DeMystifying SECURITY CONTROLS

Cheryl Abram
6 min read · May 27, 2024

A “control” is simply anything that influences behavior. For instance, look around you right now and let’s investigate what’s currently influencing your behavior:

Are you sitting? If so, whatever you’re sitting on is a control influencing your posture and comfort.

Are you standing? If so, whatever you’re standing on is a control influencing your stance, posture, balance and all sorts of other things.

Are you hot, cold, or comfortable right now? The temperature where you are is a control that is influencing your comfort level and probably what you are wearing.

When you obey a stop sign or a green traffic light, or exit through a door marked ‘Exit,’ you are responding to controls designed to regulate your movement in a specific environment.

Controls can be intentionally created by us, like security measures, or they can exist naturally, like gravity, a force we must learn to work within.

Remember this: all controls exist to influence behavior.

In the realm of cybersecurity, we deal with 3 types of controls that influence behavior regarding cybersecurity outcomes:

Administrative controls — These authoritative policies and procedures guide behavior through written directives (e.g., Access control policy).

Operational controls — Also referred to as ‘non-technical’ controls, these include any security practices that involve physical implementation, like fences or bollards, or human intervention, like security awareness training.

Technical controls — Executed via software, hardware, and/or firmware (e.g., encryption).

Administrative (or management) controls are the authoritative controls that are created first, because they are born of the business strategy and set the direction for operational and technical controls. In essence, administrative controls typically come in the form of written policies and procedures and address the purpose, scope, roles, and responsibilities of everyone involved.

Each NIST SP 800-53 Security Control Family begins with Administrative policies and procedures.

While administrative controls are essential for setting expectations and defining responsibilities, they’re just words until someone or something takes action. Consider a recent access control policy at one of my part-time gigs that states, “All individuals, including employees and contractors, must have their access to company systems and networks terminated within 10 business days of their separation from the company.”

As a contract employee, this policy resulted in my having to renew my accesses every 10 days or risk being removed from the network. This also means that someone and/or something needs to compel me to comply, or even better, “encourage” me to act on this directive.

Administrative controls still need to be operationalized (or executed).

I mean, think about it — the IRS can write fifty ‘leven laws about paying taxes but unless there are controls in place to operationalize those laws, most of us will probably choose to keep or spend all of our gross income!!

This is where “operational” and “technical” controls come into play.

Operational controls are NON-TECHNICAL events or activities — meaning they are carried out by people or physical means — that execute the administrative controls. For example, for the administrative policy that requires me to renew my accesses at least every 10 days, I’ve actually had to come up with the following operational controls because my account was getting shut down by one of the technical controls (which I will address in a minute):

  1. Weekly access verification: At my weekly Zoom check-in meeting I provide a quick verbal confirmation that I’ve re-established my accesses within the past 10 days. This provides a simple and efficient way to monitor compliance.
  2. Mandatory weekly shut down: At the end of every week I completely shut down my computer, which automatically refreshes my accesses when I restart it, ensuring compliance with the 10-day requirement.

Now, these were operational controls that I thought of, but typical enterprise operational security controls (or non-technical security controls) that you may see in organizations include the following:

  1. Security Awareness Training/Hands-On Phishing Simulations: Employees participate in realistic phishing exercises to hone their ability to spot fraudulent emails and report them to the security team.
  2. Incident Management/Incident Reporting: Employees promptly report security incidents.
  3. Change Management/Change Control Process: Designated personnel carefully evaluate each proposed change to systems or configurations. They assess the potential risks and benefits before approving and implementing any changes.
  4. Physical Security/Access Controls: Security guards control who can enter sensitive areas, verifying identities and ensuring only authorized personnel have access.

Technical controls are the methods used to execute administrative controls using software, hardware and/or firmware (or some combination of those). For example, in the case of my need to renew my accesses every 10 days, the technical controls are (1) an automated email I receive 1 week before the looming shut-down and (2) the automatic shut-down on day 10 when I fail to comply.

There are a plethora of technical security controls. These are the controls that cyber folks are most familiar with, but here are the corresponding technical controls to the operational controls listed above:

  1. Security Awareness Training/Hands-On Phishing Simulations: Anti-Phishing Software: Email filters automatically block or flag suspicious emails, helping employees avoid scams.
  2. Incident Management/Incident Reporting: Security Information and Event Management (SIEM): A tool that collects information about security events and helps spot problems quickly.
  3. Change Management/Change Control Process: Configuration Management Databases (CMDBs): A central record of all changes made to computer systems to ensure they’re tracked and approved.
  4. Physical Security/Access Controls: Biometric Authentication: Using unique body features like fingerprints or eye scans to prove identity for secure access.

In summary, operational and technical controls operationalize or execute the directives established in administrative controls. Therefore, it follows that administrative controls are established prior to execution of operational or technical controls.

A Quick One!! The Other “Policy”

Before I end this, let me say something about the other “policies”. When I first came into the field I heard folks talk about “policies” but related to technical tools like Splunk (and other tools). I had no idea what policies they were referring to.

I figured out that the Splunk policies they were referring to were not policies in the usual sense, but specific settings, configurations, or rules for Splunk. These rules automatically analyze the data that Splunk collects and trigger alerts or actions if something suspicious is found.

These Splunk “policies” are just rules that tell the tool how to react to different events. Here’s how such a rule might be set up in a Splunk search command line:

```
index=security_logs sourcetype=ssh_logs status=failed | stats count by user, src_ip | where count > 10
```

Explanation:

  • index=security_logs: This specifies that Splunk should look into the data indexed under "security_logs."
  • sourcetype=ssh_logs: This narrows down the search to logs that are categorized as SSH (Secure Shell) access logs.
  • status=failed: Further filters to only consider failed login attempts.
  • stats count by user, src_ip: This command counts how many failed attempts have been made, grouped by user and source IP address.
  • where count > 10: This is the condition set to trigger an alert if there are more than 10 failed attempts by the same user from the same IP address.

In a live Splunk environment, such a search would be part of a saved search or an alert policy, where Splunk constantly checks the log data for this pattern and triggers an alert if it finds a match. This alert could then be configured to notify security personnel via email, SMS, or another method.
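To make the "detection rule as technical control" idea concrete outside Splunk, here is an added example (not from the original article) that applies the same filter-count-threshold logic to a handful of constructed OpenSSH sshd log lines in Python: the regex plays the role of the `status=failed` filter, the Counter plays `stats count by user, src_ip`, and the threshold plays `where count > 10`. The log lines and IP addresses are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample of sshd auth log lines (not real data): one user is
# being hammered from one source IP, a second user fails only a few times,
# and there is one successful login that must not be counted.
SAMPLE_LOG = [
    "sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2",
] * 12 + [
    "sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2",
] * 3 + [
    "sshd[1203]: Failed password for alice from 198.51.100.7 port 40022 ssh2",
] * 2 + [
    "sshd[1204]: Accepted password for alice from 198.51.100.7 port 40023 ssh2",
]

# Extracts the user and source IP from a failed sshd password attempt; the
# optional "invalid user" prefix covers usernames that do not exist on the host.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+)"
)


def parse_failed_logins(lines):
    """Equivalent of the SPL filter 'sourcetype=ssh_logs status=failed':
    yield (user, src_ip) for every failed attempt, ignoring all other lines."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("src_ip")


def failed_login_alerts(lines, threshold=10):
    """Equivalent of '| stats count by user, src_ip | where count > threshold':
    return (user, src_ip, count) tuples that exceed the threshold, noisiest first."""
    counts = Counter(parse_failed_logins(lines))
    alerts = [(user, ip, n) for (user, ip), n in counts.items() if n > threshold]
    return sorted(alerts, key=lambda a: -a[2])


if __name__ == "__main__":
    for user, ip, n in failed_login_alerts(SAMPLE_LOG):
        # In Splunk this is where the saved search would fire its alert action.
        print(f"ALERT: {n} failed SSH logins for user '{user}' from {ip}")
```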

I get it now. This kind of “policy” is an aspect of a technical control, distinct from traditional administrative policies.

Conclusion

Listen, I know that there are other categories of controls that you read about in CompTIA exam materials (e.g., deterrent controls, detective controls) and in RMF/CGRC materials (e.g., hybrid controls, common controls), and in other content.

I’m going to write an accompanying article about how those controls map to these main three categories shortly, but…

Cioa for Niao!!!
