Security Plus Exam Cram Series 2024 Edition - Domain 1: General Security Concepts

Jul 28, 2024

Overview

  • Focus on General Security Concepts for the Security Plus exam.
  • Covers categories and types of security controls, fundamental security concepts, change management impacts, and cryptographic solutions.

Categories and Types of Security Controls

Categories

  1. Technical: Hardware/software mechanisms managing access. E.g., encryption, ACL, firewalls.
  2. Physical: Mechanisms protecting physical facilities/objects. E.g., guards, cameras, locks.
  3. Managerial: Policies and procedures directing security. E.g., hiring practices, risk assessments.
  4. Operational: Processes ensuring compliance with security policies. E.g., awareness training, configuration management.

Control Types

  1. Preventive: Prevents unwanted activity (e.g., encryption, firewalls).
  2. Deterrent: Discourages violation attempts (e.g., guards, lights).
  3. Detective: Detects activity (e.g., IDS, cameras).
  4. Corrective: Corrects environment after activity (e.g., backups, patches).
  5. Compensating: Alternative controls aiding policy enforcement (e.g., monitoring).
  6. Directive: Directs actions of subjects (e.g., policies, procedures).

Exam Tips

  • Memorize examples of each control type.
  • Controls can fit multiple types based on context.

Fundamental Security Concepts (Section 1.2)

  • CIA Triad: Confidentiality, Integrity, Availability.
  • Non-repudiation: Ensures a party cannot deny having performed a transaction (e.g., digital signatures).
  • AAA Model: Authentication, Authorization, Accounting.
  • Identification and Authentication: Proving identity and access rights.
  • Authorization Models: DAC, MAC, RBAC, ABAC.
  • Gap Analysis: Identifying deficiencies vs. standards (e.g., ISO 27001).
  • Zero Trust: No entity trusted by default; verify every request.
  • Physical Security: Fundamental for preventing breaches.

Detailed Topics

  • Zero Trust Architecture: Policies and enforcement points for verifying and controlling access.
  • Physical Security Controls: Bollards, access control vestibules, fences, video surveillance.
  • Types of Sensors: Infrared, Pressure, Microwave, Ultrasonic.
  • Deception/Disruption Technologies: Honeypots, honeynets, honeyfiles, honey tokens.

Change Management Processes and Impact (Section 1.3)

  • Configuration Management: Ensuring consistent system configurations.
  • Change Management: Policy and process for change handling.

Business Processes

  • Approval: Management review required.
  • Ownership: Clear designation of change responsibility.
  • Stakeholder Analysis: Identifying and coordinating affected parties.
  • Impact Analysis: Assessing and documenting potential impacts.
  • Testing: Validating changes in a test environment.
  • Backout Plan: Steps to revert changes if issues arise.
  • Maintenance Windows: Scheduling changes to minimize business impact.
  • Documentation: Ensuring changes are documented and updated.
  • Technical Considerations: Firewall rules, downtime, application impact.

Cryptographic Solutions (Section 1.4)

  • PKI Concepts: Key management, CA hierarchy, CRLs, OCSP.
  • Certificate Types: User, Root, Domain Validation, Extended Validation, Wildcard, Code Signing, Self-Signed, Machine, Email, SAN.
  • Encryption by Scope: File, Volume, Disk encryption.
  • Symmetric vs Asymmetric Encryption: Use cases, algorithms (AES, RSA).

Encryption Tools

  • TPM: Chip on motherboard for managing keys.
  • HSM: Physical device managing digital keys.
  • Hardware Root of Trust (e.g., TPM, HSM).
  • Key Management Systems (e.g., AWS KMS).
  • Secure Enclave: Isolated area for secure data processing.
  • Obfuscation: Steganography, tokenization, pseudonymization.
  • Hashing: Verifying data integrity, digital signatures.
  • Salting: Preventing rainbow table attacks.
  • Digital Signatures: Ensuring integrity, authentication, non-repudiation.
  • Key Stretching: Making weak keys stronger.
  • Blockchain and Open Public Ledger: Distributed ledgers ensuring transaction integrity.
  • Use Cases/Limitations: Specific scenarios and constraints for encryption implementations.

Summary of Security Controls in Context

  • Understand and memorize the relationship between control categories and types.
  • Familiarize yourself with cryptographic tools and key concepts of PKI.
  • Pay attention to documentation, change management processes, and encryption strategy in maintaining secure systems.