Professor Messer’s

CompTIA Security+
1.1 - Security Controls (continued)
Managing security controls • There are multiple security controls for each category and type
• These are not inclusive lists – Some security controls may exist in multiple types or categories

SY0-701 Course Notes https://www.ProfessorMesser.com

– There are many categories of control
– Some organizations will combine types
– New security controls are created as systems and processes evolve
– Your organization may use very different controls
1.1 - Security Controls
Security controls Detective control types
• Security risks are out there • Detective
– Many different categories and types to consider – Identify and log an intrusion attempt
• Assets are also varied – May not prevent access
– Data, physical property, computer systems • Find the issue
• Prevent security events, minimize the impact, – Collect and review system logs
and limit the damage – Review login reports
– Security controls – Regularly patrol the property
– Enable motion detectors
Control categories
• Technical controls Corrective control types
– Controls implemented using systems • Corrective
– Operating system controls – Apply a control after an event has been detected
– Firewalls, anti-virus – Reverse the impact of an event
• Managerial controls – Continue operating with minimal downtime
– Administrative controls associated with security design • Correct the problem
and implementation – Restoring from backups can mitigate a ransomware
– Security policies, standard operating procedures infection 1.2 - The CIA Triad
• Operational controls – Create policies for reporting security issues
The CIA Triad Integrity
– Controls implemented by people instead of systems – Contact law enforcement to manage criminal activity
• Combination of principles • Data is stored and transferred as intended
– Security guards, awareness programs – Use a fire extinguisher
– The fundamentals of security – Any modification to the data would be identified
• Physical controls Compensating control types – Sometimes referenced as the AIC Triad • Hashing
– Limit physical access • Compensating • Confidentiality – Map data of an arbitrary length to data of a fixed length
– Guard shack – Control using other means – Prevent disclosure of information to • Digital signatures
– Fences, locks – Existing controls aren’t sufficient unauthorized individuals or systems – Mathematical scheme to verify the integrity of data
– Badge readers – May be temporary
• Integrity • Certificates
Preventive control types • Prevent the exploitation of a weakness – Messages can’t be modified without detection – Combine with a digital signature to verify an individual
• Preventive – Firewall blocks a specific application instead of
• Availability • Non-repudiation
– Block access to a resource patching the app
– Systems and networks must be up and running – Provides proof of integrity, can be asserted to be genuine
– You shall not pass – Implement a separation of duties
– Require simultaneous guard duties Confidentiality Availability
• Prevent access • Certain information should only be known
– Generator used after power outage • Information is accessible to authorized users
– Firewall rules to certain people
Directive control types – Always at your fingertips
– Follow security policy – Prevent unauthorized information disclosure
– Guard shack checks all identification • Directive • Redundancy
– Direct a subject towards security compliance • Encryption – Build services that will always be available
– Enable door locks
– A relatively weak security control – Encode messages so only certain people • Fault tolerance
Deterrent control types can read it
• Do this, please – System will continue to run, even when a failure occurs
• Deterrent • Access controls
– Discourage an intrusion attempt – Store all sensitive files in a protected folder • Patching
– Create compliance policies and procedures – Selectively restrict access to a resource
– Does not directly prevent access – Stability
– Train users on proper security policy • Two-factor authentication – Close security holes
• Make an attacker think twice – Additional confirmation before information
– Post a sign for “Authorized Personnel Only”
– Application splash screens is disclosed
– Threat of demotion
– Front reception desk
– Posted warning signs

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 1 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 2 https://ProfessorMesser.com
 1.2 - Non-repudiation 1.2 - Authentication, Authorization, and Accounting
Non-repudiation Hashing the encyclopedia AAA framework Authenticating systems
• You can’t deny what you’ve said • Gutenberg Encyclopedia, Vol 1, • Identification • You have to manage many devices
– There’s no taking it back by Project Gutenberg (8.1 megabytes) – This is who you claim to be – Often devices that you’ll never physically see
• Sign a contract • Change one character somewhere in the file – Usually your username • A system can’t type a password
– Your signature adds non-repudiation – The hash changes • Authentication – And you may not want to store one
– You really did sign the contract • If the hash is different, something has changed – Prove you are who you say you are • How can you truly authenticate a device?
– Others can see your signature – The data integrity has been compromised – Password and other authentication factors – Put a digitally signed certificate on the device
• Adds a different perspective for cryptography Proof of origin • Authorization • Other business processes rely on the certificate
– Proof of integrity • Prove the message was not changed – Based on your identification and authentication, – Access to the VPN from authorized devices
– Proof of origin, with high assurance of authenticity – Integrity what access do you have? – Management software can validate the end device
Proof of integrity • Prove the source of the message • Accounting Certificate authentication
• Verify data does not change – Authentication – Resources used: Login time, data sent and • An organization has a trusted Certificate Authority (CA)
– The data remains accurate and consistent • Make sure the signature isn’t fake received, logout time – Most organizations maintain their own CAs
• In cryptography, we use a hash – Non-repudiation • The organization creates a certificate for a device
– Represent data as a short string of text • Sign with the private key – And digitally signs the certificate with the organization’s CA
– A message digest, a fingerprint – The message doesn’t need to be encrypted • The certificate can now be included on a device as an
• If the data changes, the hash changes – Nobody else can sign this (obviously) authentication factor
– If the person changes, you get a different fingerprint • Verify with the public key – The CA’s digital signature is used to validate the certificate
• Doesn’t necessarily associate data with an individual – Any change to the message will invalidate the signature
– Only tells you if the data has changed Using an Authorization Model

Creating a Digital Signature

You’re 3 1 Alice creates a hash

of the original plaintext
2
sBcBAEBCAA

1
QBQJZzBIbCR
hired, AW8ZAwUFg
Bob You’re
Hash of hired,
2
Alice encrypts the hash
Plaintext Plaintext GmdBkELopt
Bob
sBcBAEBCAA 8hF85TetMS
with her private key
QBQJZzBIbCR
Hash
AW8ZAwUFg
EncrypTon Digital
GmdBkELopt
Signature 8hF85TetMS
Alice’s Computer Hashing Hash of The encrypted hash
Algorithm Plaintext

Alice’s Private Key

Plaintext
and Digital
Signature
3 (digital signature) is
included with the plaintext Authorization models Using an authorization model
• The user or device has now authenticated • Add an abstraction
– To what do they now have access? – Reduce complexity
– Time to apply an authorization model – Create a clear relationship between the user
• Users and services -> data and applications and the resource
Verifying a Digital Signature
– Associating individual users to access rights • Administration is streamlined
You’re Bob decrypts the does not scale – Easy to understand the authorizations
You’re GmdBkELopt hired,
hired,
8hF85TetMS
1 Bob 2 1 digital signature
to obtain the • Put an authorization model in the middle – Support any number of users or resources
Digital
Bob
Signature Plaintext
plaintext hash – Define by Roles, Organizations, Attributes, etc.
sBcBAEBCAA sBcBAEBCAA
GmdBkELopt DecrypGon QBQJZzBIbCR
Hash
QBQJZzBIbCR
Bob hashes the
No authorization model
8hF85TetMS AW8ZAwUFg AW8ZAwUFg
• A simple relationship
Plaintext 2 plaintext and

and Digital
Hash of Hashing Hash of compares it to – User -> Resource
Plaintext Algorithm Plaintext the decrypted hash
Signature Bob’s Laptop • Some issues with this method
Alice’s Public Key – Difficult to understand why an authorization may exist
– Does not scale

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 3 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 4 https://ProfessorMesser.com
 1.2 - Gap Analysis 1.2 - Zero Trust (continued)
Gap Analysis Compare and contrast
• Where you are compared with where you want to be • The comparison
– The “gap” between the two – Evaluate existing systems
• This may require extensive research • Identify weaknesses
– There’s a lot to consider – Along with the most effective processes
• This can take weeks or months • A detailed analysis
– An extensive study with numerous participants – Examine broad security categories
– Get ready for emails, data gathering, and technical – Break those into smaller segments
research The analysis and report
Choosing the framework • The final comparison
• Work towards a known baseline – Detailed baseline objectives
– This may be an internal set of goals – A clear view of the current state Applying trust in the planes Security zones
– Some organizations should use formal standards • Need a path to get from the current security to the goal • Policy Decision Point • Security is more than a one-to-one relationship
• Determine the end goal – This will almost certainly include time, money, and lots – There’s a process for making an authentication decision – Broad categorizations provide a security-related
– NIST Special Publication 800-171 Revision 2, of change control • Policy Engine foundation
– Protecting Controlled Unclassified Information in • Time to create the gap analysis report – Evaluates each access decision based on policy and other • Where are you coming from and where
– Nonfederal Systems and Organizations – A formal description of the current state information sources are you going
• ISO/IEC 27001 – Recommendations for meeting the baseline – Grant, deny, or revoke – Trusted, untrusted
– Information security management systems • Policy Administrator – Internal network, external network
– Communicates with the Policy Enforcement Point – VPN 1, VPN 5, VPN 11
Evaluate people and processes – Marketing, IT, Accounting, Human Resources
• Get a baseline of employees – Generates access tokens or credentials
– Formal experience – Tells the PEP to allow or disallow access address, etc. • Using the zones may be enough by itself to deny
– Current training – Make the authentication stronger, if needed access
– Knowledge of security policies and procedures • Threat scope reduction – For example, Untrusted to Trusted zone traffic
• Examine the current processes – Decrease the number of possible entry points • Some zones are implicitly trusted
– Research existing IT systems • Policy-driven access control – For example, Trusted to Internal zone traffic
– Evaluate existing security policies – Combine the adaptive identity with a predefined set of rules

Zero Trust Across Planes

1.2 - Zero Trust

Zero trust • Control plane
• Many networks are relatively open on the inside – Manages the actions of the data plane
– Once you’re through the firewall, there are few – Define policies and rules
security controls – Determines how packets should be forwarded
• Zero trust is a holistic approach to network security – Routing tables, session tables, NAT tables
– Covers every device, every process, every person Controlling trust
• Everything must be verified • Adaptive identity
– Nothing is inherently trusted – Consider the source and the requested resources
– Multi-factor authentication, encryption, system – Multiple risk indicators - relationship to the
permissions, additional firewalls, monitoring and organization, physical location, type of connection, IP
analytics, etc Policy enforcement point
Planes of operation • Subjects and systems
• Split the network into functional planes – End users, applications, non-human entities
– Applies to both physical, virtual, and cloud • Policy enforcement point (PEP)
components – The gatekeeper
• Data plane • Allow, monitor, and terminate connections
– Process the frames, packets, and network data – Can consist of multiple components working together
– Processing, forwarding, trunking, encrypting, NAT

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 5 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 6 https://ProfessorMesser.com
 1.2 - Physical Security 1.3 - Change Management
Barricades / bollards Guards and access badges Change management Impact analysis
• Prevent access - There are limits to the prevention • Security guard • How to make a change • Determine a risk value
• Channel people through a specific access point – Physical protection at the reception area of a facility – Upgrade software, patch an application, change – i.e., high, medium, low
– Allow people, prevent cars and trucks – Validates identification of existing employees firewall configuration, modify switch ports • The risks can be minor or far-reaching
• Identify safety concerns - And prevent injuries • Two-person integrity/control • One of the most common risks in the enterprise – The “fix” doesn’t actually fix anything
• Can be used to an extreme – Minimize exposure to an attack – Occurs very frequently – The fix breaks something else
– Concrete barriers / bollards, moats – No single person has access to a physical asset • Often overlooked or ignored – Operating system failures
• Access badge – Did you feel that bite? – Data corruption
Access control vestibules
• All doors normally unlocked – Picture, name, other details • Have clear policies • What’s the risk with NOT making the change?
– Opening one door causes others to lock – Must be worn at all times - Electronically logged – Frequency, duration, installation process, rollback – Security vulnerability
Lighting procedures – Application unavailability
• All doors normally locked
• More light means more security • Sometimes extremely difficult to implement – Unexpected downtime to other services
– Unlocking one door prevents others from being unlocked
• One door open / other locked – Attackers avoid the light - Easier to see when lit – It’s hard to change corporate culture Test results
– When one is open, the other cannot be unlocked – Non IR cameras can see better Change approval process • Sandbox testing environment
• Specialized design • A formal process for managing change – No connection to the real world or production
• One at a time, controlled groups
– Consider overall light levels – Avoid downtime, confusion, and mistakes system
– Managed control through an area
– Lighting angles may be important – A technological safe space
Fencing • A typical approval process
– Important for facial recognition – Complete the request forms • Use before making a change to production
• Build a perimeter - Usually very obvious – Avoid shadows and glare – Try the upgrade, apply the patch
– May not be what you’re looking for – Determine the purpose of the change
Sensors – Identify the scope of the change – Test and confirm before deployment
• Transparent/opaque - See through the fence (or not) • Confirm the backout plan
• Infrared – Schedule a date and time of the change
• Robust - Difficult to cut the fence – Detects infrared radiation in both light and dark – Determine affected systems and the impact – Move everything back to the original
• Prevent climbing - Razor wire - Build it high – Common in motion detectors – Analyze the risk associated with the change – A sandbox can’t consider every possibility
Video surveillance • Pressure – Get approval from the change control board Backout plan
• CCTV (Closed circuit television) – Detects a change in force - Floor and window sensors – Get end-user acceptance after the change is complete • The change will work perfectly and nothing
– Can replace physical guards • Microwave Ownership will ever go bad
• Camera features are important – Detects movement across large areas • An individual or entity needs to make a change – Of course it will
– Motion recognition can alarm and alert • Ultrasonic – They own the process • You should always have a way to revert your changes
– Object detection can identify a license plate or face – Send ultrasonic signals, receive reflected sound waves – They don’t (usually) perform the actual change – Prepare for the worst, hope for the best
• Often many different cameras – Detect motion, collision detection, etc. • The owner manages the process • This isn’t as easy as it sounds
– Networked together and recorded over time – Process updates are provided to the owner – Some changes are difficult to revert
– Ensures the process is followed and acceptable • Always have backups
1.2 - Deception and Disruption
• Address label printers needs to be upgraded – Always have good backups
Honeypots • Honeyfiles – Shipping and Receiving department owns the process
• Attract the bad guys - And trap them there – Bait for the honeynet (passwords.txt) Maintenance window
– IT handles the actual change • When is the change happening?
• The “attacker” is probably a machine – Add many honeyfiles to file shares
Stakeholders – This might be the most difficult part of the process
– Makes for interesting recon • An alert is sent if the file is accessed
• Who is impacted by this change? • During the workday may not be the best option
• Honeypots - Create a virtual world to explore – A virtual bear trap
– They’ll want to have input on the change – Potential downtime would affect a large part of
• Many different options Honeytokens management process production
– Most are open source and available to download • Track the malicious actors • This may not be as obvious as you might think • Overnights are often a better choice
• Constant battle to discern the real from the fake – Add some traceable data to the honeynet – A single change can include one individual or the – Challenging for 24-hour production schedules
– If the data is stolen, you’ll know where it came from entire company
Honeynets • The time of year may be a consideration
• A real network includes more than a single device • API credentials • Upgrade software used for shipping labels – Retail networks are frozen during the holiday season
– Servers, workstations, routers, switches, firewalls – Does not actually provide access – Shipping / receiving
– Notifications are sent when used Standard operating procedure
• Honeynets – Accounting reports
• Fake email addresses • Change management is critical
– Build a larger deception network with – Product delivery timeframes
– Add it to a contact list – Affects everyone in the organization
one or more honeypots – Revenue recognition - CEO visibility
– Monitor the Internet to see who posts it • The process must be well documented
• More than one source of information – Should be available on the Intranet
• Many other honeytoken examples
Honeyfiles – Database records, browser cookies, web page pixels – Along with all standard processes and procedures
• Attract the attackers with more honey • Changes to the process are reflected in the standards
– Create files with fake information – A living document
– Something bright and shiny
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 7 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 8 https://ProfessorMesser.com
 1.3 - Technical Change Management 1.4 - Public Key Infrastructure
Technical change management • Services Public Key Infrastructure (PKI) • The private key is the only key that can decrypt data
• Put the change management process into action – Stop and restart the service or daemon • Policies, procedures, hardware, software, people encrypted with the public key
– Execute the plan – May take seconds or minutes – Digital certificates: create, distribute, manage, – You can’t derive the private key from the public key
• There’s no such thing as a simple upgrade • Applications store, revoke The key pair
– Can have many moving parts – Close the application completely • This is a big, big, endeavor • Asymmetric encryption
– Separate events may be required – Launch a new application instance – Lots of planning – Public Key Cryptography
• Change management is often concerned with “what” Legacy applications • Also refers to the binding of public keys to • Key generation
needs to change • Some applications were here before you arrived people or devices – Build both the public and private key at the same time
– The technical team is concerned with “how” to change it – They’ll be here when you leave – The certificate authority – Lots of randomization
Allow list / deny list • Often no longer supported by the developer – It’s all about trust – Large prime numbers
• Any application can be dangerous – You’re now the support team Symmetric encryption – Lots and lots of math
– Vulnerabilities, trojan horses, malware • Fear of the unknown • A single, shared key • Everyone can have the public key
• Security policy can control app execution – Face your fears and document the system – Encrypt with the key – Only Alice has the private key
– Allow list, deny/block list – It may not be as bad as you think – Decrypt with the same key Key escrow
• Allow list • May be quirky – If it gets out, you’ll need another key • Someone else holds your decryption keys
– Nothing runs unless it’s approved – Create specific processes and procedures • Secret key algorithm – Your private keys are in the hands of a 3rd-party
– Very restrictive • Become the expert – A shared secret – This may be within your own organization
• Deny list • Doesn’t scale very well • This can be a legitimate business arrangement
Dependencies
– Nothing on the “bad list” can be executed – Can be challenging to distribute – A business might need access to employee information
• To complete A, you must complete B
– Anti-virus, anti-malware – A service will not start without other active services • Very fast to use – Government agencies may need to decrypt
Restricted activities – An application requires a specific library version – Less overhead than asymmetric encryption partner data
• The scope of a change is important – Often combined with asymmetric encryption • Controversial?
• Modifying one component may require changing or
– Defines exactly which components are covered restarting other components Asymmetric encryption – Of course
• A change approval isn’t permission to make any change – This can be challenging to manage • Public key cryptography – But may still be required
– The change control approval is very specific • Dependencies may occur across systems – Two (or more) mathematically related keys It’s all about the process
• The scope may need to be expanded during the change – Upgrade the firewall code first • Private key • Need clear process and procedures
window – Then upgrade the firewall management software – Keep this private – Keys are incredibly important pieces of information
– It’s impossible to prepare for all possible outcomes Documentation • Public key • You must be able to trust your 3rd-party
• The change management process determines • It can be challenging to keep up with changes – Anyone can see this key – Access to the keys is at the control of the 3rd-party
the next steps – Documentation can become outdated very quickly – Give it away • Carefully controlled conditions
– There are processes in place to make the change – Require with the change management process – Legal proceedings and court orders
successful • Updating diagrams
Downtime – Modifications to network configurations
• Services will eventually be unavailable – Address updates Asymmetric encryption
– The change process can be disruptive • Updating policies/procedures
sBcBAE
– Usually scheduled during non-production hours – Adding new systems may require new procedures Hello, BCAAQ
• If possible, prevent any downtime Version control Alice BQJYtX
– Switch to secondary system, upgrade the primary, • Track changes to a file or configuration data over time
ToCRA
then switch back – Easily revert to a previous setting Plaintext sBcBAE Ciphertext
BCAAQ Hello,
• Minimize any downtime events • Many opportunities to manage versions BQJYtX Alice
– The process should be as automated as possible ToCRA
– Router configurations
– Switch back to secondary if issues appear
– Windows OS patches Ciphertext Plaintext
– Should be part of the backout plan – Application registry entries Alice’s Computer
• Send emails and calendar updates Bob’s Laptop
• Not always straightforward Alice’s Public Key Alice’s Private Key
Restarts – Some devices and operating systems provide version
• It’s common to require a restart control features
– Implement the new configuration – May require additional management software
– Reboot the OS, power cycle the switch,
bounce the service
1 Bob combines Alice’s public key
with plaintext to create ciphertext 2 Alice uses her private key to decrypt
the ciphertext into the original plaintext
– Can the system recover from a power outage?

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 9 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 10 https://ProfessorMesser.com
 1.4 - Encrypting Data 1.4 - Key Exchange (continued)
Encrypting stored data Cryptographic keys Symmetric key from asymmetric keys
• Protect data on storage devices • There’s very little that isn’t known about the
– SSD, hard drive, USB drive, cloud storage, etc. cryptographic process
– This is data at rest – The algorithm is usually a known entity
• Full-disk and partition/volume encryption – The only thing you don’t know is the key
– BitLocker, FileVault, etc. • The key determines the output
Bob’s Private Key Alice’s Private Key
• File encryption – Encrypted data
– EFS (Encrypting File System), third-party utilities – Hash value
– Digital signature
Database encryption Symmetric Key Symmetric Key
• Protecting stored data • Keep your key private!
– It’s the only thing protecting your data Alice’s Computer
– And the transmission of that data Bob’s Laptop
• Transparent encryption Key lengths Alice’s Public Key Bob’s Public Key
– Encrypt all database information with a symmetric key • Larger keys tend to be more secure
• Record-level encryption – Prevent brute-force attacks
– Attackers can try every possible key combination
– Encrypt individual columns
– Use separate symmetric keys for each column • Symmetric encryption
– 128-bit or larger symmetric keys are common
1 Bob combines his private key with
Alice’s public key to create a symmetric key 2 Alice combines her private key with
Bob’s public key to create the same symmetric key
Transport encryption
– These numbers get larger and larger as time goes on
• Protect data traversing the network
– You’re probably doing this now • Asymmetric encryption
– Complex calculations of prime numbers 1.4 - Encryption Technologies
• Encrypting in the application
– Larger keys than symmetric encryption Trusted Platform Module (TPM) • All key management from one console
– Browsers can communicate using HTTPS
– Common to see key lengths of 3,072 bits or larger • A specification for cryptographic functions – Create keys for a specific service or cloud provider
• VPN (Virtual Private Network) – Cryptography hardware on a device (SSL/TLS, SSH, etc.)
– Encrypts all data transmitted over the network, Key stretching
• A weak key is a weak key • Cryptographic processor – Associate keys with specific users
regardless of the application – Rotate keys on regular intervals
– By itself, it’s not very secure – Random number generator, key generators
– Client-based VPN using SSL/TLS – Log key use and important events
– Site-to-site VPN using IPsec • Make a weak key stronger by performing multiple • Persistent memory
processes – Unique keys burned in during manufacturing Keeping data private
Encryption algorithms • Our data is located in many different places
– Hash a password. Hash the hash of the password. • Versatile memory
• There are many, many different ways to encrypt data – Mobile phones, cloud, laptops, etc.
And continue… – Storage keys, hardware configuration information
– The proper “formula” must be used during – The most private data is often physically closest to us
– Key stretching, key strengthening – Securely store BitLocker keys
encryption and decryption
• Brute force attacks would require reversing • Password protected • Attackers are always finding new techniques
• Both sides decide on the algorithm before encrypting the data – It’s a race to stay one step ahead
each of those hashes – No dictionary attacks
– The details are often hidden from the end user
– The attacker has to spend much more time, Hardware Security Module (HSM) • Our data is changing constantly
• There are advantages and disadvantages between even though the key is small – How do we keep this data protected?
algorithms • Used in large environments
– Clusters, redundant power Secure enclave
– Security level, speed, complexity of implementation, etc.
– Securely store thousands of cryptographic keys • A protected area for our secrets
• High-end cryptographic hardware – Often implemented as a hardware processor
1.4 - Key Exchange – Isolated from the main processor
– Plug-in card or separate hardware device
Key exchange • Share a symmetric session key using – Many different technologies and names
• Key backup
• A logistical challenge asymmetric encryption • Provides extensive security features
– Secure storage in hardware
– How do you share an encryption key across an insecure – Client encrypts a random (symmetric) key with a – Has its own boot ROM
medium without physically transferring the key? server’s public key • Cryptographic accelerators
– Offload that CPU overhead from other devices – Monitors the system boot process
• Out-of-band key exchange – The server decrypts this shared key and uses it to – True random number generator
– Don’t send the symmetric key over the ‘net encrypt data Key management system – Real-time memory encryption
– Telephone, courier, in-person, etc. – This is the session key • Services are everywhere – Root cryptographic keys
• In-band key exchange • Implement session keys carefully – On-premises, cloud-based – Performs AES encryption in hardware
– It’s on the network – Need to be changed often (ephemeral keys) – Many different keys for many different services – And more…
– Protect the key with additional encryption – Need to be unpredictable • Manage all keys from a centralized manager
– Use asymmetric encryption to deliver a symmetric key Symmetric key from asymmetric keys – Often provided as third-party software
• Use public and private key cryptography to – Separate the encryption keys from the data
Real-time encryption/decryption
• There’s a need for fast security create a symmetric key
– Without compromising the security part – Math is powerful
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 11 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 12 https://ProfessorMesser.com
 1.4 - Obfuscation 1.4 - Hashing and Digital Signatures
Obfuscation Tokenization Hashes Adding some salt
• The process of making something unclear • Replace sensitive data with a non-sensitive placeholder • Represent data as a short string of text • Salt
– It’s now much more difficult to understand – SSN 266-12-1112 is now 691-61-8539 – A message digest, a fingerprint – Random data added to a password when hashing
• But it’s not impossible to understand • Common with credit card processing • One-way trip • Every user gets their own random salt
– If you know how to read it – Use a temporary token during payment – Impossible to recover the original message from the digest – The salt is commonly stored with the password
• Hide information in plain sight – An attacker capturing the card numbers can’t use – Used to store passwords / confidentiality • Rainbow tables won’t work with salted hashes
– Store payment information without storing a them later • Verify a downloaded document is the same as the original – Additional random value added to the original
credit card number • This isn’t encryption or hashing – Integrity password
• Hide information inside of an image – The original data and token aren’t mathematically • Can be a digital signature • This slows things down the brute force process
– Steganography related – Authentication, non-repudiation, and integrity – It doesn’t completely stop the
– No encryption overhead reverse engineering
Steganography Collision
• Greek for “concealed writing” Data masking • Hash functions Salting the hash
– Security through obscurity • Data obfuscation – Take an input of any size • Each user gets a different random hash
• Message is invisible - But it’s really there – Hide some of the original data – Create a fixed size string – The same password creates a different hash
• The covertext - The container document or file • Protects PII – Message digest, checksum Digital signatures
– And other sensitive data • The hash should be unique • Prove the message was not changed
Common steganography techniques
• May only be hidden from view – Different inputs should never create the same hash – Integrity
• Network based - Embed messages in TCP packets
– The data may still be intact in storage – If they do, it’s a collision • Prove the source of the message
• Use an image - Embed the message in the image itself – Control the view based on permissions • MD5 has a collision problem – Authentication
• Invisible watermarks - Yellow dots on printers • Many different techniques – Found in 1996 - Don’t use MD5 for anything important • Make sure the signature isn’t fake
Other steganography types – Substituting, shuffling, encrypting, masking out, etc. Practical hashing – Non-repudiation
• Audio steganography • Verify a downloaded file • Sign with the private key
– Modify the digital audio file – Hashes may be provided on the download site – The message doesn’t need to be encrypted
– Interlace a secret message within the audio – Compare the downloaded file hash with the – Nobody else can sign this (obviously)
– Similar technique to image steganography posted hash value • Verify with the public key
• Video steganography • Password storage – Any change in the message will
– A sequence of images – Instead of storing the password, store a salted hash invalidate the signature
– Use image steganography on a larger scale – Compare hashes during the authentication process
– Manage the signal to noise ratio – Nobody ever knows your actual password
– Potentially transfer much more information

