Security Fundamentals
186 cards · 13 sections
Sections▾
Fundamentals of Security
Information Security
The protection of data and information from unauthorized access, unlawful modification, disruption, disclosure, corruption, and destruction. Focuses on the information itself, not the systems holding it.
Information System Security
The protection of the systems that hold, process, and transmit critical data, including computers, servers, network devices, and smartphones. Focuses on the systems and devices, not the information itself.
CIA Triad
Confidentiality, Integrity, Availability — the three pillars of security. Every security decision maps back to protecting at least one of these three properties.
Confidentiality
Ensures information is only accessible to those with appropriate authorization. Violated when unauthorized users can view or access data.
Integrity
Ensures data remains accurate and unaltered unless modification is authorized. Example: checksums verify a file was not changed or corrupted during network transfer.
Availability
Ensures information resources are accessible and functional when needed by authorized users. Example: redundancy measures keeping a website online under high traffic.
Non-repudiation
Guarantees a specific action or event has taken place and cannot be denied by the parties involved. Example: a digital signature proves the sender cannot deny sending the message.
CIANA
CIA expanded with Non-repudiation (N) and Authentication (A) — a five-property pentagon model. The exam may reference both the original triad and this expanded form.
Authentication
The process of verifying the identity of a user or system. Example: username and password checked against stored credentials.
Authorization
Determines what actions or resources an authenticated user has permission to perform. Example: employee can VIEW database records but not EDIT them (read without write).
Accounting
Tracking user activities and resource utilization for auditing or billing. Example: logging all network actions to detect unusual or unauthorized behavior.
Security Controls
Measures or mechanisms put in place to mitigate risks and protect the CIA of information systems and their data. Every control has both a category and a type.
Zero Trust
Security model where no one — inside or outside the organization — is trusted by default. Verification is required from everyone attempting to access resources.
Security vs Convenience Trade-off
Increasing security adds friction; users will bypass overly restrictive controls. Increasing convenience loosens the security posture. Average data breach cost: $4.35 million (2022).
CIANA — Expanded CIA Triad
CIA (3 properties) extended with Non-repudiation and Authentication = CIANA (5 properties, pentagon). Authentication in CIANA feeds directly into the AAA framework.
AAA Framework — Strict Order
Must occur in this exact sequence — you cannot skip ahead:
- Authentication — verify identity (who are you?)
- Authorization — grant permissions (what can you do?)
- Accounting — log all actions (what did you do?)
Security Control Categories (WHO manages it)
Four categories — every control belongs to exactly one:
- Technical — hardware/software controls (firewalls, encryption, antivirus)
- Managerial — policies, procedures, risk assessments, governance
- Operational — day-to-day human processes (security training, guards, background checks)
- Physical — physical barriers and deterrents (locks, fencing, cameras, bollards)
Security Control Types (WHAT it does)
Six types — every control belongs to exactly one:
- Preventative — stops an incident before it occurs (firewall blocking malicious traffic)
- Deterrent — discourages attackers without physically blocking (warning signs, lighting)
- Detective — identifies incidents after they occur (CCTV footage, SIEM alerts, audit logs)
- Corrective — reduces impact after an incident (applying patch, restoring from backup)
- Compensating — alternative control when the primary control cannot be implemented
- Directive — mandates behavior through rules (acceptable use policy, mandatory procedures)
Zero Trust — Two Planes
Zero Trust requires both planes working together:
- Control Plane — adaptive identity, threat scope reduction, policy-driven access controls, secured zones
- Data Plane — subject/system, policy engine, policy administrator, policy enforcement points
Info Security vs Info System Security
Scenario about 'protecting the data itself' → Information Security. Scenario about 'protecting the devices/systems that hold the data' → Information System Security. This exact distinction is tested.
Control category AND type — two separate questions
Category = WHO manages it (Technical / Managerial / Operational / Physical). Type = WHAT it does (Preventative / Deterrent / Detective / Corrective / Compensating / Directive). Door lock = Physical + Preventative. CCTV camera = Physical + Detective. Exam tests both axes independently.
Non-repudiation → digital signature
Exam cue: 'the sender cannot deny sending it' → non-repudiation. A digital signature satisfies three properties simultaneously: Authentication, Integrity, and Non-repudiation.
AAA: Authentication before Authorization — always
You cannot be authorized until authenticated. If a scenario describes a user accessing resources they should not have, trace which AAA step failed first.
Domain 1 exam objectives covered here
Obj 1.1 = compare and contrast types of security controls (categories vs types). Obj 1.2 = summarize fundamental security concepts (CIA, CIANA, AAA, Zero Trust). Study 1.2 before 1.1.
Threats & Vulnerabilities
Threat
Anything that could cause harm, loss, damage, or compromise to a system or its data. A threat creates danger, but it only creates risk when a matching vulnerability exists.
Vulnerability
A weakness in design, implementation, configuration, or process that can be exploited by a threat. Vulnerabilities are internal weaknesses that the organization can often remediate.
Risk
The potential for loss or damage when a threat can exploit a vulnerability. Risk exists only when both a threat and a matching vulnerability are present.
Risk Management
The process of deciding how to handle identified risks. Every response falls into one of four strategies: Mitigate, Transfer, Avoid, or Accept.
