Security+ Exam Cram: General Security Concepts

1.0 General Security Concepts

• 1.1 Compare and contrast various types of security controls
  • Categories
    • Technical: Hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems. Examples: Encryption, Smart cards, Passwords, Biometrics, Access control lists (ACLs), Firewalls, routers, IDS/IPS.
    • Managerial: Policies and procedures, administrative controls defined by an organization's security policy. Use planning and assessment methods to review the organization’s ability to reduce and manage risk. Examples: Policies, Procedures, Hiring practices, Background checks, Data classification, Security training, Risk assessments, Vulnerability assessments.
    • Operational: Help ensure that the day-to-day operations of an organization comply with their overall security. Primarily implemented and executed by people instead of systems. Examples: Awareness training, Configuration management, Media protection.
    • Physical: Security mechanisms focused on providing protection to the facility and real-world objects. Examples: Guards, Fences, Lights, Motion detectors, Guard dogs, Video cameras, Alarms, Laptop locks.
    • The relationship between categories can be visualized as:
      • Technical: Technology (HW and SW)
      • Physical: Tangible (touchable)
      • Managerial: Policy (and policy implementation)
      • Operational: People (doing stuff)
  • Control Types
    • Preventive: Deployed to thwart or stop unwanted or unauthorized activity from occurring. Examples: locks, fences, security badges, security guards, lighting, security cameras, trespass or intrusion alarms, separation of duties, security policies, and security awareness training, access control, authentication, firewall, encryption.
    • Deterrent: Deployed to discourage violation of security policies. A deterrent control picks up where prevention leaves off. Examples: fences, locks, biometrics, mantraps, alarm systems, job rotation, data classification, penetration testing, access control methods, warning, sign, visibility, perception.
    • Detective: Deployed to discover or detect unwanted or unauthorized activity. Examples: security guards, guard dogs, motion detectors, job rotation, mandatory vacations, audit trails, intrusion detection systems, violation reports, honey pots, and incident investigations, monitoring, audit, logging, alert.
    • Corrective: Modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. Examples: security policy, personnel supervision, monitoring, and work task procedures, backup, restore, incident response, patching.
    • Compensating: Provides options to other existing controls to aid in enforcement of security policies. Examples: backups and restores, patching, antivirus/antimalware, forensic analysis, disciplinary action, alternative, backup, redundancy.
    • Directive: Direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples: policies, procedures, standards, guidelines, physical signage, verbal instructions, contracts and agreements, policy, procedure, standard, guideline.
    • Controls can fit into multiple types based on context.

DOMAIN 1: CONTROLS

• Security Controls

  • Security measures for countering and minimizing loss or unavailability of services or apps due to vulnerabilities.

• Security Controls Relationship

  • safeguards are proactive (reduce likelihood of occurrence)
  • countermeasures are reactive (reduce impact after occurrence)

• Control Overlap

  • One control, multiple types/functions
  • Security controls are designed to work together, and their functions often overlap.
    • Example: a security camera system is both deterrent (deterring unwanted entry) and detective (recording potential security incidents for later review).
  • The classification of a control can depend on how it's implemented and the specific risk it's addressing.
    • Example: an access control list can be primarily preventive if it blocks unauthorized access or detective if it mainly logs access for later investigation.
  • A single security control can be identified as multiple types, depending on the context of the situation

