CompTIA Security+ SY0-701: Encryption & Security Controls

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

Which certification exam does this book provide information about?

SY0-701 Security+ (correct)
GSEC
CISSP
CCNA

What is the primary purpose of transport encryption?

Encrypting data at rest
Managing cryptographic keys
Securing data in databases
Protecting data traversing the network (correct)

Which type of encryption involves encrypting all database information with a symmetric key?

Transparent encryption (correct)
Record-level encryption
Full-disk encryption
File encryption

Which of these is an example of full-disk encryption?

BitLocker (D) Signup and view all the answers

Which security control category involves using systems such as firewalls and anti-virus software?

Technical controls (A) Signup and view all the answers

What type of security control attempts to discourage an intrusion attempt?

Deterrent (B) Signup and view all the answers

Why are larger keys preferred in cryptographic systems?

They prevent brute-force attacks (B) Signup and view all the answers

What type of encryption is used in VPNs to encrypt all data transmitted over the network?

Transport encryption (A) Signup and view all the answers

Which control type focuses on identifying and logging intrusion attempts?

Detective (C) Signup and view all the answers

What is the purpose of corrective security controls?

To reverse the impact of an event (C) Signup and view all the answers

Which of the following is a key principle of the CIA Triad?

Integrity (A) Signup and view all the answers

What does the principle of confidentiality aim to prevent?

Unauthorized information disclosure (D) Signup and view all the answers

What security concept ensures data is stored and transferred as intended, and any modification is detected?

Integrity (C) Signup and view all the answers

What does non-repudiation provide in the context of security?

Proof of integrity and origin (D) Signup and view all the answers

In the AAA framework, what does the term 'authentication' refer to?

Verifying a user's identity (C) Signup and view all the answers

What is the purpose of a Public Key Infrastructure (PKI)?

To manage and distribute digital certificates. (B) Signup and view all the answers

Which of the following is a characteristic of symmetric encryption?

It uses the same key to encrypt and decrypt. (C) Signup and view all the answers

In asymmetric encryption, what can be done with the private key?

Decrypt data encrypted with the public key. (D) Signup and view all the answers

What is required during key generation in asymmetric encryption?

Lots of randomization. (A) Signup and view all the answers

What is the main purpose of key escrow?

To store decryption keys with a third party. (D) Signup and view all the answers

What is a significant limitation of symmetric encryption regarding scalability?

It can be challenging to securely distribute shared keys. (D) Signup and view all the answers

Which of the following is a key component of a Public Key Infrastructure (PKI)?

A certificate authority. (B) Signup and view all the answers

What is required for two parties to communicate using symmetric encryption?

They must share a secret key. (A) Signup and view all the answers

Why is planning important for implementing a Public Key Infrastructure (PKI)?

PKI implementations are big endeavors. (C) Signup and view all the answers

Why is trust important in a Public Key Infrastructure (PKI)?

Certificates are useless without trust. (A) Signup and view all the answers

What is a major limitation of a simple authorization model based solely on User -> Resource relationships?

It is difficult to understand the reasoning behind an authorization. (A) Signup and view all the answers

What is the primary goal of a gap analysis?

To compare the current state with the desired state. (C) Signup and view all the answers

Which of the following is a key step in performing a gap analysis?

Comparing and contrasting existing systems. (B) Signup and view all the answers

What is the purpose of establishing a known baseline when choosing a security framework?

To work towards a specific security goal. (A) Signup and view all the answers

Which of the following is an example of a formal standard that organizations might use as a security framework?

NIST Special Publication 800-171 Revision 2. (A) Signup and view all the answers

What is the fundamental principle of zero trust?

Verify everything attempting to connect to the network. (B) Signup and view all the answers

What is the role of the data plane in a network?

To process and forward network data. (B) Signup and view all the answers

Which component of a zero trust architecture is responsible for making the authentication decision?

Policy Decision Point (PDP) (D) Signup and view all the answers

What action does the Policy Administrator instruct the Policy Enforcement Point (PEP) to take?

To deny or allow access. (B) Signup and view all the answers

What is the purpose of security zones in network security?

They create broad categorizations for security management. (C) Signup and view all the answers

Flashcards are hidden until you start studying

Study Notes

Security Controls

Security controls are necessary to address security risks, with various categories and types available to consider.
Assets include data, physical property, and computer systems.
Security events should be prevented, and their impact and damage limited through security controls.

Types of Security Controls

Technical controls are implemented using systems, such as operating system controls, firewalls, and anti-virus software.
Managerial controls encompass administrative controls related to security design and implementation, including security policies and standard operating procedures.
Operational controls are implemented by personnel to maintain security.
Physical controls limit physical access through measures like guard shacks, fences, locks, and badge readers.
Preventive controls block access to resources and prevent access through firewall rules, security policies and guard shacks.
Deterrent controls discourage intrusion attempts without directly preventing access including application splash screens, or the threat of demotion.
Detective controls identify and log intrusion attempts, such as collecting system logs and reviewing login reports.
Corrective controls apply after an event is detected, reversing the impact.
Compensating controls use alternative means when existing controls are insufficient, like firewall blocking specific apps instead of patching.
Directive controls guide behavior toward security compliance, such as storing sensitive files in protected folders and training users.

Managing Security Controls

Lists of security controls are not all-inclusive, and organizations can combine types.
Multiple controls may exist for each category and type.
New security controls can be created as systems and processes evolve.

