Security+ Study Shortcomings

Description and Tags

This study set is to help bring me up in the areas I am struggling with.

29 Terms

1

TPM

Trusted Platform Module

Hardware CHIP on the motherboard

  1. Stores keys for local encryption

  2. Provides FDE (full disk encryption)

  3. Is the root of trust for a system / secures boot process

2

HSM

Hardware Security Module

External device

  1. Provides cryptographic operations

  2. Stores keys for multiple systems

3

MSA

Master Service Agreement

Overarching framework / terms for ongoing relationship between two organizations.

  1. Billing / payment

  2. General service expectations

4

SOW

Service Level Agreement

Statements of Work

Document that outlines specific activities, deliverables, and timelines for a particular project/task within larger MSA

5

SLA

Document that specifies the minimum level of service a provider will provide

  1. Often quantifiable performance metrics (uptime, response times, data preservation requirements)

6

MOU

Memorandum of Understanding

Less formal document that expresses intent to collaborate on certain terms

  1. Not legally enforceable

7

MOA

Memorandum of Agreement

More formal document detailing specific terms that both parties agree to

8

NDA

Non-Disclosure Agreement

Signed when two organizations are exploring business partnership. Ensures confidential information remains secret.

9

BPA

Business Partnership Agreement

Agreement that defines the relationship, ownership structure, financial details, profit-sharing, and how partners operate / make decisions within a business

10

Forward Proxy

Protects clients by sitting on client’s private network (controls outbound traffic)

  1. Can filter outbound traffic to certain servers (policy enforcement) 

  2. Masks clients' IP addresses

11

Reverse Proxy

Protects servers by sitting on server’s private network (controls inbound traffic)

  1. Masks servers' IP addresses

  2. Protects against DDoS / can load balance

12

What is Zero Trust Architecture?

An architecture where you “assume breach”. To connect with any application or database you need to authenticate each time. 

  1. Never trust, always verify

  2. Least privilege 

  3. Explicit verification (not implicit, except in trusted zones)

13

How can we apply Zero Trust?

Control Planes

Break up devices and processes into 2 planes of operation:

  1. Data Plane (Doing)

    1. Handles data movement

    2. Enforces policies on live traffic

  2. Control Plane (Planning)

    1. Manages configurations / policies for data plane

14

What is adaptive identity?

When security controls are elevated based on additional information. Looks at more information than just what the user is providing.

Example: someone logs into a database in the US; the system might see they are connecting from China and employ extra security.

15

What are security zones?

They are zones of operation within a system.

  1. Untrusted (external)

  2. Trusted (internal)

  • DENY untrusted-trusted 

  • ALLOW implicit trust if trusted-trusted

16

What are the 3 policy components?

Policy Enforcement Point (PEP), Policy Decision Point (PDP - PA/PE)

17

What does PEP do?

The policy enforcement point serves as the gatekeeper. All traffic going over the network needs to go through it.

  1. Inspects users, processes, and apps (gathers info but doesn’t decide)

18

What does PDP (or PE) do?

Policy decision points actually analyze the request information gathered from the PEP and then decide to trust or not.

  1. Decide whether or not something / someone is to be trusted

  2. MAKES THE DECISION

19

Policy Administrator

Establishes communication path between requester and the system resource by dispensing access tokens. MAKES IT HAPPEN

20

What is the overall flow of steps through a zero trust (PEP/PDP/PA) system?

  1. User hits PEP

  2. PEP refers to PDP (PA/PE)

  3. PDP refers back to PEP and allows access

21

What is the Policy Engine?

Component that actually decides to grant/deny access to a resource for a requester

22

Which plane is PEP in? PDP? PA? PE?

Data Plane

  1. PEP

Control Plane

  1. PDP, PA, PE

23

Who is the data owner and what do they do?

Data Owner

Senior Executive or Manager

  1. Classify data

  2. Determine access levels

  3. Ensure protection aligns with business needs

24

Who is the data controller and what do they do?

HR / Payroll Department

  1. Decides the purposes and means of processing personal data

  2. Ensure compliance with laws (example: people above payroll processors)

  3. Define how data is used/collected

  4. Oversee the data processors

25

Who is the data processor and what do they do?

Individual / Team / 3rd-party service

  1. Processes data on behalf of the controllers (example: payroll processing)

  2. Implement security measures

  3. Report breaches

26

Who is the data custodian/steward and what do they do?

Individual / Team

  1. Responsible for operational security

  2. Storage and backups

  3. Keep data accurate, available, and compliant

27

What’s the difference between risk acceptance and risk tolerance?

Risk Acceptance

  1. Conscious decision to take on risk after assessment

  2. Choosing to not mitigate or transfer the risk

Risk Tolerance

  1. The LEVEL of risk a company will tolerate before addressing it

So risk > risk tolerance ≠ Risk acceptance

28

What are some examples of indicators of compromise?

  1. Unusual network traffic

  2. Unusual user activity

  3. Anomalous logs

  4. Unauthorized processes

  5. Modified system files / registries

29