Module 4: Security Controls

Glossary of Terms

Security Control: A measure or safeguard put in place to protect systems and data from threats, reduce vulnerabilities, and minimize the impact of an attack.

Threat: Any potential danger or harmful event that can exploit a vulnerability. Examples include a malicious actor, malware, or a natural disaster.

Vulnerability: A weakness or gap in a system's security posture that could be exploited by a threat. Examples include unpatched software, weak passwords, or misconfigured permissions.

Risk: The likelihood that a threat will exploit a vulnerability, combined with the potential impact or damage it could cause. Often expressed as Risk = Likelihood x Impact (or, in some models, Risk = Threat x Vulnerability x Impact).

Technical Control: A control implemented using technology, such as firewalls, encryption, and antivirus software.

Managerial Control: A high-level control that involves policies, procedures, and strategic decisions made by management, such as risk assessments and security training programs.

Operational Control: A control implemented by people through day-to-day procedures and practices, such as data backups, change management, and incident handling.

Physical Control: A tangible measure to protect physical assets like facilities and hardware, such as locks, security guards, and surveillance cameras.

Preventive Control: A control designed to stop a security incident before it happens. Example: A firewall blocking malicious traffic.

Detective Control: A control designed to identify and alert on a security incident that has already occurred or is in progress. Example: An Intrusion Detection System (IDS) sending an alert.

Corrective Control: A control designed to restore a system after a security incident has occurred. Example: Restoring data from a backup after a ransomware attack.

Deterrent Control: A control designed to discourage potential attackers through psychological means. Example: A "Protected by Video Surveillance" sign.

Directive Control: A control that mandates specific behaviors through policies and procedures. Example: An Acceptable Use Policy.

Compensating Control: An alternative control used when a primary control is not feasible. Example: Using network isolation and enhanced monitoring when a system cannot be patched.

Defense-in-Depth: A security strategy that uses multiple layers of diverse security controls to protect an asset. If one layer fails, another is in place to stop the attack.

Hardening: The process of securing a system by reducing its attack surface. This includes disabling unnecessary services, applying patches, and enforcing strong configurations.

Penetration Testing: Also known as ethical hacking, a simulated, authorized cyberattack against your own systems to check for exploitable vulnerabilities.

Risk Fundamentals

Threats, Vulnerabilities, and Risk

Understanding the relationship between these three concepts is the foundation of cybersecurity strategy.

  • Threat: The potential for harm. A threat is the "who" or "what" that could cause damage.
    Example: A hacker, a piece of malware, or a flood.
  • Vulnerability: A weakness or flaw. A vulnerability is the "how" a threat could cause damage.
    Example: Unpatched software, a weak password, or a server room in a basement.
  • Risk: The likelihood of a threat exploiting a vulnerability and the resulting impact.
    Example: The risk of a data breach is high if a hacker (threat) targets your unpatched web server (vulnerability).

The Four Strategies of Risk Mitigation

Once a risk is identified, organizations must decide how to handle it. There are four primary strategies:

  • Acceptance: Acknowledging a risk and choosing not to take action, usually because the cost of mitigation outweighs the potential impact. An accepted risk should still be recorded with an owner and a review date, so that acceptance is a decision rather than an oversight.
    SpaceX accepted the risk of failure in its early rocket launches as a necessary part of the innovation process.
  • Avoidance: Eliminating a risk by not engaging in the activity that creates it.
    Apple avoids certain data breach risks by designing systems that limit the amount of user data stored on their servers.
  • Transfer: Shifting the financial impact of a risk to a third party, most commonly through insurance or through contract terms with a vendor. Transfer moves the cost, not the accountability: the organization still answers for a breach of its data.
    After its massive data breach, Target transferred some of the financial risk by using insurance to cover a portion of the costs from lawsuits and settlements.
  • Reduction (Mitigation): Implementing security controls to reduce the likelihood or impact of a risk.
    Google actively reduces its risk of cyberattacks by implementing robust security measures like encryption, regular patching, and employing security researchers.

Control Categories

The Four Categories of Controls

Security controls can be grouped into four main categories based on their nature and how they are implemented.

Analogy - Securing a Grocery Store:
  • Technical Controls: Alarm systems that detect unauthorized entry (software/hardware-based).
  • Managerial Controls: The store's policy on which employees are allowed in the cash office (strategic/policy-based).
  • Operational Controls: The daily procedure for employees to lock the doors and set the alarm at closing time (people/process-based).
  • Physical Controls: Surveillance cameras, locks on the doors, and security guards (tangible measures).

A Deeper Look at the Categories

  • Technical (or Logical) Controls: These controls use technology to protect systems. They are implemented through hardware or software, such as firewalls, encryption, antivirus software, and Intrusion Detection Systems (IDS).
  • Managerial (or Administrative) Controls: These are high-level controls that focus on strategy, governance, and risk management. They include security policies, risk assessments, third-party vendor management, and security awareness training.
    Case Study: In the 2013 Target data breach, attackers first compromised a third-party HVAC vendor and then used that vendor's network credentials to get into Target's environment. This highlighted a failure in Target's managerial controls related to third-party risk management.
  • Operational Controls: These are the day-to-day procedures and practices implemented by people to enforce security policies. Examples include data backup procedures, change management processes, and incident handling.
  • Physical Controls: These are tangible measures used to protect facilities, hardware, and other physical assets. Examples include locks, fences, security guards, fire suppression systems, and surveillance cameras.

Proactive Control Types: Preventing & Deterring

Preventive Controls

Preventive controls are designed to stop a security incident before it can happen. They are the first line of defense.

  • Hardening & Patching: The process of making systems more secure by reducing their attack surface. This includes applying security patches, disabling unneeded services, and enforcing secure configurations.
    Case Study: The 2017 WannaCry ransomware worm spread through a flaw in Windows SMBv1 (MS17-010) that Microsoft had patched about two months earlier; it primarily hit organizations that had not yet applied that patch. A basic preventive control (timely patching) would have stopped a global incident.
  • Security Awareness Training: Educating employees to recognize and avoid threats like phishing reduces the risk of human error.
  • Firewalls & Intrusion Prevention Systems (IPS): Firewalls act as a barrier to block unauthorized traffic, while an IPS actively monitors the network and can automatically block detected threats.
  • Change Management: A formal process for managing changes to IT systems to ensure they don't introduce new vulnerabilities.
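Hardening is easiest to understand as a check that can be run, not only a principle. The following is an added example (it is not part of the course material): it audits an OpenSSH server configuration against a small baseline and shows a weak sshd_config beside its hardened form. The baseline values and both sample configurations are assumptions, modelled on common hardening guidance; the sshd defaults come from sshd_config(5) for current OpenSSH releases.

```python
"""Hardening baseline check for OpenSSH server configuration.

Added example, not part of the course material. It audits an sshd_config
against a small assumed baseline and shows a weak configuration beside its
hardened form. The baseline values are assumptions modelled on common
hardening guidance; adjust them to your own policy.
"""
import re
from typing import Dict, List, Set, Tuple

# directive -> (accepted values, why it matters). Values compared case-insensitively.
BASELINE: Dict[str, Tuple[Set[str], str]] = {
    "PermitRootLogin": ({"no"}, "administer via named accounts and sudo, not root"),
    "PasswordAuthentication": ({"no"}, "keys only; passwords can be brute-forced"),
    "PermitEmptyPasswords": ({"no"}, "an empty password is no authentication"),
    "X11Forwarding": ({"no"}, "unneeded feature; disable unless required"),
    "MaxAuthTries": ({"1", "2", "3", "4"}, "limit guesses per connection"),
    "LogLevel": ({"info", "verbose"}, "keep enough logging for detective controls"),
}

# Values sshd uses when a directive is absent (per sshd_config(5) for current OpenSSH).
DEFAULTS: Dict[str, str] = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
    "LogLevel": "info",
}

_CANONICAL = {name.lower(): name for name in BASELINE}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global value of each baseline directive.

    Mirrors sshd's rules: keywords are case-insensitive, the first occurrence
    of a directive wins, '#' starts a comment, and everything after the first
    'Match' block applies only conditionally, so it is not read here.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword in _CANONICAL and len(parts) == 2:
            settings.setdefault(_CANONICAL[keyword], parts[1].strip())
    return settings


def audit(text: str) -> List[Dict[str, str]]:
    """Compare effective settings (explicit or sshd default) against BASELINE."""
    explicit = parse_sshd_config(text)
    findings: List[Dict[str, str]] = []
    for directive, (accepted, reason) in BASELINE.items():
        if directive in explicit:
            value, source = explicit[directive], "explicit"
        else:
            value, source = DEFAULTS[directive], "default"
        if value.lower() not in accepted:
            findings.append({"directive": directive, "value": value,
                             "source": source, "reason": reason})
    return findings


# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """\
# weak: root and password logins allowed, generous guess budget
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 10
"""

HARDENED_CONFIG = """\
# hardened: keys only, no root, few guesses, verbose logging
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
LogLevel VERBOSE
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f['directive']} = {f['value']} ({f['source']}): {f['reason']}")
```

Two details matter in practice. A directive that is simply absent is evaluated against the daemon's default, which is why a bare configuration still produces findings: hardening means setting values explicitly, not trusting defaults. And the parser stops at the first Match block, because settings inside it apply only to matching users or addresses and should be reviewed separately.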

Deterrent & Directive Controls

  • Deterrent Controls: These controls are designed to discourage potential attackers through psychological means. Their goal is to make an attacker think twice. Examples include warning signs, visible security cameras, and policies outlining severe penalties for security violations.
  • Directive Controls: These controls mandate specific actions and behaviors through formal policies and procedures. They provide guidance to ensure compliance. Examples include an Acceptable Use Policy (AUP), security standards, and legal regulations like HIPAA or GDPR.

Reactive Control Types: Detecting & Correcting

Detective Controls

Detective controls are used to identify and alert on security incidents that are in progress or have already occurred. They are crucial for timely incident response.

  • Log Monitoring & SIEM: A Security Information and Event Management (SIEM) system collects and correlates log data from across the network to detect suspicious patterns and generate alerts.
  • Intrusion Detection Systems (IDS): An IDS is a passive system that monitors network traffic and alerts administrators when it detects a potential threat. Unlike an IPS, it does not block the threat itself.
  • Security Audits & Video Surveillance: Regular audits check for policy violations and security gaps, while video surveillance can provide evidence of a physical breach after the fact.
Case Study: During the 2013 Target data breach, the company's detective controls did work: its malware-detection appliance raised alerts on the attackers' activity, and the outsourced monitoring team escalated them to Target's security staff. However, because of a failure in operational processes, the alerts were not acted on, and the attack continued for weeks. A detection that nobody responds to provides no protection.
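The correlation a SIEM performs can be shown on a handful of log lines. The following is an added example (it is not from the course material or any SIEM product): it parses constructed sshd syslog lines and fires two alerts, one when a single source produces repeated failed logins inside a time window, and a higher-severity one when that same source then logs in successfully. The log lines, host names, addresses (RFC 5737 documentation ranges) and the assumed year are all constructed.

```python
"""SIEM-style correlation rule for SSH brute force, run over sample log lines.

Added example, not from the course material or any SIEM product. It parses
constructed sshd syslog lines and fires two alerts: repeated failures from one
source within a time window, and a successful login from a source that had
just been failing. Syslog timestamps carry no year, so one is assumed.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Optional, Set

ASSUMED_YEAR = 2024  # assumption: syslog lines omit the year

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    outcome: str  # "Failed" or "Accepted"
    user: str
    ip: str


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    ip: str
    ts: datetime
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Extract an auth event from one sshd syslog line; None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return Event(ts, m["host"], m["outcome"], m["user"], m["ip"])


def detect(lines: Iterable[str], threshold: int = 5, window_s: int = 60) -> List[Alert]:
    """Correlate failures per source IP over a sliding window (lines must be in time order)."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_alerted: Set[str] = set()  # one brute-force alert per burst, not one per failure
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev.ip]
        while recent and (ev.ts - recent[0]).total_seconds() > window_s:
            recent.popleft()  # expire failures that fell out of the window
        if ev.outcome == "Failed":
            recent.append(ev.ts)
            if len(recent) >= threshold and ev.ip not in already_alerted:
                already_alerted.add(ev.ip)
                alerts.append(Alert("ssh_brute_force", "medium", ev.ip, ev.ts,
                                    f"{len(recent)} failed logins within {window_s}s"))
        else:
            if len(recent) >= threshold:
                alerts.append(Alert("ssh_success_after_brute_force", "high", ev.ip, ev.ts,
                                    f"accepted login as {ev.user} after {len(recent)} failures"))
            recent.clear()
            already_alerted.discard(ev.ip)  # a later burst from this source should alert again
    return alerts


# Constructed sample log (RFC 5737 documentation addresses; not real traffic).
SAMPLE_LOGS = [
    "Jan 12 03:14:01 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2",
    "Jan 12 03:14:07 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51030 ssh2",
    "Jan 12 03:14:13 web1 sshd[2212]: Failed password for root from 203.0.113.45 port 51041 ssh2",
    "Jan 12 03:14:19 web1 sshd[2213]: Failed password for deploy from 203.0.113.45 port 51055 ssh2",
    "Jan 12 03:14:25 web1 sshd[2214]: Failed password for deploy from 203.0.113.45 port 51063 ssh2",
    "Jan 12 03:14:31 web1 sshd[2215]: Failed password for deploy from 203.0.113.45 port 51077 ssh2",
    "Jan 12 03:14:40 web1 sshd[2216]: Accepted password for deploy from 203.0.113.45 port 51090 ssh2",
    "Jan 12 03:20:00 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "Jan 12 03:20:05 web1 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2: RSA SHA256:constructed",
    "Jan 12 03:20:05 web1 sshd[2301]: pam_unix(sshd:session): session opened for user alice(uid=1001) by (uid=0)",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"[{a.severity.upper()}] {a.ts} {a.rule} {a.ip}: {a.detail}")
```

Run on the sample, the rule raises a medium alert at the fifth failure from 203.0.113.45 and a high alert when that address then authenticates as deploy; alice's single typo followed by a key-based login raises nothing. The threshold and window are tuning knobs, and the Target case above is the reminder that the second half of the control, someone receiving and acting on the high-severity alert, is what turns detection into protection.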

Corrective & Compensating Controls

  • Corrective Controls: These controls are implemented after an incident to fix the damage and restore systems to normal. The goal is to correct the problem and prevent it from happening again.
    Case Study: After the shipping giant Maersk was crippled by the NotPetya malware in 2017, its recovery was a massive corrective action: the company rebuilt its entire global Windows estate in roughly ten days. Restoring Active Directory was possible only because a single domain controller in its Ghana office had been offline during a power cut when the malware hit, and so survived intact.
  • Compensating Controls: These are alternative measures used when a primary control cannot be applied. For example, if a legacy system cannot be patched (the preventive control is unavailable), a compensating control is to place it on an isolated network segment with a strict allowlist of which hosts may reach it, and to apply enhanced monitoring (a detective control). A compensating control should be documented together with the risk it covers and revisited when the primary control becomes possible.
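What "isolated segment plus enhanced monitoring" looks like in a rule set, as an added example that is not part of the course material: an nftables policy applied on the unpatchable legacy host itself (in practice the same allowlist would also be enforced on the segment's gateway firewall). Every address, port and the syslog destination below is an assumption for illustration; the legacy service is taken to listen on TCP 8443, to be administered only from one jump host, and to need a database and a log collector and nothing else.

```nft
# Added example, not from the course material. Assumed addresses:
#   legacy host           10.20.5.17   (cannot be patched)
#   management jump host  10.20.1.10
#   application tier      10.20.2.0/24
#   SIEM / syslog target  10.20.1.20   (UDP 514)
#   database dependency   10.20.3.5    (TCP 5432)
flush ruleset

table inet legacy_host {
    chain input {
        type filter hook input priority 0; policy drop;

        # keep replies to our own connections and loopback working
        ct state established,related accept
        iif "lo" accept

        # weak, flat-network version would be:  tcp dport 22 accept
        # isolation: only the jump host may administer this system
        ip saddr 10.20.1.10 tcp dport 22 accept

        # isolation: only the application tier may reach the legacy service
        ip saddr 10.20.2.0/24 tcp dport 8443 accept

        # enhanced monitoring: log every other probe (rate limited so a
        # scan cannot flood the collector), then let the drop policy apply
        limit rate 10/second log prefix "LEGACY-IN-DROP " level warn
        counter drop
    }

    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept
        oif "lo" accept

        # egress allowlist: the host may only talk to what the service needs,
        # which also denies a foothold here any route to command-and-control
        ip daddr 10.20.1.20 udp dport 514 accept
        ip daddr 10.20.3.5 tcp dport 5432 accept

        limit rate 10/second log prefix "LEGACY-OUT-DROP " level warn
        counter drop
    }
}
```

The two halves of the compensating control are visible in the rules: the allowlists with a default drop policy reduce the likelihood that the unpatched vulnerability can be reached at all, and the log prefixes give the SIEM a distinctive string to alert on, so any attempt to reach the host from outside the allowlist becomes a detection event rather than a silent probe.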

Assessments & Defense-in-Depth

Defense-in-Depth: The Layered Approach

Defense-in-Depth is a core cybersecurity strategy that acknowledges that no single control is perfect. It involves implementing multiple, overlapping layers of different security controls throughout the infrastructure.

The goal is to create a resilient defense where if an attacker bypasses one layer, they will still be stopped by subsequent layers. A robust strategy combines various categories (Technical, Managerial, etc.) and types (Preventive, Detective, etc.) of controls to protect critical assets from diverse threats.

Security Control Assessments

Assessments are systematic evaluations used to verify the effectiveness of security controls and identify weaknesses. Regular assessments are crucial for maintaining a strong security posture.

  • Risk Assessment: A high-level process to identify, analyze, and prioritize potential risks to the organization. It helps determine where to focus security efforts and resources.
  • Vulnerability Assessment: A technical process that uses scanning tools (like Nessus) to identify known vulnerabilities and misconfigurations in systems and applications. Authenticated (credentialed) scans see missing patches and local misconfigurations that an unauthenticated network scan cannot. It answers the question, "What are our weaknesses?"
  • Penetration Testing (Ethical Hacking): A simulated, authorized, real-world attack on an organization's defenses within an agreed scope. Testers actively try to exploit vulnerabilities to determine the real-world effectiveness of existing controls. It answers the question, "Can an attacker get in, and what can they do?"
