Now, our next consideration when we're talking about being in operations is making sure that we have the appropriate controls in place to protect our system resources, and our applications, and any other resources that we have.
So there are seven basic types of access control. And yeah, I actually do think these could be testable. They might say, "Which of the following lists the seven access control types?" and you'll see different types of controls thrown in that aren't on this list. But I would memorize this list for the test.
So we have preventive, detective, corrective, deterrent, recovery, compensation controls, and directive controls. Those were the seven.
And when we look at these, some of these controls are proactive.
For instance, preventive controls and deterrent controls, those are all about preventing or stopping the attack before it ever happens. The big difference between preventive and deterrent:
deterrent is more of a psychological factor.
A deterrent control is more something that makes you think,
"Hey, I might get caught,"
whereas a preventive control will temporarily stop me. It doesn't mean I'm forever stopped, because I can bypass most controls eventually. But what it does mean is, at least for a moment, I'm stopped.
So, an example of a preventive control is a fence. I can't immediately just float through a fence.
A deterrent control says "Beware of dog."
Hey, that doesn't stop me for even a second. I walked right past it. Now it might make me think, "Hey, I don't want to get bitten by a dog. Maybe I shouldn't do this." But there's nothing about that sign saying "Beware of dog" that would physically require me to stop. So my first two control types, preventive and deterrent, are proactive controls.
Now, if my proactive controls don't work, then I need reactive controls.
And that's where detective and corrective controls come into place. So detective controls would be things like my audit logs that I can go in and I can review, and I can see that a security event has happened.
Other detective mechanisms, you know, security policies, things like job rotation,
mandatory vacations. Those would be designed for detective purposes. Closed-circuit TV cameras would be designed for detective purposes. Now, corrective means, all right, the attack was already successful to a degree. How do we fix it?
So when we talk about our radar systems being infected with a file, moving that file to a quarantine location, that would be a corrective control.
So after the fact we have detective and corrective. Intrusion detection systems would detect that the event has happened.
Now there are also intrusion prevention systems that would terminate the attack.
So you've got to look at the name of the device or mechanism, and you can usually figure out which type of control it implements. All right, so we've covered preventive and deterrent as our proactive controls, detective and corrective as our reactive controls.
We also have recovery, compensation, and directive controls.
Our recovery controls: so, for instance, we've lost all our data. That's okay. We have backups. That would be a recovery type of control. Or hard drive number one has failed. That's okay, because we've implemented RAID and we have multiple hard drives that can be started up, can pick up where RAID one failed, or device one failed.
Directive controls: these are things like employee handbooks. Or it might be a sign that says "No trespassing,"
which could also be a deterrent control. Many types of controls could perform multiple functions, but a directive control essentially provides direction. It says, "Don't do this." Thou shalt not, or thou shalt, or whatever that may be.
And then the compensation control.
A compensation control is Plan B.
The mechanism that you wanted to put in place was out of your reach. So, for instance, I wanted a security guard to patrol the premises. But after doing investigation, it turns out the security guard's too expensive.
So I get a security dog.
Turns out a security dog is too expensive, so I get a pug.
That's a compensating control.
So the bottom line is, when my first choice is not available, what I decide to scale back
and go with, that's a compensating control.
The bottom line is we need layered defense, so we don't look for controls that just prevent and rely wholeheartedly on those. We need reactive controls because no matter what we use to prevent,
any one mechanism can be bypassed. So we want preventive and detective and directive and compensating and recovery controls. We want to use as many different layers of controls as warranted by the value of the data.