CERTIFIED IN CYBERSECURITY

ISC2
DOMAIN 1: Security Principles

Foundational Concepts of Cybersecurity Principles

Cybersecurity principles ensure the confidentiality, integrity, and availability of information

while protecting systems from unauthorized access or harm. The foundational principles
include:

1. Confidentiality: Ensures that only authorized individuals have access to sensitive

information.
o Example: Using encryption to secure files or communication.
2. Integrity: Ensures the accuracy and consistency of data, preventing unauthorized
modification.
o Example: Using hash functions to verify file integrity.
3. Availability: Ensures that information and systems are accessible when needed.
o Example: Implementing redundancy or backups to mitigate downtime.
4. Authentication and Authorization: Verifies user identities and ensures they only
access permitted resources.
5. Accountability: Tracks actions and holds users responsible through mechanisms like
audit logs.

Foundational Security Concepts of Information Assurance

Information assurance builds on the CIA Triad (Confidentiality, Integrity, Availability) and
includes additional concepts:

• Non-repudiation: Prevents users from denying their actions (e.g., digital signatures).
• Defense in Depth: Deploying multiple layers of security measures (e.g., firewalls,
intrusion detection systems, physical security).
• Least Privilege: Granting users only the minimum access necessary to perform their
roles.

Risk Management Terminology and Process

Terminology:

• Risk: The potential for loss or harm due to a threat exploiting a vulnerability.
• Threat: Any event or circumstance that could cause harm (e.g., malware, insider
attacks).
• Vulnerability: A weakness in a system that can be exploited (e.g., unpatched
software).
 • Impact: The consequence or damage resulting from a realized risk.
• Likelihood: The probability of a risk occurring.

Risk Management Process:

1. Identify Risks:
o Catalog assets and identify potential threats and vulnerabilities.
o Example: Perform a vulnerability scan.
2. Assess Risks:
o Determine the likelihood and impact of risks using qualitative or quantitative
methods.
3. Mitigate Risks:
o Implement controls to reduce risk, such as installing firewalls or training
employees.
4. Monitor Risks:
o Continuously evaluate and adjust security measures to address new threats.

Relating Risk Management to Personal or Professional Practices

Personal Practices:

• Using antivirus software on personal devices.

• Enabling two-factor authentication (2FA) for online accounts.
• Regularly updating and patching operating systems and applications.

Professional Practices:

• Conducting regular penetration tests to identify weaknesses.

• Establishing robust incident response procedures.
• Ensuring compliance with industry regulations like GDPR or HIPAA.

Types of Security Controls

1. Administrative Controls:
o Policies, procedures, and employee training.
o Example: Security awareness training programs.
2. Technical Controls:
o Technology-based mechanisms.
o Example: Firewalls, encryption, intrusion detection systems (IDS).
3. Physical Controls:
o Measures to secure the physical environment.
o Example: Surveillance cameras, biometric locks, fences.

Distinguishing Policies, Procedures, Standards, Regulations, and Laws

 1. Policies: High-level guidelines outlining an organization's security objectives and
principles.
o Example: Acceptable Use Policy (AUP).
2. Procedures: Step-by-step instructions for implementing policies.
o Example: A guide on how to handle a data breach.
3. Standards: Specific requirements to enforce policies and ensure uniformity.
o Example: A password standard requiring 12-character passwords.
4. Regulations: Legal requirements enforced by governing bodies.
o Example: GDPR mandates for protecting personal data.
5. Laws: Government-enforced rules.
o Example: Cybersecurity Information Sharing Act (CISA).

Relationship Among Governance Elements

Governance provides a framework for managing and implementing cybersecurity effectively:

• Policies inform the creation of standards and procedures.

• Standards define specific rules to achieve policy objectives.
• Compliance with laws and regulations ensures adherence to governance
requirements.

Governance ensures accountability and alignment of security measures with organizational

objectives.

ISC2 Code of Ethics Canons

The ISC2 Code of Ethics consists of four canons:

1. Protect Society, the Common Good, Public Trust, and Confidence:

o Example: Reporting a vulnerability responsibly instead of exploiting it.
2. Act Honorably, Honestly, Justly, Responsibly, and Legally:
o Example: Avoiding unauthorized access to sensitive systems.
3. Provide Diligent and Competent Service to Principals:
o Example: Ensuring clients’ systems meet security best practices.
4. Advance and Protect the Profession:
o Example: Mentoring junior cybersecurity professionals.

Practice Terminology and Review Security Principles

Key Concepts to Practice:

• Understanding the CIA Triad.

• Applying risk management terminology.
• Differentiating between types of security controls.
 • Using case studies to analyze security policies and responses.

DOMAIN 2: Incident
Response, Business
Continuity and Disaster Recovery
Concepts

How Organizations Respond to, Recover From, and Continue Operations

During Unplanned Disruptions

Organizations must prepare for unplanned disruptions such as cyberattacks, natural disasters,
or system failures. They achieve this through Incident Response (IR), Business Continuity
Planning (BCP), and Disaster Recovery (DR) strategies.

