ITPro.TV: CompTIA Security+ (SY0-601)

CompTIA Security+ Exam Cram

Today we’re going to read through three chapters of the Security+ Exam Cram:

Configuration Management

Configuration Management: The process of identifying, controlling, and auditing the creation and modification of an IT baseline.

Important pieces:

Security baselines can either be layered onto system baselines, or may be present from the beginning as part of the baseline for different system roles.

The Exam Cram emphasizes the importance of guarding against both intentional and unintentional “attacks” as part of the hardening process.

Data Loss Prevention

The Exam Cram emphasizes the role of not only the software controls that I’m more familiar with in service of DLP, but also hardware restrictions (for example, forbidding USB drive access).

Cloud Access Security Brokers

I’m mostly familiar with CASBs as a way of discovering and managing cloud usage. But Exam Cram explicitly situates them as primarily a DLP solution. More generally, they’re conceptualized as “extending on-prem security solutions to cloud systems”.

Encryption and Data Obfuscation

Apparently the term “data in processing” has come to supplant the notion of “data in use”, at least w.r.t. homomorphic encryption. This terminology difference appears to be an attempt to emphasize that humans can’t actually work directly with (“use”) encrypted data.

Other approaches to data minimization during processing:

I’m mostly familiar with tokenization as “using references rather than data”, but this doesn’t seem to fit into any of the definitions Exam Cram provides. If anything, in the Exam Cram universe, the difference between tokenization and masking seems to boil down to whether the substitute data is “human meaningful”.

Exam Cram situates masking as primarily a development strategy - no data reversing should be possible.

Interesting: The first 4 – 6 digits of a credit card number identify the issuing bank, and are thus not particularly sensitive.

Rights Management

DRM and IRM (“digital” vs. “information” rights management); the former is generally consumer facing, while the latter is used within organization. While DRM is based around tightly controlled encryption keys, IRM functions a lot more like device management. To a certain extent, the sharing capabilities within Google Drive (being able to control who can access the document in a fine-grained fashion, being able to revoke this access, being able to restrict printing, etc.) can be thought of as a form of IRM.

Encrypted Traffic Management

Basically, SSL intercept/MitM solutions.

Data Integrity

Hashing, signing, etc.

Oddly, the Exam Cram states that “[r]enaming the file … will produce different [hash] output”, which is not actually true (only the file contents, not its name on disk, will influence its hash).

Data Availability

Backups, disaster response/preparedness, etc.

Site Resiliency

Warm (backup) sites are generally shared by multiple organizations.

Cold (backup) sites are often just contracts for facilities.

Deception and Disruption

Exam Cram emphasizes that traditional honeypots are generally not used anymore, but all of their examples seem like they’re basically automated honeypot creation/maintenance.

Nature of Controls

This is about “controls” in the risk mitigation sense of the word.


Functional Use of Controls

Controls can be further divided into:

Compensating Controls

Basically, if you can’t (or won’t) implement a given control, what control(s) do you layer in instead to provide equivalent security guarantees?

Industry-Standard Frameworks and Reference Architectures

Regulatory and Non-Regulatory Requirements

The difference here boils down to: Which have teeth, and which are just fancy specifications?

Industry-Specific Frameworks

SOC = Service Organizational Control

Benchmarks and Secure Configuration Guides

CIS Critical Security Controls + related benchmarks and guides.