Security Control


Information security and cybersecurity assurance is achieved by implementing security controls.

A security control is a technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, availability (CIA), and nonrepudiation of information.

Security Control Categories

  • Controls can be divided into three broad categories based on the way the control is implemented
  • CompTIA uses Managerial + Operational where other frameworks use a single Administrative category; Technical is the third category
    • Managerial
      • control gives oversight of the information system
      • e.g.,
        • risk identification
        • risk assessment that drives the evaluation and selection of other security controls
    • Operational
      • control is implemented primarily by people rather than by systems
      • e.g., security guards, training programs, standard operating procedures, security policies (AUP)
    • Technical
      • control is implemented as a system (hardware, software, or firmware)
      • e.g., firewalls, antimalware software, OS access controls, encryption

Security Control Function Types

Adopting a functional approach to security control selection allows you to devise a Course of Action (CoA) matrix that maps security controls to known adversary tools and tactics: each phase of an attack is checked for controls that can prevent, detect, and respond to it, so gaps in coverage become visible.

A security control can be classified according to the goal or function it performs:

Preventative Control

Preventative control acts before an incident to eliminate or reduce the likelihood that an attack can succeed.

  • operates before an attack can take place
  • e.g.,
    • access control lists prevent unauthorized access to a resource
    • antimalware software prevents malicious processes from executing

Detective Control

Detective control acts during an incident to identify and record an attempted or successful intrusion.

  • detect, and sometimes report, a security incident while it is in progress
  • e.g., logs, provided that something (an analyst or an automated rule) actually reviews them; an unread log records an intrusion but does not detect it
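As an added example (not from the original notes) of what turns a log from a passive record into a detective control: a threshold rule run over constructed sshd-style auth log lines. The sample lines, the "5 failures within 5 minutes" threshold, and the year used to complete the syslog timestamps (which carry none) are assumptions.

```python
"""A log becomes a detective control only when something reviews it.

Added example, not from the original notes: a threshold rule over
constructed sshd-style auth log lines that flags password guessing.
The sample lines, the threshold and window, and the year used to complete
the syslog timestamps are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source guesses several accounts in a few seconds,
# another source is a legitimate user with a single mistyped password.
SAMPLE_LOG = """\
Mar 10 02:14:01 bastion sshd[4120]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 10 02:14:03 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar 10 02:14:05 bastion sshd[4122]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 10 02:14:06 bastion sshd[4123]: Accepted publickey for deploy from 198.51.100.20 port 41002 ssh2
Mar 10 02:14:08 bastion sshd[4124]: Failed password for invalid user oracle from 203.0.113.7 port 50125 ssh2
Mar 10 02:14:09 bastion sshd[4125]: Failed password for invalid user test from 203.0.113.7 port 50126 ssh2
Mar 10 02:31:40 bastion sshd[4130]: Failed password for deploy from 198.51.100.20 port 41010 ssh2
Mar 10 02:31:55 bastion sshd[4131]: Accepted password for deploy from 198.51.100.20 port 41011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps omit the year; the caller supplies it (assumption).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def detect_password_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert on any source with >= threshold failed logins inside a sliding window.

    Returns one alert per offending source: first timestamp in the window,
    number of failures, and the distinct accounts tried.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event["outcome"] == "Failed":
            failures[event["src"]].append(event)

    alerts = []
    for src, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span is at most `window` long.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "src": src,
                    "first_seen": events[start]["ts"],
                    "count": end - start + 1,
                    "users": sorted({e["user"] for e in events[start:end + 1]}),
                })
                break  # one alert per source per run is enough to act on
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(f"{alert['first_seen']} {alert['src']}: {alert['count']} failures "
              f"against {', '.join(alert['users'])}")
```

The legitimate user's single failure stays below the threshold, so the rule reports only the guessing source. The review step is the detective function; without it the same lines are just storage.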

Corrective Control

Corrective control acts after an incident to eliminate or minimize its impact.

  • limit the damage caused by a security incident
  • e.g.,
    • backup system that restores data damaged during an intrusion
    • patch management system that eliminates the vulnerability exploited during the attack

Directive Control

Directive control enforces a rule of behavior through a policy or contract.

  • e.g.,
    • an employee’s contract sets out disciplinary procedures or grounds for dismissal for failing to comply with policies and procedures
    • training and awareness programs
    • SOPs

Deterrent Control

Deterrent control discourages intrusion attempts.

  • deter an action that could result in a violation
  • discourages the action without blocking it; a deterrent that is ignored does nothing on its own, so it is normally paired with a preventive or detective control
  • e.g.,
    • signs and warnings of legal penalties against trespass

Compensating Control

A compensating control substitutes for a primary control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

  • takes on risk mitigation when a primary control fails or cannot completely meet expectations
  • addresses a threat for which there is no straightforward risk-mitigating solution
  • PCI DSS identifies that a compensating control is needed when an overriding business or technical reason prevents deploying the primary control recommended by the standard
  • Leadership must approve the control’s deployment
  • require detailed documentation to show that the compensating control
    • is deployed as part of the process
    • is applied consistently by employees
    • and is monitored for effectiveness

Responsive Control

A responsive control is a type of security control that directs corrective actions after an incident has been confirmed.

  • e.g., in an SOC:
    • response playbook
      • well-defined actions to be taken by an analyst
    • Disaster recovery plans (DRPs)
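A small worked example of the CoA-matrix idea from the note at the top of this section, using the function types just listed. This is added example code, not from the original notes or from any framework: the kill-chain style phases, the control inventory and the phases each control covers are constructed for illustration, and the rule that every phase needs at least one preventive and one detective control is an assumption to replace with your own policy.

```python
"""Course of Action (CoA) matrix: map controls to adversary phases and find gaps.

Added example, not taken from the original notes. Phases, the control
inventory and the coverage rule are constructed for illustration.
"""
from collections import defaultdict

# Constructed subset of kill-chain style adversary phases.
PHASES = ["delivery", "exploitation", "installation",
          "command_and_control", "actions_on_objectives"]

# Function types as classified in the notes; one control may serve several.
FUNCTIONS = {"preventive", "detective", "corrective", "directive",
             "deterrent", "compensating", "responsive"}

# Constructed control inventory: (name, function types, phases it applies to).
CONTROLS = [
    ("email attachment sandbox",   {"preventive", "detective"}, {"delivery"}),
    ("host antimalware",           {"preventive", "detective"}, {"exploitation", "installation"}),
    ("egress proxy allowlist",     {"preventive"},              {"command_and_control"}),
    ("endpoint log collection",    {"detective"},               {"installation", "actions_on_objectives"}),
    ("offline backups",            {"corrective"},              {"actions_on_objectives"}),
    ("incident response playbook", {"responsive"},              set(PHASES)),
]


def build_coa_matrix(controls, phases):
    """Return {phase: {function_type: [control names]}}.

    Rejects unknown function types or phases so a typo in the inventory
    cannot silently look like coverage.
    """
    matrix = {phase: defaultdict(list) for phase in phases}
    for name, functions, covered in controls:
        unknown = functions - FUNCTIONS
        if unknown:
            raise ValueError(f"{name}: unknown function type(s) {sorted(unknown)}")
        for phase in covered:
            if phase not in matrix:
                raise ValueError(f"{name}: unknown phase {phase!r}")
            for fn in functions:
                matrix[phase][fn].append(name)
    return matrix


def coverage_gaps(matrix, required=("preventive", "detective")):
    """Phases that lack at least one control of each required function type.

    The default rule (every phase needs something that blocks and something
    that sees) is an assumption; substitute your own policy.
    """
    gaps = {}
    for phase, by_function in matrix.items():
        missing = [fn for fn in required if not by_function.get(fn)]
        if missing:
            gaps[phase] = missing
    return gaps


def single_points_of_failure(matrix, function="preventive"):
    """Phases where exactly one control supplies the given function type.

    If that control fails the phase loses that coverage entirely, which is
    where a compensating control would be considered.
    """
    return sorted(phase for phase, by_function in matrix.items()
                  if len(by_function.get(function, [])) == 1)


def render(matrix, columns=("preventive", "detective", "corrective", "responsive")):
    """Plain-text CoA matrix: one row per phase, one column per function type."""
    width = max(len(p) for p in matrix)
    lines = [" " * width + "  " + "  ".join(f"{c:<26}" for c in columns)]
    for phase, by_function in matrix.items():
        cells = ["; ".join(by_function.get(c, [])) or "-" for c in columns]
        lines.append(f"{phase:<{width}}  " + "  ".join(f"{cell[:26]:<26}" for cell in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_coa_matrix(CONTROLS, PHASES)
    print(render(m))
    print("\ngaps:", coverage_gaps(m))
    print("single preventive control:", single_points_of_failure(m))
```

With this inventory the matrix shows that command-and-control has nothing detective and actions-on-objectives has nothing preventive; those are the rows where the next control should be selected, and the single-control rows are where a compensating control would be justified.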

Controls, Safeguards, and Countermeasures

  • These terms are related but not interchangeable:
    • a control limits or constrains behavior
    • safeguards and countermeasures are controls that exercise restraint on or management of an activity
      • a countermeasure counters, or addresses, the loss from a specific incident

Example

  • Control: a safe for storage of valuables
  • Safeguard: a human guard who watches the safe
  • Countermeasure: insurance against the loss of the valuable contents of the safe

Countermeasures

  • the number of possible countermeasures is unlimited
  • must have a clearly defined purpose:
    • must address a risk
    • must reduce a vulnerability
  • otherwise it is a solution in search of a problem: cost and complexity without a corresponding reduction in risk

Choosing Controls

  • Reference guides for controls:
    • ISO/IEC 27002:2013, Information Technology—Security Techniques—Code of Practice for Information Security Controls (2013; superseded by ISO/IEC 27002:2022)
      • practical guide for developing security standards and best practices
    • NIST Special Publication 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations (2020)
      • states the minimum safeguards required in order to create an effective information security program

Assessing Security Controls

ITIL Security KPIs

  • Decrease in breaches
  • Decrease in breach impact
  • Increase in strong SLAs
  • Number of new controls
  • Time from identification of a security threat to implementation of a countermeasure

Key Risk Indicators (KRIs)

  • selected based on
    • business impact
    • effort to implement, measure, and support
    • reliability
    • sensitivity

Control Standards and Frameworks

  • NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations
  • NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
  • ISO/IEC 27001 (ISMS requirements; its Annex A controls are detailed in ISO/IEC 27002)
  • CIS Controls