WEBVTT

00:00:01.040 --> 00:00:03.320
Let's take a look at security controls,

00:00:03.550 --> 00:00:06.060
the third part of this Security Principles for

00:00:06.060 --> 00:00:09.100
Certified in Cybersecurity examination.

00:00:10.340 --> 00:00:14.720
We started this course out looking at information security concepts,

00:00:14.730 --> 00:00:19.400
understanding what security was and then providing proper oversight

00:00:19.400 --> 00:00:21.680
and governance for the security program,

00:00:21.950 --> 00:00:26.330
including things like a security strategy and what we hope to accomplish,

00:00:26.340 --> 00:00:27.350
our objectives.

00:00:28.270 --> 00:00:31.070
A lot of this was influenced by risk.

00:00:31.230 --> 00:00:33.330
What are the things that could go wrong?

00:00:33.620 --> 00:00:38.350
We looked at risk from that negative perspective if something would

00:00:38.360 --> 00:00:42.040
impact business operations in a negative way.

00:00:42.450 --> 00:00:43.530
So therefore,

00:00:43.540 --> 00:00:47.990
we're going to build out and address that risk in order to meet that

00:00:47.990 --> 00:00:51.950
strategy through the deployment of security controls.

00:00:53.030 --> 00:00:56.550
We know that we have risk, it's a part of business,

00:00:56.560 --> 00:01:03.620
things can go wrong, but we then know we have the option to implement controls.

00:01:04.290 --> 00:01:09.600
Those controls that we put in place, the controls we choose,

00:01:09.610 --> 00:01:13.020
are justified by the risk we face.

00:01:13.270 --> 00:01:17.980
We should not have a control where there is no known risk nor

00:01:17.990 --> 00:01:21.130
should we have a significant risk and decide nah,

00:01:21.130 --> 00:01:23.340
we're not going to bother putting in controls.

00:01:23.860 --> 00:01:28.820
No, risk justifies the choice and deployment of controls,

00:01:29.150 --> 00:01:32.190
but just as that justification is there,

00:01:32.320 --> 00:01:37.380
those controls are there in order to address and mitigate the risk.

00:01:37.840 --> 00:01:43.040
If the control is not accomplishing that task of mitigating the risk,

00:01:43.540 --> 00:01:46.050
it's probably the wrong control actually.

00:01:47.440 --> 00:01:51.650
This is part of risk treatment, sometimes called risk response.

00:01:52.240 --> 00:01:53.630
So we look at, for example,

00:01:53.630 --> 00:01:57.520
this diagram we've examined before where we had a threat actor,

00:01:58.260 --> 00:02:04.200
some type of a threat source that exploited a vulnerability and that

00:02:04.210 --> 00:02:08.949
exploit then could come with a certain level of likelihood.

00:02:09.080 --> 00:02:09.990
Did it happen?

00:02:11.200 --> 00:02:17.620
That vulnerability allowed now some type of impact on our asset,

00:02:17.630 --> 00:02:21.290
our business process, our building, whatever it happens to be.

00:02:22.810 --> 00:02:26.040
That is the determination of our level of risk.

00:02:26.450 --> 00:02:32.600
What is the likelihood and what is the impact of this damage should it happen?

00:02:34.310 --> 00:02:35.170
From this,

00:02:35.180 --> 00:02:40.240
we know that we have recommendations of what we could do about this risk.

00:02:40.780 --> 00:02:45.430
That was the selection of a control or multiple controls.

00:02:46.110 --> 00:02:48.160
When I select a control,

00:02:48.330 --> 00:02:52.840
the purpose of the control is to try to mitigate the impact,

00:02:53.340 --> 00:02:59.360
make it less damaging, or to reduce the likelihood of this happening.

00:03:00.000 --> 00:03:05.720
So a control will usually address impact or likelihood,

00:03:06.430 --> 00:03:10.640
but it's rarely going to be able to really address the threat.

