This chapter covers security controls, a foundational topic for the CompTIA Security+ SY0-701 exam under Domain 1.0: General Security Concepts, Objective 1.1. Security controls are the mechanisms—technical, administrative, and physical—that organizations implement to protect confidentiality, integrity, and availability (CIA). Mastering this objective is critical because it underpins every other security domain. You will learn to categorize controls by type (preventive, detective, corrective, deterrent, compensating, directive) and by implementation (technical, managerial, operational, physical). This chapter provides the depth needed to answer scenario-based questions that ask you to select the most appropriate control for a given risk.
Jump to a section
Imagine a medieval castle as a secure network. The castle walls are the perimeter firewall—tall, thick, and designed to keep out invaders. The moat is a demilitarized zone (DMZ): a barrier that slows down attackers and provides a first line of defense. Guards at the gate are like an intrusion prevention system (IPS)—they inspect everyone entering and can deny access if they detect a threat. Inside, the castle has multiple layers: the keep (internal network) holds the king’s treasure (sensitive data), and only trusted knights (authorized users) with a password (authentication) can enter. However, a spy might slip in wearing a knight’s armor (credential theft). To counter this, the castle uses a watchtower (security information and event management, or SIEM) to monitor all activity, and a dungeon (quarantine) for suspicious persons. The castle also has a backup escape tunnel (disaster recovery) in case of siege. Each control works together: preventive (walls), detective (watchtower), corrective (dungeon), and deterrent (moat). This mirrors how security controls in IT—firewalls, IDS/IPS, authentication, SIEM, and backups—create defense in depth.
What Are Security Controls?
Security controls are safeguards or countermeasures designed to protect the confidentiality, integrity, and availability of information systems. The SY0-701 exam expects you to understand two primary classification schemes: (1) by function (preventive, detective, corrective, deterrent, compensating, directive) and (2) by implementation type (technical, managerial, operational, physical). These categories are not mutually exclusive; a single control can serve multiple purposes.
Functional Categories
Preventive controls aim to stop threats before they occur. Examples include firewalls (which block unauthorized traffic), encryption (which prevents data exposure), and access control lists (ACLs) that restrict file permissions. A firewall, for instance, examines packets based on rules and drops those that match malicious signatures. Preventive controls are the first line of defense.
Detective controls identify threats that have already breached preventive measures. Intrusion detection systems (IDS) analyze network traffic for anomalies and generate alerts. Log monitoring and security information and event management (SIEM) tools aggregate logs to detect patterns like brute-force attacks. Detective controls do not stop attacks; they enable response.
Corrective controls remediate damage after an incident. Antivirus software that removes malware, restoring a server from backup, or patching a vulnerability are corrective. They restore systems to normal operation and prevent recurrence.
Deterrent controls discourage attackers by increasing perceived risk. Warning banners, guards, and visible security cameras are deterrents. They rely on psychology: an attacker may choose an easier target.
Compensating controls provide alternative protection when a primary control is infeasible. For example, if multifactor authentication (MFA) cannot be deployed on a legacy system, compensating controls might include strict IP whitelisting and enhanced logging.
Directive controls are policies or procedures that guide behavior. Acceptable use policies (AUP), security awareness training, and compliance standards like GDPR are directive. They tell users what to do but rely on other controls for enforcement.
Implementation Categories
Technical controls use hardware or software to enforce security. Firewalls, encryption, antivirus, and biometric scanners are technical. They operate automatically based on configuration.
Managerial controls are administrative mechanisms like risk assessments, security policies, and due diligence. They define the security program’s direction.
Operational controls are day-to-day procedures performed by people. Examples include user account reviews, backup verification, and incident response drills.
Physical controls protect tangible assets. Locks, fences, guards, and biometric door locks are physical. They prevent unauthorized physical access.
