4.0 - Security Operations
Security operations encompass several key activities to protect computing resources and ensure secure environments. These include establishing secure baselines, hardening systems, and implementing encryption for wireless devices. Asset management ensures accountability for hardware, software, and data, while vulnerability management involves scanning, analysis, and patching. Security alerting and monitoring tools like SIEM provide real-time threat detection, and automation enhances efficiency. Incident response and identity management processes ensure readiness and controlled access, while log data and various data sources aid in investigations and continuous security monitoring.
4.1 - Given a scenario, apply common security techniques to computing resources.
To apply security techniques, establish secure baselines with best practices and standards. Harden systems through updates, patching, and configuration. For wireless devices, use WPA3 and MDM for encryption and policy enforcement. Apply application security through input validation and sandboxing, and perform regular log reviews and audits for continuous protection.
4.2 - Explain the security implications of proper hardware, software, and data asset management.
Asset management involves the acquisition, tracking, assignment, and eventual disposal of an organization's assets, ensuring proper management, accountability, and compliance with data retention and disposal policies.
4.3 - Explain various activities associated with vulnerability management.
Vulnerability management includes scanning, code analysis, and dynamic testing to identify security weaknesses. Threat intelligence gathers data from sources like OSINT and shared services to enhance security. Penetration testing simulates attacks, while vulnerability analysis confirms and prioritizes risks. Remediation involves patching, compensating controls, and validating fixes through rescanning and audits.
4.4 - Explain security alerting and monitoring concepts and tools.
Security alerting and monitoring use tools like SIEM for log aggregation and real-time alerts. SCAP standardizes vulnerabilities, antivirus detects malware, DLP prevents data leaks, and vulnerability scanners identify flaws, ensuring systems meet security benchmarks and policies.
4.5 - Given a scenario, modify enterprise capabilities to enhance security.
Enhance security with firewalls, IDS/IPS, and web filtering. Use Group Policy for OS management and SELinux for Linux. Implement secure protocols like HTTPS, WPA3, and VPNs. Strengthen email security with SPF, DKIM, and DMARC, and use File Integrity Monitoring and Data Loss Prevention to protect sensitive data.
4.6 - Given a scenario, implement and maintain identity and access management.
Implementing and maintaining identity and access management (IAM) involves enforcing authentication and authorization, using access control models like RBAC or ABAC, deploying multifactor authentication (MFA), and applying secure password practices such as password managers and just-in-time permissions to ensure controlled and secure access to resources.
4.7 - Explain the importance of automation and orchestration related to secure operations.
Scripting and automation enhance efficiency by automating tasks such as user provisioning, resource management, and security enforcement. They improve system reliability and scalability but require ongoing maintenance to manage complexity, prevent failures, and avoid accumulating technical debt.
4.8 - Explain appropriate incident response activities.
Incident response includes preparation through policies, detection via alerts, and analysis to assess scope. It involves containment to limit damage, eradication of threats, and recovery of systems. Lessons learned improve future responses, and incident planning uses exercises, root cause analysis, and threat hunting to bolster security readiness.
4.9 - Given a scenario, use data sources to support an investigation.
Log data includes firewall, application, endpoint, OS, IPS/IDS, and network logs, capturing traffic, security events, and system activity. Data sources like vulnerability scans, automated reports, dashboards, and packet captures provide valuable insights for security monitoring, troubleshooting, and forensic analysis.