CompTIA Sec+

137 Terms

1

Chapter 1 - General Security Concepts

2

Primary types of security controls

  1. Technical

  2. Managerial

  3. Operational

3

Technical controls

Implemented using systems (operating system controls, firewalls, anti-virus, etc.)

4

Managerial controls

Administrative measures focused on the management of risk and the oversight of cybersecurity systems (e.g. admin controls, security policies, standard operating procedures)

5

Operational controls

Implemented by people (security guards, awareness programs), focused on day-to-day procedures

6

Physical controls

Limit physical access (locks, badge readers, fences, etc.)

7

Preventive controls

Designed to stop security incidents before they occur by limiting access to resources or preventing unauthorized actions (e.g. firewalls)

8

Corrective controls

Apply after an event has already happened

9

Compensating controls

Control using other means, prevents exploitation of a weakness rather than directly addressing the weakness (block instead of patch, separation of duties, backup power generator)

10

Directive controls

Directing someone toward security compliance (sign: authorized personnel only)

11

CIA Triad

Fundamental principles of security

  1. Confidentiality: prevent disclosure of info to unauthorized people/systems (e.g. encryption)

  2. Integrity: data cannot be modified without detection and is stored/transferred as intended (e.g. digital certificate)

  3. Availability: systems/networks continue to run as intended (e.g. redundancy, fault tolerance)

12

Non-repudiation

Inability to deny what has been said, like signing a contract

13

IRP

14

Acceptable Use Policy (AUP)

Set of rules and guidelines that define acceptable and unacceptable behaviors when using an organization’s computer systems, networks, and digital resources

15

AAA

  1. Authentication: requires proof of identity (e.g. password)

  2. Authorization: determines level of access

  3. Accounting: tracking resource usage by account

16

Solutions for AAA functionality

  • TACACS+:

  • RADIUS:

17

Public key infrastructure

Hierarchical system for the creation, management, storage, distribution, and revocation of digital certificates

18

Certificate Authority (CA)

Trusted entity that issues digital certificates to verify the ownership of public keys. It does so by creating a certificate for a device, signing it with the organization’s CA, and installing it on the device; the certificate is then checked during authentication

19

Gap analysis

Comparing the current security position to the desired one, done by evaluating current systems and their weaknesses and creating a path towards the baseline

20

Zero Trust

No assumed trust, continually verifies access for every person/process/device through security checks. Split into:

  • Data plane: process

21

Adaptive identity

22

Threat scope reduction

Decreasing potential entry points to a system

23

Types of access control

  • Discretionary (DAC): owner of a resource determines who can access it

  • Mandatory (MAC): assigns security labels to both users and resources to determine access

  • Role-based (RBAC): permissions are based on a user’s role within an organization

  • Rule-based (RuBAC): access is determined by predefined rules based on conditions such as time, location, or device type

  • Attribute-based (ABAC): considers user attributes (e.g. job title, department, location), resource attributes (e.g. sensitivity level), and environmental conditions (e.g. time of day, network location)

  • Policy-based (PBAC): uses dynamic policies to manage access

24

Security zones

Delineates where you are coming from and where you are going in a network (e.g. untrusted network → trusted network), as well as which zones can access other zones

25

Policy Enforcement Point (PEP)

Acts as a gatekeeper for resources by intercepting, monitoring, and/or terminating access requests

26

Policy engine

Evaluates decisions based on policies (e.g. grant, deny, revoke)

27

Policy admin

Provides the access control policies that are enforced by the PEP

28

Access control vestibule

Room that you must pass through to access the rest of the building

29

Honeypots

Used to lure attackers to a fake target and trap them there in order to buy time and conduct recon on their activity

30

Honeynets

Made up of multiple honeypots

31

Honeyfiles

Files containing fake information that send an alert when they are accessed

32

Honey tokens

Traceable fake data that can be monitored for suspicious activity (e.g. API creds, fake email addresses, browser cookies)

33

Change management

Defines how to make changes to software, patch applications, and/or modify firewall settings. Requires clear policies on change frequency, duration, and rollback procedures

34

Backout plan

Method of reverting changes through system backups

35

Standard operating procedure (SOP)

