Hello, everyone. This is instructor Gerry Roberts, and this is risk policies and security controls.
In this video, we're going to learn about what security controls are, the different types of controls, and security control functionalities. And we're going to provide some examples of security controls by type and functionality.
First, what are security controls?
Security controls are countermeasures put in place to mitigate or avoid a risk; pretty much, you're trying to control whether or not a risk will impact you.
An example of this would be a fence that's put around a data center to try to prevent physical access.
Now, there are several types of controls that you should be aware of.
First of all, administrative controls. These are considered soft controls because they're administrative in nature, and they include things like risk management documentation, security documentation, and training. A lot of the things you'll find in administration or HR would be considered administrative controls.
Then you have physical controls. Physical controls are physical access controls. Usually they're things like fences, mantraps, and guards: things that prevent someone from being able to physically access your facility or the equipment in your facility.
Lastly, you have technical controls. These are logical controls you can put in place to protect your information systems. These are things like firewalls, intrusion detection systems, and intrusion prevention systems.
Now, functionality of controls. Security controls serve several different functions.
First, we have preventative controls. These are controls that try to stop a risk from ever being realized.
Then you have detective controls, which are controls that detect that an attack or a violation has happened, and possibly identify the attacker.
Corrective controls are controls that correct an issue after the fact. So that would be the case where, okay, the attack already happened, we know why the attack happened, let's correct the weakness that allowed the attack so it doesn't happen again.
Deterrent controls are meant to discourage an attacker. So that might be a large fence with barbed wire at the top, or something like that, where the attacker looks at it and decides it's just not worth getting into.
Recovery controls are controls that bring an environment back up after an attack. So that could be your backups and things like that: you can go and do a restore from a backup and bring everything back to the state it should be in.
Compensating controls are controls that compensate for a vulnerability; they're an alternative measure. So in some cases, instead of doing the thing that prevents the risk, you might have to find a workaround, and that workaround is considered a compensating control because you're compensating for the issue, but you're still trying to mitigate the risk.
Now some examples of security controls by type and function.
First, preventative controls. So for physical, those might be locks, a badge system, or a security guard: things that try to prevent you from physically being able to get in. Preventative for administrative might be a security policy or separation of duties. Technical or logical might be access control lists, encryption, and antivirus.
Detective controls could be a number of things. Physically, they could be motion detectors or cameras: things that detect whether a person or thing is in a place it shouldn't be. Administrative might be employee monitoring. It might be the supervisor going around and double-checking that things are good, so that when he walks around, he can detect an issue. Technical or logical detective controls might be things like audit logs and intrusion detection systems: things that can detect that an issue has happened in the information systems.
Corrective controls
Physical might be a repair. So say, for example, somebody rammed your guard gate with a large truck. Well, it already happened, but we can go back and repair the place where the truck rammed it, and actually make it a little bit better, so if somebody tries that again, they can't get in.
Administrative might be corrective actions such as write-ups, which can go all the way up to people being fired. And I have seen that before, where people just completely ignored security policies and caused issues for the company, so the company let them go.
Technical or logical corrective controls might be server images. So you might have an image of the server. So, oops, an attack happened, everything's damaged; let's wipe what we have and put it back using an image we already have. Just make sure the image is from before the compromise, and that you've fixed whatever let the attacker in first; otherwise they'll come right back in the same way.
Again, deterrent is trying to prevent the person from coming in by making it so they don't want to come in.
Physical might be things like fences, lighting, and warning signs. If it's lit up pretty brightly, they're not going to want to come in, because you're definitely going to see them. Warning signs sometimes say, hey, look, you're going to be prosecuted if you come in here, and some people might see that as a reason not to go forward.
Administrative might be the threat of corrective action. So if somebody knows that, based on the policy, they can't do this thing, and if they do this thing they're going to get written up, they might be less likely to take an action they shouldn't.
Technical or logical could be things like system messages or warning messages. There's actually a story about this. A few years ago, a guy got into a company's system. The company took him to court to try to press criminal charges. The guy said, hey, your landing page said "Welcome to the company." I thought I was allowed in, because it said welcome. So after that, the judge was like, well, he's not wrong, and the guy actually won his case using that argument. So it's changed. Your messages for your different systems, on your landing pages, in your Cisco routers, in your web servers, on your servers and things like that, should say something like, hey, authorized users only. And those warning messages are sometimes enough for somebody to say, oh, wait, I'm in the wrong spot, I shouldn't go there.
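Here is what that warning message looks like on a server, as an added example that is not part of the course: a small POSIX shell script that installs a pre-authentication banner for an OpenSSH server and a check you can run afterwards to confirm exactly one Banner directive is active. The banner wording, the file paths and the way the script handles existing directives are assumptions for illustration; have your legal team approve the actual wording before you deploy it.

```shell
#!/bin/sh
# Added example, not course material: a technical deterrent control, the
# pre-authentication warning banner for an OpenSSH server. Banner text, paths
# and directive handling are assumptions chosen for illustration.

BANNER_TEXT='WARNING: This system is for authorized users only.
All activity may be monitored and recorded. Unauthorized access or use is
prohibited and may be subject to criminal and civil penalties.'

# install_ssh_banner BANNER_FILE SSHD_CONFIG
#   Writes the banner text to BANNER_FILE (normally /etc/issue.net) and makes
#   SSHD_CONFIG (normally /etc/ssh/sshd_config) reference it with a single
#   "Banner" directive, replacing any existing active or commented-out one.
install_ssh_banner() {
  banner_file=$1
  sshd_config=$2
  tmp="$sshd_config.tmp.$$"

  printf '%s\n' "$BANNER_TEXT" > "$banner_file"

  # Keep every line except Banner directives (including "#Banner none" stubs).
  # grep -v exits 1 when nothing is left to print, which is fine here.
  if [ -f "$sshd_config" ]; then
    grep -v -E '^[[:space:]]*#?[[:space:]]*Banner([[:space:]]|$)' "$sshd_config" > "$tmp" || true
  else
    : > "$tmp"
  fi
  printf 'Banner %s\n' "$banner_file" >> "$tmp"
  mv "$tmp" "$sshd_config"
}

# check_ssh_banner BANNER_FILE SSHD_CONFIG
#   Succeeds only if the banner file is non-empty and the config has exactly
#   one active Banner line pointing at it (a second line would make the
#   comparison fail because $active would contain a newline). Use it as a
#   compliance check after installation.
check_ssh_banner() {
  banner_file=$1
  sshd_config=$2
  [ -s "$banner_file" ] || return 1
  active=$(grep -E '^Banner[[:space:]]' "$sshd_config" | awk '{print $2}')
  [ "$active" = "$banner_file" ]
}

# Typical use on a real host (then validate with 'sshd -t' and reload sshd):
#   install_ssh_banner /etc/issue.net /etc/ssh/sshd_config
#   check_ssh_banner   /etc/issue.net /etc/ssh/sshd_config && echo "banner OK"
```

The same idea on a Cisco IOS device is the banner login text shown before the password prompt, and on a web application it is the notice on the login page itself; the point in every case is that the user sees the warning before they authenticate, not after a friendly "Welcome".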
Recovery is where something's happened, and we're trying to get back to normal status.
Physically, it might be an offsite facility, and you have several different types of offsite facilities. You have cold sites, which would be just a location you can go to, but you have to rebuild everything to get it up and running. You have a warm site, where some of the stuff is there but not everything, and you'd still have to do some things to get it up and running; but because some things are already there, it's going to take less time than a cold site. And then you have a hot site, where it's all ready to go. You basically have to go there and, like a flick of a switch, you'll be able to get back up and running.
Administrative recovery: usually you have a disaster recovery team, or a team that helps handle putting things back together.
Technical: backups. Backups are huge. One of the things with backups that you want to do is make sure that you have copies of your backups in a secure location, and that you've actually tested restoring from them; otherwise, the backups might not do you any good. A great example of this: Sandy came through New York and flooded every basement in New York. Guess where people stored their backups. So make sure your backups are stored in a secure facility somewhere else.
Compensating controls are controls that are meant to help you still mitigate a risk if you can't do the thing that actually gets rid of the risk. So, for example, physically, maybe you have a badged entry in lieu of a guard. One of the facilities I've worked at had this on their parking garage: only authorized users are allowed in the parking garage, but they don't have a guard; they have a badged entry instead.
Administrative: you might send out some security do's and don'ts emails in lieu of security awareness training. Obviously, you want your security awareness training, but if you can at least get some information out to your employees, you might be able to help them and prevent some issues.
Technical or logical: you might use host-based IDS, or HIDS, in lieu of network-based intrusion detection. So in some cases it's not feasible to put intrusion detection on the network, so you might put it on the hosts instead. Now, at that point, if it's gotten to the host, you're probably not in a very good situation, but at least you'll have that control in place, so that if something does happen, you'll be able to detect it.
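To make the host-based detection concrete, and to show the audit logs mentioned earlier under detective technical controls doing real work, here is an added example that is not part of the course: a POSIX shell script that reads auth.log-style sshd records, counts failed password attempts per source address, and raises an alert for any source at or above a threshold. The log lines are constructed for the example, and the threshold and output format are assumptions.

```shell
#!/bin/sh
# Added example, not course material: a technical detective control built
# from audit logs alone, the kind of host-based detection you can fall back
# on when a network IDS is not an option. The records below are constructed
# for the example; the "from IP" field is what sshd actually logs.

SAMPLE_AUTH_LOG='Mar  3 10:01:12 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 10:01:15 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51013 ssh2
Mar  3 10:01:19 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51014 ssh2
Mar  3 10:01:22 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51015 ssh2
Mar  3 10:01:30 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 51016 ssh2
Mar  3 10:02:01 web1 sshd[2140]: Failed password for alice from 198.51.100.4 port 40022 ssh2
Mar  3 10:02:40 web1 sshd[2150]: Accepted publickey for alice from 198.51.100.4 port 40023 ssh2'

# failed_logins_by_source < auth.log
#   Emits "COUNT IP" for every source address with at least one failed
#   password attempt, highest count first. Only sshd "Failed password"
#   records count; the accepted login is ignored.
failed_logins_by_source() {
  awk '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) print fails[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# brute_force_alerts THRESHOLD < auth.log
#   Prints one ALERT line per source at or above THRESHOLD. Returns 0 when
#   something was flagged and 1 when the log is clean, so a cron job or
#   systemd timer can act on the exit status.
brute_force_alerts() {
  threshold=$1
  hits=$(failed_logins_by_source | awk -v t="$threshold" '$1 >= t')
  [ -n "$hits" ] || return 1
  printf '%s\n' "$hits" | while read -r count ip; do
    printf 'ALERT: %s failed SSH logins from %s\n' "$count" "$ip"
  done
  return 0
}

# Typical use on a host: brute_force_alerts 5 < /var/log/auth.log
```

A production version would window the counts by time rather than over the whole file, since five failures spread over a month mean something different from five in twenty seconds, but the shape is the same: the log is the evidence, and the control is whatever reads it and tells a human.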
All right, so time for a post-assessment question. Which of the following is a detective control?
A. A security policy
B. Security cameras
C. ACLs
D. A backup
I'll give you a few moments to figure that out, and then we'll come back to the answer. As usual, you may pause if you'd like to.
The answer is B, security cameras. Security cameras help you detect when someone or something is in an area it's not supposed to be. So that could be, for example, an employee who has walked into the accounting area when they're not an accounting employee, or it could be that somebody left a weird package in the parking garage; because we have cameras, we're able to see that and call the proper authorities.