CompTIA SY0-701 Security+ Essential Vocabulary

Fundamental Security Concepts and Frameworks

  • Information Security (Infosec): Focuses on protecting data resources from unauthorized access, attack, theft, or damage.
  • CIA Triad:
    • Confidentiality: Information is readable only by authorized individuals.
    • Integrity: Data is stored and transferred as intended without unauthorized modification.
    • Availability: Information is accessible to authorized users whenever needed.
  • Non-repudiation: Ensures a person cannot deny performing an action (e.g., creating or modifying a resource). Often enforced via digital signatures or legal witnesses.
  • NIST Cybersecurity Framework (CSF) Functions:
    • Identify: Develop security policies, evaluate risks/vulnerabilities, and recommend controls.
    • Protect: Embed security in every stage of the IT lifecycle (procure, install, operate, decommission).
    • Detect: Ongoing, proactive monitoring to ensure controls are effective and find new threats.
    • Respond: Identify, analyze, contain, and eradicate threats once detected.
    • Recover: Restore systems and data and implement resilience measures.
  • Gap Analysis: Identifies deviations between an organization's current security posture and requirements of a chosen framework. It provides an objective assessment, remediation recommendations, and helps prioritize investments.
  • Identity and Access Management (IAM):
    • Identification: Creating an account representing a subject (user, device, process).
    • Authentication: Proving the identity (e.g., passwords, certificates).
    • Authorization: Determining and enforcing rights (Discretionary vs. Mandatory models).
    • Accounting: Tracking and alerting on resource usage.

Security Controls and Functional Types

  • Control Categories:
    • Managerial: Administrative oversight, risk identification, and evaluation tools.
    • Operational: Implemented by people (e.g., security guards, training, manual log review).
    • Technical: Implemented via hardware, software, or firmware (e.g., firewalls, antivirus).
    • Physical: Deter and detect physical access (e.g., cameras, locks, alarms).
  • Functional Types:
    • Preventive: Eliminate or reduce the likelihood of success before an attack (e.g., ACLs).
    • Detective: Identify and record activity during an attack (e.g., logs, IDS).
    • Corrective: Mitigate impact after an attack (e.g., backups, patch management).
    • Directive: Enforce rules of behavior (e.g., contracts, training).
    • Deterrent: Psychologically discourage attackers (e.g., warning signs).
    • Compensating: Substitute for primary controls with equivalent protection (e.g., isolating an old app that cannot be patched).

Threat Actors and Attack Surfaces

  • Vulnerability vs. Threat vs. Risk:
    • Vulnerability: A weakness (misconfiguration, flawed code).
    • Threat: Potential for a vulnerability to be exploited. Involves a Threat Actor and a Threat Vector (path).
    • Risk: Likelihood of exploitation $\times$ Impact level.
  • Threat Actor Attributes:
    • Strategic placement: Internal (Insider) vs. External.
    • Sophistication: Low (commodity tools) to High (custom exploits, nation-state capability).
    • Funding: Resource levels range from individual hackers to state-sponsored APTs (Advanced Persistent Threats).
  • Attack Surface: All points where an actor could interact with the system (ports, apps, users, folders). Minimizing it means exposing only the endpoints that are known to be needed.
  • Specific Vectors:
    • Vulnerable Software: Flaws in code; requires robust Patch Management.
    • Network Vectors: Direct physical access, wireless/wired sniffing, cloud credential theft, or open service ports.
    • Lure-Based: USB drop attacks, malicious attachments (Trojan Horse), or embedded code in PDFs/images.
  • Technical Supply Chain: Infiltrating targets via vendors, suppliers, or MSPs (Managed Service Providers). Requires reputable vendor selection and scrutiny of secondhand equipment.

Social Engineering and Human Vectors

  • Social Engineering: "Hacking the human" to elicit info or influence actions.
  • Key Techniques:
    • Impersonation: Pretending to be someone else (IT support, CEO).
    • Pretexting: A fabricated story to make impersonation convincing.
    • Phishing: Spoofed emails; Vishing (voice), SMiShing (SMS).
    • Pharming: Redirecting traffic by corrupting name resolution (DNS).
    • Typosquatting: Registering lookalike domains (e.g., exannple.com).
    • Business Email Compromise (BEC): Targeted fraud against executives to authorize wire transfers.
    • Watering Hole Attack: Compromising a website frequently visited by the target group.

Cryptographic Foundations and Algorithms

  • Symmetric Encryption: Uses one secret key for encryption and decryption. Fast, used for bulk data. Challenges include secure key exchange.
    • Ciphers: Substitution (replacing units) and Transposition (reordering units).
  • Asymmetric Encryption: Uses related public/private key pairs. Public key encrypts; private key decrypts. Computationally intensive; used for digital signatures and safe key exchange (session keys).
  • Hashing: One-way function producing a fixed-size digest. Used for integrity (verifying no changes).
    • Algorithms: SHA (stronger), MD5 (legacy/compatibility).
  • Digital Signatures: A hash of a message encrypted with the sender's private key. Provides Integrity, Authentication, and Non-repudiation.
  • Key Strength: Measured by Key Length (bits). A 256-bit AES key has a keyspace of $2^{256}$ possible keys.
  • Public Key Infrastructure (PKI): Hierarchy of trust using Digital Certificates (X.509 standard) signed by a Certificate Authority (CA).
    • Root Certificate: Self-signed by the CA; serves as the root of trust.
    • Certificate Revocation: CRL (Certificate Revocation List) or OCSP (Online Certificate Status Protocol) for real-time validation.
  • Cryptoprocessors:
    • TPM (Trusted Platform Module): Discrete or integrated hardware chip for secure key storage on an endpoint.
    • HSM (Hardware Security Module): Removable or rack-mounted hardware for centralized key management.
  • Perfect Forward Secrecy (PFS): Uses ephemeral Diffie-Hellman keys to ensure that a future private key compromise cannot decrypt past recorded sessions.

