Control Categories
Technical, Managerial, Operational, and Physical
Control type: Preventive
Control type that blocks access to a resource so the attempt never succeeds, e.g. firewall rules, door locks
Control type: Deterrent
Control type that discourages an intrusion attempt but does not directly prevent access, e.g. application splash screens, the threat of demotion, a staffed reception desk, warning signs
Control type: Detective
Control type that identifies and logs an intrusion attempt, and may not prevent access, e.g. system logs, reviewing login reports, property patrols, motion detectors
Control Type: Corrective
Control type applied after an event has been detected, to reverse or limit its impact, e.g. restoring from backup, policies for reporting issues, contacting the authorities, a fire extinguisher
Control Type: Compensating
Control type that achieves the goal by other means when the primary control can't be implemented or isn't sufficient, e.g. a firewall blocking a specific application instead of patching it, separation of duties, requiring multiple security staff, a backup power generator
Control Type: Directive
Control type that directs a subject towards security compliance; relatively weak on its own, e.g. file storage policies, compliance policies, security policy training, posted signs that direct behaviour
CIA Triad
Confidentiality, Integrity, and Availability
Non-repudiation
Proof of integrity and proof of origin together: verify that the data has not changed and that it came from the claimed sender, so the sender cannot later deny having sent it
Proof of Integrity
Verify data does not change
Proof of Origin
Prove the source of the message
AAA Framework
Authentication, Authorization, and Accounting
Authentication
Prove you are who you say you are
Authorization
Based on your identification and authentication, what access do you have?
Accounting
Logging of activity: resources used, timestamps, data sent and received, login and logout times
Certificate Authority
Trusted third party that issues digital certificates, binding a public key to the identity of its owner; anyone who trusts the CA can then trust the keys it has certified (the PKI trust model)
Gap Analysis
a type of analysis that compares the differences between where we are and where we would like to be
Zero Trust
A security model based on the principle of maintaining strict access controls and not trusting anyone by default, even those already inside the network
Planes of Operation
Split the network into functional planes: the data plane carries the traffic of end users, applications, and non-human entities; the control plane manages policy and decides what the data plane is allowed to do
Adaptive Identity
Relies on real-time validation that takes into account the user's behavior, device, and location to establish the identity of the user or resource. Each signal can add to or subtract from the trust granted
Threat scope reduction
Decrease the number of possible entry points
Policy-driven access control
Entails developing, managing, and enforcing user access policies based on their roles and responsibilities
PEP
Policy enforcement point: Where the decision to grant or deny access within a system or network is actually executed
PDP
Policy Decision Point: the component (policy engine plus policy administrator) that decides whether an access request is granted. It makes the authorization decision but does not enforce it; enforcement is the PEP's job
Policy Engine
Grants, Denies, or revokes each access decision based on policy and other information sources
Policy Administrator
Communicates with PEP, generates access tokens, tells the PEP to allow or disallow access
Zero Trust Across Planes
Subject -> system -> PEP -> Policy Administrator -> policy engine -> PEP
Barricade/bollards
Short vertical posts placed in front of entrances to prevent malicious actors from accessing the building
Access Control Vestibules
Double-door system electronically controlled to allow only one door open at a time
Honeypot
Deliberately vulnerable system set up to attract an intruder, keep them away from production, and let defenders observe their tools and techniques
Honeynet
collection of honeypots connecting several honey pot systems on a subnet which can include servers, workstations, routers, switches, and firewalls
Honeyfile
Bait file (e.g. "passwords.txt") that looks important, planted on a file server; the server raises an alarm when anyone accesses it
Honeytoken
Piece of data or a resource with no legitimate use (e.g. fake API credentials, fake email addresses) that is monitored; any use signals a breach and shows where the data was taken from
Change Management
The process, tools, and techniques that help people implement changes to security and existing infrastructure along with anything else within an organization
Change approval process
formal process for managing change to avoid downtime, confusion and mistakes.
allow list
A security configuration where access is denied to any entity (software process, IP/domain, and so on) unless the entity appears on the allow list
deny list
A security configuration where everything is allowed except the entities explicitly listed, e.g. specific applications blocked from execution
PKI
Public Key Infrastructure. Group of technologies used to request, create, manage, store, distribute, and revoke digital certificates. Certificates include public keys along with details on the owner of the certificate and on the CA that issued the certificate. Certificate owners share their public key by sharing a copy of their certificate.
Symmetric Encryption
the same key is used to encrypt and decrypt; fast, but the key must be shared secretly with every party
Asymmetric Encryption
two mathematically related keys are used; what one key encrypts only the other can decrypt. The public key is shared freely, the private key is never shared
Key Escrow
a control procedure whereby a trusted third party holds a copy of the private (decryption) key, so encrypted data can be recovered if the key holder leaves or loses the key. A public key needs no escrow because it is already public
Transparent Encryption
Transparent Data Encryption (TDE): encrypts the whole database at rest with a symmetric key, with no changes to the application that uses the database
Record Level Encryption
Encryption that is performed at the record level. Choices can be made about which records to encrypt, which has a significant positive effect on both performance and security
Transport Encryption
Way to protect data traversing the network
VPN
Virtual Private Network; encrypts all data transmitted through the tunnel, regardless of the application
• Client-to-site (remote access) VPN: typically SSL/TLS
• Site-to-site VPN: typically IPsec
Key Stretching
A technique that enhances the security of a key, typically one derived from a password, by repeatedly hashing it (thousands of rounds, e.g. PBKDF2 or bcrypt), so that each guess costs the attacker more and brute force attacks are slower
Key Exchange
The process of sending and receiving secure cryptographic keys
Out-of-band key exchange
Sending an encryption key to someone through telephone, courier, in person. Not over the web
TPM
Trusted Platform Module. A hardware chip on the motherboard (or built into the CPU) of most modern laptops and desktops. It holds a unique, burned-in RSA key pair (the endorsement key), has a hardware random number generator, and can generate and store other keys used for encryption, decryption, and authentication. Full disk encryption such as BitLocker uses the TPM to protect the disk encryption key: the TPM stores and releases that key, it does not encrypt the disk itself
HSM
Hardware Security Module. High-end, tamper-resistant appliance or card that securely generates and stores thousands of cryptographic keys, performs cryptographic operations with them (using hardware accelerators) so the keys never leave the device, and provides key backup for servers
Key Management System
Integrated approach for generating, distributing and managing, cryptographic keys for devices and applications
Secure Enclave
A protected area for our secrets, usually a separate hardware processor isolated from the main CPU, with its own boot ROM, memory protection, random number generator, and cryptographic functions. The main operating system can ask the enclave to use a key but cannot read the key itself
Obfuscation
the action of making something obscure, unclear, or unintelligible. Hiding something in plain sight
Steganography
the art and science of hiding information by embedding messages within other, seemingly harmless messages, typically through images
Common steganography techniques
• Network based
• Embed messages in TCP packets
• Use an image
• Embed the message in the image itself
• Invisible watermarks
• Yellow dots on printers
• Serial number and timestamp
Tokenization
The process of replacing sensitive data (e.g. a credit card number) with a token, a substitute value that has no exploitable meaning of its own. The real value is kept in a separate token vault and can be looked up by the token, so systems that only handle the token carry no sensitive data
Data Masking
Hiding some of the original data. i.e. hiding credit card number on receipt
PII
Personally Identifiable Information
Hashes
Represent data of any size as a short, fixed-length string of text (a message digest)
• One-way: computationally infeasible to recover the original message from the digest
• Used to store passwords without keeping the plaintext, and to verify integrity (e.g. a download checksum)
• Basis of a digital signature, which provides authentication, non-repudiation, and integrity
• A well designed hash makes collisions infeasible to find
• Different messages should not produce the same hash
Collision
when different inputs create the same hash
salting
Adding random data into a one-way cryptographic hash to help protect against password cracking techniques
Rainbow Table
A file of pre-generated hash values and their associated plaintext
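The hashes, salting, and rainbow table cards above and the key stretching card earlier all describe one failure mode: a fast, unsalted hash of a password can be precomputed once and reused against every user. The following is an added example, not taken from the original cards, that contrasts a bare SHA-256 digest with a salted, key-stretched sha512crypt hash using the openssl command line (assumes OpenSSL 1.1.1 or newer; the passwords and user names are constructed for the demo).

```shell
#!/bin/sh
# Added example: unsalted digest vs salted, key-stretched password hash.
# Requires the openssl CLI (1.1.1+ for "openssl passwd -6").
set -eu

# Plain SHA-256 of the password: no salt, one fast iteration.  Two users
# with the same password get the same digest, so a single precomputed
# (rainbow) table cracks both at once.
unsalted_hash() {
    printf '%s' "$1" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Salted and stretched: sha512crypt ("$6$") runs thousands of rounds of
# SHA-512 over the password plus a per-user random salt.  The salt is not
# secret; it is stored in the clear inside the result ("$6$<salt>$<digest>").
salted_stretched_hash() {
    salt="$(openssl rand -hex 8)"        # 16 fresh hex characters per user
    printf '%s\n' "$1" | openssl passwd -6 -salt "$salt" -stdin
}

# Verify a login: pull the salt out of the stored hash, re-hash the
# candidate with that same salt, compare.  Returns 0 on match, 1 otherwise.
verify_password() {
    stored="$1"; candidate="$2"
    salt="$(printf '%s' "$stored" | cut -d'$' -f3)"
    recomputed="$(printf '%s\n' "$candidate" | openssl passwd -6 -salt "$salt" -stdin)"
    [ "$recomputed" = "$stored" ]
}

# Demo (constructed data): two users who chose the same password.
alice="$(unsalted_hash 'Winter2024!')"
bob="$(unsalted_hash 'Winter2024!')"
echo "unsalted alice: $alice"
echo "unsalted bob:   $bob"            # identical -> one rainbow table hits both

alice_s="$(salted_stretched_hash 'Winter2024!')"
bob_s="$(salted_stretched_hash 'Winter2024!')"
echo "salted alice:   $alice_s"
echo "salted bob:     $bob_s"          # differ -> nothing to precompute and share
verify_password "$alice_s" 'Winter2024!' && echo "alice login: ok"
verify_password "$alice_s" 'Winter2023!' || echo "alice wrong password: rejected"
```

Run it twice and the salted lines change every time while the unsalted ones never do; that difference is exactly what a rainbow table depends on.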
Digital Signature
Hash of the message encrypted (signed) with the sender's private key; anyone holding the sender's public key can verify it. Proves the message was not changed (integrity), proves the source of the message (authentication), and the sender cannot deny having signed it (non-repudiation)
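The hash-then-sign workflow behind the digital signature card and the non-repudiation, proof of integrity, and proof of origin cards earlier, as an added example that is not part of the original page. It uses the openssl command line with RSA and SHA-256; the message text and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example: sign a message with a private key, verify with the public key.
# Requires the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Sender's key pair.  The private key never leaves the sender; the public
# key is what every verifier holds (in practice inside a CA-issued certificate).
make_signing_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/sender.key" 2>/dev/null
    openssl pkey -in "$WORK/sender.key" -pubout -out "$WORK/sender.pub" 2>/dev/null
}

# Sign: openssl hashes the file with SHA-256 and encrypts the digest with the
# private key (PKCS#1 v1.5 padding).  Only the private key holder can do this.
sign_file() {    # $1 = file to sign, $2 = signature output
    openssl dgst -sha256 -sign "$WORK/sender.key" -out "$2" "$1"
}

# Verify: re-hash the file, decrypt the signature with the public key, compare.
# Exit 0 only if the content is unchanged AND the signature was made by the
# matching private key: proof of integrity plus proof of origin.
verify_file() {  # $1 = file, $2 = signature, $3 = public key
    openssl dgst -sha256 -verify "$3" -signature "$2" "$1" >/dev/null 2>&1
}

make_signing_key
printf 'transfer 100 to account 42\n' > "$WORK/msg.txt"        # constructed message
sign_file "$WORK/msg.txt" "$WORK/msg.sig"
verify_file "$WORK/msg.txt" "$WORK/msg.sig" "$WORK/sender.pub" && echo "original: valid"

# Integrity: change a single digit and the digest no longer matches.
printf 'transfer 900 to account 42\n' > "$WORK/msg_tampered.txt"
verify_file "$WORK/msg_tampered.txt" "$WORK/msg.sig" "$WORK/sender.pub" || echo "tampered: INVALID"

# Origin: a different key pair cannot have produced this signature.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null
openssl pkey -in "$WORK/other.key" -pubout -out "$WORK/other.pub" 2>/dev/null
verify_file "$WORK/msg.txt" "$WORK/msg.sig" "$WORK/other.pub" || echo "other signer: INVALID"
```

Non-repudiation follows from the last check: because only the sender's private key can produce a signature that verifies under the sender's public key, a valid signature is evidence the sender, and nobody else, signed that exact content.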
Blockchain
A distributed ledger that keeps track of transactions
• Everyone on the blockchain network keeps a copy of the ledger; each new block of transactions is verified and replicated to all participants
• Applications: payments, digital identification, supply chain monitoring, digital voting
Digital Certificate
A data file that binds an identity (a person, organization, or host) to a public key. It carries much more than a hash: the subject's name, the public key, validity dates, the issuing CA, and the CA's signature over all of it, which is what lets others trust it
Web of Trust
A decentralized model used for sharing certificates without the need for a centralized CA by having other trusted sources sign a certificate
X.509
The standard format for digital certificates.
Root of trust
Roots of trust are basically hardware or software components that are inherently trusted
CA
Certificate Authority. An organization that manages, issues, and signs certificates as part of a PKI. Browsers and operating systems ship with a list of trusted CAs (the root of trust), so a website whose certificate is signed by one of those CAs is trusted without any prior relationship with that site
CSR
Certificate signing request. The method of requesting a certificate from a CA. The applicant generates a key pair, keeps the private key, and places the public key together with identifying information (e.g. the host name) in the CSR. The CA validates the identity of the requester and signs the request with its own private key, producing the digital certificate
Self-signed Certificates
Internal certificates don't need to be signed by a public CA
- Your company is the only one going to use them
- No need to purchase trust for devices that already trust you
• Build your own CA
- Issue your own certificates signed by your own CA
• Install the CA certificate/trusted chain on all devices
- They'll now trust any certificates signed by your internal CA
- Works exactly like a certificate you purchased
Wild Card Certificate
Allows multiple subdomains to use the same certificate. The wildcard covers exactly one label: *.example.com matches www.example.com and mail.example.com, but not example.com itself or a.b.example.com
SAN
Subject alternative name. Field in a digital certificate allowing a host to be identified by multiple host names/subdomains (or IP addresses). Modern browsers match the host name against the SAN rather than the CN; a wildcard name is one kind of SAN entry
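An added example, not from the original page, that ties together the CSR, self-signed/internal CA, wildcard certificate, and SAN cards: build an internal root CA, have a server produce a CSR, issue it a wildcard certificate, and check what a device with (and without) the internal CA in its trust store concludes for several host names. The example.internal names are made up; it assumes the openssl command line, 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: internal CA issuing a wildcard certificate from a CSR,
# then chain and host name verification.  Requires the openssl CLI (1.1.1+).
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. Root CA: a self-signed certificate.  CA:TRUE and keyCertSign are what let
#    verifiers accept it as an issuer.  Its private key signs everything else.
make_internal_ca() {
    cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Corp
CN = Example Corp Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. The server makes its own key pair and a CSR holding only the public key
#    plus its identity.  The private key never leaves the server.
make_csr() {
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = *.example.internal\n' > "$WORK/csr.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/csr.cnf" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# 3. The CA validates the requester (here: trusted by construction) and signs
#    the CSR, stamping on the SAN: one-label wildcard plus the apex name.
issue_cert() {
    cat > "$WORK/server.ext" <<'EOF'
subjectAltName = DNS:*.example.internal, DNS:example.internal
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 90 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# 4. What a device with ca.crt in its trust store does: chain check plus
#    host name match against the SAN.  Exit 0 if trusted for that name.
trusted_for() {    # $1 = host name being connected to
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# A device WITHOUT the internal CA installed: same certificate, no trust anchor.
trusted_without_ca() {
    openssl verify -no-CAfile -no-CApath "$WORK/server.crt" >/dev/null 2>&1
}

make_internal_ca; make_csr; issue_cert
trusted_for app.example.internal   && echo "app.example.internal: trusted"
trusted_for example.internal       && echo "example.internal: trusted (apex listed in SAN)"
trusted_for a.b.example.internal   || echo "a.b.example.internal: NOT covered (wildcard = one label)"
trusted_for app.example.com        || echo "app.example.com: NOT covered (name not in SAN)"
trusted_without_ca                 || echo "no internal CA in trust store: untrusted"
```

The last line is the point of the self-signed certificates card: the certificate is identical in both checks, and the only difference is whether the verifying device has the internal CA installed as a trust anchor.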
CRL
Certificate revocation list. A list of certificates that a CA has revoked. Certificates are commonly revoked if they are compromised, or issued to an employee who has left the organization. Maintained by CA
OCSP
Online Certificate Status Protocol. An alternative to using a CRL. It allows entities to query a CA with the serial number of a certificate. The CA answers with good, revoked, or unknown.