COMPTIA Security + (601) 3.0 Implementation

263 Terms

1

SRTP (Secure Real-Time Transport Protocol/Secure RTP)

(3.1 Secure Protocols) Provides encryption, message authentication, and integrity for RTP (Real-time Transport Protocol).

2

S/MIME (Secure/Multipurpose Internet Mail Extensions)

(3.1 Secure Protocols) Uses both asymmetric encryption and symmetric encryption. It can encrypt email at rest (stored on a drive) and in transit (data sent over the network).

3

Secure POP

(3.1 Secure Protocols) Transfers emails from servers down to clients.

4

Secure IMAP

Used to store email on an email server, and it allows users to organize and manage email in folders on the server.

5
SSL/TLS
(3.1 Secure Protocols)
If the mail is browser based, always encrypt with this.
6

HTTPS (HTTP over TLS/SSL/ HTTP Secure)

(3.1 Secure Protocols) Encrypts web traffic to ensure it is secure while in transit.

7

IPSec (Internet Protocol Security)

(3.1 Secure Protocols) Used to encrypt IP traffic. IPsec encapsulates and encrypts IP packet payloads and uses tunnel mode to protect virtual private network (VPN) traffic.

8

FTPS (File Transfer Protocol Secure)

(3.1 Secure Protocols) An extension of FTP (File Transfer Protocol, which uploads and downloads large files to and from an FTP server) that uses SSL or TLS to encrypt FTP traffic. Not the same as SFTP.

9

SFTP (Secure File Transfer Protocol)

(3.1 Secure Protocols) A secure implementation of FTP. It is an extension of Secure Shell (SSH) using SSH to transmit files in an encrypted format.

10

LDAP (Lightweight Directory Access Protocol)

(3.1 Secure Protocols) Specifies the formats and methods used to query directories, such as Microsoft AD DS.

11
LDAPS (LDAP Secure)
(3.1 Secure Protocols)
A non-standard implementation of LDAP over SSL.
12
SASL (Simple Authentication and Security Layer)
(3.1 Secure Protocols)
Provides authentication using many methods, e.g., Kerberos or a client certificate.
13

SSH (Secure Shell)

(3.1 Secure Protocols) Encrypts traffic in transit and can be used to encrypt other protocols such as FTP.

14
DNSSEC (Domain Name System Security Extensions)
Validates DNS responses. Origin authentication. Data integrity.
Done through public key cryptography. DNS records are signed by a trusted third party. Signed DNS records are published in DNS.
15
SNMPv3 (Simple Network Management Protocol version 3)
Provides confidentiality (encrypted data), integrity (no tampering with data), and authentication (verifies the source).
16
DHCP client DoS - Starvation attack
(3.1 Secure Protocols)
Uses spoofed MAC addresses to exhaust the DHCP pool.
17

EDR (Endpoint Detection and Response)

(3.2 Endpoint Protection) Provides continuous monitoring of endpoints.

18

Data Loss Prevention (DLP)

(3.2 Endpoint Protection) Prevents data loss. Can block the use of USB flash drives and control the use of removable media.

19

NGFW (Next Generation Firewall)

(3.2 Endpoint Protection) Performs deep-packet inspection, adding application-level inspection as a core feature. Aware of common application protocols used on the internet, such as FTP and HTTP.

20

host-based firewall

(3.2 Endpoint Protection) Monitors traffic going in and out of a single host, such as a server or workstation. Monitors traffic passing through the NIC and can prevent intrusions into the computer via the NIC.

21

HIDS (host-based intrusion detection system)

(3.2 Endpoint Protection) Protects the individual host, can detect potential attacks, and protects critical operating system files.

22
HIPS (host-based intrusion prevention system)
(3.2 Endpoint Protection)
Recognizes and blocks known attacks. Secures OS and application configs, validates incoming service requests. Often built into endpoint protection software.
23
HIPS identification
(3.2 Endpoint Protection)
- Signatures, heuristics, behavioral
- Buffer overflows, registry updates, writing files to the Windows folder
- Access to non-encrypted data
24

TPM (Trusted Platform Module)

(3.2 Boot Integrity) A hardware chip on the computer’s motherboard that stores cryptographic keys used for encryption.

25

UEFI BIOS Secure Boot

(3.2 Boot Integrity) BIOS includes software that provides a computer with basic instructions for starting. It runs some basic checks, locates the operating system, and boots. UEFI is the successor to BIOS, with enhancements such as booting from larger disks, and is designed to be CPU-independent.

