Role of the audio review
- This is an audio course, thank you for listening. - Hi there it's me, Mike Chapel. I
hope that you enjoyed watching my series of video courses on preparing for the
Security+ exam. You can consider what you're listening to right now, this audio
only course, as a summary of some of the key points from those longer video
courses. My hope is that you can use these a couple of times. First, you can listen
to this audio course immediately after watching the video courses to help you
remember the material. Second, I encourage you to set aside some time to listen
to this audio review again right before you take the Security+ exam. All right, let's
dive right into the material.
Objective 1.1
- Let's dive in by starting to explore the first domain of the Security+ exam,
threats, attacks, and vulnerabilities. The first objective that we encounter in this
domain, objective 1.1, is to compare and contrast different types of social
engineering techniques. Now social engineering is the use of some kind of trickery
to manipulate someone into performing an action that you'd like them to
perform. And in the cybersecurity world, our adversaries often use social
engineering to try to obtain passwords or other credentials, get someone to
modify an access control list, let them in a building, or some other type of similar
adverse action. Social engineering is effective for a number of reasons. And the
perpetrators of social engineering rely upon seven principles to help them be
more effective in their attacks and gain the trust of their victims. These seven
principles are authority, intimidation, consensus, scarcity, familiarity, trust, and
urgency. So with those general principles under our belt, let's move on and talk
about some of the specific types of social engineering attacks that take place. The
big one is phishing and phishing is sending an email to someone trying to
manipulate them into clicking a link, providing a username and password, or
performing some other action. That's a very general definition of phishing, but
there are a lot of variations on it as well. So while phishing uses email, there's also
SMShing, which uses text messages or SMS messages. When we combine the
words SMS and phishing, we get SMShing. There's also vishing, which is voice
phishing. That's using the telephone to engage in a phishing attack. Phishing
attacks can also vary based upon their target. While general phishing attacks
might be just blasted out to hundreds or thousands of people hoping to trap
anyone, spear phishing attacks are specifically targeted at an individual or a
specific group of people, and they use some insider knowledge about a company
and its environment or an organization and the people around it in order to make
the message more effective. One more variant is the whaling attack. Now a whale
is a big fish. So a whaling attack is a phishing attack that's targeted at someone
who's really important, either they're a senior executive or a politician or public
figure. Whaling is going after a really large lucrative target. Phishing attacks can
also vary in their purpose. We've talked about credential theft. That's one aspect
of identity fraud, basically trying to assume someone else's identity to log onto a
system or engage in a financial transaction, or whatever else you're trying to do as
that person. Another very common thing that happens with phishing attacks are
invoice scams. In an invoice scam, the perpetrator sends an email to someone in
an account's payable department or a manager with an invoice attached saying,
please process this invoice for my services. Now of course there weren't any
services, but the hope is that the busy accounts payable clerk is just going to get
that message and process the invoice without realizing that it's not legitimate.
Spam is another type of social engineering attack. Spam is just unsolicited
commercial email. These are email messages that are sent without someone
requesting them. They're usually for advertising or marketing purposes. Now they
don't have quite the malicious intent that a phishing email does, but spam is
unsolicited junk email. We can also see this happening over text messages, SMS,
and other instant messaging services. And in those cases, spam is referred to as
SPIM, for spam over instant messaging. The last thing we need to look at from this
objective are a few physical types of social engineering. These are ways that we
can social engineer someone when we're physically present with them. One of
these is shoulder surfing. That's just looking over someone's shoulder when
they're working at their desk and seeing what they're doing on their computer
screen, or maybe sitting next to someone on an airplane when you can see their
laptop. Dumpster diving is another physical type of social engineering attack. In a
dumpster diving attack, the perpetrator just goes through an organization's
garbage, and they know that people aren't always diligent about shredding or
destroying paper records. And if they look carefully, they can find information
that might be very sensitive on its own, or it might give them the clues that they
need to engage in a social engineering attack to get credentials. Maybe they find
an organizational chart, for example. So they know who supervises who within
the organization. The last type of social engineering attack that we need to talk
about is the tailgating attack. In a tailgating attack, the attacker tries to gain
physical access to a building, and they do this by watching for someone who is
allowed to enter the building go ahead and swipe their ID card, or enter their ID
code or whatever the case may be. And then as the door closes behind that
person, the perpetrator just slips in right behind them, gaining access to the
building. The analogy here is tailgating in a car. You're following too closely to
someone and that's what's happening in a tailgating attack in the physical world.
Objective 1.2
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] The second objective in the threats, attacks, and vulnerabilities
domain is objective 1.2. Given a scenario, analyze potential indicators to
determine the type of attack. In this objective, what we're looking to do is
understand a lot of the different ways that adversaries might attack us and be
able to recognize those attacks when we see them in the wild. The first major
category of these indicators is malware, malicious software. There are many types
of malware that can impact our organizations, either by exploiting some
vulnerability that we have, or by tricking a user into installing malicious code.
Viruses are the original type of malware. These are pieces of malware that spread
from system to system when the user performs some action. Whether that's
inserting an infected USB drive into a computer, downloading software from a
malicious website, clicking a link in a malicious email. Or just some other thing
that allows software to gain a foothold on the system. Now there are a lot of
variants of malicious software besides the typical virus. Ransomware is a very
common one. And what this malicious software does is encrypt all the files on a
computer system, and then demand payment of a ransom in cryptocurrency,
usually in Bitcoin, before the attackers will provide the decryption key that the
victim needs to access their files again. Worms are very similar to viruses in that
they spread from system to system, but they don't require any action on behalf of
the user to do that spreading. Worms exploit vulnerabilities in different systems,
and use those vulnerabilities to spread. We also have Trojan horses, which are
pieces of malicious software that are disguised as something that we want, like a
game or some other application. But once we run the Trojan horse on our system,
it performs some malicious activity in the background. Logic bombs are a type of
malicious code that are embedded into some other software. In a logic bomb,
what happens is the programmer who created that software writes some logical
conditions that cause a malicious action to happen at some point in the future
when those conditions are met. Say, for example, that a programmer is no longer
employed by the organization. They might set up a logic bomb that notices that
their account no longer exists, and then performs malicious activity on other
systems. A lot of malicious software is designed to steal information from people.
And this software falls into the general category of spyware. Spyware is malicious
software that intends to spy on the activities of a user. This could be a keylogger,
where the spyware is watching every keystroke that the user types. Hoping to
capture a password or credit card number, or some other type of information. It
could also be a remote access Trojan, where the attacker can not only monitor
what's happening on a system, but they can also connect to that user system and
control it. That type of commanding control over user systems is very often a goal
of malicious software. And more generally, when an adversary is able to take
control of lots and lots of systems, we call those individual compromised systems
bots. And together, we call them a botnet. A collection of compromised systems
that the attacker is able to use to gain some type of advantage. That's an
overview of some of the main types of malware. The second category of indicator
that you need to know about for the exam are password attacks. Passwords are
the most common type of authentication that we use and they are vulnerable to
attack. That attack could just be guessing, a brute force attack that just guesses
every possible combination of passwords trying to find a match. Or the attack
could be more intelligent and use a dictionary attack, where we take common
passwords and then use those against accounts that we know exist. One of the
best defenses against password attacks is to use strong passwords and store them
securely. When we store them, we usually store them as the hash of a password.
And those hashes are vulnerable to a different type of attack called a rainbow
table attack. In a rainbow table attack, the attacker pre-computes hashes for a lot
of common passwords and then checks the password file to see if it includes any
of those hashes. When it finds a matching hash, it then knows the password that
corresponds to that hash. A more insidious type of password attack is password
spraying. This attack depends upon the fact that people use the same passwords
on different websites. It takes the password files from compromised websites,
and then tries to use those same username and password combinations on other
sites. This is a way to take a password file from a pretty innocuous site, like your
supermarket website, and then use it to gain access to really sensitive sites, such
as a bank or other financial institution. Attacks can also be physical. Physical
attacks can be done using a malicious cable, either a USB cable or maybe even a
flash drive that contains malicious software. And then when it's plugged into a
system, the malicious software is installed on the computer and infects it. Physical
attacks are also very common with credit card readers in ATM machines, where
the attacker fixes a physical card reader right on top of the real card reader of the
device. When somebody comes up to use the machine, they slide their card
through both the skimmer, which is what that fake card reader is called, and
through the skimmer into the actual machine. So the machine works properly, but
the attacker is able to read all the information off the card and use it to create
their own fake credit card with the same information on it. That type of attack is
called card cloning, where the attacker is making a copy of a card based upon
data that they've read with a skimmer. Attackers can use artificial intelligence
techniques against us as well, in an approach known as adversarial artificial
intelligence. In these attacks, they're either tainting the training data for a
machine learning algorithm, or they're attacking the security of the machine
learning algorithm itself. The last category of attacks we're going to look at in this
review are cryptographic attacks. These are attacks against encryption. The first
type of these attacks that I like to talk about are collision attacks. This happens
when we have two files that have the same exact hash value. Those duplicate
hash values are what we call a collision, and collisions can have dire consequences
for digital signatures and other technologies that depend upon those hashes. The
other type of cryptographic attack that you want to be familiar with is the
downgrade attack. Where if two people, either a user and a server or two users,
are using a strong encryption technology to communicate with each other and an
adversary is able to trick them both into downgrading the sophistication of their
encryption. That new downgraded weaker encryption might then be vulnerable to
attack. Those are the major types of attack that you need to know about for
objective 1.2 on the Security Plus exam.
Objective 1.3
Selecting transcript lines in this section will navigate to timestamp in the video
- Objective 1.3 of the Security+ exam is that when given a scenario, you're able to
analyze potential indicators that are associated with application attacks. These
are attacks against software, ways that an adversary can exploit applications that
we use in our organizations to gain access to information and systems. One of the
common goals of this type of attack is privilege escalation, trying to exploit
vulnerabilities that allow you to take a normal user account and turn it into a
privileged administrator account. So let's review some of the types of application
attacks that exist out there. One is cross-site scripting or XSS attacks. In a crosssite scripting attack, the attacker fools a user's web browser into executing some
code that's written in JavaScript or another scripting language. This commonly
happens in a type of attack known as a stored or persistent cross-site scripting
attack. In these attacks, the attacker might post a message on a message board or
some other place that they can put web content. And if that website doesn't filter
out scripts, those scripts can then be related to other users who visit the site,
causing their browsers to execute the code. The code might then throw out a
popup window asking for their password, for example, hoping that some user
who visits the site is going to fall victim to the attack and type in their password,
which is then relayed to the attacker. Injection attacks are another very common
type of application attack. In an injection attack, the adversary looks for places on
websites where they can provide input, and then that input gets inserted into
some other type of command that's executed on the system or another server.
The most common type of injection attack is a Structured Query Language or SQL
injection attack. In this attack, the adversary carefully crafts input that's given to a
web application, knowing that that input is going to be used in a SQL query. They
can then cause the database to execute not only the intended query, but also
another command that the attacker provides as part of the malicious input. SQL
isn't the only technology that's vulnerable to injection attacks. These attacks can
also be used against dynamic-link libraries, DLL files, in the Lightweight Directory
Access Protocol, LDAP, and with the Extensible Markup Language, XML. Now
there are many other types of application attacks. One of those is directory
traversal, where the attacker uses directory navigation commands in a URL in an
attempt to work their way out of the portions of a server that are dedicated to
the web content that we're supposed to view, and look at other sensitive files
that are stored on the server in other locations. There are also overflow attacks
such as buffer overflows and integer overflows. These are also input based
attacks where an attacker finds a place where an application is expecting some
input, and then puts far more information in that field than should ever be
inserted there. This causes the location in memory, the buffer that set aside for
that field, to overflow and lets attacker potentially execute their own malicious
commands on that server. Many of these application attacks can be mitigated
through the use of input validation. This is a control where when you're
developing a web application, you look at all the input that you're receiving from
users, and you make sure that it matches the type of input that you expect to see.
