CompTIA Security+

CompTIA Security+ Certification (SY0-601) Mike Meyers and Dan Lachance

Threat actors

Hackers
Hacktivists
Script kiddies
Insiders
Competitors
Shadow IT
Criminal syndicates
State actors
APT - Advanced persistent threat

Asset - is any part of an IT infrastructure that has value
Vulnerability - is a weakness in an asset in an IT system that leaves it open to a threat
Exploit - is peace of code that takes advantage of vulnerability
Threat - is an action that a threat actor can use against a vulnerability to cause harm
- An attack (exploit) that a malicious actor will use agains asset
Likelihood - is the probability of assets being damaged over time
Threat actor - is anyone or anything with the motive and resources to attack another IT infrastructure. They are sources of threats
Risk - is the likelihood of a threat actor taking advantage of vulnerability by using a threat against an IT asset
Attack vector - are pathways to gain access to restricted systems

Objective 1.5

CIA

Confidentiality
- Form of encryption
Integrity
- Form of hashing
  - to check that we don't have any unauthorized changes
Availability
- Making sure that systems are available when we need them

Attack vectors

Weak configuration
Open firewall ports
Lack of user security awarness
Lack of multifactor authentication
Missing patches
Infected USB
Supply chain
1. manufacturers
2. contractors
3. implementers
4. outsorsed software developers

AIS - automated indicator sharing
1. Exchange of cybersecurity intelligence between entities
STIX - structured threat information expression
CVE - common vulnerability and exposure
Dark Web - encrypted and anonymized internet access
AUP - acceptable use policy
RMF - risk management frameworks provide guidance on identifying and managing risks
Security policies are designed to protect
Security controls are there for mitigate specific threats
Managerial - administrative function - background checks
Operational - policy review
Technical - IT security solution
Security control type include:
1. physical
  1. mantrap
  2. access control
2. detective
  1. log analysis
3. corrective
  1. vulnerability patching
4. preventive
5. deterrent
  1. device logon warning banner
6. compensating
  1. isolate IOT in a separate network

Prioritize threat against asset

SLE - Single Loss Expectancy

Asset value = 24,000
Exposure factor = 12.5%
1. Single loss expectancy = 24.000 x 12.5% = 24000 x 0.125 = 3.000

AV = 24.000 per day
Risk - 3h downtime
1. 24h / 3h = 12.5 % of 24h
Exposure factor - 12.5%
SLE = AV * EF = 24.000 x 0.125 = 3.000 for 3h downtime

ARO - annual rate of occurance

Expected number of yearly occurrences

ALE - annualized loss expectancy

Total yearly costs of bad things happening
ALE = SLE * ARO
ALE = 3k$ * 2 = 6$k

ALE is to understand how much we can loss if something goes wrong as well as to understand if we spend on security more than we can loss, since then it won't make sense

MTBF - mean time between failures
- average time between component failure
- software patching
MTTF - mean time to failure
- average time between non-repairable component failure
- hard disk, switch, router
MTTR - time required to repair
PTA - privacy threshold assessment
- first step before implementing solutions related to sensitive data
PIA - privacy impact assessment
RPO - recovery point objective
- maximum tolerable amount of data loss
RTO - recovery time objective
- maximum tolerable amount of downtime
BIA - business impact analysis
- identifies how negative incidents will impact business processes and sensitive data

Data types and roles

Data classification assigns labesl to data to faciliate management

PII - personally indentifiable information
PHI - personal health information
Proprietary
Public
Critical
Financial

Data Privacy Standards

Data privacy and breach notification
levy fines
IP - protect intellectual property
PCI DSS - payment card industry data security standard
- carholder information
GDPR - general data protection regulation

Data classification tools

metadata apply
- cloud resource tagging
- ?
- ?

Data roles and responsibilities

Owner
- Legal data owner
- Set policies on how data will be managed
Controller
- ensures data complies with applicable regulations
Processor
- handles data in accordance with privacy guidelines
Custodian
- data managing in allignment with data owner policies
- applies data management policies
  - permissions
  - backup
DPO - data privacy officer
- ensures data privacy regulation compliance with any law and regulation

Security and the Information Life Cycle

Collection
Storage
Process
Share
Archive/Delete

PII - Personal Identifiable Information.

Social security number
E-mail address
Credit card number
Home address
Web browser cookies

PHI - Protected health information

Health insurance plan number
Blood type
Patient medical ailments

PET - privacy-enhancing technologies

Anonymization
- GDPR without user consent
- limited data value
Pseudo-anonymization
- PII replaced with fake identifiers
Data minimization
- Limit stored/retained sensitive data
Tokenization
- authorizes access instead of the original credentials
Data masking
- Hide sensitive data from unauth users
- Masked out credit card number digits on a receipt

Data sovereignty

Data location and laws that apply to it
- Where did it originate
- Where is it now
- Which laws and regs apply
Azure

Data Destruction

Failed/decom. storage devices
Storage devices end of life policies

Physical level

Hard disc shedding device

Software level

Disk wiping tools
- Disk Scrubber
Multiple overwrites of randomized data
Degausing for HD
Cryptographic erasure
- destroy decryption key
SED
- Self-encrypting drive

Personnel Risk and Policies

Last updated 1 year ago