Understanding Security Controls 1

Summary

Security controls are integral to detecting, preventing, responding to, and mitigating damage from cyber-attacks. They aim to reduce the attack surface by identifying compromised devices, hardening configurations, and disrupting the control of malicious code. The effectiveness of a cyber defense system hinges on five key concepts: offense informs defense, prioritization, metrics, continuous diagnostics and mitigation, and automation.

Core Content

Security controls are not just about preventing the initial compromise; they also address devices that are already compromised and the follow-on attacks launched from them. They reduce the attack surface by identifying compromised devices, hardening configurations, and disrupting the command and control of malicious code.

Five key concepts underpin an effective cyber defense system: offense informs defense, prioritization, metrics, continuous diagnostics and mitigation, and automation. Each is expanded below.

Security controls are categorized into three classes: operational controls (actions taken by people), management controls (policies and processes), and technical controls (driven by hardware and software).

These safeguards are further classified by type: detective controls (identify threats already in the environment), corrective controls (reduce the impact of a threat that has materialized), and preventive controls (stop threats from reaching the environment in the first place).

Security controls are meant to detect, prevent, respond to, and mitigate damage from both common and advanced attacks.  They are not just about preventing the initial compromise; they also address devices that are already compromised and the follow-on attacks that start from them.  Security controls are designed to reduce what is known as the [attack surface](https://en.wikipedia.org/wiki/Attack_surface): the set of points where an attacker can enter or extract data.  This is done by identifying compromised devices, hardening configurations, disrupting the command and control of malicious code, and so on.

There are five important concepts behind an effective cyber defense system:

Offense informs defense.  Use what is already known about attacks that have compromised real systems to learn which defenses work and which do not.  This is the most reliable way to build effective and practical defense measures.

Prioritization.  Cybersecurity is expensive, so include only controls that can be shown to stop real attacks, not controls that are theoretical or unproven.  Invest first in the controls that provide the greatest risk reduction and can most feasibly be implemented in your environment; that is where you get the biggest bang for your buck.

Metrics.  A shared language among all stakeholders is essential to sustaining a continuous cyber defense effort.  We must be able to measure the effectiveness of security controls, and common metrics and terminology give cabinet members, the risk management team, and IT professionals a way to engage one another informatively when adjustments need to be decided on and implemented.

Continuous diagnostics and mitigation.  Security controls must be continuously tested and validated through diagnostic measures so that gaps are found and improvements are put in place as needed, rather than assessed once and assumed to keep working.

Automation.  Continuous testing, validation, and mitigation are best done by automated systems; manual checks do not scale and are not repeated reliably.

There are three classes of security controls: operational controls, management controls, and technical controls.  Operational controls are about actions taken by people (e.g. training for end users, the configuration of a network segment by an engineer, what an incident response team does, etc.).  Management controls are about policies.  They include the development of regulations as well as the processes that keep your district in compliance with the law.  Technical controls are the ones most people associate with the IT department: antivirus software, firewalls, authentication protocols, IPS/IDS, etc.  These are controls driven by hardware and software.

Further, these safeguards come in different types, usually referred to as detective controls, corrective controls, and preventive controls.  Detective controls are straightforward: they identify threats that are already in your environment.  For example, an IDS is a detective control; it raises an alert but does not by itself stop the activity it sees.  Corrective controls are those that reduce the impact of a threat that has materialized.  For example, if a workstation is hit by malware, wiping and reinstalling the OS on that workstation is a corrective control.  Finally, preventive controls are those that stop the bad stuff from getting into your environment in the first place.  Your firewall is a preventive control: it can actively block attacks before they reach a host.  Note that the same product can belong to more than one type; an IPS that both alerts and blocks is acting as a detective and a preventive control at once.
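The difference between a preventive and a detective control is easiest to see in code. The following is an added example written for this note, not code from the original page or from any named product: a minimal firewall-style packet filter (preventive, decides before traffic reaches the host) beside a brute-force login detector that reads sshd-style log lines (detective, observes events after they happened). The rule set, the IP ranges, and the log lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Preventive control: a stateless packet filter (constructed policy) ---
# Rules are evaluated first-match; anything not matched is denied by default.
# Assumption: the 10.0.0.0/8 internal range and the ports are illustrative only.
FIREWALL_RULES = [
    ("allow", ipaddress.ip_network("10.0.0.0/8"), 22),   # internal SSH only
    ("allow", ipaddress.ip_network("0.0.0.0/0"), 443),   # public HTTPS
    ("deny",  ipaddress.ip_network("0.0.0.0/0"), None),  # default deny
]

def firewall_decision(src_ip, dst_port):
    """Return 'allow' or 'deny' for a connection attempt.

    This decision is made before the traffic reaches the host, which is what
    makes it preventive: a denied packet never produces host-side activity.
    """
    src = ipaddress.ip_address(src_ip)
    for action, network, port in FIREWALL_RULES:
        if src in network and (port is None or port == dst_port):
            return action
    return "deny"  # unreachable with the default-deny rule; kept as a safety net

# --- Detective control: brute-force login detection over auth log lines ---
# Constructed sample lines in sshd/syslog style; not taken from a real system.
SAMPLE_AUTH_LOG = """\
Mar 10 09:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 10 09:00:03 host sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Mar 10 09:00:05 host sshd[1203]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar 10 09:00:07 host sshd[1204]: Failed password for root from 198.51.100.7 port 51025 ssh2
Mar 10 09:00:09 host sshd[1205]: Failed password for root from 198.51.100.7 port 51026 ssh2
Mar 10 09:00:11 host sshd[1206]: Accepted password for root from 198.51.100.7 port 51027 ssh2
Mar 10 09:15:00 host sshd[1300]: Failed password for alice from 10.1.2.3 port 40000 ssh2
Mar 10 09:45:00 host sshd[1301]: Accepted publickey for alice from 10.1.2.3 port 40001 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1), year=2024):
    """Flag source IPs with >= threshold failed logins inside a sliding window.

    Also report whether a successful login followed the burst; that turns a
    noisy alert into an incident that needs a corrective control (credential
    reset, host rebuild). The control is detective: it only sees events that
    have already happened. `year` is needed because syslog lines omit it.
    """
    failures = defaultdict(list)   # ip -> timestamps of failed logins
    successes = defaultdict(list)  # ip -> timestamps of accepted logins
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated log line, skip
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        (failures if m["result"] == "Failed" else successes)[m["ip"]].append(ts)

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                followed = any(s >= t for s in successes.get(ip, []))
                alerts[ip] = {"failures": end - start + 1,
                              "success_after_burst": followed}
                break
    return alerts

if __name__ == "__main__":
    print(firewall_decision("198.51.100.7", 22))  # deny: never reaches sshd
    print(firewall_decision("10.1.2.3", 22))      # allow
    print(detect_bruteforce(SAMPLE_AUTH_LOG))
```

Run as a script, the filter denies the external host's SSH attempt outright, so in an environment with that preventive control in place the log lines from 198.51.100.7 would never exist. Without it, the detector flags the five failures followed by a success, which is the point at which a corrective control (reset the root credential, rebuild the host) has to take over; an alert alone reduces nothing.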

Connections

Related Notes:
Understanding Cybersecurity
Importance of Cyber Defense Systems
References:
Attack Surface - Wikipedia

Reflection

Understanding security controls is crucial because they form an integral part of any cybersecurity strategy. A robust set of security controls not only prevents attacks but also limits the damage when a system is compromised. This knowledge is essential in today's digital age, where cyber threats are a constant concern.