Security+: Selecting Appropriate Security Controls (SY0-401)
Please note: this article is based on information about the previous version of the Security+ exam (SY0-401), which expired in May of 2018. For updated information, please see our up-to-date Security+ listing.
Appropriate use of security controls can provide a number of behind-the-scenes security measures: deterrents, prevention, detection, and so on. The three primary goals of security (confidentiality, integrity, and availability, also known as the CIA triad) are common enough in most organizations. In addition to the CIA triad, though, organizations should also focus on providing security to the physical environment, protecting human life, and ensuring the implementation of other safety procedures.
What Do I Need to Know about Confidentiality?
Confidentiality prevents unauthorized disclosure of data and information to the bad guys. For example, when the data is in transit over a network, confidentiality ensures that the attacker cannot intercept it for nefarious purposes. This means that when a user sends data or a text message over a network, only the intended recipient can receive it. Confidentiality can be ensured by deploying three basic security controls: encryption, access controls, and steganography.
Encryption is a process of converting electronic data or information into code, called ciphertext, to prevent unauthorized access. Only authorized parties can understand this ciphertext. Two popular encryption techniques, symmetric and asymmetric, are used to encrypt and decrypt data. Encryption converts data into ciphertext, which is an unreadable form of data, whereas the decryption process converts ciphertext back into readable data.
Access controls and permissions are used to restrict access to valuable data. A user can obtain only the level of access that is granted by the system administrator.
Steganography is a technique of hiding data or information in another type of data. Steganography can be applied to images or to audio or video files. Since media files can be large, security experts use them for steganographic transmissions. Data hidden in a large media file is difficult to tamper with.
How Does Integrity Protect Essential Data and Information?
Integrity is a security service that protects data and information from damage or deliberate manipulation. It is essential for any business or e-commerce website. Integrity ensures that, when data has been communicated or stored, it has not been manipulated, changed, or altered in storage media or even after transit. Integrity checks use various methods, including hashing, digital signatures, certificates, and non-repudiation.
Hashing prevents the data and information from being accessed in an unauthorized way. It operates by producing a unique identifier, which can be a fingerprint, checksum, or hash value, through a hash function or algorithm. Popular hash functions include MD2, MD4, MD5, and the Secure Hash Algorithm (SHA-1). Attackers often use reverse engineering to reverse a hash match and to crack passwords.
Digital signatures: A digital signature is a mathematical technique used to validate the integrity and authenticity of a message, digital document, or software. Digital signatures are intended to solve the problems of impersonation and tampering with data while in transit.
Certificates: A digital certificate proves the identity of the user who sends a message. It only verifies the source of the message (sender), rather than proving the quality or reliability of the message or the network on which that message was being transmitted.
Non-repudiation is the assurance that a sender cannot deny the authenticity of a message or data that is sent to a recipient. For example, email non-repudiation uses an email tracking method that ensures that a sending party cannot deny having sent the message or data and that the receiving party cannot deny having received that message or data.
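The hashing check described above, and why tampering in transit calls for a keyed mechanism, as an added example that is not part of the original article. It uses SHA-256 and an HMAC from Python's standard library in place of a digital signature; the message, key and function names are constructed for illustration.

```python
import hashlib
import hmac

# SHA-256 is used here; MD5 and SHA-1 have known collision weaknesses.

def fingerprint(data: bytes) -> str:
    """Hash value (fingerprint) of the data as a hex string."""
    return hashlib.sha256(data).hexdigest()

def verify_fingerprint(data: bytes, expected_hex: str) -> bool:
    """Recompute the hash and compare it with the expected value."""
    return hmac.compare_digest(fingerprint(data), expected_hex)

def keyed_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag: a hash value that can only be produced with the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_keyed_tag(key: bytes, data: bytes, expected_hex: str) -> bool:
    """Recompute the tag with the shared key and compare in constant time."""
    return hmac.compare_digest(keyed_tag(key, data), expected_hex)

def integrity_demo() -> dict:
    # Constructed sample values, for illustration only.
    original = b"PAY 100.00 TO ACCOUNT 1111"
    altered = b"PAY 900.00 TO ACCOUNT 2222"
    key = b"constructed-demo-key"

    # 1. Reference hash obtained separately from the data: a change is detected.
    reference = fingerprint(original)
    # 2. Hash delivered alongside the data: whoever changed the data can
    #    replace the hash too, so the check passes on altered data.
    replaced = fingerprint(altered)
    # 3. Keyed tag: without the key, no matching tag can be produced
    #    for the altered data, so the change is detected.
    tag = keyed_tag(key, original)
    return {
        "original_matches_reference": verify_fingerprint(original, reference),
        "altered_matches_reference": verify_fingerprint(altered, reference),
        "altered_matches_replaced_hash": verify_fingerprint(altered, replaced),
        "original_matches_tag": verify_keyed_tag(key, original, tag),
        "altered_matches_tag": verify_keyed_tag(key, altered, tag),
    }

if __name__ == "__main__":
    for check, passed in integrity_demo().items():
        print(f"{check}: {passed}")
```

A plain hash protects integrity only when the reference value reaches the recipient by a path the data's modifier cannot touch; the keyed tag removes that dependency but, unlike a digital signature, relies on a key shared by both parties.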
What Do I Need to Know about Availability?
Availability is a security service that ensures that the data and systems are available for authorized users in an effective and timely manner. Availability can be ensured through proper data backups, disaster recovery plans, and redundant systems. Availability also helps users to accomplish their assigned tasks within a given time. The following techniques ensure the availability of IT systems.
Redundancy is the use of alternate or secondary solutions. In an IT environment, redundancy provides alternate means to accomplish IT functions or perform tasks. Redundancy improves fault tolerance by reducing the chances of a single point of failure. If a primary system is compromised, operations can be switched over to the redundant servers or backup systems so that the smooth continuation of the work is ensured. Failover, or rollover, means redirecting traffic or workload to a backup system when the primary machine fails to perform.
Fault tolerance: Fault tolerance is the capability of a computer system or network device to continue its operations in the event of a failure or malfunction of any of its components, including hardware and software. In fact, fault tolerance prevents the sudden failure of large systems (such as proxy servers, FTP servers, email servers, etc.) to provide uninterrupted services to the users. For example, VMware’s vSphere 6.x is a branded data availability architecture that accurately replicates a VMware virtual machine on an alternate physical host in case of failure of the main host server.
Patching is the process of applying updates to system or application software. The purpose of patching is to improve the usability or performance of the software by fixing its security vulnerabilities and bugs. Organizations often hire a patch management team that identifies what patch should be applied to which system when necessary.
Which Safety Procedures Are Necessary for the Security+ Exam?
The safety of personnel and facilities is a prerequisite to an organization’s overall security endeavor. In addition to the safety of human life, providing physical security for infrastructure and other important assets is also essential. The important aspects of safety and security are discussed below.
Fencing: This is a device that marks a perimeter to differentiate between specifically protected and non-protected areas. Fencing involves the use of concrete walls, chain-link fences, barbed wire, stripes painted on the ground, or invisible perimeters, including laser beams and heat detectors.
Lighting: Although lighting isn’t a strong deterrent, it can be an effective security tool to discourage intruders, prowlers, and trespassers. For better results, lighting should be combined with CCTV, dogs, guards, or any other form of intrusion detection system.
Locks: The gates and doors should be locked properly through hardware locks, electronic locks, and conventional locks that employ traditional metal keys so that only authorized workers can unlock them. In addition, biometric locks are effective for authentication purposes. A biometric lock requires the user to present a biometric factor, such as a hand, finger, or retina, to the scanner. A person cannot enter a secured room unless his/her biometric factor is verified.
CCTV: Closed-circuit television (CCTV) is used to record the events within and/or outside the secured environment. Security management mostly installs CCTV cameras at the entry and exit points, resources, and other valuable assets in order to watch the movements of suspects.
Escape plans are designed to define the alternate routes for exits in the event of an emergency or disaster. Escape plans are often sketched on the maps placed on the walls of the facility. An effective escape plan properly maps the positions of fire extinguishers and identifies alternate routes with arrows and explicit instructions, rather than a vague and unclear guide. Other essential elements of an escape plan include smoke alarms, floor plan, clear escape routes, no elevators, and staff training.