Technology Tap

Cybersecurity Fundamentals: Unlocking Security+ Chapter 1 Part 2: Controls and Roles

Juan Rodriguez Season 5 Episode 78

professorjrod@gmail.com

Diving into the foundations of cybersecurity certification, Professor JRod delivers an insightful exploration of CompTIA Security+ Chapter 1, revealing why this certification might actually be more approachable than many believe. Unlike many entry-level IT courses, Security+ builds upon concepts from A+ and Network+, creating a natural progression for those following CompTIA's certification path. For career-changers considering jumping straight to Security+, this episode provides valuable perspective on the assumed knowledge and preparation needed.

The heart of this episode focuses on security controls – the safeguards and countermeasures organizations implement to protect their information systems. Professor JRod methodically breaks down the five functional categories: preventive controls that stop incidents before they occur, detective controls that identify security breaches, corrective controls that remediate problems, deterrent controls that discourage inappropriate behavior, and compensating controls that provide alternatives when primary controls aren't feasible. He also highlights the often-overlooked sixth category: directive controls that guide and influence secure behavior through policies and procedures.

Beyond technical concepts, Professor J-Rod emphasizes the organizational structures that support effective security implementation. From the strategic oversight of the CISO to the hands-on work of security engineers and analysts, each role contributes uniquely to the protection of organizational assets. Perhaps most importantly, he stresses that communication skills form the foundation of successful IT security work – a lesson learned early in his career that continues to shape his approach to teaching. The episode concludes with practical application through scenario-based questions that reinforce key concepts, preparing listeners for both certification exams and real-world security challenges.

Looking to boost your cybersecurity knowledge and prepare for Security+ certification? Follow Professor J-Rod on TikTok for visual explanations of these concepts and join us next time as we continue our exploration of CompTIA Security+ with Chapter 2.



Art By Sarah/Desmond
Music by Joakim Karud
Little chacha Productions

Juan Rodriguez can be reached at
TikTok @ProfessorJrod
ProfessorJRod@gmail.com
@Prof_JRod
Instagram ProfessorJRod

Speaker 1:

Welcome to TechnologyTap. I'm Professor J-Rod. In this episode we're going to talk about more Security+, chapter 1. Welcome back.

Speaker 1:

So one of the reasons why I decided to start with Security+ and not with A+ is because I think Security+ is a little bit different from all the other exams. I actually think, out of the trifecta, as far as easy, the order is A+, of course, Security+ I think is second, and Network+ I think is actually harder. I think Security+ is a lot of definitions, and if you know the definitions, you get the answer. Plus, I find it easier because, if you take them in the order, right, if you take A+, Network+ and Security+, by the time you get to Security+ you're going to find that it wasn't as hard as Network+, I believe, because a lot of the information that you get from A+ and Network+ is either already in Security+ or it's assumed that you know it. So those of you who want to take a certification exam for IT and want to jump straight into Security+, I'm telling you, I've only seen one guy do that. It makes it a lot easier if you know your stuff. So if you take A+ and Network+, this exam is a lot easier, rather than coming in from the cold.

Speaker 1:

I used to work for someone. He's actually pretty famous on YouTube and LinkedIn and all that stuff, and I used to teach classes for him, and I would ask him, the people who sign up for Security+, what do I do? Because a lot of them don't seem to know what they're doing. He would say, well, the class, I think, was from 10 to 6, so he goes, at 1 o'clock, talk to them and see if they find it too hard, and then he says, I can always switch them to the A+ class. He was really, really good about that. And sometimes at 1 o'clock I would grab a couple of students and I would say, hey, I think this class is a little bit too hard for you. Why don't you go to the A+ class and start from there? Because a lot of these people, they want to change their careers, right, and they get recommendations. I remember one guy who was like, well, my brother-in-law told me to take this class, but he didn't know anything about computers. And it's like a different language, right. By the time you get to Security+, if you don't know anything about IT, they're not going to teach you about hardware. They're not going to teach you the port numbers. That's not on this exam. You should already know that by the time you're here. That's the assumption that CompTIA makes. So I think it's a lot easier if you've gone through the first two. It makes it a lot easier. And I find this one to be a lot of definitions. So if you know the definitions, you know the answer. All right, so we're doing chapter one, part two. We're going to talk about security control categories.