Response:

• Organizations respond to incidents immediately through Incident Response Plans

(IRP):
o Detect and contain the threat (e.g., isolating affected systems).
o Minimize damage to operations and assets.

Recovery:

• Focuses on restoring normal operations:

o Identify impacted systems and recover data from backups.
o Repair or replace affected infrastructure.

Continuity:

• Ensures critical operations remain functional during disruptions:

o Alternate work locations or backup systems may be used.
o Implement failover mechanisms to maintain essential services.

Terms and Components of Incident Response

Key Terms:

1. Incident: A security event that disrupts normal operations (e.g., ransomware attack).
2. Event: Any observable occurrence in a system or network (not all events are
incidents).
 3. Indicators of Compromise (IoC): Signs of malicious activity, such as unusual
network traffic or unauthorized login attempts.

Incident Response Lifecycle (NIST Framework):

1. Preparation:
o Develop and test the incident response plan (IRP).
o Train staff and deploy security tools (e.g., SIEM systems).
2. Detection and Analysis:
o Identify and assess the incident using IoCs and monitoring tools.
3. Containment, Eradication, and Recovery:
o Contain the threat to prevent further damage.
o Remove the threat from systems.
o Restore affected systems and verify their integrity.
4. Post-Incident Activities:
o Conduct a post-mortem analysis to identify lessons learned.
o Update policies and systems to prevent future incidents.

Components of a Business Continuity Plan (BCP)

A Business Continuity Plan ensures that critical business functions continue during and
after a disruption.

Key Components:

1. Business Impact Analysis (BIA):

o Identify critical processes and their dependencies.
o Assess the potential impact of disruptions.
2. Risk Assessment:
o Identify potential threats (e.g., cyberattacks, power outages).
o Evaluate vulnerabilities and mitigation measures.
3. Recovery Strategies:
o Define alternate methods for maintaining operations, such as remote work
capabilities or backup suppliers.
4. Continuity Teams and Roles:
o Designate personnel responsible for executing the BCP.
o Train staff for specific roles during disruptions.
5. Communication Plan:
o Establish methods to inform stakeholders, employees, and customers during
an incident.
6. Testing and Maintenance:
o Regularly test the BCP to ensure its effectiveness.
o Update the plan as systems and risks evolve.

Components of Disaster Recovery (DR)

A Disaster Recovery Plan (DRP) focuses on restoring IT infrastructure and data after a
major disruption.

Key Components:

1. Backup Systems and Data:

o Regularly back up data and maintain offsite copies (e.g., cloud storage).
2. Recovery Time Objective (RTO):
o The maximum allowable downtime before services must be restored.
3. Recovery Point Objective (RPO):
o The maximum acceptable amount of data loss, measured in time (e.g., the last
backup point).
4. Redundant Systems:
o Failover systems, such as secondary servers or cloud platforms, to quickly
resume operations.
5. Disaster Recovery Sites:
o Hot Site: Fully functional and ready-to-use facility.
o Cold Site: Basic infrastructure that requires setup.
o Warm Site: Partially configured facility requiring less setup than a cold site.
6. Incident-Specific Plans:
o Detailed steps for specific disasters (e.g., data breach, fire, or natural disaster).
7. Testing and Updating:
o Simulate disaster scenarios to validate the DRP and improve it based on
findings.

Terminology and Practice Concepts

Common Terminology:

• High Availability (HA): Ensures minimal downtime by using redundant systems.

• Failover: Automatic switching to backup systems during a failure.
• Critical Systems: Systems essential to business operations.
• Tabletop Exercise: A simulation to practice incident response or disaster recovery.

Review Practices:

• Incident Response:
o Create incident playbooks for common threats.
o Conduct security monitoring using tools like SIEM.
• Business Continuity:
o Perform regular BIA and risk assessments.
o Test communication plans with mock disruptions.
• Disaster Recovery:
o Ensure backups meet RTO and RPO requirements.
o Simulate server failures to test recovery time.
KEY TERMS

1. Recovery Strategies

Recovery Strategies focus on restoring systems, data, and services after a disruption or
disaster. The goal is to return to normal operations as quickly and effectively as possible.

Key Components:

1. Data Backup and Restoration:

o Maintain regular backups of critical data (e.g., incremental, differential, or full
backups).
o Use offsite storage, cloud platforms, or physical tapes for redundancy.
2. System Redundancy:
o Deploy redundant systems (e.g., mirrored servers) to minimize downtime.
3. Disaster Recovery Sites:
o Hot Site: Fully operational backup site, ready for immediate use.
o Warm Site: Partially equipped site requiring setup before use.
o Cold Site: Basic infrastructure requiring full setup.
4. Recovery Point Objective (RPO):
o Defines the maximum acceptable data loss, measured in time (e.g., last backup
point).
5. Recovery Time Objective (RTO):
o Establishes the maximum acceptable downtime for restoring operations.
6. Cloud-Based Recovery:
o Utilize cloud services for scalable and cost-effective disaster recovery.
7. Testing and Validation:
o Conduct regular recovery drills to ensure the plan works and meets RTO/RPO
targets.

