Security Controls - CompTIA Security+ SY0-701 - 1.1

00:01

If you've spent any amount of time in IT security,

00:04

you know there are many different security risks

00:06

that you need to prepare for.

00:08

The attackers are looking for different ways

00:11

to gain access to our systems.

00:12

And we need to find different ways to prevent them

00:15

from getting that access.

00:17

But of course, we're not just protecting data.

00:19

We're also protecting physical systems, buildings, people,

00:23

and everything in our organization.

00:26

In this video, we'll look at different security controls

00:29

and how they can be used to prevent events from occurring

00:32

in the first place.

00:33

We can minimize the impact of events

00:35

that ultimately do occur.

00:37

And in many cases, we can limit the damage

00:40

if someone does find a way into our computing environment.

00:44

Let's look at some very broad categories

00:47

of security controls.

00:48

The first category we'll look at are technical controls.

00:52

These are controls that we implement using

00:54

some type of technical system.

00:56

So if you're someone who is managing an operating system,

01:00

you might set up policies and procedures

01:02

within the operating system that would allow or disallow

01:06

different functions from occurring.

01:07

We can also put firewalls, antivirus,

01:10

and other types of software into this category

01:13

of technical controls.

01:15

As a security administrator, you'll

01:17

also want to create a series of policies that explain to people

01:21

the best way to manage their computers, their data,

01:24

or their other systems.

01:25

We refer to these as managerial controls.

01:28

So if you are creating a series of policies and procedures

01:32

or you're creating an official security policy documentation,

01:35

you'll often put these managerial controls inside

01:39

of your security policies.

01:40

You might also see these managerial controls implemented

01:43

into day-to-day processes as part of your standard operating

01:47

procedures.

01:49

Another important control category

01:50

are the operational controls.

01:52

Unlike using technology to manage these controls,

01:56

operational controls are using people

01:58

to be able to set these controls.

02:00

So if you have security guards at your place of work,

02:02

you're doing monthly lunch and learns,

02:04

or you have some type of posters or awareness program

02:07

at work to help explain the best practices for IT security,

02:12

then you can put these into the category

02:14

of operational controls.

02:16

And the last category that we have are physical controls.

02:19

As the name implies, these are controls

02:22

that would limit someone's physical access to a building,

02:25

a room, or a device.

02:27

This might be something like a guard shack.

02:29

So they can check everyone coming into a particular area.

02:32

Maybe there are fences and locks to keep people out.

02:35

Or maybe use badge readers to limit the access

02:39

into certain areas within your building.

02:41

So in this video, we'll focus on these four categories

02:45

of controls-- the technical, managerial,

02:48

operational, and physical.

02:49

And in this video, we'll look at a number of different control

02:53

types and determine where we would fit certain control

02:56

types into certain categories.

02:59

The first control type we'll look at

03:00

is a preventive control type.

03:02

This is a control type that limits someone access

03:05

to a particular resource.

03:07

You can think of this as something

03:09

like a firewall rule, which would prevent somebody

03:11

from gaining access to a particular area

03:14

of your network.

03:15

Or it may be something that's more tangible, such as a guard

03:18

shack checking everyone's identification

03:20

as they come into your facility.

03:23

A good way to test yourself with these different control types

03:25

is to determine what category will a certain type fit into.

03:30

So when we deal with preventive control types,

03:32

we can look at firewall rules.

03:34

And since those are handled at a technical level,

03:36

then those would fit into the technical category.

03:39

As we hire people, we may want to set a certain type of policy

03:43

for onboarding.

03:44

And those would be policies set as part

03:47

of a managerial category.

03:48

We've already mentioned a guard shack

03:50

checking everyone's identification.

03:52

And since that's done by a person,

03:54

we can fit that into an operational category.

03:57

And lastly, we have door locks, which

03:59

are physical devices preventing access to a room.

04:02

So that would fit into the physical category.

04:05

Another important control type is a deterrent.

04:08

And although a deterrent may not prevent someone

04:10

from accessing a resource, it may give them a discouragement

04:14

or have them think twice about the attack

04:17

that they're planning.

04:18

For example, when you start an application,

04:20

there may be a splash screen that

04:21

provides security information and restricts

04:24

people who are not authorized from gaining access

04:27

to that system.

04:28

Or there might be the threat of a demotion or a dismissal

04:31

if somebody gains access to data that they should not

04:34

be accessing.

04:35

There might also be a front reception desk

04:37

greeting everyone who walks in or warning signs telling people

04:41

that if they gain access to this facility

04:43

that there would be consequences.

04:45

These fit perfectly into our four categories.

04:48

A splash screen is a deterrent that fits

04:50

into the technical category.

04:52

A demotion is a managerial category.

04:55

The reception desk fits into the operational category.

04:58

And the warning signs are a physical deterrent.

05:02

A detective control type can identify and, in some cases,

05:06

warn us when a particular breach has occurred.

05:09

This may not prevent access.

05:11

But it would give us a warning and log information

05:14

about that particular attack.

05:16

An example of a detective control type

05:19

may be a process of collecting, reviewing,

05:21

and going through system logs.

05:23

Or you may be reviewing log-in reports about who's

05:26

gained access to your systems.

05:28

There might be someone patrolling the property,

05:30

looking for cases where someone might

05:32

have broken into your facility.

05:34

And you might have motion detectors

05:35

so that you're automatically notified

05:37

if something is moving in an area

05:40

where normally there should be no motion.

