Access Control Fundamentals
Access control is the largest SSCP domain.

The IAA sequence (Identification, Authentication, Authorisation): identification asserts an identity (username, badge); authentication proves it (password, OTP, biometric); authorisation grants specific access based on the proven identity.

Access control models: MAC (Mandatory Access Control — security labels assigned by the system, used in government systems; the Bell-LaPadula model enforces the label hierarchy with "no read up, no write down"), DAC (Discretionary Access Control — the resource owner grants permissions; flexible, but allows over-sharing), RBAC (Role-Based — permissions are assigned to roles and users are assigned to roles; most practical for enterprise), ABAC (Attribute-Based — policies evaluate user, resource and environment attributes simultaneously; the most granular).

Authentication factors (used for physical as well as logical access): something you know (PIN), something you have (smart card), something you are (fingerprint). Multi-factor authentication combines at least two different factors.
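The four models above differ in who writes the rule and what the rule looks at. The following Python is an added example, not part of the original notes or any SSCP material: a miniature policy engine per model (MAC with Bell-LaPadula's two properties, DAC with an owner-managed ACL, RBAC with role-to-permission tables, ABAC with a policy over subject, resource and environment attributes). All names, users, roles, labels and the ABAC policy itself are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed example: one small policy engine per SSCP access-control model.

# --- MAC: Bell-LaPadula label hierarchy (no read up, no write down) ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_allowed(subject_label: str, object_label: str, action: str) -> bool:
    """Simple security property (read) and *-property (write) of Bell-LaPadula."""
    s, o = LEVELS[subject_label], LEVELS[object_label]
    if action == "read":
        return s >= o   # no read up: a subject may only read at or below its level
    if action == "write":
        return s <= o   # no write down: a subject may only write at or above its level
    raise ValueError(f"unknown action {action!r}")


# --- DAC: the resource owner decides; one ACL per object (constructed data) ---
ACLS = {"q3_report": {"owner": "alice", "grants": {}}}


def dac_grant(granter: str, obj: str, grantee: str, action: str) -> bool:
    """Only the owner may grant. Nothing stops the owner over-sharing: that is DAC's weakness."""
    acl = ACLS[obj]
    if acl["owner"] != granter:
        return False
    acl["grants"].setdefault(grantee, set()).add(action)
    return True


def dac_allowed(user: str, obj: str, action: str) -> bool:
    acl = ACLS[obj]
    return acl["owner"] == user or action in acl["grants"].get(user, set())


# --- RBAC: permissions hang off roles; users are assigned roles, never permissions ---
ROLE_PERMS = {
    "analyst": {("ticket", "read"), ("ticket", "write")},
    "auditor": {("ticket", "read"), ("audit_log", "read")},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"auditor"}}


def rbac_allowed(user: str, resource_type: str, action: str) -> bool:
    roles = USER_ROLES.get(user, set())   # unknown user -> no roles -> deny
    return any((resource_type, action) in ROLE_PERMS[r] for r in roles)


# --- ABAC: one policy evaluates subject, resource and environment attributes together ---
@dataclass
class Request:
    subject: dict    # e.g. {"department": "finance"}
    action: str      # "read" or "write"
    resource: dict   # e.g. {"department": "finance"}
    env: dict        # e.g. {"mfa": True, "hour": 14, "network": "corp"}


def abac_allowed(req: Request) -> bool:
    """Constructed policy: same-department users may read; writes additionally require
    an MFA-authenticated session from the corporate network during business hours."""
    same_dept = req.subject["department"] == req.resource["department"]
    if req.action == "read":
        return same_dept
    if req.action == "write":
        return (same_dept
                and req.env.get("mfa") is True
                and req.env.get("network") == "corp"
                and 9 <= req.env.get("hour", -1) < 18)
    return False   # default deny for anything the policy does not mention


if __name__ == "__main__":
    print(mac_allowed("secret", "top_secret", "read"))   # False: no read up
    print(rbac_allowed("bob", "ticket", "write"))        # False: auditor role is read-only
    print(abac_allowed(Request({"department": "finance"}, "write",
                               {"department": "finance"},
                               {"mfa": False, "hour": 14, "network": "corp"})))  # False: no MFA
```

Note the shape of each decision: MAC compares two system-assigned labels and the user has no say; DAC consults a table the owner edits; RBAC never mentions the user directly, only their roles; ABAC is the only one whose answer changes with the time of day or the session's MFA state.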
Cryptography Essentials
SSCP expects working knowledge of cryptographic concepts.

Symmetric encryption: a single key for encrypt and decrypt — fast, used for bulk data (AES-128/256); the key distribution problem (how do you securely share the key?).

Asymmetric encryption: the public key encrypts and the private key decrypts (for confidentiality); the private key signs and the public key verifies (for authentication). RSA, ECDSA and Diffie-Hellman are asymmetric algorithms. Hybrid encryption: use asymmetric key exchange to securely share a symmetric session key (TLS does this), then use symmetric encryption for the actual data.

Hash functions: one-way, fixed output, collision-resistant — SHA-256 produces a 256-bit digest. HMAC = hash + secret key for message authentication (proves the data was not tampered with and came from someone holding the key).

Digital signatures: the sender hashes the message and encrypts the hash with their private key; the recipient decrypts with the sender's public key and compares hashes. (This is the textbook RSA description; real signature schemes pad the hash before the private-key operation, and ECDSA does not "encrypt" the hash at all.)
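To make the hash, HMAC and "hash then sign" relations concrete, here is an added Python example (not from the notes or any SSCP source). It uses the standard library for SHA-256 and HMAC, and a toy textbook RSA key built from the classic p=61, q=53 pair so the sign/verify arithmetic is visible; that key, the messages and the shared secret are all constructed, and the toy key is far too small to be secure.

```python
import hashlib
import hmac

# Constructed example: hash, HMAC, and a toy "hash then sign with the private key" signature.


def sha256_hex(data: bytes) -> str:
    """One-way, fixed 256-bit output: any change to the input changes the digest."""
    return hashlib.sha256(data).hexdigest()


def make_mac(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256: integrity plus proof that the sender held the shared key."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify_mac(key: bytes, msg: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so timing does not reveal how much of the tag matched
    return hmac.compare_digest(make_mac(key, msg), tag)


# Toy textbook RSA key (constructed from the classic p=61, q=53 example). It exists only to
# show the sign/verify relation; a real key is 2048+ bits and real schemes pad the hash
# (RSA-PSS, PKCS#1 v1.5) before exponentiation.
P, Q = 61, 53
N = P * Q      # 3233, the modulus shared by public and private key
E = 17         # public exponent
D = 2753       # private exponent: (E * D) % ((P - 1) * (Q - 1)) == 1


def _reduced_hash(msg: bytes, n: int) -> int:
    # Hash first (fixed size regardless of message length), then reduce so it fits the toy modulus.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg: bytes, d: int = D, n: int = N) -> int:
    """Sender: hash the message, apply the private exponent ("encrypt the hash")."""
    return pow(_reduced_hash(msg, n), d, n)


def verify(msg: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """Recipient: apply the public exponent to recover the hash, recompute, compare."""
    return pow(sig, e, n) == _reduced_hash(msg, n)


if __name__ == "__main__":
    key = b"shared-secret-constructed"
    msg = b"transfer 100 to account 42"
    tag = make_mac(key, msg)
    print(verify_mac(key, msg, tag))                              # True
    print(verify_mac(key, b"transfer 900 to account 42", tag))    # False: body tampered
    sig = sign(msg)
    print(verify(msg, sig), verify(b"transfer 900 to account 42", sig))   # True False
```

The HMAC half answers "was it changed, and did it come from a key holder?" but cannot say which key holder, since both sides share the key; the signature half is what gives non-repudiation, because only the private-key owner could have produced a value that the public exponent turns back into the hash.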
Network Security Controls
Network security for SSCP.

Firewalls: packet filter (stateless, examines headers only), stateful inspection (tracks connection state), NGFW (adds DPI, IPS, URL filtering and application identity).

Proxy servers: forward proxy (client-side; inspects outbound requests, caches content), reverse proxy (server-side; load balancing, WAF, SSL/TLS termination).

VPN types: site-to-site (connects two networks — IPSec tunnel mode), remote access (connects individual users — SSL/TLS VPN or IPSec), split tunnelling (some traffic goes through the VPN, some directly to the internet — a security risk because the direct traffic bypasses the VPN's controls).

IDS vs IPS: an IDS detects and alerts but does not block (can be inline or out-of-band); an IPS detects and actively blocks (must be inline). Detection methods: signature-based (known patterns — fast, misses zero-days), anomaly-based (deviations from a baseline — catches novel attacks, high false-positive rate), heuristic (behavioural rules — the middle ground).
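The stateless-versus-stateful distinction is easiest to see on a packet trace. The Python below is an added example, not from the notes or any firewall product: the same constructed four-packet trace is run through a header-only filter and through a filter that keeps a connection table. Both enforce the same intent ("internal hosts may open connections out; the internet may only send replies"), and the trace ends with an unsolicited inbound packet that merely has the ACK bit set. The packet layout, addresses and the flag handling are simplifications constructed for illustration.

```python
from dataclasses import dataclass

# Constructed example: one packet trace through a stateless and a stateful filter.
# Policy for both: internal hosts (10.0.0.0/8) may open connections outbound; the internet
# may only send replies to connections an internal host opened.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")


def stateless_allow(pkt: Packet) -> bool:
    """Packet filter: decides from this packet's headers alone. The only way it can
    approximate "replies only" is the classic ACK-bit rule, which any packet can satisfy."""
    if is_internal(pkt.src):
        return True
    return "ACK" in pkt.flags


class StatefulFilter:
    """Stateful inspection: remembers connections an internal host opened and admits
    inbound packets only if they belong to one of them."""

    def __init__(self) -> None:
        self.flows = set()   # (src, sport, dst, dport) of tracked outbound connections

    def allow(self, pkt: Packet) -> bool:
        if is_internal(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == frozenset({"SYN"}):       # new outbound connection attempt
                self.flows.add(key)
            elif "FIN" in pkt.flags or "RST" in pkt.flags:
                self.flows.discard(key)               # connection closing: stop tracking it
                return True
            return key in self.flows
        # inbound: must be the reverse direction of a flow we tracked
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def run_trace(decide, packets):
    """Apply one decision function to each packet; returns the allow/deny list."""
    return [decide(p) for p in packets]


# Constructed trace: a legitimate HTTPS handshake, then an unsolicited inbound packet
# to port 22 that carries the ACK bit so it "looks like" a reply.
TRACE = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, frozenset({"SYN"})),
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, frozenset({"SYN", "ACK"})),
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, frozenset({"ACK"})),
    Packet("198.51.100.7", 40000, "10.0.0.5", 22, frozenset({"ACK"})),
]

if __name__ == "__main__":
    print(run_trace(stateless_allow, TRACE))           # [True, True, True, True]
    print(run_trace(StatefulFilter().allow, TRACE))    # [True, True, True, False]
```

The last packet is the exam point: the stateless filter has nothing but the header in front of it, so the ACK rule admits it; the stateful filter checks the connection table, finds no outbound flow to 198.51.100.7, and drops it. An NGFW would go further still and identify the application inside the allowed 443 flow.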
Malware and Incident Response
Malware types covered by SSCP: virus (attaches to executable files, replicates when run), worm (self-propagating across networks, no host file needed), Trojan horse (malicious code disguised as legitimate software), rootkit (hides its presence in the OS by modifying system calls), ransomware (encrypts files and demands payment), spyware (covertly monitors activity), keylogger (records keystrokes), botnet (network of compromised machines controlled by a C2 server).

Incident response process: Preparation (policies, tools, training, contact lists), Detection and Identification (SIEM alerts, user reports, anomaly detection), Containment (isolate affected systems — short-term containment first, then long-term), Eradication (remove the malware, patch the vulnerability), Recovery (restore from a clean backup, verify), Lessons Learned (post-incident review within two weeks).

Evidence handling: document the chain of custody, use write blockers for forensic imaging, hash all images to verify integrity.
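The three evidence-handling rules fit together in one workflow: image through a write blocker, hash the image at acquisition, and re-hash on every hand-off while recording who held it. The Python below is an added example, not from the notes or any forensic tool; it uses a read-only memoryview as a software stand-in for a hardware write blocker and a small custody record that re-verifies the image's SHA-256 at each transfer. The evidence ID, handlers, timestamps and disk contents are all constructed.

```python
import hashlib
import hmac

# Constructed example: forensic image integrity and a chain-of-custody record.


def image_hash(data: bytes) -> str:
    """SHA-256 of the whole image; this value goes in the acquisition record."""
    return hashlib.sha256(data).hexdigest()


def write_blocked_view(disk: bytearray) -> memoryview:
    """Software stand-in for a hardware write blocker: reads succeed, writes raise."""
    return memoryview(disk).toreadonly()


def try_write(view: memoryview) -> bool:
    """Returns True only if a write went through (with a write blocker it must not)."""
    try:
        view[0] = 0
        return True
    except TypeError:
        return False


class CustodyRecord:
    """Who handled the evidence, when, and what the image hashed to at each step."""

    def __init__(self, evidence_id: str, image: bytes, handler: str, when: str):
        self.evidence_id = evidence_id
        self.acquisition_hash = image_hash(image)
        self.entries = []
        self.log("acquired", handler, when, self.acquisition_hash)

    def log(self, action: str, handler: str, when: str, digest: str) -> None:
        # `when` is an ISO-8601 timestamp string supplied by the handler's tooling (constructed here)
        self.entries.append({"action": action, "handler": handler, "time": when, "sha256": digest})

    def verify(self, image: bytes, handler: str, when: str) -> bool:
        """Re-hash on every transfer; a mismatch means this copy can no longer be trusted."""
        digest = image_hash(image)
        intact = hmac.compare_digest(digest, self.acquisition_hash)
        self.log("verified" if intact else "INTEGRITY FAILURE", handler, when, digest)
        return intact


if __name__ == "__main__":
    disk = bytearray(b"constructed disk image " * 4)   # stands in for the seized drive
    view = write_blocked_view(disk)
    print(try_write(view))                              # False: the blocker held
    image = bytes(view)                                 # the forensic copy taken through it
    rec = CustodyRecord("EV-001", image, "analyst A", "2024-05-01T09:00:00Z")
    print(rec.verify(image, "analyst B", "2024-05-01T12:00:00Z"))              # True
    print(rec.verify(image[:-1] + b"!", "analyst C", "2024-05-01T15:00:00Z"))  # False
    for e in rec.entries:
        print(e["time"], e["handler"], e["action"], e["sha256"][:16])
```

Two points the code makes explicit: the hash is taken once at acquisition and never "updated", so every later verification is against the original; and a failed verification is itself logged rather than silently discarded, because the gap in the chain is evidence too.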
Risk, Auditing, and Monitoring
SSCP risk domain: risk = threat × vulnerability × impact. Controls reduce either likelihood (preventive) or impact (corrective). Risk responses: accept (document and monitor), avoid (stop the risky activity), mitigate (add controls), transfer (insurance, contracts).

Monitoring and auditing: log management is foundational. Logs must be comprehensive (what happened, who did it, when, from where), protected from modification (write-once media or a SIEM with integrity checking), retained per policy, and reviewed regularly. A SIEM (Security Information and Event Management) aggregates logs, correlates events and generates alerts, reducing analyst workload by surfacing the signal from the noise.

Vulnerability management: scan regularly, prioritise by severity and exploitability, remediate within defined SLAs (critical within 24-72 hours, high within 30 days). Patch management: test patches in non-production first, deploy during maintenance windows, document all changes.
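Two of the log-management requirements above can be shown in a few dozen lines: integrity checking (a hash chain, the mechanism behind write-once log stores) and SIEM-style correlation (several failed logins from one source followed by a success). The Python below is an added example, not from the notes or any SIEM product. The log lines are constructed in a simplified sshd-like format, the regex matches only that format, and the correlation rule's threshold and window are arbitrary illustrative values.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed example: hash chain over log lines, plus one SIEM correlation rule.

# Constructed log lines in a simplified sshd-like format.
LOG_LINES = [
    "2024-05-01T10:00:01 srv1 sshd: Failed password for root from 10.0.0.9",
    "2024-05-01T10:00:05 srv1 sshd: Failed password for root from 10.0.0.9",
    "2024-05-01T10:00:09 srv1 sshd: Failed password for admin from 10.0.0.9",
    "2024-05-01T10:00:14 srv1 sshd: Failed password for admin from 10.0.0.9",
    "2024-05-01T10:00:20 srv1 sshd: Failed password for deploy from 10.0.0.9",
    "2024-05-01T10:00:31 srv1 sshd: Accepted password for deploy from 10.0.0.9",
    "2024-05-01T10:02:00 srv1 sshd: Failed password for alice from 10.0.0.22",
    "2024-05-01T10:02:04 srv1 sshd: Accepted password for alice from 10.0.0.22",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
                     r"password for (?P<user>\S+) from (?P<ip>[\d.]+)$")


def parse(line: str) -> dict:
    """Normalise one line into the what / who / when / from-where fields a SIEM indexes."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def chain(lines) -> list:
    """Each entry carries sha256(previous_hash || line). Editing or deleting any earlier line
    changes every hash after it, which is exactly what a write-once log store checks."""
    prev = "0" * 64
    out = []
    for line in lines:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        out.append((line, prev))
    return out


def verify_chain(entries) -> bool:
    prev = "0" * 64
    for line, stored in entries:
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        if prev != stored:
            return False
    return True


def brute_force_then_success(lines, threshold=5, window=timedelta(minutes=2)) -> list:
    """Correlation rule: at least `threshold` failures from one source IP inside `window`,
    followed by an Accepted login from that IP. Returns one alert per burst."""
    failures = defaultdict(list)   # source IP -> timestamps of recent failures
    alerts = []
    for ev in map(parse, lines):
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"ip": ev["ip"], "user": ev["user"],
                           "failures": len(recent), "at": ev["ts"].isoformat()})
            recent = []   # one burst raises one alert
        failures[ev["ip"]] = recent
    return alerts


if __name__ == "__main__":
    entries = chain(LOG_LINES)
    print(verify_chain(entries))                                   # True
    tampered = entries[:1] + entries[2:]                           # a line quietly removed
    print(verify_chain(tampered))                                  # False
    for alert in brute_force_then_success(LOG_LINES):
        print(alert)   # only 10.0.0.9 qualifies; 10.0.0.22's single typo does not
```

The correlation rule is the "signal from the noise" point in practice: eight lines produce one alert, and the user whose single failed attempt was followed by a success never reaches an analyst. The chain is the integrity point: verification fails on deletion as well as on edits, because the stored hash of every later line was computed over the line that is now missing.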