WOLF//SEC
← Domain 1
OBJECTIVE 1.2 Summarize

Summarize fundamental security concepts

This objective covers the conceptual foundations that every other objective builds on. If you don’t internalize these, the rest of the exam is guesswork.

The CIA Triad

Three properties every security program exists to protect:

Confidentiality — Only authorized entities can access data.

  • Encryption (at rest, in transit), access controls, data classification
  • Breach of confidentiality: unauthorized data exposure, exfiltration

Integrity — Data is accurate, complete, and unaltered by unauthorized parties.

  • Hashing, digital signatures, checksums, version control
  • Breach of integrity: data tampering, man-in-the-middle modification, log deletion

Availability — Systems and data are accessible when needed by authorized users.

  • Redundancy, load balancing, backups, DDoSDistributed Denial of Service — Attack overwhelming target from multiple sources mitigation
  • Breach of availability: ransomware, DDoSDistributed Denial of Service — Attack overwhelming target from multiple sources, hardware failure

Exam trap: Questions will describe a scenario and ask which CIAConfidentiality, Integrity, Availability — The three core security properties property is most affected. Ransomware affects availability (you can’t access your data) even though it technically encrypts it. Data exfiltration affects confidentiality. An attacker modifying database records affects integrity.

Non-repudiation

The assurance that someone cannot deny having performed an action. Requires both:

  • Authentication — proving who performed the action
  • Integrity — proving the action/data wasn’t altered after the fact

Implemented through digital signatures (asymmetric cryptography). The signer’s private key creates the signature; anyone with the public key can verify it. The signer cannot deny signing because only they hold the private key.

AAA Framework

Authentication — Proving identity. “Who are you?”

  • Something you know (password, PINPersonal Identification Number — Numeric passcode for authentication)
  • Something you have (smart card, hardware token, phone)
  • Something you are (fingerprint, retina, facial recognition)
  • Somewhere you are (geolocation, IPInternet Protocol — Network layer addressing and routing range)

Authorization — Determining permissions. “What can you do?”

  • After authentication, the system checks what resources the identity can access
  • Implemented via ACLs, RBACRole-Based Access Control — Permissions assigned to roles, users assigned to roles, ABACAttribute-Based Access Control — Access decisions based on attributes (user, resource, environment), group policies

Accounting — Tracking activity. “What did you do?”

  • Audit logs, session logging, SIEMSecurity Information and Event Management — Centralized log collection, correlation, and alerting correlation
  • Essential for forensics, compliance, and non-repudiation

Zero Trust

Core principle: Never trust, always verify. No implicit trust based on network location, device ownership, or previous authentication.

Key tenets:

  • Verify explicitly — Authenticate and authorize every access request based on all available data (identity, device health, location, anomalies)
  • Least privilege accessJITJust-In-Time — Temporary access granted only when needed (Just-In-Time) and JEAJust-Enough-Access — Minimum permissions for the task at hand (Just-Enough-Access) permissions
  • Assume breach — Design every layer as if the attacker is already inside

Control Plane vs. Data Plane:

  • Control plane: Policy engine + policy administrator making access decisions
  • Data plane: Where the actual traffic flows, gated by policy enforcement points

Exam focus: Zero trust is not a product you buy — it’s an architecture model. Expect questions about what constitutes zero trust vs. what doesn’t (VPNVirtual Private Network — Encrypted tunnel over public networks alone is NOT zero trust).

Gap Analysis

Comparing current security posture against a desired state (framework, policy, or baseline) to identify deficiencies.

  • Conduct against frameworks like NISTNational Institute of Standards and Technology — US standards body, publishes CSF and SP 800 series CSFCybersecurity Framework — NIST framework: Identify, Protect, Detect, Respond, Recover, ISOInternational Organization for Standardization — Publishes ISO 27001/27002 security standards 27001, CISCenter for Internet Security — Publishes CIS Controls and Benchmarks Controls
  • Output: prioritized list of gaps with remediation recommendations
  • Feeds directly into risk management and budget decisions

Gap Analysis Process

CompTIA tests the process steps, not just the definition:

  1. Define the desired state: Select a target framework or standard (NISTNational Institute of Standards and Technology — US standards body, publishes CSF and SP 800 series CSFCybersecurity Framework — NIST framework: Identify, Protect, Detect, Respond, Recover, ISOInternational Organization for Standardization — Publishes ISO 27001/27002 security standards 27001, CISCenter for Internet Security — Publishes CIS Controls and Benchmarks Controls, or organizational policy)
  2. Assess current state: Document existing controls, policies, and capabilities through interviews, documentation review, and technical assessment
  3. Identify gaps: Compare current state against desired state. Each gap is a control or capability that exists in the target but not in the organization.
  4. Prioritize gaps: Rank by risk impact, regulatory requirement, and implementation difficulty
  5. Develop remediation plan: For each gap, define the action needed, responsible party, timeline, and estimated cost
  6. Execute and track: Implement remediations and monitor progress. Re-assess periodically.

