
Foundational Security Concepts and Controls

Nov 29, 2024

Security Plus Exam Cram Series 2024 Edition: Domain 1

Overview

  • Focus on general security concepts.
  • Categories and types of security controls.
  • Impact of change management on security.
  • Importance of cryptographic solutions.

Categories of Security Controls

  1. Technical Controls: Hardware/software mechanisms that enforce security (e.g., encryption, firewalls, access control lists).
  2. Physical Controls: Protection for facilities and physical assets (e.g., guards, locks, cameras, fences).
  3. Managerial Controls: Policies and procedures set by management (e.g., hiring practices, security training, risk assessments).
  4. Operational Controls: Day-to-day procedures carried out by people rather than by systems (e.g., log review, backups, change approvals).

Types of Security Controls

  • Preventive: Stop unwanted activity before it happens (e.g., locks, firewalls, access controls).
  • Deterrent: Discourage violations without physically stopping them (e.g., warning signs, visible cameras, lighting).
  • Detective: Discover unwanted activity while or after it happens (e.g., audit trails, intrusion detection, alarm systems).
  • Compensating: Substitute for a required control that cannot be implemented (e.g., extra monitoring or network segmentation around a system that cannot be patched).
  • Corrective: Restore systems to normal after an incident (e.g., backups, patching).
  • Directive: Guide or mandate behavior (e.g., policies, signage, acceptable use agreements).

Security Control Context

  • Controls can have multiple types based on context of use.
  • Example: A lock can act as both preventive and deterrent.

Fundamental Security Concepts

  • CIA Triad: Confidentiality, Integrity, and Availability.
  • Non-repudiation: A party cannot later deny having performed an action (e.g., a digital signature on a message or transaction).
  • AAA: Authentication (proving identity), Authorization (what that identity may do), and Accounting (logging what it did); implemented by protocols such as RADIUS and TACACS+.

Authorization Models

  • Non-discretionary: Access rules set centrally by the system or administrator rather than by the data owner (role-based, rule-based and mandatory models all fall here).
  • Discretionary (DAC): The object's owner grants or denies access to others (e.g., file permissions, ACLs).
  • Role-based (RBAC): Permissions are attached to roles/groups; users get whatever their roles allow.
  • Rule-based: Global rules applied to every user regardless of identity (e.g., a firewall rule set, time-of-day restrictions).
  • Mandatory (MAC): Access decided by comparing the subject's clearance with the object's label (e.g., military classifications); owners cannot override it.
  • Attribute-based (ABAC): Decisions evaluated from subject, object and environment attributes (e.g., department, time of day, device state).
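The six bullets above describe the models in words; the following is an added example (not from these notes or from the exam) that puts one small decision function per model side by side so the differences are visible in code. Every user, role, label, ACL and policy in it is constructed sample data.

```python
"""Added example (not from the exam-cram notes): one small decision function per
authorization model, so the difference between DAC, MAC, RBAC and ABAC shows up
in code. Every user, role, label and policy here is constructed sample data."""

from dataclasses import dataclass, field


# --- Discretionary (DAC): the object's owner decides who gets which rights ----
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of rights

    def grant(self, actor: str, user: str, right: str) -> bool:
        # Only the owner may change the ACL; anyone else is refused.
        if actor != self.owner:
            return False
        self.acl.setdefault(user, set()).add(right)
        return True


def dac_allowed(obj: DacObject, user: str, right: str) -> bool:
    return user == obj.owner or right in obj.acl.get(user, set())


# --- Mandatory (MAC): labels compared by the system, owners cannot override ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_read_allowed(subject_clearance: str, object_label: str) -> bool:
    # Bell-LaPadula simple security rule: a subject may not read "up".
    return LEVELS[subject_clearance] >= LEVELS[object_label]


# --- Role-based (RBAC): permissions hang off roles, users are put in roles ----
ROLE_PERMS = {
    "analyst": {"ticket:read", "ticket:comment"},
    "admin": {"ticket:read", "ticket:comment", "ticket:delete", "user:manage"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}


def rbac_allowed(user: str, permission: str) -> bool:
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMS.get(role, set()) for role in roles)


# --- Attribute-based (ABAC): policy evaluated over subject/object/environment --
def abac_allowed(subject: dict, resource: dict, action: str, env: dict) -> bool:
    # Constructed policy: a record's owner may always read it; otherwise finance
    # staff may read finance records, but only in business hours from a
    # managed device. Attributes, not identities, drive the decision.
    if action == "read" and resource["owner"] == subject["id"]:
        return True
    return (
        action == "read"
        and subject["department"] == "finance"
        and resource["department"] == "finance"
        and 9 <= env["hour"] < 18
        and env["managed_device"]
    )


if __name__ == "__main__":
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob read :", dac_allowed(doc, "bob", "read"))            # True
    print("MAC  conf->sec:", mac_read_allowed("confidential", "secret"))  # False
    print("RBAC alice del:", rbac_allowed("alice", "ticket:delete"))      # False
    print("ABAC carol    :", abac_allowed(
        {"id": "carol", "department": "finance"},
        {"owner": "dave", "department": "finance"},
        "read", {"hour": 22, "managed_device": True}))                    # False
```

The point to take from the four functions: in DAC the decision lives in a per-object ACL that the owner edits; in MAC it is a fixed comparison of labels that no owner can change; in RBAC the user never appears in the permission table at all, only roles do; and in ABAC the same request from the same person can be allowed at 10:00 on a managed laptop and denied at 22:00 from an unmanaged one.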

Change Management

  • Importance: Reduces the risk of outages and security gaps caused by unauthorized or untested changes.
  • Processes: Approval process, ownership, stakeholder analysis, impact analysis, test results, backout plan, maintenance window, documentation and version control.
  • Technical Considerations: Allow/deny list and firewall updates, restricted activities, downtime and service restarts, dependencies, legacy application impact.

Cryptographic Solutions

  • Public Key Infrastructure (PKI): The certificate authorities, registration authorities and processes for issuing, distributing and revoking certificates that bind public keys to identities.
  • Certificate Types: User, root, domain validation, extended validation, wildcard.
  • Encryption Levels: File, volume, full disk.
  • Data States: Data at rest, in transit, in use.
  • Symmetric vs. Asymmetric: Symmetric (one shared key) is fast and used for bulk data; asymmetric (public/private key pair) is used for key exchange and digital signatures.

Tools for Cryptography

  • TPM: Chip on the motherboard that stores keys and boot measurements; backs full disk encryption (e.g., BitLocker) and secure/measured boot.
  • HSM: Dedicated tamper-resistant device that generates, stores and uses keys without ever exposing them to the host; used for CA keys and high-value signing.
  • Key Management Systems: Centralised generation, storage, rotation and revocation of keys and application secrets.

Obfuscation Techniques

  • Steganography: Hiding data inside other data, such as a message embedded in an image or audio file.
  • Tokenization: Replacing a sensitive value with a random token; the original is kept in a separate vault and can only be recovered through it.
  • Anonymization: Removing or generalizing identifying fields so that records can no longer be linked to a person.
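Tokenization and anonymization are easy to confuse because both "replace" data. The following added example (not from these notes) shows the difference in code: a toy token vault that is fully reversible, but only by whoever holds the vault, next to an anonymizer that drops direct identifiers and generalizes the rest, plus a k-anonymity check showing why deleting the name alone is not enough. The vault format, field names, card number and patient records are all constructed for the example.

```python
"""Added example (not from the exam-cram notes): a toy tokenization vault next to
a record anonymizer, to show the difference between the two. The card number and
patient records are constructed test data."""

import secrets
from collections import Counter


class TokenVault:
    """Replaces a sensitive digit string (e.g., a card number) with a random
    token and keeps the only copy of the mapping. Without the vault the token
    reveals nothing about the value."""

    def __init__(self) -> None:
        self._value_by_token: dict[str, str] = {}
        self._token_by_value: dict[str, str] = {}  # same value -> same token

    def tokenize(self, value: str) -> str:
        if value in self._token_by_value:
            return self._token_by_value[value]
        # Random digits of the same length, last four kept so receipts can
        # still show "ending in 1111" (format-preserving, as many PAN vaults do).
        while True:
            token = "".join(secrets.choice("0123456789") for _ in value[:-4]) + value[-4:]
            if token != value and token not in self._value_by_token:
                break
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._value_by_token[token]  # KeyError for an unknown token


DIRECT_IDENTIFIERS = {"name", "email", "ssn"}


def anonymize(record: dict) -> dict:
    """Drop direct identifiers and generalize quasi-identifiers (age, ZIP).
    Unlike tokenization there is no mapping kept; this is not reversible."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    age = out.pop("age")
    out["age_band"] = f"{age // 10 * 10}-{age // 10 * 10 + 9}"
    out["zip3"] = out.pop("zip")[:3]
    return out


def k_anonymity(records: list, quasi_ids: tuple) -> int:
    """Size of the smallest group of records sharing the same quasi-identifier
    values. A record alone in its group (k = 1) can still be re-identified by
    linking those attributes to another data set."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())


# Constructed sample records (no real people).
PATIENTS = [
    {"name": "Ann Lee", "email": "ann@example.com", "age": 34, "zip": "02139", "dx": "flu"},
    {"name": "Bo Chen", "email": "bo@example.com", "age": 37, "zip": "02142", "dx": "asthma"},
    {"name": "Cy Diaz", "email": "cy@example.com", "age": 58, "zip": "02139", "dx": "flu"},
]

if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")
    print(tok, "->", vault.detokenize(tok))
    anon = [anonymize(p) for p in PATIENTS]
    print(anon[0])
    print("k over (age_band, zip3):", k_anonymity(anon, ("age_band", "zip3")))  # 1
    print("k over (zip3,):", k_anonymity(anon, ("zip3",)))                    # 3
```

Two things the bullets alone do not convey: the token is safe to store or display precisely because it is random rather than derived from the value, so losing the token database is harmless without the vault; and the anonymized set still has a k of 1 over age band and ZIP prefix, meaning the 58-year-old is unique and could be re-identified by anyone who knows one 58-year-old in that area, so coarser generalization or suppression would be needed before release.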

Additional Concepts

  • Hashing: One-way function that maps input of any length to a fixed-length digest; any change to the input changes the hash, and the input cannot be recovered from it.
  • Salting: Adding random data to each password before hashing so identical passwords produce different hashes and precomputed (rainbow) tables are useless.
  • Digital Signatures: Hash of the message encrypted with the sender's private key; anyone with the public key can verify it, giving authenticity, integrity, and non-repudiation.
  • Key Stretching: Running a password or weak key through many rounds of a hash or key derivation function (e.g., PBKDF2, bcrypt) so that each guess costs an attacker far more time; it raises the work factor, not just the length.
  • Blockchain: Distributed public ledger in which each block includes the hash of the previous one, making earlier transactions tamper-evident.
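The hashing, salting and key-stretching bullets above are best seen together. The following is an added example (not from these notes) that stores a password the wrong way (one unsalted SHA-256) beside the right way (a per-user random salt plus PBKDF2 rounds), using only the Python standard library. The stored-record format (`pbkdf2_sha256$iterations$salt$digest`) and the default of 600,000 rounds are this example's own choices; 600,000 is the iteration count OWASP currently recommends for PBKDF2-HMAC-SHA256.

```python
"""Added example (not from the exam-cram notes): password storage with an unsalted
hash beside a salted, stretched one, using only the Python standard library.
The stored-record format and iteration count are this example's own choices."""

import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 rounds (OWASP's current recommendation)


def unsalted_digest(password: str) -> str:
    """What NOT to do: the same password gives the same hash for every user, so
    a precomputed table or one cracked hash breaks all of them at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salting (16 random bytes) + key stretching (PBKDF2 rounds). The salt and
    iteration count are stored in the clear next to the digest; they are not
    secrets, they just make every guess unique and expensive."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds, then compare in constant time
    so timing does not leak how many leading bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        expected = bytes.fromhex(digest_hex)
    except ValueError:  # malformed record: wrong field count, bad hex or rounds
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Unsalted: two users with the same password are indistinguishable.
    print(unsalted_digest("Winter2024!") == unsalted_digest("Winter2024!"))  # True
    # Salted + stretched: same password, two different records, both verify.
    a, b = hash_password("Winter2024!"), hash_password("Winter2024!")
    print(a != b, verify_password("Winter2024!", a), verify_password("wrong", b))  # True True False
```

Note that the salt is generated with `secrets`, not `random`, and that `verify_password` reads the iteration count out of the record rather than from the constant, which is what lets you raise `ITERATIONS` later and re-hash users on their next successful login without breaking existing records.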

Summary

  • Domain 1 covers foundational concepts essential for security practices.
  • Emphasizes understanding security controls, change management, and cryptographic tools.

Use these notes to review key points and prepare for the Security Plus exam.