The 3 Types Of Security Controls (Expert Explains) | PurpleSec

00:01

security controls play a foundational

00:03

role in shaping the actions cyber

00:04

security professionals take to protect

00:07

an organization the lack of security

00:09

controls place the confidentiality

00:12

integrity and availability of

00:14

information at risk

00:16

these risks also extend to the safety of

00:18

people and assets within

00:20

an organization in this video i'm going

00:23

to explain what a security control is

00:25

and the differences between each type

00:28

next i'll discuss the goals that each

00:30

control is meant to achieve

00:31

with examples along the way by the end

00:35

you'll have a better understanding of

00:36

the basic security controls

00:38

in cyber security what is a security

00:42

control

00:45

security controls are countermeasures or

00:47

safeguards

00:48

used to reduce the chances that a threat

00:50

will exploit a vulnerability

00:52

for example implementing company-wide

00:55

security awareness training to minimize

00:57

the risk

00:58

of a social engineering attack on your

01:00

network people

01:01

and information systems the act of

01:04

reducing risk

01:05

is also called risk mitigation

01:10

while it's next to impossible to prevent

01:13

all threats

01:14

mitigation seeks to decrease the risk by

01:16

reducing the chances that a threat will

01:18

exploit a vulnerability

01:21

risk mitigation is achieved by

01:23

implementing different types of security

01:25

controls

01:26

depending on the goal of the

01:28

countermeasures or safeguards

01:30

the level to which the risk needs to be

01:32

minimized

01:33

the severity of damage the threat can

01:35

inflict

01:38

what are the goals of security controls

01:42

the overall purpose of implementing

01:44

security controls as previously

01:46

mentioned

01:47

is to help reduce risks in an

01:49

organization

01:50

in other words the primary goal of

01:52

implementing security controls is to

01:54

prevent or reduce the

01:56

impact of a security incident the

01:59

effective implementation of a security

02:01

control

02:01

is based on its classification in

02:04

relation to the security incident

02:06

the common classification types are

02:09

listed below

02:10

along with their corresponding

02:11

description

02:13

preventative controls attempt to prevent

02:16

an incident from occurring

02:17

detective controls attempt to detect

02:20

incidents

02:21

after they have occurred corrective

02:23

controls attempt to reverse the impact

02:25

of an incident

02:27

deterrent controls attempt to discourage

02:29

individuals from causing an

02:30

incident compensating controls are

02:33

alternative controls used

02:35

when a primary control is not feasible

02:39

implementing the controls listed is no

02:42

trivial matter

02:43

for example an organization that places

02:46

a high priority on reducing risk

02:48

usually has a risk profile which

02:50

illustrates the potential cost

02:52

of a negatively impacting risk and the

02:54

human resources required

02:56

to implement the controls

03:00

layering is an approach that combines

03:02

multiple security controls to develop

03:04

what's called

03:05

a defense in depth strategy defense and

03:08

depth

03:09

is a common strategy used in cyber

03:11

security whereby multiple layers of

03:14

controls are implemented

03:17

by combining controls into multiple

03:18

layers of security

03:20

you ensure that if one layer fails to

03:22

counteract a threat

03:23

that other that that other layers will

03:26

help to prevent

03:27

a breach in your systems each layer of

03:30

security works to counteract specific

03:33

threats

03:33

which requires cybersecurity programs to

03:36

invest in multiple technologies

03:38

and processes to prevent systems or

03:40

people

03:41

from compromise for example

03:44

endpoint detection and response

03:46

solutions are great at preventing

03:48

viruses

03:49

and malware from infecting computers and

03:51

servers

03:52

however endpoint detection is not

03:55

equipped

03:55

to log and monitor traffic on a network

03:58

like a sin

03:59

or detect and prevent an attack in real

04:01

time like an ips

04:03

before we dive into control types it's

04:05

important to first understand the cyber

04:07

risks and threats they help to mitigate

04:11

understanding the basics of risks and

04:13

threats

04:16

risks risks in cyber security are the

04:19

likelihood that a threat will exploit a

04:20

vulnerability

04:21

resulting in a loss losses could be

04:24

information

04:25

financial damage to reputation and even

04:28

harm

04:29

customer trust threats

04:32

threats are any event with the potential

04:34

to compromise the confidentiality

04:36

integrity and availability or cia of

04:39

information threats come from outside an

04:42

organization and from anywhere in the

04:44

world

04:44

connected to the internet insiders

04:48

such as disgruntled employee with too

04:50

much access

04:51

or a malicious insider also pose a

04:53

threat to businesses

04:55

no insider threats are not always

04:57

malicious for example

04:58

an employee clicking on a phishing email

05:00

that installs malware

05:02

