CompTIA Sec+

Chapter 1 - General Security Concepts

Primary types of security controls

1. Technical

2. Managerial

3. Operational

Technical controls

Implemented using systems (operating system controls, firewalls, anti-virus, etc.)

Managerial controls

Administrative measures focused on the management of risk and the oversight of cybersecurity systems (e.g. admin controls, security policies, standard operating procedures)

Operational controls

Implemented by people (security guards, awareness programs), focused on day-to-day procedures

Physical controls

Limit physical access (locks, badge readers, fences, etc.)

Preventive controls

Designed to stop security incidents before they occur by limiting access to resources or preventing unauthorized actions (e.g. firewalls)

Corrective controls

Apply after an event has already happened

Compensating controls

Control using other means, prevents exploitation of a weakness rather than directly addressing the weakness (block instead of patch, separation of duties, backup power generator)

Directive controls

Directing someone toward security compliance (sign: authorized personnel only)

CIA Triad

Fundamental principles of security

1. Confidentiality: prevent disclosure of info to unauthorized people/systems (e.g. encryption)

2. Integrity: no modifications with detection, stored/transferred as intended (e.g. digital certificate)

3. Availability: systems/networks continue to run as intended (e.g. redundancy, fault tolerance)

Non-repudiation

Inability to deny what has been said, like signing a contract

IRP

Acceptable Use Policy (AUP)

Set of rules and guidelines that define acceptable and unacceptable behaviors when using an organization’s computer systems, networks, and digital resources

AAA

1. Authentication: requires proof of identity (e.g. password)

2. Authorization: determines level of access

3. Accounting: tracking resource usage by account

Solutions for AAA functionality

• TACACS+:

• RADIUS:

Security Assertion Markup Language (SAML)

Uses XML to exchange data for both authentication and authorization for SSO between identity providers (IdP) and service providers (SP), commonly used in enterprise environments and legacy systems

Digital certificate

Digital document that verifies the identity of an individual, device, service, or organization in online communications

Public key infrastructure

Hierarchical system for the creation, management, storage, distribution, and revocation of digital certificates

Online Certificate Status Protocol (OCSP)

Verifies the revocation status of digital certificates in real time

Certificate Authority (CA)

Trusted entity that issues digital certificates to verify the ownership of public keys. Does so by creating a cert from a device, signing it with the organization’s CA, and putting it onto the device. It then checks the cert for authentication

Gap analysis

Comparing current to desired security position, done by evaluating current systems and weaknesses and creating a path towards baseline

Zero Trust

No assumed trust, continually verifies access for every person/process/device through security checks. Split into:

• Data plane: process

Adaptive identity

Threat scope reduction

Decreasing potential entry points to a system

Types of access control

• Discretionary (DAC): owner of a resource determines who can access it

• Mandatory (MAC): assigns security labels to both users and resources to determine access

• Role-based (RBAC): permissions are based on a user’s role within an organization

• Rule-based (RuBAC): access is determined by predefined rules based on conditions such as time, location, or device type

• Attribute-based (ABAC): considers user attributes (e.g. job title, department, location), resource attributes (e.g. sensitivity level), and environmental conditions (e.g. time of day, network location)

• Policy-based (PBAC): uses dynamic policies to manage access

Peer-to-peer (P2P)

Decentralized network where participants interact directly without relying on a central server or intermediary

Point-to-point Tunneling Protocol (PPTP)

Obsolete VPN network protocol that encapsulates PPP frames within IP packets

Security zones

Delineates where you are coming from and where you are going in a network (e.g. untrusted network → trusted network), as well as which zones can access other zones

Policy Enforcement Point (PEP)

Acts as a gatekeeper for resources by intercepting, monitoring, and/or terminating access requests

Policy engine

Evaluates decisions based on policies (e.g. grant, deny, revoke)

Policy admin

Provides the access control policies that are enforced by the PEP

Access control vestibule

Room that you must pass through to access the rest of the building

Honeypots

Used to lure and trap attackers to a fake target in order to buy time and conduct recon

