Professor Messer’s SY0-601 CompTIA Security+ Course Notes James “Professor” Messer hƩp://www.ProfessorMesser.com Professor Messer’s SY0-601 CompTIA Security+ Course Notes WriƩen by James “Professor” Messer Copyright © 2020 by Messer Studios, LLC hƩp://www.ProfessorMesser.com All rights reserved. No part of this book may be reproduced or transmiƩed in any form or by any means, electronic or mechanical, including photocopying, recording, or by any informaƟon storage and retrieval system, without wriƩen permission from the publisher. First EdiƟon: November 2020 This is version 1.05 Trademark Acknowledgments All product names and trademarks are the property of their respecƟve owners, and are in no way associated or aĸliated with Messer Studios, LLC. “Professor Messer” is a registered trademark of Messer Studios LLC. “CompTIA” and “Security+” are registered trademarks of CompTIA, Inc. Warning and Disclaimer This book is designed to provide informaƟon about the CompTIA SY0-601 Security+ cerƟĮcaƟon exam. However, there may be typographical and/or content errors. Therefore, this book should serve only as a general guide and not as the ulƟmate source of subject informaƟon. The author shall have no liability or responsibility to any person or enƟty regarding any loss or damage incurred, or alleged to have incurred, directly or indirectly, by the informaƟon contained in this book. Contents 1.0 - AƩacks, Threats, and VulnerabiliƟes 1.1 - Phishing 1.1 - ImpersonaƟon 1.1 - Dumpster Diving 1.1 - Shoulder SurĮng 1.1 - Hoaxes 1.1 - Watering Hole AƩacks 1.1 - Spam 1.1 - InŇuence Campaigns 1.1 - Other Social Engineering AƩacks 1.1 - Principles of Social Engineering 1.2 - An Overview of Malware 1.2 - Viruses and Worms 1.2 - Ransomware and Crypto-malware 1.2 - Trojans and RATs 1.2 - Rootkits 1.2 - Spyware 1.2 - Bots and Botnets 1.2 - Logic Bombs 1.2 - Password AƩacks 1.2 - Physical AƩacks 1.2 - Adversarial ArƟĮcial Intelligence 1.2 - Supply Chain AƩacks 1.2 - Cloud-based vs. On-Premises AƩacks 1.2 - Cryptographic AƩacks 1.3 - Privilege escalaƟon 1.3 - Cross-site ScripƟng 1.3 - InjecƟon AƩacks 1.3 - Buīer OverŇows 1.3 - Replay AƩacks 1.3 - Request Forgeries 1.3 - Driver ManipulaƟon 1.3 - SSL Stripping 1.3 - Race CondiƟons 1.3 - Other ApplicaƟon AƩacks 1.4 - Rogue Access Points and Evil Twins 1.4 - Bluejacking and BluesnarĮng 1.4 - Wireless DisassociaƟon AƩacks 1.4 - Wireless Jamming 1.4 - RFID and NFC AƩacks 1.4 - Randomizing Cryptography 1.4 - On-Path AƩacks 1.4 - MAC Flooding and Cloning 1.4 - DNS AƩacks 1.4 - Denial of Service 1 1 1 2 2 3 3 3 4 4 5 5 6 7 7 8 8 8 9 9 10 11 11 12 12 12 13 13 14 14 15 16 17 17 18 19 19 19 20 20 20 21 21 21 22 1.4 - Malicious Scripts 1.5 - Threat Actors 1.5 - AƩack Vectors 1.5 - Threat Intelligence 1.5 - Threat Research 1.6 - Vulnerability Types 1.6 - Third-party Risks 1.6 - Vulnerability Impacts 1.7 - Threat HunƟng 1.7 - Vulnerability Scans 1.7 - Security InformaƟon and Event Management 1.8 - PenetraƟon TesƟng 1.8 - Reconnaissance 1.8 - Security Teams 2.0 - Architecture and Design 2.1 - ConĮguraƟon Management 2.1 - ProtecƟng Data 2.1 - Data Loss PrevenƟon 2.1 - Managing Security 2.1 - Site Resiliency 2.1 - Honeypots and DecepƟon 2.2 - Cloud Models 2.2 - Edge and Fog CompuƟng 2.2 - Designing the Cloud 2.2 - Infrastructure as Code 2.2 - VirtualizaƟon Security 2.3 - Secure Deployments 2.3 - Provisioning and Deprovisioning 2.3 - Secure Coding Techniques 2.3 - SoŌware Diversity 2.3 - AutomaƟon and ScripƟng 2.4 - AuthenƟcaƟon Methods 2.4 - Biometrics 2.4 - MulƟ-factor AuthenƟcaƟon 2.5 - Disk Redundancy 2.5 - Network Redundancy 2.5 - Power Redundancy 2.5 - ReplicaƟon 2.5 - Backup Types 2.5 - Resiliency 