An organization’s instructions for performing specific tasks or responding to incidents consistently and efficiently

36

Key escrow

Process of storing private encryption keys with a trusted third-party, useful if keys are lost or for managing data access

37

Recovery Agent (RA)

A trusted third party (an individual, entity, or system) who is authorized to assist in the retrieval of encryption keys and data on behalf of the data owner

38

Out-of-band vs in-band key exchange

Out-of-band: exchanging keys outside of the network (e.g. in-person)

In-band: exchanging keys on the network, requires asymmetric encryption

39

Trusted platform module (TPM)

Embedded microcontroller in a device’s motherboard that is designed to secure hardware with integrated cryptographic keys. Used for secure boot, disk encryption, and system integrity verification

40

Hardware security module (HSM)

Higher-end hardware for larger environments, with associated software/firmware; stores thousands of cryptographic keys and performs cryptographic functions faster

41

Secure enclave

Isolated hardware processor for cryptographic keys and real-time encryption

42

Self-encrypting drive (SED)

An HDD or SSD that uses hardware-based encryption to automatically encrypt all data written to it and decrypt data when read

43

Full Disk Encryption (FDE)

Encrypting all data stored on a device’s hard drive, including the operating system, applications, user files, temporary files, and system logs

44

Steganography

Hiding information inside an image file; can also be done with audio/video files

45

Tokenization

Replacing sensitive data with tokens which are then transferred over a network. Unlike hashing/encryption, tokens are not related to the original data. Common for credit card processing

46

Data masking

Hides some portions of data while keeping the original intact

47

Hash salt

Random data added to a password when hashing, useful for slowing down brute-force attacks

48

Pretty Good Privacy (PGP) vs GNU Privacy Guard (GPG)

Pretty Good Privacy (PGP): proprietary encryption software owned by Symantec

GNU Privacy Guard (GPG): FOSS implementation of the OpenPGP standard

49

Data Encryption Key (DEK)

Symmetric key used to protect data

50

Key Encryption Key (KEK)

Cryptographic key used to encrypt and protect other keys

51

Chapter 2

52

Shadow IT

An internal team of threat actors that builds its own infrastructure, using its own funds and cloud-based services

53

Simple Mail Transfer Protocol (SMTP)

Used for sending email messages between mail servers or from a client device to a mail server

54

Simple Mail Transfer Protocol Secure (SMTPS)

Deprecated TLS-based method for secure transmission of email messages

55

Secure/Multipurpose Internet Mail Extensions (S/MIME)

Obsolete protocol used for secure data transfer over the web

56

FTP vs SFTP

FTP: older, unencrypted protocol

SFTP: runs over SSH, thus ensuring end-to-end encryption

57

IPsec

Secure network protocol and technology suite that provides encryption, authentication, and data integrity for network traffic

58

CCMP

Encryption protocol used in Wi-Fi networks implementing the WPA2 security standard

59

Elliptic Curve Cryptography (ECC)

Public-key cryptographic system that is ideal in low-resource devices, such as IoT, embedded, and mobile devices

60

War dialing

Identifying devices such as modems and computers that are connected to the public switched telephone network (PSTN), which could lead to access to those systems

61

Watering hole attack

Targets employees by infecting websites that they use with malware

62

Memory injection

Malicious code that runs in memory through malware hidden in legitimate processes

63

Cross-site scripting (XSS)

Executing JavaScript in a victim’s browser, often to gain control over an application or user

  1. Reflected: the script comes from the current HTTP request (the attacker sends a request and the script is echoed back in the response), limited since by itself you can mostly only target yourself

  2. Stored: scripts are stored in a database and retrieved later, can attack multiple users

  3. DOM-based: client-side has vulnerable JS that uses untrusted user input

64

Jailbreaking/rooting

Replacing a smartphone’s existing OS with custom firmware, allows for circumvention of security features

65

Zero-day

An attack without a patch or method of mitigation

66

Rootkit

Gains unauthorized access to a computer while remaining hidden from the system and its users

