CompTIA Security+ SY0-701 Course Notes (James Messer)-10-26

Page 1: Security Controls

  • Security Risks and Assets

    • Many categories and types of security risks exist.

    • Assets can include data, physical property, and computer systems.

  • Objectives of Security Controls

    • Prevent security events, minimize impacts, and limit damages through effective security controls.

  • Control Categories

    • Technical Controls:

      • Implemented using systems (e.g., operating systems, firewalls, anti-virus).

    • Managerial Controls:

      • Administrative controls for security design and implementation (e.g., policies, procedures).

    • Operational Controls:

      • Controls enacted by personnel rather than systems (e.g., security guards, training programs).

    • Physical Controls:

      • Limit physical access (e.g., guard shacks, fences, locks).

  • Control Types

    • Preventive:

      • Block access to resources (e.g., firewall rules, checks).

    • Deterrent:

      • Discourage intrusions (e.g., warning signs).

    • Detective:

      • Identify and log intrusions (e.g., logging, patrols).

    • Corrective:

      • React after events (e.g., restoring backups).

    • Compensating:

      • Control through alternative means when existing controls are insufficient.

    • Directive:

      • Direct subjects toward compliance; considered a relatively weak control.

Page 2: The CIA Triad

  • Definition of CIA Triad:

    • Confidentiality, Integrity, Availability - principles central to security.

  • Confidentiality:

    • Prevent unauthorized information disclosure through encryption, access controls, and two-factor authentication.

  • Integrity:

    • Ensure data is stored and transferred as intended without unauthorized modification (e.g., using hashing and digital signatures).

  • Availability:

    • Ensure information is accessible to authorized users at all times (e.g., redundancy, fault tolerance).

  • Managing Security Controls:

    • Security controls are dynamic and may vary across organizations.

Page 3: Non-repudiation

  • Concept Description:

    • Ensures individuals cannot deny their actions (e.g., signing contracts).

  • Proof of Integrity:

    • Use hashing to verify data consistency (e.g., hash change indicates data alteration).

  • Proof of Origin:

    • Authenticity is ensured through digital signatures that verify the message source.

  • Digital Signature Creation:

    • Involves hashing plaintext and encrypting that hash with a private key.

    • Verification is done using the public key, ensuring authenticity and integrity.
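The sign-then-verify flow described above, as an added worked example (not code from the course notes or from Professor Messer): the message is hashed with SHA-256 (proof of integrity), the digest is "encrypted" with the private key (proof of origin), and the verifier recovers the digest with the public key and compares it against a fresh hash. The RSA key pair is a constructed textbook example with tiny primes so the arithmetic is readable; it offers no security, and because its modulus is far smaller than a 256-bit digest, each digest byte is signed separately, which real RSA signature schemes never do (they pad and sign the whole digest). The sample message is constructed.

```python
"""Toy demonstration of proof of integrity (hashing) and proof of origin
(digital signature): sign = hash, then encrypt the hash with the private key;
verify = decrypt with the public key and compare against a fresh hash."""
import hashlib
from typing import List, Tuple

# Constructed toy RSA key pair (assumption: tiny primes for readability; NOT secure).
_P, _Q = 61, 53
N = _P * _Q                      # modulus, 3233
_PHI = (_P - 1) * (_Q - 1)       # 3120
E = 17                           # public exponent
D = pow(E, -1, _PHI)             # private exponent, 2753 (Python 3.8+ modular inverse)
PUBLIC_KEY: Tuple[int, int] = (E, N)
PRIVATE_KEY: Tuple[int, int] = (D, N)


def digest(message: bytes) -> bytes:
    """Proof of integrity: a SHA-256 digest; any change to the message changes it."""
    return hashlib.sha256(message).digest()


def sign(message: bytes, private_key: Tuple[int, int]) -> List[int]:
    """Hash the message, then 'encrypt' the digest with the private key.

    The toy modulus (3233) is smaller than a 256-bit digest, so each digest
    byte (0..255) is signed on its own. Real RSA signatures pad and sign the
    whole digest as one integer."""
    d, n = private_key
    return [pow(b, d, n) for b in digest(message)]


def verify(message: bytes, signature: List[int], public_key: Tuple[int, int]) -> bool:
    """Recover the digest with the public key and compare it to a fresh hash.

    A match proves origin (only the matching private key could have produced
    the signature) and integrity (the message still hashes to the signed digest)."""
    e, n = public_key
    if len(signature) != hashlib.sha256().digest_size:
        return False                      # wrong length: cannot be a valid signature
    recovered = [pow(s, e, n) for s in signature]
    return recovered == list(digest(message))


if __name__ == "__main__":
    # Constructed sample message standing in for the signed contract in the notes.
    contract = b"I agree to pay 500 EUR on 2024-06-01"
    sig = sign(contract, PRIVATE_KEY)
    print("original verifies:", verify(contract, sig, PUBLIC_KEY))     # True
    tampered = contract.replace(b"500", b"900")
    print("tampered verifies:", verify(tampered, sig, PUBLIC_KEY))     # False: digest changed
    print("wrong public key:", verify(contract, sig, (19, N)))         # False: origin check fails
```

Running the script shows the three outcomes the notes describe: the untouched message verifies, a one-character change to the amount changes the digest and fails verification, and a signature checked against a key that does not match the signer's private key also fails, which is what lets the signer neither deny the signed contract nor be impersonated.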

Page 4: AAA Framework

  • Overview of AAA:

    • Authentication, Authorization, Accounting – fundamental concepts in access control.

  • Identification:

    • Establish who individuals claim to be (e.g., usernames).

  • Authentication:

    • Validating the individual’s identity through passwords or other means.

  • Authorization:

    • Determining access levels based on identities and authentication status.

  • Accounting:

    • Tracking resources used by users, such as login times and data usage.

Page 5: Gap Analysis

  • Purpose of Gap Analysis:

    • Identify the disparity between current security posture and desired goals.

  • Choosing Frameworks:

    • Utilize established standards like NIST SP 800-171 or ISO/IEC 27001 for benchmarks.

  • Evaluate People and Processes:

    • Assess employees’ training and security knowledge alongside current processes and policies.

  • Comparison and Analysis:

    • Perform comparative analyses to identify weaknesses and successful processes.

  • Final Reporting:

    • Document the gap analysis and provide a clear path to improve security posture.

Page 6: Zero Trust Strategy

  • Zero Trust Concept:

    • Verify every user and device accessing the network; nothing is trusted by default.

  • Functional Planes:

    • Distinction between data plane and control plane for operational efficiency.

  • Controlling Trust:

    • Employ policy enforcement points (PEP) to manage user and system access effectively.

Page 7: Physical Security Measures

  • Barricades and Bollards:

    • Used to prevent unauthorized vehicle access.

  • Access Control Vestibules:

    • Manage entry through secured door systems (e.g., one door must close before another can open).

  • Fencing:

    • Create secure perimeters (e.g., robust, climb-resistant designs).

  • Video Surveillance:

    • CCTV systems for physical security monitoring and alerts.

  • Guards and Access Badges:

    • Personnel overseeing access, including two-person integrity rules for sensitive areas.

Page 8: Change Management

  • Change Management Importance:

    • Procedures for implementing changes to minimize risks and disruptions in systems.

  • Change Approval Process:

    • Formal steps to manage changes (request, analysis, approval).

  • Impact Analysis:

    • Identify risks associated with both changes and non-changes.

  • Testing and Backout Plans:

    • Use sandbox environments to confirm change functionality and devise reversion strategies.

Page 9: Technical Change Management

  • Execution of Change Management:

    • Processes established to make system changes.

  • Allow List/Deny List:

    • Control application execution for security (allow approved, deny malicious).

Page 10: Public Key Infrastructure (PKI)

  • PKI Definition:

    • Framework for managing digital certificates and associated keys.

  • Symmetric vs. Asymmetric Encryption:

    • Symmetric uses a single shared key; asymmetric uses a public/private key pair.

Page 11: Encrypting Data

  • Encryption Types:

    • Encrypting stored data (data at rest) and data in transit (data in motion).

Page 12: Key Exchange and Technologies

  • Key Exchange Methods:

    • Securely sharing any encryption keys needed for communication.

Page 13: Obfuscation Techniques

  • Obfuscation Method:

    • Making data unclear to protect sensitive information.

Page 14: Hashing and Digital Signatures

  • Hash Functionality:

    • Creating message digests to verify integrity and confidentiality.

Page 15: Blockchain Technology

  • Blockchain Overview:

    • Distributed ledger for maintaining transaction records and security applications.

Page 16: Certificates

  • Digital Certificates:

    • Bind a public key to an identity to establish trust.

Page 17: Certificate Management

  • Certificate Authorities (CA):

    • Serve as trusted entities to validate and sign digital certificates.
