James "Professor" Messer
Professor Messer's
SY0-601 CompTIA
Security+ Course Notes
11
11
James Professor Messer
http://www. ProfessorMesser.com
Professor Messer's SY0-601 CompTIA Security+ Course Notes
W ritten by James "Professor" Messer
Copyright© 2020 by M esser Studios, LLC
http://www.ProfessorMesser.com
All rights reserved. No part of this book may be reproduced or t ransmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage and retrieval
system, without written perm ission from the publisher.
First Edition: November 2020
This is version 1.05
Trademark Acknowledgments
All product names and trademarks are the property of their respective ow ners,
and are in no w ay associated or affiliated with Messer Studios, LLC.
"Professor Messer" is a registered trademark of Messer Studios LLC.
"Com p TIA" and " Securit y+" are registered trademarks of Comp TIA, Inc.
Warning and Disclaimer
This book is designed to provide information about the Comp TIA SY0-601 Security+ certification exam.
However, there may be typographical and/or content errors. Therefore, this book should serve only as a
general guide and not as the ultimate source of subject information. The author shall have no liability or
responsibility to any person or entity rega rding any loss or damage incurred, or alleged to have incurred,
directly or indirectly, by the information contained in this book.
Contents
1.0 - Attacks, Threats, and Vulnerabilities ...................................................................................
.
1
1.1 - Phishing·············· ................................................................................................................................................................................................................................1
1.1 - Impersonation
............................................................................................................................1
1.1 - Dumpster Diving .................................................................................................................................................................................................................2
1.1- Shoulder Surfing.................................................................................................................................................................................................................2
1.1 - Hoaxes. ................. .................
3
1.1 - Watering Hole Attacks ...............................................................................................................................................................................................3
1.1 - Spam
3
1.1 - Influence Campaigns............................................................................ ..... .. ...................................................................................
...4
1.1 - Other Social Engineering Attacks................................................................................................................................................................--4
1.1- Principles of Social Engineering.
............
5
1.2 -An Overview of Malware ........................................................................................................................................................................................5
1.2 - Viruses and Worms
1.2 - Ransomware and Crypto-malware. ...................................................... ...... . ............................................................................7
1.2 - Trojans and RATs...................................................................................................................................................................................................................7
1.2 - Rootkits. ..............................................................................................................................................................................................................................................8
1.2 - Spyware. ......
1.2 - Bots and Botnets
..................................................................................................................8
1.2 - Logic Bombs.............................................................................................................................................................................................. .....
...........9
1.2 - Password Attacks. ···························································----····················································································································9
1.2 - Physical Attacks..................................................................................................................................................................................................................10
1.2 - Adversarial Artificial Intelligence
........................................................................................................................................11
1.2 - Supply Chain Attacks..................................................................................................................................................................................................11
1.2 - Cloud-based vs. On-Premises Attacks..............................................................................................................................................12
1.2 - Cryptographic Attacks..............................................................................................................................................................................................12
1.3 - Privilege escalation .......................................................................................................................................................................................................12
1.3 - Cross-site Scripting .....................................................................................................................................................................................................13
1.3 - Injection Attacks.
..................................................................................................................13
1.3 - Buffer Overflows.............................................................................................................................................................................................................14
1.3 - Replay Attacks....................................................................................................................................................................................................................14
1.3 - Request Forgeries...........................................................................................................................................................................................................15
1.3 - Driver Manipulation ....................................................................................................................................................................................................16
1.3 - SSL Stripping
........................17
1.3 - Race Conditions.................................................................................................................................................................................................................17
1.3 - Other Application Attacks................................................................................................................................................................................18
1.4 - Rogue Access Points and Evil Twins....................................................................................................................................................19
1.4 - Bluejacking and Bluesnarfing ············ ...........................................................................................................................................................19
1.4 - Wireless Disassociation Attacks.
......19
1.4 - Wireless Jamming.........................................................................................................................................................................................................20
1.4 - RFID and NFC Attacks................................................................................................................................................................................................20
1.4 - Randomizing Cryptography ............................................................................................................................................................................20
1.4 - On-Path Attacks ................................................................................................................................................................................................................21
1.4 - MAC Flooding and Cloning_
21
1.4 - DNS Attacks
........ .21
1.4 - Denial of Service...............................................................................................................................................................................................................22
1.4 - Malicious Scripts
..........23
......................23
1.5 - Attack Vect ors.......................................................................................................................................................................................................................24
1.5 - Threat Intelligence .........................................................................................................................................................................................................25
1.5 - Threat Research...............................................
26
1.6 - Vulnerability Types........................................................................................................................................................................................................27
1.6 - Third- party Risks...............................................................................................................................................................................................................28
1.6 - Vulnerability Impacts...............................................................................................................................................................................................29
1.7 - Threat Hunting ..................................................................................................................................................................................................................30
1.7 - Vulnerability Scans
.30
1.5 - Threat Actors............................
1.7 1.8 1.8 1.8 -
Securit y Information and Event Management ..................................................................................................................31
Penetration Testing.....................................................................................................................................................................................................32
Reconnaissance...............................................................................................................................................................................................................32
Securit y Teams ....................................................................................................................................................................................................................33
2.0 - Architecture and Design.............................................................................................................................................................................33
2.1
2.1
2.1
2.1
-
Configuration Management........................................................................................................................................................... .. .33
Protecting Dat a...................................................................................................................................................................................................................34
Data Loss Prevention .................................................................................................................................................................................................35
Managing Security
..