So for example, if you're asking someone for the number of children that they
have, the input that you get should be an integer number, and it should probably
be less than 20 and greater than or equal to 0. You shouldn't see negative
numbers or very long numbers or text written in that field. Using strong input
validation protects against many types of application attack
Objective 1.4
Selecting transcript lines in this section will navigate to timestamp in the video
- Objective 1.4 of the Security+ exam says that when given a scenario, you need to
be able to analyze potential indicators associated with network attacks. So let's
talk about a few different categories of network attack. The first of these
categories are wireless attacks. Wireless networks are very vulnerable to attack
because they're intentionally broadcasting signals over a large area. So if an
attacker is able to get in range of a wireless access point, they have the ability to
at least attempt a wireless network attack. The first thing they might do is place
their own access point in an area where they think that legitimate users will
connect, and then give that wireless network the same name that authorized
users are expecting to see. So if I take a wireless access point and set it up at
Jones Corporation, and call the network Jones because I know that's the normal
network used by the company, I'm hoping I'm going to trick users of Jones
Corporation into connecting to my wireless access point, and then providing their
username and password, allowing me to steal their credentials. This type of attack
is called an evil twin attack, where I'm creating a malicious clone of a wireless
access point and installing it on a network myself. Another type of wireless attack
is the disassociation attack. This is an attack where the adversary sends signals
that force a user to disconnect from a wireless network. Then when the user
reconnects, the attacker can capture information about that authentication
session to try to gain access to the wireless network themselves. Wireless attacks
can also take place against Bluetooth connections that users are using to connect
peripherals to their smartphones and other devices. These include bluejacking,
which is a technique where the attacker can send messages to users through
Bluetooth, and bluesnarfing, where the attacker is actually able to hack into
someone's phone through a Bluetooth connection, and gain access to the
information stored on the device. And other type of network attack has a few
names. It's most commonly known as the man-in-the-middle attack, but now, it's
more generally known as the on-path attack. In this type of attack, the attacker
tricks a user into connecting to the attacker system, instead of to a third party
website that the user is trying to access. The attacker then becomes the person in
the middle. The attacker is in the middle of the connection between the user and
the legitimate server. The user connects to the attacker, and the attacker
connects to the server, so the attacker can act as a go-between between the user
and the server and they're able to monitor all the communications that take place
between the user and the remote system. Some network attacks happen at layer
two. This is the data link layer of the OSI model. And that's where the address
resolution protocol, or ARP works. ARP translates for network devices between
the media access control, or MAC addresses that are hard-coded into a network
interface, and the IP addresses that are used on modern networks. There are a
few different types of attacks that take place against MAC addresses in the ARP
protocol. First, MAC addresses are assigned to hardware devices when they're
manufactured, but they're very easy to modify. So if an attacker is able to clone
the MAC address of a legitimate device, they can then pretend to be that device
on the network. Attackers can also exploit the ARP protocol itself. One of these
attacks is called a MAC flooding attack. In a MAC flooding attack, the attacker
sends thousands of requests to a network switch trying to register different MAC
addresses with that switch. This causes the memory space that the switch has set
aside for storing MAC addresses to fill up and overflow. When that overflow
occurs, the switch starts to receive traffic for devices on the local network, and
instead of sending it directly to that device, it just broadcasts it to everybody on
the network, hoping that it reaches the end device and opening up an avenue for
eavesdropping attacks. The last type of attack that happens at layer two is ARP
poisoning. This is where the attacker injects invalid MAC address information into
a switch, and then causes the switch to provide that information to users on the
network, leading them to believe that they're connecting to legitimate systems,
when in fact, they're connecting to malicious systems. Just like the ARP protocol,
which translates between MAC and IP addresses is vulnerable to attack, so is the
DNS protocol, the domain name system, or DNS translates between the domain
names that we commonly use, like linkedin.com and the IP addresses that
computers need to use to communicate on the network. Attackers who are able
to disrupt DNS can redirect traffic from a legitimate site to their own. The most
common DNS attack is something called domain hijacking, where an attacker
manages to steal a domain name by hacking into account at the service where the
company registered that domain name and then changes the password on that
account and the IP address where traffic from that domain should be sent. On a
smaller scale, DNS can be disrupted with DNS poisoning attacks, where the
attackers inject invalid DNS information into a DNS server on the victim's local
network, causing the victim to visit a malicious site instead of the legitimate site
that they want to visit. The last type of network attack we'll look at is the denial of
service attack. In a denial of service attack, the attacker just bombards a system
with traffic, hoping to overwhelm it so that it can't process any legitimate traffic
that it receives. The most common type of denial of service attack is the
distributed denial of service, or DDoS attack. In a DDoS attack, the traffic comes
from all over the place. Thousands of systems are all bombarding the victim with
traffic so the victim system is not only overwhelmed, but it's also not easy to
block the traffic because it's coming from so many different places. The most
common way that attackers engage in DDoS attacks is to use a botnet of
compromised systems that they've already gathered that are located all around
the world, and then instruct those systems to bombard their victim with traffic.
Those are the most common types of network attacks that you'll need to be
familiar with when you take the Security+ exam.
Objective 1.5
Selecting transcript lines in this section will navigate to timestamp in the video
- Objective 1.5 on the Security+ exam is that you must be able to explain different
threat actors, threat vectors, and intelligence sources. So let's talk about those.
We'll start with threat actors. These are the adversaries who are trying to
undermine the confidentiality, integrity, and availability of our information
systems. Threat actors come in a variety of different forms. They can either be
internal to our organization, such as the insider threat, individuals who work with
us and for us who are actually trying to engage in attacks against us. Or they can
be external threats. People on the outside who are trying to gain access to our
systems for a whole variety of different reasons. Threat actors also differ based
upon their level of sophistication. We have some who are not very skilled at all.
These are script kiddies, people who are just taking exploits developed by others
and running them against targeted systems. Usually without a lot of focus on who
they're targeting but just trying to execute code that they didn't necessarily
create themselves. At the other end of the spectrum, we had the advanced
persistent threat, or APT. APTs are really determined attackers with a lot of skill
and talent and sophistication. They're often sponsored by nation states or
criminal syndicates or people with a lot of resources and funding to put behind
those attacks. Advanced persistent threats can engage in very, very sophisticated
attacks that are custom developed to take down a particular target. And different
threat actors are motivated by different things. For example, those advanced
persistent threat actors we just talked about are sponsored by nation states and
they're motivated by political or military and intelligence goals. On the other
hand, if they're sponsored by a criminal syndicate, the motivation is financial.
They're looking for ways to exploit the access that they've gained to steal money
or services. Attackers can also be motivated by ideology. So we might have a
hacktivist. That's someone who engages in hacking in order to spread their own
message of either speaking out against the government or for a political cause.
Hacking activity isn't always malicious. There are three different ways this can
take place. We might have hackers who are authorized, in the past called white
hat hackers, who are sponsored by an organization. They're either employees or
consultants or contractors who are going out and conducting penetration testing
in an attempt to hack into an organization's systems to expose any vulnerabilities
that might exist so they can be fixed. At the other end of the spectrum, we have
what used to be called black hat hackers, who are unauthorized. They were not
given permission. And they're going out there with malicious intent. Now in the
spectrum in between authorized and unauthorized, there's a lot of gray area of
semi-authorized attacks. These are cases where the individual might not have
explicit permission to engage in this type of activity, but they're doing it with good
intent. They're trying to find vulnerabilities in systems. And then they're going to
tell the target about those vulnerabilities when they discover them. Attackers can
use a variety of different threat vectors when they're trying to gain access to a
system. Now they might have direct access where they can walk up to a system
and touch it. And then they're able to engage in their attack that way. Or they
might conduct their attack over a wired or wireless network. They might engage
in attacks through email using phishing and other social engineering techniques to
reach into an organization and try to get people to unwittingly assist them in their
attack. Threats can also be delivered through removable media and the cloud, or
even injected directly into an organization's supply chain by corrupting suppliers
or devices before they even reach the organization's network. For a cyber security
team to protect against these different threat actors and threat vectors, they
really need to understand how the threat environment is changing over time.
There are new threats every day and threat intelligence allows us to stay on top
of how the threat environment is evolving and design our own security controls in
a way that protects against these evolving threats. There are a lot of different
sources of threat intelligence. We can use open source intelligence or we can use
proprietary or closed source intelligence that we purchase. There are databases
of vulnerabilities out there and there are even information sharing centers, called
ISACs, that bring together the public and private sector to share information. We
can also look for threat intelligence on the dark web, trying to see mentions of
our organization and our systems on hacking forums and in other places where
these topics are discussed. As you're conducting threat intelligence research, you
can use a variety of different sources. These might include vendor websites,
vulnerability and threat feeds, conferences, academic journals, the request for
comments or RFC documents that define how protocols and services work, social
media, local groups. All of these things are designed to help you get a strong
understanding of the tactics, techniques, and procedures used by your
adversaries so that you can build better defenses against them.
Objective 1.6
Selecting transcript lines in this section will navigate to timestamp in the video
- Objective 1.6 on the Security+ exam is that you must be able to explain the
security concerns associated with different types of vulnerabilities. You need to
be familiar with vulnerabilities that occur both on-premises and in the cloud
because different types of risks that your organization faces can alter the way that
you develop, implement, and maintain security controls. Now, one of the most
serious types of vulnerabilities you might encounter is the zero-day vulnerability.
It's given this name because the vulnerability itself is brand new. When an
adversary discovers a new vulnerability, there's a window of time where they are
the only people who know about that vulnerability, and they can exploit it very
easily because the vendor of the service or system that has the vulnerability
doesn't know about it yet, so they haven't been able to develop a security patch,
making it very difficult for organizations to defend against a zero-day attack. Zeroday attacks are a hallmark of the advanced persistent threat, or APT. These are
state sponsored, very sophisticated hacking organizations that because of their
level of sophistication are able to identify vulnerabilities themselves, and then
keep those vulnerabilities secret for a long period of time while they exploit them
as zero-day vulnerabilities. Vulnerabilities can also arise from weak configurations
of systems and software. These could be open permissions, insecure root or
administrative accounts, errors that display too much information and allow
someone to gain intelligence about how to hack into a system, the use of weak
encryption or insecure protocols, leaving default settings enabled that present
security vulnerabilities, or leaving too many open ports on services on a system.
This increases the attack service and provides an attacker with a lot of different
ways that they could gain access to a system. Another source of vulnerabilities is
improper or weak patch management. Now, while zero-day attacks can exploit
brand new vulnerabilities, most vulnerabilities that exist out there are ones that
have been known about for a long time. And technology professionals have the
tools to protect against them by applying security patches and updating their
configurations. But sometimes, they just don't get around to it, and that leaves
their systems open to attack. We need to make sure that we fully patch, not only
our operating systems and applications, but also the firmware of network devices
and other embedded systems. When we use legacy platforms, that also creates
vulnerabilities for us. If those systems are no longer being maintained by their
manufacturer, then they're not receiving security updates. And when new
vulnerabilities arise, it's very, very difficult, if not impossible, to correct them. We
also need to consider third-party risks to our organization because we use so
many different vendors to assist us in getting our IT work done. These vendors
range from hardware and software providers to the cloud service providers that
are so integral to the way that we work today. Organizations need to have strong
vendor management practices that monitor their vendors and their entire supply
chain, looking for places where security vulnerabilities might arise and then
addressing them. So we have vulnerabilities on-premises and in the cloud due to
weak configurations, zero-day attacks, third-parties, missing patches. And what all
this boils down to is that we need to have a strong vulnerability management
program in place. Because if we don't address these vulnerabilities, they can have
a significant impact on our organization. These impacts might include the loss of
data through data breaches and exfiltration, identity theft, financial or
reputational damage to our organization, or the disruption of business activities
through attacks that cause a loss of availability of systems.
Objective 1.7
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 1.7 of the Security+ exam is that you be able to summarize
the techniques used in security assessments. We're going to break this up into
three major categories. The first of these categories is vulnerability scanning.
Vulnerability scanning is the core of security assessments. It's also one of the
most important security assessment tools. What vulnerability scans do is they use
technology to automate checking systems on your network for vulnerabilities and
then provide you with important information about what you need to fix to keep
your network secure. There are some different ways that we can categorize
vulnerability scans. First, we can look at what those scans are targeting, either a
network, applications, or web applications. Network vulnerability scans reach out
and probe systems on the network, looking across IP addresses, trying to find
systems that contain vulnerabilities. Application scans target the software that we
run, looking at whether there are opportunities for buffer overflows or other
issues in our source code that could create an avenue for an attacker to break
into our systems. Web application scans look specifically at applications that run
over the web. These scans look for web-specific vulnerabilities, including SQL
injection, cross-site scripting, and cross-site request forgery. So that's the first way
that we can categorize vulnerability scans, by their target. The second way we can
categorize them is by the type of access that they have. And this boils down to
whether they're credentialed scans or non-credentialed scans. In a credentialed
scan, we give the scanner a username and password that it can use to access the
systems that are being scanned. This allows the scan to reach more deeply into
the target systems and analyze their configurations, giving the scan extra
information to be able to uncover vulnerabilities. Non-credentialed scans on the
other hand don't have that access. They don't have credentials to reach into
systems so they're only looking at them from an external perspective. They're
trying to find what an attacker who doesn't have credentials yet would see as
they're trying to break into a system. The third way that we can categorize
vulnerability scans is whether they're intrusive or non-intrusive. Intrusive scans
have the potential to actually disrupt the system. The scan itself can cause
problems for the environment. These scans are the most accurate because
they're trying all possible types of vulnerabilities but they could also cause a
system outage. So we want to be really careful about how we use intrusive scans
and make sure that we coordinate with system owners to know that the scan isn't
going to disrupt important operational activity. Non-intrusive scans on the other
hand limit the types of exploits being tested so that they don't accidentally bring
down a system. Vulnerability scanners all work off of a database of vulnerabilities
and many share a common database called Common Vulnerabilities and
Exposures or CVE. CVE is a centralized database of vulnerabilities from all sorts of
operating systems, applications, network devices, and other components. And it's
shared among many different vulnerability scanners. CVE provides each
vulnerability with a number that can be used to cross-reference the results from
different scans. These vulnerabilities are also rated according to their impact, how
significant they are, how easy they are to exploit, and the potential damage that
could be caused if they are exploited. These ratings are evaluated using a shared
system called the Common Vulnerability Scoring System or CVSS. So when we
look at a vulnerability, we often refer to its severity by using its CVSS score. The
last thing we want to talk about with vulnerability scans are the results of those
scans. Each time a vulnerability scanner reports a vulnerability that's either a real
vulnerability that exists on a system, a situation known as a true positive, or in
some cases the vulnerability scanner might report a vulnerability that doesn't
actually exist. That's an error and it's a situation known as a false positive report.
Other times the vulnerability scanner doesn't report that an issue exists. If in
reality, there is no issue, that's correct and it's a situation known as a true
negative. On the other hand, if there is a vulnerability on a system and the
vulnerability scan reports that there is no vulnerability, that's a false negative
report. So of course we want to tune our vulnerability scans so that we have true
positives and true negatives and not false positives and false negatives. The
second type of security assessment we need to talk about is threat hunting.
Threat hunting follows the presumption of compromise. That just means that we
assume that an attacker has already gained access to our system and then we go
around our network hunting for signs of their presence. We can use a lot of
different sources of information to find these indicators of compromise. Those
sources include threat feeds, advisories and bulletins from the government and
vendors, and we can look for signs of known attackers that tell us that somebody
has already compromised our network. The third category of tools that fall under
this objective are the tools that help us do log analysis. Most organizations use a
Security Information and Event Management or a SIEM system to bring together
all of the different log entries that are being generated by security tools,
applications, and operating systems, and correlate those entries to detect signs of
an intrusion or other security event. The important thing that a SIEM does is
aggregate all of those different logs and then discover patterns that exist across
different log sources in a way that we wouldn't see if we were just looking at the
logs from one system. We can take this a step further and actually automate our
responses to those events and have workflows that kick off in response to
detections by a SIEM. When we do that, we move from SIEM technology to a
more advanced technology called Security Orchestration, Automation, and
Response or a SOAR. We often hear about these tools together, SIEM and SOAR.
