As previously stated, access control types (administrative, physical, and technical) work at different levels, but different levels of what? They work together at different levels within their own categories. A security guard is a type of control used to scare off attackers and ensure that only authorized personnel enter a building. If an intruder gets around the security guard in some manner, he could be faced with motion detectors, locks on doors, and alarms. These layers are depicted in Figure 4-21.
Each control works at a different level of granularity, but it can also perform different functionalities. The different functionalities of access controls are preventive, detective, corrective, deterrent, recovery, compensating, and directive.
By having a better understanding of the different control functionalities, you will be able to make more informed decisions about what controls will be best used in specific kinds of situations. The seven different access control functionalities are as follows:
Deterrent: Intended to discourage a potential attacker
Preventive: Intended to keep an incident from occurring
Corrective: Fixes components or systems after an incident has occurred
Recovery: Intended to bring controls back to regular operations
Detective: Helps identify an incident’s activities
Compensating: Controls that provide for an alternative measure of control
Directive: Mandatory controls that have been put in place due to regulations or environmental requirements
Once you understand fully what the different controls do, you can use them in the right locations for specific risks—or you can just put them where they would look the prettiest.
When looking at a security structure of an environment, it is most productive to use a preventive model and then use detective, recovery, and corrective mechanisms to help support this model. Basically, you want to stop any trouble before it starts, but you must be able to quickly react and combat trouble if it does find you. All security controls should be built on the concept of preventive security. However, it is not feasible to prevent everything; therefore, what you cannot prevent, you should be able to quickly detect. That’s why preventive and detective controls should always be implemented together and should complement each other. To take this concept further, what you can’t prevent, you should be able to detect, and if you detect something, it means you weren’t able to prevent it, and therefore you should take corrective action to make sure it is indeed prevented the next time around. Therefore, all three types work together: preventive, detective, and corrective.
The control types described next (administrative, physical, and technical) are preventive in nature. These are important to understand when developing a security access control model and when taking the CISSP exam.
The following are soft mechanisms put into place to enforce access control and protect the company as a whole:
Policies and procedures
Effective hiring practices
Pre-employment background checks
Controlled termination processes
Data classification and labeling
Security awareness
Note
One best practice is to require individuals to sign a statement outlining the expectations regarding the access they are being granted. This in turn can be used for termination of the individual from the work environment, and possibly prosecution under governing laws such as the Computer Fraud and Abuse Act. The improper administration and management of access controls is the main cause of most unauthorized access compromises.
The following can physically restrict access to a facility, specific work areas, or computer systems:
Badges, swipe cards
Guards, dogs
Fences, locks, mantraps
The following are logical controls that are part of operating systems, third-party application add-ons, or hardware units:
Passwords, biometrics, smart cards
Encryption, protocols, call-back systems, database views, constrained user interfaces
Antivirus software, ACLs, firewalls, routers, clipping levels
Table 4-4 shows how these categories of access control mechanisms perform different security functions. However, Table 4-4 does not necessarily cover all the possibilities. For example, a fence can provide preventive and deterrent measures by making it harder for intruders to access a facility, but it could also be a compensative control. If a company cannot afford a security guard, it might erect a fence to act as the compensative physical control. Each control is able to meet more requirements than what is listed in the table. Table 4-4 is only an example to show the relationship among the different controls and the security attributes they could provide.
Type of Control: | Preventive | Detective | Corrective | Deterrent | Recovery | Compensative |
---|---|---|---|---|---|---|
| | Avoid undesirable events from occurring | Identify undesirable events that have occurred | Correct undesirable events that have occurred | Discourage security violations | Restore resources and capabilities | Provide alternatives to other controls |
Category of Control: | ||||||
Physical | ||||||
Fences | X | X | ||||
Locks | X | X | ||||
Badge system | X | X | ||||
Security guard | X | X | ||||
Biometric system | X | X | ||||
Mantrap doors | X | X | ||||
Lighting | X | X | ||||
Motion detectors | X | X | ||||
Closed-circuit TVs | X | X | ||||
Offsite facility | X | X | ||||
Administrative | ||||||
Security policy | X | X | ||||
Monitoring and supervising | X | X | ||||
Separation of duties | X | X | ||||
Job rotation | X | X | ||||
Information classification | X | X | ||||
Personnel procedures | X | X | ||||
Investigations | X | X | ||||
Testing | X | X | ||||
Security-awareness training | X | X | ||||
Technical | ||||||
ACLs | X | X | ||||
Routers | X | X | ||||
Encryption | X | X | ||||
Audit logs | X | X | ||||
IDS | X | X | ||||
Antivirus software | X | X | X | |||
Server images | X | X | ||||
Smart cards | X | X | ||||
Dial-up call-back systems | X | X | ||||
Data backup | X | X |
Note
Locks are usually considered delay mechanisms because they only delay a determined intruder. The goal is to delay access long enough to allow law enforcement or the security guard to respond to the situation.
Any control can really end up being a compensating control. An organization would choose a compensating control if another control is too expensive but protection is still needed. For example, a company can’t afford a security guard staff, so they erect fences, which would be the compensating control. Another reason to use a compensating control is business needs. If the security team recommends closing a specific port on a firewall, but the business requires that service to be available to external users, then the compensating control could be to implement an intrusion prevention system (IPS) that would closely monitor the traffic coming in from that port.
Several types of security mechanisms exist, and they all need to work together. The complexity of the controls and of the environment they are in can cause the controls to contradict each other or leave gaps in security. This can introduce unforeseen holes in the company’s protection not fully understood by the implementers. A company may have very strict technical access controls in place and all the necessary administrative controls up to snuff, but if any person is allowed to physically access any system in the facility, then clear security dangers are present within the environment. Together, these controls should work in harmony to provide a healthy, safe, and productive environment.
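The pairing of preventive, detective, and corrective controls and the warning about gaps between the administrative, physical, and technical categories can be checked mechanically against a control inventory. The following is an added example, not part of the original text; the inventory, asset names, and function assignments are constructed for illustration, and the rule that a compensating control stands in for a missing preventive one is an assumption drawn from the firewall-port example above.

```python
from collections import defaultdict

CATEGORIES = ("administrative", "physical", "technical")
CORE = ("preventive", "detective", "corrective")  # the trio the text says work together

# Constructed sample inventory: (asset, control, category, functions it serves).
INVENTORY = [
    ("server room", "door locks", "physical", {"preventive"}),
    ("server room", "motion detectors", "physical", {"detective"}),
    ("server room", "ACLs", "technical", {"preventive"}),
    ("server room", "security policy", "administrative", {"preventive"}),
    # Port must stay open for the business, so no preventive control is possible here.
    ("public web server", "IPS on open port", "technical", {"compensating", "detective"}),
    ("public web server", "incident procedures", "administrative", {"corrective"}),
    ("hr database", "ACLs", "technical", {"preventive"}),
    ("hr database", "audit logs", "technical", {"detective"}),
    ("hr database", "incident procedures", "administrative", {"corrective"}),
]

def coverage_gaps(inventory):
    """Per asset, list missing core functions and missing control categories."""
    funcs, cats = defaultdict(set), defaultdict(set)
    for asset, _control, category, functions in inventory:
        if category not in CATEGORIES:
            raise ValueError(f"unknown category: {category}")
        funcs[asset] |= functions
        cats[asset].add(category)
    report = {}
    for asset in funcs:
        missing = [f for f in CORE if f not in funcs[asset]]
        # Assumption: a compensating control is accepted in place of prevention.
        compensated = "preventive" in missing and "compensating" in funcs[asset]
        if compensated:
            missing.remove("preventive")
        report[asset] = {
            "missing_functions": missing,
            "preventive_compensated": compensated,
            "missing_categories": [c for c in CATEGORIES if c not in cats[asset]],
        }
    return report

if __name__ == "__main__":
    for asset, gaps in coverage_gaps(INVENTORY).items():
        print(asset, gaps)
```

In this sample the server room can prevent and detect but has nothing corrective, while the HR database has all three functions yet no physical control at all, which is the situation the last paragraph describes.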