.35
2.1
2.1
2.2
2.2
-
Site Resiliency
..........................................................................................................36
Honeypots and Deception................................................................................................................................................................................37
Cloud Models.......................................................................................................................................................................................................................37
Edge and Fog Computing
....................................38
2.2
2.2
2.2
2.3
2.3
2.3
2.3
- Designing the Cloud ................................................................................................................................................................................................... 39
- Infrastructure as Code.......................................................................................................................................................................................... 40
- Virtualization Securit y ............................................................................................................................................................................................41
- Secure Deployments................................................................................................................................................................................................. 41
- Provisioning and Deprovisioning ........................................................................................................................................................... 42
- Secure Coding Techniques
............................................................................................................................................................ 42
- Software Diversity
.............. ...............
43
2.3 - Automation and Scripting.................................................................................................................................................. ........ ... ...44
2.4 - Authentication Methods..................................................................................................................................................................................... 44
2.4 - Biometrics .................................................................................................................................................................................................................................. 45
2.4 - Multi-fact or Authentication ..........................................................................................................................................................................46
2.5 - Disk Redundancy ............................................................................................................................................................................................................ 47
2.5 - Network Redundancy ........................................................................................................................................................................................... 47
2.5 - Power Redundancy.................................................................................................................................................................................................... 47
2.5 - Replication.
48
2.5 - Backup Types ..................................................................................................................................................................................................................... 48
2.5 - Resiliency
49
2.6 - Embedded Systems............................................................................................................................ ......
...... ........ ... ............50
2.6 - Embedded Systems Communication...............................................................................................................................................51
2.6 - Embedded Systems Constraints
..........
............ .52
2.7 - Physical Security Controls
................................................................................................................................................................52
2. 7 - Secure Areas...........................................................................................................................................................................................................................54
2. 7 - Secure Data Destruction.
... ...
55
2.8 - Cryptography Concepts..................................................................................................................... ..... . ........................................................55
2.8 - Symmetric and Asymmetric Cryptography_ .................................................................................................................................56
2.8 - Hashing and Digital Signatures.
57
2.8 - Cryptographic Keys
2.8 - Steganography_
58
................ ...............
59
2.8 - Quantum Computing................................................................................................................................................................ ... ....................59
2.8 - Stream and Block Ciphers......................................................................................................................................................................................60
2.8 - Blockchain Technology_ .................................................................................................................................................................................................61
2.8 - Cryptography Use Cases ............................................................................................................................................................................................62
2.8 - Cryptography Limitations .........................................................................................................................................................................................63
3.0 - Implementation
3.1 - Secure Protocols ....................................................................................................................................................................................................................63
3.2 - Endpoint Protection ..........................................................................................................................................................................................................65
3.2 - Boot Integrit y_ .............................................................................................................................................................................................................................65
3.2 - Database Security .............................................................................................................................................................................................................66
3.2 - Application Security........................................................................................................................................................................................................67
3.2 - Application Hardening ..................................................................................................................................................................................................68
3.3 - Load Balancing .......................................................................................................................................................................................................................69
3.3 - Network Segmentation ................................................................................................................................................................................................69
3.3 - Virtual Private Networks............................................................................................................................................................................................70
3.3 - Port Security...............................................................................................................................................................................................................................73
3.3 - Secure Networking .........................................................................................................................................................................................................74
3.3 - Firewalls ...........................................................................................................................................................................................................................................75
3.3 - Network Access Control ..............................................................................................................................................................................................76
3.3 - Proxies.
...........................................76
3.3 - Intrusion Prevention.......................................................................................................................................................................................................77
3.3 - Other Network Appliances..................................................................................................................................................................................78
3.4 - Wireless Cryptography ...............................................................................................................................................................................................79
3.4 - Wireless Authentication Methods
...............................................................................................................79
3.4 - Wireless Authentication Protocols.............................................................................................................................................................80
3.4 - Installing Wireless Networks.............................................................................................................................................................................81
3.5 - Mobile Networks...................................................................................................................................................................................................................82
3.5 - Mobile Device Management. ............................................................................................................................................................................83
3.5 - Mobile Device Security_ ................................................................................................................................................................................................84
3.5 - Mobile Device Enforcement.................................................................................................................................................................................85
3.5 - Mobile Deployment Models..............................................................................................................................................................................86
3.6 - Cloud Security Controls ..............................................................................................................................................................................................86
3.6 - Securing Cloud Storage ..............................................................................................................................................................................................87
3.6 - Securing Cloud Networks..........................................................................................................................................................................................87
3.6 - Securing Compute Clouds.................................................
.................................................................................................................................88
3.6 - Cloud Security Solutions...........................................................................................................................................................................................88
3. 7 - Identit y Controls ....................................................................................................................................................................................................................89
3.7 - Account Types............................................................................................................................................................................................................................89
3.7 - Account Policies
3.8
3.8
3.8
3.8
- Authentication Management.............................................................................................................................................................................91
- PAP and CHAP ..............................................................................................................................................................................................................................91
- Identity and Access Services .................................................................................................................................................................................92
- Federated Identities
.........93
3.8
3.9
3.9
3.9
3.9
- Access Control..........................................................................................................................................................................................................................93
- Public Key Infrastructure.........................................................................................................................................................................................94
- Certificates .......................................................................................................................................................................................................................................95
- Certificate Formats..............................................................................................................................................................................................................96
- Certificate Concepts ..........................................................................................................................................................................................................97
4.0 - Operations and Incident Response
4.1 - Reconnaissance Tools
.98
4.1 - File Manipulation Tools.
