Posted by Tyler Chancey, GCFA on

Tyler Chancey is a cybersecurity professional currently serving as the Director of Cyber Security at Scarlett Cybersecurity Services. With a solid foundation in Computer Software Engineering from the University of Florida, Tyler holds a repertoire of certifications that underscore his expertise. These include the prestigious Microsoft 365 Certified: Enterprise Administrator Expert and Microsoft 365 Certified: Security Administrator Associate, showcasing his mastery in Microsoft's enterprise solutions. Tyler's commitment to comprehensive security is further evidenced by his CompTIA Security+ certification, demonstrating proficiency in core cybersecurity principles. Additionally, his GIAC Certified Forensic Analyst (GCFA) credential attests to his advanced skills in forensic analysis—an invaluable asset in today's complex cybersecurity landscape. Tyler's dedication to staying at the forefront of industry standards is evident in the active pursuit and maintenance of these certifications, making him a trusted authority in the field.

Tyler C., GCFA 

Job title: Director of Cyber Security
Expertise: Information Security, Cybersecurity Incident Response, Cybersecurity Compliance, Cyber Policy
Education: University of Florida, Computer Software Engineering

Highlights:

  • Director of Cyber Security at Scarlett Group since 2022 
  • Holds GCFA and Microsoft 365 Enterprise Administrator certifications
  • Expertise in compliance, incident response and cyber policy

Experience: 

Tyler C. currently serves as the Director of Cyber Security at Scarlett Group in Jacksonville, Florida. He first joined Scarlett Group in 2019 as a Cyber Security Consultant, before being promoted to his current director role in 2022. Tyler has over 4 years of experience providing cybersecurity services to American private and public organizations.

Education:

Tyler earned his degree in Computer Software Engineering from the University of Florida in 2016. While at UF, he developed expertise in programming and software development.

Licenses & Certifications:

  • Microsoft 365 Certified: Enterprise Administrator Expert (Issued May 2023)
  • GIAC Certified Forensic Analyst (GCFA) (Issued Jan 2019, Expires Jan 2027)  
  • Microsoft 365 Certified: Security Administrator Associate (Issued Jul 2022, Expired Jul 2023)
  • CompTIA Security+ (Issued Jun 2020, Expired Jun 2023)

Additional Skills: 

  • Customer Service, Leadership, Public Speaking, Network Security, Forensic Analysis, Disaster Recovery, Cloud Applications

Last month, we discussed the importance of practicing “defense-in-depth” within an organization. This system of redundant defenses helps protect against a huge array of potential threats. One of the core aspects of this defensive philosophy is that an attack will happen. A company needs to be prepared for the possibility that their perimeter defenses fail.

Previously, we listed the three “areas” of security controls as administrative, physical, and technical. All types of security policies and products fit within these three implementation categories. The implementation domain that we will focus on in this post is the administrative controls that can be utilized by a company to help prevent breaches and remediate the incident.

In the last post, three control types were covered that encompassed all the implementation areas for cybersecurity defenses. While these three categories do cover all security products, they do not properly express the goals of these security controls. Below you will find a list of the most common goals of the previously outlined controls. These goals are used in conjunction with the controls. For example, a firewall would primarily be a technical control with preventative goals.

Note that many solutions will not fit into a single control and goal category. This firewall example may also be an administrative control if the policies surrounding its implementation are considered.

Detection

Solutions or policies with the goal of detecting incidents after they have occurred. This goal is usually achieved primarily via technical or physical controls. Many products achieve both detective and preventative goals simultaneously in order to reduce the amount of security products required within an organization.

Prevention

Preventative controls are based around the concept of stopping an attack before it can cause damage. These are some of the most well-known products such as firewalls, AV, IPS, etc.

Correction

Whenever an incident causes impact, corrective controls will intervene in order to remediate the issue. One of the most vital administrative corrective controls is a proper Incident Response Plan, outlined later in this post.

Determent

This is a rather unusual security goal, but deterring possible attackers is a viable method for defending an enterprise. There is a common belief that an unlocked door invites trouble. A proper “bug bounty” program can deter by offering greater incentives to report the issue.

Compensation

Controls that are implemented solely as a substitute for a more effective method. A commonly used example would be a new employee that is not registered with the existing badge reader system. A compensating control would be to escort the associate until a proper solution is achieved.

Critical Administrative Controls

Now that we have defined the goals of our security controls, we can get to the real meat and potatoes of this post. Administrative controls are vitally important for a company’s defenses but are often the most overlooked control. Almost all security actions come from an administrative decision at some point. Nothing happens within a vacuum. But some of the more complex goals and examples are rarely even entertained until it is too late. Below we will define a few of the most critical administrative controls and the categories in which they fit. Remember that a single solution will likely fit into multiple control categories and goals so we will simply emphasize certain examples below.

Administrative Control – Corrective

Incident Response Plan - This is the big one. Incident Response Plans are a corrective administrative control that provides incalculable value in the form of disaster preparedness. It is fairly common knowledge that companies need a plan when dealing with an incident, but very few companies have documentation that details their exact goals and strategy should an incident occur. “How did this happen? Who should we call? How long have the attackers been in our network? What have they taken?” These questions may have extremely complex answers that require full-fledged investigations. Obviously not every business can afford an Incident Response Team that is available 24/7. However, every single business can afford to take the time to develop a solid Incident Response Plan.

Administrative Control – Detective

Auditing – Most products contain thorough logs that allow owners to audit the users and data involved with the system. By setting up a regular review of these events, companies may detect an attack that was never seen by other tools. For example, reviewing badge-reader access logs to a restricted area may reveal evidence of a potential incident.

Administrative Control – Preventative

User Training – As technology gets better and better, the human has proved to be the weakest link in the chain. Attackers have started targeting employees for easy access into the most critical assets. User training helps combat this strategy by shoring up defenses where they matter most. The best training engages users with timely exercises and simulations in order to drive home the effectiveness of some of the new attack techniques.

Administrative Control – Determent

“Bug Bounty” – This control falls under many categories, but we feel it is administrative-focused on deterring negative behavior. Placing a large bounty for outside users that discover security threats helps to incentivize attackers by giving rewards when vulnerabilities are discovered. Without a system to reward the discovery of a vulnerability, the attackers may launch an actual attack instead of reporting the issue.

What’s Next?

We’ve taken a deeper look at one of the primary controls for proper Defense in Depth while defining the specific goals of all security controls. The list in this post barely scratches the surface of the available administrative controls. Next month, we are going to publish an article emphasizing the importance of disaster preparedness and proper IR policies in order to expand upon some of the examples given above.

In the following months, keep an eye out for an article covering technical controls and physical controls. We will use the expanded definitions and goals provided in this post to cover these final two control types and give specific examples regarding their implementation and importance.

For more details on current security standards, be sure to check out the NIST documentation on security controls: https://nvd.nist.gov/800-53.

Share This

Related Posts

Live Nation has revealed that its Ticketmaster subsidiary experienced a data breach, with a hacker offering to sell customer data on the dark web, including names, addresses, phone numbers and some credit card details.
Disaster Recovery Testing is the process of going through each and every essential piece of a business or organization’s disaster recovery plan. The goal is to ensure that the existing is thorough enough to ensure that the business can recover in…
As much of the world has had to shift to a work-from-home model in light of the COVID-19 pa