05:42

The system logs that are detailing everything that's

05:45

going on in your systems would fit

05:47

into the technical category.

05:49

Someone reviewing log-in reports every day or every week

05:52

would fit into the managerial category.

05:55

Someone patrolling the property would

05:57

be an operational category.

05:59

And then the motion detectors provide us

06:01

with a physical category.

06:03

If there is a notification that someone has breached a system

06:07

or gained access into a certain area of your business,

06:11

then you want to apply a corrective security control.

06:14

A corrective security control is something

06:16

that occurs after the event has been detected.

06:19

This is sometimes able to reverse the impact

06:22

of that particular event.

06:24

Or you may be able to continue operating

06:26

with your business with minimal downtime,

06:29

thanks to these corrective controls.

06:31

For example, if a computer has been infected with ransomware

06:35

and it has encrypted everything on that system

06:37

and made all of the data inaccessible,

06:39

you can simply erase everything on that computer

06:42

and restore it back to a known good system using your backups.

06:46

You might also want to create policies so

06:48

that if there are security issues

06:50

or something unusual that you see happen,

06:53

then those would be rolled up into an alert

06:56

or some type of notification.

06:58

And if you find that someone has jumped your fence

07:00

or they've tried to get in through a door

07:01

in your building, you may need to contact law enforcement

07:04

to be able to correct that particular incident.

07:07

And if something is caught on fire,

07:09

you can grab a fire extinguisher and make sure

07:11

that that fire doesn't spread any further, thereby correcting

07:15

that particular event.

07:17

And as you might expect, those are four events

07:20

that certainly fits into the four categories that we have.

07:23

For example, recovering from a backup

07:25

would be a technical category.

07:27

Being able to have policies for reporting issues

07:30

when they occur would be in the managerial category.

07:33

Contacting authorities for some type of legal issue

07:36

would be an operational category.

07:38

And your fire extinguisher is a physical category.

07:42

You might also find yourself in a situation

07:45

where a security event has occurred,

07:47

but you don't have the resources or means

07:49

to be able to reverse what that particular event has caused.

07:53

In those cases, you may want to use a compensating control

07:56

type, which provides you with using other means in a way

08:00

to control that particular security event.

08:02

This may be something you use on a temporary basis

08:05

until you're able to put together a plan to resolve

08:08

the overall security incident.

08:10

For example, you might have an application

08:12

that is important for your organization.

08:14

But the application developer has told you

08:16

that they've identified a significant security

08:18

vulnerability in that software.

08:20

Since the application developer is

08:22

going to provide you with a patch sometime in the future,

08:25

you may want to set some type of firewall rule today that

08:29

would prevent somebody from exploiting

08:31

that particular vulnerability.

08:33

Or this might be a case where you

08:34

can separate different duties between different individuals

08:38

and limit the scope of any type of security concern.

08:41

Or you might have multiple security guards

08:43

all working at the same time to make sure

08:46

that no single security guard has

08:48

complete access to everything in your environment.

08:51

And if you lose power in your building,

08:53

you might want to have a generator so that while you're

08:56

waiting for main power to be restored,

08:58

you can compensate by turning on your generator.

09:01

Those are our four different categories

09:03

of a compensating control.

09:05

We have a technical category of blocking that traffic

09:08

instead of patching the application.

09:10

There may be a separation of duties for the people

09:12

that work in your organization.

09:14

And that fits into the managerial category.

09:16

You might require multiple security staff

09:19

working simultaneously.

09:20

And that would be the operational category.

09:23

And lastly, having a power generator

09:25

to compensate for a power outage fits

09:27

into the physical category.

09:29

The last control type we'll look at is a directive control type.

09:34

This is a relatively weak security control

09:36

because it is one where you are directing someone

09:39

to do something more secure rather than less secure.

09:43

For example, you may require everyone

09:45

to store sensitive information into a protected and encrypted

09:49

folder on their system.

09:51

This requires the user to make a decision

09:53

about what data may be sensitive and what

09:55

data may be nonsensitive.

09:57

And then they are directed to store the sensitive information

10:00

in the protected folder.

10:02

As part of our security policies,

10:03

we may want to add compliance policies and procedures so

10:06

that everyone understands the proper processes to use

10:10

for security in your environment.

10:12

You might also train users on what the proper security

10:15

policies might be.

10:16

And another example of a directive control

10:19

may be a sign that you put on a door that says

10:21

"authorized personnel only."

10:23

There might not be a lock on the door.

10:25

But the sign saying "authorized personnel only"

10:28

directs people to either enter or not

10:31

enter that particular door.

10:33

So to summarize these, our file storage policies

10:36

will direct people to this technical category.

10:40

A compliance policy fits into a managerial category.

10:43

Someone performing a security policy training course

10:47

would be a directive control type fitting

10:49

into the operational category.

10:51

And a sign on a door that says "authorized personnel only"

10:54

fits into the physical category.

10:57

The examples I provided for the different security

10:59

controls and the categories where they fit

11:02

are simply one single example.

11:04

And you can probably think of a number of different examples

11:07

that you could fit into any of those squares in our matrix.

11:11

You could probably also think of different security controls

11:14

that might fit into a different category of control

11:17

or a different type of control.

11:19

You might also find as our technology changes

11:22

and our security processes evolve

11:24

that there might be new control types that we

11:26

could fit into our chart.

11:28

And of course, not everybody uses the same security

11:31

controls.

11:32

So the ones that you use in your organization

11:34

may be very different than someone else's organization.