CompTIA Security+ Notes

Public Key Infrastructure

• Public Key Infrastructure (PKI)
  • System of hardware, software, policies, procedures, and people based on asymmetric encryption.
  • PKI uses public key cryptography.

Digital Certificates

• Digital Certificates
  • Digitally-signed electronic documents that bind a public key with a user’s identity.
• X.509
  • Standard used by PKI for digital certificates.
• Wildcard Certificates
  • Allow all subdomains to use the same public key certificate.
• Subject Alternative Name (SAN)
  • Allows a certificate owner to specify additional domains and IP addresses to be supported.
• Single-sided certificates only require the server to be validated.
• Dual-sided certificates require both the server and the user to be validated.
• X.690 uses BER, CER, and DER for encoding.
• Basic Encoding Rules (BER)
  • Original ruleset governing the encoding of data structures for certificates.
• Canonical Encoding Rules (CER)
  • A restricted version of the BER that only allows the use of only one encoding type.
• Distinguished Encoding Rules (DER)
  • Restricted version of the BER which allows one encoding type and has more restrictive rules.
• PEM, CER, CRT, KEY, P12, PFX, P7B are file types associated with PKI.
  • Privacy-enhanced Electronic Mail (.pem, .cer, .crt, .key)
  • Public Key Cryptographic System #12 (PKCS#12) (.p12)
  • Personal Information Exchange (.pfx)
  • Public Key Cryptographic Systems #7 (PKCS#7) (.p7b)

Certificate Authorities

• Registration Authority
  • Verifies user information before a certificate authority issues the certificate.
• Certificate Authority
  • Issues certificates to users.
• Certificate Revocation List (CRL)
  • Online list of revoked digital certificates.
• Online Certificate Status Protocol (OCSP)
  • Determines the revocation status of a digital certificate using its serial number.
• OCSP Stapling
  • Certificate holder gets the OCSP record from the server and includes it in the SSL/TLS handshake.
• Public Key Pinning
  • HTTPS website resists impersonation attacks by presenting trusted public keys to the user’s web browser.
• Key Escrow
  • Secure copy of a user’s private key is held in case the user loses their key.
• Key Recovery Agent
  • Software that allows the restoration of a lost or corrupted key.
• Compromised CA certificates must be revoked.

Web of Trust

• Web of Trust
  • Decentralized trust model addressing public key authentication issues in a CA-based PKI system.
  • Peer-to-peer model.
  • Certificates are self-signed.
  • Pretty Good Privacy (PGP) is a web of trust.

Security Protocols

• Security Protocols Include:
  • Emails
  • Websites
  • Remote control
  • Remote access
• S/MIME
  • Secure/Multipurpose Internet Mail Extensions (S/MIME)
  • Provides cryptographic security for electronic messaging.
  • S/MIME features include Authentication, Integrity, and Non-repudiation.
  • S/MIME can encrypt emails and their contents including malware.
• SSL and TLS
  • Secure Socket Layer (SSL) and Transport Layer Security (TLS)
  • Provide secure Internet communications.
  • Downgrade Attack: Protocol tricked into using a lower quality version.
• SSH
  • Secure Shell (SSH)
  • Creates a secure channel between two computers or network devices for remote control.
  • Requires a server (daemon) and a client.
  • SSH 2.0 uses Diffie-Hellman key exchange and MACs.

VPN Protocols

• Virtual Private Networks
  • A secure connection between two or more computers or devices that are not on the same private network
• Point-to-Point Tunneling Protocol (PPTP)
  • Encapsulates PPP packets and sends data as encrypted traffic.
  • Vulnerable to attacks due to CHAP-based authentication.
• Layer 2 Tunneling Protocol (L2TP)
  • Paired with IPSec for security.
• IPSec
  • Authenticates and encrypts IP packets, securing communications.
  • Provides confidentiality, integrity, and authentication.
• Internet Key Exchange (IKE)
  • Method used by IPSec to create a secure tunnel.
  • Includes Main, Aggressive, and Quick modes.
• Security Association (SA)
  • Establishment of secure connections and shared security information using certificates or cryptographic keys.
• Authentication Header (AH)
  • IPSec protocol providing integrity and authentication.
• Encapsulating Security Payload (ESP)
  • Provides integrity, confidentiality, and authenticity of packets by encapsulating and encrypting them.
  • Transport Mode: Encryption of payload only.
  • Tunnel Mode: Encryption of entire IP packet.

Planning for the Worst

• Redundancy
  • Ensures fault-tolerance to continue operations.
• Single Point of Failure
  • Element that causes system failure if it fails.
• Redundant Power
  • Redundant Power Supply: Mitigates a single point of failure.
• Power Issues
  • Surge: Unexpected voltage increase.
  • Spike: Short transient in voltage.
  • Sag: Unexpected voltage decrease.
  • Brownout: Low voltage causing lights to dim.
  • Blackout: Total loss of power.
• Backup Power
  • Uninterruptible Power Supply (UPS): Surge protector with battery backup.
  • Backup Generator: Emergency power system.

