General Security Concepts🔐
This Domain covers essential security concepts, security considerations in change management processes, and cryptography fundamentals.
| Concept | Description |
|---|---|
| Security controls (learn to classify them based on given scenarios) | Categories: Technical, Managerial, Operational, Physical. Control types: Preventive, Deterrent, Detective, Corrective, Compensating, Directive |
| CIA | Confidentiality, Integrity, and Availability |
| Non-repudiation | Impossible to deny your involvement |
| AAA | Authentication, Authorization, and Accounting |
| Gap analysis | Identify weaknesses in one’s current security posture and a clear path toward the desired security posture |
| Zero-Trust | Never trust, always verify |
| Physical security | Tangible security measures around buildings and facilities to control access |
| Deception and disruption technology | Used to catch and understand threat actors: Honeypot, Honeynet, Honeyfile, Honeytoken |
| Change management | Planning, implementing, and solidifying changes in an organization |
| Ownership | Parties responsible for organizational changes |
| Stakeholders | Parties affected by organizational changes |
| Impact analysis | Analysis of changes within a project and their potential consequences |
| Test results | Outcomes of manual/automated tests used to validate changes |
| Backout plan | Procedures to restore systems to the previous baseline prior to the latest modifications |
| Maintenance window | Predefined, scheduled period for planned changes, updates, or maintenance, minimizing disruption to users |
| Standard operating procedure (SOP) | Clear steps for implementing changes with well-defined roles and responsibilities, and strategies for communication geared toward stakeholders |
| Allow lists/deny lists | List-based access control mechanisms permitting/forbidding access to systems |
| Downtime | Time when a system is unavailable |
| Legacy application | Outdated software still in use, often with known vulnerabilities |
| Dependency | Code packages required by a project to run properly |
| Version control | The practice of tracking and managing changes to files, often collaboratively |
| PKI | Public key infrastructure |
| Encryption levels | Full-disk, Partition, File, Volume, Database |
| Symmetric cipher | Stream ciphers: RC4. Block ciphers: DES, Blowfish, 3DES. Considerations: key length, block size, number of rounds |
| Asymmetric cipher | Examples: Diffie-Hellman key exchange, RSA, Elliptic-curve cryptography |
| TPM | Trusted Platform Module |
| HSM | Hardware security module |
| Key management system | System for managing cryptographic keys and their metadata |
| Secure enclave | Isolated hardware system for protecting sensitive data and operations |
| Steganography | Hide data inside other data |
| Tokenization | Substituting sensitive data elements with non-sensitive equivalents (tokens) with no intrinsic or exploitable meaning or value |
| Data masking | Replacing sensitive data with fake, usable data for added security |
| Hashing | One-way, deterministic process that transforms input data into a fixed-length digest |
| Salting | Random characters added to a string (e.g., a password) before hashing so identical inputs produce different hashes |
| Digital signature | Value computed with the sender's private key and verified with the corresponding public key, proving the sender holds that private key and that the message was not altered |
| Key stretching | Method that strengthens weak passwords by making each hash computation deliberately slow or repeated many times |
| Blockchain | Decentralized digital ledger of records linked sequentially by cryptographic hashes |
| Open public ledger | Freely accessible and verifiable system of transactional data |
| Certificate authority | Issuer of digital certificates to ensure the legitimacy of web hosts |
| CRL | Certificate revocation list |
| OCSP | Online Certificate Status Protocol |
| Self-signed certificate | Certificate whose issuer and subject are the same entity |
| Third-party certificate | The issuer has no direct affiliation with your hosting or server environment |
| Root of trust | Secure, trusted source within a cryptographic system, such as an HSM |
| CSR | Certificate signing request |
| Wildcard certificate | Secure a domain and all its first-level subdomains using an asterisk (*) |
| CAPTCHA | Completely Automated Public Turing Test to Tell Computers and Humans Apart |