The 3 Types Of Security Controls (Expert Explains) | PurpleSec
Summary
TLDR: This video script delves into the fundamental role of security controls in mitigating cyber threats and safeguarding an organization's information and assets. It explains the concept of security controls, their types, and goals, including preventative, detective, corrective, deterrent, and compensating controls. The script also covers the importance of risk mitigation, defense in depth strategies, and continuous monitoring to ensure the effectiveness of security measures. By understanding these controls, professionals can better protect their organization's valuable assets and contribute to a robust risk management program.
Takeaways
- 🛡️ Security controls are essential countermeasures to reduce the risk of threats exploiting vulnerabilities within an organization.
- 🔒 The primary goal of security controls is to prevent or reduce the impact of security incidents, ensuring the confidentiality, integrity, and availability of information.
- 🔑 Types of security controls include preventative, detective, corrective, deterrent, and compensating, each serving a specific purpose in risk mitigation.
- 🏗️ Layering security controls creates a defense in depth strategy, where multiple layers of security work together to protect against breaches.
- 🌐 Understanding cyber risks and threats is crucial for implementing effective security controls to mitigate potential vulnerabilities.
- 🔒 Technical security controls use technology to reduce vulnerabilities in hardware and software, such as encryption and firewalls.
- 📝 Administrative security controls involve policies and procedures that define practices in line with an organization's security goals.
- 👮‍♂️ Physical security controls deter or prevent unauthorized access to sensitive material, including surveillance cameras and biometric access systems.
- 🕵️‍♂️ Detective controls, like log monitoring and security audits, help identify patterns and detect incidents after they occur.
- 🚑 Corrective controls, such as intrusion prevention systems and backups, aim to reverse the impact of an incident and restore systems to normal.
- 🚨 Deterrent controls, like security guards and surveillance, discourage individuals from causing incidents by presenting a visible security presence.
- 🔄 Compensating controls serve as alternatives when primary controls are not feasible, providing a similar level of security assurance.
- 📊 Security control assessments measure the performance of an organization's security controls, identifying areas for improvement and ensuring compliance with security requirements.
Q & A
What is a security control in the context of cybersecurity?
-A security control is a countermeasure or safeguard used to reduce the chances that a threat will exploit a vulnerability in an organization's information systems.
Why is risk mitigation important in cybersecurity?
-Risk mitigation is crucial as it seeks to decrease the risk of a security incident by reducing the likelihood that a threat will exploit a vulnerability, thus protecting the confidentiality, integrity, and availability of information.
What are the common classification types of security controls?
-The common classification types of security controls are preventative, detective, corrective, deterrent, and compensating controls, each serving a specific purpose in risk management.
How does the concept of 'defense in depth' relate to security controls?
-Defense in depth is a strategy in cybersecurity where multiple layers of security controls are implemented. If one layer fails to counteract a threat, other layers provide additional protection to prevent a breach.
What are technical security controls and how do they function?
-Technical security controls, also known as logic controls, use technology to reduce vulnerabilities in hardware and software. They include measures like encryption, antivirus software, firewalls, and intrusion detection/prevention systems.
Can you explain the role of administrative security controls in an organization?
-Administrative security controls involve policies, procedures, or guidelines that define practices in accordance with the organization's security goals. They often include onboarding processes, security policy acknowledgments, and continuous monitoring for enforcement.
What are some examples of detective controls in cybersecurity?
-Examples of detective controls include log monitoring, Security Information and Event Management (SIEM) systems, trend analysis, security audits, video surveillance, and motion detection systems.
How do corrective controls assist in managing the aftermath of a security incident?
-Corrective controls, such as Intrusion Prevention Systems (IPS), backups, and recovery systems, are designed to reverse the impact of a security incident and restore normal operations after a breach has occurred.
What is the purpose of deterrent controls in a cybersecurity framework?
-Deterrent controls aim to discourage individuals from causing a security incident. They often take the form of tangible objects or measures, such as cable locks, hardware locks, video surveillance, and security guards.
What is the difference between preventative and detective controls?
-Preventative controls are implemented to reduce the likelihood and potential impact of a successful threat event before it occurs. Detective controls, on the other hand, are designed to detect errors and locate attacks against information systems that have already occurred.
How can compensating controls be beneficial in situations where primary security measures are not feasible?
-Compensating controls serve as an alternative when primary security measures are not feasible due to financial, infrastructure, or practical constraints. They should meet the intent of the original control requirement or provide a similar level of assurance.
Why are security control assessments important for an organization's risk management program?
-Security control assessments are critical for measuring the state and performance of an organization's security controls. They help determine if the controls are implemented correctly, operating as intended, and producing the desired outcome in meeting security requirements.
Outlines
🔒 Understanding Security Controls
This paragraph introduces the concept of security controls in cybersecurity. It highlights their importance in protecting organizational information and assets, explaining that security controls are countermeasures or safeguards to reduce the chances of a threat exploiting a vulnerability. The paragraph also covers the basics of risk mitigation and the goals of security controls, including preventing, detecting, and correcting security incidents.
🌐 Types and Goals of Security Controls
This section delves into the different types of security controls: preventive, detective, corrective, deterrent, and compensating controls. It explains how these controls aim to reduce risks by addressing specific aspects of security incidents. Examples of each control type are provided, emphasizing their roles in a layered defense strategy known as defense in depth, which combines multiple controls to prevent breaches even if one layer fails.
🔍 Cybersecurity Risks and Threats
This paragraph explains the basics of cyber risks and threats. Risks are described as the likelihood of a threat exploiting a vulnerability, leading to losses such as information, financial damage, or harm to reputation. Threats can come from external sources or insiders, and can be intentional or accidental. The paragraph also covers vulnerabilities, which are weaknesses that can be exploited by threats, potentially resulting in security incidents.
🛡️ Implementing Technical Security Controls
This section focuses on technical security controls, which use technology to reduce vulnerabilities in hardware and software. Examples include encryption, antivirus software, firewalls, and intrusion detection/prevention systems. The paragraph explains how these controls are implemented and how they help protect organizational assets by preventing, detecting, and responding to security threats.
📜 Administrative and Operational Controls
This paragraph discusses administrative and operational security controls, which involve policies, procedures, and guidelines to manage security within an organization. It highlights the importance of onboarding processes, security policies, and continuous monitoring and enforcement of these controls. The roles of management and operational controls in implementing and enforcing security measures are also explained.
🏢 Physical Security Controls
This section describes physical security controls, which involve measures to prevent unauthorized access to sensitive materials. Examples include surveillance cameras, alarm systems, security guards, and biometric systems. The paragraph explains how these controls help protect physical assets and prevent breaches by deterring or preventing unauthorized access.
🚨 Preventative and Detective Controls
This paragraph provides examples of preventative and detective controls. Preventative controls, such as security awareness training and change management, aim to prevent incidents from occurring. Detective controls, such as log monitoring and video surveillance, aim to detect incidents after they occur. The paragraph explains the differences between these control types and their roles in enhancing overall security.
🔧 Corrective and Deterrent Controls
This section explains corrective and deterrent controls. Corrective controls, like intrusion prevention systems and backups, aim to reverse the impact of incidents. Deterrent controls, such as cable locks and security guards, reduce the likelihood of deliberate attacks. The paragraph also highlights the importance of compensating controls, which are alternative measures implemented when primary controls are not feasible.
📝 Security Control Assessments
This paragraph discusses the importance of security control assessments, which measure the effectiveness of an organization's security controls. It explains different types of assessments, including risk assessments, vulnerability assessments, and penetration testing. These assessments help organizations identify and address potential vulnerabilities and improve their overall security posture.
🏆 Conclusion and Best Practices
The final paragraph summarizes the key points discussed in the video, emphasizing the importance of implementing technical, administrative, and physical security controls to reduce risks. It highlights the need for continuous monitoring and vigilance to protect organizational assets and maintain effective security programs. The paragraph encourages incorporating the discussed controls to support and enhance an organization's risk management program.
Keywords
💡Security Controls
💡Risk Mitigation
💡Confidentiality, Integrity, and Availability (CIA)
💡Preventative Controls
💡Detective Controls
💡Corrective Controls
💡Deterrent Controls
💡Compensating Controls
💡Risk Assessment
💡Penetration Testing
💡Defense in Depth
Highlights
Security controls are countermeasures or safeguards used to reduce the chances that a threat will exploit a vulnerability.
Risk mitigation seeks to decrease the risk by reducing the chances that a threat will exploit a vulnerability.
Preventative controls attempt to prevent an incident from occurring.
Detective controls attempt to detect incidents after they have occurred.
Corrective controls attempt to reverse the impact of an incident.
Deterrent controls attempt to discourage individuals from causing an incident.
Compensating controls are alternative controls used when a primary control is not feasible.
Layering is an approach that combines multiple security controls to develop a defense in depth strategy.
Risks in cyber security are the likelihood that a threat will exploit a vulnerability, resulting in a loss.
Threats are any event with the potential to compromise the confidentiality, integrity, and availability of information.
Vulnerabilities are weaknesses or flaws in software, hardware, or organizational processes which can result in a security incident.
Technical controls use technology to reduce vulnerabilities in hardware and software.
Administrative controls refer to policies, procedures, or guidelines that define personal or business practices in accordance with the organization's security goals.
Physical controls are the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material.
The goal of continuous analysis is to prevent errors and irregularities from occurring in the first place.
Transcripts
Security controls play a foundational role in shaping the actions cyber security professionals take to protect an organization. The lack of security controls places the confidentiality, integrity, and availability of information at risk. These risks also extend to the safety of people and assets within an organization. In this video I'm going to explain what a security control is and the differences between each type. Next I'll discuss the goals that each control is meant to achieve, with examples along the way. By the end you'll have a better understanding of the basic security controls in cyber security.

What Is A Security Control?

Security controls are countermeasures or safeguards used to reduce the chances that a threat will exploit a vulnerability. For example, implementing company-wide security awareness training to minimize the risk of a social engineering attack on your network, people, and information systems. The act of reducing risk is also called risk mitigation. While it's next to impossible to prevent all threats, mitigation seeks to decrease the risk by reducing the chances that a threat will exploit a vulnerability. Risk mitigation is achieved by implementing different types of security controls depending on the goal of the countermeasures or safeguards, the level to which the risk needs to be minimized, and the severity of damage the threat can inflict.
What Are The Goals Of Security Controls?

The overall purpose of implementing security controls, as previously mentioned, is to help reduce risks in an organization. In other words, the primary goal of implementing security controls is to prevent or reduce the impact of a security incident. The effective implementation of a security control is based on its classification in relation to the security incident. The common classification types are listed below, along with their corresponding description:

- Preventative controls attempt to prevent an incident from occurring.
- Detective controls attempt to detect incidents after they have occurred.
- Corrective controls attempt to reverse the impact of an incident.
- Deterrent controls attempt to discourage individuals from causing an incident.
- Compensating controls are alternative controls used when a primary control is not feasible.

Implementing the controls listed is no trivial matter. For example, an organization that places a high priority on reducing risk usually has a risk profile which illustrates the potential cost of a negatively impacting risk and the human resources required to implement the controls.

Layering is an approach that combines multiple security controls to develop what's called a defense in depth strategy. Defense in depth is a common strategy used in cyber security whereby multiple layers of controls are implemented. By combining controls into multiple layers of security, you ensure that if one layer fails to counteract a threat, other layers will help to prevent a breach in your systems. Each layer of security works to counteract specific threats, which requires cybersecurity programs to invest in multiple technologies and processes to prevent systems or people from compromise. For example, endpoint detection and response solutions are great at preventing viruses and malware from infecting computers and servers. However, endpoint detection is not equipped to log and monitor traffic on a network like a SIEM, or to detect and prevent an attack in real time like an IPS.
Before we dive into control types, it's important to first understand the cyber risks and threats they help to mitigate.

Understanding The Basics Of Risks And Threats

Risks: risks in cyber security are the likelihood that a threat will exploit a vulnerability, resulting in a loss. Losses could be information, financial, damage to reputation, and even harm to customer trust.

Threats: threats are any event with the potential to compromise the confidentiality, integrity, and availability (or CIA) of information. Threats come from outside an organization and from anywhere in the world connected to the internet. Insiders, such as a disgruntled employee with too much access or a malicious insider, also pose a threat to businesses. Now, insider threats are not always malicious. For example, an employee clicking on a phishing email that installs malware does not mean the employee intended to cause harm. Finally, threats may also take the form of a natural disaster or a man-made risk such as a new malware variant.

Vulnerabilities: vulnerabilities are a weakness or flaw in software, hardware, or organizational processes which, when compromised by a threat, can result in a security incident. Security incidents are an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system, or the information the system processes, stores, or transmits, or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.

Now that we have a better understanding of basic risk concepts, let's explore how security controls are implemented.
Technical Security Controls

At the most basic level, technical controls, also known as logic controls, use technology to reduce vulnerabilities in hardware and software. Automated software tools are installed and configured to protect these assets. Examples of technical controls include encryption, antivirus and anti-malware software, firewalls, security information and event management (or SIEMs), intrusion detection systems (or IDSs), and intrusion prevention systems (IPSs).

Technical Control Types And Implementation Methods

Below are two common examples of technical control types.

Access control lists, or ACLs, are network traffic filters that can control incoming or outgoing traffic. ACLs are common in routers or firewalls, but they can also be configured in any device that runs in the network, from hosts to network devices and servers.

Configuration rules are instructional codes that guide the execution of the system when information is passing through it. Network equipment vendors have proprietary configuration rules that manage the operation of their ACL objects.
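To make the first-match behaviour of an ACL concrete, here is an added example (not code from PurpleSec or the video) of a small ACL evaluator in Python. The rule fields, addresses and packets are constructed for illustration, and the second list shows the ordering mistake that silently shadows a deny rule.

```python
"""Minimal ordered ACL evaluator (added example, not PurpleSec's code).

Models the first-match semantics that router and firewall ACLs share:
rules are checked top to bottom, the first matching rule decides, and a
packet matching nothing hits the implicit deny at the end of the list.
Rule fields and sample packets are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "any"
    src: str                       # source CIDR, e.g. "10.0.0.0/8"
    dst: str                       # destination CIDR
    dport: Optional[int] = None    # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> tuple:
    """Return (decision, index of the rule that fired); index None = implicit deny."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None            # implicit deny: nothing matched


def shadowed_rules(acl: list) -> list:
    """Indexes of rules that can never fire because an earlier rule fully covers them.

    Only exact-or-wider coverage is detected (no partial-overlap arithmetic), which
    is enough to catch the common 'permit any before a specific deny' ordering bug.
    """
    def covers(a: Rule, b: Rule) -> bool:
        return (
            (a.proto == "any" or a.proto == b.proto)
            and ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and (a.dport is None or a.dport == b.dport)
        )
    return [j for j in range(len(acl)) if any(covers(acl[i], acl[j]) for i in range(j))]


# Constructed sample ACL: allow web traffic from the office LAN to a DMZ web
# server, block one quarantined host explicitly, and deny everything else.
INBOUND_ACL = [
    Rule("deny", "any", "10.1.1.50/32", "0.0.0.0/0"),            # quarantined host
    Rule("permit", "tcp", "10.1.0.0/16", "192.0.2.10/32", 443),  # LAN -> DMZ https
    Rule("permit", "tcp", "10.1.0.0/16", "192.0.2.10/32", 80),   # LAN -> DMZ http
    Rule("permit", "icmp", "10.1.0.0/16", "192.0.2.0/24"),       # troubleshooting
]

# Same intent, but with the broad permit placed first: the deny can never fire.
MISORDERED_ACL = [
    Rule("permit", "any", "10.1.0.0/16", "0.0.0.0/0"),
    Rule("deny", "any", "10.1.1.50/32", "0.0.0.0/0"),
]

if __name__ == "__main__":
    for pkt in (
        Packet("tcp", "10.1.2.3", "192.0.2.10", 443),   # permit by rule 1
        Packet("tcp", "10.1.1.50", "192.0.2.10", 443),  # deny by rule 0 (quarantine)
        Packet("tcp", "10.1.2.3", "192.0.2.10", 22),    # implicit deny
    ):
        print(pkt, "->", evaluate(INBOUND_ACL, pkt))
    print("shadowed rules in MISORDERED_ACL:", shadowed_rules(MISORDERED_ACL))
```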
Administrative Security Controls

Administrative security controls refer to policies, procedures, or guidelines that define personal or business practices in accordance with the organization's security goals. Many organizations today implement some type of onboarding process to introduce you to the company and provide you with a history of the organization. During the onboarding process you may be instructed to review and acknowledge the security policy of the organization. By acknowledging that you have read the policies of the organization as a new hire, you are then accountable to adhere to the corporate policy of the organization.

In order to implement the administrative controls, additional security controls are necessary for continuous monitoring and enforcement. The processes that monitor and enforce the administrative controls are management controls, which are security controls that focus on the management of information system security, and operational controls, which are security controls that are primarily implemented and executed by people as opposed to systems. For example, a security policy is a management control, but its security requirements are implemented by people (operational controls) and systems (technical controls). An organization may have an acceptable use policy that specifies the conduct of users, including not visiting malicious websites. The security control to monitor and enforce could be in the form of a web content filter, which can enforce the policy and log simultaneously.

The remediation of a phishing attack is another example that employs a combination of management and operational controls. Security controls to help deter phishing, besides the management control of the acceptable use policy itself, include operational controls such as training users not to fall for phishing scams, and technical controls that monitor emails and website usage for signs of phishing activity.
Physical Security Controls

Physical controls are the implementation of security measures in a defined structure used to deter or prevent unauthorized access to sensitive material. Examples of physical controls are closed circuit surveillance cameras, motion or thermal alarm systems, security guards, picture IDs, locked and dead-bolted steel doors, biometrics (including voice, face, iris, or handwriting), and other automated methods used to recognize individuals.

Preventative Controls

Examples of preventative controls include hardening, security awareness training, security guards, change management, and account disablement policy.

Hardening: the process of reducing security exposure and tightening security controls.

Security awareness training: the process of providing formal cyber security education to your workforce about a variety of information security threats and your company's policies and procedures for addressing them.

Security guards: a person employed by a public or private company to protect the organization's assets. Security guards are frequently positioned as the first line of defense for businesses against external threats, intrusions, and vulnerabilities to the property and its dwellers.

Change management: the methods and manners in which a company describes and implements change within both its internal and external processes. This includes preparing and supporting employees, establishing the necessary steps for change, and monitoring pre- and post-change activities to ensure successful implementation.

Account disablement policy: a policy that defines what to do with users' access accounts for employees who leave voluntarily, are immediately terminated, or are on a leave of absence.
Detective Controls

Examples of detective controls include log monitoring, SIEM, trend analysis, security audits, video surveillance, and motion detection.

Log monitoring: log monitoring is a diagnostic method used to analyze real-time events or stored data to ensure application availability and to assess the impact of the change in state of an application's performance.

SIEM: a security information and event management (or SIEM) solution supports threat detection, compliance, and security incident management through the collection and analysis, both in near real time and historical, of security events as well as a wide variety of other event and contextual data sources.

Trend analysis: the practice of gathering information and attempting to identify a pattern in the information gathered from an application's log output. The output of the trend analysis is usually in a graphic or table form.

Security audit: a measurement that focuses on security standards, guidelines, and procedures, as well as the implementation of these controls. The security audit is usually conducted by trained third-party entities, or by internal resources in preparation for an external audit.

Video surveillance: a system that is capable of capturing digital images and videos that can be compressed, stored, or sent over communication networks for on-site or remote monitoring.

Motion detection: a device that utilizes a sensor to detect nearby motion. Such a device is often integrated as a component of a surveillance system that automatically performs a task or alerts a monitoring analyst of detected movement.
Corrective Controls

Examples of corrective controls include IPS, backups, and recovery systems.

IPS: an intrusion prevention system is a network security technology that monitors network traffic to detect anomalies in traffic flow. IPS security systems intercept network traffic and can quickly prevent malicious activity by dropping packets or resetting connections.

Backups and system recovery: backups and system recovery is the process of creating and storing copies of data that can be used to protect organizations against data loss.

Deterrent Controls

Deterrent controls reduce the likelihood of a deliberate attack and are usually in the form of a tangible object or person. Examples of deterrent controls include cable locks, hardware locks, video surveillance, and guards.

What Is The Difference Between Preventative And Detective Controls?

A preventative control is designed to be implemented prior to a threat event and reduce and/or avoid the likelihood and potential impact of a successful threat event. A detective control is designed to detect errors and locate attacks against information systems that have already occurred. The routine analysis of the detective control output provides input to further enhance the preventative control. The goal of continuous analysis is to prevent errors and irregularities from occurring in the first place.

Compensating Controls
An alternative method that is put in place to satisfy the requirement for a security measure that cannot be readily implemented due to financial or infrastructure constraints, or that is simply impractical to implement at the present time. The compensating control should meet the following criteria: meet the intent of the original control requirement, or provide a similar level of assurance.

Examples of compensating controls include:

Time-based one-time passwords (or TOTP): a temporary passcode generated by an algorithm that uses the current time of day as one of its authentication factors. Providing a new hire with a TOTP until authentication is fully delivered is an example of a compensating control.
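The TOTP algorithm just described, as an added Python example that is not part of the original video: the shared secret is HMAC'd with the current 30-second time step, and the verifier recomputes the same value. It uses the RFC 6238 test seed so the output can be checked against the published vectors.

```python
"""TOTP (RFC 6238) worked through in code.

Added example, not code from PurpleSec or the video. The seed below is the
RFC 6238 SHA-1 test secret, used so the output can be checked against the
published test vectors; a real deployment generates a random per-user seed.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30        # seconds per counter value (RFC 6238 default)
DIGITS = 6            # most authenticator apps display 6 digits


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter set to the current 30-second time step."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // TIME_STEP, digits)


def verify(secret: bytes, candidate: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current step and +/- `skew_steps` neighbours so that
    small clock drift between the token and the server does not lock users out.
    The comparison is constant-time so the check itself leaks nothing."""
    step = unix_time // TIME_STEP
    for delta in range(-skew_steps, skew_steps + 1):
        expected = hotp(secret, step + delta)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


RFC6238_SECRET = b"12345678901234567890"   # the RFC's SHA-1 test seed

if __name__ == "__main__":
    # RFC 6238 Appendix B vectors are 8-digit codes; the last six digits are
    # what a 6-digit authenticator app would show for the same moment.
    for t in (59, 1111111109, 1234567890):
        print(t, hotp(RFC6238_SECRET, t // TIME_STEP, 8), totp(RFC6238_SECRET, t))
    now = int(time.time())
    print("current code verifies:", verify(RFC6238_SECRET, totp(RFC6238_SECRET, now), now))
```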
Encryption: database security applications, email encryption, and other tools. An organization cannot encrypt all electronic data in a PCI assessment; to compensate, they may use other existing tools to implement encryption.

Performing A Security Control Assessment
A security control assessment is a critical component to measure the state and performance of an organization's security controls. Note the following definition of the security control assessment: the testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Testing of security controls is a critical component of the overall governance of an organization's information security management system. Depending upon the organization type, regulatory requirements mandate consistent and continuous assessments, whereas non-public organizations are not held to regulatory requirements. Today it is not only best practice to monitor security controls but a necessary requirement in order to keep systems secure and free from the target practice of hackers looking to penetrate any network that has weak security at the perimeter and internally.

Examples of security assessments include risk assessment, vulnerability assessment, and penetration testing.

Risk assessment: a risk assessment involves many steps and forms the backbone of your overall risk management plan. Risk assessments are important because they are used to identify assets or areas that present the highest risk, vulnerability, or exposure to the enterprise. It then identifies the risk that could affect those assets.

Vulnerability assessment: a vulnerability assessment refers to the process of identifying risks and vulnerabilities in computer networks, systems, hardware, applications, and other parts of the IT ecosystem. Vulnerability assessments are a critical component of the vulnerability management and IT risk management life cycles, helping protect systems and data from unauthorized access and data breaches. Vulnerability assessments typically leverage tools like vulnerability scanners to identify threats and flaws within an organization's IT infrastructure that represent potential vulnerabilities or risk exposures.
Penetration testing: penetration testing is a method for testing a web application, network, or computer system to identify security vulnerabilities that could be exploited. The primary objective for security as a whole is to prevent unauthorized parties from accessing, changing, or exploiting a network or system. It aims to do what a bad actor would do. The primary reason penetration tests are crucial to an organization's security is that they help personnel learn how to handle any type of break-in from a malicious entity. Pen tests serve as a way to examine whether an organization's security policies are genuinely effective; they serve as a type of fire drill for organizations. Penetration tests can also provide solutions that will help organizations to not only prevent and detect attackers, but also to expel such an intruder from their system in an efficient way.

Conclusion

In this video we have examined the three basic security controls: technical, administrative, and physical. Various critical sub-controls were also reviewed: deterrent, corrective, and compensating. Although it is important for security professionals to understand the definition of security controls, they must also recognize that the ultimate goal of implementing the controls is to strengthen the organization's defenses in order to reduce risk. Information security must be treated as a program which requires continuous monitoring in order to defend and protect its most valuable assets. Remain vigilant by incorporating the controls listed in this video and you will be equipped to support and contribute to the success of your organization's risk management program.