This section covers Exam Objective 2 of the CompTIA Security+ SY0-701 exam. It focuses on how to design secure systems, networks, and applications from the ground up, ensuring that security is built in rather than bolted on.
🏢 Enterprise Security Architecture
Enterprise Security Architecture aligns security practices with business goals. It involves selecting and implementing frameworks to manage risk and ensure compliance.
- Frameworks: Using standards like NIST CSF, ISO 27001, and SABSA to guide security strategy.
- Defense in Depth: Layering security controls (physical, technical, administrative) to eliminate single points of failure.
- Zero Trust: "Never trust, always verify." Assuming breach and verifying every request as if it originates from an open network.
🌐 Secure Network Design
Designing a network with security in mind prevents unauthorized access and lateral movement. Key concepts include:
- Segmentation: Dividing the network into smaller zones (VLANs, subnets) to contain breaches.
- DMZ (Demilitarized Zone): A buffer zone for public-facing services, separating them from the internal network.
- Load Balancing: Distributing traffic to ensure availability and resilience against DDoS attacks.
- VPNs & Secure Access: Using encrypted tunnels for remote access and site-to-site connectivity.
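To make segmentation and the DMZ concrete, the added example below (not part of the original study guide) audits a firewall rule list against a zone policy and reports every allowed flow that crosses zones in a way the design forbids. The subnets, ports, rules, and the function names `zones_touched` and `audit` are all constructed for illustration.

```python
import ipaddress

# Constructed zone plan and policy (assumptions, not from the page).
ZONES = {
    "dmz": ipaddress.ip_network("10.0.10.0/24"),
    "internal": ipaddress.ip_network("10.0.20.0/24"),
}
# Ports each zone-to-zone flow may use; any flow not listed is forbidden.
POLICY = {
    ("external", "dmz"): {443},        # public reaches public-facing services
    ("dmz", "internal"): {5432},       # web tier to database only
    ("internal", "dmz"): {22, 443},    # administration from inside
    ("internal", "external"): {443},
}
# Constructed firewall rules: (source CIDR, destination CIDR, port, action).
RULES = [
    ("0.0.0.0/0", "10.0.10.5/32", 443, "allow"),
    ("10.0.10.5/32", "10.0.20.8/32", 5432, "allow"),
    ("0.0.0.0/0", "10.0.20.8/32", 3389, "allow"),   # reaches internal directly
    ("10.0.10.0/24", "10.0.0.0/8", 22, "allow"),    # broad range spans zones
    ("0.0.0.0/0", "0.0.0.0/0", 23, "deny"),
]

def zones_touched(cidr):
    """Every zone a CIDR overlaps, plus 'external' if it is not wholly inside one zone."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("external")
    return hit

def audit(rules):
    """Return (rule index, src zone, dst zone, port) for each forbidden flow."""
    findings = []
    for index, (src, dst, port, action) in enumerate(rules):
        if action != "allow":
            continue
        for s in sorted(zones_touched(src)):
            for d in sorted(zones_touched(dst)):
                if s != d and port not in POLICY.get((s, d), set()):
                    findings.append((index, s, d, port))
    return findings

if __name__ == "__main__":
    for index, s, d, port in audit(RULES):
        print(f"rule {index}: {s} -> {d} on port {port} violates the zone policy")
```

Broad rules are expanded into every zone pair they cover, so an "any" source or an oversized destination range is flagged even though it also contains permitted traffic.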
🤖 Embedded Systems Security
Embedded systems and IoT devices are often vulnerable due to limited resources and infrequent updates. Securing them requires specialized approaches.
- IoT & IIoT: Securing smart devices and industrial control systems (SCADA/ICS) from network-based attacks.
- RTOS (Real-Time OS): Protecting systems that require immediate processing, often found in critical infrastructure.
- Constraints: Addressing power, compute, and network limitations that make traditional security agents difficult to deploy.
🛡️ Security Controls
Security controls are the mechanisms used to protect assets. They are categorized by their function and implementation.
By Function
- Preventive: Stop an attack before it happens (e.g., Firewalls).
- Detective: Identify an attack in progress (e.g., IDS).
- Corrective: Fix the issue after an attack (e.g., Patching).
- Deterrent: Discourage attackers (e.g., Warning signs).
By Implementation
- Technical: Hardware/software controls (e.g., Encryption).
- Administrative: Policies and procedures (e.g., Training).
- Physical: Tangible barriers (e.g., Locks, Fences).