Security Controls - CompTIA Security+ SY0-701 - 1.1


    Summary

    In his video, Professor Messer delves into security controls within the context of the CompTIA Security+ SY0-701 exam. He explains the four categories of security controls (technical, managerial, operational, and physical) and how control types such as preventive, deterrent, detective, corrective, compensating, and directive fit into each category. Each type is illustrated with practical examples, offering insights into their application and importance in IT security.

      Highlights

      • Technical controls use technology like firewalls and antivirus to protect systems.
      • Managerial controls involve policies and procedures to guide people managing IT resources.
      • Operational controls rely on human intervention, such as security guards and training sessions.
      • Physical controls restrict access to physical spaces through barriers like locks and security desks.
      • Preventive controls limit access to resources, such as firewall rules and guard shacks.
      • Deterrent controls discourage unauthorized actions, like security warnings and reception desks.
      • Detective controls alert and log breaches, like system logs and motion detectors.
      • Corrective controls mitigate damage post-incident, like restoring systems from backups.
      • Compensating controls temporarily address risks, like firewalls blocking vulnerable apps.
      • Directive controls guide secure practices, like compliance policies and warning signs.

      Key Takeaways

      • Understand the four categories of security controls: technical, managerial, operational, and physical.
      • Explore various control types such as preventive, deterrent, detective, corrective, compensating, and directive.
      • Learn practical examples of each control type, like firewalls, policy setups, security training, and physical access restrictions.
      • Discover ways to categorize security measures and identify the right fit for your organization.
      • Embrace the dynamic nature of IT security controls and adapt to evolving technologies and threats.

      Overview

      Professor Messer kicks off the video with an exploration of security controls necessary for mitigating the myriad of risks in IT security. He emphasizes that protecting data, systems, and facilities involves a layered approach using various security controls and explains them through relatable examples. From technical controls like firewalls to managerial ones involving company policies, each control plays a vital role in ensuring security.

      Moving further, he sorts these controls into different types: preventive, deterrent, detective, corrective, compensating, and directive. Professor Messer illustrates these types with vivid examples, such as firewall rules as a preventive control and reception desks as a deterrent. These insights give viewers a comprehensive picture of how each control type functions and its significance in maintaining a robust security posture.

      Finally, the video highlights the importance of flexibility and adaptation in security strategies. As technology and threats evolve, so too must our controls. Professor Messer encourages viewers to stay informed and continuously assess and update their security measures, ensuring they are appropriately aligned with both current technology and potential threats. This adaptability is crucial for maintaining an effective defense against increasingly sophisticated attacks.

            Chapters

            • 00:00 - 00:30: Introduction to Security Risks. This chapter outlines the diverse array of security threats that IT security professionals need to anticipate and defend against. Emphasizing that attackers seek various methods to access systems, it stresses the importance of developing strategies to thwart such attempts. Additionally, the discussion covers the broad scope of protection, which extends beyond data to include physical systems, buildings, and personnel. The chapter also introduces various security controls and their applications as a means of defense.
            • 00:30 - 01:00: Understanding Security Controls. This chapter focuses on understanding security controls. It introduces the concept of preventing events and minimizing their impact if they do occur. It emphasizes the importance of limiting damage in case of a security breach and outlines broad categories of security controls, beginning with technical controls. Technical controls are those implemented using technical systems, essential for managing operating systems effectively.
            • 01:00 - 02:00: Technical and Managerial Controls. This chapter discusses the different types of controls that can be implemented to ensure security within an organization. Technical controls include the use of software such as firewalls and antivirus programs to manage what functions can occur within an operating system. Additionally, as a security administrator, it is important to establish managerial controls through the creation of policies and procedures. These policies guide individuals on the best practices for managing their computers, data, and other systems.
            • 02:00 - 03:00: Operational and Physical Controls. This chapter, titled 'Operational and Physical Controls,' discusses the integration of managerial controls into security policies and standard operating procedures. It emphasizes the importance of operational controls, which rely on human involvement to implement and manage controls rather than technological means.
            • 03:00 - 04:30: Preventive Control Types. This chapter discusses different types of preventive controls used in security. It categorizes these controls into operational and physical controls. Operational controls include activities like having security guards, conducting monthly training sessions such as lunch and learns, and utilizing posters or awareness programs at the workplace to promote IT security best practices. Physical controls are measures that restrict physical access to facilities, rooms, or devices, such as a guard shack for monitoring access.
            • 04:30 - 06:00: Deterrent Control Types. The chapter discusses different deterrent control types used to restrict access to specific areas, emphasizing security measures such as fences, locks, and badge readers. It aims to categorize these controls into four main types: technical, managerial, operational, and physical. The focus is on understanding and determining the appropriate category for each control type.
            • 06:00 - 07:30: Detective Control Types. The chapter 'Detective Control Types' appears to discuss various control mechanisms used to restrict access to resources, likening them to preventive control types. A preventive control type is described as a method, such as a firewall rule or physical security measures like a guard shack, used to prevent unauthorized access to certain network areas or facilities. The chapter suggests testing one's understanding by categorizing these control types appropriately, with a focus on preventive measures.
            • 07:30 - 09:00: Corrective Control Types. This chapter discusses different types of corrective control measures that can be categorized based on their nature and method of implementation. It covers technical controls like firewall rules, which are implemented at a technical level. Managerial controls are exemplified by policies set for onboarding new employees. Operational controls are described through the use of physical security measures like a guard checking IDs. Lastly, it covers physical controls, such as door locks, which are used to prevent unauthorized access.
            • 09:00 - 10:30: Compensating Control Types. This chapter discusses compensating control types in security, with a focus on deterrent controls. Deterrent controls might not stop a security breach but can discourage potential attackers by making them think twice about proceeding. Examples given include splash screens with security messages or potential consequences like a demotion for unauthorized access attempts.
            • 10:30 - 12:00: Directive Control Types. The chapter titled 'Directive Control Types' discusses various elements of facility and data security within organizational environments. It highlights different types of controls categorized into four main groups: technical, managerial, operational, and physical controls. Examples provided include the use of a splash screen as a technical deterrent, the possibility of a demotion as a managerial deterrent, the function of a front reception desk as an operational measure, and the presence of warning signs as physical deterrents. These elements help ensure that only authorized individuals gain access to sensitive areas or data, with clear consequences for unauthorized access.
            • 12:00 - 13:00: Summary and Additional Considerations. Detective control types provide mechanisms to identify and sometimes warn about breaches. While they may not prevent access, these controls can warn us and log details about specific attacks. Examples include the processes of collecting, reviewing, and analyzing system logs, or reviewing login reports about system access. This information is crucial for understanding potential vulnerabilities and actions of unauthorized users.