Examples of Recovery Strategies:

• Restoring databases from backups after a ransomware attack.

• Switching to redundant systems after a server failure.

2. Continuity Strategies

Continuity Strategies ensure that critical business functions remain operational during and
after a disruption. These strategies aim to maintain essential services while recovery efforts
are underway.

Key Components:
 1. Business Impact Analysis (BIA):
o Identify essential functions and prioritize them based on their impact on the
organization.
2. Alternate Work Locations:
o Use backup facilities or enable remote work for employees.
3. Failover Systems:
o Implement high-availability solutions like load balancers or backup servers to
keep services running.
4. Communication Plans:
o Establish clear communication channels to inform stakeholders, employees,
and customers during disruptions.
5. Supply Chain Resilience:
o Identify alternate suppliers and logistics plans to mitigate disruptions in the
supply chain.
6. Temporary Manual Operations:
o Develop processes for continuing operations manually if automated systems
are down.
7. Testing and Training:
o Regularly test continuity strategies through tabletop exercises and drills.

Examples of Continuity Strategies:

• Activating a hot site to maintain operations after a data center fire.

• Using remote work tools (e.g., VPN, cloud collaboration) during a pandemic.

3. Incident Management

Incident Management is the process of detecting, responding to, and resolving security
incidents to minimize their impact on operations and assets.

Key Components:

1. Incident Response Plan (IRP):

o A documented process for managing incidents, detailing roles, responsibilities,
and procedures.
2. Incident Response Team (IRT):
o A dedicated team of professionals responsible for managing and mitigating
incidents.
3. Incident Response Lifecycle (NIST Framework):
o Preparation: Develop and test plans, train staff, and deploy monitoring tools.
o Detection and Analysis: Identify and evaluate incidents using logs, IoCs, and
tools like SIEM.
o Containment: Isolate affected systems to prevent further damage.
o Eradication: Remove the root cause of the incident (e.g., malware).
o Recovery: Restore systems and validate their integrity.
o Post-Incident Review: Analyze the incident and update policies to prevent
recurrence.
4. Key Terms in Incident Management:
 Indicators of Compromise (IoC): Signs of malicious activity (e.g., abnormal
o
network traffic).
o Playbooks: Step-by-step guides for responding to specific incidents (e.g.,
phishing attack).
5. Communication During Incidents:
o Notify internal and external stakeholders about the incident.
o Coordinate with legal teams, regulators, or law enforcement if necessary.

Examples of Incident Management:

• Detecting and isolating a system infected with ransomware.

• Responding to a phishing attack by disabling compromised accounts and notifying
users.

Summary of Key Differences

Aspect Recovery Strategies Continuity Strategies Incident Management

Restore operations post- Maintain operations Detect, respond to, and
Purpose
disruption during disruption resolve incidents
IT systems and data Business process
Focus Security incident handling
recovery continuity
Activating failover Containing a malware
Examples Restoring from backups
systems infection

By implementing and practicing these strategies effectively, organizations can ensure

resilience and minimize the impact of unexpected disruptions or security incidents.
DOMAIN 3 Access Control Concepts

Access Controls

Access controls are mechanisms and processes designed to regulate who or what can view or
use resources in a system. They ensure that only authorized individuals can access specific
data, systems, or physical spaces.

1. Selecting Appropriate Access Controls in a Given Scenario

To determine the best access control, evaluate the type of resource, level of risk, and user
requirements. Below are examples:

• Scenario 1: Protecting sensitive files

o Use logical access controls such as file permissions and multifactor
authentication (MFA).
• Scenario 2: Securing a server room
o Implement physical access controls like biometric scanners, key cards, or
security guards.
• Scenario 3: Granting temporary access to a contractor
o Apply time-based access control: Limit access to specific systems during
predefined time windows.
• Scenario 4: Enforcing a principle of least privilege
o Use role-based access control (RBAC) to provide only the necessary
permissions for users to perform their roles.

2. Relating Access Control Concepts and Processes to Scenarios

Access Control Concepts:

• Identification: Determines who is accessing the system (e.g., username).

• Authentication: Verifies identity (e.g., password, biometrics).
• Authorization: Determines access rights (e.g., permission levels).
• Accountability: Tracks user actions through logs or audits.

Scenario Example:

• A financial firm needs to ensure that only the accounting team can access payroll
data:
 o Identification: Employees use a unique ID to log in.
o Authentication: Use MFA (e.g., password + OTP).
o Authorization: RBAC ensures only accountants can access payroll systems.
o Accountability: Logging tracks file access and modifications.

3. Comparing Various Physical Access Controls

Physical access controls restrict entry to physical locations such as buildings, rooms, or data
centers.

