Alright, the last time we met we talked about risk and defined administrative, technical and physical controls. Now we're going to wrap up our segment on controls by diving into the following control types: preventive, detective, corrective, deterrent and compensating.
You really need to know these for the exam so I want to make sure you get this.
What do you think preventive controls are?
You already know what these are.
Preventive controls stop incidents before they happen.
Can you think of some examples? What's something a sys admin could do to a server to prevent a security incident from happening?
Well, he could harden the box, right? To harden a server is to make it more secure by uninstalling unnecessary software, disabling unneeded services and accounts, using strong passwords, and avoiding the default configuration. The idea is to shrink the attack surface so it's harder for a bad guy to compromise the box. So, for example, by having a working account disablement policy you could prevent a fired employee from logging back into the system and deleting all the cat videos stored on the accounting department's finance server.
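Here is an added example (not code from the original post) of the "avoid the default configuration" part of hardening: a Python script that reads an sshd_config the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, and anything after a Match line is conditional), reports every setting that is still at a weak or default value, and writes a hardened copy. The sample config and the REQUIRED baseline are this example's own assumptions, not an official benchmark.

```python
"""Audit an sshd_config for default or weak settings and emit a hardened copy.

Added example for the server-hardening discussion above; it is not code from
the original post. The sample config is constructed, and the REQUIRED baseline
is this example's own assumption, not an official benchmark.
"""
import re

# Hardened baseline assumed for this example: keyword -> required value.
REQUIRED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Constructed sample: a near-default sshd_config with a few weak settings.
# The commented-out line is NOT in effect; the live 'yes' below it is.
SAMPLE_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 10
Subsystem sftp /usr/lib/openssh/sftp-server
"""


def _keyword(line):
    """Lower-cased keyword of a config line, or '' for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return ""
    return re.split(r"[\s=]+", line, maxsplit=1)[0].lower()


def parse_sshd_config(text):
    """{keyword: value} for the global section, following sshd's own rules:
    the FIRST occurrence of a keyword wins, and everything after a Match line
    is conditional, so parsing stops there."""
    settings = {}
    for line in text.splitlines():
        key = _keyword(line)
        if key == "match":
            break
        if key:
            parts = re.split(r"[\s=]+", line.strip(), maxsplit=1)
            settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit(text, required=REQUIRED):
    """List (keyword, found, required) for every baseline keyword that is
    missing or wrong. found=None means the keyword is absent, so sshd's
    compiled-in default applies: exactly the default configuration to avoid."""
    settings = parse_sshd_config(text)
    return [(key, settings.get(key.lower()), want)
            for key, want in required.items()
            if (settings.get(key.lower()) or "").lower() != want.lower()]


def harden(text, required=REQUIRED):
    """Return the config with every baseline keyword forced to its required
    value. The first occurrence is rewritten and later duplicates are dropped
    (first-wins means they were inert, but they mislead the next admin);
    absent keywords are inserted before the first Match line so they stay
    global rather than becoming conditional."""
    wanted = {k.lower(): (k, v) for k, v in required.items()}
    out, seen, match_at = [], set(), None
    for line in text.splitlines():
        key = _keyword(line)
        if key == "match" and match_at is None:
            match_at = len(out)
        if match_at is None and key in wanted:
            if key not in seen:
                seen.add(key)
                name, value = wanted[key]
                out.append(f"{name} {value}")
            continue  # drop duplicate occurrences of a baseline keyword
        out.append(line)
    missing = [f"{name} {value}" for key, (name, value) in wanted.items()
               if key not in seen]
    insert_at = len(out) if match_at is None else match_at
    out[insert_at:insert_at] = missing
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for keyword, found, want in audit(SAMPLE_CONFIG):
        print(f"{keyword}: found {found!r}, want {want!r}")
    print(harden(SAMPLE_CONFIG))
```

The first-wins rule is the practical gotcha here: appending `PermitRootLogin no` to the bottom of a file that already says `PermitRootLogin yes` changes nothing, which is why the script rewrites the existing line instead of adding a new one. Run `sshd -t` on the result before restarting the service.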
Haha. Okay, enough cat jokes.
Another way to prevent an incident is to have a robust change control process in place. You simply can't run an IT department like the Wild West and expect it to function. I know some places do this (heck, I worked in one) and although it's liberating to make your own decisions without approval, it can result in chaos very quickly. You need a way to control changes in the organization through an appropriate chain of command, and that's what the change control process does (or at least tries to do).
Detective controls are in place to detect incidents as they happen or after the fact.
Preventive controls are proactive; detective controls are reactive.
So for example, some large organizations have a team of security analysts known as the Blue Team. These guys might sit in front of a Splunk or ArcSight console monitoring logs from thousands of systems, correlating events and trying to detect evidence of intrusion. I worked on a team like this for a large client and it was one of the most awesome experiences I ever had. The network was so large that I always had a new adventure to jump into when I came into work.
The point here is that log monitoring should make it easy to detect an event when it happens.
By reviewing firewall, web server, and DHCP logs an experienced analyst can tell if something is amiss.
You can also look for trends. Trend analysis might reveal a consecutive range of IP addresses being probed from one source, say web server logs showing requests that carry Nmap's user agent string. Then, a few minutes later, you see a port scan coming in from the same source IP address against the same target IPs.
What does this mean?
Well, a ping sweep followed by a port scan is evidence of a mounting attack. The bad guys are doing reconnaissance on your network and looking for a way in. Trend analysis, correlating events from the same source over time instead of judging each alert in isolation, helps you see danger as it develops so you can take appropriate action.
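As an added example (not code from the original post) of the trend analysis just described: the script below groups constructed firewall drop logs by source address and raises one alert when a source that ping-swept a range of hosts then port-scans one of those hosts a few minutes later, while ordinary traffic stays quiet. The log format, every line in it, and the thresholds are assumptions made for the example.

```python
"""Trend analysis over firewall logs: flag a source that ping-sweeps a range
of hosts and then port-scans one of them.

Added example for the detective-control discussion above; it is not code from
the original post. The log format and every line in it are constructed for
this example, and the thresholds are assumptions to tune for a real network.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SWEEP_MIN_HOSTS = 5             # distinct hosts pinged before we call it a sweep
SCAN_MIN_PORTS = 10             # distinct ports on one host before we call it a scan
WINDOW = timedelta(minutes=10)  # the sweep must precede the scan within this window
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed firewall drop log (key=value style, not any vendor's format).
    203.0.113.7 pings 10.0.0.1-6, then walks 12 ports on 10.0.0.3 three minutes
    later. The other two sources are ordinary noise that must not be flagged."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)

    def line(t, src, dst, rest):
        return f"{t.strftime(TS_FMT)} DROP src={src} dst={dst} {rest}"

    lines = []
    for i in range(1, 7):  # the ping sweep across 10.0.0.1-6
        lines.append(line(t0 + timedelta(seconds=i), "203.0.113.7",
                          f"10.0.0.{i}", "proto=ICMP type=8"))
    for j, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389]):
        lines.append(line(t0 + timedelta(minutes=3, seconds=j), "203.0.113.7",
                          "10.0.0.3", f"proto=TCP dpt={port}"))
    for k in range(3):  # a monitoring host pinging one server: benign
        lines.append(line(t0 + timedelta(minutes=k), "10.0.0.50",
                          "10.0.0.1", "proto=ICMP type=8"))
    for k in range(20):  # a client retrying HTTPS to one host: benign
        lines.append(line(t0 + timedelta(seconds=7 * k), "198.51.100.9",
                          "10.0.0.3", "proto=TCP dpt=443"))
    return lines


def parse_line(text):
    """Turn one log line into a dict; key=value pairs are kept as strings."""
    ts, action, *pairs = text.split()
    rec = {"ts": datetime.strptime(ts, TS_FMT), "action": action}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def find_recon(lines):
    """One alert per (src, dst) pair that shows a port scan, labelled a recon
    sequence when the same source ping-swept a range of hosts that includes
    dst within WINDOW before the scan began. Anything else stays quiet."""
    records = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    pings = defaultdict(list)   # src -> [(ts, dst)] for ICMP echo requests
    probes = defaultdict(list)  # (src, dst) -> [(ts, port)] for TCP attempts
    for r in records:
        if r.get("proto") == "ICMP" and r.get("type") == "8":
            pings[r["src"]].append((r["ts"], r["dst"]))
        elif r.get("proto") == "TCP" and "dpt" in r:
            probes[(r["src"], r["dst"])].append((r["ts"], r["dpt"]))

    alerts = []
    for (src, dst), hits in probes.items():
        ports = {port for _, port in hits}
        if len(ports) < SCAN_MIN_PORTS:
            continue  # many hits on a few ports is just traffic, not a scan
        scan_start = min(ts for ts, _ in hits)
        swept = {d for ts, d in pings[src]
                 if scan_start - WINDOW <= ts <= scan_start}
        is_sequence = len(swept) >= SWEEP_MIN_HOSTS and dst in swept
        alerts.append({
            "src": src, "scanned_host": dst, "ports": len(ports),
            "swept_hosts": len(swept), "scan_start": scan_start,
            "kind": "recon sequence (sweep then scan)" if is_sequence else "port scan",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_recon(build_sample_log()):
        print(alert)
```

The correlation is the whole point: the port scan alone would fire as a generic "port scan" alert, but tying it back to a sweep from the same source a few minutes earlier is what tells the analyst an attacker is working through a plan rather than a misconfigured host making noise. In a SIEM the same logic is a two-stage correlation rule keyed on the source address.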
So preventive controls are proactive, detective controls are reactive, and corrective controls are your clean-up controls. After a breach has occurred you need a way to get the business running back to normal.
Restoring from backups after a ransomware incident is a good example of a corrective control; blocking further requests from a hostile IP address after it has attacked a web server is another.
Some controls are in place simply to make your network look less appetizing to hungry hackers. These are known as deterrent controls.
For example, posting a bunch of buff security guards holding big heavy machine guns will make anyone think twice before trying to piggyback into the building, and cable locks on monitors discourage poor employees from stealing company assets and selling them on eBay.
The last control type we need to talk about here is compensating controls.
Think of a compensating control as an alternative control you use when the primary control isn't available or can't be implemented. So a physical control for a data center server room might be a keypad, but the compensating control could be a siren. If an attacker disables or removes the keypad, a siren blares and lights start flashing until the bad guy gets the heck out of there.
Alright, so that's it for controls. Make sure you take notes. If you've been following the training in order, step by step, then you are on the right path!
Next week we'll look at virtualization, so you definitely don't want to miss that. And don't forget to join our newsletter. If you liked this article you'll love our newsletter: we'll send you more stuff like this, including test prep content that isn't on the main site. So make sure you check that out.
I'll see you next week.
Join our FREE mailing list to get FREE Security+ training online. You'll get tons of Security+ videos, braindump PDFs, lab simulations and more.
Pop in your first name and best email address and we'll send you:
The latest updates on the CompTIA Security+ SY0-501 exam
Proven tips and tricks for passing the exam
Hands on video labs with complete step-by-step walk-throughs