Mastering Security Basics (Security+ SY0-701 Series)
This post covers the following exam objectives:
1.1 Compare & Contrast various types of Security Controls
1.2 Summarize Fundamental Security Concepts
Disclaimer: These are simply the notes I’ve taken while reviewing the OCG or a video series—they're not a complete study resource. Use this to supplement your studies. 🤗
Defining Information Security
Definition:
Information security refers to the protection of data resources from unauthorized access, attacks, theft, or damage. It ensures that critical business and personal data remain secure and intact.
The CIA Triad: The Three Pillars of Security
Confidentiality: Ensures that data is accessible only to authorized individuals, preventing unauthorized disclosure.
Integrity: Guarantees that data is stored and transmitted accurately, allowing only authorized modifications.
Availability: Ensures that information and systems are readily accessible to authorized users when needed.
Another Key Term: Non-repudiation
Non-repudiation prevents individuals from denying their actions, such as creating, modifying, or sending data. This is often achieved through digital signatures and audit logs.
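As an added illustration (not part of the original notes), the Go program below shows how a digital signature gives both integrity and non-repudiation for an audit-log entry: only the holder of the private key can produce the signature, and any change to the signed record makes verification fail. The entry fields, timestamp and key pair are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// AuditEntry is a constructed example record: who did what to which resource, and when.
type AuditEntry struct {
	Actor    string
	Action   string
	Resource string
	Time     string // RFC 3339 timestamp, constructed for the example
}

// canonical renders the entry as one fixed byte string. Signing a canonical
// form matters: if the same entry could serialize two ways, a signature over
// one form would not cover the other.
func canonical(e AuditEntry) []byte {
	return []byte(e.Time + "|" + e.Actor + "|" + e.Action + "|" + e.Resource)
}

// SignEntry signs the canonical form with the actor's private key. Only the
// holder of that key can produce this signature, which is what lets the
// organization hold the actor to the action (non-repudiation).
func SignEntry(priv ed25519.PrivateKey, e AuditEntry) []byte {
	return ed25519.Sign(priv, canonical(e))
}

// VerifyEntry returns true only if the signature matches this exact entry
// under the given public key. Any edit to the record (integrity) or a
// signature made with a different key (authenticity) returns false.
func VerifyEntry(pub ed25519.PublicKey, e AuditEntry, sig []byte) bool {
	return ed25519.Verify(pub, canonical(e), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	entry := AuditEntry{Actor: "alice", Action: "delete", Resource: "/finance/q3.xlsx", Time: "2024-05-01T10:15:00Z"}
	sig := SignEntry(priv, entry)
	fmt.Println("signature:", hex.EncodeToString(sig)[:16]+"...")
	fmt.Println("original verifies:", VerifyEntry(pub, entry, sig))

	// Rewriting the actor to "bob" after the fact breaks the signature.
	tampered := entry
	tampered.Actor = "bob"
	fmt.Println("tampered verifies:", VerifyEntry(pub, tampered, sig))
}
```

The audit log itself supplies the "who and when"; the signature is what stops the actor from later claiming the entry was forged or altered. In practice the signing key is protected (HSM, TPM or OS key store) so that possession of the key really does identify the actor.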
Understanding Cybersecurity Frameworks
Definition:
A cybersecurity framework provides structured guidelines for securing hardware and software processing environments.
The Five Core Functions of the NIST Cybersecurity Framework (CSF 1.1; CSF 2.0, released in 2024, adds a sixth function, Govern):
Identify: Develop security policies, evaluate risks, and recommend appropriate controls.
Protect: Secure IT assets throughout their lifecycle using encryption, firewalls, and access controls.
Detect: Implement proactive monitoring and threat detection strategies to identify emerging security threats.
Respond: Analyze, contain, and eradicate security threats through incident response procedures.
Recover: Restore systems and data post-attack, ensuring business continuity and resilience.
Importance of Cybersecurity Frameworks:
Helps organizations select appropriate security controls.
Supports risk management efforts.
Assists in achieving regulatory compliance.
Gap Analysis: Identifying Security Deficiencies
Definition:
A gap analysis identifies deviations from cybersecurity framework requirements and regulations, highlighting areas where security controls are missing or insufficient.
Goals:
Evaluates an organization’s current cybersecurity capabilities.
Prioritizes investments to improve security posture.
Assists in achieving compliance with industry regulations.
Components of Gap Analysis:
Outcome-Based: Focuses on identifying missing or poorly configured security controls.
Utilization: Used for initial framework adoption, compliance audits, and periodic security assessments.
Third-Party Involvement: Organizations may engage external consultants for complex assessments.
Access Control Basics
Definition:
Access control determines how users, devices, and systems interact with resources to protect sensitive data and assets.
Key Components of Access Control:
Identification: Unique representation of users or devices (e.g., usernames, biometrics).
Authentication: Verifies user identities using passwords, digital certificates, multi-factor authentication (MFA), etc.
Authorization: Determines what actions users are permitted to perform based on roles, policies, or access control lists (ACLs).
Accounting: Tracks and logs resource access for auditing and detection of unauthorized activity.
Implementation of Access Control:
Often managed through Identity and Access Management (IAM) systems.
AAA Framework: Another term for Authentication, Authorization, and Accounting.
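To make the four components concrete, here is an added Go example (not from the original notes) that runs the full sequence: identification (username lookup), authentication (constant-time comparison of a salted password hash), authorization (a deny-by-default ACL mapping resources to roles to permitted actions) and accounting (every decision appended to an audit log). The users, salts, passwords and ACL are constructed for the example, and the HMAC-SHA256 password hash is a stated simplification; production systems use a slow password hash such as Argon2 or bcrypt and random salts.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// user holds what is needed to authenticate an identity plus its roles.
// Constructed data; HMAC-SHA256 with a per-user salt stands in for a real
// password hash (Argon2/bcrypt) to keep the example dependency-free.
type user struct {
	salt  []byte
	hash  []byte
	roles []string
}

// acl maps resource -> role -> allowed actions. Anything not listed is denied,
// which is least privilege applied as deny-by-default.
var acl = map[string]map[string][]string{
	"/payroll": {"hr": {"read", "write"}, "auditor": {"read"}},
	"/wiki":    {"staff": {"read"}, "hr": {"read"}, "auditor": {"read"}},
}

// auditLog is the accounting record: one line per access decision.
var auditLog []string

func hashPassword(salt []byte, password string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(password))
	return m.Sum(nil)
}

// newUser provisions a user. The salt is fixed here so the example is
// deterministic; real code draws it from crypto/rand.
func newUser(salt, password string, roles ...string) user {
	return user{salt: []byte(salt), hash: hashPassword([]byte(salt), password), roles: roles}
}

var users = map[string]user{
	"alice": newUser("salt-alice", "Correct-Horse-9", "hr"),
	"bob":   newUser("salt-bob", "battery-staple-1", "staff"),
}

// Authenticate: the username lookup is identification; recomputing the hash
// and comparing it in constant time is authentication.
func Authenticate(username, password string) bool {
	u, ok := users[username]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare(hashPassword(u.salt, password), u.hash) == 1
}

// Authorize returns true only if one of the user's roles grants the action
// on the resource; unknown users, resources or actions are denied.
func Authorize(username, resource, action string) bool {
	u, ok := users[username]
	if !ok {
		return false
	}
	for _, role := range u.roles {
		for _, allowed := range acl[resource][role] {
			if allowed == action {
				return true
			}
		}
	}
	return false
}

// Access runs the whole AAA sequence and records the outcome (accounting).
func Access(username, password, resource, action string) bool {
	if !Authenticate(username, password) {
		auditLog = append(auditLog, fmt.Sprintf("DENY auth-failed user=%s", username))
		return false
	}
	if !Authorize(username, resource, action) {
		auditLog = append(auditLog, fmt.Sprintf("DENY not-authorized user=%s %s %s", username, action, resource))
		return false
	}
	auditLog = append(auditLog, fmt.Sprintf("ALLOW user=%s %s %s", username, action, resource))
	return true
}

func main() {
	Access("alice", "Correct-Horse-9", "/payroll", "write") // allowed: hr may write payroll
	Access("bob", "battery-staple-1", "/payroll", "read")   // denied: staff has no payroll entry
	Access("bob", "wrong-password", "/wiki", "read")        // denied: authentication failed
	for _, line := range auditLog {
		fmt.Println(line)
	}
}
```

Note that a failed authentication never reaches the authorization step, and that the audit log records denials as well as successes; the denial lines are what a detective control such as log monitoring later looks for.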
Understanding Security Controls
Security controls are the policies, procedures, technologies, and mechanisms designed to protect information systems from unauthorized access, threats, and vulnerabilities.
Security controls are categorized based on how they are implemented and who is responsible for them. The four main categories include:
Managerial Controls – High-level policies and procedures that govern risk management, security assessments, and compliance.
Example:
Risk Assessments: The process of identifying, evaluating, and prioritizing risks to an organization. The goal is to understand the impact of different threats and determine how to mitigate them.
Vulnerability Assessments: The process of identifying, analyzing, and evaluating security weaknesses in systems, networks, applications, or infrastructure. It helps organizations understand their security posture and prioritize remediation efforts.
Operational Controls – Security measures that rely on people and processes rather than technology. Example: Security awareness training, incident response plans.
Example:
Configuration Management: Leverages baselines to ensure systems start and run in a secure state.
Change Management: Tracking and managing changes to ensure that they do not negatively impact security. It includes documenting changes, assessing their impact, and obtaining approval before implementation.
Testing: Regular testing of security systems and procedures, such as penetration testing and vulnerability assessments, helps identify and address weaknesses.
Technical Controls – Security measures enforced through technology, such as hardware, software, or firmware. Example: Firewalls, intrusion detection systems (IDS), antivirus software
Example:
Firewalls: A firewall can be a hardware device or software application that monitors and controls incoming and outgoing network traffic based on predetermined security rules. It acts as a barrier between trusted and untrusted networks, filtering traffic to prevent unauthorized access.
Intrusion Detection Systems (IDS) & Intrusion Prevention Systems (IPS): Hardware or software systems that monitor a network or host for various threats.
Encryption: By encrypting data we can ensure that it remains confidential during transmission or storage. (Think SSL/TLS for secure web browsing, and AES for encrypting stored data.)
Least Privilege: The principle that individuals should only be granted the level of access they need to perform their jobs and no more.
Physical Controls – Measures designed to protect physical assets and prevent unauthorized access to buildings, devices, and systems. Example: Security cameras, biometric locks, keycard access.
Example:
Gates, Barricades, Locks: These physical barriers prevent unauthorized access to sensitive areas.
Security Guards: Human security personnel can monitor and control access to a facility, respond to incidents, and enforce security policies.
Functional Types of Security Controls
Security controls can also be classified based on their function in protecting systems and data. These include:
Preventive Controls – Aim to stop attacks before they occur by reducing vulnerabilities.
Hardening: The practice of making a system or application more secure than its default configuration. This is accomplished by disabling unnecessary ports and services, implementing secure protocols, keeping systems patched, using strong passwords along with a robust password policy, and disabling default accounts.
Training: Regular security training and awareness programs help employees understand security policies, recognize threats, and respond appropriately.
Security Guards: Human security personnel can monitor and control access to a facility, respond to incidents, and enforce security policies.
Account Disablement Process: A process that ensures user accounts are disabled when an employee leaves the organization.
Intrusion prevention system (IPS): An IPS can block malicious traffic before it reaches a network.
Detective Controls – Controls that detect when vulnerabilities have been exploited or an attack is in progress.
Log Monitoring
Security Information and Event Management (SIEM) Tools
Security Audits
Video Surveillance
Motion Detection
Intrusion Detection Systems (IDS)
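As an added example (not part of the original notes) of what log monitoring or a SIEM rule actually does, the Go program below parses constructed SSH-style auth log lines and flags any source IP with a burst of failed logins inside a sliding time window, the classic brute-force detection. The log lines, hostnames and IP addresses are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// sampleLog is constructed in the style of an SSH auth log; it is not from a real system.
const sampleLog = `2024-05-01T10:00:01Z bastion sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-05-01T10:00:03Z bastion sshd[101]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-05-01T10:00:04Z bastion sshd[101]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-05-01T10:00:06Z bastion sshd[101]: Failed password for root from 203.0.113.7 port 51025 ssh2
2024-05-01T10:00:09Z bastion sshd[101]: Failed password for root from 203.0.113.7 port 51026 ssh2
2024-05-01T10:00:15Z bastion sshd[102]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
2024-05-01T10:03:00Z bastion sshd[103]: Failed password for alice from 198.51.100.20 port 40002 ssh2
2024-05-01T10:09:00Z bastion sshd[104]: Failed password for alice from 198.51.100.20 port 40003 ssh2
`

// failedRe captures timestamp, target user and source IP of a failed login.
var failedRe = regexp.MustCompile(`^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port`)

type failure struct {
	at   time.Time
	user string
}

// parseFailures groups failed-login events by source IP, skipping lines that
// do not match (successful logins, other daemons, malformed timestamps).
func parseFailures(text string) map[string][]failure {
	bySource := map[string][]failure{}
	for _, line := range strings.Split(text, "\n") {
		m := failedRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ts, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue
		}
		bySource[m[3]] = append(bySource[m[3]], failure{at: ts, user: m[2]})
	}
	return bySource
}

// DetectBruteForce returns the source IPs that produced at least threshold
// failures within any window-long span. A sliding window is used rather than
// fixed buckets so a burst straddling a bucket boundary is not missed.
func DetectBruteForce(text string, threshold int, window time.Duration) []string {
	var hits []string
	for src, fails := range parseFailures(text) {
		sort.Slice(fails, func(i, j int) bool { return fails[i].at.Before(fails[j].at) })
		for i := range fails {
			j := i
			for j < len(fails) && fails[j].at.Sub(fails[i].at) <= window {
				j++
			}
			if j-i >= threshold {
				hits = append(hits, src)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	for _, src := range DetectBruteForce(sampleLog, 5, time.Minute) {
		fmt.Printf("ALERT possible brute force from %s\n", src)
	}
}
```

With a threshold of 5 failures in one minute only 203.0.113.7 is flagged; alice's two mistyped passwords six minutes apart from 198.51.100.20 stay below the threshold. Tuning those two numbers is the usual trade-off between missed attacks and alert fatigue.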
Corrective Controls – Minimize damage and restore systems after a security event.
Backups and System Recovery: Backups ensure that data can be recovered if it is lost or corrupted.
Incident Handling Processes: Defines the steps to take in response to security incidents.
Directive Controls – Documents for enforcing security policies and behavioral expectations.
Policies, standards, procedures, and guidelines: Security professionals use many different types of documents to direct actions.
Standards: Formalized, mandatory requirements that must be followed to ensure security and compliance. They may be internal (e.g., an approved list of encryption algorithms) or adopted from industry-wide sources (e.g., ISO 27001, NIST publications).
Policies: High-level statements outlining an organization's security expectations and goals. Example: A company-wide password policy requiring strong passwords.
Guidelines: Recommended best practices to help implement policies effectively. Example: A guideline suggesting using password managers to store complex passwords.
Procedures: Step-by-step instructions on how to execute specific security tasks. Example: A procedure for resetting a user's password securely.
These concepts work together to create a structured security framework within an organization.
Deterrent Controls – Discourage potential attackers through visible security measures.
Warning Signs
Login Banners
Compensating Controls – Alternative controls used in place of a primary control when the primary control cannot be implemented yet or at all.
Time-based One-Time Password (TOTP) - Can be used as a temporary second factor when onboarding a new employee whose primary credential has not yet been issued.