Security controls can be physical or logical: policies, training, techniques, methodologies, action plans, devices and customised solutions put in place to prevent, detect and respond to intrusions and to minimise the security risk to an individual's or organisation's information systems.
This article explores the basics of security controls, the different types of security controls, and the standard information security controls in use today.
What is security control?
A security control is a safeguard or countermeasure that an organisation puts in place to protect data and sensitive information from intrusion and cyber attacks, and to reduce or mitigate existing security risks and threats to critical assets (data, systems, networks or cloud services).
Antivirus software, host-based IDS, SIEM solutions, hardware or software firewalls, surveillance systems, security guards, smart door locks and cloud access security brokers (CASBs) are all examples of security controls.
Confidentiality, Integrity and Availability
The CIA triad (confidentiality, integrity and availability) is the core of information security principles. Data protection risk is assessed in terms of the likelihood and impact of an attack on each of these three properties, and the security controls that protect data are validated and improved against the same three principles.
What is the purpose of security controls?
Appropriate cyber security controls are fundamental to reducing both the likelihood and the impact of security incidents. They also help ensure that the actions needed to maintain the confidentiality, integrity and availability of the business's proprietary information are in place.
Beyond protecting against cyber threats, security controls help organisations avoid the fines that regulators can impose under laws such as the General Data Protection Regulation (GDPR), where a breach ending in the exposure of personal data can attract penalties of up to 20 million euros or 4% of global annual turnover, whichever is higher.
Data protection regulators publish guidance and make it mandatory for organisations to implement relevant information security controls to protect data and assets.
The pandemic and the exponential growth of online business have changed the threat landscape. According to the statistics cited, 77% of large enterprises that rely on network-connected devices for their day-to-day activity reported a 67% increase in cyber attacks in 2020, and 83% of businesses encounter phishing emails daily. These factors have driven the average cost of a data breach to 3.86 million globally.
Alongside the rising attack rate, the expanding technology landscape (advanced IoT devices, 5G deployment) keeps exposing new threats and vulnerabilities, frequently in the form of zero-day vulnerabilities.
What are the categories of security controls?
Security controls are commonly grouped into three primary classes according to how security is provided:
- Management security controls
- Operational security controls
- Physical security controls
What are the types of security controls?
In the cyber security domain, a variety of security controls help protect business assets. Broadly, cyber security controls are classified by function into three types:
- Preventive Controls
- Detective Controls
- Corrective Controls
However, according to their nature and characteristics, the same controls can also be categorised as:
- Physical Controls
- Technical Controls
- Administrative Controls
- Deterrent Controls
- Compensating Controls
- Regulatory Controls
Now, let's look at each of these information security controls individually.
Cybersecurity controls examples
The following section describes each control type, followed by examples of cyber security controls:
Preventive Controls: Preventive controls are countermeasures that stop a cyber event before it occurs by limiting the conditions that allow it to happen.
Examples of preventive controls include antivirus software, software firewalls, blocking malicious traffic and blocking unauthorised access.
Detective Controls: Detective controls are countermeasures that identify cyber events as they happen and notify the responsible parties of the event or suspicious activity in real time.
Log monitoring, security alerts, intruder alarms, SIEM solutions and video surveillance are examples of detective controls.
Corrective Controls: Corrective controls are countermeasures that every organisation should have in place in advance: the actions and plans that reduce the impact and damage of a data breach or other cyber incident. They are response and recovery controls that let the business continue operating with minimum downtime.
Incident response plans and backups are examples of corrective controls.
Physical Controls: Physical controls prevent unauthorised physical access and improve the physical security of sensitive assets and data.
Depending on the implementation, physical controls include physical keys, security guards, perimeter fences, surveillance cameras, intrusion detection sensors, access control cards, digital access cards, biometric access controls, motion or thermal alarm systems and related physical security systems.
Technical Controls: Technical controls, sometimes called logical controls, use technical measures to mitigate risk and reduce exposure to vulnerabilities. They can be automated software tools, technical configuration or hardware devices, depending on the countermeasure.
Primary examples include network traffic filters that block malicious traffic or control inbound and outbound flows, access control lists on routers, firewalls, servers and hosts that govern access to devices and networks, and secure configuration that governs operation and access.
Other mechanisms used as technical controls include user authentication, password management, data encryption, antivirus and anti-malware software, software firewalls, SIEM (Security Information and Event Management), IDS (Intrusion Detection Systems), IPS (Intrusion Prevention Systems), network authentication and file integrity auditing software. An IDS, for example, is a technical control that detects policy violations and raises an alert when one is observed; it does not itself block the activity, which is the job of an IPS or a firewall.
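As an added example (not code from the original article), here is a minimal file integrity monitor in Python of the kind the paragraph above lists under technical controls: it records a SHA-256 baseline of a directory tree and later reports files that were modified, added or removed. The directory layout, file contents and the simulated tampering in demo() are all constructed for the demo and do not refer to any real system.

```python
"""File integrity monitoring: an added example, not code from the original article.

Builds a SHA-256 baseline of a directory tree and later reports files that were
modified, added or removed, which is what FIM tools do at their core.
The directory layout, file contents and the simulated tampering in demo() are
constructed for the demo and do not refer to any real system.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 64 * 1024   # hash in chunks so large binaries are not read into memory at once


def sha256_of(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (path relative to root, POSIX style) to its digest and size.
    Symlinks are skipped so a link pointing outside the tree cannot smuggle in content."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return baseline


def compare(baseline, current):
    """Return the three change classes a FIM alert distinguishes."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k]["sha256"] != current[k]["sha256"]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo():
    """Take a baseline of a constructed tree, tamper with it, and diff the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sudoers").write_text("root ALL=(ALL) ALL\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF placeholder binary")
        # Serialise the baseline the way a real tool would store it out-of-band.
        stored = json.dumps(build_baseline(root), sort_keys=True)
        # Simulated tampering: a UID-0 backdoor account, a cron persistence file, a deleted binary.
        (root / "etc" / "passwd").write_text(
            "root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/root:/bin/bash\n")
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "persist").write_text("* * * * * root /tmp/.x\n")
        (root / "bin" / "ls").unlink()
        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the modified, added and removed paths from the simulated tampering. In production the baseline must live somewhere the monitored host cannot silently overwrite (a read-only location or a central server); otherwise an attacker with root can rewrite the files and the baseline together, and the control detects nothing.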
Administrative Controls: Administrative controls are the security measures associated with the human factor: the procedures, policies, awareness, training, guidelines, best practices, frameworks and standards that the organisation and its employees follow to meet the business's security goals.
These controls address how well the organisation and its people understand security and are prepared to prevent, detect and correct cyber incidents at their defined level. They include resource management, the disaster recovery plan, security training, building a security culture and policies that follow the business objectives, risk remediation and related activities.
Deterrent Controls: Deterrent controls reduce the likelihood of a deliberate attack and are usually a tangible object or person, such as a visible security guard or warning signage. They discourage individuals from causing an incident rather than physically stopping them.
Compensating Control: Compensating controls are countermeasures used as a substitute, often temporarily, when a required security measure cannot be implemented, so that business risk is still reduced. They are typically used because of financial limitations, infrastructure complexity, impractical implementation or a limited remediation time frame.
Regulatory Security Controls: Regulatory controls are the countermeasures that laws, regulations and standards such as PCI DSS, GDPR, HIPAA and ISO 27001 require in order to meet compliance obligations. They include organisational policies addressing data security and protection, individual privacy, security awareness and security assessments.
What are common security controls?
Numerous security control frameworks, standards and best-practice guidelines help organisations identify and remediate vulnerabilities through the implementation of security controls. Some of the common frameworks are:
National Institute of Standards and Technology (NIST) Framework – Special Publication 800-53
NIST publications help organisations of all sizes judge whether their security controls are implemented correctly, operating as intended and producing the desired outcome (the definition of a control assessment used in NIST SP 800-53A). NIST guidance also helps organisations understand and manage security risk while preventing, detecting and responding to cyber attacks.
NIST publishes several documents on managing cyber risk and attacks. One of them is NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, a catalogue of security and privacy controls originally written for US federal information systems and now widely used elsewhere. NIST standards and procedures help organisations select cost-effective controls to protect their data and assets.
Center for Internet Security (CIS) Top 18
The Center for Internet Security (CIS) is a non-profit organisation whose CIS Controls are a prioritised set of 18 cyber security best practices that help small, mid-sized and large businesses protect their information systems and reduce their attack surface against internet-borne and physical threats.
The CIS Controls provide practical, cost-effective, real-world risk management measures that make information systems and assets resilient against known and unknown attacks. The 18 prioritised controls give an organisation a solid foundation; implementing them appropriately matures the security posture and mitigates multiple attack vectors.
Cyber Essentials Scheme
Cyber Essentials is a UK government-backed scheme issued by the National Cyber Security Centre (NCSC). It helps organisations from small businesses to large enterprises protect themselves against the most common cyber attacks through five basic information security control areas. Adhering to the five control areas uplifts an organisation's security posture and reduces its risk. The five control areas are:
- Firewalls (boundary firewalls and internet gateways)
- Secure configuration
- User access control
- Malware protection
- Patch management (security update management)
Cyber Essentials Plus, the higher level of certification, covers the same five control areas but verifies them through an independent technical audit rather than self-assessment.
Control Objectives for Information and Related Technologies (COBIT)
COBIT is a framework of information system and technology controls created by ISACA for the governance and management of enterprise IT. It offers practical guidance, training, resources and best practices to improve an organisation's IT governance and, through it, its online and physical security.
The COBIT framework aligns IT objectives with business requirements, provides practical management guidance for each IT process, assigns responsibilities, and helps address gaps with cost-effective solutions and capabilities.
PAS 555
PAS 555 is another cyber security framework, published by the British Standards Institution (BSI). Unlike most other frameworks, it covers physical, behavioural, governance and cultural guidance alongside the technical aspects. As a result, it is particularly helpful for identifying security control gaps and potential weak points across an organisation's information systems and supply chain.
PAS 555 applies to businesses of all sizes and sectors, including SMBs, startups, large enterprises, the public sector, non-profits and commercial organisations. It builds business resilience by improving cyber security plans, incident response and management plans, remediating risk and providing adaptable approaches to embedding security requirements into business processes.
Minimum Cyber Security Standard (MCSS)
The Minimum Cyber Security Standard (MCSS) was introduced by the UK government in 2018 and is aligned with the five functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond and Recover). It mandates that all government departments and agencies incorporate relevant security controls around these five functions in their business strategy.
The MCSS sets the minimum security requirements that government departments must meet, and it also serves as a useful baseline for organisations of any size seeking a sound security posture.
Security Controls Assessment
A security control assessment helps an organisation analyse its security gaps and attack surface and determine its current security position. From the results, management and security teams can design customised controls. There is no single mandated method for a security control assessment.
By evaluating the results across preventive, detective, corrective and technical controls, the assessor determines whether the current measures are operating as intended. Security control testing also evaluates the overall Information Security Management System (ISMS) and whether it is adequate to combat cyber attacks and resilient to security incidents.
Depending on its size and business nature, an organisation can follow industry best practices, frameworks and standards to conduct the assessment, or build its own assessment procedure around the following critical steps.
Step 1: Determine the target network
First, decide which systems' security controls you want to evaluate. Then build an inventory of all IP addresses, information systems and devices connected to the organisation's network and infrastructure.
Step 2: Determine the target applications
Once the network is scoped, select the applications and services whose controls you want to assess. List all services, web servers, web applications, databases, technologies, devices, application servers, third-party components and other elements used in building the organisation's network, infrastructure and applications.
Step 3: Choose the relevant security testing
This is the critical step of the assessment: performing actual security testing on the target network and applications. Whether one type of testing or several is used depends on the organisation and on what the testing provider can do to evaluate the current controls.
a) Vulnerability Assessment
Vulnerability assessment is a systematic approach to identifying risks and security weaknesses in an information system (computer networks, servers, network devices, applications and other components of the IT ecosystem). It is a fundamental part of any security testing programme.
Vulnerability assessment is usually performed with automated tools that locate potential threats and weak entry points in the organisation's infrastructure that could expose it to risk or give an attacker a foothold. It also supports risk management by measuring how susceptible systems are to known vulnerabilities and threats.
b) Penetration Testing
Penetration testing (pen testing) is a simulated cyber attack that an organisation uses as a defensive exercise against its network, web applications, cloud infrastructure, embedded and IoT devices to identify vulnerabilities that could be exploited alone or chained with other flaws.
The primary goal of a pen test is to discover the weak points in the targeted assets before criminals do, so that they cannot be used to gain access to the network, system or application. It also evaluates whether the organisation's security policies and controls are adequate and working as defined.
For web applications and APIs, secure code reviews and hardening reviews add value by identifying weaknesses at the code level. For example, a PHP security review is a popular exercise for websites running on the PHP/MySQL or LAMP stack.
c) Security Audit
A security audit is a systematic evaluation of an organisation's Information Security Management System. Unlike technical testing, a security audit evaluates how well the organisation's controls conform to the criteria established by regulators or standards bodies.
It is typically performed to determine compliance with regulations and laws such as GDPR, HIPAA and SOX, to identify security gaps and weaknesses, to check compliance with the organisation's internal policies, and to measure the effectiveness of security training and culture.
A thorough security audit assesses controls by considering device and software configuration, information handling processes and practices, data storage, internal and external data transmission, and other security requirements.
d) Risk Assessment
A cyber risk assessment evaluates the information assets that might be affected by a potential cyber attack. It identifies and prioritises vulnerable assets according to risk rating, probability of threat exposure and likelihood of attack.
It is typically carried out after penetration testing, vulnerability assessment or other security testing, and is followed by selecting controls to treat the identified risks. The assessment evaluates the opportunities available to an adversary and removes or reduces them through a risk management plan ordered by security requirement and urgency.
e) Log Review and Analysis
Log management and review are another critical part of a security control assessment. Defensive systems and solutions generate logs whose purpose is to record and flag events such as failed logins, malware detections, password changes, file movements, DoS attacks and new user accounts, so that abnormal activity can be surfaced.
Log analysis provides visibility and improves the ability to identify threats and malicious traffic reaching the network, and then supports responding to them. With a log management system, the security team, system administrators and the wider organisation can monitor their traffic to diagnose and rectify issues. Regular log monitoring reduces the likelihood and severity of attacks and promotes a culture of early threat management.
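To make the log review concrete, here is an added example (not from the original article) of detection logic run over a handful of constructed OpenSSH-style auth log lines. It flags a source address that exceeds a threshold of failed logins inside a sliding time window, and separately flags a successful login from a source that had just been failing, which is the event a SIEM rule should rank highest. The hostnames, the 203.0.113.0/24 and 198.51.100.0/24 addresses, the threshold and the window are constructed or assumed values.

```python
"""Brute-force detection over auth logs: an added example, not code from the original article.

Parses constructed OpenSSH-style sshd lines and raises two alert types:
  BRUTE_FORCE             THRESHOLD failed logins from one source IP inside WINDOW
  SUCCESS_AFTER_FAILURES  a successful login from a source IP with failures still in WINDOW
Hostnames, the 203.0.113.0/24 and 198.51.100.0/24 addresses (RFC 5737 test ranges),
THRESHOLD and WINDOW are all constructed/assumed values for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

THRESHOLD = 5                   # failures that trigger a BRUTE_FORCE alert
WINDOW = timedelta(minutes=2)   # sliding window over which failures are counted

# Matches "Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2"
# and     "Accepted publickey for deploy from 198.51.100.4 port 40112 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: a password-spray from .7 that eventually succeeds, one
# legitimate key login from .4, a single failure from .9 and an unrelated cron line.
SAMPLE_LOG = """\
Jan 12 10:15:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Jan 12 10:15:03 web01 sshd[2233]: Failed password for invalid user admin from 203.0.113.7 port 51524 ssh2
Jan 12 10:15:05 web01 sshd[2235]: Failed password for root from 203.0.113.7 port 51526 ssh2
Jan 12 10:15:06 web01 sshd[2236]: Accepted publickey for deploy from 198.51.100.4 port 40112 ssh2
Jan 12 10:15:07 web01 sshd[2237]: Failed password for root from 203.0.113.7 port 51528 ssh2
Jan 12 10:15:09 web01 sshd[2239]: Failed password for invalid user test from 203.0.113.7 port 51530 ssh2
Jan 12 10:15:40 web01 sshd[2240]: Failed password for root from 203.0.113.7 port 51532 ssh2
Jan 12 10:16:02 web01 sshd[2251]: Accepted password for deploy from 203.0.113.7 port 51540 ssh2
Jan 12 10:30:00 web01 sshd[2300]: Failed password for root from 203.0.113.9 port 60001 ssh2
Jan 12 10:30:00 web01 CRON[2301]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def parse(line, year=2024):
    """Return a dict for sshd auth events, or None for lines we do not care about.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2024 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines):
    """Run both rules over an iterable of log lines; returns alerts in log order."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures inside WINDOW
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > WINDOW:   # age out failures older than the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) == THRESHOLD:              # fire once, when the threshold is crossed
                alerts.append(("BRUTE_FORCE", ev["ip"], len(q)))
        elif q:                                  # Accepted while failures are still in window
            alerts.append(("SUCCESS_AFTER_FAILURES", ev["ip"], ev["user"]))
            q.clear()
    return alerts


def run_demo():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

The same two rules are what a SIEM correlation search expresses declaratively; the point of writing them out is to see the decisions a rule author has to make (window length, firing once per crossing rather than on every event, and treating success-after-failure as a separate, higher-severity signal rather than as noise).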
Step 4: Other elements
Disaster Recovery Plan- This is a security control every organisation should have as part of its business continuity strategy. While performing the assessment, check whether the business has an appropriate incident response and recovery plan in its cyber strategy.
A disaster recovery plan lets an organisation restore important data and services, not only after a cyber attack but also after a natural disaster or other mishap. An established incident and disaster recovery plan helps the business keep operating during an investigation or outage with minimal loss.
Backup- Having backups of all important and sensitive data is as necessary as having a disaster recovery plan. Ensure a backup plan is in place to avoid data loss during security control assessment or implementation.
Backups must be encrypted, kept up to date, stored so that an attacker who compromises production cannot also destroy them, and regularly tested for successful restoration. Reliable backups protect organisations from ransomware attacks, system failures and natural incidents.
Patch Management- Verifying the patch management process is an important part of the assessment. For example, identify how updates are distributed and whether they are authenticated (signed) so that they cannot be forged. If the organisation builds and runs its own software rather than relying only on third parties, it must be able to patch its systems and applications promptly as soon as a vulnerability is discovered.
Implement and maintain security controls around patch management, because a single unpatched bug can let an attacker bypass or compromise the other controls, and one lapse can undermine the organisation's overall security posture.
Step 5: Reporting
Whichever assessment an organisation chooses, the results will reveal weak points that offer opportunities to threat actors. In the reporting stage, compile and prioritise all security requirements and vulnerable points according to their importance to the business. Once the list is made, missing or required controls are easy to identify.
Not every risk can be mitigated with information security controls, and sometimes a risk has to be accepted because of financial limitations or the complexity of remediation. Security practitioners who understand both the business objectives and the regulatory demands are therefore best placed to choose and implement the required controls.
The end goal of a security control assessment is to align the business objectives and the control objectives with the three principles of the CIA triad. At Cyphere, our security specialists have a wealth of experience securing organisations with the right security controls. Whether it is your on-premises infrastructure or a cloud service model, our regular assessments and managed security services elevate the business's overall cyber security position.