Security+ (SY0-701): Lesson 1: Summarize Fundamental Security Concepts

1. Confidentiality

2. Integrity

3. Availability

Keeping data and communications private and protecting them from unauthorized access; data can only be read by people who have explicit authorized access.

Keeping organizational data accurate, free of errors, and without unauthorized modifications.

Ensuring computer systems operate continuously and that authorized persons can access data that they need.

Goal of ensuring that the party that sent a transmission/created data remains associated with that data and cannot deny sending or creating that data.

Develops computer security standards; Publishes cybersecurity best practice and research.

1. Identify

2. Protect

3. Detect

4. Respond

5. Recover

Evaluating assets, risks, business function, policies, threats/vulnerabilities and recommending security controls/policies to manage them securely.

Ensures delivery of critical infrastructure services; Supports the ability to limit/contain a potential cybersecurity event.

Securing IAM; Security Awareness training; Data protection controls and documentation; Maintenance of assets; Managing protective technology.

Perform ongoing monitoring ensuring controls are effective and capable of protecting against new types of threats; Enables timely discovery of cybersecurity events.

Ensuring Anomalies and Events are detected; Implementing Continuous Monitoring; Maintaining Detection Processes

Identify, analyze, contain, and eradicate threats to systems and data security.

Managing communications with stakeholders and law enforcement; Analysis of incidents; Mitigation to prevent expansion and for resolution;

Implementing resilience to restore systems/services/data if other functions are unable to prevent attacks; Supports timely recovery to normal operations.

Implementing recovery processes to restore systems; Implement improvements based on lessons learned and review of strategy.

By implementing security controls.

A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA/AIC)

Guides selection and configuration of security controls; Gives structure to risk management and provides externally verifiable statement of regulatory compliance.

Allows an organization to asses current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve targets.

Measures the difference between the current and desired system state(s) to help assess the scope of work included in a project.

Ensure that information system meets the goals of the CIA triad by governing how subjects interacts with objects.

Something that can request and be granted access to a resource; Person, Service/Process.

The resources that access is granted to; Network, server, database, app, or file.

Process providing identification, authentication, and authorization for users, computers, and services/process to access a network/host/application

1. Identification

2. Authentication

3. Authorization

4. Accounting

Aka enrollment; Creating an account and credentials to uniquely represent a user/host/process in the organization.

Determines the method used to validate an entity or individuals credentials.

Determining the rights/abilities subjects should have on each resource, and enforcing those rights.

Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.

AAA (Authentication, Authorization, and Accounting)

Confidentiality, integrity, and availability (and non-repudiation)

winver

1. Managerial

2. Operational

3. Technical

4. Physical

Focuses on the management of risk and the management of information system security.

Controls implemented by people; Security Guards, Training programs, SOPs

Implemented as a system (hardware, software, or firmware); Aka. 'logical controls'; Firewalls, AV, IDS

Controls such as alarms, gateways, locks, lighting, and security cameras that deter and detect access to premises and hardware.

Another way to define a security control is: a safeguard or countermeasure used to reduce risk and protect information assets from threats.

Operates before an attack takes place to eliminate/reduce the likelihood that the attack will succeed.

ACLs, Anti-Virus/Malware, encryption

Operates during an attack to identify and record an attempted or successful intrusion.

Logs review, IDS

Eliminates/reduces the impact of a security policy violation.

Backup system to restore data damaged during an intrusion; A patch management system that eliminates a vulnerability before/during/after an attack; Lessons learned.

Control that enforces a rule, best practice, SOP, or SLA through a policy or contract.

A contract/policy; Training/awareness programs.

Control that discourages intrusion attempts; signs/warnings

A substitute for a principal control recommended by a security standard to mitigate risk and affords similar level of protection.

A formalized statement defining how security will be implemented within an organization.

Company officer responsible for management of information technology assets and procedures.

Company officer with the primary role of making effective use of new and emerging computing platforms and innovations.

Person with overall responsibility for information assurance and systems security.

A location where security professionals monitor and protect critical information assets across other business functions.

A combination of software development and system/network operations.

IT personnel and developers can build, test, and release software faster and more reliably.

A combination of software development, security operations, and systems/network operations.

To embed security expertise into any development project.

A single point of contact for notification of security incidents; Function might be handled by SOC or established as an independent business unit.