Mastering General Security Concepts for Security Plus Exam 2024
Heads up!
This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.
Generate a summary for freeIf you found this summary useful, consider buying us a coffee. It would help us a lot!
Introduction
In the rapidly evolving world of cybersecurity, ensuring a solid understanding of general security concepts is crucial, especially for those preparing for the Security Plus exam. This article is dedicated to Domain 1 of the exam cram series for 2024, where we will explore the various categories and types of security controls, the significance of change management, and the role of cryptographic solutions.
By the end of this article, you will have a better grasp of foundational concepts that will help you succeed in the Security Plus exam and enhance your understanding of security practices in real-world scenarios.
Understanding Categories of Security Controls
Security controls are essential for protecting IT environments and ensuring the integrity, confidentiality, and availability of systems and data.
Types of Security Controls
- Technical Controls: These are hardware and software mechanisms used to protect system resources. Examples include encryption, firewalls, and access control lists.
- Physical Controls: These measures protect the physical premises and assets, including fences, security guards, and surveillance cameras.
- Managerial Controls: These derive from the organization’s security policies and procedures, focusing on risk management. They include security training, hiring practices, and policy enforcement.
- Operational Controls: Focused on daily operations, these controls are often implemented by personnel. They include conducting security awareness training and configuration management.
Types of Security Controls by Function
- Preventive Controls: Intended to stop unauthorized activities (e.g., firewalls, locks).
- Deterrent Controls: Discourage breaches (e.g., security badges, policies).
- Detective Controls: Discover breaches post-incident (e.g., intrusion detection systems).
- Corrective Controls: Resolve issues after a breach has occurred (e.g., restoring backups).
- Compensating Controls: Alternative measures that help mitigate risk (e.g., redundant systems).
- Directive Controls: Policies that instruct and guide actions (e.g., compliance policies).
Invoking Context in Control Types
It's important to note that often a single control can serve multiple purposes depending on the context. For instance, a security camera can act as both a deterrent and a detective control.
The CIA Triad – The Foundation of Cybersecurity
The CIA Triad represents the core principles of cybersecurity:
- Confidentiality: Ensures that sensitive information is only accessible to authorized users.
- Integrity: Guarantees the accuracy and authenticity of data.
- Availability: Ensures that authorized users have access to information when needed.
In addition to the CIA Triad, concepts like non-repudiation, which ensures that actions can be traced back to individuals, and accountability through logging user activities are essential for a robust security framework.
Importance of Change Management in Security
Change management is crucial for maintaining security. It involves processes that govern changes to systems, assets, and configurations. Effective change management includes:
- Requesting Changes: Changes should be formally requested
- Approval Process: Management should review and authorize changes.
- Testing Changes: Validating changes in a test environment prepares organizations for potential challenges.
- Backout Plans: Detailed procedures must be created to revert to previous configurations if issues arise.
- Documenting Changes: Keeping track of modifications and updates is vital for security audits and compliance.
Cryptographic Solutions and Their Relevance
Encryption is essential for protecting information at rest and in transit. The following methods of encryption can help secure sensitive data:
- Symmetric Encryption: Uses a single secret key for both encryption and decryption (e.g., AES).
- Asymmetric Encryption: Utilizes a public-private key pair to secure communications (e.g., RSA).
- Hashing: A one-way function that generates a hash value to verify data integrity (e.g., SHA).
Cryptographic solutions ensure confidentiality, integrity, authenticity, and non-repudiation in communications and data storage.
Conclusion
Understanding the concepts covered in Domain 1 of the Security Plus exam is foundational to your success in the field of cybersecurity. From security controls to change management and cryptographic techniques, each element plays a critical role in protecting digital assets and maintaining robust security practices. Be sure to familiarize yourself with these concepts and apply them in real-world scenarios for comprehensive preparation and to uphold the highest security standards.