.............................................................................................................................................................................99
4.1 - Shell and Script Environments.
100
4.1
4.1
4.2
4.2
4.2
- Packet Tools................................................................................................................................................................................................................................100
- Forensic Tools..........................................................................................................................................................................................................................101
- Incident Response Process ..................................................................................................................................................................................101
- Incident Response Planning....
.....103
- Attack Frameworks
104
4.3
4.3
4.3
4.3
4.4
- Vulnerabilit y Scan Output.....................................................................................................................................................................................104
- SIEM Dashboards .................................................................................................................................................................................- -..........105
- Log files ............................................................................................................................................................................................................................................105
- Log Management ...............................................................................................................................................................................................................106
- Endpoint Security Configuration
107
4.4
4.5
4.5
4.5
4.5
- Security Configurations...........................................................................................................................................................................................107
- Digital Forensics...................................................................................................................................................................................................................108
- Forensics Data Acquisition ...................................................................................................................................................................................109
- On-Premises vs. Cloud Forensics
...................................................................................................................110
- Managing Evidence.
111
5.0 - Governance, Risk, and Compliance ...............................................................................................
..111
5.1 - Security Controls .................................................................................................................................................................................................................111
5.2 - Security Regulations and Standards....................................................................................................................................................112
5.2 - Security Frameworks.
112
5.2 - Secure Configurations.................................................................................................................................................................................................113
5.3 - Personnel Security .........................................................................................................................................................................................................114
5.3 - Third-party Risk Management
.115
5.3 - Managing Data ...................................................................................................................................................................................................................116
5.3 - Credential Policies
116
5.3
5.4
5.4
5.4
5.5
5.5
- Organizational Policies.................................................................................................................................................................................................117
- Risk Management Types...........................................................................................................................................................................................117
- Risk Analysis ..............................................................................................................................................................................................................................118
- Business Impact Analysis
.119
- Privacy and Data Breaches
119
- Data Classifications
..... ................................................................................................120
5.5 - Enhancing privacy.............................................................................................................................................................................................................120
5.5 - Data Roles and Res ponsibilities...................................................................................................................................................................121
Introduction
Information technology security is a significant concern for every IT specialist. Our systems are under
const ant attack, and the next generation of security professionals will be at t he forefront of keeping our
critical information safe.
CompTIA's Security+ exam tests you on t he specifics of net work security, vulnerabilities and threats,
cryptography, and much more. I've created these Course Notes t o help you through the det ails t hat you need
to know for the exam. Best of luck with your studies!
- Professor Messer
The Comp TIA Security+ certification
To earn the Security+ certification, you must pass a single SY0-601 certification exam. The exam is 90 minut es
in duration and includes both multiple choice questions and performance-based questions. Performancebased questions can include fill-in-the-blank, mat ching, sorting, and simulated operational environment s.
You will need to be very familiar wit h t he exam topics to have the best possible exam result s.
Here's the breakdown of each technology section and the percentage of each topic on the SY0-601 exam:
Section
Section
Section
Section
Section
1.0 - Attacks, Threats, and Vulnerabilities - 24%
2.0 - Architecture and Design - 21%
3.0 - Implement ation - 25%
4.0 - Operations and Incident Response - 16%
5.0 - Governance, Risk, and Compliance - 14%
CompTIA provides a det ailed set of exam objectives that provide a list of everything you need to know before
you take your exam. You can find a link to t he exam objectives here:
https://professormesser.com/objectives/
How to use this book
Once you're comfortable with all of the sections in the official CompTIA SY0-601 exam objectives, you can
use t hese notes as a consolidated summary of the most import ant t opics. These Course Notes follow the
same format and numbering scheme as t he exam objectives, so it should be easy to cross reference these
notes wit h t he Professor Messer video series and all of your other study materials. The CompTIA Security+
video training series can be found on the Professor Messer websit e at https://ProfessorMesser.com.
Professor Messer's
CompTIA Security+
SY0-601 Course Notes
pJ Professor
http://www.ProfessorMesser.com
1.1 - Phishing
Phishing
• Social engineering with a touch of spoofing
- Oft en del ivered by email, text, etc.
- Very remarkable wh en w ell done
• Smishing (SMS phishing) is done by text message
- Spoofing is a problem here as w ell
- Forward s li nks or asks for personal information
• Usually t here's someth ing not quite right
- Spelling, fon ts, graphics
• Variations on a t heme
- The fake check scam, phone verification code scam,
- Boss/ CEO scam, advance-fee scam
- Some great summaries on
https://reddit.com / r/ Scams
Tricks and misdirection
• How are they so successful?
- Digital slight of hand - it fools the best of us
Finding the best spot to phish
• Reconnaissance
- Gat her information on the victim
• Typosquatting
- A type of URL hijacking - https://professormessor.com
- Prepending: https://pprofe ssormesser.com
• Background information
- Lead generation sites
- Linked In, Tw itter, Facebook, lnstagram
- Corporate w eb sit e
• Don't be fooled
- Check t he URL
• Pret exting
- Lying to get information
- Attacker is a character in a situation they create
- Hi, w e' re calling from Visa regarding an automated
payment to your uti lity service ...