1.0 General Security Concepts

• 1.2 Summarize fundamental security concepts

  • Confidentiality, Integrity, and Availability (CIA)
    • Access controls help ensure that only authorized subjects can access objects (Confidentiality)
    • Ensures that data or system configurations are not modified without authorization (Integrity)
    • Authorized requests for objects must be granted to subjects within a reasonable amount of time (Availability)
    • KNOW CIA BY HEART!
  • Non-repudiation
    • Methods to provide non-repudiation
    • Digital Signatures prove that a digital message or document was not modified—intentionally or unintentionally—from the time it was signed.
    • based on asymmetric cryptography (a public/private key pair)
    • the digital equivalent of a handwritten signature or stamped seal.
    • provides non-repudiation in a publicly verifiable manner.
    • Non-repudiation is the ability to defeat/counter a false rejection or refusal of an obligation with irrefutable evidence.
    • Non-repudiation is the guarantee that no one can deny a transaction.
    • REMEMBER: shared accounts/identities prevent non-repudiation!
  • Authentication, Authorization, and Accounting (AAA)
    • Several protocols provide authentication, authorization, and accounting services.
    • Authentication: user/service proves identity with some type of credentials, such as a username and password.
    • Authorization: authenticated users are granted access to resources based on the roles and/or permissions assigned to their identity.
    • Accounting: methods that track user activity and records these activity in logs. Tracks user activity and resource access as part of the audit trail.
    • Identification: Subjects claim an identity, and identification can be as simple as a username for a user.
    • Authentication: Subjects prove their identity by providing authentication credentials such as the matching password for a username.
    • Accountability: Auditing logs and audit trails record events including the identity of the subject that performed an action. identification + authentication + auditing = ACCOUNTABILITY
    • After authenticating subjects, systems authorize access to objects based on their proven identity.
    • Maintaining accountability is maintained for individual subjects using auditing. logs record user activities and users can be held accountable for their logged actions.
    • This directly promotes good user behavior and compliance with the organization’s security policy.
    • Provides an audit trail for investigation if needed
    • In modern enterprises, systems and devices have identities as well! In the cloud, VMs have a managed identity (managed by platform) used to access resources, such as data. Client devices have machine identities in mobile device management (MDM) platforms.
    • Authorization models
      • Discretionary Access Control (DAC)
        • A key characteristic of the Discretionary Access Control (DAC) model is that every object has an owner, and the owner can grant or deny access to any other subject.
        • Example: New Technology File System (NTFS)
      • Role Based Access Control (RBAC)
        • A key characteristic is the use of roles or groups. Instead of assigning permissions directly to users, user accounts are placed in roles and administrators assign privileges to the roles.
        • Typically mapped to job roles.
      • Rule-based access control
        • A key characteristic is that it applies global rules that apply to all subjects. Rules within this model are sometimes referred to as restrictions or filters.
        • EXAMPLE: a firewall uses rules that allow or block traffic to all users equally.
      • Non-discretionary Access Control
        • Enables the enforcement of system-wide restrictions that override object-specific access control. Use-based, user-centric RBAC is considered non-discretionary
      • MADATORY ACCESS CONTROL
        • A key point about the MAC model is that every object and every subject has one or more labels.
        • These labels are predefined, and the system determines access based on assigned labels.
        • “ EXAMPLE: in military security, data owner does not set access
      • ATTRIBUTE-BASED - access is restricted based on an attribute on the account, such as department, location, or functional designation.
        • For example, admins may require user accounts have the Legal department attribute to view contracts
      • Subjects and Objects in Access Control
        • Subjects: A user, group, or service accessing resources, known as objects.
        • Objects: Resources, such as files, folders, shares, and printers, accessed by subjects
        • The authorization model determines how a system grants users access to files and other resources. These come up often in discussions of access control, so you should be familiar for the exam
  • Gap analysis
    • A common task performed on a recurring basis, and often in preparation for external audits is the gap analysis.
    • Auditors will follow a standard (often ISO 27001) and then compare standard requirements to the org’s current operations.
    • The outcome of an audit is an attestation, which is a formal statement made by the auditor on controls and processes in place.
    • All auditors should have independence, but attestations from external auditors carry more weight (higher confidence)
    • Control gap: a discrepancy between the security measures an organization should have in place versus controls actually in place.
  • Zero Trust
    • An approach to security architecture in which no entity is trusted by default
    • Based on three principles:
      • Assume breach
      • Verify explicitly
      • Least privilege access
    • Has largely replaced trust but verify and its network perimeter strategy. Supported by defense in depth, that advises a layered approach to security.
    • addresses the limitations of the legacy network perimeter-based security model.
    • treats user identity as the control plane assumes compromise / breach in verifying every request.
    • Key Elements of Zero Trust Network Architecture:
      • Control Plane
        • Adaptive Identity: changes the way that the system asks a user to authenticate based on context of the request. EXAMPLES: location, device, app, risk EXAMPLE: Conditional Access in MSFT Entra ID
        • Threat Scope Reduction: an end goal of ZTNA, which is to decrease risks to the organization.
        • Policy-Driven Access Control: controls based upon a user’s identity rather than simply their system’s location.
        • Policy Administrator (PA): responsible for communicating the decisions made by the policy engine. EXAMPLE: MSFT Entra ID (Azure Active Directory) PA + PE = Policy Decision Point (PDP)
        • Policy Engine (PE): decides whether to grant access to a resource for a given subject.
      • Data Plane
        • Implicit Trust Zones: part of traditional security approach in which firewalls and other security devices formed a perimeter. Systems belonging to the org were placed inside this boundary.
        • Subject/System: A subject is a user who wishes to access a resource. A system is a non-human entity, often the device used by the user, to access the resource. EXAMPLE: MSFT Entra ID (Azure Active Directory)
        • Policy Enforcement Point: when a user or system requests access to a resource, the PEP evaluates it against predefined policies and applies the necessary controls. Enforces the decisions defined in control plane

