
CompTIA Security+ Notes

1. Risk Management
- Three main objectives of cybersecurity, CIA: Confidentiality, Integrity & Availability. It is
also important to consider auditing (keeping records of what occurs) and non-repudiation
(preventing a user/device from denying or covering up the actions it took).
- Two main ways of measuring risk, quantitative (% based likelihood) and qualitative (more
intangible, can be ranked in terms of low, medium, high etc. Deals with impacts that are
harder to quantify.)
- Impact is the actual harm caused by a threat and can be measured both quantitatively and
qualitatively.
- Threat -> Vulnerability = Risk (a risk exists where a threat is able to act on a vulnerability).
- SP 800-30/37 document contains a long list of various potential threats that can be used for
risk assessment.
- OSINT = Open-source intelligence, the knowledge of vulnerabilities, potential threats/threat
actors etc spread throughout open communication platforms
- Script kiddies = trivial knowledge, often use pre-made scripts made by other people.
- Hacktivist = political/social intent
- Organised crime = profit motivation
- Nation state = motivation/intent is intelligence and sabotage.
- Advanced Persistent Threat (APT) = a persistent threat that remains in place and continues
to work.
- Insiders = acting from within an organisation, not always an employee (contractors, vendors
etc)
- Risk assessment involves the assessment of both threats and vulnerabilities, often at the
same time.
- Common Vulnerabilities and Exposures (CVE) database cve.mitre.org
- Nessus – a vulnerability scanner that runs within a LAN, probes the hosts on the network and
generates a report of the vulnerabilities it finds.
- Four main types of threats: Adversarial (intentional and malicious), Accidental (incorrect
user input, accidental deletion etc), Structural (failure of hardware/software etc) and
Environmental (fires, building damage etc).
- Risk Transference is shifting some of the likelihood/risk/impact onto a third party (e.g. using
a cloud-based web server instead of hosting your own physical server).
- Risk Acceptance is when potential cost of a risk is lower than what it would take to mitigate
the risk, therefore is accepted as a potential cost.
- Risk Avoidance where the likelihood and potential impact of a risk is great enough to
warrant completely avoiding the risk entirely (e.g. simply not storing private information at
all if there is no reliably safe way to store it).
- Risk Mitigation: reducing the likelihood or potential impact of a risk
- Framework = workflow/methodology
- NIST Risk Management Framework (SP 800-30) + ISACA Risk IT Framework
- Use benchmarking to establish baseline/expected behaviour and compare it with current
activity.
- Hardware and software vendors often have secure configuration guides/documentation to
assist with maintaining security on their respective products. NIST also provides guides for
securing various devices, networks, and software etc.
- Security Controls are actions/mechanisms put into place to either protect IT infrastructure
or remediate problems that have already occurred.
- Administrative/Management controls: controls actions towards IT security (e.g. Laws,
Policies, Guidelines and Best practices).
- Technical Control: Control actions within IT systems towards IT Security (e.g.
hardware/software, firewalls, authentication, encryption etc).
- Physical Control: Control actions in the physical world (e.g. Gates, guards, keys etc)
- Security Control Functions:
1. Deterrent: discourages the actor from attempting the threat in the first place.
2. Preventative: stops the actor from carrying out the threat.
3. Detective: recognising an actor’s threat.
4. Corrective: Mitigates the impact of a manifested/realised threat.
5. Compensating: Provides alternative fixes to any of the above functions if they are unable
to function the way we want them to.

Examples of security controls by type (columns) and function (rows):

Function       Administrative       Technical    Physical
Deterrent                                        Warning signs
Preventative   Employee Training    Firewall     Fencing
Detective      Background checks
Compensating
Corrective                          Backups

- Diversity in defence = multiple different TYPES of defences vs Redundancy = multiple layers
of same or similar defences.
- Governance: the overarching rules that define how an organisation and its personnel
conduct themselves in IT security.
- Governance policies are influenced by a variety of factors including: Laws and Regulations,
Standards (Government and Industry), Best Practices, Common Sense.
- Policy: A document that defines a course of action that will be enacted.
- Organizational Standard: Defines the level of performance for a policy, far more detailed
than a policy.
- Security controls come from Policies and Organizational Standards
- Procedure: Step by step instructions for how a process is completed. E.g. a procedure for
how to enact a Policy to the Organizational standard.
- Guidelines are optional to follow, everything else is not.
- Acceptable Use Policy: A policy that defines what a person can or cannot do on company
assets (e.g. computers, internet etc).
- Data Sensitivity and Classification Policies: define the importance or nature of types of data
(e.g. rating of sensitivity and importance)
- Access Control Policies: Defines how people can get access to data or resources (e.g.
passwords, what type of data a user has access to, rights/privileges)
- Password policy: Defines how passwords are managed/used, recovery, reuse/expiration etc.
- Care and Use of Equipment Policy: How company equipment should be maintained and
used.
- Privacy Policy: Can be applied to both internal and external individuals, detail how data may
be used, what may be recorded, observed, or used.
- Personnel Policies: Detail how the personnel within an organisation will be managed, e.g.
whether background checks may be implemented, will their jobs be rotated, etc.
- Frameworks come from a variety of sources including regulatory, non-regulatory, national
and industry standards/best practices.
- Evaluate security controls to verify what is feasible to implement within a given
environment.
- Authorisation is an important process when defining, implementing, and measuring security
controls.
- Exposure Factor: Percentage of an asset that is lost as the result of an incident.
- Asset Value: the total value of a particular asset to a company (total cost of replacement,
revenue generated, potential losses if unavailable etc)
- Single Loss Expectancy (SLE): Asset value * Exposure factor
- Annualised Rate of Occurrence (ARO): The annual chances of a particular event occurring
(e.g. how often does the area flood etc)
- Annualised Loss Expectancy (ALE): SLE * ARO, provides a rough calculation of the yearly cost
of individual risks/incidents for the purposes of risk assessment/calculations.
- Mean Time to Repair (MTTR): The average time that it would take to repair/replace an asset
in the event of loss/damage.
- Mean Time to Failure (MTTF): The average time that an asset lasts before failing
partially/completely which requires fixing/replacing. Normally applied to assets that cannot
be fixed, only replaced.
- Mean Time Between Failure (MTBF): The average time from when an asset is being
replaced/repaired and when it fails again (MTTR + MTTF). Normally applied only to assets
that can be fixed rather than only replacing.
- Business Impact Analysis (BIA): The study and analysis of the impact on an organisation by a
disruption.
- Basic Parts of BIA:

1. Determine mission critical functions: What are the things that happen within IT systems
that are required/critical to fulfill the business’ objectives/purpose.
2. Identify critical systems/assets: Identify what systems/assets serve critical roles within
the function of the organisation.
3. Identify any single-points-of-failure.
4. Identify resource requirements: What systems/assets are required to access necessary
resources (files, software etc)
5. Identify recovery priorities: What systems are the most important for the operation of
the organisation and in what order of importance.

- Privacy Impact Assessment (PIA): What the impact to the organisation would be if the
private information it holds were to be compromised/leaked.
- Privacy Threshold Assessment (PTA): Assessing what data the organisation holds, how it is
kept, its sensitivity etc.
- Recovery Time Objective (RTO): Minimum time necessary to restore a critical system or the
maximum time a critical system can be down without substantial impact.
- Recovery Point Objective (RPO): The amount of data that can be lost by an organisation
without substantial impact.
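The quantitative risk terms above (Asset Value, Exposure Factor, SLE, ARO, ALE) worked through in code, together with the accept-vs-mitigate decision from the Risk Acceptance note. This is an added example, not part of the notes; the flood figures are constructed and the control cost-benefit rule (ALE before minus ALE after minus yearly control cost) is an assumed extension of the notes' definitions.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One threat against one asset, in the terms used in the notes."""
    name: str
    asset_value: float      # AV: total value of the asset to the company
    exposure_factor: float  # EF: fraction of the asset lost in one incident (0.0-1.0)
    aro: float              # ARO: expected occurrences per year (0.1 = once a decade)

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value * Exposure Factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised Loss Expectancy = SLE * ARO (expected yearly cost of this risk)."""
        return self.sle() * self.aro


def control_net_benefit(before: RiskScenario, after: RiskScenario,
                        annual_control_cost: float) -> float:
    """Yearly loss a control avoids, minus what the control costs each year.
    Assumed cost-benefit rule (not stated in the notes): ALE_before - ALE_after - cost."""
    return before.ale() - after.ale() - annual_control_cost


def risk_response(before: RiskScenario, after: RiskScenario,
                  annual_control_cost: float) -> str:
    """Mitigate when the control pays for itself; otherwise accept the risk,
    matching the Risk Acceptance rule in the notes."""
    return "mitigate" if control_net_benefit(before, after, annual_control_cost) > 0 else "accept"


# Constructed figures: a server room worth $100,000 in a flood-prone area,
# a flood destroying 25% of it, expected once every ten years.
SERVER_FLOOD = RiskScenario("server room flood", asset_value=100_000.0,
                            exposure_factor=0.25, aro=0.1)
# Same threat after installing flood barriers (assumed to cut the EF to 5%).
SERVER_FLOOD_WITH_BARRIER = RiskScenario("server room flood (barriers)",
                                         asset_value=100_000.0,
                                         exposure_factor=0.05, aro=0.1)
BARRIER_ANNUAL_COST = 1_000.0   # constructed yearly cost of the barriers

if __name__ == "__main__":
    print(f"SLE = ${SERVER_FLOOD.sle():,.0f}, ALE = ${SERVER_FLOOD.ale():,.0f}")
    print("Response:", risk_response(SERVER_FLOOD, SERVER_FLOOD_WITH_BARRIER,
                                     BARRIER_ANNUAL_COST))
```

Raising the barrier cost to $3,000 a year makes the net benefit negative, so the same function returns "accept": the risk is cheaper to live with than to mitigate.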

- Data Sensitivity/Labelling:
- Public: Publicly available information with no restrictions on it
- Confidential: Limited to authorised viewing as agreed on by the parties involved.
- Private: Limited to only the individual with whom the information is shared, includes
Personally Identifiable Information (PII).
- Proprietary: Very similar to Private information but regarding companies/corporations,
e.g., trade secrets.
- Protected Health Information (PHI): Any form of information that relates to the health of
an individual.
- Data Roles:
- Owner: The person who has the legal responsibility for the data (usually the
company/corporation that creates it.)
- Steward/Custodian: The individual/s whose responsibility is to maintain the accuracy and
integrity of the data.
- Privacy Officer: Ensures that data adheres to privacy policies and procedures.
- User Roles:
- Users: Assigned standard permissions needed to complete their tasks.
- Privileged Users: Increased access and control relative to a user.
- Executive User: Set policy on data and incident response actions.
- System Administrators: Have complete control over data/systems.
- Data/System Owner: Has legal ownership of a particular data set or system.