Control Description Strengths Weaknesses

Requires a card to unlock Convenient, easy to track Cards can be lost or
Key Card
doors usage stolen
Biometric Uses fingerprint, retina, or High security, unique to Can be expensive,
Scanner facial recognition individuals may have errors
Monitors entry points and
Security Human error or bias
verifies individuals Flexible and responsive
Guard may occur
manually
Dual-door system to control Prevents tailgating Expensive to
Mantrap
access to sensitive areas (unauthorized following) implement
CCTV Monitors and records access Deters unauthorized Cannot prevent
Cameras areas entry, provides evidence breaches in real-time

4. Logical Access Controls

Logical access controls manage access to digital resources like files, databases, and
networks.

Examples of Logical Access Controls:

1. Passwords and Passphrases:

o Basic authentication method requiring a secret code.
2. Multifactor Authentication (MFA):
o Combines two or more factors:
 Something you know: Password.
 Something you have: Security token or OTP.
 Something you are: Biometric data.
3. Role-Based Access Control (RBAC):
o Assigns permissions based on a user's role (e.g., "admin" or "viewer").
4. Discretionary Access Control (DAC):
o Resource owners control who can access their data.
5. Mandatory Access Control (MAC):
o Access is strictly regulated by the organization, based on security labels (e.g.,
"Top Secret").
6. Encryption:
 o Ensures data is unreadable to unauthorized users.
7. Firewalls and Intrusion Detection Systems (IDS):
o Control network access and monitor for malicious activities.

5. Practicing Access Control Terminology

• Least Privilege: Users are given the minimum access necessary to perform their
duties.
• Segregation of Duties: Splits responsibilities to prevent fraud or unauthorized
activities.
• Access Control Lists (ACLs): Define permissions for files, directories, or network
resources.
• Single Sign-On (SSO): Allows users to authenticate once and access multiple
systems.
• Privileged Access Management (PAM): Monitors and manages elevated accounts
(e.g., system admins).

Reviewing Concepts

Concept Description
Access Control Mechanism to regulate who can use resources.
Physical Access
Controls physical entry (e.g., locks, security guards, mantraps).
Control
Logical Access Control Manages access to digital resources (e.g., passwords, firewalls).
Authentication Verifies a user's identity (e.g., biometrics, MFA).
Authorization Determines what actions or resources a user can access.
Tracks and logs user actions to ensure compliance and identify
Accountability
breaches.
RBAC Role-Based Access Control, granting permissions based on roles.
Users have the minimum permissions necessary to perform their
Least Privilege
tasks.
Segregation of Duties Dividing critical tasks among multiple people to reduce risk.
Security Control Protocols

Security control protocols are sets of procedures and technologies designed to protect an
organization's assets by mitigating risks and ensuring compliance with security requirements.
They are categorized based on their function and purpose in securing systems and data.

Types of Security Control Protocols

1. Preventive Controls
o Stop security incidents before they occur.
o Examples:
 Firewalls: Block unauthorized network traffic.
 Access Control Mechanisms: Prevent unauthorized access.
 Antivirus Software: Blocks malware before it executes.
2. Detective Controls
o Identify and alert on potential security incidents.
o Examples:
 Intrusion Detection Systems (IDS): Monitors and flags suspicious
activity.
 Security Information and Event Management (SIEM): Logs and
analyzes events.
 Audit Logs: Record access and activity for later review.
3. Corrective Controls
o Address and fix issues after detection.
o Examples:
 Patching Vulnerabilities: Updating software to fix security flaws.
 Data Recovery: Restoring data after a breach or failure.
4. Deterrent Controls
o Discourage malicious activities through visible safeguards.
o Examples:
 Security Cameras: Visible monitoring deters intrusions.
 Warning Signs: Inform potential attackers of strict penalties.
5. Compensating Controls
o Provide alternative protections when primary controls are unavailable or
insufficient.
o Examples:
 Two-person rule for sensitive actions.
 Encryption as an alternative to secure file transfer mechanisms.
6. Physical Controls
o Protect physical infrastructure.
o Examples:
 Locks, security guards, and surveillance systems.
Access Control Strategies

Access control strategies define how access is granted, monitored, and managed to ensure
only authorized individuals can interact with resources.

1. Types of Access Control Strategies

1. Role-Based Access Control (RBAC)

o Access is assigned based on job roles.
o Example: A "Finance Manager" role may have access to financial reports but
not HR files.
2. Discretionary Access Control (DAC)
o Resource owners decide who has access.
o Example: A file owner shares access permissions with selected users.
3. Mandatory Access Control (MAC)
o Access is governed by security policies, classifications, or clearance levels.
o Example: A "Top Secret" document is only accessible to users with the
appropriate clearance.
4. Attribute-Based Access Control (ABAC)
o Access is based on user attributes (e.g., location, time, device).
o Example: A system allows access only during work hours from a company
network.
5. Rule-Based Access Control
o Access is granted based on defined rules.
o Example: Network firewalls that block traffic based on IP addresses.
6. Time-Based Access Control
o Access is restricted to specific time periods.
o Example: Temporary contractors can access systems only during contract
hours.