Pharming
• Redirect a legit w ebsite to a bogus site
- Poisoned DNS server or cli ent vulnerabilities
• Combine pharming with phishing
- Pharming - Harvest large groups of people
- Ph ish ing - Coll ect access credentials
• Diffi cu lt for anti-malw are softw are to stop
- Everything ap pears legitimate to the user
Phishing with different bait
• Vishing (Voice phish ing) is done
over the phone or voice mai l
- Caller ID spoofi ng is common
- Fake securit y checks or bank updates
• Attacker builds a bel ievable pret ext
- Where you w ork
- Where you bank
- Recent financial transactions
- Family and frien ds
Spear phishing
• Targeted phish ing w ith inside information
- Makes the attack more beli evab le
• Spear phish ing the CEO is "whaling"
- Targeted phish ing w ith t he possibilit y of a large catch
- The CFO (Chief Financial Offi cer) is commonly speared
• These executives have direct access to
the corporate ba nk account
- The attackers w ou ld love to have those credentials
1.1- Impersonation
The pretext
• Before the attack, the trap is set
- There's an actor and a story
Impersonation
• Attackers pretend to be someone they aren't
- Halloween for t he fraudsters
• "Hello si r, my name is Wendy and I'm from M icroso ft
Windows. Th is is an urgent check up call for your
com puter as w e have found several problems w ith it."
• Use some of t hose details from reconnaissance
- You can trust me, I'm w ith your help desk
• Attack the victim as someone higher in rank
- Office of the Vice President for Scamming
• Voice mail : " This is an enforcement action executed by
the US Treasury intending your serious attention."
• "Congratulations on you r excellent payment history! You
now qualify for 0% interest rates on all of you r credit
card accounts."
© 2020 Messer Studios, LLC
• Throw tons of technical details around
- Catastrophic feedback due to the
depolarization of t he differential magnetometer
• Bea buddy
- How about those Cu bs?
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 1
https://ProfessorMesser.com
1.1 - Impersonation (continued)
Eliciting information
• Extracting information from the victim
- The victim doesn't even reali ze this is happening
- Hacking the human
Protect against impersonation
• Never volunteer information
- My password is 12345
• Don't disclose personal details
- The bad guys are tricky
• Often seen w ith vish ing (Voice Ph ish ing)
- Can be easier to get th is information over the phone
• Alw ays veri fy before revea ling info
- Cal l back, verify through 3rd parties
• These are w ell-documented psychological techniques
- They can't just ask, "So, w hat's your password?"
• Veri fication shou ld be encouraged
- Especially if you r organization ow ns
valua ble information
Identity fraud
• Your identity can be used by others
- Keep your person al information safe !
• Credit card fra ud
- Open an account in you r name, or use your credit card information
• Ban k fraud
- Attacker ga ins access to you r account or opens a new account
• Loan fraud
- Your information is used for a loan or lease
• Government benefits fraud
- Attacker obtains benefits on your behalf
1.1- Dumpster Diving
Dumpster diving
• Mobil e garbage bin
- United States brand name " Dumpster"
- Similar to a rubbish skip
• Important information throw n out with the trash
-Thanks for bagging you r garbage for me !
• Gather details that can be used for a different attack
- Impersonate names, use phone numbers
• Tim ing is important
- Just after end of month, end of quarter
- Based on pickup schedu le
Is it legal to dive in a dumpster?
• I am not a lawyer.
- In the United States, it's legal
- Unless there's a local restriction
• If it's in the trash, it's open season
- Nobody ow ns it
• Dumpsters on pri vate property or "No Trespassing"
signs may be restricted
- You can't break the law to get to the rubbish
• Questions? Talk to a lega l professional.
Protect your rubbish
• Secure your garbage
- Fence and a lock
• Shred your documents
- This w il l on ly go so far
- Governments burn the good stuff
• Go look at your trash
- What's in there?
1.1- Shoulder Surfing
Shoulder surfing
• You have access to important information
- Many people w ant to see
- Curiosity, industrial espionage, competitive advantage
• Th is is surprisingly easy
- Airports/ Flights
- Hallway-facing monitors
- Coffee shops
• Surf from afar
- Binocu lars/ Telescopes
- Easy in the big city
- Webcam monitoring
© 2020 Messer Studios, LLC
• Preventing shoulder surfing
• Control your input
- Be aw are of your surroundings
• Use privacy filters
- It's amazing how w ell they w ork
• Keep your monitor out of sight
- Aw ay from w indow s and hallways
• Don't sit in front of me on your flight
- I can't hel p myself
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 2
https://ProfessorMesser.com
1.1- Hoaxes
Computer hoaxes
• A threat that doesn't actually exist
- But they seem like they COU LD be real
De-hoaxing
• It's the Internet. Believe no one.
- Consider the source
• Sti ll often consume lots of resources
- Forwarded email messages, printed memorandums, w asted time
• Cross reference
- http://www. hoax-slayer.net
- http://www.snopes.com
• Spam filters can help
- There are so many other w ays .. .
• Often an email
- Or Face book w all post, or t weet, or...
• Some hoaxes w ill take your money
- But not through electronic means
• A hoax about a virus can w aste as much time as a regular vi rus
• If it sounds too good to be true .. .
