Security+ Training Online | Risk and Controls (1/2)

controls risk Jan 22, 2018

At this point should know what confidentiality, integrity and availability are.  If not, make sure you jump back into those topics for you dig into this beast.

Before we talk about the super awesome stuff related to firewalls, vulnerabilities and hacking we need to talk about risk.

In this guide we're going to look at the following items:

  • Risk (what it is)
  • How to reduce risk using various controls
  • Technical, Administrative and Physical Controls
  • Preventive vs Detective Controls
  • Deterrent, Corrective and Compensating Controls

I know that looks like a lot but once you get through this you'll ba step ahead of the rest.

What exactly is Risk anyway?

How would would you describe sky diving in terms of risk? Is too risky?

I actually went skydiving with my girlfriend (now wife) a few years ago and it was one of the most exhilarating experiences I ever had.  I think part of the reason for that is because there is a possibility of danger... there's a chance you could die!

I don't know why risk makes skydiving so fun but it did.  It honestly scared the crap out of me.  

Now when it comes to cybersecurity risk we are talking about the likelihood of a something taking advantage of some weakness in your organization. 

This is risk: what's the probability of a threat actor seizing a vulnerability in your infrastructure?  How realistic is it that a hacker could delete all the tables in the payroll database?

That's risk.

The weaknesses in the company are known as vulnerabilities.  These could be bone headed humans that click on any link you send them or it could be a Windows XP box sitting in your DMZ that's waiting to get attacked.

In either case. there is a weakness that needs to be address.  The thing that's responsible for taking advantage of the vulnerability is known as a threat actor or threat agent and the way the threat actor does his dirty work is known as exploitation.

So the proper way to describe this would be to say that threat actors try to exploit vulnerabilities in their victims network architecture and the risk to the organization is how realistic a specific attack is.  How feasible is it that the bad guys could infect your CEO with malware and take control of his system?

That's risk.

Okay, I hope that makes sense.

The bad guy could be in North Korea or Iran or he would reside in your company.  Heck, he could even be a really pissed off employee who is mad that he didn't get a promotion he was promised.  This is known as an evil insider and if the threat actor is able to successfully compromise a system or damage the confidentiality, integrity or availability of a network resource, then security team would have a security incident to deal with.

That's what an incident is.  I used to work these at one of my former jobs and I can tell you it can be very stressful. (especially in the heat of the moment)

Since risk is a reality businesses try to reduce risk through risk mitigation strategies.  The Chief Information Security Officer (CISO) might implement various countermeasures to offset the possibility of disaster striking.  For example, he might install technical controls such as a new firewall or he might implement stronger security training policies as administrative controls.

We're going to dig into the controls you need to know for the exam alright?  Let's jump in.

  • Technical
  • Administrative
  • Physical Controls

Technical Controls (The hardware!)

Technical controls are all about the hardware.  You know - all the cool stuff.

So let's start at the host level.  If a system administrator installs Windows 10 for an end user she might make sure Windows Defender is enabled and she might install McAfee ePO to make sure the host is protected from malware.  In this case, McAfee is antivirus technical control.  She could also make sure the end user doesn't have permission (or isn't authorized) to uninstall McAfee.  This is basically what the principle of least privilege is.  It means end users only have just enough rights and permissions to do their jobs but never more.  Excessive permissions are off limits.

Our scrupulous admin might also decide to encrypt the entire hard drive to prevent an attacker from booting the system from a Linux LiveCD and accessing sensitive files from the disk.  Something like BitLocker Full Disk Encryption could provide another technical control to secure the Windows 10 host.

The administrator might also make sure various hardware intrusion prevention systems and network firewalls are properly configured and protecting the end user workstation from various threats.

These are technical controls.  Now worries there right?

Administrative Controls (Policies)

Administrative controls are just policies put in place by management to make sure the day-to-day operations of the company align with its security requirements.  

So for example, management might pay for an external security firm to conduct a penetration test of several critical web servers. 

A penetration test (also known as a pen-test) is when an organization grants a security firm specific permission to hack specific servers in a specific way for a specific amount of time.  I keep saying specific because it is

Hacking without permission is illegal, hacking with permission is a pen-test.

Conversely, a vulnerability assessment is less involved.  Usually the testing team scans the target sites for vulnerabilities and reports them to management.  The difference here is that the testing team won't actually try to exploit any weaknesses.  Penetration testers take it to another level by actively trying to compromise vulnerable hosts.

Okay, I hope that makes sense.

In both cases, management is trying to risk levels for the organization.  These risk assessments can give leadership a better idea of the threats they face and how susceptible they are to being breached. (and ending up on the front page of the Wall Street Journal because they got p0wnd)

P0wnd = Hacked in case you didn't know.

Anyway, administrative controls are really important and it includes everything from security awareness training to media protection.  It includes everything from change control management to contingency planning.  

Employees need to be aware of how attackers might target them so security awareness training can keep employees sharp and ready to report evil when they see it.  Media protection can establish policies that prohibit the use of plugging in USB drives or external hard drives.  

Change control management is critical because if companies don't control changes then anyone can make any change without approval.  This is really bad because, well it means anyone can create a mess and there's no accountability for it.  So you need change control administrative controls.  And that's what contingency planning does: it's whee management tries to reduce the impact of an adverse event in the organization. 

So these things may not be as cool as hardware but they are just as important.

Physical Controls (stuff you can touch)

The last control in this regard are Physical Controls.  This refers to security guards, security cameras, fences, locks, key pads and all that cool 007 James Bond stuff that's used to keep bad guys out of server rooms.  Administrative and Technical Controls are kind of useless if I can just walk into your server room and steal the firewall right? 

Alright so how are you doing so far?  Hanging in there?

In the next article we'll talk about the remaining controls you need to know about then we'll dive into virtualization before finishing off with some really kick ass command line tricks.

It's all coming up so hang in there!  You're going to pass this exam.

See you next week.

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Cras sed sapien quam. Sed dapibus est id enim facilisis, at posuere turpis adipiscing. Quisque sit amet dui dui.

Call To Action

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.