does not mean the employee intended to

05:04

cause harm

05:05

finally threats may also take the form

05:07

of a natural disaster or a man-made risk

05:10

such as a new malware variant

05:13

vulnerabilities

05:14

vulnerabilities are a weakness or flaw

05:16

in software hardware or

05:18

organizational processes which when

05:20

compromised by a threat

05:22

can result in a security incident

05:27

security incidents are an occurrence

05:29

that actually or potentially

05:31

jeopardizes the confidentiality

05:33

integrity or availability of an

05:35

information system

05:36

or the information the system processes

05:39

stores or transmits or that constitutes

05:42

a violation or

05:43

imminent threat of violation of security

05:46

policies

05:47

security procedures or acceptable use

05:50

policies

05:52

now that we have a better understanding

05:53

of basic risk concepts

05:55

let's explore how security controls are

05:57

implemented

05:59

technical security controls

06:04

at the most basic level technical

06:06

controls also known as logic controls

06:08

use technology to reduce vulnerabilities

06:10

in hardware and software

06:12

automated software tools are installed

06:14

and configured to protect these assets

06:17

examples of technical controls include

06:20

encryption

06:21

antivirus and anti-malware software

06:24

firewalls security information and event

06:27

management or sims

06:29

intrusion detection systems or idss

06:32

and intrusion prevention systems ipss

06:37

technical control types and

06:38

implementation methods

06:40

below are two common examples of

06:42

technical control types

06:45

access control lists or acls are network

06:48

traffic filters

06:50

that can control incoming or outgoing

06:52

traffic

06:53

acls are common in routers or firewalls

06:56

but they can also be configured in any

06:57

device that runs in the network

07:00

from hosts network devices and servers

07:04

configuration rules are instructional

07:06

codes

07:07

that guide the execution of the system

07:09

when information is passing through it

07:11

network equipment vendors have

07:13

proprietary configuration rules

07:15

that manage the operation of their acl

07:18

objects

07:20

administrative security controls

07:24

administrative security controls refer

07:26

to policies procedures or guidelines

07:28

that define personal or business

07:30

practices in accordance with the

07:32

organization's security goals

07:35

many organizations today implement some

07:37

type of onboarding process to introduce

07:40

you to the company

07:41

and provide you with a history of the

07:42

organization

07:44

during the onboarding process you may be

07:46

instructed to review

07:47

and acknowledge the security policy of

07:49

the organization

07:51

by acknowledging that you have read the

07:52

policies of the organization as a new

07:54

hire

07:55

you are then accountable to adhere to

07:57

the corporate policy

07:58

of the organization in order to

08:01

implement the administrative controls

08:03

additional security controls are

08:05

necessary for continuous monitoring and

08:07

enforcement

08:08

the process that monitor and enforce the

08:10

administrative controls are

08:13

management controls which are security

08:15

controls

08:16

that focus on the management of

08:18

information system security

08:21

operational controls are security

08:23

controls that are primarily implemented

08:25

and executed by people as opposed to

08:28

systems

08:30

for example a security policy is a

08:32

management control but its security

08:34

requirements are implemented by people

08:36

or operational controls and systems or

08:39

technical controls an organization may

08:42

have an acceptable use policy that

08:44

specifies the conduct of users

08:47

including not visiting malicious

08:48

websites the security control to monitor

08:51

and enforce

08:52

could be in the form of a web content

08:54

filter which can enforce the policy

08:56

and log simultaneously

08:59

the remediation of a phishing attack is

09:02

another example that employs a

09:03

combination of management and operation

09:05

controls

09:07

security controls to help attorne

09:09

phishing besides the management control

09:11

of the acceptable use policy itself

09:13

include operational controls such as

09:16

training users

09:17

not to fall for phishing scams and

09:19

technical controls

09:20

that monitor emails and website usage

09:22

for signs of phishing activity

09:26

physical security controls

09:29

physical controls are the implementation

09:31

of security measures

09:33

in a defined structure used to deter or

09:35

prevent

09:36

unauthorized access to sensitive

09:38

material

09:39

examples of physical controls are closed

09:42

circuit surveillance cameras

09:44

motion or thermal alarm systems security

09:48

guards

09:48

picture ids locked and dead bolted steel

09:51

doors

09:52

biometrics including voice face iris or

09:56

handwriting and other automated methods

09:58

used to recognize individuals

10:01

preventative controls

10:04

examples of preventative controls

10:06

include hardening

10:08

security awareness training security

10:10

guards

10:11

change management and account

10:13