Identity and Access Management (IAM) Implementation

  • Authentication Factors:
    • Something you know: Password, Passphrase, PIN.
    • Something you have: Smart card, hardware security key (U2F), app-based OTP.
    • Something you are: Biometric (Fingerprint, Facial recognition).
    • Somewhere you are: IP address, Geofencing.
  • Biometric Metrics:
    • FRR (False Rejection Rate) - Type I Error.
    • FAR (False Acceptance Rate) - Type II Error.
    • CER (Crossover Error Rate) - Where FAR and FRR are equal; indicates reliability.
  • Authorization Models:
    • DAC (Discretionary): Owner sets permissions.
    • MAC (Mandatory): Clearances and sensitivity labels (Read-down/Write-up).
    • RBAC (Role-Based): Based on job functions.
    • ABAC (Attribute-Based): Uses subject/object/context attributes (very granular).
  • Least Privilege: Granting only the minimum necessary rights to complete a task to limit damage from compromise.
  • Privileged Access Management (PAM): Special controls for admin accounts, including JIT (Just-in-Time) permissions and password vaulting.
  • Federation: Trusting accounts from other networks (e.g., logging into a site with Google/SAML/OAuth).

Network Architecture and Appliances

  • Networking Layers (OSI Overview):
    • Layer 1/2: Switches, WAPs, MAC addresses.
    • Layer 3: Routers, IP addresses (IPv4/IPv6), Routing protocols.
    • Layer 4: TCP (reliable) and UDP (unreliable) ports.
    • Layer 7: Application protocols (HTTP/S, DNS).
  • Infrastructure Components:
    • VLANs: Logical segmentation of Layer 2 broadcast domains.
    • Firewalls: Stateful (Layer 4) tracking sessions or Application-Aware (Layer 7) as Next-Gen Firewalls (NGFW).
    • Proxy Servers: Forward/Reverse proxies for caching and filtering.
    • IDS/IPS: Detective vs. Preventive monitoring based on signatures or behavior.
    • Load Balancers: Distribute traffic for high availability. Techniques include Round Robin and Source IP Affinity.
    • SDN (Software Defined Networking): Separates Management, Control, and Data planes.
  • Secure Communication:
    • VPNs: Site-to-site or client-to-site using IPsec (Layer 3) or TLS (Layer 7).
    • SSH: Secure command-line access using host and client key pairs.
  • Zero Trust Architecture (ZTA): Moves defense from the network perimeter to individual resources. Assumes no inherent trust; requires continuous authentication.

Resiliency, Site Security, and Asset Management

  • Asset Management: Inventory of hardware/software. Uses CMDB (Configuration Management Database) and standard naming conventions.
  • Data Backups: Deduplication (removing redundant blocks) and off-site storage are critical. RPO (Recovery Point Objective, the maximum tolerable data loss measured in time) and RTO (Recovery Time Objective, the target time to restore service) define recovery targets.
  • Redundancy Strategies:
    • High Availability (HA): Using clustering and load balancing for $99.99\%$ uptime ("nines").
    • Site Resiliency: Hot sites (live data), Warm sites (needs loading), Cold sites (empty building).
    • Clustering: Active/Passive vs. Active/Active nodes.
  • Power Redundancy: UPS (Uninterruptible Power Supply) for temporary power; Generators for long-term outages; Dual PSUs in servers.
  • Physical Controls:
    • Gates/Fencing/Lights (Deterrents).
    • Mantraps/Access Vestibules (Prevent tailgating).
    • Alarms (Circuit, infrared, pressure sensors).
    • Data Destruction: Degaussing (magnetic), wiping (overwriting bits), or physical shredding.

Vulnerability Management and Remediation

  • Vulnerability Identification:
    • Credentialed vs. Non-credentialed Scans (Insider vs. Outsider view).
    • CVE (Common Vulnerabilities and Exposures): A dictionary of publicly known flaws.
    • CVSS (Common Vulnerability Scoring System): Score $0$ to $10$ based on severity.
  • Remediation: Patching, Insurance (transfer), Segmentation (containment), or Risk Acceptance (exception/exemption).
  • Software Supply Chain: Using SBOM (Software Bill of Materials) to track dependencies and libraries.
  • Indicators of Malicious Activity:
    • Resource Consumption: Anomalous CPU/memory spikes.
    • C2 Beaconing: Regular outbound traffic to malicious domains.
    • Lateral Movement: Login anomalies caught by UEBA (User and Entity Behavior Analytics).
    • Malicious Code: Shellcode, Credential Dumping (DCSync), Persistence (registry keys).

Governance and Compliance

  • Policies: Acceptable Use (AUP), Incident Response, Change Management.
  • Standards: ISO/IEC 27001 (Security), PCI DSS (Credit Cards), HIPAA (Health), GDPR (Privacy).
  • Procedures: Step-by-step instructions and Playbooks for incident response.
  • Personnel Management: Background checks during recruitment, training during operation, and revocation of access during offboarding.
  • Change Management: Impact analysis, backout plans, and maintenance windows to minimize downtime.
  • Data Governance Roles: Owner (strategic), Controller (defines purpose), Processor (acts on data), Custodian (safeguards/stores).
  • Automation and Orchestration:
    • Infrastructure as Code (IaC): Terraform/Ansible to automate secure baselines.
    • SOAR (Security Orchestration, Automation, and Response): Coordinates alerts across systems to combat alert fatigue.