
Lesson 3: Security Control and Technologies

What are security controls?


In the context of cybersecurity, security controls are mechanisms strategically implemented to protect
the confidentiality, integrity, and availability of information, computer systems, and other crucial assets
from potential threats. Security controls function to avoid, prevent, detect, mitigate, and remediate risks
and vulnerabilities within an organization.

Security controls are essential components in the protection of networks, devices, and data in the face of
evolving cyber threats. Among the most fundamental technologies are firewalls, intrusion detection and
prevention systems (IDPS), antivirus and anti-malware solutions, along with encryption and
cryptographic protocols. Each of these technologies plays a crucial role in establishing a robust
cybersecurity posture for organizations.

Firewalls
Firewalls serve the primary purpose of controlling incoming and outgoing network traffic based on
predetermined security rules. They allow or block network traffic between devices according to
instructions from the firewall administrator.

Firewalls usually sit between a trusted network and an untrusted network; oftentimes the untrusted
network is the Internet. For example, office networks often use a firewall to protect their network from
online threats.

ITCOM 301 – INFORMATION ASSURANCE AND SECURITY
Instructor: Jarine Eblacas | La Consolacion College Isabela

Firewalls decide whether to allow incoming and outgoing traffic to pass through. They can be built into
hardware, software, or a combination of both. The ability of a firewall to determine the legitimacy of
traffic helps in preventing unauthorized access to sensitive data and enforcing policy compliance.

Software-Based Personal Firewalls - A software-based personal firewall is a program installed on individual workstations that monitors and controls incoming and outgoing network traffic based on predetermined security rules.

Example: Windows Defender Firewall - Windows Defender Firewall is a built-in firewall included with
Microsoft Windows operating systems.

Features:
• Individual Protection: Each workstation has its own firewall, providing a tailored security layer.
• Application Control: Monitors and controls the behavior of applications attempting to access the network.
• Ease of Use: Often comes with user-friendly interfaces, allowing users to configure settings easily.
• Flexibility: Can be updated and reconfigured quickly to adapt to new threats.
• Portability: Moves with the workstation, protecting it wherever it is connected to a network.

Advantages:
• Granular Control: Offers detailed control over individual applications and processes.
• Personalized Security: Customizable for specific user needs and usage patterns.

Disadvantages:
• Resource Intensive: Can consume significant system resources, potentially impacting performance.
• User-Dependent: Requires proper configuration and management by the user, which can lead to potential vulnerabilities if not handled correctly.

Hardware-Based Network Firewalls - A hardware-based network firewall is a physical device installed at the boundary of a network that manages and filters traffic between different network segments, including external and internal networks.

Example: Cisco ASA (Adaptive Security Appliance) - Cisco ASA is a hardware-based network firewall that
provides robust security features for managing and protecting network traffic.


Features:
• Network-Wide Protection: Provides a security barrier for an entire network segment.
• Dedicated Resources: Operates on dedicated hardware, ensuring robust performance without impacting workstation resources.
• Advanced Filtering: Capable of deep packet inspection and sophisticated filtering techniques.
• Scalability: Can be scaled to protect large networks with high traffic volumes.

Advantages:
• Centralized Management: Simplifies management by providing a single point of control for network traffic.
• High Performance: Designed to handle large volumes of traffic without degrading performance.
• Robust Security: Often includes additional security features like intrusion detection/prevention systems (IDS/IPS) and virtual private network (VPN) capabilities.

Disadvantages:
• Cost: Can be expensive to purchase and maintain, especially for small businesses.
• Complex Configuration: Requires specialized knowledge to configure and manage effectively.
• Single Point of Failure: If the firewall fails, it can leave the entire network segment unprotected or cut off, which is why production deployments usually run two appliances as a high-availability pair.

Why use a firewall?

The primary use case for a firewall is security. Firewalls can intercept incoming malicious traffic before it
reaches the network, as well as prevent sensitive information from leaving the network.

Firewalls can also be used for content filtering. For example, a school can configure a firewall to prevent
users on their network from accessing adult material. Similarly, in some nations the government runs a
firewall that can prevent people inside that nation-state from accessing certain parts of the Internet.


What are the different types of firewall?

1. Proxy-based firewalls

These are proxies that sit in between clients and servers. Clients connect to the firewall, and the firewall inspects the outgoing packets, after which it opens its own connection to the intended recipient (the web server). Similarly, when the web server sends a response, the firewall intercepts that response, inspects the packets, and then delivers it over the separate connection between the firewall and the client. A proxy-based firewall therefore prevents any direct connection between client and server, and because it terminates both connections it can inspect application-layer content rather than only packet headers.

A proxy-based firewall is kind of like a bouncer at a bar. This bouncer stops guests before they enter the
bar to make sure they are not underage, armed, or in any other way a threat to the bar and its patrons.
The bouncer also stops patrons on their way out to ensure that they have a safe way to get home and
are not planning to drink and drive.

The downside of having a bouncer at the bar is that when a lot of people are trying to enter or leave the
bar simultaneously, there will be a long line and several people will experience delays. Similarly, a major
drawback of a proxy-based firewall is that it can cause latency, particularly during times of heavy traffic.

Firewalls: Application Proxy Firewall (youtube.com)


2. Packet Filtering Firewall

Packet filtering firewalls operate at the network layer, responsible for regulating the flow of data packets
between networks. These firewalls rely on pre-defined rules that evaluate specific attributes of the
packets such as source IP, destination IP, ports, and protocols. If the attributes match the established
rules, the packet is allowed to pass through. If not, the packet is blocked.

Types of packet filtering firewalls can be further broken down into static packet-filtering firewalls,
dynamic packet-filtering firewalls, stateless packet-filtering firewalls, stateful packet-filtering firewalls.

3. Stateful Inspection firewalls

In computer science, a "stateful" application is one that saves data from previous events and interactions. A stateful firewall keeps a table of open connections and uses it when evaluating incoming and outgoing traffic: once a connection has been accepted, later packets that belong to it are matched against the connection table instead of the full rule set, and return traffic is allowed without a separate inbound rule. Because they compare packet headers against the connection table rather than terminating connections and inspecting application data, stateful firewalls are faster than proxy-based firewalls.


Stateful firewalls rely on context when making decisions. For example, if the firewall records an outgoing connection from an internal client to a server, it will only allow incoming packets on that connection if they look like the server's reply (the same addresses and ports, in the reverse direction).

A known weakness of stateful firewalls is that the connection table can be manipulated by tricking an internal client into initiating a connection. Once the client has opened it, the firewall holds a state entry for that connection, and an attacker controlling the other end can send packets that match the entry straight through the firewall. For example, malicious JavaScript on an untrusted website can make a web browser inside the network open such connections on the attacker's behalf.

4. Next-generation firewalls (NGFW)

A next-generation firewall (NGFW) extends the capabilities of traditional firewalls, offering more
comprehensive security solutions. Unlike their predecessors focused primarily on stateful inspection,
NGFWs provide enhanced features to understand and control application traffic, integrate intrusion
prevention mechanisms, and utilize cloud-sourced threat intelligence. This evolved approach ensures a
more meticulous inspection of data packets, accounting for the intricate nuances of modern cyber
threats.

Beyond access control, NGFWs are adept at addressing modern challenges like advanced malware and
sophisticated application-layer attacks. They delve deeper into the data, examining the nature of the
traffic and identifying patterns that could signal potential threats. The integration of threat intelligence
sources within NGFWs ensures they remain updated with the latest threat vectors, maintaining their
effectiveness against evolving cybersecurity challenges.

The emergence of NGFWs represents a significant stride forward. By marrying the fundamental features
of traditional firewalls with advanced security capabilities, NGFWs offer a robust, multi-faceted line of
defense. Their ability to operate at the application layer and integrate additional protection mechanisms
makes them an indispensable asset in safeguarding corporate networks from both conspicuous and
covert threats.

Video: "Understanding Packet Filtering, Stateful, and Next-Generation Firewalls | Cybersecurity Explained" (YouTube)


5. Web application firewalls (WAF):

A web application firewall, commonly referred to as a WAF, serves as a specialized layer of protection for web applications, web servers, and APIs. It functions by examining and filtering HTTP traffic, thereby safeguarding web applications from threats like cross-site scripting (XSS), SQL injection, and file inclusion. WAFs differentiate themselves by operating at Layer 7, specifically targeting application-layer threats.

Positioned in front of web applications, WAFs typically act as reverse proxies. This means that they intercept and inspect requests bound for the web application, ensuring only legitimate traffic passes through. Any suspicious or malicious traffic is blocked before it reaches the application. This architecture not only enhances the security of web applications but also shields them from direct exposure to internet threats.

To maintain efficiency, WAFs employ policies or sets of rules. These rules help the firewall discern
between benign and potentially malicious traffic. Adjustments to these policies can be executed swiftly,
allowing for immediate response to emerging threats or changing attack patterns. Regular updates to
these rules are crucial.
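The request inspector below is an added example, not code from the lesson or from any WAF product, of what the policies just described do in practice: parse the HTTP request into fields, decode each field (twice, to defeat double-encoding), then run a small set of rules for SQL injection, XSS and file inclusion against every field. The sample requests and the rule patterns are constructed for the example; a real WAF rule set such as the OWASP Core Rule Set is far larger.

```python
# Added example: rule-based HTTP request inspection, the core of a WAF.
# The rules and sample requests are constructed for illustration.
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

RULES = [  # (rule id, pattern); a tiny illustrative subset of a real rule set
    ("sqli-tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("xss-tag", re.compile(r"<script\b|javascript:|\bon(load|error|click|mouse\w*)\s*=", re.I)),
    ("lfi-traversal", re.compile(r"\.\./|\.\.\\|/etc/passwd|php://", re.I)),
]


def normalize(value: str) -> str:
    """Decode percent-encoding twice (double-encoding evasion) and collapse whitespace."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(value)))


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into method and a dict of inspectable fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    fields = {"path": parts.path}
    fields.update({f"query.{k}": v for k, v in parse_qsl(parts.query, keep_blank_values=True)})
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields.update({f"body.{k}": v for k, v in parse_qsl(body, keep_blank_values=True)})
    for h in ("user-agent", "referer", "cookie"):   # headers attackers commonly abuse
        if h in headers:
            fields[f"header.{h}"] = headers[h]
    return method, fields


def inspect(raw: str) -> dict:
    """Return the WAF decision and the (rule, field) pairs that fired."""
    method, fields = parse_request(raw)
    hits = []
    for field, value in fields.items():
        decoded = normalize(value)
        for rule_id, pattern in RULES:
            if pattern.search(decoded):
                hits.append((rule_id, field))
    return {"method": method, "action": "block" if hits else "allow", "hits": hits}


SAMPLES = {  # constructed requests; "shop.example" is a placeholder host
    "benign": "GET /search?q=union+station+opening+hours HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "sqli": "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1\r\nHost: shop.example\r\n\r\n",
    "xss_double_encoded": ("GET /profile?name=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1\r\n"
                           "Host: shop.example\r\n\r\n"),
    "lfi_body": ("POST /view HTTP/1.1\r\nHost: shop.example\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "file=..%2F..%2F..%2Fetc%2Fpasswd"),
}


def inspect_all() -> dict:
    return {name: inspect(raw)["action"] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect(raw))
```

Note the benign query containing the word "union": the rule requires "union ... select", so it does not fire. Tuning rules to avoid such false positives while still catching encoded variants is the ongoing work behind "regular updates to these rules".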

Intrusion Detection and Prevention Systems


Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are critical components of
modern network security, each serving distinct yet complementary roles. An IDS primarily focuses on
monitoring network traffic to detect suspicious activities and alert administrators, while an IPS actively
analyzes network traffic to identify and block potential threats in real time. Together, they enhance an
organization's ability to protect its data and systems from cyber threats.


Functionality of IDS

The IDS is a passive system that monitors traffic and reports results to an administrator, but it cannot
automatically take action to prevent detected exploits. It operates by looking for deviations from normal
activity and known attack signatures. If anomalies are detected, they are sent for further analysis to
determine if a threat exists.

Functionality of IPS

An IPS goes beyond detection, actively analyzing network traffic for malicious content while sitting inline within the network infrastructure. It can automatically take measures such as blocking suspicious traffic and dropping malicious packets. This allows it to respond to threats without requiring administrator intervention, providing a critical layer of security for networks.

Example Scenario:

In a corporate environment where numerous employees access the network, the IT security team has
deployed an Intrusion Detection and Prevention System (IDPS) to monitor and protect sensitive data. The
IDPS is configured to automatically detect any unusual activity and respond accordingly, ensuring the
safety of the company's assets.

Detection of Malicious Activity

One day, the IDPS detects unusual login attempts from an external IP address attempting to access the
company's database. This external IP address has already failed several password attempts, which
triggers the alert system of the IDPS. The system identifies this pattern as potentially malicious activity,
indicating that a possible intrusion attempt is underway.

Automatic Response Mechanism

Upon detecting the suspicious activity, the IDPS immediately blocks the offending IP address to prevent
further login attempts. This automatic response is crucial in preventing unauthorized access to sensitive
company data. Moreover, the system generates an alert message to notify the IT team of the incident,
promoting timely investigation and response.

Notification to IT Staff

In addition to blocking the IP address, the IDPS sends an email notification to the systems administrator
detailing the incident. The notification includes information such as the time of the attempted login, the
IP address, and the number of failed attempts. This comprehensive report allows the IT team to rapidly
assess the situation and take any necessary additional measures.

Follow-Up Actions

Following the incident, the IT security team conducts a thorough review to ensure no further
vulnerabilities remain. They analyze the logs generated by the IDPS and reinforce security protocols to
avoid future intrusions. The team may also choose to implement additional layers of security, such as
multi-factor authentication, to bolster defenses against similar attacks in the future.
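As an added example (not part of the lesson, and not any vendor's detection logic), the simulator below implements the scenario just described as a detection rule: count failed logins per source address inside a sliding window, block the address and raise an alert with the time, IP and number of failures once a threshold is crossed, and drop everything from a blocked address afterwards. The log format, hostnames, addresses and threshold are constructed assumptions for the example.

```python
# Added example: threshold-based brute-force detection with automatic blocking,
# as an inline IPS would do it.  Log lines, addresses and thresholds are
# constructed assumptions for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>\w+): (?P<result>FAILED|ACCEPTED) "
    r"login for (?P<user>\S+) from (?P<ip>[\d.]+)$")


class BruteForceIPS:
    def __init__(self, threshold=5, window_seconds=60, allowlist=("10.0.0.1",)):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.allowlist = set(allowlist)      # e.g. a monitoring host that must never be cut off
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked = {}                    # ip -> time the block was applied
        self.alerts = []                     # what would be e-mailed to the administrator

    def process(self, line: str) -> str:
        """Return the decision for one log event: pass, block, drop or unparsed."""
        m = LOG_RE.match(line.strip())
        if not m:
            return "unparsed"
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if ip in self.blocked:
            return "drop"                    # inline: everything from a blocked source is dropped
        if m["result"] != "FAILED":
            return "pass"
        recent = self.failures[ip]
        recent.append(ts)
        while ts - recent[0] > self.window:  # slide the window forward
            recent.popleft()
        if len(recent) >= self.threshold and ip not in self.allowlist:
            self.blocked[ip] = ts
            self.alerts.append({"time": ts.isoformat(), "ip": ip, "failures": len(recent),
                                "first_failure": recent[0].isoformat(), "last_user": m["user"]})
            return "block"
        return "pass"


# Constructed authentication log: a fast brute force from 198.51.100.23, a user
# who mistypes twice, and a slow attacker (203.0.113.9) staying under the threshold.
SAMPLE_LOG = """\
2024-05-14T09:00:01 dbgw01 authd: FAILED login for admin from 198.51.100.23
2024-05-14T09:00:03 dbgw01 authd: FAILED login for jsmith from 10.0.0.8
2024-05-14T09:00:09 dbgw01 authd: FAILED login for admin from 198.51.100.23
2024-05-14T09:00:12 dbgw01 authd: ACCEPTED login for jsmith from 10.0.0.8
2024-05-14T09:00:18 dbgw01 authd: FAILED login for root from 198.51.100.23
2024-05-14T09:00:27 dbgw01 authd: FAILED login for sa from 198.51.100.23
2024-05-14T09:00:40 dbgw01 authd: FAILED login for admin from 198.51.100.23
2024-05-14T09:00:45 dbgw01 authd: ACCEPTED login for admin from 198.51.100.23
2024-05-14T09:01:30 dbgw01 authd: FAILED login for admin from 203.0.113.9
2024-05-14T09:03:00 dbgw01 authd: FAILED login for admin from 203.0.113.9
2024-05-14T09:04:30 dbgw01 authd: FAILED login for admin from 203.0.113.9
2024-05-14T09:06:00 dbgw01 authd: FAILED login for admin from 203.0.113.9
2024-05-14T09:07:30 dbgw01 authd: FAILED login for admin from 203.0.113.9
"""


def run_demo():
    ips = BruteForceIPS()
    decisions = [ips.process(line) for line in SAMPLE_LOG.splitlines()]
    return decisions, ips


if __name__ == "__main__":
    decisions, ips = run_demo()
    for line, d in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{d:8} {line}")
    print("alerts:", ips.alerts)
```

Two details matter for the "follow-up actions" step. The successful login at 09:00:45 is dropped, not passed: the block holds even if the attacker eventually guesses the password, which is exactly why the IT team still has to review the logs and rotate credentials. And the slow attacker never triggers the rule, which is the limitation that pushes organizations toward the extra controls the text mentions, such as multi-factor authentication.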


Antivirus and Anti-Malware Solutions


Antivirus and anti-malware solutions are fundamental for defending against malicious software that can
compromise system integrity and data security. These tools are designed to detect, quarantine, and
remove a variety of threats, including viruses, worms, Trojans, and spyware. They rely on regularly
updated databases of known malware patterns and employ heuristic analysis to identify new threats
based on behavior. Regular updates and system scans are critical for maintaining effective protection.

Encryption and Cryptographic Protocols


Encryption is a cornerstone of data security, ensuring that sensitive information remains confidential. Cryptographic protocols facilitate secure communication across networks, using algorithms to encrypt and decrypt data. They build on two primary categories of algorithm, symmetric-key and public-key encryption, to establish secure connections over untrusted networks like the internet. For example, the Advanced Encryption Standard (AES), a symmetric-key cipher, is widely trusted for encrypting data across many applications, while public-key algorithms are typically used to exchange the symmetric keys and to authenticate the communicating parties. Encryption protects data at rest as well as data in transit from eavesdropping, and, when combined with an authentication mechanism such as an authenticated cipher mode or a message authentication code, from tampering.

By employing a balanced combination of policies, procedures, and technologies, security controls enable
organizations to enhance their security posture against malicious activities, proactively identify security
gaps, and ensure a resilient operational environment. This comprehensive approach ensures the
seamless integration of security measures, allowing organizations to operate securely in the ever-
evolving digital landscape.

Digital security controls can be divided into two broad categories:
• Preventative Layer solutions, and
• Detection Layer solutions.

Prevention Layer Security Control Solution

Prevention layer solutions aim to stop attacks before they can infiltrate systems, through mechanisms such as firewalls and intrusion prevention systems. They are essential in providing a multifaceted defense against a variety of cyber threats. Notable technologies in the prevention layer include:
• NGFW (Next-Generation Firewall): Provides advanced protection by inspecting and filtering network traffic beyond traditional firewalls, including application-level control and threat intelligence.
• WAF (Web Application Firewall): Protects web applications by filtering and monitoring HTTP traffic to block threats like SQL injection and cross-site scripting.
• IPS (Intrusion Prevention System): Detects and blocks malicious activities or intrusions within a network in real time.
• DLP (Data Loss / Data Leakage Prevention): Prevents unauthorized access to or transmission of sensitive data outside the organization.


• Email Gateway Security Solutions: Protect email systems from threats such as phishing, malware, and spam.
• Web Security Gateway: Safeguards web traffic by blocking access to malicious sites and filtering harmful content.

To make this more concrete, consider the following (arbitrary) organizational layout, which shows where these solutions can be placed.

[Figure: Testing the Effectiveness of Preventative Security Solutions with Picus Complete Security Validation Platform]

We observe that the Next-Generation Firewall (NGFW) is positioned as the first preventative layer
solution, interfacing between the Internet and the organizational network, followed by the Intrusion
Prevention System (IPS). It’s also noted that the Email Server is fortified by a Mail Security solution.
Additionally, the Web Application server, as the name suggests, is shielded by a Web Application Firewall
(WAF) solution. Furthermore, HQ Endpoints and the Data Center, which harbor sensitive information, are
secured through a robust Proxy solution.

It’s imperative that the effectiveness of these security controls be continuously validated and improved to
combat both emerging and known cyber threats, ensuring that the organization's information assets
remain secure and resilient against the evolving threat landscape.

Detection Layer Security Control Solutions

Detection layer solutions focus on identifying and responding to threats that have already bypassed preventative measures, often utilizing technologies like Intrusion Detection Systems (IDS) and Endpoint Detection and Response (EDR). Detection layer solutions encompass various technologies crucial for maintaining endpoint security:
• Endpoint Detection and Response (EDR): Identifies and analyzes unusual activities on endpoints and provides immediate responses to threats.
• Extended Detection and Response (XDR): Enhances EDR by combining data from various security sources (endpoints, network, email) to detect complex threats.
• Intrusion Detection System (IDS): Monitors network traffic to identify and log malicious activities.
• Security Information and Event Management (SIEM): Collects and analyzes data from various security systems to provide a comprehensive view of an organization's security posture and helps in detecting and responding to threats.


These solutions enable continuous monitoring of network traffic and endpoint activities, providing alerts
for suspicious behaviors and potential threats.

Detection layer solutions are crucial for identifying threats that are already inside systems. They are designed to detect unauthorized alterations, unauthorized access, and the disabling of services, for example the creation of new registry keys or the disabling of Windows Defender.

The use of command-line tools for displaying network configurations and querying DNS infrastructure (such as ipconfig and nslookup) may trigger alerts because of their reconnaissance nature, particularly when several such tools are run in quick succession on the same host.

Additionally, execution and removal of batch script files, abnormal termination of security services, and
creation of ransom notes are significant indicators of compromise, which modern detection solutions are
designed to identify promptly, utilizing network analysis, behavior analysis, and signature-based
detection mechanisms.
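As an added example (not from the lesson, and not any EDR vendor's logic), the detector below turns the indicators listed above into behavior-based detection rules and runs them over a constructed stream of Sysmon-style endpoint events: a burst of distinct reconnaissance commands, a registry change that disables Windows Defender, a batch file executed and then deleted shortly afterwards, a security service being stopped, and a ransom note appearing in several folders. Host names, paths, event format, thresholds and the five-minute correlation window are assumptions made for the example.

```python
# Added example: behavior-based endpoint detection rules run over constructed
# Sysmon-style events.  Hosts, paths, thresholds and windows are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

RECON_TOOLS = ("ipconfig", "nslookup", "whoami", "systeminfo", "net.exe")
DEFENDER_TAMPER = re.compile(r"DisableAntiSpyware|DisableRealtimeMonitoring|Set-MpPreference", re.I)
RANSOM_NOTE = re.compile(r"^(readme|how[_ ]?to).*(decrypt|recover|restore).*\.(txt|hta|html)$", re.I)
SECURITY_SERVICES = {"windefend", "wdnissvc", "sense", "mpssvc"}
BAT_PATH = re.compile(r"(\S+\.bat)\b", re.I)


class EndpointDetector:
    def __init__(self, window=timedelta(minutes=5)):
        self.window = window
        self.recon = defaultdict(list)      # host -> [(ts, tool)] seen inside the window
        self.bat_runs = {}                  # (host, path) -> time the batch file ran
        self.note_dirs = defaultdict(set)   # host -> folders that received a ransom note
        self.alerts = []

    def _alert(self, ts, host, severity, rule, detail):
        self.alerts.append({"time": ts.isoformat(), "host": host,
                            "severity": severity, "rule": rule, "detail": detail})

    def process(self, ts_str, host, kind, detail):
        ts = datetime.fromisoformat(ts_str)
        if kind == "process":
            self._on_process(ts, host, detail)
        elif kind == "service_stop" and detail.lower() in SECURITY_SERVICES:
            self._alert(ts, host, "high", "security-service-stopped", detail)
        elif kind == "file_create":
            folder, name = detail.replace("\\", "/").rsplit("/", 1)
            if RANSOM_NOTE.match(name):
                dirs = self.note_dirs[host]
                dirs.add(folder)
                if len(dirs) == 3:          # fire once, when the note reaches a third folder
                    self._alert(ts, host, "critical", "ransom-note-spray", name)

    def _on_process(self, ts, host, cmd):
        low = cmd.lower()
        if DEFENDER_TAMPER.search(cmd):     # signature-style: a single command line is enough
            self._alert(ts, host, "high", "defender-tamper", cmd)
        tool = next((t for t in RECON_TOOLS if t in low), None)
        if tool:                            # behavioral: several distinct tools within the window
            seen = [(t, n) for t, n in self.recon[host] if ts - t <= self.window]
            seen.append((ts, tool))
            self.recon[host] = seen
            if len({n for _, n in seen}) == 3:
                self._alert(ts, host, "medium", "recon-burst", ", ".join(n for _, n in seen))
        m = BAT_PATH.search(low)
        if m:                               # sequence: run a .bat, then delete it soon after
            key = (host, m.group(1))
            if re.search(r"\bdel\b", low):
                ran = self.bat_runs.get(key)
                if ran and ts - ran <= self.window:
                    self._alert(ts, host, "high", "batch-run-then-delete", m.group(1))
            else:
                self.bat_runs[key] = ts


# Constructed events: (timestamp, host, event kind, command line / service / file path).
EVENTS = [
    ("2024-05-14T10:00:05", "WS-17", "process", r"C:\Windows\System32\cmd.exe /c ipconfig /all"),
    ("2024-05-14T10:00:09", "WS-17", "process", r"C:\Windows\System32\nslookup.exe -type=SRV _ldap._tcp.corp.example"),
    ("2024-05-14T10:00:14", "WS-17", "process", r"C:\Windows\System32\whoami.exe /all"),
    ("2024-05-14T10:01:02", "WS-17", "process", r"C:\Users\j\AppData\Local\Temp\stage.bat"),
    ("2024-05-14T10:01:10", "WS-17", "process",
     r"reg.exe add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1 /f"),
    ("2024-05-14T10:01:15", "WS-17", "process", r"cmd.exe /c del C:\Users\j\AppData\Local\Temp\stage.bat"),
    ("2024-05-14T10:01:20", "WS-17", "service_stop", "WinDefend"),
    ("2024-05-14T10:02:00", "WS-17", "file_create", r"C:\Users\j\Documents\README_TO_DECRYPT.txt"),
    ("2024-05-14T10:02:01", "WS-17", "file_create", r"C:\Users\j\Pictures\README_TO_DECRYPT.txt"),
    ("2024-05-14T10:02:01", "WS-17", "file_create", r"C:\Users\j\Desktop\README_TO_DECRYPT.txt"),
    ("2024-05-14T10:05:00", "WS-22", "process", r"C:\Windows\System32\ipconfig.exe /all"),  # lone helpdesk command
    ("2024-05-14T10:06:00", "WS-22", "file_create", r"C:\Users\m\Documents\README.txt"),      # ordinary file
]


def run_demo():
    det = EndpointDetector()
    for event in EVENTS:
        det.process(*event)
    return det.alerts


if __name__ == "__main__":
    for a in run_demo():
        print(a["time"], a["host"], a["severity"], a["rule"], a["detail"])
```

The two WS-22 events produce nothing: one ipconfig on its own is normal administration, and a plain README.txt is not a ransom note. That is the point of correlating over time and across events rather than alerting on every individual command, which is what separates a behavior-based EDR rule from a simple signature.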

While prevention aims to block threats before they breach the first layer of perimeter controls and cause
disruption to organizational networks and systems, detection's role is to swiftly identify and respond to
threats that have managed to bypass the preventative barriers, thus ensuring comprehensive security.

Activity: Understanding Security Controls

Objective: To understand and interpret the meaning and function of various security controls in cybersecurity.

Instructions:
1. Select Two Security Controls:
   - Choose two security controls or technologies discussed in our lesson.
2. Write Explanations:
   - For each selected security control, write a brief explanation in your own words of what the control does and why it is important in cybersecurity.
3. Real-World Application:
   - For each security control, describe a real-world scenario where the control would be useful.
   - Explain how the control would help protect against specific threats or vulnerabilities in that scenario.