00:03:10.870 --> 00:03:12.980
The threat source will always be there,

00:03:13.380 --> 00:03:16.870
but we can make it more difficult for that threat to be

00:03:16.870 --> 00:03:20.610
effective and to be able to damage our systems.

00:03:21.220 --> 00:03:23.400
We can see here, for example,

00:03:23.610 --> 00:03:27.650
that if I wear my seatbelt and there is a car accident,

00:03:27.700 --> 00:03:31.760
hopefully there is less, should we say, personal injury.

00:03:32.060 --> 00:03:34.180
The seatbelt might save my life.

00:03:34.180 --> 00:03:36.470
In other words, the impact was reduced.

00:03:37.320 --> 00:03:39.900
If I have good tires on my car,

00:03:39.970 --> 00:03:43.460
it might reduce the likelihood of having that accident.

00:03:43.730 --> 00:03:47.000
So these are two different ways we can see that

00:03:47.000 --> 00:03:51.170
controls will reduce a known risk.

00:03:52.950 --> 00:03:58.130
There are three main types of controls, but in order to make it confusing,

00:03:58.130 --> 00:04:03.180
we always use two terms for each one: administrative controls,

00:04:03.180 --> 00:04:06.320
or sometimes called managerial controls,

00:04:07.100 --> 00:04:10.890
technical, or sometimes known as logical controls,

00:04:10.900 --> 00:04:14.850
and physical, also known as environmental controls.

00:04:15.190 --> 00:04:18.180
These are our three main types of controls.

00:04:19.459 --> 00:04:25.660
When we put controls in place, they could either be proactive or reactive.

00:04:25.960 --> 00:04:31.940
For example, a proactive control is something which is a directive control,

00:04:31.950 --> 00:04:34.250
tells us what we can or cannot do,

00:04:34.670 --> 00:04:39.390
a deterrent just to discourage somebody from doing something wrong,

00:04:39.530 --> 00:04:44.180
or preventive control to try to make sure they can't do something wrong.

00:04:44.360 --> 00:04:48.260
All of these happened before something went wrong.

00:04:48.800 --> 00:04:49.310
Therefore,

00:04:49.310 --> 00:04:51.860
we call them safeguards because they are there to

00:04:51.860 --> 00:04:54.610
safeguard our systems and assets.

00:04:55.580 --> 00:04:58.760
But we also need reactive controls.

00:04:58.960 --> 00:05:02.420
We often call these countermeasures because they are there

00:05:02.420 --> 00:05:06.050
specifically to counter some type of an event.

00:05:06.580 --> 00:05:11.520
And the three most common countermeasures are detective controls,

00:05:11.560 --> 00:05:15.300
corrective controls, and recovery controls.

00:05:17.180 --> 00:05:20.380
Let's look at how all of these controls fit together.

00:05:20.850 --> 00:05:23.580
We said there were three main types of controls,

00:05:23.590 --> 00:05:27.260
managerial, technical, and physical or environmental.

00:05:27.940 --> 00:05:31.500
And then we saw the three which were safeguards and the

00:05:31.500 --> 00:05:34.330
three which were then countermeasures.

00:05:34.980 --> 00:05:39.810
So what would be an example of a managerial directive control?

00:05:40.290 --> 00:05:45.450
An acceptable use policy that tries to tell people this is what you can do,

00:05:45.650 --> 00:05:49.490
this is what you shouldn't do, so hopefully you don't do something wrong.

00:05:49.560 --> 00:05:54.870
That's a direction that we provided to the reader of that policy.

00:05:55.530 --> 00:05:56.510
Technically,

00:05:56.600 --> 00:06:00.990
a person goes on to a computer system and they see this warning banner

00:06:00.990 --> 00:06:03.620
on their screen that says this is a private system,

00:06:03.620 --> 00:06:04.820
don't go further.

00:06:05.380 --> 00:06:09.640
That's a technical type of directive control.