welcome to domain 1 of the Security Plus exam cram series 2024 Edition and here in domain 1 we'll focus on General
Security Concepts we'll begin with a look at the categories and types of security controls before moving on to
coverage of an array of fundamental security Concepts we'll explore the impact of change management on security
and we'll close out domain one with a look at the importance of appropriate cryptographic Solutions domain 1 helps
us establish the foundation for everything else we cover in the Security Plus syllabus and as always we'll go
line by line through every skill measured in the official exam syllabus important stuff let's get
installment cover ing every topic in the official exam syllabus for domain one of the Security Plus
exam because it's so often requested I've included a PDF copy of this presentation available for download in
the video description so you can review at your leisure as you prepare for the exam and I've also included a clickable
table of content in the video description so you can move forward and back through topics as necessary as you
prepare and as with the previous release of the Security Plus exam I recommend the the official study guide from Cybex
which includes 500 practice questions 100 flashcards and two practice exams as well as the companion practice
test manual which brings another thousand practice questions and two practice exams and if you register for
the online resources so you can leverage these questions in an electronic format I believe it's all the practice quizzing
you're going to need to prepare yourself for exam day and I will leave you links in the
one where we will focus on General Security Concepts and we're going to go line by line through every topic
mentioned in the official exam syllabus so section 1.1 focuses on comparing and contrasting the various
types of security controls so this is a fairly short but very important section so we'll start with the categories which
include technical managerial operational and physical now what's different here versus past versions of the exam and
other exams out there is the inclusion of the operational category really just a more granular way
of considering the control types which have not changed they are preventive deterrent detective corrective
compensating and directive I'll give you two bits of advice for exam day number one you should know some examples of
each for the exam I'll help there and know that controls can fit into multiple types based on the context of the
situation I see folks get wound up on this fact as they're working through their practice exams and their exam prep
I'll take you through a logical way to think about this to ensure you can get the right answer on control related
we have technical controls these are Hardware or software mechanisms used to manage access to resources and systems
and to provide protection for those resources and systems next we have physical these are security mechanisms
focused on providing protection to the facility and Real World objects then we have managerial which are the policies
and procedures administrative controls really defined by an organization's security policy managerial controls use
planning and assessment methods to review the organization's ability to reduce and manage risk and then we have
that operational category which helps to ensure that the day-to-day operations of an organization comply with their
overall security primarily implemented and executed by people instead of systems I think of operational as people
enforcing the managerial controls supporting physical security and using the technology we've implemented through
technical controls to ensure that we comply with our overall security strategy let me give you some examples
here we'll start with technical we have encryption smart cards passwords Biometrics Access Control list firewalls
routers intrusion detection and prevention again it's the technology next we have the physical guards fences
touch next we have managerial policies and procedures hiring practices background checks data classification
security training risk assessments vulnerability assessments but the focus here is all of these practices laid out
in policies and procedures the organization follows and then we have the operational category which would
include things like conducting the awareness training configuration management media protection the
doing so to summarize those a couple of different ways we have technical which is the implementation of the hardware
documented and then the operational people doing stuff so to visualize these categories we have our assets the focus
of our protection and we have our managerial Technical and physical controls of we're looking at this
historically the policies which give us guidance on the what the technical controls we implementing the hardware
and the software to help with the how and then a layer of physical security around our facilities devices and other
assets it's important to remember there is no security without physical security if I can get into your facility get into
your data center get into your wiring closet there is no technical control that can then stop me there is no
managerial policy that's going to prevent me from doing damage as an attacker now let's insert that
operational layer people Centric activities conducting the awareness training ensuring the backups have
completed making sure the media is stored appropriately so we can use it for Recovery when necessary implementing
the managerial policies supporting the technology and the physical and while these categories are important it's
really the types of controls that are going to come up in questions on the exam but before we dive into control
types I want to sync on the definition of a security control security controls are security measures for countering and
minimizing loss or unavailability of services or apps due to vulnerabilities you'll often hear the
on it safeguards are proactive controls they reduce the likelihood of occurrence and counter measures are reactive they
reduce impact after occurrence of the security event now let's dive into control types we have the deterrent
control which is deployed to discourage violation of security policies preventive controls deployed to
thwart or stop unwanted or unauthorized activity from occurring detective controls deployed to
provide options to other existing controls to Aid in enforcement of sec security policies they're supporting or
