Security+ SY0-501 Domain 3.1 study cards

Industry-standard frameworks and reference architectures: Regulatory
Click the card to flip 👆
1 / 19
Terms in this set (19)
Industry-standard frameworks and reference architectures: Regulatory
Regulatory frameworks are based on relevant laws and regulations.
Industry-standard frameworks and reference architectures: Non-regulatory
Non-regulatory framework is not required by any law. Instead, it typically identifies common standards and best practices that organizations can follow
Industry-standard frameworks and reference architectures: National vs. international
Some frameworks are used within a single country while others are used internationally
Industry-standard frameworks and reference architectures: Industry-specific frameworks
Some frameworks only apply to certain industries
Benchmarks/secure configuration guides
Benchmarks and secure configuration guides offer guidance for setting up and operating computer systems to a secure level that is understood and documented. The standard for a benchmark is a consensus-based set of knowledge designed to deliver a reasonable set of security across as wide a base as possible.
Benchmarks/secure configuration guides: Platform/vendor-specific guides:
Setting up secure services is important to enterprises, and some of the best guidance comes from the manufacturer form of Platform/vendor-specific guides. these include installation and configuration guidance, and in some cases operational guidance as well.
Benchmarks/secure configuration guides: Platform/vendor-specific guides: Web server
Many different web server are used in enterprises, but the market leaders are Microsoft, Apache, and nginx. By definition, web server offer a connection between users and webpages, and as such they are prone to attacks setting up any external facing application properly is key to prevent unnecessary risk fortunately for these, several authoritative and proscriptive sources of information are available to help administrators properly secure the application.
Benchmarks/secure configuration guides: Platform/vendor-specific guides: Operating system
The operating system is the interface for the applications that we use to perform tasks and the actual physical computer hardware. As such, this is a key component for the secure operation of a system. Comprehensive, pro-scripted configuration guides for all major ones are available from their respective manufacturers, from the Center for Internet security, and from the DoD DISA STIGs program.
Benchmarks/secure configuration guides: Platform/vendor-specific guides: Application server
Application servers are the part of the enterprise that handle specific tasks we associate with IT systems. Whether it is an email server, a database server, a messaging platform, or any other server, these are where the work happens. Proper configuration of these depends to a great degree on the server specifics
Benchmarks/secure configuration guides: Platform/vendor-specific guides: Network infrastructure devices
Network infrastructure devices are the switches, routers, concentrators, firewalls, and other specialty devices that make the network function smoothly. Properly configuring these devices can be challenging but is very important because failures at this level can adversely affect the security of traffic being processed by them. The criticality of these devices makes them targets, for if a firewall fails, in many cases there are no indications until an investigation finds that it failed to do its job. Ensuring these devices are properly configured and maintained is not a job to gloss over, but one that requires professional attention by properly trained personnel, and backed by routine configuration audits to ensure they stay properly configured.
Benchmarks/secure configuration guides: General purpose guidesThe best general purpose guide is the CIS Controls, a common set of 20 security controls. This project began as a consensus project out of the US Department of Defense and has over nearly 20 years more into the de facto standard for selecting an effective set of security controls.Defense-in-depth/layered security: Vendor diversityThe practice of implementing security controls from different vendors to increase securityDefense-in-depth/layered security: Control diversityThe use of different security control types, such as technical controls, administrative controls, and physical controlsDefense-in-depth/layered security: Control diversity: AdministrativeSecurity controls implemented via administrative or management methodsDefense-in-depth/layered security: Control diversity: TechnicalSecurity controls implemented through technologyDefense-in-depth/layered security: User trainingThe best defense in an organization is to implement a strong user training program that instructs users to recognize safe and unsafe computing behaviors. The best form of this has proven to be user-specific training, training that is related to the tasks that individuals use computers to accomplish. That means you need separate training for executives and management. Users who continually have problems should have to do remedial training.Vendor DiversityThe practice of implementing security controls from different vendors to increase securityFrameworkA basic set of ideas used to develop a larger planITILA set of concepts and practices for IT service management