Identify Types and Categories of Security Controls

0:00Hello and welcome. My name is Keith Barker and I'd like you to imagine that you

0:05and I are going

0:05into business together and we are both going to invest quite a bit of time and

0:10effort and money

0:11into a new business. Now as part of that new business we want to do everything

0:15within our power

0:16to make sure it is successful and that's the reason why also we're likely to

0:20implement

0:21a various amount of controls or in place to help influence the outcome. And

0:25besides having

0:26controls in place for different purposes we also have different categories of

0:29controls as well.

0:30So in this set of videos I'd like to discuss with you both the categories and

0:34types of controls

0:35when we would use them and why we would use them and also provide some examples

0:39of those

0:39controls in use. And again the purpose of a control is to influence the outcome

0:44to prevent

0:44something bad from happening or to help ensure that what we want to happen does

0:48happen and that's

0:48why we're going to implement control. So join me in the next video and let's

0:52take a big picture

0:52look at both categories and types of controls.

0:00So let's begin here in this column and this column, let's call it and list

0:04various categories of security controls.

0:07And one of the categories of controls would be a control that's implemented by

0:11a system.

0:12And one example of a security control category that's implemented by a system

0:16would be, for example, a firewall,

0:18whether that's a firewall that's running in software, on a computer, or whether

0:22it's a firewall as a dedicated appliance on a network.

0:25That would be a type of security control that's implemented via some kind of a

0:29technical system,

0:30and that's referred to as a technical control.

0:33Another category for a security control would be, for example, a policy or

0:37procedure that we're supposed to go ahead and follow.

0:40And for a security control that's implemented via a policy or procedure,

0:44and the difference between a policy and a procedure would be a policy would be

0:47a high level,

0:48guidelines of what should be done, and a procedure would be more of the detail

0:52step-by-step methods of how to implement that policy.

0:55And that type of a policy or procedure as far as a security control is referred

0:59to as a managerial control.

1:02So an example of a managerial control would be a standard operating procedure

1:06with step-by-step instructions regarding some aspect of security.

1:10And most of the time, the high level policies are being implemented and set up

1:14based on the senior officers of the company.

1:16Because at the end of the day, it's their responsibility from a security

1:19perspective to make sure they have the policies in place to keep the assets

1:23and the human resources and the intellectual property and the other assets of

1:28the company secure.

1:29So let's imagine that we have some policies and procedures in our organization,

1:33and then when it comes time to actually carry out those policies and procedures

1:36,

1:36oftentimes that's being done by a human or by a set of humans.

1:40And when people carry out those instructions and follow those procedures, that

1:44by itself can be categorized in a separate category called operational.

1:48And those will be operational controls.

1:50So here I'll put via, I'll go ahead and put via humans carrying out our day-to-

1:55day operations.

1:56And here's an example of that.

1:57Let's say that at our company, there's a policy that every single employee has

2:02to go through security awareness training every single year,

2:06maybe take some tests to validate they understand what the security risks are

2:10and what to do in the case of a security breach.

2:13So that'd be all part of the policy.

2:14And then the operational controls would be the implementation of that security

2:19awareness program where the actual humans actually take that course and take

2:23the associated tests and then implement and follow those security guidelines.

2:27So again, the managerial is all about policy and procedures and the operational

2:31is about humans carrying out those processes.

2:33And the final category I'd like to chat with you about here regarding security

2:37controls is the category of physical controls.

2:40So an example of a physical control would be something like a lock or if we

2:44have a parking lot, for example, maybe we have a physical guard that's at that

2:48entrance to the parking area,

2:50or maybe we have a physical gate that physically is keeping out people and cars

2:54unless they can badge in.

2:56So those are the full in the category of physical security controls.

3:00So now that we've taken a look at four broad categories regarding security

3:03controls,

3:04next, let's take a closer look at some types of controls and why we're going to

3:08implement them.

3:09So going over this way across the top from left to right, let's go ahead and

3:13make a list of types of controls.

3:16And regarding the types of controls, let's go ahead and talk about some time

3:20frames.

3:21And for this first section here, I'm going to go ahead and label it as before.

3:25So for those types in this column here, let's go ahead and jot down deterrent.

3:29So in this column, we can go ahead and list some types of deterrent security

3:32controls.

3:33And then in this column, let's go ahead and list some preventive security

3:37controls.

3:38And if we compared and contrast these two together, preventive is going to do a

3:42better job of preventing the activity

3:44or the action from happening where a deterrent is simply taking a step in that

3:47direction.

3:48And to compare and contrast these, a deterrent would be something like a

3:51warning sign, for example,

3:53that says, hey, you know, only authorized individuals or a banner message or

3:57something similar to that.

3:59But by itself, that type of security control isn't going to prevent, for

4:03example, somebody from entering.

4:05If that's the only type of security control we have is a sign that says, hey,

4:09you're not allowed to commit.

4:10And an example of a preventive control would be something like a lock to get

4:14into a physical facility

4:15or a login that's required to log into a system.

4:19And both of these types of controls deterrent and preventive, their goal is to

4:24help stop or block some negative event from happening.

4:28Whether it's an unauthorized individual trained to enter a facility or an

4:31unauthorized individual trained to log in

4:34or an individual trying to attempt fraud, etc.

4:36And again, those types of security controls are only be effective if they're

4:39implemented before the attempted breach or security compromise takes place.

4:44Now, what happens if we have some controls in place and something negative

4:48happens?

4:49There's a security breach or an incident.

4:51We also have types of controls that we would then deploy after the fact and a

4:56label this as after meaning

4:58after the security event or the security breach.

5:00One of the types of controls that we definitely want to take a look at after we

5:04have an event is a detective control.

5:06Because if we don't have detective controls in place, we might never be aware

5:11that some incident or some negative thing ever happened.

5:14So examples of detective controls would be things such as log files that are

5:18being collected that we can then go back and look at

5:21or motion sensors in a building or an area that go off in the event that there

5:26's individuals there that shouldn't be.

