Choose the Right Security Control Type for the Job

Every day, an organization’s assets are exposed to a variety of security threats. These threats can damage the assets by exploiting vulnerabilities present in them. The probability of these threats exploiting the assets’ weaknesses and the resulting impact is referred to as risk. Security controls are employed to mitigate this risk. There are various types of security controls, each of which serves a distinct purpose. The article aims to explain what security controls are, their various types, and what functions they provide. It also discusses how these controls can be combined to provide the organization with defense-in-depth protection for its assets.

What are security controls?

Security controls, often known as security countermeasures, are implemented to reduce the risk posed by a threat. These controls are used to lessen the likelihood of a threat agent exploiting a security flaw, and so to minimize the resulting damage. The purpose of a security control is to safeguard the confidentiality, integrity, and availability of an asset.

Security controls might take the shape of hardware, software, rules, or processes, and each is tailored to achieve a specific objective. An access control list, for example, is used to limit a user’s access to certain resources. When a user attempts to access a resource, their access rights are checked against the access control list, and access is granted only if the permissions indicated in the ACL allow it. A load balancer is another example. A load balancer is a device that manages incoming client requests and routes them to various servers. As a result, it supports availability by allowing timely access to resources and ensuring that none of the servers are overburdened.

The application of security controls requires a thorough examination of threats, vulnerabilities, the asset’s worth to the company, and the level of risk due to a particular threat. Based on all of these considerations, a suitable security countermeasure is then chosen to effectively mitigate the risk.

Benefits of security controls:

Following are some of the benefits of employing security controls in an organization:

  • They safeguard the organization’s most precious assets, including people, processes, and data, as well as the infrastructure that hosts this data.

  • They help ensure the continuity of critical business functions of the organization.

  • Business processes can function more effectively and efficiently with the help of security controls.

  • These controls ensure compliance with security and privacy laws/regulations.

  • These safeguards reduce the impact of the most frequent security incidents, including data breaches, social engineering attacks, malware injection, and so on.

  • By allowing the company to operate in a secure and efficient manner, these controls deliver a favorable return on investment.

Types of security controls:

Administrative, technical, and physical security controls are the three most common types of security controls. This section explains each of these types and includes examples to help you understand them.

Administrative controls:

Administrative controls are often known as soft security measures since they are more management-focused. When it comes to security, the most important thing to keep in mind is human behavior. Even if you have the strongest technical controls in place to protect your assets, one user error can jeopardize the security of your assets. As a result, it’s critical to provide employees with guidance and implement various controls that allow them to carry out their duties responsibly and safely.

Administrative security controls can take the shape of policies, standards, procedures, baselines, or recommendations. It is the responsibility of management to design these controls and delegate their implementation to relevant employees. Administrative controls govern how security will be integrated within the company in accordance with the organization’s overall business objectives.

Some examples of administrative security controls are as follows:

  • Security Policies
  • Security awareness and training programs
  • Separation of duties
  • Job Rotation
  • Personnel hiring procedures
  • Data Classification

Technical Controls:

Technical controls are sometimes known as logical controls since they are based on software, hardware, or firmware. These controls can be embedded in operating systems, software packages, or applications to provide various security services. They can also take the shape of standalone electronic devices or software/hardware security configurations. These controls are used to provide protection to the assets in an automated manner.

Some of the examples of technical security controls are as follows:

  • Firewalls
  • Network-based or host-based Intrusion Detection Systems
  • Intrusion Prevention Systems
  • Encryption
  • Antivirus Solutions
  • Access Control Lists
  • Data Backup
  • Smart Cards
  • SIEM (Security Information and Event Management) software

Physical Controls:

Physical security controls are those controls that are employed to secure a facility, its occupants, and its assets. These controls are used to prevent unauthorized access to sensitive areas of the facility, detect unusual actions, prevent damage to human life and the facility, and deter unwanted activities, among other things. The majority of these controls are in the form of tangible objects or people.

Some of the examples of physical security controls are as follows:

  • Security Guards
  • Fences
  • Locked Doors
  • Bollards
  • Mantraps
  • Closed-circuit TV
  • Device locks
  • Security Badges and Swipe Cards
  • Motion Detectors

Functionalities of Security Controls:

Security controls are used to accomplish specific purposes. Different types of security controls have different functions. Knowledge of these functionalities can assist security experts in making a decision about which control will most effectively address the security issue. Security controls can be divided into six categories based on their functionalities:

1. Preventive Controls:

Preventive controls, also known as preventative controls, are designed to prevent a security incident. The goal of preventive security control is to stop an unwanted action from being attempted before it has an opportunity to harm an asset. Even if an adversary successfully executes an attack, these measures can limit the effects of the damage caused by the attack.

Preventive security controls are among the first security controls to be implemented in an environment. The use of preventive controls requires an examination of your environment and contemplation of everything that could go wrong. The choice of an appropriate preventive control depends upon the level of risk due to a threat and the value of the asset.

Examples of Preventive Controls:

Firewalls are one of the most common examples of technical preventive controls. Firewalls filter incoming and outgoing traffic based upon a predefined set of rules. Firewalls can be configured to block specific IP addresses, websites, connection requests, and so on, based on the organization’s security policies. As a result, depending on how well your firewalls are configured, they may be able to keep malicious traffic out of your protected internal network.

Separation of duties is one of the most commonly employed administrative preventive controls. The goal of separation of duties is to distribute the responsibility for carrying out a critical task among different personnel in order to ensure that no one person has enough access or privileges to compromise an asset’s security and commit fraud.

Security badges or swipe cards are examples of preventive physical controls. These cards are used to authenticate individuals before granting them access to the facility. Thus, they prevent unauthorized individuals from entering the sensitive areas of the facility.

2. Detective Controls:

Detective security controls are used to identify events connected to security incidents in your environment that may or may not be a sign of an intruder and alert the concerned personnel. It is very hard to prevent every security incident that occurs in your organization. At times, attackers are able to bypass the preventive mechanisms and successfully compromise your asset’s security. As a result, it is critical to detect any undesirable activity that you cannot prevent. Detective security controls come in handy in this situation.

An event can be detected in real time or after it has transpired using detective security controls. These measures are also used to assist in the investigation of an incident or to check the efficacy of security controls in an organization during security audits. Preventive and detective security controls should always be employed in tandem and therefore should complement one another.

Examples of Detective Security Controls:

An IDS (Intrusion Detection System) is an example of a technical detective security control. An intrusion detection system is used to monitor for suspicious activity in the network or on the endpoints and to alert the concerned security responders.

CCTV (Closed Circuit Television) cameras are used in every organization and are an example of a physical detective security control. These cameras record images/videos in different areas of the facility and are also used in the investigation of security incidents.

Employee monitoring and supervision is an example of an administrative detective security control. It is used to track staff productivity as well as to detect theft, malicious activity, and security policy violations.

3. Corrective Controls:

Corrective security controls are used to fix a system or its components following the occurrence of a security incident. These controls are used to deal with a security incident and reduce the impact it has on an organization’s assets.

Corrective controls are used to respond to security incidents and are sometimes in the form of procedures or guidelines that instruct the employees about how to deal with the incident.

Examples of Corrective Controls:

An incident response plan is an example of an administrative corrective control. An incident response plan is created to detect, respond to, and recover from a security incident. An IR plan is made up of explicit instructions and procedures that advise security personnel on how to carry out the activities in each phase of the plan.

Vulnerability Patching is an example of a technical corrective control. Vulnerability patching is done after the discovery of the vulnerability in a system or an application. A patch is developed to deal with the vulnerability. It is then tested and verified before its deployment on the system/application.

4. Deterrent Controls:

Deterrent controls are intended to reduce the likelihood of a deliberate attack by discouraging potential attackers or malicious insiders. These controls, which are usually in the form of a physical object or a person, thwart malicious activity by making it harder for the adversary to successfully carry out an attack.

Deterrent controls can also be in the form of disciplinary sanctions that are imposed if an organization’s employee is found to be in violation of its rules and policies.

Examples of deterrent controls:

Fences are an example of a physical deterrent control. Fences are erected around the organization’s perimeter to serve as a physical barrier. Fences act as a deterrent to trespassers and intruders, helping to protect the facility and its occupants.

Warnings, fines, and demotions are some examples of administrative deterrent controls. They are used to deter violations of the organization’s rules, policies, and agreements, as well as any conduct that could be detrimental to the company.

5. Recovery Controls:

These controls are used to recover a system or an environment to bring it back to normal operations. These controls must be planned around the critical business functions or the systems that support these functions. Recovery security controls are used to ensure that critical systems or services are restored in a timely manner and that the operational downtime losses are reduced.

Examples of Recovery Controls:

Business Continuity Planning is an example of an administrative recovery control. A business continuity plan consists of detailed procedures for emergency response, backup operations, and post-disaster recovery. This plan ensures that the critical business functions are maintained and minimizes damage to human life, business operations, and systems.

Data backup is an example of a technical recovery control. Data backup is the process of creating a copy of the original data in one or more alternate locations so that it may be recovered in a timely manner in the event of a disaster or attack.

6. Compensating Controls:

Compensating controls are employed as alternatives to primary controls. Compensating controls perform comparable functions to primary controls; however, they are utilized when primary controls are either too expensive or obstruct a specific business function. These controls are used as a workaround to defend against security threats and guarantee that security requirements are met.

Examples of compensating controls:

There are no fixed examples of compensating controls as these controls are applied in the context of primary controls.

Let’s look at a scenario to better comprehend this concept. Imagine that a company still uses legacy systems in its environment since they provide critical business functionality and removing them is not possible. The use of these systems can expose the company’s systems or network to a variety of threats. In order to detect and prevent these threats, the company will need to use a sophisticated monitoring and logging system. These monitoring and logging controls therefore act as compensating controls in this situation.

Consider another accounting scenario in which a single individual is in charge of bank reconciliation and vendor payments. Assume that your company has limited resources and the implementation of a separation of duties control isn’t feasible. As a result, in order to reduce the risk of fraud, the company decides to adopt rigorous monitoring and logging of employee actions. These monitoring and logging controls, in this case, are compensating controls that are meant to provide the same level of protection as the primary control.
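The accounting scenario above can be made concrete as a detective check over the finance application's audit log. The following is an added example, not code from the original article: it reads constructed audit log lines and flags any user who performed both halves of a conflicting duty pair (bank reconciliation and vendor payment) within the same review window. The log format, field names, the seven-day window, and the conflicting-duty pairs are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Duties the primary control (separation of duties) would have kept apart.
# The compensating control instead detects one person performing both.
# This pairing is an assumption for the example, not a fixed standard.
CONFLICTING_DUTIES = {("bank_reconciliation", "vendor_payment")}

# Constructed sample audit log (assumed format):
#   "<ISO timestamp> user=<id> action=<name> ref=<record id>"
SAMPLE_LOG = """\
2024-03-01T09:12:00 user=alice action=vendor_payment ref=INV-1042
2024-03-01T09:40:00 user=bob action=bank_reconciliation ref=ACC-7
2024-03-01T16:05:00 user=alice action=bank_reconciliation ref=ACC-7
2024-03-02T10:00:00 user=carol action=vendor_payment ref=INV-1043
2024-03-09T11:30:00 user=bob action=vendor_payment ref=INV-1044
"""


def parse_log(text):
    """Parse audit log lines into (timestamp, user, action, ref) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["user"],
                       kv["action"], kv["ref"]))
    return events


def find_sod_violations(events, window=timedelta(days=7)):
    """Return {user: [(duty_a, duty_b), ...]} for every user who performed
    both duties of a conflicting pair within `window` of each other."""
    by_user = defaultdict(list)
    for ts, user, action, _ in events:
        by_user[user].append((ts, action))
    violations = defaultdict(list)
    for user, acts in by_user.items():
        for duty_a, duty_b in CONFLICTING_DUTIES:
            times_a = [t for t, act in acts if act == duty_a]
            times_b = [t for t, act in acts if act == duty_b]
            if any(abs(ta - tb) <= window for ta in times_a for tb in times_b):
                violations[user].append((duty_a, duty_b))
    return dict(violations)


if __name__ == "__main__":
    # alice reconciled and paid on the same day; bob's two actions are 8 days apart
    print(find_sod_violations(parse_log(SAMPLE_LOG)))
```

In the sample log only alice is flagged; bob's two actions fall outside the seven-day window, which is exactly the kind of tuning a review team would decide on when the control is introduced.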

Defense-in-Depth Security Strategy:

Defense-in-Depth refers to a security strategy that uses multiple security controls in a layered approach. The purpose of using this multilayered defense system is to make it very difficult for an attacker to penetrate your environment and to reduce the likelihood of a successful attack. An attacker will have to pass through several layers of security countermeasures before they have a chance to access your valuable resources.

With the number and sophistication of cyber-attacks on the rise around the world, it’s more important than ever for businesses to put in place a security program that can withstand such attacks. Various security frameworks, such as the NIST CSF (Cybersecurity Framework) and ISO 27001, provide organizations with direction on how to build a security management program that can prevent, detect, and respond to a variety of security threats. To provide effective asset protection, administrative, technical, and physical security controls must be employed together to provide preventive, detective, corrective, deterrent, and recovery control functionality. Physical and logical access controls, monitoring and logging, data, endpoint and network protection, and personnel management controls are some of the most essential categories of security controls that must be used to accomplish a defense-in-depth security strategy.

This security strategy is used to protect your assets from different attack vectors. One of the greatest benefits of using this security strategy is that even if one of the security controls fails, the rest of the controls can still protect your resources. The implementation of Defense-in-Depth requires the analysis of various vulnerabilities, threats, and risks to the assets as well as the organization’s resources. Following this analysis, cost-effective security controls can be applied that protect these resources efficiently.
