Essential Security Practices for Computing Resources
🧩 4.1 Security Administration on Computing Resources
🔹 Secure Baselines
Define secure configurations (disable unused ports, enforce strong passwords, patch systems).
Deploy via configuration tools (Group Policy, Ansible, SCCM).
Maintain through regular audits and updates.
🔹 System Hardening
| Target | Key Techniques |
|---|---|
| Workstations/Servers | Disable Telnet/FTP; patch OS/apps; use AV + firewall; limit admin privileges. |
| Mobile Devices | Use MDM, enforce encryption, PIN/biometrics, remote wipe, containerization. |
| Network Devices (Switch/Router) | Change defaults, disable unused ports, use SSH/SNMPv3, update firmware. |
| IoT/Embedded/SCADA | Change default passwords, update firmware, isolate on VLANs, monitor traffic. |
| Cloud | Use IAM roles, encryption, segmentation, logging, MFA for consoles. |
💡 Exam Tip: Expect questions about “first action” in hardening scenarios (answer: disable unused services or apply baseline).
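Added example (not part of these notes): a baseline compliance check that turns the "define, deploy, maintain" steps and the hardening table above into something auditable. The BASELINE values, the HostSnapshot fields and the sample hosts are all constructed for illustration; in practice the snapshot would come from Group Policy, Ansible or SCCM output.

```python
"""Secure-baseline compliance audit over constructed host snapshots."""
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: what a hardened workstation/server must look like.
BASELINE = {
    "forbidden_services": {"telnet", "ftp", "rsh"},   # clear-text / legacy services
    "required_services": {"sshd", "firewalld"},       # SSH management + host firewall
    "min_password_length": 14,
    "max_patch_age_days": 30,
    "max_local_admins": 1,
    "allowed_snmp_versions": {"3"},                   # SNMPv3 only
}


@dataclass
class HostSnapshot:
    hostname: str
    running_services: set
    min_password_length: int
    days_since_last_patch: int
    local_admins: list
    snmp_version: Optional[str] = None   # None = SNMP not enabled at all


@dataclass
class Finding:
    check: str
    detail: str
    remediation: str


def audit_host(host: HostSnapshot, baseline: dict = BASELINE) -> list:
    """Return every deviation from the baseline; an empty list means compliant."""
    findings = []

    extra = host.running_services & baseline["forbidden_services"]
    if extra:
        findings.append(Finding("forbidden_service", f"running: {sorted(extra)}",
                                "disable the service and close its port"))

    missing = baseline["required_services"] - host.running_services
    if missing:
        findings.append(Finding("missing_service", f"not running: {sorted(missing)}",
                                "enable and start the service"))

    if host.min_password_length < baseline["min_password_length"]:
        findings.append(Finding("weak_password_policy",
                                f"minimum length is {host.min_password_length}",
                                f"raise minimum length to {baseline['min_password_length']}"))

    if host.days_since_last_patch > baseline["max_patch_age_days"]:
        findings.append(Finding("patch_overdue",
                                f"{host.days_since_last_patch} days since last patch",
                                "patch in the next maintenance window"))

    if len(host.local_admins) > baseline["max_local_admins"]:
        findings.append(Finding("excess_admins", f"local admins: {host.local_admins}",
                                "remove unneeded members from the local admin group"))

    if host.snmp_version is not None and host.snmp_version not in baseline["allowed_snmp_versions"]:
        findings.append(Finding("insecure_snmp", f"SNMP v{host.snmp_version} enabled",
                                "migrate to SNMPv3 or disable SNMP"))
    return findings


def compliance_report(hosts, baseline: dict = BASELINE) -> dict:
    """Map hostname -> findings, so drift can be compared from one audit to the next."""
    return {h.hostname: audit_host(h, baseline) for h in hosts}


# Constructed snapshots: one compliant host and one that has drifted badly.
SAMPLE_HOSTS = [
    HostSnapshot("ws-01", {"sshd", "firewalld", "cron"}, 16, 12, ["Administrator"]),
    HostSnapshot("srv-legacy", {"telnet", "ftp", "sshd"}, 8, 95,
                 ["Administrator", "svc_backup", "jdoe"], snmp_version="2c"),
]

if __name__ == "__main__":
    for name, findings in compliance_report(SAMPLE_HOSTS).items():
        print(name, "COMPLIANT" if not findings else f"{len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.check}] {f.detail} -> {f.remediation}")
```

Each finding carries the remediation the notes list for that target (disable the service, patch, limit admins, move to SNMPv3), which is the "first action" the exam tip is looking for.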
🧾 4.2 Asset Management and Lifecycle
🔹 Asset Tracking
Maintain inventory of hardware/software (serials, tags, asset IDs).
Use automated discovery tools or SNMP enumeration.
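Added example (not part of these notes): reconciling the asset inventory against what automated discovery actually found. INVENTORY stands in for the CMDB and DISCOVERED for a discovery-tool or SNMP enumeration run; both are constructed, and the buckets (rogue, missing, hostname drift, unowned) are this example's own categories.

```python
"""Asset-inventory reconciliation over constructed CMDB and discovery data."""

# Constructed CMDB records: asset tag, MAC, expected hostname, owner.
INVENTORY = [
    {"asset_id": "A-1001", "mac": "00:1A:2B:3C:4D:01", "hostname": "ws-01", "owner": "jsmith"},
    {"asset_id": "A-1002", "mac": "00:1A:2B:3C:4D:02", "hostname": "ws-02", "owner": "mlee"},
    {"asset_id": "A-1003", "mac": "00:1A:2B:3C:4D:03", "hostname": "srv-db01", "owner": None},
    {"asset_id": "A-1004", "mac": "00:1A:2B:3C:4D:04", "hostname": "ws-04", "owner": "pkim"},
]

# Constructed discovery results: what actually answered on the network.
DISCOVERED = [
    {"ip": "10.0.5.11", "mac": "00:1a:2b:3c:4d:01", "hostname": "ws-01"},
    {"ip": "10.0.5.12", "mac": "00:1a:2b:3c:4d:02", "hostname": "ws-02-reimaged"},
    {"ip": "10.0.1.5",  "mac": "00:1a:2b:3c:4d:03", "hostname": "srv-db01"},
    {"ip": "10.0.5.77", "mac": "dc:a6:32:00:00:99", "hostname": "raspberrypi"},
]


def _norm_mac(mac: str) -> str:
    """Tools disagree on case and separators, so normalise before comparing."""
    return mac.lower().replace("-", ":")


def reconcile(inventory, discovered) -> dict:
    """Compare CMDB to discovery; every bucket is something an asset owner must act on."""
    inv = {_norm_mac(a["mac"]): a for a in inventory}
    seen = {_norm_mac(d["mac"]): d for d in discovered}

    rogue = [d for mac, d in seen.items() if mac not in inv]        # on network, not in CMDB
    missing = [a for mac, a in inv.items() if mac not in seen]      # in CMDB, did not answer
    drift = [(a, seen[mac]) for mac, a in inv.items()
             if mac in seen and a["hostname"] != seen[mac]["hostname"]]
    unowned = [a for a in inventory if not a["owner"]]              # nobody to patch or track it

    return {"rogue": rogue, "missing": missing, "hostname_drift": drift, "unowned": unowned}


def summary(result: dict) -> dict:
    """Counts per bucket, suitable for a dashboard or as audit evidence."""
    return {k: len(v) for k, v in result.items()}


if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERED)
    print(summary(result))
    for d in result["rogue"]:
        print("unknown device:", d["ip"], d["mac"], d["hostname"])
```

Matching on MAC rather than hostname is what exposes the re-imaged workstation as drift instead of counting it as a new device.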
🔹 Lifecycle Phases
Procurement – Evaluate vendor security.
Deployment – Apply secure baseline.
Maintenance – Monitor, patch, track ownership.
Decommissioning – Sanitize → Destroy → Certify.
🔹 Secure Disposal
Clear: Single overwrite.
Purge: Degauss/multiple overwrites.
Destroy: Shred, crush, melt.
💡 Exam Tip: “Company throws away drives without wiping” → Correct answer: data exposure risk.
🔍 4.3 Vulnerability Management
🔹 Identify
Vulnerability Scans: Nessus/OpenVAS.
Authenticated = deeper scan.
Unauthenticated = external view.
Threat Feeds: OSINT, ISACs, proprietary.
Pen Tests: Authorized exploitation (needs signed agreement).
Bug Bounties: Responsible disclosure.
🔹 Analyze
Confirm Findings: False positives/negatives.
Prioritize: Based on CVSS, business impact, exposure factor.
CVE Database for reference.
🔹 Respond
Remediate: Patch, reconfigure, segment, apply compensating controls.
Rescan/Audit to verify fix.
Report to management.
💡 Exam Tip: Always validate findings before patching. “What’s the next step after scan?” → Verify, then prioritize.
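Added example (not part of these notes): the Identify, Analyze and Respond steps carried through in code. Scan findings and asset context are constructed, the finding names are labels rather than real plugin IDs or CVEs, and the weighting of CVSS by criticality and exposure is this example's own assumption, not a standard formula.

```python
"""Vulnerability triage (validate, prioritise) and rescan verification."""

# Constructed asset context: the "business impact" and "exposure" inputs.
ASSETS = {
    "web-01": {"criticality": 3, "internet_exposed": True},
    "db-01":  {"criticality": 3, "internet_exposed": False},
    "ws-07":  {"criticality": 1, "internet_exposed": False},
}

# Constructed scan output. 'confirmed' is None until an analyst validates it,
# True once confirmed, False once judged a false positive.
SCAN_BEFORE = [
    {"host": "web-01", "finding": "outdated-tls-library",    "cvss": 7.5, "confirmed": True},
    {"host": "db-01",  "finding": "unauth-remote-code-exec", "cvss": 9.8, "confirmed": True},
    {"host": "ws-07",  "finding": "missing-os-patch",        "cvss": 8.8, "confirmed": True},
    {"host": "ws-07",  "finding": "weak-cipher-detected",    "cvss": 5.3, "confirmed": None},
]

# Constructed rescan after patching: one finding fixed on db-01, one on ws-07,
# the TLS library still open, and the cipher finding marked a false positive.
SCAN_AFTER = [
    {"host": "web-01", "finding": "outdated-tls-library", "cvss": 7.5, "confirmed": True},
    {"host": "ws-07",  "finding": "weak-cipher-detected", "cvss": 5.3, "confirmed": False},
]


def priority_score(finding: dict, asset: dict) -> float:
    """CVSS base score weighted by criticality (1-3) and exposure (assumed weights)."""
    exposure = 1.5 if asset["internet_exposed"] else 1.0
    return round(finding["cvss"] * asset["criticality"] * exposure, 1)


def triage(findings, assets):
    """Return (confirmed findings ranked by priority, findings still needing validation)."""
    needs_validation = [f for f in findings if f["confirmed"] is None]
    confirmed = [f for f in findings if f["confirmed"] is True]
    ranked = sorted(confirmed, key=lambda f: priority_score(f, assets[f["host"]]), reverse=True)
    return ranked, needs_validation


def verify_remediation(before, after) -> dict:
    """Diff two scans keyed by (host, finding) to prove what the fix actually closed."""
    key = lambda f: (f["host"], f["finding"])
    b = {key(f) for f in before}
    false_pos = {key(f) for f in after if f["confirmed"] is False}
    a_open = {key(f) for f in after if f["confirmed"] is not False}
    return {
        "fixed": sorted(b - a_open - false_pos),
        "false_positive": sorted(b & false_pos),
        "still_open": sorted(b & a_open),
        "new": sorted(a_open - b),
    }


if __name__ == "__main__":
    ranked, pending = triage(SCAN_BEFORE, ASSETS)
    for f in ranked:
        print(f["host"], f["finding"], priority_score(f, ASSETS[f["host"]]))
    print("awaiting validation:", [f["finding"] for f in pending])
    print(verify_remediation(SCAN_BEFORE, SCAN_AFTER))
```

Note that the CVSS 9.8 finding does not come out on top: the internet-facing web server's 7.5 outranks it once exposure is weighed in, which is exactly why the notes say to prioritise on CVSS, business impact and exposure together rather than on CVSS alone.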
📊 4.4 Security Monitoring, Alerting & Analysis
🔹 Core Tools
| Tool | Purpose |
|---|---|
| SIEM | Aggregate & correlate logs (Splunk, QRadar, Sentinel). |
| IDS/IPS | Detect or block malicious traffic. |
| EDR/XDR | Endpoint detection/response (malware, lateral movement). |
| DLP | Prevent data exfiltration. |
| UBA/UEBA | Detect abnormal user behavior. |
| Vulnerability Scanners | Identify missing patches/misconfigurations. |
🔹 Common Data Sources
Firewall, IDS/IPS, OS logs, authentication logs, applications.
Performance anomalies (CPU, memory, bandwidth) may indicate compromise.
NetFlow/SNMP traps show network patterns.
💡 Exam Tip: A sudden midnight data transfer = exfiltration alert.
Know the difference: IDS = detect, IPS = detect + block.
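Added example (not part of these notes): two SIEM-style correlation rules run over constructed log lines, one for the "sudden midnight data transfer" in the exam tip and one for a burst of failed logins followed by a success. The log format, the business-hours window and the byte threshold are assumptions made for this example; IP addresses are from the documentation ranges.

```python
"""Detection logic over constructed flow and authentication log lines."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logs (format invented for this example).
LOG_LINES = """\
2024-05-02T01:58:04Z auth user=jsmith src=198.51.100.7 result=FAIL
2024-05-02T01:58:09Z auth user=jsmith src=198.51.100.7 result=FAIL
2024-05-02T01:58:15Z auth user=jsmith src=198.51.100.7 result=FAIL
2024-05-02T01:58:20Z auth user=jsmith src=198.51.100.7 result=FAIL
2024-05-02T01:58:27Z auth user=jsmith src=198.51.100.7 result=FAIL
2024-05-02T01:58:33Z auth user=jsmith src=198.51.100.7 result=SUCCESS
2024-05-02T02:14:09Z flow src=10.0.5.23 dst=203.0.113.45 bytes=734003200 dport=443
2024-05-02T10:02:11Z flow src=10.0.5.23 dst=10.0.1.5 bytes=120000 dport=445
2024-05-02T11:30:00Z flow src=10.0.5.40 dst=203.0.113.9 bytes=902000000 dport=443
2024-05-02T14:05:00Z auth user=mlee src=10.0.5.12 result=FAIL
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|flow) (?P<rest>.*)$")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
BUSINESS_HOURS = range(8, 18)                    # assumed 08:00-17:59 UTC


def parse_line(line: str) -> dict:
    """Turn one line into an event dict; numeric fields become ints."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
          "kind": m["kind"]}
    for kv in m["rest"].split():
        k, v = kv.split("=", 1)
        ev[k] = int(v) if v.isdigit() else v
    return ev


def detect_large_egress(events, min_bytes=500_000_000) -> list:
    """Large outbound transfers; off-hours ones are rated high, in-hours medium."""
    alerts = []
    for ev in events:
        if ev["kind"] != "flow" or ev["bytes"] < min_bytes:
            continue
        if ipaddress.ip_address(ev["dst"]) in INTERNAL:
            continue   # internal-to-internal is not egress
        off_hours = ev["ts"].hour not in BUSINESS_HOURS
        alerts.append({"type": "large_egress", "src": ev["src"], "dst": ev["dst"],
                       "bytes": ev["bytes"], "severity": "high" if off_hours else "medium"})
    return alerts


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)) -> list:
    """N failed logins per (user, source) inside the window; a success afterwards is worse."""
    fails = defaultdict(list)
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] != "auth":
            continue
        key = (ev["user"], ev["src"])
        recent = [t for t in fails[key] if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
            fails[key] = recent
            if len(recent) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"type": "bruteforce", "user": key[0], "src": key[1],
                               "severity": "medium"})
        elif ev["result"] == "SUCCESS" and len(recent) >= threshold:
            alerts.append({"type": "success_after_bruteforce", "user": key[0], "src": key[1],
                           "severity": "high"})
            fails[key] = []
    return alerts


if __name__ == "__main__":
    events = [parse_line(l) for l in LOG_LINES]
    for a in detect_large_egress(events) + detect_bruteforce(events):
        print(a)
```

The first rule is the exam-tip scenario made concrete: the same 700 MB transfer that would be routine at 11:30 becomes a high-severity alert at 02:14 because the time of day is part of the correlation, not just the byte count.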
🔐 4.5 Identity and Access Management (IAM)
🔹 Authentication
Methods: Passwords, MFA, smartcards, biometrics.
Protocols:
Kerberos – Ticket-based.
LDAP/LDAPS – Directory lookups.
SAML/OAuth2/OIDC – Federation (SSO).
Federation/SSO: Enables cross-platform logins (e.g., Google, Azure AD).

🔹 Access Control Models
| Model | Description |
|---|---|
| DAC | Owner controls access (e.g., Windows). |
| MAC | System-enforced (e.g., military). |
| RBAC | Role-based. |
| ABAC | Attribute-based (contextual). |
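Added example (not part of these notes): RBAC and ABAC decision functions side by side, so the difference in the table above is visible in code. Roles, permissions, policies and attributes are all constructed; the deny-overrides evaluation order is this example's design choice.

```python
"""RBAC (role -> permissions) next to ABAC (policies over attributes)."""
from dataclasses import dataclass
from typing import Callable

# ---- RBAC: permissions attach to roles, roles attach to users (constructed) ----
ROLE_PERMISSIONS = {
    "analyst":   {"ticket:read"},
    "responder": {"ticket:read", "ticket:write"},
    "admin":     {"ticket:read", "ticket:write", "user:disable"},
}
USER_ROLES = {"alice": {"admin"}, "bob": {"analyst"}, "carol": {"analyst", "responder"}}


def rbac_allows(user: str, permission: str) -> bool:
    """Allowed if any of the user's roles grants the permission; unknown users get nothing."""
    perms = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in USER_ROLES.get(user, set())))
    return permission in perms


# ---- ABAC: each policy is a predicate over subject, resource, action, environment ----
@dataclass
class Policy:
    name: str
    effect: str                       # "allow" or "deny"
    applies: Callable[..., bool]      # (subject, resource, action, env) -> bool


POLICIES = [
    Policy("deny-confidential-offsite", "deny",
           lambda s, r, a, e: r["classification"] == "confidential" and not e["on_corp_network"]),
    Policy("deny-outside-hours-write", "deny",
           lambda s, r, a, e: a == "write" and not 8 <= e["hour"] < 18),
    Policy("owner-full-access", "allow",
           lambda s, r, a, e: r["owner"] == s["id"]),
    Policy("same-department-read", "allow",
           lambda s, r, a, e: a == "read" and r["department"] == s["department"]),
]


def abac_allows(subject: dict, resource: dict, action: str, env: dict, policies=POLICIES):
    """Deny-overrides: any matching deny wins, otherwise at least one allow is needed,
    and with no match at all the answer is deny. Returns (decision, policies that decided)."""
    matched = [p for p in policies if p.applies(subject, resource, action, env)]
    denies = [p.name for p in matched if p.effect == "deny"]
    if denies:
        return False, denies
    allows = [p.name for p in matched if p.effect == "allow"]
    return bool(allows), allows


if __name__ == "__main__":
    print("alice user:disable ->", rbac_allows("alice", "user:disable"))
    doc = {"owner": "dave", "classification": "confidential", "department": "finance"}
    dave = {"id": "dave", "department": "finance"}
    print("dave edits own doc from home ->",
          abac_allows(dave, doc, "write", {"on_corp_network": False, "hour": 10}))
```

The contrast to notice: RBAC answers purely from who the user is, while ABAC lets the environment (network location, time of day) and the resource's own attributes change the answer for the very same user.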
🔹 Account & Privilege Management
Least Privilege, Need-to-Know, Separation of Duties.
Privileged Access Management (PAM):
Use vaults, JIT access, ephemeral credentials.
Policies:
Use long passphrases; do not force periodic password changes (per NIST SP 800-63B).
Enforce lockout thresholds.
💡 Exam Tip: If asked “how to protect shared admin credentials” → answer: password vault or PAM.
⚙️ 4.6 Automation and Orchestration
🔹 Why Automate?
Speed, consistency, error reduction, scalability.
🔹 Examples
Automated patching, SOAR actions (auto-isolation/quarantine), auto-revoke user access, CI/CD scans (DevSecOps).
🔹 Benefits
Consistent baselines, faster response, better scaling.
🔹 Risks
Complexity, single point of failure, technical debt, cost.
💡 Exam Tip: Automation improves efficiency but requires human oversight to avoid cascading errors.
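Added example (not part of these notes): a SOAR-style auto-isolation playbook that builds in the human oversight the exam tip calls for. The EDR "isolate" action is a stub that only records what would have happened; the alert fields, the confidence threshold, the protected-host list and the rate limit are all constructed for this example.

```python
"""Auto-isolation playbook with approval gates and a circuit breaker."""
from collections import deque
from datetime import datetime, timedelta, timezone


class IsolationPlaybook:
    """Isolates hosts on high-confidence alerts, but never without limits."""

    def __init__(self, isolate, max_auto=3, window=timedelta(minutes=15), protected=()):
        self.isolate = isolate            # callable(hostname); the EDR action (stubbed here)
        self.max_auto = max_auto          # circuit breaker: auto-isolations allowed per window
        self.window = window
        self.protected = set(protected)   # crown jewels: always require a human
        self.recent = deque()             # timestamps of automatic isolations
        self.approval_queue = []          # alerts waiting for an analyst
        self.audit = []                   # every decision, for the post-incident review

    def _record(self, alert, decision, reason):
        entry = {"host": alert["host"], "decision": decision, "reason": reason}
        self.audit.append(entry)
        return entry

    def _queue(self, alert, reason):
        self.approval_queue.append(alert)
        return self._record(alert, "queued", reason)

    def handle(self, alert: dict, now: datetime) -> dict:
        host = alert["host"]
        if alert["severity"] not in ("high", "critical"):
            return self._record(alert, "ignored", "severity below automation threshold")
        if alert["confidence"] < 0.8:
            return self._queue(alert, "low confidence, analyst must confirm")
        if host in self.protected:
            return self._queue(alert, "protected host, manual approval required")

        # Drop isolations that have aged out of the window, then check the breaker.
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) >= self.max_auto:
            return self._queue(alert, "isolation rate limit hit, possible cascading error")

        self.isolate(host)
        self.recent.append(now)
        return self._record(alert, "isolated", "automatic")


if __name__ == "__main__":
    isolated = []
    pb = IsolationPlaybook(isolate=isolated.append, max_auto=2, protected={"dc-01"})
    t0 = datetime(2024, 5, 2, 2, 0, tzinfo=timezone.utc)
    for i, host in enumerate(["ws-01", "ws-02", "ws-03", "dc-01"]):
        print(pb.handle({"host": host, "severity": "high", "confidence": 0.95},
                        t0 + timedelta(minutes=i)))
    print("isolated:", isolated, "| awaiting approval:", [a["host"] for a in pb.approval_queue])
```

The rate limit is the important part: if a faulty detection rule suddenly fires on every workstation, the playbook isolates the first few and then stops and asks, instead of taking the whole fleet offline.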
🚨 4.7 Incident Response (IR)
🔹 IR Process (6 Steps)
Preparation – Policies, tools, team, communications plan.
Detection/Analysis – Identify incident (SIEM, alerts).
Containment – Isolate affected systems.
Eradication – Remove threat.
Recovery – Restore services.
Lessons Learned – Update playbooks.
🔹 Training & Testing
Tabletop Exercises – Discussion-based.
Simulations – Realistic practice.
💡 Exam Tip: Contain before eradicate (“Stop the bleeding before healing”).
Know “who to call” and escalation paths.
🧾 4.8 Digital Forensics & Investigations
🔹 Evidence Handling
Chain of Custody: Document every handler/time.
Order of Volatility: RAM → Network → Disk → Backups.
Work on copies, never originals.
🔹 Data Sources
Logs (firewall, server, email), memory dumps, disk images, packet captures.
Use to reconstruct attack timelines.
💡 Exam Tip: If chain of custody is broken → evidence inadmissible.
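Added example (not part of these notes): evidence handling in code, covering the order of volatility, working on verified copies, and a chain-of-custody log that records every handler and time. The evidence bytes and handler names are constructed, and the hash-chained log is this example's own design rather than any particular forensic tool's format.

```python
"""Collection planning, copy verification and a tamper-evident custody log."""
import hashlib
import json
from datetime import datetime, timezone

# Order of volatility from the notes: collect the most volatile source first.
VOLATILITY_ORDER = ["ram", "network", "disk", "backups"]


def plan_collection(sources) -> list:
    """Order requested sources most-volatile first; reject anything not in the list."""
    unknown = set(sources) - set(VOLATILITY_ORDER)
    if unknown:
        raise ValueError(f"unknown sources: {sorted(unknown)}")
    return sorted(set(sources), key=VOLATILITY_ORDER.index)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Each entry commits to the previous one, so editing or dropping an entry is detectable."""

    def __init__(self, evidence_id: str, original: bytes, acquired_by: str, when: datetime):
        self.evidence_id = evidence_id
        self.reference_hash = sha256_hex(original)   # taken once, at acquisition
        self.entries = []
        self._append({"action": "acquired", "handler": acquired_by, "time": when.isoformat()})

    def _append(self, fields: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.reference_hash
        entry = dict(fields, evidence_id=self.evidence_id, prev=prev)
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def transfer(self, from_handler: str, to_handler: str, when: datetime, working_copy: bytes) -> bool:
        """Record a hand-off; refuse (and log the refusal) if the copy no longer matches."""
        if sha256_hex(working_copy) != self.reference_hash:
            self._append({"action": "transfer_rejected", "handler": from_handler, "to": to_handler,
                          "time": when.isoformat(), "reason": "hash mismatch"})
            return False
        self._append({"action": "transfer", "handler": from_handler, "to": to_handler,
                      "time": when.isoformat(), "copy_hash": self.reference_hash})
        return True

    def verify(self) -> bool:
        """Recompute the whole chain from the reference hash forward."""
        prev = self.reference_hash
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


if __name__ == "__main__":
    print("collect in this order:", plan_collection(["disk", "ram", "backups", "network"]))
    image = b"constructed disk image bytes"           # stands in for a forensic image
    t = datetime(2024, 5, 2, 3, 0, tzinfo=timezone.utc)
    log = CustodyLog("EV-0001", image, "responder-a", t)
    print("hand-off of intact copy accepted:", log.transfer("responder-a", "analyst-b", t, image))
    print("hand-off of altered copy accepted:", log.transfer("analyst-b", "lab-c", t, image + b"x"))
    print("chain intact:", log.verify())
```

Two things map straight onto the exam tip: the transfer is rejected the moment a working copy stops matching the original's hash, and any later edit to an entry (a handler name, a time) makes verify() fail, which is the "broken chain of custody" that gets evidence thrown out.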
