How To Reduce Cyber Risks For Your Organization
July 14, 2023, 9 min read
A strong control environment design for cyber risks requires an understanding of the functions of the controls to be applied. In this article, I will briefly share my knowledge on this subject.
Unfortunately, despite all efforts, all system host vulnerabilities waiting to be discovered by a malicious attacker or a clumsy employee. Who knows what will happen when the time comes…
Organizations also try to manage these threats with the exercising of administrative, physical, and technical controls within a pre-defined risk appetite in an integrated manner. Policies in the administrative control category indicate which technical and physical controls should be applied, to what extent, and how. Technical controls, with their compelling algorithms, ensure that high-level definitions in policies/procedures are applied or keep notes on the extent to which they are applied. And of course, the presence of solid physical controls is also a must. Otherwise, someone may carry the data you protect with supersonic technologies along with the servers they are in.
It is not easy to implement the numerous control measures spread over these three control categories in an integrated manner, with an effort towards the absolute goal. The level of achievement of this also provides a picture of your cybersecurity maturity.
Defense in Depth
In today’s cybersecurity world, it is recommended to build a layered and in-depth defense structure in order to fend off continuous, strong, and persistent infiltration attempts. By forcing the attackers to overcome more than one control between multiple layers, their will is broken, necessary time is gained for detection and prevention, and opportunities are tried to be created to limit the attack.
In a layered and defense-in-depth understanding, the failure of one layer is designed to prevent the entire system from being compromised or brought down. The intensity of the controls at the layers is related to the criticality of the information presented and the costs that the company will accept along with its risk appetite. As a veteran, I can tell you that this is how a “stronghold defense” is done:
- Satellite and aerial reconnaissance vehicles, terrestrial reconnaissance, thermal cameras, night vision devices to detect competitors,
- Barricades, wire fences, and mines to prevent or direct them to destruction zones,
- Weapon systems of various kinds help to destroy, prevent or limit harmful interference.
The controls used in designing defense-in-depth are evaluated in terms of their function. Now, you may be asking what is the control function. This article is exactly for you.
A control function is a functionality expected of a control. We can list the control types according to their functionalities as follows;
- Deterrent controls,
- preventive controls,
- Compensating controls,
- Detective controls,
- Corrective controls.
Let’s now examine these control functions in turn.
1️ — Directive Controls
Guiding controls are proactive controls that provide guidance to all stakeholders, including employees, on the behavior patterns desired by the organization. In terms of cybersecurity, they are important thanks to their capability to increase the effectiveness of other controls. However, this type of control is not very effective in preventing cyber attacks by itself.
The most common examples of directive controls are organizational security policies and procedures. An example of this control function is the Acceptable Use Policy (AUP). Listing what can/can’t be done with information assets in the organization, the AUP provides a list of appropriate behaviors that all staff should follow. All employees must accept and sign the AUP before being granted access to any corporate information asset.
Another example of directive control is awareness programs. These programs include tutorials, phishing emails, e-mail newsletters, etc. – studies are included. By the way, let me tell you that awareness training, as a very popular practice, has similar content almost all over the world: Privacy (like GDPR) basics, information security practices, cyber threats, and the obligations and duties of employees… If you come across different content, please let me know.
Standards, control frameworks, and guidelines in the field of cyber security are also effective directive controls. For example, CIS Control Framework, NIST Cybersecurity Framework, AICPA Cybersecurity Risk Framework, COBIT, SOC for Cybersecurity, ISO27001, NIST 800 Guidelines, CMMI, CCM, Star certificate… These standards provide us with the criteria for what should be and how we can improve the current maturity of the cybersecurity environment.
Directive controls are dramatically influenced by organizational ethics and risk culture and risk appetite. Their implementation, like any other control, should be monitored and enforced.
2 — Deterrent Controls
You might think that every control has a deterrent function. And that’s absolutely correct, though. For example, having strict access controls on your systems can persuade some potential attackers to take up easier targets. This is based on a simple financial calculation: ROI (Return on Investment)
For attackers, the effort required to circumvent the controls should be reasonable in terms of the reward they may capture. It is considered that in a scenario where malicious users know that their acts and transactions are logged and monitored, they would be more reluctant to commit a harmful action just for fun. Because if they are sure that anonymity is removed, and they can be identified and associated with their actions will make them think twice. In addition, the inclusion of sanctions regarding security violations in HR policies will prevent such actions from being seen as a leisure pastime.
Of course, all these considerations alone cannot stop a determined aggressor from their acts. We know that as the attacker’s capabilities and determination increase, so should the complexity and costs of controls to deter potential attacks.
3 — Preventive Controls
Preventive controls are a proactive control function. And they are often triggered by detective controls if predefined rules are violated.
Today, we give more importance to preventive controls. Because it is very difficult to predict where the effects of unpreventable attacks will reach. That’s why we use a layered security strategy that allows the vulnerability to be overcome through secondary (compensatory) or even tertiary or redundant controls if primary controls fail.
In order to prevent unauthorized access of attackers to systems; asset and configuration management, vulnerability management, security testing, penetration testing, red and blue team exercises, security, user awareness training, application security, and secure software development lifecycle (S-SDLC) are also preventative controls. Also, firewalls, IPS, Web, and Email Gateways are examples of preventive controls. However, let me also point out that;
None of the security technologies can be seen as a control measure, without the necessary configuration, rule, and policy settings…
If the attacker succeeds in infiltrating the system, the controls to increase the authority or to prevent them from seizing their targets are; network segmentation, Internal Firewalls (rules), access control lists (ACL), IPS, Network Access Control (NAC), antivirus software, anti-malware, anti-malware web gateways, endpoint security software.