Threats = External (uncontrollable); Vulnerabilities = Internal (controllable)
The core distinction the exam tests on this topic:
- Threat sources (external): natural disasters, cyber attacks, data integrity breaches, malicious outsiders
- Vulnerability sources (internal): software bugs, misconfigured software, missing patches, unprotected network devices, lacking physical security
The Risk Equation
Risk only materialises when a threat has a matching vulnerability to exploit:
- Threat present + no matching vulnerability = NO risk
- Vulnerability present + no matching threat = NO risk
- Threat + matching vulnerability = RISK — a management response is required
Four Risk Management Strategies
Every cybersecurity decision maps to one of these four responses:
- Mitigate — implement controls to reduce likelihood or impact (e.g. apply security patch)
- Transfer — shift financial risk to another party (e.g. purchase cyber insurance)
- Avoid — eliminate the activity that creates the risk entirely (e.g. decommission vulnerable service)
- Accept — acknowledge the risk and take no action; appropriate for low-priority or low-impact risks
Threat ≠ Risk — both elements must be present
A threat alone is not a risk. A vulnerability alone is not a risk. Exam describes a scenario and asks if risk exists — confirm both a threat AND a matching vulnerability are present before answering yes.
Identify the risk strategy from the scenario
Purchasing cyber insurance = Transfer. Applying a security patch = Mitigate. Permanently shutting down a vulnerable system = Avoid. Documenting a low-severity finding with no remediation = Accept.
Vulnerabilities = internal factors = within org control
Exam may ask what distinguishes threats from vulnerabilities. Key answer: vulnerabilities originate from internal factors the organization can address; threats are external and cannot be prevented, only mitigated.
Confidentiality
Confidentiality
Protection of information from unauthorized access and disclosure. Ensures private or sensitive data is not available to unauthorized individuals, entities, or processes.
Encryption
Converting plaintext into ciphertext to prevent unauthorized access. Only readable by someone who holds the correct decryption key.
Plaintext
Data in its original readable format, before encryption is applied.
Ciphertext
Data after encryption — scrambled and unreadable without the corresponding decryption key.
Data Masking
Obscuring specific fields within a database so unauthorized users cannot see the real values, while authorized users retain access to the full data. Example: credit card number showing only last 4 digits.
PII — Personally Identifiable Information
Any data that can identify a specific individual: name, address, SSN, date of birth. Subject to regulatory protection; failure to protect results in fines.
PHI — Protected Health Information
Health-related data tied to an individual (diagnoses, treatment records). Regulated under HIPAA in the US. Mandatory confidentiality category alongside PII and financial data.
Three Reasons Confidentiality Is Required
The exam tests WHY confidentiality controls exist — know all three:
- Personal Privacy — individuals expect health records, financial details, and personal data to stay private without their consent
- Business Advantage — proprietary data, client lists, and business strategy must stay confidential to maintain competitive edge
- Regulatory Compliance — PII, PHI, and financial data have mandatory protection laws; non-compliance results in fines
Five Methods to Ensure Confidentiality
The exam gives a scenario and asks which method is being used or should be applied:
- Encryption — converts plaintext to ciphertext; only readable with the correct decryption key (most exam-tested method)
- Access Controls — permissions restrict who can read or write data (password-protected files, RBAC)
- Data Masking — hides specific fields in display while underlying data remains intact in storage
- Physical Security — locks, biometric controls, cameras protect paper records and servers from physical access
- Training & Awareness — reduces breaches caused by human error, negligence, or malicious insiders
Confidentiality → encryption
Confidentiality and encryption are the highest-frequency exam pairing. Scenario about preventing unauthorized users from reading data → encryption is the primary answer.
Confidentiality = data cannot be SEEN; Integrity = data cannot be ALTERED
Most commonly swapped CIA properties in exam questions. Unauthorized viewing/disclosure = Confidentiality breach. Unauthorized modification = Integrity breach. Do not swap them.
Data masking vs encryption — key difference
Encryption: entire value scrambled; authorized user receives full plaintext after decryption. Data masking: part of the value permanently hidden in display; full value stays intact in storage.
PII / PHI → regulatory compliance scenario
Question mentions HIPAA or health records → PHI confidentiality. Question mentions SSN, home address, or date of birth → PII confidentiality. Both connect to the regulatory compliance driver.
Integrity
Integrity
Ensures data remains accurate and unchanged from its original state unless intentionally modified by an authorized individual. Verifies the accuracy and trustworthiness of data over its entire lifecycle.
Hashing
Converting data into a fixed-size value (hash digest). Any change to the original data — even one character — produces a dramatically different hash, revealing tampering. The primary integrity verification method.
Hash Digest
The output of a hashing function. Serves as a digital fingerprint for a piece of data — unique to its exact content. If the digest changes, the data has been altered.
Digital Signature
Ensures both integrity and authenticity. Process: (1) file is hashed to produce a hash digest, (2) digest is encrypted with the sender's private key. Any alteration to the file changes the hash and invalidates the signature.
Checksum
A value calculated from data and sent alongside it during transmission. The receiver recalculates the checksum on arrival — if values match, integrity is maintained; if different, tampering or corruption occurred.
Regular Audits
Systematically reviewing logs and operations to ensure only authorized changes have been made. Detects unauthorized modifications to systems, configurations, or data.
