
There are many different tasks, concepts, and skills involved in the pursuit of computer
security. But most of these tasks, concepts, and skills share a few fundamental principles. In
this lesson, you will identify the fundamental components of information security.
Just as you begin the construction of a building with bricks and mortar, each security
implementation starts with a series of basic building blocks. No matter what the final result
is, you will always start with the same base materials and ideas. As a security professional, it
is your responsibility to understand these concepts so you can build the appropriate security
structure for your organization.

In this lesson, you will:


• Identify the fundamental concepts of information security.
• Identify basic security controls.
• Identify basic authentication and authorization concepts.
• Identify basic cryptography concepts.
| CompTIA® Security+® (Exam SY0-501)

In this lesson, you will identify the fundamentals of computer security. To begin any new endeavor,
it's always a good idea to define the basic terminology and ideas that provide a solid foundation for
more advanced principles. In this topic, you will identify the fundamental concepts of information
security.
To be successful and credible as a security professional, you should understand security in business
starting from the ground up. You should also know the key security terms and ideas used by other
security experts in technical documents and in trade publications. Security implementations are
constructed from fundamental building blocks, just like a large building is constructed from
individual bricks. This topic will help you understand those building blocks so that you can use them
as the foundation for your security career.

Instructor note: The CompTIA® A+ and Network+ courses and certifications are recommended but not
required as preparation for this course. Students with an A+ and Network+ background might be
familiar with some of the basic concepts and technical information presented in this lesson and in
other sections throughout the remainder of the course. Be sure to assess your students' level of
knowledge and adjust your presentation accordingly.

Information Security
Information security refers to the protection of available information or information resources
from unauthorized access, attack, theft, or data damage. Responsible individuals and organizations
must secure their confidential information. Due to the presence of a widely connected business
environment, data is now available in a variety of forms such as digital media and print. Therefore,
every bit of data that is being used, shared, or transmitted must be protected to minimize business
risks and other consequences of losing crucial data.

Goals of Information Security
There are three primary goals or functions involved in the practice of information security.
• Prevention: Personal information, company information, and information about intellectual
property must be protected. If there is a breach in security in any of these areas, then the
organization may have to put a lot of effort into recovering losses. Preventing entities from
gaining unauthorized access to confidential information should be the number one priority of
information security professionals.
• Detection: Detection occurs when a user is discovered trying to access unauthorized data or
after information has been lost. It can be accomplished by investigating individuals or by
scanning the data and networks for any traces left by the intruder in any attack against the
system.
• Recovery: When there is a disaster or an intrusion by unauthorized users, system data can
become compromised or damaged. It is in these cases that you need to employ a process to recover
vital data from a crashed system or data storage devices. Recovery can also pertain to physical
resources.

Risk
As applied to information systems, risk is a concept that indicates exposure to the chance of
damage or loss. It signifies the likelihood of a hazard or dangerous threat occurring.

Instructor note: Keep in mind that risk can be defined in several different ways, and that you may
find it valuable to provide an alternate definition to students, or to lead a brief discussion
about how the definition of risk can vary depending on the context in which it is used.

Lesson 1: Identifying Security Fundamentals | Topic A



In information technology, risk is often associated with the loss of a system, power, or network, and
other physical losses. Risk also affects people, practices, and processes.
For example, a disgruntled former employee is a threat. The amount of risk this threat represents
depends on the likelihood that the employee will access his or her previous place of business and
remove or damage data. It also depends on the extent of harm that could result.

Risk is the determining factor when looking at information systems security. If an organization
chooses to ignore risks to operations, it could suffer a catastrophic outage that would limit its ability
to survive.
Note: Risk is covered in greater depth in the next lesson.

Vulnerabilities
At the most basic level, a vulnerability is any condition that leaves an information system open to
harm. Vulnerabilities can come in a wide variety of forms, including:
• Improperly configured or installed hardware or software.
• Delays in applying and testing software and firmware patches.
• Untested software and firmware patches.
• Bugs in software or operating systems.
• The misuse of software or communication protocols.
• Poorly designed networks.
• Poor physical security.
• Insecure passwords.
• Design flaws in software or operating systems.
• Unchecked user input.

Instructor note: Make sure you explain the distinction between a vulnerability and a threat, as
these terms are easily confused.


Threats
In the realm of computer security, a threat is any event or action that could potentially cause
damage to an asset. Threats are often in violation of a security requirement, policy, or procedure.
Regardless of whether a violation is intentional or unintentional, malicious or not, it is considered a
threat. Potential threats to computer and network security include:
• Unintentional or unauthorized access or changes to data.
• The interruption of services.
• The interruption of access to assets.
• Damage to hardware.
• Unauthorized access or damage to facilities.

Attacks
In the realm of computer security, an attack is a technique used to exploit a vulnerability in any
application or physical computer system without the authorization to do so. Attacks on a computer
system and network security include:
• Physical security attacks.
• Software-based attacks.
• Social engineering attacks.
• Web application-based attacks.
• Network-based attacks, including wireless networks.


Note: Physical security attack, software attack, and other terms are used in this course to group
attacks into general categories for ease of discussion. They are not meant to imply that the
security industry makes technical distinctions between these broad groups.

Controls
In the realm of computer security, controls are the countermeasures that you need to put in place to
avoid, mitigate, or counteract security risks due to threats or attacks. In other words, controls are
solutions and activities that enable an organization to meet the objectives of an information security
strategy. Controls can be safeguards and countermeasures that are logical or physical. Controls are
broadly classified as prevention, detection, and correction controls.

Instructor note: This course groups administrative controls under physical controls, which are
covered in more depth in a later lesson. Keep in mind that some security sources consider
administrative controls to be distinct from the logical and physical.


Types of Controls
The different types of controls include:
• Prevention controls: These help to prevent a threat or attack from exposing a vulnerability in
the computer system. For example, a security lock on a building's access door is a prevention
control.
• Detection controls: These help to discover if a threat or vulnerability has entered into the
computer system. For example, surveillance cameras that record everything that happens in and
around a building are detection controls.
• Correction controls: These help to mitigate the consequences of a threat or attack from
adversely affecting the computer system. For example, a security officer who responds to a silent
alarm detecting an intrusion and who then stops the intruder is a correction control.

Instructor note: This is a high-level overview of the types of security controls. Specific
components and additional examples, such as keeping log files, will be covered later in the course.

The Security Management Process
The security management process involves identifying, implementing, and monitoring security
controls.

Identify security controls: This involves detecting problems and determining how best to protect a
system:
• Find out when and where security breaches occur.
• Log details of the breaches, showing information regarding the failed
attempts, such as typing a wrong user name or password.
• Select the appropriate identification technique, such as a network
intrusion detection system (NIDS).

Implement security controls: This involves installing control mechanisms to prevent problems in a
system:
• Authenticate users appropriately or control access to data and
resources.
• Match implementation security controls with the management
requirements in any organization.
• Install a security mechanism such as an intrusion detection system
(IDS) or an intrusion prevention system (IPS) to prevent any attacks
on the system.

Monitor security controls: This involves detecting and solving any security issues that arise after
security controls are implemented:
• Run tests on the various controls installed to see if they are working
correctly and will remain effective against further attacks on the
system.
• Analyze important steps that improve the performance of controls.
• Document each control failure and determine if a control needs to be
upgraded or removed.
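
The "identify" step above asks when and where breaches occur and calls for logging failed attempts such as a wrong user name or password. The following is an added example, not part of the course material, of a detection control that answers those questions from a logon log; the log format, field names, addresses, and the threshold of three failures in five minutes are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input; the line format and field names are assumptions.
SAMPLE_LOG = """\
2024-03-01T09:00:01 auth FAIL user=jsmith src=192.0.2.5 reason=bad_password
2024-03-01T09:00:20 auth FAIL user=jsmith src=192.0.2.5 reason=bad_password
2024-03-01T09:00:41 auth FAIL user=admin src=192.0.2.5 reason=unknown_user
2024-03-01T09:01:10 auth OK user=akhan src=192.0.2.9
2024-03-01T09:02:00 auth FAIL user=akhan src=192.0.2.9 reason=bad_password
2024-03-01T09:30:00 auth FAIL user=akhan src=192.0.2.9 reason=bad_password
2024-03-01T09:59:00 auth FAIL user=akhan src=192.0.2.9 reason=bad_password
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) "
    r"src=(?P<src>\S+)(?: reason=(?P<reason>\S+))?$"
)

def parse(log_text):
    """Yield (timestamp, result, user, source, reason); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"],
                   m["user"], m["src"], m["reason"])

def failed_logon_alerts(log_text, threshold=3, window=timedelta(minutes=5)):
    """One alert per source reaching `threshold` failures inside `window`.
    Assumes the log lines are in chronological order."""
    recent = defaultdict(list)  # source -> failures still inside the window
    alerts = {}
    for ts, result, user, src, reason in parse(log_text):
        if result != "FAIL":
            continue
        recent[src].append((ts, user, reason or "unspecified"))
        # Slide the window: drop failures older than `window` before `ts`.
        recent[src] = [e for e in recent[src] if ts - e[0] <= window]
        if len(recent[src]) >= threshold and src not in alerts:
            alerts[src] = {
                "where": src,
                "when": recent[src][0][0],  # first failure in the burst
                "accounts": sorted({e[1] for e in recent[src]}),
                "reasons": sorted({e[2] for e in recent[src]}),
                "count": len(recent[src]),
            }
    return list(alerts.values())
```

The second source in the sample fails three times but almost half an hour apart each time, so it stays below the threshold; tuning the window and threshold belongs to the "monitor" step.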


Activity: Identifying Information Security Basics

Instructor note: This course includes several activities similar to this one, which pose a series
of questions about the information covered in the topic. Use these questions, along with your
experience, to facilitate discussion among all class participants.

You are the new security administrator at Develetech Industries, a manufacturer of home electronics
located in the fictional city and state of Greene City, Richland (RL). As you are meeting your new
colleagues, several of them ask you some questions about security and how it relates to the business.

☐ Prevention
☐ Auditing
☐ Recovery
☐ Detection

☐ Improperly configured software
☐ Misuse of communication protocols
☐ Damage to hardware
☐ Lengthy passwords with a mix of characters

Answers will vary, but may include: A threat is any potential violation of security policies or
procedures. A vulnerability is any condition that leaves a system open to attack. A risk is an
exposure to the chance of damage or loss, and it signifies the likelihood of a hazard or dangerous
threat.
