What is the CIA Triad?
Three principles of security control and management: Confidentiality, Integrity, and Availability. Also known as the information security triad.
Confidentiality
The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.
Integrity
The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.
Availability
The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.
Non-repudiation
The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.
NIST (National Institute of Standards and Technology)
Develops computer security standards used by US federal agencies and publishes cybersecurity best practice guides.
Cybersecurity Frameworks (CSF)
Standards, best practices, and guidelines for effective security risk management.
Security Controls
A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.
Gap Analysis
An analysis that measures the difference between the current and desired states in order to help assess the scope of work included in a project.
IAM (Identity and Access Management)
A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities.
Authentication
A method of validating a particular entity's or individual's unique credentials.
Authorization
The process of determining what rights and privileges a particular entity has.
Accounting
Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.
AAA (Authentication, Authorization, and Accounting)
A security concept where a centralized platform verifies subject identification, ensures relevant permissions, and logs actions.
Managerial Control
A category of security control that gives oversight of the information system. Examples include risk identification or tools for evaluating and selecting other security controls.
Operational Control
A category of security control that is implemented by people.
Technical Control
Control implemented as a system (hardware, software, or firmware). Examples: firewalls, antivirus software, and OS access control models.
Physical Control
Controls such as alarms, gateways, locks, lighting, security cameras, and guards that deter and detect access to premises and hardware.
Preventive Control
A type of security control that acts before an incident to eliminate or reduce the likelihood that an attack can succeed.
Detective Control
A type of security control that acts during an incident to identify or record that it is happening.
Corrective Control
A type of security control that acts after an incident to eliminate or minimize its impact.
Deterrent Control
A type of security control that discourages intrusion attempts.
Compensating Control
A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.
SOC (Security Operations Center)
The location where security professionals monitor and protect critical information assets in an organization.
DevOps (Development and Operations)
The practice of integrating software development with systems operations.
DevSecOps
A combination of software development, security operations, and systems operations, integrating each discipline with the others.
CIRT (Computer Incident Response Team)
A team with responsibility for incident response across multiple business domains.
Vulnerability
A weakness that could be triggered accidentally or exploited intentionally to cause a security breach.
Threat
A potential for an entity to exploit a vulnerability (that is, to breach security).
Risk
Likelihood and impact (or consequence) of a threat actor exercising a vulnerability.
Threat Actor
A person or entity responsible for an event that has been identified as a security incident or as a risk.
Nation-state Actors
A type of threat actor that is supported by the resources of its host country's military and security services.
Hacktivists
A threat actor that is motivated by a social issue or political cause.
Organized Crime
A type of threat actor that uses hacking and computer fraud for commercial gain.
Internal Threat
A type of threat actor who has been assigned privileges on the system and who causes an intentional or unintentional incident.
Shadow IT
Computer hardware, software, or services used on a private network without authorization from the system owner.
Threat Vector
The path that a threat actor uses to execute a data exfiltration, service disruption, or disinformation attack.
Social Engineering
Using persuasion, manipulation, or intimidation to make the victim violate a security policy.
Impersonation
Social engineering attack where an attacker pretends to be someone they are not.
Pretexting
Social engineering tactic where a team communicates a lie or half-truth to get someone to believe a falsehood.
Phishing
A type of email-based social engineering attack from a supposedly reputable source to try to elicit private information.
Vishing
A human-based attack where the attacker extracts information while speaking over the phone or leveraging VoIP.
Smishing
A form of phishing that uses SMS text messages to trick a victim into revealing information.
Pharming
An impersonation attack in which a request for a website is redirected to a similar-looking, but fake, website.
Typosquatting
An attack where an attacker registers a domain name with a common misspelling of an existing domain.
Business Email Compromise
An impersonation attack where the attacker gains control of an employee's account and uses it to convince other employees to perform fraudulent actions.
Watering Hole Attack
An attack where an attacker targets specific groups, discovers which websites they frequent, and injects malicious code into those sites.
Cryptography
The science and practice of altering data to make it unintelligible to unauthorized parties.
Plaintext
Unencrypted data that is meant to be encrypted before transmission, or the result of decryption.
Ciphertext
Data that has been enciphered and cannot be read without the cipher key.
Encryption
Scrambling characters in a message so it can be seen but not understood or modified unless deciphered.
Symmetric Encryption
Two-way encryption scheme where encryption and decryption are both performed by the same key.
Asymmetric Algorithm
Cipher that uses public and private keys that are mathematically linked, but the private key is not derivable from the public one.
Public Key
In asymmetric encryption, freely distributed key used to encrypt data, which can only be decrypted by the linked private key.
Private Key
In asymmetric encryption, key known only to the holder and linked to, but not derivable from, a public key.
