Monday, May 14, 2018

Understanding Control Types & Functionality


A safeguard, control, or countermeasure is implemented to reduce the risk an organization faces.

Let’s understand it through some examples.

1. A company puts in antivirus solutions to reduce the potential danger from malware.
2. Citizens put in steel gates at the entry of the streets in their areas.
3. A leading e-commerce company deploys a backup solution.
4. A person deploys CCTV at his home.
5. Since the organization could not build a perimeter wall, it deploys security guards to man the area around the building.

What do all of these examples have in common? In each of them, a mechanism has been deployed to reduce the potential danger that an organization or an individual faces. This mechanism reduces the level of risk and is called a control.

There are 3 types of control which can be deployed:

1. Administrative Controls (Managerial) – Controls that are deployed from a management perspective. They are also known as soft controls, as they are soft in nature. Examples of such controls include security policies, training, internal company standards etc.

2. Technical Controls (Logical) – Controls that are technical in nature and deal more from a logical perspective. Examples include the deployment of firewalls, encryption, anti-virus, access authentication etc.

3. Physical Controls – These are put in place to ensure physical security. Examples include security guards, fences, perimeter walls, CCTV, doors, dogs etc.

All these types of controls provide the following six types of functionalities:

1. Preventive – Controls that try to prevent an incident from happening.
2. Corrective – Controls that fix things after an incident has happened.
3. Detective – Controls through which issues can be detected in advance.
4. Recovery – Controls that help you recover from the incident.
5. Deterrent – Controls that discourage an attacker from attacking.
6. Compensating – An alternative control put in place to compensate for the intended control.

These definitions are quite straightforward and should be applied as such. For example, consider the second example, where steel gates have been deployed. Steel gates are a preventive control deployed by the people. Your train of thought may also run in this manner: an attacker would see the steel gate and find it to be a deterrent, and hence this must be considered a deterrent control. Note that in any case, you need to understand the basic intent behind that control and you’ll get the functionality right. A steel gate has been deployed to prevent something bad from happening and hence is a preventive control.

Another point to remember is that controls must be deployed in a layered fashion, like an onion. It is advisable to layer preventive, detective and corrective controls so that you are able to prevent the attack from happening in the first place; if you could not prevent it, you should be able to detect it; and in case you failed to detect it, you should be able to correct what has happened.

Let’s leave you with something to work on.

Todd is a security specialist deployed by a leading e-commerce company. He has been asked to create a list of preventive controls which can be deployed to protect the company’s internet-facing servers from being hacked. Can you list a few preventive controls to help Todd?
