Security+ Week1

WEEK 1

CompTIA Security+

SY0-701

Attention Attendees:
Remember to type your messages to all panellists and attendees
Course Structure

Week / Module 1
Introduction & Security Fundamentals

Week / Module 2
Compliance & Operational Security

Week / Module 3
Threats & Vulnerabilities

Week / Module 4
Application, Data & Host Security

CompTIA Security+
CompTIA Security+ certification is a global certification exam that validates
the baseline skills you need to perform core security functions and pursue
an IT security career.

Computing Technology Industry Association (CompTIA) is a leading,
vendor-neutral organisation that provides education, training, certification,
philanthropy, and market research for information technology. They have
awarded more than 2.5 million certifications in areas such as
cybersecurity, networking, cloud computing and technical support.

Source: https://www.comptia.org/faq/security/what-is-comptia-security-certification and https://www.comptia.org/about-us

Study Guide
There is no mandatory text for this short course and all the assessments
will be covered in the material.

However, if you do plan to take the exam, there is a study guide available.

Security+ (SY0-701) Certification Study Guide | CompTIA IT Certifications

Introduction
Information Security
Confidentiality
• Information should only be read by authorized persons
Integrity
• Data is stored and transferred as intended and any modification is authorized
Availability
• Information is accessible to those authorized to view or modify it
Non-repudiation
• Persons cannot deny creating or modifying data

Diagram: the CIA triad (Confidentiality, Integrity, Availability) surrounding Information Security.

Cyber Security Framework

Gap Analysis

Access Control

Security Control Categories

• Managerial
  • Give oversight of the system
• Operational
  • Relies on a person for implementation
• Technical
  • Implemented in operating systems, software, and security appliances
• Physical
  • Devices that mediate access to premises and hardware

Security Control Functional Types

• Preventive
  • Physically or logically restricts unauthorized access
  • Operates before an attack
• Detective
  • Identifies attempted or successful intrusions
  • Operates during an attack
• Corrective
  • Responds to and fixes an incident and may prevent its reoccurrence
  • Operates after an attack

Security Control Functional Types (cont’d)

• Directive
  • Enforces a rule of behavior
• Deterrent
  • Psychologically discourages intrusions
• Compensating
  • Substitutes for a principal control
  • Associated with framework compliance measures

Information Security Roles & Responsibilities

• Overall responsibility
  • Chief Information Officer (CIO)
  • Chief Security Officer (CSO)
• Managerial
• Technical
  • Information Systems Security Officer (ISSO)
• Non-technical
• Due care/liability

Information Security Competencies

• Risk assessments and testing
• Specifying, sourcing, installing, and configuring secure devices and software
• Access control and user privileges
• Auditing logs and events
• Incident response and reporting
• Business continuity and disaster recovery
• Security training and education programs

Information Security Business Units

• Security Operations Center (SOC)
• DevSecOps
  • Development, security, and operations
• Incident response
  • Cyber incident response team (CIRT)

Risk Management
What is Risk?

(Risk is) “the effect of uncertainty on objective” – ISO 31000

Risk Identification and Assessment

• Risk identification is fundamental to managing risk
  • Malware attacks
  • Phishing attempts
  • Insider threats
  • Equipment failures
  • Software vulnerabilities
  • Nontechnical risks like inadequate policies or training
• Risk assessment evaluates previously identified risks to determine their potential impact on the organization

Risk Identification and Assessment (cont’d)

• Risk Analysis
  • Describes identifying and evaluating potential risks and the characteristics that define them
  • Quantitative Analysis
    • Assign tangible values to each risk
  • Qualitative Analysis
    • Assess risks based on subjective judgment
• Risk Assessment
  • Estimates potential risk levels and their significance by interpreting data collected during risk analysis

Risk Identification and Assessment (cont’d)

• Inherent Risk
  • Level of risk before any type of mitigation has been attempted
• Heat Map
  • Traffic light impact grid

Risk Management Strategies

• Risk management strategies
  • Describe the proactive and systematic approaches used to identify, assess, prioritize, and mitigate risks to minimize their negative impacts
• Risk responses
  • Identify how risk items are managed

Risk Management Strategies (cont’d)

• Residual Risk
  • The amount of risk left after mitigations are implemented
  • Risk cannot be fully eliminated
• Risk Appetite
  • Acceptable levels of risk
  • Varies from one organization to another
  • Sometimes defined in a formal risk appetite statement

Risk Management Processes

• Identifying, assessing, and mitigating vulnerabilities and threats to the essential functions that a business must perform to fulfill its purpose
• Risk
  • A measure of threats, vulnerabilities, impact, and probability
• Risk Registers
  • Risk description
  • Severity
  • Owner of the risk item
  • Identified mitigations
  • Often utilize heat maps

Risk Management Processes (cont’d)

• Risk Threshold
  • Defines the limits or levels of acceptable risk
• Key Risk Indicators
  • Predictive indicators for monitoring and predicting potential risks
• Risk Reporting
  • Communicate an organization's risk profile
  • Communicate the effectiveness of a risk management program
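
The risk register, heat map, residual risk and risk threshold slides above describe one workflow; the following Python is an added worked example, not part of the course material, that ties them together. It assumes a 1-5 likelihood scale, a 1-5 impact scale, score = likelihood x impact, and green/amber/red heat-map bands at 5 and 12; the register entries, owners, mitigations and the threshold of 9 are constructed for illustration.

```python
"""Added example (not from the course slides): a small risk register scored
on a traffic-light heat map and checked against a risk threshold.

Assumptions made here, not stated on the slides: a 1-5 likelihood scale,
a 1-5 impact scale, score = likelihood x impact, and green/amber/red bands
at <= 5, <= 12 and > 12. The risks, owners and mitigations are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    """One row of the register: description, owner, ratings and mitigations."""
    description: str
    owner: str
    likelihood: str                               # inherent rating, before mitigation
    impact: str
    mitigations: List[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None     # rating after mitigation
    residual_impact: Optional[str] = None         # None means unchanged by mitigation


def score(likelihood: str, impact: str) -> int:
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def band(s: int) -> str:
    """Map a numeric score onto the traffic-light colour of the heat map."""
    if s <= 5:
        return "green"
    if s <= 12:
        return "amber"
    return "red"


def inherent(risk: Risk) -> int:
    """Risk level before any mitigation has been attempted."""
    return score(risk.likelihood, risk.impact)


def residual(risk: Risk) -> int:
    """Risk level left after the listed mitigations are applied."""
    return score(risk.residual_likelihood or risk.likelihood,
                 risk.residual_impact or risk.impact)


def heat_map(register: List[Risk]) -> List[List[int]]:
    """5x5 grid of inherent-risk counts: rows = likelihood 1..5, cols = impact 1..5."""
    grid = [[0] * 5 for _ in range(5)]
    for r in register:
        grid[LIKELIHOOD[r.likelihood] - 1][IMPACT[r.impact] - 1] += 1
    return grid


def above_threshold(register: List[Risk], threshold: int) -> List[str]:
    """Risks whose residual score still exceeds the organisation's risk threshold."""
    return [r.description for r in register if residual(r) > threshold]


def report(register: List[Risk]) -> List[str]:
    """One line per risk, suitable for risk reporting to management."""
    lines = []
    for r in register:
        lines.append(f"{r.description} (owner: {r.owner}): inherent {inherent(r)} "
                     f"{band(inherent(r))} -> residual {residual(r)} {band(residual(r))}; "
                     f"mitigations: {', '.join(r.mitigations) or 'none'}")
    return lines


# Constructed register entries for illustration.
REGISTER = [
    Risk("Phishing leads to credential theft", "IT Security Manager", "likely", "major",
         ["Phishing-resistant MFA", "Security awareness training"], "possible", "moderate"),
    Risk("Ransomware encrypts file servers", "CIO", "possible", "severe",
         ["Offline backups", "Endpoint detection and response"], "possible", "moderate"),
    Risk("Unpatched VPN appliance vulnerability", "Network Lead", "likely", "severe",
         ["Monthly patch cycle"], "unlikely", "severe"),
    Risk("Insider exfiltrates customer data", "HR Director", "unlikely", "major"),
    Risk("Single data centre power failure", "Facilities", "rare", "moderate",
         ["UPS and generator"], "rare", "minor"),
]

RISK_THRESHOLD = 9   # assumed appetite: anything scoring above 9 needs further treatment

if __name__ == "__main__":
    for line in report(REGISTER):
        print(line)
    print("Above threshold:", above_threshold(REGISTER, RISK_THRESHOLD))
```

The VPN entry shows why residual risk is tracked separately from inherent risk: the monthly patch cycle lowers likelihood, but with severity unchanged the residual score (10) still sits above the assumed threshold, so the register flags it for further treatment even though it has a mitigation listed.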

Business Impact Analysis

• Identification of Critical Systems
  • Mission Essential Functions
• Maximum Tolerable Downtime (MTD)
• Recovery Time Objective (RTO)
• Work Recovery Time (WRT)
• Recovery Point Objective (RPO)

Metrics governing mission essential functions.
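
As an added worked example that is not part of the course slides, the Python below checks the business impact analysis metrics listed above for a set of mission essential functions. It assumes the usual relationship that planned recovery (RTO + WRT) must fit inside the MTD and that the backup interval must not exceed the RPO; the function names and hour values are constructed for illustration.

```python
"""Added example (not from the course slides): checking business impact
analysis metrics for a set of mission essential functions.

Assumed conventions, not stated on the slide: RTO + WRT must fit inside MTD,
and the backup interval must not exceed the RPO. The functions and numbers
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class EssentialFunction:
    name: str
    mtd_hours: float              # Maximum Tolerable Downtime
    rto_hours: float              # Recovery Time Objective: time to restore the system
    wrt_hours: float              # Work Recovery Time: verify data, resume normal work
    rpo_hours: float              # Recovery Point Objective: acceptable data loss, as time
    backup_interval_hours: float  # how often backups actually run


def downtime_margin(f: EssentialFunction) -> float:
    """Hours of slack between planned recovery (RTO + WRT) and the MTD; negative means a gap."""
    return f.mtd_hours - (f.rto_hours + f.wrt_hours)


def meets_mtd(f: EssentialFunction) -> bool:
    return downtime_margin(f) >= 0


def meets_rpo(f: EssentialFunction) -> bool:
    """Backups must run at least as often as the RPO allows data to be lost."""
    return f.backup_interval_hours <= f.rpo_hours


def findings(functions: List[EssentialFunction]) -> List[str]:
    """Human-readable BIA findings for every function whose metrics do not line up."""
    out = []
    for f in functions:
        if not meets_mtd(f):
            out.append(f"{f.name}: RTO + WRT = {f.rto_hours + f.wrt_hours:g}h exceeds "
                       f"MTD {f.mtd_hours:g}h by {-downtime_margin(f):g}h")
        if not meets_rpo(f):
            out.append(f"{f.name}: backup interval {f.backup_interval_hours:g}h "
                       f"exceeds RPO {f.rpo_hours:g}h")
    return out


def by_criticality(functions: List[EssentialFunction]) -> List[EssentialFunction]:
    """Recovery order: the function with the shortest MTD must come back first."""
    return sorted(functions, key=lambda f: f.mtd_hours)


# Constructed functions and metrics (hours) for illustration.
FUNCTIONS = [
    EssentialFunction("Order processing", mtd_hours=8, rto_hours=4, wrt_hours=2,
                      rpo_hours=1, backup_interval_hours=0.25),
    EssentialFunction("Payroll", mtd_hours=72, rto_hours=48, wrt_hours=36,
                      rpo_hours=24, backup_interval_hours=24),
    EssentialFunction("Customer portal", mtd_hours=4, rto_hours=2, wrt_hours=1,
                      rpo_hours=0.5, backup_interval_hours=6),
    EssentialFunction("Internal wiki", mtd_hours=168, rto_hours=24, wrt_hours=8,
                      rpo_hours=24, backup_interval_hours=24),
]

if __name__ == "__main__":
    print("Recovery order:", [f.name for f in by_criticality(FUNCTIONS)])
    for line in findings(FUNCTIONS):
        print("FINDING:", line)
```

The two findings illustrate the two ways a BIA can fail in practice: payroll's recovery plan is internally inconsistent (restoring the system plus verifying the data takes longer than the business can tolerate), while the customer portal's plan is consistent on paper but the actual backup schedule cannot deliver the promised RPO.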

Vendor Selection

• Systematically evaluate and assess potential vendors to minimize risks associated with outsourcing or procurement
• Third-Party Vendor Assessment
  • Critical component of Governance, Risk, and Compliance (GRC)
  • Vendor assessments provide evidence of due diligence
• Conflict of Interest
  • When an individual or organization has competing interests or obligations that could compromise their ability to act objectively, impartially, or in the best interest of the organization

Vendor Selection (cont’d)

• Vendor Assessment Methods
  • Evidence of Internal Audits
  • Independent Assessments
  • Penetration Testing
  • Supply Chain Analysis
  • Right-to-Audit Clause
• Vendor Monitoring
  • Continuously evaluating vendors to ensure ongoing adherence to security standards, compliance requirements, and contractual obligations

Legal Agreements

• Initial Agreements
  • Memorandum of Understanding (MOU)
  • Nondisclosure Agreement (NDA)
  • Memorandum of Agreement (MOA)
  • Business Partnership Agreement (BPA)
  • Master Service Agreement (MSA)
• Operational/Performance Agreements
  • Service-level Agreement (SLA)
  • Statement of Work (SOW)/Work Order (WO)
• Expectations
  • Rules of Engagement (RoE)

Attestation & Assessments

• Attestation
  • Verifying the accuracy, reliability, and effectiveness of security controls
• Internal Assessment
  • Organization's own employees conduct an in-depth assessment
  • Relatively simple to perform and customize
• External Assessment
  • Independent Third-Party
  • Impartial and objective evaluation of business practices
  • Required for legal compliance

Penetration Testing

• Uses authorized hacking techniques to discover exploitable weaknesses in the target's security systems
• Sometimes referred to as Pen Test or Ethical Hacking
• Internal Pen Test performed by a “Red Team”
• May include Active and Passive Reconnaissance
• Known Environment Penetration Testing
• Partially Known Environment Penetration Testing
• Unknown Environment Penetration Testing

Exercise Types

• Different types of penetration tests allow organizations to use a flexible and prioritized approach toward security assessment
• Offensive Penetration Testing “Red Team”
• Defensive Penetration Testing “Blue Team”
• Physical Penetration Testing
• Integrated Penetration Testing
  • Combines different types of penetration testing techniques

Questions