26
Trusted Boot
(3.2 Boot Integrity)
• Bootloader verifies the digital signature of the OS kernel
  - A corrupted kernel will halt the boot process
• The kernel verifies all of the other startup components
  - Boot drivers, startup files
• Just before loading the drivers, ELAM (Early Launch Anti-Malware) starts
  - Checks every driver to see if it's trusted
  - Windows won't load an untrusted driver
27

Measured Boot

(3.2 Boot Integrity) Goes through enough of the boot process to perform these checks without allowing a user to interact with the system.

28

Remote attestation

(3.2 Boot Integrity) The remote system verifies the files are the same and attests, or confirms the system is safe.

29
Tokenization
Replaces sensitive data with a non-sensitive placeholder. For example, SSN 266-12-1112 becomes 691-61-8539.
30

Normalization

Organizing the tables and columns to reduce redundant data and improve overall database performance.

31

Dynamic Code Analysis

Checks the code as it is running.

32

Fuzzing

Uses a computer program to send random data to an application.

33
cookies
Information stored on your computer by the browser. Used for tracking, personalization, and session management. Not executable, and not generally a security risk unless someone gets access to them.
34

code signing

Used to validate the authenticity of executable applications or scripts. Verifies the code has not been modified.

35
Application Hash
Only allows applications with this unique identifier.
36

Certificate

A digital document that typically includes the public key and information on the owner of the certificate.

37
Path
Only run applications in these folders.
38
Network Zone
The apps can only run from this network zone.
39
SAST (Static Application Security Testing)
Helps to identify security flaws.
40

Application Hardening

The practice of making an operating system (OS) or application more secure from its default installation. Helps eliminate vulnerabilities from default configurations, misconfigurations, and weak configurations.

41
registry
The primary configuration database for Windows. Almost everything can be configured from the registry.
42
Disk encryption
(3.2 Application Hardening)
Prevents access to application data files
- File system encryption
43

FDE (Full Disk Encryption)

(3.2 Application Hardening) Encrypts an entire disk.

44

SED (Self Encrypting Drive)

(3.2 Application Hardening) Automatically encrypts and decrypts data on a drive without user intervention.

45

Sandboxing

(3.2 Application Hardening)

Used to test applications within an isolated area specifically created for testing.

46
load balancing
Distributes the load across multiple servers. Invisible to the end-user.
47
Round Robin
Each server is selected in turn.
48
Weighted round robin
Prioritizes server use.
49
Dynamic Round Robin
Monitors the server load and distributes to the server with the lowest use.
50
Network Segmentation
Physical, logical, or virtual segmentation: devices, VLANs, virtual networks.
51
Physical Segmentation
• Devices are physically separate
• Switch A and Switch B
• Must be connected to provide communication
• Direct connect, or another switch or router
• Web servers in one rack
• Database servers on another
• Customer A on one switch, customer B on another
• No opportunity for mixing data
• Separate devices
• Multiple units, separate infrastructure
52

Logical segmentation with VLANs

Segments logical groups of users or computers with a virtual local area network (VLAN).

53

DMZ (demilitarized zone)/Subnet

A buffer zone between the Internet and an internal network. It allows access to services while segmenting access to the internal network.

54

Extranet

Part of a network that can be accessed by authorized entities from outside of the network.

55

Intranet

An internal network. People use this to communicate and share content.

56

East-west traffic

Traffic between devices in the same data center. Relatively fast response times.

57
North-South Traffic
- Ingress/egress to an outside device
- A different security posture than east-west traffic
58
Zero Trust
You trust nothing else on your network, and additional authentication is required.
59

VPN (Virtual Private Network)

Provides remote access to a private network via a public network.

60

Remote VPN

Users connect to internal networks from remote locations.

61

SSL VPN (Secure Socket Layer VPN)

Encrypts VPN traffic using TLS over port 443. Port 443 provides a lot of flexibility for many administrators and rarely requires opening additional firewall ports.

62

HTML5 (HyperText Markup Language 5) VPNs

Allows users to connect to the VPN using their web browser, making it rather simple for users. Uses TLS to encrypt the session, but it can be very resource-intensive.

63

full tunnel

All traffic goes through the encrypted tunnel while the user is connected to the VPN.

64

Split Tunnel

A VPN administrator determines what traffic should use the encrypted tunnel.