Honeynets

Made up of multiple honeypots

Honeyfiles

Files with fake info, sends an alert when they are accessed

Honey tokens

Traceable fake data that can be monitored for suspicious activity (e.g. API creds, fake email addresses, browser cookies)

Change management

Defines how to make changes with software, patching applications, and/or firewall settings. Requires clear policies on change frequency, duration, and rollback procedures

Backout plan

Method of reverting changes through system backups

Standard operating procedure (SOP)

An organization’s instructions for performing specific tasks or responding to incidents consistently and efficiently

PBKDF2

Enables secure conversion of user passwords into cryptographic keys

Public Key Infrastructure (PKI)

Framework of technologies, policies, and processes used in networking to manage digital certificates and public-key encryption

Key Distribution Center (KDC)

Centralized server that is used to distribute cryptographic keys and authenticate users and services within a network

Key escrow

Process of storing private encryption keys with a trusted third-party, useful if keys are lost or for managing data access

Recovery Agent (RA)

A trusted third party (an individual, entity, or system) who is authorized to assist in the retrieval of encryption keys and data on behalf of the data owner

Electronic Code Book (ECB)

Simplest mode of operation for block ciphers, used to encrypt data in fixed-size blocks using the same key

Counter Mode (CTM)

Block cipher mode that combines a unique counter with encryption key to generate a stream of pseudorandom data blocks which are then used for encrypting data

Cipher Feedback (CFB)

Block cipher mode that transforms a block cipher into a stream cipher, thus enabling the encryption of individual bits or bytes of data

Out-of-band vs in-band key exchange

Out-of-band: exchanging keys outside of the network (e.g. in-person)

In-band: exchanging keys on the network, requires asymmetric encryption

Trusted platform module (TPM)

Embedded microcontroller in a device’s motherboard that is designed to secure hardware with integrated cryptographic keys. Used for secure boot, disk encryption, and system integrity verification

Hardware security module (HSM)

Higher end hardware for larger environments with associated software/firmware, stores thousand of cryptographic keys and has faster cryptographic functions

Secure enclave

Isolated hardware processor for cryptographic keys and real-time encryption

System on a Chip (SoC)

An integrated circuit combining components typically found in a standard computer system onto a single microchip

Self-encrypting drive (SED)

An HDD or SSD that uses hardware-based encryption to automatically encrypt all data written to it and decrypt data when read

Full Disk Encryption (FDE)

Encrypting all data stored on a device’s hard drive, including the operating system, applications, user files, temporary files, and system logs

Steganography

Hiding information in an image file, can also be done with audio/video files

Tokenization

Replacing sensitive data with tokens which are then transferred over a network. Unlike hashing/encryption, tokens are not related to the original data. Common for credit card processing

Data masking

Hides some portions of data while keeping the original intact

Hash salt

Random data added to a password when hashing, useful for slowing down brute-force attacks

Pretty Good Privacy (PGP) vs GNU Privacy Guard (GPG)

Pretty Good Privacy (PGP): proprietary encryption software owned by Symantec, used for secure email communication and data protection

GNU Privacy Guard (GPG): FOSS implementation of the OpenPGP standard

Data Encryption Key (DEK)

Symmetric key used to protect data

Key Encryption Key (KEK)

Cryptographic key used to encrypt and protect other keys

Master Boot Record (MBR)

Contains data about partitions and the bootloader, used in older non-UEFI based PCs

Chapter 2

Shadow IT

An internal team of threat actors that builds their own infrastructure, uses their own funds and cloud based services

Simple Mail Transfer Protocol (SMTP)

Used for sending email messages between mail servers or from a client device to a mail server

Simple Mail Transfer Protocol Secure (SMTPS)

Deprecated TLS-based method for secure transmission of email messages

Secure/Multipurpose Internet Mail Extensions (S/MIME)

Obsolete protocol used for secure data transfer over the web, allowing for digitally signing emails

