Essential Security Practices for Computing Resources
🧩 4.1 Security Administration on Computing Resources
🔹 Secure Baselines
Define secure configurations (disable unused ports, enforce strong passwords, patch systems).
Deploy via configuration tools (Group Policy, Ansible, SCCM).
Maintain through regular audits and updates.
🔹 System Hardening
| Target | Key Techniques |
|---|---|
| Workstations/Servers | Disable Telnet/FTP; patch OS/apps; use AV + firewall; limit admin privileges. |
| Mobile Devices | Use MDM, enforce encryption, PIN/biometrics, remote wipe, containerization. |
| Network Devices (Switch/Router) | Change defaults, disable unused ports, use SSH/SNMPv3, update firmware. |
| IoT/Embedded/SCADA | Change default passwords, update firmware, isolate on VLANs, monitor traffic. |
| Cloud | Use IAM roles, encryption, segmentation, logging, MFA for consoles. |
💡 Exam Tip: Expect questions about “first action” in hardening scenarios (answer: disable unused services or apply baseline).
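A baseline audit in code, as an added example (not from these notes): a host snapshot is compared against a defined secure baseline and every deviation (open Telnet/FTP ports, overdue patches, weak password policy, missing protections, excess local admins) is reported. The baseline values and the snapshot are constructed assumptions.

```python
from datetime import date

# Assumed secure baseline (not from the notes): which listening ports are
# allowed, how long a host may go unpatched, password length, required
# protections and a cap on local admin accounts.
BASELINE = {
    "allowed_ports": {22, 443},
    "max_patch_age_days": 30,
    "min_password_length": 14,
    "required_services": {"firewall", "antivirus"},
    "max_local_admins": 2,
}

# Constructed host snapshot, as a configuration tool might report it.
HOST_SNAPSHOT = {
    "hostname": "srv-01",
    "listening_ports": {21, 22, 23, 443},   # 21 = FTP, 23 = Telnet
    "last_patched": "2024-01-01",
    "min_password_length": 8,
    "services": {"firewall"},
    "local_admins": ["alice", "bob", "svc_backup"],
}

def audit(snapshot, baseline, today_iso):
    """Compare one host against the baseline. Returns a list of
    (check, detail) deviations; an empty list means the host is compliant."""
    findings = []
    extra_ports = snapshot["listening_ports"] - baseline["allowed_ports"]
    if extra_ports:
        findings.append(("unused_ports_open", sorted(extra_ports)))
    age = (date.fromisoformat(today_iso) - date.fromisoformat(snapshot["last_patched"])).days
    if age > baseline["max_patch_age_days"]:
        findings.append(("patch_overdue_days", age))
    if snapshot["min_password_length"] < baseline["min_password_length"]:
        findings.append(("weak_password_policy", snapshot["min_password_length"]))
    missing = baseline["required_services"] - snapshot["services"]
    if missing:
        findings.append(("missing_services", sorted(missing)))
    if len(snapshot["local_admins"]) > baseline["max_local_admins"]:
        findings.append(("too_many_local_admins", len(snapshot["local_admins"])))
    return findings

if __name__ == "__main__":
    for check, detail in audit(HOST_SNAPSHOT, BASELINE, "2024-03-01"):
        print(f"{HOST_SNAPSHOT['hostname']}: {check} -> {detail}")
```

Run against each host on a schedule and the findings list becomes the "regular audit" output that shows drift from the baseline.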
🧾 4.2 Asset Management and Lifecycle
🔹 Asset Tracking
Maintain inventory of hardware/software (serials, tags, asset IDs).
Use automated discovery tools or SNMP enumeration.
🔹 Lifecycle Phases
Procurement: Evaluate vendor security.
Deployment: Apply secure baseline.
Maintenance: Monitor, patch, track ownership.
Decommissioning: Sanitize → Destroy → Certify.
🔹 Secure Disposal
Clear: Single overwrite.
Purge: Degauss/multiple overwrites.
Destroy: Shred, crush, melt.
💡 Exam Tip: “Company throws away drives without wiping” → Correct answer: data exposure risk.
4.3 Vulnerability Management
🔹 Identify
Vulnerability Scans: Nessus/OpenVAS.
Authenticated (credentialed) scan = deeper, host-level view.
Unauthenticated scan = external attacker's view.
Threat Feeds: OSINT, ISACs, proprietary.
Pen Tests: Authorized exploitation (needs signed agreement).
Bug Bounties: Responsible disclosure.
🔹 Analyze
Confirm Findings: False positives/negatives.
Prioritize: Based on CVSS, business impact, exposure factor.
CVE Database for reference.
🔹 Respond
Remediate: Patch, reconfigure, segment, apply compensating controls.
Rescan/Audit to verify fix.
Report to management.
💡 Exam Tip: Always validate findings before patching. “What’s the next step after scan?” → Verify, then prioritize.
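The Analyze step worked through in code, as an added example (not from these notes): unconfirmed findings are dropped first (verify), then the rest are ranked by CVSS scaled by business impact and exposure factor (prioritize). The scanner output, CVE placeholders and weighting scheme are constructed assumptions.

```python
# Constructed scanner output; the CVE ids are placeholders, not real entries.
FINDINGS = [
    {"id": "F1", "host": "web-01", "cve": "CVE-XXXX-0001", "cvss": 9.8,
     "confirmed": True, "internet_facing": True, "asset_value": "high"},
    {"id": "F2", "host": "db-01", "cve": "CVE-XXXX-0002", "cvss": 7.5,
     "confirmed": True, "internet_facing": False, "asset_value": "high"},
    {"id": "F3", "host": "kiosk-03", "cve": "CVE-XXXX-0003", "cvss": 9.1,
     "confirmed": False, "internet_facing": True, "asset_value": "low"},
    {"id": "F4", "host": "web-02", "cve": "CVE-XXXX-0004", "cvss": 5.3,
     "confirmed": True, "internet_facing": True, "asset_value": "medium"},
]

# Assumed weights: business impact from asset value, exposure factor from
# whether the host is reachable from the internet.
IMPACT = {"low": 0.3, "medium": 0.6, "high": 1.0}
EXPOSURE = {True: 1.0, False: 0.5}

def risk_score(finding):
    """CVSS base score scaled by business impact and exposure (0-10)."""
    return round(finding["cvss"] * IMPACT[finding["asset_value"]]
                 * EXPOSURE[finding["internet_facing"]], 2)

def prioritize(findings):
    """Verify first: drop unconfirmed findings (possible false positives),
    then order the rest by descending risk score."""
    confirmed = [f for f in findings if f["confirmed"]]
    return sorted(confirmed, key=risk_score, reverse=True)

def remediation_plan(findings):
    """Ranked (id, host, score) tuples handed to the Respond step."""
    return [(f["id"], f["host"], risk_score(f)) for f in prioritize(findings)]

if __name__ == "__main__":
    for rank, (fid, host, score) in enumerate(remediation_plan(FINDINGS), 1):
        print(f"{rank}. {fid} on {host}: risk {score}")
```

Note that F3 has the second-highest raw CVSS but never reaches the plan, which is the point of verifying before prioritizing.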
4.4 Security Monitoring, Alerting & Analysis
🔹 Core Tools
| Tool | Purpose |
|---|---|
| SIEM | Aggregate & correlate logs (Splunk, QRadar, Sentinel). |
| IDS/IPS | Detect or block malicious traffic. |
| EDR/XDR | Endpoint detection/response (malware, lateral movement). |
| DLP | Prevent data exfiltration. |
| UBA/UEBA | Detect abnormal user behavior. |
| Vulnerability Scanners | Identify missing patches/misconfigurations. |
🔹 Common Data Sources
Firewall, IDS/IPS, OS logs, authentication logs, applications.
Performance anomalies (CPU, memory, bandwidth) may indicate compromise.
NetFlow/SNMP traps show network patterns.
💡 Exam Tip: A sudden midnight data transfer = exfiltration alert.
Know the difference: IDS = detect, IPS = detect + block.
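Detection logic for the "sudden midnight transfer" tip, as an added example (not from these notes): NetFlow-style records are parsed, each host's business-hours outbound volume forms its baseline, and any off-hours flow that dwarfs that baseline is raised as an exfiltration candidate. The flow records, off-hours window and spike factor are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed NetFlow-style records: timestamp, source host, destination, bytes out.
FLOWS = [
    "2024-03-01T09:15:00 host=ws-17 dst=203.0.113.10 bytes=120000",
    "2024-03-01T11:40:00 host=ws-17 dst=203.0.113.10 bytes=95000",
    "2024-03-01T14:05:00 host=ws-17 dst=198.51.100.7 bytes=150000",
    "2024-03-01T16:30:00 host=ws-17 dst=203.0.113.10 bytes=110000",
    "2024-03-02T00:12:00 host=ws-17 dst=198.51.100.7 bytes=4800000000",
    "2024-03-01T10:00:00 host=ws-22 dst=203.0.113.10 bytes=200000",
    "2024-03-02T00:30:00 host=ws-22 dst=203.0.113.10 bytes=180000",
]
OFF_HOURS = range(0, 6)   # assumed: 00:00-05:59 local time is "off hours"
SPIKE_FACTOR = 20         # assumed: flow must exceed 20x the host's daytime mean

def parse(line):
    """Turn one record into a dict with a datetime and an int byte count."""
    ts, *kv = line.split()
    rec = dict(p.split("=", 1) for p in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["bytes"] = int(rec["bytes"])
    return rec

def find_exfil_candidates(lines):
    """Return (host, time, dst, bytes) for off-hours flows far above baseline."""
    recs = [parse(l) for l in lines]
    baseline = defaultdict(list)            # per-host business-hours volumes
    for r in recs:
        if r["ts"].hour not in OFF_HOURS:
            baseline[r["host"]].append(r["bytes"])
    alerts = []
    for r in recs:
        if r["ts"].hour not in OFF_HOURS or not baseline[r["host"]]:
            continue                        # daytime flow, or no baseline yet
        mean = sum(baseline[r["host"]]) / len(baseline[r["host"]])
        if r["bytes"] > SPIKE_FACTOR * mean:
            alerts.append((r["host"], r["ts"].isoformat(), r["dst"], r["bytes"]))
    return alerts

if __name__ == "__main__":
    for alert in find_exfil_candidates(FLOWS):
        print("possible exfiltration:", alert)
```

ws-22 also sends data at midnight but at its normal volume, so only ws-17 is flagged: the signal is the combination of timing and size, not timing alone.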
4.5 Identity and Access Management (IAM)
🔹 Authentication
Methods: Passwords, MFA, smartcards, biometrics.
Protocols:
Kerberos: Ticket-based.
LDAP/LDAPS: Directory lookups.
SAML/OAuth2/OIDC: Federation (SSO).
Federation/SSO: Enables cross-platform logins (e.g., Google, Azure AD).
🔹 Access Control Models
| Model | Description |
|---|---|
| DAC | Owner controls access (e.g., Windows). |
| MAC | System-enforced (e.g., military). |
| RBAC | Role-based. |
| ABAC | Attribute-based (contextual). |
🔹 Account & Privilege Management
Least Privilege, Need-to-Know, Separation of Duties.
Privileged Access Management (PAM):
Use vaults, JIT access, ephemeral credentials.
Policies:
Use long passphrases; do not force periodic password changes (per NIST SP 800-63B).
Enforce lockout thresholds.
💡 Exam Tip: If asked “how to protect shared admin credentials” → answer: password vault or PAM.
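The account policies above in code, as an added example (not from these notes): a passphrase check in the NIST SP 800-63B style (length and a compromised-password screen, no composition rules and no expiry) and a lockout tracker that locks an account at a failed-attempt threshold. The length limits, threshold and blocklist are constructed assumptions.

```python
from collections import defaultdict

MIN_LENGTH, MAX_LENGTH = 15, 64     # assumed: require a long passphrase, allow a long one
LOCKOUT_THRESHOLD = 5               # assumed: consecutive failures before lockout
# Constructed stand-in for a list of known-compromised passwords.
COMPROMISED = {"password123", "correct horse battery staple"}

def passphrase_acceptable(secret):
    """Accept on length and breach screening only: no complexity rules,
    and nothing here expires a passphrase on a schedule."""
    if len(secret) < MIN_LENGTH:
        return False, "too short"
    if len(secret) > MAX_LENGTH:
        return False, "too long"
    if secret.lower() in COMPROMISED:
        return False, "found in compromised-password list"
    return True, "ok"

class LockoutTracker:
    """Count consecutive failures per account and lock at the threshold."""
    def __init__(self, threshold=LOCKOUT_THRESHOLD):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.locked = set()

    def record_attempt(self, account, success):
        """Return 'allowed', 'denied' or 'locked' for this attempt."""
        if account in self.locked:
            return "locked"
        if success:
            self.failures[account] = 0      # a success resets the counter
            return "allowed"
        self.failures[account] += 1
        if self.failures[account] >= self.threshold:
            self.locked.add(account)
            return "locked"
        return "denied"

if __name__ == "__main__":
    print(passphrase_acceptable("the quick brown fox jumps over"))
    tracker = LockoutTracker()
    for _ in range(5):
        print(tracker.record_attempt("admin", False))
```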
⚙️ 4.6 Automation and Orchestration
🔹 Why Automate?
Speed, consistency, error reduction, scalability.
🔹 Examples
Automated patching, SOAR actions (auto-isolation/quarantine), auto-revoke user access, CI/CD scans (DevSecOps).
🔹 Benefits
Consistent baselines, faster response, better scaling.
🔹 Risks
Complexity, single point of failure, technical debt, cost.
💡 Exam Tip: Automation improves efficiency but requires human oversight to avoid cascading errors.
🚨 4.7 Incident Response (IR)
🔹 IR Process (6 Steps)
Preparation: Policies, tools, team, communications plan.
Detection/Analysis: Identify incident (SIEM, alerts).
Containment: Isolate affected systems.
Eradication: Remove threat.
Recovery: Restore services.
Lessons Learned: Update playbooks.
🔹 Training & Testing
Tabletop Exercises: Discussion-based.
Simulations: Realistic practice.
💡 Exam Tip: Contain before eradicate (“Stop the bleeding before healing”).
Know โwho to callโ and escalation paths.
🧾 4.8 Digital Forensics & Investigations
🔹 Evidence Handling
Chain of Custody: Document every handler/time.
Order of Volatility: RAM → Network → Disk → Backups.
Work on copies, never originals.
🔹 Data Sources
Logs (firewall, server, email), memory dumps, disk images, packet captures.
Use to reconstruct attack timelines.
💡 Exam Tip: If chain of custody is broken → evidence inadmissible.
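Evidence handling in code, as an added example (not from these notes): the acquired image is hashed once, a working copy is verified against that hash before analysis, and every handoff is logged with handler, time and hash so a broken chain (a hash that no longer matches) is detectable. The "disk image" is a constructed byte string.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image.
ORIGINAL_IMAGE = b"\x00" * 1024 + b"constructed-boot-sector" + b"\xff" * 4096

def sha256(data):
    """Hex SHA-256 digest; the integrity reference for the evidence."""
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Append-only record of who held the evidence, when, and its hash then."""
    def __init__(self, evidence_id, original):
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256(original)   # taken once, at acquisition
        self.entries = []

    def transfer(self, handler, data, when=None):
        """Log a handoff; the hash is recomputed from what the handler received."""
        when = when or datetime.now(timezone.utc)
        self.entries.append({"handler": handler, "time": when.isoformat(),
                             "hash": sha256(data)})

    def broken_links(self):
        """Entries whose hash differs from the acquisition hash (tampering or error)."""
        return [e["handler"] for e in self.entries if e["hash"] != self.acquisition_hash]

    def is_intact(self):
        """Admissible only if at least one handoff is logged and none is broken."""
        return bool(self.entries) and not self.broken_links()

def make_working_copy(original):
    """Analysts work on a copy whose hash is verified against the original."""
    copy = bytes(original)
    if sha256(copy) != sha256(original):
        raise ValueError("working copy does not match original")
    return copy

if __name__ == "__main__":
    log = CustodyLog("EV-001", ORIGINAL_IMAGE)
    log.transfer("acquiring_examiner", ORIGINAL_IMAGE)
    log.transfer("analyst", make_working_copy(ORIGINAL_IMAGE))
    print("chain intact:", log.is_intact())
```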
