Cyber Security Controls
Cyber security controls explained
Security controls are countermeasures implemented to protect the data and infrastructure vital to a business. Controls are used to avoid, detect, counteract, or minimise security risks. Cyber security controls are the countermeasures that companies deploy to detect, prevent, reduce, or counteract security risks, and the capabilities a business uses to manage threats targeting its computer systems and networks. Security controls can be physical, technical or administrative, and include policies, training, techniques, methodologies, action plans, devices, and customised solutions to avoid, detect, and prevent intruders and minimise the security risk to an individual's or organisation's proprietary information systems.
Controls must be agile and adaptable, as they will need to flex to counter an evolving cyber threat landscape. As such, every organisation needs to understand which controls are best suited to addressing its security concerns. Along with protecting against cyber threats, security controls also help an organisation avoid the hefty fines and penalties that regulations such as the General Data Protection Regulation (GDPR) impose, up to 20 million or 4% of global turnover, in the case of a cyber attack that ends in sensitive data exposure.
Cyber security controls are risk driven, and these risks are in turn driven by an organisation's threat landscape, its exploitable vulnerabilities, the efficacy of existing controls, and the probability and impact of a risk materialising. Industry analysis indicates that organisations typically spend up to 13% of their IT budget on cyber security.
Security control frameworks
Systems of security controls, including the processes and documentation defining implementation and ongoing management of these controls, are referred to as frameworks or standards. Frameworks enable an organisation to consistently manage security controls across different types of assets according to a generally accepted and tested methodology. The most widely adopted frameworks and standards include the following:
National Cyber Security Centre (NCSC) Cyber Essentials Framework
Cyber Essentials is an effective, UK Government-backed scheme to help protect your business, whatever its size, against a whole range of the most common cyber attacks. The scheme is operated by the NCSC. Launched in October 2016, the NCSC has its headquarters in London and brought together expertise from CESG (the information assurance arm of GCHQ), the Centre for Cyber Assessment, CERT-UK, and the Centre for the Protection of National Infrastructure (which became the National Protective Security Authority, NPSA, in March 2023). The NCSC provides a single point of contact for SMEs, larger organisations, government agencies and departments, and the general public. It also works collaboratively with law enforcement, defence, the UK's intelligence and security agencies and international partners.
National Institute of Standards and Technology Cyber Security Framework
The National Institute of Standards and Technology (NIST) created a voluntary framework in 2014 to provide organisations with guidance on how to prevent, detect, and respond to cyberattacks. Its assessment methods and procedures are used to determine whether an organisation's security controls are implemented correctly, operate as intended, and produce the desired outcome (meeting the security requirements of the organisation). The NIST framework is updated regularly to keep pace with advances in cybersecurity.
Center for Internet Security controls
The Center for Internet Security (CIS) has developed a list of high-priority defensive actions that provide a “must-do, do-first” starting point for every enterprise looking to prevent cyberattacks. According to the SANS Institute, which developed the CIS controls, “CIS controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners.”
Businesses can refer to these and other frameworks to develop their own framework and IT security policies. A well-developed framework ensures that a business or organisation does the following:
- Enforces IT security policies through security controls
- Educates employees and users about security guidelines
- Meets industry and compliance regulations
- Achieves operational efficiency across security controls
- Continually assesses risks and addresses them through security controls
Cyber Essentials is the framework most widely adopted in the UK.
Cyber Essentials
Cyber Essentials revolves around five distinct control themes:
- Use a firewall to secure your internet connection
- Use secure settings for your devices and software
- Control who has access to your data and services
- Protect yourself from viruses and other malware
- Keep your devices and software up to date
Firewalls
All your internet-connected devices should be protected by a firewall, a virtual boundary that protects your systems and devices from incoming threats. Firewalls police incoming network traffic and decide whether or not to allow it through to your network. It is important to make sure that it is not just your computer that is protected, but all internet-enabled devices, including mobile devices, whether BYOD or company owned.
For smaller business networks, which may rely on a single router, you should check the firewall settings by accessing the router and determining which ports are open and which are closed. Your firewall rules control which ports are open, and only the necessary minimum of ports should be open. Open ports are a security risk, so it is critical to avoid unnecessary ones. The same applies to large businesses, but clearly on a bigger scale.
Secure configuration
Secure configuration concerns minimising the attack surface and using strong user authentication. Remove applications that are not used, particularly if they are no longer vendor supported. Cyber Essentials advocates strong multi-factor authentication, and for good reason: the rise in cloud service adoption, working from home and BYOD has greatly increased the attack surface available to hackers, and single-factor authentication is easily breached. Data leaks from platform providers and re-used credentials add to the risk.
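The check described above, "which ports are open and are they the necessary minimum", can be scripted for a single host. The following is an added example, not code from the original page or from the Cyber Essentials scheme: it parses socket listings in the column layout of `ss -tuln` (the sample text is constructed, not captured from a real machine), ignores services bound only to loopback, and reports any listener reachable from other machines whose protocol and port are not in a hypothetical approved baseline.

```python
# Constructed sample in the column layout of `ss -tuln`; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631        0.0.0.0:*
tcp   LISTEN 0      511    *:80                 *:*
tcp   LISTEN 0      128    [::]:3306            [::]:*
udp   UNCONN 0      0      0.0.0.0:68           0.0.0.0:*
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*
"""

# Hypothetical approved baseline for this host: the minimum (protocol, port) pairs
# that need to be reachable from other machines.
APPROVED_LISTENERS = {("tcp", 22), ("tcp", 80), ("udp", 68)}


def is_loopback(host):
    """True for addresses only reachable from the host itself (IPv4 127/8 or IPv6 ::1)."""
    host = host.split("%", 1)[0]          # drop an interface suffix such as %lo
    return host.startswith("127.") or host == "::1"


def parse_listeners(ss_output):
    """Return (proto, host, port) for every listening TCP or bound UDP socket."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "Netid":   # skip blank lines and the header
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if state not in ("LISTEN", "UNCONN"):
            continue
        host, port = local.rsplit(":", 1)            # IPv6 hosts contain ':' themselves
        if not port.isdigit():
            continue
        listeners.append((proto, host.strip("[]"), int(port)))
    return listeners


def exposed_unapproved(ss_output, approved=APPROVED_LISTENERS):
    """Sockets bound to a non-loopback address whose (proto, port) is not in the baseline."""
    return [
        (proto, host, port)
        for proto, host, port in parse_listeners(ss_output)
        if not is_loopback(host) and (proto, port) not in approved
    ]


if __name__ == "__main__":
    for finding in exposed_unapproved(SAMPLE_SS_OUTPUT):
        print("unapproved exposed listener:", finding)
```

On the constructed sample the only finding is the database listener on all IPv6 interfaces, port 3306; the CUPS and resolver sockets on loopback are correctly left alone. Running the same logic against the real output of `ss -tuln` on a host gives the list of listeners to either close or add to the approved baseline, which is exactly the review the text asks for.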
User access control
It is important to keep user access to data and systems to a minimum. This is about minimising the damage that could be done should an attacker break through your defences. One way of doing this is by instituting user access control, i.e. giving access only to what is essential and blocking access to everything else. Criminals want to obtain administrator rights so they can break into applications and access confidential information. Convenience sometimes results in many users having administrator rights, which creates opportunities for exploitation. User accounts, particularly those with special access privileges, should be assigned only to authorised individuals. They must be managed effectively and provide the minimum level of access to applications, computers and networks.
Once you know what you are dealing with, you can reset permissions and passwords and introduce a proper cyber security protocol to ensure all users are aware of the importance of maintaining best practice.
Administrators' activities should also be restricted to minimise the likelihood of their credentials being stolen. It also goes without saying that software downloads should be restricted to sites and vendors that meet security standards.
Malware protection
It is vital that you protect your business from malware, which will maliciously seek to access data on your systems. Such software can cause chaos by stealing private data, corrupting files, and blocking access to your systems and data for a ransom. There are many different attack vectors by which a malware payload can get past your perimeter defences: email links, internet downloads, external drives, other compromised devices on the same network, vulnerabilities in security controls, and unpatched software and hardware. Anti-malware software uses three strategies to protect systems from malicious software: signature-based detection, behaviour-based detection and sandboxing.
- Signature-based malware detection. This uses a set of known software components and their digital signatures to identify malicious software. Vendors develop signatures to detect specific malicious software; the signatures are then used to recognise previously identified malware of the same type and to flag new samples as malicious. This approach works well for common types of malware, such as keyloggers and adware, which share many of the same characteristics. However, being exposed to infection while waiting for a signature is very risky. Another problem is that today's advanced malware can alter its signature to avoid detection: signatures are created by examining the internal components of an object, and malware authors simply modify these components while preserving the object's functionality and behaviour. There are multiple transformation techniques, including code permutation, register renaming, expanding and shrinking code, and the insertion of garbage code or other constructs.
- Behaviour-based malware detection. This helps security professionals identify, block and eradicate malware more quickly by taking an active approach to malware analysis. It identifies malicious software by examining how it behaves rather than what it looks like, and is designed to replace signature-based detection; it is sometimes powered by AI. Behaviour-based detection evaluates an object based on its intended actions before it can actually execute that behaviour: an object's behaviour, or in some cases its potential behaviour, is analysed for suspicious activity, and attempts to perform actions that are clearly abnormal or unauthorised indicate that the object is malicious, or at least suspicious. There is a multitude of behaviours that point to potential danger; examples include any attempt to discover a sandbox environment, disabling security controls, installing rootkits, and registering for autostart. Evaluating behaviour as the object executes is called dynamic analysis; threat potential or malicious intent can also be assessed by static analysis, which looks for dangerous capabilities within the object's code and structure. While no solution is completely foolproof, behaviour-based detection remains the leading technology for uncovering new and unknown threats in near real time. Examples of where behaviour-based technology succeeds when signature-based systems fail are:
  - Protecting against new and unimagined types of malware attacks
  - Detecting an individual instance of malware targeted at a person or organisation
  - Identifying what the malware does in a specific environment when files are opened
  - Obtaining comprehensive information about the malware
- Sandboxing. This is a security feature used in anti-malware to isolate potentially malicious files from the rest of the system. Sandboxing is often used to filter out potentially malicious files and remove them before they have had a chance to do damage. For example, when a file from an unknown email attachment is opened, the sandbox runs the file in a virtual environment and grants it access only to a limited set of resources, such as a temporary folder, the internet and a virtual keyboard. If the file tries to access other programs or settings, it is blocked, and the sandbox can terminate it. There are a few important limitations to be aware of: if malware determines it is running in a sandbox, it will attempt to avoid detection by curtailing its malicious activities, so it is critical that a sandbox remains undetectable, and most are not.
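The three strategies above can be shown side by side in a small model. This is an added example, not code from the original page or from any anti-malware product: the "files" are constructed byte strings, the signature database is a set of SHA-256 digests of samples already seen, and the behaviour monitor is a weighted list of hypothetical action labels. It demonstrates why inserting garbage bytes defeats a signature while the behaviour score still fires, and also the sandbox limitation the text mentions: a sample that notices the sandbox and stops never accumulates enough suspicious actions to be flagged.

```python
import hashlib

# Constructed stand-ins for executable files (plain byte strings, not real malware).
KNOWN_BAD = b"MZ\x90\x00DEMO-PAYLOAD-v1"
# Same "functionality" with junk bytes inserted: the garbage-code transformation
# described in the text. Its digest no longer matches the signature database.
MUTATED_BAD = b"MZ\x90\x00DEMO-" + b"\x90" * 8 + b"PAYLOAD-v1"
BENIGN = b"MZ\x90\x00HELLO-WORLD"

# Constructed signature database: SHA-256 digests of samples already analysed.
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}

# Hypothetical action labels a behaviour monitor might report, weighted by how
# abnormal each is. Weights are illustrative, not taken from any product.
BEHAVIOUR_WEIGHTS = {
    "check_sandbox": 3,
    "disable_security_control": 4,
    "install_rootkit": 5,
    "register_autostart": 2,
    "encrypt_user_files": 5,
    "read_config": 0,
    "write_temp_file": 0,
}
ALERT_THRESHOLD = 4

# Constructed traces: (file bytes, actions observed when the file runs in the sandbox).
SAMPLES = {
    "known_bad": (KNOWN_BAD, ["check_sandbox", "disable_security_control", "register_autostart"]),
    "mutated_bad": (MUTATED_BAD, ["check_sandbox", "disable_security_control", "register_autostart"]),
    "benign": (BENIGN, ["read_config", "write_temp_file"]),
    # Sandbox-aware sample that stops after spotting the sandbox: the limitation noted in the text.
    "evasive": (MUTATED_BAD, ["check_sandbox"]),
}


def signature_match(data, signatures=SIGNATURES):
    """Signature-based detection: exact digest lookup against known samples."""
    return hashlib.sha256(data).hexdigest() in signatures


def behaviour_score(actions):
    """Sum the weights of observed actions; unknown actions count as mildly suspicious."""
    return sum(BEHAVIOUR_WEIGHTS.get(action, 1) for action in actions)


def behaviour_match(actions, threshold=ALERT_THRESHOLD):
    """Behaviour-based detection: alert once the accumulated score reaches the threshold."""
    return behaviour_score(actions) >= threshold


def classify(name):
    """Run both detectors over one constructed sample and report each verdict."""
    data, actions = SAMPLES[name]
    return {"signature": signature_match(data), "behaviour": behaviour_match(actions)}


if __name__ == "__main__":
    for sample_name in SAMPLES:
        print(sample_name, classify(sample_name))
```

The known sample is caught by both detectors, the mutated copy only by its behaviour, the benign file by neither, and the evasive sample by neither, which is the case where an undetectable sandbox matters. Real products combine all three signals rather than relying on any one of them.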
Patch management
Patch management is a key requirement of the Cyber Essentials scheme and will help you confirm that devices and software are not vulnerable to known security issues for which fixes are available. All devices and software are prone to technical vulnerabilities, and cyber criminals can rapidly exploit vulnerabilities once they have been discovered and shared publicly. Criminal hackers exploit known vulnerabilities in operating systems and third-party applications if they are not appropriately patched or updated. Updating software and operating systems will help to fix these known weaknesses, and it is crucial to do this as quickly as possible to close any opportunities that could be used to gain access. The security risk arises when patch implementation is delayed, or particularly when a device or software is no longer supported.
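The two patch-management failure modes above, a fix that exists but has not been applied and a product that is no longer supported at all, can be checked from an inventory. This is an added example, not code from the original page: the inventory and the advisory table are constructed for hypothetical products, and the point worth noting is the version comparison, which must be numeric (so that 1.2.10 is newer than 1.2.9) rather than a string comparison.

```python
import re

# Constructed inventory of software installed on one host (hypothetical product names).
INVENTORY = {
    "webapp-runtime": "1.2.9",
    "database-server": "10.4.0",
    "legacy-suite": "7.0.1",
    "office-client": "3.1.0",
}

# Constructed advisory table: lowest version that contains the fix, and whether the
# product is still vendor supported. Not real advisories.
ADVISORIES = {
    "webapp-runtime": {"fixed_in": "1.2.10", "supported": True},
    "database-server": {"fixed_in": "10.3.5", "supported": True},
    "legacy-suite": {"fixed_in": None, "supported": False},
    "office-client": {"fixed_in": "3.2.0", "supported": True},
}


def parse_version(text):
    """Turn '1.2.10' into (1, 2, 10) so that comparison is numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def patch_status(inventory, advisories):
    """Classify each installed product as up to date, vulnerable, unsupported, or unknown."""
    findings = {}
    for name, installed in inventory.items():
        advisory = advisories.get(name)
        if advisory is None:
            findings[name] = "no advisory data"
        elif not advisory["supported"]:
            # No fix will ever arrive: the highest-risk case the text calls out.
            findings[name] = "unsupported: replace or isolate"
        elif advisory["fixed_in"] and parse_version(installed) < parse_version(advisory["fixed_in"]):
            findings[name] = f"vulnerable: update to {advisory['fixed_in']}"
        else:
            findings[name] = "up to date"
    return findings


if __name__ == "__main__":
    for product, status in patch_status(INVENTORY, ADVISORIES).items():
        print(f"{product}: {status}")
```

In practice the inventory would come from the package manager or endpoint agent and the advisory table from the vendor's security feed; the classification logic stays the same.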
Security Control Assessment
A security controls assessment is an excellent first step for determining where vulnerabilities reside. A security controls assessment evaluates the controls you currently have in place and determines whether they are implemented correctly, operating as intended, and meeting your security requirements. Some key steps for creating a security assessment include the following:
- Determine the target systems: create a list of the IP addresses to be scanned in your network. The list should contain the IP addresses of all the systems and devices connected to your business network.
- Determine the target applications: list the web applications and services to be scanned. Determine the type of web application server, web server, database, third-party components, and technologies used to build the existing applications.
- Vulnerability scanning and reporting: keep network teams and IT teams informed of all assessment activity, because a vulnerability assessment can occasionally create bursts in network traffic when loading the target servers with requests. Also, obtain unauthenticated pass-through for the scanner IPs across the organisation's network and ensure the IPs are whitelisted in the IPS/IDS; otherwise, the scanner can trigger a malicious traffic alert, resulting in its IP being blocked.
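The first and third steps above produce two artefacts that are easy to get wrong by hand: the list of in-scope addresses and the check that the scanner's own sources are allowed through the IDS/IPS. The following is an added example, not code from the original page: it uses Python's standard `ipaddress` module to expand constructed target ranges (documentation address space), drop explicit exclusions, and report any scanner source address missing from a hypothetical IDS allowlist before the assessment starts.

```python
import ipaddress

# Constructed scope for a hypothetical assessment (RFC 5737 documentation ranges).
TARGET_RANGES = ["192.0.2.0/28", "198.51.100.10", "198.51.100.12"]
# Hosts inside those ranges that must not be scanned (e.g. a fragile device).
EXCLUSIONS = ["192.0.2.5"]
# Source addresses the scanner will use, and what the IDS/IPS allowlist currently holds.
SCANNER_SOURCES = ["203.0.113.7", "203.0.113.8"]
IDS_ALLOWLIST = ["203.0.113.7"]


def build_scope(ranges, exclusions):
    """Expand CIDR ranges and single hosts into a deduplicated, sorted list of addresses."""
    hosts = set()
    for entry in ranges:
        network = ipaddress.ip_network(entry, strict=False)
        if network.num_addresses == 1:
            hosts.add(network.network_address)       # a single host written without a prefix
        else:
            hosts.update(network.hosts())            # usable addresses, excluding network/broadcast
    excluded = {ipaddress.ip_address(e) for e in exclusions}
    # Sorting address objects keeps numeric order; all entries here are IPv4.
    return [str(host) for host in sorted(hosts - excluded)]


def scanner_preflight(scanner_sources, ids_allowlist):
    """Scanner source addresses the IDS/IPS has not been told to allow."""
    allowed = {ipaddress.ip_address(a) for a in ids_allowlist}
    return [src for src in scanner_sources if ipaddress.ip_address(src) not in allowed]


if __name__ == "__main__":
    scope = build_scope(TARGET_RANGES, EXCLUSIONS)
    print(f"{len(scope)} hosts in scope, first {scope[0]}, last {scope[-1]}")
    for src in scanner_preflight(SCANNER_SOURCES, IDS_ALLOWLIST):
        print("scanner source not in IDS allowlist:", src)
```

The /28 expands to fourteen usable hosts, one is excluded, and the two single hosts are added, giving fifteen targets; the pre-flight check flags the second scanner address so the allowlist can be fixed before the scan triggers a malicious-traffic alert.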