• Policy Enforcement Point responsible for enabling, monitoring, and terminating connections between a subject (such as a user or device) and an enterprise resource.

• acts as the gateway that enforces access control policies.

• when an access request occurs, the PEP evaluates the request against predefined policies and applies the necessary controls.

• For example, PEP might enforce Multi-Factor Authentication (MFA) for access requests from unexpected locations.

• Policy Decision Point is where access decisions are made based on various factors such as user identity, device health, and risk assessment.

• evaluates the context of an access request and decides whether it should be allowed, denied, or subjected to additional controls.

• considers the 5 W’s (who, what, when, where, and why)

• In short, the PEP enforces policies at the connection level, while the PDP makes access decisions based on contextual information.

  • Dynamic based on conditions/context
  • Physical security
    • There is no security without physical security
    • Without control over the physical environment, no amount of administrative or technical/logical access controls can provide adequate security.
    • If a malicious person can gain physical access to your facility or equipment, they can do just about anything they want, from destruction to disclosure and alteration.
    • Bollards
      • A short, sturdy vertical post, usually made of concrete, steel, or other heavy-duty materials. They can be fixed in place or retractable.
      • Act as physical barriers, preventing vehicles from forcibly entering a restricted area.
      • Delineate pedestrian areas, parking lots, and sensitive zones to minimize accidental damage
      • Primarily used to control traffic flow and protect buildings or areas from vehicle-based attacks.
    • Access control vestibule
      • A physical security system comprising a small space with two interlocking doors.
      • Only one door can be opened at a time.
      • Designed to strictly control access to highly secure areas by allowing only one person at a time to pass through.
      • Protects against Tailgating (slipping in on someone else's badge) Piggybacking (like tailgating, but with bad intent) Unauthorized entry of any kind
      • Previously called a mantrap
    • Fencing
      • 3-4 feet: deters the casual trespasser
      • 6-7 feet: too difficult to climb easily, may block vision (providing additional security)
      • 8-feet (topped with barbed wire): will deter determined intruders
      • To augment fences some orgs may erect stronger barricades, or zig-zag paths to prevent a vehicle from ramming a gate.
      • PIDAS (perimeter intrusion detection and assessment system) will detect someone attempting to climb a fence.
      • Fence is a DETERRENT control
      • PIDAS is a DETECTIVE control
    • Video surveillance
      • Cameras and closed-circuit television (CCTV) systems provide video surveillance and reliable proof of a person’s identity and activity.
      • Many cameras include motion and object detection capabilities.
    • Security guards
      • a preventive physical security control, and they can prevent unauthorized personnel from entering a secure area.
      • can recognize people and compare an individual’s picture ID for people they don’t recognize.
    • Access badges
      • can electronically unlock a door and help prevent unauthorized personnel from entering a secure area.
    • Lighting
      • Location: installing lights at all the entrances and exits to a building can deter attackers from trying to break in.
      • Efficiency: a combination of automation, light dimmers, and motion sensors to save on electricity costs without sacrificing security. automatically turn on at dusk, automatically turn off at dawn.
      • Protection: protect the lights. If an attacker can remove the light bulbs, it defeats the control. either place the lights high enough so that they can’t be reached or protect them with a metal cage.
      • Deterrent control
    • Sensors
      • Infrared: detects heat signatures in the form of infrared radiation emitted by people, animals, or objects.
      • Pressure: designed to detect changes in pressure on a surface or in a specific area, such as a person walking on a floor or stepping on a mat.
      • Microwave: uses microwave technology to detect movement within a specific area.
      • Ultrasonic: emits high-frequency sound waves and measure the time it takes for the sound waves to bounce back after hitting an object or surface.
      • integrated into security cameras and alarm systems to improve detection capabilities often used with other types of sensors to reduce false alarms commonly used in parking assistance, robotic navigation, and intrusion detection used in access control systems to ensure that only authorized individuals can enter
  • Deception and disruption technology
    • Goal is to distract from real assets and isolate in a padded cell until you can track them down.
    • Lure bad people into doing bad things. Lets you watch them.
    • Only ENTICE, not ENTRAP. You are not allowed to let them download items with “Enticement”. For example, allowing download of a fake payroll file would be entrapment.
    • Honeypot: A group of honeypots is called a honeynet.
    • Honeyfile: a decoy file deceptively named so it attracts the attention of an attacker.
    • Honeytoken: a fake record inserted into a database to detect data theft.
    • These are all intended to deceive attackers and disrupt attackers, divert them from live networks and allow observation.

