Security Control Types and Operational Security

James E. Purcell

Security Control Types and Operational Security Introduction

The purpose of this paper is to help the CISSP student understand the various security control type taxonomies and see how security controls are applied in securing information systems operations. Security controls are measures taken to safeguard an information system from attacks against the confidentiality, integrity, and availability (C.I.A.) of the information system. Note that the terms safeguard and countermeasure are sometimes used as synonyms for security control. Security controls are selected and applied based on a risk assessment of the information system. The risk assessment process identifies system threats and vulnerabilities, and then security controls are selected to reduce (mitigate) the risk.

Security Control Types

Security controls are categorized in two ways. The first way is to put the security control into administrative, technical (also called logical), or physical control categories. In this taxonomy, the control category is based on what the control is (noun) (that is, administrative policy, technical firewall, physical fence). The second way to categorize security controls is taxonomy based on what the control does (verb) (that is, direct, prevent, correct). The common categories for this taxonomy are directive, preventive, detective, corrective, and recovery security controls. Most CISSP exam questions will be based on these two taxonomies.

Administrative, Technical, and Physical Security Controls

Administrative security controls are primarily policies and procedures put into place to define and guide employee actions in dealing with the organizations sensitive information. For example, policy might dictate (and procedures indicate how) that human resources conduct background checks on employees with access to sensitive information. Requiring that information be classified and the process to classify and review information classifications is another example of an administrative control. The organization security awareness program is an administrative control used to make employees cognizant of their security roles and responsibilities. Note that administrative security controls in the form of a policy can be enforced or verified with technical or physical security controls. For instance, security policy may state that computers without antivirus software cannot connect to the network, but a technical control, such as network access control software, will check for antivirus software when a computer tries to attach to the network.

Technical security controls (also called logical controls) are devices, processes, protocols, and other measures used to protect the C.I.A. of sensitive information. Examples include logical access systems, encryptions systems, antivirus systems, firewalls, and intrusion detection systems. Physical security controls are devices and means to control physical access to sensitive information and to protect the availability of the information. Examples are physical access systems (fences, mantraps, guards), physical intrusion detection systems (motion detector, alarm system), and physical protection systems (sprinklers, backup generator). Administrative and technical controls depend on proper physical security controls being in place. An administrative policy allowing only authorized employees access to the data center do little good without some kind of physical access control.

Preventive, Detective, Corrective, and Recovery Security Controls

Preventive security controls are put into place to prevent intentional or unintentional disclosure, alteration, or destruction (D.A.D.) of sensitive information. Some example preventive controls follow: Policy Unauthorized network connections are prohibited. Firewall Blocks unauthorized network connections. Locked wiring closet Prevents unauthorized equipment from being physically plugged into a network switch.

Notice in the preceding examples that preventive controls crossed administrative, technical, and physical categories discussed previously. The same is true for any of the controls discussed in this section. Detective security controls are like a burglar alarm. They detect and report an unauthorized or undesired event (or an attempted undesired event). Detective security controls are invoked after the undesirable event has occurred. Example detective security controls are log monitoring and review, system audit, file integrity checkers, and motion detection. Corrective security controls are used to respond to and fix a security incident. Corrective security controls also limit or reduce further damage from an attack. Examples follow: Procedure to clean a virus from an infected system A guard checking and locking a door left unlocked by a careless employee Updating firewall rules to block an attacking IP address

Note that in many cases the corrective security control is triggered by a detective security control. Recovery security controls are those controls that put a system back into production after an incident. Most Disaster Recovery activities fall into this category. For example, after a disk failure, data is restored from a backup tape.

Other Security Control Types

Directive security controls are the equivalent of administrative controls. Directive controls direct that some action be taken to protect sensitive organizational information. The directive can be in the form of a policy, procedure, or guideline. Deterrent security controls are controls that discourage security violations. For instance, Unauthorized Access Prohibited signage may deter a trespasser from entering an area. The presence of security cameras might deter an employee from stealing equipment. A policy that states access to servers is monitored could deter unauthorized access. Compensating security controls are controls that provide an alternative to normal controls that cannot be used for some reason. For instance, a certain server cannot have antivirus software installed because it interferes with a critical application. A compensating control would be to increase monitoring of that server or isolate that server on its own network segment. Note that there is a third popular taxonomy developed by NIST and described in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. NIST categorizes security controls into 3 classes and then further categorizes the controls within the classes into 17 families (Table 1). Within each security control family are dozens of specific controls. The NIST taxonomy is not covered on the CISSP exam but is one the CISSP should be aware of. Table 1. NIST Security Control Classes and Families
CLASS Management FAMILY Certification, Accreditation, and Security Assessments Planning Risk Assessment System and Services Acquisition Operational Awareness and Training Configuration Management Contingency Planning

