Information Security

Controls within Information Security are protective measures used against Threats to mitigate, or remove entirely, the effects of Vulnerabilities.

Dam analogy

Using a dam analogy, controls would be plugging the crack in the dam (the Vulnerability) to stop water leaking out as the water level rises (the Threat).

If something can’t be fixed quickly, it can be patched up to mitigate large failures of security. However, it is best to have thorough controls in place that reduce the chance of a Vulnerability being exploited as much as possible, or that soften the impact so that it doesn’t break the fundamentals of The CIA Triad.

Control Methods

Encryption

Encryption can be used as a control to stop Threats from exploiting Vulnerabilities, and so upholds The CIA Triad. The concept of encryption as a control is to scramble data so that it is meaningless to intruders who do not know how it was scrambled.


Software Controls

Software controls relate to programs. These programs must enforce security restrictions such that they mitigate or prevent the exploitation of Vulnerabilities.

Software Controls Examples

  1. Checking user passwords to see if they meet certain policies (e.g. minimum 8 characters, 1 number and 1 symbol)
  2. Checking user access rights: if a user doesn’t have a certain role they can’t access certain assets

Software Control Real-World Example

Take for instance a University website: the admin should assign correct access rights such that students enrolled in a specific course can only view the modules of that course. They shouldn’t be able to view anything beyond that, nor change anything (so the control enforces Integrity, Availability and Confidentiality).

Hardware Controls

Hardware controls relate to physical hardware that can be put in place to mitigate or prevent the exploitation of Vulnerabilities.

Hardware Controls

It can be something as simple as locks or cameras for monitoring, or more advanced controls such as hardware-based Encryption or Intrusion Detection Systems

Policies

Policies are rules that are set in place and must be adhered to. They are often overlooked, but they are very important because they underpin all the other control methods.

Policies and other control methods

A policy that requires a password to have a minimum of 8 characters and a symbol needs every new password to be checked against that criteria, so Software-based Controls are required to enforce it.
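The two software controls the note describes (the password-policy check under Software Controls Examples, and the access-rights check from the university-website example) can be written as one small enforcement module. The code below is an added example, not part of the original note or the lecture it expands on; the roles, course catalogue and sample passwords are constructed for illustration, and the policy values (8 characters, 1 number, 1 symbol) are the ones the note states.

```python
"""Added example (not from the original note): a small software control that
enforces the password policy the note describes (minimum 8 characters, at
least 1 number, at least 1 symbol) and a role-based access check modelled on
the university-website example. Roles, course data and sample passwords are
constructed for illustration."""

import string
from dataclasses import dataclass

# Policy values taken from the note: 8 characters, 1 number, 1 symbol.
MIN_LENGTH = 8
MIN_DIGITS = 1
MIN_SYMBOLS = 1

SYMBOLS = set(string.punctuation)


def password_violations(password: str) -> list[str]:
    """Return every policy rule the password fails (empty list = compliant).

    Reporting all violations at once keeps the control easy to use, which the
    note lists as a requirement for an effective control, instead of rejecting
    the password one rule at a time.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"must be at least {MIN_LENGTH} characters")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        violations.append(f"must contain at least {MIN_DIGITS} number")
    if sum(c in SYMBOLS for c in password) < MIN_SYMBOLS:
        violations.append(f"must contain at least {MIN_SYMBOLS} symbol")
    return violations


def password_meets_policy(password: str) -> bool:
    """True when the password satisfies every rule of the policy."""
    return not password_violations(password)


# --- Access-rights check (constructed roles and data) -------------------

@dataclass(frozen=True)
class User:
    name: str
    role: str                                # "student", "lecturer" or "admin"
    enrolled: frozenset[str] = frozenset()   # course codes the user belongs to


# Constructed sample course catalogue: course code -> module names.
COURSES = {
    "CS2IS": ["Lecture 1", "Lecture 2", "Lecture 3"],
    "CS2DB": ["Relational model", "SQL"],
}


def can_access(user: User, course: str, action: str) -> bool:
    """Decide whether `user` may perform `action` ("view" or "edit") on `course`.

    Default deny: anything not explicitly granted below is refused. Students
    may only view the courses they are enrolled in (Confidentiality) and may
    never edit them (Integrity); lecturers may edit their own courses; admins
    may do anything on a course that exists.
    """
    if course not in COURSES:
        return False
    if user.role == "admin":
        return True
    if user.role == "lecturer":
        return action in ("view", "edit") and course in user.enrolled
    if user.role == "student":
        return action == "view" and course in user.enrolled
    return False


def visible_modules(user: User, course: str) -> list[str]:
    """Return the modules of `course` the user may see, or [] when denied."""
    return list(COURSES[course]) if can_access(user, course, "view") else []


if __name__ == "__main__":
    for pw in ["short1!", "longenoughbutnosymbol1", "G00d-Pass!"]:
        print(pw, "->", password_violations(pw) or "OK")
    alice = User("alice", "student", frozenset({"CS2IS"}))
    print(visible_modules(alice, "CS2IS"))     # student sees their own course
    print(visible_modules(alice, "CS2DB"))     # but not another course
    print(can_access(alice, "CS2IS", "edit"))  # and cannot change anything
```

The access check is written default-deny on purpose: a role or action the code does not recognise is refused rather than allowed, so adding a new role later cannot silently grant access. The password check only enforces the composition rules the note lists; it is the software control that makes the policy checkable, not a measure of how strong a password is.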

Procedures

Procedures are methods or steps that are put in place; they are the official way of doing or completing something.

For control methods, procedures are simply the official way that actions should be taken (and/or documented) when dealing with a security plan. The security plan may include how to deal with Vulnerabilities, how to prevent Vulnerabilities being exploited by Threats, or even how to implement Controls.

It’s a crucial control because without it the response to an attack such as a Distributed Denial of Service, which renders services offline and affects Availability, would be slower and less coordinated.

Expanded upon CS2IS - Lecture 3

Fundamentals of Control Effectiveness

There are 2 fundamentals that must be upheld for controls to be effective against Vulnerabilities and Threats:

  1. Controls must be used properly to be effective
  2. Controls should be efficient to an extent, easy to use and appropriate for the task
    1. You can’t force someone to memorise a very long password
    2. Exam papers should be protected only up to the exam day, after which they can be revealed