return systems to normal after an unwanted or unauthorized activity has occurred and directive which direct
confine or control the actions of subjects to force or encourage compliance with our security policies
and you'll notice I've highlighted the key descriptors of each type along the way here that you'll want to remember
for the exam now let's look at some examples of control types together we have preventive controls
deployed to stop unwanted activity and examples here include fences locks Biometrics alarm systems data
Behavior next we have deterrent controls deployed to discourage violation of security policies this control picks up
where prevention leaves off are examples here locks fences security badges guards lighting cameras alarms separation of
Duty security policies and security awareness training do you notice the overlap in control types here the fact
of the matter is every security control is generally going to fall into one control category but will map to
psychological barrier locks create a visible and tangible barrier even if the lock is unlocked if I have a pad lock
that's even unlocked and hanging there on a gate that sends a signal that not just anybody should be walking through
there and it also conveys increased perceived effort when it is locked it makes the would be trespass or think
twice but stick with me and I'll show you how to navigate the overlap on the exam here in a moment and next we have
detectors job rotation mandatory vacation audit Trails intrusion detection these all allow us to detect
or discover unwanted activity directive which direct confine or control actions policies and
procedures standards guidelines physical signage directing Behavior verbal instructions contracts and agreements
restore systems to normal backups and restores patching antivirus or antimalware forensic analysis
disciplinary action all play a direct or indirect role in returning our systems and environment back to normal and
finally compensating controls which provide options to existing controls to Aid in enforcement and supporting our
security policy they are additional backup supporting controls these could include security policies Personnel
supervision monitoring work task procedures and when I say security policies that could be anything from
it's time to address the overlap we see here in type so we have one control that maps to multiple types or functions and
you saw it in those previous examples a single security control can be identified as multiple types depending
on the context of the situation and that is just a fact of life security controls are designed to work together and their
functions often overlap for example a security camera system is both deterrent it deters unwanted entry and detective
it records potential security incidents for later review if as a deterrent it doesn't do its job successfully so
context matters the classification of a control can depend on how it's implemented and the specific risk it's
addressing so a context based example we have an access control list that can be primarily preventive if it blocks
investigation perhaps the access control list showed that an individual should be granted access to the file repository
but they then deleted sensitive data that shouldn't have been deleted well at that point the activity was logged and
can be investigated later so when we take this knowledge to the exam it comes down to the language exams often use
specific words or phrases to hint at a control type so let's look at some keywords for each of the six types that
you can use to reason your way to the right answer on an exam words like warning aign visibility
perception these indicate a deterrent control preventative Access Control authentication firewall encryption these
all prevent access these are preventive in nature we have policy procedure standard guideline all designed to
direct good behavior so they are directive monitoring auditing logging alerting all designed to detect Behavior
so that's a detective control backup restore incident response patching all correcting negative
conditions a sure sign of a corrective control and alternative backup redundancy supporting all signs of a
compensating control so keep this information in mind and I think security control related questions on the exam
1.2 section 1.2 asks us to summarize fundamental security Concepts so read that as foundational Concepts that apply
called the AAA protocols we'll dig into authenticating people systems and authorization models here the purpose
and outcome of a gap analysis we're going to go deep on zero trust both at the control plane and the
data plane and the language we see here tells us that CompTIA is pulling a page from nist's special publication
security touching on ballards access control vestibules fencing lighting guards cameras and we'll touch on four
types of sensors even if you've been around security for a while those may not all be clear to you so we'll dive
deep on those and we'll wrap up 1.2 with deception and disruption technology the honey pot honey net and supporting
components and what do we see in that physical security topic we see security controls so I want you to be thinking
about control categories and control types as we go through this content reinforcing what you learned in our
previous installment so let's dive into the CIA Triad which as a security professional you should know by heart so
CIA stands for confidentiality integrity and availability we see it represented in the Triangle 1 two and three
beginning with confidentiality so access controls help ensure that only authorized subjects can access objects
we'll dig a little deeper in this session but think of subjects as people and objects as resources such as data
configurations are not modified without authorization that the file sent exactly matches the file received
availability because authorized requests for objects must be granted to subjects within a reasonable amount of time
non-repudiation which guarantees that no one can deny a transaction and the most common method
to provide non-repudiation or digital signatures which prove that a digital messenger document was not
modified intentionally or unintentionally from the time it was signed that document could be an email
actually based on asymmetric cryptography a public private key pair it's the digital equivalent of a
handwritten signature or a stamped seal and it provides non-repudiation in a publicly verifiable manner the public
key stated another way non-repudiation is the ability of one party to defeat or counter a false rejection or refusal of
