21 Jun Playing the Balancing Act with your Controls
In my previous post, I introduced the term information security at its very basics. I went over,
- What is information security
- What is information
- Why do we need to protect it
In this article I wanted to discuss the different ways to protect your information, not just by preventing a security incident but also by preparing for an incident if and when it should happen. Protecting information requires individuals and companies alike to put mechanisms, better referred to as “controls”, in place that would stop their information from being leaked, deleted or tampered with. Keeping information secure entails some work – whether major or minor depends on how important the information is to you.
To an organisation, an information security breach is inevitable. There exists no such thing as perfect security. This is also true for individuals’ information. With information security attacks it is never a question of “if” but of “when” an attack will turn into a breach. That being said, it is within your control to reduce the probability of a breach, and the impact once it actually happens. But how can you go about doing that?
4 types of Controls
Controls that can be put into place to protect your data and your business can be categorised into 4 types. The different types of controls have different objectives, affecting the likelihood that a breach occurs and the impact of an attack once it turns into an incident. All 4 types of controls are equally important, and should reflect your risk appetite, i.e. how much you are willing to risk and how much you are willing to pay to reduce your risk.
The diagram below provides a high-level description of the 4 different types of controls and their objectives.
Playing the Balancing Act
The 4 types of controls have different objectives, and together can make for a holistic framework of security controls, balanced between reducing the chances of an attack, detecting an attack as early as possible, reacting optimally to an attack once it results in a data security incident, and monitoring for abnormal behaviours that could lead to a potential attack. Investing all your money, resources and time to ensure that a breach will never happen will take away the focus from actually investing in controls that will allow you to notice that a breach has occurred, and most importantly, controls that will reduce the impact of a breach.
Now don’t get me wrong, reducing the chance that your information is breached is imperative. Putting in place controls that will block an attacker from getting your data, from leaking your information, from making it unavailable, should be a priority for anyone. Preventative controls like implementing proper identity and access management, investing in properly configured network security devices and continuously testing your products to make sure they are not vulnerable to attacks are a critical component of an information security controls framework.
This is as applicable for organisations as it is for individuals making use of social media to connect with their friends and iCloud drives to store their family photos, or entrepreneurs utilising financial software and online tools to manage and operate their business. Putting into place protective controls to prevent an incident is critical. You need to have proper password management and two-factor authentication to make sure no unauthorised hackers access your data. It is also important to think about setting up a web application firewall to protect your website from being attacked and defaced. Preventative controls are key to maintaining the confidentiality, integrity and availability of your data and your business.
Setting a Balance
It is also critical, however, to balance the types of controls put into place. Putting all your money and effort into blocking an attack can render you helpless should an attack actually happen and you are unable to stop it. Not being prepared for a breach is setting yourself up for failure. Thousands of attack and threat variants are being developed on a daily basis. This, coupled with the fact that vulnerabilities in vendor products are announced on a daily basis, makes it feel like we are constantly playing catch-up. And we need to be prepared for that horrific day when we actually get caught.
That’s why it is important that any company, any individual, any self-employed person invests not only in protecting their information via preventative controls, but also in putting into place detective and reactive controls. What do we mean by this? Let’s say you invest in proper protection that reduces the chance that you will get hacked one day. This does not mean that you’ve reduced this probability to 0%; perfect security is impossible :). Do you feel prepared for the inevitable day that you will be compromised, that your account is taken over, your data is ransomed, your site is defaced?
So here are some ideas to think about, on controls that you will find useful when an attack actually does turn into an incident:
- Backup your data and test this backup out – make sure that you are able to restore your information within a time frame that is adequate for you and your business.
- When backing up your data, think about the frequency of such backups: the interval between backups represents the amount of data you will lose should you undergo a data loss incident. Can you lose a month’s worth of data, or can you only afford to lose a week’s worth?
- This may vary for the types of data that you have. It’s important that you distinguish between the types of data that are important to your business and classify them by criticality, then reflect this in your backup frequency. Do not go for a one-size-fits-all approach.
- Take snapshots of your application – if you have a web application, and it is defaced, be prepared to restore it as quickly as possible.
- Encrypt your highly sensitive data. If you are storing passwords, credit card numbers, sensitive data – encrypt it. So that if your data is actually stolen, the impact on your clients is kept to a minimum, and so is the residual impact on your business’ reputation.
- Document your incident management procedures. Start with a step-by-step process for your most probable attacks, and keep on building from there. The more playbooks you have to follow during an emergency, the better. Leave as little to chance as is possible.
- Perform an incident drill: go through your procedures and test them out. Identify your weaknesses, and improve on them.
- Have a clear communication procedure that you can follow should an information security breach impact data of your clients, or affect the availability of your service. Manage the situation in an effective way, keep your customers informed and protect your reputation, which can easily be lost if your clients lose trust in your capabilities to protect their information.
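The backup points above (frequency by criticality, and a tested restore within an acceptable time frame) can be turned into a routine check. The script below is an added example, not from the original post: it checks a constructed inventory of datasets against a hypothetical per-class policy of tolerable data loss (RPO) and tolerable restore time (RTO), flagging stale backups and restores that were never tested or took too long.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Hypothetical policy (assumed values): per criticality class, how much data
# loss (RPO) and how much restore delay (RTO) the business can tolerate.
POLICY = {
    "critical":  {"rpo": timedelta(hours=1), "rto": timedelta(hours=4)},
    "important": {"rpo": timedelta(days=1),  "rto": timedelta(days=1)},
    "routine":   {"rpo": timedelta(weeks=1), "rto": timedelta(days=3)},
}

@dataclass
class Dataset:
    name: str
    criticality: str
    last_backup: datetime
    last_tested_restore: Optional[timedelta]  # None = restore never tested

def check_dataset(ds: Dataset, now: datetime) -> List[str]:
    """Return policy violations for one dataset; an empty list means compliant."""
    limits = POLICY[ds.criticality]
    findings = []
    exposure = now - ds.last_backup  # data that would be lost if hit right now
    if exposure > limits["rpo"]:
        findings.append(f"{ds.name}: {exposure} since last backup exceeds RPO {limits['rpo']}")
    if ds.last_tested_restore is None:
        findings.append(f"{ds.name}: restore has never been tested")
    elif ds.last_tested_restore > limits["rto"]:
        findings.append(f"{ds.name}: tested restore took {ds.last_tested_restore}, RTO is {limits['rto']}")
    return findings

def check_inventory(inventory: List[Dataset], now: datetime) -> List[str]:
    """Run the check over the whole inventory and collect every finding."""
    findings = []
    for ds in inventory:
        findings.extend(check_dataset(ds, now))
    return findings

# Constructed sample inventory for illustration.
NOW = datetime(2024, 6, 21, 12, 0)
SAMPLE = [
    Dataset("customer-db", "critical", NOW - timedelta(minutes=30), timedelta(hours=2)),
    Dataset("website", "important", NOW - timedelta(days=3), None),
    Dataset("archive", "routine", NOW - timedelta(days=2), timedelta(days=5)),
]

if __name__ == "__main__":
    for finding in check_inventory(SAMPLE, NOW):
        print(finding)
```

Run on the sample inventory, the customer database passes, the website is flagged twice (stale backup, restore never tested) and the archive once (restore slower than its RTO).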
The examples mentioned in this article are definitely not exhaustive. The range of controls that you can choose from is vast, and multiple frameworks already exist listing various types of controls from all 4 categories. For more information on this, refer to NIST SP 800-53, ISO 27002 or the NIST CSX Framework.
When choosing your controls, however, it is important that you think about balancing the types of controls and making sure that your choices reflect your objectives. Think about what it is that you want to focus on and how much risk you are willing to take, and then reflect that in your choice of controls. It is always important to keep in mind that balance is key, no matter your risk appetite. Don’t put all your eggs in one basket – be prepared for when your protection does not work. Make sure you know what a security attack looks like by monitoring for abnormal behaviour. Put in alerting so that you can notice when your normal patterns change. Plan to react to abnormal changes that can indicate an attack. Be prepared to protect your business through an optimised reaction.