Comptia Security+ Domain 4


159 Terms

1
New cards

Secure baselines

  • The security of an app environment should be well defined

  • Integrity measurements check for the secure baseline

2
New cards

Establishing baselines

  • Create a series of baselines

  • Security baselines are often available from the manufacturer

    • App dev

    • OS manufacturer

    • Appliance manufacturer

  • Many OSes have extensive options

3
New cards

Deploying baselines

  • Have established detailed security baselines

  • Deploy the baselines

  • May require multiple deployment mechanisms

  • Automation is key

4
New cards

Maintaining baselines

  • Many of these are best practices

  • Other baselines may require ongoing updates

  • Test and measure to avoid conflicts

5
New cards

Hardening targets

  • No system is secure with default configs

  • Hardening guides are specific to software or platform

6
New cards

Mobile device hardening

  • Updates are critical

  • Segmentation can protect data

  • Control with an MDM (Mobile Device Manager)

7
New cards

Workstations hardening

  • User desktops and laptops

  • Constant monitoring and updates

  • Automate monthly patches

  • Connect to a policy management system

    • Active directory

  • Remove unnecessary software

8
New cards

Network infrastructure hardening

  • Switches, routers, etc.

  • Purpose-built devices

    • Embedded OS, etc.

  • Configure authentication

    • Don’t use defaults

  • Check with manufacturer

9
New cards

Cloud infrastructure hardening

  • Least privilege

  • Configure Endpoint Detection and Response (EDR)

  • Always have backups

    • Cloud to Cloud (C2C)

10
New cards

Server hardening

  • Many and varied

  • Updates

  • User accounts

  • Network access and security

  • Monitor and secure

11
New cards

SCADA/ICS hardening

  • PC manages equipment

  • Requires extensive segmentation

12
New cards

Embedded systems hardening

  • Can be difficult to upgrade

  • Correct vulnerabilities

  • Segment and firewall

13
New cards

RTOS (Real-Time OS) hardening

  • Isolate the system

  • Run with minimum services

  • Use secure communication

14
New cards

IoT device hardening

  • Weak defaults

  • Deploy updates quickly

  • Segmentation

15
New cards

Site surveys

  • Determine existing wireless landscape

  • Identify existing access points

  • Work around existing frequencies

  • Plan for ongoing site surveys

  • Heat maps

    • Identify wireless signal strengths

16
New cards

Wireless survey tools

  • Signal coverage

  • Potential interference

  • Built-in tools

  • 3rd-party tools

  • Spectrum analyzer

17
New cards

MDM (Mobile Device Manager)

  • Manage company-owned and user-owned mobile devices

  • Centralized management of the mobile devices

  • Set policies on apps, data, camera, etc.

  • Manage access control

18
New cards

BYOD

  • Bring own device

  • Employee owns the device

  • Difficult to secure

19
New cards

COPE

  • Corporate owned, personally enabled

  • Organization keeps full control of the device

  • Info is protected using corporate policies

  • CYOD (Choose your own device)

20
New cards

Cellular networks

  • Mobile devices

  • Separate land into “cells”

  • Security concerns

    • Traffic monitoring

    • Location tracking

    • Worldwide access to a mobile device

21
New cards

Wi-Fi

  • Local network access

  • Same security concerns as other Wi-Fi devices

  • Data capture

  • On-path attack

  • Denial of service

22
New cards

Bluetooth

  • High-speed communication

  • Connects our mobile devices

  • Don’t connect to unknown Bluetooth devices

23
New cards

Securing a wireless network

  • An organization’s wireless network can contain confidential info

  • Authenticate users before granting access

  • Ensure all communication is confidential

  • Verify the integrity of all communication

    • Message Integrity Check (MIC)

24
New cards

WPA2 PSK problem

  • Has a brute-force problem

    • Listen to 4-way handshake

    • Capture the hash

  • With hash, attackers can brute force the pre-shared key (PSK)

