Fundamentals of Cybersecurity part2

Security Control Categories

In this section, we’re going to dive into security control categories. Now, when we discuss securing an organization, it’s not just about all the technical solutions like fancy firewalls or encryption techniques, instead, security is a multifaceted domain, and understanding how different controls fit into the big picture is crucial to your success as a cybersecurity professional. Now picture the networking systems in your company as a fortress from the Middle Ages. Even though walls are crucial, you also need other things like guards with plans, which are operational processes, watchtowers for observation, and a city watch leader with a strategy.

Your organizational network’s firewall or the castle walls may serve as your main line of defense, but it’s also critical to take into account all the other control categories at your disposal, such as the watchtowers that serve as physical controls that provide surveillance. The guards with plans, which are operational controls, and the leader of the city watches over the overall strategy, which is managerial control.

As you can see, we like to layer our controls across multiple categories to give us a more well-protected network overall. To do this, we use security controls spread across four broad categories. These are technical controls, managerial controls, operational controls, and physical controls. And each of these plays a pivotal role in a holistic approach to your cybersecurity. First, let’s talk about technical controls. Technical controls are the technologies, hardware, and software mechanisms that are implemented to manage and reduce risk. They operate within a systems technology layer. For example, you may want to install antivirus software on your system as a form of technical control. That way, whenever you download a questionable file, the software will spring into action, scan that file for potential threats, and then quarantine it if it’s deemed harmful. This is a technical control in action that provides an automated response that’s governed by the system itself. Other examples of technical controls include things like firewalls, encryption processes, and intrusion detection systems. Essentially, if it’s a tool or a piece of software that can automatically protect your system integrity, confidentiality, or availability, we’re going to classify it underneath the category of technical controls. Second, we have managerial controls. Now, managerial controls are sometimes also referred to as administrative controls, and they involve the strategic planning and governance side of security. These managerial controls ensure that the organization’s security strategies align with its business goals and its risk tolerance. So, let’s pretend that an organization wants to adopt a cloud storage solution.

Before they make the jump into the cloud, the managerial team is going to conduct a risk assessment to understand the potential vulnerabilities and assess whether the move into the cloud will align with the company’s broader risk strategy. Beyond risk assessments, managerial controls also encompass security policies, training programs, and incident response strategies. These managerial controls are all about making informed decisions and ensuring that the entire organization is on the same security page.

Third, we have operational controls. Now, operational controls are the procedures and measures that are designed to protect data on a day-to-day basis, and they’re mainly governed by internal processes and human actions. For example, if your organization requires that you change your password every 60 days, this would be considered an operational control. This operational control ensures that even if a password was compromised, its shelf life would be limited so the potential harm that it could cause is going to be drastically reduced. Operational controls cover a vast area including backup procedures, account reviews, and user awareness training programs.

These controls also ensure that security remains active and it becomes an ongoing process to continually adapt to meet our evolving challenges and security threats. Fourth, we have physical controls. Now, physical controls relate to the tangible real-world measures taken to protect assets. These controls exist outside of the digital realm, but they’re crucial in safeguarding both digital and non-digital assets. If you think about a large data center, these facilities house our critical servers and our infrastructure, and they often have multiple layers of physical security from surveillance cameras and biometric scanners to reinforced doors and even barbed wire fences. These controls are designed to prevent unauthorized physical access. Other physical controls include things like secure shredding of sensitive documents, the use of security guards, or even simply locking the doors to your office whenever you leave the room. Physical controls are used to protect not only external threats but also internal threats to ensure that only authorized personnel can access certain areas or assets. So, remember, security is not just about being tech savvy, it’s about appreciating the multifaceted layers of protection that come together to form a robust security posture.

Whether it’s the technology guarding against cyber threats, the managerial strategy steering the ship, the day-to-day operational procedures, or the physical barriers that keep our assets safe, each category plays a pivotal role. Just like a castle relying on its walls, watchtowers, strategy, and guards to remain secure, our organizations must implement technical, managerial, operational, and physical controls to defend against a wide variety of cybersecurity threats

Security Control Types

We’ll talk about the many kinds of security controls in this section. Similar to how a medical professional tailors their treatment to the type and stage of a patient’s illness, security experts apply different controls based on the unique risks and vulnerabilities they’re trying to resolve. It is critical to comprehend the specifics of each control kind and to employ each one when the situation calls for it to defend a corporation efficiently. Preventive, deterrent, detective, corrective, compensatory, and directive controls are the six fundamental categories of security controls that exist today.