00:06:09.730 --> 00:06:12.850
Physical is where you have a sign at the edge of the

00:06:12.850 --> 00:06:15.060
property that says do not enter,

00:06:16.110 --> 00:06:20.500
but some people don't take direction very well, so we

00:06:20.500 --> 00:06:22.720
need to also sometimes have a deterrent.

00:06:22.720 --> 00:06:27.560
A deterrent is the type of control which would discourage

00:06:27.560 --> 00:06:29.250
somebody from doing something wrong.

00:06:29.840 --> 00:06:31.560
Look, we told you don't do it,

00:06:31.570 --> 00:06:34.370
but this is also telling you what's going to happen if you do.

00:06:34.770 --> 00:06:38.160
For example, if a person doesn't abide by policy,

00:06:38.280 --> 00:06:40.260
they could face disciplinary action.

00:06:41.300 --> 00:06:42.460
Technically,

00:06:42.630 --> 00:06:47.070
we have a little note that says all actions on this system are monitored,

00:06:47.690 --> 00:06:50.490
and so people realize I better not do something wrong

00:06:50.490 --> 00:06:53.000
because somebody will have a record of that.

00:06:54.140 --> 00:06:56.790
Physically, we had a sign that says do not enter,

00:06:56.790 --> 00:07:01.050
but underneath that sign is a second one that says beware of dog.

00:07:01.510 --> 00:07:05.830
You know, sometimes you could socially engineer maybe a security guard,

00:07:05.970 --> 00:07:09.690
but it's very hard to socially engineer a German Shepherd

00:07:09.690 --> 00:07:15.060
or a Rottweiler with a bad attitude, so that's a deterrent, we could say.

00:07:15.910 --> 00:07:19.300
Preventive controls are things like separation of duties.

00:07:19.610 --> 00:07:23.750
We saw earlier how having separation of duties can actually help

00:07:23.750 --> 00:07:26.980
us to then prevent fraud or even mistakes.

00:07:27.810 --> 00:07:31.840
Technically, well, we told you that this is a private system,

00:07:31.840 --> 00:07:33.570
and we told you we're going to monitor,

00:07:33.570 --> 00:07:38.460
but we also have a password and that password would stop

00:07:38.460 --> 00:07:41.870
you or prevent you from being able to log in if you didn't

00:07:41.870 --> 00:07:43.110
have the correct password.

00:07:43.670 --> 00:07:45.880
And physically, the fence.

00:07:46.310 --> 00:07:48.590
Yeah, it's a sign, but of course,

00:07:48.590 --> 00:07:51.030
the fence can make it a little bit more difficult

00:07:51.180 --> 00:07:53.190
to get on that property as well.

00:07:53.750 --> 00:07:58.440
So those are examples of all three types of controls from the

00:07:58.440 --> 00:08:01.540
perspective of what we called here safeguards.

00:08:02.560 --> 00:08:06.510
The three types of reactive controls, such as,

00:08:06.520 --> 00:08:10.200
should we say, here a detective reactive control,

00:08:10.600 --> 00:08:15.060
would be something like an audit done by management to see if

00:08:15.060 --> 00:08:17.860
there was something that was done incorrectly or not in

00:08:17.860 --> 00:08:20.150
accordance with policies or procedures.

00:08:21.100 --> 00:08:21.950
Technically,

00:08:22.340 --> 00:08:26.550
we have systems like obviously logs that record everything that

00:08:26.550 --> 00:08:32.039
happened and an intrusion detection system that would then pick up any

00:08:32.039 --> 00:08:34.929
activity that seems suspicious on the system.

00:08:35.690 --> 00:08:36.510
Physically,

00:08:36.520 --> 00:08:40.240
a very good example of a detective control would be a smoke detector, which

00:08:40.539 --> 00:08:43.690
would detect where there is obviously some type of,

00:08:43.700 --> 00:08:45.460
should we say serious incident.

