Initial Core 2 study project

notes/SEC-1-security-controls.md

@@ -0,0 +1,291 @@
+# SEC-1: Security Controls
+
+Status: not started
+
+Domain:
+- 2.0 Security
+
+Objective alignment:
+- 2.1 Security controls
+
+## What You Need To Know
+
+Security controls reduce risk. Core 2 expects you to match the control to the problem.
+
+Main groups:
+- Physical security controls
+- Physical access controls
+- Logical security controls
+- Authentication and access management
+- Data and device management controls
+
+## Memory Trick
+
+Use **P-L-A-D**:
+
+- **P**hysical: stop bodies, cars, theft, and entry
+- **L**ogical: permissions, trust, and network/software rules
+- **A**uthentication: prove who you are
+- **D**ata/device controls: protect data and managed devices
+
+MFA factors:
+- **Know**: password, PIN
+- **Have**: smart card, key fob, phone, token
+- **Are**: fingerprint, face, retina
+- **Where**: location
+
+## Physical Security Controls
+
+Bollards:
+- Posts/barriers that stop vehicles.
+- Exam clue: prevent cars/trucks from reaching a building.
+
+Access control vestibule:
+- Two-door controlled entry area.
+- One door opens while the other remains locked.
+- Exam clue: prevent tailgating or control one-person-at-a-time entry.
+
+Badge reader:
+- Reads magnetic stripe, RFID, NFC, or similar badge.
+- Exam clue: employee door access or time clock.
+
+Video surveillance/CCTV:
+- Cameras and recording.
+- Exam clue: monitor entrances, review incidents, license plates, faces, motion.
+
+Alarm systems:
+- Door/window/fence circuits, motion detection, duress buttons.
+- Exam clue: alert when perimeter or protected area is breached.
+
+Locks:
+- Conventional key, deadbolt, electronic PIN, token-based, biometric, multifactor.
+
+Equipment locks:
+- Lock racks, cabinets, laptops, or devices.
+
+Guards and access lists:
+- Human verification of ID and visitor access.
+- Often includes visitor log.
+
+Fences and lighting:
+- Fences create perimeter.
+- Lighting deters attackers and improves camera visibility.
+
+Magnetometers:
+- Detect metal objects.
+- Exam clue: weapons screening.
+
+## Physical Access Factors
+
+Key fob:
+- Small RFID/proximity key.
+
+Smart card:
+- Certificate-based card, usually part of MFA.
+
+Mobile digital key:
+- Phone acts as key for building, hotel, car, or office.
+
+Biometrics:
+- Fingerprint, retina, palm, face, or voice.
+- Strong but not easily changed if compromised.
+
+## Logical Security Controls
+
+Least privilege:
+- Users get only the access needed to do their job.
+- Exam clue: reduce damage from mistakes or malware.
+
+Zero Trust:
+- Trust nothing automatically.
+- Verify users, devices, apps, and requests continuously.
+
+ACL:
+- Access Control List.
+- Allows or denies traffic or file access based on rules.
+
+## Authentication and Access
+
+MFA:
+- Multi-factor authentication.
+- Requires two or more different factor types.
+
+OTP:
+- One-time password.
+- Used once for a login/session.
+
+TOTP:
+- Time-based one-time password.
+- Common authenticator app code that changes every 30 seconds.
+
+SMS/voice codes:
+- Codes sent by text or phone call.
+- Better than password only, but weaker than authenticator apps or hardware tokens.
+
+Authentication app:
+- Generates codes or push approvals.
+
+SAML:
+- Security Assertion Markup Language.
+- Standard for authentication/authorization between identity provider and service.
+
+SSO:
+- Single sign-on.
+- Authenticate once and access multiple approved resources.
+
+Just-in-time access:
+- Grants elevated/admin access only temporarily.
+- Exam clue: reduce standing admin privileges.
+
+PAM:
+- Privileged Access Management.
+- Broader system for controlling, vaulting, auditing, and granting privileged access.
+
+## Data and Device Controls
+
+MDM:
+- Mobile Device Management.
+- Centrally manages phones/tablets/laptops, policies, screen lock, apps, wipe, and BYOD controls.
+
+DLP:
+- Data Loss Prevention.
+- Detects/prevents sensitive data from leaving approved locations.
+- Exam clue: block SSNs, credit cards, medical records, or confidential files from being emailed/uploaded.
+
+IAM:
+- Identity and Access Management.
+- Gives the right access to the right identities at the right time.
+
+Directory services:
+- Central database of users, computers, groups, printers, and resources.
+- Windows example: Active Directory.
+
+## Commands To Enter
+
+Windows:
+
+```powershell
+whoami
+```
+
+What it does:
+- Shows the current signed-in user.
+
+```powershell
+whoami /groups
+```
+
+What it does:
+- Shows groups for the current user.
+- Useful for checking whether the user has elevated group membership.
+
+```powershell
+whoami /priv
+```
+
+What it does:
+- Shows privileges assigned to the current user.
+
+```powershell
+net user
+```
+
+What it does:
+- Lists local user accounts.
+
+```powershell
+net localgroup
+```
+
+What it does:
+- Lists local groups.
+
+```powershell
+net localgroup administrators
+```
+
+What it does:
+- Shows members of the local Administrators group.
+- Use this to check for excessive admin access.
+
+Linux:
+
+```bash
+whoami
+```
+
+What it does:
+- Shows current user.
+
+```bash
+id
+```
+
+What it does:
+- Shows user ID, group ID, and group membership.
+
+```bash
+groups
+```
+
+What it does:
+- Shows groups for the current user.
+
+```bash
+sudo -l
+```
+
+What it does:
+- Shows what commands the current user can run with `sudo`, if allowed.
+
+macOS, if available:
+
+```bash
+whoami
+id
+groups
+```
+
+What it does:
+- Shows user and group identity information.
+
+## Mini Lab
+
+Goal:
+- Identify authentication factors and local privilege level.
+
+Windows:
+1. Run `whoami`.
+2. Run `whoami /groups`.
+3. Run `whoami /priv`.
+4. Run `net localgroup administrators`.
+5. Record whether your user appears to have admin rights.
+
+Linux:
+1. Run `whoami`.
+2. Run `id`.
+3. Run `groups`.
+4. Run `sudo -l`.
+5. Record whether your user has sudo/admin rights.
+
+Physical control walk-through:
+1. Pick a building you know.
+2. Identify one physical control, such as lock, camera, guard, badge reader, or lighting.
+3. Identify what risk it reduces.
+4. Identify what it does not protect against.
+
+Scenario practice:
+- A user needs admin access for 30 minutes to patch a server. Which control fits?
+- A company wants to stop credit card numbers from being emailed. Which control fits?
+- A company wants all phones to require PINs and allow remote wipe. Which control fits?
+
+## Quick Check Before Quiz
+
+You are ready for the SEC-1 quiz when you can answer these without looking:
+- What does least privilege mean?
+- What is the difference between SSO and MFA?
+- What does DLP protect against?
+- What does MDM manage?
+- What is just-in-time access?
+- Which physical control stops vehicles?
+