Cybersecurity basics: security controls

Some of the fundamental aspects of cybersecurity is learning about controls. According to IBM,

“Security controls refers to any type of safeguard or countermeasure used to avoid, detect, counteract or minimize security risks to physical property, information, computer systems or other assets.” Controls are very important to understand because layering security instruments with different controls can be used in a strategy called defense in depth. NIST defines defense in depth as an: “Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.” Using controls of various types and layering them in a defense strategy can better protect the assets of a company or organization. This brief article will describe cybersecurity controls.

The CIA triad

In the process of learning about cybersecurity it's important to review the CIA triad. The aims of effective cybersecurity are to maintain information and assets so that the data are protected. This is an explanation of the CIA triad referencing the Fortinet Cybersecurity Glossary:

C stands for confidentiality

“Confidentiality involves the efforts of an organization to make sure data is kept secret or private.”

I stands for integrity

“Integrity involves making sure your data is trustworthy and free from tampering. The integrity of your data is maintained only if the data is authentic, accurate, and reliable.”

A stands for availability

“Even if data is kept confidential and its integrity maintained, it is often useless unless it is available to those in the organization and the customers they serve. This means that systems, networks, and applications must be functioning as they should and when they should. Also, individuals with access to specific information must be able to consume it when they need to, and getting to the data should not take an inordinate amount of time.”

Understanding the CIA triad and other cybersecurity concepts can give a good basic understanding of why technologists would want to layer various types of methods of preventing attack ie. controls. The goal would be to layer controls to protect data assets from destruction, disclosure, and alteration.

The types of controls

There are several broad categories of controls: Deterrent, Preventive, Detective, Corrective, Compensating, Technical, Administrative, and Physical. If you know the broad categories of controls you can choose appropriate types of cybersecurity technologies that would complement each other for a defense in depth strategy. Each type of control is described here by helpful source cybersecurity source articles. See references for more information.

**

Deterrent controls - Craig Wright states, “Deterrent controls are administrative mechanisms (such as policies, procedures, standards, guidelines, laws, and regulations) that are used to guide the execution of security within an organization. Deterrent controls are utilized to promote compliance with external controls, such as regulatory compliance.”

Examples: visible security camera, signs that warn against trespassing

**

Preventive controls - “Preventive controls are designed to keep errors or irregularities from occurring in the first place.” Along with detective and corrective controls, preventive controls are internal controls. Internal controls are “are actions taken to make sure the right things happen and the wrong things don’t.”

Examples: strong passwords, safety training for employees

**

Detective controls - Detective controls are “designed to detect errors and irregularities that have already occurred and to assure their prompt correction. These controls represent a continuous operating expense and are often costly but necessary. Detective controls supply the means with which to correct data errors, modify controls or recover missing assets.”

Examples: checking inventory, reviewing accounts, monitoring system logs for suspicious activity

**

Corrective controls - “Corrective controls are designed to correct the errors and irregularities and ensure that similar errors are not repeated once they are discovered. Corrective controls are built in the form of procedures and manuals for the reference of the employees. Some controls are built into the system, which automatically corrects the errors or prevents the occurrence of errors.”

Examples: disciplinary actions, software patches.

**

Compensating controls - “In cybersecurity, compensating controls are measures taken to address any weaknesses of existing controls or to compensate for the inability to meet specific security requirements due to various different constraints.”

Examples: close supervision, automating processes

**

Technical controls - “The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.”

Examples: firewalls, antivirus

**

Administrative controls -  Administrative Controls are “a set of security rules, policies, procedures, or guidelines specified by the management to control access and usage of confidential information. It includes all the levels of employees in the organization and determines the privileged access to the resources to access data.”

Examples: hiring and termination policies, assigning different tasks to multiple people so that no one person has complete control over a process.

**

Physical controls - “Physical security controls include such things as data center perimeter fencing, locks, guards, access control cards, biometric access control systems, surveillance cameras and intrusion detection sensors.”

Examples:

Fences, gates, locks

Knowing the fundamentals of cybersecurity can help in your career and daily life. Understanding cybersecurity controls can be useful in creating a defense in depth strategy for a company or even for personal cybersecurity. A reference to learn about safeguarding small networks or personal cybersecurity is Enoka’s Cybersecurity for Small Networks at https://nostarch.com/cybersecurity-small-networks

The more you expose yourself to new ideas about difficult topics, the better you can assimilate new information and learn faster. Learning about the fundamentals of cybersecurity controls can help tremendously in your pursuit of personal knowledge or learning for certifications.

References:

1. “What are security controls?” https://www.ibm.com/topics/security-controls#:\~:text=Cybersecurity controls include anything specifically,protection for data and workloads.
2. “Defense-in-depth.” https://csrc.nist.gov/glossary/term/defense_in_depth
3. CompTIA Security+ text series. https://www.comptia.org/training/books/security-sy0-601-study-guide
4. Fortinet Cybersecurity Glossary. https://www.fortinet.com/resources/cyberglossary/cia-triad
5. The IT Regulatory and Standards Compliance Handbook: How to Survive Information Systems Audit and Assessments. By Craig Wright. https://www.sciencedirect.com/book/9781597492669/the-it-regulatory-and-standards-compliance-handbook
6. Preventative and Detective Controls. https://www.sunyopt.edu/internal-control/preventative-and-detective-controls/
7. Risk Control Techniques. https://financialcrimeacademy.org/risk-control-techniques-pcdd/
8. The Importance of Compensating Controls in Cybersecurity. April 6th, 2023. By Claroty. https://claroty.com/blog/ot-icefall-vulnerabilities-underscore-the-importance-of-compensating-controls#:\~:text=What are Compensating Controls%3F,due to various different constraints.
9. Technical controls. https://csrc.nist.gov/glossary/term/technical_controls
10. Types of security controls. https://www.infosectrain.com/blog/types-of-security-controls/
11. Physical controls. https://www.ibm.com/topics/security-controls#:\~:text=Physical security controls include such,cameras and intrusion detection sensors.
12. The 3 Types of Internal Controls (With Examples) https://golayer.io/blog/finance/types-of-internal-controls/#:\~:text=Examples of Corrective Controls,sprinkler systems%2C and software patches.