Flashcards based on the provided lecture notes for Security+ exam preparation, focusing on key vocabulary and concepts.
Physical Security Controls
Security mechanisms focused on protecting facilities and real-world objects.
Technical Security Controls
Hardware or software mechanisms used to manage access to resources and systems, providing protection.
Managerial Security Controls
Policies, procedures, and administrative controls defined by an organization's security policy for planning and risk management.
Operational Security Controls
Measures ensuring that daily operations comply with overall security, primarily implemented by people.
Security Controls
Security measures to counter and minimize loss or unavailability of services due to vulnerabilities.
Safeguards
Proactive security measures that reduce the likelihood of an event occurring.
Countermeasures
Reactive security measures that reduce the impact of an event after it has occurred.
Deterrent Controls
Controls deployed to discourage violation of security policies.
Preventive Controls
Controls deployed to thwart or stop unwanted or unauthorized activity from occurring.
Detective Controls
Controls deployed to discover or detect unwanted or unauthorized activity.
Compensating Controls
Controls that provide options to other existing controls to aid in enforcement of security policies.
Corrective Controls
Controls that modify the environment to return systems to normal after an unwanted activity.
Directive Controls
Controls that direct, confine, or control actions to force compliance with security policies.
Integrity
Ensuring that data or system configurations are not modified without authorization.
Availability
Authorized requests for objects must be granted to subjects within a reasonable time frame.
Non-Repudiation
Methods to provide irrefutable evidence of a transaction, preventing denial.
Digital Signatures
Based on asymmetric cryptography; they prove that a document was not modified since it was signed.
Authentication
User or service proves identity with credentials like username and password.
Authorization
Authenticated users are granted access to resources based on roles and permissions.
Accounting
Methods that track user activity and record it in logs as part of the audit trail.
Discretionary Access Control (DAC)
Every object has an owner, and the owner can grant or deny access to any other subject.
Role Based Access Control (RBAC)
Uses roles or groups, assigning privileges to roles instead of directly to users.
Rule-based Access Control
Applies global rules to all subjects, often referred to as restrictions or filters.
Non-discretionary Access Control
Enforcement of system-wide restrictions that override object-specific access control.
Mandatory Access Control (MAC)
Every object and subject has one or more labels, with the system determining access based on assigned labels.
Attribute-Based Access Control
Access restricted based on attributes on the account, such as department or location.
Subjects
A user, group, or service accessing resources.
Objects
Resources such as files, folders, shares, and printers, accessed by subjects.
Control Gap
Discrepancy between the security measures an organization should have in place versus those actually in place.
Zero Trust
An approach to security architecture in which no entity is trusted by default.
Policy Enforcement Point (PEP)
Responsible for enabling, monitoring, and terminating connections based on access control policies.
Policy Decision Point (PDP)
Where access decisions are made based on factors such as user identity, device health, and risk assessment.
Adaptive Identity
Changes the way a system asks a user to authenticate based on the request's context.
Threat Scope Reduction
An end goal of Zero Trust Network Architecture (ZTNA), which is to decrease risks to the organization.
Policy-Driven Access Control
Controls based upon a user’s identity rather than simply their system’s location.
Policy Administrator (PA)
Responsible for communicating the decisions made by the policy engine.
Policy Engine (PE)
Decides whether to grant access to a resource for a given subject.
Implicit Trust Zones
Part of traditional security where systems belonging to the organization were placed inside a defined boundary.
Bollard
A short, sturdy vertical post used as a physical barrier to prevent vehicle-based attacks.
Access Control Vestibule
A physical security system comprising a small space with two interlocking doors to control access to secure areas.
Perimeter Intrusion Detection and Assessment System (PIDAS)
System that will detect someone attempting to climb a fence.
Change Management
The policy outlining the procedures for processing changes, which helps reduce the risk associated with changes.
Configuration Management
Ensures that systems are configured similarly and that configurations are known and documented.
Change Control
Process of evaluating a change request to decide if it should be implemented.
Approval Process
Ensures that every proposed change is properly reviewed and cleared by management.
Ownership (Change Management)
Clearly defines who is responsible for each change by designating a primary owner.
Stakeholder Analysis
Identifies all individuals and groups affected by the change, both inside and outside the organization.
Impact Analysis
A review of the potential impacts of a change, including side effects.
Backout Plan
Detailed step-by-step sequence to roll back if a change goes wrong.