5:28And again, the purpose here would be to identify that some event has happened,

5:31whether it's looking through log files again or having alarms go off

5:35to let us know that some event has taken place.

5:37So another way of looking at these for the categories would be how they are

5:41implemented.

5:42That could be a way of looking at the general categories and for the types of

5:45categories, we could also consider that to be part of the why.

5:49Why we're implementing the controls, whether it's deterrent or preventive or

5:52detective.

5:53And another type of control that we would use after the fact in addition to a

5:57detective control would be a corrective control.

6:00And an example of a corrective control would be, let's say we have an alarm

6:04that goes off regarding a fire somewhere in the building.

6:07A corrective control might be the fire extinguishing system, whether it's in

6:11the data center or some other area of the building, to go ahead and correct the

6:15problem.

6:16Or if there was data on a disk or storage somewhere that failed, a corrective

6:19security control would be the ability to restore, for example, from a backup as

6:23a corrective action.

6:25Now, what are the challenges in the world of security is that sometimes there's

6:29new threats or new situations that arise.

6:31And we don't always have all the perfect controls in place to address every

6:35single possible issue that comes up.

6:38For example, if there's a new vulnerability on our operating system or on an

6:42application that we're using, maybe the vendor hasn't come out with a new

6:45system.

6:45The vendor hasn't come out with a patch or an update yet.

6:48So we also have another type of control that we may need to implement, and that

6:52is a compensating control.

6:54And oftentimes, a compensating control is likely to be just a temporary action

6:58or a temporary configuration until a full solution can be implemented.

7:03So here's an example.

7:04Let's imagine that we just learned about a new vulnerability against our

7:08operating system and we'll call our operating system XYZ.

7:12So that's the name of our operating system. There's a new vulnerability and the

7:16vendor who wrote the XYZ software doesn't have a patch yet.

7:19However, by taking a look at the details for the vulnerability that compromises

7:22the system, perhaps we know, oh, it's using these three or four different

7:27protocols on the network.

7:28Or it's leveraging these two or three ports.

7:31What we might do is on our network or on the system itself, we might implement

7:35some temporary rules, like firewall rules, that are preventing that type of

7:38traffic.

7:39And that way we're preventing the system from being compromised until the

7:43vendor can implement a full patch.

7:45So the temporary rules that we set up would be an example of compensating

7:49security controls.

7:51That would be the Y or the type of that security control in this example.

7:55So let me clean that up just a little bit and let's talk about one other

7:58security control type.

8:00And that's a security control type known as a directive security control type.

8:05And an example of a directive security control would be, for example,

8:08instructions that a user should follow.

8:11For example, maybe one of the directives is every time you are on your computer

8:16and you're not at the physical location, make sure you launch a VPN.

8:20So that's the example of a directive type of security control.

8:23Another example of a directive security control would be the instruction for a

8:27user that every single time they leave their computer, they need to lock their

8:31screen.

8:32And that way if they run to the bathroom or go to lunch or wherever, if they

8:35leave their computer that prevents someone else from walking up to that

8:39computer and just starting to use it without having to log in themselves.

8:43So again, if that was just given as instructions, that'd be an example of a

8:47directive type of security control.

8:49So for this column here for directive type of security controls, I'm going to

8:52go ahead and I'm going to put the word ask, meaning we're kind of asking our

8:57users in the case of directive controls.

8:59We're asking them to behave a specific way.

9:01And here's the great news as we go through this skill together, we're going to

9:05go ahead and complete this table by taking a look at specific examples of

9:09categories and control types and walking through some examples of each.

9:13[BLANK_AUDIO]

0:00So now that we've taken a look at some of the options regarding how we would

0:03implement a control

0:04with the various categories and also why we would implement various controls,

0:09which represent the

0:10types of controls. Let's go ahead and take a look at a few of these. So let's

0:14start off with some

0:14technical controls. And we'll go ahead and do examples of each of the types

0:19using this row

0:21right here. Again, a technical control would be a control that's being

0:24implemented via some

0:26type of system, like a technical system. So let's start off with a deterrent.

0:30What would be a

0:32technical control that acts as a deterrent? How about a warning message that is

0:37presented to anybody

0:39who's trying to connect to or log into a system? And an example of a warning

0:43message, like a banner

0:44message, when somebody is logging in would be something like only authorized

0:48individuals. And

0:49possibly as a deterrent, a threat of a fine or prosecution, if somebody is

0:54attempting to go

0:55ahead and log in, if they're not an authorized user. And this type of security

0:59control as a

1:00deterrent, acting as a technical control can be implemented in multiple places.

1:04It could be users

1:05logging onto their computer, it could be system administrators or auditors, etc

1:10, logging onto a

1:11system. So as an example of a security control that is a technical control

1:15being implemented as a

1:16deterrent, let's go ahead and walk through a quick example of setting up a

1:20simple banner message.

1:22So at the moment, I currently have a virtualized environment up and running

1:26with VMware vSphere.

1:28And so if we click log in, so now that I'm logged in, let me go ahead and go to

1:31the hamburger menu

1:32up here on the top left. And again, it doesn't really matter specifically what

1:36type of system

1:36we're working with. The concept we're focusing on is the types and categories

1:41of controls. So

1:42here in this vSphere client from VMware, if we go down to administration right

1:46here, and then the

1:47left, if we go in a single sign on to configuration right there. So here we go

1:52to login message,

1:53and then here with login message selected, we'll click on edit. I'm going to

1:56specify, I want to

1:56show the login message as but terms here as an example. So I agree to terms, we

2:01can also force

2:02on this platform, the user to go ahead and check that box saying that they

2:06agree. And I'll put

2:07details there for the details of the login message, we'll click on save. And

2:10then of course, we'll go

2:11ahead and test it out. So I'm going to go ahead and log out. And now for the

2:14login. And now before

2:15user is even allowed to attempt to log in, they need to go ahead and agree to

