
Recovery

After a security incident has occurred, recovery controls may need to be applied in order to restore the functionality of the system and the organization. Recovery means that the system must be rebuilt: reinstalled from OS media or a trusted image, data restored from backups, etc.

The connection between corrective and recovery controls is important to understand. For example, let us say a user downloads a Trojan horse. A corrective control may be the antivirus software “quarantine.” If the quarantine does not correct the problem, then a recovery control may be implemented to reload software and rebuild the compromised system.

Deterrent

Deterrent controls deter users from performing actions on a system. Examples include a “beware of dog” sign: a thief facing two buildings, one with guard dogs and one without, is more likely to attack the building without guard dogs. A large fine for speeding deters drivers from speeding. A sanction policy that makes users understand that they will be fired if they are caught surfing illicit or illegal websites is a deterrent.

Compensating

A compensating control is an additional security control put in place to compensate for weaknesses in other controls. For example, surfing explicit websites would be cause for an employee to lose his or her job; this is an administrative deterrent control. By also adding a daily review of each employee’s Web logs, we add a detective compensating control that augments the administrative control of firing an employee who surfs inappropriate websites.
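The daily Web-log review above can be automated. The following is an added example, not code from the original text: it parses constructed proxy log lines in a simplified Squid-style native format, matches each requested host against a hypothetical policy blocklist, and reports per-user hits, noting whether the proxy already blocked the request (the preventive control worked) or let it through (the detective control caught what prevention missed). The log lines, blocklist, and format are all assumptions made for the demonstration.

```python
"""Daily Web-log review as a detective compensating control.

Added example. The log format, sample lines, and blocklist below are
constructed for the demo and are not taken from any real proxy.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical domains that the sanction policy covers (constructed).
POLICY_BLOCKLIST = {
    "adult.example": "explicit",
    "casino.example": "gambling",
    "warez.example": "illegal",
}

# Constructed sample log lines in a simplified Squid-style native format:
# unix_ts elapsed_ms client result/status bytes method url user hierarchy type
SAMPLE_LOG = """\
1700000000.123    210 10.1.1.7 TCP_MISS/200 5120 GET https://intranet.example.com/home alice HIER_DIRECT/203.0.113.10 text/html
1700000060.456    180 10.1.1.7 TCP_MISS/200 88211 GET https://www.adult.example/gallery?id=3 alice HIER_DIRECT/203.0.113.20 text/html
1700000120.789     40 10.1.1.9 TCP_DENIED/403 340 GET http://casino.example/ bob HIER_NONE/- text/html
1700000180.111    200 10.1.1.9 TCP_MISS/200 1024 GET https://news.example.org/ bob HIER_DIRECT/203.0.113.30 text/html
1700000240.222    190 10.1.1.7 TCP_MISS/200 9000 GET https://cdn.adult.example/img/4.jpg alice HIER_DIRECT/203.0.113.20 image/jpeg
malformed line that should be skipped, not crash the review
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Parse one log line; return None (do not raise) on malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    # 2xx/3xx means the proxy served the request; anything else was blocked or failed.
    rec["allowed"] = rec["status"][0] in ("2", "3")
    return rec


def policy_category(host):
    """Match the host or any parent domain against the blocklist."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in POLICY_BLOCKLIST:
            return POLICY_BLOCKLIST[candidate]
    return None


def review(log_text):
    """Return one finding per request whose host falls under the policy."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip garbage rather than aborting the daily review
        category = policy_category(rec["host"])
        if category is None:
            continue
        findings.append({
            "ts": float(rec["ts"]),
            "user": rec["user"],
            "host": rec["host"],
            "category": category,
            "allowed": rec["allowed"],
        })
    return findings


def summarize(findings):
    """Count policy hits per user and category for the review report."""
    per_user = defaultdict(lambda: defaultdict(int))
    for f in findings:
        per_user[f["user"]][f["category"]] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


def format_report(findings):
    """Render findings as lines a reviewer would read; allowed hits are the gap."""
    lines = []
    for f in sorted(findings, key=lambda f: (f["user"], f["ts"])):
        status = "ALLOWED (prevention missed)" if f["allowed"] else "blocked by proxy"
        lines.append(f"{f['user']:<8} {f['category']:<9} {f['host']:<24} {status}")
    return lines


if __name__ == "__main__":
    hits = review(SAMPLE_LOG)
    print("\n".join(format_report(hits)))
    print(summarize(hits))
```

Hits the proxy already denied confirm the preventive control is working; hits it allowed are the ones the compensating control exists to surface, and those are what the reviewer escalates under the sanction policy.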

Comparing Access Controls

Knowing how to categorize access control examples into the appropriate type and category is important. The exam requires that the taker be able to identify types and categories of access controls. However, in the real world, remember that controls do not always fit neatly into one category: the context determines the category.

Exam Warning

For control types on the exam, do not memorize examples; instead, look for the context. A firewall is a clear-cut example of a preventive technical control, and a lock is a good example of a preventive physical control.

Other examples are less clear-cut. What control is an outdoor light? Light allows a guard to see an intruder (detective). Light may also deter crime (criminals will favor poorly-lit targets).

What control is a security guard? The guard could hold a door shut (prevent it from opening), or could see an intruder in a hallway (detect the intruder), or the fact that the guard is present could deter an attack, etc. In other words, a guard could be almost any control: the context is what determines which control the guard fulfills.

Here are more clear-cut examples:

  • Preventive
      • Physical: Lock, mantrap
      • Technical: Firewall
      • Administrative: Pre-employment drug screening
  • Detective
      • Physical: CCTV, light (used to see an intruder)
      • Technical: IDS
      • Administrative: Post-employment random drug tests
  • Deterrent
      • Physical: “Beware of dog” sign, light (deterring a physical attack)
      • Technical: Warning banner presented before a login prompt
      • Administrative: Sanction policy