This type of control is designed to stop a security problem before it happens.
Preventative control
Firewalls, antivirus software, encryption, and access control lists belong to this category.
Technical controls
This security principle means users should only have the access they need to do their job.
Principle of least privilege
A company requires employees to use MFA before logging into email
Preventative technical control
This type of control helps identify that a security issue has happened or is happening.
Detective control
Locks, fences, cameras, guards, and badge readers belong to this category.
Physical controls
Proving you are who you say you are
Authentication
A security camera records someone entering a restricted room
Detective deterrent physical control
This type of control helps fix or restore systems after an incident.
Corrective control
Policies, procedures, background checks, and security training belong to this category.
Administrative controls
Requiring a password and a phone verification code is an example of this.
MFA
Attackers steal customer emails, addresses, and purchase history from an online store. Why is this still serious even if no credit cards were stolen?
The data can be used for phishing, scams, or identity theft attempts.
Loss of reputation.
Warning signs, visible cameras, and login banners are examples of this type of control because they discourage bad behavior.
Deterrent control
Day-to-day security actions for an organization like monitoring logs, reviewing alerts, and following incident response steps belong to this category.
Operational controls
Having a layered security approach
Principle of defense
A ransomware attack prevents employees from accessing their work computers. What is the main impact?
Operational disruption.
Potential financial loss.
This type of control is used as a backup or alternative when the preferred control cannot be used.
Compensative control
A school rule requiring students to use strong passwords is this category of control.
Administrative control
Following an authorized person into a secured area
Tailgating
Name two corrective controls, two ways to exploit them, and two ways to mitigate against the exploits.
Backups and patches.
Delete / Corrupt the backups and supply chain attacks (hijack patches)
Creating immutable and multiple backups / Regularly test backups. Verify and test software updates prior to distributing them across entire systems.