Kindle Notes & Highlights
Started reading
June 27, 2019
Disk redundancies. Fault-tolerant disks, such as RAID-1 (mirroring), RAID-5 (striping with parity), and RAID-10 (striping with a mirror), allow a system to continue to operate even if a disk fails.
Server redundancies. Failover clusters include redundant servers and ensure a service will continue to operate, even if a server fails.
In a failover cluster, the service switches from the failed server in a cluster to an operational server in the same cluster. Virtualization can also increase availability of servers by reducing unplanned downtime.
Load balancing. Load balancing uses multiple servers to support a single service, such as a high-volume web site.
Site redundancies. If a site can no longer function due to a disaster, such as a fire, flood, hurricane, or earthquake, the organization can move critical systems to an alternate site.
The alternate site can be a hot site (ready and available 24/7), a cold site (a location where equipment, data, and personnel can be moved to when needed), or a warm site (a compromise between a hot site and cold site).
Backups. If personnel back up important data, they can restore it if the original data is lost.
Alternate power. Uninterruptible power supplies (UPSs) and power generators can provide power to key systems even if commercial
Availability ensures that systems are up and operational when needed and often addresses single points of failure.
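The "Disk redundancies" item above says a RAID-5 array keeps operating when a disk fails but not why. The following Python model is an added example, not code from the book: it lays data out across N disks with one XOR parity unit per stripe (parity position rotated per stripe), then reads it back with any single disk marked as failed. The unit size, disk count and sample text are constructed for readability.

```python
"""RAID-5 parity in miniature.

Added example, not from the book. Data is split into UNIT-byte stripe units
across N disks; each stripe holds N-1 data units plus one XOR parity unit, and
the parity position rotates so no single disk becomes a write hotspot. Because
parity = XOR of the data units, any one missing unit (data or parity) equals
the XOR of the survivors, which is what lets the array keep serving reads in
degraded mode. Two simultaneous failures are unrecoverable (that is what the
second parity block in RAID-6 addresses).
"""
from typing import List, Optional

UNIT = 4  # bytes per stripe unit; constructed for readability, real arrays use 64 KiB or more


def xor_bytes(*chunks: bytes) -> bytes:
    """XOR equal-length byte strings together."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def parity_disk_for(stripe: int, ndisks: int) -> int:
    """Rotate parity across stripes: stripe 0 -> last disk, stripe 1 -> second last, ..."""
    return (ndisks - 1 - stripe) % ndisks


def raid5_write(data: bytes, ndisks: int) -> List[List[bytes]]:
    """Lay out data across ndisks; returns disks[d][stripe] -> unit bytes."""
    if ndisks < 3:
        raise ValueError("RAID-5 needs at least three disks")
    data_units = ndisks - 1
    stripe_bytes = UNIT * data_units
    padded = data + b"\x00" * (-len(data) % stripe_bytes)  # zero-pad to whole stripes
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(padded) // stripe_bytes):
        base = s * stripe_bytes
        units = [padded[base + k * UNIT: base + (k + 1) * UNIT] for k in range(data_units)]
        pdisk = parity_disk_for(s, ndisks)
        parity = xor_bytes(*units)
        nxt = iter(units)
        for d in range(ndisks):
            disks[d].append(parity if d == pdisk else next(nxt))
    return disks


def raid5_read(disks: List[Optional[List[bytes]]], length: int) -> bytes:
    """Reassemble the first `length` bytes; a None entry models a failed disk."""
    ndisks = len(disks)
    failed = [d for d, disk in enumerate(disks) if disk is None]
    if len(failed) > 1:
        raise RuntimeError("RAID-5 tolerates exactly one failed disk; data lost")
    nstripes = len(next(disk for disk in disks if disk is not None))
    out = bytearray()
    for s in range(nstripes):
        pdisk = parity_disk_for(s, ndisks)
        units = [disk[s] if disk is not None else None for disk in disks]
        if failed:
            # Degraded mode: rebuild the missing unit (data or parity) from the survivors.
            units[failed[0]] = xor_bytes(*[u for u in units if u is not None])
        out += b"".join(u for d, u in enumerate(units) if d != pdisk)
    return bytes(out[:length])


def survives_single_failure(data: bytes, ndisks: int, failed_disk: int) -> bool:
    """True when the data reads back intact with one disk removed."""
    disks: List[Optional[List[bytes]]] = list(raid5_write(data, ndisks))
    disks[failed_disk] = None
    return raid5_read(disks, len(data)) == data


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"  # constructed sample
    for d in range(4):
        print(f"disk {d} failed -> data intact: {survives_single_failure(sample, 4, d)}")
```

Running it shows the data intact whichever of the four disks is removed, and a second failure raises. Note what parity does not cover: a deleted or encrypted (ransomware) file is written faithfully to every disk, so RAID is an availability control against hardware failure and is not a substitute for the backups item below.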
If this is possible, why not just encrypt all the data? The reason is that encryption consumes resources, mainly processing time to encrypt and decrypt and the work of generating, storing, and rotating keys.
As an example, the above paragraph is about 260 characters. Encrypted and then encoded as printable text, it is about 360 characters, an increase of about 40 percent. That growth is typical when ciphertext is stored as text: Base64 emits 4 characters for every 3 bytes, and a fixed IV or nonce is prepended to each message. The cipher itself produces ciphertext the same size as the plaintext (rounded up to the block size for padded block modes). A company that stores all of its data as text-encoded ciphertext therefore needs roughly 40 percent more storage, while full-disk or database-level encryption of raw bytes adds almost none; either way it pays the processing cost of encrypting and decrypting everything.
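To separate the two sources of growth mentioned above, here is an added example (not code from the book). It uses a toy stream cipher built from HMAC-SHA256 in counter mode so that it runs with the Python standard library alone; the 16-byte nonce, the demo key and the 260-byte stand-in paragraph are constructed assumptions. The size behaviour it measures is the same as for AES-CTR or any stream cipher: n bytes in, n bytes out, plus a fixed nonce.

```python
"""Ciphertext size versus text-encoded size.

Added example, not from the book. The cipher here is a toy: HMAC-SHA256 in
counter mode as a keystream, XORed with the plaintext. It is for measuring
sizes only (no authentication tag, so do not reuse it for real data). The
familiar "about 40 percent bigger" figure appears only after Base64 encoding,
which emits 4 characters per 3 bytes of ciphertext.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

NONCE_LEN = 16  # assumption for this toy; AES-GCM uses 12 bytes, AES-CBC a 16-byte IV


def _keystream(key: bytes, nonce: bytes, nbytes: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) concatenated until long enough."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:nbytes])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || (plaintext XOR keystream); output is len(plaintext) + NONCE_LEN bytes."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Strip the nonce, regenerate the keystream, XOR back to plaintext."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def roundtrip_ok(plaintext: bytes) -> bool:
    """Sanity check that decrypt(encrypt(x)) == x under a constructed demo key."""
    key = hashlib.sha256(b"demo key (constructed)").digest()
    return decrypt(key, encrypt(key, plaintext)) == plaintext


def overhead_report(plaintext: bytes) -> Dict[str, float]:
    """Compare raw ciphertext growth with growth after Base64 text encoding."""
    key = hashlib.sha256(b"demo key (constructed)").digest()
    ct = encrypt(key, plaintext)
    b64 = base64.b64encode(ct)
    n = len(plaintext)
    return {
        "plaintext_bytes": n,
        "ciphertext_bytes": len(ct),        # n + NONCE_LEN: the cipher adds nothing else
        "base64_chars": len(b64),           # 4 * ceil(len(ct) / 3)
        "binary_growth_pct": round(100 * (len(ct) - n) / n, 1),
        "text_growth_pct": round(100 * (len(b64) - n) / n, 1),
    }


if __name__ == "__main__":
    paragraph = b"x" * 260  # constructed stand-in for the 260-character paragraph
    print(overhead_report(paragraph))
```

For a 260-byte input the report gives 276 bytes of ciphertext (about 6 percent growth, all of it the nonce) but 368 Base64 characters (about 41 percent growth), which is where figures like the one above come from. Full-disk encryption stores raw ciphertext sectors and so needs no extra capacity; the cost it imposes is CPU time and key management, not disk space.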
Risk is the possibility or likelihood of a threat exploiting a vulnerability resulting in a loss.
A threat is any circumstance or event that has the potential to compromise confidentiality, integrity, or availability.
vulnerability is a ...
hardware, the software, the configuration, or even the users o...
A security incident is an adverse event or series of events that can negatively affect the confidentiality, integrity, or availability of an organization’s information technology (IT) systems and data.
This includes intentional attacks, malicious software (malware) infections, accidental data loss, and much more.
Risk mitigation reduces the chances that a threat will exploit a vulnerability.
You can’t prevent most threats.
However, you can reduce risk by reducing vulnerabilities to the threat, or by reducing the impact of the threat.
Risk is the likelihood that a threat will exploit a vulnerability. Risk mitigation reduces the chances that a threat will exploit a vulnerability, or reduces the impact of the risk, by implementing security controls.
• Technical controls use technology.
• Administrative controls use administrative or management methods.
• Physical controls refer to controls you can physically touch.
• Preventive controls attempt to prevent an incident from occurring.
• Detective controls attempt to detect incidents after they have occurred.
• Corrective controls attempt to reverse the impact of an incident.
• Deterrent controls attempt to discourage individuals from causing an incident.
• Compensating controls are alternative controls used when a primary control is not feasible.
The first three control types in the list (technical, administrative, and physical) refer to how the security controls are implemented. The remaining control types refer to the goals of the security control.
An administrator installs and configures a technical control, and the technical control then provides the protection automatically.
Encryption. Encryption is a strong technical control used to protect the confidentiality of data.
Antivirus software. Once installed, the antivirus software provides protection against malware infection.
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). IDSs and IPSs can monitor a network or host for intrusions and provide ongoing protection against various threats.
Firewalls. Network firewalls restrict network traffic going in and out of a network.
Least privilege. The principle of least privilege specifies that individuals or processes are granted only the privileges they need to perform their assigned tasks or functions, but no more.
Administrative controls use methods mandated by organizational policies or other guidelines.
Risk assessments. Risk assessments help quantify and qualify risks within an organization so that the organization can focus on the serious risks.
Vulnerability assessments. A vulnerability assessment attempts to discover current vulnerabilities or weaknesses.
Penetration tests. These go a step further than a vulnerability assessment by attempting to exploit vulnerabilities.
Awareness and training. The importance of training to reduce risks cannot be overstated.
Configuration and change management. Configuration management often uses baselines to ensure that systems start in a secure, hardened state.
methods that help an organization plan and prepare for potential system outages.
Media protection. Media includes physical media such as USB flash drives, external and internal drives, and backup tapes.
Physical and environmental protection. This includes physical controls, such as cameras and door locks, and environmental controls, such as heating and ventilation systems.
The National Institute of Standards and Technology (NIST) is a part of the U.S. Department of Commerce. Its Information Technology Laboratory (ITL) includes the Computer Security Division, which publishes the Special Publications (SPs) in the 800 series that are of general interest to the computer security community.
SP 800-53 Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” catalogs the controls organized into families; it has since been superseded by Revision 5 (September 2020), which drops “Federal” from the title. The Access Control family (AC), for example, includes 25 different controls (AC-1 through AC-25).
It’s worth noting that SP 800-53 Revision 3 attempted to identify every control as technical, management, or operational.
If you’re interested in pursuing other security-related certifications or making IT security a career, the SP 800 documents are well worth your time. You can download SP 800-53 Revision 4 and other SP 800 documents at http://csrc.nist.gov/publications/PubsSPs.html.
Hardening. Hardening is the practice of making a system or application more secure than its default configuration.
Security awareness and training. Ensuring that users are aware of security vulnerabilities and threats helps prevent incidents.
Security guards. Guards prevent and deter many attacks.
Change management. Change management ensures that changes don’t result in unintended outages.
Account disablement policy. An account disablement policy ensures that user accounts are disabled when an employee leaves.