Security Notes

You've got this!

General Security Concepts

Security Controls

There are various types of security controls that an organization can utilize, and these controls are categorized by factors such as who or what implements them and what they are designed to protect. These categories include technical, managerial, operational, and physical controls.

Technical controls, also known as logical controls, are implemented using systems rather than manually executed by human beings. Some examples include OS settings, firewalls, antivirus software, IPS or IDS, and the use of encryption.

Managerial controls, also known as administrative controls, are meant to manage how people use technology and other resources. These controls take the form of policies and documentation such as an AUP. Some other examples of administrative controls include security awareness training and risk assessments.

On a similar note, operational controls are a type of control implemented by people rather than systems, focused on the day-to-day operation of systems. Some examples include configuration management, system backups, and patch management.

Lastly, we have physical controls. These controls are used to physically limit someone's access to a building, room, device, or other resource. For example, this could include a security guard, fences, locks, or badge readers.

Security Control Types

Security controls can be sorted not only into categories, but also into types. These types include preventive, deterrent, detective, corrective, compensating, and directive.

The goal of a preventive control type is to outright block access to a resource. Examples include firewall rules, a guard who checks identification, or locks on a door.

A deterrent control type, on the other hand, focuses on discouraging someone from accessing a resource. Examples may include warnings in the form of application splash screens, signs, or warnings within a document. Deterrents may also include a reception desk.

Detective control types identify and potentially log breaches when they occur. Examples include collecting and reviewing system logs, login reports, patrolling the area, or motion sensors. Detective controls generally do not resolve issues on their own, and further action may be necessary to resolve the incident.

After detective controls alert someone or something of an incident, that's when corrective controls swoop in. Corrective controls are used to apply a control after an event has been detected, recover from the impact of an event, or to continue operation with minimal downtime. Some examples include recovering an infected device from a backup, contacting law enforcement in the event that someone infiltrates the building, or using a fire extinguisher.

If there's some sort of issue that can't be resolved, you can use compensating controls to instead work around it. For example, if you have an application with a known vulnerability that doesn't have a patch yet, you might create a firewall rule to prevent someone from exploiting that vulnerability. Or, you might hire multiple security guards at once to make sure no sole security guard has access to everything in your environment. Or, in the event of a power outage, you might use a generator so systems will continue to be available.

Lastly, we have the directive control type. This is a weaker security control, because all you're doing is directing someone to do something. On its own, there's nothing directly stopping them from simply ignoring your instructions. For example, you might instruct someone to store all sensitive files in a protected folder, create certain policies and procedures that employees must follow, train users on security practices, or put up a sign that says something like "Authorized Personnel Only."

Cryptography

Data Obfuscation

Data obfuscation is when data in a dataset is transformed into a format that is unreadable. One method is by hashing the data. However, hashing the data still leaves it vulnerable to rainbow table attacks. You can prevent these rainbow table attacks by salting the data.

Another method of data obfuscation is tokenization. With this method, sensitive information is replaced with a unique string using a lookup table. For example, you might replace a name or parts of a name with a randomly generated number and add that number and the name to the lookup table. However, you need to keep the lookup table very secure if you use this method.

Lastly is masking. This method works great if you don't actually need to retrieve this data later. With this method, you replace the sensitive information with blank values. You may recognize this method from shopping receipts--oftentimes, receipts will print credit/debit card numbers with asterisks or x's replacing all but the last four numbers.
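The three methods side by side, as an added example that is not part of the original notes. The function and class names and the sample values are constructed for illustration, and it uses only the Python standard library.

```python
import hashlib
import secrets

def unsalted_hash(value):
    # Same input always gives the same digest, so a precomputed
    # (rainbow) table of common values can map it back.
    return hashlib.sha256(value.encode()).hexdigest()

def salted_hash(value, salt=None):
    # A random per-record salt makes the digest unique to this record.
    # (For passwords, a slow salted KDF such as hashlib.scrypt is the usual choice.)
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.sha256(salt + value.encode()).hexdigest()

class TokenVault:
    """Lookup table mapping random tokens to the original values."""
    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        if value not in self._by_value:       # reuse the token for a repeated value
            token = secrets.token_hex(8)      # random: reveals nothing about the value
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token):
        # Reversal needs the table, which is why the table must be protected.
        return self._by_token[token]

def mask_card(number, keep=4):
    # Irreversible: the hidden digits are discarded, not stored anywhere.
    digits = [c for c in number if c.isdigit()]
    return "*" * (len(digits) - keep) + "".join(digits[-keep:])

if __name__ == "__main__":
    name = "Alice Example"                    # constructed sample data
    print("unsalted:", unsalted_hash(name))
    print("salted:  ", salted_hash(name)[1])
    vault = TokenVault()
    print("token:   ", vault.tokenize(name))
    print("masked:  ", mask_card("4111 1111 1111 1111"))
```

Hashing and masking are one-way, while tokenization is reversible only through the lookup table.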

Symmetrical Encryption

Symmetrical encryption methods are encryption methods where the same key is used for both encryption and decryption. One example of a very well-known symmetric encryption method is Data Encryption Standard (DES), a historic algorithm made in the 1970s. It works on 64-bit blocks, only taking 64-bit input and pushing out 64-bit output. When using this method, the input is put through the Feistel function 16 times, combining it with a 56-bit key each time. However, DES is now considered insecure.

A variation of DES is Triple DES (3DES), which is exactly the same as DES except you run it three times over the same data, using a different key each time. It is decrypted by using the keys in opposite order. However, this method is still limited to the vulnerabilities of DES, and is therefore still considered insecure.

Let's finally get to some more modern methods. Advanced Encryption Standard (AES) came about through a competition held by the National Institute of Standards and Technology (NIST) with the goal of replacing DES. AES was the winner of this competition. AES is widely used today, and you may recognize it if you've ever set up a home router. Much like DES, AES is a symmetric algorithm and a block cipher. However, it works with 128-bit blocks and allows three different key lengths: 128-bit, 192-bit, or 256-bit. All of these key lengths are considered secure.

Another example of a modern symmetric encryption algorithm is Blowfish. This algorithm works on 64-bit blocks, much like DES, but you can use any key length between 32 and 448 bits. However, Blowfish is no longer considered secure due to known attacks against some weak encryption keys.

An alternative to Blowfish is Twofish. This algorithm is still considered secure and was even recommended by Bruce Schneier, the creator of Blowfish. This algorithm is also public domain. It works on blocks of 128 bits (like AES) and uses keys that are 128, 192, or 256 bits long.

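| Name     | Block Length | Key Length            | Secure? |
|----------|--------------|-----------------------|---------|
| DES      | 64 bits      | 56 bits               | No      |
| 3DES     | 64 bits      | 112 bits              | No      |
| AES      | 128 bits     | 128, 192, or 256 bits | Yes     |
| Blowfish | 64 bits      | 32-448 bits           | No      |
| Twofish  | 128 bits     | 128, 192, or 256 bits | Yes     |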

Asymmetrical Encryption

Unlike symmetric cryptography, asymmetric cryptography produces a pair of keys instead of just one. This solves many scalability issues present with symmetric encryption. RSA is an encryption method published in 1977 and still used today. It was named after its creators: Ron Rivest, Adi Shamir, and Len Adleman. When a new user wants to use RSA, they create a key pair. This pair is made using complex math involving prime numbers. From the resulting two keys, one is selected as the public key, and the other is made the private key. This public key can be shared with others freely, while the private key is to be kept secret and secure.

When someone wants to use RSA to encrypt a message, they will use the receiver's public key to encrypt it before sending it. This is because only the private key can decrypt something that was encrypted with the public key and vice versa. Since only the receiver has the private key, this means only they can decrypt the message.

The main drawback of RSA is that it's slow. To get around this, RSA is not often used for directly encrypting long messages. It can instead be used to safely exchange a symmetric key, and then that symmetric key can be used to encrypt communications for the rest of that session.

Some key facts on RSA: it uses a key length range of 1024-4096 bits. However, only key lengths of 2048 bits or higher are still considered secure.
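The key pair and the key-exchange pattern described above, as an added example that is not part of the original notes. It uses textbook RSA without padding on a deliberately tiny constructed key (about 216 bits, far below the 2048-bit minimum), and a SHA-256 keystream stands in for a real symmetric cipher such as AES because the Python standard library has none; all names are chosen for illustration.

```python
import hashlib
import secrets

# Constructed demo key built from two known Mersenne primes.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                              # modulus, part of both keys
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

def rsa_apply(m, exp, n=N):
    """Textbook RSA: m^exp mod n. Real systems add padding such as OAEP."""
    return pow(m, exp, n)

def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256(key || offset) keystream.
    The same call encrypts and decrypts because the same key is used both ways."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def send(message, pub_exp=E, n=N):
    session_key = secrets.token_bytes(16)             # fresh 128-bit symmetric key
    # Slow asymmetric step, done once: wrap the key with the receiver's public key.
    wrapped = rsa_apply(int.from_bytes(session_key, "big"), pub_exp, n)
    # Fast symmetric step for the bulk data.
    return wrapped, keystream_xor(session_key, message)

def receive(wrapped, ciphertext, priv_exp=D, n=N):
    # Only the holder of the private exponent can recover the session key.
    session_key = rsa_apply(wrapped, priv_exp, n).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)

if __name__ == "__main__":
    msg = b"constructed sample message for the rest of the session"
    wrapped, ct = send(msg)
    print("modulus bits:", N.bit_length())
    print("recovered:", receive(wrapped, ct))
```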
