Cyber security controls are mechanisms used to prevent, detect and mitigate cyber threats and attacks. The mechanisms range from physical controls, such as security guards and surveillance cameras, to engineering controls, including firewalls and multi-factor authentication.
As the frequency of cyber attacks against businesses increases, security teams must continually re-evaluate their security controls. A one-size-fits-all approach to cybersecurity is obsolete and inefficient. And, because it is impossible to prevent every attack in today's threat landscape, organizations need to assess their assets according to their importance to the business and set controls accordingly.
The challenge is that employees are unlikely to follow compliance rules if austere controls are applied to every one of the company's assets. The severity of a control must directly reflect the landscape of assets and threats. The consequences of a hacker exposing thousands of customers' personal records through a cloud database, for example, can be far greater than those of a single employee's laptop being compromised.
"There are many ways to apply controls depending on the nature of what you are trying to protect," said Joseph MacMillan, author of Infosec Strategies and Best Practices and global cybersecurity black belt at Microsoft. "What is the nature of the threat you are trying to protect yourself from? Is it a malicious actor? Or is it a storm?"
The following excerpt from Chapter 2, "Protecting the Security of Assets", of Infosec Strategies and Best Practices explores the different types of cybersecurity controls, including the classes of controls, such as physical or technical, and the order in which to implement them.
Securing information assets
This section is about implementing the appropriate information security controls for assets. I've been thinking about this section for a while, trying to figure out how best to approach it for you.
I know you probably have experience choosing and implementing controls, and I don't want this section to end up being half the book, droning on endlessly about different types of controls or about all the big vendors who want to sell you a quick fix for all your problems. Either way, I'll cover a lot of different controls and ideologies in the following chapters.
Instead, in this chapter, I want to make sure that we focus on hard-hitting and effective ideologies that you need to understand in order to select the appropriate controls, meaning the controls that make an asset "secure enough" based on its criticality and its classification.
There are different classes into which the types of controls are grouped:
- Administrative/management controls are the policies and procedures that I always talk about. They aren't as "cool" as a new software control, but they exist to give structure and guidance to people like you and others in your organization, ensuring that no one is fined or causes a violation.
- Physical controls limit access to systems physically: fences, video surveillance, dogs ... and everyone's favorite, sprinklers.
- Technical/logical controls are those that restrict access on a hardware or software basis, such as encryption, fingerprint readers, authentication or Trusted Platform Modules (TPMs). These do not restrict access to physical systems as physical controls do, but rather access to data or content.
- Operational controls are those that involve people carrying out day-to-day processes. Examples include awareness training, asset classification and review of log files.
There are so many specific controls that there is simply no way we can go into all of them in this chapter. Beyond the controls in Annex A of ISO 27001, further work on controls and categories of controls can be found at NIST SP 800-53 Rev 5 (https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final), including control mappings between ISO 27001 and NIST SP 800-53.
What I can cover are the types of controls that you can categorize and apply as risk mitigation, based on the threat and your vertical:
- Preventive controls exist to stop an action from occurring and include firewalls, fences and access permissions.
- Detective controls are triggered only during or after an event, such as video surveillance or intrusion detection systems.
- Deterrent controls discourage threat actors from attempting to exploit a vulnerability, such as a "Watchdog" sign or dogs.
- Corrective controls are able to move a system from one state to another. This is where fail-open and fail-closed controls are addressed.
- Recovery controls restore something after a loss, such as recovering a hard drive.
- Compensating controls are the ones that try to fill the gaps left by other controls, such as the regular review of access logs. This example is also a detective control, but compensating controls can be of different types.
Generally, the order in which you want to place your controls for adequate defense in depth is as follows:
- Deter actors who are trying to access something they shouldn't.
- Deny/prevent access with a preventive control such as access authorizations or authentication.
- Detect the risk, making sure to log the detection, such as with endpoint protection software.
- Delay the process from recurring, such as with a "too many attempts" lockout when entering a password.
- Correct the situation by responding to the compromise, for example with an incident response plan.
- Recover from the compromised state, such as with a standby generator that restores uptime on a server.
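As an added illustration (not code from the book), the following login gate shows the deny, detect and delay steps above in one place: authentication denies bad credentials, every outcome is logged for detection, a "too many attempts" lockout delays repeated attempts, and an unreachable credential store fails closed rather than open. The user store, salt scheme and thresholds are constructed for the example.

```python
import hashlib
import hmac
import logging
import time
from collections import defaultdict

log = logging.getLogger("login-gate")

MAX_ATTEMPTS = 3        # delay: lock the account after this many failures...
LOCKOUT_SECONDS = 300   # ...and keep it locked for this long

def _hash(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed sample credential store: username -> (salt, salted hash).
USERS = {"alice": ("s4lt", _hash("s4lt", "correct horse"))}

_failures = defaultdict(list)  # username -> timestamps of recent failed attempts

def login(username, password, lookup=USERS.get, now=None):
    """Return 'ok', 'denied', 'locked' or 'unavailable'."""
    now = time.time() if now is None else now
    # Delay: drop failures older than the lockout window, then check the count.
    recent = [t for t in _failures[username] if now - t < LOCKOUT_SECONDS]
    _failures[username] = recent
    if len(recent) >= MAX_ATTEMPTS:
        log.warning("locked user=%s attempts=%d", username, len(recent))  # detect
        return "locked"
    # Fail closed: if the credential store cannot be reached, deny rather than allow.
    try:
        record = lookup(username)
    except Exception as exc:
        log.error("store unavailable user=%s err=%s", username, exc)  # detect
        return "unavailable"
    # Deny: constant-time comparison against the stored hash; unknown users also fail.
    salt, stored = record if record else ("", "")
    if record and hmac.compare_digest(_hash(salt, password), stored):
        _failures[username].clear()
        log.info("login ok user=%s", username)  # detect: log successes too
        return "ok"
    _failures[username].append(now)
    log.warning("login denied user=%s attempts=%d", username, len(_failures[username]))
    return "denied"
```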
Additionally, as part of continuous improvement, we need to monitor the value of each asset for changes. The reason is that we may need to rethink the controls protecting those assets if they become more or less valuable over time, or during major events in your organization.
As a side note, when we look at controls, we should also think about recovery. What I mean is that we want to be able to recover from any adverse situation or any change in assets and their value. Examples are backups, redundancy, restore processes and so on.
A concept to keep in mind, especially in the age of the cloud, SaaS, PaaS, IaaS, third-party solutions and all other forms of "someone else's computer", is to ensure that service level agreements (SLAs) are clearly defined and include a maximum allowable downtime, as well as penalties for failing to meet those terms. This is an example of a compensating control.
As a consumer of third-party solutions, you'll want to fight for SLAs that reflect your risk appetite. At the same time, consider that by chaining these services together, you create a higher level of availability risk: if even one of the services is offline and you cannot complete a task, that is a loss of availability. If you are a cloud service provider, you need to consider your own availability, what can realistically be offered to your customers, and what is required from a business perspective.
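To make the chaining point concrete, here is an added worked calculation (not from the book): when a task needs every service in a chain, the chain's availability is the product of the individual SLAs, which can be converted into expected annual downtime and compared with the business's maximum allowable downtime. The service names and SLA figures are constructed for the example.

```python
MINUTES_PER_YEAR = 365 * 24 * 60

# Constructed sample: contractual availability promised by each third-party service.
CHAIN = {"identity-provider": 0.9999, "database": 0.999, "storage-api": 0.9995}

def chain_availability(services):
    """A task that depends on every service only succeeds when all of them are up,
    so the availabilities multiply (assuming independent outages)."""
    total = 1.0
    for availability in services.values():
        total *= availability
    return total

def annual_downtime_minutes(availability):
    return (1.0 - availability) * MINUTES_PER_YEAR

def weakest_link(services):
    """The service whose SLA contributes the most downtime to the chain."""
    return min(services, key=services.get)

def sla_gap(services, max_downtime_minutes):
    """Compare the chained availability with the maximum allowable downtime.

    Returns (chained availability, expected downtime in minutes/year, and the
    availability every link would need if all links were equal and the target
    is to be met)."""
    availability = chain_availability(services)
    target = 1.0 - max_downtime_minutes / MINUTES_PER_YEAR
    required_each = target ** (1.0 / len(services))
    return availability, annual_downtime_minutes(availability), required_each
```

With the sample chain, three services that each look "three or four nines" combine to roughly 99.84%, or about 14 hours of expected downtime a year, and meeting a 60-minute annual target would require every link to promise about 99.996%.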
About the Author
Joseph MacMillan is a global cybersecurity black belt at Microsoft. Much of his job is to help businesses achieve their goals in a secure manner by removing any ambiguity surrounding risk. MacMillan holds various certifications including CISSP, CCSP, CISA, CSSLP, AlienVault Certified Engineer and ISO 27001 Certified ISMS Lead Auditor.