- Physical Controls are things, like locks, cameras, ID cards, guards, etc.
- Technical Controls are things, like encryption, ACLs, authentication, etc.
- Administrative Controls are things like policies, procedures, training, etc. They are procedural or legal/regulatory.
Now that we’ve learned a bit about the types of threat actors and security threats out there, let’s take a look at some of the main ways to mitigate them.
These are things in the real-world environment that we can use to deter or prevent attacks from occurring. Some examples would alarm systems, locks, surveillance cameras, identification cards, security guards, etc. All of these kinds of things.
There are many technical controls ranging from physical to digital. Smart cards, encryption, access control lists (ACLs), intrusion detection systems, and network authentication are all examples of technical controls. There are many more, as well.
These kinds of controls are things like policies, procedures, security awareness training, contingency planning, and disaster recovery plans. User training would fit this type of control and is the considered to be one of the most cost-effective security methods.
Administrative controls come in two flavors: procedural and legal. Procedural controls are methods put in place by choice while legal–or regulatory–controls are ones a company has to impliment and adhere to.
Knowing the threats is half the battle. Knowing the correct methods to use in order to mitigate them fills in the rest. InfoSec pros need to use combinations of physical, technical, and administrative controls that are specific for each individual situation.
Security threats come in many forms, as mentioned. Beginning with the next issue, we’ll be taking more detailed looks into the most common types, beginning with malware.