Three Reasons Integrity Is Required
The exam tests WHY integrity controls exist — know all three:
- Data Accuracy — decisions must be based on correct, unaltered information (financial records, medical data)
- Maintain Trust — users and systems lose trust in data that can be silently modified by attackers
- System Operability — corrupted data causes system malfunctions, unexpected behavior, and downtime
Five Methods to Maintain Integrity
The exam gives a scenario and asks which method is being applied:
- Hashing — produces a hash digest (digital fingerprint); any change = different hash (most exam-tested)
- Digital Signatures — hash digest encrypted with private key; proves integrity and authenticity together
- Checksums — sender and receiver compare calculated values; mismatch = tampering or corruption in transit
- Access Controls — restrict who can MODIFY data, not just who can view it
- Regular Audits — systematic log review to detect unauthorized changes to data or configurations
How Digital Signatures Work
Two-step process that provides both integrity and authenticity:
- Step 1 — file is hashed, producing a hash digest
- Step 2 — hash digest is encrypted with the sender's private key, producing the digital signature
- Verification — receiver decrypts signature with sender's public key and compares hashes; mismatch = file altered
Integrity → Hashing
Integrity and hashing are a high-frequency exam pairing. Scenario about detecting whether data was altered or tampered with → hashing is the primary answer. Mirror of Confidentiality → Encryption.
Integrity = data cannot be ALTERED; Confidentiality = data cannot be SEEN
Most commonly swapped CIA properties on the exam. Unauthorized modification/tampering = Integrity breach. Unauthorized viewing/disclosure = Confidentiality breach. Read the scenario carefully before answering.
Digital Signatures prove TWO things simultaneously
A digital signature provides Integrity (data was not altered) AND Authenticity/Non-repudiation (sender cannot deny it). Exam may ask which CIA property a digital signature protects — it satisfies Integrity, Authentication, and Non-repudiation.
Checksum logic — match vs mismatch
Sender checksum = receiver checksum → integrity maintained, data arrived unaltered. Sender checksum ≠ receiver checksum → tampering or corruption occurred in transit. Simple rule, tested in scenario form.
CIA parallel structure — use it to remember
Confidentiality and Integrity follow the exact same pattern: 3 reasons it matters + 5 methods to achieve it. Confidentiality → Encryption. Integrity → Hashing. Learning the parallel makes both easier to recall under exam pressure.
Availability
Availability
Ensures information, systems, and resources are accessible and operational when needed by authorized users. Measured by uptime percentage and expressed in 'nines'.
Redundancy
Duplication of critical components or functions of a system to enhance reliability. If one component fails, the backup takes over to ensure uninterrupted service.
Five Nines (99.999%)
The gold standard of availability. Permits a maximum of 5.26 minutes of downtime per calendar year. Requires robust infrastructure, proactive monitoring, and redundancy at every layer.
Three Nines (99.9%)
Permits a maximum of 8.76 hours of downtime per calendar year. Common baseline SLA for many service providers.
Server Redundancy
Using multiple servers in a load-balanced or failover configuration. If one server is overloaded or fails, others take over the load and continue serving users.
Data Redundancy
Storing data in multiple locations so that if one storage site fails, data remains accessible from another. Achieved via RAID locally or hybrid on-premises and cloud-based backup systems.
Network Redundancy
Multiple network paths so that if one path fails, data routes through an alternative. Example: primary fiber + secondary cable + cellular failover.
Power Redundancy
Backup power sources — generators and Uninterruptible Power Supply (UPS) systems — that keep systems operational during power outages or disruptions.
Three Reasons Availability Is Required
The exam tests WHY availability controls exist — know all three:
- Business Continuity — downtime causes direct financial loss (telecom: $2M/hour, $33K/minute); hospitals face life-threatening situations
- Customer Trust — unavailable systems drive customers to competitors and cause revenue loss
- Organisational Reputation — repeated downtime tarnishes brand image and makes it harder to regain customer confidence
The Nines of Availability — Uptime vs Downtime
Service providers express availability as a number of nines. Know these for scenario questions:
- 99% (2 nines) — up to 3.65 days downtime per year
- 99.9% (3 nines) — up to 8.76 hours downtime per year
- 99.99% (4 nines) — up to 52.6 minutes downtime per year
- 99.999% (5 nines) — up to 5.26 minutes downtime per year (gold standard)
Four Types of Redundancy
The exam gives a scenario and asks which type of redundancy addresses it:
- Server Redundancy — load balancing and failover across multiple servers
- Data Redundancy — RAID arrays or cloud backup; data survives single storage failure
- Network Redundancy — multiple ISPs or network paths; traffic reroutes on failure
- Power Redundancy — UPS and generators; systems stay online during power outages
Availability → Redundancy
Availability pairs with redundancy on the exam. Scenario about ensuring systems stay online or survive failures → redundancy is the answer. Completes the CIA exam-link trio: Confidentiality → Encryption, Integrity → Hashing, Availability → Redundancy.
Five nines = gold standard = 5.26 minutes/year
99.999% uptime with a maximum of 5.26 minutes downtime per year. If an exam question names the gold standard or asks for the highest availability tier — five nines. If it asks what 99.9% allows — 8.76 hours.