2:19the terms. I actually

2:20put that in the login message, then click on terms and that shows the contents

2:23there. I just put

2:24details as an example. And then once they've specified that, then they can

2:28proceed to go ahead

2:29and put a username and password in and login or attempt to log in. So the

2:33actual message here for

2:34the banner or login message would be in the category of a technical control

2:38because it's being

2:38implemented by a system. And it could also be classified as a type deterrent

2:42because we could

2:43specify that prosecution is going to happen if unauthorized individuals attempt

2:48to log in here and

2:49so forth. So that could act as a deterrent. Now on the other hand, the other

2:53component that's also

2:54right here on this login page is requiring a username and a password. And that

2:59would be an

2:59example of a preventive technical control because we're preventing access to

3:05log in to the system

3:06unless something knows what a valid username and password is. So again, just

3:11right here, we have

3:12two examples of technical controls. One is a deterrent. If we have a banner

3:16message or splash

3:17screen, and we also have a required login with the intention to prevent

3:22unauthorized individuals

3:23from logging on. So for the preventive, we're going to require a username and a

3:28password. Also,

3:29a lot of times we'll want to use something called multi factor or two factor

3:32authentication. And

3:33that's an example of when a user wants to log in, and they need to know

3:36something like a password

3:38for their username, and they also have to have something else like a physical

3:42key pop they would

3:43plug into the computer or a card that is a certificate on it, or some other

3:47option like a one time

3:48password generator, which generates a code, for example, of six characters,

3:52which they also have

3:53to put in. And the benefit of having two factor or multi factor authentication

3:57is that if a user's

3:58password is compromised, because we're requiring at least two different

4:03components for a person to

4:04log in, if the attacker only has the password, they won't have access to the

4:08second piece of the

4:10authentication. And as a result, we can help prevent the unauthorized

4:13individuals from logging in.

4:15Another example of a preventive control would be some type of a firewall rule.

4:19Now, firewalls

4:20can operate in software on an individual computer. They can also be implemented

4:25on a network that's

4:26preventing certain types of traffic to go through that network. So let me walk

4:29you through an example

4:30of using a firewall rule as a preventive technical control, again, preventing

4:36certain types of

4:37activities or in the case of a firewall, certain network traffic from going

4:40through the network.

4:41So as an example of setting up a preventive technical control in the form of a

4:46firewall

4:46rule, let's use this network topology right here. I just so happen to have this

4:50topology running

4:51behind me. So let's use that as an example. I've got a little Linux computer

4:56here on the same

4:56network segment as a little tiny web and FTP server. Now FTP is one of those

5:02protocols that by itself

5:04is not secure because it sends data in plain text. So if we had FTP services

5:09that we're running,

5:11that by itself is a security risk. So we might want to set up a firewall rule

5:15that says, you know what,

5:16the network should not allow any FTP traffic to go across. And that way, we're

5:20preventing any

5:21access using FTP to a system. Now also, ideally, it'd be great if we disabled

5:27FTP altogether,

5:29so that we didn't have that as a vulnerability. But in the meantime, we can

5:32implement a technical

5:33control in the networking the form of a firewall rule to prevent that access.

5:36So let me bring

5:37these two little VMs in. So here is a little web server, let me make sure that

5:41FTP services

5:42are running, and they aren't. So I'll go ahead and enable it. So now FTP

5:46services are running,

5:47and let me bring in the client. So this little machine here represents this

5:52little FTP server

5:53right here in our topology. Next, let me bring in this Linux computer. So here

5:58is my little

5:59Linux computer, and let me bring back in the FTP server. So there it is. And

6:03let me just do a quick

6:04verification to make sure this client here on the left can access this server

6:08on the right. So one

6:09way of quickly checking that is to go to a command prompt, and we'll type in

6:13FTP, and it will say

6:14open, and the address over here is 10 10 0 51. So go to that IP address of 10

6:19dot 10 dot 0

6:20dot 51 press center. And it is asking me to authenticate that implies that FTP

6:26and the protocols

6:28involved with FTP are allowed over the network. So they go ahead and do a

6:32control C, and I'll

6:34type in by and now let me go ahead and walk through implementing a technical

6:37control in the form of

6:38a firewall rule that's preventing FTP specifically. So the platform I'm using

6:44here is a little product

6:45from VMware called NSX, which is one of its properties can allow us to go ahead

6:50and set up

6:50firewall rules. So if we go to security tab here, and go down here to

6:54distribute firewall,

6:55we can go ahead and create a rule that says, you know what, we want to block or

6:59deny or reset any

7:00traffic. If it appears to be FTP traffic. So to do that, I'm going to go ahead

7:04and add a rule

7:05right here near the top, I'll say add rule. And for that rule, let's call it no

7:10FTP. So we'll type

7:11in no FTP. And then for the source and destination, I'll leave that wide open

7:15so it doesn't really

7:16matter what source or destination address is involved. But for the service, I

7:20want to go and

7:20click on the pencil here, and specifically match on FTP traffic. So I'm going

7:25to type in FTP,

7:27and do a little filtering here. And this will do it right there. So this is any

7:31traffic that's

7:32trying to go to the destination port of 21, which is the well known port for

7:36FTP, that's going to

7:37cause this to match. So I'll click on apply there. And then furthermore,

7:40instead of allowing that

7:41traffic, I want to go ahead and reject that traffic effectively telling the

7:45client that's

7:46trying to do the FTP connection. Sorry, I'm killing the traffic thereby

7:50preventing that

7:51traffic from being allowed on the network. So with that rejected place and the

7:54rule enabled,

7:55I'll click right here on publish, which activates the rule. So that is rule 50

8:0096 right there. So if

8:02we bring back our client server, now that we have that firewall rule in place,

8:05we can go ahead and

8:06do FTP again, we can say open to the same address of 10 dot 10 dot 51. But this

8:12time,

8:12instead of it asking for us to log in, it's now showing connection refused. And

8:16that's because

8:17the firewall rule as a technical control is preventing that traffic from

8:21flowing over the

8:22network. So if we type in by here, and then we typed in ping, just to test

8:26connectivity over to

8:2710 dot 10 dot 0 dot 51, because the firewall rule is not blocking that traffic,

8:32that's still being

8:33allowed that way we can still allow the traffic we need to have on our network.