- So many sad stories
1.1- Watering Hole Attacks
Watering Hole Attack
• What if your netw ork w as really secure?
- You didn't even plug in that USB key
from the parking lot
Because that's where the money is
• January 2017
• Polish Fin ancia l Supervision Authorit y, National Banking
and Stock Comm ission of Mexico, State-ow ned
bank in Uruguay
- The w atering hole w as sufficiently poisoned
• The attackers can't get in
- Not responding to phishing emails
- Not opening any email attachments
• Visiting the site w ould download ma li cious JavaScript files
- But on ly to IP addresses matching ban ks and
other financial institutions
• Have the mountain come to you
- Go where the mountain hangs out
- The w atering hole
- This req uires a bit of research
• Did the attack w ork?
- We still don't know
Executing the watering hole attack
• Determ ine w hich w ebsite the victim group uses
- Educated guess - Local coffee or sandw ich shop
- Industry-related sites
Watching the watering hole
• Defense-in-depth
- Layered defense
- It 's never one th ing
• Infect one of these th ird-party sites
- Site vulnerabil ity
- Email attachments
• Infect all visitors
- But you're just looking for specific victims
- Now you're in!
• Firew alls and IPS
- Stop the netw ork traffic before things get bad
• Anti-virus/ Anti-ma lw are signature updates
- The Polish Financial Supervision Authority attack code
w as r ecognized and stopped by generic signatures in
Syma ntec's anti-virus softwar e
1.1- Spam
Spam
• Unsol icited messages
- Email, forums, etc.
- Spam over Instant Messaging ($PIM }
Mail gateways
• Unsoli cited email
- Stop it at the gatew ay before it reaches the user
- On-site or cloud-based
• Various content
- Commercial advertising
- Non-commercia l proselytizing
- Ph ish ing attempts
Identifying spam
• Allow ed list
- Only receive email from trusted senders
• Significant technology issue
- Security concerns
- Resource utilization
- Storage costs
- Managing the spam
• SMTP standard s checking
- Block anything that doesn't follow RFC standards
• rDNS - Reverse DNS
- Block ema il w here the sender's domain doesn't match the IP
address
• Tarpitting
- Intentionally slow dow n the server conversation
• Recipient filtering
- Block all email not addressed to a valid recipient ema il address
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 3
https://ProfessorMesser.com
1.1 - Influence Campaigns
Hacking public opinion
• Influence cam paigns
- Sw ay public opinion on political and social issues
Hybrid warfare
• Milit ary strategy
- A broad description of the techniques
- Wage w ar non-t raditionally
• Nation-state actors
- Divide, distract, and persuade
• Not a new concept
- The Internet adds new methods
• Advertising is an option
- Buy a voice for you r opinion
• Cyberwarfare
- Attack an entity w ith technology
• Enabled through Social media
- Creating, sha ring, liking
- Ampl ifi cation
• Influence w ith a m ilitary spin
- Influencing foreign elections
- " Fa ke new s"
-....
Create fake users
Post on social media
Real users share the message
\ I
I
Amplify message
\
Mass media picks up the story
1.1 - Other Social Engineering Attacks
Tailgating
• Use an authorized pers on to gain unauthorized
access to a building
- Not an accident
• Johnny Long / No Tech Hacking
- Blend in with cloth ing
- 3rd-party with a legitimate reason
- Temporarily take up smoki ng
- I sti ll prefer bringing doughnuts
• Once inside, there's little to stop you
- Most security stops at the border
Watching for tailgating
• Policy for visitors
- You should be able t o identify anyone
• One scan, one person
- A matter of policy or mechanica lly required
• Mant rap / Airlock
- You don't have a choice
• Don't be afraid to ask
- Who are you and w hy are you here?
© 2020 Messer Studios, LLC
Invoice scams
• Starts w ith a bit of spear phish ing
- Attacker know s w ho pays the bills
• Attacker sends a fake invoice
- Domain renew al, toner cartridges, etc.
- From : address is a spoofed version of the CEO
• Accounting pays the invoice
- It w as from the CEO, after all
• M ight also include a lin k to pay
- Now the attacker has payment details
Credential harvesting
• Also called passw ord harvesting
- Attackers col lect login credentials
• Ther e are a lot of stor ed credentials on your computer
- The attacker w ould like those
- Chrome, Firefox, Outlook, Windows Credential M anager, etc.
• User receives an email wit h a ma licious M icrosoft Word doc
- Opening the document runs a macro
- The macro downloads credentia l-ha rvesting ma lw are
• User has no idea
- Everything happens in the background
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 4
https://ProfessorMesser.com
1.1 - Principles of Social Engineering
Effective social engineering
• Constantly changing
- You never know what they'll use next
• May involve mu ltiple people
- And mu ltiple organizations
- There are ties connecting many organizations
• May be in person or electronic
- Phone calls from aggressive "customers"
- Emai led funeral notifications of a friend or associate
Socia l engineering principles
• Authorit y
- The social engineer is in charge
- I'm calling from the help desk/ office of the CEO/police
• Intimidation
- There will be bad things if you don' t help
- If you don't help me, the payroll checks
w on't be processed
• Consensus / Social proof
- Convince based on what's norma lly expected
- Your co-w orker Jill did th is for me last w eek
• Scarcity
- The situation will not be this w ay for long
- Must make the change before time expires
How I Lost My $50,000 Twitter Username
• Naoki Hiroshima - @N
- https :// professormesser.l i nk/tw ittername
• Attacker calls PayPal and uses socia l engineering to get
the last four digits of the credit card on fil e
• Attacker calls GoDaddy and tells them he lost the card,
so he can' t properly validate. But he has the last four,
does that help?
