Technical controls.
Controls that are operated using systems. Firewalls, Antivirus.
Managerial controls.
Administrative controls associated with security design & implementation. Security polices & standard operating procedures (SOP).
Operational controls
Use people for these. Security guards, Awareness programs,
Physical controls
Limiting physical access. guard shack, fences, badge readers
Preventive controls
Block access to a resource. Firewall rules, follow security policy, guard shack checks identifications, door locks on.
Deterrent controls.
Gives someone trying to access a resource second though or trouble. Splash screens, threat of demotion, posted warning signs, front reception desk.
Detective control
Identifies and logs an intrusion attempt. May not prevent access. Reviews system logs, enable motion detectors, review login reports.
Corrective control
Applies after an event has occurred. Can sometimes reverse the effect of the event. Continue operating with minimal downtime. Correct the problem by restoring backups that can mitigate a ransomware infection, create policies for security issues, contact law enforcement or use a fire extinguisher.
Compensating control
Control using other means for security event. Can be use don temp basis to resolve. Prevent the exploitation of a weakness. Firewall blocks an application instead of patching it. implement separation of duties, require simultaneous guard duties, generator used after power outage.
Directive control type
Relatively weak control cause your directing someone toward security compliance. Store all sensitive files in a protected folder, create compliance policy and procedures, train users on correct policy, makes “authorized users only” sign.
how are security controls managed?
There are many categories of control some that some companies will combine. New control types are created. Each org will use different controls.
-
Security controls 1.111
-
Preventive Control types (1.1)4
-
Deterrent control types (1.14
-
Detective control types (1.1)4
-
Corrective control (1.1)4
-
Compensating control (1.1)4
-
Directive control type (1.1)4
-
CIA Triad 1.24
-
Confidentiality (1.2)4
-
Integrity (1.2)5
-
Availability (1.2)4
-
Non repudiation (1.2)5
-
Acronyms324
-
Authentication, Authorization, & Accounting 1.27
-
Gap Analysis 1.25
-
Zero Trust 1.28
-
Physical Security 1.27
-
1.2 Deception & Disruption4
-
Change management steps 1.39
-
Technical change management steps 1.39
-
Public Key Infrastructure 1.46
-
Encrypting data 1.410
-
Key Exchange 1.46
-
Encryption technologies 1.47
-
Obfuscation 1.47
-
Hashing & digital signatures 1.49
-
Blockchain technology 1.42
-
Certificates 1.412
-
2.1 Threat Actors15
-
2.2 Common Threat Vectors13
-
2.2 Phishing4
-
Impersonation 2.26
-
Watering Hole Attacks 2.24
-
Other Social engineering attacks (2.2)3
-
Memory Injections 2.33
-
Buffer Overflows 2.31
-
Race Conditions 2.33
-
Malicious Updates 2.33
-
2.3 Operating system vulnerabilities3
-
2.3 SQL Injection4
-
2.3 Cross Site Scripting7
-
2.3 Hardware Vulnerabilities4
-
2.3 Virtualization Vulnerabilities4
-
2.3 Cloud specific Vulnerabilities.3
-
Supply chain vulnerabilities 2.37
-
Misconfiguration vulnerabilities 2.35
-
Mobile device vulnerabilities 2.34
-
Zero-day vulnerabilities 2.33
-
An overview of Malware 2.46
-
2.4 Viruses and worms5
-
2.4 Spyware and Bloatware5
-
2.4 Other Malware Types6
-
2.4 Physical attacks4
-
2.4 Denial of Service4
-
2.4 DNS attacks4
-
2.4 Wireless Attacks5
-
2.4 On Path Attacks2
-
2.4 Replay attacks6
-
2.4 Malicious Code3
-
2.4 Application attacks11
-
2.4 Cryptographic Attacks5
-
2.4 Password attacks6
-
2.4 Indicators of compromise9
-
2.5 Segmentation and Access Control3
-
2.5 Mitigation techniques6
-
2.5 Hardening techniques9
-
3.1 Cloud Infrastructure6
-
3.1 Network Infrastructure concepts4
-
3.1 other Infrastructure concepts10
-
3.1 Infrastructure Considerations12
-
3.2 Secure Infrastructures5
-
3.2 Intrusion prevention5
-
3.2 Network appliances10
-
3.2 Port Security4
-
3.2 Firewall Types6
-
3.2 Secure communication11
-
3.3 Data types and classifications3
-
3.3 States of Data5
-
3.3 Protecting data9
-
3.4 Resiliency11
-
3.4 Capacity planning4
-
3.4 Recovery Testing5
-
3.4 Backups8
-
3.4 Power resiliency3
-
4.1 Secure Baselines4
-
4.1 Hardening targets10
-
4.1 Securing wireless & Mobile8
-
4.1 Wireless Security settings11
-
4.1 Application Security7
-
4.2 Asset management6
-
4.3 Vulnerability scanning5
-
4.3 Threat intelligence5
-
4.3 Penetration testing5
-
4.3 Analyzing Vulnerabilities9
-
4.3 Vulnerability remediation9
-
4.4 Security monitoring8
-
4.4 Security tools11
-
4.5 Firewalls6
-
4.5 Web filtering8
-
4.5 Operating system security3
-
4.5 Secure Protocols5
-
4.5 email security5
-
4.5 Monitoring data7
-
4.5 Endpoint Security8
-
4.6 Identity and Access Management10
-
4.6 Access controls8
-
4.6 Multifactor Authentication7
-
4.6 Password Security7
-
4.7 Scripting and automation4
-
4.8 Incident response10
-
4.8 Incident planning5
-
4.8 Digital Forensics7
-
4.9 Log data12
-
5.1 Security policies10
-
5.1 Security Standards5
-
5.1 Security procedures7
-
5.1 Security considerations4
-
5.1 Data roles & Responsibilities2
-
5.2 Risk Management4
-
5.2 Risk Analysis6
-
5.2 Risk Management Strategies2
-
5.2 Business impact analysis1
-
5.3 Third Party Assessment10
-
5.3 Agreement types2
-
5.4 Compliance7
-
5.4 privacy6
-
5.5 Audits and Assessments3
-
5.5 Penetration tests6
-
5.6 Security Awareness5
-
5.6 User training2
-
1.1 Compare and contrast types of secuirty controls1