Data Redundancy

• Redundant Array of Independent Disks (RAID)
  • Combines multiple physical hard disks into a single logical hard disk drive.
  • RAID 0: Data striping for performance.
  • RAID 1: Data mirroring for redundancy.
  • RAID 5: Data and parity striping for redundancy.
  • RAID 6: Data and double parity striping for redundancy.
  • RAID 10: Striped RAID of two mirrored RAIDs (RAID 1 & RAID 0).
  • Fault-resistant RAID: Protects against single disk failure (RAID 1 or RAID 5).
  • Fault-tolerant RAID: Protects against single component failure (RAID 1, RAID 5, RAID 6).
  • Disaster-tolerant RAID: Provides two independent zones with full data access (RAID 10).
  • RAIDs provide redundancy and high-availability.

Network Redundancy

• Ensures the network remains up.
• Implementation through Redundant Internet connections.

Server Redundancy

• Cluster
  • Two or more servers working together to perform a job function
  • Failover Cluster: Secondary server takes over when the primary fails.
  • Load-balancing Cluster: Servers share resources.

Redundant Sites

• Hot Site
  • Near duplicate of the original site that can be up and running within minutes
• Warm Site
  • Has computers, phones, and servers but might need configuration
• Cold Site
  • Has basic infrastructure like tables, chairs, and cabling

Data Backup

• Crucial for disaster recovery.
• Full Backup: Backs up all contents of a drive.
• Incremental Backup: Backs up contents changed since the last full or incremental backup.
• Differential Backup: Backs up contents changed since the last full backup.
• Tape Rotation
  • 10 Tape Rotation: Each tape used once per day for two weeks, then reused.
  • Grandfather-Father-Son: Three sets of tapes (daily, weekly, monthly).
  • Towers of Hanoi: Complex rotation system with three sets of tapes.
• Snapshot Backup
  • Captures the entire operating system image, including applications and data.
  • Commonly used with virtualized systems.

Disaster Recovery Planning

• In-depth plan for problems affecting data access or the organization’s building.
• Includes written Disaster Recovery Plan (DRP) with:
  • Contact Information
  • Impact Determination
  • Recovery Plan
  • Business Continuity Plan (BCP)
  • Copies of Agreements
  • Disaster Recovery Exercises
  • List of Critical Systems and Data

Social Engineering

• Manipulates users into revealing confidential information.
• Insider Threat
  • A person who works for or with your organization but has ulterior motives
  • Employees who steal your information.
  • Data Loss Prevention systems can be used to help identify insider threats
• Phishing
  • Fraudulently obtaining information from a user, usually by email.
  • Smishing: Phishing via text messaging (SMS).
  • Vishing: Phishing via voice and phone calls.
  • Pharming: Tricking a user to access a fake website.
• Diversion Theft
  • Thief diverts a shipment to a nearby location.
• Hoax
  • Deceiving people into believing something false is true or vice versa.
• Shoulder Surfing
  • Obtaining authentication information through direct observation.
• Eavesdropping
  • Listening in on a conversation.
• Dumpster Diving
  • Scavenging for private information in garbage containers.
• Baiting
  • Leaving malware-infected removable media in plain view.
• Piggybacking
  • Unauthorized person gaining entry with an authorized person.
• Watering Hole Attack
  • Attacker places malware where users frequently go.

User Education

• Never share authentication information.
• Clean Desk Policy
  • Policy where all employees must put away everything from their desk at the end of the day into locked drawers and cabinets
• Train users how to encrypt emails and data.
• Follow organizational data handling and disposal policies.

Policies and Procedures

• Governance provides a comprehensive security management framework.
• Policies
  • Defines the role of security in an organization and establishes the desired end state of the security program
• Organizational Policies
  • Provide general direction and goals, a framework to meet the business goals, and define the roles, responsibilities, and terms
• System-Specific Policies
  • Address the security needs of a specific technology, application, network, or computer system
• Issue-Specific Policies
  • Built to address a specific security issue, such as email privacy, employee termination procedures, or other specific issues
• Standards implement policies.
• Baseline
  • Created as reference points which are documented for use as a method of comparison during an analysis conducted in the future
• Guidelines recommend actions.
• Procedures
  • Detailed step-by-step instructions to ensure personnel can perform an action.
  • Policies are generic, procedures are specific.

Data Classifications

• Data Classification
  • Category based on the value to the organization and the sensitivity of the information if it were to be disclosed
• Sensitive Data
  • Any information that can result in a loss of security, or loss of advantage to a company, if accessed by unauthorized persons
• Commercial Classifications
  • Public Data: No impact if released.
  • Private Data: Only used within the organization.
  • Confidential Data: Highest level; affects the business if disclosed.
• Government Classifications
  • Unclassified Data: Can be released to the public.
  • Sensitive but Unclassified: Could impact individuals if released.
  • Confidential Data: Seriously affects the government if disclosed.
  • Secret Data: Seriously damages national security if disclosed.
  • Top Secret Data: Gravely damages national security if disclosed.
• Data should not be stored forever.

