Also called a countermeasure: a protective measure that removes or reduces one or more vulnerabilities. Establishing a control for each threat requires knowing as much about the threats as about the controls themselves.
The control mechanism varies with the kind of threat, the control type, and what it protects.
Effectiveness
A control’s effectiveness depends on:
- Awareness
Users must know the control exists and why it matters. Unnoticed controls are ignored or bypassed.
- Usage Preference
Users avoid controls that cost too much in time, space, or effort.
- Correct Usage
Incorrect or inconsistent application leaves gaps.
- Periodic Review
Threats evolve. Controls must be reassessed regularly to stay relevant.
- Overlapping Coverage
A control that addresses multiple vulnerabilities provides greater protection.
Principle of Weakest Link
Overall security is bounded by the least secure component in the system.
Attackers target the weakest point, not the average. A system with strong controls everywhere except one gap will be exploited through that gap.
Implications:
- Every component must be secured, not just the critical ones.
- Strengthening already-strong controls yields no benefit if weaker ones remain.
- A chain of controls fails at its first weak point.
Types
Physical
Prevents physical access to systems; locking the server room, for example.
Technical
Controls enforced by technology, either hardware or software.
- Hardware
Physical devices that enforce security: firewalls, encryption cards, hardware security modules.
- Software
Programs that protect systems or data: antivirus tools, access control systems, encryption software.
Administrative
Controls enforced through organizational rules and human behavior rather than technology.
- Policies and Procedures
Written rules governing how people interact with systems: password requirements, audit schedules, incident response steps.
- Access Control
Defines which users or roles can access which resources, and under what conditions. Typically follows least-privilege: grant only what is needed.
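Added example (not part of the original notes): a minimal role-based access check that follows least privilege by denying anything not explicitly granted, with a per-permission condition (business hours only). The roles, users, resources and hours are constructed for illustration.

```python
from dataclasses import dataclass

# A permission names one resource/action pair and an optional condition under
# which it applies. No wildcards: a role gets exactly what is listed.
@dataclass(frozen=True)
class Permission:
    resource: str
    action: str
    business_hours_only: bool = False  # constructed condition: allowed only 09:00-17:00

# Constructed role definitions. Each role is granted only what the role needs;
# the destructive "delete" action is additionally limited to business hours.
ROLE_PERMISSIONS = {
    "analyst": {Permission("logs", "read")},
    "admin": {
        Permission("logs", "read"),
        Permission("logs", "delete", business_hours_only=True),
    },
}

# Constructed user-to-role assignments. "mallory" holds no role at all.
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}, "mallory": set()}

def is_allowed(user: str, resource: str, action: str, hour: int) -> bool:
    """Default deny: return True only if one of the user's roles explicitly
    grants (resource, action) and that permission's condition holds at `hour`."""
    for role in USER_ROLES.get(user, set()):          # unknown user -> no roles
        for perm in ROLE_PERMISSIONS.get(role, set()):  # unknown role -> no perms
            if perm.resource != resource or perm.action != action:
                continue
            if perm.business_hours_only and not 9 <= hour < 17:
                continue  # grant exists but its condition is not met
            return True
    return False  # nothing granted it, so it is denied

if __name__ == "__main__":
    for user, action, hour in [("alice", "read", 10), ("alice", "delete", 10),
                               ("bob", "delete", 10), ("bob", "delete", 20),
                               ("mallory", "read", 10)]:
        verdict = "ALLOW" if is_allowed(user, "logs", action, hour) else "DENY"
        print(f"{user:8} {action:7} logs at {hour:02d}:00 -> {verdict}")
```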