2.6 - Embedded Systems 2.6 - Embedded Systems CommunicaƟon 2.6 - Embedded Systems Constraints 2.7 - Physical Security Controls 2.7 - Secure Areas 23 23 24 25 26 27 28 29 30 30 31 32 32 33 33 33 34 35 35 36 37 37 38 39 40 41 41 42 42 43 44 44 45 46 47 47 47 48 48 49 50 51 52 52 54 2.7 - Secure Data DestrucƟon 2.8 - Cryptography Concepts 2.8 - Symmetric and Asymmetric Cryptography 2.8 - Hashing and Digital Signatures 2.8 - Cryptographic Keys 2.8 - Steganography 2.8 - Quantum CompuƟng 2.8 - Stream and Block Ciphers 2.8 - Blockchain Technology 2.8 - Cryptography Use Cases 2.8 - Cryptography LimitaƟons 3.0 - ImplementaƟon 3.1 - Secure Protocols 3.2 - Endpoint ProtecƟon 3.2 - Boot Integrity 3.2 - Database Security 3.2 - ApplicaƟon Security 3.2 - ApplicaƟon Hardening 3.3 - Load Balancing 3.3 - Network SegmentaƟon 3.3 - Virtual Private Networks 3.3 - Port Security 3.3 - Secure Networking 3.3 - Firewalls 3.3 - Network Access Control 3.3 - Proxies 3.3 - Intrusion PrevenƟon 3.3 - Other Network Appliances 3.4 - Wireless Cryptography 3.4 - Wireless AuthenƟcaƟon Methods 3.4 - Wireless AuthenƟcaƟon Protocols 3.4 - Installing Wireless Networks 3.5 - Mobile Networks 3.5 - Mobile Device Management 3.5 - Mobile Device Security 3.5 - Mobile Device Enforcement 3.5 - Mobile Deployment Models 3.6 - Cloud Security Controls 3.6 - Securing Cloud Storage 3.6 - Securing Cloud Networks 3.6 - Securing Compute Clouds 3.6 - Cloud Security SoluƟons 3.7 - IdenƟty Controls 3.7 - Account Types 3.7 - Account Policies 55 55 56 57 58 59 59 60 61 62 63 63 63 65 65 66 67 68 69 69 70 73 74 75 76 76 77 78 79 79 80 81 82 83 84 85 86 86 87 87 88 88 89 89 90 3.8 - AuthenƟcaƟon Management 3.8 - PAP and CHAP 3.8 - IdenƟty and Access Services 3.8 - Federated IdenƟƟes 3.8 - Access Control 3.9 - Public Key Infrastructure 3.9 - CerƟĮcates 3.9 - CerƟĮcate Formats 3.9 - CerƟĮcate Concepts 4.0 - OperaƟons and Incident Response 4.1 - Reconnaissance Tools 4.1 - File ManipulaƟon Tools 4.1 - Shell and Script Environments 4.1 - Packet Tools 4.1 - Forensic Tools 4.2 - Incident Response Process 4.2 - Incident Response Planning 4.2 - AƩack Frameworks 4.3 - Vulnerability Scan Output 4.3 - SIEM Dashboards 4.3 - Log Įles 4.3 - Log Management 4.4 - Endpoint Security ConĮguraƟon 4.4 - Security ConĮguraƟons 4.5 - Digital Forensics 4.5 - Forensics Data AcquisiƟon 4.5 - On-Premises vs. Cloud Forensics 4.5 - Managing Evidence 5.0 - Governance, Risk, and Compliance 5.1 - Security Controls 5.2 - Security RegulaƟons and Standards 5.2 - Security Frameworks 5.2 - Secure ConĮguraƟons 5.3 - Personnel Security 5.3 - Third-party Risk Management 5.3 - Managing Data 5.3 - CredenƟal Policies 5.3 - OrganizaƟonal Policies 5.4 - Risk Management Types 5.4 - Risk Analysis 5.4 - Business Impact Analysis 5.5 - Privacy and Data Breaches 5.5 - Data ClassiĮcaƟons 5.5 - Enhancing privacy 5.5 - Data Roles and ResponsibiliƟes 91 91 92 93 93 94 95 96 97 98 98 99 100 100 101 101 103 104 104 105 105 106 107 107 108 109 110 111 111 111 112 112 113 114 115 116 116 117 117 118 119 119 120 120 121 IntroducƟon InformaƟon technology security is a signiĮcant concern for every IT specialist. Our systems are under constant aƩack, and the next generaƟon of security professionals will be at the forefront of keeping our criƟcal informaƟon safe. CompTIA’s Security+ exam tests you on the speciĮcs of network security, vulnerabiliƟes and threats, cryptography, and much more. I’ve created these Course Notes to help you through the details that you need to know for the exam. Best of luck with your studies! - Professor Messer The CompTIA Security+ cerƟĮcaƟon To earn the Security+ cerƟĮcaƟon, you must pass a single