8:36And at the same time,

8:37denying traffic with a technical control to prevent the traffic we don't want

8:41to allow on our network.

8:42So I'll do a control C there. And let me minimize this. So again, that's an

8:46example of a technical

8:48preventive control. And just to confirm that that is really the rule that's

8:52denying that traffic,

8:53depending on the platform, they usually have tools involved that allow you to

8:57test traffic

8:57going through the network as well. And this is an example of one of those. So

9:01if we said I want to

9:02test FTP traffic, so we'll say TCP, which is the layer four protocol, going

9:07from some high

9:07numbered port like 6783, going to the well known port of 21, which should match

9:13on our FTP. And for

9:14the source VM, we'll go ahead and say that source VM is our Linux computer. And

9:20there's

9:20its IP address. And the destination virtual machine is our tiny web and FTP

9:24server. And its IP

9:26address is right there. And we'll click on trace. And this should confirm for

9:29us that this technical

9:30preventive control that we just put in the firewall rule is the reason that

9:34traffic is being denied.

9:36So there we have a red indicator that the traffic is being denied. And here in

9:39the play by play,

9:40it's also indicating that it was dropped. The traffic was dropped based on rule

9:445096,

9:45which if we go back to security and go down to our district of firewall, is the

9:49rule that we just

9:50put in place right there. And as we continue our discussion of technical

9:54controls,

9:54let's go ahead and do some examples here of detective and corrective. So

9:59detective would be

10:00things like log collection as a technical control. And for a corrective control

10:05, we may have backups

10:07that we can restore from. So an example of technical control would be restoring

10:10from a backup. So if

10:11we had a ransomware attack and we lost some data, we want to make sure that we

10:15can get back to a

10:16point where we can start doing business again. So the restore from that backup

10:20would be a

10:20corrective control in that situation. And then for the category of compensating

10:25control,

10:26again, that would be temporary in nature, where we have some vulnerability or

10:29some new thing is

10:30brought to our attention. And as a result, we put some countermeasure in place

10:35to compensate

10:36for that vulnerability. So in that sense, as far as a technical control,

10:39compensating control,

10:40once again, could be a firewall rule that is temporarily blocking or preventing

10:46certain types of traffic

10:47to help prevent a known vulnerability from being exploited by an attacker. So

10:52put new vulnerability

10:53and to compensate for that until the vendor can get a patch out for it, we

10:56could block the network

10:57traffic associated with that. Or another example of a compensating technical

11:02control would be

11:03disabling a service. So if there's some service that's not critical for our

11:06business that needs to

11:07be running, perhaps we disable that service on the system until there's a patch

11:12deployed,

11:13where we can then enable that service without the vulnerability. So put a

11:16little or there as well.

11:17And then in the column of directive regarding technical controls, that would be

11:21instructions

11:22of what we should do. For example, please use a VPN or please lock your screens

11:29. However,

11:30it's going to involve somebody following those instructions using those

11:33technical controls

11:34to make it happen. So now that we've taken a look at the category of a

11:38technical control

11:39with several types and examples of those types in the next video, let's move

11:43our attention down

11:44to the category of managerial controls.

0:00As we continue our discussion regarding the categories or how controls are

0:04implemented and also various types of controls, which pretty much boils down to

0:07why we have those controls in the first place.

0:09For example, deterring or preventing or detecting or correcting.

0:13Next, let's move our attention down to those types, but in the category of

0:17managerial control.

0:19So across the board, the main thing here is policies and procedures.

0:24So with that in mind, let's take a look at some of the types of policies and

0:28procedures that we would have or have set up at our company that fall into

0:33these various types.

0:34So as far as a deterrent, we may have a policy regarding the consequences of

0:39one's actions.

0:40An example would be a policy that says, "Hey, if you are not in compliance with

0:45the rules, such as using a VPN or locking your console or being careful with

0:50sensitive information,

0:52the consequences could be that you are going to be fired."

0:55And that type of policy could act as a deterrent for employees to have them

0:58think twice about taking an action that might compromise the company.

1:02And for the preventive column here, we may have a policy regarding onboarding.

1:07And that could be onboarding, for example, systems.

1:09For example, before you bring on your own device to the network, it has to meet

1:13a certain list of requirements and that we're enforcing those or if we're

1:17bringing on a new individual to the company or part of a team.

1:21Maybe part of the HR policy is to do a background check and to check referrals.

1:26And the objective of doing that would be preventive in nature.

1:29Trench prevent, for example, a known felon or somebody who has a history of not

1:33being careful with security from bringing them onboard.

1:36Regarding a detective type of control from a managerial perspective, maybe we

1:41have a policy about how often we should review our log files.

1:45So perhaps our policy involves not only the collecting of logs, which be a

1:49technical control, but also a policy about going through those log files

1:54looking for things that are out of the ordinary.

1:56Now, because log files are huge, we'd also very likely, as part of that policy,

2:00be using some technical tools to sort through and sift through that.

2:03But again, if we have a policy or procedure that specifies that we need to have

2:07log reviews, that type of policy would be in the category of managerial and

2:11within the category of detective.

2:14Because it can help us discover things that are happening in the environment.

2:17And for the corrective type of policies and procedures, perhaps we have some

2:22rules set up regarding who talks to the press after a security incident.

2:26For example, is just any employee allowed to go on TV or on the radio or on

2:30social media, etc.

2:31And just talk about what happened or do we have a policy and procedure in place

2:36regarding the handling and the escalation and who communicates that information

2:40to the public.

2:41So I'm going to write that down as incident reporting and escalation.

2:44And once again, that would fall into the control type of corrective, which also

2:48would be after the fact.

