Security professionals spend the majority of their time designing, implementing, and managing security controls as countermeasures to the risks they identify during risk assessments. In this video, learn how to select appropriate security controls and how preventive, detective, and corrective controls work together to build a defense-in-depth approach to information security.
- [Instructor] Security professionals spend the majority of their time designing, implementing, and managing security controls, as countermeasures to the risks they identify during risk assessments. Security controls are the procedures and mechanisms that an organization puts in place to address security risks in some manner. This might include trying to reduce the likelihood of a risk materializing, minimizing the impact of a risk if it does occur, or detecting security issues that take place.
Before we move into the area of cybersecurity, let's think for a moment about the way that you secure your home. You probably use a variety of different security controls. You certainly have locks on your doors and windows designed to keep out intruders, minimizing the risk of a burglary. That's just common sense. You might also have a burglar alarm, designed to detect intrusions, security cameras to record activity inside your home, automatic light switches to deter a burglar by simulating human activity, and any number of other controls.
In fact, even asking your neighbor to bring in your mail is an example of a security control. Some of these controls are designed to achieve the same purpose or, in the language of security professionals, the same control objective. For example, both a burglar alarm and security cameras are designed to detect intruders. We sometimes use more than one control to achieve the same objective because we want to be sure that we remain secure, even if one control fails.
If a burglar manages to open a window without setting off the burglar alarm, he or she may still be caught on your security cameras. This is known as the defense-in-depth principle, applying multiple overlapping controls to achieve the same security objective. Security professionals use a variety of different categories to group similar security controls. We'll talk about two different ways to categorize security controls. First, we'll discuss grouping controls by their purpose, whether they are designed to prevent, detect, or correct security issues.
Then, we'll discuss them by their mechanism of action, the way that they work. This approach groups controls into the categories of technical, management, and operational controls. Preventive controls are designed to stop a security issue from occurring in the first place. A firewall that blocks unwanted network traffic is an example of a preventive control. Detective controls identify potential security breaches that require further investigation. An intrusion detection system that searches for signs of network breaches is an example of a detective control.
Corrective controls remediate security issues that have already occurred. If an attacker breaks into a system and wipes out critical information, restoring that information from backup is an example of a corrective control. The second way we can categorize controls is by their mechanism of action. This groups controls as either technical, operational, or management controls. Technical controls are exactly what the name implies, the use of technology to achieve security objectives.
Think about all of the components of an IT infrastructure that perform security functions. Firewalls, intrusion prevention systems, encryption software, data loss prevention technology, and antivirus packages are all examples of technical security controls. Operational controls include the processes that we put in place to manage technology in a secure manner. These include many of the tasks that security professionals carry out each day, such as user access reviews, log monitoring, performing background checks, and conducting security awareness training.
It's sometimes a little tricky to tell the difference between technical and operational controls. If you get an exam question on this topic, one trick is to remember that operational controls are carried out by individuals, while technical controls are carried out by technology. For example, a firewall enforcing rules is a technical control, while a system administrator reviewing firewall logs is an operational control. Management controls are focused on the mechanics of the risk management process.
For example, one common management control is conducting regular risk assessments to identify the threats, vulnerabilities, and risks facing an organization or a specific information system. Other management controls include conducting regular security planning and including security considerations in an organization's change management, service acquisition, and project management methodologies. Of course, there's no such thing as a perfect control. That's why we follow the defense-in-depth principle.
We need to design our security controls so the organization remains secure, even if a control fails. There are two main ways that a control can fail. First, a false positive error occurs when a control triggers in a situation where it should not. For example, a false positive would occur when a detective control, such as an intrusion detection system or antivirus software, issues a false alarm, reporting a security issue when none is taking place.
False positives are dangerous because they reduce the confidence that security administrators have in the control and sometimes lead to administrators ignoring future alerts from the system. False negative errors occur when a control fails to trigger in a situation where it should. Returning to the examples of intrusion detection systems and antivirus software, a false negative error would occur if an actual security incident takes place and the system fails to detect it, giving the administrator a false sense of security.
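The trade-off the instructor describes, shown as an added example that is not part of the video: two small detective controls (a failed-login threshold and a login-geography check) are run over a constructed set of login events that carry a hindsight "was this really an attack" label, and each control's decisions are sorted into true positives, false positives, false negatives, and true negatives. Layering the two controls (defense in depth) removes the false negatives each one has on its own, at the cost of more false positives. All event data, thresholds, and rule names are constructed for illustration.

```python
"""Evaluating overlapping detective controls against ground truth.

Added example with constructed sample data; not code from the video.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str
    user: str
    failed_logins: int   # failed attempts from src in the preceding window
    country: str
    is_attack: bool      # ground truth, known only in hindsight (constructed label)


# Constructed login events, each labelled with what actually happened.
EVENTS = [
    Event("10.0.0.5",     "alice", 1,  "US", False),
    Event("10.0.0.9",     "bob",   12, "US", True),   # password spraying
    Event("198.51.100.7", "carol", 2,  "RU", True),   # stolen credentials, few tries
    Event("10.0.0.12",    "dave",  9,  "US", False),  # forgot password, many retries
    Event("203.0.113.4",  "erin",  1,  "DE", False),  # employee travelling abroad
    Event("203.0.113.9",  "frank", 25, "DE", True),   # brute force from abroad
]


# Two detective controls, each built on a different heuristic.
def brute_force_rule(e: Event) -> bool:
    """Alert when failed logins reach a threshold (constructed value)."""
    return e.failed_logins >= 8


def geo_rule(e: Event, home_countries=("US",)) -> bool:
    """Alert on logins from outside the organization's home countries."""
    return e.country not in home_countries


def layered(e: Event) -> bool:
    """Defense in depth: alert if either control fires."""
    return brute_force_rule(e) or geo_rule(e)


def classify(alerted: bool, is_attack: bool) -> str:
    """Map one control decision against ground truth to an outcome class."""
    if alerted and is_attack:
        return "TP"
    if alerted and not is_attack:
        return "FP"   # false positive: control triggered, nothing was wrong
    if not alerted and is_attack:
        return "FN"   # false negative: real attack, control stayed silent
    return "TN"


def evaluate(rule, events=EVENTS) -> Counter:
    """Count TP/FP/FN/TN for a rule over the labelled events."""
    return Counter(classify(rule(e), e.is_attack) for e in events)


if __name__ == "__main__":
    for name, rule in [("brute_force", brute_force_rule),
                       ("geo", geo_rule),
                       ("layered", layered)]:
        c = evaluate(rule)
        print(f"{name:12} TP={c['TP']} FP={c['FP']} FN={c['FN']} TN={c['TN']}")
```

On this data each single control misses one of the three attacks (one false negative apiece: the threshold rule never sees carol's two-attempt login with stolen credentials, and the geography rule never sees bob's domestic spraying), while the layered control catches all three. The price is two false positives instead of one, which is exactly the alert-fatigue risk the instructor warns about; tuning the layered controls so their false positives stay manageable is part of selecting them.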