- GoDaddy let the bad guy guess the first
t w o digits of the card
- He w as allow ed to keep guessing until he got it right
- Social engineering done really, really w ell
How to st ea l a $50,000 Tw itter name
• Attacker is now in control of every domain name
- And there w ere some good ones
• Attacker extorts a sw ap
- Domain control for @N
- Ow ner agrees
• Tw itter review ed the case for a month
- Eventually restored access to @N
• How I Lost My $50,000 Tw itter Username
- https :// professormesser.l i nk/tw ittername
• Urgency
- Works alongside scarcity
- Act quickl y, don't think
• Familiarity/ Liking
- Someone you know, w e have common friends
• Trust
- Someone w ho is safe
- I'm from IT, and I'm here to help
1.2 - An Overview of Malware
Malware
• Malicious software
- These can be very bad
• Rootki t
• Keylogger
• Gather information
- Keystrokes
• Botnet
• Participate in a group
- Controll ed over the ' net
• Show you advertising
- Big money
• Viruses and w orms
- Encrypt you r data
- Ruin you r day
Malware Types and Methods
• Viruses
• Crypto-malware
• Ransomw are
• Worms
• Trojan Horse
© 2020 Messer Studios, LLC
• Ad w are/ Spyware
How you get malware
• These all w ork together
- A w orm takes advantage of a vu lnerability
- Insta lls malw are that includes a remote access
backdoor
- Bot may be installed later
• Your computer must run a program
- Email link - Don't click links
- Web page pop-up
- Drive-by dow nload
- Worm
• Your computer is vulnerable
- Operating system - Keep your OS updated !
- Applications - Check with the publisher
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 5
https://ProfessorMesser.com
1.2 - Viruses and Worms
Virus
• Malware that can r epro duce itself
- It needs you to execute a program
• Scri pt viruses
- Operating system and browser-based
• Reproduces through file systems or t he netw ork
- Just running a program can spr ead a virus
• M acro viruses
- Common in M icroso ft Office
• M ay or may not cause problems
- Some viruses are invisible, some ar e annoying
Fileless virus
• A stealth attack
- Does a good j ob of avoidi ng anti-virus detection
• Anti-virus is very common
- Thousands of new viruses every w eek
- Is you r signature file updated ?
• Operates in memory
- But never installed in a file or application
Virus types
• Program viruses
- It 's part of the application
• Boot sector viruses
- Who needs an OS?
Fileless virus
infection process
---+
User clicks on
malicious
website link
---+
Website exploits a
Flash/Java/Windows
vulnerability
Launches PowerShell
and downloads
payload in RAM
Worms
• Malware that self-repl icates
- Doesn't need you to do anything
- Uses the netw ork as a transm ission medium
- Self-propagates and spreads quickly
0
Infected computer
searches for
vu lnerable system
a-
!
~.
--~·
;r
r
....
.,,
•;
..
~
,
~
~
-. ,~_~
"
-
,,
.
-~
,
-
-.
Runs PowerShell scripts
and executables in memory,
exfi ltrates data, damages files
Adds an
auto-start
to Registry
• Worms are pretty bad things
- Can take over many systems very quickly
• Firew alls and IDS/IPS can mitigate
many w orm infestations
- Doesn't help much once t he w orm gets inside
. . Vulnerable
--------------1►► ~ computer
is exploited
---- ~½~
0
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 6
https://ProfessorMesser.com
1.2 - Ransomware and Crypto-malware
Your data is valuable
• Personal data
- Family pictur es and videos
- Important documents
Crypto-malware
• A new er generation of ransom w are
- Your data is unavailable until you provide cash
• Organization data
- Planning documents
- Employee persona lly identifiable information (PII)
- Financial information
- Company private data
• How much is it w orth?
- There's a number
Ransomware
• The attackers w ant your money
- They'll take you r computer in the meantime
• May be a fake ransom
- Locks your computer "by the police"
• The ransom may be avoided
- A security professional may be able to r emove
these kinds of malwar e
• Ma lw are encrypts your data files
- Pictures, documents, music, movies, etc.
- Your OS r emains available
- They w ant you runn ing, but not w orking
• You must pay the bad guys to obtain the decryption key
- Untraceable paym ent system
- An unfortunate use of public-key cryptography
Protecting against ransomware
• Al w ays have a backup
- An offline backu p, idea lly
• Keep you r operating system up to date
- Patch those vulnerabil ities
• Keep you r applications up to date
- Security patches
• Keep you r anti-virus/ anti-malware signatur es up to date
- New attacks every hou r
• Keep everything up to date
1.2 - Trojans and RATs
Trojan horse
• Used by the Greeks to capture
- Troy from the Trojans
- A digital w ooden horse
Remote Access Trojans (RATs)
• Remote Administration Tool
- The ultimate backdoor
- Administrative control of a device
• Softw are that pretends to be something else
- So it can conquer you r computer
- Doesn' t reall y care much about r eplicating
• Malw are installs the server/ service/host
- Attacker connects w ith the client softwar e
• Circumvents your existing security
- Anti-virus may catch it w hen it runs
- The better Trojans ar e built to avoid and disa ble AV
• Once it's inside it has free reign
- And it may open the gates for other programs
Potentially Unwanted Program (PUP)
• Identifi ed by anti-virus/anti-mal w are
- Potentially undesirable softw are
- Often insta lled along with other softw are
• Overly aggressive browser tool bar
-..
rb~•~.W,,ituw~iouol • ~
::~~ ·,i:.="" •-i..- ~-...-
~----··-.