  • Has become easier as technology improves

  • Once you have the PSK, you have everyone’s wireless key

25
New cards

WPA3 and GCMP

  • GCMP block cipher mode

  • GCMP security services

    • Data confidentiality with AES

    • MIC with GMAC

26
New cards

SAE

  • WPA3 changes the PSK authentication process

    • Creates a shared session key without sending key across the network

  • Simultaneous Authentication of Equals

    • A Diffie-Hellman derived key exchange with an authentication component

    • An IEEE standard - the dragonfly handshake

27
New cards

Wireless authentication methods

  • Credentials

    • PSK

    • Centralized authentication (802.1X)

  • Configuration

28
New cards

Open System

No authentication password is required

29
New cards

WPA3-Personal / WPA3-PSK

  • WPA2 or WPA3 with a pre-shared key

  • Everyone uses the same 256-bit key

30
New cards

WPA3-Enterprise / WPA3-802.1X

Authenticates users individually with an authentication server (e.g., RADIUS)

31
New cards

AAA Framework

  • Identification - Who you claim to be (username)

  • Authentication - Prove you are who you say you are (password)

  • Authorization - What access you have

  • Accounting - Resources used

32
New cards

RADIUS (Remote Authentication Dial-in User Service)

  • One of the more common AAA protocols

  • Centralize authentication for users

  • Available on almost any server OS

33
New cards

IEEE 802.1X

  • Port-based Network Access Control (NAC)

  • Used in conjunction with an access database

    • RADIUS, LDAP, TACACS+

34
New cards

EAP (Extensible Authentication Protocol)

  • Many different ways to authenticate based on RFC standards

  • Integrates with 802.1X

35
New cards

Secure coding concepts

  • A balance between time and quality

  • Testing

  • Vulnerabilities will eventually be found

36
New cards

Input validation

  • What the expected input is

  • Document all input methods

  • Check and correct all input (normalization)

  • Fuzzers will find what you missed

37
New cards

Secure cookies

  • Info stored on your computer by the browser

  • Used for tracking, personalization, session management

  • Have a secure attribute set

  • Sensitive info should not be saved in a cookie

38
New cards

Static code analysis

  • Many security vulnerabilities found easily

  • Not everything can be analyzed through this

  • Still have to verify each finding

39
New cards

Code signing

  • An app is deployed

  • Questions:

    • Has app been modified?

    • App was written by a specific dev?

  • The app code can be digitally signed by the dev

    • Asymmetric encryption

    • Trusted CA signs dev’s public key

    • Dev signs the code with their private key

    • For internal app, use own CA

40
New cards

Sandboxing

  • Apps can’t access unrelated sources

  • Commonly used in development

  • Used in many different deployments

    • VMs

    • Mobile devices

    • Browser iframes (inline frames)

    • Windows User Account Control (UAC)

41
New cards

Acquisition/procurement process

  • Purchasing process

  • Start with request from the user

  • Negotiate with suppliers

  • Purchase, invoice, and payment

42
New cards

Assignment/accounting

  • A central tracking system

  • Ownership

    • Associate a person with an asset

  • Classification

    • Type of asset

    • Hardware (capital expenditure)

    • Software (operating expenditure)

43
New cards

Monitoring/asset tracking

  • Inventory every asset

  • Associate a support ticket with a device make and model

  • Enumeration

    • List all parts of an asset

  • Add an asset tag

44
New cards

Media sanitization

  • System disposal or decommissioning

  • Different use cases

    • Clean hard drive for future use

    • Permanently delete a single file

  • One-way trip

  • Reuse the storage media

45
New cards

Physical destruction

  • Shredder/pulverizer

  • Drill/Hammer

  • Electromagnetic (degaussing)

  • Incineration

46
New cards

Certificate of destruction

  • Destruction is often done by 3rd party

  • Need confirmation that data is destroyed

  • A paper trail of broken data

47
New cards

Data retention

  • Backup your data

  • Regulatory compliance

  • Operational needs

    • Accidental deletion

    • Disaster recovery

  • Differentiate by type and application

48
New cards

Vulnerability scanning

  • Usually minimally invasive

  • Port scan

  • Identify systems

  • Test from outside and inside

  • Gather as much info as possible

49
New cards

Dynamic analysis (fuzzing)

