Technical controls in cybersecurity are tools like firewalls, encryption, and IDS that protect systems from cyber threats. They prevent unauthorized access, detect breaches, and secure data in storage or transit. These controls are key to keeping networks safe.
Imagine a shield for your data—technical controls in cybersecurity are tools like firewalls and encryption that block hackers and detect threats. They keep systems safe by controlling access and protecting sensitive information.
What Is A Security Control?
Security controls are safeguards that protect information systems, networks, and data from threats. They include preventive, detective, and corrective measures to reduce risks and address vulnerabilities. These controls ensure sensitive data stays secure, available, and confidential.
Importance
- Technical controls prevent unauthorized access and detect security violations in systems.
- They are critical for cybersecurity but must be used alongside other essential elements.
- These controls protect both data at rest (stored data) and data in motion (data moving across networks).
- The defense-in-depth strategy layers multiple controls for added security, ensuring protection even if one control fails.
Intersections With Other Building Blocks

The organizational security policy sets the objectives for technical controls, guiding decisions on which controls to deploy and how they integrate into the overall security architecture. The team responsible for technical controls makes these decisions, ensuring that controls align with risk management, compliance, and governance needs.
Balancing Security Controls
In smaller, under-resourced organizations, it’s common to see overbuilt security in some areas and underbuilt in others. To avoid this, an effective organizational security policy helps prioritize technical control deployment, ensuring a balanced approach to security across the organization.
Process and Actions
Deploying Technical Controls
Deploying technical controls requires various technologies and expertise, with network security often being the priority. Firewalls, for example, are crucial protective devices, as seen in India’s response to a malware attack in 2020.
Key Security Functions
Access control and network monitoring are vital for securing networks. Access controls, like passwords, ensure only authorized users connect, while network monitoring detects suspicious activities, which is essential as networks expand into remote areas like SCADA systems.
Network monitoring tools detect suspicious activity using signature or anomaly detection methods. While many commercial tools exist, high-quality open-source alternatives, like Snort, Bro, and Kismet, also provide effective network security (Drolet, 2018).
- Snort: Highly configurable, allows users to specify threats and responses.
- Bro: Powerful analysis engine that automates threat response, but with a steeper learning curve.
- Kismet: Detects wireless intrusions (Wi-Fi/Bluetooth) and tracks unauthorized access points for access control.
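As an added example (not code from the page or from any of the tools named above) of the two detection methods the paragraph contrasts, the Python below runs a signature check and a distinct-port anomaly check over a constructed connection log; the log lines, the two patterns and the threshold multiplier `k` are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample connection log (not from the page): "src_ip dst_port payload".
SAMPLE_LOG = """\
10.0.0.5 80 GET /index.html
10.0.0.5 80 GET /about.html
10.0.0.6 80 GET /contact.html
10.0.0.6 80 GET /static/../../../etc/passwd
10.0.0.7 80 GET /search?q=x' UNION SELECT password FROM users
10.0.0.8 22 SSH-2.0-OpenSSH_8.9
10.0.0.9 21 -
10.0.0.9 22 -
10.0.0.9 23 -
10.0.0.9 25 -
10.0.0.9 80 -
10.0.0.9 443 -
10.0.0.9 3389 -
"""

# Signature detection needs one pattern per known threat; anything unlisted is missed.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "sql-injection-union": re.compile(r"UNION\s+SELECT", re.IGNORECASE),
}

def parse_log(text):
    """Parse each line into (src_ip, dst_port, payload)."""
    events = []
    for line in text.splitlines():
        src, port, payload = line.split(" ", 2)
        events.append((src, int(port), payload))
    return events

def signature_alerts(events):
    """Signature method: flag events whose payload matches a known-bad pattern."""
    return [(src, port, name)
            for src, port, payload in events
            for name, pattern in SIGNATURES.items()
            if pattern.search(payload)]

def anomaly_alerts(events, k=1.5):
    """Anomaly method: flag sources whose distinct-port count is more than k standard
    deviations above the mean across all sources. No pattern is needed, so novel
    behaviour is caught, but a noisy-but-benign host becomes a false positive.
    k=1.5 is an assumption tuned to this small sample; production baselines are larger."""
    ports_by_src = defaultdict(set)
    for src, port, _ in events:
        ports_by_src[src].add(port)
    counts = {src: len(ports) for src, ports in ports_by_src.items()}
    threshold = mean(counts.values()) + k * pstdev(counts.values())
    return sorted(src for src, n in counts.items() if n > threshold)
```

The port-sweeping host 10.0.0.9 has no signature and is only caught by the anomaly check, while the two request payloads are only caught by signatures, which is why the page recommends running both methods.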
SCADA networks require specialized security measures because they control physical devices and processes. Responding to cyber threats must be handled carefully to avoid real-world consequences, such as cascading outages, making it crucial for utilities to understand SCADA security needs.
Adapted from 21 Steps to Improve Cybersecurity of SCADA Networks, these steps offer guidance that can also apply to enterprise networks, ensuring the digital and physical integrity of critical infrastructure.
- SCADA Security Needs: SCADA networks control physical processes, requiring careful responses to cyber threats to avoid real-world consequences (e.g., cascading outages).
- Isolation: Minimize touchpoints between SCADA and other networks (e.g., LANs and the Internet) and strengthen the remaining ones with firewalls and IDS.
- Device Management: Remove unnecessary devices and services to reduce attack surfaces; activate built-in security features like encryption and authentication.
- Deploy IDS: Use IDS tools (e.g., Snort, Bro, Kismet, OSSEC) to monitor for malware and network anomalies.
- Red Teams: Use external or internal teams to identify vulnerabilities through penetration tests and fresh perspectives.
- Physical Security: Secure remote SCADA sites to prevent physical access, which could compromise cyber defenses.
Essential Data

Utilities seeking to improve the technical controls for their SCADA networks should collect the following information:
- Touchpoints between SCADA network, enterprise network, and internet
- Physical security of remote SCADA access sites
- Asset management data for SCADA devices and their services
- Security features of devices connected to the SCADA network
- Data repositories on SCADA and enterprise networks and their protection controls
Additional Resources and References
Harris, Shon, and Fernando Maymi. 2016. CISSP All-in-One Exam Guide 7th ed. New York: McGraw Hill Education.
Stouffer, Keith, Victoria Pillitteri, Suzanne Lightman, Marshall Abrams, and Adam Hahn. 2015. Guide to Industrial Control Systems (ICS) Security. NIST Special Publication 800-82. National Institute of Standards and Technology.
Encryption
Encryption is a security measure that transforms readable data (plaintext) into unreadable text (ciphertext) to protect it from unauthorized access. This process uses algorithms to scramble the information, making it appear as random characters.
Only those with the correct decryption key can revert the data back to its original form, ensuring its confidentiality and security against unauthorized users.
Firewalls
- A firewall monitors and controls incoming and outgoing network traffic.
- It acts as a barrier between a private network and the internet.
- Firewalls inspect data packets and block those that violate preset rules.
- They serve as both detective and preventative controls, identifying and blocking potential threats.
Antivirus Software
- Antivirus software runs in the background, monitoring for potential threats.
- It scans files upon download or opening to detect viruses and malware.
- Regular comprehensive scans are performed for deeper security.
- If threats are detected, antivirus software notifies the user and prompts action.
- It serves as both a detective and preventative control.
- Many modern operating systems include antivirus software and firewalls by default.
Password Management
- Password management combines administrative and technical controls.
- Password policies enforce requirements like complexity to prevent brute force attacks.
- Multi-factor authentication adds an extra layer of protection, making account access harder for attackers.
- Locking users out after multiple failed attempts acts as a deterrent control.
- Alerts sent after failed attempts serve as a detective control, notifying of potential attacks.
Backups
- Backups are corrective controls that help restore lost data after incidents like server failure.
- Organizations may perform full backups daily or incremental backups for only changed files.
- While a technical control, backups can also be an administrative control with a clear backup policy in place.
Access Control Models
Access control models determine who can access specific data or systems, often following the principle of least privilege, where users are granted only the access necessary for their tasks. The most common model, discretionary access control, allows object owners to decide who can access their resources.
These models are both administrative and technical controls, aiming to prevent unauthorized access. They can also extend to physical security measures, such as security guards verifying IDs before granting access.
Physical Security Systems
Physical security systems, like security cameras and motion sensors, serve both as technical controls that detect threats and as deterrents to prevent intrusions. The presence of cameras not only helps in spotting intruders but also discourages potential attackers.
Beyond preventing trespassing, physical security systems like fire alarms and sprinkler systems are also corrective controls, helping to mitigate risks and protect against damage.
What Are The Goals Of Security Controls?

The main goal of implementing security controls is to reduce risks within an organization and minimize the impact of security incidents.
Security controls are classified based on their function:
- Preventive controls aim to stop incidents from happening.
- Detective controls identify incidents after they occur.
- Corrective controls help mitigate the damage caused by incidents.
- Deterrent controls discourage people from attempting incidents.
- Compensating controls serve as alternatives when primary controls are not feasible.
Implementing these controls requires careful planning, often guided by a risk profile that evaluates potential costs and resources needed.
Layering Security Controls
Layering security controls involves using multiple layers of defense to protect systems, known as a defense-in-depth strategy. By combining different controls, organizations can ensure that if one layer fails, other layers will still work to prevent a breach.
Each layer addresses specific threats, requiring organizations to invest in various technologies and processes. For instance, while endpoint detection can stop malware, it doesn’t monitor network traffic like a SIEM or prevent real-time attacks like an IPS, making it important to have multiple security layers.
Understanding The Basics Of Risks & Threats
Before we dive into control types, it’s important to first understand the cyber risks and threats they help to mitigate.
Risks:
In cybersecurity, risks refer to the probability that a threat will exploit a vulnerability, leading to a loss. These losses can include data breaches, financial damages, harm to reputation, and the erosion of customer trust.
Threats:
Threats are events that could compromise the confidentiality, integrity, and availability (CIA) of information. These can originate externally, from hackers or other entities on the internet, or internally, such as from a disgruntled employee or an insider with too much access. Not all insider threats are malicious; for example, clicking on a phishing link can unintentionally cause harm.
Vulnerabilities:
Vulnerabilities are weaknesses in the software, hardware, or processes of an organization that, when exploited by a threat, lead to security incidents.
Security Incidents:
Security incidents refer to events that threaten the confidentiality, integrity, or availability of information systems, or that violate security policies or procedures, either already happening or about to occur.
Technical Security Controls
Technical controls, also called logical controls, rely on technology to mitigate vulnerabilities within hardware and software. These controls are typically implemented through automated tools that help safeguard digital assets.
Common examples of technical security controls include:
- Encryption
- Antivirus and Anti-Malware Software
- Firewalls
- Security Information and Event Management (SIEM)
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
Technical Control Types And Implementation Methods
Below are two common examples of technical control types:
- Access Control Lists (ACLs): Filters that control incoming and outgoing network traffic, commonly used in routers, firewalls, and other network devices.
- Configuration Rules: Instructions that tell a device how to handle data passing through it, often specific to the network equipment vendor.
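Added example, not code from the page, showing how the firewall rules described earlier and the ACL entry above are actually applied: an ordered rule list evaluated top-down with first-match semantics and an implicit deny, plus an audit check for shadowed rules that can never take effect. The addresses and rules are constructed (RFC 5737 documentation ranges) and the rule syntax is this example's own, not any vendor's.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None matches any destination port

def rule(action, proto, src, dst, dport=None):
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

# Constructed ingress ACL for a hypothetical DMZ. Evaluated top-down, first match
# wins, implicit deny at the end, as on most routers and firewalls.
INGRESS_ACL = [
    rule("permit", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443),      # public web server
    rule("permit", "tcp", "198.51.100.0/24", "203.0.113.0/24", 22),  # SSH from admin subnet only
    rule("deny", "any", "0.0.0.0/0", "203.0.113.0/24", 23),          # telnet never allowed
    rule("permit", "udp", "0.0.0.0/0", "203.0.113.53/32", 53),       # authoritative DNS
    rule("permit", "tcp", "0.0.0.0/0", "203.0.113.20/32", 23),       # mistake: shadowed by rule 2
]

def matches(r: Rule, p: Packet) -> bool:
    return (r.proto in ("any", p.proto)
            and ipaddress.ip_address(p.src) in r.src
            and ipaddress.ip_address(p.dst) in r.dst
            and r.dport in (None, p.dport))

def evaluate(acl, packet):
    """Return (action, index of matching rule); ("deny", None) is the implicit deny."""
    for i, r in enumerate(acl):
        if matches(r, packet):
            return r.action, i
    return "deny", None

def shadowed_rules(acl):
    """Audit check: a rule is shadowed when an earlier rule already matches every packet
    it could match. A shadowed permit is a silent outage; a shadowed deny is a silent hole."""
    shadowed = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto in ("any", later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.dport in (None, later.dport)):
                shadowed.append(i)
                break
    return shadowed
```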
Administrative Security Controls
Administrative security controls include policies and procedures that align business practices with the organization’s security objectives. As part of onboarding, new hires often acknowledge the company’s security policies, making them accountable for adhering to these standards.
To ensure these administrative controls are effective, continuous monitoring and enforcement mechanisms are required.
The processes that monitor and enforce the administrative controls are:
- Management controls: Focus on managing risk and overseeing information system security.
- Operational controls: Carried out by people as part of the day-to-day operation of security measures.
A security policy is a management control that sets rules, while operational controls enforce those rules, and technical controls monitor compliance. For example, an acceptable use policy can be supported by web content filters that block malicious sites and log violations.
In the case of phishing attacks, management controls like an acceptable use policy are complemented by operational controls such as user training and technical controls that detect phishing emails and suspicious website activity.
Preventative Controls
Examples of preventative controls include:
- Hardening: Securing systems by reducing vulnerabilities, such as disabling unnecessary services.
- Security Awareness Training: Educating employees to recognize security threats like phishing.
- Security Guards: Physical security personnel to prevent unauthorized access.
- Change Management: Managing system changes to prevent errors or vulnerabilities.
- Account Disablement Policy: Automatically disabling accounts when employees leave or roles change.
Detective Controls
Examples of detective controls include:
Log Monitoring:
Log monitoring is a diagnostic tool that tracks real-time or stored data to ensure the proper functioning of applications. It helps assess the impact of any changes in an application’s performance. By analyzing logs, it enables quick detection of issues, ensuring system stability and availability.
SIEM:
SIEM (Security Information and Event Management) provides a comprehensive view of an organization’s security by collecting and analyzing operational logs from different systems. It helps detect and respond to security threats in real time. SIEM tools aggregate data to offer insights, improving overall security posture and compliance.
Trend Analysis:
Trend analysis involves collecting and examining data to identify patterns or trends over time from an application’s log output. The results are often visualized in graphs or tables, making it easier to spot anomalies or recurring issues. This analysis helps in proactive monitoring and improving system performance.
Security Audit
A security audit evaluates an organization’s adherence to cybersecurity standards, procedures, and policies. It ensures the proper implementation of controls and identifies areas for improvement. This audit is typically performed by external experts or internal teams preparing for external review.
Video Surveillance
Video surveillance systems capture images and videos that can be compressed, stored, or transmitted over networks for real-time or remote monitoring. They enhance security by providing visual evidence of activities and monitoring high-risk areas.
Motion Detection
Motion detection devices use sensors to identify movement in an area. Often integrated into surveillance systems, they can trigger automatic actions or alert security personnel, helping to detect unauthorized activities or potential threats promptly.
Compensating Controls
Compensating controls are alternative measures implemented when a required security control cannot be applied due to financial, infrastructure, or practical limitations. These controls must meet the intent of the original security requirement and offer a similar level of assurance.
Examples of Compensating Controls:
- Time-based One-Time Password (TOTP): A temporary passcode generated using the current time, often used as a temporary authentication method until the full authentication process is in place.
- Encryption: While full data encryption may not be feasible, alternative security tools or processes can be used to provide equivalent protection, such as database security or email encryption.
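Added example (not code from the page) that ties the password-management controls listed earlier, lockout after repeated failures and an alert on each lockout, to the TOTP compensating control above: TOTP per RFC 6238 built from the standard library and checked against the RFC's published SHA-1 test secret, with a salted PBKDF2 password check. The user record, salt, iteration count and lockout thresholds are constructed values.

```python
import hashlib
import hmac
import struct
from collections import defaultdict

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current time step."""
    return hotp(secret, int(for_time) // step, digits)

def verify_totp(secret: bytes, code: str, now: float, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step or `window` steps either side (clock drift).
    hmac.compare_digest keeps the comparison constant-time."""
    counter = int(now) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; store only the salt and this digest (iteration count is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class LoginGuard:
    """Password + TOTP check with lockout after repeated failures (deterrent control)
    and an alert recorded on every lockout (detective control)."""
    def __init__(self, users, max_failures=5, lockout_seconds=900):
        self.users = users                      # user -> (salt, password_hash, totp_secret)
        self.max_failures, self.lockout_seconds = max_failures, lockout_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}
        self.alerts = []

    def attempt(self, user, password, code, now):
        if self.locked_until.get(user, 0) > now:
            return "locked"                     # refuse before evaluating any credential
        salt, pw_hash, secret = self.users.get(user, (b"", b"", b""))
        pw_ok = hmac.compare_digest(hash_password(password, salt), pw_hash)
        if pw_ok and verify_totp(secret, code, now):
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] += 1                # one generic failure, whichever factor was wrong
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.alerts.append(f"{user} locked after {self.failures[user]} failures at t={int(now)}")
            self.failures.pop(user, None)
        return "failed"
```

The caller sees only "ok", "failed" or "locked", so a failed attempt does not reveal whether the password or the one-time code was wrong, and the lockout check runs before any credential is evaluated.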
Performing A Security Control Assessment

A Security Control Assessment (SCA) is essential for evaluating how well an organization’s security controls are functioning. It involves testing management, operational, and technical controls to determine if they are correctly implemented, working as intended, and meeting security requirements.
Regular security control assessments are crucial for maintaining a strong security posture. While some organizations are legally required to conduct assessments, all businesses should perform them to protect their systems from hackers targeting vulnerabilities in their networks.
Common Security Assessments
- Risk Assessment: Identifies and evaluates potential risks to an organization’s assets, systems, and operations, helping to prioritize security measures.
- Vulnerability Assessment: Scans and analyzes systems for known vulnerabilities that could be exploited by attackers, providing insight into areas that need improvement.
- Penetration Testing: Simulates a cyberattack on systems to identify weaknesses and test how well the security defenses can withstand real-world threats.
Security Risk Assessments
- Security Risk Assessment Steps: Involves identifying assets, evaluating risks, assessing vulnerabilities, and determining the potential impact of threats.
- Purpose: Helps prioritize areas that present the highest risk, vulnerability, or exposure to an organization.
- Risk Identification: Focuses on identifying potential risks that could affect critical assets or operations.
- Importance: Serves as the foundation for developing a comprehensive risk management plan to mitigate threats.
Vulnerability Assessments
- Vulnerability Identification: Process of identifying risks and weaknesses in networks, systems, applications, and hardware.
- Critical Role: Key component of the vulnerability management lifecycle, helping to protect systems and data.
- Tools Used: Typically employs vulnerability scanners to detect potential threats and weaknesses.
- Risk Exposure: Helps identify areas in an organization’s IT infrastructure that could lead to unauthorized access or data breaches.
Penetration Testing
- Purpose: Penetration testing identifies security vulnerabilities in web applications, networks, or systems by simulating a malicious attack.
- Objective: Aims to prevent unauthorized access, data changes, or exploitation by replicating the actions of a bad actor.
- Importance: Helps organizations learn how to handle security breaches and assess the effectiveness of their security policies.
- Benefit: Provides insights and solutions to detect, prevent, and expel intruders efficiently, ensuring better overall security.
Conclusion
Technical controls in cybersecurity are tools and systems designed to protect data and networks from unauthorized access or harm. These controls use technology to prevent, detect, and respond to security threats. Examples include firewalls, encryption, and intrusion detection systems. They help protect sensitive information and ensure that only authorized users can access certain resources.
Technical controls are often automated and work continuously to monitor systems for any security breaches. They are an essential part of any cybersecurity strategy, as they help maintain the confidentiality, integrity, and availability of data. By using these tools, organizations can effectively manage and reduce security risks.
Frequently Asked Questions:
What are the technical controls of data security?
Technical controls protect data through encryption, firewalls, access management, and intrusion detection/prevention systems to ensure confidentiality and integrity.
What are the NIST technical controls?
NIST technical controls include encryption, access control, monitoring, and auditing to ensure data protection and compliance with security standards.
What is the difference between technical and logical controls?
Technical controls involve technology like firewalls and encryption, while logical controls focus on access restrictions, such as user permissions and authentication.
What are the 4 technical controls?
The four key technical controls are encryption, firewalls, intrusion detection/prevention systems (IDS/IPS), and access control.