confidentiality
ensures that data is only viewable by authorized users. best choice is encryption to provide this, along with access controls
integrity
provides assurances that data has not been modified, tampered with, or corrupted through unauthorized or unintended changes. hashing is a common method for this.
availability
ensures that data and services are available when needed. common goal is to remove single points of failure. fault tolerance methods and redundancy are used to achieve this.
scaling up
adding additional hardware resources such as memory, processing power, bandwidth capability, and/or drive space.
scaling out
adding additional nodes or servers.
scalability
the ability of a system to handle increased workload either by scaling up or by scaling out. done manually by admins
elasticity
ability of a system to handle the increased workload by dynamically adding or removing resources as the need arises. cloud resources typically have this, allowing them to adapt to the increased and decreased demand automatically.
resiliency
these methods help systems heal themselves or recover from faults with minimal downtime.
risk
the possibility of a threat exploiting a vulnerability and resulting in a loss.
threat
any circumstance or event that has the potential to compromise confidentiality, integrity, or availability.
vulnerability
a weakness in the hardware, software, configuration, or the users operating the system.
the four security control categories are…
managerial, operational, technical, and physical
managerial controls
primarily administrative and include items such as risk and vulnerability assessments and security policies that guide overall security practices within an organization.
operational controls
focused on the day-to-day operations of an organization. help ensure the organization is complying with its overall security plan. These controls include procedures, practices, and guidelines that support the implementation of the organization's security policies.
technical controls
use technology to reduce vulnerabilities. encryption, antivirus, IDS, firewalls, and the principle of least privilege are included
physical controls
any controls you can physically touch. examples are bollards and other barricades, mantraps, lighting, fences, and signs
the six control types
preventive, deterrent, detective, corrective, compensating and directive
preventive controls
attempt to prevent security incidents and minimize vulnerabilities. They include measures like access controls, firewalls, and security awareness training.
detective controls
attempt to detect when a vulnerability has been exploited or when an incident has occurred. These controls include intrusion detection systems, security cameras, and log monitoring.
deterrent controls
attempt to prevent incidents by discouraging threats.
corrective controls
attempt to reverse the impact of an incident or problem after it has occurred. These controls include incident response plans, data restoration, and patch management.
compensating controls
alternative controls used when it isn’t feasible or possible to use the primary control
directive controls
provide instruction to individuals on how they should handle security-related situations that arise
authentication
allows entities to prove their identity by using credentials known to another entity
identification
occurs when a user claims or professes an identity, such as a username, email address, or biometrics
authentication
occurs when an entity provides proof of a claimed identity, such as a password.
authorization
provides access to resources based on a proven identity
accounting
these methods track user activity and record the activity in logs
4 factors of authentication
something you know, you have, you are, and where you are.
HOTP
generates one time use passwords that do not expire until they are used.
TOTP
generates one time passwords that expire after a specified period of time.
single sign on - SSO
allows users to authenticate with a single user account and access multiple resources on a network without authenticating again.
SAML
XML based standard used to exchange authentication and authorization information between different parties. used in web based applications
OAuth
open standard for authorization. allows users to log on with another account such as google, facebook, paypal, microsoft, or twitter. uses api calls to exchange information and a token to show that access is authorized.
role based access control - role-BAC
uses roles to grant access by placing users into roles based on their assigned jobs, functions, or tasks.
rule based access control - rule-BAC
based on a set of approved instructions, such as ACL rules in a firewall.
discretionary access control - DAC
every object has an owner. the owner has explicit access and establishes access for any other user. microsoft NTFS uses this scheme.
mandatory access control - MAC
uses security or sensitivity labels to identify objects and subjects.
attribute based access control - ABAC
evaluates attributes and grants access based on said attribute values. used in many software defined networks.
osi model
describes network communications using seven layers numbered 1 through 7. includes the physical layer, data link layer, network layer, transport layer, session layer, presentation layer, and application layer.
transmission control protocol (TCP)
connection-oriented protocol that provides guaranteed delivery
user datagram protocol (UDP)
connectionless protocol that provides ‘best effort’ delivery
file transfer protocol
used to transfer files over networks, but does not encrypt the transmission
simple mail transfer protocol (SMTP)
sends email using either TCP port 24 or 587, with the latter port being used for email encrypted with TLS
post office protocol v3 (POP3)
receives email using tcp port 110 or tcp port 995 for encrypted connections
internet message access protocol v4 (IMAP4)
uses tcp port 143 or port 993 for encrypted connections. allows users to access and manage their email directly on the email server, enabling synchronization across multiple devices.
hypertext transfer protocol secure (HTTPS)
is an extension of HTTP that uses TLS/SSL to encrypt data for secure communication over the internet, typically operating on TCP port 443.
network time protocol (NTP)
provides time synchronization services
domain name system (DNS)
provides domain name resolution. these zones include A records for IPv4 addresses and AAAA records for IPv6 addresses. translates human-readable domain names into IP addresses, enabling users to access websites using easy-to-remember names.
domain name system security extensions (DNSSEC)
provides validation for DNS responses by adding a resource record signature (RRSIG)
switch
connect computers on a local network. map media access control addresses (MAC) to physical ports
router
connect networks to each other and direct traffic based on the destination IP address. use rules within access control lists (ACLs) to allow or block traffic.
implicit deny
indicates that unless something is explicitly allowed, it is denied. last rule in an ACL
host-based firewalls
filter traffic in and out of individual hosts
network-based firewalls
filter traffic in and out of a network. placed on the border of a network, such as between the internet and an internal network.
