4.1 Explain common security concepts Flashcards
Confidentiality, integrity, availability (CIA)
Confidentiality, Integrity, and Availability (CIA) are the foundational principles of information security. These principles guide organizations in protecting data and ensuring that it is secure from unauthorized access, tampering, or loss.
For the exam, it is essential to recognize that confidentiality ensures that sensitive information is only accessible to authorized users, often enforced through encryption and access controls. Integrity guarantees that data remains accurate and unaltered during storage and transmission, achieved through checksums, hashes, and version controls. Availability ensures that authorized users have access to data and resources when needed, supported by redundant systems, backups, and robust disaster recovery plans. Understanding the CIA triad helps in assessing risks and implementing effective security measures within a network.
Internal Threats
Internal threats refer to risks that originate from within an organization, typically posed by employees or contractors who have legitimate access to systems and data. These threats can be intentional, such as sabotage or data theft, or unintentional, like human error or negligence in handling sensitive information.
For the exam, it’s important to understand that internal threats can significantly compromise an organization’s security posture. Employees might misuse their access for personal gain or inadvertently expose data through careless actions. Organizations can mitigate internal threats by implementing strict access controls, regular security training, monitoring user activity, and establishing clear policies regarding acceptable use and data protection. Recognizing the potential for internal threats is crucial for developing a comprehensive security strategy.
External Threats
External threats refer to risks that originate outside an organization, typically from malicious actors such as hackers, cybercriminals, or competitors. These threats can take many forms, including malware attacks, phishing schemes, denial-of-service attacks, and data breaches, all aimed at compromising the security of an organization’s systems or data.
For the exam, it’s important to know that external threats often exploit vulnerabilities in software, networks, or human behavior to gain unauthorized access. Organizations can mitigate these threats by employing a multi-layered security approach, which includes firewalls, intrusion detection systems, regular software updates, employee training, and incident response plans. Understanding the nature of external threats is essential for developing effective security measures to protect an organization’s assets and information.
Common vulnerabilities and exposures (CVE)
Common Vulnerabilities and Exposures (CVE) is a publicly accessible database that provides a standardized way to identify and categorize vulnerabilities in software and hardware. Each CVE entry includes a unique identifier, a brief description of the vulnerability, and references to related security advisories and databases. This system allows security professionals and organizations to share information about vulnerabilities consistently.
For the exam, you should be familiar with how CVE helps organizations prioritize their security efforts. Knowing the CVE identifier format and how to use CVE databases to look up vulnerabilities relevant to your environment is important. CVEs play a crucial role in the cybersecurity landscape, enabling better communication and coordination in addressing security weaknesses across systems and applications.
Zero-day
A zero-day refers to a newly discovered vulnerability in software or hardware that is unknown to the vendor or developer and, consequently, has not yet been patched. The term “zero-day” signifies that the developers have had zero days to fix the vulnerability before it can potentially be exploited by attackers. Zero-day vulnerabilities are particularly dangerous because they can be exploited immediately upon discovery, often leading to significant security breaches.
For your exam, it’s essential to understand that zero-day attacks can occur without warning and can target various systems, making them difficult to defend against. You should also be aware of the importance of security measures like timely software updates, intrusion detection systems, and threat intelligence to mitigate the risks associated with zero-day vulnerabilities. Being prepared for zero-day threats is a critical aspect of maintaining a secure network environment.
Exploits
Exploits are specific pieces of software, code, or sequences of commands that take advantage of vulnerabilities in a system, application, or network. They are often crafted to gain unauthorized access or control over a target system, causing damage or compromising data. Exploits can target a variety of vulnerabilities, including software bugs, configuration flaws, or weaknesses in security protocols.
For your exam, it’s important to know that exploits can be categorized into different types, such as local or remote exploits, depending on whether they require existing local access to the target system or can be executed over a network. Understanding the relationship between vulnerabilities and exploits is crucial, since exploits are the methods attackers use to leverage weaknesses. Awareness of common types of exploits, like buffer overflow, SQL injection, or cross-site scripting (XSS), is also vital for implementing effective security measures and defenses in a network environment.
Least privilege
Least privilege is a security principle that stipulates users, systems, and applications should only have the minimum level of access necessary to perform their assigned tasks. This concept is essential in reducing the attack surface and limiting potential damage from security breaches. By restricting access rights, organizations can better protect sensitive information and systems from unauthorized use.