1.0 General Security Concepts

• 1.3 Explain the importance of change management processes and the impact to security.
  • WHAT do these solve for? Why do we use them?
  • Organizational Policies
    • Configuration Management
      • ensures that systems are configured similarly, configurations are known and documented.
      • Baselining: ensures that systems are deployed with a common baseline or starting point, and imaging is a common baselining method.
    • Change Management
      • the policy outlining the procedures for processing changes helps reduce risk associated with changes, including outages or weakened security from unauthorized changes. Ensure true ‘current state’ is known to all
      • Can prevent security related incidents and outages
      • Requires changes to be requested, approved, tested, and documented.
    • Change Management vs Change Control
      • Change Control: refers to the process of evaluating a change request within an organization and deciding if it should go ahead. requests are sent to the Change Advisory Board (CAB) to ensure that it is beneficial to the company. the process of evaluating a change request to decide if it should be implemented Guidance on the process
      • Change Management: policy that details how changes will be processed in an organization The process in action
  • Business processes impacting security operation
    • business process issues, including:
      • Approval process: ensures that every proposed change is properly reviewed and cleared by management before it takes place.
      • Ownership: clearly defines who is responsible for each change by designating a primary owner who will be the key decisionmaker and sponsor of the change.
      • Stakeholder analysis: identifies all the individuals and groups within the organization and outside the organization that might be affected by the change.
      • Impact analysis: review of potential impacts of a change, including side effects. Ensures team considers impact to systems and stakeholders
      • Testing: confirms that the change will work as expected by validating it in a test environment before production rollout. Test results should be captured in the change approval request
      • Backout plan: provides detailed step-by-step sequence that the team should follow to roll back if the change goes wrong. Ensures systems can be quickly restored to an operational state These elements together can define a standard operating procedure for change management. REMEMBER: Any change that affects system or data exposure may impact security!
      • Maintenance windows: Standing window of time during which changes can be implemented that minimizes impact to business, often outside of business hours. For critical services, may be defined in customer contracts
      • Ensure alignment across teams
  • Technical implications
    • There are several technical implications that should be considered as part of the change management process. to avoid service disruptions and security vulnerabilities
      • Allow lists/deny lists: firewall rules, application allow/deny lists, and access control lists (ACLs) may need to be updated.
      • Restricted activities: some activities may need to be restricted, such as data updates during database replication/migration.
      • Downtime: some changes may cause service interruption, resulting in direct impact to the business. This is where our ‘maintenance window’ comes into play
      • Application restarts: putting controls around risky activities, such as application and service restarts.
      • Legacy applications: modifications to legacy apps that may not support some changes, such as component/service version updates. use case for private or hybrid cloud
      • Dependencies: tracking dependencies between systems and services to identify downstream effects of current and future changes.
  • Documentation
    • Provides benefits to IT and security operations, BC/DR, incident response, and future design and planning iterations.
    • Provides team members with a repository of information about the way that systems and applications are designed and configured.
    • Servers as a reference for current and future team members
    • You cannot fully secure a system or service for which you do not have a true picture of current state!
    • Change management processes should ensure that changes are not closed out until all documentation and diagrams are updated.
    • It is a continuous process across new deployments and changes
    • Documentation applies not only to environment, but to policies and procedures that direct operation and support of the environment.
    • The process of documentation current state of and changes to the operating environment
  • Version control
    • A formal process used to track the current versions of software code and system/application configurations.
    • For the exam: Focus on the functions of version control, not on any specific version control system.
    • Most organizations use a formal version control system that is integrated into their software development processes. For most orgs, this is some platform based on Git.
    • Developers modify the code and check it into a version control system that identifies conflicts in their changes with those made by other devs.
    • It also tracks the current dev, test, and production versions of code.
    • Code for different environments is tracked in Git using code ‘branches’