2. Implementing Access Control Strategies

• Scenario 1: Protecting Financial Data

o Use RBAC to ensure only finance team members can access financial
systems.
o Apply MFA for additional authentication.
• Scenario 2: Securing a Cloud-Based Environment
o Implement ABAC to allow access only from company-approved devices or
locations.
• Scenario 3: Data Center Access
o Apply MAC with classification levels to restrict access to sensitive data.
User Privilege Administration

User privilege administration involves managing and monitoring the permissions and access
rights of users within an organization.

Key Concepts

1. Principle of Least Privilege (PoLP)

o Users should only have access necessary to perform their jobs.
o Example: A receptionist does not need access to server configurations.
2. Privilege Creep
o Occurs when users accumulate unnecessary permissions over time.
o Mitigation: Regularly review and revoke unneeded access rights.
3. Separation of Duties (SoD)
o Critical tasks are split among multiple users to prevent fraud or errors.
o Example: One person processes payments, while another approves them.
4. Access Review and Auditing
o Periodic evaluation of user access to ensure compliance.
o Example: Conduct quarterly reviews of admin accounts.
5. Privileged Account Management (PAM)
o Secures and monitors accounts with elevated access rights.
o Example: System admin accounts are monitored for unusual activity.

Implementing Effective User Privilege Administration

1. User Provisioning
o Grant access based on the user's role during onboarding.
2. Access Revocation
o Remove access promptly when employees leave or change roles.
3. Monitoring Privileged Activity
o Use logging and monitoring tools to track the actions of privileged users.
4. Temporary Privileges
o Grant temporary access for specific tasks and revoke it afterward.
5. Role-Based Permissions
o Create predefined roles to simplify access management and reduce errors.

Review of Key Terminology

 • Security Controls: Measures to protect assets (preventive, detective, corrective).
• Access Control: Mechanisms to regulate access (physical or logical).
• Least Privilege: Providing minimum permissions necessary.
• Separation of Duties (SoD): Splitting tasks to prevent unauthorized actions.
• PAM: Monitoring and securing privileged accounts

DOMAIN 4: Network Security

Network Security Concepts

Network security is the practice of protecting network infrastructure and data from
unauthorized access, misuse, malfunction, or destruction. This includes implementing
strategies to detect, prevent, and respond to cyber threats.

1. Recognizing Common Networking Terms and Models

Networking Terms:

• IP Address: A unique identifier for devices on a network (e.g., IPv4, IPv6).

• Subnet: A division of an IP network that isolates specific devices for improved
security and efficiency.
• Firewall: A barrier that controls incoming and outgoing traffic based on predefined
security rules.
• VPN (Virtual Private Network): A secure channel to access a network remotely.
• Bandwidth: The maximum data transfer rate of a network.

Networking Models:

• OSI Model (Open Systems Interconnection): A conceptual framework with 7

layers:
0. Physical (cables, devices)
1. Data Link (Ethernet, switches)
2. Network (IP addressing, routing)
3. Transport (TCP, UDP)
4. Session (establishing/terminating connections)
5. Presentation (data encryption, compression)
6. Application (HTTP, FTP, DNS)
• TCP/IP Model: A 4-layer protocol model (Application, Transport, Internet, Network
Interface).

2. Identifying Common Protocols and Ports and Their Secure Counterparts

Common Protocols and Ports:

 • HTTP (Port 80): Web traffic (insecure).
• HTTPS (Port 443): Secure web traffic using TLS/SSL encryption.
• FTP (Port 21): File transfer (insecure).
• SFTP (Port 22): Secure file transfer using SSH.
• SMTP (Port 25): Email transmission.
• IMAP (Port 143) / IMAPS (Port 993): Email retrieval.
• DNS (Port 53): Domain name resolution.
• RDP (Port 3389): Remote desktop access.

Secure Counterparts:

• Replace HTTP with HTTPS.

• Use SFTP instead of FTP.
• Prefer IMAPS over IMAP.

3. Types of Network Threats and Attacks

1. Malware:
o Includes viruses, worms, trojans, ransomware.
o Impact: Compromises systems, steals data, encrypts files for ransom.
2. Phishing:
o Deceptive emails or links trick users into revealing sensitive information.
3. Man-in-the-Middle (MitM) Attacks:
o Attacker intercepts and manipulates communication between two parties.
4. Distributed Denial of Service (DDoS):
o Overloads a network with traffic, causing service disruptions.
5. SQL Injection:
o Injects malicious SQL queries into a database via user input fields.
6. Zero-Day Exploits:
o Exploits unknown vulnerabilities in software or systems.
7. Rogue Access Points:
o Unauthorized wireless access points allow attackers to eavesdrop.

4. Common Tools to Identify and Prevent Threats

Threat Detection Tools:

• Intrusion Detection Systems (IDS): Detects unauthorized activities (e.g., Snort).

• Network Monitoring Tools: Monitors network traffic and detects anomalies (e.g.,
Wireshark, SolarWinds).
• Vulnerability Scanners: Identifies security gaps in networks (e.g., Nessus,
OpenVAS).

Threat Prevention Tools:

• Firewalls: Filters and blocks malicious traffic (e.g., Cisco ASA, pfSense).
 • Antivirus/Antimalware Software: Protects against malware.
• Endpoint Detection and Response (EDR): Monitors endpoints for suspicious
behavior (e.g., CrowdStrike, SentinelOne).
• Security Information and Event Management (SIEM): Aggregates and analyzes
security logs (e.g., Splunk, QRadar).

