Any control, be it technical, physical, or administrative, is either a preventive control, a detective control, or possibly a corrective control (e.g., a security guard can not only det

Any control, be it technical, physical, or administrative, is either a preventive control, a detective control, or possibly a corrective control (e.g., a security guard can not only detect a disturbance but also can respond to it in near real time). Of these three types of controls, technical controls have the advantage that they can be set up to run automatically, always on, running “in the background,” while users perform other tasks.

Unfortunately, the evolution of technical controls in information security often leads both users and management to the mistaken belief that these “set it and forget it” controls keep them completely secure, and their awareness of, and concern for, information security can drop precipitously.

What both users and information security professionals need to always be aware of is that no technical control, no matter how well engineered and tested, can provide 100% risk-free operation. Technical controls can, and will, fail.

For this Discussion, you will explore how technical controls have evolved over the past 10 years, and you will investigate how the failure of these technical controls has led to significant security breaches. As you review technical controls, their evolution and their failures, consider how they failed, what could have been done to prevent or mitigate the failure, and analyze the failures to see if you can identify any trends in how these controls were exploited. Spotting such a trend may serve as a powerful research topic, and developing this knowledge will also serve you well as an information security professional.

To Prepare:

• Based on these resources and your own research, document 2 cases in which the failure of information security technical controls have resulted in significant security breaches (loss of data confidentiality) or security disasters (loss of data integrity or availability) in terms of size or impact.

Participants:
, submit a 2- to 3-paragraph post that includes the following:

• A description of the cases you have documented in which the failure of information security technical controls have resulted in significant security breaches
• Answers to the following questions, including justifications for your responses:
  • What, if any, trends did you discover in how technical controls failed?
  • How could the failure of the technical control have been avoided or otherwise mitigated?