CSSLP Tutorial: Module 07,Part 03 – Access Control Types




As we finished wrapping up about operations and security in our operations, we then look at part three with making sure we have appropriate controls in place.  These controls will help protect our system as well as our applications and other sources. There are seven basic types of access control.  These are: preventative, detective, corrective, deterrent, recovery, compensation, and directive.  Things to look out for when studying over this material and preparing for the test are what are the different controls and then description. You might also see controls listed that really are not on this list and not really meant to be included, so definitely need to memorize this list.

Some of the controls are proactive, in that they help to prevent an attack before it ever happens.  There are other controls which are of a reactive nature.  They will, instead, wait until the security event has happened, and then have a response. So, reactive controls are after the fact of the event happening.  The third kind of controls are in a kind of a catch-all category.  These are the three control mechanisms which are left over which are not necessarily proactive nor reactive and may involve normal procedures and processes as well as involve certain aspects of the application or system.  Also, these controls can often perform multiple functions. So, for example, having one process may end up being both a directive and a deterrent controls at the same time.

So, the first kind of control is the proactive type.  These are all about stopping the attack before it ever happens.  The biggest difference between preventative and deterrent is that the deterrent is more of a psychological factor and more of provoking someone to think about getting caught as opposed to any of the other controls which may directly lead to someone getting caught.  For example, the sign that warns us there’s a dog in the yard is a whole other thing than say the fence altogether.  I can walk right past it and it physically would not stop me.

The second kind of control is the reactive type. This is the type of control mechanism which waits until after something has already happened before providing a response.   Detective controls allow for us to review and see when a security event has happened. For example, mandatory vacations, job rotations, closed circuit cameras and TV, and so on.  Corrective control means that the attack may have been successful to some point. For example, if our system is infected with a file, moving that file to a quarantined location, then this would be the example of a corrective control.  We also have for example intrusion detective systems, which will detect when the security event is happening or perhaps after it has happened and then of course, the intrusion preventative systems which would then terminate the attack.

The third kind of control is the catchall mechanisms. These will include the recovery, directive, and compensation controls.  The recover controls involves when we have lost our data, and we are attempting to access a backup, so we don’t end up losing our information completely.  This is where we have as another example that there are multiple hard drives that can be started up when device #1 failed, for example.  Directive controls, on the other hand, are more of giving direction. For example, in the employee handbook, where there are controls in place to help keep track of people’s behaviour in terms of the initial CSSLP training.  Also, like a sign that “No trespassing”.

This also gives direction to individuals. Last, is the compensation control. Basically, this is the contingency plan of what happens if what was decided ends up being out of reach.  For example, if you have it in place that you are going to hire a security guard.  However, when looking a little closer, find out that the security guard is too expensive.  So, then as a contingency plan, then get a security dog.  Then, if the dog is too expensive, then get a dog that hasn’t had the training or nearly as tough on trespassers but will still at least let out a warning bark .  So, all of these possibilities are essentially other plans when the first one is out of reach.This compensation control also allows layers of defense.  We don’t look just for  the access controls which will terminate an attack, once it has already happened.

Rather, we are looking to try to incorporate proactive controls which will allow us to possibly to prevent an attack from happening. Two of these proactive controls are the preventative and the deterrent controls.  Then of course, there are those kinds of controls which are both reactive in nature.  They are the detective and the corrective controls.   There are also those kinds of controls which affect the data on multiple layers such as the directive, compensation and recovery controls..  We want to use as many layers as is warranted by how much value we have placed on the data.