⚙️ Technological security

Technological (technical) controls are security mechanisms built into technology that enforce security policies automatically: authentication, encryption, segmentation, logging. This guide is based on ISO/IEC 27002:2022 Chapter 8 (34 controls), NIST SP 800-53 and CIS Controls v8. Examples are fictional and intended for teaching.

Legend: codes in brackets (e.g. 8.24) refer to the technological controls of Chapter 8 of ISO/IEC 27002:2022.

What are technical controls

Classification of controls - type and function

Security control classification: three control types (technical, administrative, physical) against three functions (preventive, detective, corrective), plus deterrent and compensating controls. The technical row is the subject of this guide.

Type                  | Preventive                                         | Detective                               | Corrective
Technical (logical)   | MFA, encryption, firewall, RBAC, segmentation      | IDS/IPS, SIEM, logs, FIM, monitoring    | backups, patching, isolation, rollback, quarantine
Administrative        | policies, training                                 | audits, reviews                         | incident response plan
Physical              | locks, badges                                      | CCTV, alarms                            | repair, restoration

Technical controls are also called logical controls: technology-based mechanisms that enforce policies automatically and consistently, as opposed to administrative controls that rely on human action. This guide covers the technological controls of Chapter 8 of ISO/IEC 27002.

Functions

Preventive (stop an event before it happens), detective (discover that it happened), corrective (restore after it). In addition: deterrent (discourage the attempt) and compensating (an alternative when the primary control is not feasible).

Defence in depth

Technical controls are placed in several layers - network, host, application, data, identity - so that a single breach does not compromise everything. See the 'Defence in depth' tab.

Relationship to the NIS2

The risk management measures of Article 21 of the NIS2 Directive (EU) 2022/2555 are largely technical controls: cryptography, access control, MFA, incident detection and business continuity.

Defence in depth

Layers of technical controls - from network to data

Layers of technical controls: five defensive layers from network to data, with identity and monitoring as cross-cutting layers.

Network / perimeter: firewall, VPN, DDoS protection, IPS (8.20/8.21)
Segmentation: VLAN, microsegmentation, NAC (8.22)
Host / endpoint: EDR, hardening, patching (8.1/8.7/8.8)
Application: WAF, secure coding, SAST/DAST (8.26/8.28)
Data: encryption, DLP, masking, backups (8.24/8.12)
Identity and access (spans all layers): IAM, MFA, PAM, RBAC, Zero Trust (8.2/8.3/8.5)

Logging and monitoring (8.15/8.16) span all layers so that a breach in any of them is noticed. Identity is also cross-cutting: every layer must verify who is accessing it (Zero Trust: never trust by network location).

Why Layers

No single control is infallible. Independent layers mean that an attacker has to defeat several of them - network, host, application, data - before reaching the target.

Least privilege

Each layer grants only what is necessary (least privilege, need-to-know). This limits how far an attacker can spread after breaching a single layer.

Assume breach

The modern approach (assume breach) takes for granted that the perimeter will be breached. Segmentation, monitoring and data encryption therefore matter: a single breach must not expose everything at once.

International practice

ISO/IEC 27002:2022 Chapter 8 - 34 technological controls

ISO/IEC 27002:2022 has four control themes: Organisational (Chapter 5, 37 controls), People (Chapter 6, 8 controls), Physical (Chapter 7, 14 controls) and Technological (Chapter 8, 34 controls - this section). ISO 27001 Annex A.8 mirrors these 34 controls; they map to NIST SP 800-53 (AC/IA/SC/SI/AU/CM/CP) and CIS Controls v8.
8.1 User endpoint devices
8.2 Privileged access rights
8.3 Information access restriction
8.4 Access to source code
8.5 Secure authentication
8.6 Capacity management
8.7 Protection against malware
8.8 Management of technical vulnerabilities
8.9 Configuration management
8.10 Information deletion
8.11 Data masking
8.12 Data leakage prevention (DLP)
8.13 Information backup
8.14 Redundancy of information processing facilities
8.15 Logging
8.16 Monitoring activities
8.17 Clock synchronization
8.18 Use of privileged utility programs
8.19 Installation of software on operational systems
8.20 Networks security
8.21 Security of network services
8.22 Segregation of networks
8.23 Web filtering
8.24 Use of cryptography
8.25 Secure development life cycle
8.26 Application security requirements
8.27 Secure system architecture and engineering principles
8.28 Secure coding
8.29 Security testing in development and acceptance
8.30 Outsourced development
8.31 Separation of development, test and production environments
8.32 Change management
8.33 Test information
8.34 Protection of information systems during audit testing

NIST SP 800-53 control families

Technical controls sit mainly in the families AC (access control), IA (identification and authentication), SC (system and communications protection), SI (system and information integrity), AU (audit and accountability), CM (configuration management) and CP (contingency planning).

CIS Controls v8

A practical implementation checklist: CIS Control 3 (data protection), 4 (secure configuration of enterprise assets and software), 5 (account management).

NIS2 and MK 397

NIS2 Article 21 and Latvian Cabinet Regulation No. 397 require technical measures - cryptography, MFA, access control, vulnerability management, logging and backup - proportionate to the risk.

Compliance in Latvia - main requirement MK 397: Cabinet Regulations No.397 is the binding regulation in Latvia, which determines what must be done (in the national cybersecurity framework, implementing the NIS2). Implementing Regulation (EU) 2024/2690 and GDPR complement the requirements. International standards (ISO 27001/27002, COBIT, SABSA, TOGAF, NIST) provide a recognised auditable method for their implementation.

Compliance layers, from EU law to implementation: MK 397 defines WHAT must be done, the standards define HOW.

EU legal basis: NIS2 Directive (EU) 2022/2555, Implementing Regulation (EU) 2024/2690, GDPR (EU) 2016/679
transposed nationally into
Cabinet Regulation No. 397 - Latvia's binding requirement: WHAT is mandatory; the national cybersecurity legal framework
implemented with recognised standards
International implementation standards - HOW: ISO 27001 / 27002, COBIT, SABSA, TOGAF, NIST CSF / SP 800-53

MK 397 determines the result required by law. The international standard is a verifiable way to achieve it - without it compliance remains declarative.

MK 397 - National requirement

The binding regulation in Latvia establishes mandatory technical measures. The implementation is based on ISO 27002 Chapter 8, NIST SP 800-53 and CIS Controls v8 - they give a specific, measurable configuration that MK 397 requires as a result.

Implementing Regulation (EU) 2024/2690

The Annex details the technological requirements: cryptography, access control, secure system acquisition, development and maintenance, and asset management - a direct match to ISO 27002 Chapter 8 controls.

GDPR Article 32

GDPR requires 'appropriate technical measures' for the security of personal data - encryption, pseudonymisation, confidentiality, integrity and resilience. The technological controls (8.24, 8.11) are their direct implementation.

IAM - ISO 8.2 / 8.3 / 8.5

Identity and access - authentication, authorisation, record keeping

AAA - authentication, authorisation, accounting. A user or device (identity) passes authentication ('who are you?': MFA, FIDO2, passkey; 8.5), then authorisation ('what may you do?': RBAC/ABAC, least privilege; 8.3), and only then reaches the resource (data, API). Accounting ('who, what, when': logging, 8.15; non-repudiation) records the whole flow.

Zero Trust: never trust based on network location - every request is authenticated and authorised (NIST SP 800-207). MFA counters stolen passwords; least privilege counters over-privileged accounts.

Secure authentication (8.5)

Multi-factor authentication (MFA), preferably phishing-resistant (FIDO2/WebAuthn, passkeys). Passwords: long, checked against breach lists, and stored only as salted Argon2 or bcrypt hashes.

Privileged access (8.2 / PAM)

Administrative rights separately: just-in-time allocation, session recording, separate admin accounts, vault secrets. Excessive privileges are the main route of spreading.

Access limitation (8.3)

Need-to-know and least privilege: the user sees only what the job requires. Roles (RBAC) or attributes (ABAC), regular access reviews and immediate revocation when a role changes.
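The AAA flow above, with the password-hashing rule from 8.5 and the deny-by-default, revoke-on-role-change rule from 8.3, as one added example (this is not code from the original page). Assumptions: the users, roles, data labels and password values are constructed; stdlib scrypt stands in for the Argon2/bcrypt the page recommends because neither ships with Python; the second factor is modelled as a boolean the caller supplies after its own check.

```python
"""Added example (not from the page): minimal AAA - authenticate, authorise, account."""
import hashlib
import hmac
import os

# --- Authentication (8.5): per-user salt, slow hash, constant-time compare ---
# scrypt is used here only because it is in the standard library; the page's
# recommendation is Argon2 or bcrypt, which need a third-party package.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)   # ~16 MiB per hash, tunable cost

def hash_password(password: str) -> dict:
    """Return {salt, hash}; the clear-text password is never stored."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt, "hash": digest}

def verify_password(record: dict, password: str) -> bool:
    """Recompute with the stored salt; compare in constant time to avoid timing leaks."""
    candidate = hashlib.scrypt(password.encode(), salt=record["salt"], **SCRYPT_PARAMS)
    return hmac.compare_digest(record["hash"], candidate)

# Constructed user store (assumption: two users, two roles).
USERS = {
    "anna":     {"pw": hash_password("correct horse battery staple"), "role": "analyst"},
    "root-ops": {"pw": hash_password("Tr0ub4dor&3"),                 "role": "admin"},
}

# --- Authorisation (8.3): deny by default, need-to-know via data labels ------
# role -> set of (action, data label) the role needs for its job; anything
# not listed is denied, including for "admin".
ROLE_PERMISSIONS = {
    "analyst": {("read", "internal"), ("read", "confidential")},
    "admin":   {("read", "internal"), ("write", "internal")},
}

def is_authorized(role: str, action: str, label: str) -> bool:
    return (action, label) in ROLE_PERMISSIONS.get(role, set())

# --- Accounting (8.15): append-only audit trail ------------------------------
AUDIT_LOG = []   # in production this is shipped off-host to the SIEM

def record(user: str, stage: str, outcome: str, detail: str = "") -> None:
    AUDIT_LOG.append((user, stage, outcome, detail))

# --- The full check ----------------------------------------------------------
def access(user: str, password: str, action: str, label: str, mfa_ok: bool) -> bool:
    """True only if authentication (password + MFA) and authorisation both pass."""
    rec = USERS.get(user)
    # Hash even for unknown users so response time does not reveal valid usernames.
    probe = USERS["anna"]["pw"] if rec is None else rec["pw"]
    pw_ok = verify_password(probe, password) and rec is not None
    if not (pw_ok and mfa_ok):
        record(user, "authn", "deny", "bad password or MFA")
        return False
    record(user, "authn", "allow")
    if not is_authorized(rec["role"], action, label):
        record(user, "authz", "deny", f"{action}:{label} not granted to role {rec['role']}")
        return False
    record(user, "authz", "allow", f"{action}:{label}")
    return True

def change_role(user: str, new_role: str) -> None:
    """Immediate revocation: the next request is evaluated against the new role."""
    USERS[user]["role"] = new_role
    record("iam", "admin", "role-change", f"{user} -> {new_role}")

if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(access("anna", pw, "read", "confidential", True))   # allowed: analyst may read confidential
    print(access("anna", pw, "write", "internal", True))      # denied: not in the analyst role
    print(access("anna", "wrong", "read", "internal", True))  # denied at authentication
    change_role("anna", "admin")
    print(access("anna", pw, "read", "confidential", True))   # denied now: admin has no need-to-know
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the role change is denied, not just logged: need-to-know means a more powerful role is not a superset of a less powerful one, which is the point of separate admin accounts in 8.2.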

ISO 8.24 / 8.11 / 8.12

Cryptography and data protection - three data states

Three data states and their protection, with key management underneath all of them.

At rest: disk / database encryption, AES-256, full-disk encryption, keys in a KMS / HSM
In transit: TLS 1.3, mTLS, VPN / IPsec, certificates, HSTS
In use: confidential computing, enclaves, masking, tokenisation
Key management: generation, rotation, revocation, secure storage (HSM) - without it encryption is only apparent

Cryptography (8.24) protects confidentiality and integrity, but is only as strong as its key management. Use vetted algorithms and protocols (AES, TLS 1.3), never home-grown ones.

Data leakage prevention (8.12 / DLP)

DLP detects and blocks the output of sensitive data (email, USB, cloud). Combined with classification and labelling to know what to protect.

Masking and deletion (8.11 / 8.10)

Data masking and tokenisation reduce exposure in non-production environments. A secure deletion policy ensures that data are permanently removed when no longer required.

Backup and redundancy (8.13 / 8.14)

Backups on the 3-2-1 principle (3 copies, 2 media types, 1 off-site), encrypted and verified with restore tests. Redundancy of critical systems (8.14) ensures availability.

ISO 8.7 / 8.8 / 8.9 / 8.16

Hardening, vulnerability management and monitoring

Vulnerability management cycle (8.8), a continuous loop: 1 Discover (scanning, inventory) → 2 Prioritise (CVSS, KEV, risk) → 3 Remediate (patch, configuration) → 4 Verify (re-scan) → back to 1, because new vulnerabilities appear constantly.

Hardening basics: secure baseline configuration (CIS Benchmark), least functionality, malware protection (8.7), web filtering (8.23), change management (8.32), changing default passwords.

Monitoring (8.15 / 8.16): centralised logging → SIEM → correlation → alert → response. Without monitoring the other controls operate blind. Synchronise clocks (NTP, 8.17), otherwise events from different hosts cannot be correlated correctly.
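The correlation step, and why 8.17 matters to it, as an added example (not code from the original page): a sliding-window detector for password spraying across two hosts, where one host's clock is ten minutes behind. The log lines, hosts, IP addresses and the per-host clock offsets (assumed to come from an NTP audit) are all constructed; the threshold of five failures in sixty seconds is an assumption, not a value the page gives.

```python
"""Added example (not from the page): brute-force correlation over sshd logs from two hosts."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed syslog-style lines. web-2's clock runs 10 minutes slow, so its
# entries carry 09:50 timestamps for events that really happened at 10:00.
SAMPLE_LOG = """
2024-03-01T10:00:01Z web-1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51122 ssh2
2024-03-01T10:00:03Z web-1 sshd[2212]: Accepted publickey for deploy from 198.51.100.4 port 40010 ssh2
2024-03-01T10:00:05Z web-1 sshd[2213]: Failed password for root from 203.0.113.7 port 51123 ssh2
2024-03-01T10:00:09Z web-1 sshd[2214]: Failed password for invalid user test from 203.0.113.7 port 51124 ssh2
2024-03-01T09:50:12Z web-2 sshd[3301]: Failed password for admin from 203.0.113.7 port 51125 ssh2
2024-03-01T09:50:16Z web-2 sshd[3302]: Failed password for root from 203.0.113.7 port 51126 ssh2
2024-03-01T09:50:20Z web-2 sshd[3303]: Failed password for invalid user oracle from 203.0.113.7 port 51127 ssh2
2024-03-01T10:01:30Z web-1 sshd[2220]: Failed password for anna from 198.51.100.4 port 40011 ssh2
""".strip().splitlines()

# Assumption: seconds each host's clock is AHEAD of true time, measured by an NTP audit.
CLOCK_OFFSETS = {"web-1": 0, "web-2": -600}

LINE_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse(line: str, correct_clocks: bool = True):
    """Return a normalised event for failed logins, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_raw, host, user, src = m.groups()
    ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if correct_clocks:
        ts -= timedelta(seconds=CLOCK_OFFSETS.get(host, 0))   # back to true time
    return {"ts": ts, "host": host, "user": user, "src": src}

def detect_bruteforce(lines, threshold=5, window_s=60, correct_clocks=True):
    """Alert when one source IP produces >= threshold failures within window_s,
    counted across all hosts. Returns a list of alert dicts."""
    events = [e for e in (parse(l, correct_clocks) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)
    alerts = []
    for e in events:
        q = recent[e["src"]]
        q.append(e)
        while q and (e["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()                      # slide the window
        if len(q) >= threshold:
            alerts.append({
                "src": e["src"],
                "count": len(q),
                "hosts": sorted({x["host"] for x in q}),
                "users": sorted({x["user"] for x in q}),
                "last": e["ts"].isoformat(),
            })
            q.clear()                        # reset so one spray does not alert on every line
    return alerts

if __name__ == "__main__":
    print("raw clocks:      ", detect_bruteforce(SAMPLE_LOG, correct_clocks=False))
    print("corrected clocks:", detect_bruteforce(SAMPLE_LOG))
```

With raw timestamps the two hosts' bursts are ten minutes apart and each stays below the threshold, so nothing fires; once the offset is applied the same lines form six failures in nineteen seconds and the alert names both hosts. The correction is a fallback for a known skew; the actual control is keeping the skew at zero with NTP.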

Configuration management (8.9)

Secure baseline configuration (hardening to a CIS Benchmark), version control, drift detection and change management. Default settings are rarely secure.

Protection against malware (8.7)

EDR/AV, application allowlisting, email and web filtering, macro restrictions. Combined with user training and backups as the fallback against ransomware.

Logging and SIEM (8.15 / 8.16)

Logs are collected centrally, off the host being monitored, kept append-only and retained long enough (under NIS2 guidance, at least 12 months). For details see the guide 'Log file analysis'.