Danni-Tech

Making the Complicated Simple

Security Controls - CompTIA Security+ SY0-701-1.1

Welcome to my CompTIA Security+ course. This is Danni-Tech, and this course aims to be a complete, 100% free course for Security+. Stay tuned until the end, as there will be a quiz to test your knowledge of the material in this video. Now let’s get started.

Let’s start by answering a two-part question: what are control categories, and what are control types?

To start, control categories refer to how controls are implemented.

The Control Categories are:


  1. Technical
  2. Managerial
  3. Operational
  4. Physical

Each of these categories offers unique examples. For instance, technical controls: what are they, and how do they work?

Technical controls use technology to reduce vulnerabilities. An administrator installs and/or configures this type of control, which then functions automatically. For example, encryption.

Per our definition, an administrator first configures it, after which it functions automatically. The same applies to all our other examples, such as:

  • Antivirus software
  • Intrusion detection systems (IDS)
  • Intrusion prevention systems (IPS)
  • Firewalls

Managerial controls are administrative measures that focus on the overarching strategies, policies, and procedures for managing and mitigating risks. They are documented in an organization’s security policies and serve to guide the implementation and evaluation of security practices.

An example of a managerial control would be a risk assessment: a risk assessment helps organizations identify vulnerabilities and prioritize risk mitigation efforts by aligning them with business objectives.

Another example would be implementing a formalized change management process, which ensures that system updates are carefully planned, tested, and documented to maintain security and operational integrity.

Next we have operational controls.

Operational controls are implemented and managed by people to ensure an organization’s day-to-day activities align with and support its security plan. They focus on processes, procedures, and activities that maintain protection.

For example, think about security training and awareness: this isn’t just about sitting through a boring presentation; it’s about regularly helping employees recognize threats, understand policies, and apply best practices to keep assets and data secure.

Then there are incident response procedures: these are the clear steps everyone needs to follow when something goes wrong. The idea is to minimize damage and get things back to normal as quickly as possible.

And finally, we have routine vulnerability scans: these are like regular check-ups for your systems, finding and fixing weaknesses before someone else does.

And the final control category:

Physical controls include any control that you could physically touch. Their overarching purpose is to prevent, protect, and deter.

Examples include:

  • Access control vestibules

An access control vestibule, or mantrap, is a small space with two doors. One door must close completely before the other can open, ensuring only authorized individuals gain access.

Other types of physical controls include:

  • Fences
  • Signs
  • Locks
  • Bollards: poles or posts (sometimes very large potted plants) placed at facility entrances to block unauthorized vehicle access.

Now let’s move on to Control Types, which refer to what the control is designed to do.


The Control Types are:

  1. Preventive
  2. Deterrent
  3. Detective
  4. Corrective
  5. Compensating
  6. Directive

What are some examples of each?

Let’s start with:

Preventive Controls: These controls are designed to prevent a security incident from occurring.

For example:

  • Hardening systems by using a defense-in-depth strategy
  • Implementing firewalls
  • Enforcing strong access controls
  • Using multi-factor authentication

Deterrent Controls: These are designed to deter or discourage a threat.

For example:

  • Security cameras
  • Warning signs
  • Visible security personnel
  • Motion-activated lighting
  • Fences topped with barbed wire

Detective Controls: These are used to detect when a vulnerability has been exploited, resulting in a security threat. A detective control, however, discovers an event only after it has occurred.

For example:

  • Monitoring logs in order to identify security events or anomalies that have already occurred, such as unauthorized access attempts or suspicious activity. 
  • Using an intrusion detection system (IDS), which detects malicious traffic after it enters the network.
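To make the log-monitoring example concrete, here is a small detective control in Python. It is an added example, not code from the Danni-Tech course: it reads constructed sshd-style auth-log lines and raises an alert when one source address produces a threshold number of failed logins inside a time window. The log format, the threshold of five failures and the 60-second window are illustrative assumptions; like any detective control, it only reports attempts after they have already happened.

```python
# Added example (not part of the Danni-Tech page): a minimal detective control
# that monitors constructed auth-log lines for repeated failed logins from a
# single source address. The sshd-style log format, the threshold and the time
# window are illustrative assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
2024-03-01T08:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-03-01T08:00:03 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
2024-03-01T08:00:04 host1 sshd[1201]: Accepted password for alice from 198.51.100.4 port 40111 ssh2
2024-03-01T08:00:05 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-03-01T08:00:06 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51125 ssh2
2024-03-01T08:00:09 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51126 ssh2
2024-03-01T08:10:00 host1 sshd[1201]: Failed password for bob from 198.51.100.4 port 40112 ssh2
2024-03-01T08:10:30 host1 sshd[1201]: Accepted password for bob from 198.51.100.4 port 40113 ssh2
2024-03-01T09:00:00 host1 sshd[1201]: Failed password for root from 203.0.113.7 port 51200 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line):
    """Return a dict for a recognised sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_failed_login_bursts(lines, threshold=5, window_seconds=60):
    """Sliding-window count of failed logins per source address.

    Raises one alert per source the first time `threshold` failures fall inside
    `window_seconds`; further failures within that window are suppressed so one
    burst does not generate an alert per attempt.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures
    quiet_until = {}              # src -> time until which alerts are suppressed
    alerts = []
    for raw in lines:
        event = parse_line(raw)
        if event is None or event["result"] != "Failed":
            continue
        src, ts = event["src"], event["ts"]
        window = recent[src]
        window.append((ts, event["user"]))
        # Evict failures that are older than the window.
        while window and (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ts > quiet_until.get(src, datetime.min):
            alerts.append({
                "src": src,
                "count": len(window),
                "first": window[0][0].isoformat(),
                "last": ts.isoformat(),
                "users": sorted({user for _, user in window}),
            })
            quiet_until[src] = ts + timedelta(seconds=window_seconds)
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {alert['count']} failed logins from {alert['src']} "
              f"between {alert['first']} and {alert['last']} "
              f"(users tried: {', '.join(alert['users'])})")
```

On the sample data the detector raises a single alert for 203.0.113.7 (five failures in eight seconds, against both `admin` and `root`) and stays silent for 198.51.100.4, whose one failed attempt is followed by a successful login. The suppression window is the part practitioners most often forget: without it, a brute-force run of thousands of attempts would produce thousands of alerts for one event.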

Next we have,

Corrective Controls: These are designed to respond to and fix security incidents or vulnerabilities after they have occurred. Their goal is to mitigate damage, restore systems to their normal state, and prevent the issue from recurring.

For example:

  • Restoring data from backups after a ransomware attack.
  • Applying patches to fix software vulnerabilities.
  • Reconfiguring security settings after a breach is detected.

Now let’s move on to:

Compensating Controls: These are alternative methods put in place when the primary security control isn’t feasible or available. They are designed to achieve the same level of protection as the original control.

For example:

  • If multi-factor authentication cannot be implemented, using strong passwords combined with strict monitoring can provide a comparable level of security. While it may not be as robust as the original control, it still helps achieve a similar level of protection.

And lastly:

Directive Controls: These are designed to guide or direct employee behavior and ensure compliance with security policies.

For example:

  • Security awareness training is employed to ensure that employees recognize phishing attacks and follow best practices.
  • Incident response procedures are there to provide step-by-step guidance during a breach.
  • Posting signs that say “Authorized Personnel Only” on restricted facility doors directs behavior.

How do Control Categories and Control Types work together to Secure an Environment?

Well, for example, let’s take a look at preventive controls.

  1. Preventive + Technical:

Imagine you’re configuring a wireless network, and you enable WPA3 encryption. This setup ensures that only devices with proper credentials can connect.

By stopping unauthorized devices before they access the network, this becomes a preventive control.

Since you’re using encryption, a technology, it is also a technical control: it secures the wireless network by requiring proper credentials for device connections. Now let’s take a look at:

  2. Preventive + Managerial:

Think about implementing a policy that requires all employees to take mandatory cybersecurity training before accessing sensitive systems. This policy is preventive because it prevents employees from making basic security errors, and it’s managerial in nature because it is enforced as part of the organization’s rules. Next up:

  3. Preventive + Operational:

Picture a receptionist stationed at the front desk who verifies IDs before allowing visitors to enter secure areas. This setup is preventive because it stops unauthorized individuals from entering the building, and it’s operational because it involves a person, someone who has to physically verify the ID.

And lastly:

  4. Preventive + Physical:

The example here would be installing electric locks on server room doors. Installing such locks ensures that only authorized personnel can access these critical areas. This setup is preventive because it stops physical intrusion, and physical because it uses physical locks to enforce access control. Now let’s move on to detective controls.

Beginning with:

  1. Detective + Technical:

An intrusion detection system (IDS) is a perfect example of a control that is both detective and technical:

It’s a detective control because it identifies and alerts on potential security incidents after they occur.

It’s also a technical control because it is implemented through technology (software or hardware) and relies on configured rules, signatures, or anomaly detection algorithms to monitor and analyze network activity. Next we have:

  2. Detective + Managerial:

When companies perform a monthly review of access logs to check for unusual patterns or unauthorized access, this is an example of a detective control: it identifies issues after they occur. It’s managerial because it involves policies for oversight. Next:

  3. Detective + Operational:

Picture a security guard conducting routine patrols and spotting a broken window in a restricted area. This is detective because it uncovers a breach after it occurs, and operational because it relies on human observation. Next we have:

  4. Detective + Physical:

In secure areas, such as a high-profile building, motion sensors are used to monitor activity and alert security personnel if unexpected movement is detected during off-hours. This is considered a detective control because it identifies suspicious activity after it occurs, and a physical control because it relies on physical devices to perform its function. Next, let’s take a look at deterrent controls.

Starting with:

  1. Deterrent + Technical:

While on the job, such as at a workplace computer, a system login splash screen warning users that all activities are monitored serves to discourage unauthorized access attempts. It is considered a deterrent control because it discourages unwanted actions, and a technical control because it relies on technology. Next:

  2. Deterrent + Managerial:

Posting a visible company policy stating that employees will face termination for accessing unauthorized files serves to discourage internal threats. This classifies it as a deterrent control. It is also managerial because it is based on organizational rules and procedures. Next:

  3. Deterrent + Operational:

Uniformed security guards patrolling an office building discourage potential intruders through their visible presence, classifying this as a deterrent control. It is considered operational because it involves human intervention. Now let’s look at:

  4. Deterrent + Physical:

A “No Trespassing” sign posted on a restricted area fence serves as a deterrent by discouraging unauthorized entry. It is classified as a physical control because it is a tangible measure.

Let’s move on to corrective controls.

  1. Corrective + Technical:

When a ransomware attack encrypts critical files, restoring the system from a secure backup corrects the issue. This is corrective because it resolves the problem, and technical because it uses technology to restore the data. Next:

  2. Corrective + Managerial:

Revising policies to require two-person authorization for certain actions after discovering a fraud attempt is a corrective measure. It’s managerial because it involves changing organizational rules. Next:

  3. Corrective + Operational:

After identifying a broken lock, a security team replaces it immediately to restore security. This is corrective because it addresses the issue, and operational because it involves human action. Next:

  4. Corrective + Physical:

Using a fire extinguisher to put out a small server room fire is a corrective control. It’s physical because it involves physical intervention to resolve the issue. Next up are compensating controls, starting with:

  1. Compensating + Technical:

When a critical patch is unavailable for a known vulnerability, configuring a firewall rule to block the affected ports compensates for the delay. This is compensating because it is a temporary alternative while the primary control (the patch) is unavailable, and technical because it uses technology. Next:

  2. Compensating + Managerial:

Creating a temporary policy that requires manual approval for all transactions over $10,000 while an automated fraud detection system is being implemented is a compensating control, and it’s managerial because it involves new policies. Next, let’s take a look at:

  3. Compensating + Operational:

Assigning additional security personnel to monitor critical areas after a security breach compensates for vulnerabilities while waiting for a permanent solution. This is operational because it involves human resources. Next:

  4. Compensating + Physical:

Installing temporary barriers to block access to a damaged perimeter fence is a compensating control because it provides an alternative measure to address the security weakness until permanent repairs are completed. It is also a physical control because it involves the use of tangible barriers to physically prevent unauthorized access. And finally, directive controls, starting with:

  1. Directive + Technical:

Configuring a system to automatically encrypt all files stored on a shared drive ensures sensitive data is protected. This is directive because it enforces security behaviors, and technical because it uses technology. Now let’s look at:

  2. Directive + Managerial:

Requiring employees to follow a specific incident reporting procedure ensures that breaches are properly documented. This is directive because it guides behavior, and managerial because it involves organizational policy. Next we have:

  3. Directive + Operational:

Holding mandatory training sessions for employees on how to detect phishing emails is a directive control. It’s operational because it involves human education and awareness. And finally:

  4. Directive + Physical:

Posting signs that say “Authorized Personnel Only” on secure facility doors directs individuals to avoid restricted areas. This is directive because it guides behavior, and it’s physical because it uses tangible signs.
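The pairings above are really a four-by-six grid: each control has one category (how it is implemented) and serves one or more types (what it is designed to do). The Python below is an added example, not code from the Danni-Tech course. It tags a constructed control inventory, built from the kinds of controls discussed on this page, with category and types, validates the tags against the SY0-701 terms, and reports which category/type cells have no control at all. It goes slightly beyond the page by letting one control serve several types, which the page's own examples already imply (signs both deter and direct; guard patrols both deter and detect).

```python
# Added example (not part of the Danni-Tech page): a control-inventory check that
# tags each control with its category (how it is implemented) and the type(s) it
# serves (what it is designed to do), then reports category/type combinations
# with no control behind them. The inventory is a constructed sample, not a real
# organization's.
from itertools import product

CATEGORIES = ("technical", "managerial", "operational", "physical")
TYPES = ("preventive", "deterrent", "detective", "corrective", "compensating", "directive")

# Constructed inventory: (control name, category, set of types it serves).
# One control may serve more than one type; signs, for instance, both deter and direct.
SAMPLE_INVENTORY = [
    ("WPA3 encryption on wireless network", "technical", {"preventive"}),
    ("Network intrusion detection system", "technical", {"detective"}),
    ("Login banner stating activity is monitored", "technical", {"deterrent"}),
    ("Firewall rule blocking ports of unpatched service", "technical", {"compensating"}),
    ("Mandatory security training policy", "managerial", {"preventive", "directive"}),
    ("Monthly access-log review", "managerial", {"detective"}),
    ("Receptionist verifies visitor IDs", "operational", {"preventive"}),
    ("Uniformed guard patrols", "operational", {"deterrent", "detective"}),
    ("Electric locks on server room doors", "physical", {"preventive"}),
    ("'Authorized Personnel Only' signs", "physical", {"deterrent", "directive"}),
    ("Fire extinguisher in server room", "physical", {"corrective"}),
]


def validate(inventory):
    """Reject entries whose category or type is not one of the SY0-701 terms."""
    for name, category, types in inventory:
        if category not in CATEGORIES:
            raise ValueError(f"{name}: unknown category {category!r}")
        unknown = set(types) - set(TYPES)
        if unknown:
            raise ValueError(f"{name}: unknown type(s) {sorted(unknown)}")
        if not types:
            raise ValueError(f"{name}: a control must serve at least one type")


def coverage_matrix(inventory):
    """Map every (category, type) cell to the names of the controls covering it."""
    validate(inventory)
    matrix = {cell: [] for cell in product(CATEGORIES, TYPES)}
    for name, category, types in inventory:
        for control_type in types:
            matrix[(category, control_type)].append(name)
    return matrix


def coverage_gaps(inventory):
    """Cells with no control at all, in a stable order for reporting."""
    matrix = coverage_matrix(inventory)
    return [cell for cell in product(CATEGORIES, TYPES) if not matrix[cell]]


def controls_by_type(inventory, control_type):
    """Every control serving one type, across all four categories."""
    return sorted(name for name, _, types in inventory if control_type in types)


def print_report(inventory):
    """Print the grid of control counts per cell followed by the list of gaps."""
    matrix = coverage_matrix(inventory)
    header = "".join(f"{t[:6]:>8}" for t in TYPES)
    print(f"{'':<12}{header}")
    for category in CATEGORIES:
        row = "".join(f"{len(matrix[(category, t)]):>8}" for t in TYPES)
        print(f"{category:<12}{row}")
    print("gaps:", ", ".join(f"{c}/{t}" for c, t in coverage_gaps(inventory)))


if __name__ == "__main__":
    print_report(SAMPLE_INVENTORY)
```

Run as a script it prints the grid and then the ten uncovered cells in the sample (for example there is no technical corrective control, because no backup and restore capability was inventoried). An empty cell is not automatically a problem, but it is exactly the question a gap analysis should raise: is the missing combination unnecessary here, or has a control simply not been recorded?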