CompTIA Security+ (SY0-701) Study Guide

Page 4

Fundamentals of Security

  • Objectives:

    • 1.1 - Compare and contrast various types of security controls

    • 1.2 - Summarize fundamental security concepts

  • Information Security: Protecting data from unauthorized access, modification, disruption, disclosure, and destruction.

  • Information Systems Security: Protecting the systems (computers, servers, network devices) that hold and process critical data.

  • CIA Triad:

    • Confidentiality: Ensures information is accessible only to authorized personnel (e.g., encryption).

    • Integrity: Ensures data remains accurate and unaltered (e.g., checksums).

    • Availability: Ensures information and resources are accessible when needed (e.g., redundancy measures).

  • Non-Repudiation: Guarantees that an action cannot be denied by the involved parties (e.g., digital signatures).

Page 5

Extended Concepts

  • CIANA Pentagon: Extends the CIA triad with non-repudiation and authentication.

  • Triple A’s of Security:

    • Authentication: Verifying identity (e.g., password checks).

    • Authorization: Determining actions/resources accessible to users (e.g., permissions).

    • Accounting: Tracking user activities (e.g., audit purposes).

  • Security Control Categories:

    • Technical

    • Managerial

    • Operational

    • Physical

  • Security Control Types:

    • Preventative

    • Deterrent

    • Detective

    • Corrective

    • Compensating

    • Directive

  • Zero Trust Model: No one should be trusted by default.

Page 6

Risk Management & Threats

  • Zero Trust Implementation:

    • Control Plane: Adaptive identity, threat scope reduction, policy-driven access control.

    • Data Plane: Subject/system, policy engine/administrator, and policy enforcement points.

  • Threats: Anything that causes harm (natural disasters, cyber-attacks).

  • Vulnerabilities: Weaknesses in the system (software bugs, misconfigurations).

Page 7

Managing Risks

  • Risk Intersection: Risks arise where threats meet vulnerabilities.

  • Risk Management: Minimizing likelihood of adverse outcomes.

  • Confidentiality Importance:

    • Protects personal privacy

    • Maintains business advantage

    • Achieves regulatory compliance

  • Confidentiality Methods:

    • Encryption

    • Access Controls

Page 8

Methods for Ensuring Security

  • Data Masking: Obscuring specific data within a database.

  • Physical Security Measures: Protect both physical and digital information.

  • Training and Awareness: Regular security awareness training for employees.

  • Integrity Importance:

    • Ensures data accuracy

    • Maintains trust

    • Ensures system operability

  • Integrity Methods:

    • Hashing

    • Digital Signatures

    • Checksums

    • Access Controls

    • Regular Audits

Page 9

Availability & Continuity

  • Availability Definition: Ensures systems are operational when needed.

  • Availability Benefits:

    • Ensures business continuity

    • Maintains customer trust

    • Upholds reputation

  • Redundancy:

    • Types of Redundancy:

      • Server

      • Data

      • Network

      • Power

Page 10

Non-Repudiation

  • Non-Repudiation Definition: Ensures undeniable proof in digital transactions.

  • Digital Signatures: Unique for each user, created by hashing the message and encrypting that hash with the signer's private key.

  • Importance of Non-Repudiation:

    • Confirms transaction authenticity

    • Ensures integrity

    • Provides accountability

Page 11

Authentication Methods

  • Authentication Definition: Ensures entities are who they claim to be.

  • Common Authentication Methods:

    • Knowledge Factor

    • Possession Factor

    • Inherence Factor

    • Action Factor

    • Location Factor

  • Multi-Factor Authentication (MFA): Requires multiple identification methods for verification.

Page 12

Authorization & Accounting

  • Authorization Definition: Permissions granted post-authentication.

  • Importance of Authorization Mechanisms:

    • Protects sensitive data

    • Maintains system integrity

    • Streamlines user experience

  • Accounting Definition: Tracking user activities during transactions.

  • Robust Accounting Systems:

    • Audit trails

    • Regulatory compliance

    • Forensic analysis

    • Resource optimization

    • User accountability

Page 13

Technologies for Accounting

  • Technologies Used:

    • Syslog Servers: Aggregate logs for analysis.

    • Network Analysis Tools: Capture and analyze network traffic.

    • SIEM Systems: Provide real-time security alerts.

Page 14

Security Control Categories

  • Broad Categories:

    • Technical

    • Managerial

    • Operational

    • Physical

  • Basic Types of Security Controls:

    • Preventive

    • Deterrent

    • Detective

    • Corrective

    • Compensating

    • Directive

Page 15

Gap Analysis and Processes

  • Gap Analysis Definition: Evaluating differences between current and desired performance.

  • Steps in Gap Analysis:

    • Define scope

    • Gather current-state data

    • Analyze data and identify areas for improvement

    • Develop a bridging plan

  • Types of Gap Analysis:

    • Technical

    • Business

Page 16

Zero Trust Architecture

  • Zero Trust Definition: Requires verification for every access request, no inherent trust.

  • Control Plane: Manages user and system access policies.

  • Key Elements:

    • Adaptive Identity

    • Threat Scope Reduction

    • Policy-Driven Access Control

    • Secured Zones

Page 17

Policy Management

  • Data Plane Components:

    • Subject/System

    • Policy Enforcement Point

  • Policy Engine: Cross-references access requests with policies.

  • Policy Administrator: Manages access policies.
