If you’re planning to take the Security+ exam, you should have a good understanding of appropriate controls to ensure data security. This includes technical, operational, and management controls.
For example, can you answer this question?
Q. Which of the following is a management control?
A. Encryption
B. Security policy
C. Least privilege
D. Change management
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Security Policies as Management Controls
Security policies are written documents that lay out a security plan within a company. They are one of many management controls used to reduce and manage risk. When created early enough, they help ensure that personnel consider and implement security throughout the life cycle of various systems in the company. When the policies and procedures are enforced, they help prevent incidents, data loss, and theft.
Policies include brief, high-level statements that identify goals based on an organization’s overall beliefs and principles. After creating the policy, the organization creates guidelines and procedures to support the policies. Although the policies are often high-level statements, the guidelines and procedures provide details on policy implementation.
Security controls enforce the requirements of a security policy. For example, a security policy may state that internal users must not use peer-to-peer (P2P) applications. A firewall with rules that block P2P traffic provides a technical implementation of this policy. Similarly, administrators can use port-scanning tools to detect P2P applications listening on internal systems in violation of the policy. The firewall prevents the violation, while the scan detects it.
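As an added example (not from the original post) of a scan used as a detective control for the no-P2P policy above, the following Python script checks a port-scan result against a list of ports the policy bans. The scan text is a constructed sample in Nmap's grepable (-oG) format, and the banned-port table is an assumption based on the default ports of common P2P clients; a real run would feed the output of `nmap -oG - <range>` into `parse_grepable()`.

```python
"""Check a port-scan result against a 'no peer-to-peer applications' policy.

Added example, not from the original post. The scan text below is a constructed
sample in Nmap's grepable (-oG) format; the banned-port table is an assumption
based on the default ports of common P2P clients.
"""

# Assumed policy mapping: protocol -> ports the policy says must not be in use.
# 6881-6889/tcp: BitTorrent client defaults; 4662/tcp: eDonkey/eMule default.
BANNED_PORTS = {"tcp": set(range(6881, 6890)) | {4662}}

SAMPLE_SCAN = """\
# Nmap scan (constructed sample, not real output)
Host: 10.0.0.5 (ws05.corp.local)\tStatus: Up
Host: 10.0.0.5 (ws05.corp.local)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 6881/open/tcp//bittorrent-tracker///\tIgnored State: closed (997)
Host: 10.0.0.9 (ws09.corp.local)\tStatus: Up
Host: 10.0.0.9 (ws09.corp.local)\tPorts: 135/open/tcp//msrpc///, 6881/filtered/tcp//bittorrent-tracker///\tIgnored State: closed (998)
Host: 10.0.0.12 (ws12.corp.local)\tPorts: 4662/open/tcp//edonkey///\tIgnored State: closed (999)
"""


def parse_grepable(text):
    """Return {ip: [(port, proto, service), ...]} listing the open ports per host.

    Grepable lines are tab-separated 'Key: value' fields; each port entry is
    port/state/protocol/owner/service/rpc/version/.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comments and the Status-only line for each host
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        open_ports = []
        for entry in fields["Ports"].split(", "):
            parts = entry.split("/")
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            if state == "open":  # 'filtered' means a firewall already blocks it
                open_ports.append((port, proto, service))
        hosts[ip] = open_ports
    return hosts


def find_violations(hosts, banned=BANNED_PORTS):
    """Return {ip: [offending (port, proto, service), ...]} for hosts breaking policy."""
    violations = {}
    for ip, ports in hosts.items():
        hits = [p for p in ports if p[0] in banned.get(p[1], set())]
        if hits:
            violations[ip] = hits
    return violations


if __name__ == "__main__":
    for ip, hits in find_violations(parse_grepable(SAMPLE_SCAN)).items():
        for port, proto, service in hits:
            print(f"{ip}: {port}/{proto} ({service}) violates the no-P2P policy")
```

In the sample, ws09 shows the BitTorrent port as filtered rather than open, which is what the firewall rule (the preventive control) should produce; only the two hosts with the port actually open are reported.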
A security policy can be a single large document or divided into several smaller documents, depending on the needs of the company.
Remember this
Written security policies are management controls that identify a security plan. Other security controls, such as technical, operational, and additional management controls, enforce security policies.
Account Management Policies
Account management policies provide direction for administrators on preventing and addressing account-related vulnerabilities. Elements often included in an account management policy are:
- Require administrators to use two accounts
- Never use shared accounts
Require Administrators to Use Two Accounts
It’s common to require administrators to have two accounts. They use one account for regular day-to-day work, and it has the same limited privileges as a regular user. The other account has the elevated privileges required for administrative work, and they use it only when performing that work. The benefit of this practice is that it reduces the exposure of the administrative account to attack.
For example, when malware infects a system, it often attempts to gain additional rights and permissions using privilege escalation techniques. It may exploit a bug or flaw in an application or operating system, or it may simply run with the rights and permissions of the logged-on user.
If the administrator is logged on with the administrative account, malware running in that session inherits the elevated privileges. In contrast, if the administrator is logged on with the regular user account, malware that inherits the user’s rights gets only limited rights, and it would have to find and exploit a separate flaw to escalate any further.
This also reduces the risk of the administrative account being misused during day-to-day work. Imagine Homer is an administrator and he’s called away to a crisis. It is very possible for him to walk away without locking his computer. If he was logged on with his administrator account, an attacker walking by could access the system with administrative privileges. Although systems often have password-protected screen savers, these are typically configured to start only after 10 minutes or more of inactivity, which leaves a window of opportunity.
Never Use Shared Accounts
Account management policies often dictate that personnel should not use shared accounts. Instead, each user has at least one account, which is only accessible to that user. If multiple users share a single account, you aren’t able to implement basic authorization controls for the individual users, and you lose accountability for their actions. Chapter 1, “Mastering Security Basics,” discusses authentication concepts in depth. As a reminder, three key concepts are:
- Identification. Users claim an identity with an identifier such as a username.
- Authentication. Users prove their identity using an authentication method such as a password.
- Authorization. Users are authorized access to resources, based on their proven identity.
Imagine that Bart, Maggie, and Lisa all used a Guest account. If you want to give Lisa access to certain files, you’d grant access to the Guest account, but Bart and Maggie would have the same access. If Bart deleted the files, logs would indicate the Guest account deleted the files, but you wouldn’t know who actually deleted the files. In contrast, if users have unique user accounts, you can give them access to resources individually. Additionally, logs would indicate exactly who took an action.
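Both account management rules above (the two-account requirement and the ban on shared accounts) can be checked against logon and audit events. The following Python script is an added example, not from the original post. Its events are a constructed sample in a simplified key=value form modelled on Windows Security log IDs (4624 logon, 4660 object deleted, 4634 logoff); the account names, the "_adm" naming rule for privileged accounts, the "WS" workstation hostname prefix and the list of shared accounts are all assumptions.

```python
"""Audit logon/audit events against an account management policy.

Added example, not from the original post. Two checks are applied:
  1. two-account rule: a privileged account must not be used for interactive
     day-to-day sessions on a workstation;
  2. no shared accounts: any logon or action by a shared account is reported,
     because the log names the account, not the person behind it.
The event format, account names, '_adm' suffix, 'WS' prefix and shared-account
list are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional

EVENT_LOGON, EVENT_LOGOFF, EVENT_OBJECT_DELETED = 4624, 4634, 4660
INTERACTIVE_LOGON_TYPES = {2, 10, 11}   # console, RDP, cached console
PRIVILEGED_SUFFIX = "_adm"              # assumption: naming convention for admin accounts
SHARED_ACCOUNTS = {"guest"}             # assumption: accounts known to be shared
WORKSTATION_PREFIX = "WS"               # assumption: hostnames of day-to-day machines

# Constructed sample events (not real log output).
SAMPLE_LOG = """\
ts=2024-03-01T08:02:11 id=4624 account=homer type=2 host=WS07
ts=2024-03-01T08:40:53 id=4624 account=homer_adm type=3 host=DC01
ts=2024-03-01T09:15:04 id=4624 account=homer_adm type=2 host=WS07
ts=2024-03-01T10:22:40 id=4624 account=Guest type=2 host=WS12
ts=2024-03-01T10:23:05 id=4660 account=Guest type=- host=WS12 object=C:\\Reports\\q1.xlsx
ts=2024-03-01T11:00:00 id=4634 account=homer type=2 host=WS07
"""


@dataclass
class Event:
    timestamp: str
    event_id: int
    account: str
    logon_type: Optional[int]
    host: str
    obj: Optional[str] = None


def parse_event(line):
    """Parse one key=value event line; account names are normalised to lowercase."""
    fields = dict(item.split("=", 1) for item in line.split())
    ltype = fields.get("type", "-")
    return Event(
        timestamp=fields["ts"],
        event_id=int(fields["id"]),
        account=fields["account"].lower(),
        logon_type=int(ltype) if ltype.isdigit() else None,
        host=fields["host"],
        obj=fields.get("object"),
    )


def audit(lines):
    """Return a list of (rule, account, host, timestamp) findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.event_id == EVENT_LOGON:
            # Network logon (type 3) from the admin account to a server is expected
            # admin work; a console logon to a workstation is day-to-day use.
            if (ev.account.endswith(PRIVILEGED_SUFFIX)
                    and ev.logon_type in INTERACTIVE_LOGON_TYPES
                    and ev.host.startswith(WORKSTATION_PREFIX)):
                findings.append(("two-account", ev.account, ev.host, ev.timestamp))
            if ev.account in SHARED_ACCOUNTS:
                findings.append(("shared-account-logon", ev.account, ev.host, ev.timestamp))
        elif ev.event_id == EVENT_OBJECT_DELETED and ev.account in SHARED_ACCOUNTS:
            # The log names the Guest account, not Bart, Maggie or Lisa.
            findings.append(("unattributable-action", ev.account, ev.host, ev.timestamp))
    return findings


if __name__ == "__main__":
    for rule, account, host, ts in audit(SAMPLE_LOG.splitlines()):
        print(f"{ts} {rule}: {account} on {host}")
```

The second sample line, homer_adm logging on over the network to DC01, is not flagged: that is the administrative account being used for administrative work. The console logon with the same account on a workstation is the policy violation, and the Guest deletion is reported because no individual can be held accountable for it.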
Remember this
Requiring administrators to use two accounts, one with administrator privileges and another with regular user privileges, helps prevent privilege escalation attacks. Users should not use shared accounts.
Q. Which of the following is a management control?
A. Encryption
B. Security policy
C. Least privilege
D. Change management
Answer is B. Written security policies are management controls.
Encryption and the principle of least privilege are technical controls.
Change management is an operational control.
You might like to view the blog post about Security Controls Implementation Methods.