COMPTIA SY0-701: Overview
The COMPTIA Security+ SY0-701 exam divides into five general security topics:
- General Security Concepts
- Threats, Vulnerabilities, and Mitigations
- Security Architecture
- Security Operations
- Security Program Management and Oversight
Summarizing and clarifying certain topics. Most is stuff I already know.
Resources and Links
COMPTIA SY0-701: General Security Concepts
Security Controls
Compare and contrast various types of security controls:
Categories
- Technical
- Also called logical security controls; implemented with technology and executed by computer systems.
- "Hardware and software controls used to provide automated protection to the IT system or applications." (CNSS 4009)
- Examples: IDS, Firewalls, Encryption
- Managerial
- Also called administrative security controls; documented policies that prioritize risk reduction.
- Examples: Organizational security policies (the procedures not the implementation in say AWS IAM), risk assessments, and security awareness training.
- Operational
- The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems).
- Security controls that keep machines and devices running correctly.
- Physical
- Set of measures taken to protect business assets (including information, hardware, people, and data) from physical threats.
Control Types
- Preventive
- Prevents incidents
- Policies, standards, procedures, firewalls, configurations, etc.
- Deterrent
- Deters would-be attackers
- Examples: Locks, vestibules, lighting, signs, steel doors, etc.
- Detective
- Identifies problems once they have occurred
- Examples: audits, investigations, anomaly reports, etc.
- Corrective
- Fixes a problem after it's occurred
- Examples: patch, fix, new policy, disciplinary action, etc.
- Compensating
- Alternative taken to address a security concern
- Examples: reverting to a prior secure version instead of patching due to lack of expertise or time, using automated detection systems in light of low staff count, etc.
- Directive
- Established to bring about desired outcomes
- Examples: a new guidance that aims to make it easier to apply security fixes in the future, etc.
Security Concepts
Summarize fundamental security concepts:
- Confidentiality, Integrity, and Availability (CIA)
- Confidentiality
- Preserves privacy and prevents unauthorized access or disclosure.
- Integrity
- Guarantees the authenticity, completeness, and trustworthiness of the resource.
- Availability
- The resource is accessible when needed and in a timely manner.
- Non-repudiation
- Cannot dispute authorship or origin of something. (Cannot repudiate something.)
- Authentication, Authorization, and Accounting (AAA)
- Authenticating People
- Authenticating systems
- Authorization models
- Gap Analysis
- Zero Trust
- Control Plane
- Responsible for defining and managing security policies.
- Adaptive Identity
- Threat Scope Reduction
- Policy-Driven Access Control
- Policy Administrator (PA)
- Policy Engine (PE)
- Data Plane
- Responsible for enforcing and executing the security policies defined by the Control Plane.
- Implicit Trust Zones
- Subject/System
- Policy Enforcement Point (PEP)
- Refer to: https://konghq.com/learning-center/cloud-connectivity/control-plane-vs-data-plane
- Physical Security
- Bollards
- Vertical posts that create a physical barrier outside a building.
- Access Control Vestibule
- A secured entrance booth that someone must pass through to gain entry to a building.
- Fencing
- Video Surveillance
- Security Guard
- Access Badge
- Lighting
- Sensors
- Infrared
- Pressure
- Microwave
- Ultrasonic
- Deception and Disruption Technology
- Honeypot
- A resource that's designed to detect, deflect, or distract unauthorized use of a system.
- Legitimate users should not access or use the Honeypot.
- Example: a subsystem that secretly tracks unauthorized IP Addresses by posing as a security vulnerability
- Honeynet
- A Honeypot that's an entire network that's used to detect vulnerabilities.
- Uses servers, routers, logging, switches, firewalls, and other devices to monitor and track would-be hackers.
- Honeyfile
- A Honeypot that's a file that tracks a would-be hacker.
- Legitimate users should not access or use the Honeyfile.
- Honeytoken
- An identifier that's used to flag a would-be attacker and their actions on a network.
- Examples: a cookie or bearer token that's generated when a user accesses something in an unauthorized way and then is subsequently used to track the whereabouts and actions of that user.
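The Honeytoken idea above is easiest to see as detection logic. The following is an added example (not from these notes): a small registry of planted decoy values and a scanner that raises an alert whenever one of them shows up in a log line. The tokens, file locations, IP addresses and log lines are all constructed for the example; the "AKIA..." string is a fake key, not a real credential.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Dict, List

# Registry of planted honeytokens (constructed). Each value sits somewhere no
# legitimate workflow ever reads it, so any appearance in a log is an indicator.
HONEYTOKENS: Dict[str, str] = {
    "AKIAHONEY0000EXAMPLE": "decoy cloud access key in /srv/app/.env.backup",
    "hp_session_9f31c2": "decoy session cookie in config/legacy_cookies.txt",
}


def new_honeytoken(prefix: str = "hp_session_") -> str:
    """Mint a fresh, unguessable token to plant; record it in HONEYTOKENS with its location."""
    return prefix + secrets.token_hex(4)


@dataclass
class Alert:
    token: str
    source_ip: str
    planted_at: str
    line: str


TOKEN_RE = re.compile("|".join(re.escape(t) for t in HONEYTOKENS))
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_logs(lines: List[str]) -> List[Alert]:
    """One Alert per log line that mentions a planted token, with a best-effort source IP."""
    alerts = []
    for line in lines:
        hit = TOKEN_RE.search(line)
        if not hit:
            continue
        ip = IPV4_RE.search(line)
        alerts.append(Alert(hit.group(0), ip.group(1) if ip else "unknown",
                            HONEYTOKENS[hit.group(0)], line.strip()))
    return alerts


# Constructed log lines: two benign entries and two uses of planted tokens.
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z sshd[412]: Accepted publickey for deploy from 198.51.100.4 port 50211",
    "2024-05-01T10:05:43Z app[77]: GET /api/orders cookie=session=hp_session_9f31c2 src=203.0.113.7 status=401",
    "2024-05-01T10:06:02Z app[77]: GET /api/orders cookie=session=a1b2c3 src=198.51.100.4 status=200",
    "2024-05-01T10:09:30Z cloudtrail: GetCallerIdentity accessKeyId=AKIAHONEY0000EXAMPLE sourceIPAddress=203.0.113.7 errorCode=AccessDenied",
]

if __name__ == "__main__":
    for a in scan_logs(SAMPLE_LOGS):
        print(f"HONEYTOKEN USED: {a.token} from {a.source_ip} (planted at: {a.planted_at})")
```

Because a honeytoken has no legitimate use, the detector needs no behavioural baseline: a single match is enough to alert, and the registry entry tells the responder which planted location was read.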
Change Management
Explain the importance of change management processes and the impact to security:
- Business Processes Impacting Security Operation
- Approval Process
- Ownership
- Stakeholders
- Impact Analysis
- Test Results
- Backout Plan
- Maintenance Window
- Standard Operating Procedure
- Technical Implications
- Allow Lists/Deny Lists
- Restricted Activities
- Downtime
- Service Restart
- Application Restart
- Legacy Applications
- Dependencies
- Documentation
- Updating Diagrams
- Updating Policies/Procedures
- Version Control
Cryptographic Solutions
Explain the importance of using appropriate cryptographic solutions:
- Public Key Infrastructure (PKI)
- Public Key
- Shared and potentially visible publicly.
- Example: an SSH Public Key added to GitHub.
- Private Key
- Known only to a specific user and never (or shouldn't be) shared publicly.
- Example: an SSH Private Key for connecting a terminal to GitHub that's stored locally in ~/.ssh.
- Key Escrow
- An arrangement where keys are held in escrow so an authorized third-party can get access to them.
- Encryption
- Level
- Full-Disk Encryption (FDE)
- Partition
- File
- Volume
- Database
- Record
- Transport/Communication
- Asymmetric
- Includes Public Key cryptography (PKI, above).
- Keys come in pairs with distinct levels of visibility: Public and Private.
- RSA
- Symmetric
- Where only one Key is used to encrypt or decrypt data.
- AES
- Key Exchange
- Where two or more parties coordinate the sharing or exchange of a Key deliberately created for the exchange.
- Often through Key Escrow.
- Algorithms
- Advanced Encryption Standard (AES)
- Trusted by U.S. Government.
- Typically 128, 192, or 256 bits (in increasing order of encryption strength).
- Widely thought to be resistant to Quantum tampering/decryption (although this has not been formally proven).
- Symmetric; lower AES cryptographic strengths are susceptible to Brute-Forcing attacks.
- Rivest–Shamir–Adleman (RSA)
- Used in PGP and GPG.
- Asymmetric Public and Private Key.
- Key Length
- Tools
- Trusted Platform Module (TPM)
- A dedicated microcontroller designed to secure hardware through integrated cryptographic Keys.
- Hardware Security Module (HSM)
- A physical computing device that protects and manages secrets.
- Key Management System
- Secure Enclave
- The Secure Enclave is a dedicated secure subsystem integrated into Apple chips isolated from the main processor to provide an extra layer of security.
- Obfuscation
- Steganography
- Concealing a file, message, image, or video within another file, message, image, or video.
- Tokenization
- Data Masking
- Hashing
- Any function or technique that maps some value to an entry or Key.
- Salting
- A value that's supplied along with an encryption algorithm (Cipher) and Plaintext value to introduce variance into the resultant encrypted text.
- Digital Signatures
- Key Stretching
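Hashing, Salting and Key Stretching come together in password storage, which is the setting where the exam expects you to recognise them. The block below is an added example (not from these notes) using only the Python standard library: an unsalted SHA-256 hash for contrast, then a salted hash stretched with PBKDF2-HMAC-SHA256 and a constant-time verifier. The storage format and iteration count are choices made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor for key stretching. Raising it makes every guess cost the attacker
# more CPU; it is stored with the hash so it can be increased later without
# breaking old records.
ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """What NOT to do: identical passwords give identical, precomputable hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, stretched hash in a self-describing '$'-separated record.

    A fresh random salt means two users with the same password get different
    records, so a precomputed table for one hash is useless against the other.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("unsalted, identical:", unsalted_sha256(pw) == unsalted_sha256(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("salted, differ:", a != b, "| both verify:", verify_password(pw, a) and verify_password(pw, b))
```

The iteration count is the stretching knob: it is the only parameter you tune over time, and keeping it inside the stored record is what lets old and new hashes coexist during a migration.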
- Blockchain
- Open Public Ledger
- Certificates
- Certificate Authorities (CA)
- Distinction between a CA and PKI:
- A CA issues and signs Certificates.
- PKI is a system of digital Certificates, Public Keys, and Private Keys that are used to secure communications.
- Certificate Revocation Lists (CRLs)
- A list of Certificates that have been revoked by a CA.
- Online Certificate Status Protocol (OCSP)
- Alternative to a CRL.
- Doesn't require encryption (CRLs do) so can be less secure.
- Smaller packet or request size (since they contain less info than CRLs).
- Obtain the revocation status of a digital certificate.
- Self-Signed
- Third-Party
- Root of Trust
- Certificate Signing Request (CSR) Generation
- Wildcard
Resources and Links
COMPTIA SY0-701: Threats, Vulnerabilities, and Mitigations
Threat Actors
Compare and contrast common threat actors and motivations:
- Threat Actors
- Nation-State
- Unskilled Attacker
- Hacktivist
- Insider Threat
- Organized Crime
- Shadow IT
- Attributes of Actors
- Internal/External
- Resources/Funding
- Level of Sophistication/Capability
- Motivations
- Data Exfiltration
- Espionage
- Service Disruption
- Blackmail
- Financial Gain
- Philosophical/Political Beliefs
- Ethical
- Revenge
- Disruption/Chaos
- War
Attack Surfaces
Explain common threat vectors and attack surfaces:
- Message-Based
- Short Message Service (SMS)
- Instant Messaging (IM)
- Image-Based
- File-Based
- Voice Call
- Removable Device
- Vulnerable Software
- Client-Based vs. Agentless
- Unsupported Systems and Applications
- Unsecure Networks
- Wireless
- Wired
- Bluetooth
- Open Service Ports
- Default Credentials
- Supply Chain
- Managed Service Providers (MSPs)
- Vendors
- Suppliers
- Human Vectors/Social Engineering
- Phishing
- Obtaining sensitive data through email and misleading URLs/links.
- Vishing
- Obtaining sensitive data through video and/or telephony services.
- Think video-based Phishing.
- Smishing
- Obtaining sensitive data through SMS text messages/messaging services.
- Think, SMS text-message Phishing.
- Misinformation/Disinformation
- Impersonation
- Business Email Compromise
- Pretexting
- Providing a false/fake reason to trick someone into divulging sensitive data.
- Watering Hole
- Identifying a website that an organization's users commonly visit and infecting it with malware.
- Think: infecting the "gathering place" where many users within an organization are likely to digitally congregate.
- Brand Impersonation
- Typosquatting
- Buying a Domain Name that's similar to a popular and well-trafficked website to trick people who reach it by mistyping or misspelling the address.
Vulnerabilities
Explain various types of vulnerabilities:
- Application
- Memory Injection
- Buffer Overflow
- Race Conditions
- Time-of-Check (TOC)
- Time-of-Use (TOU)
- These two separate concepts are often combined under one moniker: time-of-check to time-of-use (TOCTOU).
- TOCTOU vulnerabilities occur when the attacker can modify the resources after Time-of-Check (TOC) but before the Time-of-Use (TOU).
- https://research.nccgroup.com/wp-content/uploads/2021/09/TOCTOU_whitepaper.pdf
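The TOC/TOU distinction is clearer in code. The following is an added example (not from these notes or the linked whitepaper) that contrasts the vulnerable check-by-name-then-open-by-name pattern with the hardened open-once-then-check-the-descriptor pattern. The race window is simulated with a callback so the outcome is deterministic; it assumes a POSIX system where `os.O_NOFOLLOW` is available.

```python
import os
import stat
import tempfile


def read_regular_file_unsafe(path: str, race=None) -> bytes:
    """Vulnerable: the check (TOC) and the use (TOU) both resolve the path name separately."""
    if not stat.S_ISREG(os.lstat(path).st_mode):   # TOC: refuse symlinks, devices, etc.
        raise PermissionError("not a regular file")
    if race:
        race()                                      # window in which the name can be re-pointed
    with open(path, "rb") as f:                     # TOU: re-resolves the name, maybe to something else
        return f.read()


def read_regular_file_safe(path: str, race=None) -> bytes:
    """Hardened: open once without following symlinks, then check and read the same descriptor."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # a symlink at this name is refused outright
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):  # check the object we actually opened
            raise PermissionError("not a regular file")
        if race:
            race()                                  # renaming the path now cannot change what fd refers to
        chunks = []
        while True:
            block = os.read(fd, 65536)
            if not block:
                break
            chunks.append(block)
        return b"".join(chunks)
    finally:
        os.close(fd)


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Constructed scenario: a public file whose name is swapped for a symlink to a secret file."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        _write(secret, b"secret")

        def swap_name_to_symlink():
            os.remove(public)
            os.symlink(secret, public)

        results = {}
        _write(public, b"public")
        results["unsafe"] = read_regular_file_unsafe(public, race=swap_name_to_symlink).decode()
        os.remove(public)
        _write(public, b"public")
        results["safe"] = read_regular_file_safe(public, race=swap_name_to_symlink).decode()
        try:
            read_regular_file_safe(public)          # the name is a symlink now: refused at open()
            results["safe_on_symlink"] = "opened"
        except OSError:
            results["safe_on_symlink"] = "refused"
        return results


if __name__ == "__main__":
    print(demo())
```

The general rule the example illustrates: make the security decision on the object you hold (a file descriptor, a socket, a handle), not on a name that can be re-bound between the check and the use.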
- Malicious Update
- Operating System (OS)-Based
- Web-Based
- Structured Query Language Injection (SQLi)
- When input text is used to execute unwanted and unexpected SQL queries/commands to modify a database or return sensitive data.
- Cross-Site Scripting (XSS)
- An exploit where malicious code from a compromised (or attacking) website is used to execute malicious code on another.
- These typically involve a lack of input validation and sanitization (escaping characters/text, preventing input text from being used in queries or executed code, etc.).
- Hardware
- Firmware
- End-of-Life
- Legacy
- Virtualization
- Virtual Machine (VM) Escape
- Resource Reuse
- Cloud-Specific
- Supply Chain
- Service Provider
- Hardware Provider
- Software Provider
- Cryptographic
- Misconfiguration
- Mobile Device
- Side Loading
- Jailbreaking
- Zero-Day
- An attack that occurs before software developers can find a fix.
- Refers to the idea that software developers have "zero days to find a fix" since it's already being exploited.
Indicators of Malicious Activity
Given a scenario, analyze indicators of malicious activity:
- Malware attacks
- Ransomware
- Blocks access to a resource or data until some ransom is paid.
- Trojan
- Malware that's disguised as a beneficial or standard program.
- Misleads a user as to its true intent.
- Worm
- Replicates itself to spread to other computers on a network.
- Stand-alone malicious programs that don't require user interaction (as opposed to a Virus).
- Spyware
- Malware that collects and transmits data about a user, computer, or device.
- Bloatware
- Applications or programs that are unwanted.
- Often installed along with some desired app.
- Virus
- Can copy itself to other computers and resources on a network and infect a computer without the knowledge or permission of a user.
- Requires some user-initiated interaction (e.g. - downloading and opening an unknown file).
- Keylogger
- Records a user's keystrokes and transmits them to obtain passwords or other sensitive information.
- Logic Bomb
- A type of malicious code embedded in software that is activated/triggered by some specific condition.
- Rootkit
- Used to obtain administrator-level control over a device, computer, or network.
- Physical Attacks
- Brute Force
- Radio Frequency Identification (RFID) Cloning
- Environmental
- Network Attacks
- Distributed Denial-of-Service (DDoS)
- Reflected
- A kind of DDoS attack where the attacker forges the Source Address of Request Packets sent to a DNS Resolver, so the Responses overwhelm the victim resource with traffic.
- The attacker uses an intermediate Server to send Requests (by "reflection", using the intermediate DNS Resolver as a Reflector) to a target, typically by spoofing (modifying the Source Address in the Request Packet directly).
- Amplified
- Uses multiple DNS Resolvers that are configured to accept recursive DNS Queries to overwhelm a victim with traffic.
- DNS requests are made to appear to originate from the victim resource, so the responses are directed back to the victim, overwhelming it with traffic.
- Reflection attacks are considered to be kinds of Amplification attacks.
- https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
- Domain Name System (DNS) Attacks
- A category of attacks that exploit the DNS infrastructure or protocol.
- An attacker modifies the DNS Query and sends bogus responses before a legitimate response arrives.
- Examples:
- Amplified and Reflected DDoS attacks (above).
- DNS Hijacking involves an attacker modifying a DNS Server and/or A Record to point a Domain Name to another IP Address.
- Refer to: https://bluecatnetworks.com/blog/four-major-dns-attack-types-and-how-to-mitigate-them/
- Wireless
- On-Path
- Also called a Man-in-the-Middle (MITM) attack.
- An attacker interposes themselves between two or more parties without authorization or their knowledge.
- Credential Replay
- Malicious Code
- Application Attacks
- Injection
- Exploits text or input serialization vulnerabilities to execute unwanted, unexpected, or untrusted code.
- Buffer Overflow
- An exploit where the amount of data exceeds the available storage or memory.
- Replay
- An exploit where transmitted authentication or access control information is recorded and then reused/replayed for unauthorized access or effect.
- Privilege Escalation
- An exploit where permissions, access, or privileges are increased to gain unauthorized access, visibility, or privilege.
- Forgery
- An exploit involving the use of credentials to gain unwanted and unauthorized permission to carry out some task.
- Directory Traversal
- Where input text is exploited to traverse directories, read or find files within the container, or gain unauthorized access to resources.
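The Injection and Directory Traversal items here, and the SQLi/XSS items under Web-Based vulnerabilities above, all come down to untrusted input reaching an interpreter (SQL, HTML, the filesystem path resolver). The block below is an added example (not from these notes) that places each vulnerable form beside its hardened form, using an in-memory SQLite table and a constructed web-root path.

```python
import html
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


# --- SQL injection: string-built query vs. parameterised query -----------------
def lookup_email_vulnerable(conn, name: str) -> list:
    """Input text is spliced into the SQL, so it can rewrite the query itself."""
    rows = conn.execute(f"SELECT email FROM users WHERE name = '{name}'")
    return [r[0] for r in rows]


def lookup_email_safe(conn, name: str) -> list:
    """The driver passes the value separately from the SQL text; it can only ever be a value."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [r[0] for r in rows]


# --- XSS: raw interpolation vs. context-aware escaping -------------------------
def greeting_vulnerable(name: str) -> str:
    return f"<p>Hello, {name}</p>"


def greeting_safe(name: str) -> str:
    """Escape for the HTML text context so markup in the input is rendered, not executed."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# --- Directory traversal: canonicalise, then confirm containment ---------------
def resolve_under_root(root: str, requested: str) -> str:
    """Resolve '..' and symlinks first, then require the result to stay inside root."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"path escapes web root: {requested!r}")
    return target


def path_is_confined(root: str, requested: str) -> bool:
    try:
        resolve_under_root(root, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"
    print("vulnerable:", lookup_email_vulnerable(conn, probe))
    print("safe:      ", lookup_email_safe(conn, probe))
    print(greeting_safe("<script>alert(1)</script>"))
    print(path_is_confined("/srv/www", "css/site.css"), path_is_confined("/srv/www", "../etc/passwd"))
```

Note that the traversal check canonicalises before comparing: a prefix check on the raw string would accept `../` sequences and symlinks that the filesystem resolves to somewhere else.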
- Cryptographic Attacks
- Downgrade
- An attack that forces a network channel to switch or change to an unprotected and less secure data transmission format.
- Collision
- An attack that attempts to find two input Strings that generate the same Hash (Hash Collision) to determine the hashing method.
- Birthday
- A kind of Brute Force attack that exploits the likelihood of certain seemingly low-probability events to determine the method of hashing (by Hash Collision).
- Password attacks
- Spraying
- A specific kind of Brute Force attack where the same passwords are tried against multiple accounts.
- Brute Force
- An attack that uses trial and error to crack a password, credential, or secret, or to obtain unauthorized access to a resource, network, device, or computer.
- Indicators
- Account Lockout
- Concurrent Session Usage
- Blocked Content
- Impossible Travel
- Resource Consumption
- Resource Inaccessibility
- Out-of-Cycle Logging
- Published/Documented
- Missing Logs
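Several of the Indicators above (Account Lockout, Impossible Travel) and the Spraying item under Password attacks are patterns you can compute from authentication logs. The following is an added example (not from these notes) that implements all three over a constructed event list; the IP-to-location table is invented for the documentation address ranges used, and the thresholds are choices for the example.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Constructed authentication events: (UTC timestamp, user, source IP, outcome).
EVENTS = [
    ("2024-05-01T09:00:00Z", "alice", "198.51.100.4", "success"),
    ("2024-05-01T09:01:00Z", "bob",   "192.0.2.10",   "failure"),
    ("2024-05-01T09:01:05Z", "carol", "192.0.2.10",   "failure"),
    ("2024-05-01T09:01:10Z", "dave",  "192.0.2.10",   "failure"),
    ("2024-05-01T09:01:15Z", "erin",  "192.0.2.10",   "failure"),
    ("2024-05-01T09:02:00Z", "frank", "198.51.100.4", "failure"),
    ("2024-05-01T09:02:10Z", "frank", "198.51.100.4", "failure"),
    ("2024-05-01T09:02:20Z", "frank", "198.51.100.4", "failure"),
    ("2024-05-01T09:02:30Z", "frank", "198.51.100.4", "failure"),
    ("2024-05-01T09:02:40Z", "frank", "198.51.100.4", "failure"),
    ("2024-05-01T09:20:00Z", "alice", "203.0.113.7",  "success"),
]

# Invented geolocations (latitude, longitude) for the constructed source IPs.
GEO: Dict[str, Tuple[float, float]] = {
    "198.51.100.4": (40.71, -74.01),   # New York
    "203.0.113.7": (51.51, -0.13),     # London
    "192.0.2.10": (37.77, -122.42),    # San Francisco
}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_lockouts(events, threshold: int = 5) -> List[str]:
    """Account-lockout indicator: users with at least `threshold` failed attempts."""
    fails = defaultdict(int)
    for _, user, _, outcome in events:
        if outcome == "failure":
            fails[user] += 1
    return sorted(u for u, n in fails.items() if n >= threshold)


def detect_spraying(events, min_users: int = 3) -> List[str]:
    """Spraying pattern: one source failing against many distinct accounts, few tries each."""
    users = defaultdict(set)
    for _, user, ip, outcome in events:
        if outcome == "failure":
            users[ip].add(user)
    return sorted(ip for ip, s in users.items() if len(s) >= min_users)


def detect_impossible_travel(events, geo, max_kmh: float = 900.0) -> List[tuple]:
    """Consecutive successful logins by one user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "success" and ip in geo:
            by_user[user].append((_ts(ts), ip))
    hits = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(geo[ip1], geo[ip2])
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                hits.append((user, ip1, ip2, speed))
    return hits


if __name__ == "__main__":
    print("lockouts:", detect_lockouts(EVENTS))
    print("spraying sources:", detect_spraying(EVENTS))
    print("impossible travel:", detect_impossible_travel(EVENTS, GEO))
```

The three detectors look at the same failures from different angles: lockout counts failures per account, spraying counts distinct accounts per source, so a spray that keeps each account under the lockout threshold is still caught by the second view.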
Mitigation Techniques
Explain the purpose of mitigation techniques used to secure the enterprise:
- Segmentation
- Access Control
- Access Control List (ACL)
- Permissions
- Application Allow List
- Isolation
- Patching
- Encryption
- Monitoring
- Least Privilege
- Configuration Enforcement
- Decommissioning
- Hardening Techniques
- Encryption
- Installation of Endpoint Protection
- Host-Based Firewall
- Host-Based Intrusion Prevention System (HIPS)
- Disabling Ports/Protocols
- Default Password Changes
- Removal of Unnecessary Software
Resources and Links
COMPTIA SY0-701: Security Architecture
Architecture Models
Compare and contrast security implications of different architecture models:
- Architecture and Infrastructure Concepts
- Cloud
- Responsibility Matrix
- Hybrid Considerations
- Third-Party Vendors
- Infrastructure as Code (IaC)
- Serverless
- Microservices
- Network Infrastructure
- Physical Isolation
- Air-Gapped
- Logical Segmentation
- Software-Defined Networking (SDN)
- On-Premises
- Centralized vs. Decentralized
- Containerization
- Virtualization
- IoT
- Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition (SCADA)
- Real-Time Operating System (RTOS)
- Embedded Systems
- High Availability
- Considerations
- Availability
- Resilience
- Cost
- Responsiveness
- Scalability
- Ease of Deployment
- Risk Transference
- Ease of Recovery
- Patch Availability
- Inability to Patch
- Power
- Compute
Security Principles
Given a scenario, apply security principles to secure enterprise infrastructure:
- Infrastructure Considerations
- Device Placement
- Security Zones
- Attack Surface
- Connectivity
- Failure Modes
- Fail-Open
- Where a failure results in the "gates opening" (the resource or service allows access).
- Fail-Closed
- Where a failure results in the "gates closing" (the resource or service disallows or severs access).
- Device Attribute
- Active vs. Passive
- Inline vs. Tap/Monitor
- Network Appliances
- Jump Server
- Proxy Server
- Intrusion Prevention System (IPS)/Intrusion Detection System (IDS)
- Load Balancer
- Sensors
- Port Security
- 802.1X
- Extensible Authentication Protocol (EAP)
- Firewall Types
- Web Application Firewall (WAF)
- Unified Threat Management (UTM)
- Next-Generation Firewall (NGFW)
- Layer 4/Layer 7
- Layer 4 (TCP), TCP/UDP forwarding
- Layer 7 (HTTP), HTTP/2, WebSocket, HTTPS
- Secure Communication/Access
- Virtual Private Network (VPN)
- Remote Access
- Tunneling
- Transport Layer Security (TLS)
- Internet Protocol Security (IPSec)
- Software-Defined Wide Area Network (SD-WAN)
- Secure Access Service Edge (SASE)
- Selection of Effective Controls
Data Protection Concepts
Compare and contrast concepts and strategies to protect data:
- Data Types
- Regulated
- Trade Secret
- Intellectual Property
- Legal Information
- Financial Information
- Human- and Non-Human-Readable
- Data Classifications
- Sensitive
- Confidential
- Public
- Restricted
- Private
- Critical
- General Data Considerations
- Data States
- Data at Rest
- Data in Transit
- Data in Use
- Data Sovereignty
- Geolocation
- Methods to Secure Data
- Geographic Restrictions
- Encryption
- Hashing
- Masking
- Tokenization
- Obfuscation
- Segmentation
- Permission Restrictions
Resilience and Recovery
Explain the importance of resilience and recovery in security architecture:
- High Availability
- Load Balancing vs. Clustering
- Site Considerations
- Hot
- Cold
- Warm
- Geographic Dispersion
- Platform Diversity
- Multi-Cloud Systems
- Continuity of Operations
- Capacity Planning
- People
- Technology
- Infrastructure
- Testing
- Tabletop Exercises
- Fail Over
- Simulation
- Parallel Processing
- Backups
- Onsite/Offsite
- Frequency
- Encryption
- Snapshots
- Recovery
- Replication
- Journaling
- Power
- Generators
- Uninterruptible Power Supply (UPS)
COMPTIA SY0-701: Security Operations
Common Security Techniques
Given a scenario, apply common security techniques to computing resources:
- Secure Baselines
- Establish
- Deploy
- Maintain
- Hardening Targets
- Mobile Devices
- Workstations
- Switches
- Routers
- Cloud Infrastructure
- Servers
- ICS/SCADA
- Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA)
- Used to monitor industrial infrastructure processes and systems.
- Embedded Systems
- RTOS
- IoT Devices
- Wireless Devices
- Installation Considerations
- Site Surveys
- Heat Maps
- Mobile Solutions
- Mobile Device Management (MDM)
- Deployment Models
- Bring Your Own Device (BYOD)
- Corporate-Owned, Personally Enabled (COPE)
- Choose Your Own Device (CYOD)
- Connection Methods
- Cellular
- Wi-Fi
- Bluetooth
- Wireless Security Settings
- Wi-Fi Protected Access 3 (WPA3)
- AAA/Remote Authentication Dial-In User Service (RADIUS)
- RADIUS uses UDP (as opposed to TACACS+ which uses TCP).
- Cryptographic Protocols
- Authentication Protocols
- Application Security
- Input Validation
- Secure Cookies
- Static Code Analysis
- Code Signing
- Sandboxing
- Monitoring
Security Implications of Proper Asset Management
Explain the security implications of proper hardware, software, and data asset management:
- Acquisition/Procurement Process
- Assignment/Accounting
- Ownership
- Classification
- Monitoring/Asset Tracking
- Inventory
- Enumeration
- Disposal/Decommissioning
- Sanitization
- Destruction
- Certification
- Data Retention
Vulnerability Management
Explain various activities associated with vulnerability management:
- Identification Methods
- Vulnerability Scan
- Application Security
- Static Analysis
- Dynamic Analysis
- Package Monitoring
- Threat Feed
- Open-Source Intelligence (OSINT)
- Proprietary/Third-Party
- Information-Sharing Organization
- Dark Web
- Penetration Testing
- Responsible Disclosure Program
- Bug Bounty Program
- System/process Audit
- Analysis
- Confirmation
- False Positive
- False Negative
- Prioritize
- Common Vulnerability Scoring System (CVSS)
- Common Vulnerability Enumeration (CVE)
- Vulnerability Classification
- Exposure Factor
- Environmental Variables
- Industry/Organizational Impact
- Risk Tolerance
- Vulnerability Response and Remediation
- Patching
- Insurance
- Segmentation
- Compensating Controls
- Exceptions and Exemptions
- Validation of Remediation
- Rescanning
- Audit
- Verification
- Reporting
Monitoring Concepts and Tools
Explain security alerting and monitoring concepts and tools:
- Monitoring Computing Resources
- Systems
- Applications
- Infrastructure
- Activities
- Log Aggregation
- Alerting
- Scanning
- Reporting
- Archiving
- Alert Response and Remediation/Validation
- Quarantine
- Alert Tuning
- Tools
- Security Content Automation Protocol (SCAP)
- Benchmarks
- Agents/Agentless
- Security Information and Event Management (SIEM)
- Combines log management, event correlation, and real-time monitoring.
- Antivirus
- Data Loss Prevention (DLP)
- Simple Network Management Protocol (SNMP) Traps
- NetFlow
- Vulnerability Scanners
Modify Security
Given a scenario, modify enterprise capabilities to enhance security:
- Firewall
- Rules
- Access Lists
- Ports/Protocols
- Screened Subnets
- IDS/IPS (Intrusion Detection System/Intrusion Prevention System)
- Trends
- Signatures
- Refers to non-user-behavior patterns to identify potential security threats (e.g. - DDoS attacks, Directory Traversal attacks, etc.).
- Web Filter
- Agent-Based
- Centralized Proxy
- Universal Resource Locator (URL) Scanning
- Content Categorization
- Block Rules
- Reputation
- Operating System Security
- Group Policy
- SELinux
- Implementation of Secure Protocols
- Protocol Selection
- Port Selection
- Transport Method
- DNS Filtering
- Email Security
- Domain-based Message Authentication Reporting and Conformance (DMARC)
- Uses both DKIM and SPF to verify the authenticity of emails (SPF) and their signatures (DKIM).
- Allows DMARC Policies to be specified to define how unauthenticated emails are handled.
- This is the recommended way to implement email authentication and cryptographic signing.
- Results in fewer incorrect email rejections, blocked emails, or emails counted as spam.
- DomainKeys Identified Mail (DKIM)
- Signs emails so their origin can be verified.
- Sender Policy Framework (SPF)
- List of all Servers a Domain will send emails from.
- Used to determine if an email is spam.
- Gateway
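SPF, DKIM and DMARC are all published as DNS TXT records, so the way they fit together is easiest to see by evaluating them. The block below is an added example (not from these notes): a minimal SPF evaluator covering the `ip4`/`ip6`, `include` and `all` mechanisms, a DMARC record parser, and a function that applies the DMARC policy to the authentication results. The DNS records and addresses are constructed, the resolver is a dictionary lookup, and identifier alignment (which real DMARC also checks) is assumed to hold.

```python
import ipaddress
from typing import Callable, Dict, Optional

# Constructed TXT records, standing in for what a DNS resolver would return.
TXT: Dict[str, str] = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:203.0.113.25 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, sender_ip: str, lookup: Callable[[str], Optional[str]] = TXT.get,
              depth: int = 0) -> str:
    """Evaluate the sending IP against the domain's SPF record (subset of RFC 7208 mechanisms)."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms to stop include loops
        return "permerror"
    record = lookup(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIER[qualifier]
        elif term.startswith("include:"):
            if spf_check(term[len("include:"):], sender_ip, lookup, depth + 1) == "pass":
                return QUALIFIER[qualifier]
        elif term == "all":
            return QUALIFIER[qualifier]
    return "neutral"                    # no mechanism matched and no 'all' term


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; the 'p' tag is the policy for failing mail."""
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if part.strip())
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_disposition(domain: str, spf_result: str, dkim_pass: bool,
                      lookup: Callable[[str], Optional[str]] = TXT.get) -> str:
    """Apply the domain's DMARC policy: either authentication passing (aligned) is enough."""
    record = lookup(f"_dmarc.{domain}")
    if not record:
        return "none"                   # no DMARC record: nothing to enforce
    policy = parse_dmarc(record).get("p", "none")
    if dkim_pass or spf_result == "pass":
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]


if __name__ == "__main__":
    for ip in ("198.51.100.77", "203.0.113.25", "192.0.2.5"):
        r = spf_check("example.com", ip)
        print(ip, "spf:", r, "-> disposition:", dmarc_disposition("example.com", r, dkim_pass=False))
```

A `p=none` record is monitoring only (mail is still delivered, reports are sent to the `rua` address), which is why deployments normally start there and move to `quarantine` and then `reject` once the reports show every legitimate sender is covered by SPF or DKIM.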
- File Integrity Monitoring
- DLP
- Network Access Control (NAC)
- Endpoint Detection and Response (EDR)/Extended Detection and Response (XDR)
- Extended Detection and Response (XDR)
- Collects security information from multiple security layers and resources. (As opposed to only from Layer 4, Layer 7, or say a single Web Application and not its VPC traffic.)
- User Behavior Analytics
Identity and Access Management
Given a scenario, implement and maintain identity and access management:
- Provisioning/De-Provisioning User Accounts
- Permission Assignments and Implications
- Identity Proofing
- Federation
- Single Sign-On (SSO)
- Lightweight Directory Access Protocol (LDAP)
- Typically used with Active Directory (AD) and on-prem (with in-house Servers, Networks, and IT infrastructure).
- Open Authorization (OAuth)
- Typically JSON Web Token (JWT) based; most often used for diverse/modern Web Application Authorization.
- Newest, most flexible options (mobile, IoT, Server-to-Server, etc.).
- Security Assertions Markup Language (SAML)
- An older XML-based Federated Authentication standard.
- Can be used with OAuth and doesn't use Tokens by default.
- Consult: https://www.strongdm.com/blog/saml-vs-oauth and https://jwt.io/
- Interoperability
- Attestation
- Access Controls
- Mandatory
- Discretionary
- Role-Based
- Rule-Based
- Attribute-Based
- Time-of-Day Restrictions
- Least Privilege
- Multifactor Authentication
- Implementations
- Biometrics
- Hard/soft Authentication Tokens
- Security Keys
- Factors
- Something You Know
- Something You Have
- Something You Are
- Somewhere You Are
- Password Concepts
- Password Best Practices
- Length
- Complexity
- Reuse
- Expiration
- Age
- Password Managers
- Passwordless
- Privileged Access Management Tools
- Just-in-time Permissions
- Password Vaulting
- Ephemeral Credentials
Automation and Orchestration
Explain the importance of automation and orchestration related to secure operations:
- Use Cases of Automation and Scripting
- User Provisioning
- Resource Provisioning
- Guard Rails
- Security Groups
- Ticket Creation
- Escalation
- Enabling/Disabling Services and Access
- Continuous Integration and Testing
- Continuous Integration and Continuous Delivery (CI/CD)
- Continuous Delivery stops short of automating Production deployments by requiring manual approval to do so.
- Continuous Integration and Continuous Deployment (CI/CD)
- Continuous Deployment deploys code all the way to Production automatically.
- Integrations and Application Programming Interfaces (APIs)
- Benefits
- Efficiency/Time Saving
- Enforcing Baselines
- Standard Infrastructure Configurations
- Scaling in a Secure Manner
- Employee Retention
- Reaction Time
- Workforce Multiplier
- Other Considerations
- Complexity
- Cost
- Single Point of Failure
- Technical Debt
- Ongoing Supportability
Incident Response
Explain appropriate incident response activities:
- Process
- Preparation
- Detection
- Analysis
- Containment
- Eradication
- Recovery
- Lessons Learned
- Training
- Testing
- Tabletop Exercise
- Simulation
- Root Cause Analysis
- Threat Hunting
- Digital Forensics
- Legal Hold
- Chain of Custody
- Acquisition
- Reporting
- Preservation
- E-discovery
Use Data Sources
Given a scenario, use data sources to support an investigation:
- Log Data
- Firewall Logs
- Application Logs
- Endpoint Logs
- OS-Specific Security Logs
- IPS/IDS Logs
- Network Logs
- Metadata
- Data Sources
- Vulnerability Scans
- Automated Reports
- Dashboards
- Packet Captures
Resources and Links
COMPTIA SY0-701: Security Program Management and Oversight
Security Governance
Summarize elements of effective security governance:
- Guidelines
- Policies
- Acceptable Use Policy (AUP)
- Information Security Policies
- Business Continuity
- Disaster Recovery
- Disaster Recovery Plan (DRP)
- Incident Response
- Incident Response Plan (IRP)
- Software Development Lifecycle (SDLC)
- Change Management
- Standards
- Password
- Access Control
- Physical Security
- Encryption
- Procedures
- Change Management
- Onboarding/Offboarding
- Playbooks
- External Considerations
- Regulatory
- Legal
- Industry
- Local/Regional
- National
- Global
- Monitoring and Revision
- Types of Governance Structures
- Boards
- Committees
- Government Entities
- Centralized/Decentralized
- Roles and Responsibilities for Systems and Data
- Owners
- Controllers
- Processors
- Custodians/Stewards
Risk Management Process
Explain elements of the risk management process:
- Risk Identification
- Risk Assessment
- Ad-Hoc
- Recurring
- One-Time
- Continuous
- Risk Analysis
- Qualitative
- Quantitative
- Single Loss Expectancy (SLE)
- Calculated cost of a single event.
- Annualized Loss Expectancy (ALE)
- Calculated cost of all such events in a year.
- Annualized Rate of Occurrence (ARO)
- Calculated frequency of events in a year.
- Probability
- Likelihood
- Exposure Factor
- Impact
- Risk Register
- Key Risk Indicators
- Risk Owners
- Risk Threshold
- Risk Tolerance
- Risk Appetite
- Expansionary
- Conservative
- Neutral
- Risk Management Strategies
- Transfer
- Accept
- Exemption
- Exception
- Avoid
- Mitigate
- Risk Reporting
- Business Impact Analysis
- Recovery Time Objective (RTO)
- The maximum acceptable amount of time a service, system, or resource can be down before recovery is achieved.
- Time-sensitive.
- Example: A service can experience only 5 minutes of downtime to meet its SLA.
- Recovery Point Objective (RPO)
- The maximum acceptable amount of data (expressed as a time interval) that a service, system, or resource can be down before recovery is achieved.
- Time-sensitive as understood through specified data timestamp.
- Example: an RPO of 15 hours is set and the last valid data set is from 10 hours ago. (No more than a 15-hour data gap can exist.)
- Mean Time to Repair (MTTR)
- Mean Time Between Failures (MTBF)
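The quantitative terms above (SLE, ALE, ARO, Exposure Factor) and the RTO/RPO definitions are worth seeing as one worked computation. The following is an added example (not from these notes) that models a small risk register, ranks it by ALE, tests whether a proposed control is worth its annual cost, and checks the RTO and RPO figures from the examples above. The register entries, control costs and residual rates are constructed.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class RiskEntry:
    name: str
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in one event (0..1)
    aro: float              # ARO: expected number of events per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: cost of one event (AV x EF)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: cost of all such events in a year (SLE x ARO)."""
        return self.sle * self.aro


# Constructed risk register.
REGISTER: List[RiskEntry] = [
    RiskEntry("Ransomware on file server", asset_value=500_000, exposure_factor=0.40, aro=0.25),
    RiskEntry("Laptop theft", asset_value=3_000, exposure_factor=1.00, aro=6),
    RiskEntry("Web defacement", asset_value=100_000, exposure_factor=0.10, aro=2),
]


def rank_by_ale(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest expected annual loss first: the order in which to spend mitigation budget."""
    return sorted(register, key=lambda e: e.ale, reverse=True)


def control_pays_off(entry: RiskEntry, annual_control_cost: float, residual_aro: float) -> bool:
    """A control is justified when the ALE it removes exceeds what it costs per year."""
    ale_after = entry.sle * residual_aro
    return (entry.ale - ale_after) > annual_control_cost


def rto_met(rto_minutes: float, downtime_minutes: float) -> bool:
    """RTO: the outage must end within the objective."""
    return downtime_minutes <= rto_minutes


def rpo_met(rpo_hours: float, data_age_hours: float) -> bool:
    """RPO: the gap between the last recoverable data and the incident must not exceed the objective."""
    return data_age_hours <= rpo_hours


if __name__ == "__main__":
    for e in rank_by_ale(REGISTER):
        print(f"{e.name:28s} SLE={e.sle:>10,.0f} ALE={e.ale:>9,.0f}")
    print("EDR at 20k/yr cutting ransomware ARO to 0.05 worthwhile:",
          control_pays_off(REGISTER[0], 20_000, 0.05))
    print("RTO 5 min, down 4 min:", rto_met(5, 4), "| RPO 15 h, data 10 h old:", rpo_met(15, 10))
```

Ranking by ALE rather than by SLE is the point of the ARO term: the laptop entry has the smallest single loss but, at six events a year, costs almost as much annually as a defacement.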
Third-Parties
Explain the processes associated with third-party risk assessment and management:
- Vendor Assessment
- Penetration Testing
- Right-to-Audit Clause
- Evidence of Internal Audits
- Independent Assessments
- Supply Chain Analysis
- Vendor Selection
- Due Diligence
- Conflict of Interest
- Agreement Types
- Memorandum of Understanding (MOU)
- States common areas of agreement but is less binding than even an MOA.
- No transfer of funds, and no enforcement mechanism or obligation.
- Memorandum of Agreement (MOA)
- Conditional agreement, but only slightly more binding than an MOU.
- No transfer of funds, enforcement, or obligation, but it often opens the door to a future MSA or SOWs being signed.
- Master Service Agreement (MSA)
- Critical, foundational document that covers the overall business agreement.
- High-level and binding.
- Work Order (WO)/Statement of Work (SOW)
- Narrowly-scoped, very detailed, no room for ambiguity.
- Usually subsequent agreements that follow on from an MSA.
- Often includes an SLA.
- Service-Level Agreement (SLA)
- Exact conditions that must be met or that are expected.
- Often included within an SOW.
- Non-Disclosure Agreement (NDA)
- Business Partners Agreement (BPA)
- Vendor Monitoring
- Questionnaires
- Rules of Engagement
Effective Security Compliance
Summarize elements of effective security compliance:
- Compliance Reporting
- Internal
- External
- Consequences of Non-Compliance
- Fines
- Sanctions
- Reputational Damage
- Loss of License
- Contractual Impacts
- Compliance Monitoring
- Due Diligence/Care
- Attestation and Acknowledgement
- Internal and External
- Automation
- Privacy
- Legal Implications
- Local/Regional
- National
- Global
- Data Subject
- Any specific person who can be identified directly or indirectly by way of an identifier (name, ID number, account number, email address) or through certain attributes like age, cultural identity, and health characteristics.
- Controller vs. Processor
- A Data Controller determines the purposes and means of processing personal data.
- A Data Processor processes personal data on behalf of the Data Controller.
- Ownership
- Data Owners are senior leaders (executives) in charge of managing data and information relating to their specific areas of responsibility.
- Data Custodians are responsible for ensuring the safety, storage, and maintenance of data assets (and not for the data directly).
- Data Inventory and Retention
- Right to be Forgotten
Audits and Assessments
Explain types and purposes of audits and assessments:
- Attestation
- Internal
- Compliance
- Audit Committee
- Self-Assessments
- External
- Regulatory
- Examinations
- Assessment
- Independent Third-Party Audit
- Penetration Testing
- Physical
- Offensive
- Defensive
- Integrated
- Known Environment
- Partially Known Environment
- Unknown Environment
- Reconnaissance
- Passive
- Active
Security Awareness Practices
Given a scenario, implement security awareness practices:
- Phishing
- Campaigns
- Recognizing a Phishing Attempt
- Responding to Reported Suspicious Messages
- Anomalous Behavior Recognition
- Risky
- Unexpected
- Unintentional
- User Guidance and Training
- Policy/Handbooks
- Situational Awareness
- Insider Threat
- Password Management
- Removable Media and Cables
- Social Engineering
- Operational Security
- Hybrid/Remote Work Environments
- Reporting and Monitoring
- Initial
- Recurring
- Development
- Execution
Resources and Links
COMPTIA SY0-701: Miscellaneous Concepts
Windows Security
- Encrypting File System (EFS)
- Encrypts specific files on any drive on a per-user basis.
- BitLocker
- Protects all personal and system files on the drive Windows is installed on.
Security Systems
- Terminal Access Controller Access-Control System Plus (TACACS+)
- Uses TCP (as opposed to RADIUS which uses UDP).
- Consult: https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/13838-10.html
Kinds of Phishing
- Spearphishing
- Highly personalized cyberattacks that target specific individuals or companies (typically involving Phishing).
- Whaling
- Involves personalized Phishing attacks against VIP targets (CEOs, world leaders, executives, etc.).
Regulatory Designations
- Personally Identifiable Information (PII)
- Regulated financial information
- Any identifying information about a customer, including address, email, phone number, etc.
- Protected Health Information (PHI)
- Any health-related or medical information about a customer that's covered by HIPAA.
Elliptic Curve Cryptography
- Diffie-Hellman (DH)
- DH is not itself a Symmetric algorithm - it's an Asymmetric algorithm used to establish a shared secret for a Symmetric Key algorithm.
- Elliptic-curve variants (e.g., ECDH) are much less computationally expensive than working with the large prime numbers classic DH requires, so equivalent security is achieved with far smaller keys.
- Elliptic Curve Cryptography (ECC)
RAID
RAID Configurations:
- RAID 0
- Maximizes read/write performance but provides no mirroring (no redundancy).
- Splits data up across multiple disks.
- Requires 2 disks at minimum.
- RAID 1
- Automatically mirrors one disk onto another.
- Requires 2 disks at minimum.
- RAID 5
- Balances performance and redundancy.
- Requires 3 disks at minimum.
- RAID 10
- Nests two RAID 1 sets within a RAID 0 configuration.
- Requires 4 disks at minimum.
Bluetooth
- Bluejacking
- The practice of sending unsolicited messages over Bluetooth to Bluetooth-enabled devices without taking control of the device.
Important Acronyms
- Simple Network Management Protocol (SNMP)
- Used to monitor and manage network devices.
- Devices share their state.
Wireless Security Protocols
WiFi encryption Standards:
- AES is the default Standard used in most contemporary WiFi security schemes.
- Temporal Key Integrity Protocol (TKIP)
- Defined by the IEEE 802.11i Standard.
- Wired Equivalent Privacy (WEP)
- Deprecated and insecure.
By order of greatest security:
- Wi-Fi Protected Access (WPA2/3) with AES
- WPA2/WPA3 and AES are typically used together.
- WPA implements the IEEE 802.11i Standard.
- WPA typically uses the strongest encryption Standard (AES).
- Occasionally, WPA will fall back to TKIP to support older devices.
- This is increasingly deprecated and discouraged.
- Older versions of WPA (2 or 1).
- WPA with fallback to TKIP.
Deprecated:
- WEP
- TKIP
Key ISO Standards
- ISO/IEC 27001
- Main Information Security Standard.
- ISO/IEC 27018
- Main Standard specifying how to secure/protect Personally Identifiable Information (PII).
- IEEE 802.11i
- Defines TKIP, WEP, and other Network/Wireless security mechanisms.