Section 2.3 Security Controls
As you study this section, answer the following questions:
- What factors should you consider when evaluating security controls?
- What are the differences between preventative and deterrent controls?
- What are the three categories of security controls?
In this section, you will learn to:
- Identify different security control categories
- Understand the role of Standards and Frameworks
The key terms for this section include:
| Term | Definition |
|---|---|
| Security controls | Measures taken to protect against threats. They can be deployed quickly, often as a reactive response to newly identified threats. |
| Security control categories | Classification of security controls into different classes based on their dominant characteristics. The three categories are Managerial, Operational, and Technical. |
| Standards and frameworks | Guidelines and structures that help practitioners understand practical control types. Examples include NIST Special Publications and ISO 27001. |
| Security control testing | Evaluation of an organization's security controls to ensure they function as intended and effectively protect against threats. It can include vulnerability assessments, penetration testing, and security audits. |
This section helps you prepare for the following certification exam objectives:
| Exam | Objective |
|---|---|
| CompTIA CySA+ CS0-003 | 2.1 Given a scenario, implement vulnerability scanning methods and concepts
2.5 Explain concepts related to vulnerability response, handling, and management
|
| TestOut CyberDefense Pro | 5.1 Implement Identity and Access Management (IAM)
|
2.3.1 Security Control Categories and Types
Click one of the buttons to take you to that part of the video.
Security Control Categories and Types 00:00-00:38 In this video, we'll go over security control categories and types. We use security controls to reduce the risk of system threats. Part of your role as a security analyst is to be proactive and not reactive. You don't want to wait until it's too late to decide how to respond to an attack. You want to have controls in place that deter attackers and mitigate any attack's impact. These controls should be well-planned and align with your risk management strategy, which is why categories and control types provide an effective way to structure your controls.
Security Control Categories 00:38-01:16 The National Institute of Standards and Technology, or NIST, has set up a method for classifying security controls. There are three security control categories: managerial, operational, and technical controls.
Managerial controls provide system oversight. Examples include security assessments, risk identification, and control-selection evaluation. Operational controls are usually implemented by people and could include security guards, employee training, or other non-technical procedures. Technical controls are system implementations and include software, hardware, and firmware.
Security Control Types 01:16-03:14 We further classify security controls by function. For example, we have preventative, detective, corrective, deterrent, physical, and compensating control types. Let's go through each one.
The goal of preventative controls is to harden a system against attacks and recognize and stop attacks as they occur. Access control lists, or ACLs, and anti-malware applications are examples of technical preventative controls. Administrative preventative controls could include policies and procedures.
Detective controls don't prevent access; they identify, log, and report incidents as they happen.
Corrective controls are things like a backup system to limit damage in the case of an incident.
Deterrent controls don't prevent access but discourage attackers from attempting access. Examples could be legal signs or warnings citing potential repercussions.
Physical controls are things like alarms, security cameras, and lights that could scare off attackers.
Gateways and guards are practical ways to use physical controls as well.
Compensating controls are a little different because they can use one or more of the other control types. Compensating controls are used when a recommended security control isn't practical. These compensating controls must provide equivalent protection.
For example, let's say a bank is required to have a separation of duties when it comes to deposits, but in one branch, there aren't enough employees to meet the requirement.
A compensating control might be specific accounting procedures regularly audited by another employee.
Most controls are preventative, detective, or corrective—but a few fall into the deterrent, physical, or compensating categories. While no combination is impenetrable, layering various controls can help delay an attack until it's detected.
Also, know that the term control efficiency refers to how long a control can delay an attack. This is a helpful measurement in the field of security analytics.
Security Control Evaluation 03:14-05:28 Evaluating security controls starts with looking at risks within your organization. After that, you can determine which security controls best mitigate the risks you've identified. Your goal is to reduce all these risks to acceptable levels. Any activity dealing with computer networks—especially internet-connected ones—involves some form of risk. Depending on how you set a network up, there might be a lot of risk or not much at all. Here are a few factors to consider when determining the best security controls to implement.
The first is compatibility. You should assess whether the security control works with the existing infrastructure or requires new hardware or software.
Next is effectiveness. Does the control work well in your environment? If the control is only partially effective or doesn't provide much benefit, it might not be worth the cost.
