I.T. security professionals spend most of their time designing, executing, and managing security controls. Security controls are the procedures and mechanisms that an organization puts in place to address security risks. A security control can also be defined as an action or mechanism that we apply to our I.T. infrastructure either to protect our systems or to help remediate problems once a security breach has already occurred.
Security controls are really what separate an I.T. security person from a regular I.T. person. The true distinction between an I.T. security person and a regular I.T. technician is that the security person understands security controls, can apply them, and can then monitor those controls and adjust them based on the needs of the infrastructure.
Types of Security Controls
- Administrative Controls. These are also known as management controls. These controls govern the actions people take that affect I.T. security. Examples of administrative controls include laws, policies, guidelines and best practices, background checks, and employee training.
- Technical Controls. These are controls that I.T. systems themselves enforce. These are things like firewalls, password links, authentication and encryption.
- Physical Controls. Physical controls address the actions real-world threat actors can take against I.T. assets. Here, we look at things like gates, guards, keys, and mantraps.
When talking about security controls, we are talking about a threat actor or malicious user doing something to us that can be catastrophic to an organization. If we take time to think deeply about security controls, we can develop controls that prevent such actors from even trying, prevent them from succeeding in what they are doing, recognize that they are doing something and warn us about it, and controls that allow us to recover from breaches if the actors are successful. These are what we call the categories of security controls.
Categories of I.T Security Controls
I.T. security professionals use two different categorization schemes to group similar security controls. The first categorization approach organizes security controls by their purpose as deterrent, detective, preventive and corrective controls.
(a) Deterrent Controls
These deter the actor from attempting the threat at all. Deterrent controls are designed to discourage an attacker from attempting to breach security in the first place. Putting razor wire and electricity on the fences around a facility is an example of a deterrent control. If an intruder tries to break through, an electric fence will surely give them momentary pause for reflection (if they remain conscious, anyway).
(b) Preventive Controls
These controls aim to stop the actor from carrying out the threat. Preventive controls endeavor to stop an attack that is already underway. An example would be placing a lock on a sensitive facility that houses your backups or critical servers to prevent an intruder from gaining access; the same applies when using an intrusion prevention system on a network. This stops attackers from doing whatever they were going to do.
(c) Detective Controls
Detective controls are designed to recognize an attack in progress and alert I.T. security personnel to its presence. Intrusion detection systems are a good example of detective controls. Other detective controls include burglar alarms (a physical control) and network intrusion detection systems (a technical control). Think of a loud car alarm: once it goes off, the thief going after a side mirror or headlight will usually abandon the attempt.
(d) Corrective Controls
A corrective control mitigates the impact of a threat that has already materialized. In other words, we have had an incident; what are we going to do about it? Corrective controls are designed to help an organization recover after a successful attack or another incident such as a natural disaster or fire. Backups are a great example of a corrective control, as they allow administrators to recover damaged systems.
(e) Compensating Controls
A compensating control provides an alternative or temporary substitute for any of the above functions when we cannot implement them the way we want.
The Thermodynamic Miracle
If you are familiar with the popular comic Watchmen by Alan Moore, Dr. Manhattan talks about something called a thermodynamic miracle, quoted below:
Thermodynamic miracles… events with odds against so astronomical they’re effectively impossible, like oxygen spontaneously becoming gold. I long to see such a thing. And yet, in each human coupling, a thousand million sperm vie for a single egg. Multiply those odds by countless generations, against the odds of your ancestors being alive; meeting; siring this precise son; that exact daughter… Until your mother loves a man, and of that union, of the thousand million children competing for fertilization, it was you, only you, that emerged. To distill so specific a form from that chaos of improbability, like turning air to gold. That is the crowning unlikelihood – Jon Osterman (Dr. Manhattan).
Just like in the above quote, a perfect security control is an ideal that rarely occurs in real life. That is why it is advisable to follow the defense in depth principle.
Security controls need to be designed so that the organization remains secure even if one control fails. Controls can fail in many ways, but the two main ones are:
- False positives. A false positive occurs when a control triggers in a situation where it should not. For example, a detective control, such as an intrusion detection system or anti-virus software, issues a false alarm, reporting a security issue when none is present. False positives are dangerous because they erode the confidence that I.T. security professionals have in the control, and sometimes lead to administrators ignoring future alerts from that system.
- False negatives. A false negative occurs when a control fails to trigger in a situation where it should. Again, looking at intrusion detection systems and anti-virus software, a false negative would occur if an actual security incident took place and the system failed to detect it, giving a false sense of security. This commonly happens when there is a new threat and the virus definitions have not yet been updated to cover that exact threat.
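As an added illustration of both failure modes (this is example code, not part of the original post), the following Python scores a simple detective control, a failed-login rate alert, against constructed and labelled authentication events. The IP addresses, the "backup job" scenario, and the thresholds are all made up for the example; tightening the window produces a false negative on the slow attacker, while the benign retry loop stays a false positive in both settings.

```python
from collections import defaultdict

# Constructed sample authentication events: (seconds since start, source IP, outcome).
LOG = [
    # 10.0.0.5: six failures in five seconds (labelled malicious, fast brute force)
    *[(t, "10.0.0.5", "fail") for t in range(6)],
    # 10.0.0.9: one failure every two minutes for ten minutes (labelled malicious, "low and slow")
    *[(t, "10.0.0.9", "fail") for t in range(0, 600, 120)],
    # 10.0.0.7: a backup job retrying a stale credential six times (labelled benign)
    *[(t, "10.0.0.7", "fail") for t in range(0, 60, 10)],
    # 10.0.0.8: a user who mistypes once, then logs in (labelled benign)
    (5, "10.0.0.8", "fail"), (9, "10.0.0.8", "success"),
]
# Ground truth used only to score the control; the control itself never sees it.
MALICIOUS = {"10.0.0.5", "10.0.0.9"}


def failed_login_alerts(log, threshold, window):
    """Detective control: alert on any source with >= threshold failures within `window` seconds."""
    fails = defaultdict(list)
    for t, ip, outcome in log:
        if outcome == "fail":
            fails[ip].append(t)
    alerted = set()
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward past old failures
                start += 1
            if end - start + 1 >= threshold:
                alerted.add(ip)
                break
    return alerted


def score(alerted, malicious):
    """False positive: alerted but benign. False negative: malicious but the control stayed silent."""
    return {
        "true_positives": sorted(alerted & malicious),
        "false_positives": sorted(alerted - malicious),
        "false_negatives": sorted(malicious - alerted),
    }


def evaluate(threshold, window):
    return score(failed_login_alerts(LOG, threshold, window), MALICIOUS)


if __name__ == "__main__":
    print(evaluate(threshold=5, window=60))   # misses the slow attacker, flags the backup job
    print(evaluate(threshold=5, window=600))  # catches both attackers, still flags the backup job
```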