If there was one piece of information, one bit of knowledge that I could apply to you, that you could gain as a result of this course, it would be the idea of security controls. I mean, the whole world of security is wrapped around the idea of security controls. So let me tell you what they are. A security control is a verb, it's an action. It's a mechanism that we apply to our IT infrastructure to do one of two things. Either one, it's going to protect our IT infrastructure from security problems, or two, it's going to help remediate problems if we've already had a problem with our security.
And that's really what separates an IT security person from a regular IT person. An IT security person may not be very good at, I don't know, configuring WPA2 encryption on a Cisco wireless access point and may not be very good at setting up RADIUS authentication, but what an IT security guy can do is they understand that applying encryption, applying authentication to a wireless network is a good idea. And they rate those things as security controls. So that's really what a security control is all about: we're trying to set up things to do to protect our IT infrastructure. Now, as you can imagine, there are trillions of these different types of security controls. I mean, setting up, like, a firewall's an easy example. But how about putting a fence around our building?
That's a security control. How about teaching our employees to watch for social engineering attacks? That's a security control as well. So what really separates an IT security person from a regular technician isn't their ability to configure WPA2 or set up a firewall. What separates them is that an IT security person understands about security controls, and they can apply security controls. They can monitor security controls, and they can adjust security controls based on the needs of the infrastructure. And that's what it's all about. Security controls are amazing.
Now, there's zillions of these security controls. So what we do to make it a little bit easier is we break security controls into categories. Let's take a look at the different categories of security controls. First type of security control type is an administrative or what you often hear the term management control. These types of controls control actions people make towards IT security. This would include laws, policies, guidelines, best practices.
I like to think about this in terms of what do people do. The second type is a technical control. This controls actions IT systems make towards IT. So this is going to be computer stuff: firewalls, password links, authentication, encryption. Third is going to be physical: physical controls, actions real-world actors make towards IT. So this is going to be stuff like gates, guards, keys, mantraps. So it's great that we can break security controls into one of these three groups. However, we can take it a little bit further. When we're talking about a security control, when we're talking about some threat actor doing something to us, we can kind of break things down a little bit.
Can we create controls that just prevent them from even trying? Can we create controls that prevent them from being able to succeed in what they're doing? Can we create controls that recognize that they're doing something and warn us about it? Can we create controls that allow us to compensate for it if the threat actor is successful? We absolutely can. And that's what I'm going to call the security control function. So let's march through those.
The first type of control function I want to talk about is what I call a deterrent. This actually deters the actor from attempting the threat completely, I mean, stops him from even trying. Second is preventative. This deters the actor from actually performing the threat. This stops them from doing whatever they're going to do. Third is detective.
A detective recognizes the threat and may or may not do something about it, but he does recognize it. Fourth is corrective. A corrective function mitigates the impact of a manifested threat. In other words, we've had an incident. What are we going to do about it? And fifth, and he's the weird one, is compensating. A compensating function provides alternative or temporary fixes to any of the above functions when we can't do them the way we want. Now, the interesting thing about this is that we can almost make sort of like a grid, a table, where we can organize by physical, administrative, technical, and then we can look at the different types of functions and kind of put them together.
If we do this, we can do a pretty good job of defining just about any type of security control. The best way to do it is to actually try it. So here's a little table where I have the different types of security controls across the top and the different functions coming down on the left. So let's put some examples in here and see how this works. First of all, let's start off with a background check. A background check is very much an administrative type of control.
But, in my opinion, it's detective: we're looking for bad people. So in that particular case, this is an administrative detective control. How about employee training? With employee training, it's certainly administrative. But what we're doing is we're trying to prevent things from happening by making our employees smarter.
So to me, that's an administrative preventive control. Third is a firewall, certainly a technical control. But what is it designed to do? Well, it's designed to stop people from coming into our network. So that would be a preventative control. A backup is definitely technical, but it's designed for when we've had a data loss or something.
So we need to get our data back. So that would be a corrective control. A warning sign sitting outside telling people not to come in would be a physical control. But it's designed to be a deterrent and won't actually stop them from trying. But at least it'll help motivate them to not do it. If you really want to stop them, though, how about a fence?
A fence is a physical control, but it's preventative, it stops people from doing something. Now, these are pretty easy, but let's throw in one more. How about closed circuit television? We've got a big camera sitting outside of our fence. Is this a detective or a deterrent? Now it's certainly a physical control.
But is it designed to detect people? It would certainly detect people. Or is it a deterrent? Does it stop people from doing naughty things? There's not always a perfect answer to every one of these. Even though the IT security industry is still a little bit fragmented on whether these are controls or functions or classifications or whatever, the actual words we use are always there for the exam.
Be comfortable looking at particular scenarios and being able to determine what type of security control needs to be applied for that type of situation.