65

site-to-site VPN

Two VPN servers that act as gateways for two networks separated geographically. It connects both networks without requiring additional steps on the part of the user.

66

L2TP (Layer 2 Tunneling Protocol)

A tunneling protocol that is also used for VPNs. The most recent version is L2TPv3.

67
Transport Mode
The IP header is put in front.
The data is encrypted, and an IPSec header and IPSec trailer are put around it.
68
Tunnel mode
The IP header and the data are encrypted with IPSec. IPSec headers and trailers are put around those.
69

Authentication Header (AH)

Allows each of the IPsec conversation hosts to authenticate with each other before exchanging data. Provides authentication and integrity.

70

ESP (Encapsulating Security Payload)

Encrypts the data and provides confidentiality. Includes AH, so it provides confidentiality, authentication, and integrity. Uses protocol number 50.

71
Broadcasts
Sends information to everyone at once. One frame or packet, received by everyone. Every device must examine the broadcast.
72
Loop Protection
• Connect two switches to each other
• They'll send traffic back and forth forever
• There's no "counting" mechanism at the MAC layer
• This is an easy way to bring down a network
• And somewhat difficult to troubleshoot
• Relatively easy to resolve
• IEEE standard 802.1D to prevent loops in bridged (switched) networks (1990)
73
Port Fast
Bypasses the listening and learning states.
74
BPDU (Bridge Protocol Data Unit)
The spanning tree protocol message.
75

BPDU Guard

It monitors the ports for any BPDU messages.

76

DHCP snooping

Prevents unauthorized DHCP servers (often called rogue DHCP servers) from operating on a network.

77

MAC filtering

Can restrict access to a wireless network to specific clients.

78
out-of-band management
Allows management outside of normal communications channels (not using network resources).
79

QoS (Quality of Service)

The technologies running on a network that measure and control different traffic types.

80
Physical taps
Disconnect the link and put a tap in the middle. Can be an active or passive tap.
81
port mirror
Port redirection, SPAN (Switched Port ANalyzer). Software-based tap. Limited functionality, but can work well in a pinch.
82
Monitoring services
Constant cybersecurity monitoring. Ongoing security checks. A staff of cybersecurity experts at a Security Operations Center (SOC). Identify threats: a broad range of threats across many different organizations. Respond to events: faster response time. Maintain compliance: someone else ensures PCI DSS and HIPAA compliance.
83

FIM (File Integrity monitoring)

Detects modified system files. Calculates hashes on system files as a baseline, periodically recalculates the hashes on these files, and compares them with the hashes in the baseline. If the hashes differ, the system has been modified.

84

network-based firewall

An advanced firewall that adds capabilities that aren’t available in first-generation or second-generation firewalls.

85

stateless firewall

Blocks traffic using an ACL.

86

stateful firewall

Blocks traffic based on the state of the packet within a session.

87

UTM (Unified Threat Management)/ Web Security Gateway

Combines multiple security controls into a single appliance. Can inspect data streams and often includes URL filtering, malware inspection, and content inspection components.

88

WAF (Web Application Firewall)

Provides strong protection for web servers and protects against several types of attacks, focusing on web application attacks.

89

ACLs (access control lists)

Rules are implemented on a router (and on firewalls) to identify what traffic is denied.

90
Open Source Firewall
Provides traditional firewall functionality.
91
proprietary firewall
Includes application control and high-speed hardware.
92
Purpose-built hardware
Provides efficient and flexible connectivity options.
93
Software-Based Firewall
Can be installed almost anywhere.
94
Virtual Firewalls
Provide valuable east/west network security.
95
Edge Control
Your internet link. Managed primarily through firewall rules. Firewall rules rarely change.
96

Network Access Control (NAC)

Methods to inspect clients for health, such as having up-to-date antivirus software, and can restrict access of unhealthy clients to a remediation network.

97
Persistent agents
• Permanently installed onto a system
• Periodic updates may be required
98

Dissolvable agents

Downloaded and run on the client when the client logs on remotely. Collects the information it needs, identifies the client as healthy or not healthy, and reports the status back to the NAC system.

99

Agentless NAC (Network Access Control)

Scans a client remotely without installing code on the client, either permanently or temporarily.

100
Proxies
• Sits between the users and the external network
• Receives the user requests and sends the request on their behalf (the proxy)
• Useful for caching information, access control, URL filtering, content scanning
• Applications may need to know how to use the proxy (explicit)
• Some proxies are invisible (transparent)