Security Control Categories (List All 4)
Technical, Managerial/Administrative, Operational, Physical
Security Control Types (List All 6)
Preventive,
Deterrent,
Detective,
Corrective,
Compensating,
Directive
CIA Triad
Confidentiality, Integrity, Availability
AAA Framework
Authentication, Authorization,
Accounting
Gap Analysis
Analyzing the gap between the current security posture and the goal security posture of the organization
Zero Trust
A holistic system that covers every device, process, and person, requiring verification for everything; nothing is inherently trusted
Planes of Operation (List Both)
Data Plane and Control Plane
Policy Decision Point (PDP)
Entity that receives untrusted requests, made up of a Policy Engine and a Policy Administrator
Policy Engine
Evaluates access decisions based on policy and other information; grants, denies, or revokes access
Policy Administrator
Generates access tokens or credentials, communicates with the Policy Enforcement Point (PEP)
Policy Enforcement Point (PEP)
Endpoint which receives untrusted requests and sends them to the PDP
Access Control Vestibule
A room that controls the movement of people who go through it, usually at the entrance to a building
Honeypot, Honeynet, Honeyfile, Honeytoken
A fake network, system, token, etc. to attract and trap threat actors
Key Escrow
Someone else holds your private keys
Key Stretching
Make a weak key stronger by performing multiple processes with the same key: encrypting multiple times, hashing multiple times, etc.
Out-Of-Band Key Exchange
Transfer an encryption key OFF of the internet: over the phone, in person, etc.
In-Band Key Exchange
Exchanging encryption keys over the network, using encryption or something else
Trusted Platform Module (TPM)
Device that contains cryptographic hardware; includes key backup, cryptographic accelerators, etc.
Secret Enclave
Protected area for encryption secrets
Attributes of Threat Actors (List 4)
Internal/External,
Level of Sophistication/Capability,
Resources,
Motivation
Watering Hole Attack
Infect a 3rd-party site, network, tool, etc. with malware and wait for the target to arrive
Memory Injection
Malware injects itself into the memory of an already running process
DLL Injection
Malware injects a path to a malicious DLL (Dynamic Link Library) into an existing Windows process; one form of Memory Injection
Buffer Overflows
Overwriting a buffer of memory to change something in another separate memory area
XSS (Cross-Site Scripting) Attack
An attack where a threat actor injects code into a website to make a request to a third party using that user's authentication information
Directory Traversal
Allows applications to access data outside of their own folder using ../../..
Worm
Malware that self-replicates through the network, not requiring human interaction
Rootkit
Malware that modifies core system files, invisible to the operating system
Environmental Attack
Attack everything supporting the technology, the power, HVAC,
DNS Poisoning
Modify a DNS server to route a URL to a malicious IP address
Domain Hijacking
Gain access to a domain registration and move traffic flow towards malicious sites
Birthday Attack
An attack that takes advantage of hash collisions
Spraying Attack
Try the 3 most common passwords on a ton of different accounts so you don't get locked out
Out-Of-Cycle Logging
Logs coming in at an unexpected time, an indicator of compromise
ACLs (Access Control Lists)
List to allow or disallow traffic, from source and destination IP, port number, time of day, application, etc
SSH Port
22 TCP
HTTPS Port
443 TCP
HTTP Port
80 TCP
EDR (Endpoint Detection and Response)
System that detects threats on endpoints throughout a network
SCADA / ICS
Supervisory Control and Data Acquisition System, a large-scale, multi-site Industrial Control System, usually air-gapped, that controls industrial equipment
RTOS (Real-Time Operating System)
An operating system with a deterministic processing schedule, meaning that each process is guaranteed to be executed in a specific amount of time, without waiting for other processes.
Availability Vs Redundancy
Available means constantly up; if something is redundant but not available, it might require manually turning on the replacement infrastructure
Security Zones
Zone-based security technologies, labeling certain parts of the network as trusted, untrusted, screened, etc.
Fail Modes (List 2)
Fail-Open, meaning when the system fails, data continues to flow
Fail-Closed, meaning when the system fails, data does not flow
IPS (Intrusion Prevention System)
System that watches network traffic looking for intrusions, both detecting and preventing them
Forward Proxy
Protects the clients by controlling their access to servers (an internal proxy on the client's private network)
Reverse Proxy
Directs inbound traffic from the internet to the proxy on your network
Open Proxy
External proxy that allows anyone to use it without restrictions (uncontrolled)
IEEE 802.1X
Port-based network access control, you don't get access to the network until you authenticate
EAP
Extensible Authentication Protocol, provides many different ways to authenticate, integrates with 802.1X
Traditional vs NGFW Firewall
A traditional firewall can't filter on application information, only port numbers; a Next-Gen firewall can also do content filtering, control website traffic by category, and serve as an IPS
UTM (All-in-one Security Appliance)
Firewall that can also do a ton of other stuff: filter spam, inspect for malware, serve as a router, a switch, and an IPS/IDS system
WAF (Web Application Firewall)
A firewall that runs in the browser
SD-WAN
Software-Defined Networking in a Wide Area Network; a WAN built for cloud services so cloud applications can communicate directly without hopping through a central point
Data Sovereignty
Data that resides in a certain country is subject to the laws of that country
Data Masking
Hide some of the original data, like ******123 with credit card numbers
COOP (Continuity of Operations Planning)
A plan for continuing the organization's operations if all the technology is disabled
Fail Over
Plan for the worst-case scenario: keep running with alternate infrastructure to "fail over" to
Recovery Testing
Simulating a situation where data is lost and we restore to a backup
Replication
An ongoing real-time backup, keep data synchronized in multiple locations
Journaling
Writing data to storage in chunks; make a journal entry when you start writing and close it when done, so that if the system goes down while writing you can distinguish corrupted data
UPS (List 3 Types)
Uninterruptible power supply.
