Control Design

Video Activity

Course time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
Our last section, we talked about cost-benefit analysis, we talked about return on investment, and we know that we want a control to be implemented that's going to give us more bang for the buck, basically. We also have to realize that often a single control is not going to provide enough mitigation, so when we're talking about designing controls, we may have to think about layer after layer after layer. Then we also want to consider control risk or secondary risk, because we know that sometimes when we implement the control, it could wind up causing problems down the line that could actually even be larger problems than the risk we set off to mitigate.

In this control design section, we want to talk about the need for defense in depth and layered defense. The idea, like I just said a minute ago, is that one singular control may not mitigate risks enough, so what do I do? I add another control, perhaps another control, ultimately until I get to the point where the residual risk is acceptable.

Now, there are different types, different functions of controls. Well, the first thing I want to mention is that controls are either proactive or reactive. It's not that one is necessarily better than the other; we need both. When we talk about proactive controls, we sometimes refer to these as safeguards, so we'll safeguard a resource. We put some control in place to reduce the risk. We want to, if possible, prevent the risk event from happening in the first place. But we also know that no controls are 100 percent effective, so we have reactive controls in place. Those reactive controls are what we implement if the risk materializes anyway. It's really going to be a combination of both that gives us the best protection.

Now, I also want to mention that rarely are you going to walk into an organization where they have absolutely no controls in place; that just doesn't happen. As we come in and we're maybe being asked to assess the current environment or to recommend a strategy for improving security, we start with current state. We look at the controls that we currently have in place, and we look at the residual risks with these current controls, and we determine, is that residual risk acceptable? When it's not, that's when we continue on. We analyze the residual risk since it's not acceptable: what controls can we put in place that'll have the highest benefit-to-cost ratio?

Secondary risk, I've already mentioned. This is the risk that happens when you implement a risk response. For instance, in this example, some form of access control system, maybe we're introducing a new multi-factor authentication system. Now, the good thing is that ideally it is going to lessen the likelihood that we have unauthorized users accessing a resource. The downside is that with multi-factor, that's one more thing for a user to lose or forget. That's one more thing to fail. Firewalls: the pro of a firewall is you can limit traffic. The downside of a firewall is you can limit traffic. If we don't have proper configurations, if we don't play the tape forward enough to think about, okay, now I'm going to implement this, what are the downsides? What could happen as a result of the change that I make? We have to make sure we consider secondary risks when we implement risk responses.

Now, there are various control groups, groups of controls that we want to look at. Again, the idea here is having a balanced, layered response. Again, it's not one over the other; they're all important. We tend to overlook physical security, and quite honestly, we don't talk much about physical security in this course. But out of all the technical controls you can put in place and all the policies, procedures, standards, and guidelines, if I can walk into your server room and walk right out with your server underneath my arm, a lot of those controls are irrelevant now, so we can't overlook physical security. But we do tend to think of security in three categories. We have our technical controls, our physical controls, and managerial or administrative controls.

Now, our technical controls can also be referred to as logical controls. I don't know which one you would see on the exam, but you could see either. These are the controls that we put in place to protect our digital assets: firewalls, encryption, access control lists, authentication methods. I could go on and on and on about the different types of technical controls, but these tend to be the things that we think about in IT. Physical controls: lock your doors, security guards, restricting access to sensitive areas, man traps which prevent piggybacking, one employee coming in on another's card swipe. Then your managerial controls: policies, procedures, standards, guidelines. Those have to be in place. As a matter of fact, you really have to have the managerial controls in place before you can even think about technical or physical controls. They all come together. It's not one rather than the other, like I've said; it's a well-rounded approach to security.

Now, in addition to the different categories of control, we also want to think about different functions of control as well. Now, on this slide, before we move forward, I've gone just a little bit more in depth into each of the control types, admin, technical, and physical, giving you some examples, just in case you want to make sure that you understand them; you can always do a screenshot here.

Now, we've got those three categories of controls. Let's talk about the functions of controls. What do the controls actually do? What type of control are they? Well, you can see over on the left side in our column: directive, deterrent, preventive, detective, corrective, recovery, and compensating. These are the seven functions of control, and I would be familiar with each of these. Also realize that within the categories, you have all seven functions. In managerial you can have directive, deterrent, preventive, detective, corrective, recovery, compensating. Same thing with technical and physical. I've tried to give you a good example.

Also, keep in mind that controls often fall in more than one category. Like, for instance, if you think about a security guard: a security guard deters crime, he can also prevent crime, he can also detect that a crime has happened, recover lost property or lost merchandise from a thief. A security guard could fall in multiple categories, as lots can, so I don't want you to get too tied up in, well, what is this? Couldn't it also be a deterrent and a directive? Sure. That no trespassing sign that we see under physical directive, that's also a deterrent. Don't get too worried about that; they're not going to put you in a situation where you really have to split hairs on where it's going to go.

Most of these should be fairly self-explanatory. Deterrent and preventive are your proactive controls. Those are the two that are proactive. Deterrent will discourage an attack; preventive will stop an attacker, even if it's just temporarily. Preventive will stop someone. Whereas a deterrent might be a "Beware of Dogs" sign, a preventive control would be a fence. Now, you can compromise a fence. You can climb a fence or cut a fence, but it will stop you temporarily. So, deterrent and preventive. A well-lit facility is a deterrent. Door locks, fences, encryption, those are preventive. But they're both proactive. They would both be considered safeguards.

Now, in the reactive category, we have detective and corrective. Really, detective, corrective, and recovery. Detective means we want to discover that there has been a loss. Corrective is we want to fix the problem that allowed the loss, and then recovery, we want our assets back. For instance, an intrusion detection system detects that there's malware on the network. We're going to correct that problem, maybe by removing the impacted network from the rest of the network; we're going to pull them off the switch, we're going to isolate them. Then, so that malware is no longer spreading throughout the network, that's great, but we've got to get our data recovered, and we have data backups that we can restore from. Detective, corrective, and recovery are countermeasures; they are after the fact.

Then, last but not least, is compensating. Compensating controls are your plan B. Maybe your first choice of control isn't available. For instance, I wanted a security guard to protect my home, but that's too expensive, so I get a guard dog. That's a compensating control. Turns out I can't even afford a guard dog, so I buy a pug. That's definitely compensating. Plan A isn't available; I have to choose other options for whatever reason. It can also be additional controls when the control that you had primarily isn't enough. Here I am with an attack pug; well, I better make sure that I have a fence. I want a motion detector, lighting, I want a home alarm. I'm going to have to add a lot of compensating controls if my primary control is the attack pug. Let me tell you, if you knew this pug, you would understand why. This is the type of dog that, when you come into the house, comes in and says, "Hi, I'm so glad you're here, let me show you where all the valuables are." Not great defense, so add some compensating controls so residual risk is at the degree that's acceptable by senior management.

Our three categories, the various functions in which they can operate. Take a little bit of time and review this chart and make sure you're comfortable with where things are. I can see them asking something like, CCTV is what type of control? Well, CCTV is inherently a detective control. It's used after the fact to correlate events. There's been a robbery at the bank; we go back and we look at the CCTV recording and see what happened. Or they could ask you, the conspicuous placement of CCTV is what type of control? Well, we place it in a very conspicuous part so that people know we're recording; that's a deterrent. Or they could say something like, the CCTV camera in the parking lot no longer works, however your supervisor has asked that you leave it up; what type of control will the supervisor be implementing? That's a deterrent. It doesn't work, but it is there to put the thought in people's heads. That's a deterrent control.