How Controls Work Mechanically
Consider a firewall as a preventive/technical control. It operates at the network layer (OSI Layer 3/4) or application layer (Layer 7). A stateful firewall tracks connection states—it remembers whether a packet is part of an established session. For example, a rule might allow inbound HTTP traffic (TCP port 80) only if it matches an existing outbound request. The firewall inspects packet headers, checks state table entries, and applies rules in order. If a packet matches a deny rule, it is dropped. Logs record the event.
An IDS (detective/technical) works by signature-based detection (matching known attack patterns like a specific byte sequence) or anomaly-based detection (comparing traffic to a baseline). When a match occurs, the IDS generates an alert and logs packet details. Unlike an IPS, it does not block traffic.
Encryption (preventive/technical) transforms plaintext into ciphertext using an algorithm (e.g., AES-256) and a key. For data at rest, full disk encryption (e.g., BitLocker) encrypts entire volumes. For data in transit, TLS (RFC 8446) uses asymmetric key exchange (e.g., RSA or ECDHE) to establish a symmetric session key. Without the correct key, data is unreadable.
Key Standards and Protocols
The SY0-701 exam expects familiarity with: - 802.1X (port-based network access control) – a technical preventive control that authenticates devices before granting network access. - RADIUS/TACACS+ – authentication protocols used for centralized AAA (authentication, authorization, accounting). - IPsec (RFC 4301) – a suite of protocols for securing IP communications, used in VPNs. - TLS 1.3 (RFC 8446) – the current standard for secure web communications. - NIST SP 800-53 – a catalog of security controls for federal systems. - ISO 27001 – an international standard for information security management.
How Attackers Exploit Controls
Attackers target control weaknesses. For example, a misconfigured firewall rule might allow inbound traffic on port 3389 (RDP). An attacker can then perform a brute-force attack to guess credentials. If MFA (a preventive control) is not enforced, the attacker gains remote access. Detective controls like IDS might alert on multiple failed logins, but if logging is not monitored (an operational control failure), the attack goes unnoticed.
Another common exploit is social engineering, which bypasses technical controls by targeting humans. A phishing email (directed at an individual) can trick a user into installing malware, defeating antivirus (preventive) if the malware is zero-day. Corrective controls like endpoint detection and response (EDR) might later remove the malware, but data may already be exfiltrated.
Real Command/Tool Examples
- iptables (Linux firewall):
iptables -A INPUT -p tcp --dport 22 -j DROPThis adds a rule to drop incoming SSH traffic (preventive). - Snort (IDS):
snort -c snort.conf -i eth0Snort reads rules from snort.conf and alerts on matching traffic. - openssl (encryption):
openssl enc -aes-256-cbc -salt -in file.txt -out file.encEncrypts a file using AES-256-CBC (preventive). - Nmap (used by attackers to probe controls):
nmap -sS -p 1-65535 target_ipA SYN scan to discover open ports, revealing which preventive controls are in place.
Defense in Depth
No single control is sufficient. Defense in depth layers multiple controls so that if one fails, another compensates. For example, a web server might have: 1. A network firewall (preventive) blocking non-web traffic. 2. A web application firewall (WAF) (preventive) filtering SQL injection. 3. An IDS (detective) monitoring for attacks. 4. Hardened server configuration (preventive) disabling unnecessary services. 5. Regular patching (corrective) fixing known vulnerabilities. 6. Log monitoring (detective) and incident response (corrective).
This layered approach is central to the SY0-701 exam.
Identify Assets and Risks
Begin by identifying what needs protection: data, systems, and users. Conduct a risk assessment to determine threats (e.g., malware, unauthorized access) and vulnerabilities (e.g., unpatched software). For SY0-701, this step aligns with risk management (Domain 5). Example: An e-commerce company identifies customer payment data as high-risk. The threat is data theft via SQL injection. The vulnerability is a lack of input validation. This step sets the stage for selecting appropriate controls.