disablement policy

10:15

hardening the process of reducing

10:18

secured exposure and tightening security

10:20

controls

10:22

security awareness training the process

10:24

of providing formal cyber security

10:26

education to your workforce

10:28

about a variety of information security

10:30

threats and your company's policies

10:32

and procedures for addressing them

10:35

security guards

10:36

a person employed by a public or private

10:38

company to protect the organization's

10:41

assets

10:41

security guards are frequently

10:43

positioned as the first line of defense

10:45

for businesses against external threats

10:47

intrusions and vulnerabilities to the

10:49

property and its dwellers

10:52

change management the methods and

10:54

manners in which a company describes and

10:56

implements change within both its

10:58

internal and external

11:00

processes this includes preparing and

11:02

supporting employees

11:03

establishing the necessary steps for

11:05

change and monitoring pre and post

11:08

change activities

11:09

to ensure successful implementation

11:13

account disablement policy a policy that

11:16

defines what to do

11:17

with users access accounts for employees

11:20

who leave voluntarily

11:22

immediately terminates or on a leave of

11:25

absence

11:26

detective controls

11:30

examples of detective controls include

11:32

log monitoring

11:34

sim trend analysis security audits

11:38

video surveillance and motion detection

11:41

log monitoring log monitoring is a

11:44

diagnostic method used to analyze

11:46

real-time events or stored data

11:48

to ensure application availability and

11:51

to assess the impact of the change in

11:53

state of an application's performance

11:56

sim a security information and event

11:59

management

12:00

or sim solution supports threat

12:02

detection

12:03

compliance and security incident

12:05

management through the collection and

12:07

analysis

12:08

both in near real time and historical

12:11

of security events as well as a wide

12:13

variety of other event and contextual

12:15

data sources

12:18

trend analysis the practice of gathering

12:21

information

12:22

and attempting to identify a pattern in

12:24

the information gathered from an

12:25

application's log output

12:27

the output of the trend analysis is

12:29

usually in a graphic

12:30

or table form security audit

12:34

a measurement that focuses on security

12:37

standards

12:38

guidelines and procedures as well as the

12:40

implementation of these controls

12:42

the security audit is usually conducted

12:44

by trained third-party entities

12:47

or by internal resources in preparation

12:49

for an external audit

12:52

video surveillance a system that is

12:54

capable of capturing digital

12:56

images and videos that can be compressed

12:59

stored or sent

13:00

over communication networks for on-site

13:03

or remote

13:04

monitoring motion detection a device

13:07

that utilizes a sensor to detect nearby

13:10

motion

13:10

such as a device is often integrated as

13:13

a component for a surveillance system

13:16

that automatically performs a task or

13:18

alerts a monitoring

13:19

analysts of detected movement

13:22

corrective controls

13:25

examples of corrective controls include

13:27

ips

13:28

backups and recovery systems

13:32

ips an intrusion prevention system

13:35

is a network security technology that

13:37

monitors network traffic to detect

13:39

anomalies and traffic flow ips security

13:42

systems intercept network traffic

13:44

and can quickly prevent malicious

13:46

activity by dropping packets

13:48

or resetting connections backups and

13:51

system recovery

13:53

backups and system recovery is the

13:54

process of creating and storing copies

13:56

of data

13:57

that can be used to protect

13:58

organizations against data loss

14:02

deterrent controls deterrent controls

14:06

reduce the likelihood of a deliberate

14:08

attack

14:08

and is usually in the form of a tangible

14:10

object or person

14:12

example of deterrent controls include

14:14

cable locks

14:15

hardware locks and video surveillance

14:18

and guards

14:19

what is the difference between

14:20

preventative and detective controls

14:24

a preventative control is designed to be

14:26

implemented prior to a threat event

14:28

and reduce and or avoid the likelihood

14:32

and potential impact of a successful

14:34

threat event

14:36

a detective control is designed to

14:38

detect errors

14:39

and locate attacks against information

14:41

systems that have already occurred

14:44

the routine analysis of the detective

14:46

control output

14:47

provides input to further enhance the

14:49

preventative control

14:51

the goal of continuous analysis is to

14:54

prevent

14:54

errors and irregularities from occurring

14:57

in the first

14:58

place compensating controls

15:03

an alternative method that is put in

15:05

place to satisfy the requirement for

15:07

security measure

15:08

that cannot be readily implemented due

15:10

to financial

15:11

infrastructure or simply impractical to

15:14

implement at the present time

15:16

the compensating control should meet the

15:18

following criteria

15:20

meet the intent of the original control

15:22

requirement or

