WEBVTT

00:06.920 --> 00:09.200
Within the scope of control types exist

00:09.230 --> 00:10.130
control functions.

00:10.130 --> 00:14.720
These different control functions help us to delineate how to respond to different actions within our

00:14.720 --> 00:15.410
system.

00:15.410 --> 00:19.010
They're detective, responsive, corrective and preventive.

00:19.400 --> 00:24.500
Within preventive controls, these are really controls that we identify to prevent an action from occurring

00:24.500 --> 00:25.610
in the first place.

00:25.610 --> 00:30.590
This is often the best route we want to go where we don't really want the incident to occur at all.

00:30.590 --> 00:32.510
So we provide preventive controls.

00:32.510 --> 00:37.400
Preventive controls are controls that we utilize to prevent an action from occurring in the first place.

00:37.400 --> 00:41.150
This stops an incident from occurring so that we don't have to deal with it at all.

00:41.150 --> 00:42.560
And it's the best option.

00:42.560 --> 00:46.670
When it comes to cybersecurity, we have different preventive controls that we can utilize.

00:46.670 --> 00:48.500
For instance, access control lists.

00:48.530 --> 00:53.990
These are usually involved within firewall sets where we have block lists or blacklisting.

00:53.990 --> 01:01.010
We also have an allow list or whitelisting. Those different aspects of an access control list can prevent

01:01.030 --> 01:04.840
different types of communication within our enterprise environment.

01:04.870 --> 01:11.500
We could also use antivirus software to stop viruses from injecting themselves into our system through

01:11.500 --> 01:13.720
detection and then remediation efforts.

01:13.750 --> 01:16.780
Right afterwards, we want to use secure configurations.

01:16.780 --> 01:22.900
So we want to get rid of telnet, maybe get rid of FTP or those more insecure ports from operating at

01:22.900 --> 01:23.380
all.

01:23.380 --> 01:25.060
This would be secure configurations.

01:25.060 --> 01:28.750
We also want to ensure that we're not using default usernames and passwords.

01:28.750 --> 01:34.570
So unlike some telecommunication companies in the recent past, which allowed anybody

01:34.570 --> 01:39.610
to just log on to their system, we make sure that they don't have that readily accessible entryway

01:39.610 --> 01:41.290
into our enterprise environment.

01:41.290 --> 01:47.290
Security policies and patch management also allow us to ensure that employees aren't doing things that

01:47.290 --> 01:51.790
they shouldn't be, and that we're patching to the latest and greatest secure version of the software

01:51.790 --> 01:56.680
that we're utilizing, thereby preventing vulnerabilities, flaws, and misconfigurations within our

01:56.680 --> 01:57.250
systems.

01:57.250 --> 02:02.960
All of this is designed to prevent unauthorized access or prevent an incident from occurring.

02:03.440 --> 02:07.490
Detective controls are often utilized after an incident has already occurred.

02:07.520 --> 02:12.680
We utilize audit logs or surveillance cameras to capture things that have happened in the past that

02:12.680 --> 02:15.110
allow people to gain access into our systems.

02:15.140 --> 02:17.060
This is done after the fact.

02:17.090 --> 02:23.000
Don't confuse a detective control with a measure in which we're trying to detect things as

02:23.000 --> 02:23.870
they're ongoing.

02:23.870 --> 02:26.420
That's not the process of detective control.

02:26.540 --> 02:32.900
Detective control is utilized after the incident has occurred, or after the precursor to an incident

02:32.900 --> 02:33.830
has occurred.

02:33.980 --> 02:38.000
This is where students often get the two mixed up, but it's done after the fact.

02:38.030 --> 02:43.790
Audit logs, surveillance cameras, motion sensors, or physical intrusion detection devices are used

02:43.790 --> 02:48.560
after an incident has already occurred, and we want to find out how the incident took place.

02:48.560 --> 02:50.960
What door did they go through?

02:50.990 --> 02:52.250
What action did they take?

02:52.280 --> 02:54.710
Was there a specific vulnerability that they exploited?

02:54.710 --> 02:56.120
Maybe a specific port?

