1.1 Compare and contrast security controls
📘CompTIA Security+ (SY0-701)
1. Security Controls Overview
Security controls are measures put in place to protect an organization’s data, systems, and networks from threats.
Think of them as rules, tools, or actions that help secure IT environments.
Security controls can be categorized in different ways, but for this section, we focus on types based on purpose.
2. Control Types
A. Preventive Controls
- Purpose: Stop security incidents before they happen.
- Goal: Prevent unauthorized actions.
IT Examples:
- Firewalls: Block unauthorized network traffic.
- Access Control Lists (ACLs): Restrict which users can access files or servers.
- Strong Password Policies: Require complex passwords to prevent brute-force attacks.
- Antivirus/Anti-malware Software: Blocks malware before it infects the system.
Exam Tip: Always think of “preventing bad things before they happen.”
B. Deterrent Controls
- Purpose: Discourage attackers from trying to breach security.
- Goal: Make it less likely someone will attempt an attack.
IT Examples:
- Security Warnings: “Unauthorized access will be logged and prosecuted” messages.
- Account Lockout Policies: Lock accounts after multiple failed login attempts, discouraging brute-force attacks.
- Audit Logs (announced/visible): If users know their actions are logged, they are less likely to do something malicious.
Exam Tip: Deterrent controls don’t stop attacks by themselves, but they discourage attempts.
C. Detective Controls
- Purpose: Identify and alert about security incidents after they occur.
- Goal: Detect breaches or anomalies quickly.
IT Examples:
- Intrusion Detection Systems (IDS): Detect suspicious network activity.
- Log Monitoring: Alerts when unusual login activity occurs.
- File Integrity Monitoring: Alerts when system files are changed.
- SIEM Systems: Collect and analyze security events for anomalies.
Exam Tip: Detective controls notice incidents, but don’t stop them.
D. Corrective Controls
- Purpose: Fix or recover after a security incident.
- Goal: Minimize damage and restore systems to normal.
IT Examples:
- Restoring from Backup: Recover files after ransomware or accidental deletion.
- Patch Management: Apply patches to fix vulnerabilities after they are discovered.
- Incident Response Playbooks: Steps to recover systems after a breach.
Exam Tip: Corrective = repair and recover, think of “fixing after something bad happens.”
E. Compensating Controls
- Purpose: Serve as alternative controls when the primary control cannot be used.
- Goal: Provide similar protection using a different method.
IT Examples:
- Using MFA instead of strong password only: If password policy is weak, Multi-Factor Authentication (MFA) adds protection.
- Network segmentation instead of firewall upgrades: If firewall resources are limited, segmentation can reduce risk.
Exam Tip: Compensating controls “fill the gap” when the ideal control isn’t available.
F. Directive Controls
- Purpose: Ensure users follow organizational policies and procedures.
- Goal: Guide people to act securely.
IT Examples:
- Security Policies: Rules about acceptable use of systems.
- Training Programs: Teach employees how to recognize phishing emails.
- Standard Operating Procedures (SOPs): How to handle sensitive data securely.
Exam Tip: Directive controls are policy and guidance-focused, aimed at human behavior.
3. Quick Summary Table
| Control Type | Purpose | IT Example |
|---|---|---|
| Preventive | Stop incidents before they happen | Firewall, ACLs, Antivirus |
| Deterrent | Discourage attacks | Security warnings, account lockout |
| Detective | Identify incidents | IDS, log monitoring, SIEM |
| Corrective | Fix/recover after incidents | Restore backups, patching, incident response |
| Compensating | Alternative when primary control fails | MFA, network segmentation |
| Directive | Guide user behavior | Security policies, training, SOPs |
4. Exam Tips
- Always connect control type → purpose → IT example.
- Remember the sequence for exam questions: Prevent → Detect → Correct.
- Understand differences clearly:
- Detective not preventive
- Deterrent discourages, does not block
- Compensating is an alternative, not a primary control