15:24

provide a similar level of assurance

15:28

examples of compensating controls

15:30

include

15:31

time-based one-time passwords or totp

15:35

a temporary passcode generated by an

15:37

algorithm

15:38

that uses the current time of day as one

15:40

of its authentication factors

15:42

providing a new hire with the totp until

15:46

authentication fully delivered is an

15:48

example of a compensating control

15:51

encryption database security

15:54

applications

15:55

email encryption and other tools an

15:58

organization

15:59

cannot encrypt all electronic data in a

16:01

pci assessment

16:02

to compensate they may use other

16:04

existing tools to implement

16:06

encryption performing a security control

16:10

assessment

16:13

a security control assessment is a

16:15

critical component

16:16

to measure the state and performance of

16:18

an organization's security controls

16:20

note the following definition of the

16:22

security control assessment

16:24

the testing and or evaluation of the

16:27

management

16:28

operational and technical security

16:30

controls in an information system

16:32

to determine the extent to which the

16:34

controls are implemented correctly

16:36

operating as intended and producing the

16:39

desired

16:39

outcome with respect to meeting the

16:42

security requirements

16:43

for the system testing of security

16:46

controls is a critical component of the

16:48

overall governance of an organization's

16:50

information security management system

16:53

depending upon the organization type

16:55

regulatory requirements

16:57

mandate consistent and continuous

16:59

assessments whereas

17:00

non-public organizations are not held to

17:02

regulatory

17:03

requirements today it is not only best

17:07

practice to monitor security controls

17:09

but a necessary requirement

17:11

in order to keep systems secure and free

17:13

from target practice of hackers

17:15

looking to penetrate any network that

17:17

has weak security at the perimeter

17:19

and internally examples of security

17:22

assessments include

17:24

risk assessment vulnerability assessment

17:27

and penetration testing

17:29

a risk assessment involves many steps

17:31

and forms

17:32

the backbone of your overall risk

17:34

management plan

17:36

risk assessments are important because

17:38

they are used to identify assets or

17:40

areas

17:41

that present the highest risk

17:43

vulnerability or exposure

17:45

to the enterprise it then identifies the

17:48

risk

17:49

that could affect those assets

17:52

vulnerability assessments a

17:54

vulnerability assessment

17:56

refers to the process of identifying

17:58

risks and vulnerabilities

17:59

in computer networks systems hardware

18:02

applications and other parts of the ite

18:05

ecosystem

18:06

vulnerability assessments are a critical

18:08

component of the vulnerability

18:10

management and i.t risk management life

18:12

cycles

18:13

helping protect systems and data from

18:15

unauthorized access

18:17

and data breaches vulnerability

18:19

assessments typically leverage tools

18:20

like vulnerability scanners to identify

18:22

threats and flaws within an

18:24

organization's it infrastructure

18:26

that represents potential

18:27

vulnerabilities or risk exposures

18:31

penetration testing is a method for

18:33

testing a web application

18:35

network or computer system to identify

18:37

security vulnerabilities that could be

18:39

exploited

18:40

the primary objective for security as a

18:42

whole is to prevent

18:44

unauthorized parties from accessing

18:46

changing or exploiting a network or

18:48

system

18:49

it aims to do what a bad actor would do

18:53

the primary reason penetration tests are

18:56

crucial

18:57

to an organization's security is that

18:59

they help personnel

19:00

learn how to handle any type of break-in

19:03

from a malicious

19:04

entity pen tests serve as a way to

19:06

examine whether an organization's

19:08

security policies are genuinely

19:10

effective

19:11

they serve as a type of fire drill for

19:13

organizations

19:14

penetration tests can also provide

19:17

solutions that will help organizations

19:19

to not only prevent

19:20

and detect attackers but also to expel

19:22

such an intruder from their system in an

19:24

efficient way

19:27

conclusion in this video we have

19:31

examined the three basic security

19:33

controls

19:34

technical administrative and physical a

19:36

review of various

19:38

critical sub controls was also reviewed

19:41

deterrent

19:42

corrective and compensating although it

19:44

is important for security professionals

19:46

to understand the definition of security

19:47

controls

19:48

they must also recognize that the

19:50

ultimate goal of implementing the

19:52

controls

19:53

is to strengthen the organization's

19:54

defenses in order to reduce

19:56

risk information security must be

19:59

treated as a program

20:00

which requires continuous monitoring in

20:03

order to defend and protect

20:04

its most valuable assets remain vigilant

20:08

by incorporating the controls listed

20:10

in this video and you will be equipped

20:12

to support and contribute to the success

20:14

of your organization's risk management

20:17

program