CompTIA Security+ Notes

Security Tools

  • Categories:
    • Technical:
      • Controls implemented using systems
      • Operating system controls
      • Firewalls, anti-virus
    • Managerial:
      • Administrative controls associated w/ security design and implementation
      • Security policies, standard operating procedures
    • Operational:
      • Controls implemented by PEOPLE instead of systems
      • Security guards, awareness programs
    • Physical:
      • Limited physical access
      • Guard shack, fences, locks, badge readers
  • Control Types:
    • Preventive:
      • Block access to a resource
      • You shall NOT pass
      • Prevent access by: firewall rules, following security policies, guard shack checks all identifications, enable door locks
    • Deterrent:
      • Discourage an intrusion attempt
      • Doesn’t directly prevent access
      • Make an attacker think twice: application splash screens, threat of demotion, front desk receptionist, warning signs
    • Detective:
      • Identify and log an intrusion attempt
      • May not prevent access
      • Find the issue: collect & review system logs, review reports, patrol, enable detectors
    • Corrective:
      • Apply a control after an event detected
      • Reverse the impact of an event
      • Continuing operation w/ minimal downtime
      • Correct the problem: restore from backups, create policies for reporting security issues, contact law enforcement
    • Compensating:
      • Control using other means
      • Existing controls aren’t sufficient
      • Temporary
      • Prevent exploitation of weakness: firewall blocks a specific application, separation of duties
    • Directive:
      • Direct a subject towards security compliance
      • A relatively weak security control

CIA Triad

  • Basic fundamentals of security
  • Confidentiality: prevent disclosure of info to unauthorized persons or systems
    • Encryption: encoding messages so only certain people can read it
    • Access Control: limit access to certain info/resources
    • Two factor authentication: additional confirmation before info is disclosed
  • Integrity: messages cannot be modified w/o detection
    • Hashing: map data of an arbitrary length to data of fixed length (the sender provides the hash so you can confirm the file matches before trusting it)
    • Digital Signature: math scheme to ensure integrity of data
    • Certificates: combine w/ a digital signature to verify an individual
    • Non-repudiation: provides proof of integrity, verifies that it came from the original party
  • Availability: up and running at all times
    • Redundancy: systems that are ALWAYS available
    • Fault Tolerance: continue to run even when a failure occurs
    • Patching: stability, closing security holes that may appear

Non-Repudiation

  • No taking it back
  • Proof of Integrity: verify data doesn’t change (accurate & consistent)
    • In cryptography, we use hashing:
      • Short string of text we can create based on the plaintext
        • If data changes, the hash CHANGES
        • Doesn’t associate data w/ an individual
  • Proof of Origin:
    • Prove the message wasn’t changed: Integrity
    • Prove the source of the message: Authentication
    • Make sure the signature isn’t fake: Non-repudiation
    • Sign w/ private key: Nobody else can sign this
    • Verify w/ public key: Any change to the message invalidates signature
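
The integrity and proof-of-origin points above (hash changes when data changes; sign with the private key, verify with the public key, any change invalidates the signature) as an added, runnable example. This is not code from the notes or from CompTIA; it uses Go's standard-library SHA-256 and Ed25519, and the message text and the party names (alice, mallory) are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint returns the hex SHA-256 digest of data. This is integrity only:
// the digest detects any change but says nothing about who produced the data.
func Fingerprint(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Signer holds one party's key pair. The private key never leaves this struct;
// only the public key is handed to verifiers.
type Signer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewSigner generates a fresh Ed25519 key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, pub: pub}, nil
}

// Public returns the key that can be shared with anyone who needs to verify.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Sign produces a signature over msg with the private key: nobody without
// that key can produce a signature that verifies under the matching public key.
func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.priv, msg)
}

// Verify checks a signature with a public key. It returns false when the
// message was altered or when the signature was made with a different key.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	msg := []byte("Transfer 100 to account 42")      // constructed sample message
	tampered := []byte("Transfer 900 to account 42") // one digit changed

	// Integrity via hashing: the digest changes with the data.
	fmt.Println("hash equal after tamper:", Fingerprint(msg) == Fingerprint(tampered))

	alice, err := NewSigner()
	if err != nil {
		panic(err)
	}
	mallory, _ := NewSigner()

	sig := alice.Sign(msg)
	fmt.Println("valid, original message:", Verify(alice.Public(), msg, sig))
	fmt.Println("valid, tampered message:", Verify(alice.Public(), tampered, sig))
	fmt.Println("valid, wrong public key:", Verify(mallory.Public(), msg, sig))
}
```

The hash alone detects modification but cannot say who wrote the message; the signature binds the message to the holder of alice's private key, which is what gives the non-repudiation claim its teeth.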

Authentication, Authorization, Accounting

  • Authentication: prove you are who you say you are
  • Authorization: what access do you have
  • Accounting: log all that has happened – login time, data sent & received, logout time
  • Authenticating Systems:
    • You have to manage many devices – often devices that you’ll never see
    • Authenticating devices – digitally signed certificates on devices
      • Access to VPN from authorized devices
      • Management software can validate the end device
    • Certificate Authority (CA): device or software that’s responsible for managing all certificates in the environment
      • The organization creates a certificate for a device (digitally signed by the org’s CA)
      • Certificate can now be used as an authentication factor
  • Authorization Models:
    • Users & Services -> Data & Applications
    • Put an authorization model in the middle
      • Defined by roles, organizations, attributes, etc.
  • Using Authorization Model:
    • Add an abstraction:
      • Reduces complexity
      • Clear relationship between user & the resource
    • Administration is streamlined
      • Easy to understand the authorizations
      • Support any number of users or resources
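
The device-authentication flow above (an organization's CA signs a certificate for a device, and management software or a VPN gateway validates that device against the CA) as an added example. This is not code from the notes; it is built on Go's standard-library crypto/x509, uses P-256 keys, and the CA and device names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// randomSerial returns a fresh serial number so every certificate is distinct.
func randomSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
}

// NewCA creates the organization's self-signed certificate authority.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	// Self-signed: the template is also the parent, and the CA key signs it.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueDeviceCert has the CA sign a client-authentication certificate for one
// managed device. The device keeps its private key and presents the certificate.
func IssueDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := randomSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ValidateDevice is the check a VPN gateway or management server performs: the
// presented certificate must chain to the org's CA and be valid for client auth.
func ValidateDevice(orgCA, device *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(orgCA)
	_, err := device.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	orgCA, orgKey, err := NewCA("Example Org Device CA") // constructed name
	if err != nil {
		panic(err)
	}
	rogueCA, rogueKey, _ := NewCA("Not Our CA")

	managed, _, _ := IssueDeviceCert(orgCA, orgKey, "laptop-0042")
	unknown, _, _ := IssueDeviceCert(rogueCA, rogueKey, "laptop-0042")

	fmt.Println("managed device accepted:", ValidateDevice(orgCA, managed) == nil)
	fmt.Println("rogue-issued cert accepted:", ValidateDevice(orgCA, unknown) == nil)
}
```

The second device certificate carries the same name as the first but was signed by a CA the organization does not trust, so the chain check rejects it: the certificate is an authentication factor only because of who signed it, not because of what it says about itself.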

Gap Analysis

  • Where we are and where we want to be
  • Can take an extensive amount of time due to many participants and technical research
  • Evaluate people and processes:
    • Get a baseline of employees:
      • Formal experience, current training, knowledge of policies and procedures
    • Examine current processes
      • Research existing IT systems
      • Evaluate existing security policies
  • Compare and Contrast
    • The comparison
      • Evaluate existing systems
    • Identify weaknesses
      • Along with the most effective processes
    • A detailed analysis
      • Examine the broad security categories and break down into smaller segments
    • The Analysis and Report
      • The final comparison
        • Detailed baseline objectives
        • Clear view of the current state
      • Need path to get from current state to goal
        • Includes time, money, and lots of change control
      • Time to create a gap analysis report
        • A formal description of the current state
        • Recommendations for meeting the baseline

Zero Trust

  • Covers every device, process, person (multiple authentications)
  • NOTHING is trusted
  • Planes of Operation:
    • Split the network into functional planes
      • Applies to physical, virtual, and cloud components
  • Data Plane:
    • Process the frames, packets, and network data
    • Processing, forwarding, trunking, encrypting
  • Control Plane:
    • Manages the actions of the data plane
    • Defines policy and rules
    • Determines how packets should be forwarded
    • Routing tables, session tables, NAT tables
  • Controlling Trust:
    • Adaptive identity:
      • Consider the source and the requested resources
      • Multiple risk indicators – relationship to org., physical location, type of connection, IP Address, etc.
      • Make the authentication stronger, if needed
    • Threat Scope Reduction:
      • Decrease the number of possible entry points
    • Policy-driven access control:
      • Combine the adaptive identity w/ a predefined set of rules
  • Security zones:
    • More than a 1 to 1 relationship
    • Broad categorizations provide a security related foundation
  • Where are you coming from and where are you going:
    • Trusted, untrusted
    • Internal network, external network
    • VPN 1, VPN 5, VPN 11
    • Marketing, IT, Accounting, Human Resources
  • Using the zones may be enough by itself to deny access
    • ex.) untrusted to trusted zone traffic
  • Some zones are implicitly trusted:
    • ex.) trusted to internal zone traffic
  • Policy enforcement point:
    • Subjects and systems:
      • End users, applications, non-human entities
    • The gatekeeper
    • Allow, monitor, and terminate connections
      • Can consist of multiple components working together
  • Applying trust in the planes:
    • Policy Decision Point:
      • There’s a process for making an authentication decision
    • Policy Engine:
      • Evaluates each access decision based on policy and other info sources
      • Grant, deny, or revoke
    • Policy Administrator:
      • Communicates w/ the Policy Enforcement Point
      • Generates access tokens or credentials
      • Tells the PEP to allow or disallow access
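
An added example tying the Zero Trust pieces in this section together: security zones that can deny on their own (untrusted to trusted), policy-driven access control that puts a role-based authorization model between subjects and resources, adaptive identity that turns risk indicators into a step-up requirement, a Policy Engine that returns grant, deny or step-up, a Policy Administrator that issues the credential, and a Policy Enforcement Point that only opens the connection on a grant. This is not code from the notes or from any product; the zone names, roles, resources, risk weights and threshold are all constructed for the demonstration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Zone is a security zone; the names are constructed for this example.
type Zone string

const (
	Untrusted Zone = "untrusted"
	Internal  Zone = "internal"
	Trusted   Zone = "trusted"
)

// Request is what the Policy Enforcement Point hands to the Policy Decision Point.
type Request struct {
	Subject    string
	Role       string
	From, To   Zone
	DeviceCert bool // device presented an organization-issued certificate
	MFA        bool // a second factor was completed in this session
	Resource   string
}

// Decision is the Policy Engine's answer.
type Decision int

const (
	Deny   Decision = iota
	Grant
	StepUp // adaptive identity: come back with stronger authentication
)

func (d Decision) String() string {
	return []string{"deny", "grant", "step-up"}[d]
}

// Constructed policy: the authorization model in the middle, mapping each
// resource to the roles allowed to reach it.
var resourceRoles = map[string][]string{
	"payroll-db": {"accounting"},
	"wiki":       {"accounting", "marketing", "it"},
}

// riskScore combines the risk indicators from the notes into one number
// (weights are constructed).
func riskScore(r Request) int {
	score := 0
	if r.From == Untrusted {
		score += 2 // type of connection / location
	}
	if !r.DeviceCert {
		score += 1 // unmanaged device
	}
	if r.Resource == "payroll-db" {
		score += 1 // sensitive resource requested
	}
	return score
}

// Evaluate is the Policy Engine: every request is evaluated, nothing is trusted
// by default, and the answer is grant, deny or step-up.
func Evaluate(r Request) (Decision, string) {
	// Security zones alone can be enough to deny.
	if r.From == Untrusted && r.To == Trusted {
		return Deny, "untrusted to trusted traffic is never allowed"
	}
	// Policy-driven access control: the role must be permitted on the resource.
	allowed := false
	for _, role := range resourceRoles[r.Resource] {
		if role == r.Role {
			allowed = true
			break
		}
	}
	if !allowed {
		return Deny, "role " + r.Role + " is not permitted on " + r.Resource
	}
	// Adaptive identity: risky requests need stronger authentication first.
	if riskScore(r) >= 2 && !r.MFA {
		return StepUp, "risk indicators require a second factor"
	}
	return Grant, "policy satisfied"
}

// issueToken plays the Policy Administrator: on a grant it mints the credential
// the PEP will honour (an opaque random token here).
func issueToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Enforce is the Policy Enforcement Point: it opens the connection only when the
// decision is grant, passing along the token the Policy Administrator issued.
func Enforce(r Request) (token string, d Decision, reason string) {
	d, reason = Evaluate(r)
	if d == Grant {
		token = issueToken()
	}
	return token, d, reason
}

func main() {
	reqs := []Request{
		{"alice", "accounting", Internal, Internal, true, false, "payroll-db"},  // low risk -> grant
		{"alice", "accounting", Untrusted, Internal, true, false, "payroll-db"}, // risky, no MFA -> step-up
		{"alice", "accounting", Untrusted, Internal, true, true, "payroll-db"},  // MFA done -> grant
		{"bob", "marketing", Internal, Internal, true, true, "payroll-db"},      // wrong role -> deny
		{"bob", "marketing", Untrusted, Trusted, true, true, "wiki"},            // zone rule -> deny
	}
	for _, r := range reqs {
		tok, d, why := Enforce(r)
		fmt.Printf("%-6s %-10s %-9s -> %-8s %-7s %s (token issued: %v)\n",
			r.Subject, r.Role, r.From, r.To, d, why, tok != "")
	}
}
```

Note the ordering inside Evaluate: the zone rule runs first so that a forbidden transition is denied before any role or risk logic sees it, and the role check runs before the risk check so that a subject who could never reach the resource is not offered a step-up that would succeed for nothing.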