WEBVTT

00:00.780 --> 00:06.720
If there was one piece of information, one bit of knowledge, that I could apply to you, that you could

00:06.720 --> 00:11.830
gain as a result of this course, it would be the idea of security controls.

00:11.880 --> 00:16.710
I mean, the whole world of security is wrapped around the idea of security control.

00:16.710 --> 00:18.540
So let me tell you what they are.

00:18.540 --> 00:25.020
A security control is a verb. It's an action. It's a mechanism that we apply to our I.T. infrastructure

00:25.020 --> 00:31.110
to do one of two things: either, one, it's going to protect our infrastructure from security problems, or,

00:31.110 --> 00:36.310
two, it's going to help remediate problems if we've already had a problem with our security.

00:36.450 --> 00:44.070
And that's really what separates an I.T. security person from a regular I.T. person. An I.T. security person

00:44.070 --> 00:51.210
may not be very good at, I don't know, configuring WPA2 encryption on a Cisco wireless access point,

00:51.240 --> 00:55.190
and may not be very good at setting up RADIUS authentication.

00:55.200 --> 01:02.460
But what an I.T. security guy can do is, they understand that applying encryption, applying authentication

01:02.460 --> 01:07.610
to a wireless network is a good idea, and they rate those things as security controls.

01:07.620 --> 01:14.970
So that's really what a security control is all about: we're trying to set up things to do to protect

01:14.970 --> 01:16.010
our infrastructure.

01:16.020 --> 01:21.750
Now, as you can imagine, there are trillions of these different types of security controls.

01:21.750 --> 01:27.840
I mean, you're setting up, like, firewalls, an easy example, but how about putting a fence around our building?

01:27.840 --> 01:28.970
That's a security control.

01:28.980 --> 01:34.110
How about teaching our employees to watch for social engineering attacks?

01:34.110 --> 01:36.200
That's a security control as well.

01:36.210 --> 01:44.640
So what really separates an I.T. security person from a regular technician isn't their ability to configure

01:44.640 --> 01:47.130
WPA2 or set up a firewall.

01:47.130 --> 01:52.890
What separates them is that an I.T. security person understands security controls, and they can

01:52.950 --> 01:54.840
apply security controls.

01:54.840 --> 02:00.720
They can monitor security controls, and they can adjust security controls based on the needs of the infrastructure.

02:00.870 --> 02:04.650
And that's what it's all about. Security controls are amazing.

02:04.650 --> 02:11.280
Now, there's zillions of these security controls, so what we do to make it a little bit easier is we break

02:11.370 --> 02:13.550
security controls into categories.

02:13.710 --> 02:17.060
Let's take a look at the different categories of security controls.

02:17.070 --> 02:22.050
The first type of security control is an administrative, or what you often hear the term, management

02:22.050 --> 02:22.880
control.

02:23.160 --> 02:27.720
These types of controls control actions people make towards I.T. security.

02:27.720 --> 02:32.100
This would include laws, policies, guidelines, best practices.

02:32.430 --> 02:35.300
I don't like to think about this in terms of what do people do.

02:35.310 --> 02:41.690
The second type is a technical control. This controls actions I.T. systems make towards I.T.

02:41.730 --> 02:47.970
So this is going to be computer stuff: firewalls, password, WINX authentication, encryption.

02:47.970 --> 02:54.060
Third is going to be physical. Physical controls control actions real-world actors make towards I.T.

02:54.060 --> 02:58.890
So this is going to be stuff like gates, guards, keys, mantraps.

02:59.100 --> 03:03.380
So it's great that we can break security controls into one of these three groups.

03:03.480 --> 03:08.370
However, we can take it a little bit further. When we're talking about security control, when we're talking

03:08.370 --> 03:14.740
about some threat actor doing something to us, we can kind of break things down a little bit.

03:14.790 --> 03:18.210
Can we create controls that just prevent them from even trying?

03:18.210 --> 03:22.710
Can we create controls that prevent them from being able to succeed in what they're doing?

03:22.740 --> 03:27.660
Can we create controls that recognize that they're doing something, to warn us about it?

03:27.720 --> 03:33.570
Can we create controls that allow us to compensate for it if the threat actors are successful?

03:33.570 --> 03:34.920
We absolutely can.

03:35.160 --> 03:38.730
And that's what I'm going to call the security control function.

03:38.730 --> 03:43.980
So let's march through those. The first type of control function I want to talk about is what I call

03:44.010 --> 03:45.490
a deterrent.