Next, consider any regulatory compliance requirements impacted by the control. In other words, make sure you aren't breaking any laws. For example, if federal law requires you to maintain an archive of all email messages that come into your network, a spam reduction security control might delete messages that the law requires to be archived. Ensure the control doesn't violate your company policies, either.
Lastly, look at the security control's feasibility. This requires you to perform a cost-benefit analysis. For example, let's say you invest in some software and implement a security control that eliminates the risk of system malware. However, doing so makes systems so difficult to run that user productivity is severely affected. In addition, the malware protection is a resource hog and slows down even the fastest systems. On top of that, it also has a subscription model that charges per system per month.
Even though this security control is 100 percent effective, it isn't practical in cost or performance. In this scenario, the security control's impact drastically outweighs its benefits. You can identify issues immediately by performing a cost-benefit analysis beforehand and not wasting time.
Remember, it's impossible to eliminate all risk. Security is a tradeoff between usability and security. But by identifying the factors we discussed in this lesson and performing a cost-benefit analysis, you can find a balance between convenience and protection.
Summary 05:28-05:48 That's it for this lesson. In this lesson, we discussed managerial, operational, and technical security control categories. We reviewed six security control types: preventative, detective, corrective, deterrent, physical, and compensating. We also discussed factors to consider when you're evaluating security controls.
2.3.2 Security Control Categories Facts
This lesson covers the following topics:
- Security controls
- Security control categories
- Standards and frameworks
- Security control testing
Security Controls
It is common to identify that many security controls are deployed quickly, often as a reactive response to newly identified threats. In the early years of cyber defense, this approach was practical. For example, firewalls provided quick and effective protection and were straightforward to deploy; the level of protection a simple firewall provided was much more comprehensive than what is needed today. As viruses and worms began to infect computer systems through the 1990s, organizations deployed antivirus software on workstations and servers. This approach was simple, effective, and solely focused on preventative measures. At the time, this approach worked.
As modern cyber threats have become increasingly sophisticated, the ability to implement relatively simple controls with high levels of protection is becoming much rarer. Current infrastructures are complicated and require layered security controls deployed structured and systematically. Additionally, in the early years of computing, organizations were far less dependent on technology resources, and technology risks were less severe.
Security Control Categories
Security controls reduce the risk of loss and damage to an organization, including its computer systems. The National Institute of Standards and Technology (NIST) has designed methods for classifying security controls. In this first method, each control is organized into different classes based on the dominant characteristics of the control. The significance of these classes is that they are referenced when measuring how effectively assets are protected. The objective is to implement controls in each of the three classes. The three categories are as follows:
Security controls are categorized by function. These functional control types are:
| Category | Control |
|---|---|
| Managerial | Managerial controls provide oversight of the information system. Examples include:
|
| Operational | Operational controls are usually implemented by people instead of systems. Operational controls include:
|
| Technical | Technical controls are implemented as a system (hardware, software, or firmware). They may also be described as logical controls. Technical controls include:
|
Standards and Frameworks
A modern approach to security requires integrating several different types of controls, not only preventative but also detective, corrective, compensating, and responsive. While a single security control is not impenetrable, layering various controls can help to delay an attack. Several standards and frameworks exist to help practitioners better understand practical control types. Some examples include:
- NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations ( https://csrc.nist.gov/pubs/sp/800/53/r5/upd1/final )
- NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations ( https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final )
- ISO 27001 is a proprietary standard ( https://www.iso.org/standard/27001 )
- CIS Controls ( https://www.cisecurity.org/controls )
The National Institute of Standards and Technology (NIST) Special Publications discussed in this course are available at csrc.nist.gov/publications/sp . There is no formal requirement to read them as part of exam preparation. However, they are referenced to help provide a deeper understanding of the various topics.
Security Control Testing
Security control testing involves evaluating an organization's security controls to ensure they function as intended and effectively protect against threats. Security control testing can include:
- Vulnerability assessments
- Penetration testing
- Security audits
The results of these tests can be used to improve security controls and to address any issues that may have been identified before a breach can occur.
