2.5 Explain concepts related to vulnerability response, handling, and management.
📘CompTIA CySA+ (CS0-003)
In IT security, controls are actions, devices, policies, or software that reduce risk or protect systems from threats. Controls can be managerial, operational, or technical, and they can serve different purposes like preventative, detective, responsive, or corrective.
1. Managerial Controls
- Definition: These are policies, procedures, and oversight activities that guide how security is implemented.
- Purpose: Ensure that proper security practices are planned, enforced, and reviewed.
- Examples in IT:
  - Writing and enforcing patch management policies.
  - Creating a vulnerability assessment schedule for servers.
  - Assigning roles and responsibilities for security monitoring.
- Exam Tip: Managerial controls are about planning and oversight, not technical tools.
2. Operational Controls
- Definition: Day-to-day procedures and practices that help enforce security policies.
- Purpose: Make sure security policies are followed in everyday operations.
- Examples in IT:
  - Daily review of logs to detect unusual server activity.
  - Conducting regular vulnerability scans.
  - Performing user access reviews to ensure least privilege is maintained.
- Exam Tip: Operational controls are process-focused and usually involve human actions.
3. Technical Controls
- Definition: Hardware or software mechanisms that enforce security automatically.
- Purpose: Protect systems and data without relying on human behavior.
- Examples in IT:
  - Firewalls to block unauthorized network traffic.
  - Antivirus and endpoint protection to stop malware.
  - Intrusion Detection Systems (IDS) to identify suspicious activity.
  - Encryption to protect sensitive data.
- Exam Tip: Technical controls are automatic, IT-based safeguards.
4. Preventative Controls
- Definition: Controls designed to stop a security incident before it happens.
- Purpose: Reduce the chance of vulnerabilities being exploited.
- Examples in IT:
  - Strong password policies to prevent unauthorized access.
  - Patch management to fix software vulnerabilities before attackers exploit them.
  - Access controls to restrict users to only what they need.
- Exam Tip: Preventative = prevention-focused.
5. Detective Controls
- Definition: Controls that detect and alert when a vulnerability is exploited or a security event occurs.
- Purpose: Identify problems quickly so corrective action can be taken.
- Examples in IT:
  - Security Information and Event Management (SIEM) tools to analyze logs for anomalies.
  - IDS/IPS alerts for unusual network traffic.
  - Audit logs that track who accessed which systems and when.
- Exam Tip: Detective = detection-focused; it doesn’t stop the attack, it reveals it.
6. Responsive Controls
- Definition: Controls that respond to an incident immediately to reduce impact.
- Purpose: Limit damage and control security incidents as they happen.
- Examples in IT:
  - Automatic account lockout after multiple failed login attempts.
  - Blocking malicious IP addresses after detection.
  - Network segmentation to isolate compromised systems.
- Exam Tip: Responsive = active defense during the incident.
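The difference between a detective control (section 5, log analysis that only alerts) and a responsive control (section 6, automatic account lockout) is easiest to see when both run over the same failed-login events. The script below is an added example written for these notes, not material from CompTIA or the CySA+ exam objectives; the sshd-style log lines, the usernames, the IP addresses and the lockout threshold of 5 are all constructed for illustration.

```python
"""Detective vs. responsive controls over a constructed authentication log.

Added example for these study notes; not part of the CySA+ material.
Log lines, usernames, IPs and the threshold are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sshd-style log lines (not real data); IPs are from documentation ranges.
SAMPLE_LOG = """\
Jan 10 09:01:02 host sshd[1001]: Failed password for alice from 203.0.113.5 port 5001
Jan 10 09:01:05 host sshd[1002]: Failed password for alice from 203.0.113.5 port 5002
Jan 10 09:01:09 host sshd[1003]: Failed password for alice from 203.0.113.5 port 5003
Jan 10 09:01:12 host sshd[1004]: Accepted password for bob from 198.51.100.7 port 6001
Jan 10 09:01:15 host sshd[1005]: Failed password for alice from 203.0.113.5 port 5004
Jan 10 09:01:20 host sshd[1006]: Failed password for alice from 203.0.113.5 port 5005
Jan 10 09:01:25 host sshd[1007]: Failed password for alice from 203.0.113.5 port 5006
Jan 10 09:01:30 host sshd[1008]: Accepted password for alice from 203.0.113.5 port 5007
"""

LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)

LOCKOUT_THRESHOLD = 5  # hypothetical policy value, not taken from the notes


def parse_log(text):
    """Turn raw log text into a list of {'result', 'user', 'ip'} dicts.

    Lines that do not match the pattern are skipped rather than aborting the run.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def run_detective(events, threshold=LOCKOUT_THRESHOLD):
    """Detective control: observe and alert, never change the account's state.

    Counts consecutive failures per user. Alerts when the count reaches the
    threshold, and again if a login later succeeds after that many failures,
    because detection alone does not stop the attempt from going through.
    """
    failures = defaultdict(int)
    alerts = []
    for ev in events:
        user = ev["user"]
        if ev["result"] == "Failed":
            failures[user] += 1
            if failures[user] == threshold:
                alerts.append(
                    f"ALERT: {threshold} consecutive failed logins for {user} from {ev['ip']}"
                )
        else:
            if failures[user] >= threshold:
                alerts.append(
                    f"ALERT: successful login for {user} after {failures[user]} failures"
                )
            failures[user] = 0  # a success resets the consecutive-failure counter
    return alerts


def run_responsive(events, threshold=LOCKOUT_THRESHOLD):
    """Responsive control: lock the account at the threshold and reject what follows.

    Returns the list of actions taken and the set of locked users.
    """
    failures = defaultdict(int)
    locked = set()
    actions = []
    for ev in events:
        user = ev["user"]
        if user in locked:
            # Once locked, even a correct password is refused until an admin unlocks.
            actions.append(f"REJECT: {ev['result']} login for {user} ignored, account locked")
            continue
        if ev["result"] == "Failed":
            failures[user] += 1
            if failures[user] >= threshold:
                locked.add(user)
                actions.append(f"LOCK: {user} after {failures[user]} failures from {ev['ip']}")
        else:
            failures[user] = 0
    return actions, locked


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("Detective control output:")
    for alert in run_detective(events):
        print(" ", alert)
    print("Responsive control output:")
    actions, locked = run_responsive(events)
    for action in actions:
        print(" ", action)
    print("Locked accounts:", sorted(locked))
```

Run it and compare the two outputs: the detective pass reports the fifth failure and then reports that the final "Accepted" line went through anyway, which is exactly the "it doesn't stop the attack, it reveals it" point in the exam tip. The responsive pass locks the account at the fifth failure, so the same "Accepted" line is rejected. Note that bob's success does not reset alice's counter; each user is tracked separately, which is the usual behaviour of an account lockout policy.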
7. Corrective Controls
- Definition: Controls that fix or recover from an incident after it has occurred.
- Purpose: Restore systems and prevent future recurrence.
- Examples in IT:
  - Restoring servers from backups after a ransomware attack.
  - Reconfiguring firewall rules after a breach.
  - Removing malware and applying patches post-incident.
- Exam Tip: Corrective = post-incident recovery and repair.
Summary Table for the Exam
| Control Type | What It Does | IT Example |
|---|---|---|
| Managerial | Policies & oversight | Patch management policy |
| Operational | Day-to-day procedures | Daily log reviews, user access checks |
| Technical | Automated hardware/software | Firewalls, IDS, antivirus |
| Preventative | Stops incidents before they happen | Strong passwords, patching, access controls |
| Detective | Detects incidents | SIEM alerts, audit logs |
| Responsive | Responds immediately | Account lockout, block malicious IPs |
| Corrective | Fixes/recovers post-incident | Restore backups, remove malware, reconfigure firewall |
✅ Key Exam Tip:
- Controls can overlap. For example, a firewall is technical and preventative, while SIEM is technical and detective.
- Always link the control to its purpose: prevent, detect, respond, or correct.