5. Data Center Terminology

• Server Rack: Housing for servers and network equipment.

• Load Balancer: Distributes traffic across multiple servers to ensure performance.
• DMZ (Demilitarized Zone): A separate network layer for public-facing services,
adding a security buffer.
• Hypervisor: Software that enables virtual machines (VMs) to run on physical
hardware.

6. Cloud Service Terminology

• IaaS (Infrastructure as a Service): Provides virtualized hardware (e.g., AWS EC2).

• PaaS (Platform as a Service): Offers platforms for application development (e.g.,
Azure App Service).
• SaaS (Software as a Service): Software delivered via the cloud (e.g., Google
Workspace).
• Public Cloud: Services provided over a shared infrastructure.
• Private Cloud: Exclusive cloud environment for an organization.
• Hybrid Cloud: Combines public and private clouds.

7. Secure Network Design Terminology

• Network Segmentation: Divides networks into smaller segments to isolate sensitive

systems.
• Zero Trust Architecture: Assumes no inherent trust; verifies every user/device.
• Defense in Depth: Implements multiple layers of security controls.
• VPN: Provides secure remote access to private networks.
• Air-Gapped Network: Physically isolated from external networks for maximum
security.

8. Practice and Review Terminology

Key Terms:

• Firewall: Controls traffic in and out of a network.

 • IDS/IPS: Detects and prevents intrusions.
• DMZ: Isolated network layer for external services.
• VPN: Encrypted remote access to a network.
• Zero Trust: Always verify, never assume trust.

Key Concepts:

• Use secure protocols like HTTPS, SFTP.

• Monitor traffic with IDS and network tools.
• Mitigate threats with segmentation and firewalls.
• Regularly update systems to protect against zero-day exploits.

KEY TERMS

Secure Infrastructure Strategies

Building a secure infrastructure involves protecting hardware, software, networks, and data
from threats by designing systems with security and resilience in mind.

Key Strategies:

1. Defense in Depth:
o Use multiple layers of security controls across physical, logical, and
administrative domains.
o Examples: Firewalls, intrusion detection/prevention systems (IDS/IPS),
encryption, access controls.
2. Zero Trust Architecture:
o Assumes no user or device is inherently trustworthy.
o Requires continuous authentication and monitoring.
3. Redundancy and Failover:
o Ensure backup systems (e.g., redundant power supplies, data replication) for
high availability.
4. Network Segmentation:
o Divide networks into smaller segments to limit access and contain breaches.
5. Patch Management:
o Regularly update software to address vulnerabilities.
6. Physical Security:
o Use secure server locations, biometric access, and surveillance systems.

Cloud Computing Infrastructure

Cloud infrastructure refers to the virtualized resources (servers, storage, and networking)
used to provide cloud services. Ensuring its security is critical.
Types of Cloud Services:

1. IaaS (Infrastructure as a Service): Provides virtual machines, storage, and

networking (e.g., AWS EC2, Azure VMs).
2. PaaS (Platform as a Service): Enables application development on managed
platforms (e.g., Google App Engine).
3. SaaS (Software as a Service): Provides complete applications (e.g., Microsoft 365,
Salesforce).

Cloud Security Strategies:

1. Identity and Access Management (IAM):

o Restrict access using role-based access control (RBAC).
o Use multi-factor authentication (MFA).
2. Data Encryption:
o Encrypt data at rest and in transit (e.g., TLS, AES-256).
3. Cloud Firewalls:
o Protect workloads from unauthorized traffic.
4. Shared Responsibility Model:
o Understand that the cloud provider handles infrastructure security, while the
organization secures data and access.
5. Data Backups and Recovery:
o Use snapshots and redundancy to ensure data availability.
6. Compliance and Auditing:
o Adhere to regulations like GDPR, HIPAA, or PCI-DSS, depending on data
types.

Network Architecture

A secure network architecture minimizes vulnerabilities by implementing design principles

that protect data flow and resources.

Best Practices:

1. Demilitarized Zone (DMZ):

o Place public-facing services (e.g., web servers) in a DMZ to isolate them from
internal networks.
2. Segmentation and VLANs:
o Separate networks into logical segments (e.g., employee, guest, and IoT
networks).
o Prevent attackers from moving laterally within the network.
3. Firewalls and IDS/IPS:
o Use firewalls to control traffic flow and intrusion systems to detect/prevent
malicious activity.
4. Virtual Private Networks (VPNs):
o Provide encrypted remote access for users.
5. Zero Trust Network Access (ZTNA):
o Enforce least privilege principles and authenticate users/devices continuously.
 6. High Availability:
o Use redundant devices and links to ensure uptime.

Secure Network Design Components:

• Proxy Servers: To control and monitor outbound traffic.

• Load Balancers: Distribute traffic to prevent bottlenecks.
• Air-Gapped Networks: Physically isolated networks for critical systems.