Incident Response Maintenance Media Protection Personnel Security Physical and Environmental Protection System and Information Integrity Technical Access Control Audit and Accountability Identification and Authentication System and Communications Protection

Control Transparency is an important characteristic of security controls. A transparent security control is one that does not require the user to perform extra steps or get in the way of user productivity. A good transparent security control also does not give the user any information about how it works. This helps prevent the user from circumventing the security controls. Transparency is a goal of security controls but is hard to accomplish in real life.

Operational Security
In this section, common operational security controls are described and categorized within the security control taxonomies previously described. The goal of operational security is resource protection. Information system resources include the systems hardware, software (OS, applications, utilities), network components, databases, and people.

Privileged-Entity Controls
A privileged entity is a person or process with elevated systems access. The best example is a system administrator (person) or kernel-level program (process). Because they have special system privileges, these people and processes can do more damage if a deliberate or accidental security incident occurs. Some example privileged-entity security controls are policies and procedures (preventive/administrative) that describe what actions privileged entities can do, and audit logs and monitoring processes (detective/technical) to check their actions.

Hardware Controls
Hardware security controls keep unauthorized hardware out of the environment and control access and modification to authorized hardware. Examples are server rack locks (preventive/physical), configuration management (preventive/administrative), and rouge wireless access point monitoring (detective/technical). Administrative controls describing when and who can perform hardware maintenance is another hardware security control.

Software Controls
Software security controls is a broad category because software is at the heart of all information systems. Software includes the system operating system, applications programs, database management system, and network software. Software security controls are implemented to keep unauthorized software out and to control the installation and modification of authorized software. Antivirus systems are an example of a preventive technical control to prevent the installation of malicious code on to a system. A policy requiring a software

change control process is a preventive administrative control. File integrity checking systems are detective technical controls that detect unauthorized changes to system files. Backup and Restore software and processes are recovery controls. (Backup process is administrative; backup system hardware and software is technical).

Input, Processing, Output Controls

All information systems take some input and process it to produce output. Security controls are put into place to ensure that as data moves through the system it is processed correctly according to the rules of the system. An example of input security controls is to have a policy to allow only authorized users to input data. Another input security control is to have the system validate all input. For example, if a name is put into the system, it should not contain special characters, or if a month number is entered, it should be between 1 and 12 (bounds checking). Processing controls ensure that transactions are completed correctly. If processing is interrupted, processing controls ensure the system recovers and transactions are not left hanging. Output security controls guard who has access to the output and also guards the integrity of the output. An example output control is to allow printing only to certain printers in secure locations. Marking and numbering output copies is another control used to track and control distribution of sensitive output.

Media Controls
At first glance, media controls sound identical to input and output controls. But the difference is that media controls are concerned with protecting sensitive information while it is stored outside the information system. For the CISSP exam, unless otherwise stated in the question, media is generally considered to be tapes. Other types of media are floppy, CD, WORM, DVD, USB device, or any other removable media. Examples of media security controls are to log (or catalog) all media, control access to media by locking it up and logging use, and to control reuse and destruction of media. Media protection is the job of the Media Librarian (or Tape Librarian).

Summary
Hundreds of security controls are available to help secure sensitive information. You can categorize these security controls several ways. The challenge for the CISSP student is to correctly match the security controls to the appropriate control category. This can be difficult because depending on the context, one security control can fall into multiple control categories. For instance, a security

guard can be a preventive control if the attacker is scared away by the guards presence. The guard could also be a detective control if the guard sees the attacker on a CCTV system and raises an alarm. If the guard catches the attacker in the act and recovers the information, the guard is a corrective control. The trick to getting these questions right is to carefully examine the context of the question. What action (verb) is the control doing? For example, what is the difference between a preventive control and a deterrent control? Think about a fence. A 4-foot fence deters; a 12-foot fence with barb-wire prevents. Again, think of the context of the question, and pick the best answer that fits that context. It is recommended that for building and operating an organizational security program that the NIST security control taxonomy be adopted. It is less ambiguous about classifying security controls and, therefore, communicates better to all concerned in planning and implementing security for an information system.