4.1 - CompTIA Security+
Hardening targets
Mobile devices
Mobile device hardening: Implementing security measures on mobile devices, including configuring strong passwords, enabling encryption, ensuring regular software updates, and installing MDM software.
Workstations
Workstation hardening: Implementing security measures on workstations, such as configuring firewalls, using antivirus software, managing user access controls, and applying security patches regularly.
Switches/Routers/Servers
Switch/router/server hardening: Implementing security measures on network switches, routers, and servers, including changing default credentials and ensuring regular firmware updates.
Cloud infrastructure
Cloud infrastructure hardening: Ensuring security in cloud environments by utilizing strong access controls (least privilege), encrypting sensitive data, logging user activity, and regularly auditing configurations and compliance with security standards.
ICS/SCADA
ICS/SCADA hardening: Isolating control systems from the rest of the network and from the internet (air-gapped systems).
RTOS
RTOS hardening: Implementing secure coding practices, minimizing the attack surface by disabling unused features, and applying timely updates and patches to mitigate vulnerabilities.
IoT Devices
IoT Devices hardening: Ensuring strong authentication protocols, encrypting data in transit and at rest, regularly updating firmware, and employing network segmentation to limit exposure to threats.
Wireless devices
Installation configurations
Site surveys
Heat maps
Mobile solutions
Mobile device management (MDM)
Mobile device manager (MDM): Software used for managing devices owned by a company or that contain corporate data.
Deployment models
Bring your own device (BYOD)
Bring your own device (BYOD): A policy that allows employees to use their personal devices for work purposes, enabling greater flexibility and potentially increasing employee satisfaction. Security risks with data on personal devices include loss or theft, which can lead to unauthorized access to sensitive corporate information.
Corporate-owned, personally enabled (COPE)
Corporate-owned, personally enabled (COPE): A model where the organization provides devices to employees but allows them to personalize and customize those devices. This approach strikes a balance between maintaining company control over the hardware and giving employees the freedom to configure devices to better suit their work preferences.
Choose your own device (CYOD)
Choose your own device (CYOD): A model that allows employees to select a device from a predefined organization list - the device is corporate-owned, but users can choose what device they receive.
Connection methods
Cellular
Wi-Fi
Wi-Fi security: Ensure all network connections are encrypted and utilize strong passwords to prevent unauthorized access. Regularly update firmware and security settings to safeguard against vulnerabilities.
Bluetooth
Bluetooth security: Ensure all devices use a formal pairing process to establish secure connections, and avoid pairing with unverified devices.
Wireless security settings
Wi-Fi Protected Access 3 (WPA3)
Wi-Fi Protected Access 3 (WPA3): Wi-Fi standard/protocol designed to enhance security compared to WPA2. Includes improved encryption methods (GCMP), a more robust authentication process (SAE/Dragonfly handshake), and protections against brute-force attacks.
AAA/Remote Authentication Dial-In User Service (RADIUS)
AAA/RADIUS: A networking protocol that enables centralized authentication, authorization, and accounting for users who connect to a network, providing a more secure method for access control and user management.
Cryptographic protocols
Cryptographic protocols: These are protocols that provide secure communication through encryption, ensuring data integrity and confidentiality during transmission. Examples include GCMP for WPA3.
Authentication protocols
Authentication protocols: These protocols verify the identity of users or systems before granting access or privileges, enhancing the security of the network. Examples include RADIUS and Kerberos.
Authentication (AAA server): The process of verifying that an entity/system is who they claim to be (e.g., through a username/password).
Application security
Application security:
Input validation
Input validation: Analysis of user input to see if it matches what’s expected by the application - this prevents injection vulnerabilities.
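An allow-list validator along the lines of the definition above, as an added example that is not part of the CompTIA material; the field rules and sample inputs are constructed for the demonstration.

```javascript
// Each field declares what the application expects; anything else is rejected
// rather than "cleaned", which is what blocks injection-style input.
const RULES = {
  username: { type: "string", pattern: /^[a-z0-9_]{3,20}$/ },
  email:    { type: "string", pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, maxLength: 254 },
  quantity: { type: "number", min: 1, max: 100, integer: true },
};

// Returns { ok: boolean, errors: string[] } for one input object.
function validate(input, rules = RULES) {
  const errors = [];
  for (const [field, rule] of Object.entries(rules)) {
    const value = input[field];
    if (value === undefined || value === null) {
      errors.push(`${field}: missing`);
      continue;
    }
    if (typeof value !== rule.type) {
      errors.push(`${field}: expected ${rule.type}`);
      continue;
    }
    if (rule.type === "string") {
      if (rule.maxLength !== undefined && value.length > rule.maxLength) errors.push(`${field}: too long`);
      if (rule.pattern && !rule.pattern.test(value)) errors.push(`${field}: unexpected characters`);
    } else if (rule.type === "number") {
      if (!Number.isFinite(value)) errors.push(`${field}: not a finite number`);
      else {
        if (rule.integer && !Number.isInteger(value)) errors.push(`${field}: not an integer`);
        if (rule.min !== undefined && value < rule.min) errors.push(`${field}: below ${rule.min}`);
        if (rule.max !== undefined && value > rule.max) errors.push(`${field}: above ${rule.max}`);
      }
    }
  }
  // Unknown fields are rejected too: a request should carry only what the app expects.
  for (const field of Object.keys(input)) {
    if (!(field in rules)) errors.push(`${field}: unexpected field`);
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample inputs: one well-formed, one carrying characters the app never expects.
const good = { username: "alice_01", email: "alice@example.com", quantity: 3 };
const bad  = { username: "alice' --", email: "<script>", quantity: "3; extra" };
console.log(validate(good));
console.log(validate(bad));
```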
Secure cookies
Secure cookies: Utilizing the HttpOnly and Secure attributes to protect cookies from being accessed by client-side scripts and to ensure they are transmitted only over secure channels.
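A small audit of a Set-Cookie header for the attributes just described, added here as an example and not taken from the CompTIA material; the header strings are constructed samples and the SameSite check goes slightly beyond the note.

```javascript
// Parse one Set-Cookie header value and report which protective attributes are absent.
function auditSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const [name] = parts[0].split("=");
  const attrs = new Map(); // attribute names are case-insensitive
  for (const p of parts.slice(1)) {
    const [k, v = ""] = p.split("=");
    attrs.set(k.trim().toLowerCase(), v.trim());
  }
  const findings = [];
  if (!attrs.has("secure")) findings.push("missing Secure: cookie may be sent over plain HTTP");
  if (!attrs.has("httponly")) findings.push("missing HttpOnly: readable by client-side scripts");
  const sameSite = (attrs.get("samesite") || "").toLowerCase();
  if (!sameSite) findings.push("missing SameSite: cross-site behaviour depends on browser defaults");
  else if (sameSite === "none" && !attrs.has("secure")) findings.push("SameSite=None requires Secure");
  return { name, secure: attrs.has("secure"), httpOnly: attrs.has("httponly"), sameSite, findings };
}

// Constructed sample headers: a weak cookie and the hardened form of the same cookie.
const WEAK = "session=abc123; Path=/";
const HARDENED = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict";
console.log(auditSetCookie(WEAK).findings);     // three findings
console.log(auditSetCookie(HARDENED).findings); // []
```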
Static code analysis
Static code analysis: A method used to examine source code for security vulnerabilities and coding errors without executing the program, allowing developers to identify potential issues early in the development process.
Code signing
Code signing: A developer digitally signs the software with a cryptographic key to verify the authenticity and integrity of the code, ensuring that it has not been altered or compromised since it was signed.
Sandboxing
Sandboxing: A security mechanism used to run untested or untrusted code in a restricted environment, preventing it from affecting the rest of the system or accessing sensitive data.
Monitoring
Monitoring: Building surveillance systems to track unauthorized activity in applications, networks, and user behavior, to ensure that security breaches/anomalies are found and addressed.