Security+ Controls

If you’re planning on taking the Security+ exam, you can expect to see some questions on security controls. The Security+ objectives specifically identify three control types (technical, management, and operational), and they also expect you to classify controls by function (preventative, detective, and corrective). Both classifications are covered below.
Security+ Controls Practice Test Questions

Of the following choices, what type of control is least privilege?

Which of the following is a preventative control that can prevent outages due to ad-hoc configuration errors?
A. Security audit
B. Least privilege
C. Change management plan
D. A periodic review of user rights

Answers are at the end of this post.
Security+ Control Objectives

Controls are mentioned in the following Security+ objectives:
2.1 Explain risk related concepts
- Control types
- Implement security controls based on risk
- Detection controls vs. prevention controls
- IDS vs. IPS
- Camera vs. guard
Technical Controls

A technical control is one that uses technology to reduce vulnerabilities. An administrator installs and configures a technical control, and the control then provides the protection automatically. The following list provides a few examples of technical controls:
- Least Privilege. The principle of least privilege is an example of a technical control. It specifies that individuals or processes are granted only the rights and permissions needed to perform their assigned tasks or functions, but no more.
- Antivirus software. Once installed, the antivirus software provides protection against infection.
- Intrusion detection systems (IDSs). An IDS monitors a network or host for intrusions and alerts when it detects one. An active IDS (covered under corrective controls below) can also respond to an attack it detects.
- Firewalls. Firewalls restrict network traffic going in and out of a network.
Management Controls

Management controls are primarily administrative in function. They use planning and assessment methods to provide an ongoing review of the organization’s ability to reduce and manage risk. Some management controls are:
- Risk assessments. These help quantify and qualify risks within an organization so that it can focus on the serious risks. For example, a quantitative risk assessment uses cost and asset values to quantify risks based on monetary values. A qualitative risk assessment uses judgments to categorize risks based on probability and impact.
- Vulnerability assessments. A vulnerability assessment attempts to discover current vulnerabilities. When necessary, additional controls are implemented to reduce the risk from these vulnerabilities.
Operational Controls

Operational controls help ensure that the day-to-day operations of an organization comply with its overall security plan. Operational controls include the following families:
- Awareness and training. The importance of training to reduce risks cannot be overstated. Training helps users maintain password security, follow a clean desk policy, understand threats such as phishing and malware, and much more.
- Configuration management. Configuration management often uses baselines to ensure that systems start in a secure, hardened state. Change management helps ensure that changes don’t result in unintended configuration errors.
- Contingency planning. Chapter 9 presents several different methods that help an organization plan and prepare for potential system outages. The goal is to reduce the overall impact on the organization if an outage occurs.
- Media protection. Media includes physical media such as USB flash drives, external and internal drives, and backup tapes.
- Physical and environmental protection. This includes physical controls such as cameras, door locks, and environmental controls such as heating and ventilation systems.
Controls Based on Functions

Many controls are identified based on their function as opposed to the type of control. The three primary functions of controls are preventative, detective, and corrective.

Preventative Controls

Preventative controls attempt to prevent an incident from occurring. The goal is to take steps to keep the risk from being realized. Some examples include:
- Security guards. Guards act as a deterrent and provide a preventative security control. For example, an attacker may attempt social engineering to fool a receptionist, but is less likely to attempt these techniques, or succeed, when guards protect an access control point.
- Change management. Change management (introduced as an operational control) ensures that changes don’t result in ad-hoc (or as-needed) configuration errors. In other words, instead of administrators making changes on the fly, they submit the change to a change management process.
- Account disablement policy. Most organizations ensure that user accounts are disabled when an employee is terminated. This ensures that these accounts are not used by the ex-employee or by anyone else.
- System hardening. Various methods ensure that a system is more secure from its default configuration. This includes removing and disabling unneeded services and protocols, keeping the system up to date, and enabling firewalls.
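The configuration management and change management controls described above (baselines under operational controls, and change management as a preventative control) can be shown in code. The following is an added example, not code from the original page or the study guide: a change is applied only when it matches an approved change request whose window covers the current time (preventative), and a hardened baseline is compared against the host afterwards to detect any drift that got in anyway (detective). The hostnames, settings, change IDs and times are constructed for illustration.

```python
"""Change management (preventative) plus a configuration baseline (detective).

Constructed example: the baseline, hosts, change records and times are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ChangeRequest:
    change_id: str
    host: str
    setting: str
    new_value: str
    approved: bool
    window_start: datetime
    window_end: datetime


class ChangeRejected(Exception):
    """Raised when a change has no approved change request behind it."""


def apply_change(config, host, setting, new_value, approved_changes, now):
    """Apply a setting only if an approved request matches host, setting and
    value, and 'now' falls inside its change window. Anything else is an
    ad-hoc change and is refused, which is the point of change management."""
    for cr in approved_changes:
        if (cr.approved and cr.host == host and cr.setting == setting
                and cr.new_value == new_value
                and cr.window_start <= now <= cr.window_end):
            config[setting] = new_value
            return cr.change_id
    raise ChangeRejected(f"{host}: {setting}={new_value!r} has no approved change request")


def detect_drift(baseline, current):
    """Return {setting: (expected, actual)} for every setting that differs from
    the hardened baseline. Settings present on the host but missing from the
    baseline are reported with expected=None, since they were never approved."""
    drift = {}
    for setting, expected in baseline.items():
        actual = current.get(setting)
        if actual != expected:
            drift[setting] = (expected, actual)
    for setting in current.keys() - baseline.keys():
        drift[setting] = (None, current[setting])
    return drift


# Constructed hardened baseline for a web server role
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "firewall": "enabled",
    "telnet": "disabled",
}

# Constructed change record: one approved change with a two-hour window
APPROVED_CHANGES = [
    ChangeRequest("CHG-1042", "web01", "PasswordAuthentication", "no", True,
                  datetime(2024, 5, 1, 22, 0, tzinfo=timezone.utc),
                  datetime(2024, 5, 1, 23, 59, tzinfo=timezone.utc)),
]


def run_demo():
    """Walk through an approved change, a refused ad-hoc change, and drift detection."""
    now = datetime(2024, 5, 1, 22, 30, tzinfo=timezone.utc)
    # Host starts out of compliance on one setting (constructed state)
    web01 = {"PermitRootLogin": "no", "PasswordAuthentication": "yes",
             "firewall": "enabled", "telnet": "disabled"}
    # 1. The approved change goes through
    applied = apply_change(web01, "web01", "PasswordAuthentication", "no", APPROVED_CHANGES, now)
    # 2. An on-the-fly change with no ticket is refused and leaves the host untouched
    try:
        apply_change(web01, "web01", "PermitRootLogin", "yes", APPROVED_CHANGES, now)
        rejected = False
    except ChangeRejected:
        rejected = True
    # 3. Someone edits the host by hand anyway; the baseline comparison catches it
    web01["telnet"] = "enabled"
    web01["ntp_server"] = "pool.example.net"
    drift = detect_drift(BASELINE, web01)
    return applied, rejected, drift


if __name__ == "__main__":
    applied, rejected, drift = run_demo()
    print("applied:", applied, "ad-hoc rejected:", rejected)
    for setting, (expected, actual) in sorted(drift.items()):
        print(f"DRIFT {setting}: expected {expected!r}, found {actual!r}")
```

In practice the baseline would come from a hardening standard and the change records from the ticketing system; the structure stays the same, with a default of refusing any change that has no approval behind it.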
Detective Controls

Detective controls are designed to detect when a vulnerability has been exploited. A detective control can’t predict when an incident will occur, and it can’t prevent it. However, it can discover the event after it has occurred. Some examples of detective controls are:
- Security audit. Security audits can examine the security posture of an organization. For example, a password audit can determine if the password policy is ensuring the use of strong passwords. Similarly, a periodic review of user rights can detect if users have more permissions than they should.
- Video surveillance. A closed circuit television (CCTV) system can record activity and detect what occurred. It’s worth noting that video surveillance can also be used as a preventative control since it can act as a deterrent.
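The periodic review of user rights described above is a detective control, and the yardstick it measures against is the least-privilege baseline from the technical controls section: the rights each role needs, and no more. The following is an added example, not code from the original page or the study guide. It compares each account's granted rights against its role's approved set and reports excess rights, reports enabled accounts that belong to terminated employees (the account disablement policy was not applied), and flags accounts whose role is not defined in the baseline. The roles, usernames and rights are constructed for illustration.

```python
"""Periodic review of user rights (detective) against a least-privilege baseline.

Constructed example: roles, accounts, rights and names are made up.
"""
from dataclasses import dataclass

# Least-privilege baseline: the rights each role needs to do its job, and no more
ROLE_RIGHTS = {
    "helpdesk": {"reset_password", "unlock_account"},
    "dba": {"db_read", "db_write", "db_backup"},
    "developer": {"repo_read", "repo_write", "ci_trigger"},
}


@dataclass
class Account:
    username: str
    role: str
    rights: set
    enabled: bool


def review_user_rights(accounts, role_rights, terminated):
    """Return a list of findings as (username, kind, detail) tuples.

    kinds: account_not_disabled (terminated employee, account still enabled),
           unknown_role (no baseline to compare against, so it cannot be
           declared compliant), excess_rights (rights beyond the role's set).
    """
    findings = []
    for acct in accounts:
        if acct.username in terminated and acct.enabled:
            findings.append((acct.username, "account_not_disabled",
                             "employee terminated but account still enabled"))
        allowed = role_rights.get(acct.role)
        if allowed is None:
            findings.append((acct.username, "unknown_role", acct.role))
            continue
        excess = acct.rights - allowed
        if excess:
            findings.append((acct.username, "excess_rights", sorted(excess)))
    return findings


def run_review():
    """Run the review over a constructed set of accounts."""
    accounts = [
        Account("jsmith", "helpdesk", {"reset_password", "unlock_account"}, True),
        # Picked up a DBA right during a project and never lost it
        Account("mlee", "helpdesk", {"reset_password", "unlock_account", "db_write"}, True),
        Account("rgarcia", "dba", {"db_read", "db_write", "db_backup"}, True),
        # Left the company, account still enabled
        Account("tnguyen", "developer", {"repo_read", "repo_write", "ci_trigger"}, True),
        # Role that no longer exists in the baseline
        Account("svc_legacy", "contractor", {"repo_read"}, True),
    ]
    terminated = {"tnguyen"}
    return review_user_rights(accounts, ROLE_RIGHTS, terminated)


if __name__ == "__main__":
    for username, kind, detail in run_review():
        print(f"{username}: {kind} -> {detail}")
```

Rights that accumulate over time ("permission creep") are exactly what this review is meant to catch; the detective control does not remove the rights, it surfaces them so that the excess can be revoked.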
Corrective Controls

Corrective controls attempt to reverse the impact of an incident or problem after it has occurred. Some examples of corrective controls are:
- Active IDS. Active intrusion detection systems (IDSs) attempt to detect attacks and then modify the environment to block the attack from continuing.
- Backups and system recovery. When data is lost, a backup ensures that the data can be recovered. Similarly, when a system fails, system recovery procedures ensure it can be recovered. Chapter 9 covers backups and disaster recovery plans in more depth.
Security+ Controls Practice Test Question Answers

Of the following choices, what type of control is least privilege?

B is correct. The principle of least privilege is a technical control and ensures that users have only the rights and permissions needed to perform the job, and no more. A corrective control attempts to reverse the effects of a problem. A detective control (such as a security audit) detects when a vulnerability has been exploited. A preventative control attempts to prevent an incident from occurring.
Which of the following is a preventative control that can prevent outages due to ad-hoc configuration errors?
A. Security audit
B. Least privilege
C. Change management plan
D. A periodic review of user rights
C is correct. A change management plan is a preventative control: instead of administrators making changes on the fly, changes are submitted to a change management process, which prevents the ad-hoc configuration errors that cause outages. A security audit and a periodic review of user rights are detective controls; they can discover weak passwords or excess permissions after the fact, but they do not prevent configuration errors. Least privilege is a technical control that limits rights and permissions; it does not govern configuration changes.