Security Controls
Methods used to prevent security events, minimize their impact, and limit damage to assets such as data, property, and computer systems.
Technical Controls
Security mechanisms implemented using systems, such as operating system permissions, firewalls, and antivirus software.
Managerial Controls
Administrative controls that guide the design and implementation of security, such as policies and standard operating procedures.
Operational Controls
Controls implemented by people (not systems), such as security guards or user awareness training.
Physical Controls
Measures that limit physical access, like fences, locks, guard shacks, and badge readers.
Preventive Controls
Controls that block access to a resource or stop an unwanted action before it happens (e.g., firewall rules, locked doors, ID checks).
Deterrent Controls
Controls that discourage intrusion attempts but do not directly prevent access (e.g., warning signs, visible security cameras, reception desks).
Detective Controls
Controls that identify and log intrusion attempts (e.g., system logs, login reports, motion detectors).
Corrective Controls
Controls applied after a security event to reverse or minimize impact, such as restoring from backups or contacting law enforcement.
Compensating Controls
Alternate controls that mitigate weaknesses when primary controls aren't sufficient (e.g., blocking an app at the firewall instead of patching).
Directive Controls
Controls that guide or instruct users toward compliance (e.g., "Authorized Personnel Only" signs, policies, training).
CIA Triad
The foundational security model based on Confidentiality, Integrity, and Availability.
Confidentiality
Ensures information is accessible only to authorized users or systems; achieved through encryption, access controls, and multifactor authentication.
Integrity
Ensures data is accurate and unaltered; maintained using hashing, digital signatures, and certificates.
Availability
Ensures information and systems are accessible to authorized users when needed; supported by redundancy, fault tolerance, and patching.
Non-Repudiation
Provides proof that data or actions originated from a verified source and were not altered, ensuring a sender cannot deny sending a message.
Proof of Integrity
Verification that data has not changed using hashing (e.g., a file hash changes if any data changes).
Proof of Origin
Confirms the authenticity of a message's source, typically using digital signatures created with a sender's private key and verified with their public key.
Authentication
The process of proving an identity claim (e.g., by entering a password or using biometrics).
Authorization
Determines what resources a user or system can access after authentication.
Accounting (Auditing)
Tracks user activities such as login times, data transfers, and resource use for accountability and auditing.
AAA Framework
A model for security management that stands for Authentication, Authorization, and Accounting—used to verify identity, assign permissions, and record activity.
Certificate Authentication
Device or system authentication using a digital certificate issued and signed by a trusted Certificate Authority (CA).
Authorization Models
Frameworks used to assign access rights efficiently (e.g., Role-Based, Attribute-Based, or Organization-Based models).
Gap Analysis
A comparison of an organization's current security posture against a desired or standard baseline to identify deficiencies and improvements.
Zero Trust
A holistic security approach where no device or user is inherently trusted; every access request is verified through continuous authentication, encryption, and policy enforcement.
Planes of Operation (Zero Trust)
Data Plane: Handles actual data processing and forwarding.
Control Plane: Manages how data is processed, using routing or policy tables.
Policy Plane: Determines and enforces trust decisions (Policy Engine, Policy Decision Point, Policy Enforcement Point).
Security Zones
Logical groupings (e.g., trusted, untrusted, internal, VPN) used to apply network access rules and reduce attack surfaces.
Barricades / Bollards
Physical barriers that prevent vehicle access and channel pedestrian movement through controlled points.
Access Control Vestibules (Mantraps)
Controlled entryways that limit access to one person or group at a time to prevent tailgating and unauthorized entry.
Fencing
Physical perimeters used to deter or slow entry; may be opaque, tall, or topped with razor wire.
Video Surveillance (CCTV)
Monitors and records activity; modern systems use motion detection and object recognition.
Security Guards
Personnel who verify identities, monitor access, and protect facilities; may enforce two-person control policies.
Access Badges
Identification cards with photos and electronic tracking used for entry authentication.
Lighting
Enhances visibility and deters intrusion; proper placement avoids glare and shadows, aiding cameras and recognition.
Sensors
Devices that detect motion or intrusion using infrared, pressure, microwave, or ultrasonic technology.
Honeypot
A decoy system designed to attract and observe attackers, often used to collect data on intrusion techniques.
Honeytokens
Trackable fake data (e.g., credentials, email addresses) that notify defenders when stolen or used, identifying leaks or attackers.
Change Management
A formal process that governs modifications to systems or configurations to prevent errors, downtime, and security incidents.
Change Approval Process
Steps include requesting the change, defining purpose and scope, analyzing impact and risk, scheduling, and obtaining approval from a Change Control Board.
Ownership
The person or department responsible for overseeing a change, ensuring it's performed correctly.
Stakeholders
Individuals or groups affected by a change who should be informed or consulted.
Impact Analysis
Evaluates potential risks and side effects of a change, including technical failures or business disruption.
Testing (Sandbox Environment)
Isolated testing areas used to safely trial updates or patches before deployment to production systems.
Backout Plan
A documented method to revert to the previous state if a change fails.
Maintenance Window
A scheduled time for implementing changes that minimizes disruption to operations.
Standard Operating Procedure (SOP)
Documented process ensuring consistency in how changes and maintenance are handled across the organization.
Allow List / Deny List
Application control policies where an allow list restricts execution to approved apps, and a deny list blocks known malicious or unauthorized ones.
Restricted Activities
Defines what actions a change request covers; prevents unauthorized or unintended modifications.
Downtime Management
Strategies to minimize or avoid service interruption during system changes.
Restarts
Reboots or service restarts often required to apply new configurations or updates.