Ports and Services Management

Proper port and service management is essential for reducing the attack surface of systems.

Key Concepts:

1. Understanding Ports:
o Ports are endpoints for communication. Examples:
 Port 80: HTTP (insecure).
 Port 443: HTTPS (secure).
 Port 22: SSH (secure remote access).
 Port 3389: RDP (remote desktop).
2. Secure Port Practices:
o Close unused ports to prevent unauthorized access.
o Use secure alternatives (e.g., SFTP over FTP).
o Enable firewalls to filter incoming and outgoing traffic.
3. Service Management:
o Regularly audit and disable unnecessary services.
o Implement service whitelisting, allowing only approved processes to run.
4. Port Scanning Tools:
o Use tools like Nmap or Netcat to detect open ports and assess vulnerabilities.

Conclusion

A secure infrastructure integrates strategies like defense in depth, secure network design,
cloud security practices, and port/service management. By understanding and applying these
principles, organizations can protect critical assets, ensure availability, and reduce the risk of
attacks.
DOMAIN 5: Security Operations

Concepts of Security Operations

Security operations focus on protecting an organization’s information assets by monitoring,

detecting, and responding to threats and incidents. Key components include:

1. Incident Response: Quickly identifying, mitigating, and recovering from security

incidents.
2. Threat Intelligence: Gathering data on potential threats to prevent attacks.
3. Vulnerability Management: Identifying, assessing, and addressing security
weaknesses in systems.
4. Security Information and Event Management (SIEM): Centralized logging and
real-time monitoring to detect and respond to threats.

Data Handling Best Practices

Protecting sensitive data is critical to maintaining privacy and compliance.

Best Practices:

1. Data Classification:
o Categorize data (e.g., public, confidential, or restricted) to determine
protection levels.
2. Encryption:
o Encrypt data at rest and in transit using strong encryption algorithms like
AES-256.
3. Data Minimization:
o Collect only necessary data to reduce exposure to risk.
4. Access Control:
o Restrict access to data based on roles and responsibilities.
5. Data Retention and Disposal:
o Define policies for securely storing and deleting data.
6. Compliance:
o Follow regulations like GDPR, HIPAA, or PCI-DSS.

Concepts of Logging and Monitoring

Logging and monitoring help detect anomalies and investigate security incidents.

Key Concepts:

1. Logging:
o Records events and activities within systems (e.g., login attempts, file access).
o Types of logs:
 System Logs: OS-level events.
 Application Logs: Application-specific actions.
 Audit Logs: Tracks administrative changes.
2. Monitoring:
o Continuous review of logs and activities to identify suspicious behavior.
o Use tools like SIEM to correlate and analyze logs.
3. Key Metrics:
o Mean Time to Detect (MTTD): How quickly an attack is identified.
o Mean Time to Respond (MTTR): How quickly mitigation actions are taken.
4. Alerting:
o Trigger notifications for suspicious activities, such as failed login attempts or
unusual file access patterns.

Types of Encryption and Their Common Uses

Encryption protects data by converting it into unreadable formats, ensuring confidentiality.

Types of Encryption:

1. Symmetric Encryption:
o Single key for encryption and decryption.
o Common Use: Encrypting large amounts of data (e.g., AES for file
encryption).
2. Asymmetric Encryption:
o Uses a public key for encryption and a private key for decryption.
o Common Use: Secure communications (e.g., SSL/TLS, email encryption).
3. Hashing:
o Converts data into a fixed-length string that cannot be reversed.
o Common Use: Verifying data integrity (e.g., SHA-256).
4. Hybrid Encryption:
o Combines symmetric and asymmetric encryption (e.g., HTTPS).
o Common Use: Secure file transfer protocols like SFTP.

Concepts of Configuration Management

Configuration management ensures systems are set up securely and consistently.

Key Concepts:
 1. Configuration Baselines:
o Define standard secure settings for systems and applications.
2. Change Management:
o Document and evaluate changes to systems to prevent introducing
vulnerabilities.
3. Automation:
o Use tools like Ansible, Puppet, or Chef to automate configuration
management.
4. Patch Management:
o Regularly update systems to fix vulnerabilities.
5. Continuous Monitoring:
o Track configuration drift to ensure compliance with baselines.

Application of Common Security Policies

Security policies establish rules for protecting organizational assets.

Common Policies:

1. Acceptable Use Policy (AUP):

o Defines how employees can use company resources (e.g., devices, internet).
2. Access Control Policy:
o Defines rules for granting, revoking, and monitoring access to systems.
3. Incident Response Policy:
o Details procedures for identifying, reporting, and responding to security
incidents.
4. Data Protection Policy:
o Outlines how sensitive data should be stored, accessed, and transmitted.
5. Password Policy:
o Sets password complexity and expiration rules.

Importance of Security Awareness Training

Security awareness training educates employees on recognizing and preventing security

threats.