stateless firewalls
controls traffic between networks using rules within an ACL. the ACL can block traffic based on ports, IP addresses, subnets, and some protocols. additionally filter traffic based on the state of a packet within the session.
web application firewall (WAF)
protects a web server against web application attacks. typically placed in the screened subnet and will alert admins of suspicious events.
next-generation firewalls (NGFW)
perform deep packet inspection, analyzing traffic at the application layer.
stateful inspection firewalls
also known as layer 4 firewalls. They maintain the state of active connections and make decisions based on the context of the traffic as well as the rules in an ACL.
fail-open
allow all traffic to pass when the device fails
fail-closed
allow no traffic to pass when the device fails. provide greater security
screened subnet
provides a layer of protection for servers that are accessible from the internet
intranet
internal network. people use this to communicate and share content with each other.
extranet
part of a network that can be accessed by authorized entities from outside the network for secure collaboration with external partners.
network address translation (NAT)
translates public IP address to private IP addresses, private back to public, and hides IP addresses on the internal network from users on the internet.
NAT gateway
A network device that provides network address translation services to allow resources in a private subnet to access external networks, while also controlling inbound access.
air gap
provides physical isolation for systems or networks. these are completely isolated from other systems or networks with a gap of air.
router
what network device provides logical separation and segmentation using ACLs to control traffic?
forward proxy servers
forward requests for services from a client. they can cache content and record users’ internet activities
reverse proxy servers
accept traffic from the internet and forward it to one or more internal web servers. the server is placed in the screened subnet and the web servers can be in the internal network.
unified threat management (UTM)
includes multiple layers of protection, such as URL filters, content inspection, malware inspection, and a distributed DDoS mitigator. typically raise alerts and send them to admins to interpret
jump servers
placed between different security zones and provide secure access from devices in one zone to devices in the other zone. often used to manage devices in the screened subnet from the internal network.
your organization wants to identify biometric methods used for identification. the requirements are:
collect the data passively
bypass a formal enrollment process
avoid obvious methods that let the subject know data is being collected
which of the following biometric methods best meet these requirements?
facial and gait analysis
you need to provide a junior admin with appropriate credentials to rebuild a domain controller after it suffers a catastrophic failure. what type of account would best meet this need?
user account
an admin needs to grant users access to different shares on file servers based on their job functions. which of the following access control schemes would best meet this need?
role-based access control
your organization’s security policy requires that confidential data transferred over the internal network must be encrypted. which of the following protocols would best meet this requirement?
SSH
maggie needs to collect network device config information and network statistics from devices on the network. she wants to protect the confidentiality of credentials used to connect these devices. which of the following protocols would best meet this need?
SNMPv3
which one of the following components would not be able to communicate on the data plane of a zero trust network?
policy administrator
you are configuring a web server that will contain info about your organization and receive orders from your customers. which one of the following network locations is the best placement for this server?
screened subnet
network admins manage network devices remotely. however, a recent security audit discovered they are using a protocol that allows them to send credentials over the network in clear text. which of the following is the best method to be adopted to eliminate this vulnerability?
SSH
you have added another router in your network. the router provides a path to a limited access network that isn’t advertised. however, a network admin needs to access this network regularly. which of the following could he do to configure his computer to access this limited network?
use the route command
several servers in your organization’s screened subnet were recently attacked. after analyzing the logs, you discover that many of these attacks used TCP, but the packets were not part of an established TCP session. which of the following devices would provide the best solution to prevent these attacks in the future?
stateful firewall
intrusion detection systems (IDSs)
are device or software applications that monitor network or system activities for malicious activities or policy violations. They can detect and alert on potential threats but typically do not take action on their own.
intrusion prevention systems (IPSs)
are advanced security measures that monitor network traffic and can take immediate action to prevent detected threats. actively block or mitigate malicious activities based on set rules and policies. placed in-line with the traffic.
host-based IDS (HIDS)
can detect attacks on local systems such as workstations and servers. monitors local resources on the host and can detect some malware that isn’t detected on traditional antivirus software.
network-based IDS (NIDS)
detects attacks on networks
signature-based IDS/IPS
uses signatures to detect known attacks or vulnerabilities
trend-based IDSs
require a baseline and detect attacks based on anomalies or when traffic is outside expected boundaries
false positive
incorrectly raises an alert indicating an attack when an attack is not active. increase the workload of admins.
false negative
when an attack is active, but not reported
wireless access points (APs)
connect wireless clients to a wired network
service set identifier (SSID)
the name of the wireless network. disabling broadcast hides a wireless network from casual users
wifi protected access v2 (WPAv2)
uses AES with CCMP and supports open, pre-shared key (PSK), and enterprise modes
enterprise mode
more secure than personal mode because it adds authentication. uses an 802.1X authentication server implemented as a RADIUS server.
wifi protected access v3 (WPAv3)
uses simultaneous authentication of equals (SAE) instead of the PSK. supports enterprise mode and offers enhanced security features, including improved encryption and increased protection against password cracking.
EAP-TLS
most secure EAP method. requires a certificate on the server and on each of the clients.
captive portal
forces wireless clients to complete a process, such as acknowledging a policy or paying for access, before it grants them access to the network.
disassociation attack
effectively removes a wireless client from a wireless network, forcing the wireless client to reauthenticate.
wifi protected setup (WPS)
allows users to easily configure a wireless device by pressing a button or entering a short pin. not secure with WPAv2.
WPS attack
can discover the PIN created during WPS setup within hours. doesn’t work with WPAv3