Security+ SY0-501 Domain 3.1 study cards

Industry-standard frameworks and reference architectures: Regulatory
Terms in this set (19)
Benchmarks and secure configuration guides offer guidance for setting up and operating computer systems to a secure level that is understood and documented. The standard for a benchmark is a consensus-based body of knowledge designed to deliver a reasonable level of security across as wide a base of systems as possible.
Many different web servers are used in enterprises, but the market leaders are Microsoft IIS, Apache, and nginx. By definition, web servers offer a connection between users and webpages, and as such they are prone to attack. Setting up any external-facing application properly is key to preventing unnecessary risk. Fortunately, for these servers several authoritative and prescriptive sources of information are available to help administrators properly secure the application.
The operating system is the interface between the applications that we use to perform tasks and the actual physical computer hardware. As such, it is a key component for the secure operation of a system. Comprehensive, prescriptive configuration guides for all major operating systems are available from their respective manufacturers, from the Center for Internet Security (CIS), and from the DoD DISA STIGs program.
Application servers are the part of the enterprise that handles the specific tasks we associate with IT systems. Whether it is an email server, a database server, a messaging platform, or any other server, these are where the work happens. Proper configuration of these depends to a great degree on the specifics of the server.
Network infrastructure devices are the switches, routers, concentrators, firewalls, and other specialty devices that make the network function smoothly. Properly configuring these devices can be challenging but is very important because failures at this level can adversely affect the security of traffic being processed by them. The criticality of these devices makes them targets, for if a firewall fails, in many cases there are no indications until an investigation finds that it failed to do its job. Ensuring these devices are properly configured and maintained is not a job to gloss over, but one that requires professional attention by properly trained personnel, and backed by routine configuration audits to ensure they stay properly configured.
Benchmarks/secure configuration guides: General purpose guides
The best general purpose guide is the CIS Controls, a common set of 20 security controls. This project began as a consensus project out of the US Department of Defense and has, over nearly 20 years, grown into the de facto standard for selecting an effective set of security controls.

Defense-in-depth/layered security: Vendor diversity
The practice of implementing security controls from different vendors to increase security.

Defense-in-depth/layered security: Control diversity
The use of different security control types, such as technical controls, administrative controls, and physical controls.

Defense-in-depth/layered security: Control diversity: Administrative
Security controls implemented via administrative or management methods.

Defense-in-depth/layered security: Control diversity: Technical
Security controls implemented through technology.

Defense-in-depth/layered security: User training
The best defense in an organization is to implement a strong user training program that instructs users to recognize safe and unsafe computing behaviors. The best form of this has proven to be user-specific training, that is, training related to the tasks that individuals use computers to accomplish. That means you need separate training for executives and management. Users who continually have problems should have to do remedial training.

Vendor diversity
The practice of implementing security controls from different vendors to increase security.

Framework
A basic set of ideas used to develop a larger plan.

ITIL
A set of concepts and practices for IT service management.