Speaker 1:

Security controls are safeguards or countermeasures used to reduce risk and protect information systems. They are categorized based on their function, implementation, type and objectives. Control functions: there are five functional categories of security controls. They are preventive, detective, corrective, deterrent and compensating, and as we go down, I'll give you examples of each. Preventive stops an incident from occurring. Detective identifies and alerts when incidents occur. Corrective remediates or restores after an incident. Deterrent discourages attacks through fear or awareness. And compensating is an alternative control when the primary control is not feasible.

Speaker 1:

Control types by implementation: these are how the controls are implemented, administrative, technical and physical. Administrative, sometimes called managerial, is policies, procedures, training and risk assessments. Technical, sometimes known as logical, is enforced by hardware or software. Physical is tangible protections. So, examples of controls by category. Preventive is firewalls, access control, encryption. Detective is IDS, IPS, CCTV, audit logs. Corrective is patch management, backups. Deterrent is security awareness posters and guards. Compensating is manual review when an automated control is missing. And a better example is using MFA when biometrics isn't working. All right, you're compensating.

Speaker 1:

So security functions are grouped by their functional purpose, what they're designed to do within an information security system. So, preventive controls: the goal of preventive controls is to stop security incidents before they happen. So what do we use? We use firewalls, ACLs, security policy, user authentication, encryption, antivirus, physical locks and secure doors. Detective controls: their goal is to identify security incidents when they occur, and they use intrusion detection systems, security information and event management, audit logs and monitoring, surveillance cameras, file integrity monitoring and motion detectors.

Speaker 1:

Corrective controls: the goal is to fix or restore systems after a security incident has happened. Examples: patch management, antivirus quarantine, backup or recovery, incident response procedures, system re-imaging, reboot scripts or automated repairs. Deterrent controls: the goal is to discourage attackers or inappropriate behavior through warning and awareness. Example: warning banners, right, you get those through emails and you get them if you log into somebody else's system. Right, if you log into IRS.gov, you get a warning saying that this is a government website. That's the kind of warning banner they're talking about. Security awareness training, which is important for everybody, surveillance signs when you walk in some place, legal and HR policies, and then visual security measures, guards and cameras. Compensating controls: the goal is to substitute for a primary control that is not feasible or has failed. Examples, like I gave you, multi-factor authentication when biometric login is unavailable, manual review processes in place of automated scanning, network segmentation if encryption is not yet implemented, and jump box use instead of direct administrative access.

Speaker 1:

There is what they call a sixth type of security control that is often overlooked, and it's called directive control. Directive controls are designed to guide, influence or encourage secure behavior. They don't prevent or detect threats directly, but establish expectations and provide direction on how users and systems should behave. They are typically policy-based or behavioral and form the foundation of broader security. The purpose of directive controls is to promote desired security behavior, establish a security mindset across an organization, lay the groundwork for other controls, and they often pair with administrative controls. Examples of directive controls are acceptable use policies, codes of conduct, security training programs, posters and reminders, management directives and standard operating procedures. So directive controls are proactive and behavioral. They rely on policy, awareness and leadership. They help enforce the security culture across organizations.

Speaker 1:

Now we're going to talk about information security roles and responsibilities. In any organization, protecting information assets requires clearly defined roles and responsibilities. These roles help ensure accountability, compliance and effective risk management across technical and non-technical teams. Start off with the chief information security officer. They define the overall security strategy and vision, report to executive leadership, the CIO, CEO or board, oversee risk management, compliance and incident response, and align security with business goals. Next we have the information security manager: manages security staff and day-to-day operations, coordinates incident response and audits, and monitors compliance with whatever standard you're using, right, NIST, HIPAA, FERPA. Security analyst: they analyze logs and alerts, they monitor SIEM and IDS/IPS systems, investigate incidents and support incident response, conduct vulnerability assessments and report findings. Security engineer: they design secure network and system architecture. They configure firewalls, VPN, IDS, IPS and access control. They implement encryption and endpoint protection. They work on the secure development lifecycle.

