Last Update: Dec 4, 2023
CompTIA CySA+ CS0-002 Practice Test Questions, CompTIA CySA+ CS0-002 Exam dumps
Identify Security Control Types
1. Identify Security Control Types (Introduction)
In this section of the course, we're going to cover how you can identify security control types. Now, our focus in this section is going to be on domain five, objective 5.3: explain the importance of frameworks, policies, procedures, and controls. Now, as we move through this section, we're going to start out with the different roles and responsibilities associated with cybersecurity. And then we're going to move into the role of the security operations center and how it integrates into the overall organization. This is going to lay the groundwork for us as we begin to think about the role of a cybersecurity analyst and where one might work on a daily basis. Then we're going to dig into the National Institute of Standards and Technology Special Publication 800-53, which provides a catalogue of security and privacy controls for all U.S. federal information systems, with a special focus on the three control categories that are tested on the CySA+ exam. After that, we're going to describe the methods of selecting controls to mitigate vulnerabilities and enforce the confidentiality, integrity, and availability of our systems and networks. So let's get started.
2. Cybersecurity Roles and Responsibilities (OBJ 5.3)
Cybersecurity roles and responsibilities. In this lesson, we're going to talk about some of the various roles that exist inside the cybersecurity space. Now, if you're taking this course, you're taking the cybersecurity analyst course, and that is one of the roles that exist within this wide world of cybersecurity. There are many different roles, such as specialist or technician, which are covered more in the Security+ exam. These are people who will actually do the hands-on configuration of a system and do things under the direction of a cybersecurity analyst. There are also cybercrime investigators who work a lot in the digital forensics realm. We'll talk a little bit about that in this course as well. We'll also talk about incident response analysts. These are people who are focused on responding to a data breach or other type of cyberattack that happens across your organization. We'll cover this in this course as well. And then there's the cybersecurity analyst, which is a large, overall, encompassing term for a lot of these other areas as well as a senior position inside most organizations.
And then we'll talk about a penetration tester. Now, a penetration tester is somebody who breaks into somebody's systems with their permission to identify their vulnerabilities. We'll also talk about that inside this course as well, because that is one of the roles that a cybersecurity analyst may fill. Additionally, you might be at a management level, so you might be a manager, or you might be an engineer. And an engineer is focused on building tools and techniques and designing the entire system at a very large level for the organization. And then the analysts will operate the day-to-day systems to make sure those things are done correctly.
And finally, we have the CISO, which is our chief information security officer. We'll talk a little bit more about that in a second. Now, when I talk about a cybersecurity analyst, according to CompTIA, this is a senior position within an organization's security team with direct responsibility for protecting sensitive information and preventing unauthorized access to electronic data and the systems that protect it. Essentially, they are our network defenders. They are responsible for hardening and protecting our networks, our servers, our laptops, our desktops, and our smartphones. Any device that processes or uses our information is covered by the role of a cybersecurity analyst. Now, cybersecurity teams will often contain both junior and senior analysts. Now this is important because if you're taking this course and you're brand new to cybersecurity, you're going to be looking for the role of a junior analyst working underneath somebody who is much more senior. Now, one of the things that is very troublesome for a lot of people is that they'll go out and get a certification and think they're going to immediately get a job at the analyst level.
And the problem is that analyst is an intermediate- to senior-level position. So even a junior-level analyst tends to have two to four years of experience working as a cybersecurity specialist or technician first before getting hired into the role of an analyst. So keep that in mind when you start going out into the job market to figure out where you're going to fit to be able to get a job as an analyst. You are going to be expected to have a couple of years of experience already working within IT and IT security at that lower level as a specialist or a technician first. Then you'll work your way into being a junior analyst and eventually a senior analyst. And both of these roles will be encompassed by that cybersecurity team. A team might have five or ten junior analysts and one or two senior analysts who are overseeing their actions. Now all of these folks are going to report upward in the chain of command inside your organization to the Chief Information Security Officer.
This is a senior position that resides in the C-level, which would be your chief executive officer, your chief information officer, your chief operating officer, and your chief information security officer. All of these people work together to lead and provide governance for the organization. And the daily running of the analyst team is going to be left to those senior analysts or the senior cybersecurity managers. Those people are going to be reporting up to the Chief Information Security Officer. Now, what are some of the different functions that a cybersecurity analyst might perform? Well, a cybersecurity analyst is going to be responsible for implementing and configuring security controls, things like your firewalls, your intrusion detection systems, and other threat management appliances and software. It's going to be your job to figure out what you're going to do to best protect the network using these technical controls. You may also be responsible for working within a SOC, a security operations center, which we'll talk more about in the next lesson. You may also be part of a computer security incident response team, or a CSIRT.
These are the people who work to respond to those data breaches and cyberattacks that occur within your organization. Another role you might see is something like auditing security processes and procedures. This allows you to perform due diligence on your third parties that you're working with, provide employee training and do assessments on your own systems, and make sure your security controls are in place and working properly. Another function you might do is conduct things like risk assessments, vulnerability assessments, and penetration tests. And when you do that, you're going to gather all the details you get, look at that information, process it, and then make recommendations on how to better secure the network by adding additional security controls or additional procedures to your organization.
And finally, you're going to be responsible for maintaining up-to-date threat intelligence and awareness on all of the different issues that are out there in the marketplace. So if your company works in one sector and you see that that sector is being targeted by attackers, you need to be aware of that so you can start putting appropriate countermeasures in place to help protect your organization. Also, you may be asked to advise on legal compliance and regulatory issues because that is all part of this idea of a cybersecurity analyst as well. Now, when you think about a cybersecurity analyst, what makes a good cybersecurity analyst? Well, they should have two key features: they should be creative thinkers and they should be problem solvers. Now, problem solving is essential in the job of a cybersecurity analyst because your job all day is to collect all of these small bits of information from various systems and, based on all of the threat intelligence you have and your own common sense, put it all together and try to figure out exactly what the problem is, how you can devise a solution for it, and how to communicate those solutions to a non-technical audience.
For example, if you're asked to brief a senior manager or the chief executive officer, who may not be a technician and may not understand it, you need to be able to break down what the problem is in nontechnical terms to explain to them the issue and what you propose to do to solve their challenge. Finally, when you put all this together and start dealing with things like incident response, things happen and you have to think on your feet, be able to problem solve, and be able to deal with these things in a high-pressure situation calmly and still use good decision making and problem solving to solve your issues.
3. Security Operations Center (SOC) (OBJ 5.3)
If you get a job as a cybersecurity analyst, you are most likely going to start work at a security operations center, also known as a SOC. Now, a SOC is a location where security professionals monitor and protect critical information assets within the organization. Essentially, this is a single point of contact where all the data comes in, and we have analysts on duty who can go through the information and try to find out what is happening within the network. Essentially, think about this as a security monitoring center. Inside this, you're going to have a lot of junior analysts overseen by a senior analyst who is going to be looking daily through all of the logs and all the other information on the network to try to find what's known as an indicator of compromise.
Now, we're going to talk more about indicators of compromise later, but essentially think of them as a fingerprint of something bad. This is an indication that something bad has happened within your network, and incident response may be needed. Now, SOCs are usually going to exist for larger corporations, government agencies, and healthcare organizations. This is because it costs a lot to establish, maintain, and run one of these SOCs. For this reason, a lot of smaller companies will not have their own SOC. But instead, they can outsource this service to a third-party commercial vendor who can monitor their network and provide security as a service for that organization. Now, there are a couple of things that every SOC needs to have in order to be successful.
First, they must have the authority to operate, and they get this through organizational policies and procedures. That gives them the authority to be able to do their job and tell other parts of the organization what needs to happen. This is important because if you're dealing with an incident response and you need to shut down a server to stop the infection, that can have effects on the business. And so the SOC has to be empowered to make those decisions if needed. Second, we need to make sure that we retain motivated and skilled professionals within our organization. It's not enough to just have somebody sitting in a seat watching a screen. They need to know what they're looking at. They need to be able to think critically. If we could just automate this, we wouldn't need people. But we can't. We need to have people who can do the analysis and figure out what is good and what is bad inside this mountain of data we're going to be collecting.
Third, we need to incorporate processes into a single center. Now, this is going to happen for some business processes, but mostly for security processes and IT. Now, the one thing you need to make sure of is that your SOC doesn't become your service desk. That's not their job. You should have a service desk that works on the IT side. But if you start dealing with things like access management, identity management, and any kind of incident response, all of that should be handled by the SOC. And so your SOC is going to be your single operations center for all of your security issues. Also, they need to be equipped to perform incident response because bad things are going to happen. And when they do, the SOC is going to lead the charge in getting those things resolved and getting the network back to a secure and well-known baseline. Also, the SOC must be capable of protecting itself and the organization, because the SOC isn't just looking outward at all the bad guys and what they're attempting to do to the organization's network; the SOC itself may come under attack.
Now, if the SOC itself comes under attack and their systems become compromised, they're not going to see all the bad things that are happening on the organization's network either. So it's important that they also protect their own systems. And this is something that many SOCs overlook. So keep that in mind as you start building out your own SOC. Additionally, we want to make sure that the SOC can separate the signal from the noise. Now, what I mean by that is that there is so much data coming in, we're going to have gigabytes and terabytes of data every single day. And as people, we can't go through all that data ourselves, individually reading every single line. So we're going to have to automate some things. We need to start distinguishing between what is known good, what is known bad, and what we don't know. And the stuff we're not sure of is really where we're going to spend most of our time as SOC analysts.
Because if we already know something is bad, we should block it. And if we know something is good, we should allow it. But it's that stuff in the middle that we're not quite sure about that requires additional analysis by a SOC analyst. And finally, we need to make sure we're collaborating with other SOCs to be able to share data between ourselves. This is critical because if I see something bad on my network and tell my friend who works at another company, he will now be on the lookout for it in his network as well.
The same thing happens if one of my friends finds something in her network. She should tell me about it so that I can know about it as well. So this is one of the things that SOCs do a lot of: they do a lot of information sharing as part of threat intelligence. That way we are all using the same information. We all know what bad things are out there, so we can better protect ourselves against them. Now, one big thing I want you to keep in mind when you think about a SOC is that the SOC should be your single point of contact for security monitoring and incident response. And you want to make sure you have good, skilled professionals working in your company so you can do these three functions well and protect your organization.
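The known-good / known-bad / unknown split described in this lesson, together with the effect of indicators shared by another SOC, can be sketched in a few lines. This is an added example, not part of the original course; the log format, host names, indicator sets and function names are all constructed for illustration (addresses come from the documentation ranges).

```python
from collections import defaultdict

# Constructed indicator sets.
KNOWN_GOOD = {"updates.example.com", "192.0.2.10"}
KNOWN_BAD = {"203.0.113.66"}
PEER_SHARED_BAD = {"198.51.100.23"}  # indicator reported by a peer SOC

# Constructed proxy-style log: "<time> <host> <destination> <bytes>"
SAMPLE_LOG = """\
2023-12-04T09:00:01Z ws-014 updates.example.com 5120
2023-12-04T09:00:07Z ws-022 203.0.113.66 880
2023-12-04T09:01:15Z ws-014 198.51.100.23 240000
2023-12-04T09:02:40Z ws-031 files.example.net 1500
2023-12-04T09:03:02Z ws-022 198.51.100.23 310000
2023-12-04T09:04:19Z srv-02 192.0.2.10 64
malformed line without enough fields
2023-12-04T09:05:55Z ws-031 files.example.net 900
"""


def parse_events(text):
    """Parse log lines; keep unparseable lines instead of silently dropping them."""
    events, rejected = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            rejected.append(line)
            continue
        ts, host, dest, size = parts
        events.append({"time": ts, "host": host, "dest": dest, "bytes": int(size)})
    return events, rejected


def triage(events, known_good, known_bad):
    """Known bad -> block, known good -> allow, everything else -> analyst.

    Known-bad is checked first so a destination on both lists is blocked.
    """
    buckets = {"block": [], "allow": [], "analyze": []}
    for ev in events:
        if ev["dest"] in known_bad:
            buckets["block"].append(ev)
        elif ev["dest"] in known_good:
            buckets["allow"].append(ev)
        else:
            buckets["analyze"].append(ev)
    return buckets


def analyst_queue(unknown_events):
    """Group unknown traffic by destination, largest transfer volume first."""
    summary = defaultdict(lambda: {"events": 0, "bytes": 0, "hosts": set()})
    for ev in unknown_events:
        entry = summary[ev["dest"]]
        entry["events"] += 1
        entry["bytes"] += ev["bytes"]
        entry["hosts"].add(ev["host"])
    rows = [(dest, s["events"], s["bytes"], sorted(s["hosts"]))
            for dest, s in summary.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    events, rejected = parse_events(SAMPLE_LOG)
    for label, bad in (("local intel only", KNOWN_BAD),
                       ("with peer-shared intel", KNOWN_BAD | PEER_SHARED_BAD)):
        buckets = triage(events, KNOWN_GOOD, bad)
        print(label, {k: len(v) for k, v in buckets.items()})
        for row in analyst_queue(buckets["analyze"]):
            print("  needs analysis:", row)
    print("unparsed lines:", rejected)
```

With only local intelligence, the two hosts talking to 198.51.100.23 sit in the analyst queue; once the peer's indicator is merged, that traffic moves to the block bucket and the queue shrinks to the one destination that is still unknown.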
4. Security Control Categories (OBJ 5.3)
Security control categories. Now, in this first section of the course, we are going to talk about security control categories, but we're not going to dive too deep into them yet. We will return to them several times throughout the course. But for now, we just need a basic understanding to be able to start framing our discussions throughout the next couple of sections. Now, as far as cybersecurity is concerned, we have to go through a process of risk management to identify the different threats and vulnerabilities to our networks. Once we do that, we have to find a way to mitigate those risks. And how do we do that? Well, we do that by implementing effective security controls. Now, a security control is a technology or procedure that's put in place to mitigate vulnerabilities and risk in order for us to ensure the confidentiality, integrity, availability, and non-repudiation of data and information. If you've taken your Security+ already, you're probably familiar with these terms known as the CIA Triad, and they are very important in Security+ and again here in CySA+.
Now, historically, we used to take our security controls and just deploy them in any way that we could based on a reactive posture. So when something new came out, like people trying to break into our networks, we would say, "Hey, we need a way to block that access." How do we do that? Let's put up a firewall. And so firewalls became a big thing. After a while, we started seeing that people stopped going through because there were firewalls. They created viruses and worms to try to break into our networks. So what did we do? We added antivirus, and on and on it went, where the attackers did something, and the defenders then did something in retaliation to that, trying to stop the attackers from getting in.
Well, this hodgepodge way of being reactive never lets us get ahead of the game. And so we are always basically one step behind the attackers. So we have to figure out a better way to do security. And the way we do that is through using a risk management framework and being able to take our security controls and select them and deploy them as part of an overall framework. If we know what all of our risks are, we can then prioritise them, mitigate them, and start putting in a holistic approach to be able to prevent these issues and these attackers from breaking in. This process allows us to start selecting primary controls and complementary controls to work together to provide us a layered security approach known as "defense in depth."
Now, the way we classify these different security controls comes out of a publication known as NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. If you want to read this document, you can simply Google the name and it will come up. It is a publicly available document. For the exam, you do not need to read this document, and you don't need to know everything that's in it. But there are a couple of important things that we're going to get from this document. For example, inside this document, there are 18 families that are broken out, such as access control, accountability, incident response, risk assessment, and many others. Now, as we go through these, they give us different ways to classify our different controls. For instance, is this control focused on accountability?
Is it focused on access control? Is it focused on our ability to do incident response, or whatever those things are? Now, as I said, this is a federal government publication from the National Institute of Standards and Technology. However, there is a framework known as ISO 27001 that is used all over the world. This framework is a proprietary one, though, and it does cost money to use it. Now, because of this, the NIST standard is actually widely used both here in the United States and around the world because it is free and is a great resource that anyone can use. Previously, each of these different families belonged to a class in earlier versions of the 800-53. And we were able to categorise things based on these different controls and categories and families that we had.
For instance, we used technical, operational, and managerial as three big classes or families of controls. Now, as we look at these, we can define each one. When we talk about a technical control, this is going to be a category of control that is implemented as a system. So we're going to have some kind of hardware or software or firmware. This is also known as a logical control. Now, for example, if I install a firewall on your network, that is a technical control. If I put an antivirus on or patch your operating system, these are all different logical or technical controls. Next, we have operational. Now, operational is a control that's implemented primarily by people instead of using systems. So in this case, we might be looking at adding security guards to make sure people don't break into our building. We might train all our employees on how to not fall for phishing scams. Both of these are operational controls, not technical controls. The third category we have is managerial controls, and these are controls that give oversight of your information system. So we might have things like risk identification or using different tools to be able to evaluate and select different controls by using things like vulnerability scans and remediations. All of these would be considered an oversight or an assessment, and thus a managerial control.
Now, while these three categories of controls are very useful for us to think about our different controls and where they fit inside the organisation of our network, they were actually removed from NIST Special Publication 800-53 in revision 4. And all of the newer versions of the 800-53 no longer classify families of controls in this way, calling them technical, operational, or managerial. But this is still a useful way to think of things. And so CompTIA has chosen to still use this in the CySA+ exam objectives. Now, one more thing that often confuses students is that sometimes these controls seem to merge together. This is one of the reasons why NIST actually has eliminated these control families. For example, some things might be both operational and managerial. And so what do you call that? Well, because of this, some people have started creating additional categories. For instance, there is one known as an administrative control.
Now, administrative control is where you can't really distinguish between operational and managerial. As a result, they are mashed together in this hybrid known as an administrative control because these things frequently work together. So what's a good example of something that might be considered an administrative control? Well, let's say you have a vulnerability management programme inside your organization. I'm not talking about a programme like the thing you run on your computer. I'm talking about a programme such as the organisational framework of the policies, the procedures, and all the other things that it takes to do vulnerability management. Well, if you have that in your organization, this is going to be governed by the managerial process. That's the oversight of the information system. But it also has operational controls that tell your technicians what they need to do and when. How do they perform a scan?
How do they respond to a scan? What do they do if something bad happens? And then there's also the technical part of this too, right? Because on the technical side, you have a programme like Nessus that you're using to run these scans, and you're running your reports and doing your automated scanning. All of these things work together, which is one of the reasons that NIST started to break away from these categories, because a single control like a vulnerability management programme actually could fit into the operational, managerial, administrative, or even technical categories as well.
If you're talking about the technical and logical side of this, these are the kinds of things that start getting mixed up, and a lot of students have trouble separating them out into individual categories because of this. Now, for the exam, you're not going to see a question that says, here's a control; which of these three is it? But you need to think about the way that these controls could be categorised because it could help you as you're figuring out what the solution is to a given problem, especially in the real world. Now, as far as the exam goes, let me give you one quick tip. You do not need to go and read the entire 800-53; as I said before, it is a good thing to use as an on-the-job resource. And so it's something you should be aware of, but you don't need to go and read it and know all of the different designations out there. Also, don't fight the exam. I know that as of Rev. 4, the NIST 800-53 does not have these control families anymore. But the exam will still talk about these control families. I don't want you to get hung up on that when you take the exam. Remember, for the exam, you do not need to memorise the different family designations, but you should be familiar with the basic concepts that are presented inside the 800-53. And we are going to talk a lot about that as we go through this course and mention different types of controls that you can use to protect your networks.
Now, you may remember back in Security+, you talked about some other security control types, and these are known as functional types. Now, even though we've abandoned the idea of categories or families, it's still helpful to categorise these things according to the goal or function they may perform. And so we have three different types here. We have preventative, detective, and corrective. Now, when we talk about a preventative control, this is a control that acts to eliminate or reduce the likelihood that an attack can succeed. So for example, if I put in an access control list on my firewall, I am using a preventative type of control. I'm trying to prevent you from accessing my network. Now, will it stop you 100% of the time? No. But it is going to help prevent a lot of the attacks before they can take place.
And so we deal with things like ACLs and firewalls, antimalware solutions, or intrusion protection systems. These are all things that fall into the preventative category. Now, another thing we have is what's known as a "detective control." A detective control is any control that may not prevent or deter access, but it will help identify and record any attempted or successful intrusion. The most common one is what's known as "logs." Anytime you log something that's happening, you are using a detective control because you can go back in those logs, identify what happened, and put the pieces back together. Another good example of this in the physical world would be a security camera. If you have a security camera in your house, it doesn't stop me from smashing the window and jumping in and stealing your TV, but you can record the fact that I did it, and then you can go backward, put the pieces back together, and say, "Jason broke into my house and he stole my TV."
And here's the proof. I have the detective evidence from it because I was able to see what happened because I recorded that attempt. The third one we have is what's known as a corrective control. Now, this is a control that acts to eliminate or reduce the impact of an intrusion event. So with the idea of a corrective control, we might have something like a backup system. If I back up all my files to an offsite backup, even if my system was compromised, I still have all my data successfully stored offsite, and then I can correct the issue by restoring the system and restoring that data back onto the system just like it was before the intrusion occurred. Another good example of this would be things like patch management systems.
When we know we have a vulnerability that has been exploited, we can deploy a patch to correct it across all of our systems and networks to prevent it from being exploited again. Now the big thing you have to think about when you deal with security controls is that there is no single security control that is going to be perfect. Everything has some kind of vulnerability to it. And so when we measure a security control's effectiveness, we really need to determine how long it can delay an attack. The longer it can delay the attack, the more effective that security control is going to be for us. And that way, we can actually use all these controls together to build a good defensive posture. Now, in addition to these preventative, detective, and corrective controls, there are a couple of other ones that we need to talk about. These are physical, deterrent, and compensating. When I say physical controls, I'm referring to security measures that prevent an in-person intrusion attempt. Alarms, gateways, locks, bollards, lighting, security systems, and security guards are all examples of these security measures. All of these things can deter and detect access to our premises and the hardware that's contained within our buildings. So when you think about physical controls, they can be detective, they can be preventative, they can be corrective. These are an additional category. They're not an either/or. So you can be preventive and physical (for instance, a lock), or you can be detective and physical (for instance, a security camera). The second control we have is a deterrent control. This is any type of security control that discourages an intrusion attempt.
Now the control may not be something physically or logically there that can prevent access, but it can try to tell the person, "Hey, you shouldn't attack us here." Have you ever walked through a neighborhood, for example, and seen the sign in front of somebody's house that says, "This house is protected by ADT security"? Whether or not they actually have an alarm system doesn't matter. That sign is a deterrent control. It tells a burglar that this house may be protected, and you may not want to go here. That's the idea of a deterrent control. Now the next one we have is what's known as a compensating control, and this is a type of security control that acts as a substitute for a principal control. Now what do I mean by that? Well, when I talk about a principal control, this would be the best level of protection you can get, but maybe you can't afford that. And so you need to do something else that isn't quite as good, but it will still give you some benefit.
That's the idea of a compensating control. Generally, a compensating control is going to be recommended by a security standard, and it will give you equivalent protection to what the better technology might be. But it's a different way of achieving that. For instance, let's say you wanted to make sure your password security was good so that you could have good authentication in your systems. Well, you can achieve that in two different ways. You can have very long and complex passwords that are changed every 30 days. For instance, something that's 16 characters long with uppercase, lowercase, and all that crazy stuff. But that's really hard for your users to remember. Or you might give them a smart card and a PIN, and by doing that they have to remember a four-digit number and put their card into the system.
That's a lot easier for the user. And it's actually equivalent or better than the original control of that 16-character-long strong password because it's two-factor authentication. So even though the standard might have said you must have a long, strong password, if you substitute that with the compensating control of a smart card and a PIN number, that's equivalent or better protection, and so you can substitute that as a compensating control instead. Now, whenever you do all of these different security controls, one of the big things you have to do is pick which controls you want to use. For instance, do you want to use that long, strong password or that smart card and PIN number? And that's what we're going to talk about in the next lesson. We'll begin to discuss how we choose our different controls.
5. Selecting Security Controls (OBJ 5.3)
Selecting security controls. Now, as we covered in the last lesson, there are lots of different security controls out there, and we just talked about the general categories, but under each category, there are hundreds and thousands of different controls, and lots of these controls will do the same thing or give you the same benefit. So how do you select the security controls you want to use? Well, one of the best ways to do that is to think in terms of the CIA. If you think about confidentiality, integrity, and availability, you can make sure you have proper coverage in each of those areas, to make sure you're creating security for your system.
Let's consider the following example of some technical controls. First. What if I had an encrypted hard drive on a laptop? Which type of control is this? Am I upholding confidentiality, integrity, or availability? Well, if you think back to your SecurityPlus studies, you'll remember that anytime we're dealing with encryption, we're really dealing with confidentiality because we're trying to make sure that nobody's prying eyes can see our data. If we encrypt our drive, nobody can access the information on that drive without that encryption key. and that is going to maintain confidentiality. But it doesn't really do anything for integrity or availability, so it only upholds the C in CIA. What if I decided I wanted to use digital signatures on my emails?
Well, again, thinking back to security plus, a digital signature is essentially a hash of the email you're going to send, encrypted with your digital private key. Now, if you remember, a digital signature doesn't encrypt the email itself. It encrypts the hash. And when we talk about hashes, we're always talking about integrity. And so what we're dealing with here is upholding integrity by using a digital signature. It doesn't do anything for confidentiality, and it doesn't do anything for availability. So, again, we're only dealing with the eye of the CIA. How about a third example? What if I'm dealing with a cloud product, and it has the ability to instantly scale up or scale down using its elasticity to meet demand? Which would it be? Would it be confidentiality, integrity, or availability?
Well, availability, because we have the ability to take on as much traffic as somebody can send to us because we can instantly scale up and accept that load. So, again, this doesn't give me anything for confidentiality. It gives me nothing in terms of integrity. But it's all about availability. So each of these three things on their own can give me CI or A, but they can't give me all three. And that's the idea here. If none of these technologies alone can give us confidentiality, integrity, and availability, if I combine them all together, I can get the tenants of security. That is why it is critical to use your risk management framework to determine what risk you are attempting to solve. Is it a confidentiality risk? Is it an integrity risk, or is it an availability risk?
Or is it all three? And if so, you may need to select multiple controls to be able to deal with that. So how do you decide which security controls you're actually going to apply? Well, again, this is going to depend on your risk and what you're trying to mitigate. Let's walk through an example together. Dion training, my company has recently implemented routine backups of our databases to ensure that we can quickly recover if a database is ever corrupted or infected. Now, our backup solution also uses hashing to validate the integrity of each entry as it's being written to that backup device. Which technical control would you recommend adding to ensure the tenants of the CIA are upheld? Now, I'm not even giving you multiple choices here, but I want you to think about this. If you have a backup solution, and that backup solution is backing up a database, that's going to be availability, right?
And then if we're dealing with hashing, that's going to give us integrity. So I have the I and the A covered, but I don't have confidentiality. So what could I do to give you confidentiality? There are lots of answers out there, but I'm going to present you with just two. First, I might think about adding an access control system. By having an access control system, I can control which users can access that backup and have access to the data. Because remember, that backup has all of our live data as well. And so by using the right user permissions, that would be one way to maintain confidentiality. Now, another way we could do it is wecan encrypt those backups, because if those backups getlost and somebody could read them, that would bebad, that would breach our confidentiality. So we can use encryption as a way to uphold confidentiality. Or we might use both of these controls because we're worried about the wrong people accessing the data and we're worried about the loss of the data if somebody took the database out. And by having it encrypted, that would solve that problem too. So that's the idea when you start thinking about these security controls.
And as a cyber-security analyst, you are going to do this a lot in your job. You're going to look at a problem, you're going to look at a vulnerability, and then you're going to decide, "What can I do to solve this vulnerability?" How can I mitigate this risk? And by going through and syncing through the CIA part of it, you can think of what controls can help in each of these areas and give you more holistic coverage over the entire vulnerability and how you can best mitigate it.
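The backup scenario from this lesson, as an added example that is not part of the course material: a Node.js (CommonJS) sketch showing that per-entry hashing detects changes but leaves the data readable, while encrypting the hashed entries closes the confidentiality gap. The sample rows are constructed, and the function names and the choice of SHA-256 and AES-256-GCM are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed sample rows standing in for database entries (not real data).
const SAMPLE_ROWS = [
  { id: 1, student: 'alice@example.com', course: 'CySA+' },
  { id: 2, student: 'bob@example.com', course: 'Security+' },
];

// Existing control in the scenario: a hash stored with each entry (integrity).
function hashEntry(row) {
  const data = JSON.stringify(row);
  const sha256 = nodeCrypto.createHash('sha256').update(data).digest('hex');
  return { data, sha256 };
}

// Recompute the hash on restore; false means the entry changed after backup.
function verifyEntry(entry) {
  const actual = nodeCrypto.createHash('sha256').update(entry.data).digest('hex');
  return actual === entry.sha256;
}

// Added control: encrypt the hashed entry with AES-256-GCM (confidentiality).
function encryptEntry(entry, key) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce for every entry
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entry), 'utf8'), cipher.final()]);
  return { iv: iv.toString('hex'), ct: ct.toString('hex'), tag: cipher.getAuthTag().toString('hex') };
}

// Throws if the key is wrong or the stored ciphertext was modified.
function decryptEntry(blob, key) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'hex'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'hex'));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'hex')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// What someone holding the backup media, but not the key, can read from it.
function readableWithoutKey(stored, needle) {
  return JSON.stringify(stored).includes(needle);
}

const key = nodeCrypto.randomBytes(32); // in practice kept apart from the backups
const hashedOnly = SAMPLE_ROWS.map(hashEntry);
const encrypted = hashedOnly.map((e) => encryptEntry(e, key));
console.log('hash-only backup leaks data:', readableWithoutKey(hashedOnly, 'alice@example.com'));
console.log('encrypted backup leaks data:', readableWithoutKey(encrypted, 'alice@example.com'));
console.log('restored entry verifies:', verifyEntry(decryptEntry(encrypted[0], key)));
```

The encryption key is the new asset to protect here: stored on the same media as the backups, it would undo the confidentiality the control adds.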