Security controls play a fundamental role in shaping the actions cybersecurity professionals take to protect an organization. There are three main types of IT security controls: technical, administrative, and physical. A security control’s primary purpose can be preventive, detecting, corrective, compensatory, or deterrent.Controls are also used to protect people, as is the case with social engineering awareness training or policies. The lack of security controls compromises the confidentiality, integrity, and availability of information. These risks also extend to the safety of people and assets within an organization. In this article, I’m going to explain what a security check is and the differences between each type. Then I discuss the goals each control should achieve, with examples along the way. By the end, you will have a better understanding of the basic security controls in cybersecurity.
What is a security check?
Security controls are countermeasures or safeguards used to reduce the likelihood of a threat exploiting a vulnerability. For example, implementing company-wide security awareness training to minimise the risk of a social engineering attack on your network, people, and information systems Reducing risk is also known as “risk mitigation.” While it is nearly impossible to prevent all threats, mitigation attempts to reduce risk by reducing the likelihood of a threat exploiting a vulnerability. Risk mitigation is achieved by implementing different types of security controls, depending on:
- The purpose of the countermeasure or protection
- The level to which the risk should be minimized
- The severity of the damage the threat can cause
What are the purposes of security controls?
The overall goal of implementing security controls, as mentioned earlier, is to help mitigate risk in an organization. In other words, the primary purpose of implementing security controls is to prevent or mitigate the impact of a security incident. The effective execution of a security audit is based on its classification in relation to the security incident. The common classification types are listed below along with their corresponding descriptions:
- Preventive checks try to prevent an incident.
- Detective checks try to detect incidents after they occur.
- Corrective controls try to undo the impact of an incident.
- Deterrent controls try to discourage individuals from causing an incident.
- Compensatory controls are alternative controls used when a primary control is not feasible.
Implementing the mentioned controls is not a trivial matter. For example, an organisation that places a high priority on risk mitigation will typically have a risk profile that illustrates the potential cost of a risk with an adverse impact and the human resources required to implement the control(s).
Layered security controls
Layering is an approach that combines multiple security controls to develop a defense-in-depth strategy. Defense in depth is a common security strategy that implements multiple layers of control. Combining controls across multiple layers of security ensures that if one layer fails to fend off a threat, other layers will help prevent a breach of your systems. Each layer of security works to counter specific threats, requiring cybersecurity programmes to invest in multiple technologies and processes to avoid compromising systems or people. For example, endpoint detection and response solutions are great for preventing viruses and malware from infecting computers and servers. However, endpoint detection is not equipped to log and monitor traffic on a network like a SIEM or to detect and prevent an attack in real time like an IPS.
Understand the fundamentals of risk and threats.
Before we dive into control types, it’s important to first understand the cyber risks and threats they help mitigate.
Risks
Cybersecurity risk is the likelihood that a threat will exploit a vulnerability, resulting in a loss. Losses can harm information, cause financial loss, harm a company’s reputation, and even undermine customer trust.
Hazards
Threats are all events that can compromise the confidentiality, integrity, and availability (CIA) of information. Threats come from outside an organisation and from anywhere in the world that is connected to the Internet. Insiders, such as a disgruntled employee with too much access or a malicious insider, also pose a threat to companies. Note: Insider threats are not always malicious. For example, if an employee clicks on a phishing email that instals malware, it does not mean that the employee intended to cause harm. Finally, threats can also take the form of a natural disaster or be a man-made hazard, such as a new malware variant.
Vulnerabilities
Vulnerabilities are a weakness or flaw in software, hardware, or organisational processes that, when compromised by a threat, can lead to a security incident.
Security incidents
Security incidents are events that actually or potentially compromise the confidentiality, integrity, or availability of an information system or the information it processes, stores, or transmits, or that constitute a violation or an imminent threat of violation of any security policy, security procedure, or acceptable use policy. Now that we have a better understanding of basic risk concepts, let’s look at how security controls are implemented.