Key Points:

1. Phishing Awareness:
o Teach users to identify suspicious emails and links.
2. Social Engineering Defense:
o Train employees to avoid sharing sensitive information with unverified
individuals.
3. Password Security:
o Promote using strong passwords and multi-factor authentication (MFA).
4. Incident Reporting:
 o Ensure employees know how to report security incidents promptly.

Practice and Review of Network Operations

Understanding and applying security principles in network operations involves:

• Reviewing terminology: SIEM, VPN, IDS/IPS, firewall, etc.

• Practicing threat detection using tools (e.g., Wireshark, Splunk).
• Applying policies and configurations to mitigate risks.

KEY TERMS

Data Governance

Data governance involves the policies, procedures, and standards that ensure the proper
management, protection, and use of an organization's data. It ensures that data is accurate,
consistent, secure, and used responsibly.

Key Components of Data Governance:

1. Data Ownership: Identifying who owns different sets of data within an organization,
ensuring clear responsibilities.
2. Data Classification: Categorizing data based on sensitivity and defining appropriate
controls and handling procedures for each category (e.g., public, confidential,
sensitive).
3. Data Quality: Ensuring the accuracy, consistency, and reliability of data throughout
its lifecycle.
4. Data Privacy: Ensuring that data is handled in compliance with privacy regulations
(e.g., GDPR, CCPA) and internal policies.
5. Data Security: Implementing measures like encryption, access controls, and
monitoring to protect data from unauthorized access and breaches.
6. Compliance: Ensuring adherence to regulatory requirements like HIPAA, PCI-DSS,
and others related to data protection.

Change Management

Change management in cybersecurity refers to the structured approach of managing changes

in an organization's IT environment to minimize disruptions and avoid introducing
vulnerabilities.

Key Concepts in Change Management:

 1. Change Request: The formal submission of a proposed change to systems, software,
or hardware.
2. Impact Assessment: Evaluating the potential consequences of a change on
operations, security, and compliance.
3. Approval Process: Ensuring changes are reviewed and approved by authorized
individuals before implementation.
4. Change Implementation: Executing the approved change, typically following a
standardized process.
5. Testing and Validation: Ensuring the change works as intended and doesn’t
introduce new vulnerabilities.
6. Post-Change Review: After implementation, reviewing the results to ensure the
change was successful and did not impact the security posture negatively.
7. Rollback Plan: Having a plan in place to revert changes if something goes wrong.

Hashing & Encryption

Both hashing and encryption are cryptographic techniques used to protect data. While
encryption is used to secure data so it can be read only by authorized parties, hashing is used
to verify data integrity.

Hashing:

• Definition: A process that transforms data (e.g., a password or a file) into a fixed-
length string, called a hash, using a hash function.
• Characteristics:
o One-way process: You cannot reverse the hash to get the original data.
o Uses: Verifying data integrity (e.g., checking if a file has been altered) and
storing passwords securely.
o Common Hashing Algorithms: SHA-256, MD5 (though MD5 is considered
weak).

Encryption:

• Definition: A process that transforms data into a format that is unreadable without the
correct decryption key.
• Types:
o Symmetric Encryption: The same key is used for both encryption and
decryption (e.g., AES).
o Asymmetric Encryption: Uses a pair of keys, a public key for encryption and
a private key for decryption (e.g., RSA, Elliptic Curve Cryptography).
• Uses: Protecting data confidentiality during transmission or storage (e.g., SSL/TLS
for web traffic, disk encryption).

Difference Between Hashing and Encryption:

• Purpose: Hashing is used for integrity verification, while encryption is used for
confidentiality.
 • Reversibility: Hashing is irreversible, while encryption is reversible (with the correct
key).

Password Security Awareness

Password security awareness is critical in ensuring that users create strong, secure passwords
and protect them from unauthorized access.

Best Practices for Password Security:

1. Password Complexity:
o Passwords should include a mix of uppercase and lowercase letters, numbers,
and special characters. A common guideline is to use passwords that are at
least 12-16 characters long.
2. Avoid Password Reuse:
o Never reuse passwords across different sites or applications. Use unique
passwords for each account.
3. Multi-Factor Authentication (MFA):
o Always enable MFA, which requires something you know (password),
something you have (phone or hardware token), or something you are
(fingerprint or facial recognition).
4. Password Storage:
o Use password managers to store and generate strong, unique passwords for
each service.
5. Regular Changes:
o Periodically change passwords and avoid using predictable passwords (e.g.,
"password123").
6. Phishing Awareness:
o Be cautious of phishing attempts and avoid entering passwords on unfamiliar
or suspicious websites.
7. Password Sharing:
o Never share passwords via email or over the phone. If sharing is necessary,
use secure methods like password managers or encrypted communication
tools.

Educating Users:

• Security awareness training should cover topics like recognizing phishing emails,
creating strong passwords, and understanding the importance of secure password
management.
• Frequent reminders and updates on new security threats can help maintain high levels
of awareness.

In summary, data governance, change management, hashing & encryption, and

password security awareness are all critical components of an organization's broader
cybersecurity strategy. Proper implementation of these concepts ensures the confidentiality,
integrity, and availability of critical information, as well as the overall security of the
organization’s digital environment.