SY0-601 cerƟĮcaƟon exam. The exam is 90 minutes in duraƟon and includes both mulƟple choice quesƟons and performance-based quesƟons. Performancebased quesƟons can include Įll-in-the-blank, matching, sorƟng, and simulated operaƟonal environments. You will need to be very familiar with the exam topics to have the best possible exam results. Here’s the breakdown of each technology secƟon and the percentage of each topic on the SY0-601 exam: SecƟon 1.0 - AƩacks, Threats, and VulnerabiliƟes - 24% SecƟon 2.0 - Architecture and Design - 21% SecƟon 3.0 - ImplementaƟon - 25% SecƟon 4.0 - OperaƟons and Incident Response - 16% SecƟon 5.0 - Governance, Risk, and Compliance - 14% CompTIA provides a detailed set of exam objecƟves that provide a list of everything you need to know before you take your exam. You can Įnd a link to the exam objecƟves here: hƩps://professormesser.com/objecƟves/ How to use this book Once you’re comfortable with all of the secƟons in the oĸcial CompTIA SY0-601 exam objecƟves, you can use these notes as a consolidated summary of the most important topics. These Course Notes follow the same format and numbering scheme as the exam objecƟves, so it should be easy to cross reference these notes with the Professor Messer video series and all of your other study materials. The CompTIA Security+ video training series can be found on the Professor Messer website at hƩps://ProfessorMesser.com. Professor Messer’s CompTIA Security+ SY0-601 Course Notes hƩp://www.ProfessorMesser.com 1.1 - Phishing Phishing • Social engineering with a touch of spooĮng – OŌen delivered by email, text, etc. – Very remarkable when well done • Don’t be fooled – Check the URL • Usually there’s something not quite right – Spelling, fonts, graphics Tricks and misdirecƟon • How are they so successful? – Digital slight of hand - it fools the best of us • Typosquaƫng – A type of URL hijacking - hƩps://professormessor.com – Prepending: hƩps://pprofessormesser.com • PretexƟng – Lying to get informaƟon – AƩacker is a character in a situaƟon they create – Hi, we’re calling from Visa regarding an automated payment to your uƟlity service… Pharming • Redirect a legit website to a bogus site – Poisoned DNS server or client vulnerabiliƟes • Combine pharming with phishing – Pharming - Harvest large groups of people – Phishing - Collect access credenƟals • Diĸcult for anƟ-malware soŌware to stop – Everything appears legiƟmate to the user Phishing with diīerent bait • Vishing (Voice phishing) is done over the phone or voicemail – Caller ID spooĮng is common – Fake security checks or bank updates • Smishing (SMS phishing) is done by text message – SpooĮng is a problem here as well – Forwards links or asks for personal informaƟon • VariaƟons on a theme – The fake check scam, phone veriĮcaƟon code scam, – Boss/CEO scam, advance-fee scam – Some great summaries on hƩps://reddit.com/r/Scams Finding the best spot to phish • Reconnaissance – Gather informaƟon on the vicƟm • Background informaƟon – Lead generaƟon sites – LinkedIn, TwiƩer, Facebook, Instagram – Corporate web site • AƩacker builds a believable pretext – Where you work – Where you bank – Recent Įnancial transacƟons – Family and friends Spear phishing • Targeted phishing with inside informaƟon – Makes the aƩack more believable • Spear phishing the CEO is “whaling” – Targeted phishing with the possibility of a large catch – The CFO (Chief Financial Oĸcer) is commonly speared • These execuƟves have direct access to the corporate bank account – The aƩackers would love to have those credenƟals 1.1 - ImpersonaƟon The pretext • Before the aƩack, the trap is set – There’s an actor and a story • “Hello sir, my name is Wendy and I’m from MicrosoŌ Windows. This is an urgent check up call for your computer as we have found several problems with it.” • Voice mail: “This is an enforcement acƟon executed by the US Treasury intending your serious aƩenƟon.” • “CongratulaƟons on your excellent payment history! You now qualify for 0% interest rates on all of your credit card accounts.” © 2020 Messer Studios, LLC ImpersonaƟon • AƩackers pretend to be someone they aren’t – Halloween for the fraudsters • Use some of those details from reconnaissance – You can trust me, I’m with your help desk • AƩack the vicƟm as someone higher in rank – Oĸce of the Vice President for Scamming • Throw tons of technical details around – Catastrophic feedback due to the depolarizaƟon of the diīerenƟal magnetometer • Be a buddy – How about those Cubs? Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 1 Ʃp Profe orMe er.com 1.1 - ImpersonaƟon (conƟnued) EliciƟng informaƟon • ExtracƟng informaƟon from the vicƟm – The vicƟm doesn’t even realize this is happening – Hacking the human • OŌen seen with vishing (Voice Phishing) – Can be easier to get this informaƟon over the phone • These are well-documented psychological techniques – They can’t just ask, “So, what’s your password?” IdenƟty fraud • Your idenƟty can be used by others – Keep your personal informaƟon safe! • Credit card fraud – Open an account in your name, or use your credit card informaƟon • Bank fraud – AƩacker gains access to your account or opens a new account • Loan fraud – Your informaƟon is used for a loan or lease • Government beneĮts fraud – AƩacker obtains beneĮts on your behalf Protect against impersonaƟon • Never volunteer informaƟon – My password is 12345 • Don’t disclose personal details – The bad guys are tricky • Always verify before revealing info – Call back, verify through 3rd parƟes • VeriĮcaƟon should be encouraged – Especially if your organizaƟon owns valuable informaƟon 1.1 - Dumpster Diving Dumpster diving • Mobile garbage bin – United States brand name “Dumpster” – Similar to a rubbish skip • Important informaƟon thrown out with the trash – Thanks for bagging your garbage for me! • Gather details that can be used for a diīerent aƩack – Impersonate names, use phone numbers • Timing is important – Just aŌer end of month, end of quarter – Based on pickup schedule Is it legal to dive in a dumpster? • I am not a lawyer. – In the United States, it’s legal – Unless there’s a local restricƟon • If it’s in the trash, it’s open season – Nobody owns it • Dumpsters on private property or “No Trespassing” signs may be restricted – You can’t break the law to get to the rubbish • QuesƟons? Talk to a legal professional. Protect your rubbish • Secure your garbage – Fence and a lock • Shred your documents – This will only go so far – Governments burn the good stuī • Go look at your trash – What’s in there? 1.1 - Shoulder SurĮng Shoulder surĮng • You have access to important informaƟon – Many people want to see – Curiosity, industrial espionage, compeƟƟve advantage • This is surprisingly easy – Airports / Flights – Hallway-facing monitors – Coīee shops • Surf from afar – Binoculars / Telescopes – Easy in the big city – Webcam monitoring © 2020 Messer Studios, LLC • PrevenƟng shoulder surĮng • Control your input – Be aware of your surroundings • Use privacy Įlters – It’s amazing how well they work • Keep your monitor out of sight – Away from windows and hallways • Don’t sit in front of me on your Ňight – I can’t help myself Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 2 Ʃp Profe orMe er.com 1.1 - Hoaxes Computer hoaxes • A threat that doesn’t actually exist – But they seem like they COULD be real • SƟll oŌen consume lots of resources – Forwarded email messages, printed memorandums, wasted Ɵme • OŌen an email – Or Facebook wall post, or tweet, or... • Some hoaxes will take your money – But not through electronic means • A hoax about a virus can waste as much Ɵme as a regular virus De-hoaxing • It’s the Internet. Believe no one. – Consider the source • Cross reference – hƩp://www.hoax-slayer.net – hƩp://www.snopes.com • Spam Įlters can help – There are so many other ways... • If it sounds too good to be true... – So many sad stories 1.1 - Watering Hole AƩacks Watering Hole AƩack • What if your network was really secure? – You didn’t even plug in that USB key from the parking lot • The aƩackers can’t get in – Not responding to phishing emails – Not opening any email aƩachments • Have the mountain come to you – Go where the mountain hangs out – The watering hole – This requires a bit of research ExecuƟng the watering hole aƩack • Determine which website the vicƟm group uses – Educated guess - Local coīee or sandwich shop – Industry-related sites • Infect one of these third-party sites – Site vulnerability – Email aƩachments • Infect all visitors – But you’re just looking for speciĮc vicƟms – Now you’re in! Because that’s where the money is • January 2017 • Polish Financial Supervision Authority, NaƟonal Banking and Stock Commission of Mexico, State-owned bank in Uruguay – The watering hole was suĸciently poisoned • VisiƟng the site would download malicious JavaScript Įles – But only to IP addresses matching banks and other Įnancial insƟtuƟons • Did the aƩack work? – We sƟll don’t know Watching the watering hole • Defense-in-depth – Layered defense – It’s never one thing • Firewalls and IPS – Stop the network traĸc before things get bad • AnƟ-virus / AnƟ-malware signature updates – The Polish Financial Supervision Authority aƩack code was recognized and stopped by generic signatures in Symantec’s anƟ-virus soŌware 1.1 - Spam Spam • Unsolicited messages – Email, forums, etc. – Spam over Instant Messaging (SPIM) • Various content – Commercial adverƟsing – Non-commercial proselyƟzing – Phishing aƩempts • SigniĮcant technology issue – Security concerns – Resource uƟlizaƟon – Storage costs – Managing the spam © 2020 Messer Studios, LLC Mail gateways • Unsolicited email – Stop it at the gateway before it reaches the user – On-site or cloud-based IdenƟfying spam • Allowed list – Only receive email from trusted senders • SMTP standards checking – Block anything that doesn’t follow RFC standards • rDNS - Reverse DNS – Block email where the sender’s domain doesn’t match the IP address • Tarpiƫng – IntenƟonally slow down the server conversaƟon • Recipient Įltering – Block all email not addressed to a valid recipient email address Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 3 Ʃp Profe orMe er.com 1.1 - InŇuence Campaigns Hacking public opinion • InŇuence campaigns – Sway public opinion on poliƟcal and social issues • NaƟon-state actors – Divide, distract, and persuade • AdverƟsing is an opƟon – Buy a voice for your opinion • Enabled through Social media – CreaƟng, sharing, liking – AmpliĮcaƟon Hybrid warfare • Military strategy – A broad descripƟon of the techniques – Wage war non-tradiƟonally • Not a new concept – The Internet adds new methods • Cyberwarfare – AƩack an enƟty with technology • InŇuence with a military spin – InŇuencing foreign elecƟons – “Fake news” 1.1 - Other Social Engineering AƩacks TailgaƟng • Use an authorized person to gain unauthorized access to a building – Not an accident • Johnny Long / No Tech Hacking – Blend in with clothing – 3rd-party