CompTIA_Security__Complete_Study_Guide_Exam_SY0-701-20-47

2 General Security Concepts

2.1 Security Controls

  • Security controls are essential mechanisms, policies, or procedures that protect an organization’s assets and data.

  • Their primary role is to reduce risk by preventing, detecting, or mitigating potential threats.

  • Understanding various types of security controls is vital for implementing secure infrastructures and passing the CompTIA Security+ SY0-701 exam.

  • Prevent, Detect, React model is useful for categorizing controls.

2.1.1 Categories of Security Controls

  • Technical Controls

    • Implemented through technology (often called logical controls).

    • Examples: firewalls, intrusion detection systems (IDS), encryption.

  • Managerial Controls

    • Focus on governance and administrative aspects of an organization’s security program.

    • Examples: risk assessments, data classification policies, security training programs.

  • Operational Controls

    • Involve procedures that act upon managerial guidance, typically technology-driven but requiring human action.

    • Examples: backup procedures, incident response activities, awareness training.

  • Physical Controls

    • Deal with tangible aspects of information security.

    • Examples: security cameras, biometric scanners, door locks, visitor logs.

2.1.2 Types of Security Controls

  • Preventive Controls

    • Stop an event/action from occurring.

    • Examples: firewalls, access control lists, strong authentication methods.

  • Deterrent Controls

    • Aim to discourage a potential attacker.

    • Examples: surveillance signs, visible security personnel.

  • Detective Controls

    • Discover or identify unwanted activities or issues.

    • Examples: system monitoring, auditing, IDS.

  • Corrective Controls

    • Aim to rectify or lessen the damage caused by a security incident.

    • Examples: patch management, restoration plans.

  • Compensating Controls

    • Secondary controls provided when primary controls cannot be applied.

    • Example: multi-factor authentication (MFA) as a substitute for smart cards.

  • Directive Controls

    • Focus on directing behaviors via guidelines or policies.

    • Example: mandatory password change policies.

2.1.3 Case Studies

  1. Healthcare Organization: Used database encryption and risk assessments for patient data privacy.

  2. Online Retailer: Deployed Web Application Firewalls (WAF) and intrusion detection systems (IDS) to counter cyber-attacks.

2.1.4 Summary

  • Understanding security controls is fundamental in crafting a robust information security strategy by categorizing into technical, managerial, operational, and physical types, as well as preventive, deterrent, detective, corrective, compensating, and directive controls.

2.1.5 Key Points

  • Security controls maintain the integrity, availability, and confidentiality of information systems.

  • Categorization of controls helps in effective implementation and strategizing.

2.1.6 Review Questions

  1. What are the four main categories of security controls?

  2. Give examples of preventive and detective controls.

  3. What is the primary function of directive controls?

  4. How do compensating controls differ from corrective controls?

2.1.7 Practical Exercises

  • Map out security controls in your organization.

  • Create flashcards for types and categories of controls.

2.2 Fundamental Security Concepts

  • Understanding foundational security principles is essential for the CompTIA Security+ SY0-701 exam.

2.2.1 Confidentiality, Integrity, and Availability (CIA)

  • Confidentiality: Ensures authorized access only.

    • Examples: password protection, encryption, secure communication.

  • Integrity: Ensures data accuracy and trustworthiness.

    • Measures: checksums, digital signatures, hashing.

  • Availability: Ensures resources are accessible to authorized users.

    • Measures: backup systems, fault tolerance.

2.2.2 Non-repudiation

  • Assures that a specific operation has occurred and was initiated by a specific entity.

  • Digital signatures and strong authentication mechanisms support non-repudiation.

2.2.3 Authentication, Authorization, and Accounting (AAA)

  • Authentication: Verifying identity.

  • Authorization: Determining access levels.

  • Accounting: Tracking activities.

2.2.4 Gap Analysis

  • Identifies security posture gaps to assess effectiveness of controls and need for more.

2.2.5 Zero Trust

  • Assumes no trust by default, even inside the network perimeter.

2.2.6 Physical Security

  • Secures physical assets and infrastructure.

  • Measures: bollards, access control vestibules, video surveillance.

2.2.7 Deception and Disruption Technology

  • Utilizes honeypots and similar tools to mislead attackers and gather information.

2.2.8 Summary

  • Comprehending fundamental concepts is vital in cybersecurity.

2.2.9 Key Points

  • CIA forms the basis of security considerations.

  • Non-repudiation authenticates transactions.

  • AAA is crucial for identity management.

2.2.10 Review Questions

  1. What does the CIA triad stand for?

  2. Explain non-repudiation.

  3. Describe the AAA model.

  4. What is Zero Trust?

2.2.11 Practical Exercises

  • Create a CIA triad diagram.

  • List potential physical security measures for an office setup.