Tokenization

Salting the Hash

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 13 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 14 https://ProfessorMesser.com
 1.4 - Blockchain Technology 1.4 - Certificates
Blockchain • Many practical applications Digital certificates Certificate signing requests
• A distributed ledger – Payment processing • A public key certificate • Create a key pair, then send the public key to
– Keep track of transactions – Digital identification – Binds a public key with a digital signature the CA to be signed
• Everyone on the blockchain network maintains the – Supply chain monitoring – And other details about the key holder – A certificate signing request (CSR)
ledger – Digital voting • A digital signature adds trust • The CA validates the request
– Records and replicates to anyone and everyone – PKI uses Certificate Authorities for additional trust – Confirms DNS emails and website ownership
– Web of Trust adds other users for additional trust • CA digitally signs the cert
• Certificate creation can be built into the OS – Returns to the applicant
– Part of Windows Domain services Private certificate authorities
– Many 3rd-party options • You are your own CA
What’s in a digital certificate? – Build it in-house
• X.509 – Your devices must trust the internal CA
– Standard format • Needed for medium-to-large organizations
• Certificate details – Many web servers and privacy requirements
– Serial number • Implement as part of your overall computing strategy
– Version – Windows Certificate Services, OpenCA
– Signature Algorithm
Self-signed certificates
– Issuer
• Internal certificates don’t need to be signed by a public CA
– Name of the cert holder
– Your company is the only one going to use it
– Public key
– No need to purchase trust for devices that already
– Extensions
trust you
– And more…
• Build your own CA
Root of trust – Issue your own certificates signed by your own CA
• Everything associated with IT security requires trust
• Install the CA certificate/trusted chain on all devices
– A foundational characteristic
– They’ll now trust any certificates signed by your
• How to build trust from something unknown? internal CA
– Someone/something trustworthy provides their – Works exactly like a certificate you purchased
approval
Wildcard certificates
• Refer to the root of trust
• Subject Alternative Name (SAN)
– An inherently trusted component
– Extension to an X.509 certificate
– Hardware, software, firmware, or other component
– Lists additional identification information
– Hardware security module (HSM), Secure Enclave,
– Allows a certificate to support many different domains
Certificate Authority, etc.
• Wildcard domain
Certificate Authorities – Certificates are based on the name of the server
• You connect to a random website – A wildcard domain will apply to all server names
– Do you trust it? in a domain
• Need a good way to trust an unknown entity – *.professormesser.com
– Use a trusted third-party
Key revocation
– An authority
• Certificate Revocation List (CRL)
• Certificate Authority (CA) has digitally signed the – Maintained by the Certificate Authority (CA)
website certificate – Can contain many revocations in a large file
– You trust the CA, therefore you trust the website
• Many different reasons
– Real-time verification
– Changes all the time
Third-party certificate authorities • April 2014 - CVE-2014-0160
• Built-in to your browser – Heartbleed
– Any browser – OpenSSL flaw put the private key of affected
• Purchase your web site certificate web servers at risk
– It will be trusted by everyone’s browser – OpenSSL was patched, every web server certificate
• CA is responsible for vetting the request was replaced
– They will confirm the certificate owner – Older certificates were moved to the CRL
– Additional verification information may be
required by the CA
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 15 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 16 https://ProfessorMesser.com
 1.4 - Certificates (continued) 2.1 - Threat Actors
OCSP stapling Getting revocation details to the browser Threat Actors • Can be internal or external
• Online Certificate Status Protocol • OCSP (Online Certificate Status Protocol) • The entity responsible for an event that has an impact – But usually external
– Provides scalability for OCSP checks – The browser can check certificate revocation on the safety of another entity • Not very sophisticated
• The CA is responsible for responding to all • Messages usually sent to an OCSP responder via HTTP – Also called a malicious actor – Limited resources, if any
client OCSP requests – Easy to support over Internet links • Threat actor attributes • No formal funding
– This may not scale well – More efficient than downloading a CRL – Describes characteristics of the attacker – Looking for low hanging fruit
• Instead, have the certificate holder verify • Not all browsers/apps support OCSP • Useful to categorize the motivation Hacktivist
their own status – Early Internet Explorer versions did not support OCSP – Why is this attack happening? • A hacker with a purpose
– Status information is stored on the certificate – Some support OCSP, but don’t bother checking – Is this directed or random? – Motivated by philosophy, revenge, disruption, etc.
holder’s server Attributes of threat actors • Often an external entity
• OCSP status is “stapled” into the SSL/TLS handshake • Internal/external – Could potentially infiltrate to also be an insider threat
– Digitally signed by the CA – The attacker is inside the house • Can be remarkably sophisticated
– They’re outside and trying to get in – Very specific hacks
• Resources/funding – DoS, web site defacing, private document release
Certificate signing requests – No money • Funding may be limited
– Extensive funding – Some organizations have fundraising options
Applicant Cer,ficate Authority (CA) • Level of sophistication/capability
– Blindly runs scripts or automated vulnerability scans
Insider threat
• More than just passwords on sticky notes
– Can write their own attack malware and scripts
– Motivated by revenge, financial gain
2 Motivations of threat actors
• What makes them tick?
• Extensive resources
Applicant’s – Using the organization’s resources against themselves
– There’s a purpose to this attack
Private Key • An internal entity
• Motivations include – Eating away from the inside
– Data exfiltration
• Medium level of sophistication
– Espionage
– The insider has institutional knowledge
Validate the – Service disruption
– Attacks can be directed at vulnerable systems
Applicant’s Iden6ty – Blackmail
– The insider knows what to hit
– Financial gain
Applicant’s
Public Key 1 – Philosophical/political beliefs
– Ethical
Organized crime
• Professional criminals
– Revenge – Motivated by money
Cer6ficate – Disruption/chaos – Almost always an external entity
Signing – War • Very sophisticated
Nation states – Best hacking money can buy
Request (CSR)
3 • External entity • Crime that’s organized
Applicant – Government and national security – One person hacks, one person manages the exploits,
Iden6fying • Many possible motivations another person sells the data, another handles
Informa6on CA’s – Data exfiltration, philosophical, revenge, disruption, customer support
Digitally Signed Private Key war • Lots of capital to fund hacking efforts
Cer6ficate Shadow IT
• Constant attacks, massive resources
– Commonly an Advanced Persistent Threat (APT) • Going rogue
• Highest sophistication – Working around the internal IT organization
Create a key pair, then send the – Builds their own infrastructure
1 public key to the CA to be signed
2 The CA validates the request – Military control, utilities, financial control
– United States and Israel destroyed 1,000 nuclear • Information Technology can put up roadblocks
centrifuges with the Stuxnet worm – Shadow IT is unencumbered
Unskilled attackers – Use the cloud
• Runs pre-made scripts without any knowledge of what’s – Might also be able to innovate
CA digitally signs the cert
3 and returns it to the applicant
really happening
– Anyone can do this
• Limited resources
– Company budget
• Motivated by the hunt • Medium sophistication
– Disruption, data exfiltration, sometimes philosophical – May not have IT training or knowledge

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 17 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 18 https://ProfessorMesser.com
 2.1 - Threat Actors (continued) 2.2 - Common Threat Vectors (continued)
Vulnerable software vectors Open service ports
• Client-based • Most network-based services connect over
– Infected executable a TCP or UDP port
– Known (or unknown) vulnerabilities – An “open” port
– May require constant updates • Every open port is an opportunity for the attacker
• Agentless – Application vulnerability or misconfiguration
– No installed executable • Every application has their own open port
– Compromised software on the server – More services expand the attack surface
would affect all users • Firewall rules
– Client runs a new instance each time – Must allow traffic to an open port
Unsupported systems vectors Default credentials
• Patching is an important prevention tool • Most devices have default usernames and passwords
– Ongoing security fixes – Change yours!
• Unsupported systems aren’t patched • The right credentials provide full control
– There may not even be an option – Administrator access
• Outdated operating systems • Very easy to find the defaults for your access point or router
– Eventually, even the manufacturer won’t help – https://www.routerpasswords.com
• A single system could be an entry
Supply chain vectors
– Keep your inventory and records current
• Tamper with the underlying infrastructure
2.2 - Common Threat Vectors Unsecure network vectors – Or manufacturing process
Threat vectors File-based vectors • The network connects everything • Managed service providers (MSPs)
• A method used by the attacker • More than just executables – Ease of access for the attackers – Access many different customer networks from one
– Gain access or infect to the target – Malicious code can hide in many places – View all (non-encrypted) data location
– Also called “attack vectors” • Adobe PDF • Wireless • Gain access to a network using a vendor
• A lot of work goes into finding vulnerabilities in these vectors – A file format containing other objects – Outdated security protocols (WEP, WPA, WPA2) – 2013 Target credit card breach
– Some are more vulnerable than others • ZIP/RAR files (or any compression type) – Open or rogue wireless networks
• Suppliers
• IT security professional spend their career watching these – Contains many different files • Wired – Counterfeit networking equipment
vectors • Microsoft Office – Unsecure interfaces - No 802.1X – Install backdoors, substandard performance and availability
– Protect existing vectors – Documents with macros • Bluetooth – 2020 - Fake Cisco Catalyst switches
– Find new vectors – Add-in files – Reconnaissance, implementation vulnerabilities
Message-based vectors Voice call vectors 2.2 - Phishing
• Phishing attacks • Vishing Phishing Tricks and misdirection
– People want to click links – Phishing over the phone • Social engineering with a touch of spoofing • How are they so successful?
– Links in an email, links send via text or IM • Spam over IP – Often delivered by email, text, etc. – Digital slight of hand - It fools the best of us
• Deliver the malware to the user – Large-scale phone calls – Very remarkable when well done • Typosquatting
– Attach it to the email • War dialing • Don’t be fooled – A type of URL hijacking - https://professormessor.com
– Scan all attachments, never launch untrusted links – It still happens – Check the URL • Pretexting - Lying to get information
• Social engineering attacks • Call tampering • Usually there’s something not quite right – Attacker is a character in a situation they create
– Invoice scams, cryptocurrency scams – Disrupting voice calls – Spelling, fonts, graphics – Hi, we’re calling from Visa regarding an automated payment
Image-based vectors Removable device vectors to your utility service…
Business email compromise
• Easy to identify a text-based threat • Get around the firewall • We trust email sources Phishing with different bait
– It’s more difficult to identify the threat in an image – The USB interface – The attackers take advantage of this trust • Vishing (Voice phishing) is done over the phone or voicemail
• Some image formats can be a threat • Malicious software on USB flash drives – Caller ID spoofing is common
• Spoofed email addresses
– The SVG (Scalable Vector Graphic) format – Infect air gapped networks – Fake security checks or bank updates
– Not really a legitimate email address
– Image is described in XML (Extensible Markup Language) – Industrial systems, high-security services – professor@professormessor.com • Smishing (SMS phishing) is done by text message
• Significant security concerns • USB devices can act as keyboards – Spoofing is a problem here as well
• Financial fraud
– HTML injection – Hacker on a chip – Forwards links or asks for personal information
– Sends emails with updated bank information
– Javascript attack code
• Data exfiltration – Modify wire transfer details • Variations on a theme
• Browsers must provide input validation – Terabytes of data walk out the door – The fake check scam, phone verification code scam,
• The recipient clicks the links
– Avoids running malicious code – Zero bandwidth used – Boss/CEO scam, advance-fee scam
– The attachments have malware
– Some great summaries on https://reddit.com/r/Scams
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 19 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 20 https://ProfessorMesser.com
 2.2 - Impersonation 2.2 - Other Social Engineering Attacks
The pretext Identity fraud Misinformation/disinformation Brand impersonation
• Before the attack, the trap is set - There’s an actor and a story • Your identity can be used by others • Disseminate factually incorrect information • Pretend to be a well-known brand
• “Hello sir, my name is Wendy and I’m from Microsoft Windows. – Keep your personal information safe! – Create confusion and division – Coca-cola, McDonald’s, Apple, etc.
This is an urgent check up call for your computer as we have • Credit card fraud • Influence campaigns • Create tens of thousands of impersonated sites
found several problems with it.” – Open an account in your name, or use your – Sway public opinion on political and social issues – Get into the Google index, click an ad,
• Voice mail: “This is an enforcement action executed by the US credit card information • Nation-state actors get a WhatsApp message
Treasury intending your serious attention.” • Bank fraud – Divide, distract, and persuade • Visitors are presented with a pop-up
• “Congratulations on your excellent payment history! You now – Attacker gains access to your account or opens • Advertising is an option – You won! Special offer! Download the video!
qualify for 0% interest rates on all of your credit card accounts.” a new account – Buy a voice for your opinion • Malware infection is almost guaranteed
Impersonation • Loan fraud • Enabled through Social media – Display ads, site tracking, data exfiltration
• Attackers pretend to be someone they aren’t – Your information is used for a loan or lease – Creating, sharing, liking, amplifying
– Halloween for the fraudsters • Government benefits fraud
• Use some of those details from reconnaissance – Attacker obtains benefits on your behalf The misinformation process
– You can trust me, I’m with your help desk Protect against impersonation
• Attack the victim as someone higher in rank • Never volunteer information
– Office of the Vice President for Scamming – My password is 12345
• Throw tons of technical details around • Don’t disclose personal details
– Catastrophic feedback due to the depolarization of the – The bad guys are tricky
differential magnetometer • Always verify before revealing info
• Be a buddy - How about those Cubs? – Call back, verify through 3rd parties
Eliciting information • Verification should be encouraged
• Extracting information from the victim – Especially if your organization owns valuable
– The victim doesn’t even realize this is happening information
– Hacking the human
• Often seen with vishing (Voice Phishing)
– Can be easier to get this information over the phone
• These are well-documented psychological techniques
– They can’t just ask, “So, what’s your password?”

2.2 - Watering Hole Attacks

2.3 - Memory Injections
Watering hole attack Because that’s where the money is
• What if your network was really secure? • January 2017, Polish Financial Supervision Authority, Finding malware DLL injection
– You didn’t even plug in that USB key from National Banking and Stock Commission of Mexico, • Malware runs in memory • Dynamic-Link Library
the parking lot State-owned bank in Uruguay – Memory forensics can find the malicious code – A Windows library containing code and data
– The watering hole was sufficiently poisoned • Memory contains running processes – Many applications can use this library
• The attackers can’t get in
– DLLs (Dynamic Link Libraries) • Attackers inject a path to a malicious DLL
– Not responding to phishing emails • Visiting the site would download malicious JavaScript files
– Threads – Runs as part of the target process
– Not opening any email attachments – But only to IP addresses matching banks and other
– Buffers • One of the most popular memory injection methods
• Have the mountain come to you financial institutions
– Memory management functions – Relatively easy to implement
– Go where the mountain hangs out • Did the attack work? – And much more
– The watering hole – We still don’t know • Malware is hidden somewhere
– This requires a bit of research Watching the watering hole – Malware runs in its own process
Executing the watering hole attack • Defense-in-depth – Malware injects itself into a legitimate process
• Determine which website the victim group uses – Layered defense Memory injection
– Educated guess - Local coffee or sandwich shop – It’s never one thing • Add code into the memory of an existing process
– Industry-related sites • Firewalls and IPS – Hide malware inside of the process
• Infect one of these third-party sites – Stop the network traffic before things get bad • Get access to the data in that process
– Site vulnerability • Anti-virus / Anti-malware signature updates – And the same rights and permissions
– Email attachments – The Polish Financial Supervision Authority attack code – Perform a privilege escalation
• Infect all visitors was recognized and stopped by generic signatures in
– But you’re just looking for specific victims Symantec’s anti-virus software
– Now you’re in!
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 21 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 22 https://ProfessorMesser.com
 2.3 - Buffer Overflows 2.3 - Malicious Updates
Buffer overflows Variable(A(and(B(before(buffer(overflow Software updates Automatic updates
• Overwriting a buffer of memory Variable(Name A B • Always keep your operating system and applications • The app updates itself
– Spills over into other memory areas Value [null(string] 1979
updated – Often includes security checks / digital signatures
• Developers need to perform bounds checking – Updates often include bug fixes and security patches • Relatively trustworthy
Hex(Value 00 00 00 00 00 00 00 00 07 BB
– The attackers spend a lot of time looking for openings • This process has its own security concerns – Comes directly from the developer
• Not a simple exploit Overflowing(variable(A(changes(variable(B – Not every update is equally secure • Solarwinds Orion supply chain attack
– Takes time to avoid crashing things Variable(Name A B • Follow best practices – Reported in December 2020
– Takes time to make it do what you want Value 'e' 'x' 'c' 'e' 's' 's' 'i' 'v' 25856 – Always have a known-good backup – Attackers gained access to the Solarwinds
• A really useful buffer overflow is repeatable Hex(Value 65 78 63 65 73 73 69 76 65 00
– Install from trusted sources development system
– Which means that a system can be compromised – Did I mention the backup? – Added their own malicious code to the updates
Downloading and updating – Gained access to hundreds of government agencies
• Install updates from a downloaded file and companies
2.3 - Race Conditions
– Always consider your actions
Race condition Race conditions can cause big problems – Every installation could potentially be malicious
• A programming conundrum • January 2004 - Mars rover “Spirit”
• Confirm the source
– Sometimes, things happen at the same time – Reboot when a problem is identified
– A random pop-up during web browsing may not
– This can be bad if you’ve not planned for it – Problem is with the file system, so reboot
be legitimate
• Time-of-check to time-of-use attack (TOCTOU) because of the file system problem
– Reboot loop was the result • Visit the developer’s site directly
– Check the system
– Don’t trust a random update button or random
– When do you use the results of your last check? • Pwn2Own Vancouver 2023 - Tesla Model 3
downloaded file
– Something might happen between the check and the use – TOCTOU attack against the
– Tesla infotainment using Bluetooth • Many operating systems will only allow signed apps
Race condition example – Don’t disable your security controls
• Two bank accounts with $100 – Elevated privileges to root
– Earned $100,000 US prize and
– User 1 and User 2 transfer $50 from Account A to Account B
they keep the Tesla 2.3 - Operating System Vulnerabilities
– Expected outcome:
Account A has $50, Account B has $150 (or A has $0 and B has $200) Operating systems Best practices for OS vulnerabilities
• A foundational computing platform • Always update
• What if you don’t perform proper validation?
– Everyone has an operating system – Monthly or on-demand updates
– User 1 and User 2 check the account balances ($100 in each account)
– This makes the OS a very big target – It’s a race between you and the attackers
– User 1 transfers $50 from Account A (now at $50) to Account B (now at $150)
– At about the same time, user 2 transfers $50 from Account A • Remarkably complex • May require testing before deployment
(still has $100, right?, so now at $50) to Account B (now at $200) – Millions of lines of code – A patch might break something else
– Outcome: Account A has $50, Account B has $200 – More code means more opportunities for a security issue • May require a reboot
• The vulnerabilities are already in there – Save all data
This race condition assumes that deposits to the account are immediate and withdrawals are not. – We’ve just not found them yet • Have a fallback plan
A month of OS updates – Where’s that backup?
• A normal month of Windows updates
– Patch Tuesday - 2nd Tuesday of each month
– Other companies have similar schedules
• May 9, 2023 - Nearly 50 security patches
– 8 Elevation of Privilege Vulnerabilities
– 4 Security Feature Bypass Vulnerabilities
– 12 Remote Code Execution Vulnerabilities
– 8 Information Disclosure Vulnerabilities
– 5 Denial of Service Vulnerabilities
– 1 Spoofing Vulnerability
• https://msrc.microsoft.com/

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 23 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 24 https://ProfessorMesser.com
 2.3 - SQL Injection 2.3 - Cross-site Scripting (continued)
Code injection SQL injection
• Code injection • SQL - Structured Query Language
– Adding your own information into a data stream – The most common relational database management A#acker sends a link containing
• Enabled because of bad programming system language a malicious script to a vic6m
– The application should properly handle input • SQL injection (SQLi)
and output – Put your own SQL requests into an existing application 1
• So many different data types – Your application shouldn’t allow this
– HTML, SQL, XML, LDAP, etc. • Can often be executed in a web browser A"acker Vic*m
– Inject in a form or field
• An example of website code: 2 Vic6m clicks link and
– “SELECT * FROM users WHERE name = ‘“ + userName + “’”; visits legi6mate site
• How this looks to the SQL database:
– “SELECT * FROM users WHERE name = ‘Professor’”; Malicious script
• Add more information to the query:
sends vic6m’s data
4
– “SELECT * FROM users WHERE name = ‘Professor’ OR ‘1’ = ‘1’”;
(session cookies, Legi6mate site loads in the
• This could be very bad
etc.) to a#acker vic6m’s browser. Malicious
– View all database information, delete database information, add users, denial of service, etc. 3
script is also executed
2.3 - Cross-site Scripting Trusted Website
Cross-site scripting • For social networking, this can spread quickly
• XSS – Everyone who views the message can
– Cascading Style Sheets (CSS) are have it posted to their page 2.3 - Hardware Vulnerabilities
something else entirely – Where someone else can view it and propagate it
Hardware vulnerabilities End-of-life
• Originally called cross-site because of browser further...
• We are surrounded by hardware devices • End of life (EOL)
security flaws Hacking a Subaru – Many do not have an accessible operating system – Manufacturer stops selling a product
– Information from one site could be shared with another • June 2017, Aaron Guzman – May continue supporting the product
• These devices are potential security issues
• One of the most common web app vulnerabilities – Security researcher – A perfect entry point for an attack – Important for security patches and updates
– Takes advantage of the trust a user has for a site • When authenticating with Subaru, users get a token • End of service life (EOSL)
• Everything is connecting to the network
– Complex and varied – This token never expires (bad!) – Manufacturer stops selling a product
– Light bulbs, garage doors, refrigerators, door locks
• XSS commonly uses JavaScript • A valid token allowed any service request – IoT is everywhere – Support is no longer available for the product
– Do you allow scripts? Me too. – Even adding your email address to someone else’s – No ongoing security patches or updates
• The security landscape has grown
Non-persistent (reflected) XSS attack account – Time to change your approach – May have a premium-cost support option
• Web site allows scripts to run in user input – Now you have full access to someone else’s car • Technology EOSL is a significant concern
Firmware
– Search box is a common source • Web front-end included an XSS vulnerability – Security patches are part of normal operation
• The software inside of the hardware
• Attacker emails a link that takes advantage of – A user clicks a malicious link, and you Legacy platforms
– The operating system of the hardware device
this vulnerability have their token • Some devices remain installed for a long time
• Vendors are the only ones who can fix their hardware
– Runs a script that sends credentials/ Protecting against XSS – Perhaps too long
– Assuming they know about the problem
session IDs/cookies to the attacker • Be careful when clicking untrusted links • Legacy devices
– And care about fixing it
• Script embedded in URL executes in the victim’s browser – Never blindly click in your email inbox. Never. – Older operating systems, applications, middleware
• Trane Comfortlink II thermostats
– As if it came from the server • Consider disabling JavaScript • May be running end-of-life software
– Control the temperature from your phone
• Attacker uses credentials/session IDs/cookies to steal – Or control with an extension – Trane notified of three vulnerabilities in April 2014 – The risk needs to be compared to the return
victim’s information without their knowledge – This offers limited protection – Two patched in April 2015, one in January 2016 • May require additional security protections
– Very sneaky • Keep your browser and applications updated – Additional firewall rules
Persistent (stored) XSS attack – Avoid the nasty browser vulnerabilities – IPS signatures for older operating systems
• Attacker posts a message to a social network • Validate input
– Includes the malicious payload – Don’t allow users to add their own scripts
• It’s now “persistent” to an input field
– Everyone gets the payload
• No specific target
– All viewers to the page

