Domain 1 Module 1.3
Module 1.3: Security Controls

Learning Objectives

By the end of this module, you will:

  • Classify any security control by implementation type (Technical, Administrative, Physical)
  • Classify any control by function (Preventive, Detective, Corrective, etc.)
  • Explain defense in depth and why layered security matters
  • Provide examples of each control type and function combination
  • Understand how to select appropriate controls for given scenarios

---

What Are Security Controls?

Security controls are safeguards or countermeasures designed to reduce risk. They either:

  • Reduce likelihood of a threat exploiting a vulnerability, OR
  • Reduce impact if the exploit occurs, OR
  • Both

Every security program is built on selecting, implementing, and monitoring the RIGHT controls for the organization's risk profile.

---

Controls by Implementation Type

Technical Controls (Logical Controls)

Technology-based mechanisms that enforce security through hardware or software.

| Control | What It Does | Example in Practice |
|---------|-------------|-------------------|
| Firewalls | Filter network traffic by rules | Block external access to internal databases |
| Encryption | Transform data into unreadable form | AES-256 for laptop disk encryption |
| IDS/IPS | Detect/prevent malicious activity | Snort detecting SQL injection attempts |
| Access Control Lists | Define who can access what | Router ACL blocking telnet from outside |
| Antivirus/EDR | Detect and remove malware | CrowdStrike quarantining ransomware |
| DLP | Prevent data leaving organization | Block emails containing credit card numbers |
| SIEM | Centralize and correlate security logs | Splunk alerting on multiple failed logins |
| MFA systems | Require multiple authentication factors | Duo Security push notification |
| VPN | Encrypt remote connections | IPSec tunnel for remote workers |
| WAF | Protect web applications | Cloudflare blocking XSS attempts |

Administrative Controls (Managerial Controls)

Policies, procedures, and management actions that direct security behavior.

| Control | What It Does | Example in Practice |
|---------|-------------|-------------------|
| Security policies | Define required behavior | "All data must be classified" |
| Procedures | Step-by-step instructions | "How to handle a suspected breach" |
| Standards | Minimum requirements | "Passwords must be 14+ characters" |
| Security training | Educate workforce | Annual phishing awareness training |
| Background checks | Screen employees | Criminal/credit check before hiring |
| Separation of duties | Split critical functions | Developer ≠ deployer |
| Job rotation | Rotate staff through roles | Detect fraud via fresh eyes |
| Mandatory vacations | Force time off | Discover concealed activities |
| Change management | Control system changes | CAB approves all production changes |
| Incident response plan | Define IR procedures | Playbook for ransomware incidents |
| Risk assessment | Identify and evaluate risks | Annual risk assessment cycle |
| NDA | Legal confidentiality agreement | Signed before accessing sensitive data |

Physical Controls

Tangible mechanisms that prevent, detect, or deter physical unauthorized access.

| Control | What It Does | Example in Practice |
|---------|-------------|-------------------|
| Fences | Perimeter barrier | 8ft fence with razor wire around data center |
| Locks | Restrict entry | Biometric lock on server room door |
| Security guards | Human monitoring and response | Guard at lobby checking IDs |
| CCTV cameras | Video surveillance | PTZ cameras monitoring parking lot |
| Badge readers | Electronic access control | HID proximity card readers at all doors |
| Mantraps | Anti-tailgating entry | Vestibule with interlocking doors |
| Bollards | Vehicle barriers | Concrete posts around building entrance |
| Lighting | Illumination for safety/detection | Parking lot lights deterring crime |
| Fire suppression | Protect from fire | FM-200 clean agent in server room |
| UPS/Generators | Power protection | Battery backup + diesel generator |
| HVAC | Environmental control | 68-72°F in data center |
| Cable locks | Prevent device theft | Kensington lock on laptops |

---

Controls by Function

Preventive Controls

Purpose: STOP an incident from occurring in the first place.

| Example | Type | How It Prevents |
|---------|------|----------------|
| Firewall rules | Technical | Blocks unauthorized network traffic |
| Encryption | Technical | Prevents reading of stolen data |
| MFA | Technical | Prevents access with stolen password alone |
| Security policy | Administrative | Directs proper behavior |
| Background check | Administrative | Prevents hiring threats |
| Training | Administrative | Prevents user errors |
| Door lock | Physical | Prevents unauthorized entry |
| Fence | Physical | Prevents physical access |
| Mantrap | Physical | Prevents tailgating |

Detective Controls

Purpose: DISCOVER that an incident has occurred or is occurring.

| Example | Type | What It Detects |
|---------|------|----------------|
| IDS | Technical | Network intrusions |
| SIEM | Technical | Correlated security events |
| Audit logs | Technical | Unauthorized actions |
| Log review | Administrative | Policy violations |
| Mandatory vacation | Administrative | Fraud during absence |
| Job rotation | Administrative | Concealed activities |
| CCTV | Physical | Unauthorized physical access |
| Motion sensors | Physical | Movement in restricted areas |
| Security guards | Physical | Suspicious behavior |
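The SIEM row above ("alerting on multiple failed logins") is the classic detective control, so here is what that correlation looks like in code. This is an added example written for this module, not code from the module or from any SIEM product; the log format, host names, user names, source addresses and the 5-failures-in-5-minutes threshold are all constructed for illustration.

```python
"""Detective control example: correlate failed logins into an alert."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) in a simplified sshd-like format.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:05 host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:09 host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:12 host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:14 host1 sshd: Failed password for alice from 203.0.113.7
2024-03-01T09:00:20 host1 sshd: Accepted password for alice from 203.0.113.7
2024-03-01T09:05:00 host2 sshd: Failed password for bob from 198.51.100.4
2024-03-01T09:30:00 host2 sshd: Failed password for bob from 198.51.100.4
2024-03-01T09:55:00 host2 sshd: Failed password for bob from 198.51.100.4
this line is malformed and is skipped by the parser
"""

# Assumed line layout: "<iso timestamp> <host> sshd: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Raise one alert per (user, source) pair that reaches `threshold` failures
    inside a sliding `window`. A later successful login for an alerted pair is
    recorded on the alert, because that is the case an analyst should open first."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = {}                   # (user, src) -> alert dict
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "Accepted":
            if key in alerts:
                alerts[key]["followed_by_success"] = True
            continue
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = {
                "user": ev["user"],
                "src": ev["src"],
                "count": len(q),
                "first_seen": q[0],
                "last_seen": ev["ts"],
                "followed_by_success": False,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(parse_events(SAMPLE_LOGS)):
        print(alert)
```

In the sample data only `alice` trips the rule: five failures in thirteen seconds, then a successful login, which is exactly the pattern a detective control exists to surface. `bob` also fails three times, but spread over fifty minutes, so the sliding window never fills; spacing the threshold and window sensibly is what keeps a detective control from drowning the SOC in noise.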

Corrective Controls

Purpose: FIX a problem after it has occurred, minimize damage, restore normal operations.

| Example | Type | What It Corrects |
|---------|------|-----------------|
| Antivirus quarantine | Technical | Removes detected malware |
| Patches | Technical | Fixes known vulnerabilities |
| Backup restore | Technical | Recovers lost data |
| IPS (blocking mode) | Technical | Stops detected attack |
| Incident response plan | Administrative | Guides recovery actions |
| Termination procedure | Administrative | Removes insider threat |
| Fire suppression | Physical | Stops active fire |
| Spare equipment | Physical | Replaces failed hardware |

Deterrent Controls

Purpose: DISCOURAGE potential attackers from attempting an action.

| Example | Type | How It Deters |
|---------|------|--------------|
| Login warning banner | Technical | Legal warning discourages unauthorized use |
| Account lockout | Technical | Discourages brute force |
| Security awareness training | Administrative | Makes employees think twice |
| Acceptable Use Policy | Administrative | Threat of termination deters misuse |
| Security guards | Physical | Visible presence discourages intrusion |
| Warning signs | Physical | "Trespassers will be prosecuted" |
| Cameras (visible) | Physical | Knowledge of being watched |
| Barbed wire fence | Physical | Signals serious security |

Compensating Controls

Purpose: ALTERNATIVE control when the primary control is not feasible.

| Scenario | Primary Control Missing | Compensating Control |
|----------|------------------------|---------------------|
| Legacy system can't be patched | Patch management | Extra monitoring + network isolation |
| Can't implement SoD (small team) | Separation of duties | Enhanced logging + management review |
| Budget doesn't allow new firewall | NGFW | Stricter ACLs + IDS monitoring |
| Biometric system breaks | Biometric access | Guard verification + manual log |

Recovery Controls

Purpose: RESTORE systems and operations after an incident.

| Example | Type | What It Recovers |
|---------|------|-----------------|
| Backup systems | Technical | Restore data after loss |
| Disaster recovery site | Technical/Physical | Resume operations at alternate location |
| System images | Technical | Rebuild compromised systems |
| BCP activation | Administrative | Coordinate business recovery |
| Generator | Physical | Restore power after outage |

---

Control Classification Matrix

| Control | Type | Function(s) |
|---------|------|------------|
| Firewall | Technical | Preventive |
| IDS | Technical | Detective |
| IPS | Technical | Preventive + Detective |
| Encryption | Technical | Preventive |
| Antivirus | Technical | Preventive + Detective + Corrective |
| Backup | Technical | Recovery |
| Security policy | Administrative | Preventive + Directive |
| Training | Administrative | Preventive + Deterrent |
| Background check | Administrative | Preventive |
| Incident response plan | Administrative | Corrective + Recovery |
| Mandatory vacation | Administrative | Detective |
| Door lock | Physical | Preventive |
| CCTV | Physical | Detective + Deterrent |
| Guard | Physical | Preventive + Detective + Deterrent |
| Fire suppression | Physical | Corrective |
| Warning sign | Physical | Deterrent |
| Fence | Physical | Preventive + Deterrent |
| Lighting | Physical | Deterrent + Detective |

---

Defense in Depth

The Castle Analogy

Imagine a medieval castle protecting a king:

1. Moat (perimeter) → Firewall, DMZ
2. Outer walls (network) → IDS/IPS, network segmentation
3. Inner walls (host) → Endpoint protection, host firewall
4. Castle guards (monitoring) → SIEM, SOC analysts
5. Locked rooms (application) → Access controls, input validation
6. Vault (data) → Encryption, DLP

If attackers cross the moat, they still face walls. If they breach the walls, they face guards. No single layer failure is catastrophic.

Corporate Defense in Depth Example

LAYER 1: Perimeter
  → External firewall, DMZ, DDoS protection

LAYER 2: Network
  → Internal firewalls, VLAN segmentation, NAC, IDS/IPS

LAYER 3: Host/Endpoint
  → Antivirus/EDR, host firewall, patch management, hardening

LAYER 4: Application
  → WAF, input validation, secure coding, authentication

LAYER 5: Data
  → Encryption (at rest + in transit), DLP, classification, access controls

CROSS-CUTTING: Administrative
  → Policies, training, incident response, monitoring, auditing

Why Defense in Depth Works

  • No single control is 100% effective
  • Attackers must overcome MULTIPLE barriers
  • Different controls catch different types of attacks
  • Provides time for detection and response
  • Increases attacker cost and effort

---

Selecting Appropriate Controls

Control Selection Criteria

| Factor | Question |
|--------|----------|
| Risk level | What risk does this control address? |
| Cost | Does the control cost less than the potential loss? |
| Feasibility | Can we actually implement and maintain this? |
| Effectiveness | How much does it reduce the risk? |
| Impact on operations | Will it disrupt business? |
| Compliance | Does a regulation require this control? |
| Compatibility | Does it work with existing systems? |

Cost-Benefit Rule

A control is justified when: Cost of control < Cost of the risk it mitigates

If a $5,000/year firewall prevents $50,000/year in potential losses, it is clearly justified. If a $100,000 control prevents only $5,000 in potential losses, it is NOT justified; accept the risk instead.
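The rule above, applied across several candidate controls for one risk, as an added example written for this module (not code from the module): each option carries its annual cost and the expected annual loss with and without it, the rule decides whether the option pays for itself, and the selector picks the justified option with the highest net benefit or reports that the risk should be accepted. The candidate names and dollar figures are constructed; the $10,000 / $50,000 → $5,000 case mirrors practice question 10 below.

```python
"""Cost-benefit rule for control selection."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ControlOption:
    """One candidate control for a single risk (all figures are per year)."""
    name: str
    annual_cost: float    # cost to buy, run and maintain the control
    loss_without: float   # expected annual loss if the control is absent
    loss_with: float      # expected annual loss with the control in place

    def risk_reduction(self) -> float:
        """Expected loss the control removes each year."""
        return self.loss_without - self.loss_with

    def net_benefit(self) -> float:
        """Savings minus what the control costs (the module's question 10 arithmetic)."""
        return self.risk_reduction() - self.annual_cost

    def is_justified(self) -> bool:
        """Module rule: cost of control < cost of the risk it mitigates."""
        return self.annual_cost < self.risk_reduction()


def select_control(options: Iterable[ControlOption]) -> Optional[ControlOption]:
    """Return the justified option with the highest net benefit for one risk,
    or None when no option pays for itself, meaning the risk should be accepted."""
    justified = [o for o in options if o.is_justified()]
    if not justified:
        return None
    return max(justified, key=lambda o: o.net_benefit())


# Constructed candidates for one risk (credential theft against a remote-access portal).
CANDIDATES = [
    ControlOption("MFA rollout", 10_000, 50_000, 5_000),           # net +35,000
    ControlOption("Stricter ACLs + IDS", 5_000, 50_000, 20_000),   # compensating, net +25,000
    ControlOption("Hardware tokens for all staff", 100_000, 50_000, 0),  # net -50,000
]


def decision_table(options: Iterable[ControlOption]):
    """Explain each option the way a risk register would: (name, net benefit, decision)."""
    return [
        (o.name, o.net_benefit(), "implement" if o.is_justified() else "accept risk")
        for o in sorted(options, key=lambda o: o.net_benefit(), reverse=True)
    ]


if __name__ == "__main__":
    for row in decision_table(CANDIDATES):
        print(row)
    chosen = select_control(CANDIDATES)
    print("selected:", chosen.name if chosen else "accept the risk")
```

Note that the rule is a strict inequality: a control whose cost exactly equals the loss it prevents is not justified on cost grounds alone, and the other selection criteria in the table (compliance, feasibility, operational impact) still have to be weighed even when the arithmetic says "implement".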

---

Practice Questions

1. An organization implements an employee security training program. What type of control is this?

  • A) Technical - Preventive
  • B) Administrative - Preventive ✅
  • C) Physical - Detective
  • D) Technical - Deterrent

2. A CCTV camera mounted at a building entrance is BEST classified as:

  • A) Technical - Preventive
  • B) Physical - Detective and Deterrent ✅
  • C) Administrative - Corrective
  • D) Physical - Preventive

3. Which control is COMPENSATING?

  • A) A firewall blocking unauthorized traffic
  • B) Enhanced monitoring when a system can't be patched ✅
  • C) A backup restoring lost data
  • D) A policy requiring strong passwords

4. Defense in depth means:

  • A) Using the strongest single control available
  • B) Multiple overlapping security layers ✅
  • C) Spending the most money on perimeter security
  • D) Having redundant network connections

5. Which is a CORRECTIVE control?

  • A) Firewall
  • B) CCTV camera
  • C) Antivirus quarantining malware ✅
  • D) Background check

6. Mandatory vacation for employees is BEST classified as:

  • A) Preventive control
  • B) Detective control ✅
  • C) Corrective control
  • D) Recovery control

7. A "No Trespassing - Violators Will Be Prosecuted" sign is:

  • A) Preventive
  • B) Detective
  • C) Corrective
  • D) Deterrent ✅

8. Which principle states that controls should be layered so failure of one doesn't compromise overall security?

  • A) Least privilege
  • B) Defense in depth ✅
  • C) Separation of duties
  • D) Due diligence

9. An IPS that blocks a detected attack in real-time is BEST classified as:

  • A) Preventive + Detective ✅
  • B) Detective only
  • C) Corrective only
  • D) Compensating

10. A control costs $10,000/year to maintain. It reduces expected annual losses from $50,000 to $5,000. The net benefit is:

  • A) $5,000
  • B) $35,000 ✅ ($45,000 savings - $10,000 cost)
  • C) $40,000
  • D) $50,000

---

*End of Module 1.3 - Next: 1.4 Ethics*