You can just think of them as the SIEM system is performing correlation and
analysis and identifying that an issue exists. And then the SOAR system is
automating the response to that issue.
Objective 1.8
Selecting transcript lines in this section will navigate to timestamp in the video
- The final objective of the threats, attacks, and vulnerabilities domain is objective
1.8, explain the techniques used in penetration testing. In a penetration test, the
testers adopt the tactics, tools, and procedures of an actual hacker. We assume
the mindset of the hacker and try to put ourselves in their shoes and then use the
techniques that they would use to try to actually gain access to our own systems.
These go beyond security assessments, because we're actively trying to break into
systems and exploit vulnerabilities in our own security. When we conduct
penetration testing, we can use three different methods. These are known
commonly as black box, white box, and gray box testing. In a black box test, or an
unknown environment test, the tester doesn't have access to any inside
information about the systems or networks being attacked. They simply get
pointed at the company and then are given free reign to go and explore and try to
figure out things on their own. These black box tests very closely approximate a
real attack because an attacker wouldn't likely have inside information. A white
box test, which is also called a known environment test, provides the testers with
a lot of information about the systems and networks that are being tested. This
approach has the advantage of speeding up the test by skipping the discovery
phase. It gives the testers access to a lot of information that they can use to begin
identifying vulnerabilities that they might exploit during their test. The final type
of test is a gray box test, which is also called a partially known environment test.
These tests lay somewhere in the middle between white box and black box tests.
The attackers are given access to some information, but they don't have the
complete details of the environment that's being assessed. During a penetration
test, the testers are actually trying to exploit real vulnerabilities on the target
systems, and those exploits can have negative impacts on the organization's
operations. Because of this, it's really important to define the rules of
engagement in advance of the test and make sure that the testers know what
they are and are not allowed to do, and the procedures that they should follow if
they discover a vulnerability or an actual attack in progress. As they are engaging
in penetration testing, penetration testers are going to use the same tactics that
hackers use. They're going to try to gain initial access to a system and then move
laterally around the network once they have that foothold, finding other systems
that they can exploit. Then they're going to try to perform privilege escalation
attacks that take them from having normal user access to having administrative
access. Once the testers gain a strong foothold on the network, they're also going
to try to establish persistence. That means that they'll set up ways that they can
later regain access to systems, even if the original path that they used to gain that
access is now closed. Then, at the end of the test, they clean up and restore
normal operations. After all, this is a test that's being performed by the
organization so we want to make sure that when we're done, we leave the
organization in a secure state Penetration testers also perform a lot of
reconnaissance, especially when they're performing a black box test. They have to
go and figure out how the organization is structured and what types of systems
exist. This may involve performing physical reconnaissance, walking around and
looking at a facility trying to figure out who and what is entering the facility. As
they do this, they might even use drones. They might use a technique called war
driving or war flying, where they either drive a car or fly a drone with wifi
antennas on it, to try to figure out what wireless networks are present around the
facility. These are all different physical reconnaissance techniques that
penetration testers might use. But reconnaissance can also be electronic, using
footprinting to perform scans and try to figure out what systems are present on a
network. Attackers will basically use any information available to them, whether
it's from reconnaissance that they're performing themselves, or whether it's from
open source intelligence, just looking around the internet, trying to learn
everything they can about the organization that they're targeting. The last
important assessment tool covered under this objective are cybersecurity
exercises. These exercises provide security teams with experience in handling real
world incidents. During a cybersecurity exercise, the players are organized into
teams. The red team are the attackers. They're the ones who are on the offensive.
They're basically performing a real life penetration test, trying to gain access to
systems. The blue team is the defense. They're trying to prevent the red team
from gaining access to systems by actively monitoring and updating security
controls in real time. There's also usually a white team that serves as the sort of
referees of the exercise. They're moderating and making sure that everybody is
playing within the rules of engagement and keeping the exercise moving along At
the end of an exercise, it's common for teams to come together as a purple team,
bringing together the red team, blue team, and white team to debrief on what
they discovered during the exercise, what they learned, and maybe even sit
beside each other and watch each other engaging in offensive and defensive
tactics, because after all, the whole purpose of a cybersecurity exercise is for
everybody to learn, so they learn by doing as members of the red team or blue
team, but they also learn from each other as members of the purple team.
Objective 2.1
- [Instructor] The second domain of the security plus exam is architecture and
design. This domain has eight objectives. The first of those is that you be able to
explain the importance of security concepts in an enterprise environment. You'll
need to know the importance of configuration management. These are the tools
and processes that we use to gather and monitor the configuration of systems,
software, and devices in our organization and making sure that those
configurations comply with our security standards. We can use a number of tools
to help us with this process. First, we use a lot of diagrams. These are just pictures
of the environment showing us how systems are set up and configured. They're a
really important tool, and they're probably the first place that most IT
professionals go when they're looking to understand a system. We also use
baseline configurations for operating systems, applications, and devices. These
baseline configurations are the standard security settings that we use across all of
our systems. Using these baselines allows us to then compare running systems
against the baseline and look for deviations. Places where settings have changed
and are deviating from our security standards. That gives us the opportunity to
investigate and correct those issues. As we perform configuration management,
we should try to standardize the way that we name and address systems. This
involves using standard naming conventions so that our systems all have names
that explain what they do and where they're located on the network, and
standard IP address schemes that help us identify the location of systems by their
IP address. Data protection is another crucial security concept. This is the
collection of actions that we take and tools that we use to ensure that our data
remains safe. Data loss prevention or DLP tools are an important data protection
technique. They monitor systems and networks for signs that someone or some
process is trying to take sensitive information outside the organization. They do
this by looking for data that's in motion on our network and being moved outside
the organization that might be in violation of our security policies. Some of the
other tools we can use for data protection are designed to obscure the meaning
of data. We can use encryption to do this where we're using mathematical
techniques to encrypt data in such a way that it can't be viewed without access to
the appropriate decryption key. We can also mask data. This is taking our data
and simply x-ing out sensitive parts. So for example, if we have 16 digit credit card
numbers stored in our system, that's really sensitive data that we probably don't
want to keep accessible. So we might use masking by x-ing out the first 12 digits
of those credit card numbers, leaving only the last four for identification
purposes. When we're thinking about how we protect data, we want to consider
data in three different states. Data at rest, which is data that's being stored
without actively being used. Data in motion, which is data that's in transit over a
network and data in processing, which is data that's in memory and actively being
used by a system. The next essential security concept we need to consider is data
sovereignty. This is looking at the geographic considerations around where our
data is being kept and what jurisdictions have authority over that data. Data
sovereignty becomes especially important in the world of cloud computing, where
it might be making use of data centers located around the world. Data
sovereignty says that we need to be careful about where we store our data and
know the laws and regulations that apply based upon the locations of that
storage. We also need to consider site resiliency as we're considering security in
an enterprise environment. This means that we want to have backup places to
process our data. We can have hot sites, cold sites, and warm sites. A hot site is a
data center that's set up and ready to go. It has everything in place. Electricity,
cooling, networking, systems, and data. So the hot site can pick up processing for
our organization at a moment's notice. Hot sites are the most effective type of
alternate processing facility but they're also the most expensive. At the other
extreme, we can have cold sites. These are the least effective but also the least
expensive type of facility. A cold site is a data center that has basic utilities and
network connections in place but it has none of the systems or data. When we
want to activate a cold site, we need to install and configure systems and get the
data loaded. That's going to take weeks in order to get a cold site up and running.
Warm sites are somewhere in the middle. We have systems that are ready to go
and we might even have applications loaded but we need to load our data before
we activate the warm site. So it's still going to take some time but while a cold site
might take weeks to activate, a warm site might just take hours or days. The last
topic I want to review in this domain are deception and disruption tools. These
are ways that we can try to confuse our adversary. The most common of these is
the honey pot. This is a system that's set up to look like an attractive target for an
attacker. The honey pot might have an attractive name like accounting server, or
it might have files stored on it that look like they contain sensitive information.
But in reality, the honey pot is a system that's carefully instrumented and
designed to detect attack attempts. There's no real sensitive data on the system
and the honeypot has no purpose other than attracting attackers and then tipping
us off to their presence. Honey nets are entire networks of honey potted systems.
Honey nets have no legitimate purpose on our network other than to detect
hacking activity. So if we see people trying to connect to addresses on a honey
net, we know that they're most likely engaging in some type of malicious activity.
We can also have honey files. These are files that look like they contain sensitive
information but they have no legitimate use. And they are embedded in our other
file systems. Just like with honey pots and honey nets, we watch for attempts to
access those honey files and then investigate those attempts as potential sources
of malicious activity.
Objective 2.2
- [Instructor] Objective 2.2 of the Security Plus exam is that you be able to
summarize virtualization and cloud computing concepts. In this domain, we cover
a wide variety of topics that are really important to cloud computing. The first of
those is virtualization. As you learned in the video course, virtualization is the core
technology that makes cloud computing work. Virtualization allows us to run
many different guest virtual computers on a single hardware platform, and it does
this by using a hypervisor. A hypervisor is just software that serves as the
middleman between the guest operating systems and the actual hardware, and
isolates them from each other. Virtualization allows us to have massive
computing at scale in the cloud. When we use the cloud, we think about different
ways that it can be delivered to us, the environments in which we can operate.
The most common thing we usually think of is the public cloud. The public cloud is
just when a cloud service provider makes cloud services available to anyone who
wants to use them. The public cloud relies upon the multi-tenancy model, where
many different customers can be sharing the same physical hardware, but have
their guest operating systems isolated from each other. The opposite of the public
cloud is a private cloud. And in a private cloud, we have the same benefits of
being able to use multiple operating systems and share resources across guests.
But all of the hardware is dedicated to a single customer, usually in our own data
centers where we have somebody manage it for us. Hybrid cloud combines
resources from both public and private cloud environments. Many organizations
create hybrid clouds, where they have public cloud operations along with their
own private cloud, and then shift workloads back and forth. There are different
types of services that can be delivered through the cloud. In an infrastructure as a
service environment, the cloud service provider is giving us the core building
blocks of computing. Virtual server instances, storage, networking, all of the
components that we can put together to build our own cloud services.
Infrastructure as a service is where the customer does the most work of any cloud
service, but it also gives us the most flexibility as a result. In software as a service,
the service provider is doing most of the work because they're providing a fully
developed application to us that we can use in the cloud. The provider manages
everything and we just access the application, usually over the web. In the middle
is platform as a service. Platform as a service is an environment where we can
write code, and then give it to a cloud service provider to have them execute that
code for us. One sub-category of platform as a service is function as a service
computing, or serverless computing. In function as a service computing, we create
discrete code functions and then have our cloud providers execute those
functions for us in response to an event or on a planned schedule. In addition to
using these types of cloud services, we also rely on a variety of other managed
service providers and managed security service providers who can run portions of
our IT infrastructure for us. Whether that infrastructure is on premises, or off
premises in the cloud. The cloud also enables us to use a model known as
infrastructure as code. Where instead of creating servers or other infrastructure
elements by hand as we need them, we instead write code that creates those
elements for us. The benefit is that we can reuse that code if we need to recreate
those services in the future. This is very commonly done in infrastructure as a
service environments. And it's also what allows us to start moving towards
software defined networking, SDN, where we can reconfigure our network by
writing code. And have the network even reconfigure itself in response to events.
Those are some of the ways that virtualization and cloud computing play an
important role in the world of cybersecurity.
Objective 2.3
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 2.3 of the Security Plus exam is that you be able to
summarize secure application development, deployment, and automation
concepts. Let's begin by talking about the different environments where code
might exist. First, we have development environments. This is where
programmers actually begin to create code. They're actively working on code in a
development environment that's isolated and dedicated for this purpose. You
never want to have developers working on code that's actually being used by end
users, because the developers might make mistakes as they're performing their
development work. The development environment provides a sandbox where
developers can perform their day to day work. Once a developer finishes their
work it's time to test that code. The code then moves from the development
environment to the test environment, where developers, quality assurance
personnel, and end users can make sure that the code works properly before it
moves on to being actively used. When testing is complete, the code moves from
the test environment to a staging environment where it's configured and
prepared for active use. Once it's ready to go, the code that's in the staging
environment moves to the production environment. The production environment
contains the code that's actively being used on a day to day basis. As developers
create code they need to use secure coding techniques. These are time tested
software development practices that promote good code that's secure and
efficient. One of the most important concepts in this area is the reuse of code.
Making sure that developers don't write the same code over and over again.
Instead, commonly used code can be placed in shared libraries where different
developers can access it, and leverage each other's work. When working with
databases, it's good practice for developers to normalize their databases.
Database normalization is just a set of best practices for how we organize the
data in a database to avoid redundancy and other issues that might arise. When
accessing databases from code, the use of stored procedures and parameterized
queries helps avoid sequel injection attacks. Developers also need to be sensitive
to memory management, making sure that they're allocating memory and using it
appropriately to avoid buffer overflow attacks, where an attacker attempts to put
more data into a memory location than is allocated for its use, in an attempt to
get the system to execute code that it shouldn't be executing. Developers working
on web applications should pay careful attention to the standards and
documentation published by a group called the Open Web Application Security
Project, or OWASP, in particular OWOSP publishes a list of the top 10
vulnerabilities in web applications that provides developers with a great roadmap
for avoiding the most common and most serious security issues that affect web
applications. Version controls and other key software development security
concept. When a lot of developers are working on the same code, it can become
very confusing what the current version of that code is. Version control
techniques try to sort all of this out. They use code repositories and other tools to
allow developers to check out code that they're working on, and then check that
code back in when they're finished with their work. This approach allows for the
orderly and consistent modification of code by different developers without
having those step all over each other. Mature IT organizations also benefit from
the use of automation and scripting. Automating courses of action allows IT teams
to become much more efficient in the way that they work. Instead of having to
manually configure things, they can rely upon automation to perform repetitive
tasks in a consistent manner. Some of the automation tools they might use
include continuous monitoring, continuous validation, continuous integration,
continuous delivery, and continuous deployment. The final two concepts we need
to talk about related to automation, are scalability and elasticity. These are
measures of how a system responds to changing demand. Scalability means that
we design systems that are capable of expanding as the demand on those systems
increases. To achieve scalability, we might add additional memory or CPUs to a
server or add additional servers to a pool of servers in order to allow the system
to scale up as it faces increased demand. Elasticity builds upon scalability by also
adding the capability to scale back down again when the demand decreases.