Select Preventive Controls
Based on risks, deploy preventive controls to block threats. For SQL injection, a web application firewall (WAF) can inspect input and reject malicious patterns. Also, implement parameterized queries in code (a directive control). For network access, use a firewall to allow only HTTP/HTTPS traffic. For physical security, install locks and access cards. Preventive controls are the first layer. Logs from these controls (e.g., firewall deny logs) provide early indicators.
Implement Detective Controls
Deploy detective controls to identify attacks that bypass prevention. An IDS (e.g., Snort) monitors for SQL injection signatures. Logs from web servers and databases are aggregated in a SIEM (e.g., Splunk). Set alerts for anomalies like multiple failed logins or unusual data queries. Detective controls generate alerts but require human analysis. A common mistake is not tuning signatures, leading to false positives that desensitize analysts.
Establish Corrective Controls
Prepare corrective controls to respond to incidents. This includes backup restoration, system reimaging, and patch deployment. For SQL injection, corrective actions might involve restoring the database from a clean backup and applying a vendor patch. An incident response plan (managerial control) guides the process. Test backups regularly to ensure they work (operational control). Without corrective controls, an attack can cause prolonged downtime.
Add Deterrent and Compensating Controls
Deterrent controls discourage attackers. Place warning banners on login pages (e.g., "Unauthorized access is prohibited"). Use visible security cameras. Compensating controls are needed when primary controls can't be implemented. For example, if a legacy system cannot be patched, isolate it with network segmentation (compensating). These controls fill gaps and are often tested on the exam as alternative solutions.
Monitor, Audit, and Improve
Continuous monitoring ensures controls remain effective. Review logs, conduct vulnerability scans, and perform penetration tests. Audit compliance with policies (e.g., check that encryption is used). Update controls based on new threats. For example, if a zero-day exploit targets a software version, deploy a virtual patch (compensating) until a vendor fix is available. This step closes the loop, making security a continuous process.
Scenario 1: Ransomware Attack at a Hospital
A hospital's network is hit by ransomware that encrypts patient records. The attacker gained access via a phishing email. The SOC analyst sees alerts from the email gateway (preventive) that flagged the phishing URL, but the user clicked anyway. The analyst then checks the EDR (detective) which shows the ransomware executing on the workstation. The correct response: isolate the workstation (corrective), restore from backup (corrective), and update the email filter rule (preventive). A common mistake: the analyst tries to remove the ransomware without isolating, allowing it to spread. Tools: EDR (e.g., CrowdStrike), backup software (e.g., Veeam), SIEM (e.g., Splunk).
Scenario 2: Insider Threat at a Financial Firm
An employee downloads sensitive customer data onto a USB drive. The DLP (data loss prevention) system (detective) alerts on the data transfer. The SIEM shows the user's activity is outside normal hours. The engineer reviews the DLP policy—it was set to log only, not block (preventive failure). The correct response: block the USB port (preventive), revoke access (corrective), and update the DLP policy to block (corrective). A common mistake: the engineer assumes the DLP is working correctly without testing. Tools: DLP (e.g., Symantec DLP), SIEM, endpoint management.
Scenario 3: Web Application Attack on an E-commerce Site
An attacker attempts SQL injection on a login page. The WAF (preventive) blocks the request and logs it. The SOC analyst sees the alert in the SIEM but ignores it as a false positive because the site works. However, the attacker switches to a different injection technique that bypasses the WAF. The correct response: analyze the WAF logs to identify the bypass pattern, update WAF rules (corrective), and conduct a code review (managerial). A common mistake: relying solely on the WAF without monitoring its effectiveness. Tools: WAF (e.g., ModSecurity), SIEM, vulnerability scanner.
What SY0-701 Tests on This Objective
Objective 1.1 requires you to categorize security controls by type and implementation. The exam presents scenario-based questions where you must select the most appropriate control. For example: "A company wants to prevent unauthorized access to its server room. Which control should they implement?" Answer: physical control (e.g., biometric lock). You must distinguish between preventive, detective, corrective, deterrent, compensating, and directive. Also, know the implementation categories: technical, managerial, operational, physical.
