SEC+ preparation #2


Intro
Let’s jump into the next day of preparing for SEC+.
Before beginning, I just want to give credit to Master OTW at Hackers-Arise. I really enjoy how he describes data. A real professional.
You can purchase Security+ SY0-701 boot camp here
Main differences between SEC 601 and 701
In basic words, it’s an update that covers the latest trends and techniques in use now.
The exam did not change; it just got updated in two topics:
Current trends
Hybrid environments - this is when we talk about cloud infrastructure together with on-premises infrastructure. The exam has been updated for cloud environments.
CISSP certification
It’s the “crown” certification for a cybersecurity professional.
You can take it only when you have 5 years of experience in the cybersecurity industry.
Generally it covers similar ground to Sec+, but it gets into more detail. More depth.
SEC+
Sec+ is a really good starting point for people wanting to get into the industry.
Why Sec+? Let’s see:
It is a vendor-neutral certification. By contrast, a vendor certification such as Cisco’s teaches how to secure Cisco devices.
It is globally recognized.
It gives foundational security knowledge.
It is really important to understand the concepts behind Security+, not just pass the exam. If you don’t, this career will be difficult.
Structure of exam:
90 questions (90 minutes)
Passing score is 750 on a scale of 100-900
You can take the exam at Pearson VUE certified test centers
It is really important to know the acronyms before taking the exam. Some of the places where you can find them are:
https://www.comptia.org/content/guide/information-technology-terminology#section3
https://www.getcertifiedgetahead.com/appendix-f - good place
CompTIA Sec+ is valid for 3 years. After that period you need to renew your certification, because the information gets updated.
There are also continuing education programs for Sec+.
There are continuing education units which you have to acquire. CE has a fee of 49$ that is paid to CompTIA. It’s there to keep your knowledge current.
Key security concepts
The CIA triad
Confidentiality
- Only the intended people get access to the data
Integrity
Detect changes to the stored data (hashes are used for this scenario. For example, when a single bit changes in a file, the hash of the file changes dramatically. A hash is kind of a fingerprint of a file)
Detects deletion and creation as well.
Availability
Having access when it is needed, and also where it is needed
It is closely related to the SLA (Service Level Agreement)
It’s important to understand that when you tighten confidentiality, you lose availability. In other words, when you push hard on one part of the triad, you tend to give something up on another.
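To make the integrity bullet concrete, here is an added example (not from the original post): a small manifest-based integrity checker. It hashes every file under a directory with SHA-256, then compares a later snapshot against the baseline to report modified, deleted and created files, and shows that flipping a single bit changes the fingerprint. The sample files and the `flip_one_bit` helper are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its current digest."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_integrity(root, baseline):
    """Compare the tree under root against a stored baseline manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "deleted": sorted(n for n in baseline if n not in current),
        "created": sorted(n for n in current if n not in baseline),
    }


def differing_bits(hex_a, hex_b):
    """Count how many of the 256 digest bits differ between two hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def flip_one_bit(path):
    """Simulate a one-bit corruption (constructed for the demo): flip bit 0 of byte 0."""
    data = bytearray(Path(path).read_bytes())
    data[0] ^= 0x01
    Path(path).write_bytes(bytes(data))


def demo():
    """Build a constructed sample tree, take a baseline, tamper, and re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "config.txt").write_text("allow_admin=false\n")  # constructed sample
        (root / "old.log").write_text("to be deleted\n")           # constructed sample
        baseline = build_manifest(root)
        before = baseline["config.txt"]
        flip_one_bit(root / "config.txt")       # modification: one bit changed
        (root / "old.log").unlink()             # deletion
        (root / "new.bin").write_bytes(b"\x00\x01")  # creation
        return check_integrity(root, baseline), before, sha256_file(root / "config.txt")
```

Running `demo()` reports `config.txt` as modified even though only one bit changed, and the two digests differ in roughly half of their 256 bits.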
The DAD triad
Disclosure - the exposure of sensitive information to people who shouldn’t see it. In other words, data loss. Attackers who remove information from an organization perform data exfiltration (hackers usually want to exfiltrate the data). Disclosure may also happen accidentally, because of misconfigured access controls or an employee losing an organization device.
Alteration - it may occur because of natural activity, for example a power surge. Then files get modified.
Denial - a disruption of authorized access to the information; events that violate the principle of availability. It can be intentional. For example, DDoS (Distributed Denial-of-Service) attacks do that. These attacks are not always distributed: a single person can DoS a server.
Breach impact
Impact of a security incident (risks to the entire organization, not only to cybersecurity):
Financial - the organization loses money. For example, intellectual property gets stolen. Chinese actors like to do that.
Reputational - if the organization gets hacked and we lose customer info, reputation gets damaged. Later on it can lead to financial risk.
Strategic - for example, an employee loses a device and there’s new project info on the device. The organization loses its strategy for developing the new project, and there’s a possibility of a breach.
Operational - a flood or fire is an operational risk: when you cannot carry out operations on the data. If the server room is flooded, your data is at risk.
Compliance - when a security breach breaks the compliance rules. If you don’t do certain things, you cannot use certain things. For example, credit cards.
Risks will not necessarily fit into the categories we’ve talked about.
Implementing Security Controls
Every organization has its own risk landscape: technical (IT) and business (managers).
What’s the best way to keep the organization safe? It’s easy to keep it safe, but it also has to be functional and it has to make money. The ultimate objective is to make money. We need to balance security controls against making money.
Top-level people are the CEO (Chief Executive Officer), CTO (Chief Technical Officer), and in some organizations a CISO (Chief Information Security Officer).
Gap analysis
Current state > Future state > GAP > Improve
If the controls do not meet the objectives, there’s a gap: the gap between the objective and the control.
It’s when we look at what the objectives are, what’s in place, and what is missing. That’s the gap.
Security control categories
Technical controls - map onto the CIA triad (Confidentiality, Integrity, Availability). Firewalls, encryption, IDS (Intrusion Detection System, for example Snort).
Operational controls - access reviews, log management
Managerial controls - administrative controls, risk assessments (what does the risk look like? usually they are periodic), security exercises
Physical controls - it is really important to keep physical access secure.
It is also important to master social engineering. Over 80% of hacks happened because of an element of social engineering. If you’re a defender you absolutely cannot ignore it. If you’re a hacker you shouldn’t ignore it either.
Security control types
Preventive controls - intended to stop a security issue before it occurs. Firewalls.
Deterrent controls - they discourage an attacker from attempting the attack in the first place. Lighting, alarms.
Detective controls - if something has already occurred, they detect it. IDS.
Corrective controls - if an attack occurred, we need to fix it. Restore info from backups. You must test your backups.
Compensating controls - you cannot get rid of all of the risk. You must accept some of it. Organizations decide what risks they accept and then mitigate the rest. Doing backups every day instead of every week.
- Accepted risk is a risk where, for example, to save 200.000 I need to spend 2.000.000. I’d rather choose to lose the 200.000.
Directive controls - security policies (every organization now has to have them). How we manage our security.
Data protection
Data at rest - hard drives, cloud storage
Data in transit - data that’s moving over the network. That’s where encryption comes in. There’s always a possibility that there is someone in the middle.
Data in use - data that is being used by computers; data that is stored in computer memory. For example, the data I use now while writing this blog post.
Data encryption
This is a key part of security operations (and it relies on a cryptographic key). Clear text is converted to unreadable text. It is encrypted with a key.
- Encrypted data is data that you cannot understand without the key.
RAM holds data too, so data in use is also something to protect.