  • Send a random input to an application

  • Looking for something out of the ordinary

50
New cards

Fuzzing engines and frameworks

  • Very time and processor resource heavy

  • Carnegie Mellon Computer Emergency Response Team (CERT)

51
New cards

Package monitoring

  • Some apps are distributed in a package

  • Confirm the package is legitimate

  • Confirm a safe package before deployment

52
New cards

OSINT (Open-source intelligence)

  • Open-source

  • Internet

  • Government data

  • Commercial data

53
New cards

Proprietary/3rd-party intelligence

  • Someone else already compiled the threat info

  • Threat intelligence services

  • Constant threat monitoring

54
New cards

Info-sharing organization

  • Public threat intelligence

  • Private threat intelligence

  • Need to share critical security details

  • Cyber Threat Alliance (CTA)

55
New cards

Dark web intelligence

  • Hacking groups and services

  • Monitor forums for activity

56
New cards

CVSS

  • National Vulnerability Database

  • Common Vulnerability Scoring System

  • Industry collaboration

57
New cards

CVE

  • Vulnerabilities can be cross-referenced online

  • Some vulnerabilities can’t be definitively identified

58
New cards

Exposure factor

  • Loss of value or business activity if the vulnerability is exploited

  • A small DDoS may limit access to a service

  • A buffer overflow may completely disable a service

  • A consideration when prioritizing

59
New cards

Environmental variables

  • Prioritization and patching frequency

  • Every environment is different

60
New cards

Risk tolerance

Amount of risk acceptable to an organization

61
New cards

Patching

  • Most common mitigation technique

  • Scheduled vulnerability / patch notices

  • Unscheduled patches

    • Zero-day

  • Ongoing process

62
New cards

Insurance

  • Cybersecurity insurance coverage

  • Doesn’t cover everything

    • Intentional acts, fund transfers, etc.

  • Ransomware has increased popularity of cybersecurity liability insurance

63
New cards

Segmentation

  • Limit scope of exploit

  • A breach would have limited scope

  • Can’t patch?

    • Disconnect from the world

    • Air gaps may be required

  • Use internal NGFWs

64
New cards

Compensating controls

  • Optimal security methods may not be available

  • Disable problematic service

  • Revoke access to the app

  • Limit external access

  • Modify internal security controls and software firewalls

  • Provide coverage until a patch is deployed

65
New cards

Exceptions and exemptions

  • Removing vulnerability is optimal

  • A balancing act

  • Not all vulnerabilities share the same severity

66
New cards

Validation of remediation

  • Rescanning

  • Audit

  • Verification

67
New cards

Reporting

  • Ongoing checks required

  • Difficult (or impossible) to manage without automation

  • Continuous reporting

    • # of identified vulnerabilities

    • Systems patched vs unpatched

    • New threat notifications

    • Errors, exceptions, and exemptions

68
New cards

Monitoring computing resources

  • Systems

    • Authentication

    • Server monitoring

  • Apps

    • Availability

    • Data transfers

    • Security notifications

  • Infrastructure

    • Remote access systems

    • Firewall and IPS reports

69
New cards

Log aggregation

  • SIEM or SEM

  • Centralized reporting

  • Correlation between diverse systems

70
New cards

Archiving

  • It takes an average of about 9 months for a company to identify and contain a breach

  • Access to data is critical

    • Archive over an extended period of time

  • May have a mandate

71
New cards

Alerting

  • Real-time notifications of security events

  • Actionable data

  • Notification methods: SMS/text, Email, SOC

72
New cards

Alert response and remediation

  • Quarantine

  • Alert tuning

  • Alert should be accurate

73
New cards

SCAP (Security Content Automation Protocol)

  • Many different security tools on the market

    • NGFWs, IPS, vulnerability scanners, etc.

