1
00:00:00,005 --> 00:00:02,007
- [Instructor] Security professionals spend the majority

2
00:00:02,007 --> 00:00:05,004
of their time designing, implementing,

3
00:00:05,004 --> 00:00:08,005
and managing security controls as countermeasures

4
00:00:08,005 --> 00:00:12,000
to the risks they identify during risk assessments.

5
00:00:12,000 --> 00:00:14,004
Security controls are the procedures

6
00:00:14,004 --> 00:00:17,002
and mechanisms that an organization puts in place

7
00:00:17,002 --> 00:00:20,005
to address security risks in some manner.

8
00:00:20,005 --> 00:00:22,009
This might include trying to reduce the likelihood

9
00:00:22,009 --> 00:00:25,000
of a risk materializing,

10
00:00:25,000 --> 00:00:28,000
minimizing the impact of a risk if it does occur,

11
00:00:28,000 --> 00:00:30,009
or detecting security issues that take place.

12
00:00:30,009 --> 00:00:34,000
Before we move into the area of cybersecurity,

13
00:00:34,000 --> 00:00:35,006
let's think for a moment about the way

14
00:00:35,006 --> 00:00:37,006
that you secure your home.

15
00:00:37,006 --> 00:00:41,007
You probably use a variety of different security controls.

16
00:00:41,007 --> 00:00:43,005
You certainly have locks on your doors

17
00:00:43,005 --> 00:00:46,001
and windows designed to keep out intruders,

18
00:00:46,001 --> 00:00:48,002
minimizing the risk of a burglary.

19
00:00:48,002 --> 00:00:50,000
That's just common sense.

20
00:00:50,000 --> 00:00:52,002
You might also have a burglar alarm designed

21
00:00:52,002 --> 00:00:54,001
to detect intrusions,

22
00:00:54,001 --> 00:00:57,006
security cameras to record activity inside your home,

23
00:00:57,006 --> 00:01:00,001
automatic light switches to deter a burglar

24
00:01:00,001 --> 00:01:02,003
by simulating human activity,

25
00:01:02,003 --> 00:01:04,008
and any number of other controls.
26
00:01:04,008 --> 00:01:07,000
In fact, even asking your neighbor

27
00:01:07,000 --> 00:01:09,000
to bring in your mail is an example

28
00:01:09,000 --> 00:01:10,008
of a security control.

29
00:01:10,008 --> 00:01:12,007
Some of these controls are designed

30
00:01:12,007 --> 00:01:15,001
to achieve the same purpose,

31
00:01:15,001 --> 00:01:17,006
or in the language of security professionals,

32
00:01:17,006 --> 00:01:19,009
the same control objective.

33
00:01:19,009 --> 00:01:22,002
For example, both a burglar alarm

34
00:01:22,002 --> 00:01:24,000
and security cameras are designed

35
00:01:24,000 --> 00:01:25,007
to detect intruders.

36
00:01:25,007 --> 00:01:28,003
We sometimes use more than one control

37
00:01:28,003 --> 00:01:30,005
to achieve the same objective

38
00:01:30,005 --> 00:01:33,006
because we want to be sure that we remain secure,

39
00:01:33,006 --> 00:01:35,009
even if one control fails.

40
00:01:35,009 --> 00:01:38,000
If a burglar manages to open a window

41
00:01:38,000 --> 00:01:40,001
without setting off the burglar alarm,

42
00:01:40,001 --> 00:01:43,006
he or she may still be caught on your security cameras.

43
00:01:43,006 --> 00:01:47,000
This is known as the defense in depth principle,

44
00:01:47,000 --> 00:01:50,001
applying multiple overlapping controls

45
00:01:50,001 --> 00:01:53,002
to achieve the same security objective.

46
00:01:53,002 --> 00:01:55,004
Security professionals use a variety

47
00:01:55,004 --> 00:01:59,005
of different categories to group similar security controls.

