🛡️

Security Concepts and Controls

Jun 24, 2025

Overview

This lecture covers Domain 1 of the Security Plus 2024 Exam, focusing on general security concepts including types of security controls, fundamental security principles, physical security, change management, and cryptographic solutions.

Types and Categories of Security Controls

  • Security controls are grouped into technical (hardware/software), managerial (policy/procedure), physical (tangible), and operational (people enforcing controls).
  • Security controls can serve multiple functions: preventive (stop unwanted activity), deterrent (discourage violation), detective (discover incidents), corrective (restore systems), compensating (alternative/backup), and directive (guide behavior).
  • Examples: Encryption (technical), guards (physical), policies (managerial), training (operational).
  • Controls can overlap across categories and types depending on context.

Fundamental Security Concepts

  • CIA Triad: Confidentiality (restrict access), Integrity (prevent unauthorized modification), Availability (ensure reliable access).
  • Non-repudiation: Proof that a transaction occurred (often via digital signature/asymmetric cryptography).
  • AAA: Authentication (prove identity), Authorization (grant access), Accounting (track usage).
  • Access control models: Discretionary, non-discretionary, role-based, rule-based, mandatory, attribute-based.
  • Gap analysis: Compare current controls to standards, document deficiencies (control gaps).
  • Zero Trust: Assumes breach, verifies explicitly, enforces least privilege; includes policy enforcement and decision points.

Physical Security Controls

  • Ballards: block vehicle access.
  • Access control vestibule (mantrap): prevents tailgating/piggybacking.
  • Fences: deter and delay intruders (effectiveness varies by height/design).
  • Cameras/CCTV: detective; Security guards, badges: preventive/deterrent; Lighting: deterrent.
  • Sensors: Infrared (heat), pressure (weight), microwave, ultrasonic (movement).

Deception/Disruption Technologies

  • Honeypot: decoy system to observe attackers.
  • Honeynet: collection of honeypots.
  • Honey file/honey token: fake data to detect unauthorized access.

Change Management & Impact on Security

  • Change management: formal process for requesting, testing, approving, and documenting changes.
  • Change control: evaluates change requests (Change Advisory Board).
  • Key processes: approval, ownership, stakeholder impact, testing, backout plans, maintenance windows, documentation, version control.
  • Technical implications: update allow/deny lists, consider downtime, app restarts, legacy compatibility, dependencies.
  • Documentation and version control (e.g., git) are crucial for accurate security posture.

Cryptographic Solutions

  • PKI: Hierarchical structure with root, subordinate, issuing CAs; manages certificates.
  • Certificate types: user, root, domain validation, wildcard, code signing, self-signed, machine, email, SAN (subject alternative name).
  • Certificate status checked via CRL or OCSP.
  • Encryption scope: file, volume, disk (BitLocker, DM-Crypt, SEDs).
  • Data states: at rest (disk/cloud/transparent DB), in transit (TLS), in use (RAM encryption).
  • Symmetric encryption (AES, 3DES): fast, shared key, best for bulk data.
  • Asymmetric encryption (RSA, ECC): key pairs, used for signatures, key exchange.
  • Stream vs block ciphers; key stretching, salting, hashing (integrity), digital signatures (authenticity, non-repudiation).
  • Hardware security: TPM, HSM, secure enclave.
  • Data protection: tokenization, pseudonymization, anonymization, data minimization, data masking.
  • Blockchain: distributed ledger with proof of work; public ledgers can be centralized.
  • Cryptographic limitations: speed, key strength, compatibility, time, longevity, entropy, predictability.

Key Terms & Definitions

  • Technical Control — Security via technology (e.g. firewalls, encryption).
  • Managerial Control — Security via policies, procedures.
  • Physical Control — Tangible barriers (locks, fences).
  • Operational Control — People enforcing security practices.
  • CIA Triad — Confidentiality, Integrity, Availability.
  • Non-repudiation — Cannot deny an action/transaction.
  • AAA — Authentication, Authorization, Accounting.
  • Honeypot/Honeynet — Decoy systems to lure attackers.
  • PKI — Public Key Infrastructure for managing digital certificates.
  • CRL/OCSP — Methods to check certificate revocation.
  • BitLocker/DM-Crypt — Disk encryption tools.
  • TPM/HSM — Hardware for secure key storage.

Action Items / Next Steps

  • Download and review the PDF of Domain 1 presentation.
  • Review examples and context for each security control type.
  • Familiarize with key cryptographic algorithms and certificate types.
  • Ensure understanding of physical and operational controls.
  • Prepare for Domain 2 by reviewing foundational security principles.

Full transcript