Preventative vs. Deterrent Access Control

djasonslick

Can anybody explain the difference between these two access control types?
I was asked a question that said something to the effect of " what's an access control that aims to deter an individual from taking malicious action"?
I answered deterrent and it was actually preventative.
I'm a little confused.
Has anybody else seen this Sybex flashcard/question?

NetworkNewb

Your right, the question is either worded incorrectly or they have the wrong answer selected in the program.

NotHackingYou

Preventive stops something from happening - a door lock stops a person from entering a building.

Deterrent helps someone choose not to do something - a guard might see someone trying to break it. The risk of getting caught will deter them from their action.

Remember that some controls can fit in more than one categories. Just try to remember the rules that define each category, rather than memorizing a list of types/controls. The exam is pretty straightforward as long as you can articulate what defines each access control type.

636-555-3226

Preventive access control - NTFS permissions give you read-only access to a file. You are "prevented" from modifying the file.

Deterrent access control - A warning banner on your computer every time you log in says you will be fired if you email porno from your work email. Nothing stops you from emailing out porno, but you are "deterred" from using email for porno.

Hunter85

Some test sources are really annoying.

There was a question about putting lights all around the premises and it was deterrent.

My answer was detective, but if you think about it it is also deterrent....

I would also add dogs to this

Do you think dogs are detective or deterrent?

sydneysundar

Guard dogs as a sight is a deterrent. Sniffer dogs is a detective control.

Hunter85

really good point but I havent seen any question that mentions about the skill set of the dog

If they are just talking about dogs, which category would you put it in?

And also which category Lights get in?

sydneysundar

Again my 2 cents though you might know,don't consider controls as either or, it be both as well. May be at a point of time they are doing a specific control activity.

kabooter

Honestly this is ridiculous and needless hair splitting. Most of such questions have more than one correct answer and often even context does not mean anything.
Example: Sybex 7th edition book - Access Control
It specifies preventive access control example being locks, mantraps, fences, job rotation.
It also specifies locks, fences, mantraps as deterrent controls - on same page! Bravo

dhay13

Don't overthink it. Yes the questions can be tricky but prepare as best you can and don't fret the 'trick' questions. Go with what you feel ISC2 is looking for. When reading those types of questions be sure to look at the context of the question to see if there are any clues there.

Don't focus so much time on the trick questions that it takes away from studying the actual material and understanding it.

PJ_Sneakers

Sounds like an error in the Sybex test question to me.

OctalDump

NotHackingYou wrote: »

Remember that some controls can fit in more than one categories.

This is true. If you think hard enough you could probably fit every measure into multiple categories, most will be more one than the others.

ACLs and NTFS permissions for example, there are probably implementation bugs that allow you to work around these, so they are slowing down rather than stopping ie working as deterrents rather than preventative controls. Or a lock that can be broken could act also as a detective control, since if the lock is broken it could indicate that someone has broken in.

You can also say that for a particular threat the control works differently. A security guard can act as a preventative control if they can pick up an intruder and throw them outside, but against a fire, they might work only as a detective control by alerting the fire brigade.

kabooter

dhay13 wrote: »

Don't overthink it. Yes the questions can be tricky but prepare as best you can and don't fret the 'trick' questions. Go with what you feel ISC2 is looking for. When reading those types of questions be sure to look at the context of the question to see if there are any clues there.

Don't focus so much time on the trick questions that it takes away from studying the actual material and understanding it.

Very true, keyword is that study for this exam and the exam itself is a journey. Don't get stuck.
I spent close to 90 mins researching due care vs due diligence, deterrent vs preventive and MTTF vs MTTB. (by the way MTBF is defined wrong in combined notes.

cyberexpert

One another confusing sentence from the Sybex CBK 7th Edition.

A CCTV is a preventive measure, whereas reviewing recorded events is a detective measure.


How can a CCVT become a preventive measure? How can it prevent a breach? I think a CCVT is deterrant measure.

Any idea?

OctalDump

cyberexpert wrote: »

How can a CCVT become a preventive measure? How can it prevent a breach? I think a CCVT is deterrant measure.

Maybe they mean if someone is viewing the live stream and can act on it. For example if you had it set up when people buzz for access to a secure area. Still not really preventative in itself, but part of a preventative system.

In the same way, it's not exactly the CCTV that's a deterrent, it's the perception of CCTV. Dummy cameras can be used for a similar deterrent effect. If all the cameras are hidden, then it might have no deterrent effect at all.