02:56.150 --> 02:59.390
These are all detective controls to find out when the incident occurs.

02:59.390 --> 03:05.930
How did they utilize technology or practices to get into our system for unauthorized access?

03:06.470 --> 03:11.660
Our responsive control is in direct relation to an incident having occurred, and it's a permanent

03:11.660 --> 03:15.350
fix to that response or to that incident, I should say.

03:15.380 --> 03:20.360
So, for instance, if I've got a door that doesn't lock necessarily on the first time, I may provide

03:20.360 --> 03:26.000
a responsive control by replacing the lock or installing a lock that automatically locks the door upon

03:26.000 --> 03:26.690
it closing.

03:26.690 --> 03:33.410
I may provide a spring or a mechanical function to that door to automatically close it and lock it to

03:33.440 --> 03:35.720
where you have to badge into the system after the fact.

03:35.750 --> 03:41.300
Remember, responsive control is a control that we utilize to provide a permanent fix or to fix a vulnerability

03:41.300 --> 03:42.290
within the system.

03:42.290 --> 03:48.110
We're doing system restoration to bring that system back to its original working state as a responsive

03:48.110 --> 03:48.770
control.

03:48.800 --> 03:53.870
Maybe I have a business continuity plan or a disaster recovery plan in action to provide corrective

03:53.870 --> 03:54.650
actions.

03:54.650 --> 04:01.220
If a vulnerability is exploited, I may utilize such things as an antivirus program or an intrusion

04:01.260 --> 04:07.500
prevention system to correct the fact that an incident has occurred and provide updates to those systems

04:07.500 --> 04:13.350
to make sure that if that virus or if that incident occurs again, we identify it and quickly remediate

04:13.350 --> 04:13.650
it.

04:13.680 --> 04:21.780
In point of context to the actual event occurring for the first time, a corrective control is an immediate

04:21.810 --> 04:24.570
knee-jerk reaction to the incident occurring.

04:24.600 --> 04:31.110
This is usually a temporary fix, or a system shutdown, or some type of temporary policy that we utilize

04:31.110 --> 04:36.600
to fix the issue in its entirety, but it's not designed as a permanent fix.

04:36.600 --> 04:41.610
For instance, when I was with a different company, we had an issue where people were leaving their

04:41.610 --> 04:44.070
trucks unlocked and equipment was getting stolen.

04:44.070 --> 04:49.380
And so a temporary policy was that you had to drop your truck back off at a yard, and then take your

04:49.380 --> 04:52.650
personal vehicle back home on a nightly basis.

04:52.650 --> 04:57.690
They utilized this corrective control or this temporary policy to get it across to their employees

04:57.690 --> 05:04.750
to stop leaving your trucks unlocked, as kind of a hand-slap policy to say, hey, we don't have to

05:04.750 --> 05:06.610
allow you to take your trucks home every night.

05:06.610 --> 05:11.110
And if you continue to be stupid and not lock your trucks at night to allow people to take advantage

05:11.110 --> 05:15.580
of that, we're going to make you drop your trucks off at the yard every single night, which makes

05:15.580 --> 05:17.620
it more difficult for you as the employee.

05:17.620 --> 05:19.330
That's a knee-jerk reaction.

05:19.330 --> 05:26.140
To fix a problem, a temporary data backup may be more facilitated for a technology control where we've

05:26.140 --> 05:30.370
got an issue and we're starting to see signs of an incident occurring.

05:30.370 --> 05:37.750
And as a very quick temporary solution, we're going to back up all those data files temporarily on

05:37.750 --> 05:43.450
a device so that if the incident does occur and wipes all of our drives, we have immediate access

05:43.450 --> 05:45.520
to up to date backup information.

05:45.520 --> 05:47.800
This could be temporary network restrictions.

05:47.800 --> 05:50.980
It could be a temporary shutdown where we're shutting down systems.

05:51.190 --> 05:56.200
If an incident is occurring and trying to attack those systems, it's just an immediate response that

05:56.200 --> 06:01.300
is temporary in nature to provide a corrective control, to stop something from happening very, very

06:01.300 --> 06:02.110
quickly.
