SECURITY+ EXAM CRAM
DOMAIN 3: IMPLEMENTATION
with Pete Zerger CISSP, vCISO, MVP

CompTIA Security+ Exam Cram, EXAM NUMBER: SY0-601
Covering all topics in the official Security+ exam objectives.

EXAM OBJECTIVES (DOMAINS)
1.0 Attacks, Threats, and Vulnerabilities   24%
2.0 Architecture and Design                 21%
3.0 Implementation                          25%
4.0 Operations and Incident Response        16%
5.0 Governance, Risk, and Compliance        14%

INTRODUCTION: SERIES OVERVIEW
Lessons in this series: an intro, one lesson for each exam domain, and 5-10 shorter supplemental lessons.
This lesson covers 3.0 Implementation.
3.0 IMPLEMENTATION
3.1 Given a scenario, implement secure protocols

Protocols
• Domain Name System Security Extensions (DNSSEC)
• SSH
• Secure/Multipurpose Internet Mail Extensions (S/MIME)
• Secure Real-time Transport Protocol (SRTP)
• Lightweight Directory Access Protocol Over SSL (LDAPS)
• File Transfer Protocol, Secure (FTPS)
• SSH File Transfer Protocol (SFTP)
• Simple Network Management Protocol, version 3 (SNMPv3)
• Hypertext transfer protocol over SSL/TLS (HTTPS)
• IPSec
  • Authentication header (AH)/Encapsulating Security Payloads (ESP)
  • Tunnel/transport
• Post Office Protocol (POP)/Internet Message Access Protocol (IMAP)

Use cases
• Voice and video
• Time synchronization
• Email and web
• File transfer
• Directory services
• Remote access
• Domain name resolution
• Routing and switching
• Network address allocation
• Subscription services

Implement = choose the right protocol for a use case.

SECURE PROTOCOLS & USE CASES

PROTOCOL                                                     TCP/UDP PORT   USE CASES
Secure Shell (SSH)                                           22             Secure remote access (Linux and network)
Secure copy protocol (SCP)                                   22             Secure copy to Linux/Unix
SSH File Transfer Protocol (SFTP)                            22             Secure FTP download
DNSSEC                                                       TCP/UDP 53     Secure DNS traffic
Kerberos                                                     TCP/UDP 88     Secure authentication
Simple Network Management Protocol version 3 (SNMP v3)       UDP 162        Remote monitoring and configuration of SNMP entities (such as network devices)
Lightweight Directory Access Protocol over SSL (LDAPS)       636            Secure directory services information (e.g. Active Directory Domain Services)
Hypertext Transport Protocol over TLS/SSL (HTTPS)            443            Secure web browsing
Transport Layer Security (TLS) / Secure Sockets Layer (SSL)  443            Secure data in transit
Internet Protocol Security (IPSec)                           UDP 500        Secure VPN session between two hosts

Know the protocols and modes for IPSec.

PROTOCOL                                                     TCP/UDP PORT   USE CASES
Secure Simple Mail Transfer Protocol (SMTPS)                 587            Secure SMTP (email)
Secure Internet Message Access Protocol (IMAP4)              993            Secure IMAP (email)
Secure Post Office Protocol 3 (POP3)                         995            Secure POP3 (email)
Secure/Multipurpose Internet Mail Extensions (S/MIME)        993            Encrypt or digitally sign email
File Transfer Protocol, Secure (FTPS)                        989/990        Download large files securely
Remote Desktop Protocol (RDP)                                3389           Secure remote access
Session Initiation Protocol (SIP)                            5060/5061      Signaling and controlling in Internet telephony for voice and video
Secure Real Time Protocol (SRTP)                             5061           Encryption, message auth, and integrity for audio and video over IP networks

For the exam, grouping by use case may be helpful in memorization.

IPSEC PROTOCOLS AND MODES
Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols
• AH protocol provides a mechanism for authentication only. Because AH does not perform encryption, it is faster than ESP.
• ESP protocol provides data confidentiality (encryption) and authentication (data integrity, data origin authentication, and replay protection). ESP can be used with confidentiality only, authentication only, or both confidentiality and authentication.

Transport and tunnel modes
• In transport mode, the IP addresses in the outer header are used to determine the IPsec policy that will be applied to the packet. It is good for ESP host-to-host traffic.
• In tunnel mode, two IP headers are sent. The inner IP packet determines the IPsec policy that protects its contents. It is good for VPNs and gateway-to-gateway security.
3.0 IMPLEMENTATION
3.2 Given a scenario, implement host or application security controls

• Endpoint protection
  • Antivirus
  • Anti-malware
  • Endpoint detection and response (EDR)
  • DLP
  • Next-generation firewall (NGFW)
  • Host-based intrusion prevention system (HIPS)
  • Host-based intrusion detection system (HIDS)
  • Host-based firewall
• Boot integrity
  • Boot security/Unified Extensible Firmware Interface (UEFI)
  • Measured boot
  • Boot attestation
• Database
  • Tokenization
  • Salting
  • Hashing
• Application security
  • Input validations
  • Secure cookies
  • Hypertext Transfer Protocol (HTTP) headers
  • Code signing
  • Allow list
  • Block list/deny list
  • Secure coding practices
  • Static code analysis
  • Manual code review
  • Dynamic code analysis
  • Fuzzing
• Hardening
  • Open ports and services
  • Registry
  • Disk encryption
  • OS
  • Patch management
    • Third-party updates
    • Auto-update
• Self-encrypting drive (SED)/full-disk encryption (FDE)
  • Opal
• Hardware root of trust
• Trusted Platform Module (TPM)
• Sandboxing

ENDPOINT PROTECTION
These capabilities are generally delivered together in a single solution.

Antivirus: a software program designed to detect and destroy viruses and other malicious software from the system.

Anti-malware: a program that protects the system from all kinds of malware including viruses, Trojans, worms, and potentially unwanted programs.

Endpoint Detection and Response (EDR): an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities. EDR usually goes beyond AV signature-based protection to identify potentially malicious behaviors (aka zero-day or "emerging threats").

Data Loss Prevention (DLP): a way to protect sensitive information and prevent its inadvertent disclosure.
• DLP can identify, monitor, and automatically protect sensitive information in documents.
• Protects personally identifiable information (PII), protected health information (PHI) and more.
• Policies can typically be applied to email, SharePoint, cloud storage, and in some cases, even databases.

Modern firewalls
• Web Application Firewall (aka "WAF"): protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet. Typically protects web applications from common attacks like XSS, CSRF, and SQL injection. Some come pre-configured with OWASP rulesets.
• Next Generation Firewall (aka "NGFW"): a deep-packet inspection firewall that moves beyond port/protocol inspection and blocking. Adds application-level inspection, intrusion prevention, and brings intelligence from outside the firewall.

IDS and IPS
• Intrusion Detection System (IDS): analyzes whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated.
• Intrusion Prevention System (IPS): analyzes whole packets, both header and payload, looking for known events. When a known event is detected, the packet is rejected.

Host-based IDS and IPS: IDS/IPS in software form, installed on a host (often a server).
• Host-based Intrusion Detection System (HIDS): analyzes whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated.
• Host-based Intrusion Prevention System (HIPS): analyzes whole packets, both header and payload, looking for known events. When a known event is detected, the packet is rejected.

Host-based firewall: an application firewall that is built into desktop operating systems, like Windows or Linux. Because it is an application, it is more vulnerable to attack in some respects (versus a hardware firewall). Restricting service/process access to ensure malicious parties cannot stop/kill it is important.
Host-based and network-based firewalls are often used together in a layered defense.

BOOT INTEGRITY
Boot integrity ensures hosts are protected during the boot process, so all protections are in place when the system is fully operational.

Unified Extensible Firmware Interface (UEFI): a modern version of the Basic Input/Output System (BIOS) that is more secure and is needed for a secure boot of the OS. The older BIOS cannot provide secure boot.

Measured Boot: all components from the firmware, applications, and software are measured and the information is stored in a log file. The log file is on the Trusted Platform Module (TPM) chip on the motherboard.

Trusted Secure Boot and Boot Attestation: operating systems such as Windows 10 can perform a secure boot at startup where the OS checks that all of the drivers have been signed. If they have not, the boot sequence fails as the system integrity has been compromised. This can be coupled with attestation, where the software integrity has been confirmed. BitLocker implements attestation and its keys are stored on the TPM.

DATABASES
Tokenization: takes sensitive data, such as a credit card number, and replaces it with random data. It is deemed more secure than encryption because it cannot be reversed. For example, many payment gateway providers store the credit card details securely and generate a random token. Tokenization can help companies meet PCI DSS and HIPAA compliance requirements.

Hashing: a database may contain a massive amount of data, and hashing is used to index and fetch items from a database. This makes the search faster as the hash key is shorter than the data. The hash function maps data to where the actual records are held.

Salting: salting passwords in a database adds random text before hashing to increase the compute time for a brute-force attack, and renders rainbow tables ineffective.

APPLICATION SECURITY
Implement application security controls to prevent attacks.
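To make the salting point concrete, here is an added Python example (not from the presentation) that compares an unsalted SHA-256 password store, which a precomputed table of common passwords hits instantly, with a per-user salted PBKDF2 store that the same table cannot touch. The password list and the two users are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Work factor for PBKDF2: more iterations means more compute per guess.
ITERATIONS = 100_000

# Constructed list of "common" passwords an attacker might precompute.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]


def hash_unsalted(password: str) -> str:
    """Single SHA-256 over the password alone. Every user with the same
    password gets the same digest, so one precomputed table covers them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Random per-user salt + PBKDF2-HMAC-SHA256 with a high iteration count.
    Returns (salt, derived_key); the salt is stored beside the key, not hidden."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, dk


def verify_salted(password: str, salt: bytes, stored_dk: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, dk = hash_salted(password, salt)
    return hmac.compare_digest(dk, stored_dk)


def build_rainbow_table() -> dict:
    """Toy stand-in for a rainbow table: digest -> plaintext for common passwords."""
    return {hash_unsalted(p): p for p in COMMON_PASSWORDS}


def crack_unsalted(digest: str) -> Optional[str]:
    """Table lookup: succeeds only because the store has no salt."""
    return build_rainbow_table().get(digest)


def demo() -> dict:
    """Two constructed users (alice, bob) who happened to choose the same password."""
    pw = "letmein"
    alice_salt, alice_dk = hash_salted(pw)
    bob_salt, bob_dk = hash_salted(pw)
    return {
        # unsalted: identical digests for both users and an instant table hit
        "unsalted_identical": hash_unsalted(pw) == hash_unsalted(pw),
        "unsalted_cracked": crack_unsalted(hash_unsalted(pw)),
        # salted: same password, different stored values, table is useless
        "salted_identical": alice_dk == bob_dk,
        "salted_in_table": alice_dk.hex() in build_rainbow_table(),
        "alice_verifies": verify_salted(pw, alice_salt, alice_dk),
        "alice_wrong_password": verify_salted("Letmein", alice_salt, alice_dk),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```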
Input Validation: ensures buffer overflow, integer overflow, and SQL injection attacks cannot be launched against applications and databases.
• Use where data is entered either using a web page or wizard.
• Only accept data in the correct format within a range of minimum and maximum values.
• Incorrect format should be rejected, forcing the user to re-enter.

Secure Cookies: used by web browsers and contain information about your session.
• Can be stolen by attackers to carry out a session hijacking attack.
• Setting the secure flag in website code ensures that cookies are only downloaded when there is a secure HTTPS session.

Hypertext Transfer Protocol (HTTP) Headers: HTTP headers are designed to transfer information between the host and the web server.
• An attacker can carry out cross-site scripting (XSS) as it is mainly delivered through injecting HTTP response headers.
• Can be prevented by entering the HTTP Strict Transport Security (HSTS) header: HSTS ensures that the browser will ignore all HTTP connections.

Code Signing: uses a certificate to digitally sign scripts and executables to verify their authenticity and to confirm that they are genuine.

Allow List: an allow list enables only explicitly allowed applications to run. This can be done by setting up an application whitelist. Firewalls, IDS/IPS, and EDR systems can have an allow list.

Block List/Deny List: prevents specified applications from being installed or run by using a block/deny list in the specified security solution. Firewalls, IDS/IPS, and EDR systems can have a block list.

Secure Coding Practices: the developer who creates software writes code in a manner that ensures that there are no bugs or flaws. The intent is to prevent attacks such as buffer overflow or integer overflow.
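The input validation rules above (correct format, minimum and maximum, reject and re-enter) in working form, as an added Python example that is not part of the presentation: the vulnerable lookup builds SQL from raw input, the hardened lookup validates against an allow-list pattern and binds the value as a parameter. The users table, account names and the malformed input are constructed.

```python
import re
import sqlite3
from typing import Callable, List, Tuple

# Allow-list pattern: only the characters an account name may legitimately contain.
ACCOUNT_RE = re.compile(r"[A-Za-z0-9_]{3,16}")
# Numeric field with an explicit minimum and maximum.
MIN_QTY, MAX_QTY = 1, 100


def validate_account(raw: str) -> str:
    """Reject anything that is not 3-16 letters, digits or underscores."""
    if not ACCOUNT_RE.fullmatch(raw):
        raise ValueError("account: invalid format, re-enter")
    return raw


def validate_quantity(raw: str) -> int:
    """Accept only an ASCII integer within [MIN_QTY, MAX_QTY]."""
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("quantity: digits only, re-enter")
    qty = int(raw)
    if not MIN_QTY <= qty <= MAX_QTY:
        raise ValueError(f"quantity: must be {MIN_QTY}-{MAX_QTY}, re-enter")
    return qty


def rejects(validator: Callable[[str], object], raw: str) -> bool:
    """True when the validator refuses the input (the 'force re-enter' path)."""
    try:
        validator(raw)
    except ValueError:
        return True
    return False


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (account TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, raw: str) -> List[Tuple[str]]:
    """No validation and string-built SQL: the input becomes part of the query grammar."""
    query = f"SELECT email FROM users WHERE account = '{raw}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, raw: str) -> List[Tuple[str]]:
    """Validate first, then bind the value as a parameter, never as SQL text."""
    account = validate_account(raw)
    return conn.execute(
        "SELECT email FROM users WHERE account = ?", (account,)
    ).fetchall()


def demo() -> dict:
    conn = make_db()
    malformed = "x' OR '1'='1"  # constructed input that is not a valid account name
    try:
        lookup_hardened(conn, malformed)
        hardened_outcome = "accepted"
    except ValueError as exc:
        hardened_outcome = str(exc)
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, malformed)),  # whole table
        "hardened_rows_alice": len(lookup_hardened(conn, "alice")),
        "hardened_malformed": hardened_outcome,
    }


if __name__ == "__main__":
    print(demo())
```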
Static Code Analysis: analysis where the code is not executed locally but is analyzed by a static code analyzer tool. The source code is run inside the tool, which reports any flaws or weaknesses. Requires source code access.

Dynamic Code Analysis: the code is executed, and a technique called fuzzing is used to inject random input into the application. The output is reviewed to ensure appropriate handling of unexpected input. Exposes flaws in an application before it is rolled out to production. Does not require source code access.

Static and dynamic testing, as described in the CISSP exam:
• Static Application Security Testing (SAST): analysis of computer software performed without actually executing programs. Tests "inside out": the tester has access to the underlying framework, design, and implementation. Requires source code.
• Dynamic Application Security Testing (DAST): a program which communicates with a web application (executes the application). Tests "outside in": the tester has no knowledge of the technologies or frameworks that the application is built on. No source code required.

Manual Code Review: code is reviewed line by line to ensure that the code is well-written and error free. Tends to be tedious and time-consuming.

Fuzzing: random information is input into an application to see if the application crashes, memory leaks result, or error information is returned; this is called improper input validation. Used to remedy any potential problems within application code before a new application is released (white box testing scenario). Can also be used to find any vulnerabilities with the application after release (black box testing scenario).

HARDENING
Open ports and services: listening ports should be restricted to those necessary, filtered to restrict traffic, and disabled entirely if unneeded. Block through firewalls; disable by disabling the underlying service.

Registry: access should be restricted, and updates controlled through policy where possible. Always take a backup of the registry before you start making changes.

Disk encryption: drive encryption can prevent unwanted access to data in a variety of circumstances. Use FDE or SED, described later in this module.

OS: OS hardening can often be implemented through security baselines. Baselines can be applied through group policies or management tools (like MDM). Baselines can implement all the above.

Patch management (aka "update management"): ensures that systems are kept up-to-date with current patches. Patch management will evaluate, test, approve, and deploy patches. System audits verify the deployment of approved patches to systems. Patch both the native OS and 3rd party apps. Apply out-of-band updates promptly. Orgs without patch management will experience outages from known issues that could have been prevented.

DRIVE ENCRYPTION
• Full Disk Encryption (FDE): built into the Windows operating system. BitLocker is an implementation of FDE. Keys are stored on the TPM.
• Self-Encrypting Drive (SED): encryption on a SED is built into the hardware of the drive itself. Anything that is written to that drive is automatically stored in encrypted form. A good SED should follow the Opal Storage Specification.

Hardware root of trust: when certificates are used in FDE, they use a hardware root of trust for key storage. It verifies that the keys match before the secure boot process takes place. A TPM is often used as the basis for a hardware root of trust.

Trusted Platform Module (TPM): a chip that resides on the motherboard of the device. Multi-purpose, like storage and management of keys used for full disk encryption (FDE) solutions. Provides the operating system with access to keys, but prevents drive removal and data access.

Sandboxing: the application is installed in a virtual machine environment isolated from our network. Enables you to patch, test, and ensure that it is secure before putting it into a production environment. Also facilitates investigating dangerous malware. In a Linux environment, this is known as a "chroot jail".
3.0 IMPLEMENTATION
3.3 Given a scenario, implement secure network designs

• Load balancing
  • Active/active
  • Active/passive
  • Scheduling
  • Virtual IP
  • Persistence
• Network segmentation
  • Virtual local area network (VLAN)
  • Screened subnet (previously known as demilitarized zone)
  • East-west traffic
  • Extranet
  • Intranet
  • Zero Trust
• Virtual private network (VPN)
  • Always-on
  • Split tunnel vs. full tunnel
  • Remote access vs. site-to-site
  • IPSec
  • SSL/TLS
  • HTML5
  • Layer 2 tunneling protocol (L2TP)
• DNS
• Network access control (NAC)
  • Agent and agentless
• Out-of-band management
• Port security
  • Broadcast storm prevention
  • Bridge Protocol Data Unit (BPDU) guard
  • Loop prevention
  • Dynamic Host Configuration Protocol (DHCP) snooping
  • Media access control (MAC) filtering

LOAD BALANCING
A network load balancer (NLB) is a device that is used to direct traffic to an array of web servers, application servers, or other service endpoints. NLB = network load balancer = load balancer.

Configurations: there are several ways to set up a load balancer (LB).
• Active/Active: the load balancers act like an array, dealing with the traffic together as both are active. A single LB failure may degrade performance.
• Active/Passive: the active node is fulfilling load balancing duties and the passive node is listening and monitoring the active node. Should the active node fail, then the passive node will take over, providing redundancy.

Virtual IP: a virtual IP address eliminates a host's dependency upon individual network interfaces. Web traffic comes into the NLB from the Virtual IP address (VIP) on the frontend (FE); the request is sent to one of the web servers in the server farm on the backend (BE).

Scheduling: scheduling options, which determine how the load is distributed by the load balancer, include:
• Least Utilized Host: the NLB knows the status of all servers in the server farms and which web servers are the least utilized by using a scheduling algorithm.
• DNS Round Robin: when the request comes in, the load balancer contacts the DNS server and rotates the request based on the lowest IP address first.
• Affinity: when the LB is set to Affinity, the request is sent to the same web server based on the requester's IP address, IP+port, and/or session ID. Affinity configuration may be referred to in tuples (2-tuple, 3-tuple). This is also known as persistence or a sticky session, where the load balancer uses the same server for the session.

NETWORK SEGMENTATION
Used to control traffic and isolate static/sensitive environments.
• Intranet: a private network that is designed to host the information internal to the organization.
• Extranet: a cross between Internet and intranet; a section of an organization's network that has been sectioned off to act as an intranet for the private network but also serves information to external business partners or the public Internet. An extranet for public consumption is typically labeled a demilitarized zone (DMZ) or perimeter network.
• Zero Trust: addresses the limitations of the legacy network perimeter-based security model. Treats user identity as the control plane. Assumes compromise/breach in verifying every request; no entity is trusted by default. Pillars: verify identity, manage devices, manage apps, protect data.

Benefits of network segmentation
• Boosting Performance: segmentation can improve performance through an organizational scheme in which systems that often communicate are located in the same segment, while systems that rarely or never communicate are located in other segments.
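The load balancing section above (VIP front end, active/passive failover, and the least-utilized, round-robin and affinity scheduling options) as an added in-memory simulation in Python; it is not code from the presentation. Round robin here simply rotates through healthy backends rather than performing the DNS lookup the slide describes, and the VIP, client addresses and backend names are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Backend:
    name: str
    healthy: bool = True
    active_connections: int = 0


class LoadBalancer:
    """One NLB behind a virtual IP (VIP). The scheduling mode decides which
    backend in the server farm receives each request."""

    def __init__(self, vip: str, backends: List[Backend], mode: str = "round_robin"):
        self.vip = vip
        self.backends = backends
        self.mode = mode
        self._next = 0  # cursor for round robin

    def healthy_pool(self) -> List[Backend]:
        return [b for b in self.backends if b.healthy]

    def choose(self, client_ip: str, client_port: Optional[int] = None) -> str:
        pool = self.healthy_pool()
        if not pool:
            raise RuntimeError(f"no healthy backends behind VIP {self.vip}")
        if self.mode == "round_robin":
            backend = pool[self._next % len(pool)]
            self._next += 1
        elif self.mode == "least_utilized":
            backend = min(pool, key=lambda b: b.active_connections)
        elif self.mode == "affinity":
            # 2-tuple (client IP) or 3-tuple (client IP + port) hashed to a backend,
            # so the same client keeps landing on the same server (sticky session).
            key = client_ip if client_port is None else f"{client_ip}:{client_port}"
            digest = hashlib.sha256(key.encode()).digest()
            backend = pool[int.from_bytes(digest[:4], "big") % len(pool)]
        else:
            raise ValueError(f"unknown scheduling mode {self.mode}")
        backend.active_connections += 1
        return backend.name


class ActivePassivePair:
    """Two NLBs; only the active one serves. When it is marked failed, the
    passive node that has been monitoring it takes over."""

    def __init__(self, active: LoadBalancer, passive: LoadBalancer):
        self.active, self.passive = active, passive
        self.active_failed = False

    def current(self) -> LoadBalancer:
        return self.passive if self.active_failed else self.active

    def handle(self, client_ip: str) -> str:
        return self.current().choose(client_ip)


def farm() -> List[Backend]:
    """Constructed three-server web farm."""
    return [Backend("web1"), Backend("web2"), Backend("web3")]


def demo_round_robin() -> List[str]:
    lb = LoadBalancer("192.0.2.10", farm())
    return [lb.choose("198.51.100.7") for _ in range(4)]


def demo_least_utilized() -> str:
    pool = farm()
    pool[0].active_connections, pool[1].active_connections, pool[2].active_connections = 5, 1, 3
    return LoadBalancer("192.0.2.10", pool, "least_utilized").choose("198.51.100.7")


def demo_affinity() -> bool:
    """Ten requests from the same IP+port (3-tuple) must hit one backend."""
    lb = LoadBalancer("192.0.2.10", farm(), "affinity")
    picks = {lb.choose("198.51.100.7", 51000) for _ in range(10)}
    return len(picks) == 1


def demo_unhealthy_skipped() -> List[str]:
    pool = farm()
    pool[1].healthy = False  # web2 failed its health check
    lb = LoadBalancer("192.0.2.10", pool)
    return [lb.choose("198.51.100.7") for _ in range(3)]


def demo_failover() -> List[str]:
    pair = ActivePassivePair(LoadBalancer("192.0.2.10", farm()),
                             LoadBalancer("192.0.2.10", farm()))
    first = pair.handle("198.51.100.7")
    pair.active_failed = True  # active NLB goes down; passive takes over on the same VIP
    second = pair.handle("198.51.100.7")
    return [first, second]
```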
• Reducing Communication Problems: segmentation reduces congestion and contains communication problems, such as broadcast storms, to individual subsections of the network.
• Providing Security: segmentation can also improve security by isolating traffic and user access to those segments where they are authorized.

SECURE NETWORK DESIGN
East-west traffic: traffic that moves laterally between servers within a data center. North-south traffic moves outside of the data center.

Virtual Local Area Network (VLAN): a collection of devices that communicate with one another as if they made up a single physical LAN. Creates a distinct broadcast domain.

Screened subnet (aka "DMZ"): a subnet is placed between two routers or firewalls. Bastion host(s) are located within that subnet.

VIRTUAL PRIVATE NETWORK (VPN)
A VPN extends a private network across a public network, enabling users and devices to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.

• Always On mode: a low-latency point-to-point connection between two sites. A tunnel between two gateways that is "always connected".
• L2TP/IPSec: the most secure tunneling protocol, which can use certificates, Kerberos authentication, or a pre-shared key. L2TP/IPSec provides both a secure tunnel and authentication.
• Secure Socket Layer (SSL) VPN: works with legacy systems and uses SSL certificates for authentication.
• HTML5 VPN: similar to the SSL VPN, as it uses certificates for authentication. Easy to set up; you just need an HTML5-compatible browser such as Opera, Edge, Firefox, or Safari.

Split tunnel vs. full tunnel
• Full tunnel means using the VPN for all traffic, both to the Internet and the corporate network.
• Split tunnel uses the VPN for traffic destined for the corporate network only, and Internet traffic goes direct through its normal route.

Remote access vs. site-to-site
• Site-to-site: an IPSec site-to-site VPN uses an always-on mode where both packet header and payload are encrypted (IPSec tunnel mode).
• Remote access: a connection is initiated from a user's PC or laptop for a connection of shorter duration (IPSec transport mode).

DOMAIN NAME SYSTEM (DNS)
A hierarchical naming system that resolves a hostname to an IP address.

Fully-Qualified Domain Name (FQDN): a hostname + domain, for example server1.contoso.com.

Record Types
• A: IPv4 host
• AAAA: IPv6 host
• CNAME: Alias
• SRV records: finds services such as a domain controller
• MX: Mail server
• Sender Policy Framework (SPF): a text (TXT) record used by DNS to prevent spam and confirm the email has come from the domain it appears to come from.
• Domain-based Message Authentication, Reporting and Conformance (DMARC): another DNS text (TXT) record that is used by Internet Service Providers (ISPs) to prevent malicious email, such as phishing or spear phishing attacks.
SPF and DMARC are used together to secure email.

DNS components
• DNS Cache: stores recently resolved DNS requests for later reuse, reducing calls to the DNS server.
• Hosts File: a flat file where name and IP pairs are stored on a client. Often checked before a request is sent to the DNS server.
• DNS Server: normally maintains only the hostnames for domains it is configured to serve. The server is said to be "authoritative" for those domains.
• Root Server: DNS nameservers that operate in the root zone. They can also refer requests to the appropriate Top-Level Domain (TLD) server.

DNSSEC
A digitally signed record. Prevents unauthorized access to DNS records on the server.
Each DNS record is digitally signed, creating an RRSIG record to protect against attacks.

DNS ATTACKS
• DNS Poisoning: when an attacker alters the domain-name-to-IP-address mappings in a DNS system to redirect traffic to a rogue system or perform DoS against a system.
• DNS Spoofing: occurs when an attacker sends false replies to a requesting system, beating the real reply from the valid DNS server.
• DNS Hijacking (aka "DNS Redirection" attack): there are many ways to perform DNS hijacking; the most common way we see is used by a captive portal such as a pay-for-use WiFi hotspot.
• Homograph Attack: leverages similarities in character sets to register phony international domain names (IDNs) that appear legitimate to the naked eye, e.g. the Latin character "a" is replaced with the Cyrillic character "а" in example.com.

NETWORK ACCESS CONTROL
A desktop or laptop off the network for an extended period may need multiple updates upon return. After a remote client has authenticated, Network Access Control (NAC) checks that the device being used is patched and compliant with corporate security policies. A compliant device is allowed access to the LAN. A non-compliant device may be redirected to a boundary network where a remediation service addresses issues. The boundary network is sometimes called a "quarantine network".

Agentless vs. agent-based NAC
• Agentless: some operating systems include network access control as part of the operating system itself, and no additional agent is required. These generally perform checks when the system logs into the network and logs out of the network, making them less configurable.
• If you need additional functionality, you may require a persistent or dissolvable agent.
  • Persistent: a permanent agent is installed on the host.
  • Dissolvable: a dissolvable agent is known as temporary and is installed for a single use.

OUT-OF-BAND MANAGEMENT
Enables IT to work around problems that may be occurring on the network.
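A defender-side check for the homograph attack described in the DNS attacks section above, as an added Python example that is not part of the presentation: it flags a domain label that mixes scripts (Latin plus one Cyrillic letter, the slide's example) and shows the xn-- form the resolver actually sees. Script detection uses the first word of each character's Unicode name, which is enough for this demonstration but is not a full Unicode Script implementation; the sample domains are constructed.

```python
import unicodedata
from typing import Dict, List, Tuple


def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. LATIN, CYRILLIC, GREEK.
    Sufficient to tell the scripts on this page apart; not the full Unicode
    Script property."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def scripts_in_label(label: str) -> Dict[str, List[str]]:
    """Map each script seen in one DNS label to the characters using it.
    ASCII digits and hyphens are common to every script and are ignored."""
    found: Dict[str, List[str]] = {}
    for ch in label:
        if ch == "-" or (ch.isascii() and ch.isdigit()):
            continue
        found.setdefault(script_of(ch), []).append(ch)
    return found


def is_mixed_script(domain: str) -> bool:
    """A label that mixes scripts is the hallmark of a look-alike IDN."""
    return any(len(scripts_in_label(lbl)) > 1 for lbl in domain.split("."))


def to_punycode(domain: str) -> str:
    """What the resolver queries: IDN labels become xn-- ACE form, ASCII stays."""
    return domain.encode("idna").decode("ascii")


def inspect_domain(domain: str) -> dict:
    """Report suitable for a mail filter or log review: lists the characters
    that are not in the label's majority script, with code point and name."""
    odd: List[Tuple[str, str, str]] = []
    for lbl in domain.split("."):
        scripts = scripts_in_label(lbl)
        if len(scripts) < 2:
            continue
        majority = max(scripts, key=lambda s: len(scripts[s]))
        for script, chars in scripts.items():
            if script == majority:
                continue
            odd.extend((ch, f"U+{ord(ch):04X}", unicodedata.name(ch)) for ch in chars)
    return {
        "domain": domain,
        "ace": to_punycode(domain),
        "mixed_script": is_mixed_script(domain),
        "characters": odd,
    }


if __name__ == "__main__":
    # Constructed samples: genuine ASCII name and the slide's Cyrillic-a look-alike.
    for d in ["example.com", "ex\u0430mple.com"]:
        print(inspect_domain(d))
```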
Out-of-band management on devices may include cellular modems and serial interfaces. In larger environments, this out-of-band management function may be centralized.

PORT SECURITY
There are two types, 802.1x and switch port security.
• Port Security: when anyone, authorized or not, plugs their Ethernet cable into the wall jack, the switch allows all traffic. With port security, the port is turned off. Undesirable as it limits the functionality of the switch.
• 802.1x: the user or device is authenticated by a certificate before a connection is made. Prevents an unauthorized device from connecting and allows an authorized device to connect. Preferred, as it does not require limiting switch functionality.

Other protection that can be configured:
• Loop Protection: when two or more switches are joined together, they can create loops that create broadcast storms. Spanning Tree Protocol (STP) prevents this from happening by forwarding, listening, or blocking on some ports.
• Bridge Protocol Data Units (BPDU): frames that contain information about the STP. A BPDU attack will try to spoof the root bridge so that the STP is recalculated. A BPDU Guard enables the STP (Spanning Tree Protocol) to stop such attempts.
• DHCP Snooping: layer 2 security that prevents a rogue DHCP server from allocating IP addresses to a host on your network.
• MAC filtering: a list of authorized wireless client interface MAC addresses used by a wireless access point to block access to all non-authorized devices. Also factors in some Ethernet (wired) network scenarios. "MAC spoofing" is a way some attackers get around this.

3.0 IMPLEMENTATION
3.3 Given a scenario, implement secure network designs (continued)

• Network appliances
  • Jump servers
  • Proxy servers
    • Forward
    • Reverse
  • Network-based intrusion detection system (NIDS)/network-based intrusion prevention system (NIPS)
    • Signature-based
    • Heuristic/behavior
    • Anomaly
    • Inline vs. passive
  • HSM
  • Sensors
  • Collectors
  • Aggregators
  • Firewalls
    • Web application firewall (WAF)
    • NGFW
    • Stateful
    • Stateless
    • Unified threat management (UTM)
    • Network address translation (NAT) gateway
    • Content/URL filter
    • Open-source vs. proprietary
    • Hardware vs. software
    • Appliance vs. host-based vs. virtual
• Access control list (ACL)
• Route security
• Quality of service (QoS)
• Implications of IPv6
• Port spanning/port mirroring
  • Port taps
• Monitoring services
• File integrity monitors

NETWORK APPLIANCES
• Jump server: typically placed on a screened subnet, allows admins to connect remotely to the network.
• Forward proxy server: a server that controls requests from clients seeking resources on the Internet or an external network.
• Reverse proxy server: placed on a screened subnet, performs the authentication and decryption of a secure session to enable it to filter the incoming traffic.

Flavors of intrusion detection systems
• Host-based IDS: can monitor activity on a single system only. A drawback is that attackers can discover and disable them.
• Network-based IDS: can monitor activity on a network, and a NIDS isn't as visible to attackers.

Network-based IDS and IPS: IDS/IPS at the network level, often in hardware form.
• Network-based Intrusion Detection System (NIDS): analyzes whole packets, both header and payload, looking for known events. When a known event is detected, a log message is generated.
• Network-based Intrusion Prevention System (NIPS): analyzes whole packets, both header and payload, looking for known events. When a known event is detected, the packet is rejected.

TYPES OF IDS SYSTEMS
• Behavior-based (aka "anomaly-based" or "heuristic-based"): creates a baseline of activity to identify normal behavior and then measures system performance against the baseline to detect abnormal behavior. Can detect previously unknown attack methods.
• Signature-based: uses signatures similar to the signature definitions used by anti-malware software.
Signature-based IDS is also known as "knowledge-based" and is only effective against known attack methods. Both host-based and network-based systems can be knowledge based, behavior based, or a combination of both.

Modes of Operation
• Inline (aka "in-band"): NIDS/NIPS placed on or near the firewall as an additional layer of security.
• Passive (aka "out-of-band"): traffic does not go through the NIPS/NIDS. Sensors and collectors forward alerts to the NIDS.

Sensors and collectors: network appliances that can be placed on a network to alert the NIDS of any changes in traffic patterns on the network. If you place a sensor on the Internet side of the network, it can scan all of the traffic from the Internet.

HARDWARE SECURITY MODULE (HSM)
A physical computing device that safeguards and manages digital keys, and performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. Like a TPM, but HSMs are often removable or external devices.

TYPES OF FIREWALLS
• Web Application Firewall (aka "WAF"): protects web applications by filtering and monitoring HTTP traffic between a web application and the Internet. Typically protects web applications from common attacks like XSS, CSRF, and SQL injection. Some come pre-configured with OWASP rulesets.
• Next Generation Firewall (aka "NGFW"): a "deep-packet inspection" firewall that moves beyond port/protocol inspection and blocking. Adds application-level inspection, intrusion prevention, and brings intelligence from outside the firewall.
• Deep packet inspection: inspects and filters both the header and payload of a packet that is transmitted through an inspection point. Can detect protocol non-compliance, spam, viruses, and intrusions.
• Unified Threat Management (aka "UTM"): a multifunction device (MFD) composed of several security features in addition to a firewall. May include IDS, IPS, a TLS/SSL proxy, web filtering, QoS management, bandwidth throttling, NAT, VPN anchoring, and antivirus. More common in small and medium businesses (SMB).

Firewall and state
• Stateless: watches network traffic and restricts or blocks packets based on source and destination addresses or other static values. Not "aware" of traffic patterns or data flows. Typically faster and performs better under heavier traffic loads.
• Stateful: can watch traffic streams from end to end. Aware of communication paths and can implement various IP security functions such as tunnels and encryption. Better at identifying unauthorized and forged communications.

• Network Address Translation (NAT) Gateway: allows private subnets to communicate with other cloud services and the Internet but hides the internal network from Internet users. The NAT gateway has the Network Access Control List (NACL) for the private subnets.
• Content/URL filter: looks at the content on the requested web page and blocks the request depending on filters. Used to block inappropriate content in the context of the situation.

Open-source vs. proprietary firewalls
• Open-source: one in which the vendor makes the license freely available and allows access to the source code, though it might ask for an optional donation. There is no vendor support with open source, so you might pay a third party for support in a production environment. One of the more popular open-source firewalls is pfSense, the details for which can be found at https://www.pfsense.org/.
• Proprietary: more expensive but tends to provide more/better protection and more functionality and support (at a cost), but with "no source code access". Many vendors in this space, including Cisco, Check Point, Palo Alto, Barracuda.

Hardware vs. software
• Hardware: a piece of purpose-built network hardware. May offer more configurable support for LAN and WAN connections. Often has superior throughput versus software because it is hardware designed for the speeds and connections common to an enterprise network.
• Software: software-based firewalls that you might install on your own hardware.
Provide flexibility to place firewalls anywhere you'd like in your organization. On servers and workstations, you can run a host-based firewall. Host-based (software) firewalls are more vulnerable in some respects, as discussed earlier: they share the host they protect, so malware or an attacker with administrative rights on that host can disable them.

Application vs host-based vs virtual
Application firewall: typically catered specifically to application communications, often HTTP or web traffic. A next-generation firewall (NGFW) is an example of a firewall that inspects at the application layer.
Host-based firewall: an application installed on a host OS, such as Windows or Linux, on both client and server operating systems.
Virtual firewall: in the cloud, firewalls are implemented as virtual network appliances (VNA). Available from both the CSP directly and third-party partners (commercial firewall vendors).

Network device types
Firewall: a network device used to filter traffic. Firewalls are essential tools in managing and controlling network traffic. Varies by type, but may filter at layers 3 through 7.
Switch: repeats traffic only out of the port on which the destination is known to exist. Switches offer greater efficiency for traffic delivery, create separate collision domains, and improve the overall throughput of data. Usually layer 2, sometimes layer 3.
Router: used to control traffic flow on networks, and often used to connect similar networks and control traffic flow between the two. Can function using statically defined routing tables or employ a dynamic routing protocol. Layer 3.
Gateway: connects networks that use different network protocols. Also known as protocol translators; can be stand-alone hardware devices or a software service. Network (routing) gateways work at layer 3; application-layer gateways, such as an email or VoIP gateway, work at layer 7.

Route security
Routers are not designed to be security devices but include some built-in capabilities that do provide security functions. One of these is an access control list (ACL), which is used to allow or deny traffic.
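As an added example (not from the course slides), here is a small Python model of how a router ACL is evaluated: rules are checked top to bottom, the first match wins, and a packet that matches nothing hits the implicit deny at the end of the list. The interface, addresses (RFC 5737 documentation ranges) and rules are constructed for illustration. It also shows the classic ordering mistake: an anti-spoofing deny placed after a broad permit never fires.

```python
"""Ordered access-list evaluation with first-match semantics and implicit deny.

Added example; addresses are constructed from RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                      # source CIDR, "0.0.0.0/0" for any
    dst: str                      # destination CIDR
    dport: Optional[int] = None   # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every one of its criteria matches the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule).

    Rules are processed in order and the first match wins. If nothing
    matches, the router applies the implicit deny, reported with index None.
    """
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


ANY = "0.0.0.0/0"

# Ingress ACL on the Internet-facing interface (constructed). The anti-spoofing
# deny for RFC 1918 sources sits AFTER the permit for the web server, so a
# spoofed 10.x.x.x packet to port 443 is permitted by rule 0 and the deny
# never fires.
WAN_IN_FLAWED = [
    Rule("permit", "tcp", ANY, "203.0.113.10/32", 443),   # public web server
    Rule("deny", "ip", "10.0.0.0/8", ANY),                # anti-spoofing
    Rule("permit", "tcp", ANY, "203.0.113.20/32", 25),    # mail relay
]

# Same intent with the denies first: block what must never enter, then
# permit the specific services; everything else falls to the implicit deny.
WAN_IN = [
    Rule("deny", "ip", "10.0.0.0/8", ANY),
    Rule("deny", "ip", "172.16.0.0/12", ANY),
    Rule("deny", "ip", "192.168.0.0/16", ANY),
    Rule("permit", "tcp", ANY, "203.0.113.10/32", 443),
    Rule("permit", "tcp", ANY, "203.0.113.20/32", 25),
]


def demo() -> None:
    packets = [
        Packet("tcp", "198.51.100.7", "203.0.113.10", 443),  # legitimate HTTPS
        Packet("tcp", "198.51.100.7", "203.0.113.10", 22),   # SSH: no rule, implicit deny
        Packet("tcp", "10.1.1.1", "203.0.113.10", 443),      # spoofed private source
    ]
    for pkt in packets:
        print(pkt, "flawed:", evaluate(WAN_IN_FLAWED, pkt), "fixed:", evaluate(WAN_IN, pkt))


if __name__ == "__main__":
    demo()
```

Run it and compare the two ACLs on the spoofed packet: the flawed list returns ("permit", 0), the corrected list ("deny", 0). The SSH packet is denied by neither ACL explicitly; it is the implicit deny (index None) that drops it, which is why an ACL with only permit rules still blocks everything else.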
ACLs are evaluated top to bottom and the first matching rule is applied; if no rule matches, the implicit deny at the end of the list drops the traffic. Configure an access control list on the ingress (inbound traffic) or egress (outbound traffic) of an interface. ACLs evaluate traffic on multiple criteria (source/destination address, protocol, port), similar to a stateless firewall.

Quality of service (QoS)
Ensures that applications have the bandwidth they need to operate by prioritizing traffic based on importance and function. Traffic of real-time functions (like voice and video streaming) might be given greater priority. Priorities are human-configurable.

Implications of IPv6
Network security focus changes somewhat with IPv6.
• There are many more IPv6 addresses compared to IPv4 (a single /64 subnet has 2^64 addresses), so it is impractical to perform a complete port scan or interface scan of a subnet address by address; scanners rely on DNS, neighbor caches and predictable address patterns instead. Many security tools like port scanners and vulnerability scanners have already been updated to support IPv6.
• Because so many addresses are available, there is less need to perform port address translation (PAT) or outbound network address translation (NAT). This can simplify communication, but NAT is itself a (weak) security feature: it removes direct inbound access to the source (user) device in some use cases (like Internet browsing). Without NAT, a stateful firewall has to provide that protection explicitly.
• IPv6 removes the Address Resolution Protocol (ARP), so there can be no ARP spoofing. Its replacement, Neighbor Discovery Protocol (NDP), can be spoofed in the same way (forged neighbor advertisements, rogue router advertisements), and switch features such as RA Guard exist to mitigate that.
• This does not imply IPv6 is any more or less secure than IPv4, but it changes the attack vectors. For example, a neighbor cache exhaustion attack sends traffic to many unused addresses in a /64, so the router fills its neighbor cache with pending entries, interrupting network communication.

Port spanning/port mirroring
Port mirroring (also known as port spanning, after Cisco's SPAN feature) sends a copy of all data that arrives at one or more ports to another port, where a device or sensor can inspect it later or in near real time. On the switch, a reserved port will “mirror” all traffic that passes through the monitored ports to that reserved port.
Port mirroring can work across multiple switches (remote SPAN), whereas a physical device like a network (port) tap requires installation on every link or switch to be monitored. May be leveraged to inform the network intrusion detection system (NIDS) of changes in traffic patterns. Increases load on the switch, so it should be configured with knowledge of traffic type and volume: an oversubscribed mirror port silently drops packets, and the sensor sees an incomplete picture.

Monitoring services
To help provide additional security on the network, some organizations employ a monitoring service: a group that monitors network security and activity. Common with SIEM and SOAR functions (covered in 1.7). Often an outsourced security operations center (SOC) function that provides 24x7 monitoring and alerts on or remediates issues after business hours. May also be helpful in maintaining compliance (HIPAA, GDPR, PCI DSS).

File integrity monitoring (FIM)
Monitors and detects changes to files that should not be modified, automating notification (and potentially remediation). Commonly monitors files that would never change, like operating system files, where a change indicates some type of malicious activity. Can also be used to detect unwanted changes to baseline configurations.

3.0 Implementation
3.4 Given a scenario, install and configure wireless security settings
• Cryptographic protocols: Wi-Fi Protected Access 2 (WPA2), Wi-Fi Protected Access 3 (WPA3), Counter-mode/CBC-MAC Protocol (CCMP), Simultaneous Authentication of Equals (SAE)
• Authentication protocols: Extensible Authentication Protocol (EAP), Protected Extensible Authentication Protocol (PEAP), EAP-FAST, EAP-TLS, EAP-TTLS, IEEE 802.1X, Remote Authentication Dial-in User Service (RADIUS) Federation
• Methods: Pre-shared key (PSK) vs. Enterprise vs.
Open
• Wi-Fi Protected Setup (WPS)
• Captive portals
• Installation considerations: site surveys, heat maps, Wi-Fi analyzers, channel overlaps, wireless access point (WAP) placement, controller and access point security

Wireless technologies
Version    Speed       Frequency
802.11     2 Mbps      2.4 GHz
802.11a    54 Mbps     5 GHz
802.11b    11 Mbps     2.4 GHz
802.11g    54 Mbps     2.4 GHz
802.11n    200+ Mbps   2.4 GHz and 5 GHz
802.11ac   1 Gbps      5 GHz
The original 802.11 standard also defines WEP (Wired Equivalent Privacy), which is based on RC4 with a 24-bit IV and is broken; it should not be used.

TKIP (Temporal Key Integrity Protocol)
Designed as the replacement for WEP without the need to replace legacy hardware. Implemented in 802.11 wireless networking under the name WPA (Wi-Fi Protected Access). Still RC4-based, so it was only a stopgap.

CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
Created to replace WEP and TKIP/WPA. Uses AES (Advanced Encryption Standard) with a 128-bit key in CCM mode, which provides both confidentiality (counter mode) and integrity (CBC-MAC). Used with WPA2, which replaced WEP and WPA.

WPA2
The Wi-Fi Alliance certification that implements CCMP for encryption and integrity; CCMP is based on AES.

WPA3
Released in 2018 to address weaknesses in WPA2, notably the offline dictionary attack against WPA2-PSK handshakes. WPA3 also requires Protected Management Frames (PMF), which blocks deauthentication spoofing. WPA3-Personal still encrypts with AES-CCMP-128; the optional WPA3-Enterprise 192-bit mode uses the much stronger 256-bit Galois/Counter Mode Protocol (GCMP-256). There are two versions: WPA3-Personal for home users and WPA3-Enterprise for corporate users.

SAE (Simultaneous Authentication of Equals)
A relatively new 802.11 authentication method, used with WPA3-Personal, that replaces WPA2-PSK. Uses a password-authenticated Diffie-Hellman handshake called Dragonfly. The password is never transmitted or used directly as key material, and each guess requires a live exchange with the access point, so captured frames cannot be used for an offline brute-force or dictionary attack. The session key comes from ephemeral Diffie-Hellman values, giving perfect forward secrecy: a later password compromise does not decrypt previously captured sessions.

WPA3 Personal vs Enterprise
PERSONAL: uses SAE. SAE means users can use passwords that are easier to remember without exposing them to offline guessing. Uses perfect forward secrecy (PFS). Encryption is AES-CCMP-128, the same cipher suite WPA2 supports.
ENTERPRISE: 802.1X/EAP authentication. The optional 192-bit security mode uses 256-bit AES (GCMP-256), Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) for the initial handshake, and is aligned with the US government CNSA suite, which is where the “256-bit required” rule comes from.
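To make the difference between WPA2-PSK and SAE concrete, here is an added Python example (not from the course) of the offline dictionary attack that SAE was designed to defeat, the same attack the PSK/WPS section below warns about. It implements the IEEE 802.11i key derivation (PMK = PBKDF2-HMAC-SHA1 over the passphrase and SSID; PTK via PRF-512; for WPA2/CCMP the EAPOL MIC is HMAC-SHA1 under the KCK, truncated to 16 bytes) and recovers the passphrase from a four-way handshake. The “captured” handshake is constructed in the code (SSID, MAC addresses, nonces and a placeholder EAPOL message 2 body with the MIC field zeroed) rather than captured off the air, and the wordlist is constructed too.

```python
"""Offline dictionary attack against a WPA2-PSK four-way handshake.

Added example, not course material. The 'captured' handshake below is
constructed inline; only the key derivation steps follow IEEE 802.11i.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    # The SSID is the salt, so precomputed tables only work per SSID, but each
    # candidate still costs just 4096 HMACs and never touches the access point.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion",
    #               min(AA, SPA) || max(AA, SPA) || min(ANonce, SNonce) || max(ANonce, SNonce))
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    # WPA2/CCMP (key descriptor version 2): MIC = first 16 bytes of HMAC-SHA1
    # over the EAPOL-Key frame with its MIC field set to zero.
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def build_handshake(passphrase: str) -> Dict[str, bytes]:
    """Construct what an attacker captures: everything except the passphrase.

    MACs, nonces and the EAPOL message 2 body are constructed placeholders.
    """
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    eapol = (bytes.fromhex("0103007502010a00") + bytes(8)   # header, key info/length, replay counter
             + snonce + bytes(16) + bytes(8) + bytes(8)      # SNonce, key IV, RSC, ID
             + bytes(16) + bytes(2))                          # MIC field zeroed, key data length
    hs = {
        "ssid": b"CorpGuest",
        "ap_mac": bytes.fromhex("001122334455"),
        "sta_mac": bytes.fromhex("66778899aabb"),
        "anonce": anonce,
        "snonce": snonce,
        "eapol": eapol,
    }
    ptk = derive_ptk(pmk_from_passphrase(passphrase, hs["ssid"].decode()),
                     hs["ap_mac"], hs["sta_mac"], anonce, snonce)
    hs["mic"] = eapol_mic(ptk[:16], eapol)   # KCK = first 128 bits of the PTK
    return hs


def crack(hs: Dict[str, bytes], wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate offline; the captured MIC is the only oracle needed."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs["ssid"].decode())
        ptk = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], hs["eapol"]), hs["mic"]):
            return candidate
    return None


# Constructed wordlist; the real passphrase sits in the middle of it.
WORDLIST = ["password", "letmein", "CorpGuest2019", "sunshine2020", "admin123"]
HANDSHAKE = build_handshake("sunshine2020")


if __name__ == "__main__":
    print("recovered passphrase:", crack(HANDSHAKE, WORDLIST))
```

The PBKDF2 step can be checked against the published 802.11i test vector: passphrase "password" with SSID "IEEE" gives a PMK starting f42c6fc5. Nothing in this attack contacts the network after the capture, which is the whole problem with a pre-shared key. With SAE the Dragonfly exchange commits to the password through a derived curve point, every guess costs a live round trip with the access point (which can rate-limit), and the PMK depends on ephemeral Diffie-Hellman values, so a captured exchange gives no offline oracle and earlier sessions stay protected.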
Wireless authentication protocols
LEAP (Lightweight Extensible Authentication Protocol): a Cisco proprietary EAP method developed before the 802.11i/WPA2 system was ratified as a standard, to address deficiencies in WEP/TKIP-era authentication. It relies on MS-CHAP, which can be cracked offline, so it is insecure and was superseded by EAP-FAST.
PEAP (Protected Extensible Authentication Protocol): encapsulates EAP methods within a TLS tunnel that provides authentication and potentially encryption. Only the server needs a certificate; the client's credentials travel inside the tunnel.
EAP (Extensible Authentication Protocol): an authentication framework rather than a single method. Allows new authentication technologies to be compatible with existing wireless or point-to-point connection technologies.
EAP-FAST (Flexible Authentication via Secure Tunneling): developed by Cisco, used in wireless networks and point-to-point connections to perform session authentication. It replaced LEAP, which was insecure.
EAP-TLS: a secure version of wireless authentication that requires X.509 certificates on both the client and the server (mutual authentication). Involves three parties: the supplicant (user's device), the authenticator (switch or wireless controller) and the authentication server (RADIUS server).
EAP-TTLS (Tunneled TLS): uses two phases. The first sets up a secure session with the server by creating a TLS tunnel, using a server certificate that is seamless to the client. The second phase uses a protocol such as MS-CHAP inside the tunnel to complete authentication, which is why it is suited to connecting older legacy systems.
IEEE 802.1X: port-based network access control. Transparent to users when certificate authentication (EAP-TLS) is used. Used in conjunction with a RADIUS server for enterprise networks, and relies on EAP.
RADIUS Federation: enables members of one organization to authenticate to another with their normal credentials. Trust is established across multiple RADIUS servers across multiple organizations (eduroam is the well-known example). A federation service where network access is gained using wireless access points (WAPs): the WAP forwards the wireless device's credentials to the local RADIUS server, which proxies them to the user's home organization for authentication. Commonly uses 802.1X as the authentication method, which relies on EAP.

Wireless authentication methods
PSK (pre-shared key): introduced for the home user who does not have an enterprise setup.
The home user enters the password of the wireless router to gain access to the home network. PSK in WPA2 is replaced by SAE in WPA3. With WPA2-PSK the passphrase and SSID derive the pairwise master key, and a captured four-way handshake can be brute-forced offline.
WPS (Wi-Fi Protected Setup): home use scenario where the password is already stored and all you need to do is press a button (or enter the 8-digit PIN printed on the router) to get connected to the wireless network. The PIN is validated in two halves, so it can be brute-forced online in roughly 11,000 attempts; disable WPS where possible.
Enterprise: a corporate version of WPA2 or WPA3, used in a centralized domain environment. Often where a RADIUS server combines with 802.1X, using certificates for authentication.

Captive portals
Common in airports and public spaces: Wi-Fi redirects users to a web page when they connect to the SSID. The user provides additional validation of identity, normally through an email address or social identity. May include an acceptable use policy and a premium upgrade offer.

Site survey
The process of investigating the presence, strength and reach of wireless access points deployed in an environment. A site survey usually involves walking around with a portable wireless device, taking note of the wireless signal strength, and mapping this on a plot or schematic of the building (a heat map).

Controller and access point security
If you're installing a new access point, you want to make sure that you place it in the right location. You want minimal overlap with other access points and to maximize the coverage in your environment. This should minimize the number of physical access points, optimizing costs. Avoid placement near electronic devices that could create interference and areas where signals can be absorbed: metal objects and bodies (like elevators) and concrete walls absorb signal. Ensure the access point's placement doesn't send signal outside of your existing work areas, which would enable unwanted access attempts.
In addition to minimizing coverage overlap, choose different channels per device so there are no conflicts between access points (in the 2.4 GHz band, only channels 1, 6 and 11 do not overlap in North America). In a large office, you will deploy a large number of access points, which need to be managed.
And each one has a separate configuration. A wireless controller enables central management of configuration, as well as security patches and firmware updates of the access points. Use HTTPS to encrypt traffic to controller and WAP web interfaces, and change the default management credentials. On the access points themselves, use strong authentication methods.

3.0 Implementation
3.5 Given a scenario, implement secure mobile solutions
• Connection methods and receivers: cellular, Wi-Fi, Bluetooth, NFC, infrared, USB, point-to-point, point-to-multipoint, Global Positioning System (GPS), RFID
• Mobile device management (MDM): application management, content management, remote wipe, geofencing, geolocation, screen locks, push notifications, passwords and PINs
• Mobile devices: MicroSD hardware security module (HSM), MDM/Unified Endpoint Management (UEM), mobile application management (MAM), SEAndroid

Communication considerations: 5th generation cellular (5G)
• Faster speeds and lower latency.
• Unlike 4G, 5G does not send the subscriber's permanent identity from the SIM over the air in the clear: the identifier is transmitted in encrypted form, and identities can be assigned per device.
• Some air-interface threats, such as session hijacking, are dealt with in 5G.
• The standalone (SA) version of 5G will be more secure than the non-standalone (NSA) version; NSA anchors the control signaling of 5G networks to the 4G core.
• The Diameter protocol, which provides authentication, authorization and accounting (AAA) in the 4G core, will remain a target.
• Because 5G has to work alongside older tech (3G/4G), old vulnerabilities may be targeted.
• Because the scale of IoT endpoint counts on 5G is exponentially greater, DDoS is a concern.
• Some carriers originally launched an NSA version of 5G, which continues to rely on availability of the 4G core.

Subscriber Identity Module (SIM) cards
Small computer chips that contain the information about the mobile subscription. Allow the user to connect to a telecommunication provider to make calls, send text messages or use the Internet.
Used as a second factor in authentication (SMS one-time codes). One of the auth factors most prone to attack (SIM swapping at the carrier, SS7 interception), so SMS is a weak second factor.

Bluetooth (IEEE 802.15)
Bluetooth personal area networks (PANs) are another area of wireless security concern. Connects headsets for cell phones, mice, keyboards, GPS and other devices. Connections are set up using pairing, where the primary device scans the 2.4 GHz radio frequencies for available devices. Legacy pairing uses a 4-digit code (often 0000) to reduce accidental pairings, but is not actually secure; keep devices non-discoverable when not pairing.

Mobile connection methods & receivers
Radio frequency identification (RFID): uses a radio frequency electromagnetic field to read the identifier stored in a tag, in order to track assets. Commonly used in shops, where tags are attached to high-value assets to prevent theft. Common in access badge systems and retail anti-theft use cases.
Near field communication (NFC): built on RFID, often used with payment systems (the tap-to-pay terminal at the grocery store). Subject to many of the same vulnerabilities as RFID (eavesdropping, relay attacks), limited mainly by its very short range.
Global Positioning System (GPS): uses satellites in Earth orbit to measure distance and fix the receiver's position. Used in map and find-my-phone use cases.
Universal Serial Bus (USB): some mobile devices can be tethered to a USB dongle to gain access to the Internet. A USB flash device can be used to transfer data between devices, so it is a data exfiltration concern, often blocked through policy.
Infrared (IR): purely line-of-sight, with a maximum range of about 1 meter. Can be used to print from your laptop to an infrared printer. Not encrypted, but an attack requires close physical proximity.
Point-to-point: a one-to-one connection between two devices communicating on a network, typically wireless: a directional antenna connecting two wireless networks, or a wireless repeater connecting WAPs.
Point-to-multipoint: 802.11 networks more commonly communicate point-to-multipoint:
a WAP connecting to multiple wireless devices.

Mobile device management (MDM)
Common features in secure mobile device management:
Passwords and PINs: mobile devices such as smartphones are very easy to steal and conceal in a pocket. Strong passwords and PINs with six or more characters must be used. MDM also allows the device to be disabled (or wiped) after X failed attempts.
Geofencing: uses the Global Positioning System (GPS) or RFID to define geographical boundaries. Once the device is taken past the defined boundaries, the security team is alerted or a policy action (such as blocking corporate apps) is applied. For the exam: remember geofencing prevents mobile devices from being removed from the company's premises.
Application management: uses allow lists (whitelists) to control which applications are allowed to be installed on the mobile device.
Content management: stores business data in a secure, encrypted area (container) of the device to protect it against attacks. Prevents confidential or business data from being shared with external users.
Remote wipe: when a mobile device has been lost or stolen, it can be remotely wiped. A full wipe reverts the device to its factory settings and the data is no longer available; selective wipe options remove business data only (BYOD). A wipe command only takes effect once the device comes online, so it complements, rather than replaces, device encryption and a strong lock PIN.
Screen locks: activated once the mobile device has not been accessed for a period of time. After it is locked, the user gets a fixed number of attempts to correctly enter the PIN before the device is disabled.
Geolocation: uses GPS to give the actual location of a mobile device. Very useful if you lose or drop a device. For the exam: remember that geo-tracking will tell you the location of a stolen device.
Push notifications: messages that appear on your screen, even when your system is locked.
This information is usually pushed to your device without intervention from the end user and may include sensitive information. Some MDM platforms provide policy-based control over whether app notifications can appear on the lock screen.

Mobile devices
MicroSD HSM: a physical device that provides cryptographic features for your computer in a smaller, mobile form factor. Associates a small piece of hardware with the cryptographic functions for encryption, key generation, digital signatures or authentication, so that private keys never leave the card.
MDM/Unified endpoint management (UEM): provides management of hardware such as desktops, tablets, smartphones and IoT devices, ensuring that they are secure and compliant. Can manage the security and applications running on the devices, and can identify and block devices that have been jailbroken (iOS) or rooted (Android). Multi-platform support is a key characteristic. An example is Microsoft Intune, which manages Windows, iOS, Android and macOS.
Mobile application management (MAM): allows a security team to manage application and data security, even on unmanaged devices. Controls access to company applications and data and can restrict the exfiltration of data from the company applications. Useful in BYOD scenarios, enabling business data access on personal mobile devices without enrolling the whole device.
SEAndroid: includes SELinux functionality as part of the Android operating system. Adds mandatory access control (MAC) on top of Android's discretionary access controls (DAC), with security policies for configuring the security of these mobile devices. Confines apps and system processes so that a compromised app cannot gain direct access to the kernel or to other apps' data. Provides centralized management for policy configuration and device management.
3.0 Implementation
3.5 Given a scenario, implement secure mobile solutions (continued)
• Enforcement and monitoring of: third-party application stores, rooting/jailbreaking, sideloading, custom firmware, carrier unlocking, firmware over-the-air (OTA) updates, camera use, SMS/Multimedia Messaging Service (MMS)/Rich Communication Services (RCS), external media, USB On-The-Go (USB OTG), recording microphone, GPS tagging, Wi-Fi direct/ad hoc, tethering, hotspot, payment methods
• Deployment models: bring your own device (BYOD), corporate-owned personally enabled (COPE), choose your own device (CYOD), corporate-owned, virtual desktop infrastructure (VDI)

Enforcement and monitoring
Third-party application stores: there is a danger in downloading apps from third-party app stores, as there is no guarantee of the security of the app being installed. The vetting process for mobile apps in third-party stores may be less rigorous than in the official app stores.
Sideloading: installing an application package (.apk format on Android) directly on a mobile device, bypassing the app store. Useful for developers to trial apps, but also allows unauthorized software to be run on a mobile device.
Rooting/jailbreaking: custom firmware downloads are used to root an Android mobile device. Gives the user a higher level of permissions on that device and removes some elements of vendor security. Jailbreaking is the Apple iOS equivalent of rooting on Android: it allows you to run unauthorized software and remove device security restrictions. You can still access the Apple App Store even though jailbreaking has been carried out. For the exam: rooting and jailbreaking remove the vendor restrictions on a mobile device to allow unsupported software to be installed.
Custom firmware: downloaded so that you can root your mobile device. Gives the user a higher level of permissions on that device and removes some elements of vendor security, including the vendor's verified boot chain.
Carrier unlocking: when a mobile device is no longer tied to the original carrier. This allows you to use your device with any provider. Carrier unlocking is not the same as rooting or jailbreaking; it only removes the carrier lock.
Firmware OTA updates: firmware is software installed on a small, read-only memory chip on a hardware device and is used to control the hardware on the device. Firmware OTA updates are pushed out periodically by the vendor, ensuring that the mobile device stays patched. One example is when the mobile device vendor sends a notification that there is a software update.
SMS: text messaging has become a common method of communication. Messages can be sent between two people in a room without other people in the room knowing about their communication. Text messages can also be used to launch an attack (smishing, malicious links).
MMS: a way to send pictures as attachments, similar to sending SMS messages.
RCS: an enhancement to SMS, used by modern carrier messaging apps, that adds read receipts and lets you send pictures and videos. Image capability makes MMS and RCS paths for data theft.
External media: an SD card or other external storage media may enable unauthorized transfer of corporate data.
USB On-The-Go (USB OTG): allows smartphones and tablets to act as a host for other USB devices plugged into them. Attaching USB devices can pose security problems as it makes it easy to steal information. Apple does not allow USB OTG on iPhones.
Recording microphone: smartphones and tablets can record conversations with their built-in microphones. They could be used to take notes, but also to tape conversations or record the proceedings of a confidential meeting.
GPS tagging: when you take a photograph, GPS tagging adds the location where the photograph was taken to the image's EXIF metadata. Most modern smartphones do this by default, so a photo shared externally can leak the location of a site or a person.
Wi-Fi Direct: allows two Wi-Fi devices to connect to each other without requiring a WAP.
Wi-Fi Direct is a single-path (one-to-one) connection and therefore cannot be used for Internet sharing.
Ad hoc wireless network: two or more wireless devices connect without a WAP; it is multipath and can share an Internet connection with someone else.
Tethering: a cellular-enabled smartphone is attached to a laptop or other device to provide Internet access. If a user uses a laptop to connect to the company's network and then tethers to the Internet, it may result in split tunneling, which presents a security risk if the device is compromised, because that traffic bypasses corporate controls.
Hotspot: mobile devices can often function as a Wi-Fi hotspot, or share their connection over USB or Bluetooth.
Payment methods: smartphones allow credit card details to be stored locally so that the phone can be used to make contactless payments using near-field communication (NFC). For BYOD, this needs to be carefully monitored, as someone could leave the company with a company credit card stored on the device and continue to use it. MDM may prevent the payment function by disabling it in the mobile device management policies. MDM can also disable screen captures.
Camera use: smartphone cameras pose a security risk to companies, as trade secrets could be stolen very easily. Research and development departments ban the use of personal smartphones in the workplace to prevent theft of intellectual property. MDM policies can disable cameras on company-owned smartphones.

Deployment models
Bring your own device (BYOD): an employee is encouraged to bring in their own device so that they can use it for work. Cost effective for the company and more convenient for the user. Needs two policies to be effective: an acceptable use policy and on/offboarding policies.
• Acceptable Use Policy (AUP): outlines what the employee can do with the device during the working day.
• Onboarding policy: device configuration requirements to access corporate data (minimum OS version, not rooted/jailbroken, etc.).
• Offboarding policy: how corporate data will be wiped from the device (most MDM platforms support a selective wipe, removing only company data).
MDM solutions with MAM (mobile app management) functionality can manage corporate data on BYOD devices.
Corporate-owned: fully owned and managed by the company, enabling full IT control over MAM and MDM options. When employees leave the company and offboard, the devices are taken from them as they belong to the company.
Choose your own device (CYOD): a new employee chooses from a list of approved devices. Avoids problems of ownership because the company has a limited number of tablet, phone and laptop models, simplifying management compared to BYOD.
Corporate-owned personally enabled (COPE): the company purchases the device, such as a tablet, phone or laptop, and allows the employee to use it for personal use. Often a better solution for the company than BYOD from a management perspective, as IT can limit what applications run on the devices. Also frees the company to perform a full device wipe if the device is lost or stolen.
Virtual desktop infrastructure (VDI): hosted desktop environments on a central server or cloud environment. Provides a high degree of control and management automation. In the event of a security issue, the endpoint can easily be isolated for forensic investigation if desired. Provisioning a new desktop is also generally a push-button operation. VDI is a common deployment solution for contractors and offshore teams, since data stays in the data center rather than on the unmanaged endpoint.
3.0 Implementation
3.6 Given a scenario, apply cybersecurity solutions to the cloud
• Cloud security controls: high availability across zones, resource policies, secrets management, integration and auditing
• Storage: permissions, encryption, replication, high availability
• Network: virtual networks, public and private subnets, segmentation, API inspection and integration
• Compute: security groups, dynamic resource allocation, instance awareness, virtual private cloud (VPC) endpoint, container security
• Solutions: CASB, application security, next-generation secure web gateway (SWG)
• Firewall considerations in a cloud environment: cost, need for segmentation, Open Systems Interconnection (OSI) layers
• Cloud native controls vs. third-party solutions

High availability across zones
Geographies contain regions, and regions contain availability zones.
• Regions: a set of data centers in a geographic area. Region pairs (chosen by the CSP, typically 300+ miles apart) are used for geo-redundancy.
• Availability zones: unique physical locations within a region with independent power, network and cooling, each comprised of one or more data centers. Zone-redundant services are spread across two or more zones, making them tolerant to data center failures via redundancy and isolation.

Cloud security controls
Resource policies: policies that state what access level a user (or service identity) has to a particular resource. Ensuring the principle of least privilege is followed is crucial for resource security and audit compliance. The CSP will provide details on how its cloud platform can help organizations meet a variety of compliance standards.
Secrets management: CSPs offer a cloud service for centralized secure storage of and access to application secrets. A secret is anything you want to control access to, such as API keys, passwords, certificates, tokens or cryptographic keys. The service will typically offer programmatic access via API to support DevOps and continuous integration/continuous deployment (CI/CD), so secrets are fetched at run time instead of being hard-coded in source or configuration files. Access control applies at the vault instance level and to the individual secrets stored within, and every access should be logged.
Cloud security controls: integration and auditing
Integration is the process of how data is handled from input to output across the connected services. A cloud auditor is responsible for ensuring that the policies, processes and security controls defined have been implemented. The auditor will usually be a third party from outside the company. They test to verify that the process and security controls and the system integration are working as expected. Some of these controls may include:
- Encryption levels
- Access control lists
- Privileged account use
- Password policies
- Anti-phishing protection
- Data loss prevention controls
The process is repeated periodically (typically annually). Self-audits ahead of external audits are common.

Cloud security controls: storage
Permissions, encryption, replication and high availability for cloud storage.
Permissions: customers have a storage identity and are put into different storage groups (roles) that have appropriate rights to restrict access at a tenant/subscription level, down to the individual bucket or container. Anonymous/public access on a storage bucket is a common cloud storage misconfiguration and should be disabled unless the content is meant to be public.
Encryption: with cloud storage, encryption at rest at the service level is generally in place by default, with configurable options (such as customer-managed keys) within the storage service. For relational databases (SQL), Transparent Data Encryption (TDE) is common. Encryption for data in transit uses TLS/SSL.
Replication: data is copied from one location to another (synchronously or asynchronously) to ensure recovery in case of an outage. In the cloud, multiple copies of your data are always held for redundancy. There are locally redundant, zone-redundant and geo-redundant options.
High availability: ensures that copies of your data are held in different locations. Automatic failover between a region pair in the event of an outage is common.

Cloud security controls: network
Virtual networks, public and private subnets, segmentation, and API inspection and integration are important elements of cloud network security.
Virtual network / virtual private cloud (VPC): a virtual network consisting of cloud resources, where the VMs for one company are isolated from the resources of another company. Separate VPCs are isolated from each other by default. The environment needs to be segmented into public subnets that can reach the Internet directly (through a firewall) and protected private subnets. Virtual networks can be connected to other networks with a VPN gateway or network peering. For VDI/client scenarios, a NAT gateway for outbound Internet access makes sense.

Private subnets (not for public services like websites)
Our VPC contains private subnets. Each of these subnets has its own CIDR IP address range and cannot connect directly to the Internet. They can be configured to go through the NAT gateway if outbound Internet connectivity is desired. Client VMs and database servers will often be hosted in a private subnet. The private subnet will use one of the private ranges defined in RFC 1918:
• 10.0.0.0/8 (10.0.0.0 – 10.255.255.255)
• 172.16.0.0/12 (172.16.0.0 – 172.31.255.255)
• 192.168.0.0/16 (192.168.0.0 – 192.168.255.255)
Other IPv4 ranges are routable public addresses, except for special-purpose blocks such as APIPA/link-local 169.254.0.0/16, loopback 127.0.0.0/8 and multicast 224.0.0.0/4.

Public subnets
Resources in the public subnet can connect directly to the Internet, so public-facing web servers (or, better, the load balancer in front of them) are placed in this subnet. The public subnet will have an Internet gateway, and a NAT gateway or firewall for communicating with the private subnets. Public services, like websites, will be published through a firewall (typically a WAF).
To create a secure connection to your VPC, you can connect a VPN (IPsec site-to-site, or L2TP/IPsec for client access) using a VPN gateway; in AWS a transit gateway can also terminate VPNs as a hub for many VPCs. Network peering is another method for connecting virtual networks in the cloud.
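An added Python example (not from the course) that applies the RFC 1918 list above: it classifies addresses as private, special-purpose or public, and checks a constructed VPC subnet plan for the mistakes that matter here: a subnet that falls outside the VPC CIDR, overlapping subnets, and which subnets are public (default route to an Internet gateway) versus private (NAT gateway or no Internet path). The VPC layout, subnet names and the "igw"/"nat"/None route model are constructed for illustration and are not any CSP's API.

```python
"""RFC 1918 classification and a VPC subnet-plan check.

Added example; the VPC layout below is constructed, not taken from any CSP.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Not RFC 1918, but not routable public space either.
SPECIAL_PURPOSE = {
    "loopback": ip_network("127.0.0.0/8"),
    "link-local (APIPA)": ip_network("169.254.0.0/16"),
    "shared address space (CGNAT, RFC 6598)": ip_network("100.64.0.0/10"),
    "multicast": ip_network("224.0.0.0/4"),
}


def classify(address: str) -> str:
    """Return 'private (RFC 1918)', a special-purpose label, or 'public'."""
    addr = ip_address(address)
    if any(addr in net for net in RFC1918):
        return "private (RFC 1918)"
    for label, net in SPECIAL_PURPOSE.items():
        if addr in net:
            return label
    return "public"


def check_vpc_plan(vpc_cidr: str,
                   subnets: Dict[str, Tuple[str, Optional[str]]]) -> Dict[str, Tuple[str, List[str]]]:
    """Classify each subnet as public/private and list planning problems.

    subnets maps name -> (cidr, default_route), where default_route is
    "igw" (Internet gateway: public subnet), "nat" (NAT gateway: private,
    outbound only) or None (private, no Internet path). Constructed model.
    """
    vpc = ip_network(vpc_cidr)
    vpc_problems = [] if any(vpc.subnet_of(p) for p in RFC1918) else ["VPC CIDR is not RFC 1918 space"]
    nets = {name: ip_network(cidr) for name, (cidr, _) in subnets.items()}
    report: Dict[str, Tuple[str, List[str]]] = {}
    for name, net in nets.items():
        problems = list(vpc_problems)
        if not net.subnet_of(vpc):
            problems.append("outside VPC CIDR")
        for other, onet in nets.items():
            if other != name and net.overlaps(onet):
                problems.append(f"overlaps {other}")
        route = subnets[name][1]
        if route == "igw":
            tier = "public"
        elif route == "nat":
            tier = "private (outbound via NAT gateway)"
        else:
            tier = "private (no Internet path)"
        report[name] = (tier, problems)
    return report


# Constructed example plan: a /16 VPC with one misplanned subnet.
VPC = "10.20.0.0/16"
SUBNETS = {
    "web-public": ("10.20.1.0/24", "igw"),
    "app-private": ("10.20.10.0/24", "nat"),
    "db-private": ("10.20.20.0/24", None),
    "legacy": ("10.21.0.0/24", None),   # outside the VPC CIDR: a planning error
}

if __name__ == "__main__":
    for ip in ("10.20.1.5", "172.32.0.1", "169.254.10.5", "203.0.113.9"):
        print(ip, "->", classify(ip))
    for name, (tier, problems) in check_vpc_plan(VPC, SUBNETS).items():
        print(name, tier, problems or "ok")
```

Two things worth noticing when you run it: 172.32.0.1 is public, because the 172 private block stops at 172.31.255.255 (a /12, not a /16), and the "legacy" subnet is flagged even though it is RFC 1918 space, because it is not inside the VPC's CIDR and so cannot be routed within it. Whether a subnet is "public" is decided by its route table, not by its address range.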
Peering is the more common option between cloud networks; a site-to-site VPN is common for on-premises to cloud connectivity.

Cloud security controls: segmentation and APIs
Security of services that are permitted to access, or be accessible from, other zones involves a strict set of rules controlling this traffic. Rules are enforced against the IP address ranges of each subnet (network ACLs) and per instance (security groups). Within a private subnet, further segmentation can be used to achieve departmental isolation.
API inspection and integration: Representational State Transfer (REST) is the modern approach to writing web service APIs. Enables multi-language support, can handle multiple types of calls and can return different data formats. APIs published by an organization should include encryption (TLS), authentication, rate limiting, throttling and quotas. Covered in Domain 2.

Cloud security controls: compute
Security controls and concerns for compute in the public cloud platforms.
Security groups: the cloud provider has to secure multiple customers. They do use firewalls but cannot grant individual customers direct firewall access. Instead, customers use security groups to define permissible network traffic, consisting of rules similar to a firewall ruleset. In AWS, security groups are stateful and contain allow rules only: anything not explicitly allowed is denied, and return traffic for an allowed connection is permitted automatically.
Dynamic resource allocation: varies by service and configuration. Uses virtualization technology to scale the cloud resources up and down as demand grows or falls.
Instance awareness: VM instances need to be monitored to prevent VM sprawl and unmanaged VMs, which have security consequences and also add costs in the cloud. Tools like NIDS/NIPS can help to detect new instances, and process controls like privileged identity management, change and configuration management help. CSPs offer policy tooling to help tenants enforce governance policies.
Virtual private cloud (VPC) endpoint: allows you to create a private connection between your VPC and another cloud service (for example object storage) without crossing the Internet, so the traffic never leaves the provider's network and the subnet needs no Internet gateway or NAT to reach the service. CSPs offer site-to-site connectivity options for hybrid cloud.
Most will offer a premium option to connect on-premises data centers to the cloud without the need to traverse the Internet. Most enterprise (large) organizations today have implemented a hybrid cloud model.
Container security
Containers offer a more granular option for application and process isolation. Containers run in a VM.
• Containers enable more efficient utilization of hardware resources
• Containers offer a more granular level of isolation for resources (CPU, memory), process isolation, and restricted system access
Managed Kubernetes: Most CSPs offer a hosted Kubernetes service that handles critical tasks like health monitoring and maintenance for you. Delivered as Platform-as-a-Service: you pay only for the agent nodes within your clusters, not for the management cluster. Kubernetes has become the de facto standard.

Cloud Security Controls - solutions
Enforces the company's policies between on-premises and the cloud. Can detect (and optionally prevent) data access with unauthorized apps and data storage in unauthorized locations. Helps stop "Shadow IT".
Application security uses solutions such as Web Application Firewalls (WAF), Next Gen Firewalls (NGFW), and IDS/IPS. Firewalls function at the packet level, using rules to allow or deny each packet inbound or outbound. Secure web gateways work at the application level (layer 7), looking at the actual traffic over the protocol to detect malicious intent. Functions include web proxy, policy enforcement, malware detection, traffic inspection, data loss protection, and URL filtering.

Cloud Security Controls - solutions
One reason that we need a good firewall is to filter incoming traffic to protect our cloud-hosted infrastructure and applications from hackers or malware. For example, the most common cloud firewall is the Web Application Firewall (WAF).
Cost: Cost is one of the reasons for WAF popularity. It meets a common need, is easy to configure, and is less expensive than more function-rich NGFW and SWG options.
Need for Segmentation: Network segmentation should be supported with appropriate traffic filtering/restriction, using the firewall type that is most appropriate for the use case. The firewall can filter traffic between virtual networks and the Internet.
Open Systems Interconnection (OSI) Layers: A network firewall works at Layer 3, with stateful packet inspection at layers 3/4. Many cloud firewalls, like Web Application Firewalls, work at Layer 7 of the OSI model.

THE OSI MODEL: where protocols live in the model
7 Application: SSH, HTTP, FTP, LPD, SMTP, Telnet, TFTP, EDI, POP3, IMAP, SNMP, NNTP, S-RPC, and SET
6 Presentation: Encryption protocols and format types, such as ASCII, EBCDIC, TIFF, JPEG, MPEG, MIDI
5 Session: SMB, RPC, NFS, and SQL
4 Transport: SPX, SSL, TLS, TCP, and UDP
3 Network: ICMP, RIP, OSPF, BGP, IGMP, IP, IPSec, IPX, NAT, and SKIP
2 Data Link: ARP, SLIP, PPP, L2F, L2TP, PPTP, FDDI, ISDN
1 Physical: EIA/TIA-232, EIA/TIA-449, X.21, HSSI, SONET, V.24, V.35, Bluetooth, 802.11 (Wi-Fi), and Ethernet

THE OSI MODEL: quick functionality overview
7 Application: interfacing user applications, network services, or the operating system with the protocol stack.
6 Presentation: transforming data received from the Application layer into a format that any system following the model can understand.
5 Session: establishing, maintaining, and terminating communication sessions between two computers.
4 Transport: managing the integrity of a connection and controlling the session. [segment or datagram]
3 Network: adding routing and addressing information (source and destination) to the data. [packet]
2 Data Link: formatting the packet from the Network layer into the proper format for transmission. [frame]
1 Physical: contains the device drivers that tell the protocol how to use the hardware for the transmission and reception of bits.
Cloud native vs third-party solutions
Platforms like Microsoft Azure and Amazon Web Services (AWS) have their own tools, such as Azure Resource Manager (ARM) and AWS CloudFormation. These tools make managing Microsoft and AWS cloud resources easier, supporting Infrastructure-as-Code. Separate tools for separate platforms means separate skillsets. Third-party tools add more flexibility, functionality, and multi-platform support. Organizations will typically move to third-party solutions when the native cloud solutions do not meet their functionality needs. For example, some organizations move to Terraform for Infrastructure-as-Code because it supports the major CSPs using a single language. CSPs offer a marketplace where third parties can publish offers.

3.0 Implementation
3.7 Given a scenario, implement identity and account management controls
• Identity: Identity provider (IdP), Attributes, Certificates, Tokens, SSH keys, Smart cards
• Account types: User account, Shared and generic accounts/credentials, Guest accounts, Service accounts
• Account policies: Password complexity, Password history, Password reuse, Network location, Geofencing, Geotagging, Geolocation, Time-based logins, Access policies, Account permissions, Account audits, Impossible travel time/risky login, Lockout, Disablement

Identity providers
An identity provider creates, maintains, and manages identity information while providing authentication services to applications. For example, Azure Active Directory is the identity provider for Office 365. Other examples include Active Directory, Okta, and Duo.
Identity
• Attribute: a unique property in a user's account details, such as employee ID.
• Smart Card: a credit card-like physical token with a certificate embedded on a chip; it is used in conjunction with a PIN.
• Certificates: a digital certificate where two keys are generated, a public key and a private key. The private key is used for identity.
• Token: a digital token, such as a SAML token used for federation services, or a token used by Open Authentication (OAuth2).
• SSH Keys: typically used by an administrator for secure authentication to a remote Linux server, instead of using a username and password. The public key is stored on the server, with the private key remaining on the administrator's desktop.

Account types (types of accounts you may be tested on in Security+)
User account: a standard user account with limited privileges; it cannot install software and has limited access to the computer systems. There are two types of user accounts: those that are local to the machine, and those that access a domain.
Guest account: a legacy account that was designed to give limited access to a single computer without the need to create a user account. Normally disabled, as it is no longer used and some administrators see it as a security risk.

Account types
Privileged account: privileged accounts have greater access to the system and tend to be used by members of the IT team. Administrators are an example of privileged accounts. They can install software and manage the configuration of a server or client computer, and also have privileges to create, delete, and manage user accounts. Administrators have been told they should have two accounts: one for routine tasks, and another for administrative duties. Some cloud providers now eliminate this need, and instead enable an admin to activate privilege just-in-time for a single account.
Account types
Service account (aka "Service Principal"): when software is installed on a computer or server, it may require privileged access to run. This calls for a lower-level administrative account, and the service account fits the bill. A service account is a type of administrator account used to run an application. Example: an account to run an anti-virus application.
Shared and generic accounts: when a group of people performs the same duties, such as members of customer services, they can use a shared account. When user-level monitoring, auditing, or non-repudiation are required, you must eliminate the use of shared accounts. Most cloud IdPs have options to eliminate the need for shared accounts.

Account types
Default accounts: default administrative accounts created by manufacturers of a wide range of smart and Internet-connected devices. Most have a default username and password. Default passwords should always be changed, and identifying the presence of these accounts should be part of the onboarding process. Address through configuration management. This is a common attack vector (covered in Domain 1).

Account policies
Password complexity: Complex passwords (sometimes known as strong passwords) are formatted by choosing at least three of the following four groups: lowercase (a, b, and c), uppercase (A, B, and C), numbers (1, 2, and 3), special characters ($, @).
Password history: prevents someone from reusing the same password. For example, if the number remembered is 12 passwords, only on the 13th change could it be reused.
Password reuse: a term used in the exam that means the same as password history. Both prevent someone from reusing the same password. For the Security+ exam, password reuse and history are the same thing.

Account policies
Account audits: an auditor will review accounts periodically to ensure that old accounts are not being used after an employee changes departments or leaves the company. The auditor will also ensure that all employees have only the necessary permissions and privileges to carry out their jobs (principle of least privilege).
Network location: can be added as an additional factor in authentication.
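The complexity rule (three of four character groups) and the history rule (12 remembered, reusable on the 13th change) described above, as an added example that is not from the deck: the per-account salt, the PBKDF2 iteration count and the sample passwords are constructed for illustration. History is kept as salted hashes rather than plaintext, and a bounded deque drops the oldest entry automatically so the 13th change lets the first password through again.

```python
import hashlib
import string
from collections import deque

HISTORY_DEPTH = 12   # passwords remembered, the figure used on the slide


def meets_complexity(pw: str, min_groups: int = 3) -> bool:
    """At least min_groups of: lowercase, uppercase, digits, special characters."""
    groups = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return sum(groups) >= min_groups


class PasswordHistory:
    """Keeps salted hashes of the last HISTORY_DEPTH passwords for one account.
    A per-account salt (constructed here) lets a candidate password be compared
    against the stored hashes without keeping any old password in plaintext."""

    def __init__(self, salt: bytes, depth: int = HISTORY_DEPTH):
        self._salt = salt
        self._hashes = deque(maxlen=depth)   # the oldest entry falls off automatically

    def _digest(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self._salt, 50_000)

    def is_reused(self, pw: str) -> bool:
        return self._digest(pw) in self._hashes

    def change(self, new_pw: str) -> str:
        """Apply complexity first, then history; returns the policy decision."""
        if not meets_complexity(new_pw):
            return "rejected: complexity"
        if self.is_reused(new_pw):
            return "rejected: reuse"
        self._hashes.append(self._digest(new_pw))
        return "accepted"


if __name__ == "__main__":
    history = PasswordHistory(salt=b"constructed-per-account-salt")
    print(history.change("Spring24!"))          # accepted
    print(history.change("Spring24!"))          # rejected: reuse
    for i in range(HISTORY_DEPTH):              # twelve more changes push it out of history
        history.change(f"Rotate{i}!x")
    print(history.change("Spring24!"))          # accepted again on the 13th change
```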
Account policies
• Geofencing: can be used to establish a region and pinpoint whether you are in that region. If you are not, you will not be able to log in.
• Context-aware location: can be used to block any attempt to log in outside of the locations that have been determined as allowed regions.
• Geolocation: can track your location by your IP address and the ISP.
• Smart phone location services: can be used to identify where your phone is located by using the Global Positioning System (GPS).
Many identity providers enable admins to pre-define "trusted locations".

Account policies
Impossible travel time: a security feature used by cloud providers such as Microsoft with their Office 365 package to prevent fraud. If a person is in Houston and then 15 minutes later is determined to be in New York, their attempt to log in will be blocked.
Risky login: a security feature used by cloud providers, leveraging a record of the devices used by each user. The response will vary by provider but may include a confirmation email to validate identity, or responding to a prompt in an authenticator app. How user and sign-in risk are used varies by provider.
Account management (the identity lifecycle) ranges from account creation at onboarding to its disablement when a user leaves the company.

Account policies
Time-based logins: may be established for users based on role, as a company may have many different shift patterns. Employers may not wish their employees to access the network outside of their working hours. For example, employees may be restricted to accessing the network between 7 am and 6 pm. This prevents data theft by stopping users from coming in at 3 a.m., when nobody is watching, and stealing corporate data. Can be effective in preventing individual fraud, as well as collusion, by enforcing restrictions of schedule rotations.
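The impossible travel and time-based login checks above, as an added example that is not from the deck or any provider's product: the 900 km/h plausibility ceiling, the coordinates for Houston, New York and Dallas, and the sample sign-in records are constructed assumptions. The distance comes from the haversine formula; the Houston-to-New York pair at 15 minutes apart works out to a speed no traveller can reach, while a Houston-to-Dallas pair three hours apart passes.

```python
from dataclasses import dataclass
from datetime import datetime, time
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_SPEED_KMH = 900.0                 # assumption: about airliner cruising speed
WORK_START, WORK_END = time(7, 0), time(18, 0)  # the 7 am to 6 pm window from the slide


@dataclass
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def is_impossible_travel(prev: SignIn, cur: SignIn) -> bool:
    """True when the implied speed between two sign-ins exceeds the plausibility ceiling."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.when - prev.when).total_seconds() / 3600
    if hours <= 0:                  # same instant (or out of order): any distance is suspect
        return dist > 0
    return dist / hours > MAX_PLAUSIBLE_SPEED_KMH


def within_login_window(when: datetime, start=WORK_START, end=WORK_END) -> bool:
    return start <= when.time() < end


def evaluate_signin(prev, cur: SignIn) -> list:
    """Return the policy reasons to block this sign-in (empty list means allow)."""
    reasons = []
    if prev is not None and is_impossible_travel(prev, cur):
        reasons.append("impossible travel")
    if not within_login_window(cur.when):
        reasons.append("outside login window")
    return reasons


# Constructed sample sign-ins (approximate city-centre coordinates).
HOUSTON = SignIn("pat", datetime(2024, 5, 6, 9, 0), 29.76, -95.37)
NEW_YORK = SignIn("pat", datetime(2024, 5, 6, 9, 15), 40.71, -74.01)
DALLAS = SignIn("pat", datetime(2024, 5, 6, 12, 0), 32.78, -96.80)
NIGHT = SignIn("pat", datetime(2024, 5, 7, 3, 0), 29.76, -95.37)

if __name__ == "__main__":
    print(evaluate_signin(HOUSTON, NEW_YORK))   # ['impossible travel']
    print(evaluate_signin(HOUSTON, DALLAS))     # []
    print(evaluate_signin(None, NIGHT))         # ['outside login window']
```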
Time-based login restrictions are common in some industries, such as financial services.

3.0 Implementation
3.8 Given a scenario, implement authentication and authorization solutions
• Authentication management: Password keys, Password vaults, TPM, HSM, Knowledge-based authentication
• Authentication/authorization: EAP, Challenge-Handshake Authentication Protocol (CHAP), Password Authentication Protocol (PAP), 802.1X, RADIUS, Single sign-on (SSO), Security Assertion Markup Language (SAML), Terminal Access Controller Access Control System Plus (TACACS+), OAuth, OpenID, Kerberos
• Access control schemes: Attribute-based access control (ABAC), Role-based access control, Rule-based access control, MAC, Discretionary access control (DAC), Conditional access, Privileged access management, File system permissions

Authentication management
Password keys: look like a USB device and work in conjunction with your password to provide multi-factor authentication. One example is YubiKey, which has FIPS 140-2 validation and provides code storage within a tamper-proof container.
Password vaults: stored locally on the device and store passwords so the user does not need to remember them. Use strong encryption (e.g. AES-256) for secure storage. Only as secure as the owner password that is used to protect the vault itself; typically uses multi-factor authentication. A type of password vault exists in the cloud for DevOps scenarios, which will be discussed later in this module.
TPM: Trusted Platform Modules are normally built into the motherboard of a computer, and they are used when you are using Full Disk Encryption (FDE).
HSM: used to store encryption keys; a key escrow that holds the private keys for third parties.
Knowledge-based authentication (KBA): normally used by banks, financial institutions, or email providers to identify someone when they want a password reset.
There are two different types of KBA, dynamic and static, and they have their strengths and weaknesses:
• Static KBA: questions that are common to the user. For example, "What is the name of your first school?"
• Dynamic KBA: deemed more secure because they do not consist of questions provided beforehand. For example, to confirm identity, a bank may ask the customer to name three direct debit mandates, the date, and the amount paid.

AUTHENTICATION PROTOCOLS
Password Authentication Protocol (PAP): a password-based authentication protocol used by Point-to-Point Protocol to validate users. Supported by almost all network OS remote access servers but considered weak.
Challenge-Handshake Authentication Protocol (CHAP): authenticates a user or network host to an authenticating entity. That entity may be, for example, an Internet service provider. Requires that both the client and server know the plaintext of the secret, although it is never sent over the network.
Extensible Authentication Protocol (EAP): an authentication framework. Allows new authentication technologies to be compatible with existing wireless or point-to-point connection technologies.

Authentication/Authorization
802.1X: an authentication mechanism for devices wishing to attach to a LAN or WLAN. Defines the encapsulation of the EAP protocol over IEEE 802.11, which is also known as "EAP over LAN". Involves three parties: a supplicant (the client), an authenticator, and an authentication server.

AAA protocols
Several protocols provide centralized authentication, authorization, and accounting services. A Network Access Server is a client to a RADIUS server, and the RADIUS server provides AAA services.
• RADIUS (remote access) uses UDP and encrypts the password only.
• TACACS+ (admin access to network devices) uses TCP and encrypts the entire session.
• Diameter (4G) is based on RADIUS and improves many of the weaknesses of RADIUS, but Diameter is not compatible with RADIUS.
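The CHAP property stated above (both sides hold the secret, yet only identifier, challenge and response cross the wire) is shown below as an added example, not code from the deck: the Authenticator and Peer classes and the secret values are constructed for illustration. The response digest follows RFC 1994, MD5 over identifier, secret and challenge (MD5 is what CHAP specifies, not a recommendation for new designs), and the authenticator consumes each challenge once, which is what defeats a replayed response.

```python
import hashlib
import hmac
import secrets


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response: MD5 over identifier || shared secret || challenge.
    The digest proves knowledge of the secret; the secret itself never leaves either side."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Authenticator:
    """Server side (e.g. an ISP access server): holds its copy of the secret,
    issues random single-use challenges and checks the responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._ident = 0
        self._outstanding = {}        # identifier -> challenge awaiting a response

    def challenge(self):
        self._ident = (self._ident + 1) % 256
        chal = secrets.token_bytes(16)
        self._outstanding[self._ident] = chal
        return self._ident, chal      # wire: Challenge packet (identifier, challenge)

    def verify(self, ident: int, response: bytes) -> bool:
        chal = self._outstanding.pop(ident, None)   # each challenge is consumed once
        if chal is None:
            return False
        expected = chap_response(ident, self._secret, chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: holds its copy of the secret and answers challenges."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, ident: int, challenge: bytes) -> bytes:
        return chap_response(ident, self._secret, challenge)   # wire: Response packet


def run_exchange(server_secret: bytes, client_secret: bytes) -> bool:
    """Full exchange; succeeds only if both sides hold the same secret."""
    auth, peer = Authenticator(server_secret), Peer(client_secret)
    ident, chal = auth.challenge()
    return auth.verify(ident, peer.respond(ident, chal))


def replay_is_rejected() -> bool:
    """A captured response presented a second time fails: the challenge it answered
    has been consumed, and any new challenge requires a different digest."""
    auth, peer = Authenticator(b"shared-secret"), Peer(b"shared-secret")
    ident, chal = auth.challenge()
    response = peer.respond(ident, chal)
    first = auth.verify(ident, response)
    second = auth.verify(ident, response)
    return first and not second


if __name__ == "__main__":
    print(run_exchange(b"shared-secret", b"shared-secret"))   # True
    print(run_exchange(b"shared-secret", b"wrong"))           # False
    print(replay_is_rejected())                                # True
```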
Network access (or remote access) systems use AAA protocols.

Authentication/Authorization
Single sign-on (SSO)
Single sign-on means a user doesn't have to sign into every application they use. The user logs in once and that credential is used for multiple apps. Single sign-on based authentication systems are often called "modern authentication".
SSO is a mechanism that allows subjects to authenticate once and access multiple objects without authenticating again. Common SSO methods/standards include:
• SAML
• SESAME
• KryptoKnight
• OAuth
• OpenID
Know enough to differentiate these three on the exam: the three to know are SAML, OAuth 2.0, and OpenID.

Authentication/Authorization
• Security Assertion Markup Language (SAML): an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. Common in on-prem federation scenarios.
• OAuth 2.0: an open standard for authorization, commonly used as a way for Internet users to log into third-party websites using their Microsoft, Google, Facebook, Twitter, One Network, etc. accounts without exposing their password. Azure AD (the identity provider for Office 365) is an example.
• OpenID: an open standard that provides decentralized authentication, allowing users to log into multiple unrelated websites with one set of credentials maintained by a third-party service referred to as an OpenID provider. Example: logging into Spotify with your FB account.

Authentication/Authorization
Kerberos: the authentication/authorization protocol in Microsoft's Active Directory (and is preferred to NTLM).
Kerberos offers stronger encryption, interoperability, and mutual authentication (both client and server are verified). Runs as a third-party trusted server known as the Key Distribution Center (KDC), which includes an authentication server, a ticket granting service, and a database of secret keys for users and services. Helps prevent replay attacks through timestamps.

ACCESS CONTROL SCHEMES (object = resource, subject = user)
• Non-discretionary access control: enables the enforcement of system-wide restrictions that override object-specific access control. RBAC is considered non-discretionary.
• Discretionary Access Control (DAC): user-based, user-centric. A key characteristic of the DAC model is that every object has an owner, and the owner can grant or deny access to any other subject. Example: New Technology File System (NTFS).
• Role Based Access Control (RBAC): a key characteristic is the use of roles or groups. Instead of assigning permissions directly to users, user accounts are placed in roles and administrators assign privileges to the roles. Typically mapped to job roles.
• Rule-based access control: a key characteristic is that it applies global rules that apply to all subjects. Rules within this model are sometimes referred to as restrictions or filters. Example: a firewall uses rules that allow or block traffic to all users equally.
• Mandatory Access Control (MAC): a key point about the MAC model is that every object and every subject has one or more labels. These labels are predefined, and the system determines access based on assigned labels.
• Attribute-based access control (ABAC): access is restricted based on an attribute on the account, such as department, location, or functional designation. For example, an admin may require user accounts to have the 'Legal' department attribute to view contracts.

PRIVILEGED ACCESS MANAGEMENT
A solution that helps protect the privileged accounts within a domain, preventing attacks such as pass the hash and privilege escalation.
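The five access control schemes listed above, each reduced to its decision rule, as an added example that is not from the deck: the subjects, the "contracts.docx" object, the role table, the label ordering and the firewall ruleset are all constructed. Each function answers the same question ("may this subject do this?") but draws the answer from a different place: the owner's ACL (DAC), the role table (RBAC), a global ruleset applied to everyone (rule-based), predefined labels (MAC), or account attributes (ABAC).

```python
import ipaddress
from dataclasses import dataclass, field

# Subject = user, Object = resource (as on the slide). All data below is constructed.
LEVELS = {"Public": 0, "Internal": 1, "Confidential": 2, "Secret": 3}   # MAC labels, system-defined
ROLE_PERMS = {"finance": {"read", "write"}, "auditor": {"read"}}        # RBAC: privileges sit on roles


@dataclass
class Subject:
    name: str
    roles: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)
    clearance: str = "Public"


@dataclass
class Obj:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)            # DAC: subject name -> permissions the owner granted
    label: str = "Public"                               # MAC: the object's label
    required_attrs: dict = field(default_factory=dict)  # ABAC: attributes a subject must carry


def dac_allows(subject: Subject, obj: Obj, perm: str) -> bool:
    """DAC: the owner decides; anyone else needs an ACL entry granted by the owner."""
    return subject.name == obj.owner or perm in obj.acl.get(subject.name, set())


def rbac_allows(subject: Subject, perm: str) -> bool:
    """RBAC: permissions come only through roles, never directly from the user."""
    return any(perm in ROLE_PERMS.get(role, set()) for role in subject.roles)


def rule_allows(rules, src_ip: str, dst_port: int) -> bool:
    """Rule-based: a firewall-style first-match ruleset applied to all subjects equally.
    Each rule is (action, source CIDR, destination port or None for any)."""
    src = ipaddress.ip_address(src_ip)
    for action, cidr, port in rules:
        if src in ipaddress.ip_network(cidr) and port in (None, dst_port):
            return action == "allow"
    return False                                        # implicit deny


def mac_allows(subject: Subject, obj: Obj) -> bool:
    """MAC: labels are predefined by the system; reading requires clearance at or above the label."""
    return LEVELS[subject.clearance] >= LEVELS[obj.label]


def abac_allows(subject: Subject, obj: Obj) -> bool:
    """ABAC: every required attribute must match, e.g. department == 'Legal' to view contracts."""
    return all(subject.attributes.get(k) == v for k, v in obj.required_attrs.items())


# Constructed sample data.
ALICE = Subject("alice", roles={"finance"}, clearance="Secret")
BOB = Subject("bob", roles={"auditor"}, attributes={"department": "Legal"}, clearance="Internal")
CONTRACTS = Obj("contracts.docx", owner="alice", acl={"bob": {"read"}},
                label="Confidential", required_attrs={"department": "Legal"})
RULES = [("allow", "10.0.0.0/8", 443), ("deny", "0.0.0.0/0", None)]

if __name__ == "__main__":
    print("DAC  bob write:", dac_allows(BOB, CONTRACTS, "write"))     # False: owner granted read only
    print("RBAC bob read: ", rbac_allows(BOB, "read"))                 # True: via auditor role
    print("Rule 10.1.2.3:443", rule_allows(RULES, "10.1.2.3", 443))   # True
    print("MAC  bob read: ", mac_allows(BOB, CONTRACTS))               # False: Internal < Confidential
    print("ABAC bob:      ", abac_allows(BOB, CONTRACTS))              # True: department is Legal
```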
PRIVILEGED ACCESS MANAGEMENT
Also provides visibility into who is using privileged accounts and what tasks they are being used for. Native to some cloud identity providers today, and may include a just-in-time elevation feature.

FILE SYSTEM PERMISSIONS
NTFS (Windows): permissions are applied to every file and folder stored on a volume with the NTFS file system.
SUID and SGID (Linux): the Linux permissions model has two special access modes called suid (set user id) and sgid (set group id). Linux recognizes three types of permissions at three levels: read (r), write (w), and execute (x).
• Read = 4, Write = 2, Execute = 1
• 7 = read, write, and execute
• 6 = read and write
• 5 = read and execute

3.0 Implementation
3.9 Given a scenario, implement public key infrastructure
• Public key infrastructure (PKI): Key management, Certificate authority (CA), Intermediate CA, Registration authority (RA), Certificate revocation list (CRL), Certificate attributes, Online Certificate Status Protocol (OCSP), Certificate signing request (CSR), CN, Subject alternative name, Expiration, certificate services
• Types of certificates: Wildcard, Subject alternative name, Code signing, Self-signed, Machine/computer, Email, User, Root, Domain validation, Extended validation
• Certificate formats: Distinguished encoding rules (DER), Privacy enhanced mail (PEM), Personal information exchange (PFX), .cer, P12, P7B
• Concepts: Online vs. offline CA, Stapling, Pinning, Trust model, Key escrow, Certificate chaining

PUBLIC KEY INFRASTRUCTURE (PKI) CONCEPTS
Key management: the management of cryptographic keys in a cryptosystem. Operational considerations include dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys.
Design considerations include cryptographic protocol design, key servers, user procedures, and other relevant protocols.
Certificate authority (CA): Certification Authorities create digital certificates and own the policies. A PKI hierarchy can include a single CA that serves as both root and issuing CA, but this is not recommended.

PKI CONCEPTS
Subordinate CA (aka "Intermediate CA" or "Policy CA"; also known as a Registration Authority (RA)): sits below root CAs in the CA hierarchy. Regularly issues certificates, making it difficult for it to stay offline as often as root CAs. Does have the ability to revoke certificates, making it easier to recover from any security breach that does happen.
Certificate revocation list (CRL): contains information about any certificates that have been revoked by a subordinate CA due to compromises to the certificate or PKI hierarchy. CAs are required to publish CRLs, but it's up to certificate consumers whether they check these lists and how they respond if a certificate has been revoked.

PKI CONCEPTS
Online Certificate Status Protocol (OCSP): offers a faster way to check a certificate's status compared to downloading a CRL. With OCSP, the consumer of a certificate can submit a request to the issuing CA to obtain the status of a specific certificate.
Certificate signing request (CSR): records identifying information for a person or device that owns a private key, as well as information on the corresponding public key. It is the message that's sent to the CA in order to get a digital certificate created.
CN (common name): the Fully Qualified Domain Name (FQDN) of the entity (e.g. web server).

PKI CONCEPTS
Subject alternative name (SAN): an extension to the X.509 specification that allows users to specify additional host names for a single SSL certificate. Is standard practice for SSL certificates, and it's on its way to replacing the use of the common name.
Enables support for FQDNs from multiple domains in a single certificate.
Expiration: certificates are valid for a limited period from the date of issuance, as specified on the certificate. Current industry guidance on maximum certificate lifetime from widely trusted issuing authorities (like DigiCert) is currently 1 year (398 days).

TYPES OF CERTIFICATES
Wildcard (supports multiple FQDNs in the same domain): can be used for a domain and a subdomain. For example: in the contoso.com domain, there are two servers called web and mail. The wildcard certificate is *.contoso.com and, when installed, it would work for the Fully Qualified Domain Names (FQDNs) of both of these. A wildcard can be used for multiple servers in the same domain, saving costs.
Subject alternative name (SAN) (multiple domains in a single cert): can be used on multiple domain names, such as abc.com or xyz.com. You can also insert other information into a SAN certificate, such as an IP address.
Code signing (provides proof of content integrity): when code is distributed over the Internet, it is essential that users can trust that it was actually produced by the claimed sender. An attacker would like to produce a fake device driver or web component (actually malware) that purports to be from a software vendor. Using a code signing certificate to digitally sign the code mitigates this danger.

TYPES OF CERTIFICATES
Self-signed: issued by the same entity that is using it. However, it does not have a CRL and cannot be validated or trusted. It is the cheapest form of internal certificate and can be placed on multiple servers.
Machine/computer: a computer or machine certificate is used to identify a computer within a domain.
Email: allows users to digitally sign their emails to verify their identity through the attestation of a trusted third party known as a certificate authority (CA). Also allows users to encrypt the entire contents (messages, attachments, etc.).
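How a client decides whether a wildcard or SAN certificate covers the host it connected to, and whether the certificate is inside its validity period and the 398-day ceiling, as an added example that is not from the deck: the three sample certificates are constructed dictionaries holding only the fields used here, not real X.509 data. The wildcard logic implements the one-label rule clients apply (*.contoso.com covers web.contoso.com and mail.contoso.com, but not a.b.contoso.com), and the SAN list takes precedence over the CN when present.

```python
from datetime import date

MAX_LIFETIME_DAYS = 398   # the one-year ceiling cited on the slide


def _name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a host name. A wildcard stands for exactly
    one DNS label: *.contoso.com covers web.contoso.com but not a.b.contoso.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host            # exact match, also used for IP address entries
    suffix = pattern[1:]                   # ".contoso.com"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]
    return bool(prefix) and "." not in prefix


def cert_matches_host(cert: dict, host: str) -> bool:
    """Clients check the SAN list when present and fall back to the CN only if it is absent."""
    names = cert.get("san") or [cert["cn"]]
    return any(_name_matches(n, host) for n in names)


def lifetime_ok(cert: dict, today: date) -> bool:
    """Valid on the given date and issued for no longer than MAX_LIFETIME_DAYS."""
    span = (cert["not_after"] - cert["not_before"]).days
    return cert["not_before"] <= today <= cert["not_after"] and span <= MAX_LIFETIME_DAYS


def check_certificate(cert: dict, host: str, today: date) -> list:
    """Return the problems found (an empty list means the certificate is acceptable for host)."""
    problems = []
    if not cert_matches_host(cert, host):
        problems.append(f"name mismatch: {host} not covered by {cert.get('san') or [cert['cn']]}")
    if not lifetime_ok(cert, today):
        problems.append("expired, not yet valid, or lifetime exceeds 398 days")
    return problems


# Constructed sample certificates (only the fields used here; not real certificates).
WILDCARD = {"cn": "*.contoso.com", "san": ["*.contoso.com", "contoso.com"],
            "not_before": date(2024, 1, 1), "not_after": date(2024, 12, 31)}
MULTI_DOMAIN = {"cn": "abc.com", "san": ["abc.com", "xyz.com", "192.0.2.10"],
                "not_before": date(2024, 1, 1), "not_after": date(2024, 12, 31)}
TOO_LONG = {"cn": "old.example", "san": [],
            "not_before": date(2023, 1, 1), "not_after": date(2024, 12, 31)}

if __name__ == "__main__":
    today = date(2024, 6, 1)
    for cert, host in ((WILDCARD, "web.contoso.com"), (WILDCARD, "a.b.contoso.com"),
                       (MULTI_DOMAIN, "xyz.com"), (TOO_LONG, "old.example")):
        print(host, check_certificate(cert, host, today) or "ok")
```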
TYPES OF CERTIFICATES
User: used to represent a user's digital identity. In most cases, a user certificate is mapped back to a user account.
Root: a trust anchor in a PKI environment is the root certificate from which the whole chain of trust is derived; this is the root CA.
Domain validation: a Domain-Validated (DV) certificate is an X.509 certificate that proves the ownership of a domain name.
Extended validation: Extended Validation (EV) certificates provide a higher level of trust in identifying the entity that is using the certificate. Commonly used in the financial services sector.
CA hierarchy (diagram): Root CA, Subordinate CA, Issuing CA.

CERTIFICATE FORMATS
X.509 certificate formats and descriptions (EXT = file extension; PRI KEY = file includes private key?)
• Distinguished encoding rules | EXT: DER | PRI KEY: NO | Binary encoding of a single certificate
• Privacy enhanced mail | EXT: PEM | PRI KEY: YES | Base64 text encoding; may also carry the private key
• Personal information exchange | EXT: PFX | PRI KEY: YES | Supports storage of all certificates in path
• Base64-encoded | EXT: CER | PRI KEY: NO | Storage of a single certificate
• PKCS#12 standard | EXT: P12 | PRI KEY: YES | Supports storage of all certificates in path
• Cryptographic Message Syntax Standard | EXT: P7B | PRI KEY: NO | Supports storage of all certificates in path
PKCS #12 is the successor to Microsoft's "PFX". Certificates are not whole without the private key!

Example: asymmetric cryptography
• Franco sends a message to Maria, requesting her public key
• Maria sends her public key to Franco
• Franco uses Maria's public key to encrypt the message and sends it to her
• Maria uses her private key to decrypt the message

CONCEPTS
Online vs. offline CA: an online CA is always running; an offline CA is kept offline except for specific issuance and renewal operations. Offline is best practice for your root CA.
Stapling: a method used with OCSP which allows a web server to provide information on the validity of its own certificate. Done by the web server essentially downloading the OCSP response from the certificate vendor in advance and providing it to browsers.
Pinning: a method designed to mitigate the use of fraudulent certificates. Once a public key or certificate has been seen for a specific host, that key or certificate is pinned to the host. Should a different key or certificate be seen for that host, that might indicate an issue with a fraudulent certificate.

CONCEPTS
Trust model: a model of how different certificate authorities trust each other and how their clients will trust certificates from other certification authorities. The four main types of trust models used with PKI are bridge, hierarchical, hybrid, and mesh.
Key escrow: addresses the possibility that a cryptographic key may be lost. The concern is usually with symmetric keys or with the private key in asymmetric cryptography. If that occurs, then there is no way to get the key back, and the user cannot decrypt messages. Organizations establish key escrows to enable recovery of lost keys.

CONCEPTS
Certificate chaining: refers to the fact that certificates are handled by a chain of trust. You purchase a digital certificate from a certificate authority (CA), so you trust that CA's certificate. In turn, that CA trusts a root certificate.

Inside Cloud: Thanks for watching!
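Certificate chaining, CRL-style revocation and pinning, as they fit together in a relying party, shown as an added example that is not from the deck: the "Contoso" root, issuing CA and leaf certificates, their serial numbers and the byte strings standing in for public keys are all constructed. The chain walk follows issuer names from the leaf up to a trust anchor, checking validity dates and a revoked set of (issuer, serial) pairs at every link; a self-signed certificate never reaches an anchor, which is the slide's point that it cannot be validated. Name linking stands in for the signature checks a real validator performs at each step. The pin store records the SHA-256 of the first public key seen for a host and flags any later key that differs.

```python
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    public_key: bytes      # constructed bytes standing in for the real SubjectPublicKeyInfo
    serial: int
    not_before: date
    not_after: date
    is_ca: bool = False


def spki_pin(cert: Cert) -> str:
    """Pin value: SHA-256 over the public key, the form used for public key pinning."""
    return hashlib.sha256(cert.public_key).hexdigest()


def build_chain(leaf: Cert, intermediates, trust_anchors, today: date, revoked: set):
    """Walk issuer links from the leaf to a trust anchor, checking validity dates and a
    CRL-style revoked set of (issuer, serial). Returns (ok, reason, chain). Issuer-name
    linking stands in here for the signature verification a real validator does per link."""
    by_subject = {c.subject: c for c in intermediates}
    anchors = {c.subject: c for c in trust_anchors}
    chain, cur, seen = [leaf], leaf, set()
    while True:
        if not (cur.not_before <= today <= cur.not_after):
            return False, f"{cur.subject}: expired or not yet valid", chain
        if (cur.issuer, cur.serial) in revoked:
            return False, f"{cur.subject}: revoked", chain
        if cur is not leaf and not cur.is_ca:
            return False, f"{cur.subject}: not a CA certificate", chain
        if cur in trust_anchors:                      # reached the root: trust is anchored
            return True, f"anchored at {cur.subject}", chain
        if cur.subject in seen:
            return False, "loop in chain", chain
        seen.add(cur.subject)
        nxt = anchors.get(cur.issuer) or by_subject.get(cur.issuer)
        if nxt is None:                               # self-signed or unknown issuer ends here
            return False, f"{cur.subject}: issuer '{cur.issuer}' not trusted", chain
        chain.append(nxt)
        cur = nxt


class PinStore:
    """The first key seen for a host is pinned; a different key seen later is flagged."""

    def __init__(self):
        self._pins = {}

    def check(self, host: str, cert: Cert) -> bool:
        pin = spki_pin(cert)
        stored = self._pins.setdefault(host, pin)     # records the pin on first sight
        return stored == pin


# Constructed sample hierarchy: root -> issuing CA -> leaves.
TODAY = date(2024, 6, 1)
ROOT = Cert("Contoso Root CA", "Contoso Root CA", b"root-key", 1, date(2020, 1, 1), date(2040, 1, 1), True)
ISSUING = Cert("Contoso Issuing CA", "Contoso Root CA", b"issuing-key", 2, date(2022, 1, 1), date(2030, 1, 1), True)
LEAF = Cert("web.contoso.com", "Contoso Issuing CA", b"web-key", 1001, date(2024, 1, 1), date(2024, 12, 31))
REVOKED_LEAF = Cert("mail.contoso.com", "Contoso Issuing CA", b"mail-key", 1002, date(2024, 1, 1), date(2024, 12, 31))
SELF_SIGNED = Cert("lab.local", "lab.local", b"lab-key", 1, date(2024, 1, 1), date(2024, 12, 31))
CRL = {("Contoso Issuing CA", 1002)}                  # the issuing CA has revoked serial 1002

if __name__ == "__main__":
    for cert in (LEAF, REVOKED_LEAF, SELF_SIGNED):
        ok, reason, chain = build_chain(cert, [ISSUING], [ROOT], TODAY, CRL)
        print(cert.subject, ok, reason, [c.subject for c in chain])
```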