2.3 Importance of Change Management Processes

  • Essential for maintaining security in changing environments.

2.3.1 Business Processes Impacting Security Operations

  • Approval Process: Formal approval for proposed changes.

  • Ownership: Designate responsible individuals for changes.

  • Stakeholders: Keep informed to manage expectations.

  • Impact Analysis: Assess potential impacts on security.

  • Test Results: Document results from tests to evaluate feasibility.

  • Backout Plan: Prepare for reversible changes.

  • Maintenance Window: Schedule changes during off-peak hours.

  • Standard Operating Procedure (SOP): Document steps for implementation.

2.3.2 Technical Implications

  • Changes might not require updates to access control lists or allow/deny lists to minimize risk.

  • Assess downtime implications during changes.

2.3.3 Documentation

  • Update network diagrams and policies post-change.

2.3.4 Version Control

  • Essential for auditing changes and rolling back if necessary.

2.3.5 Summary

  • A well-managed change process minimizes security vulnerabilities.

2.3.6 Key Points

  • Change ownership and stakeholder communication are vital.

  • Rigorous testing and documentation are necessary.

  • Version control acts as a safety measure.

2.3.7 Review Questions

  1. Why is approval necessary in change management?

  2. What is a backout plan?

  3. Why is version control important?

  4. What technical implications should be considered?

2.3.8 Practical Exercises

  • Create a mock change management form.

  • Draft a simple SOP for a common change.

2.4 Cryptographic Solutions

  • Essential for securing data and communications.

2.4.1 Public Key Infrastructure (PKI)

  • Crucial for creating and managing digital certificates aiding secure communications.

2.4.2 Encryption

  • Converts plain text to unreadable format.

  • Types include full-disk, partition, volume, database, and record.

2.4.3 Asymmetric & Symmetric Encryption

  • Asymmetric uses different keys for encryption/decryption, symmetric uses the same.

2.4.4 Key Exchange

  • Uses mechanisms like Diffie-Hellman for secure key exchange.

2.4.5 Algorithms

  • Common algorithms include AES, DES, and RSA. Key Length correlates to strength.

2.4.6 Tools and Hardware

  • TPM: Stores RSA encryption keys for the host system.

  • HSM: Safeguards keys and performs cryptographic operations.

2.4.7 Obfuscation, Steganography, Tokenization, Data Masking

  • Techniques for hiding data within other data or replacing sensitive information.

2.4.8 Hashing and Salting

  • Hashing transforms data into fixed-length strings; salting adds randomness to enhance security.

2.4.9 Digital Signatures

  • Verifies the authenticity of digital documents.

2.4.10 Blockchain and Certificates

  • Blockchain offers a secure public ledger; certificate authorities manage digital certificates.

2.4.11 Summary

  • Cryptography secures data and communications; several methods are tailored to specific needs.

2.4.12 Key Points

  • PKI is foundational for communication security.

  • Encryption can be applied in various ways.

  • Utilizing TPM and HSM enhances security.

2.4.13 Review Questions

  1. Differences between public key and private key?

  2. What levels of encryption exist and why select one?

  3. Role of HSM?

  4. How does key stretching enhance password security?

2.4.14 Practical Exercises

  • Set up an encrypted email service.

  • Use a simple steganography tool.

3 Threats, Vulnerabilities, and Mitigations

3.1 Common Threat Actors and Motivations

  • Understand types of threat actors and their motivations for better anticipation and mitigation.

3.1.1 Threat Actors

  • Nation-State Actors: Highly skilled groups focused on national interests; examples include espionage activities.

  • Unskilled Attackers: Limited skill using standard tools; motivations often include notoriety and thrill.

  • Hacktivists: Individuals targeting institutions for social/political reasons.

  • Insider Threats: Malicious activities from individuals inside organizations with privileged access.

  • Organized Crime: Groups engaged in cybercrime for financial gain, utilizing sophisticated methods.

  • Shadow IT: Unauthorized use of IT solutions within organizations.

3.1.2 Attributes of Actors

  • Can be internal or external with varying funding and sophistication.

3.1.3 Motivations

  • Include exfiltration, espionage, service disruption, blackmail, financial gain, and philosophical or revenge-related reasons.

3.1.4 Summary

  • Knowing threat actors aids in developing targeted defense strategies.

3.1.5 Review Questions

  1. How do nation-state actors differ from unskilled attackers?

  2. Describe a hacktivism example.

  3. Insider threat scenarios can be both intentional and unintentional; explain.

  4. Motivation associated with organized crime?

  5. Security risks from Shadow IT?

3.1.6 Key Points

  • Awareness of threat actor types and motivations enhances security protocols.

3.1.7 Practical Exercises

  • Create a profile of threat actors for an organization.

  • Develop a matrix comparing attributes of different threat actors.