....... 'Si.~
· :-:.:
.
arr cr •
...... ,., . .'l
_ _ _ _ _,:,..
are
a
4
,_.,
·~·-.~": --- -J.i;~c.-
.-
• A backup utility that displays ads
!=.:
;
0',(#
·
-
GII.C-
·
-
19:,--=.-
• Brow ser search engine hijacker
Backdoors
• Why go throu gh normal authentication methods?
- Just w alk in the back door
• Often placed on you r computer through malware
- Some malware software can take advantage of
backdoors created by other malw are
• Some softw are includes a backdoor (oops)
- Old Linux kernel included a backdoor
- Bad softw are can have a backdoor as part of the app
© 2020 Messer Studios, LLC
• Control a device
- Key logging
- Screen recording / screenshots
- Copy files
- Embed more malwar e
Protecting against Trojans and RATs
• Don' t run unknow n softw are
- Consider the consequences
• Keep anti-virus/ anti-malware signatur es updated
- There are always new attacks
• Alw ays have a backup
- You may need to quickly r ecover
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 7
https://ProfessorMesser.com
1.2 - Rootkits
Rootkits
• Originally a Un ix technique
- The "root" in root kit
Finding and removing rootkits
• Look for the unusua l
- Anti-malware scans
• Modifies core system fil es
- Part of the kernel
• Use a remover specific to the rootkit
- Usually bu ilt after the rootki t is discovered
• Can be invisible to the opera ting system
- Won't see it in Task Manager
• Secure boot w ith UEFI
- Secu rity in the BIOS
• Also invisible to traditional anti-virus utilities
- If you can' t see it, you can't stop it
....
,,.. Otttrw; . .
, IHKLN'o$EQ . f t ~ \ S C '
. HIQ.N\SECl.A~\SM-lt\lMOel
Kernel drivers
• Zeus/ Zbot malwar e
- Famous for cleaning out bank accounts
SIC,,,._
,.,,... Hllffln,._...,.,._..,,
~..,,,.~----""""
uoi;a
4/ZZfl01 111$7AH
0~• H-"Wl-~J.PI
:::IC..,._
4/ZV20l11157AM
l(N)i;J H°'9rl ....Ww-odooolN'I
Hd:WI.._WincloMAPt
:ic-•
.t/2V20111157H4
Obret H'"'"*\lflf'ldOilllNl"!
'1_C\JC...-o\tl)..ol•
4/ZV2011 11$7AM
:ic - •
.t/22/2011 11 57 AM
0 ~ Ho:»litl._W.,..1'Pl
4/22/20l 1 11 $7 AH
Sl 1$),9 HdilnNaW..._.M't
:IC"'61
.t/Z2f201111$7AW
lt)t• Ho;wliloa~J.PI
4(N)IJHllffln'-'W..,_..,,
Ot,.• HdilrlMWindollllAA
,le,,_
u c,sc~
S.9'GI H.:fflnllo,a,Windoool.tl'I
Jll'61J HQ:WI ...WwldD,,,eJ.PI
◄nl/201 1 1157.tH
~c,~..
• Necurs makes sure you can't delete Zbot
- Access denied
S.cit OetCIIIPl.cn
Oe,,.• ~_,,.ODl"&llnl~M,M
.tl%2f20ll 11$7AW
4/ZZl201 1 11$7AH
4/22120l l 11$7AW
~ t\18.dl:M-• ..,
• Now combined w ith Necurs rootki t
- Necu rs is a kernel-level driver
,_
4/22/20l 14 1ll'W
.t/W2011 • 18 PM
-it\$WflMt1
4/WlOl l 1157 ....
:lC\ISeN•
.t/ZZl20ll 11$7AM
c-
4/ZZ/201 1 11$7.IH
4nl/20l 1 11 57 AM
-..c\JUDC...
o.,,...
o.,,...
Hdfilrl.._W~l,flt
1a.oou Hd:h'l111oaw...,...,,
0~• HQaf'l-~J.Pt
• Trying to stop the Win dow s process?
- Error terminating process : Access denied
1.2 - Spyware
Adware
• Your computer is one big advertisement
- Pop-ups with pop-ups
Why is there so much adware and spyware?
• Money
- Your eyeballs ar e incredibly valuable
• May cause performance issues
- Especially over the netw ork
• Money
- Your computer time and bandwidth
is incr edibly valuable
• Instal led accidental ly
- May be included with other software
• Be careful of softw are that claims to r emove adware
- Especially if you learned about it from a pop-up
• Money
- Your bank account is incredibly valuable
- Yes, even you r bank account
Spyware
• Malware that spies on you
- Advertising, identity theft, affiliate fraud
Protecting against adware/spyware
• Maintain your anti-virus/ anti-malware
- Al w ays have the latest signatu re s
• Can trick you into installing
- Peer to peer, fake security softw are
• Always know w hat you're insta lli ng
- And w atch your options during the installation
• Brow ser mon itoring
- Capture su rfing habits
• Where's your backup?