Elasticity is very commonly found in cloud applications, because it allows us to
make optimal use of our resources. The environment grows when necessary to
meet increased demand, but when that demand decreases the environment then
shrinks so that we're not using and paying for resources that we no longer need.
Objective 2.4
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 2.4 of the security plus exam is that you be able to
summarize authentication and authorization design concepts. In the world of
security, we often talk about the concept of triple A. That's authentication,
authorization, and accounting. When a user tries to gain access to a system, the
first thing we do is authenticate that user. We ask them to prove their claim of
identity through a password or some other means. Once we're confident that
they are who they claim to be, we then perform authorization to determine what
that person is allowed to do. And then finally after granting them the ability to do
something, we perform accounting, which is tracking what the user does and
keeping a record so that we can later look back and see what actions took place.
Together these three triple A activities of authentication, authorization, and
accounting form the core of identity and access management programs. There are
three common ways that users can authenticate themselves to systems. The first
of these is something you know. The most common example of something you
know is a password. Answers to security questions and pin codes also fit into this
category. These are facts that are in the user's memory and are then repeated to
the authentication system as proof of the user's identity. The second way that
users can authenticate to a system is something you have. This is some device
such as a smartphone, a key fob, or a smart card that the user produces in order
to prove their claim of identity. And the third way that users can authenticate to
systems is biometric authentication or something you are. This is by using some
characteristic of their body to prove their identity to a system. This could be as
simple as a fingerprint scan or it could be a retinal or iris scan of their eye. We can
use facial recognition or voice recognition or even things like analyzing the
pattern of veins in a hand or the way that a person walks. All of these biometric
authentication techniques provide very secure authentication. Strong
authentication systems use a technique called multi-factor authentication or MFA
where we combine two or more authentication techniques that represent two or
more different factors. For example, we might take a password, something you
know, and combine it with a fingerprint scan, something you are. We also might
combine a password, something you know with a smart card, something you
have. Either of these approaches provide strong authentication. If an attacker
steals a user's password, they're still going to have to have access to that user's
smart card or fingerprint in order to gain access to the system. One of the most
important things that you can remember about multifactor authentication is that
the authentication techniques have to represent two different factors. Something
you know, something you have, and something you are. For example, if we
combine a password, which is something you know, with a pin or the answers to
security questions, which are also something you know, that is not multi-factor
authentication, because we haven't brought in something that you have or
something that you are. There are also other ways that we can add assurance to
the authentication process by using different attributes. In addition to the
something you know, something you have, and something you are factors, we can
bring in information such as where the user is or how they behave to add
additional context to the authentication process.
Objective 2.5
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 2.5 of the Security Plus Exam is that, when given a
scenario, you'll be able to implement cybersecurity resilience. Resilience is the
ability of a system to withstand potential sources of disruption. When we conduct
resilience activities, what we're doing is trying to make our systems stronger so
that they're able to face all those threats that are out there in the world without
being disrupted. One of the key elements of resilience is redundancy. By taking
systems and their components, and having multiple backup parts, we protect
ourselves in the event that one of those components fails. Let's talk about four
ways that you can implement redundancy. The first of these is geographic
dispersal. Geographic dispersal spreads our systems over a large geographic area.
For example, if we have four web servers providing access to our organization's
website, we might place one of those servers in New York, another in Los Angeles,
another in Tokyo, and the fourth in Rome. Having this geographic dispersion of
our servers helps protect us against failures that might occur because of where
those servers are located. The second type of redundancy we can have is disc
redundancy. Discs are one of the most common parts of a server to fail, and by
placing multiple discs inside a single server and spreading data across those discs,
we can protect ourselves against those failures. We most commonly do this using
a technology called RAID, that's Redundant Arrays of Inexpensive Discs. RAID
technology spreads our data across discs in a way such that if one of those discs
fails, all of the data is still available from using the other discs. The third place we
can achieve redundancy is in networking. We can do this by having load balancers
that distribute our traffic across multiple servers. And we can also do it at the
server level by using a technology called NIC teaming. NIC teaming lets us use
multiple Network Interface Cards, or NICs, to access the network, so that if one of
those cards fails, another is able to pick up the load. And the fourth place that we
use redundancy is when it comes to power. At a very high level, when we speak of
the sources of power coming into our facility, it's great if we're able to have two
independent sources of power entering our buildings so that a power outage at
an external facility is less likely to affect us. Power redundancy also refers to the
way that we provide power within our facility, making sure that we have
Uninterruptable Power Supplies or UPS's, that are able to cover momentary
glitches in the power, and generators that are able to provide our own power in
the event of a longer term disruption. The third place that we worry about power
is in the server itself, because every server contains its own power supply. These
power supply components are also likely to fail, so redundancy says that we
should put two different power supplies in the same server, so that if one fails,
the other is able to provide power to the server. Data protection is another form
of resilience. Data protection means that we make sure that we replicate our data
across multiple locations, and we keep backups in order to have access to our
data if the original location where that data is stored somehow becomes
corrupted. There are three different types of backup that you need to know
about. A full backup backs up all of the data that's stored on a system. A
differential backup backs up only the data that's been modified on a system since
the last full backup, and an incremental backup backs up all of the data that's
been modified since the last full or incremental backup. These backups can be
stored in many different places, they might be stored on discs, they might be
written to tape, or they might be moved to cloud services. The important thing is
making sure that your backups are stored in a different location than your
primary servers. This makes sure that if some kind of disaster affects the building
where your servers are located, the backups still remain available. When planning
resilience activities, you should keep diversity in mind. And the diversity that
we're talking about here is the diversity of the technologies, vendors,
cryptography, and controls that we're implementing in our environments. Having
different vendors in our supply chain minimizes the likelihood that some sort of
failure at a single vendor is going to significantly disrupt our business operations.
Those are the key things that you need to know about cyber security resilience as
you prepare for the Security Plus Exam.
Objective 2.6
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 2.6 of the Security+ exam is that you be able to explain the
security implications of embedded and specialized systems. So let's first talk
about what these systems are. Embedded systems are systems that are placed
inside other things that we use in our everyday lives. You might find embedded
systems in everything, ranging from your refrigerator or car to the industrial
equipment that operates a factory floor. There are some common technologies
that are used to create embedded systems. These are technologies like Raspberry
Pis, Arduino devices, and field-programmable gate arrays. When we use these
embedded systems in an industrial setting there are two terms that apply to
them. They're called Supervisory Control And Data Acquisition, or SCADA systems.
And they're also called Industrial Control Systems, or ICS technologies. We find
these systems in all sorts of facilities. Industrial facilities, manufacturing plants,
energy production and distribution facilities, and in logistics and supply chain
operations. When we use embedded systems in our everyday lives, we often call
them the Internet of Things. These are the sensors, smart devices, wearables, and
other systems that make our homes smart and our lives more efficient. Now of
course, having all of these systems in our homes and businesses makes our lives
easier, but it also opens up new avenues for attackers to try to exploit us. That's
why we have to be really careful about making sure that our systems are designed
in a secure way. And they're maintained to protect against security vulnerabilities.
One of the most important things that you can do as you're thinking about
embedded systems security is to make sure that you have an accurate inventory
of all of the places that embedded systems exist in your environment. Now, some
of them are obvious, but some you might not think of it first. Some of the things
you should look for are medical systems, cars, aircraft, smart meters, voice over IP
telephones, heating ventilation and air conditioning or HVAC systems, drones,
multifunction printers, surveillance systems, and anything else that might contain
a computer inside of it that needs to be protected against security threats.
Embedded systems have specialized constraints because they're generally small,
and they're often deployed in places where they don't have convenient access to
networks or power. So when you're thinking about embedded systems, be
familiar with these constraints. They include limited power consumption, low
computing power, low network bandwidth, or no network connectivity at all, and
the inability to use strong cryptography. These constraints increase the
importance of providing security and making sure that you're able to patch those
systems, and making sure that those systems use strong authentication to ensure
that people accessing them are who they claim to be. Because of their nature,
embedded systems are often placed in remote locations. And this means that we
need to think about different ways to connect them back to our networks. It's not
always possible to have an ethernet or wifi network reaching out to a remote
facility. To facilitate communications for embedded systems, we sometimes use
other technologies, such as using SIM cards, to allow these systems to access a
5G, or other cellular network. Narrowband communications. Baseband radio
communications. Or specialized technologies designed for embedded systems,
like ZigBee and Z-Wave networks. Those are the main things that you need to
know about embedded and specialized systems as you're preparing for the
Security+ exam.
Objective 2.7
Selecting transcript lines in this section will navigate to timestamp in the video
- [Educator] Objective 2.7 of the security plus exam is that you be able to explain
the importance of physical security controls. These are the controls that we use to
affect security in the physical world. One of our main objectives with physical
security is to prevent unauthorized people from accessing a facility. And there are
a lot of different techniques that we can use to enforce this. Of course, we can
build fences around our facility to make sure that nobody's able to enter an area
unless they go through an authorized gate. We can also use a special room called
an access control vestibule or a mantrap. These rooms prevent tailgating attacks
where two people might try to enter the facility at the same time. When we're
using an access control vestibule, someone who wants to enter a facility first
opens the exterior door of the vestibule, then they enter the vestibule and close
the exterior door. They're not able to open the interior door that allows them into
the facility until the exterior door is fully closed, ensuring that nobody's able to
sneak in behind them. Locks are also an important part of preventing people from
accessing a facility that they're not authorized to access. We can use all different
kinds of locks, from traditional physical locks to electronic locks that use keypads
or smart cards or even biometric locks that look at fingerprint scans, eye scans, or
other biometric techniques to grant someone access to a facility. We can also use
locks to protect equipment by using cable locks to secure laptops and other
portable equipment to a desk, table, wall, or other permanent part of the
building. Physical security controls also help us to detect intrusions. We can use
traditional burglar alarms to help identify intruders that are trying to access the
facility. We should have strong lighting around the outside of our facility so that
guards can see people trying to enter a secure area. Those guards might be
human beings, or they might even be robot sentries that are designed to watch
for the presence of unauthorized individuals. Intrusion detection also uses a
variety of sensors ranging from closed-circuit television surveillance cameras that
can perform motion recognition and object detection to noise detection sensors,
moisture detection, temperature detection, and other signs that something might
be going wrong in an area from a physical perspective. Now, of course, we
sometimes have authorized visitors to our area and it's important that we have
visitor management procedures in place that allow us to track and manage those
visitors. There are two important elements here. The first is a visitor log. This log
gives us a record of who entered the facility, when they came and left, and who
granted that access. The second is badging that allows us to clearly and easily
distinguish between employees and visitors who might require an escort when
they're accessing our facility. Faraday cages are physical security controls that
prevent electronic eavesdropping by preventing electronic signals from leaving an
area. Now, these are very disruptive security controls because Faraday cages
block all electronic signals including those we might want to have, but they do
protect against unintentional electronic emanations. As we're thinking about
physical security, we should look at all of the different places in our facility that
might be considered secure areas. These include data centers, executive office
spaces, vaults, safes, and other places where sensitive material is maintained. The
last physical security control we're going to talk about is secure data destruction.
When paper or electronic records reach the end of their life cycle, we need to
destroy them in a way that someone isn't able to pick them up out of the trash
and gain access to the sensitive information that they contain. Secure data
destruction techniques include burning, shredding, pulping, and pulverizing for
physical materials and the degaussing of electronic media. Degaussing uses strong
magnetic fields to eliminate traces of data that might still be stored on a device.
We can either perform these data destruction techniques ourselves or we can
hire a third-party vendor to perform data destruction for us. Those are the things
that you need to know about physical security as you prepare for the security plus
exam.
Objective 2.8
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 2.8 of the Security+ exam is that you be able to summarize
the basics of cryptographic concepts. Cryptography is the practice of using
mathematics to obscure the meaning of sensitive information to people who
aren't authorized to view it. Cryptography has two basic operations. The first is
encryption. Encryption uses an encryption key to take plain text sensitive
information and transform it into encrypted cipher text. The second is decryption.
Decryption takes that encrypted cipher text and uses a decryption key to return
encrypted information back into its plain text form. There are two major
categories of encryption algorithms: Symmetric encryption techniques use the
same key to encrypt and decrypt information. In those cases, you can think of a
shared secret key as the password to encrypt and decrypt the file. In asymmetric
encryption algorithms, different keys are used to encrypt and decrypt the
information. These are known as a public and a private key. When we're
encrypting information for confidentiality, we encrypt that information with the
public key belonging to the person that we want to read the information. When
that person receives the encrypted information, they decrypt it using their own
private key, and then they're able to see the original plain text. When you're
evaluating encryption algorithms, you should check for two things. First, that the
encryption algorithm itself is secure against attack. And second, that you're using
a key that's long enough to protect against exploits where attackers might try to
guess the key. One of the easiest ways that you can make an encryption algorithm
more secure is to increase the key length. We can use encryption to achieve many
different security objectives. We can use it to support confidentiality, integrity,
obfuscation, authentication and non-repudiation. In confidentiality, we're
protecting the secrecy of information. In integrity, we're making sure that
information isn't altered by unauthorized individuals. With obfuscation, we're
trying to avoid sharing the intent of our information with other people. And in
authentication, we're gaining the ability to verify a user's claim of identity. Nonrepudiation allows us to prevent someone from later denying that they've sent a
message. The main way that we achieve non-repudiation is through the use of
digital signatures. In a digital signature, the sender of a message uses
cryptography to affix their digital signature to a message in a way that the
recipient can then later prove to someone else that the originator actually sent
that message. Let's talk a little bit about how that works. When you digitally sign a
document, The first thing that you do is create a message digest by taking that
document and running it through a hashing algorithm. This produces a short
summary of the message which the signer then encrypts using their own private
key. That encrypted message digest is then known as a digital signature. The
sender then attaches that digital signature to the message and sends it on. When
the recipient receives a digitally signed message, they remove the digital
signature. They then decrypt that signature with the sender's public key, and in
doing so, they obtain the message digest that was originally encrypted by the
sender. Then using the same hash function that the sender used, they compute
their own message digest from the plain text message. They then compare the
message digest that they computed with the message digest that they decrypted
from the digital signature. If those two values match, the recipient then knows
that the message is authentic and did indeed come from the person who owns
that public key. Another use of cryptography that you should be familiar with is
steganography. This is hiding message in either plain text or encrypted form
inside of other files. Steganography can be used to exchange secret information in
plain sight. Steganography often embeds messages in audio files, video files, and
images. As you prepare for the exam, you should also be familiar with the concept
of quantum computing and quantum communications. This is taking the
principles of quantum physics and applying them to computing in a way that
provides massive computing power. Now there aren't practical applications of
quantum computing today, but we have to prepare for a potential post-quantum
world. Because if quantum computing is ever achieved in any useful form, it has
the potential to undermine all of the encryption technologies that we're using
today. Those are the important things that you need to know about cryptography
as you prepare for the Security+ exam.
