Cybersecurity controls are mechanisms used to prevent, detect and mitigate cyber threats and attacks. Mechanisms range from physical controls, such as security guards and surveillance cameras, to technical controls, including firewalls and multifactor authentication.
As cyber attacks on enterprises increase in frequency, security teams must continually reevaluate their security controls. A uniform, one-size-fits-all approach to cybersecurity is outdated and ineffective. And, because it is impossible to prevent every attack in the current threat landscape, organizations should rank their assets by their importance to the business and set controls accordingly.
Adding to the challenge, employees are unlikely to follow the rules if stringent controls are applied to every company asset alike. The strength of a control should reflect the value of the asset and the threats it faces. The consequences of an attacker exposing thousands of customers' personal data from a cloud database, for example, are likely to be far greater than those of a single employee's laptop being compromised.
"There are many different ways to apply controls based on the nature of what you're trying to protect," said Joseph MacMillan, author of Infosec Strategies and Best Practices and cybersecurity global black belt at Microsoft. "What is the nature of the threat you're trying to protect against? Is it a malicious actor? Or is it a storm?"
The following excerpt from Chapter 2, "Protecting the Security of Assets," of Infosec Strategies and Best Practices explores the different types of cybersecurity controls, including the varying classes of controls, such as physical or technical, as well as the order in which to implement them.
Securing information assets
This section is all about implementing the appropriate information security controls for assets. I've been thinking about this section for a while, trying to understand how to tackle it best for you.
I know you probably have experience with choosing and implementing controls, and I don't want this section to end up being half of the entire book, just droning on and on about different types of controls or all of the great vendors out there who want to sell you a silver bullet to fix all of your issues. I'm going to go into many different controls and ideologies in the following chapters, anyway.
Instead, in this chapter, I want to make sure that we focus on heavy-hitting, effective ideologies to understand in order to select the appropriate controls, meaning that the asset is considered "secure enough" based on its criticality and classification.
Controls are commonly split into the following classes:
- Administrative/Managerial Controls are the policies and procedures I'm always talking about. They aren't as "cool" as a new software control, but they exist to give structure and guidance to individuals like you, and other members of your organization, ensuring nobody gets fined or causes a breach.
- Physical Controls limit the access to systems in a physical way; fences, CCTV, dogs... and everybody's favorite: fire sprinklers.
- Technical/Logical Controls are those that limit access on a hardware or software basis, such as encryption, fingerprint readers, authentication, or Trusted Platform Modules (TPMs). These don't limit access to the physical systems the way physical controls do, but rather access to the data or contents.
- Operational Controls are those that involve people conducting processes on a day-to-day level. Examples could include awareness training, asset classification, and reviewing log files.
There are far too many specific controls to go into each of them in this chapter. Beyond the Annex A controls of ISO 27001, NIST SP 800-53 Rev 5 (https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final) expands on controls and the categories of controls, and includes control mappings between the ISO 27001 standard and NIST SP 800-53.
What I can cover are the functional types of controls, which you will be able to categorize and apply as mitigation against risk, depending on the threat and your vertical:
- Preventative Controls exist to stop an action from happening, and include firewalls, fences, and access permissions.
- Detective Controls are only triggered during or after an event, such as video surveillance, or intrusion detection systems.
- Deterrents discourage threats from attempting to exploit a vulnerability, such as a "Guard Dog" sign, or dogs.
- Corrective Controls act after an incident to move a system from one state to another, typically from a compromised state back to a known-good one, such as quarantining an infected host or reverting a bad configuration. This is also where the fail-open and fail-closed behavior of a control is decided: whether it permits or blocks when it breaks.
- Recovery Controls get something back after a loss, such as restoring a failed hard drive from backup.
- Compensating Controls are those that attempt to make up for the shortcomings of other controls, such as reviewing access logs regularly. This example is also a detective control, but compensating controls can be of various different types.
Generally, the order in which you would like to place your controls for adequate defense in depth is the following:
- Deter actors from attempting to access something that they shouldn't be.
- Deny/Prevent Access through a preventative control such as access permissions or authentication.
- Detect the event, making sure to log the detection, such as with endpoint protection software.
- Delay the attacker's progress, such as with a "too many attempts" lockout or rate limit on password entry.
- Correct the situation by responding to the compromise, such as with an incident response plan.
- Recover from the compromised state, such as a backup generator restoring availability to a server.
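The Deny, Detect, Delay and Correct steps above can be seen together in a single access check. The following is an added example, not code from the book: a small login gate that denies bad or unknown credentials, records every decision in an audit list, locks an account after repeated failures, and fails closed if the stored credential record is unusable. The thresholds (5 failures, 15-minute lockout) and the use of SHA-256 for password hashing are assumptions chosen for brevity; a production system would use argon2 or bcrypt.

```python
# Added example (not code from the book): a login gate layering the
# Deny/Detect/Delay/Correct steps. SHA-256 hashing and the thresholds below
# are assumptions for illustration only.
import hashlib
import hmac
from dataclasses import dataclass

MAX_FAILURES = 5        # assumption: lock after 5 consecutive failures
LOCKOUT_SECONDS = 900   # assumption: 15-minute lockout (the Delay control)


def hash_password(password: str) -> bytes:
    # Simplified for the example; use argon2/bcrypt in real systems.
    return hashlib.sha256(password.encode()).digest()


@dataclass
class Account:
    username: str
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


class FakeClock:
    """Injectable clock so the lockout can be exercised without waiting."""

    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginGate:
    def __init__(self, accounts: dict, clock) -> None:
        self.accounts = accounts
        self.clock = clock
        self.audit: list = []   # Detect: every decision is recorded here

    def _log(self, event: str, username: str) -> None:
        self.audit.append({"t": self.clock(), "event": event, "user": username})

    def attempt(self, username: str, password: str) -> str:
        """Return 'allowed', 'denied' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Deny: unknown users get the same answer as a bad password,
            # so the response does not reveal which usernames exist.
            self._log("denied", username)
            return "denied"
        if acct.locked_until > now:
            # Delay: while locked, refuse without even checking the password.
            self._log("locked", username)
            return "locked"
        try:
            ok = hmac.compare_digest(acct.pw_hash, hash_password(password))
        except Exception:
            # Fail closed: a broken credential record means deny, never allow.
            self._log("error", username)
            return "denied"
        if ok:
            acct.failures = 0
            self._log("allowed", username)
            return "allowed"
        acct.failures += 1
        self._log("denied", username)
        if acct.failures >= MAX_FAILURES:
            # Correct: move the account into a locked state for a while.
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            self._log("lockout", username)
            return "locked"
        return "denied"


if __name__ == "__main__":
    clock = FakeClock(0.0)
    gate = LoginGate({"alice": Account("alice", hash_password("correct horse"))}, clock)
    for pw in ["correct horse"] + ["wrong"] * MAX_FAILURES + ["correct horse"]:
        print(pw, "->", gate.attempt("alice", pw))
    for entry in gate.audit:
        print(entry)
```

The lockout refuses even the correct password until the window expires, which is the point of a delay control: it slows a guessing attacker to a fixed number of tries per window regardless of how fast they can submit requests.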
Furthermore, in the spirit of continual improvement, we should monitor the value of each asset for any changes, because we may need to rethink the controls protecting an asset if it becomes more or less valuable over time, or after major events at your organization.
Additionally, as a footnote, when we're looking at controls, we should also be thinking about recovery. What I mean is that we want to be able to recover from any adverse situations or changes to assets and their value. Just as examples, we're talking about backups, redundancy, restoration processes, and the like.
A concept to keep in mind, especially in the era of the cloud, SaaS, PaaS, IaaS, third-party solutions, and all other forms of "somebody else's computer" is to ensure that Service-Level Agreements (SLAs) are clearly defined, and have agreements for maximum allowable downtime, as well as penalties for failing to deliver on those agreements. This is an example of a compensating control.
As a consumer of third-party solutions, you'll want to fight for SLAs that reflect your risk appetite. Simultaneously, you'll also want to consider the idea that by chaining those assets together, you are creating a higher level of risk to availability. If just one of the services isn't online, and you can't perform a task, that's a loss of availability. If you're a vendor of cloud services, you need to consider your availability and what can be offered to your customers realistically, and what is required from a commercial perspective.
About the author
Joseph MacMillan is a global black belt for cybersecurity at Microsoft. Most of his work revolves around helping businesses achieve their goals in a secure manner by removing any ambiguity surrounding risk. MacMillan holds various certifications, including the CISSP, CCSP, CISA, CSSLP, AlienVault Certified Engineer and ISO 27001 Certified ISMS Lead Auditor.