2:50So security incident happens.

2:52Now, what are the policies regarding following up and the next steps involving

2:56that incident, which could include who talks to the press, who escalates that

3:00to law enforcement and so forth.

3:02Now, what are the controls that could fall into the managerial category and

3:06fall over here also into the type called compensating would be to help reduce

3:10fraud.

3:11For example, even though we've onboarded our individuals and we've done

3:14background checks, if we want to have a compensating control to help reduce

3:19fraud, we may have a policy in place about separation of duties.

3:23Or maybe we have a policy about forced vacation.

3:27And although forced vacations doesn't sound like a policy to help compensate

3:31against things like fraud, let me take a moment and chat with you about both of

3:35those policies.

3:36And let's start with separation of duties. If we have two people, let's say we

3:40have person A and person B and it takes both of them to complete a transaction.

3:45That means if they're going to have fraud, it would need to involve both of

3:48them.

3:48For example, maybe this individual has the responsibility and the controls

3:53regarding doing a request for some product or service.

3:55And then this person here, person B is responsible for the paying of those invo

3:59ices and paying the vendors.

4:01And that's the example of separation of duties because we have one that does

4:04the purchase request and one that pays the bill.

4:06So if we had one person who both made the request and also authorized the

4:11payments, that could lead to fraud.

4:14And I'm not implying that it's me as a responsibility for both that we're going

4:17to have fraud, but the policy of separation of duties is acting as a compens

4:22ating control to help reduce the likelihood of fraud because it would take both

4:26people working in conjunction with each other.

4:28One who's making fake invoices, for example, one who's paying on those fake inv

4:32oices for that fraud to occur.

4:34So that's an example of a policy that could be referred to as a compensating

4:37control.

4:38If we have a forced vacation policy where you have to go on vacation for at

4:42least, you know, one week or two weeks in a block and have no contact with the

4:46office or with the company,

4:48that's going to help expose if there's fraud in place.

4:51So if an individual is doing something on a daily or a weekly basis and then

4:54they're removed from that process and somebody else is taking over temporarily,

4:58there's an additional possibility that fraud or whatever that behavior was can

5:02be brought to light.

5:03And again, that'd be an example from a managerial category of a compensating

5:07control.

5:08And the argument could also be made that that type of control might also fit

5:12into the category called detective because it's going to help us discover that.

5:16So a lot of these controls based on how and when they're used could fall into

5:21two or more categories.

5:23But again, these are just examples of some of the control types in the various

5:27categories.

5:28And then regarding managerial controls and policies that are directive, these

5:32would be policies about what we've asked our users to do.

5:35So we'd have policies for example regarding VPN usage or locking your screen,

5:39etc, etc.

5:40And the policy says we need to do that would also fall in here as a directive

5:44control.

5:44So as we're filling out our bingo card here, we are halfway through.

5:49So in the next video, let's take a look at the category called operational

5:53controls.

5:54I'll see you in that video in just a moment.

0:00So as we continue our journey in the various categories, we're now going to

0:03take a look at the

0:04operational controls, that category. And again, this is where human beings are

0:09actually doing

0:09the implementation of these controls. So as we go across, we'll take a look at

0:14some examples of

0:15deterrent, preventive, detective, etc. regarding operational controls being

0:19implemented by humans.

0:21Also, once again, I just want to remind you that some of these controls,

0:24depending on why they're

0:25being implemented, could fall into one or more of these categories. So again,

0:30focusing on humans

0:31as a deterrent, we could have physical presence at our various locations. For

0:36example, we could have

0:37a guard shack that's being manned, or we could have a receptionist that's in

0:41the lobby during

0:42office hours, who would see people coming in and out. Now by itself, just

0:47having a receptionist

0:48isn't going to prevent a person from coming in, but it would act as a deterrent

0:52. Now we could also,

0:54in the preventive column, we could also use humans for that as well. And once

0:57again, the guard shack

0:59would fall into that category. If at the guard shack, the humans there, we're

1:03doing checks and

1:04verifications of allowing people in or out after checking their ID. And in

1:08those senses, then they

1:10would be preventive in nature. As far as a detective type of control, perhaps

1:14we're doing a scheduled

1:16walk of the halls or a walk of the parking facility on some type of a schedule,

1:21and hopefully not a

1:22predictive schedule, because some of his case in the place might see, oh, they

1:26check it at the top

1:27of the hour or 30 minutes after the hour. But we have a policy in place that

1:31says we need to do

1:32patrolling and walking of the halls and the parking lot by our security people.

1:36That would be an

1:37example of a detective control. Also, I would say that if somebody's watching

1:42that activity,

1:43that also could act as a deterrent as well, because this may cease that the

1:47halls are being

1:47monitored and the parking area is being monitored, and there's physical humans

1:51there,

1:52to verify that only the right people should be there. That would not only act

1:55as a detective

1:56control, but it also act as a deterrent as well from anybody who's looking at

2:00that activity.

2:01As far as humans involved in a corrective control, there are lots of options we

2:05could put here as well,

2:06including escalation of a security incident based on how they've been trained

2:10to escalate that,

2:11or we may have a human that is manually doing the restore from a backup, which

2:16would involve a

2:17technical control and also a operational control, because it's involving a

2:21human. And then for a

2:22compensating control, I'm going to go ahead and just put an arrow down here

2:25because separation of

2:26duties and force vacations, if those are being done by humans, which they would

2:30be, that could

2:30fall into the category of a managerial control because of the policy for doing

2:34that, and then

2:34an operational control, because it's actually humans carrying that out. So the

2:38actual compensating

2:39aspect here would be compensating for the fact that humans, even though they've

2:43been instructed to

2:45act and behave a certain way, may do otherwise. And so these types of controls

2:50of separation of

2:50duties and force vacations can also fall into the type of a compensating

2:54control, maybe just

2:55compensating for, unfortunately, a few of the population that might try to do

3:00something illegal,

3:01or from a security perspective that could harm the company. And then for the

3:05category of operational

3:06control and the type of directive, again, that'd be like instructions of what

3:09we want the users to do.