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 25 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 26 https://ProfessorMesser.com
 2.3 - Virtualization Vulnerabilities 2.3 - Supply Chain Vulnerabilities
Virtualization security Escaping the VM Supply chain risk Cisco or not Cisco?
• Quite different than non-virtual machines • March 2017 - Pwn2Own competition • The chain contains many moving parts • All network traffic flows through switches and routers
– Can appear anywhere – Hacking contest – Raw materials, suppliers, manufacturers, – A perfect visibility and pivot point
• Quantity of resources vary between VMs – You pwn it, you own it - along with some cash distributors, customers, consumers • July 2022 - DHS arrests reseller CEO
– CPU, memory, storage • JavaScript engine bug in Microsoft Edge • Attackers can infect any step along the way – Sold more than $1 billion of counterfeit Cisco products
• Many similarities to physical machines – Code execution in the Edge sandbox – Infect different parts of the chain without suspicion – Created over 30 different companies
– Complexity adds opportunity for the attackers • Windows 10 kernel bug – People trust their suppliers – Had been selling these since 2013
• Virtualization vulnerabilities – Compromise the guest operating system • One exploit can infect the entire chain • Knock-offs made in China
– Local privilege escalations • Hardware simulation bug in VMware – There’s a lot at stake – Sold as authentic Cisco products
– Command injection – Escape to the host Service providers – Until they started breaking and catching on fire
– Information disclosure • Patches were released soon afterwards • You can control your own security posture Software providers
VM escape protection Resource reuse – You can’t always control a service provider • Trust is a foundation of security
• The virtual machine is self-contained • The hypervisor manages the relationship between • Service providers often have access to internal services – Every software installation questions our trust
– There’s no way out physical and virtual resources – An opportunity for the attacker • Initial installation
– Or is there? – Available RAM, storage space, CPU availability, etc. • Many different types of providers – Digital signature should be confirmed during
• Virtual machine escape • These resources can be reused between VMs – Network, utility, office cleaning, payroll/accounting, installation
– Break out of the VM and interact with the host – Hypervisor host with 4 GB of RAM cloud services, system administration, etc. • Updates and patches
operating system or hardware – Supports three VMs with 2 GB of RAM each • Consider ongoing security audits of all providers – Some software updates are automatic
• Once you escape the VM, you have great control – RAM is allocated and shared between VMs – Should be included with the contract – How secure are the updates?
– Control the host and control other guest VMs • Data can inadvertently be shared between VMs Target service provider attack • Open source is not immune
• This would be a huge exploit – Time to update the memory management features • Target Corp. breach - November 2013 – Compromising the source code itself
– Full control of the virtual world – Security patches can mitigate the risk – 40 million credit cards stolen Solarwinds supply chain attack
• Heating and AC firm in Pennsylvania was infected • Solarwinds Orion
2.3 - Cloud-specific Vulnerabilities – Malware delivered in an email – Used by 18,000 customers
Security in the cloud Attack the service – VPN credentials for HVAC techs was stolen – Including Fortune 500 and US Federal Government
• Cloud adoption has been nearly universal • Denial of Service (DoS) • HVAC vendor was the supplier • Software updates compromised in March and June 2020
– It’s difficult to find a company NOT using the cloud – A fundamental attack type – Attackers used a wide-open Target network to infect – Upgrades to existing installations
• We’ve put sensitive data in the cloud • Authentication bypass every cash register at 1,800 stores – Not detected until December 2020
– The attackers would like this data – Take advantage of weak or faulty authentication • Do these technicians look like an IT security issue? • Additional breaches took advantage of the exploit
• We’re not putting in the right protections • Directory traversal – Microsoft, Cisco, Intel, Deloitte
Hardware providers
– 76% of organizations aren’t using – Faulty configurations put data at risk – Pentagon, Homeland Security, State Department,
• Can you trust your new server/router/switch/firewall/
– MFA for management console users Department of Energy, National Nuclear Security
• Remote code execution software?
Administration, Treasury
• Simple best-practices aren’t being used – Take advantage of unpatched systems – Supply chain cyber security
– 63% of code in production are unpatched – Attack the application • Use a small supplier base
– Vulnerabilities rated high or critical (CVSS >= 7.0) • Web application attacks have increased – Tighter control of vendors
– Log4j and Spring Cloud Function • Strict controls over policies and procedures
– Easy to exploit, rewards are extensive – Ensure proper security is in place
• Cross-site scripting (XSS) • Security should be part of the overall design
– Take advantage of poor input validation – There’s a limit to trust
• Out of bounds write
– Write to unauthorized memory areas 2.3 - Misconfiguration Vulnerabilities
– Data corruption, crashing, or code execution Open permissions Unsecured admin accounts
• SQL injection • Very easy to leave a door open • The Linux root account
– Get direct access to a database – The hackers will always find it – The Windows Administrator or superuser account
• Increasingly common with cloud storage • Can be a misconfiguration
– Statistical chance of finding an open permission – Intentionally configuring an easy-to-hack password
• June 2017 - 14 million Verizon records exposed – 123456, ninja, football
– Third-party left an Amazon S3 data repository open • Disable direct login to the root account
– Researcher found the data before anyone else – Use the su or sudo option
• Many, many other examples • Protect accounts with root or administrator access
– Secure your permissions! – There should not be a lot of these
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 27 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 28 https://ProfessorMesser.com
 2.3 - Misconfiguration Vulnerabilities (continued) 2.4 -An Overview of Malware
Insecure protocols • Mirai released as open-source software Malware Your data is valuable
• Some protocols aren’t encrypted – There’s a lot more where that came from • Malicious software • Personal data
– All traffic sent in the clear Open ports and services – These can be very bad – Family pictures and videos
– Telnet, FTP, SMTP, IMAP • Services will open ports • Gather information – Important documents
• Verify with a packet capture – It’s important to manage access – Keystrokes • Organization data
– View everything sent over the network • Often managed with a firewall • Show you advertising – Planning documents
• Use the encrypted versions - SSH, SFTP, IMAPS, etc. – Manage traffic flows – Big money – Employee personally identifiable information (PII)
– Allow or deny based on port number • Viruses and worms – Financial information
Default settings
or application – Encrypt your data – Company private data
• Every application and network device has a default login
– Not all of these are ever changed • Firewall rulesets can be complex – Ruin your day • How much is it worth?
– It’s easy to make a mistake – There’s a number
• Mirai botnet Malware types and methods
– Takes advantage of default configurations • Always test and audit • Viruses Ransomware
– Takes over Internet of Things (IoT) devices – Double and triple check • Worms • A particularly nasty malware
– 60+ default configurations • Ransomware – Your data is unavailable until you provide cash
– Cameras, routers, doorbells, garage door openers, etc. • Trojan Horse • Malware encrypts your data files
• Rootkit – Pictures, documents, music, movies, etc.
2.3 - Mobile Device Vulnerabilities • Keylogger – Your OS remains available
Mobile device security • Gaining access • Spyware – They want you running, but not working
• Challenging to secure – Android - Rooting • Bloatware • You must pay the attackers to obtain the decryption key
– Often need additional security policies – Apple iOS - Jailbreaking • Logic bomb – Untraceable payment system
and systems • Install custom firmware How you get malware – An unfortunate use of public-key cryptography
• Relatively small – Replaces the existing operating system • These all work together Protecting against ransomware
– Can be almost invisible • Uncontrolled access – A worm takes advantage of a vulnerability • Always have a backup
• Almost always in motion – Circumvent security features – Installs malware that includes a remote access – An offline backup, ideally
– You never know where it might be – The MDM becomes relatively useless backdoor – Keep your operating system up to date
• Packed with sensitive data Sideloading – Additional malware may be installed later – Patch those vulnerabilities
– Personal and organizational • Malicious apps can be a significant security concern • Your computer must run a program • Keep your applications up to date
• Constantly connected to the Internet – One Trojan horse can create a data breach – Email link - Don’t click links – Security patches
– Nothing bad happens on the Internet • Manage installation sources – Web page pop-up • Keep your anti-virus/anti-malware signatures up to date
– The global or local app store – Drive-by download – New attacks every hour
Jailbreaking/rooting
– Worm
• Mobile devices are purpose-built systems • Jailbreaking circumvents security • Keep everything up to date
– You don’t have access to the operating system – Sideloading • Your computer is vulnerable
– Apps can be installed manually without using an app store – Operating system - Keep your OS updated!
– An MDM becomes relatively useless – Applications - Check with the publisher

2.3 - Zero-day Vulnerabilities 2.4 - Viruses and Worms

Vulnerabilities • Common Vulnerabilities and Exposures (CVE) Virus Fileless virus
• Many applications have vulnerabilities – https://cve.mitre.org/ • Malware that can reproduce itself • A stealth attack
– We’ve just not found them yet Zero-day attacks in the wild – It needs you to execute a program – Does a good job of avoiding anti-virus detection
• Someone is working hard to find the next big vulnerability • April 2023 - Chrome zero-day • Reproduces through file systems or the network • Operates in memory
– The good guys share these with developers – Memory corruption, sandbox escape – Just running a program can spread a virus – But never installed in a file or application
• Attackers keep these yet-to-be-discovered holes to themselves • May 2023 - Microsoft zero-day patch • May or may not cause problems Worms
– They want to use these vulnerabilities for personal gain – Secure boot zero-day vulnerability – Some viruses are invisible, some are annoying • Malware that self-replicates
Zero-day attacks – Attacker can run UEFI-level self-signed code • Anti-virus is very common – Doesn’t need you to do anything
• Attackers search for unknown vulnerabilities • May 2023 - Apple iOS and iPadOS zero-days – Thousands of new viruses every week – Uses the network as a transmission medium
– They create exploits against these vulnerabilities – Three zero-day patches – Is your signature file updated? – Self-propagates and spreads quickly
• The vendor has no idea the vulnerability exists – Sandbox escape, disclosure of sensitive Virus types • Worms are pretty bad things
– They don’t have a fix for an unknown problem information, arbitrary code execution • Program viruses - It’s part of the application – Can take over many systems very quickly
• Zero-day attacks – Active exploitations • Boot sector viruses - Who needs an OS? • Firewalls and IDS/IPS can mitigate many worm infestations
– An attack without a patch or method of mitigation • Script viruses - Operating system and browser-based – Doesn’t help much once the worm gets inside
– A race to exploit the vulnerability or create a patch • Macro viruses - Common in Microsoft Office
– Difficult to defend against the unknown
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 29 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 30 https://ProfessorMesser.com
 2.4 - Viruses and Worms (continued) 2.4 - Other Malware Types
Fileless virus infection process Keyloggers Preventing a logic bomb
• Your keystrokes contain valuable information • Difficult to recognize
– Web site login URLs, passwords, email messages – Each is unique
• Save all of your input and send it to the bad guys – No predefined signatures
• Circumvents encryption protections • Process and procedures
– Your keystrokes are in the clear – Formal change control
• Other data logging • Electronic monitoring
– Clipboard logging, screen logging, instant messaging, – Alert on changes
search engine queries – Host-based intrusion detection,
Tripwire, etc.
Logic bomb
• Waits for a predefined event • Constant auditing
– Often left by someone with grudge – An administrator can circumvent
existing systems
• Time bomb - Time or date
• User event - Logic bomb Rootkits
• Originally a Unix technique
• Difficult to identify - Difficult to recover if it goes off
– The “root” in rootkit
Worm infection process Real-world logic bombs • Modifies core system files
Vulnerable • March 19, 2013, South Korea – Part of the kernel

1
Infected computer
searches for
2 computer
is exploited
– Email with malicious attachment sent to
South Korean organizations
• Can be invisible to the operating system
– Won’t see it in Task Manager
vulnerable system – Posed as a bank email - Trojan installs malware
• Also invisible to traditional anti-virus utilities
• March 20, 2013, 2 p.m. local time
– If you can’t see it, you can’t stop it
– Malware time-based logic-bomb activates
– Storage and master boot record deleted, system reboots Finding and removing rootkits
• Boot device not found. • Look for the unusual
Please install an operating system on your hard disk. – Anti-malware scans
• December 17, 2016, 11:53 p.m. • Use a remover specific to the rootkit
Backdoor is – Usually built after the rootkit is discovered
3 installed and
downloads worm
– Ukraine high-voltage substation. Logic bomb begins disabling
electrical circuits. Malware mapped out the control network • Secure boot with UEFI
– Security in the BIOS
• Began disabling power at a predetermined time
• Customized for SCADA networks
– Supervisory Control and Data Acquisition
2.4 - Spyware and Bloatware
Spyware Bloatware 2.4 - Physical Attacks
• Malware that spies on you • A new computer or phone
– Advertising, identity theft, affiliate fraud – Includes the operating system and important apps Physical attacks RFID cloning
• Old-school security • RFID is everywhere - Access badges, key fobs
• Can trick you into installing • Also includes applications you didn’t expect
– No keyboard, no mouse, no command line • Duplicators are on Amazon - Less than $50
– Peer to peer, fake security software – And often don’t need
• Many different ways to circumvent digital security • The duplication process takes seconds
• Browser monitoring • Apps are installed by the manufacturer
– A physical approach must be considered – Read one card, copy to another
– Capture surfing habits – You don’t get a choice
• If you have physical access to a server, you have full • This is why we have MFA
• Keyloggers • Uses valuable storage space
control – Use another factor with the card
– Capture every keystroke – May also add to overall resource usage
– An operating system can’t stop an in-person attack
– Send your keystrokes back to the attacker – The system may be slower than expected Environmental attacks
– Could open your system to exploits • Door locks keep out the honest people • Attack everything supporting the technology
Protecting against spyware – There’s always a way in
• Maintain your anti-virus / anti-malware Removing bloatware – The operating environment
– Always have the latest signatures • Identify and remove - This may be easier said than done Brute force • Power monitoring
• The physical version - No password required – An obvious attack
• Always know what you’re installing • Use the built-in uninstaller - Works for most applications
– And watch your options during the installation • Push through the obstruction - Brawn beats brains • HVAC (Heating, Ventilation, and Air Conditioning) and
• Some apps have their own uninstaller
• Where’s your backup? – That’s how bad they are • Check your physical security humidity controls
– You might need it someday – Check the windows, try the doors – Large data centers must be properly cooled
• Third-party uninstallers and cleaners
– Cleaning adware isn’t easy – Probably not the first option • Attackers will try everything • Fire suppression
• Run some scans - Malwarebytes – Always have a backup – You should be prepared for anything – Watch for smoke or fire
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 31 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 32 https://ProfessorMesser.com
 2.4 - Denial of Service 2.4 - Wireless Attacks
Denial of service Distributed Denial of Service (DDoS) It started as a normal day Radio frequency (RF) jamming
• Force a service to fail • Launch an army of computers to bring down a service • Surfing along on your wireless network • Denial of Service
– Overload the service – Use all the bandwidth or resources - traffic spike – And then you’re not – Prevent wireless communication
• Take advantage of a design failure or vulnerability • This is why the attackers have botnets • And then it happens again - And again • Transmit interfering wireless signals
– Keep your systems patched! – Thousands or millions of computers at your command • You may not be able to stop it – Decrease the signal-to-noise ratio at the receiving
• Cause a system to be unavailable – At its peak, Zeus botnet infected over 3.6 million PCs – There’s (almost) nothing you can do device
– Competitive advantage – Coordinated attack – Time to get a long patch cable – The receiving device can’t hear the good signal
• Create a smokescreen for some other exploit • Asymmetric threat • Wireless deauthentication • Sometimes it’s not intentional
– Precursor to a DNS spoofing attack – The attacker may have fewer resources than the victim – A significant wireless denial of service (DoS) attack – Interference, not jamming
• Doesn’t have to be complicated DDoS reflection and amplification – Microwave oven, fluorescent lights
802.11 management frames
– Turn off the power • Turn your small attack into a big attack • 802.11 wireless includes a number of • Jamming is intentional
A “friendly” DoS – Often reflected off another device or service management features – Someone wants your network to not work
• Unintentional DoSing • An increasingly common network DDoS technique – Frames that make everything work Wireless jamming
– It’s not always a ne’er-do-well – Turn Internet services against the victim – You never see them • Many different types
• Network DoS - Layer 2 loop without STP • Uses protocols with little (if any) authentication or checks • Important for the operation of 802.11 wireless – Constant, random bits / Constant, legitimate frames
• Bandwidth DoS – NTP, DNS, ICMP A common example of protocol abuse – How to find access points, manage QoS, associate/ – Data sent at random times - random data and
– Downloading multi-gigabyte disassociate with an access point, etc. legitimate frames
– Linux distributions over a DSL line • Original wireless standards did not add protection for – Reactive jamming - only when someone else tries to
management frames communicate
• The water line breaks
– Get a good shop vacuum – Sent in the clear • Needs to be somewhere close
– No authentication or validation – Difficult to be effective from a distance
2.4 - DNS Attacks Protecting against deauth attacks • Time to go fox hunting
• IEEE has already addressed the problem – You’ll need the right equipment to hunt down the jam
DNS poisoning URL hijacking – Directional antenna, attenuator
– 802.11w - July 2014
• Modify the DNS server • Make money from your mistakes
– Requires some crafty hacking – There’s a lot of advertising on the ‘net • Some of the important management frames are encrypted
– Disassociate, deauthenticate, channel switch
• Modify the client host file • Sell the badly spelled domain to the actual owner
announcements, etc.
– The host file takes precedent over DNS queries – Sell a mistake
• Not everything is encrypted
• Send a fake response to a valid DNS request • Redirect to a competitor
– Beacons, probes, authentication, association
– Requires a redirection of the original request or the – Not as common, legal issues
resulting response • 802.11w is required for 802.11ac compliance
• Phishing site
– Real-time redirection – This will roll out going forward
– Looks like the real site, please login
– This is an on-path attack • Infect with a drive-by download
Domain hijacking – You’ve got malware!
• Get access to the domain registration, and you have control 2.4 - On-path Attacks
Types of URL hijacking
where the traffic flows • Typosquatting / brandjacking On-path network attack On-path browser attack
– You don’t need to touch the actual servers – Take advantage of poor spelling • How can an attacker watch without you knowing? • What if the middleman was on the same computer
– Determines the DNS names and DNS IP addresses – Formerly known as man-in-the-middle as the victim?
• Outright misspelling
• Many ways to get into the account • Redirects your traffic – Malware/Trojan does all of the proxy work
– professormesser.com vs. professormessor.com
– Brute force – Then passes it on to the destination – Formerly known as man-in-the-browser
• A typing error
– Social engineer the password – You never know your traffic was redirected • Huge advantages for the attackers
– professormeser.com
– Gain access to the email address that manages the account • ARP poisoning – Relatively easy to proxy encrypted traffic
– The usual things • A different phrase – Everything looks normal to the victim
– On-path attack on the local IP subnet
– professormessers.com
• Saturday, October 22, 2016, 1 PM – ARP has no security • The malware in your browser waits for you to
– Domain name registrations of 36 domains are changed • Different top-level domain login to your bank
– Brazilian bank – professormesser.org – And cleans you out
– Desktop domains, mobile domains, and more
• Under hacker control for 6 hours
– The attackers became the bank
• 5 million customers, $27 billion in assets
– Results of the hack have not been publicly released

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 33 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 34 https://ProfessorMesser.com
 2.4 - Replay Attacks 2.4 - Replay Attacks (continued)
Replay attack Browser cookies and session IDs Header manipulation Prevent session hijacking
• Useful information is transmitted over the network • Cookies • Information gathering • Encrypt end-to-end
– A crafty hacker will take advantage of this – Information stored on your computer by the browser – Wireshark, Kismet – They can’t capture your session ID if they can’t see it
• Need access to the raw network data • Used for tracking, personalization, session management • Exploits – Additional load on the web server (HTTPS)
– Network tap, ARP poisoning, – Not executable, not generally a security risk – Cross-site scripting – Firefox extension: HTTPS Everywhere, Force-TLS
– Malware on the victim computer – Unless someone gets access to them • Modify headers – Many sites are now HTTPS-only
• The gathered information may help the attacker • Could be considered be a privacy risk – Tamper, Firesheep, Scapy • Encrypt end-to-somewhere
– Replay the data to appear as someone else – Lots of personal data in there • Modify cookies – At least avoid capture over a local wireless network
• This is not an on-path attack • Session IDs are often stored in the cookie – Cookies Manager+ (Firefox add-on) – Still in-the-clear for part of the journey
– The actual replay doesn’t require – Maintains sessions across multiple browser sessions – Personal VPN
the original workstation
2.4 - Malicious Code
Exploiting a vulnerability • Protection comes from many different sources
Pass the Hash • An attacker can use many techniques – Anti-malware
– Social engineering – Firewall
Client authen,cates to – Default credentials – Continuous updates and patches
1 the server with a username – Misconfiguration – Secure computing habits
and hashed password • These don’t require technical skills Malicious code examples
– The door is already unlocked • WannaCry ransomware
• There are still ways to get into a well-secured system – Executable exploited a vulnerability in Windows SMBv1
– Exploit with malicious code – Arbitrary code execution
– Knock the pins out of a door hinge • British Airways cross-site scripting
Malicious code – 22 lines of malicious JavaScript code placed on checkout
• The attackers use any opportunity pages
Client – The types of malicious code are varied and many – Information stolen from 380,000 victims
Server • Estonian Central Health Database
• Many different forms
During authen,ca,on, – Executable, scripts, macro viruses, worms, Trojan – SQL injection
horse, etc. – Breached all healthcare information for an entire country
the a:acker captures
2 the username A:acker sends his own
and password hash 3 authen,ca,on request 2.4 - Application Attacks
A+acker using the captured creden,als Injection attacks Buffer overflows
• Code injection • Overwriting a buffer of memory
– Adding your own information into a data stream – Spills over into other memory areas
Session hijacking (Sidejacking) • Enabled because of bad programming • Developers need to perform bounds checking
– The application should properly handle input and – The attackers spend a lot of time looking for openings
Vic*m authen*cates output • Not a simple exploit
to the server Server provides • So many different injectable data types – Takes time to avoid crashing things
Client authen*ca*on – HTML, SQL, XML, LDAP, etc. – Takes time to make it do what you want
1 a session ID
SQL injection • A really useful buffer overflow is repeatable
to the client
Your session ID: 3B0027A38FDF37
2 • SQL - Structured Query Language
– The most common relational database management
– Which means that a system can be compromised
Replay attack
system language • Useful information is transmitted over the network

Vic*m
3 • SQL injection (SQLi)
– Put your own SQL requests into an existing application
– A crafty hacker will take advantage of this
• Need access to the raw network data
A"acker intercepts ID:
Session 37
– Your application shouldn’t allow this – Network tap, ARP poisoning,
the session ID and A FDF
3 8 • Can often be executed in a web browser – Malware on the victim computer
3B0027 – Inject in a form or field
uses it to access the • The gathered information may help the attacker
A"acker Web Server – Replay the data to appear as someone else
server with the
• This is not an on-path attack
vic*m’s creden*als – The actual replay doesn’t require the original
workstation
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 35 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 36 https://ProfessorMesser.com
 2.4 - Application Attacks (continued) 2.4 - Cryptographic Attacks
Privilege escalation • HTML on ProfessorMesser.com directs requests Cryptographic attacks • December 2008: Researchers created CA certificate
• Gain higher-level access to a system from your browser • You’ve encrypted data and sent it to another person that appeared legitimate when MD5 is checked
– Exploit a vulnerability – This is normal and expected – Is it really secure? – Built other certificates that appeared to be
– Might be a bug or design flaw – Most of these are unauthenticated requests – How do you know? legit and issued by RapidSSL
• Higher-level access means more capabilities The client and the server • The attacker doesn’t have the combination (the key) Downgrade attack
– This commonly is the highest-level access • Website pages consist of client-side code and – So they break the safe (the cryptography) • Instead of using perfectly good encryption, use
– This is obviously a concern server-side code • Finding ways to undo the security something that’s not so great
• These are high-priority vulnerability patches – Many moving parts – There are many potential cryptographic shortcomings – Force the systems to downgrade their security
– You want to get these holes closed very quickly • Client side – The problem is often the implementation • 2014 - TLS vulnerability POODLE (Padding Oracle
– Any user can be an administrator – Renders the page on the screen (HTML, JavaScript) Birthday attack On Downgraded Legacy Encryption)
• Horizontal privilege escalation • Server side • In a classroom of 23 students, what is the chance of – On-path attack
– User A can access user B resources – Performs requests from the client (HTML, PHP) two students sharing a birthday? – Forces clients to fallback to SSL 3.0
Mitigating privilege escalation – Transfer money from one account to another – About 50% – SSL 3.0 has significant cryptographic vulnerabilities
• Patch quickly - Fix the vulnerability – Post a video on YouTube – For a class of 30, the chance is about 70% – Because of POODLE, modern browsers won’t
• In the digital world, this is a hash collision fall back to SSL 3.0
• Updated anti-virus/anti-malware software Cross-site request forgery
– Block known vulnerabilities • One-click attack, session riding – A hash collision is the same hash value for two
• Data Execution Prevention – XSRF, CSRF (sea surf) different plaintexts
– Only data in executable areas can run • Takes advantage of the trust that a web application – Find a collision through brute force
• Address space layout randomization has for the user • The attacker will generate multiple versions of plaintext
– Prevent a buffer overrun at a known memory address – The web site trusts your browser to match the hashes
– Elevation of privilege vulnerability – Requests are made without your consent or your – Protect yourself with a large hash output size
• CVE-2023-29336 knowledge Collisions
– Win32k Elevation of Privilege Vulnerability – Attacker posts a Facebook status on your account • Hash digests are supposed to be unique
– May 2023 • Significant web application development oversight – Different input data should not create the same hash
• Win32k Kernel driver – The application should have anti-forgery techniques added • MD5 hash
– Server 2008, 2008 R2, 2012, 2012 R2, 2016 – Usually a cryptographic token to prevent a forgery – Message Digest Algorithm 5
– Windows 10 Directory traversal – First published in April 1992
• Attacker would gain SYSTEM privileges • Directory traversal / path traversal – Collisions identified in 1996
– The highest level access – Read files from a web server that are outside of the
website’s file directory
Cross-site requests
– Users shouldn’t be able to browse the Windows folder
• Cross-site requests are common and legitimate
– You visit ProfessorMesser.com • Web server software vulnerability SSL stripping
– Your browser loads text from ProfessorMesser.com – Won’t stop users from browsing past the web server root
– Your browser loads a video from YouTube • Web application code vulnerability
– Your browser loads pictures from Instagram – Take advantage of badly written code GET h.p://example.com
GET h.p://example.com
Cross-site request forgery Visitor clicks the link and
Web site 301 Moved Web Server
unknowingly sends the
Request is sent as a 3 transfer request to
Visitor A.acker
GET h.ps://example.com
hyperlink to a user who the bank web site
may already be logged
into the bank web site
2 Bank Site Visitor
200 OK (HTTPS)
200 OK (HTTP)

On-path a.ack
POST h.p://example.com Rewrites URLs
user: professor & password: ninja1 HTTP/HTTPS POST h.ps://example.com

