SY0-701 General Security Concepts Study Guide for the CompTIA Security+


Change Management Processes

Change management evaluates the potential change before, during, and after implementation to reduce the potential impacts that the change may incur. You should be able to identify and explain the change management processes, their importance, and their potential impact on security.

Business Processes Impacting Security Operation

A business process is a set of procedures, such as change management processes, that are used to achieve a business goal. Many business processes may have a direct impact on an organization’s security.

Approval Process

The approval process for implementing a change typically consists of three phases. These are the first three steps of the change management standard operating procedures (SOPs; discussed below).

The first phase is the request phase. When a potential change is identified and deemed necessary or useful by an employee, the change is formally requested. The second phase is the review phase, during which a predefined set of people, such as stakeholders or board members, review the requested change and evaluate the impact analysis of the change. The third phase is the approve or reject phase. Approval may be contingent upon additional requirements the board identifies, such as requiring a backout plan.

Ownership

Ownership in the change management process refers to the primary person who is responsible for overseeing the process, ensuring all SOP requirements are met, and improving or updating the process if necessary.

Stakeholders

Stakeholders in the change management process are the people or groups that may be affected by the change. During the impact analysis, stakeholders are defined and prioritized based on their importance in the business environment.

Impact Analysis

An impact analysis is an assessment of the proposed change that identifies stakeholders and evaluates the potential risks and benefits to the stakeholders. An impact analysis is used to aid in the approval or rejection process.

Test Results

After approval, a change should be tested in a controlled environment. The test results can then be evaluated to identify any unexpected outcomes or repercussions of the change, and the change plan adjusted accordingly.

Backout Plan

A backout plan is a procedure that outlines how a change can be undone and the system restored to its previous state in case of unforeseen issues with the change.

Maintenance Window

A maintenance window is a set time frame during which a change can be made with the least impact on business operations. For example, if a change must be applied to a business that is most active during the day, the maintenance window could be scheduled for the night before the start of business.

Standard Operating Procedure (SOP)

The SOP for the change management process typically includes six steps:

  1. Request the change.
  2. Review the change.
  3. Approve or reject the request.
  4. Test the change.
  5. Schedule and implement the change.
  6. Document the change.
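The six steps above can be enforced as a small state machine, so that a change record cannot skip a step or be approved without the prerequisites the guide lists (impact analysis, backout plan, test results, maintenance window). The following is an added example written for this guide, not CompTIA's or any vendor's code; the field names and the sample change are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

# The six SOP steps from the guide, in order. A request may only advance to the
# next step once the prerequisites of that step have been recorded on it.
STEPS = ("requested", "reviewed", "approved", "tested", "implemented", "documented")


@dataclass
class ChangeRequest:
    """Constructed change record; field names are this example's own, not a standard."""
    title: str
    owner: str                         # the single person accountable for the change
    stakeholders: list = field(default_factory=list)
    impact_analysis: str = ""          # produced during the review step
    backout_plan: str = ""             # approval is contingent on having one
    test_results: str = ""
    maintenance_window: tuple = None   # (start, end) datetimes
    documentation: str = ""
    state: str = "requested"
    rejected: bool = False


def _require_state(cr, expected):
    if cr.rejected:
        raise ValueError(f"{cr.title!r} was rejected; no further steps are allowed")
    if cr.state != expected:
        raise ValueError(f"{cr.title!r} is {cr.state!r}, but this step needs {expected!r}")


def review(cr, stakeholders, impact_analysis):
    """Step 2: reviewers record who is affected and the impact analysis."""
    _require_state(cr, "requested")
    if not stakeholders or not impact_analysis:
        raise ValueError("review requires named stakeholders and an impact analysis")
    cr.stakeholders = list(stakeholders)
    cr.impact_analysis = impact_analysis
    cr.state = "reviewed"
    return cr


def decide(cr, approve, backout_plan=""):
    """Step 3: approve or reject. Here approval is contingent on a backout plan."""
    _require_state(cr, "reviewed")
    if not approve:
        cr.rejected = True
        return cr
    if not backout_plan:
        raise ValueError("approval requires a backout plan")
    cr.backout_plan = backout_plan
    cr.state = "approved"
    return cr


def record_test(cr, results):
    """Step 4: the change is tried in a controlled environment first."""
    _require_state(cr, "approved")
    if not results:
        raise ValueError("test results must be recorded before scheduling")
    cr.test_results = results
    cr.state = "tested"
    return cr


def implement(cr, window, now):
    """Step 5: implementation is only permitted inside the maintenance window."""
    _require_state(cr, "tested")
    start, end = window
    if not start <= now <= end:
        raise ValueError("implementation attempted outside the maintenance window")
    cr.maintenance_window = window
    cr.state = "implemented"
    return cr


def document(cr, text):
    """Step 6: close the record with the documentation that was updated."""
    _require_state(cr, "implemented")
    cr.documentation = text
    cr.state = "documented"
    return cr


def walk_through():
    """Run a constructed change through all six steps and return its final state."""
    window = (datetime(2024, 5, 4, 1, 0), datetime(2024, 5, 4, 5, 0))
    cr = ChangeRequest(title="Rotate TLS certificate on web tier", owner="ops-lead")
    review(cr, ["web team", "help desk"], "Short HTTPS outage during service restart")
    decide(cr, approve=True, backout_plan="Reinstall the previous certificate from backup")
    record_test(cr, "Staging restart completed in 40 s with no errors")
    implement(cr, window, now=datetime(2024, 5, 4, 2, 30))
    document(cr, "Certificate serial updated in CMDB; network diagram revised")
    return cr.state


if __name__ == "__main__":
    print(walk_through())
```

Each step function refuses to run unless the record is in the preceding state, which is what makes the SOP enforceable rather than advisory: an approval without a backout plan or an implementation outside the window raises an error instead of silently proceeding.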

Technical Implications

The change management process may affect technical security as well as business processes. When developing a change process, take into consideration the effect of technical aspects as applied to the CIA triad.

Allow and Deny Lists

Allow and deny lists are security controls that specify which types of traffic may or may not access resources. Changes can affect these lists, which will then need to be reconfigured appropriately for the change.

Restricted Activities

During a change, certain activities may need to be restricted. These restrictions on activity might affect business processes and should be considered when developing a change management strategy to reduce the impact on business processes.

Downtime

Downtime refers to the amount of time a system or resources will be unavailable during the change. Changes should be implemented to reduce downtime and its potential impact on business processes.

Service Restart

When a change is implemented, services may require restarting. Restarting systems may result in downtime, which could affect business processes and availability.

Application Restart

Application restart, like service restart, may affect availability and business processes.

Legacy Applications

A legacy application is one that is no longer supported by the manufacturer or vendor. When implementing a change, legacy applications may not be compatible with the change or may create a vulnerability in the system, potentially threatening confidentiality.

Dependencies

Technical dependencies are systems, applications, or software that are interconnected with the system being changed. Dependencies need to be identified and considered during the change management process.

Documentation

Documentation of a change, from beginning to end, is vital to the change management process. Documentation involves not only the change process but also any documents that may be affected by it, such as technical configurations, policies and procedures, and diagrams.

Updating Diagrams

Diagrams affected by a change should be updated when the change occurs. Diagrams can include traffic flow diagrams, physical diagrams, logical diagrams, or business flow diagrams.

Updating Policies and Procedures

Policies are defined statements of intent. Procedures are step-by-step guides that define the appropriate processes to be followed based on specific circumstances. Policies and procedures that were valid before the change may not be correct after the change.

Version Control

Version control is the process of ensuring that all systems and users are using the latest software or applications. This process also tracks how and when an update is applied during a change.

Cryptographic Solutions

Cryptography in cybersecurity is the process of changing data from one form to another to protect it. Numerous cryptographic solutions can be used for data security. You should be able to explain different cryptographic solutions and their importance.

Public Key Infrastructure (PKI)

A PKI, which uses asymmetric encryption, manages digital certificates throughout their lifecycle. This includes the policies and procedures as well as the software and hardware used from creation to revocation. Implementing a PKI is the process of building, managing, and maintaining digital certificates.

Public Key

A key is a predefined set of characters that an encryption algorithm uses to change data into an indecipherable state, or to change it from an indecipherable state back into plain text. The public key in PKI is the key that is shared openly with other parties during communications.

Private Key

The private key in PKI is the key that is known and available for use only by its owner.

Key Escrow

Key escrow is the storage of cryptographic keys by a third party. It allows the key owner to recover their keys in case of loss.

Encryption

Encryption involves applying complex mathematical algorithms to data to protect it while at rest or in transit. Once an encryption algorithm is applied, the only way to view the unencrypted data is to apply the corresponding key. When encryption is applied to a disk (data at rest), several options or levels can be used.

Level

An encryption level defines the portion of the disk data that encryption will be applied to, ranging from a single file to an entire disk, depending on the security requirements.

Full-Disk

Full-disk encryption (FDE) automatically encrypts all data on a disk, including the operating system (OS), system files, and user files.

Partition

Partition encryption applies encryption to a specific partition on the disk rather than the entire disk. Partition encryption allows the user increased flexibility and is commonly used in dual-booted systems.

File

File encryption, or file-level encryption, applies encryption to specific files rather than the entire disk or partition.

Volume

Volume encryption applies encryption to a specific section, or volume, of a disk. This is useful when a large number of specific files require encryption but you don’t want to have to encrypt an entire partition or the full disk.

Database

Database encryption is applied at the database level to protect sensitive data from unauthorized users. Database encryption has two primary forms: transparent data encryption (TDE), which encrypts the entire database, and column-level encryption (CLE), which encrypts a specified column in the database.

Record

Record-level encryption is a form of database encryption that is applied to specific records in the database.

Transport/Communication

Encryption can also be applied to data in transit, meaning that the data is encrypted as it travels between entities during communications. Data security during communications varies depending on which encryption method is being used.

Asymmetric

Asymmetric key encryption uses a single public/private key pair for each user on the system. The two keys work in conjunction to encrypt and decrypt messages. The most commonly used asymmetric algorithm is the RSA public key algorithm, whose security rests on the difficulty of factoring large numbers into their prime factors.

Symmetric

Symmetric key encryption uses a single shared secret key that is available to all participating users. Three symmetric cryptosystems are commonly discussed: Data Encryption Standard (DES), which is highly insecure; Triple DES, which applies the DES algorithm three times and is more secure than DES; and the Advanced Encryption Standard (AES), which is the most widely used and offers three key lengths: 128-bit, 192-bit, and 256-bit.

Key Exchange

Key exchange involves securely distributing the keys needed for cryptographic algorithms. The most common methods of key exchange are offline distribution (the physical transfer of a key to another party), public key encryption (a third party establishes and verifies the communications link before the secret key is transmitted), and Diffie-Hellman (a hybrid approach in which each party combines its own private value with the other party's public value to derive a unique shared symmetric key).
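The Diffie-Hellman step is easier to see in code than in prose: each side publishes g^private mod p, and each side raises the other's public value to its own private exponent, which lands both on the same number. The block below is an added example for this guide (not from the guide's author or any library); it uses the textbook toy parameters p = 23, g = 5 for the fixed-exponent run, and a 127-bit Mersenne prime as a constructed larger group. The range check on the peer's public value and the SHA-256 key derivation are this example's own choices.

```python
import hashlib
import secrets


def valid_public_value(p, y):
    """Reject trivial peer values (0, 1, p-1) that would force a predictable secret."""
    return 1 < y < p - 1


def generate_private(p, g):
    """Pick a random private exponent whose public value passes the range check."""
    while True:
        a = secrets.randbelow(p - 2) + 1          # 1 .. p-2
        if valid_public_value(p, pow(g, a, p)):
            return a


def public_value(p, g, private):
    """What each side sends in the clear: g^private mod p."""
    return pow(g, private, p)


def shared_secret(p, peer_public, private):
    """What each side computes locally: (peer_public)^private mod p."""
    if not valid_public_value(p, peer_public):
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def derive_key(secret, length=16):
    """Hash the shared integer into a fixed-size symmetric key (simple KDF stand-in)."""
    raw = secret.to_bytes((secret.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(raw).digest()[:length]


def exchange(p, g, a, b):
    """Full exchange with fixed private exponents; returns (A, B, s_alice, s_bob)."""
    A = public_value(p, g, a)          # Alice -> Bob, observable on the wire
    B = public_value(p, g, b)          # Bob -> Alice, observable on the wire
    return A, B, shared_secret(p, B, a), shared_secret(p, A, b)


def random_exchange(p, g):
    """Exchange with freshly generated exponents; returns both sides' derived keys."""
    a, b = generate_private(p, g), generate_private(p, g)
    _, _, s_a, s_b = exchange(p, g, a, b)
    return derive_key(s_a), derive_key(s_b)


if __name__ == "__main__":
    # Textbook toy parameters; real deployments use 2048-bit or larger groups.
    print(exchange(23, 5, 6, 15))            # (8, 19, 2, 2)
    k_alice, k_bob = random_exchange(2**127 - 1, 3)
    print(k_alice == k_bob)                   # True
```

Only A and B cross the wire; an observer who sees both still lacks either private exponent, which is why the two derived keys agree for the parties but not for the eavesdropper. The toy group is for reading the arithmetic, not for use.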

Algorithms

An encryption algorithm is a mathematical formula that is used to convert plaintext data into ciphertext using a key. The key value is inserted into the encryption algorithm, which is then applied to the data resulting in a ciphertext that can only be deciphered by reversing the encryption algorithm with its associated key.

Key Length

A key is a binary number used in conjunction with a cryptographic algorithm to encrypt and decrypt data. The key space is the range of values that are valid with a specified cryptographic algorithm. The key length determines how large the key space can be. The larger the key length, the more secure the encryption.

Tools

With key encryption, protecting the key is paramount since the data can only be deciphered, in theory, by its corresponding key. Multiple tools have been designed to store and protect encryption keys.

Trusted Platform Module (TPM)

A TPM is a physical module or chip with a built-in cryptoprocessor for storing RSA key pairs. It is commonly used in the secure boot process to restrict access to a computer or device’s firmware or software. TPMs can also provide drive encryption and cryptographic-based security solutions.

Hardware Security Module (HSM)

An HSM is a method of authentication management that can securely create, store, and manage encryption keys. HSMs are typically independent physical plug-and-play devices or expansion cards that can be attached to a computer or compatible device. Cloud service providers may also offer HSM software for use in the cloud environment.

Key Management System

Key management is the process of ensuring the security of cryptographic keys. Key management systems provide this security and include how the keys are encrypted, the composition requirements of keys, the validity length of keys, the retirement of keys, the distribution of keys, and the storage of keys.

Secure Enclave

Secure Enclave is an Apple proprietary key management solution that is included in Apple’s system on a chip (SoC) modules and kept separate from the CPU to ensure key security. It provides a very similar functionality to TPM.

Obfuscation

Obfuscation is a cryptographic process designed to make data or code difficult to understand or decipher. It conceals data and supports confidentiality.

Steganography

Steganography is used to hide data inside other data. The data is not encrypted but is hidden using obfuscation. Steganography can be detected by comparing the file hashes. It can be used to hide data in multiple file types, including audio, video, and image files.

Tokenization

Tokenization is an obfuscation technique that replaces private data values with unique identifiers (tokens). The mapping between each token and its real value is stored in a lookup table. For example, a social security number could be replaced with a random nine-digit number; when a system actually needs the social security number, the token is converted back through the lookup table. This allows the data to stay secure.

Data Masking

Masking is a cybersecurity technique for de-identification that obfuscates or anonymizes potentially sensitive data from observation by unprivileged entities. Masking can be as simple as replacing a character with an asterisk, such as when a password is entered, or it can involve replacing the entire data set with a preset code that can only be unmasked by authorized users.
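Tokenization and masking are often confused, so the following added example (written for this guide, not taken from any product) puts them side by side: a lookup-table vault that hands out random nine-digit tokens and only maps them back for an authorized role, next to one-way masking that shows a support role the last four digits. The role names, the SSN format check and the sample record are constructed.

```python
import re
import secrets

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class TokenVault:
    """Constructed lookup-table vault: real value <-> random token, both directions."""

    def __init__(self, authorized_roles=("payments",)):
        self._value_by_token = {}
        self._token_by_value = {}
        self._authorized = set(authorized_roles)

    def can_detokenize(self, role):
        return role in self._authorized

    def tokenize(self, ssn):
        if not SSN_RE.match(ssn):
            raise ValueError("expected an SSN formatted as NNN-NN-NNNN")
        if ssn in self._token_by_value:           # same value always gets the same token
            return self._token_by_value[ssn]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(9))
            # the token must be unique and must not equal the real digits
            if token not in self._value_by_token and token != ssn.replace("-", ""):
                break
        self._value_by_token[token] = ssn
        self._token_by_value[ssn] = token
        return token

    def detokenize(self, token, caller_role):
        """Only roles listed in the vault may map a token back to the real value."""
        if not self.can_detokenize(caller_role):
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._value_by_token[token]


def mask_ssn(ssn):
    """Show only the last four digits, the usual display form for support staff."""
    digits = re.sub(r"\D", "", ssn)
    return "***-**-" + digits[-4:]


def mask_password(password):
    """Replace every character with an asterisk, as on an entry form."""
    return "*" * len(password)


def prepare_record(record, caller_role, vault):
    """Return the view of a record a given role is allowed to see.

    Authorized roles get the token (which they can later detokenize);
    everyone else gets a masked value that cannot be reversed at all.
    """
    out = dict(record)
    token = vault.tokenize(record["ssn"])
    out["ssn"] = token if vault.can_detokenize(caller_role) else mask_ssn(record["ssn"])
    return out


if __name__ == "__main__":
    vault = TokenVault()
    person = {"name": "Constructed Person", "ssn": "123-45-6789"}   # constructed sample
    print(prepare_record(person, "analytics", vault))   # masked, irreversible
    print(prepare_record(person, "payments", vault))    # tokenized, reversible via vault
```

The difference that matters for a data breach: a stolen masked value reveals four digits and nothing else, while a stolen token reveals nothing unless the attacker also controls the vault, which is why the vault is kept as a separate, tightly controlled system.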

Hashing

Hashing is applying a mathematical algorithm to data to create a unique value. Unlike encryption, hashing cannot be reversed: it does not transform the original data into a recoverable form but produces a unique value from the data set as a whole. The final product of the hashing process is commonly referred to as the message digest. Hashing, using common hashing algorithms such as MD5 or SHA-256, is often used for password storage or to authenticate transmissions.

Salting

Salting adds extra characters to a password before hashing it. The added characters increase the effective strength of the password, and the resulting hash differs from the hash of the unsalted password. Salting helps defend against rainbow table attacks.

Digital Signatures

Digital signatures use a combination of public key cryptography and hashing functions to provide integrity, authentication, and nonrepudiation to data by attaching a signed message digest to data. The sender uses a hashing algorithm to create a digest of the transmitted data, which they then encrypt using a private key. The recipient decrypts the digital signature with the sender’s public key and then uses the same hashing algorithm on the transmitted data to create a message digest. If the sender’s decrypted digest and the recipient’s created digest match, then the transmitted data is complete and sound.

Note: Digital signatures do not encrypt the transmitted data, only the message digest.

Key Stretching

Key stretching makes a stored password stronger by applying a key-stretching algorithm to it, which runs thousands of iterations of salting and hashing over the original password to create a secure encryption key.
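The Hashing, Salting and Key Stretching sections above fit together in one routine, shown here as an added example for this guide (not the guide's own code): an unsalted SHA-256 digest for contrast, then PBKDF2-HMAC-SHA256 with a random 16-byte salt and a constructed iteration count, stored in a self-describing string so the verifier can recompute it. The storage format and the iteration count are this example's own choices.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # constructed choice; tune to your hardware and threat model


def plain_hash(password):
    """Unsalted SHA-256: identical passwords give identical digests (rainbow-table friendly)."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, stretched hash in a self-describing 'alg$iters$salt$digest' string."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo():
    """Two users with the same password: salted hashes differ, plain hashes collide."""
    pw = "correct horse battery staple"          # constructed sample password
    salted_differ = hash_password(pw) != hash_password(pw)
    plain_collide = plain_hash(pw) == plain_hash(pw)
    return salted_differ, plain_collide


if __name__ == "__main__":
    stored = hash_password("constructed-password")
    print(stored)
    print(verify_password("constructed-password", stored))   # True
    print(verify_password("wrong-password", stored))          # False
    print(demo())                                             # (True, True)
```

Because the salt and iteration count are stored with the digest, both can be raised for new accounts without breaking verification of old ones; the constant-time compare avoids leaking how many bytes of the digest matched.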

Open Public Ledger

An open public ledger is a trusted decentralized digital database commonly used with blockchain. It provides incorruptible data storage and records of transactions. Each block of the open public ledger is interconnected, meaning that if a change is made to any portion of the chain, it will be evident in other blocks in the chain.

Blockchain

A blockchain is a shared, immutable open public ledger that stores its contents on, and shares them with, many systems around the world without altering them. Blockchain is most commonly associated with cryptocurrency but can also be implemented in other applications, such as public records or supply chains, providing data integrity and visibility to all parties.
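The "change in one block is evident in other blocks" property from the two sections above comes from each block carrying the hash of its predecessor. The added example below (written for this guide, not from any blockchain project) builds a small hash-chained ledger from constructed transactions and shows two tampering attempts: editing a block's data breaks that block's own hash, and recomputing that hash to hide the edit breaks the link stored in the next block.

```python
import hashlib
import json


def block_hash(index, timestamp, data, prev_hash):
    """Hash of a block's own fields plus the previous block's hash (the 'link')."""
    payload = json.dumps(
        {"index": index, "timestamp": timestamp, "data": data, "prev_hash": prev_hash},
        sort_keys=True,
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(records):
    """records: list of (timestamp, data) pairs appended in order."""
    chain, prev = [], "0" * 64          # the genesis block links to an all-zero hash
    for index, (timestamp, data) in enumerate(records):
        h = block_hash(index, timestamp, data, prev)
        chain.append({"index": index, "timestamp": timestamp, "data": data,
                      "prev_hash": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return the indices of blocks that fail either their own hash or their link."""
    bad = []
    for i, blk in enumerate(chain):
        recomputed = block_hash(blk["index"], blk["timestamp"], blk["data"], blk["prev_hash"])
        expected_prev = "0" * 64 if i == 0 else chain[i - 1]["hash"]
        if recomputed != blk["hash"] or blk["prev_hash"] != expected_prev:
            bad.append(i)
    return bad


def tamper(chain, index, new_data, rehash=False):
    """Modify one block in place; with rehash=True the editor also fixes that block's hash."""
    chain[index]["data"] = new_data
    if rehash:
        blk = chain[index]
        blk["hash"] = block_hash(blk["index"], blk["timestamp"], blk["data"], blk["prev_hash"])
    return chain


SAMPLE_RECORDS = [            # constructed transactions
    ("2024-05-01T09:00:00Z", {"from": "alice", "to": "bob", "amount": 10}),
    ("2024-05-01T09:05:00Z", {"from": "bob", "to": "carol", "amount": 4}),
    ("2024-05-01T09:07:00Z", {"from": "carol", "to": "alice", "amount": 1}),
]


if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    print(verify_chain(chain))                                        # []
    tamper(chain, 1, {"from": "bob", "to": "carol", "amount": 400})
    print(verify_chain(chain))                                        # [1]
    tamper(chain, 1, {"from": "bob", "to": "carol", "amount": 400}, rehash=True)
    print(verify_chain(chain))                                        # [2]
```

Hiding an edit therefore requires rewriting every later block as well, and when many independent systems hold copies of the ledger, each of them would have to accept that rewrite; that distribution is what turns a simple hash chain into the tamper-evident store the guide describes.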

Certificates

A certificate is an authentication method that validates a user or device and employs public key cryptography and a PKI. Digital certificates provide assurance to users and commonly contain identifying information based on the International Telecommunication Union (ITU) X.509 standard. The X.509 standard requires that certificates contain their X.509 version, serial number, signature algorithm identifier, certification authority (CA) identifier, validity dates, the subject's Common Name (CN) and Subject Alternative Name (SAN), and the subject's public key.

Certificate Authority (CA)

A CA is a trusted, neutral organization that notarizes digital certificates. The CA vets applicants for digital certificates; if an applicant is able to sufficiently prove their identity, the CA issues a digital certificate.

Certificate Revocation List (CRL)

A CRL is a list of certificates that have been revoked by their issuing CA prior to their assigned expiration date. Certificates on a CRL should not be trusted.

Online Certificate Status Protocol (OCSP)

OCSP is an alternate way of checking a certificate’s validity. Instead of using a CRL, OCSP provides a real-time check of a certificate’s validity.

Self-Signed

A self-signed certificate is a certificate created within a system or organization by an internal CA and not through a third-party provider.

Third-Party

A third-party certificate is one issued by a CA external to the requesting subject. While certificates may be issued by numerous third parties, certificates issued by reputable CAs, such as Amazon Web Services and DigiCert Group, are considered highly trusted.

Root of Trust (RoT)

The trust model is the primary concept behind a PKI: the client trusts that the information on the certificate, as issued by the CA, is valid and true. If that trust is broken, the PKI breaks down. The root certificate of the issuing CA, together with its private key, is the basis for the RoT and the top level on which the entire PKI is built.

Certificate Signing Request (CSR) Generation

During certificate generation, the requesting party proves their identity through the enrollment process. Once the requestor’s identity has been verified, a CSR is sent to the CA. A CSR contains the requesting party’s public key. When the CA receives the CSR, an X.509 digital certificate is created containing all of the required attributes.

Wildcard

A wildcard in a certificate name indicates that the certificate is valid for subdomains as well as the CN on the certificate. A wildcard is indicated by an asterisk (*) in place of the leftmost label, followed by the rest of the name.
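The checks a client performs with the certificate fields described in the sections above (trusted issuer, validity dates, CRL lookup, CN/SAN hostname match including a wildcard) can be put in one function. The following is an added example for this guide, not code from any TLS library: the certificate record is a constructed subset of X.509 fields, the CRL is modelled as a set of (issuer, serial) pairs, and the wildcard rule implemented is the usual one from RFC 6125, where `*` stands for exactly one leftmost label.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Certificate:
    """Constructed subset of the X.509 fields listed in the guide."""
    serial: int
    issuer: str            # CA identifier
    subject_cn: str
    sans: tuple            # Subject Alternative Names
    not_before: datetime
    not_after: datetime


def hostname_matches(name, hostname):
    """Match a certificate name against a hostname; a wildcard covers one label only."""
    name, hostname = name.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in name:
        return name == hostname
    first, _, rest = name.partition(".")
    if first != "*" or "*" in rest or "." not in rest:   # only '*.domain.tld' is accepted
        return False
    h_first, _, h_rest = hostname.partition(".")
    return bool(h_first) and h_rest == rest


def check_certificate(cert, hostname, now, crl, trusted_issuers):
    """Return a list of reasons the certificate should not be trusted (empty if ok)."""
    problems = []
    if cert.issuer not in trusted_issuers:
        problems.append("issuer not in trust store")
    if not cert.not_before <= now <= cert.not_after:
        problems.append("outside validity period")
    if (cert.issuer, cert.serial) in crl:          # CRL entries are (issuer, serial)
        problems.append("revoked: serial is on the issuer's CRL")
    names = (cert.subject_cn,) + tuple(cert.sans)
    if not any(hostname_matches(n, hostname) for n in names):
        problems.append("hostname does not match CN or any SAN")
    return problems


# Constructed sample data (issuer name, serials and dates are made up)
TRUSTED = {"Example Root CA"}
CRL = {("Example Root CA", 4242)}
NOW = datetime(2024, 6, 1)
LATER = datetime(2026, 1, 1)
WILDCARD_CERT = Certificate(
    serial=1001, issuer="Example Root CA", subject_cn="*.example.com",
    sans=("example.com",), not_before=datetime(2024, 1, 1), not_after=datetime(2025, 1, 1),
)
REVOKED_CERT = Certificate(
    serial=4242, issuer="Example Root CA", subject_cn="mail.example.com",
    sans=(), not_before=datetime(2024, 1, 1), not_after=datetime(2025, 1, 1),
)


if __name__ == "__main__":
    print(check_certificate(WILDCARD_CERT, "www.example.com", NOW, CRL, TRUSTED))    # []
    print(check_certificate(WILDCARD_CERT, "a.b.example.com", NOW, CRL, TRUSTED))    # hostname mismatch
    print(check_certificate(WILDCARD_CERT, "www.example.com", LATER, CRL, TRUSTED))  # expired
    print(check_certificate(REVOKED_CERT, "mail.example.com", NOW, CRL, TRUSTED))    # revoked
```

Two details worth noticing: `*.example.com` does not cover `example.com` itself (that is why the sample certificate also lists it as a SAN) nor `a.b.example.com`, and a certificate that is still inside its validity dates is rejected the moment its serial appears on the issuer's CRL, which is the situation the CRL and OCSP sections describe.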