3:11So as part of a yearly process, we might ask our users to attend security

3:16awareness training,

3:17and that would start off as a policy and then be implemented by humans as they

3:21go to the security

3:22awareness training. And also, ideally, we'd want to do some testing at some

3:26minimum level,

3:27just to make sure that the users who go to security awareness training are

3:31actually learning from it

3:32and are going to behave in a way that's consistent with the best interest of

3:36the security of the

3:37company. And if we do have a successful security awareness training, that also

3:41could fall into these

3:42types of deterrent and preventive as well, or as part of the security awareness

3:47training.

3:47If we've trained our users that if they see something, they should say

3:50something that would

3:51also cause it to fall into the detective type of control as well.

0:00So as we complete the last category here, which is the physical controls, let's

0:04do some examples

0:05for each of the types. So on the deterrent spectrum, what would really be a

0:10deterrent

0:11for an individual as a physical control? Again, physical represents something

0:15that is physical

0:16in nature. So one of those things might be a sign. Maybe we have a sign, a

0:20physical sign,

0:21either before a user enters a building, or before they go into a restricted

0:25area. If we have a physical

0:26sign there, that could act as a deterrent. I would also say a fence also might

0:31be a physical

0:32deterrent because people could scale a fence, probably not preventive. But

0:37again, these are two

0:38examples of the category of physical controls that can act as a deterrent. Now,

0:43as far as a physical

0:44control that is preventive in nature, let's take a look at a few examples of

0:48that. One really kind

0:50of obvious example would be some type of a lock. For example, before I enter a

0:54room, if that door is

0:55locked, I need to go ahead and unlock it. Now today, a lot of buildings and

1:00doors are not just

1:01unlocked with a physical key. They have a physical lock, but it also may

1:05involve a technical control

1:06with a badge reader that's linked to some mechanical mechanisms associated with

1:11that lock. So in

1:12that sense, the actual preventive control would be an example of a lock in

1:15combination with a

1:17technical control, which might involve a thumb reader or a badge reader or some

1:21other type of

1:22technical control used in conjunction with the physical control. Another

1:26example of a physical

1:27control that could be preventive in nature would be a barricade. So if there's

1:32a physical barricade

1:33that's preventing vehicles from entering an area, or if there's a physical

1:38barricade into a building

1:40that can't be overcome, it fall in the category of physical controls. As we

1:44proceed across here,

1:45let's take a look at a physical control that would be detective in nature. How

1:49about a motion

1:50sensor? Now, one of the challenges I have as I think of a motion sensor is I

1:53think, you know,

1:54a motion sensor has some technical aspects to it, right? That actually detect

1:58the motion with the

1:59ways it looks. But at the end of the day, a motion sensor would be to detect

2:03something physical. So

2:04we probably have some physical components to a motion sensor, but also some

2:07technical aspects to

2:08a motion sensor. But the idea here is just to understand that some of our

2:12control types,

2:13like physical controls, have different purposes regarding why we would

2:17implement them,

2:18and a physical control such as a motion sensor would be detective in nature,

2:23because it can alert us

2:24to something happening in the physical world with some motion that's being

2:28sensed. Now, perhaps a

2:30motion sensor goes off or some other alarm goes off, and we want to lock down a

2:34portion of the

2:35building or we want to lock down a room. So another type of control we could

2:38use is a corrective control.

2:40So maybe there's an additional deadbolt or bars or something else that's

2:44activated as a result

2:46of the motion being detected. So I'll put here deadbolt triggered by motion

2:52acting as a corrective

2:53control or another example of the corrective type of control from a physical

2:56nature would be if

2:58there's a fire and you have a system that is used to put out fires, whether it

3:02's a physical fire

3:03extinguisher or it's a system that's using water or some kind of chemical

3:08mixture to put out that

3:10fire. Again, that would be a corrective in nature trying to correct the problem

3:13in that case of a

3:14fire that's broken out. So as we proceed to the right here to the category of a

3:18compensating control

3:19from a physical nature, let's talk about power. Now most of our buildings and

3:24data centers,

3:25they use quite a bit of power. So in the event we have a power disruption,

3:30maybe we have a brown out

3:31or we lose power altogether, a compensating physical control would be backup

3:36power. So perhaps

3:37we have two unique power supplies coming into all of our systems, and then

3:41behind that we have

3:42some UPSs on the neurofibable power supplies. And then because those are going

3:46to be short term

3:46with batteries, maybe we also have a generator that kicks in as a compensating

3:51control in the event

3:52we have a power issue. And for our last type here is directive regarding

3:55physical controls.

3:57I'm going to go ahead and say we have some instructions that are written and

4:01maybe they're

4:02written on a sign. Although we use the sign over here as a deterrent, we could

4:06also have a sign

4:07that's giving instructions regarding what to do. For example, in the event of a

4:11fire do this,

4:12or in the event of an alarm going off do that. So if those are written on a

4:17sign that would be

4:18example of a physical control, that would be the category. And regarding the

4:22type, it would be

4:22directive in nature.

0:00The benefit of understanding four of the general categories for security

0:04controls and also

0:05various types of why we would implement those controls, which boils down to the

0:10types of controls

0:10right here, is that it gives us a big picture or a bigger picture view of those

0:15types of controls

0:16that we might want to use. Now in our examples here, we listed a few types of

0:21controls in each

0:22of these categories and it helped reinforce the concepts that we've learned in

0:26this set of videos.