48
00:01:59,005 --> 00:02:01,001
We'll talk about two different ways

49
00:02:01,001 --> 00:02:03,007
to categorize security controls.

50
00:02:03,007 --> 00:02:07,006
First, we'll discuss grouping controls by their purpose,

51
00:02:07,006 --> 00:02:10,004
whether they are designed to prevent, detect,

52
00:02:10,004 --> 00:02:12,007
or correct security issues.
53
00:02:12,007 --> 00:02:15,005
Then we'll discuss them by their mechanism of action,

54
00:02:15,005 --> 00:02:17,002
the way that they work.

55
00:02:17,002 --> 00:02:20,001
This approach groups controls into the categories

56
00:02:20,001 --> 00:02:24,007
of technical, management, and operational controls.

57
00:02:24,007 --> 00:02:26,008
Preventive controls are designed

58
00:02:26,008 --> 00:02:30,005
to stop a security issue from occurring in the first place.

59
00:02:30,005 --> 00:02:33,006
A firewall that blocks unwanted network traffic

60
00:02:33,006 --> 00:02:36,005
is an example of a preventive control.

61
00:02:36,005 --> 00:02:40,001
Detective controls identify potential security breaches

62
00:02:40,001 --> 00:02:42,006
that require further investigation.

63
00:02:42,006 --> 00:02:44,008
An intrusion detection system that searches

64
00:02:44,008 --> 00:02:47,006
for signs of network breaches is an example

65
00:02:47,006 --> 00:02:49,004
of a detective control.

66
00:02:49,004 --> 00:02:52,003
Corrective controls remediate security issues

67
00:02:52,003 --> 00:02:54,001
that have already occurred.

68
00:02:54,001 --> 00:02:55,009
If an attacker breaks into a system

69
00:02:55,009 --> 00:02:58,003
and wipes out critical information,

70
00:02:58,003 --> 00:03:01,004
restoring that information from backup is an example

71
00:03:01,004 --> 00:03:03,003
of a corrective control.

72
00:03:03,003 --> 00:03:05,007
The second way we can categorize controls is

73
00:03:05,007 --> 00:03:08,000
by their mechanism of action.

74
00:03:08,000 --> 00:03:12,002
This groups controls as either technical, operational,

75
00:03:12,002 --> 00:03:14,003
or management controls.

76
00:03:14,003 --> 00:03:18,000
Technical controls are exactly what the name implies,

77
00:03:18,000 --> 00:03:22,001
the use of technology to achieve security objectives.
78
00:03:22,001 --> 00:03:23,007
Think about all of the components

79
00:03:23,007 --> 00:03:27,009
of an IT infrastructure that perform security functions.

80
00:03:27,009 --> 00:03:31,005
Firewalls, intrusion prevention systems,

81
00:03:31,005 --> 00:03:35,008
encryption software, data loss prevention technology,

82
00:03:35,008 --> 00:03:38,007
and antivirus packages are all examples

83
00:03:38,007 --> 00:03:41,004
of technical security controls.

84
00:03:41,004 --> 00:03:44,001
Operational controls include the processes

85
00:03:44,001 --> 00:03:46,005
that we put in place to manage technology

86
00:03:46,005 --> 00:03:48,000
in a secure manner.

87
00:03:48,000 --> 00:03:49,006
These include many of the tasks

88
00:03:49,006 --> 00:03:52,007
that security professionals carry out each day,

89
00:03:52,007 --> 00:03:56,007
such as user access reviews, log monitoring,

90
00:03:56,007 --> 00:03:58,007
performing background checks,

91
00:03:58,007 --> 00:04:01,006
and conducting security awareness training.

92
00:04:01,006 --> 00:04:03,000
It's sometimes a little tricky

93
00:04:03,000 --> 00:04:04,007
to tell the difference between technical

94
00:04:04,007 --> 00:04:06,009
and operational controls.