            Security Controls - CompTIA Security+ SY0-701 - 1.1 Transcription

            • 00:00 - 00:30 If you've spent any amount of time in IT security, you know there are many different security risks that you need to prepare for. The attackers are looking for different ways to gain access to our systems, and we need to find different ways to prevent them from getting that access. But of course, we're not just protecting data; we're also protecting physical systems, buildings, people, and everything in our organization. In this video, we'll look at different security controls and how they can be used to
            • 00:30 - 01:00 prevent events from occurring in the first place. We can minimize the impact of events that ultimately do occur, and in many cases we can limit the damage if someone does find a way into our computing environment. Let's look at some very broad categories of security controls. The first category we'll look at are technical controls. These are controls that we implement using some type of technical system. So if you're someone who is managing an operating system, you
            • 01:00 - 01:30 might set up policies and procedures within the operating system that would allow or disallow different functions from occurring. We can also put firewalls, antivirus, and other types of software into this category of technical controls. As a security administrator, you'll also want to create a series of policies that explain to people the best way to manage their computers, their data, or their other systems. We refer to these as managerial controls. So if you are creating a series of policies and
            • 01:30 - 02:00 procedures, or you're creating an official security policy documentation, you'll often put these managerial controls inside of your security policies. You might also see these managerial controls implemented into day-to-day processes as part of your standard operating procedures. Another important control category are the operational controls. Unlike using technology to manage these controls, operational controls are using people to be able to set these controls. So
            • 02:00 - 02:30 if you have security guards at your place of work, you're doing monthly lunch and learns, or you have some type of posters or awareness program at work to help explain the best practices for IT security, then you can put these into the category of operational controls. And the last category that we have are physical controls. As the name implies, these are controls that would limit someone's physical access to a building, a room, or a device. This might be something like a guard shack, so they can check everyone
            • 02:30 - 03:00 coming into a particular area. Maybe there are fences and locks to keep people out, or maybe use badge readers to limit the access into certain areas within your building. So in this video we'll focus on these four categories of controls: the technical, managerial, operational, and physical. And in this video we'll look at a number of different control types and determine where we would fit certain control types into certain categories. The first control type we'll look at is a
            • 03:00 - 03:30 preventive control type. This is a control type that limits someone's access to a particular resource. You can think of this as something like a firewall rule, which would prevent somebody from gaining access to a particular area of your network, or it may be something that's more tangible, such as a guard shack checking everyone's identification as they come into your facility. A good way to test yourself with these different control types is to determine what category will a certain type fit into. So when we deal with preventive
            • 03:30 - 04:00 control types, we can look at firewall rules, and since those are handled at a technical level, then those would fit into the technical category. As we hire people, we may want to set a certain type of policy for onboarding, and those would be policies set as part of a managerial category. We've already mentioned a guard shack checking everyone's identification, and since that's done by a person, we can fit that into an operational category. And lastly, we have door locks, which are physical devices preventing access to a
            • 04:00 - 04:30 room, so that would fit into the physical category. Another important control type is a deterrent, and although a deterrent may not prevent someone from accessing a resource, it may give them a discouragement or have them think twice about the attack that they're planning. For example, when you start an application, there may be a splash screen that provides security information and restricts people who are not authorized from gaining access to that system, or there might be the threat of a demotion
            • 04:30 - 05:00 or a dismissal if somebody gains access to data that they should not be accessing. There might also be a front reception desk reading everyone who walks in, or warning signs telling people that if they gain access to this facility, there would be consequences. These fit perfectly into our four categories: a splash screen is a deterrent that fits into the technical category, a demotion is a managerial category, the reception desk fits into the operational category, and the warning signs are a physical
            • 05:00 - 05:30 deterrent. A detective control type can identify and in some cases warn us when a particular breach has occurred. This may not prevent access, but it would give us a warning and log information about that particular attack. An example of a detective control type may be a process of collecting, reviewing, and going through system logs, or you may be reviewing login reports about who's gained access to your systems. There might be someone patrolling the
            • 05:30 - 06:00 property looking for cases where someone might have broken into your facility, and you might have motion detectors so that you're automatically notified if something is moving in an area where normally there should be no motion. The system logs that are detailing everything that's going on in your systems would fit into the technical category. Someone reviewing login reports every day or every week would fit into the managerial category. Someone patrolling the property would be an operational category, and then the motion