1 A"acker creates a
funds transfer request Bank Web Server
user: professor & password: ninja1

Bank validates the transfer

A2acker 4 and sends the visitor’s funds
to the a"acker
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 37 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 38 https://ProfessorMesser.com
 2.4 - Password Attacks 2.4 - Indicators of Compromise (continued)
Plaintext / unencrypted passwords Spraying attack Impossible travel Out-of-cycle logging
• Some applications store passwords “in the clear” • Try to login with an incorrect password • Authentication logs can be telling • Out-of-cycle - Occurs at an unexpected time
– No encryption. You can read the stored password. – Eventually you’re locked out – Logon and logoff • Operating system patch logs
– This is rare, thankfully • There are some common passwords • Login from Omaha, Nebraska, United States – Occurring outside of the normal patch day
• Do not store passwords as plaintext – https://en.wikipedia.org/wiki/List_of_the_most_ – The company headquarters – Keep that exploited system safe from other attackers!
– Anyone with access to the password file or common_passwords • Three minutes later, a login from Melbourne, Australia • Firewall log activity
database has every credential • Attack an account with the top three (or more) – Alarm bells should be ringing – Timestamps of every traffic flow
• What to do if your application saves passwords passwords • This should be easy to identify – Protocols and applications used
as plaintext: – If they don’t work, move to the next account – Log analysis and automation Missing logs
– Get a better application – No lockouts, no alarms, no alerts • Log information is evidence
Resource consumption
Hashing a password Brute force • Every attacker’s action has an equal and – Attackers will try to cover their tracks by removing logs
• Hashes represent data as a fixed-length string of text • Try every possible password combination until the opposite reaction • Information is everywhere
– A message digest, or “fingerprint” hash is matched – Watch carefully for significant changes – Authentication logs
• Will not have a collision (hopefully) • This might take some time • File transfers use bandwidth – File access logs
– Different inputs will not have the same hash – A strong hashing algorithm slows things down – An unusual spike at 3 AM – Firewall logs
• One-way trip – The hash: • Firewall logs show the outgoing transfer – Proxy logs
– Impossible to recover the original message Brute force – IP addresses, timeframes – Server logs
from the digest • Brute force attacks - Online • Often the first real notification of an issue • The logs may be incriminating
– A common way to store passwords – Keep trying the login process – The attacker may have been here for months – Missing logs are certainly suspicious
A hash example – Very slow – Resource inaccessibility – Logs should be secured and monitored
• SHA-256 hash – Most accounts will lockout after a number of • The server is down - Not responding Published/documented
– Used in many applications failed attempts • The entire attack and data exfiltration may go unnoticed
• Network disruption - A cover for the actual exploit
The password file • Brute force the hash - Offline – It happens quite often
• Server outage - Result of an exploit gone wrong
• Different across operating systems and applications – Obtain the list of users and hashes • Company data may be published online
– Calculate a password hash, compare it to a stored hash • Encrypted data - A potential ransomware attack begins
– Different hash algorithms • The attackers post a portion or all data
– Large computational resource requirement • Brute force attack - Locks account access
– This may be in conjunction with ransomware
• Raw data may be released without context
2.4 - Indicators of Compromise – Researchers will try to find the source
Indicators of compromise (IOC) Concurrent session usage
• An event that indicates an intrusion • It’s challenging to be two places at one time 2.5 - Segmentation and Access Control
– Confidence is high – Laws of physics Segmenting the network Access control lists
– He’s calling from inside the house • Multiple account logins from multiple locations • Physical, logical, or virtual segmentation • List the permissions
• Indicators – Interactive access from a single user – Devices, VLANs, virtual networks – Bob can read files
– Unusual amount of network activity – You don’t have a clone • Performance – Fred can access the network
– Change to file hash values • This can be difficult to track down – High-bandwidth applications – James can access network 192.168.1.0/24 using tcp
– Irregular international traffic – Multiple devices and desktops • Security ports 80, 443, and 8088
– Changes to DNS data – Automated processes – Users should not talk directly to database servers • Many operating systems use ACLs to provide access to files
– Uncommon login patterns – The only applications in the core are SQL and SSH – A trustee and the access rights allowed
Blocked content
– Spikes of read requests to certain files • Compliance – Application allow list / deny list
• An attacker wants to stay as long as possible
Account lockout – Your system has been unlocked – Mandated segmentation (PCI compliance) Examples of allow and deny lists
• Credentials are not working – Keep the doors and windows open – Makes change control much easier • Decisions are made in the operating system
– It wasn’t you this time • There’s probably a security patch available Access control lists (ACLs) – Often built-in to the operating system management
• Exceeded login attempts – Time to play keep-away • Allow or disallow traffic • Application hash
– Account is automatically locked • Blocked content – Groupings of categories – Only allows applications with this unique identifier
• Account was administratively disabled – Auto-update connections – Source IP, Destination IP, port number, time of day, • Certificate
– This would be a larger concern – Links to security patches application, etc. – Allow digitally signed apps from certain publishers
• This may be part of a larger plan – Third-party anti-malware sites • Restrict access to network devices • Path
– Attacker locks account – Removal tools – Limit by IP address or other identifier – Only run applications in these folders
– Calls support line to reset the password – Prevent regular user / non-admin access • Network zone
• Be careful when configuring these – The apps can only run from this network zone
– You can accidentally lock yourself out
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 39 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 40 https://ProfessorMesser.com
 2.5 - Mitigation Techniques 2.5 - Hardening Techniques (continued)
Patching Least privilege The endpoint • HIPS identification
• Incredibly important • Rights and permissions should be set to the bare • The user’s access - Applications and data – Signatures, heuristics, behavioral
– System stability, security fixes minimum • Stop the attackers - Inbound attacks, outbound attacks – Buffer overflows, registry updates, writing files to the
• Monthly updates – You only get exactly what’s needed to complete Windows folder
your objective • Many different platforms - Mobile, desktop
– Incremental (and important) – Access to non-encrypted data
• All user accounts must be limited • Protection is multi-faceted - Defense in depth
• Third-party updates Open ports and services
– Application developers, device drivers – Applications should run with minimal privileges Endpoint detection and response (EDR)
• Every open port is a possible entry point
• Auto-update • Don’t allow users to run with administrative privileges • A different method of threat protection
– Close everything except required ports
– Not always the best option – Limits the scope of malicious behavior – Scale to meet the increasing number of threats
• Control access with a firewall
• Emergency out-of-band updates • Detect a threat
Configuration enforcement – NGFW would be ideal
– Zero-day and important security discoveries – Signatures aren’t the only detection tool
• Perform a posture assessment – Behavioral analysis, machine learning, • Unused or unknown services
Encryption – Each time a device connects process monitoring – Installed with the OS or from other applications
• Prevent access to application data files • Extensive check – Lightweight agent on the endpoint • Applications with broad port ranges
– File system encryption – OS patch version • Investigate the threat - Root cause analysis – Open port 0 through 65,535
• Full disk encryption (FDE) – EDR (Endpoint Detection and Response) version • Use Nmap or similar port scanner to verify
– Status of firewall and EDR • Respond to the threat
– Encrypt everything on the drive – Isolate the system, quarantine the threat, – Ongoing monitoring is important
– BitLocker, FileVault, etc. – Certificate status
rollback to a previous config Default password changes
• File level encryption • Systems out of compliance are quarantined – API driven, no user or technician • Every network device has a management interface
– Windows EFS – Private VLAN with limited access intervention required – Critical systems, other devices
• Application data encryption – Recheck after making corrections
Host-based firewall • Many applications also have management or
– Managed by the app Decommissioning • Software-based firewall maintenance interfaces
– Stored data is protected • Should be a formal policy – Personal firewall, runs on every endpoint – These can contain sensitive data
Monitoring – Don’t throw your data into the trash • Change default settings
– Someone will find this later • Allow or disallow incoming or outgoing
• Aggregate information from devices application traffic – Passwords
– Built-in sensors, separate devices • Mostly associated with storage devices – Control by application process • Add additional security
– Integrated into servers, switches, routers, firewalls, etc. – Hard drive – View all data – Require additional logon
• Sensors – SSD – Add 3rd-party authentication
– USB drives • Identify and block unknown processes
– Intrusion prevention systems, firewall logs, – Stop malware before it can start Removal of unnecessary software
authentication logs, web server access logs, database • Many options for physical devices • Manage centrally
– Recycle the device for use in another system • All software contains bugs
transaction logs, email logs – Some of those bugs are security vulnerabilities
– Destroy the device Finding intrusions
• Collectors • Host-based Intrusion • Every application seems to have a completely different
– Proprietary consoles (IPS, firewall), – Prevention System (HIPS) Recognize and block known patching process
– SIEM consoles, syslog servers attacks – Can be challenging to manage ongoing updates
– Many SIEMs include a correlation engine to compare – Secure OS and application configs, validate incoming • Remove all unused software
diverse sensor data service requests – Reduce your risk
2.5 - Hardening Techniques – Often built into endpoint protection software – An easy fix
System hardening Encryption
• Many and varied • Prevent access to application data files 3.1 - Cloud Infrastructures
– Windows, Linux, iOS, Android, et al. – File system encryption Cloud responsibility matrix Hybrid considerations
• Updates – Windows Encrypting File System (EFS) • IaaS, PaaS, SaaS, etc. • Hybrid cloud
– Operating system updates/service packs, security • Full disk encryption (FDE) – Who is responsible for security? – More than one public or private cloud
patches – Encrypt everything on the drive • Security should be well documented – This adds additional complexity
• User accounts – Windows BitLocker, Apple FileVault, etc. – Most cloud providers provide a matrix of • Network protection mismatches
– Minimum password lengths and complexity • Encrypt all network communication responsibilities – Authentication across platforms
– Account limitations – Virtual Private Networking (VPN) – Everyone knows up front – Firewall configurations
• Network access and security – Application encryption • These responsibilities can vary – Server settings
– Limit network access – Different cloud providers • Different security monitoring
• Monitor and secure – Contractual agreements – Logs are diverse and cloud-specific
– Anti-virus, anti-malware – Responsibility matrix example • Data leakage
– Data is shared across the public Internet

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 41 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 42 https://ProfessorMesser.com
 3.1 - Cloud Infrastructures (continued) 3.1 - Network Infrastructure Concepts
Third-party vendors in the cloud Serverless architecture Physical isolation SDN (Software Defined Networking)
• You, the cloud provider, and third parties • Function as a Service (FaaS) • Devices are physically separate • Networking devices have different functional
– Infrastructure technologies – Apps are separated into individual, autonomous functions – Air gap between Switch A and Switch B planes of operation
– Cloud-based appliances – Remove the operating system from the equation • Must be connected to provide communication – Data, control, and management planes
• Ongoing vendor risk assessments • Developer still creates the server-side logic – Direct connect, or another switch or router • Split the functions into separate logical units
– Part of an overall vendor risk management policy – Runs in a stateless compute container • Web servers in one rack – Extend the functionality and management of
• Include third-party impact for incident response • May be event triggered and ephemeral – Database servers on another a single device
– Everyone is part of the process – May only run for one event • Customer A on one switch, customer B on another – Perfectly built for the cloud
• Constant monitoring • Managed by a third-party – No opportunity for mixing data • Infrastructure layer / Data plane
– Watch for changes and unusual activity – All OS security concerns are at the third-party – Process the network frames and packets
Physical segmentation
– Forwarding, trunking, encrypting, NAT
Infrastructure as code Microservices and APIs • Separate devices
• Describe an infrastructure • Monolithic applications – Multiple units, separate infrastructure • Control layer / Control plane
– Define servers, network, and applications as code – One big application that does everything – Manages the actions of the data plane
Logical segmentation with VLANs – Routing tables, session tables, NAT tables
• Modify the infrastructure and create versions • Application contains all decision making processes • Virtual Local Area Networks (VLANs) – Dynamic routing protocol updates
– The same way you version application code – User interface, business logic, data input and output – Separated logically instead of physically
• Application layer / Management plane
• Use the description (code) to build other application • Code challenges – Cannot communicate between VLANs without a Layer
– Configure and manage the device
instances – Large codebase, change control challenges 3 device / router
– SSH, browser, API
– Build it the same way every time based on the code • APIs - Application Programming Interfaces
• An important concept for cloud computing • API is the “glue” for the microservices 3.1 - Other Infrastructure Concepts
– Build a perfect version every time – Work together to act as the application Attacks can happen anywhere Virtualization
• Scalable - Scale just the microservices you need • Two categories for IT security • Virtualization
• Resilient - Outages are contained – The on-premises data is more secure! – Run many different operating systems on
• Security and compliance - Containment is built-in – The cloud-based data is more secure! the same hardware
• Cloud-based security is centralized and costs less • Each application instance has its own
Responsibility matrix Monolithic architecture – No dedicated hardware, no data center to secure operating system
– A third-party handles everything – Adds overhead and complexity
On Client • On-premises puts the security burden on the client – Virtualization is relatively expensive
SaaS PaaS IaaS Prem – Data center security and infrastructure costs Application containerization
• Attackers want your data - They don’t care where it is • Container
Informa(on and Data – Contains everything you need to run an application
On-premises security
• Customize your security posture – Code and dependencies
Devices (Mobile and PCs) – Full control when everything is in-house – A standardized unit of software
• On-site IT team can manage security better • An isolated process in a sandbox
Accounts and Iden((es – The local team can ensure everything is secure – Self-contained
– A local team can be expensive and difficult to staff – Apps can’t interact with each other
Iden(ty and Database
• Local team maintains uptime and availability • Container image
Directory Infrastructure
– System checks can occur at any time – A standard for portability
Applica(ons Microservice
Microservice Architecture
architecture – No phone call for support – Lightweight, uses the host kernel
– Secure separation between applications
• Security changes can take time
Network Controls Client IoT (Internet of Things)
– New equipment, configurations, and additional costs
• Sensors
Centralized vs. decentralized
Opera(ng Systems – Heating and cooling, lighting
API Gateway • Most organizations are physically decentralized
– Many locations, cloud providers, operating systems, etc. • Smart devices
Physical Hosts – Home automation, video doorbells
• Difficult to manage and protect so many diverse systems
– Centralize the security management • Wearable technology
Physical Network – Watches, health monitors
Microservice Microservice Microservice
• A centralized approach
– Correlated alerts • Facility automation
Physical Datacenter – Consolidated log file analysis – Temperature, air quality, lighting
– Comprehensive system status and maintenance/patching • Weak defaults
• It’s not perfect – IOT manufacturers are not security professionals
Provider Managed Customer Managed Database Database Database
– Single point of failure, potential performance issues
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 43 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 44 https://ProfessorMesser.com
 3.1 - Other Infrastructure Concepts (continued) 3.1 - Infrastructure Considerations (continued)
SCADA / ICS Embedded systems Cost Ease of recovery
• Supervisory Control and Data Acquisition System • Hardware and software designed for a specific function • How much money is required? • Something will eventually go wrong
– Large-scale, multi-site Industrial Control Systems (ICS) – Or to operate as part of a larger system – Everything ultimately comes down to cost – Time is money
• PC manages equipment • Is built with only this task in mind – Initial installation – How easily can you recover?
– Power generation, refining, manufacturing equipment – Can be optimized for size and/or cost – Very different across platforms • Malware infection
– Facilities, industrial, energy, logistics • Common examples • Ongoing maintenance – Reload operating system from original media - 1 hour
• Distributed control systems – Traffic light controllers – Annual ongoing cost – Reload from corporate image - 10 minutes
– Real-time information – Digital watches • Replacement or repair costs • Another important design criteria
– System control – Medical imaging systems – You might need more than one – This may be critical to the final product
• Requires extensive segmentation High availability • Tax implications Patch availability
– No access from the outside • Redundancy doesn’t always mean always available – Operating or capital expense • Software isn’t usually static
RTOS (Real-Time Operating System) – May need to be powered on manually Responsiveness – Bug fixes, security updates, etc.
• An operating system with a deterministic processing • HA (high availability) • Request information • This is often the first task after installation
schedule – Always on, always available – Get a response – Make sure you’re running the latest version
– No time to wait for other processes • May include many different components working – How quickly did that happen? • Most companies have regular updates
– Industrial equipment, automobiles, together • Especially important for interactive applications – Microsoft’s monthly patch schedule
– Military environments – Active/Active can provide scalability advantages – Humans are sensitive to delays • Some companies rarely patch
• Extremely sensitive to security issues • Higher availability almost always means higher costs • Speed is an important metric – This might be a significant concern
– Non-trivial systems – There’s always another contingency you could add – All parts of the application contribute Inability to patch
– Need to always be available – Upgraded power, high-quality server components, etc. – There’s always a weakest link • What if patching wasn’t an option?
– Difficult to know what type of security is in place
Scalability – This happens more often than you might think
• How quickly and easily can we increase or • Embedded systems
Virtualized Applica2ons Containerized Applica2ons decrease capacity? – HVAC controls
– This might happen many times a day – Time clocks
Virtual Virtual Virtual – Elasticity • Not designed for end-user updates
Machine Machine Machine • There’s always a resource challenge – This is a bit short sighted

App G
App D
App A

App B

App C

App E

App F
– What’s preventing scalability? – Especially these days
App A App B App C • Needs to include security monitoring • May need additional security controls
– Increases and decreases as the system scales – A firewall for your time clock
Guest Guest Guest Ease of deployment Power
Opera5ng Opera5ng Opera5ng • An application has many moving parts • A foundational element
System System System Docker – Web server, database, caching server, firewall, etc. – This can require extensive engineering
• This might be an involved process • Overall power requirements
– Hardware resources, cloud budgets, change control – Data center vs. office building
Hypervisor Host Opera5ng System
• This might be very simple • Primary power
– Orchestration / automation – One or more providers
Infrastructure Infrastructure • Important to consider during the product • Backup services
engineering phase – UPS (Uninterruptible Power Supply)
– One missed detail can cause deployment issues – Generators
3.1 - Infrastructure Considerations Risk transference Compute
Availability Resilience • Many methods to minimize risk • An application’s heavy lifting
• System uptime • Eventually, something will happen – Transfer the risk to a third-party – More than just a single CPU
– Access data, complete transactions – Can you maintain availability? • Cybersecurity insurance • The compute engine
– A foundation of IT security – Can you recover? How quickly? – Attacks and downtime can be covered – More options available in the cloud
• A balancing act with security • Based on many different variables – Popular with the rise in ransomware • May be limited to a single processor
– Available, but only to the right people – The root cause • Recover internal losses – Easier to develop
• We spend a lot of time and money on availability – Replacement hardware installation – Outages and business downtime • Use multiple CPUs across multiple clouds
– Monitoring, redundant systems – Software patch availability • Protect against legal issues from customers – Additional complexity
• An important metric – Redundant systems – Limit the costs associated with legal proceedings – Enhanced scalability
– We are often evaluated on total available time • Commonly referenced as MTTR
– Mean Time to Repair
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 45 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 46 https://ProfessorMesser.com
 3.2 - Secure Infrastructures 3.2 - Intrusion Prevention
Device placement Attack surface Failure modes • Passive monitoring
• Every network is different • How many ways into your home? • We hope for 100% uptime – A copy of the network traffic is examined using a
– There are often similarities – Doors, windows, basements – This obviously isn’t realistic tap or port monitor
• Firewalls • Everything can be a vulnerability – Eventually, something will break – Data cannot be blocked in real-time
– Separate trusted from untrusted – Application code • Fail-open – Intrusion detection is commonly passive
– Provide additional security checks – Open ports – When a system fails, data continues to flow Intrusion Prevention System (IPS)
• Other services may require their own security technologies • Authentication process • Fail-closed • Intrusion Prevention System
– Honeypots, jump server, load balancers, sensors – Human error – When a system fails, data does not flow – Watch network traffic
Security zones • Minimize the surface Device connections • Intrusions
• Zone-based security technologies – Audit the code • Active monitoring – Exploits against operating systems, applications, etc.
– More flexible (and secure) than IP address ranges – Block ports on the firewall – System is connected inline – Buffer overflows, cross-site scripting, other vulnerabilities
• Each area of the network is associated with a zone – Monitor network traffic in real-time – Data can be blocked in real-time as it passes by • Detection vs. Prevention
– Trusted, untrusted Connectivity – Intrusion prevention is commonly active – Intrusion Detection System (IDS) – Alarm or alert
– Internal, external • Everything contributes to security – Prevention – Stop it before it gets into the network
– Inside, Internet, Servers, Databases, Screened – Including the network connection
• This simplifies security policies • Secure network cabling
– Trusted to Untrusted – Protect the physical drops Active monitoring The inline IPS can allow
Network traffic is sent
– Untrusted to Screened
– Untrusted to Trusted
• Application-level encryption
– The hard work has already been done 1 from the Internet to 2 or deny traffic in real-Ame
the core switch, which passes
• Network-level encryption
– IPsec tunnels, VPN connections through the IPS

Security zones

Internet Firewall IPS Core Switch

Passive monitoring
Network traffic is sent from client to
server through the network switch 1

A copy of
IPS 2 the traffic is
sent to the IDS/IPS
Switch

3.2 - Network Appliances

Jump server Proxies
• Access secure network zones • Sits between the users and the external network
– Provides an access mechanism to a protected network • Receives the user requests and sends the request on
• Highly-secured device their behalf (the proxy)
– Hardened and monitored • Useful for caching information, access control, URL
• SSH / Tunnel / VPN to the jump server filtering, content scanning
– RDP, SSH, or jump from there • Applications may need to know how to use the proxy
• A significant security concern (explicit)
– Compromise of the jump server is a significant breach • Some proxies are invisible (transparent)

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 47 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 48 https://ProfessorMesser.com
 3.2 - Network Appliances (continued) 3.2 - Network Appliances (continued)
Balancing the load Active/passive load balancing
• Distribute the load • Some servers are active
Forward Proxy – Multiple servers – Others are on standby
• An “internal proxy” – Invisible to the end-user • If an active server fails, the passive server takes its place
• Commonly used to • Large-scale implementations Sensors and collectors
protect and control Internet – Web server farms, database farms • Aggregate information from network devices
user access • Fault tolerance – Built-in sensors, separate devices
to the Internet – Server outages have no effect – Integrated into switches, routers, servers, firewalls, etc.
User Proxy – Very fast convergence • Sensors
www.example.com Active/active load balancing – Intrusion prevention systems, firewall logs,
• Configurable load - Manage across servers authentication logs, web server access logs,
Internal Network • TCP offload - Protocol overhead database transaction logs, email logs
• SSL offload - Encryption/Decryption • Collectors
• Caching - Fast response – Proprietary consoles (IPS, firewall),
– SIEM consoles, syslog servers
• Prioritization - QoS
– Many SIEMs include a correlation engine to compare
• Content switching - Application-centric balancing diverse sensor data
Reverse Proxy
• Inbound traffic from
the Internet to your Internet 3.2 - Port Security
internal service Port security IEEE 802.1X
Proxy Web Server • We’ve created many authentication methods through • IEEE 802.1X
www.example.com the years – Port-based Network Access Control (NAC)
– A network administrator has many choices – You don’t get access to the network until you
• Use a username and password authenticate
Internal Network – Other factors can be included • EAP (Extensible Authentication Protocol)
• Commonly used on wireless networks – 802.1X prevents access to the network until the
– Also works on wired networks authentication succeeds
EAP • Used in conjunction with an authentication database
Open Proxy • Extensible Authentication Protocol (EAP) – RADIUS, LDAP, TACACS+, Kerberos, etc.
• A third-party, – An authentication framework IEEE 802.1X and EAP
uncontrolled proxy • Supplicant - the client
• Can be a significant Internet Internet • Many different ways to authenticate based on RFC
standards • Authenticator - The device that provides access
security concern – Manufacturers can build their own EAP methods • Authentication server - Validates the client credentials
• Often used to Proxy • EAP integrates with 802.1X
circumvent existing
security controls www.example.com – Prevents access to the network until the
authentication succeeds

Application proxies Forward proxy

3.2 - Firewall Types
• One of the simplest “proxies” is NAT • An “internal proxy” The universal security control Network-based firewalls
– A network-level proxy – Commonly used to protect and control user access to • Standard issue • Filter traffic by port number or application
• Most proxies in use are application proxies the Internet – Home, office, and in your operating system – OSI layer 4 vs. OSI layer 7
– The proxy understands the way the application works • Control the flow of network traffic – Traditional vs. NGFW firewalls
Reverse proxy
• A proxy may only know one application • Inbound traffic from the Internet to your internal – Everything passes through the firewall • Encrypt traffic
– HTTP service • Corporate control of outbound and inbound data – VPN between sites
• Many proxies are multipurpose proxies – Sensitive materials • Most firewalls can be layer 3 devices (routers)
Open proxy
– HTTP, HTTPS, FTP, etc. • Control of inappropriate content – Often sits on the ingress/egress of the network
• A third-party, uncontrolled proxy
– Not safe for work, parental controls – Network Address Translation (NAT) functionality
– Can be a significant security concern
• Protection against evil – Authenticate dynamic routing communication
– Often used to circumvent existing security controls
– Anti-virus, anti-malware

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 49 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 50 https://ProfessorMesser.com
 3.2 - Firewall Types (continued) 3.2 - Secure Communication (continued)
UTM / All-in-one security appliance NGFWs Selection of effective controls • SD-WAN
• Unified Threat Management (UTM) / • Network-based Firewalls • Many different security options – Manage the network connectivity to the cloud
– Web security gateway – Control traffic flows based on the application – Selecting the right choice can be challenging – Does not adequately address security concerns
• URL filter / Content inspection – Microsoft SQL Server, Twitter, YouTube • VPN • SASE
– Malware inspection • Intrusion Prevention Systems – SSL/TLS VPN for user access – A complete network and security solution
• Spam filter – Identify the application – IPsec tunnels for site-to-site access – Requires planning and implementation
– CSU/DSU – Apply application-specific vulnerability signatures to
• Router, Switch the traffic
SSL/TLS VPN
– Firewall • Content filtering VPN concentrator

