After a user has been identified and authenticated, the next security measure is authorization and access control. Broadly, security controls fall into three classifications based on how they are implemented: technical, management, and operational.
Technical controls are any controls, hardware or software, that rely on technology; firewalls, IDS/IPS, UTMs, web security gateways, encryption, and anti-virus software are all technical controls. A security administrator configures these devices and installs them on the network or on a host; once installed, they provide a specific form of security.
Management controls are administrative methods used by management. One way to control access is through policies and procedures; your organization probably has an acceptable use policy or a network access policy, for example. These policies govern how users access the network and what they are and are not allowed to do on it. Another good example of a management control is the risk assessment, which management uses to assess and manage risk for the organization or business. Audits are also classified as management controls.
Operational controls are implemented by people; no technology is involved. Proper awareness training is an operational control: by enforcing good password security, following a clean desk policy, and understanding e-mail attachment attacks, we restrict access to only authorized people in our environment.
Control types can also be classified by their goal in relation to security incidents: preventative, detective, corrective, deterrent, and compensatory.
Preventative controls are any security control that prevents a security incident, so an IPS (Intrusion Prevention System) fits this category well. These systems sit inline with traffic and, once they notice suspicious or malicious traffic, write new rules on the fly to stop the traffic from its source. They can also redirect malicious traffic to a honeypot or honeynet. Firewalls are another example of preventative controls, since they are somewhat similar to IPSs. Preventative controls don't have to be technical in nature: a security guard is also a preventative control, because guards prevent unauthorized access into a building or a secure area inside it.
Detective controls detect security incidents but do not prevent them. An IDS (Intrusion Detection System) is a prime example: IDSs detect malicious or suspicious traffic on the network. Typically, network IDS sensors are placed at key locations (usually at switches, firewalls, or routers). They receive copies of traffic and report back to a central monitoring server hosting an IDS console, so network and security administrators can manage everything from one location. Other detective controls include security audits and trend analysis. If you are a network or security administrator, you know that logs can be extremely long; every device on the network is a logging device that most likely sends its logs to a central location. By analyzing these logs, we can detect when suspicious activity occurred, such as failed login attempts or system errors, and if we graph these trends we may be able to detect an emerging pattern of malicious activity. CCTV cameras can also be considered a detective control.
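The log analysis described above, as an added example that is not part of the original article or the Gibson study guide: it parses a handful of constructed syslog-style lines (the hosts, IP addresses, and usernames are made up), counts failed logins per source address, flags sources that cross a threshold, and buckets failures per minute so the trend can be graphed. The log format, the threshold of three, and the function names are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample log lines in a common syslog/sshd layout (not real data).
SAMPLE_LOGS = """\
Mar 10 08:01:12 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 10 08:01:14 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar 10 08:01:15 host1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51124 ssh2
Mar 10 08:01:20 host1 sshd[1202]: Accepted password for alice from 198.51.100.4 port 40010 ssh2
Mar 10 08:02:03 host1 sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Mar 10 08:02:41 host1 sshd[1204]: Failed password for bob from 198.51.100.9 port 40111 ssh2
Mar 10 08:05:09 host1 sshd[1205]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar 10 08:05:30 host1 kernel: [12345.678] EXT4-fs error (device sda1): ext4_find_entry: reading directory lblock 0
"""

# Generic syslog line: timestamp, host, process name with optional [pid], message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# sshd failure message; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_logs(text):
    """Parse every line, silently skipping lines that are not in the expected layout."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def failed_logins_by_source(text):
    """Count failed password attempts per source IP address."""
    counts = Counter()
    for entry in parse_logs(text):
        m = FAILED_RE.search(entry["msg"])
        if m:
            counts[m.group("src")] += 1
    return counts


def flag_sources(text, threshold=3):
    """Sources with at least `threshold` failures: the candidates for an alert."""
    return sorted(src for src, n in failed_logins_by_source(text).items() if n >= threshold)


def failures_per_minute(text):
    """Failed logins bucketed by minute; feed this to a plot to see the trend."""
    buckets = Counter()
    for entry in parse_logs(text):
        if FAILED_RE.search(entry["msg"]):
            buckets[entry["ts"][:-3]] += 1  # drop ":SS" -> e.g. "Mar 10 08:01"
    return dict(buckets)


def system_errors(text):
    """Kernel messages mentioning an error, the other signal the text calls out."""
    return [e for e in parse_logs(text)
            if e["proc"] == "kernel" and "error" in e["msg"].lower()]


if __name__ == "__main__":
    print("failures by source:", dict(failed_logins_by_source(SAMPLE_LOGS)))
    print("flagged sources:   ", flag_sources(SAMPLE_LOGS))
    print("failures/minute:   ", failures_per_minute(SAMPLE_LOGS))
    print("system errors:     ", len(system_errors(SAMPLE_LOGS)))
```

On the sample, one source accounts for five of the six failures and is the only one flagged at the default threshold; the per-minute buckets are what you would chart to spot a burst or a slow, steady probe that a single-line view hides.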
A corrective control seeks to reverse a security incident once it occurs. Backups are perhaps the best example: if your organization suffers an outage or major disaster, it should be able to restore all lost data from its backup tapes.
Deterrent controls discourage would-be attackers or malicious insiders. Door locks, lighting, CCTV cameras, suspensions, and fines are all deterrent controls. For example, knowing that you are being closely monitored by a camera should deter you from stealing a laptop, and if you see that the laptop is secured to the table with a hardware lock, you probably wouldn't attempt to steal it in the first place. Suspensions and fines serve as warnings to employees who do not follow their organization's data agreements.
Compensatory controls are also referred to as "workarounds." They are alternative controls that compensate for a primary control. If an organization wishes to use smart cards as a form of authentication or dual-factor authentication, it can use a hardware token or a TOTP as the authentication factor until the smart cards are finished and distributed to each employee.
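As an added example of the stand-in factor mentioned above (not code from the original article or the Gibson study guide), the following implements TOTP as specified in RFC 6238, built on HOTP from RFC 4226, together with the server-side check that makes it usable as a compensating second factor: a tolerance window for clock drift and a replay guard so an intercepted code cannot be reused. The secret is the published RFC 4226 test vector, chosen so the output can be checked against the RFC; the class and function names are assumptions for the example.

```python
import hashlib
import hmac
import struct
import time

# Published RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
# A real deployment generates a random per-user secret instead.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 of the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret, unix_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the current time step."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check: accept codes within +/-window steps, never accept a step twice."""

    def __init__(self, secret, step=30, window=1, digits=6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_counter = -1  # highest time step already consumed (replay guard)

    def accept(self, code, unix_time=None):
        if unix_time is None:
            unix_time = time.time()
        now = int(unix_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used (or older than a used step): reject replays
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, str(code)):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B lists 94287082 for T=59 with SHA-1; the last 6 digits match.
    print("code at T=59:", totp(TEST_SECRET, 59))
    verifier = TotpVerifier(TEST_SECRET)
    print("first use accepted:", verifier.accept("287082", 59))
    print("replay accepted:   ", verifier.accept("287082", 59))
```

The window of one step on either side is what lets a token with a slightly drifted clock still authenticate; the `last_counter` guard is the part most often forgotten when a TOTP check is hand-rolled, and without it a code remains valid for the whole window even after it has been used.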
The last control type is physical controls: anything tangible that restricts access to entries and exits. Hardware locks, bollards, fencing, lighting, ID badges, and signs are all physical controls.
You might have noticed that I used some of the same examples under different classifications. One important thing to remember is that the control types are not mutually exclusive; many controls have more than one classification. For instance, motion detectors are technical, but they are also detective and physical controls. Therefore, you could classify a motion detector as a technical-detective-physical control.
Gibson, D. (2017). CompTIA SECURITY+ Get Certified Get Ahead SY0401 Study Guide. Virginia Beach, VA: YCDA, LLC