Last month, we discussed the importance of practicing “defense-in-depth” within an organization. This system of redundant defenses helps protect against a huge array of potential threats. One of the core aspects of this defensive philosophy is that an attack will happen. A company needs to be prepared for the possibility that their perimeter defenses fail.
Previously, we listed the three “areas” of security controls as administrative, physical, and technical. All types of security policies and products fit within these three implementation categories. The implementation domain that we will focus on in this post is the administrative controls that a company can use to help prevent breaches and remediate incidents.
In the last post, three control types were covered that encompassed all the implementation areas for cybersecurity defenses. While these three categories do cover all security products, they do not properly express the goals of these security controls. Below you will find a list of the most common goals of the previously outlined controls. These goals are used in conjunction with the controls. For example, a firewall would primarily be a technical control with preventative goals.
Note that many solutions will not fit into a single control and goal category. This firewall example may also be an administrative control if the policies surrounding its implementation are considered.
Detective – Solutions or policies with the goal of detecting incidents after they have occurred. This goal is usually achieved primarily via technical or physical controls. Many products serve both detective and preventative goals simultaneously in order to reduce the number of security products an organization requires.
Preventative – Preventative controls are built around the concept of stopping an attack before it can cause damage. These include some of the best-known products, such as firewalls, antivirus (AV), and intrusion prevention systems (IPS).
Corrective – Whenever an incident causes impact, corrective controls intervene in order to remediate the issue. One of the most vital administrative corrective controls is a proper Incident Response Plan, outlined later in this post.
Deterrent – This is a less common security goal, but deterring possible attackers is a viable method of defending an enterprise. There is a common belief that an unlocked door invites trouble. A proper “bug bounty” program deters by offering a greater incentive to report an issue than to exploit it.
Compensating – Controls implemented solely as a substitute for a more effective method that is not yet in place. A common example is a new employee who is not yet registered in the existing badge-reader system. The compensating control is to escort the associate until the proper solution is in place.
Critical Administrative Controls
Now that we have defined the goals of our security controls, we can get to the real meat and potatoes of this post. Administrative controls are vitally important for a company’s defenses but are often the most overlooked control. Almost all security actions come from an administrative decision at some point. Nothing happens within a vacuum. But some of the more complex goals and examples are rarely even entertained until it is too late. Below we will define a few of the most critical administrative controls and the categories in which they fit. Remember that a single solution will likely fit into multiple control categories and goals so we will simply emphasize certain examples below.
Administrative Control – Corrective
Incident Response Plan - This is the big one. Incident Response Plans are a corrective administrative control that provides incalculable value in the form of disaster preparedness. It is fairly common knowledge that companies need a plan when dealing with an incident, but very few companies have documentation that details their exact goals and strategy should an incident occur. “How did this happen? Who should we call? How long have the attackers been in our network? What have they taken?” These questions may have extremely complex answers that require full-fledged investigations. Obviously not every business can afford an Incident Response Team that is available 24/7. However, every single business can afford to take the time to develop a solid Incident Response Plan.
Administrative Control – Detective
Auditing – Most products contain thorough logs that allow owners to audit the users and data involved with the system. By setting up a regular review of these events, companies may detect an attack that was never seen by other tools. For example, reviewing badge-reader access logs to a restricted area may reveal evidence of a potential incident.
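As an added example (not part of the original post, and not any particular product's tooling), the following Python script performs the kind of regular review described above on constructed badge-reader log lines for a restricted area. It flags three things an auditor would want to see: a granted entry by a badge that is not on the area's authorization list, a granted entry outside business hours, and repeated denied attempts within a short window. The log format, door names, badge ids, authorization list, business hours and thresholds are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log (not from any real badge system).
# One event per line: <ISO timestamp> <badge id> <door> <granted|denied>
SAMPLE_LOG = """\
2024-03-04T08:02:11 1042 lobby granted
2024-03-04T08:05:40 1042 server-room granted
2024-03-04T12:31:09 2077 server-room denied
2024-03-04T12:31:22 2077 server-room denied
2024-03-04T12:31:41 2077 server-room denied
2024-03-04T22:47:03 3110 server-room granted
2024-03-05T09:15:27 1042 server-room granted
"""

# Assumed policy for the example: which doors are restricted, which badges
# may open them, when normal access is expected, and what counts as a burst
# of denied attempts.
RESTRICTED_DOORS = {"server-room"}
AUTHORIZED = {"server-room": {"1042"}}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # inclusive start, exclusive end
DENIED_THRESHOLD = 3                          # denied attempts per badge/door
DENIED_WINDOW_SECONDS = 300                   # ...within this many seconds


def parse_log(text):
    """Turn the raw log text into a list of event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, badge, door, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "badge": badge,
            "door": door,
            "result": result,
        })
    return events


def review_badge_log(text):
    """Return a list of (finding, badge, door, timestamp) tuples worth a
    human's attention. Only restricted doors are reviewed."""
    findings = []
    # Sliding window of recent denied timestamps per (badge, door).
    denied = defaultdict(list)

    for ev in parse_log(text):
        if ev["door"] not in RESTRICTED_DOORS:
            continue
        stamp = ev["ts"].isoformat()

        if ev["result"] == "granted":
            # Entry by a badge that should never open this door.
            if ev["badge"] not in AUTHORIZED.get(ev["door"], set()):
                findings.append(("unauthorized_badge", ev["badge"], ev["door"], stamp))
            # Entry at a time when nobody is expected in the area.
            t = ev["ts"].time()
            if not (BUSINESS_HOURS[0] <= t < BUSINESS_HOURS[1]):
                findings.append(("after_hours", ev["badge"], ev["door"], stamp))

        elif ev["result"] == "denied":
            window = denied[(ev["badge"], ev["door"])]
            window.append(ev["ts"])
            # Drop attempts that fall outside the time window.
            while window and (ev["ts"] - window[0]).total_seconds() > DENIED_WINDOW_SECONDS:
                window.pop(0)
            # Report once when the burst first reaches the threshold.
            if len(window) == DENIED_THRESHOLD:
                findings.append(("repeated_denied", ev["badge"], ev["door"], stamp))

    return findings


if __name__ == "__main__":
    for finding in review_badge_log(SAMPLE_LOG):
        print(*finding)
```

Run against the sample log this reports three findings: a burst of denied attempts by badge 2077, and an after-hours entry by badge 3110, which is also not on the authorization list. The value of such a script is not the rules themselves, which any badge system vendor could implement, but the administrative decision to run it on a schedule and route its output to someone who will act on it.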
Administrative Control – Preventative
User Training – As technology gets better and better, the human has proved to be the weakest link in the chain. Attackers have started targeting employees for easy access into the most critical assets. User training helps combat this strategy by shoring up defenses where they matter most. The best training engages users with timely exercises and simulations in order to drive home the effectiveness of some of the new attack techniques.
Administrative Control – Determent
“Bug Bounty” – This control falls under many categories, but we feel it is administrative, focused on deterring negative behavior. Placing a large bounty for outside researchers who discover security flaws gives would-be attackers a reward for reporting vulnerabilities rather than exploiting them. Without a system to reward the discovery of a vulnerability, an attacker may launch an actual attack instead of reporting the issue.
We’ve taken a deeper look at one of the primary controls for proper Defense in Depth while defining the specific goals of all security controls. The list in this post barely scratches the surface of the available administrative controls. Next month, we are going to publish an article emphasizing the importance of disaster preparedness and proper IR policies in order to expand upon some of the examples given above.
In the following months, keep an eye out for an article covering technical controls and physical controls. We will use the expanded definitions and goals provided in this post to cover these final two control types and give specific examples regarding their implementation and importance.
For more details on current security standards, be sure to check out the NIST documentation on security controls: https://nvd.nist.gov/800-53.