the other of an obligation with irrefutable evidence so the digital signature on that message on that
parties were involved in the transaction and it cannot be denied side note do remember that shared accounts and
identities prevent non-repudiation simple example if I have a Twitter account and three people have
access using the same credentials I can't prove who posted a tweet ever we'll often hear the concept of AAA
mentioned in the context of several protocols that provide authentication authorization and accounting services
and we'll touch on those protocols here and there throughout the series but I want to focus right now on these three
where the authenticated users are granted access to resources based on the roles and or permissions assigned to
their identity and accounting refers to the methods that track user activity and Records these activities in
and these three concepts really are prefaced by a fourth they go hand in hand so I want to take another pass at
this from a slightly different angle let's talk about identification and authentication so identification is
where a subject claims an identity and identification could be as simple as a username for a user as simple as an
active directory account and authentication again with a subject proves their identity by providing
authentication credentials the matching password for a username for example and this leads to authorization
so after authenticating subjects systems can authorize access to objects based on their proven
identity and then there's accountability auditing logs and audit Trails record events including the identity of the
subject that performed the action so we have authorization that comes after authentication and accountability that
accountability so why is accountability important let's go through the how's to get to the why so accountability is
maintained for individual subjects using auditing logs record user activities and users can be held accountable for their
compliance with the organization security policies generally speaking users are going to behave when they know
their actions are being audited when they are being logged and it provides an audit Trail for
investigation if the fact that we're logging doesn't deter that bad behavior or if heaven forbid we have a security
breach a compromised identity we're going to have that audit Trail so we can go back and piece together the sequence
of events and this discussion can extend beyond users to syst systems and devices as well it's common in modern
Enterprises that systems and devices will have identities also two good examples virtual machines in the cloud
will have a managed identity managed by the platform created and deleted with the VM sharing its life cycle and used
by the VM when it accesses resources such as data so we have an audit Trail and client devices will often have
machine identities in a mobile device platform often tied back to the identity provider platform
and that can be leveraged to make decisions around authentication and authorization of the user on the device
which brings us to our next topic authorization models so you want to be familiar with all these models for the
exam beginning with non-discretionary access control which enables the enforcement of systemwide restrictions
that override object specific Access Control role-based access control is an example of a non-discretionary
authorization model in discretionary access control every object has an owner and the owner can
grant or deny access to any other subject at their discretion this model is considered to be use-based and user
Windows widely used for more than a couple of decades now next we have Ro based access control a key
characteristic of which is the use of roles or groups so instead instead of assigning permissions directly to users
the user accounts are placed in roles and administrators assign privileges to the roles these are typically mapped to
applies Global rules to all subjects the rules within this model are sometimes referred to as
restrictions or filters a good example of rule-based Access Control is a firewall that uses rules that allow or
block traffic to all users equally and finally we have mandatory access control a key point about mandatory access
control is that every object and every subject has one or more labels these labels are predefined and the system
determines access based on assigned labels an example of mandatory access control that comes immediately to mind
is military security where the data owner doesn't set access if data is top secret they don't determine who has top
secret clearance nor is that individual data owner allowed to down classify data so they couldn't down classify data from
access control where access is restricted based on an attribute on the account such as Department location or
department attribute in order to view contracts now just to be sure you're clear for the
exam let's touch on subjects and objects directly key Concepts in Access Control for sure so subjects are the users
groups and services accessing resources known as objects and the objects are the resources files folders shares printers
databases any resources being accessed by the subject and the authorization model determines how a system grants
discussions of access control so just make sure you have them straight in your head for the exam the syllabus also
calls out Gap analysis which is a common task performed on a recurring basis and often in preparation for external audits
so in a gap analysis Auditors will often follow a standard like ISO 271 and compare standard requirements to the
organization's current operations and deficiencies versus the standard will be captured in the audit
report as gaps sometimes called control gaps a control Gap is a discrepancy between the security measures an
organization should have in place versus the controls they actually have in place the outcome is an attestation which is a
formal statement made by the auditor on the controls and processes in place and as to whether or not they are
sufficient and both internal and external Auditors should have Independence in the audit process but at
contestations from external Auditors tend to carry more weight higher confidence because the auditor is not
employed directly by the organization zero trust is called out in great detail in section 1.2 on the
syllabus so zero trust is an approach to security architecture in which no entity is trusted by default and zero trust is