Availability attacks = DoS and DDoS
Any attack designed to make a system unavailable targets the Availability pillar of CIA. Denial of Service (DoS) and Distributed Denial of Service (DDoS) are the primary availability-targeting attacks. Exam scenario: 'attacker flooded servers with traffic, users cannot access service' → Availability breach.
Match the redundancy type to the failure scenario
Power outage → Power Redundancy (UPS/generator). Server crash → Server Redundancy (failover). ISP goes down → Network Redundancy. Storage drive failure → Data Redundancy (RAID/backup). The exam names the failure and asks which redundancy type applies.
CIA exam-link summary — all three high-frequency pairings
Confidentiality → Encryption. Integrity → Hashing. Availability → Redundancy. These three pairings are the most commonly tested scenario mappings for the CIA triad. Memorise all three as a set.
Non-repudiation
Non-repudiation
A security measure ensuring individuals or entities involved in a communication or transaction cannot deny their participation or the authenticity of their actions. Provides undeniable proof.
Digital Signature
The primary tool for achieving non-repudiation. Created by: (1) hashing the message to produce a hash digest, then (2) encrypting that hash digest with the sender's private key using asymmetric encryption. Only the private key holder can produce it — cannot be faked.
Asymmetric Encryption (in digital signatures)
Digital signatures use asymmetric encryption: the sender signs with their private key; the recipient verifies with the sender's public key. The private key is never shared, making the signature unique and non-deniable.
Three Reasons Non-repudiation Is Required
The exam tests WHY non-repudiation controls exist — know all three:
- Confirming Authenticity — proves a transaction or communication came from the stated source; prevents impersonation (anyone can create a fake email address, but cannot fake a private key)
- Ensuring Integrity — digital signatures embed a hash; any alteration to the message breaks the signature, proving tampering occurred
- Providing Accountability — every action has a digital stamp traceable back to the actor; users cannot deny actions they took
How Digital Signatures Achieve Non-repudiation
Two-step signing process using asymmetric encryption:
- Step 1 — sender hashes the message, producing a hash digest
- Step 2 — hash digest is encrypted with sender's private key → this is the digital signature
- Verification — receiver decrypts with sender's public key; if hashes match, message is authentic and unaltered
- Non-repudiation — only the sender holds the private key, so they cannot deny having signed it
What Non-repudiation Prevents
Without a digital signature, any attacker can spoof an email address or impersonate a sender. With a digital signature, the private key proves the origin — the sender cannot claim they did not send the message, even if they try.
Non-repudiation → digital signature
Non-repudiation maps directly to digital signatures on the exam. Any scenario about proving someone cannot deny an action → digital signature is the answer.
Digital signatures use the PRIVATE key to sign — not the public key
Signing = private key (only the sender has it). Verification = public key (anyone can verify). Exam frequently tests this direction. Encrypting with the private key = signing. Decrypting with the public key = verification.
One digital signature — three properties satisfied
A digital signature simultaneously proves: Integrity (data was not altered — hash check), Authentication (sender identity confirmed — private key), and Non-repudiation (sender cannot deny — only they hold the private key). Exam may ask which property a digital signature satisfies — the answer is all three.
Non-repudiation vs Integrity — same tool, different question
Integrity concern: 'Was the data altered in transit?' → hash mismatch reveals tampering. Non-repudiation concern: 'Can the sender deny sending it?' → no, private key proves origin. Both use digital signatures but the exam tests them as distinct CIA properties.
No digital signature = no non-repudiation
An unsigned email provides zero non-repudiation — anyone can spoof a sender's name or create a fake account. If a scenario asks how to achieve non-repudiation for email → implement digital signatures (S/MIME or PGP).
Authentication
Authentication
A security measure that ensures individuals or entities are who they claim to be during a communication or transaction. Focuses on verifying identity before granting access.
Knowledge Factor (Something You Know)
Authentication relying on information the user can recall — passwords, PINs, passphrases, security questions. In a username-and-password login, the secret knowledge factor is the password or PIN.
Possession Factor (Something You Have)
Authentication relying on a physical item the user presents — employee badge, smartphone (for OTP), hardware token. Example: one-time SMS code sent to your phone.
Inherence Factor (Something You Are)
Authentication relying on a unique physical or behavioral characteristic. Also called biometric authentication. Examples: fingerprint scan, facial recognition, iris scan, voice recognition.
Action Factor (Something You Do)
Authentication relying on a unique action performed by the user. Examples: handwriting analysis, gait analysis (how you walk), keystroke dynamics.
Location Factor (Somewhere You Are)
Authentication relying on the user being in a specific geographic location. Examples: geofencing (must be within X feet of a location), country-based access restrictions.
MFA — Multi-Factor Authentication
A security process requiring users to provide two or more authentication factors from different categories to verify identity. Even if one factor is compromised, the attacker cannot proceed without the others.
2FA — Two-Factor Authentication
A specific form of MFA using exactly two authentication factors from different categories. A subset of MFA.
Biometric Authentication
An inherence-factor authentication method using unique physical characteristics (fingerprint, face, iris, voice). Falls under 'something you are.'