Speaker 1:

Then you have your system administrator and IT staff: implements technical security controls, patches systems and maintains access control, supports backup and disaster recovery processes, follows security procedures and enforces policies. Next you have your data owner. The data owner determines data classification and access level, approves access requests and data sharing, and ensures compliance with legal and business requirements. Data custodian: maintains and protects data on behalf of the owner, backs up data, applies encryption, maintains logs and ensures data integrity and availability. End user: follows security policies, completes security awareness training, reports suspicious activity or incidents, and uses the system in a responsible and secure manner. And then you have your incident response team: responds to security incidents, performs root cause analysis and containment, coordinates with legal, PR and law enforcement as needed, documents incidents for future prevention and audits. Right, so there you have it. You have your CISO, security manager, security analyst, security engineer, system admin and IT staff, data owner, data custodian, end user and incident response team. System admin and IT staff, they're together, if you're taking notes.

Speaker 1:

Information security competencies refers to the skills, knowledge and abilities required to effectively protect an organization's data, systems and networks. These competencies span technical, managerial and behavioral domains that are essential for building a robust cybersecurity workforce. Core competency domains. One is technical competencies: these involve hands-on skills and technical knowledge to implement and manage security systems. You need to know cryptology, network security, endpoint security, cloud security, identity and access management. Managerial and strategic competencies: these involve planning, oversight, compliance and aligning security with business needs. Skill areas: risk management, policy development, business continuity, vendor risk management. Then you have behavioral, soft competencies. These are essential for teamwork, communication, ethics and leadership in a security role: communication skills, ethical decision making, analytical thinking, continuous learning, collaboration and teamwork, and attention to detail. So these are a lot of the things I try to teach in my classes.

Speaker 1:

I always tell my students that the overall umbrella of IT is communications. Right, it's part of the communication network. IT falls under that umbrella of communications, and you have to learn how to be a good communicator. If you cannot be a good communicator, it's not going to work. And at one of my first real jobs that I got as an adult, my old boss drilled that into me so much that I still carry it to this day. He would just constantly say, oh, you've got to communicate, communicate, communicate. And he would tell me, if you don't understand something, I'd rather explain it to you five times than explain it once, and you walk away, you don't understand, and you do it wrong. So he says, I would never yell at you if I explain something to you and you come back and you say, I didn't understand that, can you explain it again? Because I want you to do it right the first time, and I want you to walk away knowing that you understand what I want you to do. So I always appreciated that from him, probably more now than I did when I worked there. I was a kid, so what did I know? But I appreciate a lot of the stuff that he told me. Unfortunately, he passed, but I still remember him. All right, how do you build these competencies? You take certification exams, labs and simulations, training and boot camps, mentorship and internships, and continuous education.

Speaker 1:

Let's see, key information security responsibilities. Of course, everybody in IT or security has to know at least some level of this: risk assessments, access control, user privileges, auditing logs, et cetera, et cetera. Next, we have information security business units. In a modern organization, InfoSec is not the responsibility of a single team. It spans multiple business units that collaborate to protect systems, data and operations. Each unit plays a unique role in enforcing confidentiality, integrity and availability across the enterprise.

Speaker 1:

First, we're going to talk about information security. They manage all security technologies and policies. They're responsible for risk management, incident response, security operations, vulnerability assessments, penetration testing, security policies and frameworks, and compliance oversight. Next, we have IT and network operations. Their core function is to maintain the network and technology infrastructure, and they're responsible for implementing and managing security controls, patch management, system hardening, and backup and recovery procedures. Then we have compliance, legal and audit. Core function: ensure regulatory and legal adherence. Responsibilities: they interpret laws like HIPAA, GDPR, PCI DSS and SOC. They manage security audits, ensure documentation, and they address data breaches from a legal standpoint.

Speaker 1:

Human resources: core function is to manage the employee life cycle and conduct. Responsibilities: enforce security-related policies, coordinate security training and awareness programs, and handle insider threats and investigations in partnership with InfoSec. Finance: their core function is budgeting and procurement, responsible for funding security tools and personnel, managing vendor risk and financial fraud prevention, and aligning investment with security priorities. Executive leadership, the C-suite or the board: the core function is strategic oversight. Responsibilities are to set the tone for security culture, approve security budgets and frameworks, assess enterprise risk, and support compliance programs. Next is the business continuity team. Core responsibility is to make sure that they do whatever they have to do to keep the business up and running. Responsibilities are to develop and test business continuity and recovery plans, coordinate with IT and InfoSec during outages or incidents, and ensure mission-critical services can be restored quickly. Next is the training and awareness unit. Core function is to foster security culture, and they're responsible for developing user awareness programs, communicating incident procedures and policy changes, and coordinating simulations.