Objective 3.1
Selecting transcript lines in this section will navigate to timestamp in the video
- The third domain of the Security Plus Exam is implementation. This domain has
nine objectives. The first objective, Objective 3.1 is that when given a
scenario, you'd be able to implement secure protocols. So let's talk through those
protocols for some different use cases. First, for voice and video, the
recommended secure protocol is SRTP, the Secure Real-Time Transport
Protocol. It's also important that you keep the times on all of your devices
synchronized so that you can easily correlate log entries that are generated by
different devices. The Network Time Protocol, NTP, provides the service for your
network. There are a number of protocols associated with email. The first of these
is the Simple Mail Transfer Protocol, SMTP. SMTP is used to transfer email
messages between mail servers. Now the standard version of SMTP is not
encrypted but you can use the secure version of SMTP, SMTPS to have a secure
connection as you transfer mail messages. Email clients used by end users use
two different protocols to retrieve email from email servers, the Post Office
Protocol, POP3, and the Internet Message Access Protocol, IMAP. As with SMTP,
the plain versions of POP3, and IMAP are not secure, but there are secure
alternatives. POP3 over SSL, and the IMAP Secure or IMAPS protocol. You can
achieve end-to-end encryption for email messages using the Secure Multipurpose
Internet Mail Extensions or SMI Protocol. SMI adds encryption on top of
whatever other email transfer protocols you're using. Users access websites using
the insecure, and unencrypted Hypertext Transfer Protocol, HTTP. The secure
version of this protocol is the Hypertext Transfer Protocol over SSL or TLS called
HTTPS. Basic file transfers are handled by the File Transfer Protocol, FTP. As with
the other protocols we've discussed, the original version of FTP was not
secure. There are two different secure alternatives. The File Transfer Protocol
Secure, FTPS, and the SSH File Transfer Protocol, SFTP. You can access directory
services using the Lightweight Directory Access Protocol, LDAP, and the secure
version of this protocol is LDAP Secure or LDAPS. The Secure Shell or SSH
Protocol provides for encrypted administrative connections to remote
servers. You can build secure remote access virtual private network tunnels using
a variety of protocols including the Internet Protocol Secure or IPsec. IPsec uses
two distinct protocols, Authentication Header, AH, which provides authentication
for packets sent over the VPN connection, and the Encapsulating Security
Payload or ESP that provides both confidentiality and authentication. IPsec can be
run in two different modes, transport mode and tunnel mode. In tunnel
mode, two remote sites are connected to each other, and any packet sent
between those sites are wrapped in a new packet that's completely encrypted
using Ipsec. In transport mode, the IP header remains unencrypted, and the
remainder of the packet is sent securely. Domain name resolution is an important
network function that allows us to use friendly domain names instead of IP
addresses. We use the Domain Name System, DNS to perform these look-ups. The
DNS Security Extensions or DNSSEC add strong authentication to DNS queries to
ensure that the responses from servers that you receive are actually
legitimate. When managing routers and switches, administrators often use the
Simple Network Management Protocol, SNMP. If you're using SNMP, it's
important to ensure that you're using SNMP version three because that version is
secure while earlier versions of SNMP are insecure. Finally, Network Address
Allocation provides systems with IP addresses that they can use on a local
network. The main protocol used for this purpose is the Dynamic Host
Configuration Protocol, DHCP. Those are the important protocols that you need to
know as you prepare for the Security Plus Exam.
Objective 3.2
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 3.2 of the Security Plus exam is that when given a
scenario, you can implement host or application security solutions. Let's begin by
talking about endpoint protection solutions. You should use standard antivirus
and anti-malware software to protect your endpoints against malicious
software. Going beyond that, endpoint detection and response, or EDR solutions,
provide added security that allows administrators to manage the quarantine and
removal of malicious code found on systems. Data loss prevention, or DLP
technology, watches for endpoints that contain sensitive information that they
shouldn't, or that attempt to move sensitive information outside of the
organization. DLP solutions can then block those attempts. Next generation
firewall, or NGFW capabilities, block unwanted inbound network
connections. Host intrusion detection systems watch incoming traffic to a system
for signs of malicious activity. And host intrusion prevention systems go a step
further and actually block potentially malicious connections. Boot integrity is an
extremely important part of endpoint protection because if malicious code is
inserted into the boot process, that code can bypass many other operating
system protections. The unified extensible firmware interface, or UEFI, is the
primary method used for booting modern systems. When securing databases, one
of the most important things you can do is look for sensitive information in the
database that isn't necessary and remove that information. If you aren't able to
remove it, you can use techniques like hashing to transform it into a version that's
not sensitive. Tokenization similarly takes sensitive values and transforms them
into nonsensitive variants. The difference between hashing and tokenization is
that tokenization is reversible using a lookup table, while hashing is not
reversible. In the world of application security, one of the most important things
that you can do is perform input validation. That's checking any input that an
application receives from a user for signs of potentially malicious content before
passing it on to the application. You can also manage applications in your
environment by using an allow list or a block list. In the allow list approach, you
list the applications that are allowed to run in an organization, and no other
applications may be executed. Block lists take the opposite approach and list
applications that are not allowed to run in the organization, and presume that any
other code may be executed. Code signing is a technique that allows
developers to apply digital signatures to their code to show that it came from a
legitimate source. As developers create code, they should use secure coding
practices. They can then perform testing to verify that those practices are
functioning properly. This testing may include static code analysis, that simply
looks at the code for security flaws without executing it. Or dynamic code
analysis, which actually executes the code, probing it for vulnerabilities. Fuzzing is
a common dynamic code analysis technique that supplies many different
possible input values to an application. It's important to harden the systems that
reside on your network. Some of the key things that you can do are
removing open ports and unnecessary services on servers. Locking down registry
settings to make sure that they match your secure baseline. Encrypting discs using
full disc encryption or self-encrypting drives. Configuring the operating system to
operate in a secure manner. And performing regular patch management on both
the operating system and any applications, to make sure that you're automatically
receiving security updates as they become available. The last concept that you
need to know for this objective is the use of hardware security to manage
encryption keys. Most modern computers contain a special chip called the trusted
platform module, or TPM, that helps establish a hardware route of trust. This
ensures that an encrypted drive is actually placed in a computer that's authorized
to access that drive, before allowing the user to retrieve data from it. Those are
the important host and application security solutions that you need to know as
you prepare for the Security Plus exam.
Objective 3.3
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 3.3 of the Security+ exam is that when given a
scenario, you're able to implement secure network designs. Let's talk about a few
of these network design concepts. The first is load balancing. Load balancing
allows you to distribute work for a particular function amongst several different
servers. This provides resiliency because those servers provide redundancy to
each other, and it also adds security because if one server is compromised, you
can just take it out of the load balancer pool and continue operations. Load
balancing can be done in an active-active mode, where all of the servers are up
and running at any given time, or in an active-passive mode, where one or more
servers are the primary servers that are in active running mode, and the others
are in passive mode, and only become active if one of the active servers
fails. Network segmentation is used to group systems onto network
segments with systems of similar security levels. This is often achieved using
virtual local area networks, or VLANs. When designing an organization's network
segments, designers commonly use several different approaches. They use
firewalls to separate the internet from their intranet, which is designed for
internal users, and then they also create a demilitarized zone, or DMZ network,
also known as a screen subnet, where they can place systems that need to be
accessible from the outside world. This screened subnet approach limits the
damage that an attacker can cause if they compromise a system, because systems
on the screen subnet can't communicate with the internal network without
passing through the firewall. Many organizations also implement an extranet that
provides access to vendors and other trusted partners who need limited access to
the organization's network. Virtual private networks, or VPNs, provides secure
remote access for users, and they also connect different locations of a business
together over the internet. Virtual private networks function over public
networks by using encryption to keep traffic away from prying eyes. The primary
protocols used to implement VPNs are IP Sec, TLS, HTML 5, and the layer two
tunneling protocol, L2TP. Network access control systems, or NAC systems, are
used to authenticate devices before they're allowed to connect to the
organization's network. This authentication includes ensuring that the device is a
legitimate device owned by the organization and performing posture checking to
verify that the device is configured securely. This may be done using an agent
that's installed on the device or an agentless approach. Port security is a function
of network switches that verifies the MAC address of systems communicating on
the network. When port security is used, the switch registers the MAC address of
the first device that it sees on a switch port, and then doesn't allow any other
devices to use that port unless the port security is reset by an administrator. Jump
servers are devices that provide a way for administrators to move between
networks in a secure fashion. An administrator can connect to a jump server from
a remote network and then use that jump server to access internal systems. Proxy
servers are used to negotiate network connections for users inside a secure
network. Instead of connecting directly to remote web servers, users pass their
traffic through the proxy server, which then connects to the remote web server
on their behalf and performs content filtering to ensure that malicious traffic isn't
sent over the network. Networks also have intrusion detection systems and
intrusion prevention systems that use signature and anomaly detection
techniques to watch for signs of potentially malicious activity on the
network. Intrusion detection systems can alert administrators to that traffic, while
intrusion prevention systems can go a step further and actually block that
traffic from reaching the network.
Objective 3.4
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 3.4 of the Security Plus exam is that when given a
scenario, you'll be able to install and configure wireless security settings. The first
of these settings that you need to consider is the cryptographic protocol that
you're going to use. The options for cryptographic protocols are wired equivalent
privacy, otherwise known as WEP, wifi protected access, WPA, and WPA versions
two and three. Of these, WEP and the original WPA protocol are now considered
insecure and no longer acceptable for use. So they should not be used on modern
networks. That leaves us with two possibilities, WPA2 and WPA3. WPA2 uses a
technology called counter mode cipher blockchaining message authentication
protocol, or just CCMP. CCMP implements the advanced encryption standard on
wireless networks. Now while there are some security vulnerabilities in
WPA2, most security professionals still consider the protocol secure enough for
use on modern networks. WPA3, the more secure replacement for WPA2, is now
starting to be used on wireless networks. WPA3 uses a technology
called simultaneous authentication of equals, or SAE. SAE uses a key exchange
protocol that's based upon the Diffie-Hellman algorithm to exchange encryption
keys between a wireless network and a wireless client. The second major factor
that you need to consider is the method that you're going to use for
authentication. The first option is to use a pre-shared key in PSK mode. This
simply means that you have a password on your wireless network that you share
with anyone who wants to use the network. This approach is very easy to
implement at first, but it has a significant drawback. Anytime you want to change
the network password, you need to reconfigure all of the devices that connect to
your network. A better approach for wireless authentication is to use enterprise
mode. Networks running in enterprise mode use an individual's regular username
and password to allow access to the network. This has the advantage of being
able to uniquely identify users, and also control access to the network on a user
by user basis. When you're granting access to your wireless network to people
that you don't know, you have a couple of options. First, you could simply run an
open, unencrypted wireless network that allows anyone to use it. Second, you can
implement a captive portal. A captive portal is a webpage that pops up whenever
users want to access the network, that requires them to authenticate before they
gain access to the network. The standard for authentication on both wired and
wireless networks in enterprise mode is a protocol called IEEE 802.1x. This
standard uses the extensible authentication protocol, or EAP, to create a secure
connection between a wireless user and the wireless network. In these situations,
authentication is normally performed by a server running the RADIUS
protocol. RADIUS stands for remote authentication dial in user service. And while
it was originally created for dial up modem users, it's now widely used for
authentication to enterprise networks. As you're planning a wireless network, you
should think through a number of installation considerations. First, the physical
environment where you're installing the network may have a significant impact
on how radio waves travel around that environment. You should perform a site
survey to get a sense of the built environment in your organization, and how it
will affect wireless network propagation. This will help you place your wireless
access points appropriately and also decide on the channels that you want to use
to minimize interference with other wireless networks in the area. When your
wireless network is running, you can use a wifi analyzer to assess the coverage of
the wireless network in your organization. It's also very helpful to produce a heat
map. That's a visualization of the layout of your offices, showing graphically where
the wireless signal is weaker and where it's stronger. Those are the important
things that you need to know about wireless network security as you prepare for
the Security Plus exam.