• IDS/IPS – URL filters

– Control website traffic by category
2 decrypts the tunneled
traffic and routes it Remote user creates
– Bandwidth shaper
– VPN endpoint Web application firewall (WAF)
into the corporate network
1 a secure tunnel to
the VPN concentrator
Next-generation firewall (NGFW) • Not like a “normal” firewall
• The OSI Application Layer – Applies rules to HTTP/HTTPS conversations Corporate
– All data in every packet • Allow or deny based on expected input Network
• Can be called different names – Unexpected input is a common method of exploiting
an application Remote
– Application layer gateway VPN Concentrator
User
– Stateful multilayer inspection • SQL injection
– Deep packet inspection – Add your own commands to an application’s SQL query 3 The process is reversed
for the return traffic
Internet

• Requires some advanced decodes • A major focus of Payment Card Industry Data Security
– Every packet must be analyzed and categorized Standard (PCI DSS)
before a security decision is determined Site-to-site Traffic is decrypted
Traffic is encrypted
in the VPN concentrator
IPsec VPN 1 as it passes through the 2 on the other side of
3.2 - Secure Communication local VPN concentrator
the tunnel

VPNs SSL/TLS VPN

• Virtual Private Networks • On-demand access from a remote device Corporate Remote
– Encrypted (private) data traversing a public network – Software connects to a VPN concentrator Network Site
• Concentrator • Some software can be configured as always-on
– Encryption/decryption access device Site-to-site IPsec VPN
– Often integrated into a firewall Firewall / Firewall /
• Always-on VPN Concentrator
VPN Concentrator
• Many deployment options – Or almost always
– Specialized cryptographic hardware • Firewalls often act as VPN concentrators
– Software-based options available – Probably already have firewalls in place
• Used with client software - Sometimes built into the OS Secure Access Service Edge (SASE)
SD-WAN
Encrypted tunnel • Software Defined Networking in a Wide Area Network
• Keep data private across the public Internet – A WAN built for the cloud
– Encryption is the key Public Cloud
• The data center used to be in one place
• Encrypt your data - Add new headers and trailers – The cloud has changed everything Secure Access Service Edge (SASE) Corporate
• Decrypt on the other side - Original data is delivered • Cloud-based applications communicate directly Offices
SSL/TLS VPN (Secure Sockets Layer VPN) to the cloud Network as a Service Security as a Service User Experience
• Uses common SSL/TLS protocol (tcp/443) – No need to hop through a central point
– (Almost) No firewall issues! Secure Access Service Edge (SASE) Data Center SD-WAN Zero Trust Network Access SASE client on all devices
• No big VPN clients • Update secure access for cloud services VPNs Cloud secure web gateway Automa.c connec.ons
– Usually remote access communication – Securely connect from different locations QoS Cloud access security broker Consistent process Home
Rou.ng Firewall as a Service Users
• Authenticate users • Secure Access Service Edge (SASE) SaaS
SaaS accelera.on DLP
– No requirement for digital certificates or shared – A “next generation” VPN DNS security
passwords (like IPSec) • Security technologies are in the cloud Threat preven.on
• Can be run from a browser or from a (usually light) – Located close to existing cloud services
VPN client • SASE clients on all devices Internet Mobile
– Across many operating systems – Streamlined and automatic Users

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 51 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 52 https://ProfessorMesser.com
 3.3 - Data Types and Classifications 3.3 - States of Data (continued)
Data types Classifying sensitive data Data sovereignty Geolocation
• Regulated • Not all data has the same level of categorization • Data sovereignty • Location details
– Managed by a third-party – License tag numbers vs. health records – Data that resides in a country is subject to the – Tracks within a localized area
– Government laws and statutes • Different levels require different security and handling laws of that country • Many ways to determine location
• Trade secret – Additional permissions – Legal monitoring, court orders, etc. – 802.11, mobile providers, GPS
– An organization’s secret formulas – A different process to view • Laws may prohibit where data is stored • Can be used to manage data access
– Often unique to an organization – Restricted network access – GDPR (General Data Protection Regulation) – Prevent access from other countries
• Intellectual property Data classifications – Data collected on EU citizens must be stored in the EU • Limit administrative tasks unless secure area is used
– May be publicly visible • Proprietary – A complex mesh of technology and legalities – Permit enhanced access when inside the building
– Copyright and trademark restrictions – Data that is the property of an organization • Where is your data stored?
• Legal information – May also include trade secrets – Your compliance laws may prohibit moving data
– Court records and documents, judge and attorney – Often data unique to an organization out of the country
information, etc. • PII - Personally Identifiable Information
– PII and other sensitive details – Data that can be used to identify an individual
– Usually stored in many different systems – Name, date of birth, mother’s maiden name, 3.3 - Protecting Data
• Financial information biometric information Geographic restrictions Hashing
– Internal company financial details • PHI - Protected Health Information • Network location • Represent data as a short string of text
– Customer financials – Health information associated with an individual – Identify based on IP subnet – A message digest, a fingerprint
– Payment records – Health status, health care records, payments for – Can be difficult with mobile devices • One-way trip
– Credit card data, bank records, etc. health care, and much more • Geolocation - determine a user’s location – Impossible to recover the original message from the digest
• Human-readable Data classifications – GPS - mobile devices, very accurate – Used to store passwords / confidentiality
– Humans can understand the data • Sensitive - Intellectual property, PII, PHI – 802.11 wireless, less accurate • Verify a downloaded document is the same as the original
– Very clear and obvious – IP address, not very accurate
• Confidential - Very sensitive, must be approved to view – Integrity
• Non-human readable • Geofencing
• Public / Unclassified - No restrictions on viewing the data • Can be a digital signature
– Not easily understood by humans – Automatically allow or restrict access when the
• Private / Classified / Restricted – Authentication, non-repudiation, and integrity
– Encoded data user is in a particular location
– Restricted access, may require an NDA – Will not have a collision (hopefully)
– Barcodes – Don’t allow this app to run unless you’re near
• Critical - Data should always be available – Different messages will not have the same hash
– Images the office
• Some formats are a hybrid Obfuscation
Protecting data • Obfuscate
– CSV, XML, JSON, etc.
• A primary job task – Make something normally understandable very difficult to
3.3 - States of Data – An organization is out of business without data understand
• Data is everywhere • Take perfectly readable code and turn it into nonsense
Data at rest Data in use
– On a storage drive, on the network, in a CPU – The developer keeps the readable code and gives you the
• The data is on a storage device • Data is actively processing in memory
– Hard drive, SSD, flash drive, etc. – System RAM, CPU registers and cache • Protecting the data chicken scratch
– Encryption, security policies – Both sets of code perform exactly the same way
• Encrypt the data • The data is almost always decrypted
– Whole disk encryption – Otherwise, you couldn’t do anything with it • Data permissions • Helps prevent the search for security holes
– Database encryption – Not everyone has the same access – Makes it more difficult to figure out what’s happening
• The attackers can pick the decrypted information out of
– File- or folder-level encryption Encryption – But not impossible
RAM
• Apply permissions – A very attractive option • Encode information into unreadable data Masking
– Access control lists • Target Corp. breach - November 2013 – Original information is plaintext, encrypted form • A type of obfuscation
– Only authorized users can access the data – 110 million credit cards is ciphertext – Hide some of the original data
Data in transit – Data in-transit encryption and data at-rest encryption • This is a two-way street • Protects PII
• Data transmitted over the network – Attackers picked the credit card numbers out of the – Convert between one and the other – And other sensitive data
– Also called data in-motion point-of-sale RAM – If you have the proper key • May only be hidden from view
• Not much protection as it travels • Confusion – The data may still be intact in storage
– Many different switches, routers, devices – The encrypted data is drastically different than – Control the view based on permissions
the plaintext • Many different techniques
• Network-based protection
– Firewall, IPS – Substituting, shuffling, encrypting, masking out, etc.
• Provide transport encryption
– TLS (Transport Layer Security)
– IPsec (Internet Protocol Security)
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 53 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 54 https://ProfessorMesser.com
 3.3 - Protecting Data (continued) 3.4 - Resiliency (continued)
Tokenization Permission restrictions Warm site Multi-cloud systems
• Replace sensitive data with a non-sensitive placeholder • Control access to an account • Somewhere between cold and hot • There are many cloud providers
– SSN 266-12-1112 is now 691-61-8539 – It’s more than just username and password – Just enough to get going – Amazon Web Service, Microsoft Azure,
• Common with credit card processing – Determine what policies are best for an organization • Big room with rack space Google Cloud, etc.
– Use a temporary token during payment • The authentication process – You bring the hardware • Plan for cloud outages
– An attacker capturing the card numbers can’t use – Password policies • Hardware is ready and waiting – These can sometimes happen
them later – Authentication factor policies – You bring the software and data • Data is both geographically dispersed and
• This isn’t encryption or hashing – Other considerations – Geographic dispersion cloud service dispersed
– The original data and token aren’t mathematically • Permissions after login • These sites should be physically different than the – A breach with one provider would not affect the
related – Another line of defense organization’s primary location others
– No encryption overhead – Prevent unauthorized access – Many disruptions can affect a large area – Plan for every contingency
Segmentation – Hurricane, tornado, floods, etc. Continuity of operations planning (COOP)
• Many organizations use a single data source • Can be a logistical challenge • Not everything goes according to plan
– One large database – Transporting equipment – Disasters can cause a disruption to the norm
• One breach puts all of the data at risk – Getting employee’s on-site • We rely on our computer systems
– You’re making it easy for the attacker – Getting back to the main office – Technology is pervasive
• Separate the data Platform diversity • There needs to be an alternative
– Store it in different locations • Every operating system contains potential security issues – Manual transactions
• Sensitive data should have stronger security – You can’t avoid them – Paper receipts
– The most sensitive data should be the most secure • Many security vulnerabilities are specific to a single OS – Phone calls for transaction approvals
– Windows vulnerabilities don’t commonly affect Linux • These must be documented and tested before a
or macOS problem occurs
3.4 - Resiliency – And vice versa
High availability Site resiliency • Use many different platforms
• Redundancy doesn’t always mean always available • Recovery site is prepped – Different applications, clients, and OSes
– May need to be powered on manually – Data is synchronized – Spread the risk around
• HA (high availability) • A disaster is called
– Always on, always available – Business processes failover to the alternate
• May include many different components processing site
working together • Problem is addressed 3.4 - Capacity Planning
– Active/Active can provide scalability advantages – This can take hours, weeks, or longer Capacity planning Technology
• Higher availability almost always means higher costs • Revert back to the primary location • Match supply to the demand • Pick a technology that can scale
– There’s always another contingency you could add – The process must be documented for – This isn’t always an obvious equation – Not all services can easily grow and shrink
– Upgraded power, high-quality server components, etc. both directions • Too much demand • Web services
Server clustering Hot site – Application slowdowns and outages – Distribute the load across multiple web services
• Combine two or more servers • An exact replica • Too much supply • Database services
– Appears and operates as a single large server – Duplicate everything – You’re paying too much – Cluster multiple SQL servers
– Users only see one device • Stocked with hardware • Requires a balanced approach – Split the database to increase capacity
• Easily increase capacity and availability – Constantly updated – Add the right amount of people • Cloud services
– Add more servers to the cluster – You buy two of everything – Apply appropriate technology – Services on demand
• Usually configured in the operating system • Applications and software are constantly updated – Build the best infrastructure – Seemingly unlimited resources (if you pay the money)
– All devices in the cluster commonly use the same OS – Automated replication People Infrastructure
Load balancing • Flip a switch and everything moves • Some services require human intervention • The underlying framework
• Load is distributed across multiple servers – This may be quite a few switches – Call center support lines – Application servers, network services, etc.
– The servers are often unaware of each other Cold site – Technology services – CPU, network, storage
• Distribute the load across multiple devices • No hardware • Too few employees • Physical devices
– Can be different operating systems – Empty building – Recruit new staff – Purchase, configure, and install
• The load balancer adds or removes devices • No data – It may be time consuming to add more staff • Cloud-based devices
– Add a server to increase capacity – Bring it with you • Too many employees – Easier to deploy
– Remove any servers not responding • No people – Redeploy to other parts of the organization – Useful for unexpected capacity changes
– Bus in your team – Downsize