67

RFID cloning

Duplicating an RFID tag to gain unauthorized access

68

Friendly DOS

Unintentional or well-intentioned actions that cause service shutdowns

69

DNS spoofing/poisoning

Modifying a DNS server or client host file, or sending a fake response to a valid DNS request

Can reroute a DNS server so that it redirects users to a malicious site whenever a specific IP is received

70

Domain hijacking

Controlling where traffic flows through access to the domain registration

71

URL hijacking

Using misspelled versions of legitimate domain names to redirect users to malware

72

On-path/MITM attack

Watching, intercepting, and/or redirecting traffic between two computers

73

On-path browser attack

Malware on the victim’s device acts as a proxy between the browser and the Internet, so it can see traffic in plaintext

74

Replay attack

Intercepting valid network traffic and then fraudulently resending it to misdirect the target; not the same as an on-path attack, since the original workstation is not needed. Can be prevented by salting hashes, encryption, and combining the session ID with the hash

75

Header manipulation

Changing HTTP headers to bypass security measures, conduct spoofing attacks, or manipulate web application behavior. Can be prevented using end-to-end encryption

76

Directory traversal

Reading and writing files on a web server that are outside the scope of the website’s files

77

Birthday attack

Finding a hash value that causes a collision, thus breaking cryptographic controls. Can be prevented by having a large hash output

78

Downgrade attack

Forcing a system to downgrade security, such as SSL stripping or downgrading from HTTPS → HTTP through a MITM attack

79

Spraying attack

Attempting the most common passwords against an account before it gets locked out, then moving on to the next account

80

Examples of indicators of compromise (IOC)

  • Unusual network activity

  • Change of hash values

  • Changes to DNS data

  • Files are more frequently read

  • Uncommon login patterns

  • Irregular international traffic

81

Concurrent session usage

Multiple logins to one account from multiple locations/devices. A possible indicator of compromise, but not conclusive, since having multiple devices is common

82

Blocked content

Attacker blocks certain features to remain in the computer as long as possible (e.g. blocking patches and updates to anti-virus, removing tools)

83

Impossible travel

Significant login location changes in a short period of time (e.g. America → Bulgaria in 3 mins)

84

Suspicious resource consumption

Outgoing transfer of files and use of bandwidth at odd hours

85

Resource inaccessibility

Malicious network disruption, often with the intent to cover for an actual exploit

86

Parameter pollution

Manipulating HTTP requests by adding extra or modified parameters to bypass security measures or alter application behavior

87

Decommissioning

Making sure that sensitive data is wiped off of old devices, and then either recycling or destroying the devices

88

Endpoint Detection and Response (EDR)

System that monitors, investigates, and stops threats without user intervention. Functions include:

  • Recognizing known malware and viruses

  • Tracking user behavior

  • Using machine learning to better detect intrusions

  • Monitoring processes

  • Isolating systems that have been breached

89

Host-based IPS

Recognizes and blocks known attacks, and secures the OS and applications

90

Chapter 3 - Infrastructures

91

Hybrid cloud

Services are provided by more than one cloud provider, which adds complexity. This makes protection mismatches (e.g. different firewall/server settings, responsibilities, logs) and data leakages more common

92

Third party in the cloud

Have a vendor risk assessment/management policy, include the third party’s incident response, and constantly monitor third-party services

93

Virtual Local Area Network (VLAN)

Allows for multiple logically isolated networks on one physical switch

94

Software Defined Networking (SDN)

Three separate planes of operation, split

95

Network Address Translation (NAT)

Hides internal IP addresses by modifying IP address information in packet headers while in transit across a traffic routing device

96

Supervisory Control and Data Acquisition System (SCADA)

Large-scale multi-site industrial control system (ICS). Allows a PC to manage the equipment, and distributed control systems can relay info in real time (distributed systems must be segmented so that one breach doesn’t compromise everything)

97

Resilience

How quickly you can recover/act to maintain availability

98

Risk transference

Shifting the potential financial consequences of cyber risks through insurance

99

Attack surface

The total possible entry points into a system

100

Fail-open vs Fail-closed

Fail-open: the system defaults to an open state in the event of a failure/malfunction, allowing access and traffic to continue uninterrupted

Fail-closed: access/traffic stops during failure/malfunction