Picture This: A visual guide to security controls
There is a new word du jour that you can’t help but stumble across as you study for a number of security-related exams (such as CompTIA’s Security+), and that word is “control.” In this article, we will first define it from the standpoint of the testing body, then walk through two analogies on controls: one exaggerated a bit, and the other something you are likely to encounter on a regular basis.
What are Controls?
One of the most generic terms in security is control. The word is used so many different ways that its meaning can become blurred. The best thing to do is to equate the word with whatever entity is charged with the task at the moment. That task can be preventing something from happening, logging when something does, responding to it, or any variety of other possibilities.
The National Institute of Standards and Technology (NIST) places controls into various types. Their control types fall into three categories: Management, Operational, and Technical, as defined in Special Publication 800-12. The following table lists the control types and the controls they are associated with per the NIST:
|Management||System and Services Acquisition|
|Management||Certification, Accreditation, and Security Assessment|
|Operational||Physical and Environmental Protection|
|Operational||System and Information Integrity|
|Operational||Awareness and Training|
|Technical||Identification and Authentication|
|Technical||Audit and Accountability|
|Technical||System and Communication Protection|
For the Security+ exam, CompTIA has expanded on the NIST foundation and categorized controls into six types as follows:
A deterrent control is anything intended to warn a would-be attacker that they should not attack. This could be a posted warning notice that they will be prosecuted to the fullest extent of the law, locks on doors, barricades, lighting, or anything can delay or discourage an attack.
As the name implies, the purpose of preventive controls is to stop something from happening. These can include locked doors that keep intruders out, user training on potential harm (to keep them vigilant and alert), or even biometric devices and guards that deny access until authentication has occurred
The purpose of a detective control is to uncover a violation. The only time that they would be relevant is when a preventive control has failed and they need to sound an alarm. A detective control can range from a checksum on a downloaded file, an alarm that sounds when a door has been pried open, or an anti-virus scanner that actively looks for problems. It could also be a sonic detector, motion sensor, or anything that would detect that an intrusion is underway.
Compensating controls are backup controls that come into play only when other controls have failed. An office building may have a complex electronic lock on the door (preventive control) and a sign that you will be arrested if you enter (deterrent control), but it is a safe bet they will also have an alarm that sounds (a compensating control) when the door is jimmied as well as a backup generator (another compensating control) to keep that electronic lock active when the power goes out.
Technical controls are those controls implemented through technology. They may be deterrent, preventive, detective, or compensating (but not administrative), and include such things as firewalls, IDS, IPS, and such.
An administrative control is one that comes down through policies, procedures, and guidelines. An example of an administrative control is the escalation procedure to be used in the event of a break-in; who is notified first, who is called second, and so on. Another example of an administrative control is the list of steps to be followed when a key employee is terminated: disable their account, change the server password, and so forth.
ANALOGY NUMBER ONE
To prepare for the certification exam, it often helps to use analogies to put topics in context. In light of that, consider a residential home I own in the middle of town. I grow prized tomato plants in the backyard, and it very important to me that no one goes back there for fear that they might do something — anything — to harm the tomatoes. Thus I implement the following controls:
Administrative — I establish a number of policies to keep the tomatoes safe:
- Preventive: I instruct every member of my family that they are not to go into the back yard, and they are not to let anyone else go back there either.
- Deterrent: I tell the kids that if I ever hear of any of them — or their friends — being the backyard, I will take away their allowance for month.
- Detective: As a matter of routine, I want each member of the family to look out the window on a regular basis to see whether anyone has wandered in to the yard.
- Compensating: Every member of the family is instructed on how to call the police the minute they see anyone in the yard.
Technical — Not trusting that the administrative controls will do the job without fail, I implement a number of technical controls:
- Preventive: I put up a fence around the yard, and the door that leads out from the garage is locked.
- Deterrent: Beware of Dog warning signs, even though I have no dog, are posted all over the fence.
- Detective: Sensors are placed on the gate to trigger an alarm if the gate is opened.
- Compensating: Triggered alarms turn on the backyard sprinklers at full volume to douse any intruder that wanders in.
These controls work in conjunction with one another to help keep individuals who should not be there out of the backyard and away from the tomatoes. Naturally, as the owner/administrator, I have the ability to override all of them as needed. I can ignore the warning signs, turn off the sprinklers, and get full access to the garden when I desire. The controls are not in place to hinder my access, but only to obstruct and prevent others from accessing the yard.
ANALOGY NUMBER TWO
For the second analogy, think of parking. Almost everywhere you go, parking spaces are a limited commodity. In some locations, such as college campuses, they are so scarce that they need to be rationed. If everyone were allowed to park where they wanted to, chaos would ensue. In order to establish order and try to use the limited spaces as efficiently as possible, controls are created and put in place.
Administrative controls are the policies that determine how the spaces will be allocated. Individuals wanting to park on campus are grouped together and segmented based on position, status, and so on. Each segment is issued a different color parking sticker and available spots are identified by that color as illustrated in Figure One.
Figure One: Administrative controls are the policies dictating who can park in this lot.
As a preventive control, every individual must register their vehicle at the safety office and pick up a flier that explains the color system and identifies where they are can and cannot park. As a deterrent control, signs such as that shown in Figure Two are plentifully posted in the lots as well.
Figure Two: Deterrent controls attempt to keep violators from parking in this lot.
It is a safe bet that someone will be running late to a meeting and see the first two signs, but choose to ignore them on the basis of not seeing any security around. Additional deterrent controls can be worded more to this sector as illustrated by the sign shown in Figure Three.
Figure Three: Additional deterrent controls attempt to speak to those who may ignore the first.
The administrative controls can only do so much to stop the problem. If the sense is that they are not enforced and/or that others are ignoring them then a problem can escalate quickly out of hand. To prevent that, technical controls must be put in place.
Compensating controls include actually patrolling the lot and writing tickets or having vehicles towed. You can also stop vehicles from entering a lot by going to something stronger than a color scheme and using technical controls, as illustrated by Figure Four. Other technical controls that can be used include posting guards at the entrance to each lot or installing cameras that regularly scan the lot.
Figure Four: This technical preventive control works better than the colored parking stickers.
To have a truly effective solution to the parking problem, it is necessary to have controls of every type in place. The policies (administrative) need to be logical and enforceable. Technology (technical) needs to help curtail the problem, and the punishments for violating (compensating) need to be feared.
Summing It Up
Whether controls are divided into three categories, six categories, or even more, they are the items put in place for working with threats and risks. Since that is the case, you should regularly audit them to make certain each is accomplishing what it was created to correct.