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 55 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 56 https://ProfessorMesser.com
 3.4 - Recovery Testing 3.4 - Backups (continued)
Recovery testing Simulation Snapshots
• Test yourselves before an actual event • Test with a simulated event • Became popular on virtual machines
– Scheduled update sessions (annual, semi-annual, etc.) – Phishing attack, password requests, data breaches – Very useful in cloud environments
• Use well-defined rules of engagement • Going phishing • Take a snapshot
– Do not touch the production systems – Create a phishing email attack – An instant backup of an entire system
• Very specific scenario – Send to your actual user community – Save the current configuration and data
– Limited time to run the event – See who bites • Take another snapshot after 24 hours
• Evaluate response • Test internal security – Contains only the changes between snapshots
– Document and discuss – Did the phishing get past the filter? • Take a snapshot every day
Tabletop exercises • Test the users – Revert to any snapshot
• Performing a full-scale disaster drill can be costly – Who clicked? – Very fast recovery
– And time consuming – Additional training may be required Recovery testing
• Many of the logistics can be determined through analysis Parallel processing • It’s not enough to perform the backup
– You don’t physically have to go through a disaster or drill • Split a process through multiple (parallel) CPUs – You have to be able to restore
• Get key players together for a tabletop exercise – A single computer with multiple CPU cores or • Disaster recovery testing
– Talk through a simulated disaster multiple physical CPUs – Simulate a disaster situation
– Multiple computers – Restore from backup
Fail over
• Improved performance • Confirm the restoration
• A failure is often inevitable
– Split complex transactions across – Test the restored application and data
– It’s “when,” not “if”
multiple processors • Perform periodic audits
• We may be able to keep running
• Improved recovery – Always have a good backup
– Plan for the worst
– Quickly identify a faulty system – Weekly, monthly, quarterly checks
• Create a redundant infrastructure – Take the faulty device out of the list of available
– Multiple routers, firewalls, switches, etc. Replication
processors Journaling
• If one stops working, fail over to the operational unit • An ongoing, almost real-time backup
– Continue operating with the remaining processors • Power goes out while writing data to storage
– Many infrastructure devices and services can do this – Keep data synchronized in multiple locations
– The stored data is probably corrupted
automatically • Data is available
• Recovery could be complicated
– There’s always a copy somewhere
3.4 - Backups – Remove corrupted files, restore from backup
• Data can be stored locally to all users
• Before writing to storage, make a journal entry
Backups Frequency – Replicate data to all remote sites
– After the journal is written, write the data to storage
• Incredibly important • How often to backup • Data is recoverable
– Recover important and valuable data – Every week, day, hour? • After the data is written to storage, update the journal
– Disasters can happen at any time
– Plan for disaster – Clear the entry and get ready for the next
• This may be different between systems
• Many different implementations – Some systems may not change much each day
– Total amount of data • May have multiple backup sets
– Type of backup – Daily, weekly, and monthly 3.4 - Power Resiliency
– Backup media • This requires significant planning Power resiliency • UPS types
– Storage location – Multiple backup sets across different days • Power is the foundation of our technology – Offline/Standby UPS
– Backup and recovery software – Lots of media to manage – It’s important to properly engineer and plan for outages – Line-interactive UPS
– Day of the week – On-line/Double-conversion UPS
Encryption • We usually don’t make our own power
Onsite vs. offsite backups • A history of data is on backup media – Power is likely provided by third-parties • Features
• On site backups – Some of this media may be offsite – We can’t control power availability – Auto shutdown, battery capacity, outlets,
– No Internet link required • There are ways to mitigate power issues phone line suppression
• This makes it very easy for an attacker
– Data is immediately available – Short power outages
– All of the data is in one place Generators
– Generally less expensive than off site – Long-term power issues
• Protect backup data using encryption • Long-term power backup
• Off site backups – Fuel storage required
– Everything on the backup media is unreadable UPS
– Transfer data over Internet or WAN link
– The recovery key is required to restore the data • Uninterruptible Power Supply • Power an entire building
– Data is available after a disaster
• Especially useful for cloud backups and storage – Short-term backup power – Some power outlets may be marked
– Restoration can be performed from anywhere
– Prevent anyone from eavesdropping – Blackouts, brownouts, surges as generator-powered
• Organizations often use both
• It may take a few minutes to get the generator
– More copies of the data
up to speed
– More options when restoring
– Use a battery UPS while the generator is starting
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 57 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 58 https://ProfessorMesser.com
 4.1 - Secure Baselines 4.1 - Hardening Targets (continued)
Secure baselines Deploy baselines Servers • Can be difficult to upgrade
• The security of an application environment should be • We now have established detailed security baselines • Many and varied – Watches and televisions are relatively easy
well defined – How do we put those baselines into action? – Windows, Linux, iOS, Android, etc. – Other devices may not be easily modified
– All application instances must follow this baseline • Deploy the baselines • Updates • Correct vulnerabilities
– Firewall settings, patch levels, OS file versions – Usually managed through a centrally – Operating system updates/service packs, – Security patches remove potential threats
– May require constant updates administered console security patches • Segment and firewall
• Integrity measurements check for the secure baseline • May require multiple deployment mechanisms • User accounts – Prevent access from unauthorized users
– These should be performed often – Active Directory group policy, MDM, etc. – Minimum password lengths and complexity RTOS (Real-Time Operating System)
– Check against well-documented baselines • Automation is the key – Account limitations • An operating system with a deterministic processing
– Failure requires an immediate correction – Deploy to hundreds or thousands of devices • Network access and security schedule
Establish baselines Maintain baselines – Limit network access – No time to wait for other processes
• Create a series of baselines • Many of these are best practices • Monitor and secure – Industrial equipment, automobiles, military
– Foundational security policies – They rarely change – Anti-virus, anti-malware environments
• Security baselines are often available from the • Other baselines may require ongoing updates SCADA / ICS • Isolate the system
manufacturer – A new vulnerability is discovered • Supervisory Control and Data Acquisition System – Prevent access from other areas
– Application developer – An updated application has been deployed – Large-scale, multi-site Industrial Control Systems (ICS) • Run with the minimum services
– Operating system manufacturer – A new operating system is installed – Prevent the potential for exploit
• PC manages equipment
– Appliance manufacturer
• Test and measure to avoid conflicts – Power generation, refining, manufacturing equipment • Use secure communication
• Many operating systems have extensive options – Some baselines may contradict others – Facilities, industrial, energy, logistics – Protect with a host-based firewall
– There are over 3,000 group policy settings in Windows 10 – Enterprise environments are complex • Distributed control systems IoT devices
– Only some of those are associated with security
– Real-time information • Heating and cooling, lighting, home automation,
– System control wearable technology, etc.
4.1 - Hardening Targets • Requires extensive segmentation • Weak defaults
Hardening targets Network infrastructure devices – No access from the outside – IOT manufacturers are not security professionals
• No system is secure with the default configurations • Switches, routers, etc. Embedded systems – Change those passwords
– You need some guidelines to keep everything safe – You never see them, but they’re always there • Hardware and software designed for a • Deploy updates quickly
• Hardening guides are specific to the software or • Purpose-built devices specific function – Can be a significant security concern
platform – Embedded OS, limited OS access – Or to operate as part of a larger system • Segmentation - Put IoT devices on their own VLAN
– Get feedback from the manufacturer or • Configure authentication
Internet interest group – Don’t use the defaults
– They’ll have the best details
• Other general-purpose guides are available online
• Check with the manufacturer 4.1 - Securing Wireless and Mobile
– Security updates
– Not usually updated frequently Site surveys Mobile Device Management (MDM)
Mobile devices
– Updates are usually important • Determine existing wireless landscape • Manage company-owned and user-owned mobile devices
• Always-connected mobile technologies
– Sample the existing wireless spectrum – BYOD - Bring Your Own Device
– Phones, tablets, etc. Cloud infrastructure
– Hardening checklists are available from manufacturers • Identify existing access points • Centralized management of the mobile devices
• Secure the cloud management workstation
– You may not control all of them – Specialized functionality
• Updates are critical – The keys to the kingdom
– Bug fixes and security patches • Work around existing frequencies • Set policies on apps, data, camera, etc.
• Least privilege
– Prevent any known vulnerabilities – Layout and plan for interference – Control the remote device
– All services, network settings, application rights
• Plan for ongoing site surveys – The entire device or a “partition”
• Segmentation can protect data and permissions
– Company and user data are separated – Things will certainly change • Manage access control
• Configure Endpoint Detection and Response (EDR)
• Heat maps – Force screen locks and PINs on these single user devices
• Control with an MDM - Mobile Device Manager – All devices accessing the cloud should be secure
– Identify wireless signal strengths BYOD
Workstations • Always have backups
– Cloud to Cloud (C2C) Wireless survey tools • Bring Your Own Device
• User desktops and laptops - Windows, macOS, Linux, etc.
• Signal coverage – Bring Your Own Technology
• Constant monitoring and updates
• Potential interference • Employee owns the device
– Operating systems, applications, firmware, etc.
• Built-in tools – Need to meet the company’s requirements
• Automate the monthly patches
• 3rd-party tools • Difficult to secure
– There’s likely an existing process
– It’s both a home device and a work device
• Connect to a policy management system • Spectrum analyzer
– How is data protected?
– Active Directory group policy – What happens to the data when a device is sold or
• Remove unnecessary software - Limit the threats traded in?
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 59 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 60 https://ProfessorMesser.com
 4.1 - Securing Wireless and Mobile (continued) 4.1 - Wireless Security Settings (continued)
COPE Wi-Fi Wireless authentication methods RADIUS (Remote Authentication Dial-in User Service)
• Corporate owned, personally enabled • Local network access • Gain access to a wireless network • One of the more common AAA protocols
– Company buys the device – Local security problems – Mobile users, temporary users – Supported on a wide variety of platforms and devices
– Used as both a corporate device and a personal device • Same security concerns as other Wi-Fi devices • Credentials – Not just for dial-in
• Organization keeps full control of the device • Data capture – Shared password / pre-shared key (PSK) • Centralize authentication for users
– Similar to company-owned laptops and desktops – Encrypt your data! – Centralized authentication (802.1X) – Routers, switches, firewalls
– Information is protected using corporate policies • On-path attack • Configuration – Server authentication
– Information can be deleted at any time – Modify and/or monitor data – Part of the wireless network connection – Remote VPN access
• CYOD - Choose Your Own Device • Denial of service – Prompted during the connection process – 802.1X network access
– Similar to COPE, but with the user’s choice of device – Frequency interference Wireless security modes • RADIUS services available on almost any server
Cellular networks • Configure the authentication on your wireless access operating system
Bluetooth
• Mobile devices • High speed communication over short distances point / wireless router IEEE 802.1X
– “Cell” phones – PAN (Personal Area Network) • Open System • Port-based Network Access Control (NAC)
– 4G, 5G • Connects our mobile devices – No authentication password is required – You don’t get access to the network until you
• Separate land into “cells” – Smartphones • WPA3-Personal / WPA3-PSK authenticate
– Antenna coverages a cell with certain frequencies – Tethering – WPA2 or WPA3 with a pre-shared key • Used in conjunction with an access database
• Security concerns – Headsets and headphones – Everyone uses the same 256-bit key – RADIUS, LDAP, TACACS+
– Traffic monitoring – Health monitors • WPA3-Enterprise / WPA3-802.1X EAP
– Location tracking – Automobile and phone integration – Authenticates users individually with an • Extensible Authentication Protocol (EAP)
– Worldwide access to a mobile device – Smartwatches authentication server (i.e., RADIUS) – An authentication framework
– External speakers AAA framework • Many different ways to authenticate based on
• Identification RFC standards
4.1 - Wireless Security Settings – Manufacturers can build their own EAP methods
– This is who you claim to be - Usually your username
Securing a wireless network WPA3 and GCMP • Authentication • EAP integrates with 802.1X
• An organization’s wireless network can contain • Wi-Fi Protected Access 3 (WPA3) – Prove you are who you say you are – Prevents access to the network until the
confidential information – Introduced in 2018 – Password and other authentication factors authentication succeeds
– Not everyone is allowed access • GCMP block cipher mode • Authorization IEEE 802.1X and EAP
• Authenticate the users before granting access – Galois/Counter Mode Protocol – Based on your identification and authentication, • Supplicant - the client
– Who gets access to the wireless network? – A stronger encryption than WPA2 what access do you have?
– Username, password, multi-factor authentication • Authenticator - The device that provides access
• GCMP security services • Accounting
• Ensure that all communication is confidential – Data confidentiality with AES • Authentication server - Validates the client credentials
– Resources used: Login time, data sent and received,
– Encrypt the wireless data – Message Integrity Check (MIC) with logout time
• Verify the integrity of all communication – Galois Message Authentication Code (GMAC)
– The received data should be identical to the original SAE 4.1 - Application Security
sent data • WPA3 changes the PSK authentication process Secure coding concepts Secure cookies
– A message integrity check (MIC) – Includes mutual authentication • A balance between time and quality • Information stored on your computer by the browser
The WPA2 PSK problem – Creates a shared session key without sending that – Programming with security in mind is often secondary • Used for tracking, personalization, session management
• WPA2 has a PSK brute-force problem key across the network • Testing, testing, testing – Not executable, not generally a security risk
– Listen to the four-way handshake – No more four-way handshakes, no hashes, no – The Quality Assurance (QA) process – Unless someone gets access to them
– Some methods can derive the PSK hash without the brute force attacks
• Vulnerabilities will eventually be found • Secure cookies have a Secure attribute set
handshake • Simultaneous Authentication of Equals (SAE) – And exploited – Browser will only send it over HTTPS
– Capture the hash – A Diffie-Hellman derived key exchange with an
authentication component Input validation • Sensitive information should not be saved in a cookie
• With the hash, attackers can brute force the – This isn’t designed to be secure storage
pre-shared key (PSK) – Everyone uses a different session key, even with • What is the expected input?
the same PSK – Validate actual vs. expected
• This has become easier as technology improves
– A weak PSK is easier to brute force – An IEEE standard - the dragonfly handshake • Document all input methods - Forms, fields, type
– GPU processing speeds • Check and correct all input (normalization)
– Cloud-based password cracking – A zip code should be only X characters long with a
• Once you have the PSK, you have everyone’s wireless letter in the X column
key – Fix any data with improper input
– There’s no forward secrecy • The fuzzers will find what you missed
– Don’t give them an opening
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 61 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 62 https://ProfessorMesser.com
 4.1 - Application Security (continued) 4.2 - Asset Management (continued)
Static code analyzers Sandboxing Physical destruction Data retention
• Static Application Security Testing (SAST) • Applications cannot access unrelated resources • Shredder / pulverizer • Backup your data
– Help to identify security flaws – They play in their own sandbox – Heavy machinery - complete destruction – How much and where?
• Many security vulnerabilities found easily • Commonly used during development • Drill / Hammer – Copies, versions of copies, lifecycle of data,
– Buffer overflows, database injections, etc. – Can be a useful production technique – Quick and easy purging old data
• Not everything can be identified through analysis • Used in many different deployments – Platters, all the way through • Regulatory compliance
– Authentication security, insecure cryptography, etc. – Virtual machines • Electromagnetic (degaussing) – A certain amount of data backup may be required
– Don’t rely on automation for everything – Mobile devices – Remove the magnetic field – Emails, corporate financial data
• Still have to verify each finding – Browser iframes (Inline Frames) – Destroys the drive data and renders the drive unusable • Operational needs
– False positives are an issue – Windows User Account Control (UAC) • Incineration – Accidental deletion
Application security monitoring – Fire hot. – Disaster recovery
Code signing
• An application is deployed • Real-time information Certificate of destruction • Differentiate by type and application
– Users run application executable or scripts – Application usage, access demographics • Destruction is often done by a 3rd party – Recover the data you need when you need it
• So many security questions • View blocked attacks – How many drills and degaussers do you have?
– Has the application been modified in any way? – SQL injection attempts, patched vulnerabilities • Need confirmation that your data is destroyed
– Can you confirm that the application was written by a • Audit the logs – Service should include a certificate
specific developer? – Find the information gathering and hidden attacks • A paper trail of broken data
• The application code can be digitally signed by the • Anomaly detection – You know exactly what happened
developer – Unusual file transfers
– Asymmetric encryption – Increase in client access 4.3 - Vulnerability Scanning
– A trusted CA signs the developer’s public key Vulnerability scanning Fuzzing engines and frameworks
– Developer signs the code with their private key • Usually minimally invasive • Many different fuzzing options
– For internal apps, use your own CA – Unlike a penetration test – Platform specific, language specific, etc.
• Port scan • Very time and processor resource heavy
– Poke around and see what’s open – Many, many different iterations to try
4.2 - Asset Management • Identify systems – Many fuzzing engines use high-probability tests
– And security devices • Carnegie Mellon Computer
Acquisition/procurement process Monitoring / asset tracking – Emergency Response Team (CERT)
• Test from the outside and inside
• The purchasing process • Inventory every asset – CERT Basic Fuzzing Framework (BFF)
– Don’t dismiss insider threats
– Multi-step process for requesting and obtaining – Laptops, desktops, servers, routers, switches, cables, – https://professormesser.link/bff
goods and services fiber modules, tablets, etc. • Gather as much information as possible
– We’ll separate wheat from chaff later Package monitoring
• Start with a request from the user • Associate a support ticket with a device make and model
Static code analyzers • Some applications are distributed in a package
– Usually includes budgeting information and formal – Can be more detailed than a user’s description
– Especially open source
approvals • Enumeration • Static Application Security Testing (SAST)
– Supply chain integrity
• Negotiate with suppliers – List all parts of an asset – Help to identify security flaws
• Confirm the package is legitimate
– Terms and conditions – CPU, memory, storage drive, keyboard, mouse • Many security vulnerabilities found easily
– Trusted source
• Purchase, invoice, and payment • Add an asset tag – Buffer overflows, database injections, etc.
– No added malware
– The money part – Barcode, RFID, visible tracking number, organization name • Not everything can be identified through analysis – No embedded vulnerabilities
Assignment/accounting – Media sanitization – Authentication security, insecure cryptography, etc.
• Confirm a safe package before deployment
• A central asset tracking system • System disposal or decommissioning – Don’t rely on automation for everything
– Verify the contents
– Used by different parts of the organization – Completely remove data • Still have to verify each finding
• Ownership – No usable information remains – False positives are an issue
– Associate a person with an asset • Different use cases Dynamic analysis (fuzzing)
– Useful for tracking a system – Clean a hard drive for future use • Send random input to an application
• Classification – Permanently delete a single file – Fault-injecting, robustness testing, syntax testing,
– Type of asset • A one-way trip negative testing
– Hardware (capital expenditure) – Once it’s gone, it’s really gone • Looking for something out of the ordinary
– Software (operating expenditure) – No recovery with forensics tools – Application crash, server error, exception
• Reuse the storage media • 1988 class project at the University of Wisconsin
– Ensure nothing is left behind – “Operating System Utility Program Reliability”
– Professor Barton Miller
– The Fuzz Generator
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 63 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 64 https://ProfessorMesser.com
 4.3 - Threat Intelligence 4.3 - Penetration Testing
Threat intelligence Information-sharing organization The process Responsible disclosure program
• Research the threats • Public threat intelligence • Initial exploitation • It takes time to fix a vulnerability
– And the threat actors – Often classified information – Get into the network – Software changes, testing, deployment, etc.
• Data is everywhere • Private threat intelligence • Lateral movement • Bug bounty programs
– Hacker group profiles, tools used by the attackers, – Private companies have extensive resources – Move from system to system – A reward for discovering vulnerabilities
and much more • Need to share critical security details – The inside of the network is relatively unprotected – Earn money for hacking a system
• Make decisions based on this intelligence – Real-time, high-quality cyber threat information sharing • Persistence – Document the vulnerability to earn cash
– Invest in the best prevention • Cyber Threat Alliance (CTA) – Once you’re there, you need to make sure there’s a way back in • A controlled information release
• Used by researchers, security operations teams, – Members upload specifically formatted – Set up a backdoor, build user accounts, change or verify – Researcher reports the vulnerability
and others threat intelligence default passwords – Manufacturer creates a fix
Open-source intelligence (OSINT) – CTA scores each submission and validates across • The pivot – The vulnerability is announced publicly
• Open-source other submissions – Gain access to systems that would normally not be accessible
– Publicly available sources - A good place to start – Other members can extract the validated data – Use a vulnerable system as a proxy or relay
• Internet - Discussion groups, social media Dark web intelligence
• Government data • Dark web
– Mostly public hearings, reports, websites, etc. – Overlay networks that use the Internet 4.3 - Analyzing Vulnerabilities
– Requires specific software and configurations to access Dealing with false information CVE
• Commercial data
– Maps, financial reports, databases • Hacking groups and services • False positives • The vulnerabilities can be cross-referenced online
– Activities – A vulnerability is identified that doesn’t really exist – Almost all scanners give you a place to go
Proprietary/third-party intelligence – Tools and techniques
• Someone else has already compiled the threat • This is different than a low-severity vulnerability • National Vulnerability Database: http://nvd.nist.gov/
– Credit card sales – It’s real, but it may not be your highest priority – Common Vulnerabilities and Exposures (CVE):
information - You can buy it – Accounts and passwords
• False negatives – https://cve.mitre.org/cve/
• Threat intelligence services • Monitor forums for activity
– Threat analytics – A vulnerability exists, but you didn’t detect it • Microsoft Security Bulletins:
– Company names, executive names – https://www.microsoft.com/technet/security/
– Correlation across different data sources • Update to the latest signatures
– If you don’t know about it, you can’t see it current.aspx
• Constant threat monitoring
– Identify new threats • Work with the vulnerability detection manufacturer • Some vulnerabilities cannot be definitively identified
– Create automated prevention workflows – They may need to update their signatures for your – You’ll have to check manually to see if a system is
environment vulnerable
– The scanner gives you a heads-up
4.3 - Penetration Testing Prioritizing vulnerabilities
• Not every vulnerability shares the same priority Vulnerability classification
Penetration testing Exploiting vulnerabilities • The scanner looks for everything
• Pentest - Simulate an attack • Try to break into the system – Some may not be significant
– Others may be critical – Well, not everything - The signatures are the key
• Similar to vulnerability scanning – Be careful; this can cause a denial of service or
loss of data • This may be difficult to determine • Application scans
– Except we actually try to exploit the vulnerabilities – Desktop, mobile apps
– Buffer overflows can cause instability – The research has probably already been done
• Often a compliance mandate • Web application scans
– Regular penetration testing by a 3rd-party – Gain privilege escalation • Refer to public disclosures and vulnerability databases
• You may need to try many different vulnerability types – The industry is well versed – Software on a web server
• National Institute of Standards and Technology • Network scans
– Password brute-force – Online discussion groups, public disclosure mailing lists
– Technical Guide to Information Security – Misconfigured firewalls, open ports, vulnerable
– Testing and Assessment – Social engineering CVSS
– Database injections • National Vulnerability Database: http://nvd.nist.gov/ devices
– https://professormesser.link/800115 (PDF download)
– Buffer overflows – Synchronized with the CVE list Exposure factor
Rules of engagement • Loss of value or business activity if the
• You’ll only be sure you’re vulnerable if you – Enhanced search functionality
• An important document vulnerability is exploited
can bypass security • Common Vulnerability Scoring System (CVSS)
– Defines purpose and scope – Usually expressed as a percentage
– If you can get through, the attackers can get through – Quantitative scoring of a vulnerability - 0 to 10
– Makes everyone aware of the test parameters
– The scoring standards change over time • A small DDoS may limit access to a service
• Type of testing and schedule – 50% exposure factor
– Different scoring for CVSS 2.0 vs CVSS 3.x
– On-site physical breach, internal test, external test
– Normal working hours, after 6 PM only, etc. • Industry collaboration • A buffer overflow may completely disable a service
– Enhanced feed sharing and automation – 100% exposure factor
• The rules
– IP address ranges • A consideration when prioritizing
– Emergency contacts – Worst possible outcome probably gets priority
– How to handle sensitive information
– In-scope and out-of-scope devices or applications
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 65 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 66 https://ProfessorMesser.com
 4.3 - Analyzing Vulnerabilities (continued) 4.3 - Vulnerability Remediation (continued)
Environmental variables Risk tolerance Exceptions and exemptions • Audit
• What type of environment is associated with this • The amount of risk acceptable to an organization • Removing the vulnerability is optimal – Check remediated systems to ensure the patch
vulnerability? – It’s impractical to remove all risk – But not everything can be patched was successfully deployed
– Internal server, public cloud, test lab • The timing of security patches • A balancing act • Verification
• Prioritization and patching frequency – Patching immediately doesn’t allow for proper – Provide the service, but also protect the data and – Manually confirm the security of the system
– A device in an isolated test lab testing systems Reporting
– A database server in the public cloud • Testing takes time • Not all vulnerabilities share the same severity • Ongoing checks are required
– Which environment gets priority? – While you’re testing, you’re also vulnerable – May require local login, physical access, or other criteria – New vulnerabilities are continuously discovered
• Every environment is different • There’s a middle ground • An exception may be an option • Difficult (or impossible) to manage without
– Number and type of users (internal, external) – May change based on the severity – Usually a formal process to approve automation
– Revenue generating application – Manual checks would be time consuming
Validation of remediation
– Potential for exploit
• The vulnerability is now patched • Continuous reporting
Industry/organizational impact – Does the patch really stop the exploit? – Number of identified vulnerabilities
• Some exploits have significant consequences – Did you patch all vulnerable systems? – Systems patched vs. unpatched
– The type of organization is an important consideration • Rescanning – New threat notifications
• Tallahassee Memorial HealthCare - February 2023 – Perform an extensive vulnerability scan – Errors, exceptions, and exemptions
– Ransomware - closed for two weeks
– Diverted emergency cases, surgeries canceled 4.4 - Security Monitoring
• Power utilities - Salt Lake City, LA County CA - March 2019
Security monitoring Scanning
– DDoS attacks from an unpatched known vulnerability
• The attackers never sleep - 24/7/365 • A constantly changing threat landscape
• Monitor all entry points – New vulnerabilities discovered daily
4.3 - Vulnerability Remediation – Logins, publicly available services, data storage – Many different business applications and services
Patching Segmentation locations, remote access – Systems and people are always moving
• The most common mitigation technique • Limit the scope of an exploit • React to security events • Actively check systems and devices
– We know the vulnerability exists – Separate devices into their own networks/VLANs – Account access, firewall rulebase, additional scanning – Operating system types and versions
– We have a patch file to install • A breach would have limited scope – Device driver versions
• Status dashboards
• Scheduled vulnerability/patch notices – It’s not as bad as it could be – Get the status of all systems at a glance – Installed applications
– Monthly, quarterly • Can’t patch? – Potential anomalies
Monitoring computing resources
• Unscheduled patches – Disconnect from the world • Gather the raw details
• Systems
– Zero day, often urgent – Air gaps may be required – A valuable database of information
– Authentication - logins from strange places
• This is an ongoing process • Use internal NGFWs – Server monitoring - Service activity, backups, software Reporting
– The patches keep coming – Block unwanted/unnecessary traffic between VLANs versions • Analyze the collected data
– An easy way to prevent most exploits – Identify malicious traffic on the inside – Create “actionable” reports
• Applications
Insurance Physical segmentation – Availability - Uptime and response times • Status information
• Cybersecurity insurance coverage • Separate devices - Multiple units, separate infrastructure – Data transfers - increases or decreases in rates – Number of devices up to date/in compliance
– Lost revenue Logical segmentation with VLANs – Security notifications - From the developer/ – Devices running older operating systems
– Data recovery costs • Virtual Local Area Networks (VLANs) manufacturer • Determine best next steps
– Money lost to phishing – Separated logically instead of physically • Infrastructure – A new vulnerability is announced
– Privacy lawsuit costs – Cannot communicate between VLANs without a – Remote access systems - Employees, vendors, guests – How many systems are vulnerable?
• Doesn’t cover everything Layer 3 device / router – Firewall and IPS reports - Increase or type of attack • Ad hoc information summaries
– Intentional acts, funds transfers, etc. – Prepare for the unknown
Compensating controls Log aggregation
• Ransomware has increased popularity of • Optimal security methods may not be available • SIEM or SEM (Security Information and Event Manager) Archiving
cybersecurity liability insurance – Can’t deploy a patch right now – Consolidate many different logs to a central database • It takes an average of about 9 months for a
– Applies to every organization – No internal firewalls – Servers, firewalls, VPN concentrators, SANs, cloud company to identify and contain a breach
• Compensate in other ways services – IBM security report, 2022
– Disable the problematic service • Centralized reporting • Access to data is critical
– Revoke access to the application – All information in one place – Archive over an extended period
– Limit external access • Correlation between diverse systems • May have a mandate
– Modify internal security controls and software firewalls – View authentication and access – State or federal law
• Provide coverage until a patch is deployed – Track application access – Or organizational requirements
– Or similar optimal security response – Measure and report on data transfers
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 67 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 68 https://ProfessorMesser.com
 4.4 - Security Monitoring (continued) 4.4 - Security Tools (continued)
Alerting Alert response and remediation Data Loss Prevention (DLP) NetFlow
• Real-time notification of security events • Quarantine • Where’s your data? • Gather traffic statistics from all traffic flows
– Increase in authentication errors – A foundational security response – Social Security numbers, credit card numbers, – Shared communication between devices
– Large file transfers – Prevent a potential security issue from spreading medical records • NetFlow
• Actionable data • Alert tuning • Stop the data before the attacker gets it – Standard collection method
– Keep the right people informed – A balancing act – Data “leakage” – Many products and options
– Enable quick response and status information – Prevent false positives and false negatives • So many sources, so many destinations • Probe and collector
• Notification methods • An alert should be accurate – Often requires multiple solutions – Probe watches network communication
– SMS/text – This is an ongoing process – Endpoint clients – Summary records are sent to the collector
– Email – The tuning gets better as time goes on – Cloud-based systems • Usually a separate reporting app
– Security console / SOC – Email, cloud storage, collaboration tools – Closely tied to the collector
SNMP Vulnerability scanners
4.4 - Security Tools • Simple Network Management Protocol • Usually minimally invasive
– A database of data (MIB) - Management Information Base – Unlike a penetration test
Security Content Automation Protocol (SCAP) Agents/agentless
– The database contains OIDs - Object Identifiers • Port scan
• Many different security tools on the market • Check to see if the device is in compliance
– Poll devices over udp/161 – Poke around and see what’s open
– NGFWs, IPS, vulnerability scanners, etc. – Install a software agent onto the device
– They all have their own way of evaluating a threat – Run an on-demand agentless check • Request statistics from a device • Identify systems
– Server, firewall, workstation, switch, router, etc. – And security devices
• Managed by National Institute of • Agents can usually provide more detail
– Standards and Technology (NIST) http://scap.nist.gov – Always monitoring for real-time notifications • Poll devices at fixed intervals • Test from the outside and inside
– Must be maintained and updated – Create historical performance graphs – Don’t dismiss insider threats
• Allows tools to identify and act on the same criteria
– Validate the security configuration • Agentless runs without a formal install SNMP traps • Gather as much information as possible
– Confirm patch installs – Performs the check, then disappears • Most SNMP operations expect a poll – We’ll separate wheat from chaff later
– Scan for a security breach – Does not require ongoing updates to an agent – Devices then respond to the SNMP request
– Will not inform or alert if not running – This requires constant polling
Using SCAP
• SCAP content can be shared between tools SIEM • SNMP traps can be configured on the monitored device
– Focused on configuration compliance • Security Information and Event Management – Communicates over udp/162
– Easily detect applications with known vulnerabilities – Logging of security events and information • Set a threshold for alerts
• Especially useful in large environments • Log collection of security alerts – If the number of CRC errors increases by 5, send a trap
– Many different operating systems and applications – Real-time information – Monitoring station can react immediately
• This specification standard enables automation • Log aggregation and long-term storage
– Even between different tools – Usually includes advanced reporting features 4.5 - Firewalls
• Automation types • Data correlation
Network-based firewalls Ports and protocols
– Ongoing monitoring – Link diverse data types
• Filter traffic by port number or application • Make forwarding decisions based on protocol
– Notification and alerting • Forensic analysis – Traditional vs. NGFW (TCP or UDP) and port number
– Remediation of noncompliant systems – Gather details after an event
• Encrypt traffic – Traditional port-based firewalls
Benchmarks Anti-virus and anti-malware – VPN between sites – Add to an NGFW for additional security
• Apply security best-practices to everything • Anti-virus is the popular term policy options
• Most firewalls can be layer 3 devices (routers)
– Operating systems, cloud providers, mobile devices, etc. – Refers specifically to a type of malware • Based on destination protocol and port
– Often sits on the ingress/egress of the network
– The bare minimum for security settings – Trojans, worms, macro viruses – Web server: tcp/80, tcp/443
– Network Address Translation (NAT)
• Example: Mobile device • Malware refers to the broad malicious – Dynamic routing – SSH server: tcp/22
– Disable screenshots, disable screen recordings, prevent software category – Microsoft RDP: tcp/3389
voice calls when locked, force encryption backups, Next-generation Firewalls (NGFW)
– Anti-malware stops spyware, ransomware, – DNS query: udp/53
disable additional VPN profiles, configure a “lost phone” • The OSI Application Layer
fileless malware – NTP: udp/123
message, etc. – Layer 7 firewall
• The terms are effectively the same these days
• Popular benchmarks - Center for Internet Security (CIS) • Can be called different names
– The names are more of a marketing tool
– https://www.cisecurity.org/cis-benchmarks/ – Application layer gateway
– Anti-virus software is also anti-malware
– Stateful multilayer inspection
software now
– Deep packet inspection
– Make sure your system is using a
comprehensive solution • Requires some advanced decodes
– Every packet must be analyzed, categorized, and
a security decision determined

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 69 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 70 https://ProfessorMesser.com
 4.5 - Firewalls (continued) 4.5 - Web Filtering (continued)
Firewall rules IPS rules Reputation DNS filtering
• A logical path • Intrusion Prevention System • Filter URLs based on perceived risk • Before connecting to a website, get the IP address
– Usually top-to-bottom – Usually integrated into an NGFW – A good reputation is allowed – Perform a DNS lookup
• Can be very general or very specific • Different ways to find malicious traffic – A bad reputation is blocked • DNS is updated with real-time threat intelligence
– Specific rules are usually at the top – Look at traffic as it passes by – Risk: Trustworthy, Low risk, Medium risk, Suspicious, – Both commercial and public lists
• Implicit deny • Signature-based - Look for a perfect match High risk • Harmful sites are not resolved
– Most firewalls include a deny at the bottom • Anomaly-based • Automated reputation – No IP address, no connection
– Even if you didn’t put one – Build a baseline of what’s “normal” – Sites are scanned and assigned a reputation • This works for any DNS lookup
• Access control lists (ACLs) – Unusual traffic patterns are flagged • Manual reputation – Not just web filtering
– Allow or disallow traffic • You determine what happens when unwanted – Managers can administratively assign a rep
– Groupings of categories - traffic appears • Add these dispositions to the URL filter
– Source IP, Destination IP, port number, time of day, – Block, allow, send an alert, etc. – High risk: Block, Trustworthy: Allow
application, etc. • Thousands of rules - Or more
Screened subnet • Rules can be customized by group
4.5 - Operating System Security
• An additional layer of security between the you and – Or as individual rules Active Directory • A central console
the Internet • This can take time to find the right balance • A database of everything on the network – Login scripts
– Public access to public resources – Security / alert “noise” / false positives – Computers, user accounts, file shares, printers, groups, – Network configurations (QoS)
– Private data remains inaccessible and more – Security parameters
– Primarily Windows-based • Comprehensive control
4.5 - Web Filtering • Manage authentication – Hundreds of configuration options
– Users login using their AD credentials Security-Enhanced Linux (SELinux)
Content filtering Proxies
• Control traffic based on data within the content • Sits between the users and the external network • Centralized access control • Security patches for the Linux kernel
– URL filtering, website category filtering – Determine which users can access resources – Adds mandatory access control (MAC) to Linux
• Receives the user requests and sends the request
• Corporate control of outbound and inbound data on their behalf (the proxy) • Commonly used by the help desk – Linux traditionally uses
– Sensitive materials – Reset passwords, add and remove accounts – Discretionary Access Control (DAC)
• Useful for caching information, access control,
• Control of inappropriate content URL filtering, content scanning Group Policy • Limits application access
– Not safe for work • Manage the computers or users with Group Policies – Least privilege
• Applications may need to know how to use
– Parental controls – Local and Domain policies – A potential breach will have limited scope
the proxy (explicit)
• Protection against evil – Group Policy Management Editor • Open source
• Some proxies are invisible (transparent)
– Anti-virus, anti-malware – Already included as an option with many Linux
Forward proxy distributions
URL scanning • A centralized “internal proxy”
• Allow or restrict based on Uniform Resource Locator – Commonly used to protect and control user
– Also called a Uniform Resource Identifier (URI)
4.5 - Secure Protocols
access to the Internet
– Allow list / Block list Unencrypted network data • HTTP and HTTPS
Block rules • Network traffic is important data – In-the-clear and encrypted web browsing
• Managed by category
• Based on specific URL – Everything must be protected – HTTP: Port 80
– Auction, Hacking, Malware,
– *.professormesser.com: Allow • Some protocols aren’t encrypted – HTTPS: Port 443
– Travel, Recreation, etc.
• Category of site content – All traffic sent in the clear • The port number does not guarantee security
• Can have limited control
– Usually divided into over 50 different topics – Telnet, FTP, SMTP, IMAP – Confirm the security features are enabled
– URLs aren’t the only way to surf
– Adult, Educational, Gambling, Government, • Verify with a packet capture – Packet captures may be necessary
• Often integrated into an NGFW Home and Garden, Legal, Malware, News, etc.
– Filters traffic based on category or specific URL – View everything sent over the network
• Different dispositions
Agent based Protocol selection
– Educational: Allow
• Install client software on the user’s device – Home and Garden: Allow and Alert • Use a secure application protocol
– Usually managed from a central console – Gambling: Block – Built-in encryption
• Users can be located anywhere • A secure protocol may not be available
– The local agent makes the filtering decisions – This may be a deal-breaker
– Always-on, always filtering Port selection
• Updates must be distributed to all agents • Secure and insecure application connections may be
– Cloud-based updates available
– Update status shown at the console – It’s common to run secure and insecure on different ports