00:08:47.200 --> 00:08:48.800
When something goes wrong,

00:08:49.260 --> 00:08:52.850
we talked about this in incident management: we want

00:08:52.850 --> 00:08:56.590
to be able to contain the problem.

00:08:57.120 --> 00:09:00.500
That's where we put in place corrective controls,

00:09:00.730 --> 00:09:06.150
and this does not fix the problem, but at least it stops it from spreading.

00:09:06.660 --> 00:09:11.490
So a managerial corrective control could be sometimes that we will

00:09:11.490 --> 00:09:14.420
remove that employee from the workplace until we've done the

00:09:14.420 --> 00:09:18.520
investigation so they can't delete any, should we say,

00:09:18.530 --> 00:09:20.390
logs or activity they had.

00:09:21.620 --> 00:09:24.070
Technically, we isolate the system.

00:09:24.360 --> 00:09:27.350
Of course, physically, if the smoke detector goes off,

00:09:27.360 --> 00:09:29.390
it's really good to have a fire extinguisher.

00:09:30.060 --> 00:09:33.200
A fire extinguisher is a very good example of a corrective

00:09:33.200 --> 00:09:36.480
control in that it contains and stops the fire,

00:09:36.840 --> 00:09:39.660
but it certainly doesn't fix up the damage.

00:09:40.210 --> 00:09:42.860
We could also have something like a man trap,

00:09:42.950 --> 00:09:46.700
which means that if a person was trying to steal from a

00:09:46.700 --> 00:09:48.880
jewelry store and they go rushing out,

00:09:49.190 --> 00:09:52.750
they get stuck between the two different doors so that

00:09:52.750 --> 00:09:56.560
they are unable to exit from that area.

00:09:58.220 --> 00:10:00.360
When we talk about recovery controls,

00:10:00.360 --> 00:10:03.650
we're trying to get back to normal and fix things up.

00:10:03.740 --> 00:10:04.740
Managerially,

00:10:04.740 --> 00:10:08.180
we do things like awareness sessions so people know what to watch

00:10:08.180 --> 00:10:11.340
out for so it doesn't happen again; technically,

00:10:11.340 --> 00:10:16.330
we might have to rebuild that system from our backups, and physically,

00:10:16.330 --> 00:10:18.990
after a fire, of course, rebuild as well.

00:10:19.680 --> 00:10:23.350
These are just examples of some of the many types of controls we

00:10:23.350 --> 00:10:27.700
can use to help us to understand how we have all these different

00:10:27.700 --> 00:10:32.750
combinations that we can use to address risk in what we would say

00:10:32.750 --> 00:10:34.360
is an appropriate manner.

00:10:35.220 --> 00:10:38.180
So how do we know which controls to choose?

00:10:38.380 --> 00:10:42.290
Well, we quite often will look at what is available,

00:10:42.300 --> 00:10:45.130
what has been recommended, or in some cases,

00:10:45.130 --> 00:10:46.520
what has been mandated.

00:10:46.700 --> 00:10:50.950
We have some cases where it'll say you must deploy this type of a control.

00:10:52.580 --> 00:10:56.100
And there are some very good sources for this from NIST,

00:10:56.310 --> 00:11:00.700
a document known as Special Publication 800-53,

00:11:00.870 --> 00:11:04.800
hundreds of pages of recommended controls we should put in

00:11:04.800 --> 00:11:08.390
place depending on what our level of risk is.

00:11:09.560 --> 00:11:14.510
The payment card industry has the document known as the Data Security Standard,

00:11:14.840 --> 00:11:18.850
and it has a list of over 130 different controls that we

00:11:18.850 --> 00:11:21.600
should put in place if we're dealing with something

00:11:21.600 --> 00:11:24.560
sensitive such as a payment card, a credit card,

00:11:24.560 --> 00:11:25.380
or debit card.

00:11:27.270 --> 00:11:30.300
We also have to know what controls are even available,

00:11:30.350 --> 00:11:33.690
what tools and technologies are available,

00:11:33.700 --> 00:11:38.360
and certainly that are available within a reasonable timeframe.

