CompTIA Security+ SY0-701

Complete Study Guide - All 5 Domains

Exam format: 90 minutes, up to 90 questions, passing score 750 on a 100-900 scale
Domain 1: General Security Concepts

12% of exam • Foundation of security principles

1.1 Security Control Categories and Types

Control Categories

The "How": who or what implements the control
Technical (Logical)

Implemented via hardware or software mechanisms.

  • Firewalls
  • Encryption
  • IDS/IPS
Managerial (Administrative)

Directives, guidelines, and policies set by management.

  • Policies
  • Risk Assessments
  • Training
Operational

Day-to-day processes carried out by people rather than by systems (SY0-701 lists this as a fourth category alongside the other three).

  • Incident response procedures
  • Log review
  • Backup and patch routines
Physical

Tangible mechanisms protecting the facility and hardware.

  • Locks
  • Fences
  • Guards

Control Function Types

The "When"
Preventive

Stop attack before it happens

Detective

Identify attack during/after

Corrective

Restore after attack

Deterrent

Discourage attacker

Compensating

Alternative control

Directive

Rules & compliance

Exam Tip

Controls can be multiple types! A camera is Detective (records video) but also Deterrent (people see it and behave).

1.2 Fundamental Security Concepts

The CIA Triad

Confidentiality

Encryption, Access Controls, Steganography

Integrity

Hashing, Digital Signatures, Checksums

Availability

Redundancy, Backups, Patching

AAA Framework

  • AuthN
    Authentication "Who are you?" (Password, Biometrics)
  • AuthZ
    Authorization "What can you do?" (Permissions)
  • Acct
    Accounting "What did you do?" (Logs)

Zero Trust

"Never trust, always verify"

Verify explicitly
Least privilege access
Assume breach

Non-repudiation

Proof of origin and integrity. The sender cannot deny sending the message.

Key Tech: Digital Signatures (Private Key signs hash)

1.3 Change Management

Request & Review

Submit a formal request. Identify risks, impact, and dependencies.

Approval (CAB)

The Change Advisory Board reviews and approves/denies the change.

Test & Implement

Test in sandbox. Deploy in maintenance window. Have a Backout Plan ready!

1.4 Cryptographic Solutions

Symmetric

One shared key for encryption & decryption. Fast; the hard part is getting the key to the other party securely.

  • AES: Current standard (128/192/256-bit keys)
  • 3DES: Legacy, deprecated; replace with AES
  • ChaCha20: Stream cipher, fast without hardware AES support (mobile/IoT); normally paired with Poly1305 for authentication

Asymmetric

Key pair. For confidentiality the public key encrypts and only the private key decrypts; for signatures the private key signs and the public key verifies. Much slower than symmetric, so it is typically used to exchange a symmetric session key.

  • RSA: Standard (2048-bit minimum)
  • ECC: Same strength with much shorter keys (a 256-bit curve is comparable to 3072-bit RSA), so efficient on mobile

Hashing (Integrity)

One-way, fixed-length fingerprint of data. It cannot feasibly be reversed, and a sound hash makes it infeasible to find two inputs with the same digest.

  • SHA-256: Secure
  • MD5: Broken (practical collisions exist); do not use for integrity or signatures

PKI Components

  • CA: Certificate Authority. Signs & issues certs; its own certificate is the trust anchor.
  • CSR: Certificate Signing Request. Carries the public key and identity details, sent to the CA.
  • CRL: Certificate Revocation List. Certs revoked before their expiry are listed here; clients check it (or OCSP) before trusting a cert.
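The three primitives above (hashing for integrity, a shared symmetric key, and a private key signing a hash for the non-repudiation described in 1.2), as an added Go example that is not part of the original guide. It uses only the Go standard library: SHA-256 for the fingerprint, AES-256-GCM for symmetric encryption, and RSA-2048 with PKCS#1 v1.5 for the signature. The sample message, the one-byte tampering step and the function names are constructed for this illustration.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"io"
)

// Fingerprint: one-way SHA-256 digest (hashing, 1.4). Any change to the input changes it.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptGCM: symmetric, one shared key (AES-256-GCM). Returns nonce || ciphertext || tag.
func EncryptGCM(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // random; must never repeat under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptGCM reverses EncryptGCM with the same key; GCM rejects any modified ciphertext.
func DecryptGCM(key, sealed []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := aead.NonceSize(); len(sealed) >= n {
		return aead.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// SignMessage: non-repudiation (1.2). The private key signs the SHA-256 hash of the message.
func SignMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyMessage: anyone holding the public key can check the signature.
func VerifyMessage(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

type DemoResult struct {
	DecryptedMatches, TamperedHashDiffers, SignatureValid, TamperedMessageRejected bool
}

// RunDemo exercises all three primitives on a constructed message.
func RunDemo() (DemoResult, error) {
	var r DemoResult
	msg := []byte("Transfer 10,000 USD to account 12345") // constructed sample
	tampered := append([]byte(nil), msg...)
	tampered[9] = '9' // "10,000" -> "90,000": a one-byte change an integrity check must catch
	r.TamperedHashDiffers = Fingerprint(msg) != Fingerprint(tampered)
	key := make([]byte, 32) // fresh AES-256 shared key from the OS CSPRNG
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return r, err
	}
	sealed, err := EncryptGCM(key, msg)
	if err != nil {
		return r, err
	}
	plain, err := DecryptGCM(key, sealed)
	r.DecryptedMatches = err == nil && string(plain) == string(msg)
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // 2048-bit minimum, as in 1.4
	if err != nil {
		return r, err
	}
	sig, err := SignMessage(priv, msg)
	if err != nil {
		return r, err
	}
	r.SignatureValid = VerifyMessage(&priv.PublicKey, msg, sig)
	r.TamperedMessageRejected = !VerifyMessage(&priv.PublicKey, tampered, sig)
	return r, nil
}
```

The signature is computed over the hash rather than the whole message, which is why the PKI entry above says "private key signs hash": the verifier recomputes the SHA-256 of what it received, so a single changed byte makes the signature fail, and because only the holder of the private key could have produced it, the sender cannot later deny signing.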
Domain 2: Threats, Vulnerabilities & Mitigations

22% of exam • Second-largest domain (Security Operations, at 28%, is the largest) - Know your attacks!

2.1 Threat Actors & Motivations

Nation-State

Government-sponsored, highly sophisticated (APT).

Espionage, Warfare

Organized Crime

Well-funded criminal syndicates.

Financial Gain

Hacktivists

Politically or socially motivated.

Ideology, Change

Insider Threat

Employees, contractors, partners.

Revenge, Accident

Script Kiddies

Unskilled, use existing tools.

Bragging Rights

Common Attack Vectors

  • Email/Phishing
  • Removable Media
  • Supply Chain
  • Cloud
  • Direct Access

2.2 Common Attack Types

Social Engineering

Phishing

Generic email attacks.

Spear Phishing

Targeted at specific person.

Whaling

Targeting executives (C-Level).

Vishing/Smishing

Voice or SMS phishing.

Scenario: The Urgent CEO

An email claiming to be from the CEO asks a finance employee for an urgent wire transfer. This is Business Email Compromise (BEC): impersonation of an executive combined with the urgency and authority principles of social engineering. Keep it distinct from whaling, where the executive is the target of the phishing rather than the impersonated sender.

Malware Types

Ransomware

Encrypts data, demands $$$.

Trojan

Hidden in useful software.

Worm

Self-replicating network spreader.

Rootkit

Kernel-level, hides processes.

Network & App Attacks

  • DDoS: Overwhelm availability
  • MITM (on-path attack): Intercept or alter traffic between two parties
  • SQL Injection: Database manipulation through unsanitized input
  • XSS: Attacker-supplied script executed in the victim's browser
  • CSRF: Tricks an authenticated user's browser into performing unwanted actions
  • Buffer Overflow: Memory corruption by writing past a buffer's bounds

2.3 Vulnerabilities

Zero-Day

No patch exists yet. High risk.

Misconfiguration

Default passwords, open ports.

Legacy Platforms

End-of-life (EOL) systems.

2.4 Indicators (IoC vs IoA)

IoC (Indicator of Compromise)

"It happened." Artifacts left behind by an intrusion.

  • Known-bad IP
  • File hash
  • Log entries

IoA (Indicator of Attack)

"It is happening." Behaviour that reveals an attack in progress.

  • Port scan
  • Beaconing
  • Lateral movement
Domain 3: Security Architecture

18% of exam • Design secure systems and infrastructure

3.1 Architecture Models

Cloud Service Models

IaaS

Infrastructure as a Service

  • Virtual Machines
  • Storage & Network

You Manage: OS, Apps, Data

PaaS

Platform as a Service

  • Dev Tools
  • Runtime Env

You Manage: Apps, Data

SaaS

Software as a Service

  • Email (O365)
  • CRM (Salesforce)

You Manage: Data, Access

Modern Infrastructure

Serverless

Code runs on-demand. No OS management. (AWS Lambda)

Containerization

Isolated apps sharing OS kernel. (Docker, K8s)

IaC (Infrastructure as Code)

Managing infra via scripts. (Terraform, Ansible)

Microservices

App broken into small, independent services.

3.2 Enterprise Infrastructure

Network Devices

  • Firewall: Filters traffic (L3/L4/L7)
  • IDS/IPS: Detects/blocks attacks
  • Proxy: Intermediary (privacy/caching)
  • Load Balancer: Distributes load (availability)

Segmentation

VLAN

Logical separation

DMZ (screened subnet)

Public-facing buffer network between the internet and the internal LAN

Air Gap

Physical isolation

VPN

Secure tunnel

Secure Protocols

Protocol  Port  Use Case
HTTPS     443   Secure Web
SSH       22    Remote Admin
LDAPS     636   Directory Services
RDP       3389  Windows Remote (secure only with TLS and Network Level Authentication enabled)

3.3 Data Protection

1. At Rest

Storage. Use Disk Encryption.

2. In Transit

Moving across the network. Use TLS/VPN.

3. In Use

Being processed in memory. Use memory encryption or a secure enclave (TEE).

DLP (Data Loss Prevention)

Detects and blocks sensitive data exfiltration (e.g., blocking credit card numbers in emails).

3.4 Resilience & Recovery

RTO

Max Downtime

RPO

Max Data Loss

Backup Types

  • Full: Slow backup / fast restore (one backup set)
  • Incremental: Fast backup / slow restore (last full plus every incremental since)
  • Differential: Moderate / moderate (last full plus the latest differential)
Domain 4: Security Operations

28% of exam • Largest domain - Day-to-day security

4.1 Security Techniques

System Hardening Checklist

Endpoint Defense

EDR

Endpoint Detection & Response. Behavioral analysis & automated response.

XDR

Extended Detection & Response. Correlates data across Endpoint, Network, Cloud.

Antivirus (AV)

Signature-based. Good for known threats.

4.3 Vulnerability Management

CVSS Scoring (qualitative severity bands)

  • None: 0.0
  • Low: 0.1-3.9
  • Medium: 4.0-6.9
  • High: 7.0-8.9
  • Critical: 9.0-10.0

Scanning Methods

  • Credentialed: Logs in to the host; deep / accurate
  • Non-credentialed: Outside view only; surface / fast
  • Agent-based: Software on the host; continuous

Pen Testing

  • Black Box (unknown environment): No knowledge
  • Gray Box (partially known environment): Partial knowledge
  • White Box (known environment): Full knowledge

4.4 Monitoring & Alerting

SIEM

Log Aggregation & Correlation. (Splunk, Sentinel)

SOAR

Orchestration & Automation. (Auto-response scripts)

  • True Positive: Real attack detected
  • False Negative: Attack missed (bad!)
  • False Positive: False alarm
  • True Negative: Quiet & safe
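The IoC/IoA split from 2.4 and the SIEM correlation described above, as an added Go example that is not part of the original guide: a tiny correlation engine parses constructed authentication log lines, raises an IoC alert for any event from a blocklisted address ("it happened"), and raises an IoA alert only when several failures from one source are followed by a success inside a short window ("it is happening"). The log lines, the blocklist entry, the threshold, the window and the function names are all constructed for this illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one normalized log record, the form a SIEM holds after parsing.
type Event struct {
	At                time.Time
	Src, User, Action string // Action is login_failed or login_ok
}

// knownBadIPs stands in for a threat-intel feed of IoCs (constructed, not real intel).
var knownBadIPs = map[string]bool{"198.51.100.23": true}

// sampleLogs are constructed auth records: timestamp, source IP, user, outcome.
const sampleLogs = `2024-03-01T10:00:01Z 203.0.113.5 alice login_failed
2024-03-01T10:00:09Z 203.0.113.5 alice login_failed
2024-03-01T10:00:15Z 203.0.113.5 alice login_failed
2024-03-01T10:00:22Z 203.0.113.5 alice login_failed
2024-03-01T10:00:31Z 203.0.113.5 alice login_failed
2024-03-01T10:00:40Z 203.0.113.5 alice login_ok
2024-03-01T10:05:00Z 192.0.2.10 bob login_failed
2024-03-01T10:05:20Z 192.0.2.10 bob login_ok
2024-03-01T10:09:00Z 198.51.100.23 carol login_ok`

type Alert struct {
	Kind   string // ioc_match or ioa_bruteforce
	Src    string
	Detail string
}

// ParseLogs turns raw text into time-ordered events. Malformed lines are an
// error rather than silently dropped: a parser that drops lines hides attacks.
func ParseLogs(raw string) ([]Event, error) {
	var events []Event
	for i, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", i+1, len(f))
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		events = append(events, Event{At: at, Src: f[1], User: f[2], Action: f[3]})
	}
	sort.Slice(events, func(a, b int) bool { return events[a].At.Before(events[b].At) })
	return events, nil
}

// IoCMatches: "it happened" evidence. Any event from a blocklisted source is an
// alert regardless of what the event itself looks like.
func IoCMatches(events []Event) []Alert {
	var out []Alert
	for _, e := range events {
		if knownBadIPs[e.Src] {
			out = append(out, Alert{"ioc_match", e.Src, "source on threat-intel blocklist (" + e.Action + ")"})
		}
	}
	return out
}

// BruteForceIoA: "it is happening" behaviour. A success preceded by at least
// threshold failures from the same source within window is one correlated
// alert; no single failure would be. The threshold trades false positives
// (a user mistyping a password) against false negatives (a slow attacker).
func BruteForceIoA(events []Event, threshold int, window time.Duration) []Alert {
	var out []Alert
	for i, ok := range events {
		if ok.Action != "login_ok" {
			continue
		}
		failures := 0
		for _, e := range events[:i] { // events are sorted, so these all precede ok
			if e.Src == ok.Src && e.Action == "login_failed" && ok.At.Sub(e.At) <= window {
				failures++
			}
		}
		if failures >= threshold {
			out = append(out, Alert{"ioa_bruteforce", ok.Src,
				fmt.Sprintf("%d failures then success for %s within %s", failures, ok.User, window)})
		}
	}
	return out
}

// Correlate runs both rules over the raw log, as a SIEM correlation search would.
func Correlate(raw string) ([]Alert, error) {
	events, err := ParseLogs(raw)
	if err != nil {
		return nil, err
	}
	alerts := IoCMatches(events)
	return append(alerts, BruteForceIoA(events, 5, 2*time.Minute)...), nil
}
```

With a threshold of 5 in a two-minute window, alice's session is flagged and bob's two mistyped passwords are not. Lowering the threshold to 1 also flags bob, which is the false-positive row of the table above; raising it above 5 misses alice, a false negative. Tuning that rule is the everyday SIEM work the table describes.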

4.5 Identity & Access Management

Something You Know

Password, PIN

Something You Have

Token, Phone

Something You Are

Biometrics

Access Models

  • DAC Owner decides
  • MAC Labels (Top Secret)
  • RBAC Roles/Groups
  • ABAC Attributes (Time/Loc)
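RBAC versus ABAC from the list above, as an added Go example rather than anything from the original guide. The role table, the 10.0.0.0/8 "corporate network" range and the business-hours rule are assumptions made for the illustration. RBAC answers only whether one of the user's roles grants the action; ABAC keeps that check and adds time and source-network attributes, so the same payroll_admin credential is refused at 03:00 or from outside the corporate range.

```go
package main

import (
	"net"
	"time"
)

// Request is the input to an access decision. RBAC looks only at User and
// Action; ABAC also uses the environment attributes At and SrcIP.
type Request struct {
	User, Action, Resource string
	At                     time.Time
	SrcIP                  string
}

// Constructed role data: who holds which role, and what each role may do.
var userRoles = map[string][]string{"alice": {"payroll_admin"}, "bob": {"payroll_viewer"}}

var rolePerms = map[string]map[string]bool{
	"payroll_admin":  {"read": true, "write": true},
	"payroll_viewer": {"read": true},
}

// corpNet is the assumed corporate address range used as the "location" attribute.
var _, corpNet, _ = net.ParseCIDR("10.0.0.0/8")

// RBACAllows: does any role held by the user grant the action? Nothing else is considered.
func RBACAllows(r Request) bool {
	for _, role := range userRoles[r.User] {
		if rolePerms[role][r.Action] {
			return true
		}
	}
	return false
}

// ABACAllows keeps the role check and adds attribute conditions: writes to the
// payroll resource are permitted only 09:00-17:59 UTC and only from corpNet.
func ABACAllows(r Request) bool {
	if !RBACAllows(r) {
		return false
	}
	if r.Resource != "payroll" || r.Action != "write" {
		return true // only payroll writes carry the extra conditions in this policy
	}
	ip := net.ParseIP(r.SrcIP)
	h := r.At.UTC().Hour()
	return h >= 9 && h < 18 && ip != nil && corpNet.Contains(ip)
}
```

The exam framing is that DAC and RBAC decide from identity alone, while ABAC can also say "not now" or "not from there", which is how least privilege gets tightened without creating more roles.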

Protocols

  • SAML: SSO via XML assertions between identity provider and service provider
  • OAuth 2.0: Delegated authorization (grants an app limited access without sharing the password)
  • OIDC: Authentication layer built on top of OAuth 2.0
  • Kerberos: Ticket-based authentication (Active Directory domains)
  • RADIUS: Centralized AAA for network access (VPN, Wi-Fi, switches)
Domain 5: Security Program Management

20% of exam • Governance, Risk, and Compliance (GRC)

5.1 Governance Structure

Policies

High-level intent. Mandatory. "We will secure data."

Standards

Specific requirements. Mandatory. "Use AES-256."

Procedures

Step-by-step instructions. Mandatory. "Click File > Save."

Guidelines

Best practices. Optional. "Use strong passwords."

Key Frameworks

NIST CSF
US Gov

Core functions: Identify, Protect, Detect, Respond, Recover (CSF 2.0 adds Govern).

ISO 27001
Intl

Requirements for an ISMS (InfoSec Mgmt System).

CIS Controls
Best Practice

Prioritized actions to stop attacks (Top 18).

5.2 Risk Management

Quantitative Analysis

  • SLE (Single Loss Expectancy) = Asset Value × EF (Exposure Factor: the fraction of the asset's value lost in one incident)
  • ARO (Annualized Rate of Occurrence) = expected number of incidents per year
  • ALE (Annualized Loss Expectancy) = SLE × ARO

Risk Response Strategies

Accept

Do nothing. Cost of fix > Cost of loss.

Transfer

Insurance or outsourcing.

Mitigate

Implement controls to reduce risk.

Avoid

Stop the activity causing the risk.
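The SLE/ARO/ALE formulas and the Accept-versus-Mitigate rule above, carried through as an added Go example (not from the original guide). The asset value, exposure factor, frequencies and control cost are constructed figures. The cost-benefit figure used to decide, ALE before the control minus ALE after it minus the control's own annual cost, is the standard safeguard-value calculation; the page states the rule only in words.

```go
package main

// SLE: Single Loss Expectancy, what one incident costs.
// exposureFactor is the fraction of asset value lost per incident (0.0-1.0).
func SLE(assetValue, exposureFactor float64) float64 {
	return assetValue * exposureFactor
}

// ALE: Annualized Loss Expectancy, the expected loss per year.
func ALE(sle, aro float64) float64 {
	return sle * aro
}

// ControlValue is the safeguard cost-benefit figure: the ALE the control
// removes, minus what the control itself costs each year.
func ControlValue(aleBefore, aleAfter, annualControlCost float64) float64 {
	return (aleBefore - aleAfter) - annualControlCost
}

// Recommend applies the Accept/Mitigate rule: mitigate only when the control
// saves more than it costs; otherwise the cheaper option is to accept the risk
// (or look for a different control or a transfer option).
func Recommend(aleBefore, aleAfter, annualControlCost float64) string {
	if ControlValue(aleBefore, aleAfter, annualControlCost) > 0 {
		return "mitigate"
	}
	return "accept"
}

// WorkedExample uses constructed figures: a $200,000 server, an incident that
// destroys 25% of its value, expected once every two years, and a control
// costing $30,000/year that cuts the frequency to once in ten years.
func WorkedExample() (sle, aleBefore, aleAfter float64, decision string) {
	sle = SLE(200_000, 0.25)  // 50,000 per incident
	aleBefore = ALE(sle, 0.5) // 25,000 per year without the control
	aleAfter = ALE(sle, 0.1)  // 5,000 per year with the control
	// Saves 20,000 a year but costs 30,000: the fix costs more than the loss it prevents.
	decision = Recommend(aleBefore, aleAfter, 30_000)
	return sle, aleBefore, aleAfter, decision
}
```

Had the same control cost $10,000 a year it would be worth buying; that flip is the whole point of quantifying risk rather than arguing about it qualitatively.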

5.4 Third-Party Risk Management

Agreements
  • SLA Service Level Agreement
  • MSA Master Service Agreement
  • NDA Non-Disclosure Agreement
Supply Chain

Risks from vendors, suppliers, and partners.

  • Hardware Tampering
  • Software Backdoors
Due Diligence

Investigating a vendor's security posture BEFORE signing.

Questionnaires, Audits, Financials