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 71 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 72 https://ProfessorMesser.com
 4.5 - Secure Protocols (continued) 4.5 - Monitoring Data (continued)
Transport method • Virtual Private Network (VPN) Cloud-based DLP • Inbound
• Don’t rely on the application – Create an encrypted tunnel • Located between users and the Internet – Block keywords, identify impostors, quarantine email messages
– Encrypt everything over the current – All traffic is encrypted and protected – Watch every byte of network traffic • Outbound
network transport – Often requires third-party services and software – No hardware, no software – Fake wire transfers, W-2 transmissions, employee information
• 802.11 Wireless • Block custom defined data strings Emailing a spreadsheet template
– Open access point: No transport-level encryption – Unique data for your organization • November 2016
– WPA3: All user data is encrypted • Manage access to URLs • Boeing employee emails spouse a spreadsheet to use as a
– Prevent file transfers to cloud storage template
4.5 - Email Security • Block viruses and malware • Contained the personal information of 36,000
Email security challenges • List of authorized mail servers are added to a – Anything traversing the network Boeing employees
• The protocols used to transfer emails include DNS TXT record DLP and email – In hidden columns
relatively few security checks – Receiving mail servers perform a check to see if • Email continues to be the most critical risk vector – Social security numbers, date of birth, etc.
– It’s very easy to spoof an email incoming mail really did come from an authorized host – Inbound threats, outbound data loss • Boeing sells its own DLP software
• Spoofing happens all the time Domain Keys Identified Mail (DKIM) • Check every email inbound and outbound – But only uses it for classified work
– Check your spam folder • A mail server digitally signs all outgoing mail – Internal system or cloud-based
• The email looks as if it originated from – The public key is in the DKIM TXT record
james@professormesser.com • The signature is validated by the receiving mail servers 4.5 - Endpoint Security
– But did it? How can you tell? – Not usually seen by the end user
The endpoint Health checks/posture assessment
• A reputable sender will configure email validation DMARC • The user’s access • Persistent agents
– Publicly available on the sender’s DNS server • Domain-based Message Authentication, – Applications and data – Permanently installed onto a system
Mail gateway – Reporting, and Conformance (DMARC) • Stop the attackers – Periodic updates may be required
• The gatekeeper – An extension of SPF and DKIM – Inbound attacks • Dissolvable agents
– Evaluates the source of inbound email messages • The domain owner decides what receiving email servers – Outbound attacks – No installation is required
– Blocks it at the gateway before it reaches the user should do with emails not validating using SPF and DKIM – Runs during the posture assessment
• Many different platforms
– On-site or cloud-based – That policy is written into a DNS TXT record – Terminates when no longer required
– Mobile, desktop
Sender Policy Framework (SPF) – Accept all, send to spam, or reject the email • Agentless NAC
• Protection is multi-faceted
• SPF protocol • Compliance reports are sent to the email administrator – Defense in depth – Integrated with Active Directory
– Sender configures a list of all servers authorized to – The domain owner can see how emails are received – Checks are made during login and logoff
send emails for a domain Edge vs. access control
– Can’t be scheduled
• Control at the edge
4.5 - Monitoring Data – Your Internet link Failing your assessment
– Managed primarily through firewall rules • What happens when a posture assessment fails?
FIM (File Integrity Monitoring) Data Loss Prevention (DLP) systems
– Firewall rules rarely change – Too dangerous to allow access
• Some files change all the time • On your computer
– Some files should NEVER change – Data in use • Access control • Quarantine network, notify administrators
– Endpoint DLP – Control from wherever you are – Just enough network access to fix the issue
• Monitor important operating system and application files
– Identify when changes occur • On your network – Inside or outside • Once resolved, try again
– Data in motion – Access can be based on many rules – May require additional fixes
• Windows - SFC (System File Checker)
– By user, group, location, application, etc. Endpoint detection and response (EDR)
• Linux - Tripwire • On your server
– Access can be easily revoked or changed • A different method of threat protection
• Many host-based IPS options – Data at rest
– Change your security posture at any time – Scale to meet the increasing number of threats
Data Loss Prevention (DLP) USB blocking
Posture assessment • Detect a threat
• Where’s your data? • DLP on a workstation
• You can’t trust everyone’s computer – Signatures aren’t the only detection tool
– Social Security numbers, credit card numbers, – Allow or deny certain tasks
– BYOD (Bring Your Own Device) – Behavioral analysis, machine learning, process
medical records • November 2008 - U.S. Department of Defense – Malware infections / missing anti-malware monitoring
• Stop the data before the attackers get it – Worm virus “agent.btz” replicates – Unauthorized applications – Lightweight agent on the endpoint
– Data “leakage” using USB storage
• Before connecting to the network, perform a health • Investigate the threat
– Bans removable flash media and
• So many sources, so many destinations check – Root cause analysis
storage devices
– Often requires multiple solutions in different places – Is it a trusted device? • Respond to the threat
• All devices had to be updated – Is it running anti-virus? Which one? Is it updated?
– Local DLP agent handled USB blocking – Isolate the system, quarantine the threat,
– Are the corporate applications installed? rollback to a previous config
• Ban was lifted in February 2010 – Is it a mobile device? Is the disk encrypted? – API driven, no user or technician intervention required
– Replaced with strict guidelines – The type of device doesn’t matter - Windows, Mac,
Linux, iOS, Android
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 73 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 74 https://ProfessorMesser.com
 4.5 - Endpoint Security (continued) 4.6 - Identity and Access Management (continued)
Extended Detection and Response (XDR) User behavior analytics LDAP (Lightweight Directory Access Protocol) Federation
• An evolution of EDR • XDR commonly includes user behavior analytics • Protocol for reading and writing directories over • Provide network access to others
– Improve missed detections, false positives, and – Extend the scope of anomaly detection an IP network – Not just employees - Partners, suppliers,
long investigation times • Watch users, hosts, network traffic, data repositories, etc. – An organized set of records, like a phone directory customers, etc.
– Attacks involve more than just the endpoint – Create a baseline or normal activity • X.500 specification was written by the International – Provides SSO and more
• Add network-based detection – Requires data analysis over an extended period Telecommunications Union (ITU) • Third-parties can establish a federated network
– Investigate and respond to network anomalies • Watch for anything unusual – They know directories! – Authenticate and authorize between the two
• Correlate endpoint, network, and cloud data – Use a set of rules, pattern matching, statistical analysis • DAP ran on the OSI protocol stack organizations
– Improve detection rates • Real-time detection of unusual activity – LDAP is lightweight – Login with your Facebook credentials
– Simplify security event investigations – Catch the threat early • LDAP is the protocol used to query and update an • The third-parties must establish a trust relationship
X.500 directory – And the degree of the trust
– Used in Windows Active Directory, Apple OpenDirectory, Interoperability
Novell eDirectory, etc. • Many different ways to communicate with an
4.6 - Identity and Access Management X.500 Directory Information Tree authentication server
Identity and Access Management (IAM) Permission assignments • Hierarchical structure – More than a simple login process
• Applications are available anywhere • Each entity gets limited permissions – Builds a tree • Often determined by what is at hand
– Desktop, browser, mobile device, etc. – Just enough to do their job • Container objects – VPN concentrator can talk to a LDAP server
• Data can be located anywhere – Group assignments are common – Country, organization, organizational units – We have an LDAP server
– Cloud storage, private data centers, etc. • Storage and files can be private to that user • Leaf objects • A new app uses OAuth
• Many different application users – Even if another person is using the same computer – Users, computers, printers, files – Need to allow authentication API access
– Employees, vendors, contractors, customers • No privileged access to the operating system Security Assertion Markup Language (SAML) • The interoperability is dependent on the
• Give the right permissions to the right people at – Specifically not allowed on a user account • Open standard for authentication and authorization environment
the right time Identity proofing – You can authenticate through a third-party to – This is often part of a much larger IAM strategy
– Prevent unauthorized access • I could be anyone gain access
• Identify lifecycle management – The IAM process should confirm who I am – One standard does it all, sort of
– Every entity (human and non-human) gets a • Resolution • Not originally designed for mobile apps
digital identity – Who the system thinks you are – This has been SAML’s largest roadblock
• Access control • Validation OAuth
– An entity only gets access to what they need – Gathering information from the user • Authorization framework
• Authentication and authorization (password, security questions, etc.) – Determines what resources a user will be able to access
– Entities must prove they are who they claim to be • Verification / Attestation • Created by Twitter, Google, and many others
• Identity governance – Passport, in-person meeting, etc. – Significant industry support
– Track an entity’s resource access – Automated verification is also an option • Not an authentication protocol
– May be a regulatory requirement Single sign-on (SSO) – OpenID Connect handles the single sign-on
• Provisioning/de-provisioning user accounts • Provide credentials one time authentication
• The user account creation process – Get access to all available or assigned resources – OAuth provides authorization between applications
– And the account removal process – No additional authentication required • Relatively popular
• Provisioning and de-provisioning occurs for certain events • Usually limited by time – Used by Twitter, Google, Facebook, LinkedIn, and more
– Hiring, transfers, promotions, job separation – A single authentication can work for 24 hours
• Account details – Authenticate again after the timer expires
– Name, attributes, group permissions, other permissions • The underlying authentication infrastructure must
• An important part of the IAM process support SSO
– An initial checkpoint to limit access – Not always an option
– Nobody gets Administrator access

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 75 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 76 https://ProfessorMesser.com
 4.6 - Access Controls 4.6 - Multifactor Authentication
Access control Role-based access control (RBAC) Multifactor authentication • Hardware or software tokens
• Authorization • You have a role in your organization • Prove who you are – Generates pseudo-random authentication codes
– The process of ensuring only authorized rights are – Manager, director, team lead, project manager – Use different methods • Your phone
exercised • Administrators provide access based on the role of the – A memorized password – SMS a code to your phone
– Policy enforcement user – A mobile app
Something you are
– The process of determining rights – Rights are gained implicitly instead of explicitly – Your GPS location
• Biometric authentication
– Policy definition • In Windows, use Groups to provide role-based access • Factors – Fingerprint, iris scan, voice print
• Users receive rights based on control – Something you know
• Usually stores a mathematical representation of your
– Access Control models – You are in shipping and receiving, so you can use the – Something you have
biometric
– Different business needs or mission requirements shipping software – Something you are
– Your actual fingerprint isn’t usually saved
Least privilege – You are the manager, so you can review shipping logs – Somewhere you are
• Difficult to change
• Rights and permissions should be set to the bare Rule-based access control • There are other factors as well
– You can change your password
minimum • Generic term for following rules Something you know – You can’t change your fingerprint
– You only get exactly what’s needed to complete your – Conditions other than who you are • Password • Used in very specific situations
objective • Access is determined through system-enforced rules – Secret word/phrase, string of characters – Not foolproof
• All user accounts must be limited – System administrators, not users – Very common authentication factor
– Applications should run with minimal privileges Somewhere you are
• The rule is associated with the object • PIN
• Provide a factor based on your location
• Don’t allow users to run with administrative privileges – System checks the ACLs for that object – Personal identification number
– The transaction only completes if you are in a
– Limits the scope of malicious behavior • Rule examples – Not typically contained anywhere on a smart card
particular geography
Mandatory Access Control (MAC) – Lab network access is only available between 9 AM or ATM card
• IP address
• The operating system limits the operation on an object and 5 PM • Pattern
– Not perfect, but can help provide more info
– Based on security clearance levels – Only Chrome browsers may complete this web form – Complete a series of patterns
– Works with IPv4, not so much with IPv6
• Every object gets a label – Only you know the right format
Attribute-based access control (ABAC) • Mobile device location services
– Confidential, secret, top secret, etc. • Users can have complex relationships to applications Something you have – Geolocation to a very specific area
• Labeling of objects uses predefined rules and data • Smart card – Must be in a location that can receive GPS information
– The administrator decides who gets access to what – Access may be based on many different criteria – Integrates with devices or near an identified mobile or 802.11 network
security level • ABAC can consider many parameters – May require a PIN – Still not a perfect identifier of location
– Users cannot change these settings – A “next generation” authorization model • USB security key - Certificate is on the USB device
Discretionary Access Control (DAC) – Aware of context
• Used in most operating systems • Combine and evaluate multiple parameters 4.6 - Password Security
– A familiar access control model – Resource information, IP address, time of day, desired
Password complexity and length Password managers
• You create a spreadsheet action, relationship to the data, etc.
• Make your password strong • Important to use different passwords for each account
– As the owner, you control who has access Time-of-day restrictions – Resist guessing or brute-force attack – Remembering all of them would be impractical
– You can modify access at any time • Almost all security devices include a time-of-day option • Increase password entropy • Store all of your passwords in a single database
• Very flexible access control – Restrict access during certain times or days of the – No single words, no obvious passwords – Encrypted, protected
– And very weak security week – Mix upper and lower case, letters, and special characters – Can include multifactor tokens
– Usually not the only access control
• Stronger passwords are commonly at least 8 characters • Built-in to many operating systems
• Can be difficult to implement – These requirements change as processing – And some browsers
– Especially in a 24-hour environment speed gets faster • Enterprise password managers
• Time-of-day restrictions – Consider a phrase or set of words – Centralized management and recovery options
– Training room network is inaccessible between
Password age and expiration Passwordless authentication
midnight and 6 AM
• Password age • Many breaches are due to poor password control
– Conference room access is limited after 8 PM
– How long since a password was modified – Weak passwords, insecure implementation
– R&D databases are only after between 8 AM and 6 PM
• Password expiration • Authenticate without a password
– Password works for a certain amount of time – This solves many password management issues
– 30 days, 60 days, 90 days, etc. • You may already be passwordless
– After the expiration date, the password does not work – Facial recognition, security key, etc.
– System remembers password history, requires
• Passwordless may not be the primary
unique passwords
authentication method
• Critical systems might change more frequently – Used with a password or additional factors
– Every 15 days or every week
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 77 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 78 https://ProfessorMesser.com
 4.6 - Password Security (continued) 4.7 - Scripting and Automation (continued)
Just-in-time permissions • Password vaulting Scripting considerations • Technical debt
• In many organizations, the IT team is assigned – Primary credentials are stored in a password vault • Complexity – Patching problems may push the issue down the road
administrator/root elevated account rights – The vault controls who gets access to credentials – Many moving parts – It’s going to be more expensive to fix later
– This would be a great account to attack • Accounts are temporary – All of the parts have to reliably work together • Ongoing supportability
• Grant admin access for a limited time – Just-in-time process creates a time-limited account • Cost – The script works great today
– No permanent administrator rights – Administrator receives ephemeral credentials – It takes money to create the script – The script may not work great tomorrow
– The principle of least privilege – Primary passwords are never released – It takes money to implement the automation – Plan for changes and updates
• A breached user account never has elevated rights – Credentials are used for one session then deleted • Single point of failure
– Narrow the scope of a breach – What happens if the script stops working?
• Request access from a central clearinghouse – This could be a significant deal-breaker
– Grants or denies based on predefined security policies
4.8 - Incident Response
4.7 - Scripting and Automation Security incidents The challenge of detection
Scripting and automation Cases for automation • User clicks an email attachment and executes malware • Many different detection sources
• Automate and orchestrate • User and resource provisioning – Malware then communicates with external servers – Different levels of detail, different levels of perception
– You don’t have to be there – On-boarding and off-boarding • DDoS • A large amount of “volume”
– Solve problems in your sleep – Assign access to specific resources – Botnet attack – Attacks are incoming all the time
– Monitor and resolve problems before they happen • Guard rails • Confidential information is stolen – How do you identify the legitimate threats?
• The need for speed – A set of automated validations – Thief wants money or it goes public • Incidents are almost always complex
– The script is as fast as the computer – Limit behaviors and responses • User installs peer-to-peer software and allows – Extensive knowledge needed
– No typing or delays – Constantly check to ensure proper implementation external access to internal servers – Analysis
– No human error – Reduce errors NIST SP800-61 • An incident might occur in the future
• Automate mundane tasks Cases for automation • National Institute of Standards and Technology – This is your heads-up
– You can do something more creative • Security groups – NIST Special Publication 800-61 Revision 2 • Web server log
Automation benefits – Assign (or remove) group access – Computer Security Incident – Vulnerability scanner in use
• Save time - No typing required – Constant audits without human intervention – Handling Guide • Exploit announcement
– Run multiple times, over and over • Ticket creation • The incident response lifecycle: – Monthly Microsoft patch release,
• Enforce baselines – Automatically identify issues – Preparation – Adobe Flash update
– Missing an important security patch – Script email submissions into a ticket – Detection and Analysis • Direct threats - A hacking group doesn’t like you
– Automatically install when identified • Escalation – Containment, Eradication, and Recovery Analysis
• Standard infrastructure configurations – Correct issues before involving a human – Post-incident Activity • An attack is underway - Or an exploit is successful
– Use a script to build a default router configuration – If issue isn’t resolved, contact the on-call tech Preparing for an incident • Buffer overflow attempt
– Add firewall rules to a new security appliance • Controlling services and access • Communication methods – Identified by an intrusion detection/prevention system
– IP configurations, security rules, standard – Automatically enable and disable services – Phones and contact information • Anti-virus software identifies malware
configuration options – No set and forget • Incident handling hardware and software – Deletes from OS and notifies administrator
• Secure scaling • Continuous integration and testing – Laptops, removable media, forensic software, • Host-based monitor detects a configuration change
– Orchestrate cloud resources – Constant development and code updates digital cameras, etc. – Constantly monitors system files
– Quickly scale up and down – Securely test and deploy • Incident analysis resources • Network traffic flows deviate from the norm
– Automation ensures proper security also scales • Integrations and application programming interfaces (APIs) – Documentation, network diagrams, baselines, – Requires constant monitoring
• Employee retention – Interact with third-party devices and services critical file hash values
– Automate the boring stuff – Cloud services, firewalls, operating systems Isolation and containment
• Incident mitigation software
– Ease the workload – Talk their language • Generally a bad idea to let things run their course
– Clean OS and application images
– Minimize the mundane tasks – An incident can spread quickly
• Policies needed for incident handling – It’s your fault at that point
– Employees work is rewarding instead of repetitive – Everyone knows what to do
• Reaction time • Sandboxes
– The computer is much faster than you – An isolated operating system
– An event can be addressed immediately – Run malware and analyze the results
– A script doesn’t need a wake-up call – Clean out the sandbox when done
• Workforce multiplier • Isolation can be sometimes be problematic
– Scripting works 24/7 – Malware or infections can monitor connectivity
– Allows the smart people to do smarter work – When connectivity is lost, everything could be
somewhere else deleted/encrypted/damaged

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 79 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 80 https://ProfessorMesser.com
 4.8 - Incident Response (continued) 4.8 - Digital Forensics
Recovery after an incident Answer the tough questions Digital forensics Reporting
• Get things back to normal • What happened, exactly? • Collect and protect information relating to an intrusion • Document the findings
– Remove the bad, keep the good – Timestamp of the events – Many different data sources and – For Internal use, legal proceedings, etc.
• Eradicate the bug • How did your incident plans work? protection mechanisms • Summary information
– Remove malware – Did the process operate successfully? • RFC 3227 - Guidelines for – Overview of the security event
– Disable breached user accounts • What would you do differently next time? – Evidence Collection and Archiving • Detailed explanation of data acquisition
– Fix vulnerabilities – Retrospective views provide context – A good set of best practices – Step-by-step method of the process
• Recover the system • Which indicators would you watch next time? • Standard digital forensic process • The findings
– Restore from backups – Different precursors may give you better alerts – Acquisition, analysis, and reporting – An analysis of the data
– Rebuild from scratch • Must be detail oriented • Conclusion
Training for an incident
– Replace compromised files – Take extensive notes – Professional results, given the analysis
• There’s limited on-the-job training when a security event occurs
– Tighten down the perimeter
– Be ready when an incident is identified Legal hold Preservation
Lessons learned • Train the team prior to an incident • A legal technique to preserve relevant information • Handling evidence
• Learn and improve – Initial response – Prepare for impending litigation – Isolate and protect the data
– No system is perfect – Investigation plans – Initiated by legal counsel – Analyze the data later without any alterations
• Post-incident meeting – Incident reporting • Hold notification • Manage the collection process
– Invite everyone affected by the incident – And more – Custodians are instructed to preserve data – Work from copies
• Don’t wait too long • This can be an expensive endeavor • Separate repository for electronically stored information – Manage the data collection from mobile devices
– Memories fade over time – Especially with larger response teams (ESI) • Live collection has become an important skill
– Some recommendations can be applied to – Many different data sources and types – Data may be encrypted or difficult to collect after
the next event – Unique workflow and retention requirements powering down
• Ongoing preservation • Follow best practices to ensure admissibility of data in
4.8 - Incident Planning – Once notified, there’s an ongoing obligation to court
Exercising Root cause analysis preserve data – What happens now affects the future
• Test yourselves before an actual event • Determine the ultimate cause of an incident Chain of custody E-discovery
– Scheduled update sessions (annual, semi-annual, etc.) – Find the root cause by asking “why” • Control evidence • Electronic discovery
• Use well-defined rules of engagement • Create a set of conclusions regarding the incident – Maintain integrity – Collect, prepare, review, interpret, and produce
– Do not touch the production systems – Backed up by the facts • Everyone who contacts the evidence electronic documents
• Very specific scenario • Don’t get tunnel vision – Use hashes and digital signatures • E-discovery gathers data required by the legal process
– Limited time to run the event – There can be more than a single root cause – Avoid tampering – Does not generally involve analysis
• Evaluate response • Mistakes happen • Label and catalog everything – There’s no consideration of intent
– Document and discuss – The response to the mistake is the difference – Digitally tag all items for ongoing documentation • Works together with digital forensics
Tabletop exercises Threat hunting – Seal and store – The e-discovery process obtains a storage drive
• Performing a full-scale disaster drill can be costly • The constant game of cat and mouse Acquisition – Data on the drive is smaller than expected
– And time consuming – Find the attacker before they find you • Obtain the data – Forensics experts determine that data was deleted and
• Many of the logistics can be determined through analysis • Strategies are constantly changing – Disk, RAM, firmware, OS files, etc. attempt to recover the data
– You don’t physically have to go through a disaster or drill – Firewalls get stronger, so phishing gets better • Some of the data may not be on a single system
• Get key players together for a tabletop exercise • Intelligence data is reactive – Servers, network data, firewall logs
– Talk through a simulated disaster – You can’t see the attack until it happens • For virtual systems, get a snapshot
Simulation • Speed up the reaction time – Contains all files and information about a VM
• Test with a simulated event – Use technology to fight • Look for any left-behind digital items
– Phishing attack, password requests, data breaches – Artifacts
• Going phishing – Log information, recycle bins, browser bookmarks,
– Create a phishing email attack saved logins, etc.
– Send to your actual user community
– See who bites
• Test internal security
– Did the phishing get past the filter?
• Test the users
– Who clicked?
– Additional training may be required
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 81 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 82 https://ProfessorMesser.com
 4.8 - Log Data 4.8 - Log Data (continued)
Security log files IPS/IDS logs Automated reports Dashboards
• Detailed security-related information • Intrusion prevention system/Intrusion detection system • Most SIEMs include a report generator • Real-time status information
– Blocked and allowed traffic flows – Usually integrated into an NGFW – Automate common security reports – Get summaries on a single screen
– Exploit attempts • Logs contain information about predefined • May be easy or complex to create • Add or remove information
– Blocked URL categories vulnerabilities – The SIEM may have its own report generator – Most SIEMs and reporting systems allow for customization
– DNS sinkhole traffic – Known OS vulnerabilities, generic security events – Third-party report generators may be able to • Shows the most important data
• Critical security information • Common data points access the database – Not designed for long-term analysis
– Documentation of every traffic flow – Timestamp • Requires human intervention Packet captures
– Summary of attack info – Type or class of attack – Someone has to read the reports • Solve complex application issues
– Correlate with other logs – Source and destination IP • These can be involved to create – Get into the details
Firewall logs – Source and destination port – Huge data storage and extensive processing time • Gathers packets on the network
• Traffic flows through the firewall Network logs – Or in the air
– Source/destination IP, port numbers, disposition • Switches, routers, access points, VPN concentrators – Sometimes built into the device
• Next Generation Firewalls (NGFW) – And other infrastructure devices • View detailed traffic information
– Logs the application used, • Network changes – Identify unknown traffic
– URL filtering categories, anomalies and suspicious data – Routing updates – Verify packet filtering and security controls
Application logs – Authentication issues – View a plain-language description of the application data
• Specific to the application – Network security issues
– Information varies widely Metadata 5.1 - Security Policies
• Windows • Metadata
Security policy guidelines Business continuity
– Event Viewer / Application Log – Data that describes other data sources
• What rules are you following to provide CIA? • Not everything goes according to plan
• Linux / macOS/ • Email – Confidentiality, Integrity, and Availability – Disasters can cause a disruption to the norm
– var/log – Header details, sending servers, destination address
• High level strategies • We rely on our computer systems
• Parse the log details on the SIEM • Mobile – Data storage requirements, security event procedures – Technology is pervasive
– Filter out unneeded info – Type of phone, GPS location
• Detailed security goals • There needs to be an alternative
Endpoint logs • Web – Appropriate Wi-Fi usage, requirements for remote – Manual transactions
• Attackers often gain access to endpoints – Operating system, browser type, IP address access – Paper receipts
– Phones, laptops, tablets, desktops, servers, etc. • Files • Security policies answer the “what” and “why” – Phone calls for transaction approvals
• There’s a lot of data on the endpoint – Name, address, phone number, title – Technical security controls answer the “how” • These must be documented and tested before a
– Logon events, policy changes, system events, Vulnerability scans problem occurs
Information security policies
processes, account management, directory services, • Lack of security controls Disaster recovery plan
• The big list of all security-related policies
etc. – No firewall • If a disaster happens, IT should be ready
– A centralized resource for processes
• Everything rolls up to the SIEM – No anti-virus – Part of business continuity planning
• Compliance requirements
– Security Information and Event Manager – No anti-spyware – Keep the organization up and running
– Can be critical to an organization
• Use with correlation of security events • Misconfigurations – Detailed security procedures • Disasters are many and varied
– Combine IPS events with endpoint status – Open shares – What happens when…? – Natural disasters
OS-specific security logs – Guest access – Technology or system failures
• A list of roles and responsibilities
• OS security events • Real vulnerabilities – You got this – Human-created disasters
– Monitoring apps – Especially newer ones • A comprehensive plan
• This is just words and letters
– Brute force, file changes – Occasionally the old ones – An organization must enforce the policy – Recovery location
– Authentication details – Data recovery method
Acceptable use policies (AUP)
• Find problems before they happen – Application restoration
• What is acceptable use of company assets?
– Brute force attacks – IT team and employee availability
– Detailed documentation
– Disabled services Security incidents
– May be documented in the Rules of Behavior
• May require filtering • User clicks an email attachment and executes malware
• Covers many topics
– Don’t forward everything – Malware then communicates with external servers
– Internet use, telephones, computers,
mobile devices, etc. • DDoS - Botnet attack
• Used by an organization to limit legal liability • Confidential information is stolen
– If someone is dismissed, these are the well- – Thief wants money or it goes public
documented reasons why • User installs peer-to-peer software and allows external
access to internal servers
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 83 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 84 https://ProfessorMesser.com
 5.1 - Security Policies (continued) 5.1 - Security Procedures
Incident response roles Software development lifecycle (SDLC) Change management Playbooks
• Incident response team • Systems development life cycle • How to make a change • Conditional steps to follow; a broad process
– Specialized group, trained and tested – Or application development life cycle – Upgrade software, change firewall configuration, – Investigate a data breach, recover from ransomware
• IT security management • Many ways to get from idea to app modify switch ports • Step-by-step set of processes and procedures
– Corporate support – And many moving parts • One of the most common risks in the enterprise – A manual checklist
• Compliance officers – Customer requirements – Occurs very frequently – Can be used to create automated activities
– Intricate knowledge of compliance rules – Keep the process on schedule • Often overlooked or ignored • Often integrated with a SOAR platform
• Technical staff – Stay in budget – Did you feel that bite? – Security Orchestration, Automation, and Response
– Your team in the trenches • There’s no “best way” • Have clear policies – Integrate third-party tools and data sources
• User community – But it helps to have a framework – Frequency, duration, installation process, – Make security teams more effective
– They see everything – There are many options fallback procedures Monitoring and revision
NIST SP800-61 Change management • Sometimes extremely difficult to implement • IT security is constantly changing
• National Institute of Standards and Technology • How to make a change – It’s hard to change corporate culture – Processes and procedures also must change
– NIST Special Publication 800-61 Revision 2 – Upgrade software, change firewall configuration, modify Change control • Update to security posture
– Computer Security Incident switch ports • A formal process for managing change – Tighter change control, additional playbooks
– Handling Guide • One of the most common risks in the enterprise – Avoid downtime, confusion, and mistakes • Change to an individual procedure
• The incident response lifecycle: – Occurs very frequently • Nothing changes without the process – Update the playbooks, include additional checks
– Preparation • Often overlooked or ignored - Did you feel that bite? – Determine the scope of the change • New security concerns
– Detection and Analysis • Have clear policies – Analyze the risk associated with the change – Protect against emerging threats
– Containment, Eradication, and Recovery – Frequency, duration, installation process, fallback procedures – Create a plan Governance structures
– Post-incident Activity • Sometimes extremely difficult to implement – Get end-user approval • Boards
– It’s hard to change organizational culture – Present the proposal to the change control board – A panel of specialists
– Have a backout plan if the change doesn’t work – Often responsible for gathering information
5.1 - Security Standards – Document the changes for a committee
Security standards • Determine how a user gets access Onboarding • Committees
• A formal definition for using security technologies – Require privilege documentation • Bring a new person into the organization – Primary decision makers
and processes • Document how access may be removed – New hires or transfers – Considers the input from a board
– Complete documentation reduces security risk – Security issue, expiration, contract renewals, etc. • IT agreements need to be signed – Determines next steps for a topic at hand
– Everyone understands the expectations – May be part of the employee handbook or a
Physical security • Government entities
• These may be written in-house • Rules and policies regarding physical security controls separate AUP – A different kind of machine
– Your requirements may be unique – Doors, building access, property security • Create accounts – Legal concerns, administrative requirements,
• Many standards are already available • Granting physical access – Associate the user with the proper groups political issues
– ISO (International Organization for Standardization) – Different for employees vs. visitors and departments – Often open to the public
– NIST (National Institute of Standards and Technology) • Provide required IT hardware • Centralized/decentralized
• Define specific physical security systems
Password – Electronic door locks, ongoing monitoring, – Laptops, tablets, etc. – The source of the processes and procedures
• What makes a good password? motion detection, etc. – Preconfigured and ready to go – Centralized governance is located in one location
– Every organization has their own requirements • Additional security concerns Offboarding with a group of decision makers
– Create a formal password complexity policy – Mandatory escorts, off-boarding, etc. • All good things… – Decentralized governance spreads the
• Define acceptable authentication methods – But you knew this day would come decision-making process around to other
Encryption
– No local accounts, only LDAP to the AD database, etc. individuals or locations
• Define specific standards for encrypting and • This process should be pre-planned
• Create policies for secure password resets securing data – You don’t want to decide how to do things at this point
– Avoid unauthorized resets and access – All things cryptographic • What happens to the hardware?
• Other password policies – Can include implementation standards • What happens to the data?
– Password change frequency, secure password storage • Password storage
requirements, password manager options, etc. • Account information is usually deactivated
– Methods and techniques – But not always deleted
Access control • Data encryption minimums
• How does an organization control access to data? – Algorithms for data in use, data in transit,
– Determine which information, at what time data at rest
– And under which circumstances – Will probably be different for each state
• Define which access control types can be used
– No discretionary, mandatory only, etc.