Preventative controls come first. Proactive steps taken to stop possible security breaches or threats are known as preventative controls. The goal of these preventive controls is to strengthen your systems before an actual issue. For instance, since it may filter incoming and outgoing traffic to stop any potentially dangerous data packets before they enter your organization’s network, a firewall is usually seen as a preventative measure. We also have restrictions that deter. These days, the goal of deterrent controls is to dissuade possible attackers by endeavoring to appear more difficult or less enticing. For instance, the business that installs the burglar alarm system at my property posts signs outside alerting people to the presence of surveillance cameras and a modest alarm system. To let the bad actors know that someone is monitoring is the main goal of this. So you may want to go break into somebody else’s house that doesn’t have these security controls in place. Now, in this example, the signs are the deterrent control, not the actual alarm system or cameras. Remember, warning signs or banners can be installed on your websites to indicate that monitoring is occurring and this can help deter potential attackers from targeting your website too. These signals let the attacker know that you will be prosecuting them, so their illegal activity will be reported and may have unfavorable consequences. And finally, there are detective controls. These days, detective controls keep an eye out for hostile activity and notify businesses of it as soon as it happens or soon after. Here, identification and alertness are their main objectives. As an illustration, the security cameras that keep an eye on my house are regarded as detective controls. You could still enter my home, yes. Although the cameras won’t stop you, I will now be aware that you broke into my home and I will know who did it because I can watch the video recordings and show them to the police, who will then be able to arrest and imprison you. Similar to this, we employ intrusion detection systems, or IDSs, in our networks to continuously monitor network traffic for unusual activities. The intrusion detection system (IDS) will alert system administrators to suspicious activity that requires further investigation if it detects something out of the ordinary, such as an unexpected data increase. This makes an intrusion detection system a detective control. Fourth, we have corrective controls. Now, once a threat has been detected using a detective control, we can then use a corrective control to mitigate any potential damage and restore our systems to their normal states. For example, if your organization is infected by malware, your antivirus software is going to be used not only to detect that malicious software but it can also quarantine and remove that malware. Now, when it’s used to detect malware, it’s a detective control. But as soon as it starts doing quarantine and removal, now it is a corrective control. So sometimes you have things that are placed in multiple categories, even though it’s a single tool. Fifth, we have compensating controls. Now, compensating controls are alternative measures that are implemented when primary security controls are simply not feasible or effective. These compensating controls ensure that protection remains intact even if the ideal control is not in place. For example, you may be running a legacy system that simply can’t support the latest form of wireless encryption known as WPA3. In this case, you might instead choose to implement WPA2 and use a VPN on top of that from your endpoint to your internal servers to act as a compensating control. Now, this isn’t as good as the perfect solution of using WPA3, but since you can only use WPA2 due to your legacy systems, you can add a compensating control by inputting that VPN on top of that WPA2 connection to mitigate potential vulnerabilities inside of the WPA2 encryption schema and this will give you higher levels of data security. Sixth, we have directive controls. Directive controls will now direct, advise, or require various actions. These directive controls, which establish the expectations for behavior inside your company, are frequently based on policies or paperwork. An acceptable usage policy (AUP) for your company, for instance, is regarded as a directive control that establishes criteria for how staff members are allowed to utilize company-owned IT assets. Most of the time, if you’re asked about a policy, you’re going to be able to categorize this under the term directive control. So remember, effective security is created by selecting the right controls across a wide range of categories, including preventative, deterrent, detective, corrective, compensating, and directive controls. Each control type helps to complement the other ones and create a higher level of overall security. Preventative controls build our foundation, deterrent controls discourage threats, detective controls keep a watchful eye, corrective controls jump in during emergencies, compensating controls offer backups and mitigations, and directive controls guide the entire process. As you navigate through the world of cybersecurity, your understanding of these roles and the importance of each type of security control will enable you to craft a more balanced and robust security strategy. Whether stopping threats in their tracks or swiftly responding to breaches, each control type is a piece of the larger puzzle that ensures our organizations maintain the security and resilience of their systems and networks.

Gap Analysis

We will talk about the idea of a gap analysis. Currently, assessing the discrepancies between an organization’s intended performance and present performance is done through gap analyses. Finding opportunities for improvement to close the gap between the desired and current states is the aim of the analysis. For businesses seeking to enhance their performance, procedures, operations, or general cybersecurity posture, conducting a gap analysis can be a very helpful tool. Now, there are several steps involved in conducting a gap analysis. The first step is to define the scope of the analysis. This includes identifying the specific areas of the organization that will be evaluated and the desired outcome of that analysis. The next step is to gather data on the current state of the organization. This can be done through surveys, interviews, or other forms of data collection. Once that data has been gathered, it should be analyzed to identify any areas where the organization’s current performance falls short of its desired performance. Once those gaps have been identified, our next step is to develop a plan to bridge those gaps. This can include changes to processes, systems, or other areas of the organization that can help to improve the performance or security of your systems and networks. A schedule for accomplishing the plan’s particular goals and objectives should also be included.