For the exam, it is important to understand that implementing the least privilege principle can help mitigate risks associated with insider threats and accidental misuse. This involves regularly reviewing and adjusting access permissions, employing role-based access control (RBAC), and ensuring that permissions are revoked promptly when they are no longer needed, such as during employee offboarding. Familiarity with concepts like permission auditing and access control lists (ACLs) can further reinforce your understanding of how least privilege is applied in practice.
Role-based access
Role-based access control (RBAC) is a security mechanism that restricts system access to authorized users based on their assigned roles within an organization. In this model, access permissions are grouped by role, and users are assigned to these roles according to their job responsibilities. This approach simplifies the management of user permissions and enhances security by ensuring that individuals can only access the information necessary for their specific roles.
For the exam, it’s crucial to know that RBAC helps enforce the principle of least privilege by limiting user permissions and reducing the risk of unauthorized access to sensitive data. Understanding the differences between role-based access and other access control models, such as discretionary access control (DAC) and mandatory access control (MAC), is also important. You might also want to be familiar with scenarios where RBAC is effectively implemented, such as in large organizations with various departments, and how to conduct regular audits of user roles to ensure they align with current job functions.
Zero Trust
Zero Trust is a security framework that operates on the principle of “never trust, always verify.” This approach assumes that threats can exist both inside and outside the network perimeter, meaning that no user or device should be automatically trusted based solely on their location within the network. Instead, every access request is thoroughly authenticated and authorized before granting access to resources, regardless of whether the request originates from inside or outside the organization.
For the exam, it’s important to understand that Zero Trust requires continuous verification of user identities, device security postures, and contextual factors like location and time. Key components of a Zero Trust architecture include multi-factor authentication (MFA), micro-segmentation, and least privilege access policies. You should also be familiar with how Zero Trust addresses modern challenges like remote work and cloud services, as well as the technologies and strategies used to implement this framework effectively. Understanding the differences between traditional perimeter-based security models and Zero Trust is essential for grasping its significance in contemporary cybersecurity.
Network segmentation enforcement
Network segmentation enforcement involves dividing a computer network into smaller, isolated segments to improve security, performance, and management. By creating distinct network segments, organizations can control traffic flow, limit access to sensitive data, and reduce the potential impact of security incidents. This approach is crucial for protecting critical systems and data from unauthorized access and attacks.
For the exam, you should know that segmentation can be enforced through various methods, including virtual LANs (VLANs), firewalls, and access control lists (ACLs). It’s also important to understand how segmentation can help meet compliance requirements and improve overall network performance by reducing broadcast traffic and enhancing resource allocation. Be prepared to discuss the benefits of segmentation, such as improved security through isolation, better network performance, and simplified management and monitoring of network traffic. Additionally, be familiar with how segmentation supports principles like least privilege and Zero Trust architectures.
Perimeter network [previously known as demilitarized zone (DMZ)]
A perimeter network, previously known as a demilitarized zone (DMZ), is a physical or logical subnetwork that separates an organization’s internal network from untrusted external networks, typically the internet. The purpose of a perimeter network is to add an additional layer of security by allowing external access to certain services while protecting the internal network from potential threats. It typically hosts servers that need to be accessed from the outside, such as web servers, mail servers, and DNS servers.
For the exam, it’s essential to understand that the perimeter network acts as a buffer zone, reducing the risk of attacks directly impacting the internal network. You should know the key components, such as firewalls and intrusion detection systems, which help manage and monitor traffic between the perimeter network and both the internal network and the internet. It’s also crucial to recognize the importance of securing services in the perimeter network, implementing security policies, and ensuring that sensitive data is protected while allowing necessary external access.
Separation of duties
Separation of duties is a security principle that involves dividing tasks and responsibilities among multiple individuals to reduce the risk of fraud, error, or misuse of power. By ensuring that no single person has control over all aspects of a critical process, organizations can create checks and balances that help safeguard assets and data. This principle is especially important in areas such as financial transactions, access controls, and system administration.
For the exam, you should understand that separation of duties is a key component of an effective internal control system. It prevents any one individual from having unchecked power, which could lead to unauthorized actions or fraud. It’s vital to know the different roles and responsibilities that can be separated, such as having one person responsible for approving transactions and another for executing them. Additionally, you may encounter questions about the implications of violating this principle and how to implement it effectively within an organization to enhance security and compliance.
Network access control
Network access control (NAC) is a security solution that enforces policies regarding who can access a network and what resources they can use. It works by assessing the security posture of devices trying to connect to the network and can either grant or deny access based on established security policies. NAC solutions often check for factors such as antivirus status, operating system updates, and compliance with organizational security policies.