Five Authentication Factors — Know All Five
The exam uses both the casual name and the formal factor name:
- Something You Know → Knowledge Factor (password, PIN, security question)
- Something You Have → Possession Factor (badge, smartphone OTP, hardware token)
- Something You Are → Inherence Factor (fingerprint, facial recognition, iris scan)
- Something You Do → Action Factor (handwriting, gait analysis, keystroke dynamics)
- Somewhere You Are → Location Factor (geofencing, country-based restrictions)
MFA — Why It Matters
Combining two or more factors from different categories means a single compromised credential is not enough for an attacker to gain access:
- Password stolen → attacker still blocked without the second factor (e.g. OTP on smartphone)
- Phone stolen → attacker still blocked without the password
- 2FA = exactly two factors | MFA = two or more factors (2FA is a subset of MFA)
Three Reasons Authentication Is Critical
The exam tests WHY authentication controls exist:
- Prevent Unauthorized Access — keeps impersonators and malicious actors out of systems and data
- Protect User Data and Privacy — ensures personal and sensitive data is shown only to rightful owners or authorized individuals
- Ensure Resource Validity — ensures only valid users consume shared resources such as cloud storage and network bandwidth
MFA requires factors from DIFFERENT categories
Using two passwords is NOT MFA — it is the same factor type used twice (knowledge + knowledge). True MFA combines different categories: e.g. password (knowledge) + OTP on phone (possession). This is a classic exam distractor.
OTP via SMS = possession factor, not knowledge factor
A one-time code sent to your smartphone is 'something you have' (possession) — not 'something you know.' The phone is the possession. Exam scenarios often test whether you can correctly classify this.
Biometrics = inherence factor = something you are
Fingerprint, facial recognition, iris scan, voice recognition → all inherence factors. The formal term is 'inherence factor.' If the exam asks which factor type biometrics belongs to → inherence / something you are.
Know the formal factor name AND the casual name
Exam questions use both forms interchangeably: 'knowledge factor' = 'something you know', 'possession factor' = 'something you have', 'inherence factor' = 'something you are', 'action factor' = 'something you do', 'location factor' = 'somewhere you are'.
Authentication vs Authorisation — order matters
Authentication = verify WHO you are (happens first). Authorisation = determine WHAT you can do (happens after authentication). You cannot be authorized before being authenticated. Exam tests this sequence in scenario form.
Authorization
Authorization
The permissions and privileges granted to users or entities AFTER they have been authenticated. Determines what an authenticated identity is allowed to do, view, or modify within a system.
Role-Based Authorization (RBAC)
Access permissions determined by the user's assigned role in the system. Example: nurses can view patient vitals; only doctors can alter treatment plans. Covered in depth in Domain 4 (IAM).
Rule-Based Authorization
Access determined by predefined rules set by administrators, independent of user role. Example: no access allowed outside business hours regardless of who the user is.
Attribute-Based Authorization (ABAC)
Access determined by attributes of the user, the resource, and the environment (e.g. department, clearance level, time of day, location). More flexible than role-based. Covered in depth in Domain 4.
Permissions / Privileges
The specific actions a user is authorized to perform — read, write, modify, delete, execute. Granted after authentication based on identity and role.
Authentication vs Authorization — the core distinction
Two sequential steps that are commonly confused on the exam:
- Authentication — verifies WHO you are (entering the building with an access card)
- Authorization — determines WHAT you can do once inside (which rooms or floors you may enter)
- Authorization always follows authentication — you cannot be authorized without first being authenticated
Three Reasons Authorization Is Required
The exam tests WHY authorization controls exist:
- Protect Sensitive Data — ensures confidential data is accessible only to users with proper clearance (nurse sees vitals; only doctor alters treatment plans)
- Maintain System Integrity — prevents accidental or deliberate misconfigurations by restricting who can make changes to systems or data
- Streamline User Experience — users see only the options and data relevant to their role, reducing complexity and error
Authorization Mechanisms
Three types of authorization controls the exam may reference:
- Role-based — access tied to the user's role (RBAC); most common in enterprise environments
- Rule-based — access governed by administrator-defined rules applied to all users
- Attribute-based — access based on multiple attributes of the user, resource, and environment (ABAC); most flexible
Authentication vs Authorization — most commonly swapped
Authentication = 'Who are you?' (identity verification). Authorization = 'What are you allowed to do?' (permissions). The exam describes a scenario and asks which one is occurring — authentication ends when identity is confirmed; authorization begins after that.
AAA sequence cue -> Authentication, then Authorization, then Accounting
Authentication confirms identity first. Authorization determines permitted actions next. Accounting records what the user did after access was granted. If the exam asks which step sits between identity verification and logging, choose authorization.
Authorization enforces Least Privilege
Least Privilege principle states users should only have the minimum permissions needed for their role. Authorization is the mechanism that enforces it. Exam scenario: 'user can only read, not write' → authorization enforcing least privilege.
RBAC, rule-based, ABAC — introduced here, tested in Domain 4
This transcript introduces the three authorization mechanism types. Deep scenario questions on RBAC, MAC, DAC, and ABAC appear in Domain 4 (IAM — Day 19). Flag for review when you reach that section.
Accounting
Accounting
A security measure ensuring all user activities during a communication or transaction are properly tracked and recorded. Focuses on monitoring and logging actions of users or entities during digital interactions.
Audit Trail
A chronological record of all user activities used to trace changes, unauthorized access, or anomalies back to a specific user or point in time. The primary output of an accounting system.
