Chapter 1 - General Security Concepts
Primary categories of security controls
Technical
Managerial
Operational
Physical
Technical controls
Implemented using systems (operating system controls, firewalls, anti-virus, etc.)
Managerial controls
Administrative measures focused on the management of risk and the oversight of cybersecurity systems (e.g. admin controls, security policies, standard operating procedures)
Operational controls
Implemented by people (security guards, awareness programs), focused on day-to-day procedures
Physical controls
Limit physical access (locks, badge readers, fences, etc.)
Preventive controls
Designed to stop security incidents before they occur by limiting access to resources or preventing unauthorized actions (e.g. firewalls)
Corrective controls
Restore systems after an incident has already occurred (e.g. restoring from backup, re-imaging a compromised host)
Compensating controls
Control using other means, prevents exploitation of a weakness rather than directly addressing the weakness (block instead of patch, separation of duties, backup power generator)
Directive controls
Directing someone toward security compliance (sign: authorized personnel only)
CIA Triad
Fundamental principles of security
Confidentiality: prevent disclosure of info to unauthorized people/systems (e.g. encryption)
Integrity: data cannot be modified without detection, stored/transferred as intended (e.g. hashes, digital signatures)
Availability: systems/networks continue to run as intended (e.g. redundancy, fault tolerance)
Non-repudiation
Inability to deny what has been said, like signing a contract
Acceptable Use Policy (AUP)
Set of rules and guidelines that define acceptable and unacceptable behaviors when using an organization’s computer systems, networks, and digital resources
AAA
Authentication: requires proof of identity (e.g. password)
Authorization: determines level of access
Accounting: tracking resource usage by account
Solutions for AAA functionality
TACACS+: Cisco-developed AAA protocol over TCP port 49; encrypts the entire packet body and separates authentication, authorization, and accounting, so it is common for administering network devices
RADIUS: open-standard AAA protocol over UDP (1812 for authentication, 1813 for accounting); encrypts only the password field and combines authentication with authorization, common for network access such as Wi-Fi 802.1X and VPNs
Security Assertion Markup Language (SAML)
Uses XML to exchange data for both authentication and authorization for SSO between identity providers (IdP) and service providers (SP), commonly used in enterprise environments and legacy systems
Digital certificate
Digital document that verifies the identity of an individual, device, service, or organization in online communications
Symmetric vs asymmetric encryption
Symmetric (secret-key): uses a single shared secret key for both encryption and decryption
Asymmetric (public key): uses a public key and a private key
Public vs private key
Public key: shared openly with everyone; used to encrypt data for the owner and to verify the owner’s digital signatures
Private key: kept strictly secret by its owner; used to decrypt and to create digital signatures
Public key infrastructure (PKI)
Hierarchical framework for the creation, management, storage, distribution, and revocation of digital certificates
Simple Certificate Enrollment Protocol (SCEP)
Automates the issuance and management of certificates within a PKI environment
Online Certificate Status Protocol (OCSP)
Verifies the revocation status of digital certificates in real time
Certificate Authority (CA)
Trusted entity that issues digital certificates binding a public key to an identity. A device generates a key pair and submits a certificate signing request; the CA verifies the requester, signs the certificate, and the certificate is installed on the device. Relying parties then trust the certificate because they can validate the CA’s signature chain up to a trusted root
Certificate Revocation List (CRL)
A list of revoked certificates maintained by a CA
Gap analysis
Comparing current to desired security position, done by evaluating current systems and weaknesses and creating a path towards baseline
Zero Trust
No assumed trust, continually verifies access for every person/process/device through security checks. Split into control and data planes
Control plane
Centralized decision-making component responsible for:
Authentication
Policy evaluation
Identity verification
Data plane
Distributed execution component responsible for transmitting app traffic, includes:
Implicit trust zones
Subject/system
Policy Enforcement Point
Network Access Control (NAC)
Defines and enforces network access policies to restrict unauthorized users and devices from accessing a corporate or private network
Adaptive identity
Adjusts the level of authentication and privilege dynamically based on context such as the request’s source location, device posture, and behaviour
Threat scope reduction
Decreasing potential entry points to a system
Types of access control
Discretionary (DAC): owner of a resource determines who can access it
Mandatory (MAC): the system assigns security labels (e.g. Confidential, Secret) to resources and clearances to users and grants access by comparing them; neither resource owners nor users can change the rules
Role-based (RBAC): permissions are based on a user’s role within an organization
Rule-based (RuBAC): access is determined by predefined rules based on conditions such as time, location, or device type
Attribute-based (ABAC): considers user attributes (e.g. job title, department, location), resource attributes (e.g. sensitivity level), and environmental conditions (e.g. time of day, network location); the most granular and flexible of the models
Policy-based (PBAC): uses dynamic policies to manage access
Peer-to-peer (P2P)
Decentralized network where participants interact directly without relying on a central server or intermediary
Point-to-point Protocol (PPP)
Link layer communication protocol used to establish direct connections between two networking nodes over serial cables, phone lines, or fiber optics
Point-to-point Tunneling Protocol (PPTP)
Obsolete VPN network protocol that encapsulates PPP frames within IP packets
Password Authentication Protocol (PAP)
Two-way handshake authentication method used primarily within PPP to validate users by transmitting usernames and passwords in plaintext
Security zones
Delineates where you are coming from and where you are going in a network (e.g. untrusted network → trusted network), as well as which zones can access other zones
Policy Enforcement Point (PEP)
Acts as a gatekeeper for resources by intercepting, monitoring, and/or terminating access requests
Policy engine
Evaluates decisions based on policies (e.g. grant, deny, revoke)
Policy admin
Policy administrator: establishes or tears down the communication path between subject and resource based on the policy engine’s decision, and pushes that decision to the PEP
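The access control models listed above (DAC, MAC, RBAC, RuBAC, ABAC) and the Zero Trust policy engine / policy enforcement point split are easiest to see in code. The following is an added example, not part of these notes: a small policy engine that evaluates one policy per model over subject, resource, and environment attributes (deny overrides permit, default deny), with a PEP that consults it before running the request. The sample users, resources, and policy conditions are constructed for the example.

```python
"""Attribute-based policy engine with a policy enforcement point in front of it."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import time
from typing import Callable


@dataclass
class Request:
    subject: dict      # who is asking: user, roles, clearance
    resource: dict     # what is asked for: id, type, owner, sensitivity
    action: str        # read / write
    environment: dict  # context: time of day, device posture, network


@dataclass
class Policy:
    name: str
    effect: str  # "permit" or "deny"
    condition: Callable[[Request], bool]


class PolicyEngine:
    """Evaluates every policy against the request. Any matching deny wins,
    otherwise any matching permit, otherwise default deny."""

    def __init__(self, policies: list[Policy]):
        self.policies = list(policies)

    def decide(self, req: Request) -> tuple[str, list[str]]:
        matched = [p for p in self.policies if p.condition(req)]
        for effect in ("deny", "permit"):
            names = [p.name for p in matched if p.effect == effect]
            if names:
                return effect, names
        return "deny", ["default-deny"]


class PolicyEnforcementPoint:
    """Gatekeeper: asks the engine, records the decision, and only then runs the handler."""

    def __init__(self, engine: PolicyEngine):
        self.engine = engine
        self.audit: list[tuple] = []

    def access(self, req: Request, handler: Callable[[Request], object]):
        decision, reasons = self.engine.decide(req)
        self.audit.append((req.subject.get("user"), req.resource.get("id"), req.action, decision, reasons))
        if decision != "permit":
            raise PermissionError(f"{req.action} on {req.resource.get('id')} denied by {', '.join(reasons)}")
        return handler(req)


BUSINESS_HOURS = (time(9, 0), time(17, 0))

# One policy per access-control model from the notes (illustrative conditions).
POLICIES = [
    # DAC: the resource owner decides; here the owner always has access.
    Policy("dac-owner", "permit", lambda r: r.subject.get("user") == r.resource.get("owner")),
    # RBAC: members of the finance role may read ledgers.
    Policy("rbac-finance-read", "permit",
           lambda r: "finance" in r.subject.get("roles", set())
           and r.resource.get("type") == "ledger" and r.action == "read"),
    # MAC: labels are compared by the system; insufficient clearance is a hard deny.
    Policy("mac-clearance", "deny",
           lambda r: r.subject.get("clearance", 0) < r.resource.get("sensitivity", 0)),
    # RuBAC: writes are only allowed during business hours.
    Policy("rubac-hours", "deny",
           lambda r: r.action == "write"
           and not (BUSINESS_HOURS[0] <= r.environment.get("time", time(0, 0)) < BUSINESS_HOURS[1])),
    # ABAC / adaptive identity: sensitive data needs a compliant device on the corporate network.
    Policy("abac-device-posture", "deny",
           lambda r: r.resource.get("sensitivity", 0) >= 2
           and not (r.environment.get("device_compliant") and r.environment.get("network") == "corp")),
]


def make_pep() -> PolicyEnforcementPoint:
    return PolicyEnforcementPoint(PolicyEngine(POLICIES))


def try_access(pep: PolicyEnforcementPoint, req: Request) -> str:
    """Return the decision as a string instead of raising, for demonstration."""
    try:
        pep.access(req, lambda r: f"{r.resource['id']}: contents")
        return "permit"
    except PermissionError:
        return "deny"


# Constructed sample subjects, resources, and environments.
LEDGER = {"id": "q3-ledger", "type": "ledger", "owner": "bob", "sensitivity": 2}
NOTES = {"id": "bob-notes", "type": "doc", "owner": "bob", "sensitivity": 1}
ALICE = {"user": "alice", "roles": {"finance"}, "clearance": 2}
BOB = {"user": "bob", "roles": set(), "clearance": 1}
OFFICE = {"time": time(14, 0), "device_compliant": True, "network": "corp"}
CAFE = {"time": time(14, 0), "device_compliant": False, "network": "public"}
LATE = {"time": time(20, 0), "device_compliant": True, "network": "corp"}

if __name__ == "__main__":
    pep = make_pep()
    print(try_access(pep, Request(ALICE, LEDGER, "read", OFFICE)))  # permit (RBAC)
    print(try_access(pep, Request(ALICE, LEDGER, "read", CAFE)))    # deny (ABAC posture)
    print(try_access(pep, Request(BOB, LEDGER, "read", OFFICE)))    # deny (MAC overrides DAC)
    for entry in pep.audit:
        print(entry)
```

The audit list is the accounting half of AAA: every decision, permitted or not, is recorded with the reasons, which is what a SIEM would ingest from a real PEP.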
Group Policy Objects (GPO)
Windows feature used for centrally managing and enforcing policies and settings for users and computers in a network
Access control vestibule
Room that you must pass through to access the rest of the building
Honeypots
Decoy systems that lure attackers into a fake target so their tools and techniques can be observed while defenders gain time to respond
Honeynets
Made up of multiple honeypots
Honeyfiles
Files with fake info, sends an alert when they are accessed
Honeytokens
Traceable fake data that can be monitored for suspicious activity (e.g. API creds, fake email addresses, browser cookies)
Change management
Defines how to make changes with software, patching applications, and/or firewall settings. Requires clear policies on change frequency, duration, and rollback procedures
Backout plan
Method of reverting changes through system backups
Standard operating procedure (SOP)
An organization’s instructions for performing specific tasks or responding to incidents consistently and efficiently
PBKDF2
Password-Based Key Derivation Function 2: turns a password into a cryptographic key by applying a salt and a large, configurable number of HMAC iterations (key stretching), making brute-force attacks costly
Key Distribution Center (KDC)
Centralized server that is used to distribute cryptographic keys and authenticate users and services within a network
Key escrow
Process of storing private encryption keys with a trusted third-party, useful if keys are lost or for managing data access
Recovery Agent (RA)
A trusted third party (an individual, entity, or system) who is authorized to assist in the retrieval of encryption keys and data on behalf of the data owner
Electronic Code Book (ECB)
Simplest mode of operation for block ciphers: each fixed-size block is encrypted independently with the same key, so identical plaintext blocks produce identical ciphertext blocks and patterns in the data leak; not recommended
Counter Mode (CTM, also written CTR)
Block cipher mode that encrypts a nonce combined with an incrementing counter to generate a keystream which is XORed with the data, turning the block cipher into a stream cipher; parallelizable, but a nonce must never be reused under the same key
Galois/Counter Mode (GCM)
Authenticated encryption (AEAD) mode that combines CTM encryption with a GHASH-based authentication tag, providing both confidentiality and integrity; used by TLS and IPsec
Cipher Feedback (CFB)
Block cipher mode that transforms a block cipher into a stream cipher, thus enabling the encryption of individual bits or bytes of data
Cipher Block Chaining (CBC)
Block cipher mode where each plaintext block is XORed with the previous ciphertext block before encryption (an IV for the first block), so identical plaintext blocks no longer repeat; encryption is sequential and the mode provides no integrity on its own
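To make the differences between ECB, CBC, and counter mode concrete, here is an added example (not part of these notes) that implements the three modes on top of a toy 64-bit Feistel block cipher built from HMAC-SHA256. The toy cipher is an assumption standing in for DES/AES and is not secure; the modes themselves are implemented exactly as described above, so the ECB pattern leak, the CBC chaining, and the CTR keystream reuse can all be observed on constructed input.

```python
"""Block cipher modes of operation on a toy 64-bit Feistel cipher (not secure; stands in for AES)."""
from __future__ import annotations

import hashlib
import hmac

BLOCK = 8       # toy block size in bytes (DES-sized); AES uses 16
ROUNDS = 4


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed PRF for one Feistel round; HMAC is just a convenient stand-in.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Toy block cipher: a 4-round Feistel network, so decryption is the rounds in reverse."""
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        left, right = right, xor_bytes(left, round_fn(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        left, right = xor_bytes(right, round_fn(key, rnd, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK           # PKCS#7 padding, always at least one byte
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[: -data[-1]]


def blocks(data: bytes) -> list[bytes]:
    return [data[i : i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # Each block encrypted independently: equal plaintext blocks -> equal ciphertext blocks.
    return b"".join(encrypt_block(key, b) for b in blocks(pad(pt)))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return unpad(b"".join(decrypt_block(key, b) for b in blocks(ct)))


def cbc_encrypt(key: bytes, pt: bytes, iv: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block (the IV for the first).
    out, prev = [], iv
    for b in blocks(pad(pt)):
        prev = encrypt_block(key, xor_bytes(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, ct: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for c in blocks(ct):
        out.append(xor_bytes(decrypt_block(key, c), prev))
        prev = c
    return unpad(b"".join(out))


def ctr_crypt(key: bytes, data: bytes, nonce: bytes) -> bytes:
    # Keystream = E(nonce || counter); XOR makes encryption and decryption the same operation.
    out = bytearray()
    for counter, chunk in enumerate(blocks(data)):
        keystream = encrypt_block(key, nonce + counter.to_bytes(BLOCK - len(nonce), "big"))
        out += xor_bytes(chunk, keystream[: len(chunk)])
    return bytes(out)


def repeated_blocks(ct: bytes) -> int:
    """How many ciphertext blocks duplicate an earlier one: the ECB tell-tale."""
    bs = blocks(ct)
    return len(bs) - len(set(bs))


if __name__ == "__main__":
    key, iv, pt = b"sixteen byte key", bytes(range(8)), b"ATTACK AT DAWN! " * 4
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(key, pt)))      # 6
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(key, pt, iv)))  # 0
```

Two things worth trying beyond the pattern leak: encrypt two different messages in CTR mode with the same nonce and XOR the ciphertexts (the keystream cancels and you get the XOR of the plaintexts), and flip one bit in CBC ciphertext block 0 to see the same bit flip in plaintext block 1 while block 0 turns to garbage, which is why CBC needs a separate MAC or an AEAD mode such as GCM.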
Out-of-band vs in-band key exchange
Out-of-band: exchanging keys outside of the network (e.g. in-person)
In-band: exchanging keys over the same network as the data, protected by asymmetric cryptography (e.g. Diffie-Hellman or RSA key transport)
Data Encryption Standard (DES)
Deprecated symmetric-key block cipher with 64-bit blocks and a 56-bit key, brute-forceable with modern hardware
3DES
Applies DES three times to each 64-bit block (encrypt-decrypt-encrypt) for at most 112 bits of effective security; deprecated by NIST
Advanced Encryption Standard (AES)
Symmetric block cipher with 128-bit blocks and 128-, 192-, or 256-bit keys; extremely fast (hardware accelerated on most CPUs) and ideal for bulk data encryption
RC4
Deprecated symmetric stream cipher with known keystream biases; formerly used in WEP, SSL/TLS, and older Windows Kerberos encryption types
MD5
Message digest hashing algorithm that produces a 128-bit hash value, deprecated for security purposes because it’s susceptible to easy collision generation
International Data Encryption Algorithm (IDEA)
Symmetric block cipher that operates on 64-bit blocks using a 128-bit key
Trusted Platform Module (TPM)
Embedded microcontroller in a device’s motherboard that is designed to secure hardware with integrated cryptographic keys. Used for secure boot, disk encryption, and system integrity verification
Hardware security module (HSM)
Dedicated device for key management and encryption
Key Management System
Manages lifecycle of encryption keys
Secure enclave
Isolated hardware processor for cryptographic keys and real-time encryption
System on a Chip (SoC)
An integrated circuit combining components typically found in a standard computer system onto a single microchip
Self-encrypting drive (SED)
An HDD or SSD that uses hardware-based encryption to automatically encrypt all data written to it and decrypt data when read
Full Disk Encryption (FDE)
Encrypting all data stored on a device’s hard drive, including the operating system, applications, user files, temporary files, and system logs
Steganography
Hiding information inside another file (e.g. in the low-order bits of image pixels), also done with audio and video files
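The low-order-bit technique mentioned above, as an added example rather than material from these notes: a payload is written into the least-significant bit of each pixel of a constructed 8-bit grayscale image, preceded by a 4-byte length header so it can be extracted again. The cover image (a 64x64 gradient) and the PGM wrapper are assumptions of the example; each pixel changes by at most one level, which is why the embedding is invisible to the eye.

```python
"""LSB steganography on a constructed 8-bit grayscale image (bytes of pixel values)."""
from __future__ import annotations

WIDTH, HEIGHT = 64, 64


def make_cover() -> bytes:
    """Constructed cover image: a diagonal gradient, not a real photograph."""
    return bytes(((x + y) * 255 // (WIDTH + HEIGHT - 2)) for y in range(HEIGHT) for x in range(WIDTH))


def capacity_bytes(cover: bytes) -> int:
    """One bit per sample, minus the 4-byte length header."""
    return len(cover) // 8 - 4


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write a 32-bit length header then the payload into the least-significant bits."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError(f"payload needs {len(bits)} samples, cover has {len(cover)}")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit        # each pixel changes by at most 1
    return bytes(out)


def extract(stego: bytes) -> bytes:
    def read_bytes(count: int, start_bit: int) -> bytes:
        result = bytearray()
        for k in range(count):
            value = 0
            for j in range(8):
                value = (value << 1) | (stego[start_bit + k * 8 + j] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)


def max_pixel_change(cover: bytes, stego: bytes) -> int:
    return max(abs(a - b) for a, b in zip(cover, stego))


def to_pgm(pixels: bytes) -> bytes:
    """Wrap the samples in a binary PGM (P5) header so the result opens as an image file."""
    return f"P5 {WIDTH} {HEIGHT} 255\n".encode() + pixels


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet at the old mill")
    print(extract(stego), max_pixel_change(cover, stego), capacity_bytes(cover))
    with open("stego.pgm", "wb") as f:
        f.write(to_pgm(stego))
```

In practice the payload would be encrypted first so the LSB plane looks like noise, and lossy formats such as JPEG would destroy these bits, which is why LSB embedding targets lossless formats or raw samples.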
Tokenization
Replacing sensitive data with tokens which are then transferred over a network. Unlike hashing/encryption, tokens are not related to the original data. Common for credit card processing
Data masking
Hides some portions of data while keeping the original intact
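The distinction between tokenization, masking, and hashing is easier to see side by side. Added example (not from these notes): a tiny token vault that issues random format-preserving tokens for a card number and is the only place the mapping exists, next to a masking function and a plain hash. The card number is a constructed test value and the token format (random digits with the last four preserved) is an assumption of the example.

```python
"""Tokenization, masking and hashing of a card number side by side."""
from __future__ import annotations

import hashlib
import secrets


class TokenVault:
    """A tokenization service: tokens are random, and the PAN<->token map is kept only here.
    Tokens preserve the length and last four digits so downstream systems keep working."""

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]   # only callers with vault access can reverse a token


def mask_pan(pan: str, visible: int = 4) -> str:
    """Masking: the reader sees only part of the value; the original is kept intact elsewhere."""
    return "*" * (len(pan) - visible) + pan[-visible:]


def hash_pan(pan: str) -> str:
    """Hashing is deterministic and derived from the data, unlike a token."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_from_hash(digest: str, candidates: list[str]) -> str | None:
    """Because a hash is derived from the PAN, a guessable PAN can be matched against its hash."""
    return next((c for c in candidates if hash_pan(c) == digest), None)


PAN = "4111111111111111"  # constructed test number, not a real account

if __name__ == "__main__":
    vault_a, vault_b = TokenVault(), TokenVault()
    print("token A :", vault_a.tokenize(PAN))
    print("token B :", vault_b.tokenize(PAN))   # different: the token carries no information about the PAN
    print("masked  :", mask_pan(PAN))
    print("hash    :", hash_pan(PAN))           # identical everywhere, so it can be correlated or guessed
```

Two independent vaults produce different tokens for the same card, while the hash is the same everywhere; that is the property that lets tokens be stored outside the PCI scope and makes a hash a poor substitute.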
Hash salt
Random data added to each password before hashing so identical passwords produce different hashes and precomputed (rainbow) tables are useless; combined with key stretching it slows brute-force attacks
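PBKDF2 and the hash salt from the entries above, shown together as an added example (not from these notes) using Python's standard-library hashlib.pbkdf2_hmac: a per-password random salt and an iteration count are stored with the derived key, verification re-derives and compares in constant time, and a constructed table of unsalted SHA-256 digests shows why the salt defeats precomputation. The storage record format and the iteration count are assumptions of the example.

```python
"""Salted, iterated password hashing with PBKDF2-HMAC-SHA256 from Python's hashlib."""
from __future__ import annotations

import hashlib
import hmac
import os

# Assumed parameters for this example; production deployments use far more iterations
# (OWASP's current guidance for PBKDF2-HMAC-SHA256 is 600,000).
ALGORITHM = "sha256"
SALT_BYTES = 16
ITERATIONS = 100_000
KEY_BYTES = 32


def hash_password(password: str, salt: bytes | None = None, iterations: int = ITERATIONS) -> str:
    """Derive a key from the password and return a self-describing record:
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex> (a format chosen for this example)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)      # fresh random salt per password
    key = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return f"pbkdf2_{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, key_hex = record.split("$")
    algorithm = scheme.split("_", 1)[1]
    candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"), bytes.fromhex(salt_hex),
                                    int(iterations), dklen=KEY_BYTES)
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


# Constructed stand-in for a precomputed (rainbow) table of unsalted SHA-256 digests.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
RAINBOW_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def lookup_unsalted(password: str) -> str | None:
    """A plain hash of a common password is found instantly in the table."""
    return RAINBOW_TABLE.get(hashlib.sha256(password.encode()).hexdigest())


def lookup_salted(password: str, salt: bytes) -> str | None:
    """The salted, iterated hash is in no generic table: the attacker would need one table per salt."""
    derived_hex = hash_password(password, salt).rsplit("$", 1)[1]
    return RAINBOW_TABLE.get(derived_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Correct horse battery staple", record))   # False
    print(lookup_unsalted("password"), lookup_salted("password", os.urandom(16)))  # password None
```

Storing the iteration count in the record is what lets a site raise the work factor later and re-hash users on their next login without a flag day.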
RSA
An asymmetric algorithm: data encrypted with the public key can only be decrypted with the private key, and signatures made with the private key are verified with the public key. Too slow for bulk data, so it is used to exchange or wrap symmetric keys, for digital signatures, and to set up secure communications
Pretty Good Privacy (PGP) vs GNU Privacy Guard (GPG)
Pretty Good Privacy (PGP): proprietary encryption software (the PGP product line passed from PGP Corporation to Symantec and then Broadcom), used for secure email communication and data protection
GNU Privacy Guard (GPG): FOSS implementation of the OpenPGP standard
Data Encryption Key (DEK)
Symmetric key used to protect data
Key Encryption Key (KEK)
Cryptographic key used to encrypt and protect other keys
Master Boot Record (MBR)
Contains data about partitions and the bootloader, used in older non-UEFI based PCs
Chapter 2
Nation-state threat actor
Government-sponsored, highly skilled and well funded. Mainly focus on espionage, sabotage, and cyberwarfare
Unskilled attacker (script kiddie)
Low technical knowledge, uses pre-made tools, often motivated by curiosity or fame
Hacktivist
Ideologically/politically motivated attacker aiming to disrupt, deface, or leak data
Insider threat
Individuals within an organization who intentionally or unintentionally cause harm
Organized crime
Cybercriminal groups focused on profit through ransomware, fraud, data theft, etc.
Shadow IT
Hardware, software, or cloud services that employees or departments deploy without IT approval, often paid for from their own budgets; not malicious by intent, but unmanaged and unmonitored, leading to security blind spots
SHTTP
Obsolete protocol used for secure data transfer over the web
Simple Mail Transfer Protocol (SMTP)
Used for sending email messages between mail servers or from a client device to a mail server
Simple Mail Transfer Protocol Secure (SMTPS)
SMTP over implicit TLS on port 465; once deprecated in favour of STARTTLS on port 587, but re-recommended for mail submission by RFC 8314
Multipurpose Internet Mail Extensions (MIME)
Enables transfer of graphics, audio, and video files over email
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Extends MIME with public key encryption and digital signing of emails
FTP vs SFTP vs FTPS
FTP: older, unencrypted protocol, runs on port 21
FTPS: extension of FTP that adds TLS; explicit FTPS negotiates TLS on port 21 (AUTH TLS), implicit FTPS uses port 990
SFTP: a separate file-transfer protocol that runs over SSH on port 22, so the whole session is encrypted; not FTP with encryption bolted on
Multimedia Messaging Service (MMS)
Messaging service that allows users to send content such as images, videos, and audio along with text messages to mobile devices
IPsec
Secure network protocol and technology suite that provides encryption, authentication, and data integrity for network traffic, runs in one of the following modes:
Transport mode: provides encryption only for the payload (the data part of the packet)
Tunnel mode: provides entire packet encryption
Encapsulation Security Payload (ESP)
Core protocol of IPsec that provides confidentiality, data integrity, and authentication
Layer 2 Tunneling Protocol (L2TP)
Tunneling protocol (UDP 1701) used for VPNs and by ISPs to deliver services; provides no encryption on its own and is typically paired with IPsec (L2TP/IPsec)
Wired Equivalent Privacy (WEP)
Outdated wireless security protocol based on RC4 with short, reused IVs; thoroughly broken and crackable in minutes
Wi-Fi Protected Access (WPA)
Security protocol to secure wireless networks, successor to WEP