Back to Security Controls Implementation

Detective Controls

5 minutes 5 Questions

Detective Controls are security measures designed to identify and monitor ongoing activities and potential security breaches within an organization's information systems and networks. These controls help organizations detect unauthorized activities, security violations, and other undesirable events…

Guide: Detective Controls in CISSP

What are Detective Controls?
Detective Controls are security measures designed to detect and react to incidents that occur. They do not prevent incidents but instead are used to find abnormal activities and report them.

Why are Detective Controls important?
The importance of Detective Controls lies in their ability to alert the appropriate personnel when a security incident occurs. This empowers a swift response, limiting potential damage.

How do Detective Controls work?
They work by monitoring and logging system activities so that any deviation from the accepted norm can be identified. Examples include Intruder Detection Systems (IDS) and log monitoring.

Exam Tips: Answering Questions on Detective Controls
In an exam situation, remember that Detective Controls are not about prevention, but about detection and response. Questions may involve scenarios where you need to choose the best control for detecting certain types of incidents.

Key points to consider:
- Detective Controls monitor and report, but do not prevent.
- They are crucial for timely response to incidents.
- Examples of Detective Controls include IDS and log monitoring systems.
- In exam scenarios, always consider the purpose of the control discussed.
By understanding these points, you can confidently answer exam questions on Detective Controls.

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

CISSP - Detective Controls Example Questions

Test your knowledge of Detective Controls

Question 1

In the event of unauthorized access to confidential data, which detective control would best facilitate the reconstruction of events?

Security Information and Event Management (SIEM) system Continuous vulnerability scanning Implementation of stronger firewall rules Periodic user access reviews

Correct Answer: Security Information and Event Management (SIEM) system

The best detective control to facilitate the reconstruction of events after unauthorized access to confidential data is indeed a Security Information and Event Management (SIEM) system. SIEM systems are specifically designed to gather, analyze, and present information from a variety of sources across the IT infrastructure, such as network devices, servers, and security appliances. This enables organizations to quickly spot unusual activities that may indicate security incidents, providing comprehensive logging and real-time analysis for incident response. SIEM systems also aid in the forensic analysis after an event has taken place, helping to understand what happened, how it happened, and who might have been involved. Periodic user access reviews are a preventive control, mainly intended to ensure that only authorized individuals have access to specific resources based on their role or need to know but do not directly provide the detailed activity logging needed to reconstruct events after a breach. Implementation of stronger firewall rules is another preventive control that aims to stop unauthorized access by defining what traffic is allowed or blocked, but it does not inherently log detailed events for reconstruction purposes. Continuous vulnerability scanning is a preventative and monitoring control designed to identify security deficiencies in the IT environment, but by itself, it does not track user actions or system changes that would allow for event reconstruction after a data incident.

Question 2

An organization recently discovered malware on several servers and is trying to analyze the entry point in the system. Which detective control can help them understand the path taken by the attacker?

User and Entity Behavior Analytics (UEBA) Antivirus Software Host-based Intrusion Detection System (HIDS) File Integrity Monitoring (FIM)

Correct Answer: File Integrity Monitoring (FIM)

FIM detects malicious or unauthorized manipulation of files and can help identify the attacked components within the system. The other options do not provide a focused view on files and their integrity.

Question 3

An employee provides their login credentials when prompted by a seemingly legitimate email. The next day, the IT department discovers unauthorized access to the corporate network. Which detective control would have been most effective in identifying and stopping this attack?

Data Loss Prevention (DLP) Antivirus Software File Integrity Monitoring (FIM) Network-based Intrusion Detection System (NIDS)

Correct Answer: Data Loss Prevention (DLP)

Data Loss Prevention (DLP) is the most effective detective control in this scenario. DLP systems are designed to detect and prevent the unauthorized transmission of sensitive information outside the organization's network. In this case, when the employee provided their login credentials in response to a phishing email, a properly configured DLP system would have detected the attempt to transmit sensitive data (login credentials) outside the network. DLP systems can be configured to recognize patterns of sensitive information, including hashed versions of passwords, and can block the transmission while alerting administrators. This would have prevented the unauthorized access to the corporate network by stopping the credentials from leaving the organization in the first place. While other options like UEBA or NIDS might detect unusual behavior after the fact, DLP is proactive in preventing the initial data exfiltration, making it the most effective in this specific scenario.

🎓 Unlock Premium Access

CISSP + ALL Certifications

🎓 Access to ALL Certifications: Study for any certification on our platform with one subscription
4537 Superior-grade CISSP practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
CISSP: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

Start Your Free 7-Day Trial