Maintenance Window
Standard window of time during which changes can be implemented with minimal business impact.
Key Management
Managing cryptographic keys, including generation, exchange, storage, destruction, and replacement.
Certificate Authority (CA)
Creates digital certificates and owns the policies in a Public Key Infrastructure (PKI).
Certificate Revocation List (CRL)
Contains information about any certificates that have been revoked due to compromises.
Online Certificate Status Protocol (OCSP)
Offers a faster way to check a certificate’s status compared to downloading a CRL.
Certificate Signing Request (CSR)
Records identifying information for a person or device that owns a private key, sent to a CA to get a certificate.
Root CA
Usually maintained offline and issues certs to new subordinate CAs.
Subordinate CA
May be referred to as a Policy CA. Issues certs to new issuing CAs. Also referred to as Intermediate CA.
Key Escrow
Addresses the possibility that a cryptographic key may be lost, enabling its recovery.
User Certificate
Used to represent a user's digital identity, often mapped back to a user account.
Root Certificate
A trust anchor from which the whole chain of trust is derived.
Domain Validation (DV) Certificate
A certificate that proves the ownership of a domain name.
Extended Validation (EV) Certificates
Provide a higher level of trust in identifying the entity using the certificate.
Wildcard Certificates
Can be used for a domain and a subdomain, saving costs.
Code Signing Certificate
Used to digitally sign code, ensuring users trust the code's origin and integrity.
Self-Signed Certificate
Issued by the same entity that is using it; it is not trusted by others and lacks CRL validation.
Machine/Computer Certificate
Used to identify a computer within a domain.
Email Certificate
Allows users to digitally sign and encrypt emails.
Third-Party Certificate
Issued by a widely trusted external provider, preferred for TLS on public-facing services.
Subject Alternative Name (SAN) Certificate
An extension allowing users to specify additional host names for a single SSL certificate.
File Encryption
Used to protect specific files with unique encryption keys.
Volume Encryption
Encryption that targets a specific partition or volume within the physical drive.
Disk Encryption
Automatically encrypts data when written to or read from the entire disk.
Self-Encrypting Drive
Encryption built into the hardware of the drive itself.
Transparent Data Encryption (TDE)
A feature of SQL databases and data warehouses that encrypts and decrypts the database, backups, and transaction logs at rest.
Transport Encryption
Data in transit is most often encrypted using TLS or HTTPS.
Asymmetric Key
Public keys are shared among communicating parties, while private keys are kept secret.
Symmetric Key
Relies on the use of a shared secret key.
Advanced Encryption Standard (AES)
The current industry gold standard, offering flexibility in security levels.
Rivest–Shamir–Adleman (RSA)
Used for key exchange and digital signatures, relying on the difficulty of factoring large prime numbers.
Stream Cipher
A symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). Considered to be less secure than block ciphers.
Block Cipher
A method of encrypting text in which a cryptographic key and algorithm are applied to a block of data at once. Considered to be more secure than stream ciphers.
Substitution Cipher
A cipher that uses the encryption algorithm to replace each character or bit of the plaintext message with a different character.
Transposition Cipher
A cipher that rearranges the order of plaintext letters according to a specific rule; the letters themselves are left unchanged, only their order is scrambled.
Salt
Random data used as an additional input to a one-way function that hashes data, reducing the effectiveness of rainbow table attacks.
Trusted Platform Module (TPM)
A chip on the motherboard used for storage and management of keys for full disk encryption (FDE) solutions.
Hardware Security Module (HSM)
A physical computing device that safeguards and manages digital keys, performing encryption and decryption functions.
Key Management System (KMS)
A cloud service for centralized secure storage and access for application secrets.
Secure Enclave
A secure and isolated area within a system for processing sensitive data.
Steganography
A file, message, image, or video is concealed within another file, message, image, or video.
Tokenization
A de-identification procedure where Personally Identifiable Information (PII) fields are replaced with artificial identifiers or pseudonyms.
Anonymization
A process of removing all relevant data so that it is impossible to identify the original subject or person.
Data Masking
Implemented so that only partial data is left in the data field.
Hashing
A one-way function that scrambles plain text to produce a unique message digest.
Key Stretching
Processes used to take a key that may be weak and make it stronger by making it longer and more random.
Blockchain
A distributed, public ledger used to store transactions without intermediaries.