A firewall is a technical control. It is also a preventive control. If a Security+ question asks you to classify it and you only give one of those answers, you can still miss the point, because the exam loves to ask about the label you forgot.
This is one of the quietest traps in Domain 1 of SY0-701. A lot of people study security controls as a single flat list and memorize the definitions. Then a question shows up that wants two things at once, and the second axis is the one that slips.
Here is the fix. Every control sits on two separate axes, and you should be able to place any control on both.
Axis one: the category (what kind of thing enforces it)
CompTIA groups controls into four categories:
- Technical: enforced by technology. Firewalls, encryption, antivirus, access control lists, MFA prompts.
- Managerial: enforced by policy and management decisions. Risk assessments, security policies, change management.
- Operational: carried out by people in their day-to-day work. Security awareness training, guard patrols, incident response handling.
- Physical: tangible things that protect tangible spaces. Locks, fences, bollards, badge readers, cameras.
Quick gut check for the category: ask who or what actually carries it out. A machine, a document, a person, or a wall.
Axis two: the control type (when it acts and what it does)
CompTIA lists six control types, and these describe the job a control does relative to an incident:
- Preventive: stops the event from happening. A firewall rule, a locked door.
- Deterrent: discourages someone from trying. A visible camera, a warning sign, a fence.
- Detective: notices that something happened. Logs, IDS alerts, an access review.
- Corrective: fixes things after the fact. Restoring from backup, isolating an infected host.
- Compensating: a stand-in when you cannot use the control you actually want.
- Directive: tells people what they are supposed to do. An acceptable use policy, posted procedures.
Why the two axes get tangled
People learn one list and assume a control carries one label. It does not. A control almost always has a category and a type at the same time, and the exam writes questions that pin you on whichever one you were not thinking about.
Walk through a few:
- A firewall is technical and preventive.
- An IDS is technical and detective. It does not block anything; it tells you something happened.
- A nightly backup is technical and corrective. It does nothing to prevent an attack; it helps you recover from one.
- A security guard is operational, and depending on the scenario the guard can be deterrent, preventive, or detective.
- An acceptable use policy is managerial and directive.
- A bollard outside a building is physical and usually deterrent or preventive.
Notice the guard. The same control changes type based on what the question emphasizes.
The part that actually trips people: context changes the type
A security camera recording quietly in a back room is detective. The same camera mounted in plain sight with a sign that says you are being recorded is doing deterrent work. Nothing about the hardware changed. The scenario decided the answer.
This is why memorizing "camera equals detective" burns you. Read what the control is doing in that specific question, not what it usually does.
Compensating controls have the same flavor. A compensating control is not a kind of device; it is a role a control plays because the primary option is off the table. If a legacy system cannot support MFA and you wrap it in extra network segmentation and tighter monitoring instead, that segmentation is compensating in that scenario.
A two-question habit that fixes this
For any control in a question, ask both:
- What kind of control is it? Technology, policy, people, or physical.
- When does it act? Before the event it is preventive, deterrent, or directive. At the moment it is detective. After the fact it is corrective. Standing in for something else, it is compensating.
Answer both every time and the double-label questions stop being a coin flip.
How to drill it without burning hours
Make a list of twenty common controls and label both axes for each from memory, then check yourself. The ones you hesitate on are your real weak spots, not the whole domain.
Practice questions matter more than rereading here, because this distinction only shows up under the pressure of a worded scenario. If you want to find which Domain 1 ideas are shaky before you sink a week into the wrong thing, the free diagnostic at https://secplusmastery.com/diagnostic is a fast way to surface them, and the full question bank at https://secplusmastery.com drills these control-type questions directly.
Two labels, every control, every time. Once that habit is automatic, a whole flavor of Domain 1 question stops being able to surprise you.