For instance, businesses should think about how their security may be impacted if they were to go from an on-premises solution to a cloud-based one for their data storage. To guarantee a seamless and safe transfer, your business may carry out an extensive gap analysis. This might begin by evaluating your on-premise security measures, which include your firewalls, intrusion detection systems, and data access controls. After documenting this current state, you can then compare it to the desired security standards for their chosen cloud provider which might be AWS or Azure. Then the gap analysis can be used to highlight that their existing data encryption methods are outdated and they’re not in line with the cloud’s more advanced encryption at rest protocols. Additionally, their on-premise access controls might not be able to be mapped directly to the cloud’s identity and access management or IAM models. So this is a gap that also needs to be addressed. Now that the company knows its current state desired state, and the difference between the two, they’re now better equipped to plan its migration while ensuring they’ve adopted enhanced encryption techniques and made the necessary modifications to its IAM policies to create an overall more secure and seamless migration into the cloud. Now, in general, you’re going to find that there are two basic types of gap analysis. We have a technical gap analysis and a business gap analysis. A technical gap analysis in the world of cloud computing would involve evaluating an organization’s current technical infrastructure and identifying any areas where it falls short of the technical capabilities required to fully utilize its security solutions. For example, an organization might find that its current network infrastructure is simply not fast enough to support data and transit encryption or a full zero trust architecture, or that its current security protocols are not robust enough to protect the data being stored at rest inside its cloud-based storage solution. Once those gaps have been identified, the organization can develop a plan to address these issues and upgrade its technical infrastructure as needed. Now, on the other hand, we have a business gap analysis that involves evaluating the organization’s current business processes and identifying any areas where they fall short of the capabilities required to fully utilize their new cloud-based solutions. For example, an organization may find that its current data management processes are not efficient enough to support cloud-based data storage and sharing, or that its current budgeting and forecasting processes are not accurate enough to support cloud-based financial management. Once the gaps have been identified then the organization can develop a plan to move its business processes forward as needed to close that gap. Now, let’s take a look at a real-world example. At one of the formal organizations that I worked at, we conducted a vulnerability assessment once per week across the entire network. This vulnerability assessment was designed to uncover weak points in our digital infrastructure and systems. The assessment often found several software vulnerabilities in our different servers, some insufficient encryption for data in transit, and a few times we found outdated database configurations too. Each week, my team and I were responsible for looking over all the findings from the assessment and then determining which ones were the highest priority for us to fix because we never had enough time, money, or resources to fix all of them in any given week. By understanding the seriousness of each finding, we could then create a Plan of Action and Milestones, known as a POA&M that would outline the specific measures to address each vulnerability allocate resources, and set up timelines for each of the remediation tasks that we needed to perform. This allowed us to prioritize the patching of critical software vulnerabilities and update those database misconfigurations first. At the same time, we now know what the level of security is that we’re trying to achieve and our POA&M was an actionable way to get us from our current state to our desired state and this helped us continually close the gap identified by our ongoing gap analysis in terms of our vulnerability management programs. So remember, a gap analysis is a powerful tool that can help your organization improve its security and performance by identifying areas where improvements can be made. Whether you’re looking to migrate into the cloud or simply want to improve the security of your systems and networks, a gap analysis can help achieve the desired outcomes and results for you. By following the steps of a gap analysis, you can ensure that you have a comprehensive plan in place to bridge the gap between your current and your desired states.

Zero Trust

We’re going to cover the concept of Zero Trust. In our current digital age, we are constantly being bombarded with digital threats that are more sophisticated than ever and this continually is putting our traditional cybersecurity strategies to the test. To keep threat actors at bay, traditional cybersecurity tactics have historically centered on deploying a robust perimeter defense, much like an old fortress that had high walls and a moat surrounding the castle. Although these antiquated tactics proved successful in the past, the issue with them is that they cannot compete with our contemporary networks. After all, a castle was the height of protection a millennium ago, but now that I could just fly above them with a drone or a helicopter, I could assault anyone within the castle and the moat and castle walls would do nothing to stop me. This is exactly how most computer networks were secured over the past few decades. Cybersecurity experts have configured networks with strong external defenses by using things like firewalls, intrusion protection systems, and other perimeter defenses. But these days, many of our network devices are pretty much decentralized. Now instead, we must protect all of our systems and data using multiple levels of encryption, secure protocols, data-level authentication, and other host-based protection mechanisms because using a perimeter-only structure is not going to keep us safe. Now, from an operational perspective, most people love reparameterization because it allows us to reduce our costs, and conduct business-to-business transactions from anywhere in the world, and has become increasingly more agile for us as organizations to use this type of reparameterization. The move to the cloud, when combined with the rise of work from home, has increased our ability to conduct secure operations within a reparameterization architecture. Now, reparameterization has occurred due to the migration into the cloud, the increase in remote work, people embracing mobile technologies along with the rapid adoption and use of wireless networks, as well as larger movements towards outsourcing and contracting. But this whole deperimeterization movement does really introduce a lot of risks to our organizations too, if we’re not careful. So to protect these decentralized networks, we can’t simply rely on boundary or perimeter defenses. Instead, we need to implement a best practice which is now known as Zero Trust. Zero Trust is used to ensure the security of your corporate network and your corporate data. Now, when we look at our traditional networks, we used to believe that our networks and our users were trusted because we gave them access to those systems. But under a Zero Trust model, that is simply not the case and that is considered a good thing in our modern world. You may have heard the old saying, trust but verify, which was made famous by President Ronald Reagan back in the 1980s. But as cybersecurity professionals, we take this a step further. When we implement Zero Trust, we want to quote our favorite mantra, which is to trust nothing and verify everything. And that does sum up the entire architecture concept behind Zero Trust systems. With Zero Trust, we demand that verification happens for every device, every user, and every transaction within our network regardless of where it came from. This means that whether a user is attempting to access a system from within our organization’s physical office or from over the internet because they’re doing it from home remotely, their identity and permissions are always going to be verified. This methodology also addresses the changing nature of work and the digital landscape that has moved to a reparameterization while acknowledging that threats can emerge from both inside or outside of your networks.

