SYO-701 General Security Concepts Study Guide for the CompTIA Security+
General Information
This is study material for the CompTIA SYO-701 Security+ exam, which replaces the old (as of July 31, 2024) CompTIA SYO-601 Security+ exam. Be sure you are studying for the right test.
Questions about general security concepts occupy only about 12% of the CompTIA Security+ SYO-701 exam, but the concepts are important to study. They form the basis for your comprehension of all the other security ideas. None of these questions will begin with a scenario, so they are just testing what you know about the general security environment.
Security Controls
As a security professional, you will need to be able to protect various aspects of the networking landscape, including physical and logical assets, so as to prevent incidents, limit their impact, and recover from them. In order to maintain the security of assets, varying controls must be employed. You need to be able to compare and contrast different categories and types of controls.
Categories
Security controls fall into four major categories: physical, managerial, operational, and technical. Each provides security through mechanisms that are specific to their design.
Technical
A technical control is designed to address technical operational standards to uphold and enforce the CIA triad: confidentiality, integrity, and availability. Examples of technical controls include firewall rules, intrusion prevention systems (IPSs) and intrusion detection systems (IDSs), and encryption standards.
Managerial
Managerial controls use procedural mechanisms, focusing on the risk management process. Examples of managerial controls include organization-wide security policies, organizational best practices, periodic risk assessments, and security-aware change management.
Operational
Operational controls focus on the day-to-day policies and practices used to secure assets. Examples of operational controls include security guards checking ID badges, user access reviews, and employee awareness training.
Physical
Physical controls are designed to address the physical environment. Physical controls include fences, locks, lighting, fire suppression, and alarms, among others.
Control Types
A control type refers to the desired effect of the control set in place. When implementing controls, many security mechanisms will fall into multiple control type categories.
Preventive
A preventive control is intended to stop an incident before it occurs. For example, a firewall prevents access to a network by stopping suspicious traffic.
Deterrent
A deterrent control dissuades a potential threat actor from taking an action before they even attempt it. For example, bollards are a physical deterrent control meant to keep a threat actor from breaching a location with a car.
Detective
A detective control is designed to identify security concerns that have occurred. For example, an IDS monitors network traffic and alerts on potentially malicious activity that has already taken place.
Corrective
A corrective control aims to fix or recover from security issues that have already occurred. For example, restoring from a backup after an incident is a corrective control.
Compensating
A compensating control is designed to reduce the impact associated with an incident or the risk associated with exceptions to security policies. For example, a compensating control to reduce impact may be a server connected to an alternate power supply in case of power loss. A compensating control to reduce the risk associated with security exceptions could be isolating needed legacy software from the primary network.
Directive
A directive control is used to inform the human element about how to respond to a security threat. Policies and procedure specifications are directive controls.
Fundamental Security Concepts
Fundamental security concepts are the primary goals behind a security-based mindset. Security programs are designed to support these fundamental concepts. For the Security+ exam, you should be able to summarize each fundamental security concept.
Confidentiality, Integrity, and Availability (CIA)
The CIA triad is a set of three complementary objectives that are used as a model upon which cybersecurity programs are based. Confidentiality refers to the concept that only authorized users will be able to access data and sensitive information. Integrity is the concept that the data or system that is presented is complete and unaltered by unauthorized users. Availability refers to the ability of authorized users to access data or systems when needed or requested.
Nonrepudiation
Nonrepudiation is a fundamental concept that ensures that if an action is taken, it can be proven through digital evidence. For example, if a user sends an email and later denies sending it, the email’s digital trail can prove that the email was sent by the user. Digital signatures are an example of a security practice that supports nonrepudiation.
Authentication, Authorization, and Accounting (AAA)
AAA (generally referred to as “triple A”) refers to a framework for managing access to a system or network. Although a AAA framework may be applied to users or systems, the basic concept is the same. First, a person or system must be authenticated to a system, such as with a username and password. After the person or system is authenticated, they must be authorized to perform functions. Accounting refers to auditing the system’s or user’s activity, such as tracking time usage.
Authenticating People
Authenticating people is ensuring that the user is who they claim to be. While the most common example of an authentication method is the use of a username and password, there are numerous methods for authentication based on various factors, such as something the user is, has, or knows, and various attributes, such as location, knowledge, or performance.
Authenticating Systems
Authenticating systems using a AAA framework applies the same general concepts to devices and services. The system must provide proof of its identity and hold the correct authorization before it is granted access.
Authorization Models
An authorization model is a framework used to control access to resources based on various factors, such as the authenticated user or system roles, attributes, or identities. Authorization models provide a method for setting and enforcing resource access security rules.
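The AAA flow and a simple authorization model, as an added example that is not part of the original study guide. It authenticates a user against a salted password hash (something the user knows), authorizes the requested action with a role-based access control (RBAC) table, and appends an accounting record for every request, whether it was allowed or not. The user names, passwords, roles, and actions are constructed for the example.

```python
import hashlib
import hmac
import os
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; only the hash is stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, roles: set) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": roles}


# Constructed user store: these credentials are made up for the example.
USERS = {
    "alice": make_user("correct horse", {"admin"}),
    "bob": make_user("hunter2", {"analyst"}),
}

# Authorization model (RBAC): each role maps to the actions it may perform.
ROLE_PERMISSIONS = {
    "admin": {"read_logs", "change_firewall"},
    "analyst": {"read_logs"},
}

# Accounting: one record per request, including failed ones.
ACCOUNTING_LOG = []


def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the password against the stored salted hash."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so response time does not reveal whether the username exists.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"])


def authorize(username: str, action: str) -> bool:
    """Authorization: allow the action only if one of the user's roles permits it."""
    roles = USERS[username]["roles"]
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def account(username: str, action: str, allowed: bool) -> None:
    """Accounting: record who asked for what and whether it was granted."""
    ACCOUNTING_LOG.append(
        {"ts": time.time(), "user": username, "action": action, "allowed": allowed}
    )


def request(username: str, password: str, action: str) -> str:
    """Run the full AAA sequence for one request and return the outcome."""
    if not authenticate(username, password):
        account(username, action, False)
        return "denied: authentication failed"
    allowed = authorize(username, action)
    account(username, action, allowed)
    return "allowed" if allowed else "denied: not authorized"


if __name__ == "__main__":
    print(request("alice", "correct horse", "change_firewall"))
    print(request("bob", "hunter2", "change_firewall"))
    print(request("bob", "wrong password", "read_logs"))
    print(ACCOUNTING_LOG)
```

Note that authentication failures are still accounted for: the accounting log is where a detective control would later look for repeated failed logins, so it must capture denials as well as grants.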
Gap Analysis
A gap analysis is an evaluation of security objectives and the security controls that are designed to address them. If a discrepancy between a security objective and the control or controls meant to address it is found, that is a gap. Gap analysis is useful in identifying potential vulnerabilities in the security program.
Zero Trust
Zero trust is a security concept that states no entity within the network is assumed safe. All traffic, whether originating from within or outside the network, is a potential threat and must be evaluated prior to transmission within the network. The components described below follow the zero trust architecture (ZTA) diagram published by the National Institute of Standards and Technology (NIST).
Control Plane
The control plane is the portion of the ZTA that filters access requests through the policy decision point (PDP). The PDP verifies the identity used to access resources. The control plane consists of four primary components: adaptive identity, threat scope reduction, policy-driven access control, and policy administrator.
Adaptive Identity
Adaptive identity, also known as adaptive authentication, provides context-based authentication for users requesting access to resources. Context-based data may include data such as the location of the request, the device being used, and the security parameters of the requesting device. Adaptive identity may also require additional information prior to authentication.
Threat Scope Reduction
Threat scope reduction is also commonly referred to as a limited blast radius. It limits the resources an entity can reach within the zero trust network, reducing the amount of access any single entity has. This limits the potential for data loss by applying the principle of least privilege and network segmentation.
Policy-Driven Access Control
Policy-driven access control refers to the use of policies to allow or deny access to resources through policy engines. A policy engine is a system that uses policies to make access decisions. The policy engine then notifies the policy administrator of its decision.
Policy Administrator
The policy administrator is the entity responsible for making decisions based on activity identified by the policy engine.
Data Plane
The data plane is the portion of the ZTA that provides communication between the devices and applications in the network. The data plane is composed of three primary components: the implicit trust zones, subject/system, and policy enforcement point.
Implicit Trust Zones
Implicit trust zones are portions of the network that a subject may traverse once it has been authenticated to the system through the policy engine. Once authenticated, the subject is able to access the resources in the trust zone without re-authenticating.
Subject/System
The subject or system is the user or device that is requesting access to the resources.
Policy Enforcement Point (PEP)
The PEP is the portion of the data plane that is used to manage trust zones. The PEP has the ability to enable access, monitor communications, and terminate connections and access to resources if necessary.
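The control-plane and data-plane components above, as an added example that is not from the study guide or from NIST. A policy engine acts as the policy decision point, evaluating the subject's role together with adaptive-identity context (device posture, location, MFA status) and applying threat scope reduction by limiting each resource to the roles that need it and giving sensitive resources short sessions. A policy enforcement point object then opens, tracks, and terminates sessions according to those decisions. The resource names, roles, and context fields are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    subject: str
    role: str
    resource: str
    device_compliant: bool  # e.g., disk encryption on and endpoint agent running
    location: str           # constructed context: "office" or "remote"
    mfa_verified: bool


@dataclass
class Decision:
    allow: bool
    reason: str
    session_ttl_seconds: int = 0


# Threat scope reduction: each resource lists only the roles that need it
# (least privilege), and sensitive resources demand stronger context.
RESOURCE_POLICY = {
    "wiki":       {"roles": {"staff", "admin"}, "sensitive": False},
    "hr-db":      {"roles": {"hr"},             "sensitive": True},
    "prod-admin": {"roles": {"admin"},          "sensitive": True},
}


def policy_engine(req: AccessRequest) -> Decision:
    """Policy decision point: evaluate identity plus context, default deny."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return Decision(False, "unknown resource: default deny")
    if req.role not in policy["roles"]:
        return Decision(False, "role not permitted for resource")
    if not req.device_compliant:
        return Decision(False, "device fails posture check")
    # Adaptive identity: the same subject faces a stricter check in a riskier context.
    if policy["sensitive"] and (req.location != "office" or not req.mfa_verified):
        return Decision(False, "sensitive resource requires on-site access with MFA")
    # Short-lived sessions keep the implicit trust zone small in time as well as scope.
    ttl = 300 if policy["sensitive"] else 3600
    return Decision(True, "policy satisfied", ttl)


class PolicyEnforcementPoint:
    """Data-plane gate that enables, monitors, and terminates access paths."""

    def __init__(self):
        self.sessions = {}  # (subject, resource) -> remaining session TTL

    def handle(self, req: AccessRequest) -> Decision:
        # The policy administrator hands the engine's decision to the PEP to act on.
        decision = policy_engine(req)
        key = (req.subject, req.resource)
        if decision.allow:
            self.sessions[key] = decision.session_ttl_seconds
        else:
            self.sessions.pop(key, None)  # a deny also tears down any existing path
        return decision

    def revoke(self, subject: str) -> int:
        """Terminate every session for a subject, e.g. when its device falls out of compliance."""
        keys = [k for k in self.sessions if k[0] == subject]
        for k in keys:
            del self.sessions[k]
        return len(keys)


if __name__ == "__main__":
    pep = PolicyEnforcementPoint()
    print(pep.handle(AccessRequest("alice", "admin", "prod-admin", True, "office", True)))
    print(pep.handle(AccessRequest("alice", "admin", "prod-admin", True, "remote", True)))
    print(pep.sessions)
```

The re-evaluation on every request is the point: the same administrator who was granted access on site is denied the moment the context changes, and the PEP closes the existing path rather than letting the earlier decision stand.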
Physical Security
Physical security controls are tangible security measures that are designed to limit access to a physical device or location. It is important to be able to explain the importance of common physical controls and concepts.
Bollards
Some businesses use barricades to assist with the security of physical fences. One form of barricade that many businesses use is bollards, which are short vertical posts made of steel and concrete. These physical barriers make it more difficult for vehicles to run through the fence or through a front entrance.
Access Control Vestibule
Access control vestibules are used to prevent a threat actor from using techniques like tailgating to intrude into a physical space. These vestibules consist of two separate doors, both requiring authorization to open, with a chamber in between them. A person enters through the first set of doors with authorization. These doors are then secured behind them, leaving the person in the middle chamber. The second door is only opened to the secure location after authorization. If the person is unauthorized, the second door remains closed, locking the threat actor in the middle chamber.
Fencing
Setting up fences is a way to deter unauthorized people from entering a property. Fences can be simple or highly complex, using various fencing materials, such as razor wire, to prevent access. Fences are often paired with gates that control access and may be monitored by security guards.
Video Surveillance
Video surveillance, also known as closed-circuit television (CCTV), involves cameras that transmit their video to screens viewed by specified personnel. It can be monitored live on premises or from an off-site location. Video surveillance footage is also commonly retained for a specific duration so it can be reviewed if needed at a later date.
Security Guard
Human guards or security guards are a type of physical security control that can be used to prevent unauthorized people from gaining physical access to a building. Guards are able to respond to potential incidents immediately and can also act as a deterrent for threat actors.
Access Badge
Access badges are physical cards that can be used to gain access to secure locations or devices within a company. Badges may use magnetic striping, radio-frequency identification (RFID), or near-field communication (NFC) for authorization. Along with photos to prevent impersonation, badges can also provide additional identification information, such as the department the employee works in.
Lighting
Placing lighting around a building is a relatively inexpensive way to deter threat actors. The lighting should be placed near entrances and other locations where an intruder may try to gain access to the building. Lights can be set to trigger via motion detectors. Threat actors will take advantage of dark or shaded areas, so extensive lighting is an effective deterrent.
Sensors
Sensors are another type of physical security control. These pick up on abnormal occurrences in the environment. There are various types of sensors commonly used as physical security controls, including infrared, pressure, microwave, and ultrasonic sensors.
Infrared
Infrared sensors detect changes in infrared light or heat radiation to identify abnormal activity. Infrared sensors are an inexpensive method of detection and work well in smaller, highly controlled areas.
Pressure
Pressure sensors are used to detect changes in pressure (e.g., from a liquid or gas). Pressure sensors are commonly used to identify if an object placed on the sensor has been disturbed or moved.
Microwave
Microwave sensors use a microwave signal to identify changes in a physical space. The microwave sensor first sends out a microwave signal during standard conditions and measures the responses to create a baseline. If a change in response is detected, the microwave sensor will alert. Microwave sensors are more precise than infrared sensors and can identify movement through physical obstacles.
Ultrasonic
An ultrasonic sensor uses sound waves above the audible spectrum to identify movement in a space. Ultrasonic sensors are commonly used as proximity sensors.
Deception and Disruption Technology
Deception and disruption are tactics that can be used to secure an enterprise environment by capturing attackers or disrupting an attack. Deception employs misleading environments to lure the attacker in order to capture information about the attacker or attack. Disruption, as the name indicates, aims to disrupt an attack before it can take hold.
Honeypot
A honeypot is a decoy server that is designed to look especially lucrative to a threat actor. The server may have few to no security controls in place to allow threat actor access. Honeypots are used to trick the threat actor, keeping them away from the corporate network while collecting information about the threat.
Honeynet
A honeynet is a decoy network isolated from the corporate network. It simulates the corporate network and is composed of multiple honeypots to further lure the attacker into breaching the decoy network. Once the threat actor is in the honeynet, data is collected that can shed light on the tools and methods used to breach the network.
Honeyfile
A honeyfile is a decoy file that is used to lure a threat actor. If the honeyfile is accessed or transmitted, it indicates a potential breach of the system.
Honeytoken
A honeytoken is decoy data that is designed to attract and identify threat actors. Once accessed or exfiltrated, the honeytoken is used to track and gain information on the threat actor. Honeytokens may be placed in databases, files, or directories, among other locations.
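The honeyfile and honeytoken detection described above, as an added example that is not part of the original study guide. A decoy payroll file path and a decoy cloud-style access key are the planted indicators; the scanner reads file-access and authentication log lines and raises an alert whenever either indicator appears. The honeytoken value, the file path, and the log lines are all constructed for the example, and the key is not a valid credential anywhere.

```python
import re
from dataclasses import dataclass

# Constructed honeytokens: a fake access key planted in a stale-looking config
# file. No legitimate process ever uses it, so any appearance is suspicious.
HONEYTOKENS = {
    "AKIAHONEY0000EXAMPLE": "decoy cloud access key planted in backup.env",
}

# Constructed honeyfile: a decoy document placed where a snooping user would find it.
HONEYFILES = {
    "/srv/finance/Q3_payroll_FINAL.xlsx": "decoy payroll spreadsheet",
}


@dataclass
class Alert:
    line_no: int
    kind: str       # "honeyfile" or "honeytoken"
    indicator: str  # the decoy value that was touched
    detail: str     # where the decoy was planted


# Constructed log lines in a syslog-like key=value format. In practice these
# would come from a file-server audit trail and an API authentication log.
SAMPLE_LOGS = """\
2024-08-01T09:12:03Z fileserver open user=jsmith path=/srv/finance/expenses.xlsx
2024-08-01T09:14:55Z fileserver open user=jsmith path=/srv/finance/Q3_payroll_FINAL.xlsx
2024-08-01T09:20:11Z api auth user=svc-backup key=AKIAPRODUCTION001REAL result=ok
2024-08-01T11:02:47Z api auth user=unknown key=AKIAHONEY0000EXAMPLE result=denied src=203.0.113.9
"""

PATH_RE = re.compile(r"\bpath=(\S+)")
KEY_RE = re.compile(r"\bkey=(\S+)")


def scan(log_text: str) -> list:
    """Return one Alert per log line that touches a honeyfile or honeytoken."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = PATH_RE.search(line)
        if m and m.group(1) in HONEYFILES:
            alerts.append(Alert(line_no, "honeyfile", m.group(1), HONEYFILES[m.group(1)]))
        m = KEY_RE.search(line)
        if m and m.group(1) in HONEYTOKENS:
            # Alert even when the authentication was denied: the decoy key was
            # never issued to anyone, so an attempt to use it means it was taken.
            alerts.append(Alert(line_no, "honeytoken", m.group(1), HONEYTOKENS[m.group(1)]))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"line {alert.line_no}: {alert.kind} {alert.indicator} ({alert.detail})")
```

Because nothing legitimate ever reads the decoy file or presents the decoy key, these alerts carry almost no false-positive rate, which is what makes honeyfiles and honeytokens useful detective controls alongside the noisier signals an IDS produces.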