FTP vs SFTP

FTP: older, unencrypted protocol

SFTP: runs over SSH, thus ensuring end-to-end encryption

Multimedia Messaging Service (MMS)

Messaging service that allows users to send content such as images, videos, and audio along with text messages to mobile devices

IPsec

Secure network protocol and technology suite that provides encryption, authentication, and data integrity for network traffic

CCMP

Encryption protocol used in Wi-Fi networks implementing the WPA2 security standard

Elliptic Curve Cryptography (ECC)

Public-key cryptographic system that is ideal in low-resource devices, such as IoT, embedded, and mobile devices

War dialing

Identifying devices such as modems and computers that are connected to the public switched telephone network PSTN, could lead to access to systems

Bluesnarfing

Gaining unauthorized access to a Bluetooth device

Bluejacking

Sending unsolicited messages over Bluetooth to Bluetooth-enabled devices

Managed Service Provider (MSP)

IT solution for a company that needs IT services but lacks any IT personnel

Managed Security Service Provider (MSSP)

Third-party vendor that offers IT security management services

Watering hole attack

Targets employees by infecting websites that they use with malware

Memory injection

Malicious code that runs in memory through malware hidden in legitimate processes

Cross-site scripting (XSS)

Executing JavaScript in a victim’s browser, often to gain control over an application or user

1. Reflected: scripts come from current HTTP requests (attacker sends a request and gets a response), limited since you can mostly only target yourself

2. Stored: scripts are stored in a database and retrieved later, can attack multiple users

3. DOM-based: client-side has vulnerable JS that uses untrusted user input

Cross-Site Request Forgery (CSRF)

Transmitting unauthorized commands from a user’s browser to a website without their consent. The attacker’s script then executes on the website

Jailbreaking/rooting

Replacing a smartphone’s existing OS with custom firmware, allows for circumvention of security features

Zero-day

An attack without a patch or method of mitigation

Rootkit

Gains unauthorized access into a computer while being hidden from system and its users

RFID cloning

Duplicating RFID to gain unauthorized access

Amplified DDOS Attack

Type of DDoS attack wherein an attacker sends a small, specially crafted DNS query containing a spoofed IP address (the victim’s IP) to a compromised DNS server. Upon receiving the query, the DNS server generates a much larger response packet, which is then sent to the victim's IP address, causing potential disruption due to overwhelming traffic

Reflected DDOS Attack

Utilizing third-party servers to reflect and amplify attack traffic towards the target

Friendly DOS

Unintentional or well-intentioned actions that cause services shutdowns

DNS spoofing/poisoning

Modifying a DNS server or client host file, or sending a fake response to a valid DNS request

Can reroute DNS server so that it redirects users to a malicious site whenever a specific IP is received

Domain hijacking

Providing false DNS information to a DNS resolver for the purpose of redirecting or manipulating the resolution of domain names to malicious IP addresses. Legitimate domain registrants end up losing control over their domain names due to unlawful actions of third parties

URL hijacking

Using misspelled versions of legitimate domain names to redirect users to malware

On-path/MITM attack

Watching, intercepting, and/or redirecting traffic between two computers

On-path browser attack

Malware on victim’s device acts as a proxy between the browser and the Internet, able to see traffic in plaintext

Replay attack

Intercepting valid network traffic and then fraudulently resending it to misdirect the target, not the same as an on-path attack since the original workstation is not needed. Can be prevented by salting hashes, encryption, and combining session ID and hash

Header manipulation

Changing HTTP headers to bypass security measures, conduct spoofing attacks, or manipulate web application behavior. Can be prevented using end-to-end encryption

Directory traversal

Reading and writing to files in a web server that are outside the scope of the website’s files

Birthday attack

Finding a hash value that causes a collision, thus breaking cryptographic controls. Can be prevented by having a large hash output

Downgrade attack

Forcing a system to downgrade security, such as SSL stripping or downgrading from HTTPS → HTTP through a MITM attack

Spraying attack

Attempt the most common passwords before an account gets locked out, then moving on to the next account