So let's really quickly talk about technical controls and some of the things that you might consider when implementing access control policies.
You understand the concept of separation of duties and least privilege: the idea that I should only have access to what I need to know to do my job. If I'm in engineering, do I really need access to accounting data? If I'm not an administrator, do I really need administrative credentials on my laptop or on my particular system? So, separation of duties and least privilege. You see these getting implemented on moderate and high level systems as a requirement; at least for high level systems, administrative accounts have to be separate. You can't have one user account that functions both as an administrator account and a regular user account. That's why, if you're an administrator, you usually have two accounts: one for administrative duties, one for user duties.
Non-repudiation. If you have to implement this, it's because you want to prove that John sent a communication to David and David received it. David knows that John sent it; you can't repudiate, you can't deny that fact. So for low and moderate systems you don't have to do this, but for high risk systems you're looking at things like digital signatures, logging, or message receipts. You typically see this with PKI implementations. So you send a signed, encrypted message: I know that you sent it, and only you sent it, unless somebody has compromised your certificate and your PIN number.
Identification is the idea that you're able to distinguish between people logging into a system, and this is very common on just about every IT system that's out there. You have accountability here on who logged in and when they logged in, and you can assign people rights or privileges based on this identification of people. The flip side of that is authentication. So how do you know that I'm Chris? Well, either because I have a password, or because of my thumbprint, or because of my retina scan, or I have a token or something. So generally what you see here is: if identification is a user ID, authentication will be a password, or a PIN number, or a token, or something like that. There are multi-factor authentication systems out there; again, something you know, something you have, something you are. Multi-factor means pick two or more out of those three, and they have to be different types. So it can't be two user names; that's not multi-factor authentication.
So for moderate level systems, this is kind of a separation that says privileged accounts will use multi-factor authentication; general user accounts, not a big deal. High risk systems: now you're talking about multi-factor authentication for everybody, privileged and non-privileged accounts. So on a high risk system they really want to make sure that you are John and you are really the one logging into this system, and the way they do that is through multi-factor authentication.
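As an added example (not from the lecture), this Python snippet encodes the two rules just stated: presented credentials only count as multi-factor when they span two or more different categories (know, have, are), and the baseline decides who must use it (moderate: privileged accounts only; high: everyone). The credential names, the factor taxonomy, and the assumption that a low baseline needs only one factor are constructed for this example.

```python
from enum import Enum

class FactorType(Enum):
    KNOW = "something you know"
    HAVE = "something you have"
    ARE = "something you are"

# Assumed taxonomy mapping credential kinds to factor categories.
FACTOR_CATEGORY = {
    "password": FactorType.KNOW,
    "pin": FactorType.KNOW,
    "username": None,                 # identification, not an authentication factor
    "hardware_token": FactorType.HAVE,
    "smart_card": FactorType.HAVE,    # e.g. a CAC card
    "fingerprint": FactorType.ARE,
    "retina_scan": FactorType.ARE,
}

def distinct_factor_types(credentials):
    """Set of distinct factor categories among the presented credential kinds.
    Unknown kinds raise so a typo never silently counts as a factor."""
    types = set()
    for kind in credentials:
        if kind not in FACTOR_CATEGORY:
            raise ValueError(f"unknown credential kind: {kind}")
        category = FACTOR_CATEGORY[kind]
        if category is not None:
            types.add(category)
    return types

def is_multi_factor(credentials, minimum=2):
    """Two passwords are one factor; a password plus a token are two."""
    return len(distinct_factor_types(credentials)) >= minimum

def required_factor_types(baseline, account_is_privileged):
    """Lecture's rule: moderate -> MFA for privileged accounts only; high -> MFA for all.
    Low is assumed here to need a single factor (the lecture does not say)."""
    if baseline == "high":
        return 2
    if baseline == "moderate" and account_is_privileged:
        return 2
    return 1

def authentication_acceptable(credentials, baseline, account_is_privileged):
    needed = required_factor_types(baseline, account_is_privileged)
    return len(distinct_factor_types(credentials)) >= needed
```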
Boundary protection. Again, all this is saying is that you control the communication between the outside and the inside of your network. You manage the interfaces such that you can look at that traffic and control who can do what. This is commonly implemented through proxy devices, gateways, firewalls, routers, or encrypted tunnels like IPsec or something like that. But your implementation of the boundary protection control will be technical; it'll be one of these devices here. At the moderate risk level, they say that you have to step up a little bit. You have to have a demilitarized zone, or separation between public information and everything else: what should be public information and what should not be cannot reside on the same system. This is why you see a DMZ; it's very common now to have a demilitarized zone where your web servers and your public information are all hanging out in no man's land, compared to the inside of your network. Again, for moderate risk, you're trying to limit the number of access points you have. You don't want to have 20 different gateways out to the Internet, because that means 20 different points that you have to monitor. You need to have some type of traffic flow policy on that which denies by exception; that's pretty standard nowadays on firewalls. For high risk systems, they step this up a little bit more and say that boundary protection mechanisms must fail closed. So if there's a failure or a breach or something like that, the system goes and shuts off the boundary so that no external connections are allowed. You also have to use proxy servers now, so either web proxies, application proxies, or something like that. The idea here is that you're using these systems to proxy your connections, and you're hiding systems on the internal network.
Firewalls. I don't think I need to belabor this. It's just an access control point; this is a technical implementation of a boundary protection requirement. So keep in mind, for all of these, that as you're going through this your particular control requirement may say "boundary protection." How do you implement that control? Maybe just a router with an access control list on it. That's up to you. But there are specific guidelines in 800-53 which will tell you these are the requirements you need to meet, so you might need to do MAC filtering or IP filtering based on whether you're a low, moderate, or high risk system.
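As an added example (not from the lecture, and not any vendor's firewall syntax), this Python snippet models three of the boundary protection points above: a traffic flow policy that denies by exception (no matching allow rule means the flow is dropped), an access control list separating a DMZ web server from the internal network, and fail-closed behaviour where a rule set that cannot be loaded permits nothing. The rule format, addresses, and sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]               # None means any port

def parse_rules(lines):
    """Parse 'action src dst port' lines; any malformed line raises ValueError."""
    rules = []
    for line in lines:
        line = line.split("#")[0].strip()       # strip comments and blanks
        if not line:
            continue
        action, src, dst, port = line.split()   # ValueError if field count is wrong
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action: {action}")
        rules.append(Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          None if port == "any" else int(port)))
    return rules

def load_policy(lines, fail_closed=True):
    """Fail closed: on a bad rule set return no rules, so evaluate() denies every flow.
    With fail_closed=False the error propagates and a caller could fall back to an open state."""
    try:
        return parse_rules(lines)
    except ValueError:
        if fail_closed:
            return []
        raise

def evaluate(rules, src_ip, dst_ip, port):
    """First matching rule wins; no match at all means deny (deny by exception)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (r.port is None or r.port == port):
            return r.action
    return "deny"

# Constructed sample ACL: one DMZ web server (203.0.113.10), internal network 10.0.0.0/8.
SAMPLE_RULES = """
allow 0.0.0.0/0      203.0.113.10/32 443   # anyone on the Internet may reach the web server over HTTPS
allow 10.0.0.0/8     203.0.113.10/32 22    # internal admins may SSH to the DMZ host
deny  203.0.113.0/24 10.0.0.0/8      any   # DMZ hosts never initiate into the internal network
""".splitlines()
```

Every flow not listed, such as an Internet host trying to reach 10.0.0.0/8 directly, falls through to the default deny, and a rule set with a typo yields an empty policy rather than an open boundary.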
Cryptography. This is how confidentiality is implemented. You have to do this across all the baselines. It ensures that whatever information you're transmitting is not viewable by others. You also get authentication and non-repudiation if you're using certain cryptography methods. How would you implement this in your systems if you came across a control that said "security control: cryptography"? Again, implementation is left up to you as a risk manager. How would you implement cryptography in your organization? PKI is a way a lot of people do it, because with PKI I can do encrypted emails, I can sign email so people know I have authentication; usually those are tied to a CAC card or something, so now I've got my logon information in there as well. That's how you validate my identity. How else would you do it? Right, a virtual private network. So I've got a VPN tunnel from the outside, an IPsec tunnel, any of those sorts of things. You might decide that your requirements are stringent enough that you actually have to have a dedicated crypto device, like a KG-84, a KIV-7, or one of those bulk encryptors that encrypt the transmission path. Which ones you pick is going to be up to you. The control requirement says you have to have cryptography; how you implement it, again, is kind of up to you, as is how you want to meet these particular requirements. At all risk baselines, low included, certain levels of cryptography are required. I'm not saying that you have to go out and implement PKI for a low impact system, but there will be requirements in there for cryptography, like protecting information such as Social Security numbers at rest, if you have a low impact system that processes that.
So one of the last things we'll talk about here is honeypots. You don't have to implement this at any level, but why would you want to? Because you want visibility into attacks that are coming your way. So this is a good example of a technical control that you're not required to do, but some of the more robust security programs out there will implement this as part of a risk management strategy. They'd much rather have the honeypot compromised by an attacker than a live system.