1.5. Reflection Checkpoint
Key Takeaways
Before proceeding to the exam domains, ensure you can:
- Diagnose any security scenario using the CIA Triad — identify which property is at stake
- Assess risk using the Threat × Vulnerability × Impact framework
- Explain why defense in depth requires layered controls across categories and types
- Distinguish between authentication (who are you?) and authorization (what can you do?)
- Articulate why Zero Trust replaces perimeter-based security and name its two planes
- Choose between symmetric and asymmetric encryption for a given scenario
- Differentiate hashing from encryption and explain when each is appropriate
Connecting Forward
In Phase 2, you'll apply these first principles to the first exam domain: General Security Concepts. You'll see the CIA Triad formalized in objective 1.2, the control categories and types detailed in objective 1.1, Zero Trust architecture expanded in objective 1.2, and cryptographic solutions explored in depth in objective 1.4. Every concept you just learned becomes a concrete exam topic.
Self-Check Questions
- A hospital's patient records were modified by an unauthorized user who gained access through a phishing attack. Which CIA property was primarily violated — and which was the attack vector that enabled it?
- Your organization uses a VPN for remote access. Once connected, employees can access all internal resources without additional verification. A consultant's laptop is stolen with saved VPN credentials. Under a Zero Trust model, what additional controls would have limited the damage?
- An e-commerce company needs to encrypt millions of transactions per second while also allowing customers to securely establish connections. Why can't they use only asymmetric encryption for everything? What hybrid approach solves this?