Objective 3.5
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 3.5 of the Security+ exam is that when given a
scenario, you'll be able to implement secure mobile solutions. As we work
through the objective, the first things that we need to consider are the
connection methods that you can use for mobile devices. For broad network
connectivity, the two main options are cellular networking and wifi
networking. These allow access to the global internet for mobile devices, but
there are also a number of other protocols that you should be aware of that are
used locally by devices. For example, you can use the Bluetooth protocol to
connect wireless headsets, computers and other devices to your mobile
phone. You can use near-field communication, or NFC technology, for contactless
payments. And you can even use infrared networks or USB cables to share data
between mobile devices and other systems. You should also be familiar with two
specialized protocols. The global positioning system, or GPS, allows you to use
satellites to pinpoint your location on the Earth's surface. Radiofrequency
identification, or RFID technology, can be used to track devices in a small
area such as on a factory floor. Organizations should use mobile device
management, or MDM technology, to ensure that they maintain all of their
mobile devices in a secure configuration. You can use MDM packages to manage
the applications that are installed on a device, to perform content filtering and to
make sure that users are abiding by your organization's security and acceptable
use policies. You can also use this software to allow the remote wiping of remote
devices and to perform geo-fencing, to notify you when devices leave a defined
geographic area. Mobile device management technology also allows you to locate
devices using GPS and ensure that those devices are securely configured. This can
include making sure that they have screen locking, passwords and PINs enabled or
that they use strong biometric or other authentication technology. It also includes
enforcing full device encryption policies that ensure that the data on a lost device
isn't compromised. In cases where you need to use mobile devices for highly
secure applications, you can consider the use of hardware security modules on
micro SD cards to manage encryption keys or even have highly secure operating
systems such as SE Android on a device. As you manage the mobile devices in
your organization, you'll want to make sure that you're enforcing and monitoring
all of your organization's mobile security policies. Some of the things you should
consider are managing the applications that are installed in your
organization. You can do this through a full blown mobile application
management solution or you may create policies that limit the use of third-party
application stores, the side loading of apps by bringing them onto device through
a USB connection or StorageGuard and limiting the ability of a user to root or jail
break a device and bypass security controls by gaining administrative access to
the device. Security policies can also ensure that devices have current
firmware and that they receive over the air updates. They can prohibit carrier
unlocking that would allow a user to take the device from the current mobile
carrier and move it to another carrier. Policies can also limit camera use, the use
of text messaging or other phone services and the connection of external media
to the device. They can enable and disable cameras and microphones and GPS
tagging. Security policies can also limit the networking capabilities of mobile
devices. They might prevent devices from being used to create their own wireless
networks, to generate a hotspot, and they might disallow the tethering of other
devices to the mobile device to share connectivity. Finally, as you develop your
organization's mobile device philosophy, you can consider four different
deployment models. The first of these is corporate-owned devices. This is simply
where the organization purchases devices
Objective 3.6
Selecting transcript lines in this section will navigate to timestamp in the video
- Objective 3.6 of the Security Plus exam is that when given a scenario, you'd be
able to apply cyber security solutions to the cloud. As you're developing secure
cloud solutions, there are a number of important considerations that you should
have in mind. First, you should design your cloud solutions to make use of
different zones of service offered by your service provider. This allows you to
build high availability, resilient environments, that can remain up and
running even if an entire zone fails. You should also create resource policies that
limit what users can do in the cloud to minimize your organization's exposure. For
example, you might limit the number or type of server instances that an individual
user can create to limit the financial risk that you face in the event that that user
account is compromised. As you're selecting a cloud provider, you should
evaluate the different integrations that they have available with the technologies
that you already use and the ability that you'll have to perform auditing to
ensure that your organization's security policies are maintained. There are also
some security controls that you should implement that are service specific. For
example, when you're using cloud storage solutions, you should be able to
manage and monitor the permissions that users have to access those storage
solutions, the encryption technology that's used to protect data while it's in cloud
storage, and the replication and high availability capabilities of storage services to
perform data protection tasks. When you're using network resources in the
cloud, you should understand that the cloud allows you to create your own virtual
networks using a technology called virtual private clouds. You can create public
and private sub nets that are either exposed to the public internet or protected
behind firewalls offered by your cloud provider. This allows you to build a
segmented approach to cloud networking that's similar to the approach that you
would use in an on premise data center. When you're securing cloud computing
resources, one of the primary controls that you have are security groups. These
are the access control lists that determine what devices on the network are going
to be able to access your compute instances. You can think of security groups as
the equivalent of firewall rules in the cloud. Cloud computing resources can be
dynamically allocated by individual users of the cloud service, so you should make
sure that you have visibility into the number and types of instances that are being
used by your organization and when they're no longer necessary so that you don't
have unused instances continuing to accrue both costs and security risks. There
are a number of cloud specific security technologies that you can use to enhance
your cloud security posture. Cloud access service brokers, or CASB
solutions, integrate with many different cloud providers and provide you with a
single point of enforcement where you can specify your organization's cloud
security policies and then automatically implement those policies across all of the
cloud service providers that you use. Secure web gateway products intercept and
filter user requests for web resources, allowing you to enforce your content and
acceptable use policies. You should also consider the use of application security
controls such as web application firewalls to protect your organization's cloud
hosted web applications from attack. As you're working through the options
available to you for cloud solutions, you may wish to consider both the cloud
native security controls offered by your cloud service provider and the use of third
party cloud security solutions. As you sort through these options, you should
consider both cost and functionality as important criteria. Those are the
important things that you need to know about cyber security solutions in the
cloud as you prepare for the Security Plus exam.
Objective 3.7
Selecting transcript lines in this section will navigate to timestamp in the video
- Objective 3.7 of the Security+ exam is that when given a scenario, you'll be able
to implement identity and account management controls. Identity management is
one of the crucial foundational elements of a security program. You won't be able
to make any other security decisions unless you have confidence in your ability to
identify and authenticate users. Identity and access management, or IAM
solutions, use the concepts of subjects and objects. Subjects are the people,
systems, or services that want to gain access to resources, and objects are the
resources that they want to gain access to. Each subject that has an identity in the
identity and excess management system has a number of attributes associated
with their identity. These attributes may include things such as their job role, their
affiliation with the organization, the department that they're in, or any other
characteristics that are tied to their identity. The identity provider, or IdP, is the
organization that's providing that digital identity to a user. IdPs are commonly an
individual's employer, school, or similar organization. Users can prove their
identities through a variety of techniques that we discussed when we reviewed
authentication controls. It's common to use technologies other than
passwords, such as digital certificates, hardware or software security tokens,
smart cards, or SSH keys to authenticate a claim of identity. As you're building an
account management solution, you should be aware of the different types of
accounts that might exist. There is, of course, the standard user account and
super user accounts that have administrative privileges. Individuals who do have
administrative privileges should normally have both, an administrative account
and a normal user account that they use for their day-to-day work. They should
only access the administrative account when they actually need to execute a
command that requires those administrative privileges. You should avoid having
accounts in your organization that are shared between multiple people. The
reason for this is that the activities taken with those accounts can't then be tied
back to a single individual violating the principle of accountability. The same thing
is true for guest accounts or vendor accounts that might be shared among
multiple people. The other type of account you will most likely have in your
organization are service accounts. These are accounts that are not set up for
interactive login to systems by people, but they're used by operating systems and
applications when they need to gain access to resources. You'll want to create a
number of different account policies in your identity and access management
program. Some of these are around passwords. You might want policies that
specify whether passwords expire, if users are allowed to reuse old
passwords, which you can track by maintaining a password history, and the
complexity requirements for passwords, that is how long they need to be and
how many different character types they should contain. When evaluating user
access requests, identity and access management systems can also take other
factors into consideration. These include the IP address of the user, which gives
you an idea of their net worth location, as well as their geolocation that you might
obtain from GPS data. Using this technology, you can ensure that users are
located in a specific geographic area when you're granting them access to
resources. Similarly, you can use geofencing to notify you when an actively logged
in user leaves a specific geographic area, and geotagging to annotate log
entries with the user's physical location. You can use time-based logins to restrict
the hours of the day during which a user can access systems. Having a user's
location and time information also allows you to create access policies that
prohibit users from accessing systems when there's an impossible travel time
involved. For example, if a user logs in from a system in New York at 5:00 pm, and
then two hours later, logs in from France, that's an impossible travel time. The
same person could not have been physically present in New York, and then two
hours later, be present in France. These access policies allow you to build out a
strong identity and access management environment and create the ability to
lock out and disable accounts when you suspect suspicious activity. They also
allow you to build an environment where you're conducting regular audits of user
accounts to ensure that user activity matches your expectations. Those are the
important things that you need to know about identity and account
management, as you prepare for the Security+ exam.
Objective 3.8
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 3.8 of the Security+ exam is that when given a scenario
you'll be able to implement authentication and authorization
solutions. Authentication management is one of the important subtopics of this
objective. Authentication management technologies allow you to safeguard the
credentials that are used to access other resources. Passwords are still the most
common access control, and protecting those passwords is extremely
important. Most organizations encourage users to make use of password vault
technology that allows them to have a strong, unique password for each site that
they visit, and then easily manage and use those passwords. You can also use
hardware security technologies to protect passwords and access keys. The
Trusted Platform Module, or TPM, is a chip that's installed directly in a
device such as a laptop to allow you to manage the keys associated with data
stored on that laptop, such as when you're using full-drive encryption. Hardware
Security Modules, or HSMs, provide an enterprise-wide management
capability for passwords and other sensitive knowledge-based authentication
mechanisms. A number of technologies can assist you in building out
authentication and authorization solutions. We've already discussed the role that
technologies like the Extensible Authentication Protocol 802.1X and RADIUS play
in network authentication and authorization. There are a number of other
technologies that exist that allow you to work towards a single sign-on, or
SSO, environment where users can authenticate once and then use that
authentication session to gain access to many systems throughout your
organization's environment. One of the most important of these is the Kerberos
protocol. Kerberos provides a centralized authentication and authorization
solution that can be used for access to many different services throughout an
organization. Services that are enabled for use with Kerberos are known as
Kerberized services. There are also some older protocols, such as the Password
Authentication Protocol, PAP, and the Challenge-Handshake Authentication
Protocol, CHAP. These two protocols use insecure technologies to exchange
passwords and should no longer be used. Federated authentication
solutions allow you to use credentials from one organization with resources
belonging to another organization. There are a number of technologies
available to help you support this. The Security Assertion Markup Language, or
SAML, is an XML-based solution that allows for federated single sign-on. OpenID
Connect is a solution that allows you to use an account from one identity
provider to access resources from another provider. For example, when you log
on to a third-party website using your Google, Amazon, or Facebook
credentials that authentication session is most likely using OpenID
Connect. OAuth is a technology that allows you to authorize a service to access
resources that belong to you at another organization. For example, you can use
OAuth to allow a web service to access your Gmail account or your
calendar. There are a number of access control models in use in modern
cybersecurity programs. Mandatory Access Control, or MAC, systems are set up to
enforce existing security requirements without allowing any exceptions. In a MAC
solution each object is labeled with a security level, and each user is given a
security clearance. The system then enforces policies that restrict users to only
accessing resources at their security level or below. In a Discretionary Access
Control, or DAC, environment the individual owners of files and resources are
able to grant permission to other users to access those resources. Most modern
file systems use Discretionary Access Control for file system permissions. That's
because DAC makes it easy for users to control access to the files that they
create. Role-based access control systems grant access to resources based upon a
user's role in the organization, while attribute-based access control systems look
at one or more attributes of a user's identity when deciding whether to grant or
deny an authorization request. Firewalls implement a model known as rule-based
access control where they operate off of a predefined set of security rules to
enforce a security policy. As you're building out your authentication and
authorization solutions you should consider the implementation of a Privileged
Access Management, or PAM, platform that carefully manages and monitors the
use of administrative and other privileged accounts in your organization. Those
are the important things that you need to know about authentication and
authorization solutions as you prepare for the Security+ exam.
Objective 3.9
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 3.9 of the Security+ exam is that when given a
scenario, you'd be able to implement a public key infrastructure. The public key
infrastructure is based on asymmetric cryptography and it provides the ability for
users to securely share their public encryption keys with others and provide
others with the assurance that those keys are legitimate. The primary mechanism
for sharing these keys is the use of digital certificates. Digital certificates are
files that contain a user's public encryption key and are digitally signed by a
trusted third party known as a certificate authority or CA. These CAs are normally
well-known organizations that are widely trusted around the world. Certificate
authorities may rely upon a network of intermediate certificate authorities and
registration authorities to distribute their workload. When a user or system wants
to rely upon a digital certificate, it must first verify whether the certificate is
valid. The first step of this process is confirming that the digital signature on the
certificate is authentic and was created by a trusted certificate authority. Once
satisfied that the certificate is authentic, the next step is to determine whether
the certificate is still valid. Certificates contain expiration dates and an expired
certificate should not be trusted. In addition, certificate authorities have the
ability to revoke digital certificates if the associated encryption keys are
compromised. They can do this in two ways. First, they can maintain a list of
invalid certificates called a certificate revocation list or CRL that users can check
when validating a certificate. And second, they can use the Online Certificate
Status Protocol, OCSP, to provide real-time validation of the status of a digital
certificate. When you want to create a new digital certificate, you do this by
creating a certificate signing request, or CSR, and sending that CSR to a certificate
authority. The certificate authority will then validate your identity and if
appropriate, issue a digital certificate. These certificates may be issued to an
individual user or email address or to a system for use on a web server or other
service requiring encrypted connections. Each certificate contains a common
name, or CM, which is also known as the fully qualified domain name. This is the
system to which a digital certificate is issued. Certificates may be valid for
additional names and if so, those are contained in the certificate as subject
alternative names. Organizations may also obtain wildcard certificates that are
valid for any system across an entire domain or subdomain. Organizations that
don't want to bear the expense of obtaining certificates from a third-party
certificate authority may decide to create their own self-signed certificates. These
certificates are useful within an organization but they're generally not useful on
the web because users outside of the organization will not trust the
organization's internal certificate authority. When purchasing a digital
certificate, organizations may choose to purchase a domain validated or DV
certificate or an extended validation or EV certificate. DV certificates go through a
fairly simple authentication process that just certifies that the organization
obtaining the certificate has control of the domain name under which the
certificate is issued. EV certificates go through a more thorough authentication
process to confirm the identity of the organization obtaining the
certificate. Certificates are stored in files that come in a number of different
formats. The most common is the Distinguished Encoding Rules or DER
format. This is a binary certificate format that's normally stored in a file with the
.der, .crt or .cer file extension. The PEM certificate format is closely related to the
DER format. PEM stands for Privacy-Enhanced Mail, and it's an ASCII text
version of the binary DER certificate. You can easily convert between DER and
PEM certificates using tools like OpenSSL. PEM certificates are normally stores in
files with the .pem or .crt extensions. The Personal Information Exchange or PFX
format is another binary format that's commonly used by Windows systems. PFX
certificates typically have either a .pfx or .p12 file extension. You can also store
PFX certificates in text format using the .p7b format. This is an ASCII text
equivalent for binary PFX certificates. Those are the most important things that
you need to know about the public key infrastructure as you prepare for the
Security+ exam.