Syslog Server
Aggregates logs from various network devices and systems into a central location so administrators can analyze them to detect patterns or anomalies across the organization.
Network Analyser (e.g. Wireshark)
Captures and analyzes network traffic to provide detailed insights into data moving across the network. Used to inspect packet-level detail for troubleshooting and forensic investigation.
SIEM — Security Information and Event Management
Provides real-time analysis of security alerts generated by hardware and software infrastructure across the organization. Aggregates, correlates, and alerts on log data. Covered in depth in Domain 4 (Day 26).
Five Reasons Accounting Is Used
The exam tests WHY accounting controls exist — know all five:
- Audit Trail — chronological record traces changes, unauthorized access, and anomalies to a specific user or time
- Regulatory Compliance — industries require comprehensive activity records to meet data protection regulations
- Forensic Analysis — detailed logs reveal what happened in a breach, how it occurred, and how to prevent recurrence
- Resource Optimisation — tracks bandwidth and storage usage by whom, enabling informed allocation decisions
- User Accountability — knowing actions are logged deters misuse and enforces adherence to security policies
What Accounting Logs
Any action taken by a user within a system should be captured:
- Login and logout events
- File access and modification
- Configuration changes
- Software downloads and installations
- Attempted unauthorized actions
Three Technologies That Implement Accounting
Each serves a different scope and depth of logging:
- Syslog Server — aggregates logs from network devices and systems into one location for centralised analysis
- Network Analyser (Wireshark) — captures full packet data from network traffic for deep inspection
- SIEM — correlates log data from across the organization in real time; generates alerts on anomalies
Accounting is always LAST in the AAA sequence
Authentication (verify identity) → Authorization (grant permissions) → Accounting (log actions). You cannot log meaningful actions before identity is verified and access is granted. Exam tests this order in scenario form.
SIEM vs Syslog — different tools, different purpose
Syslog = passive log aggregation and storage from network devices. SIEM = active real-time correlation, analysis, and alerting across all log sources. Exam scenario: 'detect and alert on suspicious activity in real time' → SIEM, not Syslog.
Accounting deters insider threats
User accountability is a deterrent control — users behave differently when they know their actions are being logged. Exam may ask which AAA component helps prevent insider misuse → Accounting.
Audit trail = forensic evidence
In incident response and forensic analysis questions, the audit trail is the primary evidence source. 'How do you determine what a compromised account accessed?' → review the audit trail / accounting logs.
Accounting supports both Integrity and Availability
Logs detect unauthorized modifications (Integrity) and track resource consumption that could signal a DoS condition (Availability). Accounting is not just a housekeeping function — it actively supports the CIA triad.
Security Control Categories
Technical Controls
Technologies, hardware, and software mechanisms implemented to manage and reduce risk. Operate at the system/technology layer and provide automated protection. Examples: antivirus, firewalls, encryption, intrusion detection systems (IDS).
Managerial Controls (= Administrative Controls)
Strategic planning and governance side of security. Ensure the organization's security strategy aligns with business goals and risk tolerance. Examples: risk assessments, security policies, training programs, incident response strategies. Also called Administrative Controls — both names are used on the exam.
Operational Controls
Day-to-day procedures and measures designed to protect data, governed by internal processes and human actions. Examples: password rotation policies, backup procedures, account reviews, user awareness training.
Physical Controls
Tangible, real-world measures that protect assets outside the digital realm. Examples: surveillance cameras, biometric scanners, reinforced doors, barbed wire fences, security guards, door locks, secure document shredding.
Four Security Control Categories
Every security control belongs to exactly one category based on who manages it and how it operates:
- Technical — automated hardware/software protection (antivirus, firewall, encryption, IDS/IPS)
- Managerial — strategic governance and planning (risk assessments, security policies, IR strategies)
- Operational — human-performed day-to-day processes (password rotation, backups, awareness training)
- Physical — tangible barriers protecting assets (cameras, biometrics, locks, guards, secure shredding)
Layered Security Across All Four Categories
No single category is sufficient on its own. A robust security posture layers controls across all four categories simultaneously — technical tools, management strategy, operational procedures, and physical barriers work together to defend against a wide variety of threats.
Managerial = Administrative — both names tested
The exam uses both 'Managerial controls' and 'Administrative controls' to mean the same thing. If you see either term in a question or answer option, treat them as identical. This is one of the most common sources of confusion on the exam.
Identify the category from the scenario — four quick rules
Read the scenario and apply this decision tree:
- Automated software or hardware doing the protecting → Technical
- Policy, risk assessment, strategy, or governance document → Managerial / Administrative
- Human-performed process or procedure on a recurring basis → Operational
- Lock, camera, guard, door, fence, or physical barrier → Physical
Password rotation policy = Operational control
A policy requiring password changes every 90 days is Operational — it is a human-governed, day-to-day procedure. The policy document that mandates it is Managerial. Do not confuse the procedure (Operational) with the policy that created it (Managerial).
A single control can address multiple CIA properties
Technical controls like encryption protect Confidentiality. Firewalls can protect Availability (blocking DoS) and Confidentiality. Physical controls protect all three by preventing hardware theft or tampering. The exam may ask which CIA property a control primarily addresses.
Security Control Types
Preventative Control
Proactive measures implemented to thwart potential threats before an incident occurs. Fortifies systems ahead of time. Example: firewall filtering traffic to block harmful packets before they enter the network.