Legacy Applications
Old, unsupported programs still in use; require special documentation and maintenance.
Dependencies
Interconnected systems or services that rely on each other; changes may require coordinated updates.
Documentation
Accurate, current records of configurations, diagrams, and procedures to ensure traceability and consistency.
Version Control
Tracking changes to configurations or files over time, allowing easy rollback and accountability.
Public Key Infrastructure (PKI)
A framework of policies, procedures, hardware, and software that manages digital certificates and encryption keys to enable secure communication and authentication.
Symmetric Encryption
Uses one shared key for both encryption and decryption; fast but less scalable due to key distribution challenges.
Asymmetric Encryption (Public Key Cryptography)
Uses two mathematically related keys: a public key (shared openly) and a private key (kept secret).
Key Escrow
A trusted third party holds encryption keys to allow data recovery under specific legal or organizational conditions.
Data Encryption at Rest
Secures stored data on drives or databases using tools like BitLocker, FileVault, or transparent database encryption.
Transport Encryption
Protects data in transit via HTTPS, SSL/TLS, or VPNs.
Encryption Algorithms
Mathematical formulas used for encryption/decryption; vary in speed, complexity, and security strength.
Cryptographic Key
A string of data used by algorithms to encrypt or decrypt information; must be kept private.
Key Length
The size of the encryption key; longer keys offer stronger protection against brute-force attacks.
Key Stretching
Technique that makes weak keys stronger by repeatedly hashing, slowing brute-force attempts.
Key Exchange
The process of securely sharing encryption keys, often using asymmetric encryption to exchange symmetric session keys.
Trusted Platform Module (TPM)
Hardware chip providing cryptographic functions like secure key generation, storage, and system integrity checks.
Hardware Security Module (HSM)
Dedicated hardware device used to securely generate, store, and manage cryptographic keys, often in enterprise environments.
Key Management System (KMS)
Centralized service for creating, rotating, and managing encryption keys across devices or cloud services.
Secure Enclave
An isolated hardware area for secure key storage and cryptographic operations.
Obfuscation
Making data or code intentionally difficult to understand to prevent misuse or reverse engineering.
Steganography
Hiding information within another medium such as an image, audio, or video file.
Tokenization
Replacing sensitive data with non-sensitive placeholders (e.g., using a token instead of a credit card number).
Data Masking
Hiding portions of sensitive data to protect privacy while keeping data usable (e.g., displaying only the last 4 digits of an SSN).
Hashing
A one-way mathematical process that converts data into a fixed-length "fingerprint" used for verification and password storage.
Collision (Hashing)
When two different inputs produce the same hash—an undesirable event indicating weakness (e.g., MD5 collisions).
Salted Hash
A hash that includes a random value (salt) to make identical passwords produce different hashes.
Digital Signature
An encrypted hash of a message that provides integrity, authentication, and non-repudiation.
Blockchain Technology
A distributed ledger system where all participants maintain synchronized copies of transactional data for integrity and transparency.
Digital Certificate
A file that binds a public key with an entity's identity, digitally signed by a Certificate Authority to establish trust.
Certificate Authority (CA)
A trusted organization that issues and digitally signs digital certificates to validate identity.
Root of Trust
The foundational, inherently trusted element (hardware or software) upon which all other security relies.
Certificate Signing Request (CSR)
A request sent to a CA containing an entity's public key and identifying information to obtain a signed certificate.
Self-Signed Certificate
A certificate signed by the same entity that created it; used internally where external trust isn't needed.
Wildcard Certificate
A certificate that applies to all subdomains of a given domain (e.g., *.example.com).
Certificate Revocation List (CRL)
A list of revoked certificates maintained by a CA to identify certificates that are no longer valid.
Online Certificate Status Protocol (OCSP)
A real-time protocol that lets browsers check whether a certificate has been revoked without downloading a CRL.
OCSP Stapling
Optimization method where a web server "staples" its CA-signed OCSP response during the TLS handshake for efficiency and privacy.
Threat Actor
An entity (individual or group) responsible for actions that compromise security or safety of another entity; also called a malicious actor.
Internal Threat Actor
An attacker within the organization—such as an employee, contractor, or partner—who misuses authorized access.
External Threat Actor
An attacker operating outside the organization, attempting to gain unauthorized access.
Sophistication/Capability
Measures how advanced an attacker's methods and tools are; ranges from simple script execution to custom malware development.
Resources/Funding
Determines an attacker's access to tools, personnel, and infrastructure; well-funded actors can sustain advanced, long-term attacks.
Motivations of Threat Actors
Reasons for conducting attacks, such as data theft, espionage, revenge, financial gain, ideology, disruption, or warfare.
Nation-State Actor
A government-sponsored attacker with vast funding and advanced resources; often conducts espionage or cyberwarfare (e.g., Stuxnet).
Unskilled Attacker ("Script Kiddie")
Uses pre-made tools or scripts without deep technical knowledge; targets low-hanging fruit with limited resources.
Hacktivist
A hacker motivated by political, ethical, or ideological causes; may conduct DDoS attacks, deface websites, or leak data.
Insider Threat
An internal individual (employee or partner) who uses legitimate access for malicious purposes such as revenge or financial gain.
Organized Crime
Professional criminals motivated by money; operate like a business with defined roles for hacking, managing exploits, and monetizing stolen data.
Shadow IT
Unauthorized technology systems or services deployed by departments outside IT's control, increasing security risks and complexity.
Threat Vector (Attack Vector)
The method or path an attacker uses to gain access or compromise a target system, such as email, USB drives, or vulnerable software.