
Weekly CISSP Practice

Exam Questions

Week 22 - Question 1

Scenario: You notice that an unauthorized user has gained access to a privileged account. What type of control should be implemented to alert you of this in the future?

 

A.  Preventive Control

B.  Detective Control

C.  Deterrent Control

D.  Compensating Control

 

Answer:  B

 

Detailed Explanations

A. Preventive Control

A preventive control is designed to thwart an attack before it succeeds.

  • The Goal: To keep the "bad thing" from happening. Examples include firewalls, biometric locks, and Multi-Factor Authentication (MFA).

  • Why it's not the Answer: While a preventive control might have stopped the unauthorized user from getting in, the question specifically asks for a control that will alert you. Preventive controls are often "silent" when they work (e.g., a firewall just drops a packet without necessarily sending an emergency page to the admin).

B. Detective Control

Detective controls are designed to identify and record an incident as it happens or after it has occurred.

  • Why it's the Answer: The keyword in the question is alert. Detective controls—such as Intrusion Detection Systems (IDS), motion sensors, and security log reviews—are the "eyes and ears" of your security infrastructure. They provide the necessary visibility to trigger an incident response.

  • Example: A SIEM (Security Information and Event Management) system that flags a "Privileged Account Login" from an unrecognized IP address is a classic detective control.
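To make that SIEM example concrete, here is an added illustration (not from the original page or the author's course material): a small Python detector that plays the role of the "privileged login from an unrecognized IP" rule. It parses constructed authentication log lines, keeps a per-account allowlist of known source IPs for privileged accounts, and raises an alert for any successful privileged login that comes from somewhere else, noting any failed attempts that preceded it. The log format, account names, IP addresses and allowlist are all assumptions made for this example.

```python
"""Added example (not from the original page): a minimal detective control.

Scans constructed auth log lines, keeps a per-account allowlist of known
source IPs for privileged accounts, and alerts on any successful privileged
login from a source not on that list.  Log format, account names, IPs and
the allowlist are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (not from any real system).
SAMPLE_LOGS = """\
2024-05-01T08:02:11Z sshd: Accepted publickey for alice from 10.0.1.15
2024-05-01T08:05:42Z sshd: Accepted password for root from 10.0.1.15
2024-05-01T08:07:03Z sshd: Failed password for root from 203.0.113.77
2024-05-01T08:07:09Z sshd: Accepted password for root from 203.0.113.77
2024-05-01T08:09:30Z sshd: Accepted publickey for backup-admin from 10.0.2.9
"""

# Assumed: which accounts are privileged and where they normally log in from.
PRIVILEGED_ACCOUNTS = {"root", "backup-admin"}
KNOWN_SOURCES = {
    "root": {"10.0.1.15"},
    "backup-admin": {"10.0.2.9", "10.0.2.10"},
}

# Assumed log layout: "<timestamp> sshd: <Accepted|Failed> <method> for <user> from <ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<ip>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    source_ip: str
    reason: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_privileged_logins(log_text, privileged=PRIVILEGED_ACCOUNTS, known=KNOWN_SOURCES):
    """Detective control: flag successful privileged logins from unrecognized IPs.

    Failed attempts are counted per (user, ip) so that an alert can say whether
    the successful login was preceded by guessing from the same source.
    """
    alerts = []
    failed = {}  # (user, ip) -> number of failed attempts seen so far
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["user"] not in privileged:
            continue  # unparseable line or non-privileged account: not in scope
        key = (ev["user"], ev["ip"])
        if ev["result"] == "Failed":
            failed[key] = failed.get(key, 0) + 1
            continue
        if ev["ip"] in known.get(ev["user"], set()):
            continue  # expected source for this privileged account
        reason = "privileged login from unrecognized source IP"
        if failed.get(key):
            reason += f" after {failed[key]} failed attempt(s)"
        alerts.append(Alert(ev["ts"], ev["user"], ev["ip"], reason))
    return alerts


if __name__ == "__main__":
    for a in detect_privileged_logins(SAMPLE_LOGS):
        print(f"ALERT {a.timestamp} {a.user} from {a.source_ip}: {a.reason}")
```

Note what the control does and does not do: it never blocks the login (that would be a preventive control); it only produces the alert the question asks for, which is what makes it detective. In a real deployment the allowlist would come from an asset or identity inventory rather than a hard-coded dictionary, and the alert would be routed to an on-call channel rather than printed.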

C. Deterrent Control

A deterrent control is intended to discourage a potential attacker by influencing their decision-making process.

  • The Goal: To make the attacker believe the "cost" or "risk" of the attack is too high. Examples include "No Trespassing" signs, visible security cameras, or login banners warning of prosecution.

  • The Limitation: Deterrents do not actually stop a determined attacker, nor do they provide a technical alert that a breach has successfully bypassed your defenses.

D. Compensating Control

A compensating control is a substitute control implemented when a primary security control is impossible or too expensive to deploy.

  • The Scenario: If your legacy system cannot support MFA (a preventive control), you might implement a compensating control like "stringent daily log review" (a detective control) or "restricting the system to a specific isolated VLAN."

  • Why it's not the Answer: While a compensating control could be detective in nature, "Compensating" describes the reason the control exists, not its function. The question is asking for the specific function of alerting.

 