The CIA Triad

The CIA Triad, or AIC Triad, combines principles of security.
Confidentiality seeks to prevent unauthorized disclosure.
Integrity ensures data is unmodified without detection.
Availability ensures systems are operational for authorized users.

Confidentiality

Encryption encodes messages such as emails so only certain people can decrypt and read them.
Access controls selectively restrict access to resources.
Two-factor authentication requires additional confirmation before disclosing information.

Integrity

This involves ensuring data is stored and transferred as intended while identifying an modifications during the transfers.
Hashing maps data of any length to data of fixed length, with digital signatures verifying data integrity.
Combining digital signatures with certificates can verify individuals, ensuring non-repudiation.

Availability

Ensures information is always accessible to authorized users, accomplished through redundancy, fault tolerance, patching and stability.

Non-Repudiation

Non-repudiation means denying something cannot occur, applicable in contract signing, integrity proof, and origin.
A digital signature adds non-repudiation.
By using a hash, represented data does not change, the data is accurate and consistent.
Signing with the private key, with message not needing to be encrypted, and verifying with the public key can invalidate the signature.

Authentication, Authorization, and Accounting (AAA)

Identification is a user's claim (usually username).
Authentication proves identity (password, etc.).
Authorization grants access based on identity.
Accounting tracks resource use (login time, data sent).

Authenticating Systems

Use digitally signed certificates for device authentication.
An organization maintains its own Certificate Authority (CA) to create and sign certificates.
The CA's digital signature validates the certificate.

Authorization Models

Authorization models define access levels.
Authorization is defined by Roles, Organizations and Attributes.
No-authorization models have single relationship of User to Resource.
Models require easy understanding of authorization, and streamlined administration and support.

Gap Analysis

Gap analysis compares the current position to the desired position.
Extensive research is required to look at a variety of options.
This process may require time and consideration of all the options.
Formal standards and frameworks need to be considered such as the NIST and information security management systems.
A detailed analysis is required to examine systems, identify the details, and identify broad security categories.
Formal description of current state is used to create a report of the current state to make a baseline objective.

Zero Trust

Networks are traditionally open internally with few security controls.
Zero trust authenticates everything, leaving nothing inherently trusted.
Split the network into data plane and control plane, applying to physical, virtual, and cloud components.
The Policy enforcement point acts as a gatekeeper, allowing, monitoring and terminating connections.

Physical Security

Physical security is maintained through barricades, access controls, guards, and lighting.
High fences and bollards limit access.
Vestibules keep doors locked and control entry through an area.
Security guards are the best form of physical security.
Lighting is required where guards are not available.

Deception and Disruption

Honeypots lure the attacker with something that looks interesting.
Honeynets create a real network.
Honeyfiles attract attention.
Guards and access badges provide physical control at the reception.
Sensors include the latest intrusion controls with infrared and microwaves.

Change Management

Requires policies for frequency, duration, installation, and rollback.
Changes require approval that define scope, date, time, impact and risk.
Need stakeholders to provide input during the change management process.
Analysis determine a risk value of what can be prevented from change.
Requires testing before productions and a backout plan
Follow standardized procedures on agreed on maintenance window.

Technical Change Management

Involves allow/deny lists for app usage The process should be followed with consideration of downtime and dependency.
Restarts for both the server and service components may be required.
Legacy applications may require specific procedures with thorough documentation.
This requires updating diagrams for any hardware or address updates.
Using version may come into play to track files and configuration.

Public Key Infrastructure (PKI)

PKI involves policies, procedures, hardware, software, and personnel.
It also refers to binding public keys to people or devices, where the certificate authority provides the trust.
Symmetric encryption uses a single shared key that must be kept secret, but asymmetric encryption uses two mathematically related keys.
The private key for asymmetric encryption must be kept private, while the public key can be given away.

Encrypting Data

Data at Rest is protected via Disk and Volume/Partition encryption.
Databases can be protected via Transparent Encryption.
Data in Transport require VPN, encryption in application.
Key lengths of 128 bit larger are considered more secure to prevent Brute Force Attacks, symmetric often have keys of 3072 bits or higher.

Key Exchange

Allows the sharing of encrypting in insecure methods such as over a network, commonly done Out-of-band using telephone or in-band using encryption.

Encryption

Requires a TPM(Trusted Platform Module) processor to generate a Cryptographic key.
Hardware security modules securely store the keys.
Enclaves are protected area for our code within isolated hardware.

Obfuscation

The process of making data unclear, often confused as steganography, hiding data security obscurity through messages.
A form of data masking may hide some of the originals using substitution, shuffling, encrypting, masking out, etc.
Tokenization is replacing sensitive data with non-sensitive placeholders.

Hashing and Digital Signatures

Represent data as a short string of text that cannot be reversed.
Collisions should be unique, but that can cause problems.
Hashes are used with salted addition of random data as passwords and digital signatures.
Digital Signatures to prove message integrity.

Blockchain Technology

Distributed ledger that can perform practical applications such as tracking and monitoring.
Requests are sent for every computer in the blockchain to be verified with code and data.
Any alterations will cause rejection in the blocks.

Certificates

Digital certificates bind with a key.
Root and third-party authorities exist to cause more trust.
Signing request, validates by confirming ownership.
In the event of key revocation, maintain certificate revocation lists.

Studying That Suits You

Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

Description

Test your knowledge of encryption methods like symmetric and full-disk encryption. Questions cover security controls, including firewalls and VPNs, and key management practices.