SEC+ 701 MODULE 1

Cards (238)

  • Attackers are looking for different ways to gain access to our systems
  • We need to find different ways to prevent them from getting that access
  • We're protecting data, physical systems, buildings, people, and everything in our organization
  • Security controls can prevent events from occurring, minimize the impact of events that do occur, and limit the damage if someone gains access
  • Categories of security controls
    • Technical
    • Managerial
    • Operational
    • Physical
  • Technical controls
    Controls implemented using technical systems
  • Managerial controls
    Policies and procedures that explain how to manage computers, data, and systems
  • Operational controls
    Controls carried out by people rather than technology, like security guards, awareness programs, and user training
  • Physical controls
    Controls that limit physical access, like guard shacks, fences, locks, and badge readers
  • Preventive control
    Limits access to a resource, like a firewall rule or a guard shack
  • Deterrent control
    Discourages an attack without directly preventing it, like a splash screen, threat of consequences, or warning signs
  • Detective control
    Identifies and warns of a breach, like reviewing logs, patrols, or motion detectors
  • Corrective control
    Reverses or minimizes the impact of an event, like restoring from backup, reporting issues, contacting authorities, or using a fire extinguisher
  • Compensating control
    Provides an alternative means of control when the primary control is not available or not sufficient, like a firewall rule blocking an application that cannot yet be patched, separation of duties, multiple security guards, or a generator after a power outage
  • Directive control
    Directs someone to do something more secure, like policies for storing sensitive data, compliance training, or "authorized personnel only" signs
  • Directive controls
    • File storage policies
    • Compliance policies
    • Security training
    • "Authorized personnel only" sign
  • The examples provided are just one set, there are many other possible examples for each control type and category
  • Security controls and categories may evolve as technology and processes change
  • Different organizations will use different security controls
  • CIA Triad
    An easy way to remember the fundamentals of IT security
  • AIC Triad
    Differentiates the IT security triad from the federal organization in the US called the Central Intelligence Agency
  • Confidentiality (C in CIA Triad)
    Preventing unauthorized parties from gaining access to private information
  • Integrity (I in CIA Triad)
    Ensuring data is not modified in transit or at rest, so the recipient receives exactly what the originator sent
  • Availability (A in CIA Triad)
    Ensuring systems and data are accessible to authorized users when they are needed
  • The CIA Triad is often represented as a triangle, with each leg representing confidentiality, integrity, and availability
  • Making data available to others
    Availability has to be balanced against confidentiality: data is made available only to the right people
  • Providing confidentiality through encryption
    1. Encrypt data
    2. Send encrypted data
    3. Recipient decrypts data
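The three steps above, run as an added example that is not part of the course material. The cipher is a keystream built from HMAC-SHA256 in counter mode (a PRF used as a stream cipher) so that it runs with only the Python standard library; it is for illustration, and a production system would use a vetted AEAD such as AES-GCM. The shared key, the eavesdropper's guessed key, and the message are all constructed here.

```python
"""Confidentiality through encryption: encrypt, send, decrypt.

Added example, not from the course.  Keystream = HMAC-SHA256(key, nonce || counter)
used as a stream cipher; stdlib-only for portability, illustration only.
"""
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Step 1: encrypt.  A fresh 16-byte nonce is prepended so the same key never
    reuses a keystream (reuse would leak plaintext XOR plaintext to an observer)."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Step 3: the recipient recovers the plaintext with the shared key."""
    nonce, body = ciphertext[:16], ciphertext[16:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def demo() -> dict:
    key = secrets.token_bytes(32)        # shared secret, assumed exchanged out of band
    wrong_key = secrets.token_bytes(32)  # what an eavesdropper would have to guess
    message = b"account=4111-1111-1111-1111"  # constructed sample data

    ciphertext = encrypt(key, message)          # step 1
    # step 2: `ciphertext` is what crosses the network; an observer sees only this
    recovered = decrypt(key, ciphertext)        # step 3, with the right key
    garbage = decrypt(wrong_key, ciphertext)    # eavesdropper without the key

    return {
        "on_the_wire_readable": message in ciphertext,
        "recipient_recovers": recovered == message,
        "eavesdropper_recovers": garbage == message,
    }


if __name__ == "__main__":
    print(demo())
```

The point the cards make is that confidentiality rests on who holds the key: the same bytes cross the wire in both cases, and only the party with the shared key gets the plaintext back.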
  • Access controls
    Limiting who has access to certain types of information
  • Additional authentication factors
    Providing more confidentiality by requiring more credentials to access an account
  • Providing integrity through hashing
    1. Sender creates hash of data
    2. Sends data and hash
    3. Recipient verifies hash matches
  • Digital signatures
    A hash of the data encrypted (signed) with the sender's private key; anyone with the sender's public key can verify it, which provides integrity plus proof of who sent the data
  • Certificates
    Used to identify devices or people: a certificate binds a public key to an identity and is signed by a trusted authority, adding integrity to the identity check
  • Nonrepudiation
    Proof that the information came from the originating party and was not altered, so the sender cannot later deny sending it
  • Availability
    • Ensuring people have access to the data they'd like to view
    • Designing systems to always be up and running
    • Implementing fault tolerance
    • Patching and managing systems to ensure stability
  • Cryptography
    Provides nonrepudiation: when someone sends data to a third party, that third party is able to verify the information really came from the sender and was not modified
  • Signing a contract
    Provides proof that the contract was signed by the person
  • Proof of integrity
    Verifying that the data received is exactly the same as the data that was originally sent
  • Hash
    A short string of text created based on data in the plaintext, also called a message digest or fingerprint
  • If anything changes in the data, the hash will be different
  • A hash can verify the integrity of data but not who sent it: anyone who modifies the data, including an attacker, can simply compute a new matching hash, which is why a digital signature is needed for proof of origin