Objective 4.1
Selecting transcript lines in this section will navigate to timestamp in the video
- The fourth domain of the Security+ exam is Operations and Incident
Response. This domain has five objectives. The first of these objectives, objective
4.1, is that when given a scenario, you be able to use the appropriate tool to
assess organizational security. This objective requires that you be familiar with a
large number of security tools. We'll look at these in a few different
categories. The first category is Network Reconnaissance and Discovery, and the
first tool in this category is the Traceroute command. Traceroute is used to
identify the current network path between two systems. The Ping command is
used to test whether a remote system is up and running on the network, and the
Hping command is a version of Ping that allows you to customize the packets used
in your scan. The PathPing command is a Windows tool that combines the
functionality of both Ping and Traceroute. The netstat, or network statistics
command, is used to show you the active network connections on a device, while
the nc command, which is short for netcat, allows you to send and receive raw
text over a network connection. The ipconfig command on Windows systems and
the ifconfig command on Mac and Linux systems allows you to display and
modify the configuration of a network interface. The nslookup and dig
commands are used to perform DNS queries, while the ARP command is used to
perform Lookups using the Address Resolution Protocol. IP Scanners are used to
probe the systems active on a network, and the Nmap command is used to
identify the open ports on a remote system. Nessus is a vulnerability scanner used
to probe systems for active security vulnerabilities. The route command displays a
system's current network routing table. The curl command is used to retrieve
webpages and files from servers using a command-line interface. theHarvester,
Sniper, Scanless, and Dnsenum commands are used to automatically retrieve a
large amount of information about a remote system for use in network
reconnaissance. Cuckoo is an automated malware analysis tool, and those are the
important network reconnaissance and discovery commands that you need to be
familiar with. The next category of tools you need to know are the file
manipulation commands. These are commonly used on Linux systems. The head
command is used to display the first few lines of a file, while the tail command is
used to display the last few lines of a file. The cat command is used to display an
entire file, and the grep command is used to search for content within a file. The
chmod command is used to change a file's permissions, and the logger command
is used to send log entries to a centralized log server. The third category of tools
you need to be familiar with are shell and script environments. Secure Shell, or
the SSH command, is used to securely access remote systems and it's commonly
found in Linux environments. PowerShell is a scripting environment used for
administrative control of Windows systems. Python is a general purpose
programming language that's widely used for system administration, and the
OpenSSL library is an open-source implementation of the Transport Layer Security
or TLS protocol. The fourth category of tools you need to know about are Packet
Capture and replay tools. The tcpdump tool is a command-line utility used to
capture and record network traffic, while Wireshark is a graphical tool that offers
similar capabilities. The tcpreplay tool may be used to replay network traffic that
was captured using tcpdump or Wireshark. The fifth category of tools you need to
know are forensic tools. These include tools like dd, the disk dump command that
is used to create forensic images of hard drives, the mem dump command that is
used to save the current contents of the computer's memory, the WinHex editor
that's a hexadecimal editor useful in forensics, and the FTK and Autopsy
suites, which provide high-end forensic capabilities. Finally, you also need to be
familiar with the use of exploitation frameworks to automate penetration
tests and other security activities, password crackers to attempt brute force and
other attacks against password files, and data sanitization tools that are used to
permanently purge information from media. Those are the important tools that
you need to be familiar with as you're preparing for the Security+ exam.
Objective 4.2
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 4.2 of the Security+ exam is that you be able to summarize
the importance of policies, processes and procedures for incident response. Every
organization should have a carefully defined incident response plan that describes
how the organization will identify and respond to security incidents that take
place. The standard incident response process has six steps. The first step is
preparation. This is the work that we put in before an incident takes place to
ensure that we have the right policies and procedures outlined, resources
available, and people trained to respond to a security incident should one
occur. The second step of the incident response process is identification. This is
when an organization's security operation center or other resources identify that
a security incident is taking place. After detecting a security incident, we move
into phase three of incident response, containment. During the containment
phase, the priority is to isolate the damage caused by the security incident to limit
its spread. This may involve disconnecting systems from the network or taking
other actions to ensure that the damage caused by a security incident is
contained. After containing the incident, we move on to the fourth phase of
incident response, eradication. In the eradication phase, we're negating the
effects of the security incident and removing compromised resources from our
networks. After eradication is complete, we move on to the fifth stage of the
process, recovery, where the organization restores and resumes normal
operations. Finally, the incident response process concludes with a lessons
learned session, where all the major players involved in the incident response
effort gather together, physically or virtually, to review the security incident and
identify lessons they can draw from it to improve the organization's ability to
detect and respond to future incidents. Exercises play an important role in
incident response because they help an organization's incident response
team prepare for future incidents. Tabletop exercises simply gather
people around a physical or virtual conference table to discuss their roles in the
incident response process and perhaps walk through a scenario that's provided by
a facilitator and describe how they would respond if that scenario were to
actually occur. A structured walkthrough is similar in that it gathers people
together and asks them to review the incident response procedures that govern
their own activities and ensure that they're current and up to date. A simulation
exercise goes a step further and actually creates a fictitious security incident that
the team then responds to as they would if it were an actual incident. You can
think of a simulation exercise as a fire drill for incident response. Incident
responders should be familiar with a number of different attack frameworks that
describe how intruders typically operate, because the knowledge of these
tools and techniques used by hackers is invaluable when you're attempting to
contain, eradicate and recover from their activities. Some of the common attack
frameworks used in these approaches are the MITRE ATT&CK framework, the
diamond model of intrusion analysis, and the Lockheed Martin Cyber Kill
Chain. When responding to a security incident, it's very important that you
perform solid stakeholder management. This means ensuring that employees,
subject matter experts, management, law enforcement, the media, and the many
other people who will be interested in the outcome of the security incident are
communicated to appropriately and that each has the ability to interact with the
incident response team in an appropriate manner. Incident response processes
are also tightly aligned to an organization's continuity of operations planning
efforts. So the incident response team should also be well versed in the
organization's business continuity plan that's designed to ensure continued
operations in the event of an emergency and the disaster recovery plan, which is
designed to quickly recover operations in the event they are disrupted. All of the
records generated during an incident response effort should be governed by the
organization's retention policy that describes how long those records will be
preserved. Those are the important things that you need to know about incident
response policies, processes and procedures as you prepare for the Security+
exam.
Objective 4.3
Selecting transcript lines in this section will navigate to timestamp in the video
- Objective 4.3 of the Security+ exam is that when given an incident, you're able
to utilize appropriate data sources to support an investigation. Incident
responders have a large amount of information available to them, including the
output of vulnerability scans. This output is crucial to helping responders
understand how an intruder might have gained access to systems and identify
other systems that might be vulnerable to the same exploits. Security information
and event management systems play an important role in facilitating incident
response because they act as centralized aggregation points for all of an
organization's security logs and other information. Incident response teams can
use these SIEM systems to conduct trend analysis, respond to alerts, and
correlate events happening across many different systems. SIEMs are driven by
access to log files. These log files might come from network devices, operating
systems, applications, security devices, web servers and web applications, DNS
servers, authentication servers, and many other systems throughout the
organization that generate large amounts of information. Now, in isolation, these
individual sources of information might not be so useful, but when they're
aggregated and correlated by a SIEM, they might provide crucial insight into the
evolution of a security incident. All of these devices report back to the SIEM using
standardized technologies, such as the syslog protocol, which provides an open
standard for the communication of security log entries to the SIEM. Incident
response teams should also have access to information about the network. This
might include bandwidth monitors that show the levels of network activity on
different circuits, NetFlow logs, which show which systems were
communicating with each other, when, and how much data was exchanged, and
the output of protocol analyzers that can show the full contents of packets that
traveled over the network. The final source of information that's important to
incident responders is the metadata, the header information attached to email
messages, web exchanges, files, and mobile communications. By digging into this
metadata, incident responders can often find important clues about the origin of
different files and communications. Those are the important things that you need
to know about using data sources to support an investigation, as you prepare for
the Security+ exam.
Objective 4.4
Selecting transcript lines in this section will navigate to timestamp in the video
- Objective 4.4 of the Security Plus exam is that when given an incident, you be
able to apply mitigation techniques or controls to secure an environment. The
focus of this objective is recovery, restoring an organization's operations, not only
to the state that they were in before an incident, but to an even more secure
state that isn't vulnerable to the same type of incident. One of the most
important things that you can do in response to a security incident is
reconfiguring endpoint security solutions to avoid the same type of incident from
occurring in the future. This might involve setting up a quarantine where endpoint
security is tested before a system is allowed to join the network. In this case,
devices that don't meet security standards are placed on the quarantine
network, where they can access the resources required to update their security
configuration, but they don't have access to any other network
resources. Endpoint security can also be used to implement application
control that uses either an approved list of authorized applications or a block list
of unapproved applications to limit the software that can be run on a
device. During the recovery phase, incident responders might also make other
configuration changes to security devices, such as updating firewall
rules, reconfiguring mobile device management policies, implementing data loss
prevention technology, updating or revoking digital certificates, and
implementing or reconfiguring content filtering solutions that limit the web
resources that users may access. When configuring network
security, organizations should consider strategies of segmentation, isolation, and
removal. Network administrators use segmentation to divide networks into
logical segments, grouped by types of users or systems. In incident response,
segmentation allows you to contain the spread of an attack from compromised
systems without alerting the attacker to the fact that you've detected their
activity. To perform this type of containment, you can create a new virtual land
called a quarantine land and then move impacted systems to the quarantine
land with access controls that prevent those compromised systems from
communicating with other systems on your network. Isolation takes
segmentation to the next level. Instead of simply moving the compromised
systems to a different VLAN, they're moved to a network that is completely
disconnected from the rest of the network. Depending upon the isolation strategy
being used, those systems may still be able to communicate with each other and
are still connected to the internet so that they can communicate with the
attacker. Removal completely disconnects impacted systems from any
network. They're completely unable to communicate with other systems or the
internet and the attacker is cut off from access to those systems because they're
totally isolated from the network. The last important technology that you need to
be familiar with for incident response is security orchestration, automation, and
response, or SOAR technology. SOAR platforms use runbooks and playbooks to
automate responses to security incidents. They're tightly integrated with security
information and event management, or SIEM solutions, so that when a SIEM
product detects a potential security incident, the SOAR solution can automatically
implement a rapid response that protects the organization from an attack. Those
are the important things that you need to know about mitigation techniques used
to secure an environment during a security incident.
Objective 4.5
Selecting transcript lines in this section will navigate to timestamp in the video
- [Educator] Objective 4.5 of the security plus exam is that you be able to
explain the key aspects of digital forensics. Security professionals must be
familiar with the standards of documentation for evidence collected during an
incident response effort. This includes ensuring that evidence collected will be
admissible in court by maintaining a chain of custody that documents the process
used to collect the evidence and every person who came in contact with that
evidence from the time it was collected until it was presented in court. This
includes maintaining comprehensive timelines of the sequence of events that
contain time stamps and a time offset if system clocks are not synchronized. It
also includes tagging evidence with attributes that are important during the
investigation, documenting interviews perhaps using video recordings, and
maintaining event logs that show what happened during an incident response
effort. Incident responders must also be familiar with the legal hold process that
requires that an organization preserve any records that they believe might be
used in a court proceeding. As you acquire different types of digital evidence, you
should consider the order of volatility, that is, how likely it is that evidence will be
destroyed. More volatile evidence should be gathered before less volatile
evidence. The most volatile category of evidence are the contents of random
excess memory or RAM, which will be destroyed whenever power is removed
from a computer. After gathering the contents of memory, you should move on to
gathering files that are stored on the disc. First considering files that are kept in
temporary spaces that might be overwritten quickly and then gathering files that
are written to more permanent storage locations. There are many different
sources of evidence that you might use in a forensic investigation. These include
endpoint devices, servers, network devices, applications, and all of the other
artifacts that might provide crucial evidence to the investigation. Teams creating
forensic procedures should also consider the different circumstances when
gathering evidence from on-premises and cloud-based resources. Teams typically
have unrestricted access to on-premises resources but they might have more
difficulty gathering evidence from cloud service providers. It's important to
understand before an incident occurs the capabilities and limitations of cloud
service providers and their willingness to provide support for forensic
investigations. Preserving evidence is of the utmost importance and incident
responders are responsible for ensuring the integrity of evidence that they
gather. One of the primary mechanisms used to demonstrate the integrity of
evidence is hashing. Hash functions can be used to create a cryptographic
checksum of a file. These hash values can then later be used to demonstrate that
a file has not been modified from the time it was collected until the time it was
used as evidence. Digital signatures may also be added to evidence to provide
non-repudiation. Those are the important things that you need to know about
digital forensics as you prepare for the security plus exam.