For the exam, you should know that NAC enhances security by ensuring that only devices meeting specific criteria can connect to the network. Key components of NAC systems include authentication mechanisms, policy enforcement, and continuous monitoring of device compliance. You may also encounter questions about different NAC implementations, such as port-based access control using protocols like IEEE 802.1X, and the role of NAC in preventing unauthorized access and mitigating risks associated with endpoint devices. Understanding the balance between security and user experience is crucial, as overly restrictive NAC policies can hinder productivity.
Honeypot
A honeypot is a security mechanism designed to attract and trap potential attackers by simulating vulnerabilities within a system or network. By creating a decoy environment, honeypots serve to monitor and analyze malicious activity, gathering intelligence about attack methods and tactics. This helps organizations improve their overall security posture by identifying weaknesses and responding to threats more effectively.
For the exam, it’s essential to recognize that honeypots can be classified into different types, such as low-interaction and high-interaction honeypots. Low-interaction honeypots simulate basic services to gather information, while high-interaction honeypots provide a more realistic environment, allowing attackers to interact with them. Understanding the benefits of deploying honeypots, such as threat intelligence collection and diverting attackers from real assets, is crucial. Additionally, you should be aware of the risks associated with honeypots, including the possibility of them being used as launching pads for attacks on other systems if not properly secured.
Multifactor Authentication
Multifactor authentication (MFA) is a security process that requires users to provide multiple forms of verification before gaining access to an account or system. MFA enhances security by combining two or more factors, typically categorized as something you know (like a password), something you have (like a smartphone or hardware token), and something you are (biometric data, such as fingerprints or facial recognition). This layered approach makes it significantly more challenging for unauthorized users to gain access, as they would need to compromise multiple authentication factors.
For the exam, it’s important to know that MFA can significantly reduce the risk of unauthorized access and is a best practice for securing sensitive data and accounts. Familiarity with common MFA methods, such as SMS codes, authentication apps, and biometrics, is beneficial. Additionally, understand that while MFA greatly improves security, it can also introduce usability challenges, so balancing security and user convenience is vital when implementing MFA solutions.
Terminal Access Controller Access-Control System Plus (TACACS+)
Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol used for network access control and authentication. It provides a centralized method for managing user access to network devices, servers, and other resources. TACACS+ operates over TCP and encrypts the entire body of each packet (only the header is sent in the clear), offering a higher level of security compared to its predecessor, TACACS. It separates the authentication, authorization, and accounting processes, allowing for more flexible and granular control of user permissions.
For the exam, you should know that TACACS+ is commonly used in enterprise environments to enhance security through centralized user management. It allows administrators to create detailed user profiles with specific access rights, which is especially important in complex network architectures. Understanding the differences between TACACS+ and other protocols like RADIUS is also important, as TACACS+ offers more robust features, particularly in terms of authorization and accounting capabilities. Remember that it is primarily used for device management and not typically for end-user authentication on applications.
Single sign-on (SSO)
Single Sign-On (SSO) is an authentication process that allows a user to access multiple applications or services with one set of login credentials. This means users enter their username and password only once to gain access to all authorized applications without the need to log in separately to each one. SSO improves user experience by reducing password fatigue and enhances security by minimizing the number of times users enter their credentials.
For the exam, it’s important to understand that SSO relies on protocols like SAML, OAuth, or OpenID Connect to enable secure authentication across different platforms. Additionally, you should know the benefits of SSO, such as improved user convenience, reduced administrative costs for password resets, and enhanced security through centralized user management. However, SSO also has potential downsides, like the risk of a single point of failure; if the SSO service is compromised, it could lead to unauthorized access across all linked applications.
Remote Authentication Dial-In User Service (RADIUS)
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) for users who connect to and use a network service. RADIUS allows organizations to manage access to their network resources securely, enabling the verification of user credentials before granting access.
For the exam, it’s crucial to know that RADIUS operates using a client-server model, where the client is typically a network device (like a router or switch) that requests authentication from the RADIUS server. The server verifies user credentials against a database and returns a response indicating whether access is granted or denied. Key attributes of RADIUS include its use of UDP as a transport protocol and its capability to work with various types of connections, including dial-up, VPNs, and wireless networks. You should also be aware that RADIUS supports multiple authentication methods, such as PAP, CHAP, and EAP, and is often used in conjunction with other security measures, like network access control (NAC).
Kerberos
Kerberos is a network authentication protocol designed to provide secure authentication for users and services in a networked environment. It uses a system of tickets to allow nodes to prove their identity to one another securely over an insecure network. Kerberos operates based on symmetric key cryptography and employs a trusted third party known as the Key Distribution Center (KDC), which issues time-sensitive tickets to users after validating their credentials.