Speaker 1:

And there's a lot of cross-functional collaboration. Right, for incident response, you need the InfoSec team, IT, legal, HR, communications. For risk management, you need InfoSec, executives, compliance and finance. For security culture, you need HR, training, InfoSec and communications. And for vendor risk management, you need procurement, legal and InfoSec. So how they work together: continuous monitoring and detection, secure code development, response to cyber attacks, root cause analysis and recovery. They all work as a team. So this is very important, that you have some kind of strategy or hierarchy to deal with this and break up your stuff into teams. And these are not all IT people, right? HR is not IT. Sometimes compliance is not IT. Obviously, legal is not IT. Finance is not IT, right. It's more than just IT people when you think of these kinds of teams that you're building or putting together, so they don't necessarily have to be IT-centric.

Speaker 1:

All right, now that we've gone through it, let's go over some questions, right? Security control questions. So here's the first one, and I'll put these on TikTok. Some people are visual people, so I'll put it on TikTok. It's at ProfessorJrod, that's P-R-O-F-E-S-S-O-R, J-R-O-D. Look for that on TikTok and you will find me there with the same questions.

Speaker 1:

All right, number one. A company requires all employees to attend annual cybersecurity awareness training. Which type of security controls does this represent? A, technical and preventive. B, administrative and deterrent. C, administrative and preventive. D, physical and detective. I'll give you five seconds to think about it, and the answer is C, administrative and preventive. Right, the administrative side is, again, a company requires all employees to take annual cybersecurity training. So on the administrative side, they plan all that, and it's to prevent people from clicking on stuff that they shouldn't be clicking on, right.

Speaker 1:

Next, preventive versus detective. An IDS, intrusion detection system, is deployed in a data center to monitor and alert on suspicious network traffic. What type of control is this? A, technical and preventive. B, technical and detective. C, administrative and corrective. D, physical and deterrent. I'll give you a couple of seconds to think about it. What do you think the answer is, guys, those of you who are smart out there? The answer is B, technical and detective. Right, that's number two.

Speaker 1:

Number three. After a malware outbreak, an organization uses known clean backups to restore affected systems. This is an example of A, technical and corrective. B, administrative and detective. C, physical and preventive. D, technical and compensating. And the answer is A, technical and corrective. Right, corrective is, you know, you're fixing what's broken, so you're correcting the problem. All right.

Speaker 1:

Next, a legacy application does not support multi-factor authentication. To mitigate the risk, the security team implements strict network segmentation and additional monitoring. This is an example of A, compensating. B, detective. C, preventive. D, deterrent. I'll give you a couple of seconds, and the answer is A, compensating. Right, you're compensating for something with something else. All right. Last one. A company installs mantraps, badge readers and security guards at the data center entrance.

Speaker 1:

These are best described as A, administrative controls. B, physical and preventive controls. C, technical and corrective controls. D, physical and detective controls. I'll give you a couple of seconds to think about it. And the answer is B, physical and preventive controls. Right, they're preventing people from doing stuff that they're not supposed to do, so they don't get themselves in trouble.

Speaker 1:

So they put the mantrap in there, which has been replaced, right. They call mantrap something else now. On-path, that's man-in-the-middle. I forgot, but they changed the word for mantrap, so you may not see it anymore on the CompTIA exam. I don't know, I forgot what it was, but it's not mantrap anymore. On-path, no, on-path is man-in-the-middle, on-path attack. So anyway, I hope you got them right. If you got five out of five, pat yourself on the back. You're almost ready to tackle chapter one. So that's going to do it, guys. For chapter one, we are done, and next time we're going to start on chapter 2. Like I said, I think there are 16 chapters. There are 16 chapters in this series in the slides that I got from Swordmaster, so I kind of just put them together as notes. Yeah, I hope you liked it, and we'll see you next time.