  • Managed by the National Institute of Standards and Technology (NIST)

  • Allows tools to identify and act on the same criteria

74
New cards

Using SCAP

  • Can be shared between tools

  • Useful in large environments

  • The specification standard enables automation

75
New cards

Automation types

  • Ongoing maintenance

  • Notification and alerting

  • Remediation of noncompliant systems

76
New cards

Benchmarks

  • Apply security best practices to everything

  • Example: mobile device

    • Disable screenshots, screen recordings, prevent voice calls when locked, etc.

  • Center for Internet Security (CIS)

77
New cards

Agents/agentless

  • Check to see if the device is in compliance

  • Agent-based checks can usually provide more detail

  • Agentless checks run without a formal install

78
New cards

SIEM

  • Log collection of security alerts

  • Log aggregation and long-term storage

  • Data correlation

  • Forensic analysis

79
New cards

DLP (Data Loss Prevention)

  • Stop the data before the attacker gets it

  • So many sources, so many destinations

80
New cards

SNMP (Simple Network Management Protocol)

  • Database of data (MIB) - Management Info Base

  • Contains OIDs - Object Identifiers

  • Poll devices over UDP/161

  • Request stats from a device

  • Poll devices at fixed intervals

81
New cards

SNMP traps

  • Can be configured on the monitored device

    • Over UDP/162

  • Set a threshold for alerts

    • If number of CRC alerts increases by 5, send a trap

    • Monitoring station can react immediately

82
New cards

NetFlow

  • Gather traffic stats from all traffic flows

  • Probe and collector

  • Usually separate reporting app

83
New cards

Probe

Watches network communication

84
New cards

Collector

Summary records are sent to this

85
New cards

Screened subnet

Additional layer of security between you and the Internet

86
New cards

IPS rules

  • Signature-based

    • Look for a perfect match

  • Anomaly-based

    • Unusual traffic patterns are flagged

87
New cards

URL scanning

  • Allow or restrict based on URL

  • Managed by category

  • Can have limited control

  • Often integrated into an NGFW

88
New cards

Agent based

  • Install client software on the user’s device

  • Users can be located anywhere

  • Updates must be distributed to all agents

89
New cards

Reputation

  • Filter URLs based on perceived risk

  • Automated and manual setting

90
New cards

DNS filtering

  • Before connecting to a website, get the IP

  • DNS is updated with real-time threat intelligence

  • Harmful sites aren’t resolved

  • Works for any DNS lookup

91
New cards

Active Directory

  • A database of everything on the network

  • Windows-based

  • Manage authentication

  • Centralized access control

  • Commonly used by the help desk

92
New cards

Group policy

  • Manage computers or users with Group Policies

  • A central console

    • Login scripts

    • QoS

    • Security parameters

  • Comprehensive control

93
New cards

Security-Enhanced Linux (SELinux)

  • Security patches for the Linux kernel

    • Adds MAC to Linux

    • Linux traditionally uses DAC

  • Limits app access

    • Least privilege

94
New cards

Unencrypted network data

  • Telnet, FTP, SMTP, IMAP

  • Verify with a packet capture

95
New cards

802.11 Wireless

Open access point - No transport-level encryption

WPA3: All user data is encrypted

96
New cards

Mail gateway

  • Evaluates source of the inbound email messages

  • Blocks it at gateway before it reaches the user

  • On-site or cloud-based

97
New cards

SPF (Sender Policy Framework)

  • Server configures a list of all servers authorized to send emails for a domain

  • The list of authorized mail servers is added to a DNS TXT record

98
New cards

DKIM (Domain Keys Identified Mail)

  • A mail server digitally signs all outgoing mail

    • Public key is in the DKIM TXT record

  • Signature is validated by the receiving mail servers

99
New cards

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

  • Extension of SPF and DKIM

  • Domain owner decides what receiving email servers should do with emails that fail SPF and DKIM validation

  • Compliance reports are sent to the email administrator

100
New cards

FIM (File Integrity Monitoring)

  • Some files change all the time

  • Monitor important OS and app files

  • Windows - SFC (System File Checker)

  • Linux - Tripwire

  • Many host-based IPS options