Deterrent Control
Discourages potential attackers by making an attack seem less appealing or more risky. Does not block or detect — only discourages. Example: warning signs, security banners on websites, visible cable locks.
Detective Control
Monitors and alerts to malicious activity as it occurs or shortly after. Goal is detection and notification — not prevention. Examples: security cameras, IDS (Intrusion Detection System), audit logs, SIEM alerts.
Corrective Control
Mitigates damage and restores systems to normal state after a threat has been detected. Activated after a detective control identifies an incident. Example: antivirus quarantining and removing malware after detection.
Compensating Control
An alternative measure implemented when the primary or ideal control is not feasible. Provides equivalent protection using a different approach. Example: WPA2 + VPN when a legacy system cannot support WPA3.
Directive Control
Guides, informs, or mandates actions through policy or documentation. Sets standards for behavior within an organization. Example: Acceptable Use Policy (AUP) governing how employees may use company IT assets.
AUP — Acceptable Use Policy
A directive control that defines how employees are permitted to use company-owned IT assets. A policy document — therefore always classified as a directive control.
IDS — Intrusion Detection System
Constantly scans network traffic for suspicious activity and notifies administrators when anomalies are detected. A detective control — it detects and alerts but does not block. Contrast with IPS (Intrusion Prevention System) which blocks.
Six Security Control Types
Every control belongs to one type based on WHAT it does:
- Preventative — stops an incident before it occurs (firewall, access controls, encryption)
- Deterrent — discourages attackers without blocking (warning signs, security banners, lighting)
- Detective — identifies incidents as they occur or after (cameras, IDS, audit logs, SIEM)
- Corrective — restores systems after an incident (malware removal, patching, restoring backups)
- Compensating — alternative when ideal control is unavailable (VPN over WPA2 when WPA3 unsupported)
- Directive — mandates behavior through policy (AUP, security policies, procedures)
One Tool Can Have Multiple Types
The type depends on what the tool is doing at a given moment, not what the tool is. Antivirus is the key example:
- Antivirus scanning and flagging malware → Detective control
- Antivirus quarantining and removing malware → Corrective control
- Same tool, two different types depending on the action being performed
Policy → Directive control
When a question references a policy document, the default exam answer is a directive control. AUP, security policy, data handling procedure, password policy document → all directive controls.
Warning signs = Deterrent; Cameras = Detective — do not swap
The sign warning that cameras are present = Deterrent (discourages the attacker). The camera itself recording activity = Detective (captures what happens). This is a classic exam distractor — read the scenario carefully to identify which object is being described.
IDS = Detective; IPS = Preventative
IDS (Intrusion Detection System) detects and alerts — it does not block. Detective control. IPS (Intrusion Prevention System) detects AND blocks traffic inline. Preventative control. The exam tests this distinction frequently.
Compensating control = fallback when ideal control is not possible
Exam scenario: 'A legacy system cannot support the recommended control, so the organization implemented X instead.' X is the compensating control. The compensating control is always the workaround, not the ideal solution.
Deterrent vs Preventative — key difference
Preventative physically stops an attack from succeeding (firewall drops the packet). Deterrent only discourages — a determined attacker can ignore it. If the control blocks, it is Preventative. If it only warns or discourages, it is Deterrent.
Zero Trust
Zero Trust
A cybersecurity approach that assumes no user, device, or system is trusted by default — regardless of whether they are inside or outside the network. Requires continuous verification for every access request. Mantra: 'Trust nothing and verify everything.'
Deperimeterization
The breakdown of traditional network perimeters, making perimeter-only defences insufficient. Driven by cloud migration, remote work, mobile devices, wireless networks, and outsourcing. The primary reason Zero Trust emerged.
Control Plane
The overarching framework responsible for defining, managing, and enforcing access policies in a Zero Trust architecture. Contains: Adaptive Identity, Threat Scope Reduction, Policy-Driven Access Control, Secured Zones, Policy Engine, and Policy Administrator.
Data Plane
Executes the policies defined by the Control Plane. Contains: the Subject/System (entity requesting access) and the Policy Enforcement Point (where access is granted or denied).
Adaptive Identity
Continuous real-time validation of identity using user behavior, device state, location, and context. Replaces static one-time login verification — identity is constantly re-evaluated and adjusted throughout a session.
Threat Scope Reduction
Limiting user access to only what is needed for their specific work tasks. Reduces the attack surface and minimizes the blast radius if credentials are compromised — an attacker cannot move freely through the whole network.
Policy-Driven Access Control
Developing and enforcing access policies based on user roles and responsibilities. Ensures users can only access data pertinent to their role, reducing potential for data breaches.
Secured Zones
Isolated environments within a network designed to house sensitive data. Only users with explicitly granted permissions can access them — an additional layer of protection beyond standard access controls.
Policy Engine
Cross-references an access request with predefined policies to determine whether the request aligns with the subject's permissions. Acts as the rule book — makes the allow/deny decision.
Policy Administrator
Establishes and manages the access policies that the Policy Engine enforces. Dictates who gets access to what and ensures policies align with the organization's security protocols and business objectives.
Policy Enforcement Point (PEP)
The final gatekeeper in the Zero Trust data plane. Executes the Policy Engine's allow or deny decision — physically grants or restricts access to sensitive systems or data.