Common Wrong Answers and Why
Choosing "detective" when "preventive" is needed: Candidates confuse detection with prevention. If the question asks to block an attack, the answer is preventive, not detective. Example: "Which control would stop a DoS attack?" Preventive (firewall rate limiting) not detective (IDS).
Selecting "corrective" for a proactive measure: Corrective controls are reactive. If the scenario describes something done before an incident (like a policy), it's likely directive or preventive.
Mixing up "compensating" and "corrective": Compensating controls are alternatives when primary controls cannot be used; corrective controls fix damage after an incident. A compensating control for missing MFA might be IP whitelisting; a corrective control after a breach is password reset.
Overlooking "deterrent": Deterrent controls are psychological. A warning banner is deterrent, not preventive, because it doesn't physically stop an attacker; it discourages them.
Specific Terms and Values
802.1X: Port-based NAC, uses EAP (Extensible Authentication Protocol).
RADIUS: Uses UDP ports 1812 (authentication) and 1813 (accounting).
TACACS+: Uses TCP port 49, encrypts entire packet.
AES: Symmetric encryption with key sizes 128, 192, 256 bits.
TLS 1.3: Handshake uses 1-RTT, supports forward secrecy.
NIST SP 800-53: Control families like AC (Access Control), AU (Audit and Accountability).
Trick Questions
"Which control is both preventive and detective?" Some controls have dual roles. Example: A firewall logs traffic (detective) while blocking (preventive). However, the exam usually expects a single category. Read carefully: if the question says "primarily," choose the main function.
"What type of control is a security guard?" It can be physical (presence) and deterrent (visible). The exam may list both; pick the most direct. If the guard checks badges, it's preventive. If the guard just stands there, it's deterrent.
"Which control is an example of a compensating control?" Look for scenarios where a primary control is not possible. Example: "Due to budget constraints, the company cannot afford a biometric system. Instead, they implement a two-person rule for server access." That's compensating.
Decision Rule for Eliminating Wrong Answers
Read the scenario and identify the primary goal: prevent, detect, correct, deter, compensate, or direct. Then match the control's function. If the goal is to stop something, eliminate detective and corrective. If the goal is to fix something after the fact, eliminate preventive and deterrent. If the goal is to provide an alternative because the primary control is unavailable, choose compensating. For implementation type, ask: Is it a technology (technical), a policy (managerial), a human action (operational), or a physical barrier (physical)? This two-step elimination works for most questions.
Security controls are categorized by function: preventive, detective, corrective, deterrent, compensating, directive.
Implementation types: technical, managerial, operational, physical.
A firewall is primarily preventive but also detective due to logging.
Compensating controls are alternatives when primary controls are not feasible.
Deterrent controls discourage attacks by increasing perceived risk.
Defense in depth uses multiple layers of different control types.
NIST SP 800-53 provides a comprehensive catalog of security controls.
TLS 1.3 (RFC 8446) is the current standard for secure web communications.
802.1X is a port-based network access control (NAC) standard.
RADIUS uses UDP ports 1812/1813; TACACS+ uses TCP port 49.
These come up on the exam all the time. Here's how to tell them apart.
Preventive Control
Blocks threats before they occur
Examples: firewall, encryption, access control
Reduces attack surface
Operates in real-time to deny access
Does not generate alerts for successful attacks
Detective Control
Identifies threats after they occur
Examples: IDS, SIEM, log monitoring
Provides visibility into incidents
Operates by analyzing data and generating alerts
Does not block attacks
Corrective Control
Remediates damage after an incident
Examples: backup restoration, patching
Restores normal operations
Reactive by nature
Often involves incident response
Compensating Control
Provides alternative protection when primary control is infeasible
Examples: IP whitelisting instead of MFA
Does not fix root cause
Proactive alternative
Used temporarily or permanently
Technical Control
Implemented via hardware/software
Examples: firewall, encryption, antivirus
Operates automatically
Protects data and systems logically
Can be remote or local
Physical Control
Implemented via physical barriers
Examples: locks, fences, guards
Requires human operation or presence
Protects physical assets
Local to the facility
Mistake
A firewall is only a preventive control.
