After completing this video, the learner will be familiar with the concept of security controls. The learner will understand the difference between technical, management and operational controls as well as how controls may generate false positive and false negative errors.
- [Voiceover] Security professionals spend the majority of their time designing, implementing, and managing security controls. Security controls are procedures and mechanisms that an organization puts in place to address security risks in some manner. This might include trying to reduce the likelihood of a risk materializing, trying to minimize the impact of a risk if it does occur, or trying to detect security issues that actually do take place. Before we move into the area of cyber security, let's think for a moment about the way that you secure your home.
You probably use a variety of different security controls. You certainly have locks on your doors and windows, designed to keep out intruders, minimizing the risk of a burglary. That's just common sense. You might also have a burglar alarm, designed to detect intrusions, security cameras to record activity inside and outside your home, automatic light switches to deter a burglar by simulating human activity, and any number of other security controls. In fact, even asking your neighbor to bring in your mail is an example of a security control.
Some of these controls are designed to achieve the same purpose, or in the language of security professionals, the same control objective. For example, both a burglar alarm and security cameras are designed to detect intruders. We sometimes use more than one control to achieve the same objective, because we want to be sure that we remain secure, even if one control fails. If a burglar manages to open a window, without tripping the burglar alarm, he or she may still be caught on your security cameras. This is known as the Defense in Depth principle, applying multiple overlapping controls to achieve the same security objective.
Security professionals use a variety of different categories to group similar security controls. In some cases, we organize them by their purpose, such as preventive, detective, and corrective controls. We might also organize them by the way they work, the technology they use, or the function responsible for implementing them. Fortunately for you, the Security+ exam uses one straightforward approach to grouping security controls into three categories, technical, management, and operational controls.
Those are the ones you'll need to know on the exam, so those are the ones we'll cover in this course. Technical controls are exactly what the name implies: the use of technology to achieve security objectives. Think about all the components of an IT infrastructure that perform security functions. Firewalls, intrusion prevention systems, encryption, data loss prevention, and anti-virus software are all examples of technical security controls. Operational controls include the processes that we put in place to manage technology in a secure manner.
These include many of the tasks that security professionals carry out each day, such as user access reviews, log monitoring, performing background checks, and conducting security awareness training. It's sometimes a little tricky to tell the difference between technical and operational controls. If you get an exam question on this topic, one trick is to remember that operational controls are carried out by individuals, while technical controls are carried out by technology. For example, a firewall enforcing rules is a technical control, while a system administrator reviewing firewall logs is an operational control.
Management controls are focused on the mechanics of the risk management process. For example, one common management control is conducting regular risk assessments to identify the threats, vulnerabilities, and risks facing an organization or a specific information system. Other management controls include conducting regular security planning, and including security considerations in an organization's change management, service acquisition, and project management methodologies.
Of course, there's no such thing as a perfect control. That's why we follow the defense in depth principle. We need to design our security controls, so that the organization remains secure, even if a control fails. There are two main ways that a control can fail. A false positive error occurs when a control triggers in a situation where it should not. For example, a false positive would occur when a detective control, such as an intrusion detection system, or anti-virus software, issues a false alarm, reporting a security issue when none is present.
False positives are dangerous, because they reduce the confidence that security administrators have in the control, and sometimes lead to administrators ignoring future alerts from that system. A false negative error occurs when a control fails to trigger in a situation where it should. Returning to the examples of intrusion detection systems and anti-virus software, a false negative would occur if an actual security incident took place and the system failed to detect it, giving the administrator a false sense of security.
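The two error types described above, worked through as an added example that is not part of the course or its transcript: a toy detective control (an alarm on repeated login failures from one source) is run over constructed authentication events whose true nature is known, so each alarm can be scored as a true positive, false positive, false negative, or true negative. The IP addresses, user stories, and thresholds are all constructed for illustration.

```python
from collections import Counter

# Constructed sample authentication events (not real data): (source_ip, outcome),
# where outcome is "fail" or "ok". GROUND_TRUTH records which sources were really
# attackers; a real control never sees that column, which is why it can be wrong.
EVENTS = [
    *[("10.0.0.5", "fail")] * 4, ("10.0.0.5", "ok"),   # a user mistypes, then logs in
    *[("203.0.113.7", "fail")] * 20,                  # noisy password guessing
    *[("198.51.100.9", "fail")] * 2,                  # quiet, "low and slow" guessing
    ("10.0.0.8", "ok"),                               # one clean login
]
GROUND_TRUTH = {"10.0.0.5": False, "203.0.113.7": True,
                "198.51.100.9": True, "10.0.0.8": False}


def flagged_sources(events, threshold):
    """Detective control: raise an alarm for any source with >= threshold failures."""
    failures = Counter(ip for ip, outcome in events if outcome == "fail")
    return {ip for ip, n in failures.items() if n >= threshold}


def evaluate(events, truth, threshold):
    """Score the control's verdicts against the ground truth, counting each error type."""
    flagged = flagged_sources(events, threshold)
    counts = Counter()
    for ip, is_attacker in truth.items():
        alarm = ip in flagged
        if alarm and is_attacker:
            counts["true_positive"] += 1
        elif alarm and not is_attacker:
            counts["false_positive"] += 1   # alarm raised, but no attack was under way
        elif not alarm and is_attacker:
            counts["false_negative"] += 1   # attack under way, but no alarm was raised
        else:
            counts["true_negative"] += 1
    return dict(counts)


if __name__ == "__main__":
    # Raising the threshold removes the false positive but leaves the quiet attacker
    # undetected: tuning one control trades one error type for the other, which is
    # why overlapping controls (defense in depth) are needed.
    for threshold in (3, 6):
        print(f"threshold={threshold}: {evaluate(EVENTS, GROUND_TRUTH, threshold)}")
```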
- Implementing security controls and policies
- Performing a risk assessment
- Understanding the five risk management actions
- Managing third-party relationships (vendors, etc.)
- Mitigating risk with change management, audits and assessments, and more
- Building an incident response program
- Understanding digital forensics
- Providing security and compliance training
- Ensuring physical security
- Planning for business continuity and disaster recovery
- Matching controls to security goals