Lesson Introduction
As a new or recently practicing cybersecurity analyst, you must be able to demonstrate the importance of security intelligence and threat intelligence. As understanding of threat types and actors grows, those threat actors change their tactics and procedures to escape detection. Consequently, identifying and updating robust intelligence sources and setting up effective information sharing systems is a critical part of the role of a cybersecurity analyst. Threat intelligence feeds into the selection and configuration of distinct types of security controls. It is important that you be able to classify the function and operation of different control types.
Lesson Objectives
In this lesson you will:
- Identify security control types.
- Explain the importance of threat data and intelligence.
OBJECTIVES COVERED
Explain the importance of frameworks, policies, procedures, and controls.
In this topic you will review the responsibilities associated with the cybersecurity analyst role and explain the importance of classifying security controls by category and type.
CYBERSECURITY ROLES AND RESPONSIBILITIES
Cybersecurity refers to the protection of personal or organizational information or information resources from unauthorized access, attacks, theft, or data damage over computer or electronic systems and networks. A cybersecurity analyst is a senior position within an organization's security team with direct responsibility for protecting sensitive information and preventing unauthorized access to electronic data and the systems that process it. A cybersecurity team may contain junior and senior analyst levels, and an enterprise may develop specialized roles in different sectors of information assurance. Senior analysts are likely to report directly to the chief information security officer (CISO). Some generic analyst job functions and duties include the following:
- Implementing and configuring security controls, such as firewalls, intrusion detection systems, and other threat management appliances and software
- Working in a leading role in the computer security incident response team (CSIRT) or security operations center (SOC) to manage security incidents
- Auditing security processes and procedures, performing due diligence on third parties, and delivering employee training
- Performing risk assessments, vulnerability assessments, and penetration tests and recommending appropriate security controls or procedures
- Maintaining up-to-date threat intelligence and awareness and advising on legal, compliance, and regulatory issues
Successful analysts require technical knowledge of network and security systems and programming/software development environments, tools, and procedures. Analysts must also be good at creative thinking and problem solving and be able to describe a problem and devise and report solutions to a nontechnical audience with clarity. Attention to detail and patience are also important characteristics. Finally, incident response situations can be highly pressured, so calm decision making is another important attribute.
SECURITY CONTROL CATEGORIES
Cybersecurity exists within a general process of business risk management. To mitigate risks arising from cyber threats and attacks, organizations must select and implement effective security controls. A security control is something designed to give a particular asset or information system the properties of confidentiality, integrity, availability, and nonrepudiation.
Historically, security controls may have been deployed in a haphazard fashion, as a reactive response to emerging threats. For example, when hackers started to penetrate networks in the 1980s, firewalls were created to block access, and as viruses and worms started to infect computer systems in greater numbers through the 1990s, companies started to deploy anti-virus software on their workstations and servers. As modern cyber threats have become more sophisticated, it is now recognized that security controls should be selected and deployed in a structured way, within an overall risk management framework. An important part of this is to classify controls according to their category and/or type of function. This classification process assists in selecting a diversity of complementary controls that can act together to provide layered security or defense in depth.
One means of classifying security controls in the context of an overall risk management framework is set out in the NIST Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations (nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf). This document identifies controls as belonging to one of 18 families, such as access control (AC), audit and accountability (AA), incident response (IR), or risk assessment (RA). The family describes the basic functions of the controls. Similarly, the ISO 27001 framework identifies 14 control categories, such as information security policies, asset management, physical security, communications security, and so on.
The National Institute of Standards and Technology (NIST) Special Publications discussed are available at csrc.nist.gov/publications/sp. ISO 27001 is a proprietary standard (iso.org/standard/54534.html).
In the early versions of 800-53, each family is also assigned to a class, based on the dominant characteristics of the controls included in that family. The control categories identified in the CySA+ exam objectives are similar to those used by NIST:
- Technical—The control is implemented as a system (hardware, software, or firmware). For example, firewalls, anti-virus software, and OS access control models are technical controls. Technical controls may also be described as logical controls.
- Operational—The control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls.
- Managerial—The control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
Later revisions of 800-53 (rev 4 and up) no longer classify families of controls in this way, but individual controls can still be identified as being of a managerial, operational, or technical character.
The NIST schema isn't the only way of classifying security controls, however. Some schemes do not distinguish between operational and managerial control types, calling them all administrative controls. Also, be aware that security processes may involve multiple controls of diverse types. For example, a vulnerability management process is governed by overall managerial controls that give oversight of the process, operational controls that govern how technicians perform and respond to scans, and technical controls that automate scanning and reporting software.
SECURITY CONTROL FUNCTIONAL TYPES
However they are classified, as a category or family, controls can also be described according to the goal or function they perform:
- Preventative—The control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Access control lists (ACL) configured on firewalls and file system objects are preventative-type controls. Anti-malware software also acts as a preventative control, by blocking processes identified as malicious from executing. Directives and standard operating procedures (SOPs) can be thought of as administrative versions of preventative controls.
- Detective—The control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. Logs provide one of the best examples of detective-type controls.
- Corrective—The control acts to eliminate or reduce the impact of an intrusion event. A corrective control is used after an attack. A good example is a backup system that can restore data that was damaged during an intrusion. Another example is a patch management system that acts to eliminate the vulnerability exploited during the attack.
As no single security control is likely to be invulnerable, it is helpful to think of them as delaying or hampering an attacker until the intrusion can be detected. The efficiency of a control is a measure of how long it can delay an attack.
While most controls can be classed functionally as preventative, detective, or corrective, a few other types can be used to define other cases:
- Physical—Controls such as alarms, gateways, locks, lighting, security cameras, and guards that deter and detect access to premises and hardware are often classed separately.
- Deterrent—The control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion. This could include signs and warnings of legal penalties against trespass or intrusion.
- Compensating—The control serves as a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.
Adopting a functional approach to security control selection allows you to devise a Course of Action (CoA) matrix that maps security controls to known adversary tools and tactics, matching your cybersecurity defensive capabilities to the offensive capabilities of potential cyber adversaries.
SECURITY CONTROL SELECTION BASED ON CIA REQUIREMENTS
Another way of classifying security controls is to consider how they act to enforce and support the CIA triad—confidentiality, integrity, and availability. Consider the following table in which examples of technical controls are reviewed in terms of how they do or do not uphold the CIA principles.
| Technical Control | Upholds Confidentiality? | Upholds Integrity? | Upholds Availability? |
|---|---|---|---|
| User permissions for network share | Yes, by keeping unauthorized users from accessing shared data | No | No |
| Load balancers for web servers | No | No | Yes, by routing traffic to hosts that are available and have capacity |
| Message authentication codes (MACs) used in digital signatures | No | Yes, by comparing the expected message digest with the actual message digest upon output | No |
As you can see, no single technology in this list of examples addresses all three attributes. An organization has well-rounded security when it specifically upholds all three components of the CIA triad.
Ultimately, your organization must define which parameters it needs to uphold to mitigate risk—this will drive your process for selecting the right controls. For example, there are several approaches you can use to address risks to confidentiality, such as encryption and access control. In both cases, the goal is to limit the readability of data to only authorized parties. What you implement will depend on your needs as an organization; access control may be enough to keep unwanted users from accessing somewhat sensitive data, but in scenarios where data is much more sensitive, you may want to aim for encryption to achieve the strongest confidentiality assurances.
Front of Flashcard 1 of 3
Despite operating a patch management program, your company has been exposed to several attacks over the last few months. You have drafted a policy to require a lessons learned incident report be created to review the historical attacks and to make this analysis a requirement following future attacks. How can this type of control be classified?
Back of Flashcard 1 of 3
It is implemented as an administrative control as it is procedural rather than technical in nature. Additionally, it is a managerial control rather than an operational control as it seeks oversight of day-to-day processes with a view to improving them. In terms of function, you can classify it as corrective, as it occurs after an attack has taken place.
Front of Flashcard 2 of 3
A bespoke application used by your company has been the target of malware. The developers have created signatures for the application's binaries, and these have been added to endpoint detection and response (EDR) scanning software running on each workstation. If a scan shows that a binary image no longer matches its signature, an administrative alert is generated. What type of security control is this?
Back of Flashcard 2 of 3
This is a technical control as it is implemented in software. In functional terms, it acts as a detective control because it does not stop malware from replacing the original file image (preventative control) or restore the original file automatically (corrective control).
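The integrity row of the CIA table and the EDR signature check in Flashcard 2 both come down to the same operation: comparing an expected digest with the one computed from the current image. The following is an added example, not part of this lesson or of any EDR product, using a constructed manifest, constructed file images, and a placeholder key; it shows that such a check upholds integrity (a changed image is reported) while doing nothing for confidentiality (the file stays readable), and that it is purely detective, since it neither blocks the change nor restores the original.

```python
import hashlib
import hmac

# Placeholder secret held only by the scanning agent (constructed, not a real value).
# Using a keyed digest means an intruder who replaces a file cannot simply
# recompute a matching digest for the new image.
MANIFEST_KEY = b"example-manifest-key-not-for-production"


def compute_digest(key: bytes, content: bytes) -> str:
    """HMAC-SHA256 of a file image; the content itself is not protected."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


def build_manifest(key: bytes, files: dict[str, bytes]) -> dict[str, str]:
    """Developers' step: record the expected digest of each known-good binary."""
    return {path: compute_digest(key, data) for path, data in files.items()}


def scan(key: bytes, manifest: dict[str, str], files: dict[str, bytes]) -> list[str]:
    """Detective control: return every path whose current image no longer
    matches the manifest. Nothing is blocked (preventative) or restored
    (corrective); the caller turns the list into administrative alerts."""
    alerts = []
    for path, expected in manifest.items():
        actual = compute_digest(key, files.get(path, b""))  # missing file -> mismatch
        # Constant-time comparison so timing does not leak digest prefixes.
        if not hmac.compare_digest(expected, actual):
            alerts.append(path)
    return alerts


# Constructed known-good images, as shipped by the developers.
KNOWN_GOOD = {
    "/opt/bespoke/bin/app": b"ELF bespoke application v1.0",
    "/opt/bespoke/lib/helper.so": b"ELF helper library v1.0",
}
MANIFEST = build_manifest(MANIFEST_KEY, KNOWN_GOOD)

# Constructed post-incident state: the main binary has been altered on disk.
ON_DISK = dict(KNOWN_GOOD)
ON_DISK["/opt/bespoke/bin/app"] = KNOWN_GOOD["/opt/bespoke/bin/app"] + b" (tampered)"


def demo() -> list[str]:
    return scan(MANIFEST_KEY, MANIFEST, ON_DISK)


if __name__ == "__main__":
    for path in demo():
        print(f"ALERT: {path} does not match its manifest digest")
```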
Front of Flashcard 3 of 3
Your company is interested in implementing routine backups of all customer databases. This will help uphold availability because you will be able to quickly and easily restore the backed-up copy, and it will also help uphold integrity in case someone tampers with the database. What controls can you implement to round out your risk mitigation strategy and uphold the components of the CIA triad?
Back of Flashcard 3 of 3
You should consider the confidentiality component. The backups contain the same privileged information as the live copy and so must be protected by confidentiality controls. Access controls can be used to ensure that only authorized backup operators have access to the data. Encryption can be used as an additional layer of protection.