1.0 General Security Concepts

• 1.4 Explain the importance of using appropriate cryptographic solutions.
  • Public key infrastructure (PKI)
    • Key management: management of cryptographic keys in a cryptosystem. Operational considerations include dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. Design considerations include cryptographic protocol design, key servers, user procedures, and other relevant protocols.
    • Certificate authority (CA): Certification Authorities create digital certificates and own the policies.
    • CONCEPTS Also called a ‘certification authority’ by some vendors
    • PKI hierarchy can include a single CA that serves as root and issuing CA, but this is not recommended.
      • Root CA: Usually maintained in an offline state Issues certs to new subordinate CAs
      • Issuing CA: Also called a Policy CA or Intermediate CA Issues certs to new issuing CAs
      • Subordinate CA: Certificates for clients, servers, devices, websites, etc. issued from here CHAIN OF TRUST Can be consolidated to fewer servers, creating a 1 or 2-level hierarchy.
    • Certificate revocation list (CRL)
      • Contains information about any certificates that have been revoked due to compromises to the certificate or PKI hierarchy.
      • CRL of issuing CA contains info on revocation of certs it has issued
      • CAs are required to publish CRLs, but it’s up to certificate consumers if they check these lists and how they respond if a certificate has been revoked.
      • Each CRL is published to a file, that the client must download to check, which can grow large over time
    • Online Certificate Status Protocol (OCSP)
      • Offers a faster way to check a certificate’s status compared to downloading a CRL.
      • With OCSP, the consumer of a certificate can submit a request to the issuing CA to obtain the status of a specific certificate.
    • Certificate signing request (CSR)
      • Records identifying information for a person or device that owns a private key as well as information on the corresponding public key.
      • It is the message that's sent to the CA in order to get a digital certificate created.
      • CN (common name): the Fully Qualified Domain Name (FQDN) of the entity (e.g. web server)
    • Online vs. offline CA
      • Online CA is always running, offline CA is kept offline except for specific issuance and renewal operations.
      • Offline is best practice for your root CA.
    • Stapling: a method used with OCSP, which allows a web server to provide information on the validity of its own certificate.
      • Done by the web server essentially downloading the OCSP response from the certificate vendor in advance and providing it to browsers.
    • Pinning: a method designed to mitigate the use of fraudulent certificates.
      • Once a public key or certificate has been seen for a specific host, that key or certificate is pinned to the host.
      • Should a different key or certificate be seen for that host, that might indicate an issue with a fraudulent certificate.
    • Certificate chaining: Refers to the fact that certificates are handled by a chain of trust. You purchase a digital certificate from a certificate authority (CA), so you trust that CA’s certificate. In turn, that CA trusts a root certificate.
    • Trust model: A model of how different certificate authorities trust each other and how their clients will trust certificates from other certification authorities. The four main types of trust models that are used with PKI are bridge, hierarchical, hybrid, and mesh.
    • Key escrow: Addresses the possibility that a cryptographic key may be lost. The concern is usually with symmetric keys or with the private key in asymmetric cryptography. If that occurs, then there is no way to get the key back, and the user cannot decrypt messages. Organizations establish key escrows to enable recovery of lost keys.
    • Certificate Formats
      • Distinguished encoding rules (DER): NO Secure remote access (Linux and network)
      • Privacy enhanced mail (PEM): YES Secure copy to Linux/Unix
      • Personal information exchange (PFX): YES Supports storage of all certificates in path
      • Base64-encoded (CER): NO Storage of a single certificate.
      • PKCS#12 standard (P12): YES Supports storage of all certificates in path
      • Cryptographic Message Syntax Standard (P7B): NO Supports storage of all certificates in path.
      • X. 509 certificate formats and descriptions
    • Types of certificates
      • User: Used to represent a user's digital identity. In most cases, a user certificate is mapped back to a user account.
      • Root: A trust anchor in a PKI environment is the root certificate from which the whole chain of trust is derived;
      • Domain validation: A Domain-Validated (DV) certificate is an X. 509 certificate that proves the ownership of a domain name.
