• Types of controls
• Management of control types
• Security control strategies
Types of controls (diagram: separation of control; deterrent, technical, detective, and compensating controls)
Types of control
• Deterrent control
• Deter a potential attacker from attempting an attack.
• Good light around the house.
• Fake cameras around the building.
• Welcome banner accessing SSH server.
• Preventative control
• Long character password length
• Putting a lock on the server room door
• Background check when hiring a new employee
Types of control
• Detective control
• Actively looks for an attack and alerts security professionals to the presence of an active, ongoing attack.
• Corrective control
• A corrective control applies after an attack has taken place and fixes or mitigates the result of the incident. Restoring data from backups is probably the most common example of a corrective control.
• Compensating control
• Provides a temporary, less-than-optimal solution to a vulnerability.
• Use compensating controls to keep going until a better control is available or possible.
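A minimal detective control of the kind described above, as an added example that is not part of the original slides: it scans constructed sshd-style log lines and flags any source address with repeated failed logins inside a short time window, which is the point at which an analyst would be alerted. The log lines, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of OpenSSH auth logging (not real data).
SAMPLE_LOG = """\
Mar 10 09:01:02 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50212 ssh2
Mar 10 09:01:05 host sshd[1203]: Failed password for root from 198.51.100.7 port 50214 ssh2
Mar 10 09:01:09 host sshd[1205]: Failed password for root from 198.51.100.7 port 50216 ssh2
Mar 10 09:01:12 host sshd[1207]: Failed password for invalid user test from 198.51.100.7 port 50218 ssh2
Mar 10 09:01:40 host sshd[1209]: Accepted publickey for alice from 192.0.2.15 port 41022 ssh2
Mar 10 09:30:00 host sshd[1300]: Failed password for bob from 203.0.113.9 port 33010 ssh2
Mar 10 09:45:00 host sshd[1310]: Failed password for bob from 203.0.113.9 port 33012 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, source_ip, user) for each failed-login line.
    Syslog lines carry no year, so one is assumed here."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["user"]

def detect_bruteforce(log_text, threshold=3, window_seconds=60):
    """Return {source_ip: max_count} for sources with at least `threshold`
    failures inside any sliding window of `window_seconds` (the alert condition)."""
    by_src = defaultdict(list)
    for ts, src, _user in parse_failures(log_text):
        by_src[src].append(ts)
    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = max(alerts.get(src, 0), end - start + 1)
    return alerts

if __name__ == "__main__":
    for src, n in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT: {n} failed SSH logins from {src} within 60s")
```

The two slow failures from 203.0.113.9 stay below the threshold, which is why the window matters as much as the count when tuning a detective control against false positives.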
Management of control types
• Technical controls
• Technical controls are security controls applied to technology. If you specify a security control that states, “All edge routers must be able to communicate on SNMPv3,” then you’ve made a technical control.
• Administrative controls
• Administrative controls are applied to people. If you have a security control that states, “All users must log off their workstations every time they leave their office, regardless of length of time,” then you’ve made an administrative control.
• Physical controls
• Physical controls are applied to secure physical areas from physical access by unauthorized people. Fences, door locks, elevator floor blockers, and biometric retinal scanners are all examples of physical controls.
Security control strategies
• Layered security
• Vendor diversity
• Do not stick with one vendor when providing security. Use different vendors.
• Control diversity
• Combine administrative and technical controls.
• Asking users to select a complex password (administrative control) and adding a complex password policy to Windows (technical control).
• User training
• Continuous user training
https://www.malwarefox.com/layered-security/
IV. Risk assessment