Correct
Firewalls also provide detective capabilities by logging traffic and generating alerts on blocked or suspicious packets. They are primarily preventive but can serve a detective role.
Mistake
Compensating controls are the same as corrective controls.
Correct
Compensating controls are alternatives when primary controls cannot be implemented; corrective controls fix damage after an incident. For example, if MFA is not possible, IP whitelisting is compensating; restoring from backup after ransomware is corrective.
Mistake
Deterrent controls are useless because attackers ignore them.
Correct
Deterrent controls reduce the likelihood of attack by increasing perceived risk. Warning banners have been shown to reduce casual intrusion attempts. They are a valuable layer in defense in depth.
Mistake
Physical controls are only about locks and fences.
Correct
Physical controls also include environmental controls (e.g., fire suppression, HVAC) and biometric systems. The SY0-701 exam includes all types of physical security measures.
Mistake
Managerial controls are optional and less important.
Correct
Managerial controls (policies, risk assessments) are foundational. Without them, technical and operational controls lack direction. The exam emphasizes that policies drive security.
A preventive control physically or logically blocks an attack, such as a firewall that drops malicious packets. A deterrent control discourages an attack by increasing the perceived risk, such as a warning banner that says 'Unauthorized access is prohibited.' The key difference: preventive controls stop the action; deterrent controls influence the attacker's decision. On the exam, if the scenario mentions a sign or warning, it's likely deterrent. If it mentions a rule or device that blocks, it's preventive.
Yes, depending on how it is implemented. For example, a firewall is a technical control, but the process of configuring and maintaining it is operational. The SY0-701 exam expects you to categorize based on the primary nature. If the question asks for the 'type' of control, choose the implementation category that best fits the mechanism. A firewall is typically technical. However, if the scenario describes the human task of reviewing firewall logs, it might be operational.
A common example: if multifactor authentication (MFA) cannot be deployed on a legacy system, the organization might implement strict IP whitelisting (only allowing access from specific IP addresses) and enhanced logging. This compensating control reduces risk but does not provide the same level of security as MFA. Another example: if a company cannot afford a biometric door lock, they might install a security camera and a guard. Compensating controls are tested frequently on the exam, so look for scenarios where a primary control is not possible.
The exam presents scenario-based multiple-choice questions. You will be given a situation (e.g., 'A company wants to detect unauthorized access attempts on their network') and asked to select the most appropriate control type (e.g., detective) or a specific control (e.g., IDS). Sometimes the question asks for the implementation category (technical, managerial, operational, physical). You must also know which controls are used for specific threats. Practice by reading the scenario and identifying the goal (prevent, detect, etc.) first.
Defense in depth is a strategy that layers multiple security controls so that if one fails, another compensates. For example, a web application might have a network firewall, a WAF, an IDS, strong authentication, and regular patching. The SY0-701 exam emphasizes that no single control is sufficient. You should be able to identify which controls are missing in a given scenario and recommend additional layers.
Directive controls are policies, procedures, or guidelines that direct behavior. They do not enforce security but set expectations. Examples include acceptable use policies (AUP), security awareness training, and compliance requirements. They are often managerial controls. On the exam, if a scenario describes a rule or policy that tells people what to do, it is directive. For enforcement, you need other controls (e.g., technical).
Use the mnemonic 'PDCCCD' (Preventive, Detective, Corrective, Compensating, Deterrent, Directive) or think of the phrase 'Police Dogs Catch Criminals, Dogs Detect.' Another trick: associate each with a question: Preventive = 'Stop it?', Detective = 'See it?', Corrective = 'Fix it?', Compensating = 'Alternative?', Deterrent = 'Scare it?', Directive = 'Tell it?' Practice with flashcards to reinforce.
You've just covered Security Controls — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?