with a legiƟmate reason – Temporarily take up smoking – I sƟll prefer bringing doughnuts • Once inside, there’s liƩle to stop you – Most security stops at the border Watching for tailgaƟng • Policy for visitors – You should be able to idenƟfy anyone • One scan, one person – A maƩer of policy or mechanically required • Mantrap / Airlock – You don’t have a choice • Don’t be afraid to ask – Who are you and why are you here? © 2020 Messer Studios, LLC Invoice scams • Starts with a bit of spear phishing – AƩacker knows who pays the bills • AƩacker sends a fake invoice – Domain renewal, toner cartridges, etc. – From: address is a spoofed version of the CEO • AccounƟng pays the invoice – It was from the CEO, aŌer all • Might also include a link to pay – Now the aƩacker has payment details CredenƟal harvesƟng • Also called password harvesƟng – AƩackers collect login credenƟals • There are a lot of stored credenƟals on your computer – The aƩacker would like those – Chrome, Firefox, Outlook, Windows CredenƟal Manager, etc. • User receives an email with a malicious MicrosoŌ Word doc – Opening the document runs a macro – The macro downloads credenƟal-harvesƟng malware • User has no idea – Everything happens in the background Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 4 Ʃp Profe orMe er.com 1.1 - Principles of Social Engineering EīecƟve social engineering • Constantly changing – You never know what they’ll use next • May involve mulƟple people – And mulƟple organizaƟons – There are Ɵes connecƟng many organizaƟons • May be in person or electronic – Phone calls from aggressive “customers” – Emailed funeral noƟĮcaƟons of a friend or associate Social engineering principles • Authority – The social engineer is in charge – I’m calling from the help desk/oĸce of the CEO/police • InƟmidaƟon – There will be bad things if you don’t help – If you don’t help me, the payroll checks won’t be processed • Consensus / Social proof – Convince based on what’s normally expected – Your co-worker Jill did this for me last week • Scarcity – The situaƟon will not be this way for long – Must make the change before Ɵme expires • Urgency – Works alongside scarcity – Act quickly, don’t think • Familiarity / Liking – Someone you know, we have common friends • Trust – Someone who is safe – I’m from IT, and I’m here to help How I Lost My $50,000 TwiƩer Username • Naoki Hiroshima - @N – hƩps://professormesser.link/twiƩername • AƩacker calls PayPal and uses social engineering to get the last four digits of the credit card on Įle • AƩacker calls GoDaddy and tells them he lost the card, so he can’t properly validate. But he has the last four, does that help? – GoDaddy let the bad guy guess the Įrst two digits of the card – He was allowed to keep guessing unƟl he got it right – Social engineering done really, really well How to steal a $50,000 TwiƩer name • AƩacker is now in control of every domain name – And there were some good ones • AƩacker extorts a swap – Domain control for @N – Owner agrees • TwiƩer reviewed the case for a month – Eventually restored access to @N • How I Lost My $50,000 TwiƩer Username – hƩps://professormesser.link/twiƩername 1.2 - An Overview of Malware Malware • Malicious soŌware – These can be very bad • Gather informaƟon – Keystrokes • ParƟcipate in a group – Controlled over the ‘net • Show you adverƟsing – Big money • Viruses and worms – Encrypt your data – Ruin your day Malware Types and Methods • Viruses • Crypto-malware • Ransomware • Worms • Trojan Horse © 2020 Messer Studios, LLC • Rootkit • Keylogger • Adware/Spyware • Botnet How you get malware • These all work together – A worm takes advantage of a