Comprehensive vocabulary terms based on the Secure Baselines, Hardening, Identity Management, and Incident Response lecture transcript.
Secure Baselines
Defined security configurations established (often by manufacturer), deployed via centrally administered consoles, and maintained over time.
SCADA/ICS
Supervisory Control and Data Acquisition / Industrial Control Systems; large-scale multi-site systems that manage onsite equipment and require extensive segmentation.
RTOS
Real-Time Operating System; an OS with a deterministic processing schedule, isolated from the network and run with minimum services.
MDM
Mobile Device Management; centralizes management of company/user-owned mobile devices including apps, data, camera, and access control.
COPE
Corporate Owned, Personally Enabled; the company buys the device but allows personal use while keeping full control.
CYOD
Choose Your Own Device; like COPE, but the user picks which device they want from a pre-approved list.
WPA3
Wi-Fi Protected Access 3, adopted in 2018; introduces GCMP and SAE for stronger security.
GCMP
Galois/Counter Mode Protocol; uses AES for data confidentiality and GMAC for message integrity.
SAE
Simultaneous Authentication of Equals; a Diffie-Hellman derived key exchange (dragonfly handshake) used in WPA3 that creates different session keys with the same PSK.
WPA3-Personal/PSK
WPA3 using a pre-shared key where everyone uses the same 256-bit key.
RADIUS
Remote Authentication Dial-in User Service; one of the more common AAA protocols used to centralize authentication.
IEEE 802.1X
Port-based Network Access Control; ensures no access to the network until the user is authenticated.
EAP
Extensible Authentication Protocol; a framework that embeds authentication within the 802.1X process.
SAST
Static Application Security Testing / Static code analyzers; tools that find security vulnerabilities by reviewing source code.
Code Signing
Using asymmetric encryption where a trusted CA signs the developer's public key and the developer signs code with their private key to verify origin.
Fuzzing
Dynamic analysis / fault injection testing that sends random input to an application to see how it handles it.
OSINT
Open-Source Intelligence; publicly available info from the internet, government data, and commercial data.
CVSS
Common Vulnerability Scoring System; quantitative scoring of vulnerability severity on a scale from 0 to 10.
CVE
Common Vulnerabilities and Exposures; a standardized list or identifier for known vulnerabilities.
Exposure Factor
The percentage of value or business activity lost if a specific vulnerability is exploited.
Compensating Controls
'Good enough' solutions used when a primary security control cannot be implemented.
SCAP
Security Content Automation Protocol; maintained by NIST, it consolidates vulnerability info across devices into a single language.
SIEM
Security Information and Event Management; a system for log collection and security alert management.
SNMP
Simple Network Management Protocol; an application-layer protocol used to monitor and manage network devices over IP.
NetFlow
A protocol that gathers traffic statistics from all traffic flows on a network.
NGFW
Next Generation Firewall; a Layer 7 firewall that analyzes and categorizes every packet, a technique known as deep packet inspection.
Implicit Deny
A firewall principle where traffic is denied by default at the end of the rule list if it does not match any specific rule.
Screened Subnet
An additional layer of security between the internal network and the internet, connected through a firewall.
SELinux
Security-Enhanced Linux; open-source security patches for the Linux kernel that add Mandatory Access Control (MAC).
SPF
Sender Policy Framework; defines which email servers can send mail on a domain's behalf to verify sender legitimacy.
DKIM
DomainKeys Identified Mail; digitally signs outgoing mail to confirm it was not altered after being sent.
DMARC
Domain-based Message Authentication, Reporting, and Conformance; extends SPF and DKIM and allows domain owners to specify actions for failing emails.
FIM
File Integrity Monitoring; monitors the integrity of files on a system (e.g., SFC for Windows or Tripwire for Linux).
EDR
Endpoint Detection and Response; uses behavioral analysis and machine learning to detect threats and respond via isolation or quarantine.
XDR
Extended Detection and Response; an evolution of EDR that adds broader data input from network and cloud sources.
LDAP
Lightweight Directory Access Protocol; a protocol for read/write access of directories over an IP network, based on X.500.
SAML
Security Assertion Markup Language; an open standard for the authentication of a user through a third party.
MAC
Mandatory Access Control; assigns labels to objects with the administrator deciding access by security level.
DAC
Discretionary Access Control; the data creator or owner decides access; highly flexible but weak.
RBAC
Role-Based Access Control; access is determined by the user's role in the organization via group memberships.
ABAC
Attribute-Based Access Control; grants or denies access based on characteristics of the user, resource, and environment.
Legal Hold
A legal technique to preserve relevant Electronically Stored Information (ESI) in a separate repository.
Chain of Custody
A list of everyone who has had contact with digital data to maintain its integrity for forensic purposes.