CompTIA Sec+ Flashcards

CIA Triad

Confidentiality, Integrity, Availability

Confidentiality

Keeps information private and protected from unauthorized access.

Social Engineering

Users accidentally disclosing too much information - Greatest threat to Confidentiality

Sniffing

Capturing data on the network using a packet or protocol analyzer

How to stop sniffing

Encrypt data

Media Reuse

If there is sensitive information on a drive and we want to reuse the drive, we need to scrub information

Integrity

The accuracy and consistency of data, ensuring that it remains unaltered during storage and transmission.

Hashe

used to verify data integrity by producing a unique fixed-size output from variable-sized input

MACS (Message Authentication Codes)

• Provides reasonable authenticity and integrity

• Not strong enough to be non-repudiation

  • Due to usage of symmetric key

Digital Signatures

• Can detect both malicious and accidental modifications

• Requires overhead

• Provides true non-repudiation

  • Stronger than MACS due to usage of asymmetric keys

Availability

the assurance that systems and data are accessible when needed, ensuring continuous operation and reducing downtime.

How to provide availability

• Redundancy

• Content Delivery Networks

• Data Dispersion

How to take down systems (aka stop availability)

DoS, DDoS, Disasters

Non-repudiation

• Person-Based Authenticity + Integrity

• Accomplished through digital signatures

• Provides assurance of the origin of a message and the contents have not been modified

What does non-repudiation accomplish

Provides assurance of the origin of a message and the contents have not been modified

Access Control

Identification, Authentication

Authorization

DAC (Discretionary Access Control)

• Most windows systems

• Security of an object is at the discretion of the objects owner

• Access is granted through an ACL (Access Control List)

• Commonly implemented in commercial products and all client-based system

• Identity Based

How are security labels and categories defined?

By the organization

RBAC (Role-Based Access Control)

• Access is granted based on roles within an organization

• Users are assigned roles with predefined permissions

• Enforces least privilege by restricting access to job-related tasks

• Scalable for large organizations

Roles group permissions (For RBAC)

• Simplifies management

Security Controls

• Implementation or enforcement of the CIA triad for a system or data asset

• Controls are divided into four categories

Technical Controls

• Control implemented as a system

  • Hardware, software, firmware

• May also be called logical security controls

• Executed by computer systems (instead of people)

• Implemented with technology

Operational Controls

• Implemented by people, rather than system

• Focused on the day to day procedures of an organization

• Focused on managing risk

Examples of Technical Controls

• Firewalls

• Encryption

• IDS

Examples of operational controls

• Configuration management

• Systems backups

• Patch management

Managerial Controls

• Provides oversight of the information system

Examples of managerial controls

• Organizational security policy

• Risk assessments

• Security awareness training

Physical Controls

Deter, detect, and prevent unauthorized access, theft, damage, or destruction of material assets

Examples of physical security controls

• Data backups

• Firewalls

• Asset Management

Preventive Controls

• Proactive

• Stop attack (even temporarily)

Examples of preventive security controls

• Encryption

• Firewalls

• AV Software

Deterrent controls

• Proactive

• Discourage attacks

Examples of deterrent controls

• Warning signs

• Lighting

• Fencing/Bollards

Corrective Controls

• Reactive

• Recovering data from backup copies

• Applying software updates and patches to fix vulnerabilities

• Developing and implementing IRPs to respond to and recover from security incidents

• Activating and executing DRPs to restore operations after a major incident

Detective controls

• Reactive

• Helps indicate a compromise to the system

Example of detective controls

• Log monitoring

• Security audits

• CCTV

• IDS

• Vulnerability scanning

Compensating Controls

• Primary control is not available or is not providing enough security

Example of compensating controls

• Backup power systems

• MFA

• Application Sandboxing

• Network Segmentation

Directive Controls

• Managerial controls that come from leadership

• Implemented through policies and procedures

Example of directive controlsd

• IRP

• AUP

Purpose of Functional controls

Gap analysis

Functional Controls

Preventive, detective, corrective, deterrent, compensating, directive

Gap analysis

• Where you are

• Skills needed to get where you’re going

• Where you need to be

Security controls

Technical, operational, managerial, physical

Security Zones

• Grouping different security levels into different areas or zones

• As you go farther into the system, the less trusted the zone is

Movement between security zones

• Interfaces between zones have some type of access control to restrict movement between zones

  • Like biometric and guard stations

  • Or firewalls

Median Security Zone

• Between the internet and internal network

• Called DMZ

  • Demilitarized Zone

Zones of Trust (Security Zones)

• Untrusted - External Firewall - Semi Trusted - Internal Firewall - Trusted

Internet accessible servers

• Placed in DMZ

• Called bastion hosts

• Placed in between the internet and internal network

Zero trust

• Assumes there is no inherent trust

• Each independent entity must authenticate individually before access is allowed

How to implement zero trust

break down our network into smaller and easier to manage planes (Control and data plane)

Data Plane

• Processing of packets, frames and network data

• Where actual security function happens

  • Encryption, NAT, filtering, etc

Control Plane

• Where administrative functions are performed

  • Controls how data is allowed to move through the data plane

How is the control plane set up?