vulnerability – Installs malware that includes a remote access backdoor – Bot may be installed later • Your computer must run a program – Email link - Don’t click links – Web page pop-up – Drive-by download – Worm • Your computer is vulnerable – OperaƟng system - Keep your OS updated! – ApplicaƟons - Check with the publisher Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 5 Ʃp Profe orMe er.com 1.2 - Viruses and Worms Virus • Malware that can reproduce itself – It needs you to execute a program • Reproduces through Įle systems or the network – Just running a program can spread a virus • May or may not cause problems – Some viruses are invisible, some are annoying • AnƟ-virus is very common – Thousands of new viruses every week – Is your signature Įle updated? Virus types • Program viruses – It’s part of the applicaƟon • Boot sector viruses – Who needs an OS? • Script viruses – OperaƟng system and browser-based • Macro viruses – Common in MicrosoŌ Oĸce Fileless virus • A stealth aƩack – Does a good job of avoiding anƟ-virus detecƟon • Operates in memory – But never installed in a Įle or applicaƟon Fileless virus infecƟon process Worms • Malware that self-replicates – Doesn’t need you to do anything – Uses the network as a transmission medium – Self-propagates and spreads quickly 1 • Worms are preƩy bad things – Can take over many systems very quickly • Firewalls and IDS/IPS can miƟgate many worm infestaƟons – Doesn’t help much once the worm gets inside 2 Infected computer searches for vulnerable system Vulnerable computer is exploited 3 © 2020 Messer Studios, LLC Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 6 Ʃp Backdoor is installed and downloads worm Profe orMe er.com 1.2 - Ransomware and Crypto-malware Your data is valuable • Personal data – Family pictures and videos – Important documents • OrganizaƟon data – Planning documents – Employee personally idenƟĮable informaƟon (PII) – Financial informaƟon – Company private data • How much is it worth? – There’s a number Ransomware • The aƩackers want your money – They’ll take your computer in the meanƟme • May be a fake ransom – Locks your computer “by the police” • The ransom may be avoided – A security professional may be able to remove these kinds of malware Crypto-malware • A newer generaƟon of ransomware – Your data is unavailable unƟl you provide cash • Malware encrypts your data Įles – Pictures, documents, music, movies, etc. – Your OS remains available – They want you running, but not working • You must pay the bad guys to obtain the decrypƟon key – Untraceable payment system – An unfortunate use of public-key cryptography ProtecƟng against ransomware • Always have a backup – An oŋine backup, ideally • Keep your operaƟng system up to date – Patch those vulnerabiliƟes • Keep your applicaƟons up to date – Security patches • Keep your anƟ-virus/anƟ-malware signatures up to date – New aƩacks every hour • Keep everything up to date 1.2 - Trojans and RATs Trojan horse • Used by the Greeks to capture – Troy from the Trojans – A digital wooden horse • SoŌware that pretends to be something else – So it can conquer your computer – Doesn’t really care much about replicaƟng • Circumvents your exisƟng security – AnƟ-virus may catch it when it runs – The beƩer Trojans are built to avoid and disable AV • Once it’s inside it has free reign – And it may open the gates for other programs PotenƟally Unwanted Program (PUP) • IdenƟĮed by anƟ-virus/anƟ-malware – PotenƟally undesirable soŌware – OŌen installed along with other soŌware • Overly aggressive browser toolbar • A backup uƟlity that displays ads • Browser search engine hijacker Backdoors • Why go through