James E. Purcell
Technical security controls (also called logical controls) are devices, processes, protocols, and other measures used to protect the confidentiality, integrity, and availability (C.I.A.) of sensitive information. Examples include logical access systems, encryption systems, antivirus systems, firewalls, and intrusion detection systems. Physical security controls are devices and means that control physical access to sensitive information and protect the availability of the information. Examples are physical access systems (fences, mantraps, guards), physical intrusion detection systems (motion detectors, alarm systems), and physical protection systems (sprinklers, backup generators). Administrative and technical controls depend on proper physical security controls being in place: an administrative policy allowing only authorized employees access to the data center does little good without some kind of physical access control.
Notice in the preceding examples that preventive controls crossed the administrative, technical, and physical categories discussed previously. The same is true for any of the controls discussed in this section. Detective security controls are like a burglar alarm: they detect and report an unauthorized or undesired event (or an attempted one). Detective controls are invoked after the undesirable event has occurred. Example detective security controls are log monitoring and review, system audits, file integrity checkers, and motion detection. Corrective security controls are used to respond to and fix a security incident; they also limit or reduce further damage from an attack. Examples include a procedure to clean a virus from an infected system, a guard checking and locking a door left unlocked by a careless employee, and updating firewall rules to block an attacking IP address.
Note that in many cases the corrective security control is triggered by a detective security control. Recovery security controls are those controls that put a system back into production after an incident. Most Disaster Recovery activities fall into this category. For example, after a disk failure, data is restored from a backup tape.
NIST SP 800-53 control families (fragment of a table; the rows preceding Incident Response are not on this page): Incident Response; Maintenance; Media Protection; Personnel Security; Physical and Environmental Protection; System and Information Integrity. Technical class: Access Control; Audit and Accountability; Identification and Authentication; System and Communications Protection.
Control Transparency

Transparency is an important characteristic of security controls. A transparent security control is one that does not require the user to perform extra steps and does not get in the way of user productivity. A good transparent security control also gives the user no information about how it works, which makes it harder for the user to circumvent it. Transparency is a goal of security controls but is hard to accomplish in practice.
Operational Security
In this section, common operational security controls are described and categorized within the security control taxonomies previously described. The goal of operational security is resource protection. Information system resources include the system's hardware, software (operating system, applications, utilities), network components, databases, and people.
Privileged-Entity Controls
A privileged entity is a person or process with elevated systems access. The best example is a system administrator (person) or kernel-level program (process). Because they have special system privileges, these people and processes can do more damage if a deliberate or accidental security incident occurs. Some example privileged-entity security controls are policies and procedures (preventive/administrative) that describe what actions privileged entities can do, and audit logs and monitoring processes (detective/technical) to check their actions.
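The detective/technical side of privileged-entity control is only useful if someone (or something) actually reviews the audit trail. The following is an added example, not part of Purcell's text: it reads sudo's standard syslog lines and flags privileged commands that fall outside a per-account allowlist, accounts that are not expected to have privilege at all, and repeated authentication failures. The log lines, account names and allowlist are constructed for the demonstration and stand in for a real policy.

```python
"""Detective/technical control for privileged entities: review sudo audit
log lines against an allowlist of commands each admin account may run.

Added example, not from the original text. SAMPLE_LOG, the account names
and ALLOWLIST are constructed assumptions for the demonstration."""
import re
from dataclasses import dataclass

# sudo's default syslog format for an accepted command:
#   "<user> : TTY=<tty> ; PWD=<cwd> ; USER=<target> ; COMMAND=<argv>"
# (a PWD containing " ; " would break this simple split; real deployments
# should prefer sudo's structured I/O logging or journald fields)
SUDO_CMD = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;\s+"
    r"USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<command>.+)$"
)
# sudo's message when the password is entered wrongly several times
SUDO_FAIL = re.compile(r"sudo:\s+(?P<user>\S+)\s+:\s+(?P<n>\d+) incorrect password attempts?")

# Assumed policy: argv[0] paths each privileged account is permitted to run as root.
ALLOWLIST = {
    "alice": {"/usr/bin/systemctl", "/usr/bin/journalctl"},
    "bob": {"/usr/sbin/service"},
}

# Constructed sudo log excerpt (not real data).
SAMPLE_LOG = [
    "Mar  3 10:01:12 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar  3 10:02:40 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Mar  3 10:03:05 web01 sudo:    carol : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
    "Mar  3 10:04:30 web01 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/visudo",
    "Mar  3 10:05:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/journalctl -u nginx",
]


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str
    detail: str


def review_sudo_log(lines, allowlist=ALLOWLIST):
    """Return one Finding per log line that violates the assumed policy."""
    findings = []
    for n, line in enumerate(lines, 1):
        cmd = SUDO_CMD.search(line)
        if cmd:
            user, command = cmd["user"], cmd["command"].strip()
            binary = command.split()[0]
            if user not in allowlist:
                findings.append(Finding(n, user, "unknown privileged user", command))
            elif binary not in allowlist[user]:
                # catches interactive root shells (/bin/bash) as well as
                # reading files outside the account's remit
                findings.append(Finding(n, user, "command outside allowlist", command))
            continue
        fail = SUDO_FAIL.search(line)
        if fail:
            findings.append(Finding(n, fail["user"], "repeated authentication failures",
                                    f"{fail['n']} failures"))
    return findings


if __name__ == "__main__":
    for f in review_sudo_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user}: {f.reason} ({f.detail})")
```

Lines 1 and 5 are alice running exactly what her role permits and produce no finding; the reviewer's attention goes to bob's root shell, carol's unexpected privileged access, and bob's failed attempts at visudo. Whether the finding triggers a corrective action (revoking sudo rights, rotating a credential) is the procedure that sits on top of this detective control.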
Hardware Controls
Hardware security controls keep unauthorized hardware out of the environment and control access to and modification of authorized hardware. Examples are server rack locks (preventive/physical), configuration management (preventive/administrative), and rogue wireless access point monitoring (detective/technical). Administrative controls describing when, and by whom, hardware maintenance may be performed are another hardware security control.
Software Controls
Software security controls are a broad category because software is at the heart of all information systems. Software includes the operating system, application programs, database management systems, and network software. Software security controls are implemented to keep unauthorized software out and to control the installation and modification of authorized software. Antivirus systems are an example of a preventive technical control that prevents the installation of malicious code onto a system. A policy requiring a software change control process is a preventive administrative control. File integrity checking systems are detective technical controls that detect unauthorized changes to system files. Backup and restore software and processes are recovery controls (the backup process is administrative; the backup system hardware and software are technical).
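File integrity checkers appear twice above, as the canonical detective control and as the detective technical control for software. The following added example (not code from the original text) shows the minimum such a checker must do: baseline content hashes of a tree, report files added, removed or modified since the baseline, and protect the stored baseline itself with an HMAC so an intruder cannot hide a change by editing the baseline. The directory layout, the "attacker" edits and the HMAC key are constructed for the demonstration; in practice the baseline and key live off the monitored host.

```python
"""File integrity checker: a detective/technical control that reports
unauthorized changes to files under a monitored directory.

Added example, not from the original text. The directory contents, the
intruder's edits and the HMAC key in demo() are constructed assumptions."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path -> digest).
    Content hashes are used rather than size or mtime: an attacker can keep
    the size equal and reset mtime with touch/utime, but not forge SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def seal_baseline(baseline: dict, key: bytes) -> dict:
    """Serialize the baseline and attach an HMAC. The baseline is the first
    thing an intruder with root will edit; the key must be held off-host."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"baseline": body, "hmac": tag}


def load_sealed(sealed: dict, key: bytes) -> dict:
    """Verify the HMAC before trusting the stored baseline."""
    body = sealed["baseline"]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("baseline HMAC mismatch: stored baseline was altered")
    return json.loads(body)


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree against the baseline."""
    current = build_baseline(root)
    common = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if current[p] != baseline[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then alter it the way an
    intruder might (weaken a config, drop a binary, delete a log)."""
    key = b"example-key-held-off-host"  # assumption: key stored away from the host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("MaxAuthTries 3\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original")
        (root / "etc" / "audit.log").write_text("clean\n")
        sealed = seal_baseline(build_baseline(root), key)

        # Intruder activity: same-length config edit with mtime restored
        # (defeats size/mtime checks, not hashes), a rogue binary, a deleted log.
        cfg = root / "etc" / "sshd_config"
        st = cfg.stat()
        cfg.write_text("MaxAuthTries 9\n")
        os.utime(cfg, ns=(st.st_atime_ns, st.st_mtime_ns))
        (root / "bin" / "nc").write_bytes(b"\x7fELF rogue")
        (root / "etc" / "audit.log").unlink()

        return check_integrity(root, load_sealed(sealed, key))


def tamper_demo() -> bool:
    """Editing the stored baseline to hide a change is itself detected."""
    key = b"k"
    sealed = seal_baseline({"etc/passwd": "00" * 32}, key)
    forged = dict(sealed, baseline=json.dumps({"etc/passwd": "ff" * 32}))
    try:
        load_sealed(forged, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("baseline tampering detected:", tamper_demo())
```

The checker is purely detective: it tells you that etc/sshd_config changed and that bin/nc appeared, not who did it or what to do. Restoring the files from a known-good backup is the recovery control that follows, and the reason the baseline's HMAC key, like the backups, has to live somewhere the compromised host cannot reach.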
Media Controls
At first glance, media controls sound identical to input and output controls. The difference is that media controls are concerned with protecting sensitive information while it is stored outside the information system. For the CISSP exam, unless otherwise stated in the question, media is generally taken to mean tapes. Other types of media are floppy disks, CDs, WORM media, DVDs, USB devices, and any other removable media. Examples of media security controls are logging (or cataloging) all media, controlling access to media by locking it up and logging its use, and controlling the reuse and destruction of media. Media protection is the job of the Media Librarian (or Tape Librarian).
Summary
Hundreds of security controls are available to help secure sensitive information, and they can be categorized several ways. The challenge for the CISSP student is to correctly match a security control to the appropriate control category. This can be difficult because, depending on the context, one security control can fall into multiple categories. For instance, a security guard is a preventive control if the attacker is scared away by the guard's presence. The guard is a detective control if the guard sees the attacker on a CCTV system and raises an alarm. If the guard catches the attacker in the act and recovers the information, the guard is a corrective control. The trick to getting these questions right is to examine the context of the question carefully: what action (verb) is the control performing? For example, what is the difference between a preventive control and a deterrent control? Think about a fence. A 4-foot fence deters; a 12-foot fence topped with barbed wire prevents. Again, think of the context of the question and pick the best answer that fits that context. For building and operating an organizational security program, it is recommended that the NIST security control taxonomy be adopted. It is less ambiguous about classifying security controls and therefore communicates better to everyone involved in planning and implementing security for an information system.