0:27Here's the challenge I'd like to give you right now. Using this framework with

0:31our four categories

0:32here on the left and our six different types of controls, here's the challenge

0:36I'd like to give

0:37you right now. I'd like you to go through and except for this section right

0:40here, which is all about

0:42policies and procedures, I'd like you to go through the technical controls,

0:45operational controls,

0:46using humans, and also physical controls. And for these three remaining

0:51categories, technical,

0:52operational involving humans and physical controls, I'd like you to list an

0:56example of each of these

0:58six types, deterrent, preventive, detective, corrective, compensating, and

1:02directive. And here's

1:03the rub. Instead of using the ones that we did together up to this point, I'd

1:07like you to go

1:08ahead and think of at least one control for each of these remaining spots that

1:13we did not already

1:14used. And that exercise will help you reinforce the concepts of the four main

1:19categories here,

1:20as well as the reasons why we would implement those type of controls, whether

1:24it's for helping to

1:25deter or prevent an activity from happening, or whether it's to discover and

1:29correct the activity

1:31or activate compensate and control. In fact, you know what, I'm going to go

1:33ahead and remove

1:34this column as well, because the directive is all about just asking effectively

1:37asking individuals

1:39to do this or to do that. But all by itself, it's not a very strong control

1:43because it's just

1:44giving instructions. So that leaves us with technical controls with these five

1:48columns and operational

1:50controls involving humans for these five, and also five examples of these types

1:55of controls,

1:56which are in the category of physical. So if you want to make a list on your

1:59computer or if you

2:00want to use some physical media like pencil and paper, any way you want to do

2:04it is great because

2:05it'll all help reinforce the categories and the types of controls. And when you

2:09're done with this

2:10exercise, which I believe will be very helpful for you, join me in the next

2:14video, and I will do it

2:15as well and we can walk through it together. So have some fun with this

2:18exercise, fill in all

2:20the blank spaces, and I'll see you when you're ready.

2:22[BLANK_AUDIO]

0:00All right, so now that you've had an opportunity to fill in some examples of

0:04technical controls,

0:06operational controls, and physical controls, let me go ahead and walk through

0:09it myself,

0:10and that way we can both benefit from this exercise.

0:12And again, the goal is to list an example of these types of controls, but not

0:16repeat

0:17what we did previously.

0:18So I'm going to go ahead and choose to do this based on the type.

0:20I'm just going to go down the list this way, column by column.

0:23So a technical control that could act as a deterrent.

0:26How about a capture statement?

0:29That's where if you're logging into a website, for example, you have to

0:32identify the three

0:33pictures of where bicycles are or where roads are or stairs are, or something

0:37else that

0:38helps identify that it's a real human, and it's not a robot or a machine that's

0:43trying

0:43to log in or continue.

0:45So a capture could be an example of a technical control that's acting as a

0:48deterrent.

0:49And for managerial control, we might want to have a policy in place that says

0:52we need

0:53to use capture.

0:54So again, we're going to go ahead and just say that for managerial controls, it

0:57's all

0:58about policies and procedures, and then for operational controls for a

1:01deterrent.

1:02As a deterrent, I'm going to say let's have the user sign an agreement, which

1:05specifies

1:06that they know about and they are willing to comply with our security policies

1:10and our

1:10operational procedures.

1:12So that can act as a deterrent because if they sign the policy, it hopefully

1:15confirms

1:15that they understand what's in the policy.

1:18And if there's any consequences in that policy, that can act as a deterrent.

1:22And then as far as physical controls as a deterrent, let's go ahead and use bar

1:26bed wire.

1:27Now with barbed wire or razor wire, it's possible that could still be

1:31circumvented.

1:32However, it certainly would act as a deterrent for somebody who is going to

1:36have to challenge

1:37that barbed wire to go on to the next location or to get past that barbed wire.

1:41So that's my three that I'm coming up with, knew that we didn't cover

1:44previously.

1:45So let's go on to the next column, which is the type called preventive.

1:49So preventive as a technical control, we could do encryption.

1:53So for encryption, we could encrypt things like disks, so we can encrypt the

1:57data on

1:57a disk or if we have traffic that's going back and forth over a network, we

2:01could encrypt

2:01that traffic.

2:02And if we encrypt the traffic, that would prevent anyone who doesn't have the

2:06keys to

2:07unlock that data from being able to see it.

2:10And that would be an example of a technical control that is preventive in

2:13nature and

2:14for a preventive type of control in the operational category involving humans,

2:19let's go ahead

2:19and use the policy of no piggybacking.

2:23What that means is that if a user is entering a facility and they're using

2:27their badge,

2:28for example, to authenticate or to swipe in, they are not allowed to let

2:32anybody else in

2:34on that pass, meaning everybody has to do their own swiping or their own login

2:37or their own

2:38getting into the building or to the room and that we're not allowing a second

2:41or third

2:41person to come in off of that first person's badge.

2:45And that could prevent an unauthorized individual from getting into the

2:48building and also in

2:49combination with that as we go down to physical controls.

2:52Next we have a door mechanism where the user steps in, they then present their

2:58badge and

2:58once they successfully present that badge, the second door opens.

3:02So in the old days, they used to call that a man trap and there are other names

3:05for that

3:05kind of mechanism.

3:06But as a physical control, that would allow one person to go into this small

3:11area, authenticate

3:12or present their badge, then go into the building and then the next person

3:15could do it.

3:16And that'd be a physical control to help implement the no piggyback policy that

3:20's being implemented

3:21by the humans.

3:22All right, so we have two types down, deterrent and preventive.

3:25Let's go on to detective and corrective.

3:28So for detective controls, we haven't mentioned the technical control of an IDS

3:33or IPS and

3:34this is an acronym for intrusion detection system or intrusion prevention

3:38system that's

3:39analyzing and looking at network traffic or if it's on a local computer, it's

3:43looking

3:43what's going on on that computer and it identifies or hopefully identifies if

3:48malicious activity

3:49or malicious network traffic is occurring on that system.

3:53Another example of a detective control there that's technical would be antiv

3:57irus or anti-malware

3:58software as well that could be used to identify or detect problems and antiv

4:02irus anti-malware

4:04software can also be used as a preventive measure as a technical control as

4:08well.

4:09As far as operational controls, we could have a see something, say something,

4:15policy

4:15that users have agreed to.

