CompTIA Security+ (SY0-061)


1. Risk Management

1.1. Risk Management Concepts

1.1.1. Risk Vector

1.1.1.1. Definition

1.1.1.1.1. The specific technique or path an attacker uses to break into a computer system or network

1.1.1.2. Mission-Critical IT systems

1.1.1.2.1. Payment processing

1.1.1.2.2. Human resources

1.1.1.2.3. Emergency systems

1.1.1.3. Sensitive data

1.1.1.3.1. Do we know what we have and where it is?

1.1.1.4. 3rd Party Access

1.1.1.4.1. Contractors

1.1.2. Physical Risk Vectors

1.1.2.1. Access control vestibules (Mantraps)

1.1.2.2. Server Room Access

1.1.2.3. Limit USB bootable devices

1.1.3. Risk Management Frameworks (RMFs)

1.1.3.1. Definition

1.1.3.1.1. A guidebook that businesses use to identify and manage risk

1.1.3.2. Center for Internet Security (CIS)

1.1.3.2.1. Publishes cybersecurity best practices

1.1.3.3. NIST Risk Management Framework (RMF) / Cybersecurity Framework (CSF)

1.1.3.3.1. Cybersecurity risk management

1.1.3.3.2. Lifecycle

1.1.3.4. International Organization for Standardization / International Electrotechnical Commission (ISO/IEC)

1.1.3.4.1. 27001/27002/27701/31000

1.1.3.4.2. IT system and information security

1.1.3.5. NIST Special Publication (SP) 800-30, Rev. 1

1.1.3.5.1. Guide for Conducting Risk Assessments

1.1.4. Financial RMFs

1.1.4.1. Statement on Standards for Attestation Engagements (SSAE) System and Organization Controls (SOC 2)

1.1.4.1.1. Financial statement integrity

1.1.4.1.2. Internal Controls

1.1.4.1.3. Type I and Type II

1.1.5. Data Privacy Regulations and Standards

1.1.5.1. General Data Protection Regulation (GDPR)

1.1.5.1.1. Protects EU citizens' private data

1.1.5.2. Health Insurance Portability and Accountability Act (HIPAA)

1.1.5.2.1. Protects American patient medical information

1.1.5.3. Payment Card Industry Data Security Standard (PCI DSS)

1.1.5.3.1. Protects cardholder information

1.1.5.3.2. pcicomplianceguide.org

1.1.6. Types of Security Policies

1.1.6.1. Acceptable use policy (AUP)

1.1.6.1.1. E-mail, social media, Web browsing

1.1.6.2. Resource access policies

1.1.6.2.1. App or file access

1.1.6.3. Account policies

1.1.6.3.1. Account hardening

1.1.6.4. Data retention policies

1.1.6.4.1. Often dictated by regulations

1.1.6.5. Change Control policies

1.1.6.6. Access management policies

1.2. Security Controls

1.2.1. Security Controls

1.2.1.1. A solution that mitigates a threat

1.2.1.1.1. A malware scanner mitigates malware infections

1.2.1.2. Implemented differently depending on platform, vendor, and user

1.2.1.2.1. Network infrastructure devices

1.2.2. Security Control Categories

1.2.2.1. Managerial/administrative

1.2.2.1.1. What should be done?

1.2.2.1.2. Employee background checks

1.2.2.2. Operational

1.2.2.2.1. How often must we do it?

1.2.2.2.2. Periodic review of security policies

1.2.2.3. Technical

1.2.2.3.1. How exactly will we do it?

1.2.2.3.2. Firewall rule configuration

1.2.2.4. Physical

1.2.2.4.1. Access control vestibule (Mantrap)

1.2.2.5. Detective

1.2.2.5.1. Log analysis

1.2.2.6. Corrective

1.2.2.6.1. Patching known vulnerabilities

1.2.2.7. Deterrent

1.2.2.7.1. Device logon warning banners

1.2.2.8. Compensating

1.2.2.8.1. An alternative security control chosen in place of the primary one

1.2.3. Cloud Security Control Documents

1.2.3.1. Cloud Security Alliance (CSA)

1.2.3.1.1. Cloud Controls Matrix (CCM)

1.2.4. Security Control Documents

1.2.4.1. Payment Card Industry Data Security Standard (PCI DSS)

1.2.4.1.1. Security controls must be in place to be compliant

1.2.5. Risk Example

1.2.5.1. Risk

1.2.5.1.1. Theft of online banking credentials

1.2.5.2. Attack Vector

1.2.5.2.1. Spoofed e-mail message with a link to a spoofed website that tricks an end user

1.2.5.3. Mitigation through security controls

1.2.5.3.1. User security awareness

1.2.5.3.2. Antivirus software

1.2.5.3.3. Spam Filters