PII and PHI

• Responsibility to protect collected data.
• Personal Identifiable Information (PII)
  • Data that can identify a single person such as:
    • Full Name
    • Driver’s License
    • Date/Place of Birth
    • Biometric Data
    • Financial Account Numbers
    • Email/Social Media Usernames
• Privacy Act of 1974
  • Affects U.S. government computer systems that collects, stores, uses, or disseminates personally identifiable information
• Health Insurance Portability and Accountability Act (HIPAA)
  • Affects healthcare providers, facilities, insurance companies, and medical data clearing houses
• Sarbanes-Oxley (SOX)
  • Affects publicly-traded U.S. corporations and requires certain accounting methods and financial reporting requirements
• Gramm-Leach-Bliley Act (GLBA)
  • Affects banks, mortgage companies, loan offices, insurance companies, investment companies, and credit card providers
• Federal Information Security Management (FISMA) Act of 2002
  • Requires each agency to develop, document, and implement an agency- wide information systems security program to protect their data
• Payment Card Industry Data Security Standard (PCI DSS) is a contractual obligation
• Help America Vote Act (HAVA) of 2002
  • Provides regulations that govern the security, confidentiality, and integrity of the personal information collected, stored, or processed during the election and voting process
• SB 1386 requires any business that stores personal data to disclose a breach
• Privacy policies govern data labeling and handling.
• Acceptable Use Policy
  • Defines rules for using a computer, network, or systems.
• Change Management Policy
  • Defines the structured way of changing the state of a computer system, network, or IT procedure
• Separation of Duties
  • A preventative type of administrative control
• Job Rotation
  • Different users are trained to perform the tasks of the same position to help prevent and identify fraud that could occur if only one employee had the job
• Onboarding and Offboarding Policy
  • Dictates what needs to be done when an employee is hired, fired, or quits.
  • Terminated employees are often not cooperative.
• Due Diligence
  • Ensuring that IT infrastructure risks are known and managed properly.
• Due Care
  • Mitigation actions against uncovered risks.
• Due Process
  • How an organization must respect and safeguard personnel’s rights.

User Education

• Security Awareness Training
  • Reinforces the importance of user help in securing valuable resources.
• Security Training
  • Teaches personnel skills for secure job performance.
  • Security education is generalized training (like Security+).
  • Specialized training may be developed too.

Vendor Relationships

• Non-Disclosure Agreement (NDA)
  • Defines confidential data that cannot be shared.
• Memorandum of Understanding (MOU)
  • Non-binding agreement detailing a common line of action.
• Service-Level Agreement (SLA)
  • Ability to support and respond to problems within a given timeframe and continuing to provide the agreed upon level of service to the user
  • SLA may promise 99.999% uptime
• Interconnection Security Agreement (ISA)
  • Documents technical requirements each organization must meet.
• Business Partnership Agreement (BPA)
  • Establishes conditions of relationship, including security requirements.

Disposal Policies

• Asset disposal occurs when a system is no longer needed.
• Degaussing
  • Wipes data by exposing the hard drive to a powerful magnetic field.
• Purging (Sanitizing)
  • Removes data so it cannot be reconstructed using any known forensic techniques
• Clearing
  • Assurance that data cannot be reconstructed
• Process Steps:
  • 1. Define equipment for disposal.
  • 2. Determine storage location.
  • 3. Analyze equipment for disposal method (reuse, resell, destruction).
  • 4. Sanitize device and remove data.
  • 5. Dispose, recycle, or resell.

Incident Response Procedures

• Systems will never be 100% secure.
• Incident Response
  • Procedures followed when examining a security incident.
• Incident Management Program
  • Monitoring, detection, and response to security events.
  • Preparation
  • Identification: Determine if an event is classified as an incident.
  • Containment: Isolating the incident.
  • Eradication
  • Recovery: Data restoration, system repair, and re-enabling.
  • Lessons Learned

Data Collection Procedures

• Create a forensic disk image of the data as evidence
  • Capture and hash system images
  • Analyze data with tools
  • Capture screenshots
  • Review network traffic and logs
  • Capture video
  • Consider Order of Volatility
  • Take statements
  • Review licensing and documentation
  • Track man-hours and expenses
• FTK and EnCase are popular forensic tools

IT Security Frameworks

• Sherwood Applied Business Security Architecture (SABSA) is a risk-driven architecture
• Control Objectives for Information and Related Technology (COBIT)
  • Divides IT into four domains: Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate
• NIST SP 800-53 is a security control framework developed by the Dept. of Commerce
• ISO 27000
• ITIL is the de facto standard for IT service management

Exam Tricks

1. Use a Cheat Sheet
2. Skip the Simulations
3. Take a Guess
4. Pick the Best Time
5. Be Confident