      • Extended validation: Extended validation certificates provide a higher level of trust in identifying the entity that is using the certificate. Commonly used in the financial services sector. Is the “root of trust”
      • Wildcard: Can be used for a domain and a subdomain. For example: In the contoso.com domain, there are two servers called web and mail. The wildcard certificate is
        • .contoso.com and, when installed, it would work for the Fully Qualified Domain Names (FQDNs) for both of these. A wildcard can be used for multiple servers in the same domain, saving costs. Supports multiple FQDNs in the same domain Provides proof of content integrity
      • Code signing: When code is distributed over the Internet, it is essential that users can trust that it was actually produced by the claimed sender. An attacker would like to produce a fake device driver or web component (actually malware) that is claimed to be from some legitimate software vendor. Using a code signing certificate to digitally sign the code mitigates this danger.
      • Self-signed: A self-signed certificate is issued by the same entity that is using it. However, it does not have a CRL and cannot be validated or trusted. It is the cheapest form of internal certificates and can be placed on multiple servers.
      • Machine/computer: A computer or machine certificate is used to identify a computer within a domain.
      • Email: Allow users to digitally sign their emails to verify their identity through the attestation of a trusted third party known as a certificate authority (CA). Allow users to encrypt the entire contents (messages, attachments, etc.)
      • Third-party: A certificate issued by a widely trusted external provider such as GoDaddy or Digicert. Preferred for TLS on public-facing services, such as company website.
      • Subject alternative name (SAN): an extension to the X. 509 specification that allows users to specify additional host names for a single SSL certificate. Is standard practice for SSL certificates, and it's on its way to replacing the use of the common name. You can also insert other information into a SAN certificate, such as an IP address. Enables support for FQDNs from multiple domains in a single certificate.
      • Expiration: certificates are valid for a limited period from the date of issuance, as specified on the certificate. Current industry guidance on maximum certificate lifetime from widely trusted issuing authorities (like Digicert) is currently 1 year (398 days).
  • Encryption - Level (Scope)
    • File Encryption: operates at the individual file level, meaning files could have unique encryption keys. Useful for files containing sensitive info e.g. financial info, PHI, PII Granularity: HIGH
    • Volume Encryption: encryption targets a specific partition or volume within the physical drive. Useful when different volumes need varying levels of protection. Volume vs partition: Partition: It represents a distinct section of storage on a disk. In Windows, the C drive is typically a primary partition Volume: Represents a logical division of a storage device. Represents a single accessible storage area. Can span multiple partitions or disks. Is a distinct PHYSICAL section of storage Assembles one or more partitions into a unified storage area Scope: LOW Granularity: LOW data volume vs system volume automatically encrypts data when it is written to or read from the entire disk. Bitlocker on Windows, dm-crypt on Linux. disk, volumes, and partitions
    • Disk Encryption: drive encryption encryption on a SED that’s built into the hardware of the drive itself. anything that’s written to that drive is automatically stored in encrypted form. Bitlocker protects disks, volumes, and partitions
    • Protecting data at rest
      • Full Disk Encryption (FDE)“under the hood” Trusted Platform Module (TPM): is on the motherboard and is used to store the encryption keys so when system boots, it can compare keys and ensure that the system has not been tampered with. Hardware Root of Trust: When using certificates for FDE, they use a hardware root of trust that verifies that the keys match before the secure boot process takes place. Self-Encrypting Drives (SEDs) The OPAL storage specification is the industry standard for self-encrypting drives. This is a hardware solution, and typically outperform software-based alternatives. They don't have the same vulnerabilities as software and therefore are more secure. SEDs are Solid State Drives (SSDs) and are purchased already set to encrypt data at rest. The encryption keys are stored on the hard drive controller. They are immune to a cold boot attack and are compatible with all operating systems SED is effective in protecting the data on lost or stolen devices (such as a laptop). Only the user and vendor can decrypt the data. A TPM is a HRoT
    • Cloud Storage Encryption: CSPs usually protect data at rest by automatically encrypting before persisting it to managed disks, blob storage, file, or queue storage.