2.3.3 Security Control Functional Types Facts
This lesson covers the following topics:
- Security control functional types
- Evaluating security controls
- Prioritization and escalation
Security Control Functional Types
Though classified as a category or family, controls can also be described according to the goal or function they perform. The functional control types are:
| Type | Description |
|---|---|
| Preventative | The control acts to eliminate or reduce the likelihood that an attack can succeed, such as system hardening. A preventative control operates before an attack can take place. Access control lists (ACLs) configured on firewalls and file system objects are preventative-type controls. Anti-malware software also acts as a preventative control by blocking processes identified as malicious from executing. Directives, policies, and standard operating procedures (SOPs) are administrative versions of preventative controls. |
| Detective | The control may not prevent or deter access but will identify, record, and report any attempted or successful intrusion. A detective control operates during the progress of an attack. Logs provide one of the best examples of detective-type controls. |
| Corrective | Corrective controls occur after an attack and are used to reduce the likelihood of the incident happening again. An example would be making an access control list more restrictive. |
| Responsive | Responsive controls direct corrective actions enacted after an incident has been confirmed. They are often overlooked and underestimated. A security event can spiral out of control without responsive controls. In a Security Operations Center (SOC), responsive controls might include several very well-defined actions to be taken by an analyst after identifying a specific issue. These actions are often documented in a playbook. |
| Deterrent | Deterrent controls make the system more difficult to attack and, therefore, decrease attacks. These controls do not prevent access, but discourage attackers from attempting access. Examples could be complex password policies, legal signs, or warnings citing potential repercussions. |
| Physical | Physical controls such as alarms, security cameras, and lights can deter attackers. Controls such as mantraps and guards can help to prevent attacks. |
| Compensating | Compensating controls serve as substitutes for principal controls, as recommended by a security standard, and afford the same (or better) level of protection but use a different methodology or technology. |
Evaluating Security Controls
While a single security control is not impenetrable, layering various controls can help to delay an attack. As no single security control provides complete protection, each is like a link in a chain, with each control contributing to the overall strength of the chain. A link's weakness impacts the overall effectiveness of the chain. Still, unlike an actual chain, a failure in one control should not result in a complete loss. It might be practical to think of each control type as an individual chain comprised of a series of individual controls of that same type.
The amount of time a particular control can delay an attack is its control efficiency. This is an important measurement when evaluating various controls. However, there are additional factors that many overlook, such as:
| Factor | Description |
|---|---|
| Compatibility | Assess whether the security control works with the existing infrastructure or requires new hardware and software to make it work. |
| Effectiveness | Will control work well in your environment? If the control is only partially effective or does not provide much benefit, it may not be worth the cost to implement. |
| Regulations | Consider any regulatory compliance requirements impacted by the control. Make sure you are not breaking any laws. |
| Policies | Make sure that security control does not violate any company policies. |
| Feasibility | Consider the feasibility of security control by completing a cost-benefit analysis. |
Prioritization and Escalation
Vulnerability response prioritization and escalation are integral to managing security risks. After identifying vulnerabilities, they must be classified according to their severity and potential impact on the organization. Vulnerabilities with the highest severity and potential impact must be prioritized and addressed first. In contrast, those with lower severity and potential implications can be addressed later.
Adopting a functional approach to security control selection allows you to devise a Course of Action (CoA) matrix that maps security controls to known adversary tools and tactics, matching your cybersecurity defensive capabilities to the offensive capabilities of potential cyber adversaries.
It is also essential to ensure that any high-severity vulnerabilities are escalated to all relevant stakeholders to ensure they are informed and can contribute to the response as necessary. Additionally, it is vital to have an established process for escalating vulnerabilities in case the severity of the vulnerability changes or the vulnerability is exploited before remediations are implemented.
2.3.4 Implement Physical Security Countermeasures
Based on your review of physical security, you have recommended several improvements. Your plan includes smart card readers, IP cameras, signs, and access logs.
Implement your physical security plan by dragging the correct items from the shelf into the various locations in the building. As you drag the items from the shelf, the possible drop locations are highlighted.
In this lab, your task is to:
- Install the smart card key readers in the appropriate locations to control access to key infrastructure.
- Install the IP security cameras in the appropriate locations to record which employees access the key infrastructure.
- Install a Restricted Access sign in the appropriate location to control access to the key infrastructure.
- Add the visitor log to a location appropriate for logging visitor access.