based on three principles assume breach verify explicitly and least privilege access and zero trust has largely
replaced the old trust but verify model which was based on a network perimeter strategy where everything inside the
perimeter was automatically trusted and it's supported by defense and depth that advises a layered approach to security
to think about it another way zero trust really addresses the limitations of that Legacy network perimeter-based security
model it treats identity as the control plane and it assumes compromise and breach in verifying every request again
no entity is trusted by default in zero trust we verify identity we manage devices and apps and we protect data so
let's talk access policy enforcement in the context of zero trust we have the policy enforcement point which is
responsible for enabling monitoring and terminating connections between a subject like a user or a device and an
enterprise resource the policy enforcement Point acts as the Gateway that enforces Access Control
policies so when an access request occurs the policy enforcement Point evaluates the request against
pre-defined policies and applies the necessary controls for example a policy enforcement Point might enforce
multiactor authentication for Access requests from unexpected locations which would imply that enforcement is dynamic
based on conditions and context around the request at the time of the request and then we have the policy decision
point which is where access decisions are made based on various factors like user identity device health and risk
assessment the PDP evaluates the context of an access request and decides whether it should be allowed denied or subjected
to additional controls the policy decision Point considers the five ws who what when where and why but to State it
in short the policy enforcement Point enforces policies at the connection level while the policy decision Point
makes access decisions based on contextual information the exam syllabus calls out several key elements of zero
we have adaptive identity threat scope reduction policy driven Access Control policy administrator and policy engine
you'll need to be familiar with this drives the policy based decision Logic for zero trust in the data plane we have
implicit trust zones subject and system and policy enforcement point so this enforces the decisions defined in the
control plane if you're wondering where these elements of zero trust Network architecture come from they are
described in detail in nist special publication 800-207-6997 adaptive identity changes the way the
system asks a user to authenticate based on the context of the request so the policy decision points going to look at
elements like location the device the user is coming from is that device healthy are they using an approved app
is there any risk associated with this user threat scope reduction is really an end goal of zero trust Network
Control control which are controls based on a user's identity rather than simply their systems location probably the most
popular policy driven Access Control out there is conditional access in Microsoft's entra ID formerly Azure
conditional access policy here in just a moment so you can get a sense of what a system like that looks like and we have
the policy administ ministrator responsible for communicating the decisions made by the policy
engine this is an element of the system not a human person and then we have the policy engine which decides whether to
Grant access to a resource for a given subject another example here is entra ID the identity platform used with Office
365 but the policy administrator and the policy engine together make up the policy decision Point moving
on to the data plane we have implicit trust zones which are part of traditional security approaches in which
firewalls and other security devices formed a perimeter systems belonging to the organization were placed inside the
boundary so we see subject and system called out here the subject is a user who wishes to access a resource and a
system as a nonhuman entity often the device used by the user to access the resource and then we have the policy
enforcement point when a user system requests access to a resource the policy enforcement Point evaluates it against
predefined policies and applies the necessary controls Microsoft entra ID is a good example of a policy enforcement
point so we're going to visualize these Concepts a couple of different ways for context so let's consider conditional
access in entra ID so the system will look at the signals around the request the user their location the device the
application the realtime risk of that user if the user's current risk level is high based on recent activities that's
going to influence the decision it will verify every access attempt it may just allow access if conditions are good it
may require MFA some additional authentication to deal with any concerns around location device or
risk or it may block access altogether but if the user meets the bar if all the conditions of the request are acceptable
they'll gain access to the appson data they're requesting so let's look at a logical
diagram of the zero trust Concepts we've been talking about here so we have the control plane and the data plane and in
the data plane we have the policy enforcement point in the control plane we have the policy decision point which
is comprised of the policy engine and the policy administ rator we have our system and subject
which make the request and the policy enforcement point will enforce the final decision there and if granted give the
subject and system access to the enterprise resource there are certainly many supporting systems and functions
intelligence but these are the core components so the policy enforcement point is is where security controls are
applied it's where they are enforced and the decisions are made in the policy decision point so we talked
about Concepts like adaptive identity so I want to give you a quick tour of conditional access in Microsoft enter ID
so you can see how those conditions around access come together in a policy but again this is just for
context to help you connect the dots Security Plus as vendor agnostic so I'm going to switch over to a browser and
I'll go to the Microsoft entra admin Center and I will look for the conditional access area I will look at
the policies and we'll take a look at an existing policy so exchange online requires compliant device so I'll look
at the settings of this policy so you can get a sense of the conditions you see here I can apply this to specific
