CompTIA Security+ Student Guide (Exam SY0-701) PDF
Document Details
Rutgers University
2023
CompTIA
James Pengelly, Gareth Marchant
Summary
This CompTIA Security+ student guide (Exam SY0-701) covers fundamental security concepts, threat types, cryptographic solutions, identity and access management, enterprise and cloud network architecture, vulnerability management, incident response and monitoring, and governance, risk, and compliance. It is written for candidates preparing for the SY0-701 exam and serves as a reference for anyone building a foundation in security.
Full Transcript
The Official CompTIA Security+ Student Guide (Exam SY0-701)
Course Edition: 2.0

Acknowledgments
James Pengelly, Author
Gareth Marchant, Author
Michael Olsen, Director, Content Development
Danielle Andries, Senior Manager, Content Development

Notices

Disclaimer
While CompTIA, Inc. takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. The use of screenshots, photographs of another entity’s products, or another entity’s product name or service in this book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by nor any affiliation of such entity with CompTIA. This courseware may contain links to sites on the Internet that are owned and operated by third parties (the “External Sites”). CompTIA is not responsible for the availability of, or the content located on or through, any External Site. Please contact CompTIA if you have any concerns regarding such links or External Sites.

Trademark Notice
CompTIA®, Security+®, and the CompTIA logo are registered trademarks of CompTIA, Inc., in the U.S. and other countries. All other product and service names used may be common law or registered trademarks of their respective proprietors.

Copyright Notice
Copyright © 2023 CompTIA, Inc. All rights reserved. Screenshots used for illustrative purposes are the property of the software proprietor. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of CompTIA, 3500 Lacey Road, Suite 100, Downers Grove, IL 60515-5439.
This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to terms and conditions of the owner. If you believe that this book, related materials, or any other CompTIA materials are being reproduced or transmitted without permission, please call 1-866-835-8020 or visit https://help.comptia.org.

Table of Contents

Lesson 1: Summarize Fundamental Security Concepts
  Topic 1A: Security Concepts
  Topic 1B: Security Controls
Lesson 2: Compare Threat Types
  Topic 2A: Threat Actors
  Topic 2B: Attack Surfaces
  Topic 2C: Social Engineering
Lesson 3: Explain Cryptographic Solutions
  Topic 3A: Cryptographic Algorithms
  Topic 3B: Public Key Infrastructure
  Topic 3C: Cryptographic Solutions
Lesson 4: Implement Identity and Access Management
  Topic 4A: Authentication
  Topic 4B: Authorization
  Topic 4C: Identity Management
Lesson 5: Secure Enterprise Network Architecture
  Topic 5A: Enterprise Network Architecture
  Topic 5B: Network Security Appliances
  Topic 5C: Secure Communications
Lesson 6: Secure Cloud Network Architecture
  Topic 6A: Cloud Infrastructure
  Topic 6B: Embedded Systems and Zero Trust Architecture
Lesson 7: Explain Resiliency and Site Security Concepts
  Topic 7A: Asset Management
  Topic 7B: Redundancy Strategies
  Topic 7C: Physical Security
Lesson 8: Explain Vulnerability Management
  Topic 8A: Device and OS Vulnerabilities
  Topic 8B: Application and Cloud Vulnerabilities
  Topic 8C: Vulnerability Identification Methods
  Topic 8D: Vulnerability Analysis and Remediation
Lesson 9: Evaluate Network Security Capabilities
  Topic 9A: Network Security Baselines
  Topic 9B: Network Security Capability Enhancement
Lesson 10: Assess Endpoint Security Capabilities
  Topic 10A: Implement Endpoint Security
  Topic 10B: Mobile Device Hardening
Lesson 11: Enhance Application Security Capabilities
  Topic 11A: Application Protocol Security Baselines
  Topic 11B: Cloud and Web Application Security Concepts
Lesson 12: Explain Incident Response and Monitoring Concepts
  Topic 12A: Incident Response
  Topic 12B: Digital Forensics
  Topic 12C: Data Sources
  Topic 12D: Alerting and Monitoring Tools
Lesson 13: Analyze Indicators of Malicious Activity
  Topic 13A: Malware Attack Indicators
  Topic 13B: Physical and Network Attack Indicators
  Topic 13C: Application Attack Indicators
Lesson 14: Summarize Security Governance Concepts
  Topic 14A: Policies, Standards, and Procedures
  Topic 14B: Change Management
  Topic 14C: Automation and Orchestration
Lesson 15: Explain Risk Management Processes
  Topic 15A: Risk Management Processes and Concepts
  Topic 15B: Vendor Management Concepts
  Topic 15C: Audits and Assessments
Lesson 16: Summarize Data Protection and Compliance Concepts
  Topic 16A: Data Classification and Compliance
  Topic 16B: Personnel Policies
Appendix A: Mapping Course Content to CompTIA Security+
Solutions
Glossary
Index

About This Course

CompTIA is a not-for-profit trade association with the purpose of advancing the interests of IT professionals and IT channel organizations; its industry-leading IT certifications are an important part of that mission. CompTIA's Security+ certification is a global certification that validates the foundational cybersecurity skills necessary to perform core security functions and pursue an IT security career. This exam will certify that the successful candidate has the knowledge and skills required to assess the security posture of an enterprise environment and recommend and implement appropriate security solutions; monitor and secure hybrid environments, including cloud, mobile, and IoT; operate with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance; and identify, analyze, and respond to security events and incidents. Security+ is compliant with ISO 17024 standards. Regulators and government rely on ANSI accreditation because it provides confidence and trust in the outputs of an accredited program.

CompTIA Security+ Exam Objectives

Course Description

Course Objectives

This course can benefit you in two ways. If you intend to pass the CompTIA Security+ (Exam SY0-701) certification examination, this course can be a significant part of your preparation. But certification is not the only key to professional success in the field of IT security. Today's job market demands individuals with demonstrable skills, and the information and activities in this course can help you build your cybersecurity skill set so that you can confidently perform your duties in any entry-level security role.
On course completion, you will be able to do the following:
- Summarize fundamental security concepts.
- Compare threat types.
- Explain appropriate cryptographic solutions.
- Implement identity and access management.
- Secure enterprise network architecture.
- Secure cloud network architecture.
- Explain resiliency and site security concepts.
- Explain vulnerability management.
- Evaluate network security capabilities.
- Assess endpoint security capabilities.
- Enhance application security capabilities.
- Explain incident response and monitoring concepts.
- Analyze indicators of malicious activity.
- Summarize security governance concepts.
- Explain risk management processes.
- Summarize data protection and compliance concepts.

Target Student

The Official CompTIA Security+ (Exam SY0-701) is the primary course you will need to take if your job responsibilities include safeguarding networks, detecting threats, and securing data in your organization. You can take this course to prepare for the CompTIA Security+ (Exam SY0-701) certification examination.

Prerequisites

To ensure your success in this course, you should have a minimum of two years of experience in IT administration with a focus on security, hands-on experience with technical information security, and a broad knowledge of security concepts. CompTIA A+ and CompTIA Network+, or the equivalent knowledge, are strongly recommended. The prerequisites for this course might differ significantly from the prerequisites for the CompTIA certification exams. For the most up-to-date information about the exam prerequisites, complete the form on this page: www.comptia.org/training/resources/exam-objectives.
How to Use the Study Notes

The following notes will help you understand how the course structure and components are designed to support mastery of the competencies and tasks associated with the target job roles and will help you to prepare to take the certification exam.

As You Learn

At the top level, this course is divided into lessons, each representing an area of competency within the target job roles. Each lesson is composed of a number of topics. A topic contains subjects that are related to a discrete job task, mapped to objectives and content examples in the CompTIA exam objectives document. Rather than follow the exam domains and objectives sequence, lessons and topics are arranged in order of increasing proficiency. Each topic is intended to be studied within a short period (typically 30 minutes at most). Each topic is concluded by one or more activities, designed to help you to apply your understanding of the study notes to practical scenarios and tasks.

In addition to the study content in the lessons, there is a glossary of the terms and concepts used throughout the course. There is also an index to assist in locating particular terminology, concepts, technologies, and tasks within the lesson and topic content. In many electronic versions of the book, you can click links on key words in the topic content to move to the associated glossary definition, and on page references in the index to move to that term in the content. To return to the previous location in the document after clicking a link, use the appropriate functionality in your eBook viewing software.

Watch throughout the material for the following visual cues.

A Note provides additional information, guidance, or hints about a topic or task.
A Caution note makes you aware of places where you need to be particularly careful with your actions, settings, or decisions so that you can be sure to get the desired results of an activity or task.

As You Review

Any method of instruction is only as effective as the time and effort you, the student, are willing to invest in it. In addition, some of the information that you learn in class may not be important to you immediately, but it may become important later. For this reason, we encourage you to spend some time reviewing the content of the course after your time in the classroom. Following the lesson content, you will find a table mapping the lessons and topics to the exam domains, objectives, and content examples. You can use this as a checklist as you prepare to take the exam and to review any content that you are uncertain about.

As a Reference

The organization and layout of this book make it an easy-to-use resource for future reference. Guidelines can be used during class and as after-class references when you're back on the job and need to refresh your understanding. Taking advantage of the glossary, index, and table of contents, you can use this book as a first source of definitions, background information, and summaries.

How to Use the CompTIA Learning Center

The CompTIA Learning Center is an intuitive online platform that provides access to the eBook and all accompanying resources to support The Official CompTIA curriculum. The CompTIA Learning Center can be accessed at learn.comptia.org. An access key to the CompTIA Learning Center is delivered upon purchase of the eBook. Use the CompTIA Learning Center to access the following resources:
- Online Reader—The interactive online reader provides the ability to search, highlight, take notes, and bookmark passages in the eBook. You can also access the eBook through the CompTIA Learning Center eReader mobile app.
- Videos—Videos complement the topic presentations in this study guide by providing short, engaging discussions and demonstrations of key technologies referenced in the course.
- Assessments—Practice questions help to verify your understanding of the material for each lesson. Answers and feedback can be reviewed after each question or at the end of the assessment. A timed Final Assessment provides a practice-test-like experience to help you to determine how prepared you feel to attempt the CompTIA certification exam. You can review correct answers and full feedback after attempting the Final Assessment.
- Strengths and Weaknesses Dashboard—The Strengths and Weaknesses Dashboard provides you with a snapshot of your performance. Data flows into the dashboard from your practice questions, Final Assessment scores, and your indicated confidence levels throughout the course.

Lesson 1: Summarize Fundamental Security Concepts

LESSON INTRODUCTION

Security is an ongoing process that includes assessing requirements, setting up organizational security systems, hardening and monitoring those systems, responding to attacks in progress, and deterring attackers. If you can summarize the fundamental concepts that underpin security functions, you can contribute more effectively to a security team. You must also be able to explain the importance of compliance factors and best practice frameworks in driving the selection of security controls and how departments, units, and professional roles within different types of organizations implement the security function.

Lesson Objectives

In this lesson, you will do the following:
- Summarize information security concepts.
- Compare and contrast security control types.
- Describe security roles and responsibilities.

Topic 1A: Security Concepts

EXAM OBJECTIVES COVERED
1.2 Summarize fundamental security concepts.

To be successful and credible as a security professional, you should understand security in business starting from the ground up. You should know the key security terms and ideas used by security experts in technical documents and trade publications. Security implementations are constructed from fundamental building blocks, just like a large building is built from individual bricks. This topic will help you understand those building blocks so that you can use them as the foundation for your security career.

Information Security

Information security (infosec) refers to the protection of data resources from unauthorized access, attack, theft, or damage. Data may be vulnerable because of the way it is stored, transferred, or processed. The systems used to store, transmit, and process data must demonstrate the properties of security. Secure information has three properties, often referred to as the CIA Triad:
- Confidentiality means that information can only be read by people who have been explicitly authorized to access it.
- Integrity means that the data is stored and transferred as intended and that any modification is authorized.
- Availability means that information is readily accessible to those authorized to view or modify it.

The triad can also be referred to as "AIC" to avoid confusion with the Central Intelligence Agency.

Some security models and researchers identify other properties of secure systems. The most important of these is non-repudiation. Non-repudiation means that a person cannot deny doing something, such as creating, modifying, or sending a resource.
For example, a legal document, such as a will, must usually be witnessed when it is signed. If there is a dispute about whether the document was correctly executed, the witness can provide evidence that it was.

Cybersecurity Framework

Within the goal of ensuring information security, cybersecurity refers specifically to provisioning secure processing hardware and software. Information security and cybersecurity tasks can be classified as five functions, following the framework developed by the National Institute of Standards and Technology (NIST) (nist.gov/cyberframework/online-learning/five-functions):
- Identify—develop security policies and capabilities. Evaluate risks, threats, and vulnerabilities and recommend security controls to mitigate them.
- Protect—procure/develop, install, operate, and decommission IT hardware and software assets with security as an embedded requirement of every stage of this operation’s lifecycle.
- Detect—perform ongoing, proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.
- Respond—identify, analyze, contain, and eradicate threats to systems and data security.
- Recover—implement cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.

[Figure: Core cybersecurity tasks.]

NIST’s framework is just one example. There are many other cybersecurity frameworks (CSF). The five functions listed here are those of NIST CSF version 1.1; CSF 2.0, published in February 2024, adds a sixth function, Govern, which covers the organization's risk management strategy, expectations, and policy.

Gap Analysis

Each security function is associated with a number of goals or outcomes.
For example, one outcome of the Identify function is an inventory of the assets owned and operated by the company. Outcomes are achieved by implementing one or more security controls. Numerous categories and types of security controls cover a huge range of functions. This makes selection of appropriate and effective controls difficult. A cybersecurity framework guides the selection and configuration of controls. Frameworks are important because they save an organization from building its security program in a vacuum, or from building the program on a foundation that fails to account for important security concepts.

The use of a framework allows an organization to make an objective statement of its current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve that target. This gives a structure to internal risk management procedures and provides an externally verifiable statement of regulatory compliance.

Gap analysis is a process that identifies how an organization’s security systems deviate from those required or recommended by a framework. This will be performed when first adopting a framework or when meeting a new industry or legal compliance requirement. The analysis might be repeated every few years to meet compliance requirements or to validate any changes that have been made to the framework. For each section of the framework, a gap analysis report will provide an overall score, a detailed list of missing or poorly configured controls associated with that section, and recommendations for remediation.

[Figure: Summary of gap analysis findings showing number of recommended controls not implemented per function and category; plus risks to confidentiality, integrity, and availability from missing controls; and target remediation date.]
While some or all work involved in gap analysis could be performed by the internal security team, a gap analysis is likely to involve third-party consultants. Frameworks and compliance requirements from regulations and legislation can be complex enough to require a specialist. Advice and feedback from an external party can alert the internal security team to oversights and to new trends and changes in best practice.

Access Control

An access control system ensures that an information system meets the goals of the CIA triad. Access control governs how subjects/principals may interact with objects. Subjects are people, devices, software processes, or any other system that can request and be granted access to a resource. Objects are the resources. An object could be a network, server, database, app, or file. Subjects are assigned rights or permissions on resources.

Modern access control is typically implemented as an identity and access management (IAM) system. IAM comprises four main processes:
- Identification—creating an account or ID that uniquely represents the user, device, or process on the network.
- Authentication—proving that a subject is who or what it claims to be when it attempts to access the resource. An authentication factor determines what sort of credential the subject can use. For example, people might be authenticated by providing a password; a computer system could be authenticated using a token such as a digital certificate.
- Authorization—determining what rights subjects should have on each resource, and enforcing those rights. An authorization model determines how these rights are granted. For example, in a discretionary model, the object owner can allocate rights. In a mandatory model, rights are predetermined by system-enforced rules and cannot be changed by any user within the system.
- Accounting—tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.

[Figure: Differences among identification, authentication, authorization, and accounting. (Images © 123RF.com.)]

The servers and protocols that implement these functions can also be referred to as authentication, authorization, and accounting (AAA). The use of IAM to describe enterprise security workflows is becoming more prevalent as the importance of the identification process is better acknowledged.

For example, if you are setting up an e-commerce site and want to enroll users, you need to select the appropriate controls to perform each function:
- Identification—ensure that customers are legitimate. For example, you might need to ensure that billing and delivery addresses match and that they are not trying to use fraudulent payment methods.
- Authentication—ensure that customers have unique accounts and that only they can manage their orders and billing information.
- Authorization—rules to ensure customers can place orders only when they have valid payment mechanisms in place. You might operate loyalty schemes or promotions that authorize certain customers to view unique offers or content.
- Accounting—the system must record the actions a customer takes (to ensure that they cannot deny placing an order, for instance).

Remember that these processes apply both to people and to systems. For example, you need to ensure that your e-commerce server can authenticate its identity when customers connect to it using a web browser.
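The four IAM processes described above, in working form, as an added example that is not part of the CompTIA guide. It is a deliberately small Python model: enroll is identification, authenticate checks a salted PBKDF2 password hash in constant time, authorize applies a mandatory clearance-versus-label rule that no user can override and only then consults the owner-managed discretionary ACL, and access writes every attempt to an audit log that denied_attempts reads for alerting. The user directory, the clearance levels, the payroll resource and the two accounts are constructed for the example; the function and field names are the example's own, not taken from the guide or from any product.

```python
"""Added example (not from the CompTIA guide): a toy IAM flow covering the four
processes in the text: identification, authentication, authorization under a
discretionary and a mandatory model, and accounting. The in-memory user
directory and the list used as an audit log are constructed for the example."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed clearance/label levels for the mandatory model.
PUBLIC, INTERNAL, CONFIDENTIAL, SECRET = 0, 1, 2, 3


@dataclass
class Account:
    """Identification: one unique ID per subject; credential kept as a salted hash."""
    username: str
    salt: bytes
    pw_hash: bytes
    clearance: int  # used by the mandatory (MAC) rule


@dataclass
class Resource:
    """An object. owner/acl implement the discretionary model, label the mandatory one."""
    name: str
    owner: str
    label: int
    acl: dict = field(default_factory=dict)  # username -> set of rights


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def enroll(directory: dict, username: str, password: str, clearance: int) -> None:
    """Identification: create the account; the identifier must be unique."""
    if username in directory:
        raise ValueError(f"identifier {username!r} already exists")
    salt = os.urandom(16)
    directory[username] = Account(username, salt, _derive(password, salt), clearance)


def authenticate(directory: dict, username: str, password: str) -> bool:
    """Authentication: prove the claimed identity with a knowledge factor."""
    acct = directory.get(username)
    if acct is None:
        _derive(password, bytes(16))  # same cost for unknown users, so timing does not reveal them
        return False
    return hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash)


def dac_grant(res: Resource, grantor: str, grantee: str, rights: set) -> None:
    """Discretionary model: only the object's owner may allocate rights."""
    if grantor != res.owner:
        raise PermissionError(f"{grantor} does not own {res.name}")
    res.acl.setdefault(grantee, set()).update(rights)


def authorize(directory: dict, res: Resource, username: str, right: str) -> bool:
    """Authorization. The system-enforced mandatory rule is checked first (clearance
    must dominate the label, whatever the ACL says); then the discretionary ACL decides."""
    if directory[username].clearance < res.label:
        return False
    return username == res.owner or right in res.acl.get(username, set())


def access(directory: dict, log: list, res: Resource, username: str,
           password: str, right: str) -> bool:
    """One access request with accounting: every attempt, including failures, is logged."""
    authed = authenticate(directory, username, password)
    granted = authed and authorize(directory, res, username, right)
    log.append({"subject": username, "object": res.name, "right": right,
                "authenticated": authed, "granted": granted})
    return granted


def denied_attempts(log: list, subject: str) -> int:
    """Accounting feeds alerting: count refused attempts by one subject."""
    return sum(1 for e in log if e["subject"] == subject and not e["granted"])


def run_scenario() -> dict:
    """Constructed scenario tying the four processes together."""
    directory, log = {}, []
    enroll(directory, "alice", "correct horse battery", SECRET)
    enroll(directory, "bob", "hunter2", INTERNAL)
    payroll = Resource("payroll.xlsx", owner="alice", label=CONFIDENTIAL)
    dac_grant(payroll, "alice", "bob", {"read"})  # owner grants read (DAC)...
    results = {
        "owner_read": access(directory, log, payroll, "alice", "correct horse battery", "read"),
        "bad_password": access(directory, log, payroll, "alice", "wrong", "read"),
        # ...but MAC still refuses Bob: INTERNAL does not dominate CONFIDENTIAL
        "bob_read_mac_denied": access(directory, log, payroll, "bob", "hunter2", "read"),
        "unknown_user": access(directory, log, payroll, "mallory", "x", "read"),
    }
    try:
        dac_grant(payroll, "bob", "bob", {"read"})  # a non-owner cannot self-grant
        results["non_owner_grant"] = "allowed"
    except PermissionError:
        results["non_owner_grant"] = "refused"
    results["alice_denials"] = denied_attempts(log, "alice")
    results["log_entries"] = len(log)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Run it directly to print the scenario results: the owner reads the file, a wrong password fails authentication, Bob is refused by the mandatory rule even though the owner granted him read, an unknown subject never reaches authorization, and all four attempts are in the log, which is what lets accounting support non-repudiation. In a real deployment the directory, the authentication step and the log would each be a separate system (a directory service, an authentication protocol such as those covered in Lesson 4, and a SIEM).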
Review Activity: Security Concepts

Answer the following questions:
1. What are the properties of a secure information processing system?
2. What term is used to describe the property of a secure network where a sender cannot deny having sent a message?
3. A company provides a statement of deviations from framework best practices to a regulator. What process has the company performed?
4. What process within an access control framework logs actions performed by subjects?
5. What is the difference between authorization and authentication?
6. How does accounting provide non-repudiation?

Topic 1B: Security Controls

EXAM OBJECTIVES COVERED
1.1 Compare and contrast various types of security controls.

Information security and cybersecurity assurance is achieved by implementing security controls. By identifying basic security control types, you will be better prepared to select and implement the most appropriate controls for a given scenario. You should also be able to describe how specific job roles and organizational structures can implement a comprehensive security program for organizations.

Security Control Categories

Information and cybersecurity assurance usually takes place within an overall process of business risk management. Implementation of cybersecurity functions is often the responsibility of the IT department. There are many different ways of thinking about how IT services should be governed to fulfill overall business needs.
Some organizations have developed IT service frameworks to provide best practice guides to implementing IT and cybersecurity. These frameworks can shape company policies and provide checklists of procedures, activities, and technologies that represent best practice. Collectively, these procedures, activities, and tools can be referred to as security controls. A security control is designed to give a system or data asset the properties of confidentiality, integrity, availability, and non-repudiation. Controls can be divided into four broad categories based on the way the control is implemented:
- Managerial—the control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
- Operational—the control is implemented primarily by people. For example, security guards and training programs are operational controls.
- Technical—the control is implemented as a system (hardware, software, or firmware). For example, firewalls, antivirus software, and OS access control models are technical controls.
- Physical—controls such as alarms, gateways, locks, lighting, and security cameras that deter and detect access to premises and hardware are often placed in a separate category to technical controls.

[Figure: Categories of security controls.]

Although it uses a different scheme, be aware of the way the National Institute of Standards and Technology (NIST) classifies security controls (csrc.nist.gov/publications/detail/sp/800-53/rev-5/final).
Security Control Functional Types

As well as a category, a security control can be defined according to the goal or function it performs:

• Preventive—the control acts to eliminate or reduce the likelihood that an attack can succeed. A preventive control operates before an attack can take place. Access control lists (ACL) configured on firewalls and file system objects are preventive-type technical controls. Antimalware software acts as a preventive control by blocking malicious processes from executing.
• Detective—the control may not prevent or deter access, but it will identify and record an attempted or successful intrusion. A detective control operates during an attack. Logs provide one of the best examples of detective-type controls.
• Corrective—the control eliminates or reduces the impact of a security policy violation. A corrective control is used after an attack. A good example is a backup system that restores data that was damaged during an intrusion. Another example is a patch management system that eliminates the vulnerability exploited during the attack.

While most controls can be classed functionally as preventive, detective, or corrective, a few other types can be used to define other cases:

• Directive—the control enforces a rule of behavior, such as a policy, best practice standard, or standard operating procedure (SOP). For example, an employee’s contract will set out disciplinary procedures or causes for dismissal if they do not comply with policies and procedures. Training and awareness programs can also be considered as directive controls.
• Deterrent—the control may not physically or logically prevent access, but it psychologically discourages an attacker from attempting an intrusion. This could include signs and warnings of legal penalties against trespass or intrusion.
• Compensating—the control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

Figure: Functional types of security controls. (Images © 123RF.com.)

Information Security Roles and Responsibilities

A security policy is a formalized statement that defines how security will be implemented within an organization. It describes the means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources. The implementation of a security policy to support the goals of the CIA triad might be very different for a school, a multinational accountancy firm, or a machine tool manufacturer. However, each of these organizations, or any other organization (in any sector of the economy, whether profit-making or non-profit-making), should have the same interest in ensuring that its employees, equipment, and data are secure against attack or damage. An organization that develops security policies and uses framework-based security controls has a strong security posture.

As part of the process of adopting an effective organizational security posture, employees must be aware of their responsibilities. The structure of security responsibilities will depend on the size and hierarchy of an organization, but these roles are typical.

Overall responsibility for the IT function lies with a Chief Information Officer (CIO). This role might also have direct responsibility for security. Some organizations will also appoint a Chief Technology Officer (CTO), with more specific responsibility for ensuring effective use of new and emerging IT products and solutions to achieve business goals.
In larger organizations, internal responsibility for security might be allocated to a dedicated department, run by a Chief Security Officer (CSO) or Chief Information Security Officer (CISO).

Managers may have responsibility for a domain, such as building control, web services, or accounting.

Technical and specialist staff have responsibility for implementing, maintaining, and monitoring the policy. Security might be made a core competency of systems and network administrators, or there may be dedicated security administrators. One such job title is Information Systems Security Officer (ISSO).

Nontechnical staff have the responsibility of complying with policy and with any relevant legislation.

External responsibility for security (due care or liability) lies mainly with directors or owners, though again it is important to note that all employees share some measure of responsibility.

NIST's National Initiative for Cybersecurity Education (NICE) categorizes job tasks and job roles within the cybersecurity industry (nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center).

Information Security Competencies

IT professionals working in a role with security responsibilities must be competent in a wide range of disciplines, from network and application design to procurement and human resources (HR). The following activities might be typical of such a role:

• Participate in risk assessments and testing of security systems and make recommendations.
• Specify, source, install, and configure secure devices and software.
• Set up and maintain document access control and user privilege profiles.
• Monitor audit logs, review user privileges, and document access controls.
• Manage security-related incident response and reporting.
• Create and test business continuity and disaster recovery plans and procedures.
• Participate in security training and education programs.

Information Security Business Units

The following units are often used to represent the security function within the organizational hierarchy.

Security Operations Center (SOC)

A security operations center (SOC) is a location where security professionals monitor and protect critical information assets across other business functions, such as finance, operations, sales/marketing, and so on. Because SOCs can be difficult to establish, maintain, and finance, they are usually employed by larger corporations, like a government agency or a healthcare company.

Figure: A security operations center (SOC) provides resources and personnel to implement rapid incident detection and response, plus oversight of cybersecurity operations. (Image © gorodenkoff 123RF.com.)

DevSecOps

Network operations and use of cloud computing make ever-increasing use of automation through software code. Traditionally, software code would be the responsibility of a programming or development team. Separate development and operations departments or teams can lead to silos, where each team does not work effectively with the other.

Development and operations (DevOps) is a cultural shift within an organization to encourage much more collaboration between developers and systems administrators. By creating a highly orchestrated environment, IT personnel and developers can build, test, and release software faster and more reliably. DevSecOps extends the boundary to security specialists and personnel, reflecting the principle that security is a primary consideration at every stage of software development and deployment.
This is also known as shift left, meaning that security considerations need to be made during requirements and planning phases, not grafted on at the end. The principle of DevSecOps recognizes this and shows that security expertise must be embedded into any development project. Ancillary to this is the recognition that security operations can be conceived of as software development projects. Security tools can be automated through code. Consequently, security operations need to take on developer expertise to improve detection and monitoring.

Incident Response

A dedicated computer incident response team (CIRT)/computer security incident response team (CSIRT)/computer emergency response team (CERT) is a single point of contact for the notification of security incidents. This function might be handled by the SOC or it might be established as an independent business unit.

Review Activity: Security Controls

Answer the following questions:

1. You have implemented a secure web gateway that blocks access to a social networking site. How would you categorize this type of security control?
2. A company has installed motion-activated floodlighting on the grounds around its premises. What class and function is this security control?
3. A firewall appliance intercepts a packet that violates policy. It automatically updates its access control list to block all further packets from the source IP. What TWO functions did the security control perform?
4. If a security control is described as operational and compensating, what can you determine about its nature and function?
5. A multinational company manages a large amount of valuable intellectual property (IP) data, plus personal data for its customers and account holders. What type of business unit can be used to manage such important and complex security requirements?
6. A business is expanding rapidly, and the owner is worried about tensions between its established IT and programming divisions. What type of security business unit or function could help to resolve these issues?

Lesson 1 Summary

You should be able to compare and contrast security controls using categories and functional types. You should also be able to explain how general security concepts and frameworks are used to develop and validate security policies and control selection.

Guidelines for Summarizing Security Concepts and Security Controls

Follow these guidelines when you assess the use of security controls and frameworks in your organization:

• Create a security mission statement and supporting policies that emphasize the importance of the CIA triad: confidentiality, integrity, availability.
• Assign roles so that security tasks and responsibilities are clearly understood and that impacts to security are assessed and mitigated across the organization.
• Consider creating business units, departments, or projects to support the security function, such as a SOC, CIRT, and DevSecOps.
• Identify and assess the laws and industry regulations that impose compliance requirements on your business.
• Select a framework that meets your organization’s compliance requirements and business needs.
• Create a matrix of security controls that are currently in place to identify categories and functions—consider deploying additional controls for any unmatched capabilities.
• Perform a gap analysis to evaluate security capabilities against framework requirements and identify goals for developing additional cybersecurity competencies and improving overall information security assurance.

Lesson 2: Compare Threat Types

LESSON INTRODUCTION

To make an effective security assessment, you must be able to explain strategies for both defense and attack. Your responsibilities are likely to lie principally in defending assets, but to do this you must be able to explain the tactics, techniques, and procedures of threat actors. You must also be able to differentiate the types and capabilities of threat actors and the ways they can exploit the attack surface that your networks and systems expose.

Lesson Objectives

In this lesson, you will do the following:

• Compare and contrast attributes and motivations of threat actor types.
• Explain common threat vectors and attack surfaces.

Topic 2A: Threat Actors

EXAM OBJECTIVES COVERED
2.1 Compare and contrast common threat actors and motivations.

When you assess your organization’s security posture, you must apply the concepts of vulnerability, threat, and risk. Risk is a measure of the likelihood and impact of a threat actor being able to exploit a vulnerability in your organization’s security systems. To evaluate these factors, you must be able to evaluate the sources of threats or threat actors. This topic will help you to classify and evaluate the motivation and capabilities of threat actor types so that you can assess and mitigate risks more effectively.
Vulnerability, Threat, and Risk

Security teams must identify ways in which their systems could be attacked. These assessments involve vulnerability, threat, and risk:

• Vulnerability is a weakness that could be triggered accidentally or exploited intentionally to cause a security breach. Examples of vulnerabilities include improperly configured or installed hardware or software, delays in applying and testing software and firmware patches, poorly designed network architecture, inadequate physical security, insecure password usage, and design flaws in software or operating systems. Factors such as the value of the vulnerable asset and the ease of exploiting the fault determine the severity of vulnerabilities.
• Threat is the potential for someone or something to exploit a vulnerability and breach security. A threat can have an intentional motivation or be unintentional. The person or thing that poses the threat is called a threat actor or threat agent. The path or tool used by a malicious threat actor is a threat vector.
• Risk is the level of hazard posed by vulnerabilities and threats. When a vulnerability is identified, risk is calculated as the likelihood of it being exploited by a threat actor and the impact that a successful exploit would have.

Figure: Relationship between vulnerability, threat, and risk.

Attributes of Threat Actors

Historically, cybersecurity techniques relied on the identification of static known threats, such as viruses or rootkits, Trojans, botnets, and exploits for specific software vulnerabilities. It is relatively straightforward to identify and scan for these types of threats with automated software. Unfortunately, adversaries were able to develop means of circumventing this type of signature-based scanning.
The sophisticated nature of modern cybersecurity threats requires the creation of profiles of threat actor types and behaviors. This analysis involves identifying the attributes of threat actors’ location, capability, resources/funding, and motivation.

Internal/External

Internal/external refers to the degree of access that a threat actor possesses before initiating an attack. An external threat actor has no account or authorized access to the target system. A malicious external threat must infiltrate the security system using unauthorized access, such as breaking into a building or hacking into a network. Note that an external actor may perpetrate an attack remotely or on-premises. It is the threat actor that is external rather than the attack method. Conversely, an internal/insider threat actor has been granted permissions on the system. This typically means an employee, but insider threats can also arise from contractors and business partners.

Level of Sophistication/Capability

Level of sophistication/capability refers to a threat actor’s ability to use advanced exploit techniques and tools. The least capable threat actor relies on commodity attack tools that are widely available. More capable actors can fashion new exploits in operating systems, applications software, and embedded control systems. At the highest level, a threat actor might use non-cyber tools such as political or military assets.

Resources/Funding

A high level of capability must be supported by resources/funding. Sophisticated threat actor groups need to be able to acquire resources, such as customized attack tools and skilled strategists, designers, coders, hackers, and social engineers. The most capable threat actor groups receive funding from nation-states and organized crime.

Motivations of Threat Actors

Motivation is the threat actor’s reason for perpetrating the attack. A malicious threat actor could be motivated by greed, curiosity, or some grievance, for instance.
Threats can be characterized as structured/targeted or unstructured/opportunistic, depending on how widely an attack is perpetrated. For example, a criminal gang attempting to steal customers’ financial data from a company’s database system is a structured, targeted threat. An unskilled hacker launching some variant of the “I Love You” email worm sent to a stolen mailing list is an unstructured, opportunistic threat.

A threat actor with malicious motivation can be contrasted with an accidental or unintentional threat actor. An unintentional threat actor represents accidents, oversights, and other mistakes.

To help to analyze motivations, it is first useful to consider the general strategies that a threat actor could use to achieve an objective:

• Service disruption—prevents an organization from working as it does normally. This could involve an attack on their website or using malware to block access to servers and employee workstations. Service disruption can be an end in itself if the threat actor’s motivation is to sow chaos or gain revenge. Service disruption can be used as a blackmail threat, or it can be used as a tactic in the pursuit of some different strategic objective.
• Data exfiltration—transfers a copy of some type of valuable information from a computer or network without authorization. A threat actor might perform this type of theft because they want the data asset for themselves, because they can exploit its loss as blackmail or to sell it to a third party.
• Disinformation—falsifies some type of trusted resource, such as changing the content of a website, manipulating search engines to inject fake sites, or using bots to post false information to social media sites.
You can relate these strategies to the way they affect the CIA triad: data exfiltration compromises confidentiality, disinformation attacks integrity, and service disruption targets availability.

Chaotic Motivations

In the early days of the Internet, many service disruption and disinformation attacks were perpetrated with the simple goal of causing chaos. Hackers might deface websites or release worms that brought corporate networks to a standstill for no other reason than to gain credit for the hack. This type of vandalism for its own sake is less prevalent now. Attackers might use service disruption and disinformation to further political ends, or nation-states might use it to further war aims.

Another risk is threat actors motivated by revenge. Revenge attacks might be perpetrated by an employee or former employee or by any external party with a grievance.

Financial Motivations

As hacking and malware became both more sophisticated and better commodified, the opportunities to use them for financial gain grew quickly. If an attacker is able to steal data, they might be able to sell it to other parties. Alternatively, they might use an attack to threaten the victim with blackmail or extortion or to perpetrate fraud:

• Blackmail is demanding payment to prevent the release of information. A threat actor might have stolen information or created false data that makes it appear as though the target has committed a crime.
• Extortion is demanding payment to prevent or halt some type of attack. For example, a threat actor might have used malware to block access to an organization’s computers and demand payment to unlock them.
• Fraud is falsifying records. Internal fraud might involve tampering with accounts to embezzle funds or inventing customer details to launder money. Criminals might use disinformation to commit fraud, such as posting fake news to affect the share price of a company, promote pyramid schemes, or to create fake companies.
Political Motivations

A political motivation means that the threat actor uses an attack to bring about some type of change in society or governance. This can cover a very wide range of motivations:

• An employee acting as a whistleblower because of some ethical concern about the organization’s behavior.
• A campaign group disrupting the services of an organization that they believe acts in contradiction to their ethical or philosophical beliefs.
• A nation-state using service disruption, data exfiltration, or disinformation against government organizations or companies in another state in pursuit of war aims.

Nation-states commonly perpetrate espionage and disinformation attacks against one another, whether or not they are at war. In cybersecurity, espionage is a type of data exfiltration aimed to learn secrets rather than sell them or use the theft for blackmail. There is also the threat of commercial espionage, where a company attempts to steal the secrets of a competitor.

Hackers and Hacktivists

Given awareness of the general strategies and motivations, it can also be helpful to evaluate the risk that well-known threat actor types or profiles pose to a business.

Hackers

Hacker describes an individual who has the skills to gain access to computer systems through unauthorized or unapproved means. Originally, hacker was a neutral term for a user who excelled at computer programming and computer system administration. Hacking into a system was a sign of technical skill and creativity that gradually became associated with illegal or malicious system intrusions. The terms unauthorized (previously known as black hat) and authorized (previously known as white hat) are used to distinguish these motivations. A white hat hacker always seeks authorization to perform penetration testing of private and proprietary systems.

Unskilled Attackers

An unskilled attacker is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Unskilled attacks might have no specific target or any reasonable goal other than gaining attention or proving technical abilities.

Hacker Teams and Hacktivists

The historical image of a hacker is that of a loner, acting as an individual with few resources or funding. While the “lone hacker” remains a threat that must be accounted for, threat actors are now likely to work as part of a team or group. The collaborative team effort means that these threat actors are able to develop sophisticated tools and novel strategies.

A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons to promote a political agenda. Hacktivists might attempt to use data exfiltration to obtain and release confidential information to the public domain, perform service disruption attacks, or deface websites to spread disinformation. Political, media, and financial groups and companies are most at risk of becoming a target for hacktivists, but environmental and animal advocacy groups may target companies in a wide range of industries.

Nation-State Actors

Most nation-states have developed cybersecurity expertise and will use cyber weapons to achieve military and commercial goals. The security company Mandiant’s APT1 report into Chinese cyber espionage units shaped the language and understanding of cyber-attack lifecycles. The term advanced persistent threat (APT) was coined to understand the behavior underpinning modern types of cyber adversaries.
Rather than think in terms of systems being infected with a virus or Trojan, an APT refers to the ability of an adversary to achieve ongoing compromise of network security—to obtain and maintain access—using a variety of tools and techniques.

Nation-state actors have been implicated in many attacks, particularly on energy, health, and electoral systems. The goals of state actors are primarily disinformation and espionage for strategic advantage, but it is known for countries—North Korea being a good example—to target companies for financial gain.

Figure: Researchers such as The MITRE Corporation report on the activities of organized crime and nation-state actors. (Screenshot © 2023 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.)

State actors will work at arm’s length from the national government, military, or security service that sponsors and protects them, maintaining “plausible deniability.” They are likely to pose as independent groups or even as hacktivists. They may wage false flag disinformation campaigns that try to implicate other states.

Organized Crime and Competitors

In many countries, cybercrime has overtaken physical crime in terms of the number of incidents and losses. Organized crime can operate across the Internet from a different jurisdiction than its victim, increasing the complexity of prosecution. Criminals will seek any opportunity for profit, but typical activities are financial fraud—against individuals and companies—and blackmail/extortion.

Most espionage is thought to be pursued by state actors, but it is not inconceivable that a rogue business might use cyber espionage against its competitors. Such attacks could aim at theft or to disrupt a competitor’s business or damage their reputation. Competitor attacks might be facilitated by employees who have recently changed companies and bring insider knowledge with them.

Internal Threat Actors

Many threat actors operate externally from the networks they target. An external actor has to break into the system without having any legitimate permissions. An internal threat (or insider threat) arises from an actor identified by the organization and granted some type of access. Within this group of internal threats, you can distinguish insiders with permanent privileges, such as employees, from insiders with temporary privileges, such as contractors and guests. There is the blurred case of former insiders, such as ex-employees now working at another company or who have been dismissed and now harbor a grievance. These can be classified as internal threats or treated as external threats with insider knowledge, and possibly some residual permissions, if effective offboarding controls are not in place.

The main motivators for a malicious internal threat actor are revenge and financial gain. Like external threats, insider threats can be opportunistic or targeted. An employee who plans and executes a campaign to modify invoices and divert funds is launching a structured attack; an employee who tries to guess the password on the salary database a couple of times, having noticed that the file is available on the network, is perpetrating an opportunistic attack. You must also assess the possibility that an insider threat may be working in collaboration with an external threat actor or group.

A whistleblower is someone with an ethical motivation for releasing confidential information. While this could be classed as an internal threat in some respects, it is important to realize that whistleblowers making protected disclosures, such as reporting financial fraud through an authorized channel, cannot themselves be threatened or labeled in any way that seems retaliatory or punitive.

Insider threats can also arise from unintentional sources. Unintentional or inadvertent insider threat is often caused by lack of awareness or carelessness, such as users demonstrating poor password management. Another example of unintentional insider threat is the concept of shadow IT, where users purchase or introduce computer hardware or software to the workplace without the sanction of the IT department and without going through a procurement and security analysis process. The problem of shadow IT is exacerbated by the proliferation of cloud services and mobile devices, which are easy for users to obtain. Shadow IT creates a new unmonitored attack surface for malicious adversaries to exploit.

Review Activity: Threat Actors

Answer the following questions:

1. Which of the following would be assessed by likelihood and impact: vulnerability, threat, or risk?
2. True or false? Nation-state actors only pose a risk to other states.
3. You receive an email with a screenshot showing a command prompt at one of your application servers. The email suggests you engage the hacker for a day’s consultancy to patch the vulnerability. How should you categorize this threat?
4. Which type of threat actor is primarily motivated by the desire for political change?
5. Which three types of threat actor are most likely to have high levels of funding?
Topic 2B: Attack Surfaces

EXAM OBJECTIVES COVERED
2.2 Explain common threat vectors and attack surfaces.

Understanding the methods by which threat actors infiltrate networks and systems is essential for you to assess the attack surface of your networks and deploy controls to block attack vectors.

Attack Surface and Threat Vectors

The attack surface is all the points at which a malicious threat actor could try to exploit a vulnerability. Any location or method where a threat actor can interact with a network port, app, computer, or user is part of a potential attack surface. Minimizing the attack surface means restricting access so that only a few known endpoints, protocols/ports, and services/methods are permitted. Each of these must be assessed for vulnerabilities and monitored for intrusions.

Figure: Assessing the attack surface.

An organization has an overall attack surface. You can also assess attack surfaces at more limited scopes, such as that of a single server or computer, a web application, or employee identities and accounts.

To evaluate the attack surface, you need to consider the attributes of threat actors that pose the most risk to your organization. For example, the attack surface for an external actor should be far smaller than that for an insider threat.

From a threat actor’s perspective, each part of the attack surface represents a potential vector for attempting an intrusion. A threat vector is the path that a threat actor uses to execute a data exfiltration, service disruption, or disinformation attack.
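As an added example that is not part of the guide, the following Python script models an attack surface inventory and checks it against a baseline of the few deliberately permitted endpoints, scoped both by where the threat actor sits (the Internet for an external actor, the LAN for an insider) and by a single server. The host names, ports, and baseline are constructed sample data, not taken from the guide.

```python
"""Attack surface inventory check: constructed example, not from the CompTIA guide."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ExposedService:
    """One point at which an actor can interact with a network port or app."""
    host: str
    port: int
    protocol: str              # "tcp" or "udp"
    service: str
    reachable_from: frozenset  # vantages that can reach it: "internet", "lan"

    @property
    def endpoint(self):
        """The (host, port, protocol) triple the baseline is keyed on."""
        return (self.host, self.port, self.protocol)


# Constructed inventory, as a port/service audit of four servers might report it.
INVENTORY = (
    ExposedService("web01", 443, "tcp", "https", frozenset({"internet", "lan"})),
    ExposedService("web01", 22, "tcp", "ssh", frozenset({"internet", "lan"})),
    ExposedService("web01", 8080, "tcp", "http-admin", frozenset({"lan"})),
    ExposedService("db01", 5432, "tcp", "postgresql", frozenset({"lan"})),
    ExposedService("db01", 3389, "tcp", "rdp", frozenset({"internet", "lan"})),
    ExposedService("mail01", 25, "tcp", "smtp", frozenset({"internet", "lan"})),
    ExposedService("dns01", 53, "udp", "dns", frozenset({"internet", "lan"})),
)

# Constructed baseline: the few known endpoints deliberately permitted per vantage.
BASELINE = {
    "internet": {("web01", 443, "tcp"), ("mail01", 25, "tcp"), ("dns01", 53, "udp")},
    "lan": {
        ("web01", 443, "tcp"), ("web01", 22, "tcp"), ("web01", 8080, "tcp"),
        ("db01", 5432, "tcp"), ("mail01", 25, "tcp"), ("dns01", 53, "udp"),
    },
}


def attack_surface(inventory, vantage):
    """Every exposed service an actor at `vantage` can interact with."""
    return [svc for svc in inventory if vantage in svc.reachable_from]


def host_attack_surface(inventory, host):
    """Narrower scope: the attack surface of a single server, whoever the actor is."""
    return [svc for svc in inventory if svc.host == host]


def unapproved(inventory, baseline, vantage):
    """Services reachable from `vantage` that the baseline never permitted.

    Each hit is an endpoint to remove, restrict, or justify and add to the
    baseline, since every permitted endpoint must then be assessed and monitored.
    """
    allowed = baseline[vantage]
    return [svc for svc in attack_surface(inventory, vantage)
            if svc.endpoint not in allowed]


def surface_report(inventory, baseline):
    """Per-vantage exposure count plus unapproved endpoints; external should be smallest."""
    report = {}
    for vantage in baseline:
        report[vantage] = {
            "exposed": len(attack_surface(inventory, vantage)),
            "unapproved": [f"{s.host}:{s.port}/{s.protocol} ({s.service})"
                           for s in unapproved(inventory, baseline, vantage)],
        }
    return report


if __name__ == "__main__":
    for vantage, data in surface_report(INVENTORY, BASELINE).items():
        print(f"{vantage}: {data['exposed']} exposed, unapproved: {data['unapproved']}")
```

Running the script shows the external surface (5 services) is smaller than the insider surface (7), and flags SSH on web01 and RDP on db01 as Internet-reachable endpoints outside the baseline.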
Sophisticated threat actors will make use of multiple vectors. They are likely to plan a multistage campaign, rather than a single “smash and grab” type of raid. Highly capable threat actors will be able to develop novel vectors. This means that the threat actor’s knowledge of your organization’s attack surface may be better than your own. The terms "threat vector" and "attack vector" are often taken to mean the same thing. Some sources distinguish the use of threat vector to refer to analysis of the potential attack surface and attack vector to analyze an exploit that has been successf