Security Controls
Security risks are out there
– Many different categories and types to consider
* Assets are also varied
– Data, physical property, computer systems
* Prevent security events, minimize the impact,
and limit the damage
– Security controls
Control Categories
- Technical controls
– Controls implemented using systems
– Operating system controls
– Firewalls, anti-virus - Managerial controls
– Administrative controls associated with security design
and implementation
– Security policies, standard operating procedures - Operational controls
– Controls implemented by people instead of systems
– Security guards, awareness programs - Physical controls
– Limit physical access
– Guard shack
– Fences, locks
Preventive control type
Preventive
Prevent the problem from ocurring in the first place
– Block access to a resource
– You shall not pass
* Prevent access
– Firewall rules
– Follow security policy
– Guard shack checks all identification
– Enable door locks
Deterrent control types
- Deterrent
– Discourage an intrusion attempt
– Does not directly prevent access - Make an attacker think twice
– Application splash screens
– Threat of demotion
– Front reception desk
– Posted warning signs
Detective Control Type
- Detective
– Identify and log an intrusion attempt
– May not prevent access - Find the issue
– Collect and review system logs
– Review login reports
– Regularly patrol the property
– Enable motion detectors
Corrective Control Type
Corrective
– Apply a control after an event has been detected
– Reverse the impact of an event
– Continue operating with minimal downtime
* Correct the problem
– Restoring from backups can mitigate a ransomware
infection
– Create policies for reporting security issues
– Contact law enforcement to manage criminal activity
– Use a fire extinguisher
Compensating Control Type
Control using other means
– Existing controls aren’t sufficient
– May be temporary
* Prevent the exploitation of a weakness
– Firewall blocks a specific application instead of
patching the app
– Implement a separation of duties
– Require simultaneous guard duties
– Generator used after power outage
Directive Control Type
- Directive
– Direct a subject towards security compliance
– A relatively weak security control - Do this, please
– Store all sensitive files in a protected folder
– Create compliance policies and procedures
– Train users on proper security policy
– Post a sign for “Authorized Personnel Only”