95
00:04:06,009 --> 00:04:09,004
If you get an exam question on this topic,

96
00:04:09,004 --> 00:04:12,006
one trick is to remember that operational controls

97
00:04:12,006 --> 00:04:15,002
are carried out by individuals,

98
00:04:15,002 --> 00:04:17,006
while technical controls are carried out

99
00:04:17,006 --> 00:04:19,001
by technology.

100
00:04:19,001 --> 00:04:22,001
For example, a firewall enforcing rules

101
00:04:22,001 --> 00:04:24,001
is a technical control,

102
00:04:24,001 --> 00:04:27,005
while a system administrator reviewing firewall logs

103
00:04:27,005 --> 00:04:29,007
is an operational control.

104
00:04:29,007 --> 00:04:32,005
Management controls are focused on the mechanics

105
00:04:32,005 --> 00:04:34,008
of the risk management process.
106
00:04:34,008 --> 00:04:38,001
For example, one common management control

107
00:04:38,001 --> 00:04:40,001
is conducting regular risk assessments

108
00:04:40,001 --> 00:04:43,001
to identify the threats, vulnerabilities,

109
00:04:43,001 --> 00:04:45,005
and risks facing an organization

110
00:04:45,005 --> 00:04:48,000
or a specific information system.

111
00:04:48,000 --> 00:04:50,003
Other management controls include conducting

112
00:04:50,003 --> 00:04:52,002
regular security planning

113
00:04:52,002 --> 00:04:54,007
and including security considerations

114
00:04:54,007 --> 00:04:57,003
in an organization's change management,

115
00:04:57,003 --> 00:04:58,008
service acquisition,

116
00:04:58,008 --> 00:05:01,005
and project management methodologies.

117
00:05:01,005 --> 00:05:03,000
Of course, there's no such thing

118
00:05:03,000 --> 00:05:04,008
as a perfect control;

119
00:05:04,008 --> 00:05:07,009
that's why we follow the defense in depth principle.

120
00:05:07,009 --> 00:05:10,006
We need to design our security controls

121
00:05:10,006 --> 00:05:13,005
so the organization remains secure,

122
00:05:13,005 --> 00:05:15,009
even if a control fails.

123
00:05:15,009 --> 00:05:19,003
There are two main ways that a control can fail.

124
00:05:19,003 --> 00:05:22,004
First, a false positive error occurs

125
00:05:22,004 --> 00:05:24,009
when a control triggers in a situation

126
00:05:24,009 --> 00:05:26,006
where it should not.

127
00:05:26,006 --> 00:05:29,006
For example, a false positive would occur

128
00:05:29,006 --> 00:05:31,003
when a detective control,

129
00:05:31,003 --> 00:05:33,001
such as an intrusion detection system

130
00:05:33,001 --> 00:05:37,001
or antivirus software, issues a false alarm,

131
00:05:37,001 --> 00:05:40,009
reporting a security issue when none is taking place.
132
00:05:40,009 --> 00:05:42,009
False positives are dangerous

133
00:05:42,009 --> 00:05:44,007
because they reduce the confidence

134
00:05:44,007 --> 00:05:47,009
that security administrators have in the control

135
00:05:47,009 --> 00:05:49,009
and sometimes lead to administrators

136
00:05:49,009 --> 00:05:53,000
ignoring future alerts from the system.

137
00:05:53,000 --> 00:05:56,004
False negative errors occur when a control fails

138
00:05:56,004 --> 00:05:59,007
to trigger in a situation where it should.

139
00:05:59,007 --> 00:06:02,005
Returning to the examples of intrusion detection systems

140
00:06:02,005 --> 00:06:06,006
and antivirus software, a false negative error would occur

141
00:06:06,006 --> 00:06:09,006
if an actual security incident takes place

142
00:06:09,006 --> 00:06:12,000
and the system fails to detect it,

143
00:06:12,000 --> 00:06:15,003
giving the administrator a false sense of security.