17.1 Security Threats and Control Selection
Key Takeaways
- Area II (Security, Confidentiality, and Privacy) is 35-45% of the ISC discipline; candidates classify threat agents, attack types, techniques, and the stages of a cyber-attack before selecting controls.
- Cloud, Internet of Things, mobile, remote access, and vendor connections each create distinct attack surfaces that must be mapped to the system boundary.
- Defense-in-depth layers preventive, detective, and corrective controls rather than relying on one technology to stop every attack path.
- Least privilege, need-to-know, zero trust, and whitelisting are access design principles that drive authentication, authorization, and monitoring choices.
- In SOC 2 and IT advisory scenarios, a CPA distinguishes a control design deficiency from an operating deviation and documents the exception, criterion, evidence, and recommendation.
Blueprint Focus
The ISC (Information Systems and Controls) discipline is one of three CPA exam discipline sections, alongside BAR and TCP. ISC is delivered as a four-hour exam with about 82 multiple-choice questions and 6 task-based simulations, scored on the 0-99 scale with a passing score of 75. Area II, Security, Confidentiality, and Privacy, carries 35-45% of the score and treats security as far more than a vocabulary list: a newly licensed CPA must recognize threat agents, attack methods, and the controls management uses to prevent, detect, and respond to them.
The exam embeds these ideas in an IT audit, SOC 2, vendor-risk, or advisory setting. Three terms anchor every question. A threat agent is the source of potential harm: internal or external, state-sponsored or non-state, a malicious actor, or an employee who creates exposure through error. A threat is the circumstance that can exploit a weakness; a vulnerability is the weakness itself; and risk is the likelihood and impact of the threat exploiting the vulnerability.
Threats, Attacks, and Techniques
Attack types include physical attacks, distributed denial-of-service (DDoS) attacks, malware, social engineering, web-application attacks, and mobile-device attacks. Techniques include SQL injection, cross-site scripting (XSS), buffer overflow, replay attacks, covert channels, race conditions, mobile code, and return-oriented programming. In a scenario, first decide whether the attacker is trying to steal credentials, disrupt service, execute code, bypass authorization, or alter data.
A cyber-attack typically progresses through stages: reconnaissance, gaining access, privilege escalation, maintaining access, network exploitation, and covering tracks. ISC questions hide the stage inside the facts. Unusual administrative-account creation signals privilege escalation; deletion of security logs signals covering tracks; scanning exposed ports signals reconnaissance; a planted backdoor or scheduled task signals maintaining access.
Risk Environment
Cloud, IoT, mobile, and partner connections expand the attack surface. Cloud risk involves misconfigured storage buckets, weak identity federation, insecure application programming interfaces (APIs), and unclear shared responsibility between customer and provider. IoT risk centers on default passwords, limited patching, unmanaged devices, and weak network segmentation. Mobile risk includes lost devices, untrusted networks, malicious apps, and bring-your-own-device data leakage.
| Risk condition | Likely control response |
|---|---|
| Remote access from personal devices | Multi-factor authentication, VPN, managed endpoint security, session logging |
| Flat internal network | Segmentation, firewall rules, least-privilege access paths |
| Unpatched critical software | Vulnerability scanning, patch prioritization, testing, deployment evidence |
| Public web-application input | Secure coding, input validation, web-application firewall, code review |
| Excessive user permissions | Role-based access, periodic access recertification, account restrictions |
Control Selection
Apply defense-in-depth to layer controls so no single failure exposes the system. Preventive controls reduce the chance of an event: system hardening, access restrictions, application whitelisting, and intrusion prevention. Detective controls identify events during or after occurrence: log analysis, intrusion detection, monitoring alerts, and security information and event management (SIEM) review. Corrective controls contain or restore: patching, malware quarantine, backup restoration, and incident response.
Access design should reflect least privilege (only the access a job needs), need-to-know, and zero trust (never trust, always verify, even inside the perimeter). Discretionary access lets owners grant rights; role-based access ties rights to job duties; mandatory access enforces centrally defined classifications. Authentication methods include passwords, single sign-on, multi-factor authentication, digital signatures, smart cards, biometrics, and PIN controls.
CPA Testing Lens
When evaluating controls, separate design from operation. A design deficiency exists when a control, even if performed perfectly, would not address the risk. An operating deviation exists when a suitably designed control was not performed as designed. In a SOC 2 security scenario, document the issue, the affected criterion or service commitment, the evidence reviewed, the exception population, the risk implication, and a recommendation. The best exam answer is usually the control that addresses the stated risk most directly with the fewest unsupported assumptions.
Worked Scenario: Mapping an Attack to Layered Controls
A simulation describes a SaaS provider whose customer-facing application accepts unvalidated text in a search box, and an attacker submits a crafted string that returns other customers' records. Walk the facts in order. The technique is SQL injection, a web-application attack that abuses missing input validation to manipulate a database query. The blueprint expects you to pair it with layered controls rather than a single fix.
- Preventive: parameterized queries (prepared statements), server-side input validation, secure-coding standards, and a web-application firewall to filter known injection patterns.
- Detective: SIEM alerting on anomalous query patterns, database activity monitoring, and code review or static analysis in the build pipeline.
- Corrective: incident response to contain the session, a patch to the vulnerable code, and forensic review of which records were exposed.
Notice that the answer is never "buy a tool." It is "close the design gap (validation) and add detection and response in case prevention fails." That layering is the testable point.
Common Traps
ISC multiple-choice items plant predictable distractors. Watch for these:
- A control that sounds relevant but addresses a different attack stage (training will not stop an active SQL injection).
- Confusing a vulnerability (the weakness) with a threat (the circumstance) or with risk (likelihood times impact).
- Naming a detective control when the stem asks how to prevent an event, or vice versa.
- Treating multi-factor authentication as a cure-all when the real gap is excessive standing privilege, where least privilege and access recertification are the better answers.
- Selecting the broadest, most expensive control instead of the one that directly addresses the stated risk with the fewest assumptions.
The disciplined method is constant: identify the threat agent and attack stage, name the vulnerability, then choose the preventive, detective, or corrective control the stem actually calls for.
A service organization allows remote administrators to connect from personal laptops using only a password. Which control best addresses the most direct security risk?
During a SOC 2 walkthrough, the documented policy requires quarterly access reviews, but management has not performed the review for the last two quarters. How should this be classified?