Hashing
A function that converts an arbitrary-length string input to a fixed-length string output; a cryptographic hash function does this in a way that makes collisions (two different inputs producing the same output) unlikely.
SHA (Secure Hash Algorithm)
A cryptographic hashing algorithm created to address possible weaknesses in MD5. Current version is SHA-2.
MD5 (Message Digest Algorithm #5)
A cryptographic hash function producing a 128-bit output.
Digital Signature
A message digest encrypted using the sender's private key that is appended to a message to authenticate the sender and prove integrity.
PKI (Public Key Infrastructure)
A framework of certificate authorities, digital certificates, software, and services deployed to validate subject identities.
Certificate Authority (CA)
A server that guarantees subject identities by issuing signed digital certificate wrappers for their public keys.
Digital Certificate
Identification and authentication information presented in X.509 format and issued by a CA as a guarantee that a key pair is valid.
Root Certificate
In PKI, a CA that issues certificates to intermediate CAs in a hierarchical structure.
Certificate Chaining
A method of validating a certificate by tracing each CA that signs the certificate up through the hierarchy to the root CA.
Self-signed Certificate
A digital certificate that has been signed by the entity that issued it, rather than by a CA.
CSR (Certificate Signing Request)
A Base64 ASCII file that a subject sends to a CA to get a certificate.
SAN (Subject Alternative Name)
A field in a digital certificate allowing a host to be identified by multiple host names/subdomains.
Wildcard Domain
In PKI, a digital certificate that will match multiple subdomains of a parent domain.
CRL (Certificate Revocation List)
A list of certificates that were revoked before their expiration date.
OCSP (Online Certificate Status Protocol)
A protocol that allows clients to request the status of a digital certificate to check whether it is revoked.
TPM (Trusted Platform Module)
A specification for secure hardware-based storage of encryption keys, hashed passwords, and other identification information.
HSM (Hardware Security Module)
An appliance for generating and storing cryptographic keys, less susceptible to tampering than software-based storage.
Data at Rest
Information that is primarily stored on specific media, rather than moving from one medium to another.
Data in Transit
Information that is being transmitted between two hosts, such as over a private network or the Internet.
Data in Use
Information that is present in the volatile memory of a host, such as system memory or cache.
FDE (Full Disk Encryption)
Encryption of all data on a disk, including system files, temporary files, and the pagefile.
Perfect Forward Secrecy (PFS)
A characteristic ensuring that if a key is compromised, it will only affect a single session and not facilitate recovery of other sessions' plaintext.
Diffie-Hellman
A cryptographic technique that provides secure key exchange.
Salt
A security countermeasure that mitigates precomputed hash table attacks by adding a random value to each plaintext input.
Key Stretching
A technique that strengthens potentially weak input for cryptographic key generation against brute force attacks.
Blockchain
A concept where an expanding list of transactional records in a public ledger is secured using cryptography.
Obfuscation
A technique that "hides" or "camouflages" code or other information so that it is harder for unauthorized users to read.
Steganography
A technique for obscuring the presence of a message, often by embedding information within a file or other entity.
Data Masking
A de-identification method where generic or placeholder labels are substituted for real data while preserving structure.
Tokenization
A de-identification method where a unique token is substituted for real data.
PIN (Personal Identification Number)
A number used with authentication devices such as smart cards, known only to the user.
Password Best Practices
Rules to govern secure selection and maintenance of knowledge factor authentication secrets, such as length, complexity, age, and reuse.
MFA (Multifactor Authentication)
An authentication scheme requiring the user to present at least two different factors as credentials.
Biometric Authentication
An authentication mechanism that allows a user to perform a biometric scan to operate an entry or access system.
FRR (False Rejection Rate)
A biometric metric measuring the number of valid subjects who are denied access.
FAR (False Acceptance Rate)
A biometric metric measuring the number of unauthorized users who are mistakenly allowed access.
CER (Crossover Error Rate)
A biometric evaluation factor expressing the point at which FAR and FRR meet, with low values indicating better performance.
Smart Cards
A security device similar to a credit card that can store authentication information on an embedded cryptoprocessor.
OTP (One-Time Password)
A password generated for use in one specific session that becomes invalid after the session ends.
Security Key
Portable HSM with a computer interface (USB or NFC) used for multifactor authentication.
Passwordless
Multifactor authentication scheme that uses ownership and biometric factors, but not knowledge factors.
DAC (Discretionary Access Control)
An access control model where each resource is protected by an ACL managed by the resource's owner.
MAC (Mandatory Access Control)
An access control model where resources are protected by inflexible, system-defined rules with clearance levels.
RBAC (Role-Based Access Control)
An access control model where resources are protected by ACLs managed by administrators based on job functions.
ABAC (Attribute-Based Access Control)
An access control technique that evaluates a set of attributes each subject possesses to determine access.