Subject / System
The individual or entity attempting to gain access — an employee, a workstation, or a software application. Must be continuously verified before access to sensitive data or systems is granted.
Why Zero Trust Replaced Perimeter Security
Traditional perimeter-based defences (firewalls, IPS at the network edge) assumed everything inside the perimeter was safe. Deperimeterization broke that assumption:
- Cloud migration — data and workloads moved outside the physical perimeter
- Remote work — users connect from untrusted networks
- Mobile devices — endpoints outside organizational control
- Wireless networks — broader, harder-to-control access points
- Outsourcing / contracting — third parties accessing internal systems
Control Plane Components
Defines and manages the Zero Trust policy framework:
- Adaptive Identity — continuous real-time identity verification based on behavior, device, and location
- Threat Scope Reduction — least-privilege access to minimize blast radius
- Policy-Driven Access Control — role-based policies governing what each user can access
- Secured Zones — isolated network segments for sensitive data
- Policy Engine — evaluates each request against policies (the rule book)
- Policy Administrator — creates and maintains the policies the Engine enforces
Data Plane Components
Executes the decisions made by the Control Plane:
- Subject / System — the user, device, or application requesting access; must be verified
- Policy Enforcement Point (PEP) — acts on the Policy Engine's decision; grants or denies access
Zero Trust mantra: 'Trust nothing and verify everything'
The exam may quote 'Trust but verify' (Ronald Reagan, old model) vs 'Trust nothing and verify everything' (Zero Trust). The Zero Trust mantra is the correct answer for any question about the Zero Trust philosophy or principle.
Control Plane = defines policy; Data Plane = enforces policy
Control Plane contains the Policy Engine and Policy Administrator — it makes decisions. Data Plane contains the Policy Enforcement Point — it executes decisions. If the exam asks 'where is the allow/deny decision executed?' → Data Plane / Policy Enforcement Point.
Adaptive Identity = continuous verification, not just at login
Traditional systems verify identity once at login. Zero Trust re-verifies continuously using behavior, device health, and location. Exam scenario: 'a system that reassesses user trust throughout a session' → Adaptive Identity.
Threat Scope Reduction = Least Privilege in Zero Trust context
Threat Scope Reduction and Least Privilege are the same principle applied in Zero Trust — limit access to only what is needed. If credentials are compromised, the attacker's reach is limited to that user's scope only.
Zero Trust addresses INTERNAL threats, not just external
A key differentiator from perimeter security: Zero Trust verifies every request regardless of whether it originates inside or outside the network. Insider threats are explicitly part of the threat model.
Gap Analysis
Gap Analysis
A process of evaluating the differences between an organization's current performance/security posture and its desired state. Identifies areas where improvements are needed to bridge the gap.
Technical Gap Analysis
Evaluates an organization's current technical infrastructure and identifies where it falls short of required technical capabilities — e.g. outdated encryption, insufficient network speed for Zero Trust, weak security protocols.
Business Gap Analysis
Evaluates current business processes and identifies where they fall short of required capabilities — e.g. data management processes not suited for cloud, budgeting processes not aligned with new systems.
POA&M — Plan of Action and Milestones
A document that outlines specific measures to address each identified gap or vulnerability, allocates resources, and sets timelines for remediation tasks. The actionable output of a gap analysis — gets the organization from current state to desired state.
Four Steps of a Gap Analysis
The exam may test the correct sequence:
- Step 1 — Define scope: identify which areas will be evaluated and what the desired outcome is
- Step 2 — Gather data: collect information on the current state via surveys, interviews, assessments
- Step 3 — Analyse gaps: compare current state to desired state; identify where performance falls short
- Step 4 — Develop a plan: create specific goals, process changes, and timelines to bridge each gap (POA&M)
Two Types of Gap Analysis
The exam distinguishes between these two types:
- Technical Gap Analysis — focuses on infrastructure, systems, and technical capabilities (encryption standards, network speed, security protocols, IAM models)
- Business Gap Analysis — focuses on processes, workflows, and organizational capabilities (data management, budgeting, forecasting, staffing)
Gap Analysis vs Vulnerability Assessment
These are related but distinct. A vulnerability assessment scans systems for specific technical weaknesses and feeds findings INTO a gap analysis. The gap analysis is the broader strategic process comparing current vs desired state and producing an actionable remediation plan (POA&M).
Gap analysis = current state vs desired state
Any exam scenario describing a comparison between where an organization is now and where it needs to be security-wise → gap analysis. The output is a plan (POA&M), not just a report.
POA&M — know the acronym and its purpose
Plan of Action and Milestones. Created after gaps are identified. Contains: what to fix, who is responsible, resources needed, and deadline for each remediation task. The exam tests both the acronym and when it is produced.
Technical vs Business gap analysis — identify from the scenario
Scenario mentions infrastructure, encryption, protocols, network speed, or technical systems → Technical gap analysis. Scenario mentions processes, workflows, data management, budgeting, or staff capabilities → Business gap analysis.
Gap analysis is an ongoing process, not a one-time event
Organisations run gap analyzes continuously (e.g. weekly vulnerability assessments feeding a rolling POA&M). The exam may describe a recurring review cycle — this is a gap analysis programme, not a single audit.