Technical security controls
At the most basic level, engineering checks, also known as logic checks, use technology to mitigate vulnerabilities in hardware and software. Automated software tools are installed and configured to protect these assets. Examples of technical checks are:
- Encryption
- Antivirus and antimalware software
- Firewalls
- Security Information and Event Management (SIEM)
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
Technical control types and implementation methods
Below are two common examples of technical control types:
- Access Control Lists (ACL) are network traffic filters that can control incoming or outgoing traffic. ACLs are commonly found in routers and firewalls, but they can be configured in any network device, from hosts to network devices to servers.
- Configuration Rules: Instruction codes that guide the execution of the system as information passes through it. Network equipment vendors have their own configuration rules that control the behaviour of their ACL objects.
Administrative security controls
Administrative security controls refer to policies, procedures, or guidelines that define personnel or business practises consistent with the organization’s security goals. Many organisations these days implement some kind of onboarding process to introduce you to the company and give you a history of the organization. During the onboarding process, you may be instructed to review and acknowledge the organization’s security policies. By acknowledging that you have read the organization’s new hire policies, you are responsible for complying with the organization’s corporate policies. To perform the administrative controls, additional security controls are necessary for continuous monitoring and enforcement. The processes that monitor and enforce administrative controls are:
- Management Controls: The security controls that focus on managing risk and the security of information systems
- Operational Controls: The security controls are primarily implemented and executed by humans (as opposed to systems).
For example, a security policy is a management control, but the security requirements are implemented by people (operational controls) and systems (technical controls). An organisation may have an acceptable use policy that specifies user behavior, including not visiting malicious websites. The security control to monitor and enforce can be in the form of a web content filter, which can enforce the policy and log at the same time. Recovery from a phishing attack is another example that uses a combination of administrative and operational checks. Security measures to help deter phishing include, in addition to the management control of the acceptable use policy itself, operational controls, such as training users not to fall for phishing attacks, and technical controls that monitor email and website usage for signs of phishing activity.
Physical security controls
Physical controls are the implementation of security measures in a defined structure used to deter or prevent unauthorised access to sensitive material. Examples of physical checks are:
- Closed-circuit surveillance cameras
- Motion or thermal alarm systems
- Guards
- Photo-ID’s
- Locked steel doors with a deadbolt
- Biometrics (including fingerprints, voice, face, iris, handwriting, and other automated methods used to identify individuals)
Preventive checks
Examples of preventive checks are:
- Hardening
- Security awareness training
- Guards
- Change management
- Policy on Account Disablement
Hardening
is the process of reducing security exposure and tightening security controls.
Security awareness training
The process of providing formal cybersecurity education to your workforce about a variety of information security threats and your company’s policies and procedures for addressing them
Guards
A person employed by a public or private party to protect an organization’s assets Security guards are often positioned as the first line of defence for businesses against external threats, intrusions, and vulnerabilities to the property and occupants.
Change management
The methods and ways in which a company describes and implements change within both its internal and external processes This includes preparing and supporting employees, identifying necessary steps for change, and monitoring activities before and after the change to ensure successful implementation.
Policy on Account Disablement
a policy that defines what to do with user access accounts for employees who leave voluntarily, with immediate termination, or on leave.
Detective controles
Examples of detective checks are:
- Log monitoring
- SIEM
- trend analysis
- Security audits
- Video surveillance
- Motion detection
Log monitoring
Log monitoring is a diagnostic method used to analyse real-time events or stored data to ensure application availability and assess the impact of a change in an application’s performance state.
SIEM
Security Information and Event Management (SIEM) is a set of tools and services that provides a holistic view of an organization’s information security through operational logs from various systems.
trend analysis
The practise of collecting information and trying to identify a pattern in the information gathered from an application’s log output The output of the trend analysis is usually in graph or tabular form.
Security audit
a measurement that focuses on cyber security standards, guidelines, and procedures, as well as the implementation of these checks. The security audit is usually performed by trained external entities or by internal resources in preparation for an external audit.
Camera surveillance
a system that can capture digital images and videos that can be compressed, stored, or transmitted over communications networks for on-site or remote monitoring.
Motion detection
a device that uses a sensor to detect nearby motion. Such a device is often integrated as part of a surveillance system that automatically performs a task or alerts a surveillance analyst when motion is detected.
