Time
44 minutes
Difficulty
Intermediate
CEU/CPE
1

Video Transcription

00:03
Hello, everyone. This is instructor Gerry Roberts, and this is risk policies and security controls.
00:08
In this video, we're gonna learn about what security controls are
00:12
the different types of controls
00:15
security control functionalities.
00:17
And we're gonna provide some examples of security controls by functionality and type.
00:22
First, what are security controls?
00:25
Security controls are countermeasures put in place to mitigate or avoid a risk, pretty much trying to control whether or not a risk will impact you.
00:35
An example of this would be a fence that is put around a data center to try to prevent physical access.
00:42
Now there are several types of controls that you should be aware of
00:47
first of all, administrative controls.
00:50
These are considered soft controls because they're administrative in nature,
00:55
and they include things like risk management documentation, security documentation, training. A lot of things that you'll find in administration or HR would be considered an administrative control.
01:07
Then you have physical controls,
01:11
physical controls are physical access controls.
01:14
Usually they're things like fences, mantraps, guards, things that prevent someone from being able to physically access your facility or the equipment in your facility.
01:25
Lastly, you have technical controls,
01:27
these are logical controls you can put in place to protect your information systems.
01:33
These are things like firewalls,
01:34
intrusion detection systems, intrusion prevention systems
01:38
and encryption.
01:41
Now functionality of controls.
01:44
So security controls serve several different functionalities.
01:48
First, we have preventative controls. These are controls that prevent a risk from ever happening.
01:55
Then you have detective controls, which are controls that detect a risk and possibly the attacker.
02:02
Corrective controls
02:05
these are controls that correct an issue after the fact.
02:08
So that would be in the case: okay, the attack already happened. We know why the attack happened. Let's correct the reason for the attack so it doesn't happen again.
02:19
Deterrent controls.
02:21
These are meant to try to discourage an attacker.
02:24
So that would be maybe a large fence with barbed wire at the top or something like that, where the attacker is looking at that and maybe it's just not worth getting into that
02:38
recovery controls
02:38
these are controls that bring an environment back up after an attack.
02:44
So that could be
02:46
your backups and things like that, and you can go and do a recovery from a backup and bring everything
02:53
back to the state that it should be
02:55
compensating
02:57
these are controls that compensate for vulnerabilities. It's an alternative approach measure.
03:04
So in some cases, instead of doing the thing that prevents the risk, you might have to find a workaround. And that workaround is considered a compensation because you're compensating for the issue. But you're still trying
03:16
to mitigate the risk.
03:20
Some examples of security controls by type and function
03:23
first about preventative controls.
03:25
Civil. Those for physical might be like locks, a badge system, a security guard.
03:31
These are things that try to prevent you from physically being able to get in.
03:36
Preventative for administration might be a security policy, separation of duties
03:42
and testing,
03:44
technical or logical
03:46
might be access control lists, encryption and antiviruses.
03:52
Now, detective
03:54
detective controls could be a number of things. Physically, they could be like motion detectors, cameras,
04:00
things that detect whether or not a person or thing is in a place it shouldn't be.
04:06
Administration might be employee monitoring.
04:10
It might be the supervisor going around and double checking and making sure things are good.
04:15
So that way, when he walks around, he can detect an issue.
04:17
Technical or logical detective controls might be things like audit logs,
04:24
intrusion detection systems,
04:26
things like that that can detect that an issue has happened in the information systems. Corrective controls
04:34
Physical might be a repair.
04:38
So say, for example, somebody rammed your guard gate with a large truck.
04:43
Well, it already happened, but we can go back and repair
04:47
that place that the truck rammed and actually make it a little bit better. So if somebody tries that again, they can't get it.
04:56
Administration might be corrective actions such as write ups that can actually go all the way up to people being fired. And I have seen that before,
05:05
where people just completely ignored security policies and caused issues for the company. So the company let him go
05:15
technical or a logical corrective issues might be server images,
05:19
so you might have an image of the server. So oops, attack happened. Everything's damaged. Let's wipe what we have and put it back in using an image we already have.
05:30
deterrence
05:31
again. Deterrent is trying to prevent the person from coming in by making it so they don't want to come in.
05:39
Physical things might be fences, lighting, warning signs.
05:44
