --> 00:04:47,280 For example, we have things like installing new devices
115 00:04:47,280 --> 00:04:49,950 like firewalls, intrusion detection systems,
116 00:04:49,950 --> 00:04:53,070 intrusion prevention systems, authentication schemes,
117 00:04:53,070 --> 00:04:57,210 encryption, new protocols, auditing or monitoring software,
118 00:04:57,210 --> 00:04:59,400 biometrics, and much more.
119 00:04:59,400 --> 00:05:02,670 Auditing and monitoring are both types of logical controls,
120 00:05:02,670 --> 00:05:05,130 but they vary slightly in their use.
121 00:05:05,130 --> 00:05:08,700 Auditing is a one time evaluation of a security posture,
122 00:05:08,700 --> 00:05:11,190 whereas monitoring is an ongoing process
123 00:05:11,190 --> 00:05:14,250 that continually evaluates a system or its users.
124 00:05:14,250 --> 00:05:16,320 For example, a penetration test
125 00:05:16,320 --> 00:05:18,060 is considered a type of audit,
126 00:05:18,060 --> 00:05:21,450 therefore, it is considered a logical control.
127 00:05:21,450 --> 00:05:23,340 All organizations should be aiming
128 00:05:23,340 --> 00:05:25,920 at continually improving themselves in order to become
129 00:05:25,920 --> 00:05:30,180 either more effective, more efficient, or preferably both.
130 00:05:30,180 --> 00:05:33,390 To do this though, the organization must monitor any changes
131 00:05:33,390 --> 00:05:35,550 to their networks in order to understand the risks
132 00:05:35,550 --> 00:05:37,740 associated with those changes.
133 00:05:37,740 --> 00:05:39,870 Often, this will fall under the category
134 00:05:39,870 --> 00:05:42,510 of change management where a baseline is created
135 00:05:42,510 --> 00:05:46,110 and all changes to that baseline are tracked and assessed.
136 00:05:46,110 --> 00:05:48,210 Before those changes are implemented though
137 00:05:48,210 --> 00:05:49,710 they should be analyzed for risk
138 00:05:49,710 --> 00:05:51,750 through the risk management program.
139 00:05:51,750 --> 00:05:54,060 To conduct efficient continuous monitoring,
140 00:05:54,060 --> 00:05:56,040 organizations need to automate the process
141 00:05:56,040 --> 00:05:58,020 as much as is practical.
142 00:05:58,020 --> 00:06:01,020 For example, the collection of logs from security systems,
143 00:06:01,020 --> 00:06:03,390 applications, and network suites should always
144 00:06:03,390 --> 00:06:06,390 be automatically collected, correlated and triaged
145 00:06:06,390 --> 00:06:08,250 by software before being displayed
146 00:06:08,250 --> 00:06:10,230 to a cyber security analyst.
147 00:06:10,230 --> 00:06:12,300 Continuous monitoring also includes overseeing
148 00:06:12,300 --> 00:06:13,830 the change management process,
149 00:06:13,830 --> 00:06:16,500 configuration management process, monitoring logs,
150 00:06:16,500 --> 00:06:19,080 and analyzing the status reporting that's being collected
151 00:06:19,080 --> 00:06:20,850 across the organization.
152 00:06:20,850 --> 00:06:23,280 This allows the security professionals to evaluate
153 00:06:23,280 --> 00:06:25,830 the effectiveness of their existing security controls
154 00:06:25,830 --> 00:06:27,930 and make recommendations for improved controls
155 00:06:27,930 --> 00:06:29,490 if they're warranted.
156 00:06:29,490 --> 00:06:31,200 Now, the third type of access control
157 00:06:31,200 --> 00:06:33,270 we have is physical controls.
158 00:06:33,270 --> 00:06:34,740 These are controls that are implemented
159 00:06:34,740 --> 00:06:36,600 to protect the organization's personnel
160 00:06:36,600 --> 00:06:38,160 and their facilities.
161 00:06:38,160 --> 00:06:41,790 Examples of physical controls include fences, locks,
162 00:06:41,790 --> 00:06:44,490 security badges, proximity cards for entry
163 00:06:44,490 --> 00:06:48,300 into the building, guards, access control vestibules,
164 00:06:48,300 --> 00:06:51,660 biometrics, and other means of securing the facility.
165 00:06:51,660 --> 00:06:55,020 So in summary, it's important to remember the seven
166 00:06:55,020 --> 00:06:57,510 different types of access control categories,
167 00:06:57,510 --> 00:07:00,660 which are compensative, corrective, detective,
168 00:07:00,660 --> 00:07:04,770 deterrent, directive, preventive and recovery.
169 00:07:04,770 --> 00:07:08,250 Also, you wanna remember the three types of access controls,
170 00:07:08,250 --> 00:07:11,580 which are administrative, logical, and physical.
171 00:07:11,580 --> 00:07:14,160 Some controls may work across multiple categories
172 00:07:14,160 --> 00:07:16,590 and types as well, and that's okay.
173 00:07:16,590 --> 00:07:18,690 When you're doing your planning, you should think
174 00:07:18,690 --> 00:07:20,670 through each of these categories to identify
175 00:07:20,670 --> 00:07:22,890 which type of controls you're gonna be focused on
176 00:07:22,890 --> 00:07:25,530 exploiting during your upcoming penetration test
177 00:07:25,530 --> 00:07:27,480 as you work with the client to determine what things
178 00:07:27,480 --> 00:07:30,123 will or will not be tested during your engagement.