Controls such as encryption of data with cryptographic keys, transparent data encryption (TDE), KMIP, tokenization, data masking, data classification, and database access monitoring are also some of the preventive controls to limit unauthorized access to target information assets.
4 — Compensating Controls
Controls that help in reducing the risk to an acceptable level in cases where the primary controls do not perform the expected functions are called compensatory controls.
If key controls in an existing system are not sufficient to achieve the control objective, other technologies or processes can be used to supplement the existing control environment, bridge the gap in controls, meet policy requirements, and reduce overall risk. The case of zero-day vulnerabilities is a striking example in this regard. The current control structure is designed to meet current or foreseeable threats, and to some extent, it can. However, if a previously undetected vulnerability is used in an unexpected way in the software we use, the existing controls may not be sufficient to meet this threat. In this case, additional resources, and measures will be needed; such as reinforcement incident management capability from a vendor that provides cybersecurity services.
In addition, temporary solutions implemented to adapt to a short-term change or to support the development of a new application can also be considered within this scope. For example, when testing applications, changes to access controls may be necessary to support data center consolidation efforts or even a short business relationship with another company. Keep in mind;
When evaluating compensatory controls;
– It provides the relevant control objective,
– It should be ensured that it does not trigger threat agents by influencing different risks.
5 — Detective Controls
Detective controls, which are a type of proactive control, are controls designed to detect threat agents in a timely manner and to take necessary actions quickly. Appropriate structuring of detective controls, which represent the earliest point in the post-event timeline, will also increase the effectiveness of preventive or corrective controls. In cases where detective controls are inadequate, the impact of threats can go far beyond acceptable levels.
Let me explain the issue with an example. Access controls are used aggressively to prevent malicious events with the least privilege. In this context, access privileges provided to an authenticated user help reduce the related security risks by limiting the user’s capabilities within the framework of the organizations’ access strategy. It allows taking log records of user transactions, transferring them to SIEM technologies, monitoring the user over SIEM, and taking timely action for activities other than acceptable transactions.
Detailed Explanation of Detective Controls
Let’s go deeper a little more. In defense-in-depth, it may be necessary to control cyber attacks with different control measures at different stages. Let’s say the attackers managed to infiltrate our systems. Unfortunately, we were not able to detect and prevent it in time. In this case, our defense strategy will focus on restricting the attacker’s reach and enabling them to terminate their activities without further impact. The attacker will try to increase their authority by stealing privileged accounts and discovering sensitive data by scanning for additional targets. In this case;
- Creation of new administrator accounts,
- Sudden activation of existing but never used or previously deactivated accounts,
- Sudden login from multiple IP addresses for application accounts,
- Simultaneous login from multiple locations,
- Experiencing network traffic between systems that have never interacted before,
- User systems (laptops/desktops) that have abnormally intense communication with each other,
- Systems that attempt or achieve to circumvent internal network partitioning limits,
- Repetition of a particular system/device as shown in the logs or alerts,
Requests to disable or change logging,
- Traffic will be observed in new listening ports and undefined or non-standard ports.
During these activities, the attacker will perform scans that may result in large volumes of log entries. A well-defined SIEM structure will create the opportunity to detect the activities of the attacker in a timely manner and to take the necessary actions. In the opposite case, the ability of the information security team to control the event will decrease, as the attacker can disable log recording and warnings by gaining administrator access rights.
The fewer system and administrator accounts the attacker controls, the easier it will be to permanently recover the system from this attacker.
Let’s say you couldn’t stop the attacker in time. In this case, log records will help you determine what the attacker has done, which systems of yours are affected, which data is disclosed, and which data is extracted, and in this way, you can put in place adequate corrective controls.
Log records provide us with the following information about the incident, providing information on understanding the scope of the attack, determining responsibilities and what to do to prevent similar incidents from recurring;
- What happened?
- Who did?
- What did they get?
- Which systems/data are compromised?
Thus, “non-repudiation”, one of the most important principles of information security, is also ensured.
Other examples of detective controls are Firewall rules, intrusion detection systems (IDSs), virus detection systems, Web filtering, Web and Email Gateway systems, DLP technologies…
6 — Corrective Controls
Any security incident indicates the failure of the directive, deterrent, preventive, or detective controls. In this case, a different control function is needed for the system to return to its previous order: Corrective controls.
Among the controls within the scope of this control function;
- Antivirus solutions that ensure the elimination or quarantine of malicious software in the system,
- Plans for restoring deleted or encrypted data from backups (DRP)
- Active intrusion detection systems that can change the environment to stop an ongoing attack,
- I can cite Incident Response Plans (IRP) and Incident Response Guides (playbooks) that outline the actions and tasks required to contain an incident.
Cyber threats have become a major concern for both individuals and organisations in today’s interconnected world. It is no longer just an IT problem, but an organisational one. C-suite leadership must collaborate with IT professionals to build a resilient workforce and implement new security policies and strategies for cyber security. Prepare to detect and contain system breaches by taking advantage of our extensive product-specific cybersecurity training and industry-recognized certification prep courses. You should discover Averest Training Cyber Security Courses here to protect your business.
In terms of cybersecurity, I would like to emphasize that which of the control functions and types. I have briefly introduced here to use should be decided by a rigorous risk assessment to be carried out in organizations. Otherwise, it will not be easy for the organization to create the expected value due to the disruption of business processes.