Corrective checks
Examples of corrective actions are:
- IPS
- Backup and System Restore
IPS
a network security technology that monitors network traffic to detect anomalies in traffic flow. IPS security systems intercept network traffic and can quickly prevent malicious activity by dropping packets or resetting connections.
Backup and System Restore
Backup and system recovery is the process of making and storing copies of data that can be used to protect organisations against data loss.
Deterrent controls
Deterrent controls reduce the likelihood of a deliberate attack and usually take the form of a tangible object or person. Examples of deterrent checks are:
- Cable locks
- Hardware locks
- Video surveillance and security guards
What is the difference between preventive and detective checks?
A preemptive check is designed to be implemented prior to a threat event to reduce and/or avoid the likelihood and potential impact of a successful threat event. A detective check is designed to detect errors and pinpoint attacks on information systems that have already occurred. The routine analysis of the detection check output provides input to further improve the preventive check. The goal of continuous analysis is to prevent errors and irregularities in the first place.
Compensatory controls
An alternative method was introduced to meet the requirement for a security measure that cannot be easily implemented due to financial reasons, infrastructure, or is simply impractical to implement at this time. The compensatory check must meet the following criteria:
- Meet the intent of the original audit requirement.
- Provide a comparable level of security.
Examples of compensatory measures are:
- time-based one-time password (TOTP): A temporary passcode is generated by an algorithm that uses the current time of day as one of the authentication factors. Providing a new employee with a TOTP until the authentication is fully delivered is an example of a compensating check.
- Encryption: database security applications, email encryption, and other tools An organisation cannot encrypt all electronic data in a PCI assessment. To compensate, they can use other existing tools to implement encryption.
Conduct a security assessment.
A security control assessment is a critical component of measuring the health and performance of an organization’s security controls. Note the following definition of the security control assessment: testing and/or evaluating the management, operational, and technical security controls in an information system to determine the extent to which the controls are properly implemented, operating as intended, and delivering the desired result in terms of meeting the system’s security requirements. Security control testing is a critical part of the overall management of an organization’s information security management system. Depending on the type of organization, legal requirements mandate consistent and continuous reviews, while non-public organisations are not bound by legal requirements. Today, it is not only a good practise to check security controls but also a necessary requirement to keep systems safe and free from the target of hackers, who try to penetrate any network with weak perimeter and internal security.
General security ratings
Examples of security ratings are:
- Risk assessment
- Vulnerability assessment
- Penetration testing
Security risk assessments
A security risk assessment consists of many steps and is the backbone of your overall risk management plan. Risk assessments are important because they are used to identify assets or areas that pose the greatest risk, vulnerability, or exposure to the company. It then identifies the risks that could affect those assets.
Vulnerability Assessments
A vulnerability assessment refers to the process of identifying risks and vulnerabilities in computer networks, systems, hardware, applications, and other parts of the IT ecosystem. Vulnerability assessments are a critical part of the vulnerability management and IT risk management lifecycles, helping to protect systems and data from unauthorised access and data breaches. Vulnerability assessments typically use tools such as vulnerability scanners to identify threats and flaws within an organization’s IT infrastructure that represent potential vulnerabilities or risk exposures.
Penetration testing
Penetration testing is a method of testing a web application, network, or computer system to identify security vulnerabilities that can be exploited. The primary purpose of security as a whole is to prevent unauthorised parties from accessing, modifying, or misusing a network or system. It’s meant to do what a bad actor would do. The main reason why penetration testing is critical to an organization’s security is that it helps staff learn how to deal with any type of intrusion by a malicious entity. Pen testing serves as a way to examine whether an organization’s security policies are truly effective. They serve as a kind of fire drill for organizations. Penetration testing can also provide solutions that help organisations not only prevent and detect attackers but also efficiently expel such an intruder from their system.
Conclusion
In this article, we’ve explored the three basic security controls: technical, administrative, and physical. Several critical sub-controls were also considered: deterrent, corrective, and compensatory. While it is important for security professionals to understand the definition of the controls, they should also recognise that the ultimate goal of implementing the controls is to strengthen their organization’s defences to mitigate the risks. Information security should be treated as a programme that must be continuously monitored to defend and protect the most valuable assets. Stay vigilant by incorporating the controls in this article, and you’ll be equipped to support and contribute to your organization’s risk management program.