• Policies and rules

• Routing tables

• NAT tables

NAT Tables

• Tracks IP addresses and port number reassignments

• Helps the router determine what to do with incoming packets

• Within a router or NAT-Enabled Device

NAT-Enabled Device

• DSL Modem and WIFI Routers

Policy Enforcement Points (PEP)

• The guard for trust zones that host one or more enterprise resources

• Enables, monitors, and eventually terminates connections between subjects and resources

Examples of Policy Enforcement Points (PEP)

• CASB

• APs

• VPNs

Policy Decision Point (PDP)

• Combines with PEP and a policy administrator

• Any system where policy created

• Adaptive identities

Example of PDP systems where policy is created

• RADIUS

• Network Policy Servers

Adaptive identities can be used based on (from PDP)

• Location

• IP addresses

• Other criteria to indicate needs for additional security

Policy Information Point (PIP)

• Integration with active directory

• So RADIUS can forward requests or use the active directory

  • To determine user rights and permissions

PIP consists of

• Identity

• Credential and Access Management (ICAM)

• Endpoint Detection and Response (EDR)

• Security Analytics

• Data Security Systems

Site layout and access

• Layers of security

• Zones with different security controls/access levels

• ID badges

• Barriers and access points

• Fencing

Types of Locks

• Conventional

• Deadbolt

• Electronic

• Smart card

• Biometric

• Multifactor

Turnstiles/Mantraps

• Two doors to enter

• Can’t have both doors open at the same time

Fail-Secure

will lockdown all data inside

Fail-safe

Changes to a secure state in case of a failure, error, or unexpected conditions

Alarm Systems

• Circuit

• Motion

• Duress

Circuit Alarm System

• Open or closed

• Detect intrusion through a barrier

Motion Alarm System

• Radar infrared

• Detect intrusion in a space

Duress Alarm System

• Fixed or mobile

Surveillance

• Guard dogs

• Security guards

• Video/CCTV

• Lighting

• Physical access logs

• Staff

Hardware Security

• Lockable cabinets

• Device locks

• Safes

• Protected distribution

Environmental Controls

• Site location

  • Accessibility

  • Utilities

  • Known hazards

• Building control

Building Controls

• Dust

• Temperature/humidity (HVAC)

HVAC for computer systems

• Hot and Cold Aisles

  • Optimize airflow

  • Place servers back to back

  • Hot aisle / cold aisle

  • Do not allow contamination of cooled air by warmed air

Radio Frequency Interference (RFI)

• Power cabling, motors, microwaves

• Competing devices (multiple access points, Bluetooth)

• Can cause data errors in wireless communications

Electromagnetic Interference (EMI)

• Equipment or cabling in close proximity to the noise source

• Fiber Optic Cabling best because light is not as susceptible to interference

Fire Prevention

• Regular inspection

• Control ignition sources and flammable material

• Fire doors

Fire Detection

Smoke/flame detectors/alarms

Fire emergency procedures

• Escape/Evacuation plan

• Escape routes

• Drills

Fire Suppression

• Personal fire extinguishers

• Sprinklers

What type of fire extinguisher do we want (3 types - A, B, C)

Type C

Types of sprinklers

• Dry pipe

  • After the alarm, there is a period of time till water is released

• Pre-action

  • Releases water immediately but will only activate if the plastic tab holding everything back melts

  • Gives a degree of protection to false positives

• Halon

  • Suppressed fires quickly

  • Kills people though 💀

  • Outlawed because of its effect on the environment

• Clean Agent

  • Release CO2 or some other chemical

Baseline Configuration

• Minimum acceptable security configuration

• Changes should be prevented without

  • Proper authorization and as a result of the change management process

Change Management

• prevents new vulnerabilities from being introduced to a stable environment

Process of Change Management

• Owner of system or data submits change request

• Request is evaluated by CCB for risk and cost/benefit analysis

• Change is approved or denied

• If approved change is tested in an environment isolated from product

• Change is scheduled

  • Backout/rollback plans are created

• Change is rolled out

• Owner manages change and ensures everything is working thereafter

• Maintenance is schedule

• SOPs are updated

CCB

Change control board

SOPs

Standard operating procedures

Restricted Activities

• Authorization for scope change is limited very specifically for items described in the scope document

• Changes that are required to implement the change may need to be added to the scope of work

• Change control processes should document the next steps

Implications of Change Control

• System/service downtime

• Restarts of systems or applications

• Legacy applications may fail

• Dependent services may not be available

Updating Documentation

• Make sure that versioning, revisions, updates, upgrades are added to 

  • Network diagrams

  • Support documentation

  • Policies and procedures

PAIN

Privacy, Authenticity, Integrity, Non-Repudiation

P in PAIN

Prevents unauthorized disclosure of information

A in PAIN

Verifies the claimed identity

I in PAIN

Detects modification or corruption

N in PAIN

• Combines authenticity and Integrity

• Sender cannot dispute having sent a message nor its contents

Cipher Text Equation

Plain Text + Initialization Vector + Algorithm (aka Cipher) + Key