WEBVTT

00:07.370 --> 00:11.990
Often in our network, we understand that we can't fix every flaw or vulnerability.

00:12.020 --> 00:14.210
Sometimes the flaw is too expensive.

00:14.240 --> 00:19.670
The technology isn't available, or if it is available, we don't have access to it.

00:19.880 --> 00:22.910
There are different flaws specific to use cases.

00:22.910 --> 00:28.310
Maybe we have a machine that we're supporting, where we can't implement the patch or the control

00:28.310 --> 00:33.470
that would fix the issue because of the way it interacts with the software that's running on the server.

00:33.500 --> 00:38.540
There's all kinds of different reasons that we can't fix a security flaw or vulnerability the way we

00:38.540 --> 00:39.380
would like to.

00:39.410 --> 00:43.040
We ought to refer to this as utilizing compensating controls.

00:43.040 --> 00:50.120
Compensating controls are a temporary fix for an unavailable reason that we would normally fix that

00:50.180 --> 00:53.150
problem or flaw or vulnerability within our system.

00:53.180 --> 00:58.040
For instance, if I have a security device that is completely compromised during an attack, it may

00:58.070 --> 01:00.830
be considered time to restore or replace that device.

01:00.830 --> 01:07.340
But in the meantime, we can use a compensating control to reroute traffic or to better secure that

01:07.390 --> 01:10.540
specific device or that specific flaw.

01:10.570 --> 01:15.130
When we talk about compensating controls, we need to understand that it meets the intent or the rigor

01:15.130 --> 01:18.400
of the original requirement of the device we're trying to fix.

01:18.430 --> 01:23.860
A compensating control is not just throwing a band-aid on while the system is still hemorrhaging data.

01:23.890 --> 01:26.860
A compensating control is, hey, we have a data breach.

01:26.860 --> 01:28.270
Let's stop it now.

01:28.270 --> 01:30.880
And by stopping it now, we're going to do X.

01:30.880 --> 01:33.580
That X stops all the data breach from happening.

01:33.580 --> 01:38.170
It may have other circumstances behind it that don't really help us that much.

01:38.170 --> 01:44.380
But for a compensating control, it still provides us that unique perspective of stopping the flaw in

01:44.380 --> 01:45.340
its tracks.

01:45.340 --> 01:51.580
When we have a flaw or a vulnerability within a system, we often look to fixing that problem right

01:51.580 --> 01:52.360
off the get-go.

01:52.390 --> 01:56.290
There's many ways to fix a problem, but there's often a best case scenario.

01:56.290 --> 01:59.380
Sometimes that best case scenario is patching the vulnerability.

01:59.380 --> 02:03.970
And while we would love to be able to patch every single vulnerability or flaw that comes into our system,

02:03.970 --> 02:06.010
sometimes that's just not capable.

02:06.010 --> 02:10.840
We've got problems like older servers that may be running software where the patch, if we implement

02:10.840 --> 02:12.940
it, would shut down that entire service.

02:12.970 --> 02:16.880
Yet that service is literally providing funding for an entire company.

02:16.910 --> 02:20.960
It is not practical to stop or to patch that system because of this.

02:20.990 --> 02:26.690
We often see data or if there's a data breach occurring, that we need to put a stop to it immediately.

02:26.690 --> 02:32.120
And while the best way of doing it isn't within our financial means, or we don't have the capability

02:32.120 --> 02:37.400
or capacity to implement that defense against it immediately, we have to come up with something.

02:37.400 --> 02:44.660
We can utilize a compensating control to fix that flaw or fix that vulnerability from a temporary standpoint.

02:44.660 --> 02:50.390
The compensating control needs to come into play and provide the same rigor as the original requirement.

02:50.390 --> 02:56.300
It needs to provide the same level of defense, and it needs to either rise to the level of or go beyond the

02:56.300 --> 03:00.440
original level of providing a fix for that original data breach.

03:00.440 --> 03:06.050
We may need to mitigate the existence of the problem that is in play at the time.

03:06.080 --> 03:08.000
A compensating control is not a band-aid.

03:08.000 --> 03:14.360
We're not providing a short term fix that doesn't provide 100% of the stoppage of the data breach.

03:14.390 --> 03:18.950
It needs to provide the same level that the original fix would have provided.

03:18.980 --> 03:25.300
With that said, we go into the fact of knowing that compensating controls are often our last-ditch effort

03:25.300 --> 03:31.990
to fix a problem when we don't always have the money, the finances, the availability, or the original,

03:31.990 --> 03:34.780
safeguard that we would originally put into place.

03:34.780 --> 03:39.850
There are different control types that we need to be aware of: managerial, technical, and operational.

03:39.880 --> 03:44.980
Managerial controls, also referred to as administrative controls, are controls that are developed

03:44.980 --> 03:49.660
or implemented as part of an overall security process utilized for people.

03:49.690 --> 03:54.940
More often than not, we're talking about account management policies, media or equipment use policies,

03:54.940 --> 04:00.970
acceptable use policies, incident response plans and procedures, security awareness and training.

04:01.000 --> 04:06.100
Pretty much, when we talk about managerial or administrative controls, think paperwork: we're doing

04:06.100 --> 04:07.690
paperwork to stop a problem.

04:07.690 --> 04:12.460
If I've got an employee that's constantly clicking on that phishing link, we could create a policy

04:12.460 --> 04:15.250
that says, hey, don't do that or you're going to get fired.

04:15.250 --> 04:20.500
That's a managerial or administrative control that we're putting in place to stop someone from doing something

04:20.500 --> 04:21.250
they shouldn't.

04:21.280 --> 04:24.910
We're adhering to that human nature, so to speak, when it comes to managerial policies.

04:24.910 --> 04:30.620
Technical controls are controls that we utilize on a technical

04:30.620 --> 04:31.010
nature.

04:31.010 --> 04:32.180
Just like it sounds.

04:32.180 --> 04:35.840
We can use firewall configurations, outlining access control lists.

04:35.840 --> 04:41.120
We can go through and we can say, hey, I need to reconfigure this device to counter this problem.

04:41.120 --> 04:45.770
When we talk about technology controls, we're really thinking about patch management.

04:45.770 --> 04:50.480
We're thinking about, hey, how do I effectively use technology to solve a problem?

04:50.480 --> 04:52.940
This is the adherence to a technical control.

04:52.970 --> 04:55.190
Finally, we look at operational controls.

04:55.220 --> 05:01.070
Operational controls are tools that may be traditionally physical or operational in nature.

05:01.070 --> 05:03.770
This would be things like, hey, let's lock the gate.

05:03.770 --> 05:06.980
Let's put up a boundary inside of our network.

05:07.130 --> 05:11.840
From the perspective of I don't want anybody to go in through this door, let's put a padlock on the

05:11.840 --> 05:13.550
door and then secure it with a bar.

05:13.580 --> 05:17.960
Maybe we have a problem with our humidity inside of our server room.

05:17.960 --> 05:20.240
Let's purchase a humidifier.

05:20.270 --> 05:22.040
Maybe we need video surveillance.

05:22.070 --> 05:24.860
Maybe we need to go through and hire some extra security guards.

05:24.890 --> 05:28.100
Operational controls are anything that's not technical in nature.

05:28.100 --> 05:32.990
It's not necessarily administrative in nature, but it still provides a control that stops people from

05:32.990 --> 05:34.280
doing stupid things.