wish I can specify the target resources in this case we're targeting exchange online so I could Target this to as much
as all my cloud apps I can go very broad or very narrow and then when I look at my conditions here I see I can look at
the user risk for example so I can make decisions based on the user's risk level and I can look at their signin
risk so if we have concerns about the signin itself but you'll notice here it mentions the signin risk level is
platforms you see I can drill down and apply a policy that applies only to Windows or Mac or Android or iOS for
example and we can look at location so I can exclude trusted locations if I wish maybe I don't want to prompt users for
additional authentication factors when they're on a managed device in a known trusted location like the corporate
office we get sign in fatigue and unhappy users when we're overdoing it in that respect so we have to establish our
boundaries based on our competence and I'll go over here and look at my access control so I can grant
authentication require a specific strength of authentication I can require a device to be marked as compliant or to
be joined to my organization like join to my entra Organization for example I can require an approved app and you'll
notice I can require any one of these selected controls or I can apply them all and say you must meet all of these
conditions and the more sensitive the operation the more likely I'm going to go that route of requiring multiple
conditions in that respect but that's how adaptive identity flows in the Microsoft ecosystem but you'll find
similar Concepts across many platforms out there so if you don't have any exposure hopefully that gives you a bit
of context so let's move on to physical security it's important to remember there is no security without physical
security without control over the physical environment no amount of administrative or technical access
controls can provide adequate security if a militi person can gain physical access to your facility or your
equipment they can do just about anything they want from destruction of property to disclosure and
alteration so physical security is that first outer layer of protection and we'll go through the physical security
controls mentioned in the exam syllabus in order beginning with the Ballard which is a short sturdy vertical
post usually made of concrete steel or some heavy duty material they can be fixed in place or
retractable but they act as physical barriers preventing vehicles from forcibly entering a restricted area
they often delineate pedestrian areas parking lots and sensitive zones to minimize accidental damage but they're
attacks next we have the access control vestibule which is a physical security system comprising a small space with two
interlocking doors only one of which can be open at a time it's designed to strictly control access to highly secure
areas by allowing only one person at a time to pass through this will protect against tailgating where a user slips
through an entry based on someone else's badge when they themselves don't have a badge it's also prevents piggy backing
which is just like tailgating but typically with bad intent to gain access to a rest red area you don't really need
to be too worried about the details between those two they both describe a situation where somebody tries to follow
someone with a badge into a system without using a badge of their own and the access control vestibule will really
help block unauthorized access of any kind you may have previously heard the access control vestibule called a man
trap the naming has been updated in recent years but two names for the same thing so fences are called out on the
exam so let's talk about the characteristics of fences typically efficacy comes down to their height and
their composition so a fence of 3 to 4 ft deters the Casual trespasser a 6 to 7t fence is too
difficult to climb easily it might block Vision which provides additional security if folks standing on the ground
can't see what behind the fence on the other hand an 8ft fence topped with Barb Wire will deter determined
Intruders and then we could even employ what's called a petas a perimeter intrusion detection and assessment
system which will detect someone attempting to climb a fence petus is an expensive control and it may generate
also erect stronger barricades or zigzag paths to prevent a vehicle from ramming a gate so really think of that as a
layered defense as defense in depth where we're adding additional supporting controls compensating controls of a
fashion if we go back to our previous installment so next we have video surveillance so cameras and close
circuit TV systems can provide video surveillance and reliable proof of a person's identity and activity and many
cameras nowadays include motion and object detection capabilities which will kick them into action when necessary
when there's activity to capture that makes combing through camera footage for Meaningful events much easier after the
fact we have security guards a preventive physical security control and they can prevent unauthorized Personnel
from entering a security area they can recognize people and compare an individual's picture ID for people they
these video is detective security guards are preventive access badges are preventive maybe you can see how each
barrier as well as a physical barrier that may deter bad behavior a video camera can do the same thing if someone
sees that video camera they may simply think twice it discourages them from acting with lighting we need to think
about location efficiency and protection so in terms of location installing lights at all entrances and exits to a
efficiency a combination of automation light dimmers and motion sensors can save on electricity cost without
they can even be motion detecting and we need to protect the lights if an attacker can remove the
light bulbs it defeats the control if the attacker can break the light bulb it defeats the control so either place the
lights high enough that they can't be reached or protect them with a metal cage and your lighting is a deterrent
control there are four types of sensors called out in the syllabus the first is infrared which detects heat signatures
in the form of infrared radiation emitted by people animals or objects infrared sensors are often integrated
into security cameras and alarm systems to improve detection capabilities next we have pressure
