Security controls and countermeasures

Area 2: Security, Confidentiality, and Privacy (35-45%)

Your Progress

0 of 93 questions attempted

Topics

Preventive, detective, and corrective controls
Encryption and authentication
Network security controls

Lessons

Security Controls and Monitoring

Study Frameworks

Access Control Models

Access Control Frameworks

DAC (Discretionary Access Control)

Owner of resource sets permissions

Flexible but less secure

Example: file system permissions set by file owner

MAC (Mandatory Access Control)

System-enforced based on classification labels

Users cannot change access rights

Example: military/government classified systems

RBAC (Role-Based Access Control)

Permissions assigned to roles, users assigned to roles

Supports least privilege and segregation of duties

Most common in enterprise environments

ABAC (Attribute-Based Access Control)

Decisions based on user, resource, and environment attributes

Highly granular and context-aware

Example: allow access only during business hours from corp network

Encryption Method Selection

Is the data at rest (stored)?

Yes

Do you need to query or search individual fields within the encrypted data?

Yes

Column-level / field-level encryption (AES-256) — encrypt sensitive columns individually; allows querying non-encrypted fields

Full-disk or volume encryption (AES-256, BitLocker, LUKS) — encrypts entire storage volume transparently; best for laptops, servers, cloud volumes

Is the communication between two parties who have not previously exchanged keys?

Yes

Asymmetric encryption (RSA/ECC) for key exchange, then symmetric (AES) for session — TLS/HTTPS

Symmetric encryption with pre-shared key — VPN tunnels, internal network communication

Biometric Accuracy — Crossover Error Rate

CER = point where FAR = FRR

False Acceptance Rate (FAR) = % of unauthorized users incorrectly accepted. False Rejection Rate (FRR) = % of authorized users incorrectly rejected. Lower CER indicates a more accurate biometric system.

Encryption Comparison

Feature	Symmetric (AES)	Asymmetric (RSA/ECC)
Keys	Single shared key	Public/private key pair
Speed	Fast — suitable for bulk data	Slow — computationally intensive
Key distribution	Challenge — must securely share key	Easier — public key can be freely distributed
Common algorithms	AES-128, AES-256, 3DES	RSA-2048, RSA-4096, ECC
Primary use	Data at rest, session encryption	Key exchange, digital signatures, authentication
TLS/HTTPS	Session data encryption (after handshake)	Initial key exchange (handshake phase)

Control Types and Functions

Type	Timing	Purpose	Examples
Preventive	Before the event	Stop threats from occurring	Firewalls, access controls, encryption, segregation of duties, input validation
Detective	During/after the event	Identify that a threat has occurred	IDS/IPS, log monitoring, audit trails, reconciliations, SIEM alerts
Corrective	After the event	Remediate the impact of a threat	Backups/restore, patch deployment, incident response, antivirus quarantine
Deterrent	Before the event	Discourage potential threats	Warning banners, security cameras, acceptable use policies, penalties
Compensating	Varies	Substitute when primary control is not feasible	Manual review when automated control fails, additional monitoring

KHAKnowledge (something you know), Have (something you have), Are (something you are)

The three authentication factors. Knowledge = password/PIN. Have = token/smart card/phone. Are = biometrics (fingerprint, retina). MFA requires two or more different factors.

DRMMDAC, RBAC, MAC, (A)BAC

The four access control models from least to most restrictive: Discretionary (owner decides), Role-Based (role determines access), Mandatory (classification labels), Attribute-Based (policies evaluate multiple attributes).

Practice These Topics(93 questions)