normal authenƟcaƟon methods? – Just walk in the back door • OŌen placed on your computer through malware – Some malware soŌware can take advantage of backdoors created by other malware • Some soŌware includes a backdoor (oops) – Old Linux kernel included a backdoor – Bad soŌware can have a backdoor as part of the app © 2020 Messer Studios, LLC Remote Access Trojans (RATs) • Remote AdministraƟon Tool – The ulƟmate backdoor – AdministraƟve control of a device • Malware installs the server/service/host – AƩacker connects with the client soŌware • Control a device – Key logging – Screen recording /screenshots – Copy Įles – Embed more malware ProtecƟng against Trojans and RATs • Don’t run unknown soŌware – Consider the consequences • Keep anƟ-virus/anƟ-malware signatures updated – There are always new aƩacks • Always have a backup – You may need to quickly recover Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 7 Ʃp Profe orMe er.com 1.2 - Rootkits Rootkits • Originally a Unix technique – The “root” in rootkit • ModiĮes core system Įles – Part of the kernel • Can be invisible to the operaƟng system – Won’t see it in Task Manager • Also invisible to tradiƟonal anƟ-virus uƟliƟes – If you can’t see it, you can’t stop it Kernel drivers • Zeus/Zbot malware – Famous for cleaning out bank accounts • Now combined with Necurs rootkit – Necurs is a kernel-level driver • Necurs makes sure you can’t delete Zbot – Access denied • Trying to stop the Windows process? – Error terminaƟng process: Access denied Finding and removing rootkits • Look for the unusual – AnƟ-malware scans • Use a remover speciĮc to the rootkit – Usually built aŌer the rootkit is discovered • Secure boot with UEFI – Security in the BIOS 1.2 - Spyware Adware • Your computer is one big adverƟsement – Pop-ups with pop-ups • May cause performance issues – Especially over the network • Installed accidentally – May be included with other soŌware • Be careful of soŌware that claims to remove adware – Especially if you learned about it from a pop-up Spyware • Malware that spies on you – AdverƟsing, idenƟty theŌ, aĸliate fraud • Can trick you into installing – Peer to peer, fake security soŌware • Browser monitoring – Capture surĮng habits • Keyloggers - Capture every keystroke – Send it back to the mother ship Why is there so much adware and spyware? • Money – Your eyeballs are incredibly valuable • Money – Your computer Ɵme and bandwidth is incredibly valuable • Money – Your bank account is incredibly valuable – Yes, even your bank account ProtecƟng against adware/spyware • Maintain your anƟ-virus / anƟ-malware – Always have the latest signatures • Always know what you’re installing – And watch your opƟons during the installaƟon • Where’s your backup? – You might need it someday – Cleaning adware isn’t easy • Run some scans - Malwarebytes 1.2 - Bots and Botnets Bots (Robots) • Once your machine is infected, it becomes a bot – You may not even know • How does it get on your computer? – Trojan Horse (I just saw a funny video of you! Click here.) or... – You run a program or click an ad you THOUGHT was legit, but... – OS or applicaƟon vulnerability • A day in the life of a bot – Sit around. Check in with the Command and Control (C&C) server. Wait for instrucƟons. © 2020 Messer Studios, LLC Botnets • A group of bots working together – Nothing good can come from this • Distributed Denial of service (DDoS) – The power of many • Relay spam, proxy network traĸc, distributed compuƟng tasks • Botnets are for sale – Rent Ɵme from the botnet owner – Not a long-term business proposiƟon Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 8 Ʃp Profe orMe er.com