Exam tip: Gap analysis is a planning tool, not a technical scan. It compares policy/process/control maturity against a standard — it’s not a vulnerability scan.

Physical Security

Often overlooked but heavily tested:

  • Bollards — Posts preventing vehicle-borne attacks on buildings
  • Fencing — Perimeter demarcation; height matters (3ft = demarcation, 6ft = deterrent, 8ft+ = serious barrier)
  • Access control vestibule (mantrap) — Two interlocked doors; prevents tailgating
  • Video surveillance — Detective + deterrent; PTZPan-Tilt-Zoom — Camera type with remote directional and zoom control cameras for active monitoring
  • Security guards — The only control that can make judgment calls in real-time
  • Access badges — Something you have; often combined with PINPersonal Identification Number — Numeric passcode for authentication (two-factor)
  • Lighting — Deterrent control; eliminates hiding spots

Physical Security Depth

Standoff distance: The controlled area between a building’s perimeter and the structure itself. Prevents vehicle-borne IED damage. Bollards, planters, and barriers enforce standoff distance. The further you keep threats from the building, the lower the blast impact.

Environmental controls:

  • HVACHeating, Ventilation, and Air Conditioning — Environmental controls for data centers security: Data center cooling is a critical dependency. Loss of cooling = forced shutdown to prevent hardware damage. HVACHeating, Ventilation, and Air Conditioning — Environmental controls for data centers systems should be monitored and physically secured.
  • Fire suppression: Wet pipe (water — cheap, effective, damages equipment), dry pipe (water held back until activation), clean agent (FM-200, Novec 1230 — safe for electronics, no residue), pre-action (combines dry pipe + detection — two triggers required)
  • Humidity controls: Too low = static discharge risk. Too high = condensation/corrosion. Data centers target 40-60% relative humidity.
  • Temperature monitoring: Continuous monitoring with automated alerting. Hot aisle/cold aisle containment in data centers.

Exit controls:

  • Emergency exit doors with alarms (allow egress, detect/deter unauthorized use)
  • Anti-passback: badge must be used to enter AND exit — prevents lending badges or tailgating
  • Emergency evacuation procedures must not be defeated by security controls (fire code compliance)

Deception and Disruption Technologies

Honeypot — Decoy system designed to attract attackers. Detective control — any interaction with a honeypot is suspicious by definition.

Honeynet — Network of honeypots simulating a realistic environment. More convincing than a single decoy.

Honeyfile — Decoy document (e.g., “passwords.xlsx”) that triggers an alert when accessed. High-confidence indicator of compromise.

Honeytoken — Fake credentials, APIApplication Programming Interface — Interface for software-to-software communication keys, or data records planted in systems. If they appear in authentication logs or exfiltrated data, you know you’ve been breached.

Deception Technology Depth

Honeytoken monitoring:

  • Plant fake credentials in credential stores, code repos, or configuration files
  • Monitor authentication systems for any use of honeytoken credentials — any login attempt is a confirmed IOCIndicator of Compromise — Evidence that a security breach has occurred
  • Plant fake database records (canary rows) — if they appear in data exports or on the dark web, you know exactly which dataset was breached
  • AWS example: Create an IAMIdentity and Access Management — Framework for managing digital identities and permissions access key that’s never used legitimately. If CloudTrail logs any APIApplication Programming Interface — Interface for software-to-software communication call with that key, it’s an attacker.

Honeypot deployment considerations:

  • Low-interaction: Emulates services at a surface level. Easy to deploy, low risk. Captures attacker IPInternet Protocol — Network layer addressing and routing, port scans, basic exploit attempts. Examples: Cowrie (SSHSecure Shell — Port 22. Encrypted remote administration protocol), Dionaea.
  • High-interaction: Full operating system with real or near-real services. More convincing but higher risk (attacker could use it as a pivot). Requires monitoring and containment.
  • Detection evasion by attackers: Sophisticated attackers fingerprint honeypots by checking for unrealistic system profiles (too many open ports, default configurations, lack of legitimate traffic). Effective honeypots must look like real production systems with realistic traffic patterns, appropriate patch levels, and believable data.

Offensive Context

Zero trust exists because perimeter-based security failed. If you assume the attacker is already inside your network — which they probably are — then “trust but verify” is backwards. The attacker’s perspective validates the assume-breach model: once past the perimeter, traditional networks offer minimal resistance to lateral movement. Every zero-trust control (microsegmentation, continuous authentication, device health checks) is a direct response to specific offensive techniques.