sensors which are designed to detect changes in pressure on a surface or in a specific area such as a person walking
on a floor or stepping on a mat pressure sensors are used in Access Control Systems to ensure that only authorized
individuals can enter microwave sensors use microwave technology to detect movement within a
specific area they're often used with other types of sensors to reduce false alarms ultrasonic sensors emit high
frequency sound waves and measure the time it takes for the soundwaves to bounce back after hitting an object or a
surface ultrasonic sensors are commonly used in parking assistance robotic navigation and intrusion
detection and in the category of deception and disruption we have the Honeypot honey Poots lure bad people
into doing bad things it lets you watch them but honeypots should only entice not and trap you're not allowed under us
law to let them download items with enti enticement if you want your evidence to be admissible in court for example
allowing them to download a fake payroll file might be considered entrapment the goal of a honey pot is really to
distract from real assets and isolate in a padded cell until you can track them down a group of Honey pots is called a
exam then we have the honey file which is a decoy file to ively named so it attracts the attention of an
attacker then the honey token is a fake record inserted into a database to detect Data Theft these are all intended
to deceive attackers and disrupt attackers and divert them from live networks and allow observation of our
1.3 the 1.3 in the syllabus is explain the importance of change management processes and the impact to security so
we'll be focused on business processes impacting security operations from approval to testing to backout plans
documentation and Version Control so these are really more about what these processes solve for and why do we use
them and we're about to cover every one of them right here so buckle up and I'm going to take one step further right out
of the gate and mention configuration management because when we make changes often we are affecting system or
security related incidents and outages that's our top level goal so to cover off configuration management just
briefly it ensures that systems are configured similarly that configurations are known and documented it ensures that
a true current state is known to all and perhaps more importantly that our intended current state is actually
enforced and in an automated way we possible we can automate some of that using baselining which ensures that
systems are deployed with a common baseline or starting point Imaging is a common baselining method for example in
Virtual machines or even in desktop but I can establish Baseline configurations for just about any
service and in the world of cicd continuous integration and continuous deployment I can often
automate implementation of that Baseline through a pipeline through a devops pipeline and then we have change
changes change management helps reduce risk associated with changes including outages or weakened security from
documented going a step further in change management I want to clarify the difference between change management and
change control you'll often hear these two terms used interchangeably and the difference in their meaning may not
always be clear so Change Control refers to the process of evaluating a change request within an organization and
deciding if it should go ahead in this process request are generally sent to the change Advisory Board often called
the cab to ensure that it is beneficial to the organization so essentially change management is the policy that
process of evaluating a change request to decide if it should be implemented so change management is guidance on the
process and change control is the process in action now let's talk through business processes impacting Security
operation because any change management program should address a few important business processes including approval
which ensures that every proposed change is properly reviewed and cleared by management before it takes place this
ensures alignment across teams and really throughout the organization changes should always have clear
ownership we want to clearly Define who is responsible for each change by designating a primary owner and that
owner will be the key decision maker and sponsor of the change stakeholder analysis identifies
all the individuals and groups within the organization and outside the organization that might be affected by
the change so this enables the team to contact and coordinate with all relevant stakeholders
stakeholders and we have testing which first and foremost confirms that a change will work as expected by
validating it in a test environment before production rollout from a process perspective test results should be
captured in the change approval request this will be one of the core questions every change approval board is going to
ask that same board will also want to talk about your backout plan which provides detailed stepbystep sequences
that the team should follow to roll back if the change goes wrong this ensures systems can be quickly restored to an
operational state if we have a problem and often as a matter of policy organizations won't allow a change to be
approved if it hasn't been tested and if it does not include a backout plan and then we need to think about when a
change should be rolled out which is where maintenance Windows come into play a standing window of time during which
hours there are certainly inconsequential changes that can happen during business hours but when we think
about critical Services it's going to be outside of business hours and often the maintenance window is defined in
customer contracts and when you roll all of these processes up together these elements together can
affects system or data exposure may impact security so we need to make sure we update our documentation our data
flow diagrams and potentially do threat modeling to identify any new attack surfaces and address any new potential
vulnerabilities with appropriate security controls so shifting gears let's talk through the technical
implications that need to be considered as part of the change management process do we need to update allow or
deny lists on our firewall are there any restricted activities here potentially involving sensitive data what are our
expectations of down time any application restarts impact to Legacy applications and what other depend
Tendencies are there in the service chain we need to check all of these boxes in our planning process and at the