For the exam, it’s important to understand the main components of Kerberos, including the KDC, Ticket Granting Service (TGS), and the use of tickets for authenticating requests. You’ll need to be familiar with the Kerberos authentication process, which typically involves a user requesting a ticket from the KDC, receiving a Ticket Granting Ticket (TGT), and then using the TGT to obtain service tickets for specific services. Additionally, knowing the advantages of Kerberos, such as its ability to provide mutual authentication and protection against eavesdropping and replay attacks, can be beneficial. Lastly, be aware of the limitations of Kerberos, including its reliance on synchronized clocks among network devices.
LDAP
Lightweight Directory Access Protocol (LDAP) is a protocol used for accessing and managing directory information services over an Internet Protocol (IP) network. LDAP allows clients to query and modify directory services that follow a hierarchical structure, commonly used for storing user information, organizational data, and resources within a network.
For the exam, it’s essential to understand that LDAP operates primarily over TCP and uses a client-server architecture, where clients send requests to an LDAP server, which processes those requests and returns the appropriate information. LDAP is often employed in environments where centralized user management is required, such as authentication for users across different applications and services. You should know about its data structure, which consists of entries, attributes, and a distinguished name (DN), and recognize that LDAP can integrate with various authentication methods, including SASL and SSL/TLS for secure communication. Understanding how LDAP compares to other directory services like Active Directory can also be beneficial for your exam preparation.
Local authentication
Local authentication is a process where a user’s credentials are verified against a database stored on the same device or system they are attempting to access. This method typically involves users entering a username and password, which are then checked against local user accounts stored on the device. Local authentication is straightforward and does not require external systems or network connectivity, making it quick and efficient for single-user devices or small networks.
For the exam, it’s important to recognize that local authentication is often used in scenarios where centralized authentication methods are not necessary or feasible, such as in small offices or personal devices. You should understand the benefits of local authentication, including simplicity and lower setup costs, but also be aware of its limitations, such as scalability issues and the challenges in managing user accounts across multiple devices. Additionally, knowing how local authentication can be integrated with more robust security measures, like password policies and account lockout settings, is valuable.
802.1X
802.1X is an IEEE standard for network access control that provides an authentication mechanism for devices wishing to connect to a LAN or WLAN. It uses a client-server model where the client (supplicant) attempts to connect to the network through an access point or switch (authenticator), which then communicates with an authentication server to verify the client’s credentials. This process ensures that only authorized devices gain access to the network, enhancing security.
For the exam, you should know that 802.1X is often used in conjunction with Extensible Authentication Protocol (EAP) methods, allowing for various authentication types, including certificates and usernames/passwords. Understanding the components involved—such as the supplicant, authenticator, and authentication server—is crucial. Additionally, be familiar with its role in implementing security policies like network segmentation and secure guest access. Knowing how 802.1X fits into enterprise environments and its importance in securing wireless networks will also be beneficial.
Extensible Authentication Protocol (EAP)
Extensible Authentication Protocol (EAP) is an authentication framework widely used in network security, particularly for wireless networks. It provides a flexible method for devices to authenticate to a network, allowing various authentication methods such as passwords, digital certificates, and token-based authentication. EAP is not a standalone authentication mechanism but rather a protocol that supports multiple EAP methods, making it versatile for different network environments.
For the exam, it’s important to know the various EAP types, such as EAP-TLS (which uses certificates for authentication), EAP-PEAP (which encapsulates a second EAP exchange in a secure TLS tunnel), and EAP-TTLS (which allows legacy authentication methods within a secure tunnel). Understanding how EAP works with 802.1X for network access control is also crucial, as it enables secure authentication in enterprise networks. Familiarity with the security benefits EAP provides, like protection against unauthorized access and the ability to use strong authentication methods, will be helpful.
Security risk assessments
Security risk assessments are systematic evaluations of an organization’s information systems and assets to identify potential vulnerabilities, threats, and risks. This process involves analyzing the likelihood and impact of security breaches, evaluating the effectiveness of existing security controls, and determining what additional measures may be necessary to mitigate risks. The goal is to ensure the protection of sensitive data and compliance with relevant regulations.
For the exam, you should understand the steps involved in conducting a security risk assessment, which typically include identifying assets, assessing threats and vulnerabilities, analyzing existing controls, and determining risk levels. Familiarity with risk assessment frameworks, such as NIST SP 800-30 or ISO 27001, can also be beneficial. It’s essential to know the difference between qualitative and quantitative risk assessments and how to prioritize risks based on their potential impact on the organization.