Objective 5.1
Selecting transcript lines in this section will navigate to timestamp in the video
- The fifth domain of the Security Plus exam is governance, risk, and
compliance. This domain has five objectives. The first of these, objective 5.1, is
that you be able to compare and contrast various types of security
controls. Security professionals use a variety of different categories to group
similar security controls. We'll talk about two different ways. First, we'll discuss
grouping controls by their purpose or type, whether they're designed to
prevent, detect, correct, deter, or compensate for security issues. Then we'll
discuss them by their mechanism of action, the way that they work. This groups
them into the categories of technical, operational, and managerial
controls. Preventive controls are designed to stop a security issue from occurring
in the first place. A firewall that blocks unwanted network traffic is an example of
a preventive control. Detective controls identify potential security breaches that
require further investigation. An intrusion detection system that searches for
signs of network breaches is an example of a detective control. Corrective
controls remediate security issues that have already occurred. If an attacker
breaks into a system and wipes out critical information, restoring that information
from backup is an example of a corrective control. Deterrent controls seek to
prevent an attacker from attempting to violate security policies. Vicious guard
dogs and barbed wire fences are examples of deterrent controls. Physical controls
are security controls that impact the physical world. Examples of physical security
controls include fences, perimeter lighting, locks, fire suppression systems, and
burglar alarms. The final type of security control commonly used is the
compensating control. Compensating controls are designed to fill a known gap in
a security environment. For example, imagine that a facility has a tall barbed wire
fence surrounding it, but then has one gate in the fence with a turn-style that
allows authorized individuals access. One risk with this approach is that someone
might simply hop over the turn-style. The organization might place a guard at this
gate to monitor individuals entering the facility as a compensating control. The
second way that we can categorize controls is by their mechanism of action. This
group's controls as technical, operational, or managerial controls. Technical
controls are what the name implies. The use of technology to achieve security
objectives. Think about all the components of an IT infrastructure that performs
security functions. Firewalls, intrusion prevention systems, encryption, data loss
prevention, and antivirus software are all examples of technical security
controls. Operational controls include the processes that we put in place to
manage technology in the secure manner. These include many of the tasks that
security professionals carry out each day, such as user access reviews, log
monitoring, background checks, and conducting security awareness training. Now
it's sometimes a little tricky to tell the difference between technical and
operational controls. If you get an exam question on this topic, one trick is to
remember that operational controls are carried out by individuals while technical
controls are carried out by technology. For example, a firewall enforcing rules is a
technical control, while a system administrator reviewing firewall logs is an
operational control. Managerial controls are focused on the mechanics of the risk
management process. For example, one common management control is
conducting regular risk assessments to identify the threats, vulnerabilities, and
risks facing an organization or a specific information system. Other management
controls include conducting regular security planning and including security
considerations in an organization's change management, service acquisition, and
project management methodologies. Those are the important things that you
need to know about security controls as you prepare for the Security Plus exam.
Objective 5.2
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 5.2 of the Security+ exam is that you be able to explain the
importance of applicable regulations, standards, or frameworks that impact an
organization's security posture. This includes knowing the regulations,
standards, and legislation that apply to your organization. You'll need to know all
of the different national, territory, or state laws that may apply in the jurisdictions
where you operate. Two important ones that are specifically mentioned in the
exam objectives are the European Union's General Data Protection
Regulation, GDPR, which regulates the handling of personal
information belonging to European Union residents, and the Payment Card
Industry Data Security Standard, PCIDSS, which is a private regulation that applies
to credit card information. You should also note key security frameworks used by
security professionals as they configure and protect systems. These include the
security benchmarks and configuration standards for the Center for Internet
Security, CIS, and the risk management framework and cybersecurity framework
available from the National Institute of Standards and Technology, NIST. You
should also be familiar with the key standards from the International Organization
for Standardization. These ISO standards all have numbers and you need to know
four of them as you prepare for the Security+ exam. ISO 27001 is a standard for
information security management. ISO 27002 provides a reference set of
information security controls. ISO 27701 contains standards for information
privacy and ISO 31000 is a standard covering risk management. The Cloud
Security Alliance provides a cloud control matrix and reference architecture
useful for security professionals working in the cloud. You should also be familiar
with the benchmarks and secure configuration guides available from the vendors
who create the operating systems, servers, and network devices used in your
organization. You'll also need to be familiar with the ways used to verify the
security standards of cloud service providers that your organization relies
upon. The most common way to do this is through service organization control
audits. In particular, SOC 2 audits are designed to perform detailed testing of a
service provider's confidentiality, integrity, availability, and privacy controls. The
reports from SOC 2 audits often contain sensitive information and they're not
widely shared unless you're willing to sign a non-disclosure agreement with the
cloud service provider. There are two different types of audit report that you can
receive from a SOC 2 audit. Type one report simply describe the controls that a
service provider has in place and report the auditor's opinion on the suitability of
those controls. In a type one report, the auditor does not give an opinion on
whether the controls are working in an effective way. Type two reports contain
the same opinions as type one reports, but go further and they include the results
of the auditor actually testing the controls to verify that they're working
properly. The test used in a type two report must be run over a period of time,
which is typically six months. Those are the important things that you need to
know about regulations, standards, and frameworks as you prepare for the
Security+ exam.
Objective 5.3
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 5.3 of the Security+ exam is that you be able to explain the
importance of policies to organizational security. Let's begin by talking
about some personnel security policies. An acceptable use policy outlines the
ways that employees are permitted to use the technology assets of an
organization. Job rotation policies move personnel in sensitive positions through a
series of different jobs to give them different experiences and also to prevent
someone from remaining in a single sensitive position for a long period of
time where they might engage in illicit activity. Mandatory vacation policies
require that individuals take time away from the office where they don't have
access to systems to provide an opportunity to uncover any fraudulent
activity that might be taking place. Separation of duties policies say that one
person should not have two different permissions that when combined together
allow them to perform sensitive actions. The most common example of this is the
ability to create a new vendor in an account's payable system and the ability to
issue a check to that vendor. The least privileged policy says that
individuals should have the minimum set of permissions necessary to carry out
their job functions. Clean desk policies are designed to ensure that sensitive
papers aren't left laying in the open where someone might observe
them. Organizations use background checks to check for criminal history before
hiring new employees as part of the onboarding process. Also during the
onboarding process, personnel are asked to sign non-disclosure agreements, or
NDAs, where they agree to maintain the confidentiality of sensitive information
that they encounter. During an organization's off-boarding process, an
employee's permissions should be revoked, and they should be reminded of their
obligations under the non-disclosure agreement. Organizations should conduct
user training on a regular basis to remind employees of their security
responsibilities and the role that each person plays in keeping the organization
secure. This may include role-based training, computer-based training, phishing
campaigns and simulations and games such as capture the flag exercises that help
build security skills. It's important to use a diversity of training techniques to make
sure that your message gets across. The next set of policies that you should have
in place are third-party risk management policies that ensure that the vendors
and business partners in your supply chain are doing what they need to do to
maintain the security of information and systems that they manage on your
behalf. There are a variety of different agreements that you can use to manage
vendors. The first is a service level agreement, or SLA, which outlines the
performance expectations that you have of the vendor and the consequences if
they fail to meet those standards. Memorandums of understanding, or MOUs, are
informal agreements usually used inside an organization between business units
to outline a relationship between different units. Business partnership
agreements, or BPAs, are used when you're building a new partnership with an
external organization to outline the parameters of that partnership. As you're
working with vendor equipment, you should also watch for the end of life,
EOL, and end of service life, EOSL, announcements to ensure that you're
continuing to use equipment that's supported by the vendor. There are three
important data policies that you should have in place in your organization. Data
classification policies outline the requirements for classifying data. Data
governance policies outline the procedures that the organization will use to
manage the data life cycle and data retention policies outline what data the
organization will keep and the period of time it will maintain different types of
information. Credential policies outline the requirements for employees and third
parties with access to systems to handle passwords and other credentials. These
policies should specifically address device-based credentials, the use of service
accounts and the protections around administrator or root accounts. Finally,
organizations should have strong change management, change control and asset
management policies in place to ensure that systems are maintained
properly. Those are the important things that you need to know about policies as
you prepare for the Security+ exam.
Objective 5.4
Selecting transcript lines in this section will navigate to timestamp in the video
- [Instructor] Objective 5.4 of the Security+ exam is that you be able to
summarize risk management processes and concepts. Organizations face a variety
of different kinds of risk. Some of these are external to the organization, like
hackers, and some are internal to the organizations, such as malicious
employees. You need to watch for the risks associated with legacy systems, the
theft of intellectual property, and software licensing compliance concerns. When
you face a risk, there are four risk management strategies that you can adopt to
manage that risk. The first of these is risk mitigation. Risk mitigation controls
reduce the likelihood or impact of a potential risk if it should materialize. The
second risk management strategy is risk transference. Risk transference shifts
some of the risk to an outside organization. The most common example of risk
transference is the purchase of an insurance policy where the insurance provider
will cover the financial loss that your organization will experience if a risk
occurs. The third risk management strategy is risk avoidance. This is changing your
business practices to make a risk irrelevant to your organization. The fourth
strategy, risk acceptance, involves management acknowledging that a risk
exists, but deciding to continue business, despite that risk. And organizations
should record the risks that it's aware of in a risk register that logs risks and the
risk management strategies used to address different risks. During a risk control
assessment, assessors might create a risk matrix or heat map that shows which
risks are most likely to affect the organization and cause the most damage. This
may be done by engaging an outside provider, or by performing a selfassessment. When managing risk, an organization has to make some decisions
about its risk tolerance. This is the amount of risk that it's willing to accept. As
they're performing this assessment, they first look at the inherent risk facing
them. Inherent risk is the risk that exists because of the way that they do
business. The organization then implements controls to reduce that inherent
risk. The risk that's leftover after the implementation of controls is the residual
risk. And implementing controls can sometimes create new risks generated by the
controls themselves. You can determine the total risk facing an organization by
beginning with the inherent risk, then determining the residual risk, and adding
on the control risk. The goal of risk management activities is to ensure that the
total combination of residual and control risk is within the organization's risk
appetite. When you're performing risk assessments, you can use either a
qualitative or quantitative approach. In a qualitative approach, use subjective
categories like low, medium, and high to rate the likelihood and impact of each
risk. When you use a quantitative approach, you use numeric values to perform
that analysis. You determine the impact of a risk by calculating the single loss
expectancy, the amount of financial damage that would occur if the risk
materialized. You then compute the likelihood of a risk by determining the
annualized rate of occurrence, the number of times that you expect the risk to
materialize each year. To get a measure of overall risk, you multiply the single loss
expectancy by the annualized rate of occurrence to determine the annualized loss
expectancy. When you're performing this type of analysis, you should prepare for
all types of disasters, including environmental and man-made disasters, and those
from internal and external sources. During the risk management process, you
conduct a business impact analysis, or BIA. This analysis uses a number of
metrics to determine how well-prepared an organization is to recover from a
disaster that disrupts their normal operations. This includes determining the
recovery time objective, or RTO, which is the amount of time that the
organization can tolerate an outage, and the recovery point objective, or
RPO, which is the amount of data that the organization is willing to accept the loss
of in the event of a disruption. As you conduct this analysis, you should also
determine how often each piece of equipment is expected to fail. This is
determined using the mean time between failures, or MTBF, and you should also
determine the amount of time that it normally takes to bring the equipment back
after a failure, which is the mean time to repair, or MTTR. All of this should be
documented in your organization's disaster recovery plan, which identifies
mission essential functions and the systems that are critical to those functions. It
also performs a risk assessment of those functions, and then identifies recovery
plans that are designed to restore service after a disaster. Those are the
important things that you need to know about risk management as you prepare
for the Security+ exam.
Objective 5.5
- [Instructor] Objective 5.5, the final objective covered on the Security+ exam is
that you'll be able to explain privacy and sensitive data concepts in relation to
security. You should be able to explain the organizational consequences of
privacy and data breaches. This of course includes the financial damage that
might occur from the fines that you experience, but you also need to consider
reputational damage, the impact of identity theft on your customers, employees,
and other stakeholders, and the potential loss of intellectual property. In many
cases, you'll need to notify affected individuals of a security breach. You should
understand the escalation procedures used for data breaches within your
organization and the requirements that you may face for public notifications and
disclosures. Every organization should perform data classification that looks at
categories of sensitive information and provides the handling controls required
for those categories. Organizations use a variety of terms for their data
classifications. Common schemes include levels like public, private, sensitive,
confidential, critical, and proprietary. You may also have very specific
classification levels for different types of personal information that you handle
about individuals. The most general of these is personally identifiable information
or PII, which is any information that uniquely identifies an individual person. You
might also have categories for health information, financial information,
government data, and customer data. Organizations should use privacyenhancing technologies to better protect sensitive information. This includes
following the principle of data minimization, which says that you should only keep
the data that's absolutely necessary for your business. You should also use data
masking approaches to remove sensitive elements from information, tokenization
to replace sensitive elements with alternative values that can be reversed using a
lookup table, and anonymization and pseudo anonymization techniques that take
personally identifiable information and remove all the elements that make it
personally identifiable. There are a number of different roles and responsibilities
related to data handling. The data owner in an organization is a senior
executive who bears overall responsibility for a data element. The data owner is
responsible for ensuring that the organization follows its own data handling
practices and is accountable for maintaining the security and privacy of data. The
data owner often delegates some of their authority to data custodians and data
stewards who carry out the day-to-day activities of data handling. Under GDPR
and other privacy regimes, there are some special terms that you need to know. A
data controller is an organization that determines why and how an organization
processes personal information. A data processor is a third-party
organization that handles data on behalf of the data controller. Every organization
that handles personal data under GDPR is required to appoint a data protection
officer or DPO. The DPO is an individual within the organization who is
responsible for implementing privacy policies and serving as the organization's
main contact for privacy issues. It's important to outline security controls that
follow information throughout its life cycle. From the time that the information is
initially created or collected until it's eventually destroyed or archived. Privacy
and security professionals should perform impact assessments to determine any
points during the information life cycle where information may be exposed to
unauthorized use. Finally, organizations should post a clear privacy policy that
provides stakeholders with information that they need to know about how the
organization is handling their information in accordance with the terms of any
agreements that apply. Those are the important things that you need to know
about privacy and sensitive data as you prepare for the Security+ exam.
Final thoughts
- [Instructor] We covered a lot of material in this course over the five domains of
the Security+ exam. Attacks, threats and vulnerabilities, architecture and design,
implementation, operations and incident response, and governance risk and
compliance. Remember to use this audio course as a quick review before you take
the test. If you're wrapping up your studies, I now recommend that you try taking
a few practice exams and then register for the real thing. Good luck on the
Security+ exam.