4:17So if a user sees something out of the ordinary or if someone else in the

4:21company is presenting

4:22an idea about causing fraud or harm to the company in the category of

4:26operational, they

4:27see something, say something, detective control because being implemented by

4:31humans could fall

4:32under the category of an operational control.

4:34And then for a physical detective control, I'm going to go ahead and put tape.

4:38You know, I get a crime scene where they put tape around it.

4:40If we had some kind of a tape that if it got broken that could identify that

4:45someone has

4:46been in or out of that space.

4:48And then for corrective controls, again, trying to focus on items that we haven

4:52't already

4:52covered up to this point, an example of a corrective technical control could be

4:57restoring

4:58a port, more specifically restoring a switch port.

5:01So let's imagine we have a control in place that if somebody attempts to log on

5:05or some

5:06type of activity on the network is seen as malicious, let's imagine that we

5:10have a rule

5:10in place, a technical control in place that's going to lock down that port or

5:14bring down

5:15that port.

5:16Well, another type of corrective technical control would be after that port has

5:20been brought

5:21down and after there is a timeout, we can have that port automatically be

5:25brought up

5:25and that'd be an example of a corrective control.

5:28So if an attacker is trying to compromise our system, we've effectively closed

5:31that

5:31port off for a period of time and then bringing that port up at a later point.

5:36And again, that can all be automated with technical controls not requiring a

5:39human to

5:40be involved.

5:41However, if we took a look at the logging that we included earlier, that

5:44logging could

5:44capture that information to make us aware that it's all happening.

5:48And for an operational control involving a human, perhaps we had some policies

5:52that

5:52were in place that weren't quite up to snuff.

5:55So we identified from a managerial control perspective that we need to update

5:59our policies.

6:00And then we have our users start using that updated policy.

6:03That'd be an example of a corrective control.

6:06So effectively, some new policy or procedure is now being carried out and done

6:10as a result

6:10of an identified previous vulnerability or weakness or security flaw, which is

6:15now going

6:15to be corrected by the new policies and procedures.

6:18And then for physical controls, let's imagine that we had a situation where

6:23somebody was

6:23able to enter the building on the second floor simply by accessing a window on

6:28the second

6:29floor.

6:30So a corrective control there in the physical category could be windows that

6:35don't open,

6:36that we implement on the second floor or we could just put locks on those

6:39windows, but

6:40we already covered locks in our previous discussions.

6:42So I'm just targeting something slightly different so we can meet the

6:45requirements of this additional

6:47security controls review.

6:48All right, so let's move on to the compensating type of controls.

6:52And so for compensating, let's imagine that we've identified that people are

6:56trying to

6:56do a brute force login attempt against our systems where they log in over and

7:01over, attempt

7:01to log in over and over with either a long, long list of possible passwords or

7:06trying

7:06every possible combination, which is referred to as a brute force attack to

7:10compensate for

7:10that we could implement in the category of technical control, we could limit

7:14the number

7:14of login attempts and maybe we limit to five, for example, within 60 seconds.

7:19So if somebody is trying or a system is trying or a hacker is trying to log in

7:23and it's unsuccessful

7:25five times within 60 seconds, we automatically disable that account or we give

7:30it a timeout

7:31where no login is possible for a period of five or 10 or 15 minutes and that

7:35prevents

7:36the attacker from continuing on with a relentless brute force attack.

7:40So in that context, that would be in the category of a technical control and it

7:43can be compensating

7:44for an operating system or some other system that on its own, perhaps maybe it

7:48can't limit

7:49the number of attempts.

7:51So maybe we have a device or a firewall or something in front of that as a

7:54compensating

7:55control that is limiting the number of login attempts and protecting that end

7:59system.

8:00And as we go down here in the column of compensating control types and we look

8:03at operational controls,

8:05perhaps we had a situation where somebody left information on their physical

8:09workspace,

8:10on their desk or in their drawer and somebody walked by and either took it or

8:14saw it and

8:14they shouldn't have.

8:15And to compensate for that, that problem, maybe we sit up a new policy and we

8:19specify

8:20that you know what, we're going to have a clean desk policy.

8:23Absolutely nothing is to be left out, no papers, no anything on your desk and

8:27also that those

8:28desks need to be locked.

8:29So the clean desk policy would be a managerial control and the actual

8:33implementation of that

8:34clean desk policy would be in operational control regarding how our users are

8:38handling

8:38and working with documents and data at their work areas.

8:42And as we complete our bingo card here in the type of compensating controls,

8:45let's imagine

8:46that we have some data that was stolen from our trash.

8:50Now if that information that was stolen from the trash, for example, in a dump

8:54ster, behind

8:54the building, what have you, if that was not disposed of properly, that's what

8:58could have

8:58led to that data being stolen.

9:00So perhaps we once again, as a managerial control, set up a new policy that

9:04specifies

9:05the proper disposal of media and paper so that if somebody does get to it, it

9:10won't

9:10be discernible, meaning for example, shredding paper or destroying CDs, less

9:15DVDs or a hard

9:16disc that has to be physically compromised before it's disposed of so the data

9:20can't

9:21be retrieved.

9:22So here in the compensating control, I'm going to go ahead and put shred.

9:25And maybe that's just a temporary control that's going to be put in place until

9:29we

9:29can have a company that's in charge of our disposal.

9:32And then we can have bins, for example, once that full policy has been

9:35implemented, where

9:36employees can put sensitive documents that are no longer needed or other

9:40material in

9:41a bin and then periodically a company that does that work comes by and destroys

9:46it.

9:46But as a compensating control, until we hire that company, we can have a

9:50control of shredding

9:51the documents as part of disposal.

9:54And again, that would be in the category of a physical control.

9:56So thanks for joining me.

9:58In this set of videos and in the skills regarding security controls, including

10:02categories and

10:02types.

10:03And I'll see you in the next skill very, very soon.

10:06Until then, I hope this has been informative and I'd like to thank you for

10:09viewing.