Comprehensive Security Controls Breakdown

The document provides a comprehensive overview of various security controls, categorized into preventive, deterrent, detective, corrective, compensating, and directive controls, along with examples from CompTIA Security+. It also discusses concepts like non-repudiation, proof of integrity, data loss prevention (DLP), data minimization, access restrictions, segmentation, and the core objectives of cybersecurity. Additionally, it highlights the impact of data breaches and the importance of protecting data in different states.

Uploaded by valdetronpk

Great!

Here's a complete and enriched column-wise breakdown of security controls including examples from CompTIA Security+, along with those from your image:

---

Preventive Controls
(Designed to stop an incident before it happens)
Technical:
• Firewall
• Antivirus/Anti-malware
• Access control lists (ACLs)
• Encryption
• Endpoint protection

Managerial:
• On-boarding policy
• Security awareness training
• Acceptable use policies (AUP)
• Background checks

Operational:
• Guard shack
• Access control procedures
• Change management process
• User provisioning

Physical:
• Door lock
• Biometric access control
• Fencing
• Mantraps
• Turnstiles

---

Deterrent Controls
(Discourage attackers or unwanted behavior)
Technical:
• Splash screen (login banners)
• Password expiration notices

Managerial:
• Demotion policies
• Written warnings

Operational:
• Reception desk
• Visible patrols

Physical:
• Warning signs
• Security cameras (visible)
• "Beware of dog" signage
• Lighting

---

Detective Controls
(Identify and alert on incidents)
Technical:
• System logs
• Intrusion Detection Systems (IDS)
• SIEM alerts
• Audit logs

Managerial:
• Review login reports
• Internal audits

Operational:
• Property patrols
• Incident reports

Physical:
• Motion detectors
• Security cameras (for monitoring)
• Alarm systems

---

Corrective Controls
(Mitigate or repair after an incident)
Technical:
• Backup recovery
• Patching systems
• System reconfiguration

Managerial:
• Policies for reporting issues
• Disciplinary action

Operational:
• Contact authorities
• Crisis response plans

Physical:
• Fire extinguisher
• Repair damaged locks
• Re-secure compromised doors

---

Compensating Controls
(Alternative controls when primary ones are not possible)
Technical:
• Block instead of patch
• Additional network segmentation
• Temporary firewall rules

Managerial:
• Separation of duties
• Dual control policies

Operational:
• Require multiple security staff
• Shadowing procedures

Physical:
• Power generator
• Manual override systems

---

Directive Controls
(Provide guidance or instruction)
Technical:
• File storage policies
• Configuration baselines

Managerial:
• Compliance policies
• Code of conduct

Operational:
• Security policy training
• Standard Operating Procedures (SOPs)

Physical:
• Sign: Authorized Personnel Only
• Emergency exit instructions
• Evacuation maps

---

Non-Repudiation, Proof of Integrity, and Proof of Origin — Notes

Non-Repudiation
• Means you cannot deny an action or message you’ve sent.
• Once you sign something (e.g., a contract), you cannot take it back or deny it later.
• Your signature acts as proof that you performed the action, and others can verify it.
• In cryptography, non-repudiation provides:
  o Proof of origin (authenticity of sender)
  o Proof that the sender cannot deny their message

Proof of Integrity
• Ensures that data has not been altered or tampered with—it remains accurate and consistent.
• Uses hashing, which converts the data into a fixed-length string called a message digest or fingerprint.
• Even a tiny change in the original data results in a completely different hash value.
• Hashing does not link the data to a specific individual; it only confirms whether the data is unchanged.
Example:
• Changing one character in a large file (e.g., the Gutenberg Encyclopedia) changes the hash, signaling compromised integrity.

Proof of Origin
• Confirms that the message:
  o Has not been altered (integrity)
  o Originates from the authenticated sender (authentication)
  o Is authentically signed by the sender, ensuring non-repudiation
• Achieved using digital signatures:
  o The sender signs the message using their private key (only they can produce this signature).
  o The message itself does not need to be encrypted to be signed.
  o Recipients verify the signature with the sender’s public key.
  o Any change to the message invalidates the signature, indicating tampering.

How Digital Signatures Are Created and Verified

1. Creating a Digital Signature (Signing)

• Step 1: The sender has a message or document they want to send securely.
• Step 2: The sender runs the message through a hash function, which produces a unique fixed-size hash value (a “fingerprint” of the message).
• Step 3: The sender encrypts this hash value using their private key.
• Step 4: The encrypted hash is the digital signature. The sender sends both the original message and the digital signature to the receiver.

2. Verifying a Digital Signature

• Step 1: The receiver gets the message and the digital signature.
• Step 2: The receiver runs the message through the same hash function to generate a new hash value.
• Step 3: The receiver decrypts the digital signature using the sender’s public key to retrieve the original hash.
• Step 4: The receiver compares the newly computed hash with the decrypted hash:
  o If both hashes match, the message is authentic and unchanged (integrity and origin are verified).
  o If they differ, the message has been altered or the signature is invalid.

Easy Example: Signing a Letter

• Imagine you write a letter (the message).
• You create a unique “summary” of the letter (hash).
• You put this summary in a locked box that only you have the key to lock (private key encrypting the hash).
• You send the letter and the locked box to your friend.
• Your friend opens the box with a special key you gave them (your public key) to get the summary inside.
• Your friend also makes their own summary of the letter.
• If the summary from the box and their own summary are the same, they know the letter is exactly what you sent and that it came from you.

Data Loss Prevention (DLP) Summary

• Purpose: DLP systems help enforce policies to prevent data loss and theft by monitoring for sensitive data on systems and networks.
• Types of DLP:
  1. Agent-based DLP
     • Uses software agents installed on endpoints (computers, devices).
     • Scans local systems for sensitive info like Social Security numbers and credit card numbers.
     • Can block risky user actions (e.g., stopping USB drives to prevent data copying).
  2. Agentless (Network-based) DLP
     • Dedicated devices monitor outbound network traffic for unencrypted sensitive data.
     • Can block or encrypt data transmissions automatically; often used for email protection.
• DLP Mechanisms:
  o Pattern Matching: Detects sensitive data formats (credit card numbers, SSNs) or keywords like "Top Secret".
  o Watermarking: Attaches electronic tags to sensitive documents, allowing tracking and blocking of unauthorized distribution; also used in Digital Rights Management (DRM).
• Actions: DLP can block transmission, alert administrators, or automatically encrypt data to prevent leaks.
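A minimal version of the pattern-matching and watermark mechanisms above, run over a few constructed lines of outbound traffic the way an agentless DLP would. This is an added example and not part of the original notes or of any DLP product: the regular expressions, the `[[WM:...]]` tag format, the block/alert policy and the sample lines are all assumptions made for illustration. It goes slightly beyond the notes by adding a Luhn checksum so that random 16-digit numbers are not reported as credit cards.

```python
"""Added example: pattern-matching DLP check over constructed outbound traffic.
Patterns, watermark tag format, policy actions and samples are all made up."""
import re
from dataclasses import dataclass

# Format patterns only; the Luhn check filters numbers that merely look like cards.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")            # 16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")             # US SSN layout
WATERMARK_RE = re.compile(r"\[\[WM:[A-Za-z0-9_-]+\]\]")   # constructed electronic tag
KEYWORDS = ("top secret", "confidential")

# Policy: what the DLP does for each kind of finding (constructed for this example).
ACTIONS = {"credit_card": "block", "ssn": "block", "watermark": "block", "keyword": "alert"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: every real card number passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:               # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    line_no: int
    kind: str
    action: str


def classify(line: str) -> list:
    """Return the kinds of sensitive content found in one line of traffic."""
    kinds = []
    for m in CARD_RE.finditer(line):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            kinds.append("credit_card")
            break
    if SSN_RE.search(line):
        kinds.append("ssn")
    if WATERMARK_RE.search(line):          # tagged document leaving the network
        kinds.append("watermark")
    lowered = line.lower()
    if any(k in lowered for k in KEYWORDS):
        kinds.append("keyword")
    return kinds


def scan(lines) -> list:
    """Apply the policy to each outbound line; one Finding per hit."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for kind in classify(line):
            findings.append(Finding(no, kind, ACTIONS[kind]))
    return findings


# Constructed sample of outbound mail/HTTP content (not real data).
SAMPLE_TRAFFIC = [
    "Subject: Q3 numbers attached",
    "Please charge 4111 1111 1111 1111, exp 12/27",   # well-known Luhn-valid test number
    "Order ref 1234-5678-9012-3456",                  # 16 digits but fails Luhn: not a card
    "Employee SSN 123-45-6789 for onboarding",
    "Project notes marked TOP SECRET, do not forward",
    "Attachment body: [[WM:acme-internal]] quarterly plan",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_TRAFFIC):
        print(f"line {f.line_no}: {f.kind} -> {f.action}")
```

Line 3 is the case worth noticing: it matches the card regex but not the checksum, so the policy stays quiet, which is the difference between a format pattern and an actual data match. A real deployment would also inspect decoded attachments and TLS-terminated streams; raw regexes over plaintext are only the last step.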

Data Minimization

• Goal: Reduce risk by minimizing the sensitive data retained.
• Best Practice: Destroy data when it is no longer needed.
• Alternatives when deletion isn't possible:
  o Deidentification: Remove links to individuals (reduces sensitivity).
  o Data Obfuscation: Transform data so the original information can’t be retrieved.
    • Hashing: Convert data to a hash value; irreversible, but vulnerable to rainbow table attacks if the hashed values are predictable.
    • Tokenization: Replace sensitive values with random tokens; a secure lookup table is needed.
    • Masking: Partially hide data (e.g., show only the last 4 digits of a credit card).
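The three obfuscation options above, masking, tokenization and hashing, applied to constructed values. This is an added example, not part of the original notes: the `mask`, `TokenVault` and `lookup_in_table` names are assumptions, and the values are made up. The keyed-hash variant (HMAC with a secret key) is an addition beyond the notes, included because it is the standard answer to the rainbow-table caveat: when the input space is small and predictable (a 4-digit PIN here), a plain hash can be matched against a precomputed table, while a keyed hash cannot be matched without the key.

```python
"""Added example: masking, tokenization and (keyed) hashing for data minimization.
All values are constructed; HMAC is shown as a mitigation beyond the notes."""
import hashlib
import hmac
import secrets


def mask(value: str, keep_last: int = 4) -> str:
    """Masking: hide every digit except the last `keep_last`, keeping separators
    so the layout stays recognisable (e.g. '**** **** **** 1111')."""
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    hidden = set(digit_positions[:max(len(digit_positions) - keep_last, 0)])
    return "".join("*" if i in hidden else ch for i, ch in enumerate(value))


class TokenVault:
    """Tokenization: a value leaves the vault only as a random token.  The
    reverse mapping is the 'secure lookup table' the notes refer to, and it is
    the only place the real value exists."""

    def __init__(self):
        self._token_for = {}
        self._value_for = {}

    def tokenize(self, value: str) -> str:
        if value not in self._token_for:              # same value -> same token
            token = "tok_" + secrets.token_hex(8)
            self._token_for[value] = token
            self._value_for[token] = value
        return self._token_for[value]

    def detokenize(self, token: str) -> str:
        return self._value_for[token]


def hash_value(value: str) -> str:
    """Plain SHA-256: irreversible, but anyone can hash every candidate input."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash(value: str, key: bytes) -> str:
    """HMAC-SHA256 with a secret key: a precomputed table is useless without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def lookup_in_table(digest: str, candidates, key: bytes = None):
    """The rainbow-table caveat in miniature: hash every candidate in a small,
    predictable input space and see whether one matches the stored digest."""
    for cand in candidates:
        h = keyed_hash(cand, key) if key is not None else hash_value(cand)
        if hmac.compare_digest(h, digest):
            return cand
    return None


if __name__ == "__main__":
    print(mask("4111 1111 1111 1111"))          # constructed test card -> **** **** **** 1111
    print(mask("123-45-6789"))                  # constructed SSN -> ***-**-6789
    vault = TokenVault()
    tok = vault.tokenize("123-45-6789")
    print(tok, vault.detokenize(tok))
    pins = [f"{i:04d}" for i in range(10_000)]  # a small, predictable input space
    print(lookup_in_table(hash_value("4821"), pins))          # '4821': plain hash recovered
    key = secrets.token_bytes(32)
    print(lookup_in_table(keyed_hash("4821", key), pins))     # None: no match without the key
```

The design point is where the secret lives: masking keeps no secret at all (the hidden digits are gone), tokenization moves it into the vault's lookup table, and keyed hashing moves it into the key. Each of those places then becomes the thing the access restrictions in the next section have to protect.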

Access Restrictions

• Limit access based on:
  o Geography: Access only allowed from trusted locations.
  o Permissions: Role-based access, e.g., only trained and authorized personnel access sensitive data.

Segmentation and Isolation

• Segmentation: Separate sensitive systems into isolated network segments with controlled communication.
• Isolation: Completely cut off systems from external networks for maximum security.

Core Cybersecurity Objectives (Exam Essentials)

• Confidentiality: Prevent unauthorized data access.
• Integrity: Prevent unauthorized data modification.
• Availability: Ensure data and systems are accessible when needed.
• Nonrepudiation: Ensure actions can’t be denied (e.g., digital signatures).

Security Control Categories

• Controls based on mechanism of action:
  o Managerial: Risk assessments, planning.
  o Operational: User reviews, log monitoring.
  o Physical: Locks, fences.
  o Technical: Firewalls, encryption.
• Controls based on intent:
  o Preventive, Detective, Corrective, Deterrent, Compensating, Directive.

Data Breach Impact

• Breaches cause:
  o Financial risk: Direct costs (incident response) + indirect losses (revenue, competition).
  o Reputational risk: Loss of customer/stakeholder trust.
  o Operational risk: Disruptions in daily business activities.
  o Compliance risk: Legal/regulatory penalties (e.g., HIPAA violations).

Data Protection States

• Data must be protected when:
  o In transit: Use encryption to prevent interception.
  o At rest: Encrypt stored data to protect from breaches.
  o In use: Protect data during processing on systems.

Data Loss Prevention (DLP) Systems

• Enforce info handling policies to prevent unauthorized data loss or theft.
• Function as:
  o Agent-based: Software on endpoints scanning for sensitive data.
  o Agentless/network-based: Monitor outgoing traffic for sensitive data leaks.
• Detection techniques:
  o Pattern matching: Recognize sensitive data formats or keywords.
  o Watermarking: Track tagged documents.