If it's lit up pretty brightly, they're not gonna want to come in because you're definitely going to see them.
05:48
Ah, warning signs sometimes will say, "Hey, look, you're gonna be prosecuted if you come in here." And some people might see that as a reason not to go forward
05:58
administration
06:00
the threat of corrective action.
06:01
So if somebody knows that based on the policy, they can't do this thing and if they do this thing, they're gonna get written up,
06:10
they might be less likely to take an action which they should not.
06:15
Technical or logical,
06:17
this could be like system messages or warning messages. There's actually a story about this. A few years ago,
06:26
a, uh, a guy actually got into a company's system.
06:30
The company took him to court to try to press criminal charges.
06:34
Ah, the guy said,
06:36
"Hey, your landing page, it said, 'Welcome to the company.' I thought I was allowed in because it said it's welcome."
06:46
So after that,
06:47
Ah, the judge is like, well,
06:50
he's not wrong.
06:54
And the guy actually did win his case by using that argument. So
06:59
it's changed, so your messages for your different systems on your landing pages, like in your Cisco routers and in your web servers and in your servers and things like that,
07:12
should say something like, "Hey, authorized users only."
07:16
And those warning messages are sometimes enough for somebody to say, "Oh, wait, I'm in the wrong spot. I shouldn't go there."
07:24
Recovery
07:26
Recovery is where something's happened, and we're trying to get back to normal status
07:30
off physical.
07:32
It might be like an offsite facility, and you have several different types of offsite facilities. You have cold facilities, which would be just a location you can go to, but you have to rebuild everything. You get everything up and running.
07:46
You have a warm site where some of the stuff is there, but not everything. And you'd have to still do some things to get it up and running.
07:53
But because there's already some things there, it's gonna take less time than a cold.
07:57
And then you have hot site
07:59
where it's all ready to go. You basically have to go and, they say, like a flick of a switch, you'll be able to get back up and running.
08:07
Administration recovery. Usually you have, like a disaster recovery team, our team that helps handle putting things back together.
08:16
Technical: backups. Backups are huge. One of the things with backups that you want to do
08:24
is you want to make sure that you have copies of your backups in a secure
08:30
offsite facility.
08:31
Otherwise, the backups might not do you any good. Great example of this: Sandy came through New York, flooded every basement in New York.
08:41
Guess where people stored their backups. So make sure your backups are stored in a secure facility somewhere else,
08:50
compensating
08:50
these are controls that are meant to
08:54
help you still mitigate risk. If you can't do the thing that actually gets rid of the risk. So, for example,
09:03
physical.
09:03
Maybe you have a badged entry in lieu of a guard.
09:07
uh, one of the facilities I've worked at on their parking garage.
09:13
Only authorized users are allowed in the parking garage,
09:16
but they don't have a guard.
09:18
They have a badge entry instead. Administration.
09:22
You might send out some security do's and don'ts emails
09:26
in lieu of security awareness training. Obviously, you want your security awareness training,
09:31
but if you can at least get out some information to your employees, you might be able to help them and prevent some issues.
09:39
Technical or logical,
09:41
you might use host IDS or HIDS. Those are intrusion detection in lieu of network and host.
09:50
So in some cases it's not feasible to put intrusion detection on the network,
09:56
so you might put it on the hosts instead.
10:01
Now, at that point, if it's gotten to the host, you're probably not in a very good situation,
10:07
but at least you might be able to
10:11
have that control in place. So that way, if something does happen, you'll be able to detect it.
10:18
All right, so time for a post assessment question.
10:20
Which of the following is a detective control?
10:24
A security policy?
10:26
Security cameras?
10:28
ACLs
10:31
or a backup?
10:33
I'll give you a few moments to figure that out,
10:35
and then we'll come back to the answer.
10:37
As usual, you may pause if you'd like to.
10:43
The answer is B security cameras.
10:46
Yeah, security cameras help you detect when someone or something is in an area it's not supposed to be.
10:52
So that could be, for example,
10:54
an employee has walked into the accounting area when they're not an accounting employee,
11:01
or that could be somebody left a weird package in the parking garage, but because we have cameras, we're able to see that and call the proper authorities.

Fundamentals of Risk Policies and Security Controls

In this course, you'll learn the various controls that need to be put in place to ensure that the CIA triad of security is maintained while running a business. With threats expanding over time and more advanced attacks and data breaches being discovered, it is important for organizations to have proper security controls in place to ensure data safety.

Instructed By

Gerrianne Roberts
Professor, Network Engineering Technology
Instructor