Offline/Standby,
Line-Interactive,
On-Line/Double Conversion
Site Surveys
Sample the existing wireless landscape in a location
MDM
Mobile Device Management, centralized management of mobile devices
BYOD
Bring Your Own Device; technology or devices that employees bring in, which need to meet the company's requirements
COPE
Company Owned, Personally Enabled, a device that the company buys, but can also be used as a personal device
CYOD
Choose Your Own Device, similar to COPE, but the user gets to choose the device
WPA2 vs WPA3
WPA2 has a vulnerability that allows the PSK to be brute-forced or captured over the network; WPA3 solves this problem
SAE
Simultaneous Authentication of Equals (Dragonfly handshake)
Authentication method for WPA3
Resistant to offline dictionary attacks
Forward secrecy
Uses ECC
RADIUS
Remote Authentication Dial-In User Service
One of the more common AAA protocols; centralizes authentication for users
Static Code Analyzer (SAST)
Static Application Security Testing analyzes code to help identify security flaws; produces false positives
Fuzzing (Dynamic Analysis)
Feed randomized input to applications to find vulnerabilities
CTA
Cyber Threat Alliance, an alliance of organizations which share information about cybersecurity threats
OSINT
Open Source Intelligence, contains a collection of known threats
Responsible Disclosure Program
Controlled release of information about vulnerabilities; bug bounties
CVSS
Common Vulnerability Scoring System, quantitative scoring of a vulnerability, used in the National Vulnerability Database
SIEM
Security Information and Event Manager, an application that consolidates security logs from across the network into one place
DLP
Data Loss Prevention
SNMP
Simple Network Management Protocol, polls devices for statistics at fixed intervals, can be set up for alerts called SNMP traps
Active Directory
A database of everything on the network, primarily Windows-based
FTP Port
20 TCP
Telnet Port
23
IMAP Port
143 TCP
SPF
Sender Policy Framework; the sender configures a list of all servers authorized to send emails for a domain
DKIM (Domain Keys Identified Mail)
A mail server digitally signs all outgoing mail; the signature is validated by the receiving mail servers
DMARC
Domain-based Message Authentication, Reporting and Conformance; an extension of SPF and DKIM where the domain owner decides what receiving email servers should do with emails that fail SPF and DKIM validation (accept all, send to spam, or reject); creates compliance reports sent to the email administrator
FIM (File Integrity Monitoring)
Monitor important files that should never change using hashes; in Windows it's SFC, in Linux it's Tripwire
Extended Detection and Response (XDR)
An evolution of EDR that improves on missed detections, false positives, etc. and adds network-based detection
IAM
Identity and Access Management, manages identities and authorization for different resources
LDAP (Lightweight Directory Access Protocol)
Protocol for reading and writing directories over an IP network
Security Assertion Markup Language (SAML)
Open standard for authentication and authorization
Access Control Types (List 5)
Mandatory (Based on levels of security clearance, confidential, secret, top secret, etc)
Discretionary (Based on data ownership, the creator of data decides who has access to it)
Role-Based Access Control (Different roles in the org have different levels of access)
Rule-Based Access Control (generic system-enforced rules for access)
Attribute-Based (Complex relationships between users and data, may be based on many different criteria)
MFA types (List 4)
Something you know
Something you have
Something you are
Somewhere you are
NIST SP800-61
National Institute of Standards and Technology, computer security incident handling guide
Incident Response Lifecycle
Preparation
Detection & Analysis
Containment, Eradication, & Recovery
Post-Incident Activity
Acceptable Use Policies (AUP)
Detailed documentation on the acceptable use of company assets, internet, telephone, etc.
ARO (Annualized Rate of Occurrence)
How likely is it that a certain disaster will happen over the course of a year
Exposure Factor (EF)
Percentage of an asset’s value that will be lost if an incident / threat materializes
SLE (Single Loss Expectancy)
What is the monetary loss if a single event occurs?
Exposure Factor x Asset Value
ALE (Annualized Loss Expectancy)
Annualized Rate of Occurrence x Single Loss Expectancy