Alright, the last time we met we talked about risk and defined administrative, technical and physical controls.  Now we're going to wrap up our segment on controls by diving into the following controls:

• Preventive
• Detective
• Corrective
• Deterrent
• Compensating

You really need to know these for the exam so I want to make sure you get this.

Preventing Incidents

What do you think preventive controls are?

You already know what these are. 

Preventive controls prevent incidents.

Can you think of some examples?  What's something a sys admin could do to a server to prevent a security incident from happening?

Well he could harden the box right?  To harden a server is to make it more secure by uninstalling unnecessary software, disabling unneeded services and accounts, using strong passwords, and avoiding the default configuration.  The idea is to make it harder for a bad guy to drop the box.  So, for example, by having a working account disablement policy you...

At this point should know what confidentiality, integrity and availability are.  If not, make sure you jump back into those topics for you dig into this beast.

Before we talk about the super awesome stuff related to firewalls, vulnerabilities and hacking we need to talk about risk.

In this guide we're going to look at the following items:

• Risk (what it is)
• How to reduce risk using various controls
• Technical, Administrative and Physical Controls
• Preventive vs Detective Controls
• Deterrent, Corrective and Compensating Controls

I know that looks like a lot but once you get through this you'll ba step ahead of the rest.

What exactly is Risk anyway?

How would would you describe sky diving in terms of risk? Is too risky?

I actually went skydiving with my girlfriend (now wife) a few years ago and it was one of the most exhilarating experiences I ever had.  I think part of the reason for that is because there is a possibility of danger... there's a chance you could die!

I don't...