    • Transparent data encryption (TDE): Helps protect SQL Database and data warehouses against threat of malicious activity with real-time encryption and decryption of database, backups, and transaction log files at rest without requiring app changes.
      • CSPs, file integrity monitoring, hash, or symmetric encryption key to find out about change.
  • Transport/communication
    • “Data in transit” Most often encrypted using TLS or HTTPS Also called “data in motion”
  • Protecting data in use /
    • “in processing” Data-in-use/in processing occurs when we launch an application such as Microsoft Word or Adobe Acrobat Apps not running the data from the disk drive but running the application in random access memory (RAM). This is volatile memory, meaning that, should you power down the computer, the contents are erased. In some cases, data in-memory will be encrypted
  • Data protection in relational databases Encrypting Records Many relational databases support row or column level encryption. Row-level encrypts an entire record, column-level encrypts specific fields within the record. Commonly implemented within the database tier, but also possible in code of frontend applicationsTransparent data encryption is full database-level encryption Database Encryption transparent data encryption is full database-level encryption Database Encryption file encryption or disk Scope:LOW
    • Requires no changes in application and comes with virtually no performance impact
    • Offered on most relational database management (RDBMS) platforms, like MSSQL, MySQL, and PostgreSQL
    • Public-private key pairs for communication between parties. Supports scalability, easy key distribution, and nonrepudiation CONCEPT:
      • Symmetric vs Asymmetric
        • Symmetric: Relies on the use of a shared secret key. Lacks support for scalability, easy key distribution, and nonrepudiation
        • Asymmetric key types Public keys are shared among communicating parties. Private keys are kept secret. DATA: To encrypt a message: use the recipient’s public key. To decrypt a message: use your own private key. DIGITAL SIGNATURE: To sign a message: use your own private key. To validate a signature: use the sender’s public key. each party has both a private key and public key!
  • Common uses How are different algorithm types used?
    • Symmetric Example: AES256 Typically used for bulk encryption / encrypting large amounts of data.
    • Asymmetric Example: RSA, DH, ECC Distribution of symmetric bulk encryption keys Identity authentication via digital signatures and certificates Non-repudiation services and key agreement (shared key)
    • Key exchange in asymmetric cryptography Franco sends a message to Maria, requesting her public key Maria sends her public key to Franco Franco uses Maria’s public key to encrypt the message and sends it to her Maria uses her private key to decrypt the message
    • Common symmetric encryption algorithms
      • AES (Advanced Encryption Standard): The current industry gold standard. Highly efficient and widely implemented. It offers various key lengths (128, 192, 256 bits), providing flexibility in security levels.
      • 3DES (Triple DES): A variation of DES applying encryption three times. Being phased out and replaced by AES 1.4 ENCRYPTION ALGORITHMS Symmetric algorithms are used for bulk data encryption
      • Twofish: A finalist in the competition to select AES, known for its flexibility and security. One step better encryption than DES
      • Blowfish: Predecessor to Twofish, also known for its strength and speed.
    • Common asymmetric encryption algorithms
      • RSA (Rivest–Shamir–Adleman): One of the oldest and most widely used asymmetric algorithms. Often used for key exchange and digital signatures. Its security relies on the difficulty of factoring large prime numbers.
      • ECC (Elliptic Curve Cryptography): A more modern approach using elliptic curves. Offers similar security levels to RSA but with smaller key sizes, making it suitable for resource-constrained environments. 1.4 ENCRYPTION ALGORITHMS
      • Diffie-Hellman: Primarily a key exchange protocol, allowing two parties to establish a shared secret key over an insecure channel.
      • ElGamal: An algorithm based on the difficulty of the discrete logarithm problem. Used for encryption and digital signatures.
    • Types of Ciphers
      • Stream cipher: is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). each plaintext digit is encrypted one at a time with the corresponding digit of the keystream, to create a digit of the ciphertext stream.
      • Block cipher: is a method of encrypting text in which a cryptographic key and algorithm are applied to a block of data (for example, 64 contiguous bits) at once as a group rather than to one bit at a time. Considered to be more secure than stream ciphers
      • Substitution