Selecting Security Controls

Situation-based Thinking

We have all read a lot about policies, procedures, frameworks, security controls, and much more in cybersecurity, but that's not how we will actually be using them. Everything will remain bits and pieces if you don't know how to implement them at the right time and in the right place. Situational thinking is very important from a cybersecurity analyst's perspective. So I thought I would create some easy, real-life scenarios that will help us think about and apply the appropriate security controls.

Situation: Securus has implemented routine backups of databases to ensure quick recovery if the database is corrupted or infected. The backup solution also uses hashing to validate the integrity of each entry as it is written to the backup device. What technical control would you recommend adding to ensure the tenets of the CIA are upheld?

Think . . . . . . . . . . . . . . . . . . .

Solution: From the question it is clear that this is a backup, so Availability is upheld. It also mentions that the backup uses hashing, which means Integrity is satisfied. Therefore, only Confidentiality is in question. Now we have to think about how to achieve it, and there are many ways to do so.

  1. Limit access rights to data backups (Access control policy).
  2. Set up the right permissions for the users accessing the database.
  3. Encrypt the backups, so that if the data is lost, no one can read it.

Apart from these, there are many other controls, such as physical access controls and ensuring the backup device is protected. We are not limited to choosing just one of these controls. We can use a combination of controls to add additional layers of security: Defense in Depth.
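
The sketch below layers items 1 and 3 from the list on top of the hash check the scenario already has, and refuses to restore if either the hash or the file permissions have changed. It is an added example, not part of the original post; the function names, file layout, exit codes and the use of OpenSSL and `sha256sum` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed assumptions: the
# backup is a single dump file, and a passphrase sits in an owner-only key file.

# protect_backup DUMP KEYFILE OUTDIR -> prints the encrypted backup's path.
# Runs in a subshell so umask and variables do not leak to the caller.
protect_backup() (
    dump=$1; keyfile=$2; outdir=$3
    name=$(basename "$dump").enc
    umask 077                          # files created here are owner-only
    mkdir -p "$outdir" || exit 1
    chmod 700 "$outdir" || exit 1      # control 1: limit access to backups
    # Control 3: encrypt, so a lost or copied backup cannot be read.
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$keyfile" \
        -in "$dump" -out "$outdir/$name" || exit 1
    chmod 600 "$outdir/$name" || exit 1   # control 1 again, on the file itself
    # Integrity control already in the scenario: hash what is stored.
    cd "$outdir" || exit 1
    sha256sum "$name" > "$name.sha256" || exit 1
    printf '%s\n' "$outdir/$name"
)

# verify_and_restore ENC KEYFILE DEST
# Exit codes: 2 = hash mismatch, 3 = permissions loosened, 4 = decrypt failed.
verify_and_restore() (
    enc=$1; keyfile=$2; dest=$3
    dir=$(dirname "$enc"); name=$(basename "$enc")
    # Check integrity before touching the ciphertext.
    ( cd "$dir" && sha256sum -c "$name.sha256" >/dev/null 2>&1 ) || exit 2
    # Detect access-control drift: the mode must still be owner read/write only.
    [ "$(ls -l "$enc" | cut -c1-10)" = "-rw-------" ] || exit 3
    umask 077                          # restored plaintext is owner-only too
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$keyfile" \
        -in "$enc" -out "$dest" || exit 4
)
```

Keep the key file off the backup device; if both are lost together, the encryption no longer protects confidentiality.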

By thinking this way, we are able to apply what we have read. For example, in this situation we used a few concepts, such as risk assessment (which tenets of the CIA are upheld?) and the NIST framework (access control policy).

I believe situations like this will help beginners to transfer their knowledge into action. I will try to come up with more situations like this in my upcoming blogs.