Technical controls
Security measures implemented through hardware or software (e.g., firewalls, encryption, access control lists).
Managerial controls
Policies, procedures, and guidelines created by management to enforce security (e.g., risk assessments, training requirements).
Operational controls
Day-to-day processes and activities carried out by people to maintain security (e.g., incident response, change management).
Physical controls
Measures that physically restrict or detect access to resources (e.g., locks, fencing, guards, cameras).
Preventive
Aim to stop an incident before it occurs (e.g., firewalls, patching, strong authentication).
Deterrent
Discourage attackers from attempting an attack (e.g., warning signs, guards, security policies).
Detective
Identify and report security incidents after they occur (e.g., IDS, logs, video monitoring).
Corrective
Restore systems after an incident (e.g., backups, patches, system recovery).
Compensating
Alternate control used when the primary control is not possible (e.g., monitoring compensates for lack of encryption).
Directive
Provide instructions or rules for expected behavior (e.g., policies, security banners, acceptable use guidelines).
Confidentiality, Integrity, and Availability (CIA)
The foundational security triad.
Confidentiality
Prevent unauthorized access to data.
Integrity
Ensure data is accurate and unaltered.
Availability
Ensure resources are accessible when needed.
Non-repudiation
Assurance that someone cannot deny their actions (e.g., digital signatures prove the sender's identity).
Authentication, Authorization, and Accounting (AAA)
Framework for access control.
Authentication
Verifying identity (passwords, biometrics, MFA).
Authorization
Granting permissions based on identity (role-based access).
Accounting
Tracking user actions (audit logs).
Authenticating people
Verifying user identity (e.g., biometrics, passwords).
Authenticating systems
Ensuring systems trust each other (e.g., certificates, mutual TLS).
Authorization models
Approaches like role-based (RBAC), mandatory (MAC), discretionary (DAC), or attribute-based (ABAC).
Gap analysis
Comparing current security posture to required standards to identify weaknesses.
Zero Trust
Security model that assumes no implicit trust, requiring continuous verification.
Control Plane
Policies and decisions.
Adaptive identity
Dynamically adjusting authentication based on risk.
Threat scope reduction
Minimizing attack opportunities.
Policy-driven access control
Access rules defined centrally.
Policy Administrator
Manages enforcement rules.
Policy Engine
Evaluates requests against rules.
Data Plane
Where access enforcement occurs.
Implicit trust zones
Previously trusted areas (but reduced in Zero Trust).
Subject/System
Entity requesting access.
Policy Enforcement Point (PEP)
Component that enforces access rules (e.g., firewall, gateway).
Bollards
Barriers preventing vehicle access.
Access control vestibule
Two sets of doors creating a "mantrap" for controlled entry.
Fencing
Physical boundary to prevent unauthorized access.
Video surveillance
Cameras to monitor and record activity.
Security guard
Personnel monitoring access points.
Access badge
ID card or smartcard for authentication.
Lighting
Illumination to deter intruders and improve surveillance.
Sensors
Devices to detect physical presence/movement.
Honeypot
Decoy system to attract attackers and monitor their behavior.
Honeynet
Network of honeypots used to simulate a real environment.
Honeyfile
Fake file designed to detect unauthorized access.
Honeytoken
Decoy credentials or data used to detect malicious activity.
Change management
The structured process of planning, reviewing, approving, and documenting changes to IT systems or business processes in a way that reduces security risks, prevents disruptions, and ensures accountability.
Approval process
Formal review and authorization before implementing changes to ensure security and business alignment.
Ownership
Assigning responsibility for the change (ensures accountability).
Stakeholders
Individuals or groups affected by the change (users, IT, security teams, business units).
Impact analysis
Assessing the potential risks, benefits, and consequences of a change.
Test results
Verifying the change in a controlled environment to ensure it won't introduce new vulnerabilities.
Backout plan
A rollback strategy to restore previous conditions if the change fails or creates security issues.
Maintenance window
Scheduled time frame for applying changes to minimize business disruption.
Standard operating procedure (SOP)
Documented, repeatable steps to implement changes consistently and securely.
Allow lists/deny lists
Controlling what applications, services, or processes are permitted (or blocked).
Restricted activities
Limiting high-risk actions (e.g., disabling USB ports, restricting admin privileges).
Downtime
Period when systems are unavailable; needs to be minimized and communicated.
Service restart
Restarting services after a change, which may temporarily affect availability.
Application restart
Restarting applications as part of the change process, potentially impacting users.
Legacy applications
Older apps that may not support new security measures, requiring extra caution.
Dependencies
Other systems, services, or apps that rely on the system being changed (must be considered to avoid chain failures).
Updating diagrams
Revising system/network architecture diagrams to reflect changes.
Updating policies/procedures
Ensuring written policies and security procedures remain accurate.
Version control
Tracking and managing versions of software, configurations, and documentation to prevent confusion, ensure accountability, and allow rollback if needed.
Public Key Infrastructure (PKI)
A framework for managing digital keys and certificates.
Public key
Shared openly, used to encrypt data or verify signatures.
Private key
Secret key used for decryption or creating digital signatures.
Key escrow
Secure storage of encryption keys for recovery purposes.
Full-disk encryption
Encrypts entire storage drive.
Partition encryption
Encrypts only a partition.
File encryption
Encrypts individual files.
Volume encryption
Encrypts a logical storage volume.
Database encryption
Encrypts whole database contents.
Record encryption
Encrypts specific database records.
Transport/communication encryption
Protects data in transit (TLS, IPSec).
Asymmetric encryption
Uses public/private key pairs (RSA, ECC).
Symmetric encryption
Uses one shared key for encryption/decryption (AES).
Key exchange
Securely sharing encryption keys (Diffie-Hellman, ECDH).
Algorithms
Mathematical methods for encryption (AES, RSA, SHA).
Key length
Strength of encryption, measured in bits (longer = stronger).
Trusted Platform Module (TPM)
Hardware chip for secure key storage.
Hardware Security Module (HSM)
Dedicated device for cryptographic key management.
Key management system
Software to securely generate, store, and distribute keys.
Secure enclave
Isolated environment in CPUs for secure operations.
Steganography
Hiding data within another file (e.g., hidden in an image).
Tokenization
Replacing sensitive data with non-sensitive tokens.
Data masking
Hiding real data by altering its format (e.g., displaying only last 4 digits of a card).
Hashing
One-way function to verify data integrity.
Salting
Adding random data to passwords before hashing to prevent rainbow table attacks.
Digital signatures
Provide authenticity, integrity, and non-repudiation.
Key stretching
Strengthening weak keys by processing them multiple times (PBKDF2, bcrypt).
Blockchain
Decentralized ledger secured with cryptography.
Open public ledger
Transparent distributed record (e.g., cryptocurrencies).
Certificate authorities (CAs)
Trusted entities issuing digital certificates.
Certificate revocation lists (CRLs)
List of revoked certificates.
Online Certificate Status Protocol (OCSP)
Real-time certificate validity check.
Self-signed
Certificate signed by the entity itself (not trusted by default).
Third-party
Certificate issued by a trusted CA.
Root of trust
Foundational trusted certificate authority.