Security Controls

Security controls are countermeasures or safeguards designed to protect information systems, networks, and data from threats and attacks. Their main goal is to reduce risk to the confidentiality, integrity, and availability of assets by deterring, preventing, detecting, correcting, and recovering from incidents.

These controls can take many forms:

  • Technical controls (e.g., firewalls, encryption, intrusion detection systems).
  • Administrative controls (e.g., policies, training, incident response procedures).
  • Physical controls (e.g., locked server rooms, surveillance cameras, security guards).

By combining these safeguards, organizations build a layered defense (defense in depth) in which no single control is a single point of failure. This reduces exploitable weaknesses, supports regulatory compliance, and strengthens resilience against attacks.


Security Control Functions

  • Deterrent Controls
    • Purpose: Reduce the likelihood of a deliberate attack by discouraging malicious actors.
    • How they work: These controls create the perception that an attack will fail or that the attacker will be caught.
  • Preventive Controls
    • Purpose: Stop an attack from happening in the first place.
    • How they work: They block or restrict malicious activity before it causes harm.
  • Detective Controls
    • Purpose: Identify when an attack or suspicious activity is happening.
    • How they work: These controls monitor, log, and alert when anomalies or breaches occur.
  • Corrective Controls
    • Purpose: Reverse or minimize the damage caused by an incident once it has occurred.
    • How they work: They aim to contain the attack, fix vulnerabilities, and prevent recurrence.
  • Recovery Controls
    • Purpose: Restore systems and operations back to their normal condition after an incident.
    • How they work: They ensure business continuity and help the organization return to a fully functional state.

These five functions create a comprehensive security strategy: deterrence (discouraging attacks), prevention (preventing incidents), detection (spotting issues), correction (fixing problems), and recovery (restoring normal operations).


Physical

  • Deterrent (Discourage attacks or intrusions)
    • Purpose: Make potential attackers think twice before attempting unauthorized access or damage.
    • Examples:
      • Warning signs (e.g., “Authorized Personnel Only,” “24/7 Surveillance”).
      • Visible security guards or patrols.
      • Well-lit areas around buildings to reduce concealment opportunities.
      • Fake cameras or dummy equipment (discourage casual intruders only; they provide no detection and should supplement, not replace, real monitoring).
  • Preventive (Block attacks before they occur)
    • Purpose: Create physical barriers to stop unauthorized entry or access.
    • Examples:
      • Fences and gates securing the perimeter.
      • Locked doors and cabinets for sensitive equipment.
      • Biometric access controls (fingerprint, iris scan).
      • Turnstiles or mantraps (access control vestibules) that admit one person at a time, preventing tailgating.
      • Security guards checking IDs at entrances.
  • Detective (Identify intrusions or incidents in progress)
    • Purpose: Monitor and detect unauthorized activities or physical breaches.
    • Examples:
      • CCTV (Closed-Circuit Television) for surveillance and evidence collection.
      • Motion detectors and alarms to spot unusual activity.
      • Access logs from card readers or biometric scanners.
      • Environmental sensors (smoke detectors, water leak detectors, temperature sensors).
  • Corrective (Mitigate damage after an incident)
    • Purpose: Limit the impact of a physical incident and help restore security.
    • Examples:
      • Fire suppression systems (clean-agent or inert gas systems where water would damage equipment, sprinklers elsewhere) to minimize fire damage.
      • Emergency response teams handling breaches or accidents.
      • Lock rekeying or reprogramming after lost/stolen keys or badges.
      • Containment measures (e.g., sealing off flooded or contaminated areas).
  • Recovery (Return to normal operations)
    • Purpose: Restore physical infrastructure and operations after a disruption.
    • Examples:
      • Disaster recovery sites (alternate office locations or data centers).
      • Repairing physical damage to buildings, power systems, or equipment.
      • Restoring utilities (electricity, HVAC, internet connectivity).
      • Relocating staff and assets temporarily until the primary site is functional again.

Technical

  • Deterrent (Discourage attacks or misuse)
    • Purpose: Reduce the likelihood of malicious activity by warning or discouraging attackers before they act.
    • Examples:
      • Security banners on login screens (e.g., “Access restricted—unauthorized use will be monitored and prosecuted”).
      • Lockout warnings shown to the user after repeated failed logins (e.g., “Account will be locked after 3 more failed attempts”); alerts sent to administrators are a detective control instead.
      • Decoy accounts or directories (honeytokens) that waste an intruder's time; they deter only when the attacker suspects deception, and mainly serve detection when accessed.
  • Preventive (Block attacks before they happen)
    • Purpose: Actively prevent threats from penetrating systems or networks.
    • Examples:
      • Firewalls to filter unauthorized traffic.
      • Multi-Factor Authentication (MFA) to stop attacks that rely on a stolen or guessed password alone.
      • Encryption to keep data unreadable if it is intercepted in transit or stolen at rest.
      • Access control lists (ACLs) to restrict which users and processes can access which resources.
      • Endpoint security software (antivirus, anti-malware).
  • Detective (Identify malicious activity in progress)
    • Purpose: Monitor, detect, and alert on suspicious activities or intrusions.
    • Examples:
      • SIEM (Security Information and Event Management) for real-time log analysis and threat detection.
      • IDS (Intrusion Detection Systems) to flag unauthorized access attempts.
      • Honeypots and honeynets to lure attackers and study their tactics.
      • Anomaly detection systems to identify unusual traffic patterns or user behaviors.
      • File integrity monitoring to detect unauthorized modifications.
  • Corrective (Mitigate damage after detection)
    • Purpose: Contain, remove, or repair the impact of a cyber incident.
    • Examples:
      • Applying security patches to close vulnerabilities.
      • Quarantining malware to prevent further spread.
      • Disabling compromised accounts to stop unauthorized activity.
      • Reconfiguring firewalls or access controls after a breach.
      • Updating signatures in intrusion prevention systems.
  • Recovery (Restore systems to normal operations)
    • Purpose: Bring systems back to a secure, functional state after an attack or failure.
    • Examples:
      • Data backups and restores (offsite, cloud-based, or local).
      • Disaster recovery solutions (secondary data centers, cloud failover).
      • System reimaging to ensure a clean, uncompromised environment.
      • Redundancy mechanisms (RAID, load balancing, failover clustering).
      • Business continuity tools ensuring minimal downtime.
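
The detective controls listed above (file integrity monitoring in particular) are easier to reason about with a concrete implementation. The following is an added example, not code from the original page: a minimal file integrity monitor that records a SHA-256 baseline of a directory tree, then re-scans and reports files that were added, modified, or removed. The directory contents and the tampering scenario are constructed inside a temporary directory so the script runs offline; the file names are illustrative assumptions, not real system paths.

```python
"""File integrity monitoring (FIM) as a detective control.

Added example, not part of the original page: build a baseline of SHA-256
digests for a directory tree, then re-scan and report added, modified, and
removed files. The sample tree and the tampering are constructed in a
temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX form) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the baseline; return findings by category."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in set(current) & set(baseline) if current[p] != baseline[p]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF" + b"\x00" * 60)

        baseline = build_baseline(root)
        # Serialize the baseline as JSON. In production the baseline must be
        # stored off-host or signed: an attacker who can modify the monitored
        # files can otherwise rewrite the baseline to match them.
        baseline_json = json.dumps(baseline, indent=2)

        # Simulated tampering: a weakened config, a trojaned binary,
        # a deleted file, and a dropped hidden backdoor.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF" + b"\x90" * 60)
        (root / "etc" / "passwd").unlink()
        (root / "bin" / ".backdoor").write_bytes(b"\x7fELF" + b"\xcc" * 8)

        return verify(root, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The detector only works if the baseline is trustworthy, which is why the comment insists on storing it off-host or signing it; a FIM whose baseline lives beside the files it protects can be silently re-baselined by the same intruder it is meant to catch. Findings from `verify()` are the input to the corrective controls listed above (restoring the file from a known-good image, disabling the account that made the change).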

Administrative

  • Deterrent (Discourage violations or malicious behavior)
    • Purpose: Set expectations and warn users or potential attackers of consequences for policy violations or malicious activity.
    • Examples:
      • Policies and procedures clearly outlining acceptable use, password management, and data handling rules.
      • Code of conduct agreements that employees must sign before accessing systems.
      • Awareness campaigns that emphasize disciplinary actions for security breaches.
      • Regulatory compliance mandates (e.g., HIPAA, GDPR, PCI-DSS) that carry penalties for noncompliance.
  • Preventive (Stop incidents before they occur)
    • Purpose: Establish administrative measures to reduce the chance of security breaches.
    • Examples:
      • Separation of duties (no single individual has complete control over a critical process, reducing insider threats).
      • Data classification policies to ensure sensitive information is handled appropriately.
      • User training and awareness programs to prevent phishing and social engineering attacks.
      • Background checks during hiring to reduce insider threat risk.
      • Access approval processes requiring managerial authorization.
  • Detective (Identify policy violations or suspicious activities)
    • Purpose: Provide oversight to detect security incidents and ensure compliance with policies.
    • Examples:
      • Audit logs and reviews to track user activity.
      • Regular compliance audits to verify adherence to security policies.
      • Internal investigations into unusual or suspicious behavior.
      • Security assessments and penetration tests to detect weaknesses.
  • Corrective (Limit damage and restore order after incidents)
    • Purpose: Define structured administrative processes to mitigate the impact of a security event.
    • Examples:
      • Incident Response Plan (IRP) with roles, responsibilities, and steps for handling incidents.
      • Business Continuity Plan (BCP) to maintain essential operations during disruptions.
      • Policy updates and retraining after identifying gaps that contributed to an incident.
      • Post-incident reviews (lessons learned) to improve future resilience.
  • Recovery (Return operations to normal conditions)
    • Purpose: Establish high-level organizational measures to fully recover from significant disruptions.
    • Examples:
      • Disaster Recovery Plan (DRP) for restoring IT infrastructure and operations after major incidents.
      • Communication plans for informing stakeholders during recovery.
      • Succession planning to ensure leadership continuity during crises.
      • Periodic DR/BCP testing (tabletop exercises, simulations) to validate readiness.