end of the day we're looking to address any new exposures even temporary exposures of our data or our
systems why well to avoid service disruptions and security vulnerabilities as system configurations
change attack surfaces may change as well and we need to plan for that throughout the change process so let's
drill down on each of these technical implications we'll start with allow and deny list so firewall rules application
allow deny list Access Control list may all need to be updated some activities may need to be
restricted like data updates during database replication or migration if you have an orders database being updated
and we need to consider any potential downtime because some changes may cause service interruptions which result in
play next application restart so putting controls around risky activities like application and service
restarts whether that's taking a security function offline for its update or taking down a business application we
need to think about how that's going to affect service availability and if we're taking down security related functions
how that affects our security posture during the time that system is offline and then we have to think about
Legacy application so modifications to Legacy apps that may not support some changes like component or service
hybrid Cloud because the advantage of the public cloud is your services are always is up to date and sometimes the
organization is not ready to update certain applications and services and in some cases you may have a legacy
application that's coasting to end of life and so you need to maintain that aging service until the business is
ready to retire it and Legacy applications bring with them special security concerns you know certainly
vulnerabilities because an application that was developed or architected many years in the past was created without
awareness of modern security concerns there are going to be risk factors that the Architects didn't think about or
could not be aware of 10 or 15 years ago then we need to think about dependency so tracking dependencies between systems
and services to identify Downstream effects of current and future changes if I'm updating a backend API or database
am I making a change that's going to impact the applications that leverage that data or that API for
example so let's move on to documentation so documentation helps us understand the current state of and the
changes to our operating environment this is a weak spot of many organizations and a real concern when it
about the way systems and applications are designed and configured it serves as an ongoing reference for current and
not closed out until all documentation and diagrams are updated it is a continuous process across new
deployments and changes and there may be multiple teams involved in keeping documentation of a system or service
fully up to date and we have to remember that do mentation applies not only to the environment but to policies and
procedures that direct operation and support of that environment at the end of the day there
are some upsides and a downside we need to think about from a security perspective so on a positive note
documentation provides benefits to it and security operations to business continuity and Disaster Recovery efforts
accurate picture of current state is going to be helpful to everyone trying to secure and support that system or
service and we need to remember that you cannot fully secure a system or service for which you do not have a true picture
of current state if you are implementing security controls based on inaccurate information you may be leaving security
vulnerabilities open to potential attackers that no one is aware of and we'll close out 1.3 on Version Control
which is a form Al process used to track current versions of software code and system or application
configurations most organizations use a formal version control system that is integrated into their software
is the most widely used version control system in the world invented by lonus talt the creator of Linux
developers modify the code and they check it into a version control system that can identify conflicts in their
changes with those made by other developers and any version control system that is git or based on git is
going to do so with great accuracy it also tracks the current Dev test and production versions of
code and when we think about the dev SEC Ops discipline security is everyone's responsibility so we're going to be
scanning the code that's being checked into that git repository there will likely be multiple
types of security testing involved from very early in the development process and just one of those can be scanning of
code that's checked in to our git repository code for different environments is typically tracked and
git using Code branches we might have a Dev Branch a test Branch a main branch for production
for the exam though focus on the function of Version Control not on any specific Version Control System but if
any version control system is mentioned it's going to be get and that brings us to section 1.4
Solutions we're going to cover public key infrastructure or pki a variety of encryption mechanisms both types of
techniques a number of encryption Concepts including hashing salting digital signatures key stretching
certificates are directly related because we produce certificates from a pki system so I'm going to cover
certificates right after pki to keep these two together to make your job in preparing for exam day a bit easier but
beyond that I'm going to cover everything else in the order presented as I always do let's Dive Right into
public key infrastructure Concepts beginning with key management which is management of cryptographic keys in a
crypto system so operational considerations include dealing with generation exchange storage use and
crypto shredding or destruction and replace of keys if a key is lost or expires from a design perspective we
have to look at cryptographic protocol design key servers user procedures and any related protocols related to
management updates and revocation the certificate authorities create digital certificates and own the
policies related to certificate creation functionality and issuance now a pki hierarchy can include
a single certificate Authority that serves as the route and the issuing CA and manages all the policies but this is
not recommended because if that server is compromised your entire pki hierarchy itself is compromised there's