03:45.510 --> 03:48.960
This actually deters the actor from attempting the threat completely.

03:48.960 --> 03:51.470
I mean, it stops him from even trying.

03:51.480 --> 03:53.370
Second is preventative.

03:53.370 --> 03:56.510
This deters the actor from actually performing the threat.

03:56.520 --> 03:59.690
This stops them from doing whatever they're going to do.

04:00.610 --> 04:07.540
Third is detective. Detective recognizes the threat and may or may not do something about it, but it does

04:07.540 --> 04:08.430
recognize it.

04:09.630 --> 04:16.160
Fourth is corrective. A corrective function mitigates the impact of the manifested threat.

04:16.160 --> 04:19.700
In other words, we've had an incident. What are we going to do about it?

04:19.700 --> 04:26.700
Fifth, and he's the weird one, is compensating. A compensating function provides alternative or temporary fixes

04:26.970 --> 04:31.200
to any of the above functions when we can't do them the way we want.

04:31.200 --> 04:37.140
Now, the interesting thing about this is that we can almost make sort of like a grid, a table, where we

04:37.140 --> 04:41.310
can organize by physical, administrative, technical.

04:41.400 --> 04:46.140
And then we can look at the different types of functions and kind of put them together. If we do this,

04:46.350 --> 04:50.960
we can do a pretty good job of defining just about any type of security control.

04:51.030 --> 04:52.910
The best way to do it is to actually try it.

04:52.920 --> 04:58.800
So here's a little table where I have the different types of security controls across the top and the

04:58.800 --> 05:01.160
different functions coming down on the left.

05:01.170 --> 05:03.960
So let's put some examples in here and see how this works.

05:03.960 --> 05:06.720
First of all, let's start off with a background check.

05:06.990 --> 05:14.070
A background check is very much an administrative type of control, but, in my opinion, it's detective;

05:14.070 --> 05:15.720
we're looking for bad people.

05:15.810 --> 05:22.020
So in that particular case, this is an administrative detective control. How about employee training? With

05:22.020 --> 05:22.920
employee training,

05:22.920 --> 05:27.300
it's certainly administrative, but what we're doing is we're trying to prevent things from happening

05:27.300 --> 05:28.980
by making our employees smarter.

05:28.980 --> 05:32.000
So to me, that's an administrative preventive control.

05:32.010 --> 05:35.580
Third is a firewall, certainly a technical control.

05:35.730 --> 05:37.380
But what is it designed to do?

05:37.390 --> 05:41.010
Well, it's designed to stop people from coming into our network.

05:41.010 --> 05:43.490
So that would be a preventative control.

05:43.590 --> 05:47.210
A backup is definitely technical, but it's designed...

05:47.220 --> 05:51.060
We've had a data loss or something, so we need to get our data back.

05:51.090 --> 05:58.540
So that would be a corrective control. A warning sign sitting outside telling people not to come in would

05:58.540 --> 06:03.970
be a physical control, but it's designed to be a deterrent. It won't actually stop them from trying, but

06:04.030 --> 06:06.740
at least it will help motivate them to not do it.

06:06.790 --> 06:11.110
If you really want to stop them, though, how about a fence? A fence is a physical control.

06:11.110 --> 06:12.100
But it's preventative.

06:12.100 --> 06:14.380
It stops people from doing something.

06:14.380 --> 06:16.780
Now, these are pretty easy, but let's throw in one more.

06:16.780 --> 06:19.060
How about closed-circuit television?

06:19.060 --> 06:22.790
We've got a big camera sitting outside of our fence.

06:22.900 --> 06:25.660
Is this a detective or a deterrent?

06:25.660 --> 06:30.900
Now, it's certainly a physical control, but is it designed to detect people?

06:30.900 --> 06:34.480
It would certainly detect people. Or is it a deterrent?

06:34.530 --> 06:37.950
Does it stop people from doing naughty things?

06:37.950 --> 06:41.340
There's not always a perfect answer to every one of these.

06:41.340 --> 06:46.920
Even though the I.T. security industry is still a little bit fragmented on whether these are controls

06:46.920 --> 06:54.240
or functions or classifications or whatever, the actual words we use are always there for the exam.

06:54.240 --> 06:59.910
Be comfortable looking at particular scenarios and being able to determine what type of security control

06:59.940 --> 07:07.290
needs to be applied for that type of situation.