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 85 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 86 https://ProfessorMesser.com
 5.1 - Security Considerations 5.2 - Risk Management
Regulatory Industry Risk identification Ad hoc assessments
• Regulations are often mandated • The industry may require specific • The only certainty is uncertainty • An organization may not have a formal risk
– Security processes are usually a foundational security considerations – Risk management helps to understand potential risks assessment process
consideration – Every market is a bit different – Identify weaknesses before they become an issue – Perform an assessment when the situation requires
– Logging, data storage, data protection, and retention • Electrical power and public utilities • An important part of any organization • CEO is back from a conference
• Sarbanes-Oxley Act (SOX) – Isolated and protected system controls – Growth brings risk – Wants to know if the organization is protected from
– The Public Company Accounting Reform and • Medical – It’s useful to get ahead of any potential problems a new attack type
– Investor Protection Act of 2002 – Highly secure data storage and access logs • Risk management • A committee is created and the risk assessment
• The Health Insurance Portability and – Data encryption and protection – Manage potential risk proceeds
Accountability Act (HIPAA) Geographical security – Qualify internal and external threats – Once the assessment is complete, the committee
– Extensive healthcare standards for storage, use, and • Local/regional – Risk analysis helps plan for contingencies is disbanded
transmission of health care information – City and state government records Performing a risk assessment – There may not be a need to investigate this specific
Legal – Uptime and availability of end-user services • Not all risk requires constant evaluation risk again
• The security team is often tasked with legal responsibilities • National – Or it might be required to always assess the Recurring assessments
– Reporting illegal activities – Federal governments and national defense amount of risk • Recurring assessments
– Holding data required for legal proceedings – Multi-state organizations • One-time – The evaluation occurs on standard intervals
• Security breach notifications – State secrets remain secret – The assessment may be part of a one-time project • An internal assessment
– A legal requirement in many jurisdictions • Global – Company acquisition, new equipment installation, – Performed every three months at the beginning
• Cloud computing can make this challenging – Large multinational companies unique new security threats, etc. of the quarter
– Data moves between jurisdictions without – Global financial markets • Continuous assessments • A mandated risk assessment
human intervention – Legal concerns will vary widely – May be part of an existing process – Required by certain organizations
– The security team must follow legal guidelines – Change control requires a risk assessment as part of – Some legal requirements will mandate an assessment
the change – PCI DSS requires annual risk assessments

5.1 - Data Roles and Responsibilities 5.2 - Risk Analysis

Data responsibilities • Data custodian/steward Qualitative risk assessment Impact
• High-level data relationships – Responsible for data accuracy, privacy, and security • Identify significant risk factors • Life
– Organizational responsibilities, not always technical • Works directly with the data – Ask opinions about the significance – The most important consideration
• Data owner – Associates sensitivity labels to the data – Display visually with traffic light grid or similar method • Property
– Accountable for specific data, often a senior officer – Ensures compliance with any applicable laws – Quantitative risk assessment – The risk to buildings and assets
– VP of Sales owns the customer relationship data and standards • ARO (Annualized Rate of Occurrence) • Safety
– Treasurer owns the financial information – Manages the access rights to the data – How likely is it that a hurricane will hit? – Some environments are too dangerous to work
Data roles – Implements security controls In Montana? In Florida? • Finance
• Data controller • Asset value (AV) – The resulting financial cost
– Manages the purposes and means by which personal – The value of the asset to the organization • Reputation
data is processed – Includes the cost of the asset, the effect on – An event can cause status or character problems
• Data processor company sales, potential regulatory fines, etc.
Likelihood and probability
– Processes data on behalf of the data controller • Exposure factor (EF)
• Risk likelihood
– Often a third-party or different group – The percentage of the value lost due to an incident
– A qualitative measurement of risk
• Payroll controller and processor – Losing a quarter of the value is .25
– Rare, possible, almost certain, etc.
– Payroll department (data controller) defines payroll – Losing the entire asset is 1.0
• Risk probability
amounts and timeframes • SLE (Single Loss Expectancy)
– A quantitative measurement of risk
– Payroll company (data processor) processes payroll – What is the monetary loss if a single event occurs?
– A statistical measurement
and stores employee information – Asset value (AV) x Exposure factor (EF)
– Can be based on historical performance
– Laptop stolen = $1,000 (AV) x 1.0 (EF) = $1,000 (SLE)
• Often considered similar in scope
• ALE (Annualized Loss Expectancy)
– Can be used interchangeably in casual
– ARO x SLE
– Seven laptops stolen a year (ARO) x $1,000 (SLE) = $7,000 conversation
• The business impact can be more than monetary
– Quantitative vs. qualitative

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 87 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 88 https://ProfessorMesser.com
 5.2 - Risk Analysis (continued) 5.3 - Third-party Risk Assessment
Risk appetite and tolerance • Risk tolerance Third-party risk Supply chain analysis
• Risk appetite – Drivers will be ticketed when the speed limit • Every organization works with vendors • The system involved when creating a product
– A broad description of risk-taking deemed acceptable is violated – Payroll, customer relationship management, – Involves organizations, people, activities,
– The amount of accepted risk before taking any action – Ticketing usually occurs well above the posted limit email marketing, travel, raw materials and resources
to reduce that risk – This tolerance can change with road conditions, • Important company data is often shared • Supply chain analysis
• Risk appetite posture weather, traffic, etc. – May be required for cloud-based services – Get a product or service from supplier to customer
– Qualitative description for readiness to take risk Risk register • Perform a risk assessment – Evaluate coordination between groups
– Conservative, neutral, and expansionary • Every project has a plan, but also has risk – Categorize risk by vendor and manage the risk – Identify areas of improvement
• Risk tolerance – Identify and document the risk associated • Use contracts for clear understanding – Assess the IT systems supporting the operation
– An acceptable variance (usually larger) from with each step – Make sure everyone understands the expectations – Document the business process changes
the risk appetite – Apply possible solutions to the identified risks – Use the contract to enforce a secure environment • Software update installs malware: March-June 2020
• Risk appetite – Monitor the results – Announced December 2020 by SolarWinds
Penetration testing
– A highway’s speed limit • Key risk indicators – Malware deployed with a valid SolarWinds
• Pentest
– Government authorities have set the speed limit – Identify risks that could impact the organization digital signature
– Simulate an attack
– The limit is an acceptable balance between safety • Risk owners – At least 18,000 of 300,000 customers
and convenience • Similar to vulnerability scanning potentially impacted
– Each indicator is assigned someone to manage the risk – Except we actually try to exploit the vulnerabilities
• Risk threshold Independent assessments
• Often a compliance mandate
– The cost of mitigation is at least equal to the value • Bring in a smart person or team to evaluate
– May include a legal requirement
gained by mitigation security and provide recommendations
• Regular penetration testing by a 3rd-party – An outside firm
5.2 - Risk Management Strategies – Very specialized
• Specialists in their field
Risk management strategies • Avoid – Third-party experts are well-versed
– They do this all day, every day
• Transfer – Stop participating in a high-risk activity Right-to-audit clauses • They’ve seen it all
– Move the risk to another party – This effectively removes the risk • Common to work with business partners – And can provide options you may not have considered
– Buy some cybersecurity insurance • Mitigate – Data sharing
– Decrease the risk level – Outsourcing Vendor selection process
• Accept
– Invest in security systems • Due diligence
– A business decision; we’ll take the risk! • Third-party providers
– Check a company out before doing business
– This is often the usual course Risk reporting – Can hold all of the data
– Investigate and verify information
• Accept with exemption • A formal document – Manage Internet access
– Financial status, pending or past legal issues, etc.
– A security policy or regulation cannot be followed – Identifies risks – Are they secure?
– Background checks, personnel interviews
– May be based on available security controls, size of the – Detailed information for each risk • Right-to-audit should be in the contract
• Conflict of interest
organization, total assets, etc. • Usually created for senior management – A legal agreement to have the option to perform a
– A personal interest could compromise judgment
– Exemption may need approval – Make decisions regarding resources, budgeting, security audit at any time
– A potential partner also does business with your
• Accept with exception additional security tasks – Everyone agrees to the terms and conditions
largest competitor
– Internal security policies are not applied • Commonly includes critical and emerging risks – Ability to verify security before a breach occurs
– A third-party employs the brother of the CFO
– Monthly security updates must be applied within 3 – The most important considerations Evidence of internal audits – A third-party offers gifts if a contract is signed
calendar days • Evaluate the effectiveness of security controls
– The monthly updates cause a critical software Vendor monitoring
– Have a third-party perform an audit
package to crash • Ongoing management of the vendor relationship
• May be required for compliance – This doesn’t end when the contract is signed
– An exception is made to the update timeframe – It’s a good idea, even without industry standards
• Reviews should occur on a regular basis
5.2 - Business Impact Analysis • Check for security controls and processes – Financial health check, IT security reviews,
Recovery • Mean time to repair (MTTR) – Access management, off boarding, password security, news articles, social media posts
• Recovery time objective (RTO) – Average time required to fix an issue VPN controls, etc.
• Different vendors may be checked for
– Get up and running quickly – This includes time spent diagnosing the problem – There’s always an opportunity for improvement
different indicators
– Get back to a particular service level – An important metric for determining the cost and • Perform at a reasonable frequency – Quantitative and qualitative analysis
– You’re not up and running until the database and time associated with unplanned outages – A single audit isn’t very helpful in the long-term
• Assign a person to be in charge of the
web server are operational • Mean time between failures (MTBF) vendor relationship
– How long did that take? – The time between outages – They’ll manage the monitoring process
• Recovery point objective (RPO) – Can be used as a prediction or calculated based on
– How much data loss is acceptable? historical performance
– Bring the system back online; how far back does data go? – Total uptime / number of breakdowns
– The database is up, but only provides the last twelve – Statistically plan for possible outages
months of data
© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 89 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 90 https://ProfessorMesser.com
 5.3 - Third-party Risk Assessment (continued) 5.4 - Compliance
Questionnaires Rules of engagement Compliance Reputational damage
• An important part of due diligence and ongoing • An important document • Compliance • Getting hacked isn’t a great look
vendor monitoring – Defines purpose and scope – Meeting the standards of laws, policies, and – Organizations are often required to disclose
– Get answers directly from the vendor – Makes everyone aware of the test parameters regulations – Stock prices drop, at least for the short term
• Security-related questions • Type of testing and schedule • A healthy catalog of rules • October 2016 - Uber breach
– What is the vendor’s due diligence process? – On-site physical breach, internal test, external test – Across many aspects of business and life – 25.6 million Names, email addresses, mobile phone
– What plans are in place for disaster recovery? – Normal working hours, after 6 PM only, etc. – Many are industry-specific or situational numbers
– What secure storage method is used for company • The rules • Penalties • Didn’t publicly announce it until November 2017
data? – IP address ranges – Fines, loss of employment, incarceration – Allegedly paid the hackers $100,000 and had them
– And more – Emergency contacts • Scope sign an NDA
• Results are used to update a vendor risk analysis – How to handle sensitive information – Domestic and international requirements – 2018 - Uber paid $148 million in fines
– Updated during the life of the vendor relationship – In-scope and out-of-scope devices or applications • Hackers pleaded guilty in October 2019
Compliance reporting
• Internal – May 2023 - Uber’s former Chief Security Officer
– Monitor and report on organizational compliance sentenced
efforts – Three years probation and a $50,000 fine
5.3 - Agreement Types – Large organizations have a Central Compliance Other consequences
Common agreements Non-disclosure agreement (NDA) Officer (CCO) • Loss of license
• Service Level Agreement (SLA) • Confidentiality agreement between parties – Also used to provide details to customers or – Significant economic sanction
– Minimum terms for services provided – Information in the agreement should not potential investors – Organization cannot sell products
– Uptime, response time agreement, etc. be disclosed • External – Others cannot purchase from a sanctioned company
– Commonly used between customers and service providers • Protects confidential information – Documentation required by external or industry – May be expensive to re-license
• Contract with an Internet provider – Trade secrets regulators • Contractual impacts
– SLA is no more than four hours of unscheduled downtime – Business activities – May require annual or ongoing reporting – Some business deals may require a minimum
– Technician will be dispatched – Anything else listed in the NDA – Missing or invalid reporting could result in fines compliance level
– May require customer to keep spare equipment on-site • Unilateral or bilateral (or multilateral) and/or sanctions – Without compliance, the contract may be in breach
• Memorandum of Understanding (MOU) – One-way NDA or mutual NDA Regulatory compliance – May be resolved with or without a court of law
– Both sides agree in general to the contents of • Formal contract • Sarbanes-Oxley Act (SOX) Compliance monitoring
the memorandum – Signatures are usually required – The Public Company Accounting Reform and Investor • Compliance monitoring
– Usually states common goals, but not much more Protection Act of 2002 – Ensure compliance in day-to-day operations
Common agreements
– May include statements of confidentiality
• Business Partners Agreement (BPA) • The Health Insurance Portability and Accountability • Due diligence/care
– Informal letter of intent; not a signed contract
– Going into business together Act (HIPAA) – A duty to act honestly and in good faith
• Memorandum of Agreement (MOA) – Owner stake – Extensive healthcare standards for storage, use, and – Investigate and verify
– The next step above a MOU – Financial contract transmission of health care information – Due care tends to refer to internal activities
– Both sides conditionally agree to the objectives – Due diligence is often associated with third-party
• Decision-making • The Gramm-Leach-Bliley Act of 1999 (GLBA)
– Can also be a legal document, even without legal language activities
– Who makes the business decisions? – Disclosure of privacy information from financial
– Unlike a contract, may not contain legally
– The BPA lists specific individuals and scope institutions • Attestation and acknowledgment
enforceable promises
• Prepare for contingencies HIPAA non-compliance fines and sanctions – Someone must “sign off” on formal compliance
• Master Service Agreement (MSA) documentation
– Financial issues • Fine of up to $50,000, or up to 1 year in prison, or both;
– Legal contract and agreement of terms – Ultimately responsible if the documentation
– Disaster recovery (Class 6 Felony)
– A broad framework to cover later transactions is incorrect
– Many detailed negotiations happen here • Under false pretenses; a fine of up to $100,000, up to 5
years in prison, or both; (Class 5 Felony) • Internal and external
– Future projects will be based on this agreement
– Monitor compliance with internal tools
• Work order (WO) / Statement of Work (SOW) • Intent to sell, transfer, or use individually identifiable
– Provide access or information to third-party
– Specific list of items to be completed health information for commercial advantage, personal
participants
– Used in conjunction with a MSA gain, or malicious harm, a fine up to $250,000, or up to
– May require ongoing monitoring of third-party
– Details the scope of the job, location, deliverables 10 years in prison, or both. (Class 4 Felony)
operations
schedule, acceptance criteria, and more • Civil fines; maximum is $100 for each violation, with the
• Automation
– Was the job done properly? Let’s refer to the SOW. total amount not to exceed $25,000 for all violations
– A must-have for large organizations
of an identical requirement or prohibition during a
– Can be quite different across vertical markets
calendar year. (Class 3 Felony)
– Many third-party monitoring systems
– Collect data from people and systems
– Compile the data and report

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 91 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 92 https://ProfessorMesser.com
 5.4 - Privacy 5.5 - Audits and Assessments (continued)
Privacy legal implications Data responsibilities External audits
• A constantly evolving set of guidelines • High-level data relationships • Regulatory requirements
– We’re all concerned about privacy – Organizational responsibilities, not always technical – An independent third-party may be required to perform the audit
• Local/regional • Data owner – Audit type and frequency are often based on the regulation
– State and local governments set privacy limits – Accountable for specific data, often a senior officer • Examinations
– Legal information, vehicle registration details, – VP of Sales owns the customer relationship data – Audits will often require hands-on research
medical licensing – Treasurer owns the financial information – View records, compile reports, gather additional details
• National Data roles • Assessment
– Privacy laws for everyone in a country • Data controller – Audit will assess current activities
– HIPAA, online privacy for children under 13, etc. – Manages the purposes and means by which personal – May also provide recommendation for future improvements
• Global - Many countries are working together for privacy data is processed
GDPR - General Data Protection Regulation • Data processor
• European Union regulation – Processes data on behalf of the data controller 5.5 - Penetration Tests
– Data protection and privacy for individuals in the EU – Often a third-party or different group Physical penetration testing Reconnaissance
– Name, address, photo, email address, bank details, • Payroll controller and processor • Operating system security can be circumvented by • Need information before the attack
posts on social networking websites, medical – Payroll department (data controller) defines payroll physical means – Can’t rush blindly into battle
information, a computer’s IP address, etc. amounts and timeframes – Modify the boot process • Gathering a digital footprint
• Controls export of personal data – Payroll company (data processor) processes payroll – Boot from other media – Learn everything you can
– Users can decide where their data goes and stores employee information – Modify or replace OS files • Understand the security posture
– Can request removal of data from search engines Data inventory and retention • Physical security is key – Firewalls, security configurations
• Gives “data subjects” control of their personal data • What data does your organization store? – Prevent access by unauthorized individuals • Minimize the attack area
– A right to be forgotten – You should document your data inventory • Assess and test physical security – Focus on key systems
Data subject • Data inventory – Can you enter a building without a key? • Create a network map
• Any information relating to an identified or identifiable – A listing of all managed data – What access is available inside? – Identify routers, networks, remote sites
natural person – Owner, update frequency, format of the data – Doors, windows, elevators, physical security processes
Passive reconnaissance
– An individual with personal data • Internal use Pentesting perspectives • Learn as much as you can from open sources
• This includes everyone – Project collaboration, IT security, data quality checks • Offensive – There’s a lot of information out there
– Name, ID number, address information, genetic • External use – The red team – Remarkably difficult to protect or identify
makeup, physical characteristics, location data, etc. – Select data to share publicly – Attack the systems and look for vulnerabilities to exploit
• Social media
– You are the data subject – Follow existing laws and regulations • Defensive
• Corporate web site
• Laws and regulations – The blue team
– Privacy is ideally defined from the perspective of the – Identify attacks in real-time • Online forums, Reddit
data subject – Prevent any unauthorized access • Social engineering
• Integrated • Dumpster diving
– Create an ongoing process • Business organizations
5.5 - Audits and Assessments – Identify and patch exploitable systems and services Active reconnaissance
Audits and assessments Internal audits – Test again • Trying the doors
• Not just for taxes • Audits aren’t just for third-parties Working knowledge – Maybe one is unlocked
– There are good reasons to audit your technology – You should also have internal audits • How much do you know about the test? – Don’t open it yet
• Cybersecurity audit • Compliance – Many different approaches – Relatively easy to be seen
– Examines the IT infrastructure, software, devices, etc. – Is your organization complying with regulatory or • Known environment • Visible on network traffic and logs
– Checks for effectiveness of policies and procedures industry requirements? – Full disclosure • Ping scans, port scans
– Find vulnerabilities before the attackers • Audit committee • Partially known environment • DNS queries
– Can be performed internally or by a third-party – Oversees risk management activities – A mix of known and unknown • OS scans, OS fingerprinting
• Attestation – All audits start and stop with the committee – Focus on certain systems or applications • Service scans, version scans
– Provides an opinion of truth or accuracy of a • Self-assessments • Unknown environment
company’s security positioning – Have the organization perform their own checks – The pentester knows nothing about the systems
– An auditor will attest to a company’s cybersecurity – Consolidate the self-assessments into ongoing reports under attack
posture – “Blind” test

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 93 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 94 https://ProfessorMesser.com
 5.6 - Security Awareness 5.6 - User Training
Phishing campaigns Reporting and monitoring Security awareness training • Password management
• How many employees would click a link in • Track and analyze security awareness metrics • Before providing access, train your users – Many standards to choose from
a phishing email? – Automated – Detailed security requirements – Guide users with standard requirements
– There’s a way to find out – Phishing click rates • Specialized training (length, complexity, etc.)
• Many companies will perform their own – Password manager adoption, MFA use, – Each user role has unique security responsibilities – This is often controlled using technology (Group Policy)
phishing campaign password sharing • Also applies to third-parties • Removable media and cables
– Send a phishing email to your employees • Initial – Contractors, partners, suppliers – Unknown USB drives can contain malware
• An automated process – First occurrence is an opportunity for user training • Detailed documentation and records – Unknown cables can be connected to a
– Centralized reporting for incorrect clicks – Work towards avoiding the issue in the future – Problems later can be severe for everyone malicious system
– Users can receive immediate feedback and • Recurring • Social engineering
User guidance and training
security training – The value of long-term monitoring – Extensive and ongoing training
• Policy/handbooks
– Some organizations will schedule in-person training – Identify high-frequency security issues – The attackers are very good
– Document all security requirements
• Recognize a phishing attempt – Help users with multiple occurrences – The users are your front line defense
– Provide access online in policy guidelines
– Spelling and grammatical errors Development – Reference the policies in the employee handbook • Operational security
– Domain name and email inconsistencies • Create a Security Awareness team – View security from the attacker’s perspective
• Situational awareness
– Unusual attachments – Determine roles for training, monitoring, – Users need to identify sensitive data
– Users should always be looking for threats
– Request for personal information policy creation, etc. – Keep the sensitive data private
– Software attacks: Email links, attachments, unusual
• Respond to reported suspicious messages • Establish a minimum awareness level URLs, text messages, etc. • Hybrid/remote work environments
– Email filtering can get the worst offenders – Information delivery (emails, posters, – Physical attacks: USB drives in a FedEx envelope, – Working at home brings unusual security risks
– Never click a link in an email notices, training) unlocked building doors, etc. – No access to family and friends
– Never run an attachment from an email – Depth of training based on job function – Be ready for anything – Additional endpoint security
– All organizations should have a process for reporting • Integrate compliance mandates – Security policies for VPN access
• Insider threat
phishing – PCI DSS, HIPAA, GDPR, etc. – Difficult to guard against
Anomalous behavior recognition • Define metrics – Add multiple approvals for critical processes
• Risky behavior – Assess the performance of security awareness – Monitor files and systems as much as possible
– Modifying hosts file programs – It should be very difficult to make an unauthorized
– Replacing a core OS file – Make updates in lower-performing areas change
– Uploading sensitive files
Execution
• Unexpected behavior • Create the training materials
– Logon from another country – Provided to users in different forms
– Increase in data transfers
• Document success measurements
• Unintentional behavior – How will we know the awareness is working?
– Typing the wrong domain name
• Identify the stakeholders
– Misplacing USB drives
– Provide ongoing metrics and performance data
– Misconfiguring security settings
• Deploy the training materials
– Classroom training, posters, weekly emails, etc.
• Track user training efforts
– Ongoing monitoring, usually with an automated
reporting system

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 95 https://ProfessorMesser.com © 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 96 https://ProfessorMesser.com