            • 06:00 - 06:30 detectors provide us with a physical category. If there is a notification that someone has breached a system or gained access into a certain area of your business, then you want to apply a corrective security control. A corrective security control is something that occurs after the event has been detected. This is sometimes able to reverse the impact of that particular event, or you may be able to continue operating with your business with minimal downtime thanks to these corrective controls. For
            • 06:30 - 07:00 example, if a computer has been infected with ransomware and it has encrypted everything on that system and made all of the data inaccessible, you can simply erase everything on that computer and restore it back to a known good system using your backups. You might also want to create policies so that if there are security issues or something unusual that you see happen, then those would be rolled up into an alert or some type of notification. And if you find that someone's jumped your fence or they've
            • 07:00 - 07:30 tried to get in through a door in your building, you may need to contact law enforcement to be able to correct that particular incident. And if something is caught on fire, you can grab a fire extinguisher and make sure that that fire doesn't spread any further, thereby correcting that particular event. And as you might expect, those are four events that certainly fit into the four categories that we have. For example, recovering from a backup would be a technical category, being able to have policies for reporting issues when they
            • 07:30 - 08:00 occur would be in the managerial category, contacting authorities for some type of legal issue would be an operational category, and your fire extinguisher is a physical category. You might also find yourself in a situation where a security event has occurred, but you don't have the resources or means to be able to reverse what that particular event has caused. In those cases, you may want to use a compensating control type, which provides you with using other means in a way to control that
            • 08:00 - 08:30 particular security event. This may be something you use on a temporary basis until you're able to put together a plan to resolve the overall security incident. For example, you might have an application that is important for your organization, but the application developer has told you that they've identified a significant security vulnerability in that software. Since the application developer is going to provide you with a patch sometime in the future, you may want to set some type of firewall rule today that would prevent somebody from exploiting that
            • 08:30 - 09:00 particular vulnerability. Or this might be a case where you can separate different duties between different individuals and limit the scope of any type of security concern. Or you might have multiple security guards all working at the same time to make sure that no single security guard has complete access to everything in your environment. And if you lose power in your building, you might want to have a generator so that while you're waiting for main power to be restored, you can compensate by turning on your
            • 09:00 - 09:30 generator. Those are our four different categories of a compensating control. We have a technical category of blocking that traffic instead of patching the application. There may be a separation of duties for the people that work in your organization, and that fits into the managerial category. You might require multiple security staff working simultaneously, and that would be the operational category. And lastly, having a power generator to compensate for a power outage fits into the physical category.
            • 09:30 - 10:00 The last control type we'll look at is a directive control type. This is a relatively weak security control because it is one where you are directing someone to do something more secure rather than less secure. For example, you may require everyone to store sensitive information into a protected and encrypted folder on their system. This requires the user to make a decision about what data may be sensitive and what data may be non-sensitive, and then they are directed to store the sensitive
            • 10:00 - 10:30 information in the protected folder. As part of our security policies, we may want to add compliance policies and procedures so that everyone understands the proper processes to use for security in your environment. You might also train users on what the proper security policies might be. And another example of a directive control may be a sign that you put on a door that says "Authorized personnel only." There might not be a lock on the door, but the sign saying "Authorized personnel only" directs people to either enter or not enter that
            • 10:30 - 11:00 particular door. So to summarize these: our file storage policies will direct people to this technical category, a compliance policy fits into a managerial category, someone performing a security policy training course would be a directive control type fitting into the operational category, and a sign on a door that says "Authorized personnel only" fits into the physical category. The examples I provided for the different security controls and the categories
            • 11:00 - 11:30 where they fit are simply one single example. You can probably think of a number of different examples that you could fit into any of those squares in our matrix. You could probably also think of different security controls that might fit into a different category of control or a different type of control. You might also find, as our technology changes and our security processes evolve, that there might be new control types that we could fit into our chart. And of course, not everybody uses the
            • 11:30 - 12:00 same security controls, so the ones that you use in your organization may be very different than someone else's organization.