00:11:38.540 --> 00:11:39.950
In a number of cases,

00:11:39.950 --> 00:11:45.580
the challenge I'm going to have is that there could be new controls coming,

00:11:45.580 --> 00:11:47.260
but they're not ready yet.

00:11:47.350 --> 00:11:52.580
We need controls that will be effective when this incident happens,

00:11:52.580 --> 00:11:54.820
not, you know, the problem with a log.

00:11:54.820 --> 00:11:57.250
A log tells us that something happened,

00:11:57.250 --> 00:11:59.540
but it might be that it happened a year ago.

00:12:00.300 --> 00:12:01.950
We want, in many cases,

00:12:01.950 --> 00:12:06.180
a control that can tell us as it's happening in near real time.

00:12:07.080 --> 00:12:08.260
Very often,

00:12:08.520 --> 00:12:13.530
we will look at putting in new controls, or it could well be we just need to

00:12:13.530 --> 00:12:18.360
enhance or should we say improve the controls we currently have.

00:12:19.720 --> 00:12:23.200
In many cases, we may require more than one control.

00:12:23.610 --> 00:12:28.790
We need a policy, and we need a firewall, and we need to put a lock on the door.

00:12:28.800 --> 00:12:32.620
All three of these might be necessary in order to be

00:12:32.620 --> 00:12:35.360
able to mitigate a significant risk.

00:12:36.920 --> 00:12:39.830
The other thing is, what does the control cost?

00:12:40.280 --> 00:12:41.180
As we know,

00:12:41.180 --> 00:12:45.270
the general rule is don't pay more to protect something than it's worth.

00:12:45.900 --> 00:12:50.500
So we have to look at what we often call cost-benefit analysis.

00:12:50.940 --> 00:12:54.750
What is the cost of this control as compared to the

00:12:54.750 --> 00:12:56.900
benefit that that control will provide?

00:12:57.510 --> 00:13:01.560
Now this is not easy because the cost of control is not

00:13:01.560 --> 00:13:05.140
just the purchase price of the control, but instead,

00:13:05.140 --> 00:13:10.140
we also have to look at what is the ongoing impact on productivity,

00:13:10.240 --> 00:13:12.090
maintenance of the control.

00:13:12.760 --> 00:13:13.690
For example,

00:13:13.690 --> 00:13:17.670
you put a password on a system, that didn't really cost much to

00:13:17.670 --> 00:13:20.370
check that little box that says require a password,

00:13:20.970 --> 00:13:24.730
but how many calls to the help desk is this going to result in?

00:13:25.280 --> 00:13:27.980
How much productivity is going to be impacted

00:13:27.980 --> 00:13:29.980
because people forgot their password?

00:13:30.210 --> 00:13:32.940
They came in on a Monday and it took an hour before

00:13:32.940 --> 00:13:34.100
they could get on the system.

00:13:34.830 --> 00:13:39.600
So the cost of the control should be considered from

00:13:39.600 --> 00:13:42.630
that larger perspective as well.

00:13:42.900 --> 00:13:45.330
But then, of course, we have to look at the benefit.

00:13:46.180 --> 00:13:49.760
Would that benefit justify that cost?

00:13:50.590 --> 00:13:55.980
Then we document the controls we have in place and where we've reduced a risk,

00:13:55.990 --> 00:14:02.090
we'll go back to our risk register that had all of our known risks and now note

00:14:02.220 --> 00:14:06.780
that this risk has been reduced through the use of a control.

00:14:08.730 --> 00:14:10.090
The key points review.

00:14:10.960 --> 00:14:13.000
Risk justifies controls.

00:14:13.530 --> 00:14:18.010
We can see here that controls are selected based on what

00:14:18.010 --> 00:14:23.110
is the risk appetite of management, what controls are even available,

00:14:23.450 --> 00:14:26.300
and cost-benefit analysis.