Now, in order to create a Zero Trust architecture, we’re going to use two different planes. These are called the control plane and the data plane. Now, the control plane refers to the overarching framework and set of components that are responsible for defining, managing, and enforcing the policies related to user and system access within an organization. It provides a centralized way to dictate and control how, when, and where access is going to be granted to ensure that only authenticated and authorized entities can access specific resources. The control plane typically encompasses several key elements, including adaptive identity, threat scope reduction, policy-driven access control, and secured zones. First, we have an adaptive identity. In Zero Trust, we assume that static one-time verifications are not sufficient, so we must use adaptive identities that rely on real-time validation that takes into account the user’s behavior, their device, their location, and other factors. By continually assessing these variables, our user identities are constantly adjusting and adapting to the environment in order to grant or restrict access to them as required. Second, we have threat scope reduction. Now in Zero Trust, we want to limit our users’ access to only what they need for their work tasks because this drastically reduces the network’s potential attack surface. This approach is focused on minimizing the blast radius that could occur in the event of a breach and ensures that the compromised credentials will not allow attackers to have unimpeded access throughout your entire network or system. Third, we have policy-driven access control. Now the policy-driven access control is going to develop, manage, and enforce user access policies based on their roles and responsibilities. By defining clear policies, organizations can ensure that users only have access to data that is pertinent to their role in order to reduce the potential for successful data breaches against your organization. Fourth, we have secured zones. Now, secured zones are isolated environments within a network that are designed to house sensitive data. Only users with the appropriate permissions can access these zones and this creates a further layer of protection. Now, in addition to the control plane, we also have something known as the data plane that we have to use to properly implement Zero Trust. While the control plane lays out the policies and procedures, the data plane is going to ensure those policies are being properly executed. The data plane is going to consist of the subject/system, the policy engine, the policy administrator, and the policy enforcement point. First, we have the subject system. The subject/system refers to the individual or entity attempting to gain access. This could be an employee, a workstation, or even a software application. The primary objective is to verify the authenticity of the subject or system before granting access to them to be able to access your sensitive data or systems. Second, we have the policy engine. Once the subject’s identity is verified, the policy engine cross-references the access request with its predefined policies. Think about it like a rule book that determines whether the request aligns with the subject’s permissions. Third, we have the policy administrator. Now the policy administrator is an essential part of the Zero Trust model that’s going to be used to establish and manage the access policies. This is the entity that dictates who gets access to what and ensures that the policies align with the organization’s security protocols and business objectives. Fourth, we have the policy enforcement point. The policy enforcement point is the final step in the process, and this is where the decision to grant or deny access is actually going to be executed. Based on the verification from the subject or system and the policy engine’s determination, the policy enforcement point will then allow or restrict access and it will effectively act as a gatekeeper to the sensitive areas of your systems or networks. So remember, Zero Trust is a cybersecurity approach that assumes no user or system is trusted by default and it requires continuous verification for access to your organization’s resources regardless of the location or origin of your network request. Zero Trust is more than just a security trend though. It really is the acknowledgment from the cybersecurity community that we’re facing an ever-evolving digital landscape where threats can come from outside or inside of your network. While traditional perimeter-based defenses still hold value and should be used, they’re increasingly going to be insufficient on their own to protect your system solely by using the perimeter. So as we navigate an age of remote work, cloud computing, and ever ever-increasing array of devices, Zero Trust principles do offer us a roadmap to creating a more robust and adaptable security posture. By integrating the Zero Trust strategies and using our control planes and data planes, organizations can proactively defend against threats by recognizing that trust is a commodity that must be earned, verified, and continuously reassessed at every enforcement point within your systems and networks.