Study Guide: Security Controls
Overview
Security controls are essential measures to safeguard systems, networks, and data. These controls help prevent, detect, and respond to cybersecurity incidents. They are categorized based on their purpose, implementation, and function.
1. Categories of Security Controls
A. Administrative Controls
- Definition: Policies, procedures, and guidelines to manage the organization's security.
- Purpose: Govern employee behavior and organizational practices.
- Examples:
  - Security awareness training
  - Incident response policies
  - Acceptable use policies (AUP)
  - Background checks
  - Risk assessments
B. Physical Controls
- Definition: Measures to protect physical access to facilities, systems, and resources.
- Purpose: Deter or prevent unauthorized physical access.
- Examples:
  - Fences, gates, and security guards
  - Locks, badge systems, and biometric access
  - Surveillance cameras (CCTV)
  - Environmental controls (e.g., fire suppression, HVAC systems)
C. Technical (Logical) Controls
- Definition: Hardware or software mechanisms used to enforce security policies.
- Purpose: Protect systems and networks from unauthorized access or attacks.
- Examples:
  - Firewalls, intrusion detection/prevention systems (IDS/IPS)
  - Encryption and access control lists (ACLs)
  - Multi-factor authentication (MFA)
  - Endpoint protection (antivirus, EDR solutions)
2. Security Control Types by Function
A. Preventive Controls
- Definition: Measures to stop incidents before they occur.
- Examples:
  - Firewalls and network segmentation
  - Access control policies (e.g., least privilege)
  - Security guards and locked doors
B. Detective Controls
- Definition: Measures to identify and detect incidents in progress or after they occur.
- Examples:
  - Security Information and Event Management (SIEM) systems
  - Intrusion detection systems (IDS)
  - Audit logs and monitoring tools
C. Corrective Controls
- Definition: Measures to limit damage and restore normal operations after an incident.
- Examples:
  - Data backups and recovery processes
  - Patching and system updates
  - Incident response plans
D. Deterrent Controls
- Definition: Measures to discourage potential attackers.
- Examples:
  - Warning signs and legal notices
  - Visible surveillance cameras
  - Security guards
E. Compensating Controls
- Definition: Alternative measures put in place to satisfy a security requirement when the primary control is unavailable or cannot be implemented.
- Examples:
  - Temporary MFA using a token if biometrics fail
  - Manual monitoring when automated tools are down
F. Recovery Controls
- Definition: Measures to bring systems back to operational status after an incident.
- Examples:
  - Disaster recovery plans (DRP)
  - Hot/cold/warm backup sites
  - Restoration of data from backups
3. Practical Applications of Security Controls
Layered Security (Defense-in-Depth):
- Combining multiple controls across categories (administrative, physical, technical) and functions (preventive, detective, corrective) to create a robust defense.
Example Scenario:
- A data center might have:
  - Physical controls: Locked doors, biometric scanners
  - Technical controls: Firewalls, IDS/IPS
  - Administrative controls: Visitor log policies and employee training
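The following Python program is an added example, not part of this study guide, that shows how several control functions from sections 2 and 3 work together inside one small access gateway: a least-privilege ACL acts as the preventive control, an audit log plus a threshold on repeated denials acts as the detective control, and an automatic account lock acts as the corrective control. The ACL, the user names, the request stream, and the threshold values are all constructed for illustration.

```python
"""Toy access gateway that layers preventive, detective, and corrective controls.

Added example for the study guide; every policy value and event below is constructed.
"""
from collections import defaultdict, deque

# Preventive control: a least-privilege ACL. Users not listed have no rights at all.
ACL = {
    "alice": {"read"},
    "bob": {"read", "write"},
}

# Detective control parameters: alert when a user is denied this many times
# within the time window (seconds).
FAIL_THRESHOLD = 3
WINDOW_SECONDS = 60


class Gateway:
    def __init__(self):
        self.audit_log = []                 # detective: every decision is recorded
        self.denials = defaultdict(deque)   # per-user timestamps of recent denials
        self.alerts = []                    # detective: raised when the threshold is hit
        self.locked = set()                 # corrective: accounts locked after an alert

    def request(self, user, action, ts):
        """Evaluate one request and return 'allow', 'deny', or 'locked'."""
        # Corrective control already applied: a locked account is refused outright.
        if user in self.locked:
            self._log(ts, user, action, "LOCKED")
            return "locked"
        # Preventive control: the ACL decides; anything not explicitly granted is denied.
        if action in ACL.get(user, set()):
            self._log(ts, user, action, "ALLOW")
            return "allow"
        self._log(ts, user, action, "DENY")
        self._track_denial(user, ts)
        return "deny"

    def _log(self, ts, user, action, outcome):
        self.audit_log.append(f"t={ts} user={user} action={action} outcome={outcome}")

    def _track_denial(self, user, ts):
        """Sliding-window count of denials; alert and lock when the threshold is reached."""
        recent = self.denials[user]
        recent.append(ts)
        while recent and ts - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= FAIL_THRESHOLD:
            self.alerts.append(f"t={ts} ALERT repeated denials user={user} count={len(recent)}")
            self.locked.add(user)   # corrective action: contain the account
            recent.clear()


def run_scenario():
    """Run a constructed request stream through the gateway and return the evidence."""
    gw = Gateway()
    events = [  # (timestamp, user, action), constructed for the example
        (0, "alice", "read"),      # permitted by ACL
        (5, "alice", "write"),     # denied: 1st
        (10, "alice", "delete"),   # denied: 2nd
        (15, "alice", "write"),    # denied: 3rd -> alert, account locked
        (20, "alice", "read"),     # would be allowed, but the account is now locked
        (100, "bob", "write"),     # permitted by ACL
        (200, "mallory", "read"),  # unknown user: denied, but only once, no alert
    ]
    outcomes = [gw.request(user, action, ts) for ts, user, action in events]
    return outcomes, gw.alerts, gw.locked, gw.audit_log


if __name__ == "__main__":
    outcomes, alerts, locked, log = run_scenario()
    print("outcomes:", outcomes)
    print("alerts:", alerts)
    print("locked:", sorted(locked))
    print("\n".join(log))
```

Each layer is visible in the returned data: the ACL denies the out-of-policy requests on its own, but it is the audit log and the threshold that turn three separate denials into one alert, and it is the lock that stops the fifth request even though the ACL would have allowed it. Removing any one layer changes the outcome, which is the point of defense-in-depth.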
Key Terms to Remember
- Risk Mitigation: The process of reducing risk through security controls.
- Control Objectives: Specific goals that security controls aim to achieve (e.g., confidentiality, integrity, availability).
- Policy vs. Control: Policies outline the rules; controls enforce them.
4. Study Tips
- Create Flashcards: Use key terms and definitions to reinforce concepts.
- Practice Scenarios: Apply the categories and types of controls to real-world situations.
- Watch Videos: Review educational videos and demonstrations (e.g., CompTIA videos on security controls).
- Take Notes: Summarize the purpose and examples of each control category and type.
- Quiz Yourself: Test your knowledge by identifying controls in hypothetical security setups.