5.1 Compare and contrast various types of controls
- Control Type
A control is a mechanism that is used to prevent a behavior. There are different types of controls.
Controls prevent unsafe, illegal, or undesired behaviors. From a safety perspective, the best control is one that physically removes the hazard.
NIST Special Publication 800-53 revision 4 lists 600 controls in 18 categories and is an excellent reference. We will not cover these controls in detail.
A deterrent control is a method that discourages a behavior. For example, a user could be fired for sharing sensitive data. The deterrent control does not prevent the user from engaging in the activity, but it makes the consequences of that activity discouraging. The organization should consider the benefit that an undesired behavior will bring to the perpetrator and implement consequences that are greater than the benefit. Deterrents do not work well by themselves because there are always people who do not expect to get caught.
A preventative control is one that stops a user from engaging in a specific behavior. For example, elevator doors close and lock when the car is moving so that people do not fall into the shaft. It is physically impossible to open an elevator door while it is moving (take my word for it). Encryption is a control that prevents an eavesdropper from reading your confidential conversation.
People will try to break preventative controls. People try to pick locks and break windows all the time. The cost of the preventative control must be weighed against the asset that it is supposed to protect. A more expensive control takes more effort to bypass, but it might not be worth the money.
Preventative controls can be installed in layers. For example, a locked server room, inside a locked building, behind a fence with a locked gate has three layers of preventative controls. Even if one layer fails (the thief breaks the gate, or the administrator leaves the server room unlocked, for example), the other layers will continue to protect the asset.
A detective control only detects undesired behavior. It does not deter or prevent the behavior. It is useful when the organization wants to monitor behaviors. A detective control allows an organization to respond to undesired behavior.
The organization may follow up with individuals who engaged in the undesired behavior. The organization may have many violators and may want to monitor trends to better address the problem.
For example, the city installs a camera at an intersection to catch speeding motorists, who are later fined. Drivers who speed too often lose their licenses. The camera does not stop people from speeding. The fine could also be considered a deterrent control.
An alarm with a siren and a motion sensor is a better example of a detective control. If an intruder passes by the motion sensor, the alarm is triggered. The alarm does not prevent the intruder from trespassing, but it may alert a security guard to the violation so that he can respond and apprehend the individual.
If the intruder knew about the presence of the alarm, he may be reluctant to trespass. Thus, an alarm could also be a deterrent. Most detective controls are also deterrents.
A corrective control is one that reverses a behavior. For example, a door with a spring-loaded hinge is a corrective control. If a user leaves the door open, the hinge will automatically close it.
A corrective control may reverse the behavior quickly or slowly. A backup of a storage appliance is a corrective control. If the storage appliance fails, the data can be restored from backup.
A compensating control counteracts a behavior. If the actual control is not available, or if the organization is not able to implement the original control because of a legitimate technical or business restriction, then the organization will implement a compensating control, which
- Meets the original intent of the requirement
- Provides similar levels of control as the original requirement
- Does not cause additional risk to the organization
If the organization is unable to implement a valid control, then they may need to stop the activity.
A fire suppression system is an example of a compensating control. It won’t deter, prevent, or detect the fire, but it will reduce the damage that the fire causes (and create a flood in the process).
Another example is a rescue plan for a person working in a confined space. Confined spaces are dangerous because there is a potential for a high level of toxic gas build-up, a lack of oxygen, and/or an explosion. Confined spaces exist in manholes, sewers, oil wells, mines, and many other places. Sometimes work must be performed in these places. By law, when an organization sends a person into a confined space, a dedicated rescue team must be standing by to pull him out should the conditions warrant it. The organization could not prevent the risky conditions, so they created a compensating control. If they could not assemble a rescue team (the control), they would not be able to send a worker into the confined space.
An administrative control is one that is established in policy. It is not physical.
For example, an employee could be fired if they violate a policy.
A physical control physically prevents a user from engaging in a behavior. For example, storing sensitive data in a locked filing cabinet would prevent a user from accessing or sharing sensitive data stored within.
A physical control can be bypassed if there is enough brute force. The physical control should be backed up by an administrative control so that there are consequences.
All controls can be bypassed. There should always be an administrative control, which provides legal consequences for violating or damaging a technical or physical control, because no physical control is ever 100% human-proof. Undesired behavior is a risk, and the use of a control reduces the organization’s risk.
We can group our controls into technical, managerial, and operational controls.
A managerial control is an overall strategy for how the organization will perform. What is our strategy and how will we achieve it? Then how will we monitor the organization to verify that we are operating within the strategy? What are the key performance indicators?
These types of controls are set by the head of the organization.
For example, the CEO says that our goal is to prevent any data leaks.
An operational control is a day-to-day control. Senior management takes direction from the head of the organization about what the strategy is, and creates operational controls that will achieve those goals.
For example, the senior management team finds out that the CEO does not want to have any data leaks. They think about it and decide on the following key areas where we can protect the organization:
- Ban USB drives
- Search employees when they leave to make sure that they do not take anything with them
- Make mobile devices more secure
- Protect the network from attacks and leaks
- Educate end users
A technical control is also known as a logical control. The technical control does not physically prevent a person from engaging in a behavior, but it might technically prevent him.
A technical control can be bypassed if it contains a security vulnerability. It should be backed up by an administrative control. When a technical control is operating correctly, it can be as strong as, or stronger than, a physical control. If you store sensitive data on a hard drive, and then encrypt that hard drive with BitLocker or the RSA algorithm, and then store the hard drive in a safe, you have used a physical control and a technical control. A thief might be able to break the safe, but he won’t be able to defeat the algorithm.
Continuing with our example, the IT department takes direction from the senior management team. They do the following:
- Install a Data Leak Prevention appliance and configure it
- Implement mobile device management to encrypt all corporate devices and compartmentalize corporate data
- Create educational content about protecting the organization’s data
- Set up a hotline to report suspicious activity
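The following is an added example, not part of the original text, showing how one technical control from the list above (a data leak prevention check) can be run either as a detective control (allow and alert) or as a preventative control (block). It scans outbound text for card numbers using a Luhn check; the messages, the mode names and the helper names are constructed for this illustration and are not from any real DLP product.

```python
import re
from dataclasses import dataclass

# 13 to 16 digits, optionally separated by spaces or dashes, on word boundaries.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return normalised card-number candidates that pass the Luhn check."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Decision:
    action: str   # "allow" or "block"
    alert: bool   # whether an alert record is raised for follow-up
    reason: str


def evaluate(text: str, mode: str = "detect") -> Decision:
    """mode="detect": detective control, log only. mode="prevent": block the message."""
    pans = find_pans(text)
    if not pans:
        return Decision("allow", False, "no cardholder data found")
    reason = f"{len(pans)} Luhn-valid card number(s) detected"
    if mode == "prevent":
        return Decision("block", True, reason)
    return Decision("allow", True, reason)   # detective: message still goes out


if __name__ == "__main__":
    # Constructed sample message; 4111 1111 1111 1111 is a well-known test number.
    msg = "Customer paid with card 4111 1111 1111 1111, ship today"
    print(evaluate(msg, "detect"))
    print(evaluate(msg, "prevent"))
```

The same mechanism is only a detective control in "detect" mode because the data still leaves the organization; it becomes preventative only when the block action is enforced.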