- You might need it someday
- Cleaning adw are isn' t easy
• Keyloggers - Captu re every keystroke
- Send it back to the mother ship
• Run some scans - M alw arebytes
1.2 - Bots and Botnets
Bots (Robots)
• Once your machine is infected, it becomes a bot
- You may not even know
Botnets
• A group of bots w orking together
- Nothing good can come from th is
• How does it get on you r com puter?
- Trojan Horse (I just saw a funny video of you! Click her e.) or...
- You run a program or click an ad you THOUGHT w as legit,
but...
- OS or application vu lnerabi lity
• Distributed Denial of service (DDoS)
- The pow er of many
• A day in the life of a bot
- Sit around. Check in w ith the Command and Control (C&C)
server. Wait for instructions.
© 2020 Messer Studios, LLC
• Relay spam, proxy netw ork traffic,
di stributed computing tasks
• Botnets are for sale
- Rent time from the botnet ow ner
- Not a long-term business proposition
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Pages
https://ProfessorMesser.com
1.2 - Bots and Botnets (continued)
Stopping the bot
• Prevent the initial infection
- OS and application patches
- Anti-virus/anti-malwar e and updated signatu re s
• Prevent command and control (C&C)
- Block at the firewall
- Identify at the w orkstation with a
host-based firew all or host-based IPS
• Identify an existing infection
- On-d emand scans, netw ork monit oring
1.2 - Logic Bombs
Logic Bomb
• Waits for a predefined event
- Often left by someone with grudge
• Time bom b
-Time or date
• User event
- Logic bomb
• Diffi cu lt to identify
- Difficult to recover if it goes off
Real-world logic bombs
• March 19, 2013, South Korea
- Email w ith malicious attachment sent to
- South Korean organizations
- Posed as a bank email
- Trojan installs malw are
• M arch 20, 2013, 2 p.m. local time
- Malware time-based logic-bomb activates
- Storage and master boot record deleted, system
reboots
- Boot device not found.
- Please install an operating system on you r hard disk.
• December 17, 2016, 11:53 p.m.
- Kiev, Ukraine, high-voltage substation
- Logic bomb begins disabling electrical circuits
- Malware mapped out the control network
- Began disabling power at a predetermined time
- Custom ized for $CADA netw orks
(Supervisory Control and Data Acquisition)
Preventing a logic bomb
• Difficult to recogni ze
- Each is unique
- No predefined signatures
• Process and procedu re s
- Formal change control
• Electronic monitoring
- Alert on changes
- Host-based intrusion detection, Tripwire, etc.
• Constant aud iting
- An administrator ca n circumvent existing systems
1.2 - Password Attacks
Plaintext / unencrypted passwords
• Some applications store passw ords " in the clear"
- No encryption. You can read the stored password.
- This is rare, thankfully
• Do not store passwords as plaintext
- Anyone with access to the password file or database
has every credential
• What to do if you r application saves
passwords as plaintext :
- Get a better application
Linux Account
Hashes
© 2020 Messer Studios, LLC
Hashing a password
• Hashes represent data as a fixe d-length string of text
- A message digest, or " fingerprint"
• Will not have a collision (hopefu lly)
- Different inputs will not have the same hash
• One-w ay trip
- Impossible to recover the original message
from the digest
-A common w ay to store passwords
The password file
• Different across operating systems and applications
- Different hash algorithms
Jumper Bay : ·
Ca rter : 1 007 : : cf4eb977a6859c76e f d2lf5094ec f 77d :::
Jackson : 1008 :: elf757d9cdc06690509e04b5446317d2 : ::
O' Ne il l : 1009 :: 78a8c423 f aedd2 f 002c6 aef 69 a 0acl af : ::
Teal' c : 1 0 1 0 : : bf8 4 666c8 1 974686e50d300bc36aea0 1 :::
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 9
https://ProfessorMesser.com
1.2 - Password Attacks (continued)
Spraying attack
• Try to login with an incorrect passw ord
- Eventually you' re locked out
• There are some common passw ords
- https://en.wikipedia.org/w iki/list_of_the_most_
common_passw ords
• Attack an account with the top three (or more) passw ords
- If they don't w ork, move to the next account
- No lockouts, no alarms, no alerts
Rainbow tables
• An optim ized, pre-bui lt set of hashes
- Saves time and storage space
- Doesn' t need to contain every hash
- Contains pre-calculated hash chains
• Remarkable speed increase
- Especially with longer passw ord lengths
• Need different tables for different hashing methods
- W indow s is different than MySQL
Brute force
• Try every possible passw ord combination
until the a hash is matched
Adding some salt
• Salt
- Random data added to a passw ord w hen hashing
• This might take some time
-A strong hashing algorithm slow s things dow n
• Every user gets their ow n random salt
- The salt is commonly stored w ith the passw ord
• Brute force attacks - Online
- Keep trying the login process
-Very slow
- Most accounts will lockout after a number
of failed attempts
• Rainbow tables w on't w ork with salted hashes
- Additional random value added to the
original passw ord
• Brute force the hash - Offline
- Obtain the list of users and hashes
- Calculate a passw ord hash, compare it to a stored hash
- large computational resource requirement
• Each user gets a differ ent random hash
- The same passw ord creates a different hash
Dictionary attacks
• Use a dictionary to find common w ords
- Passw ords are cr eated by humans
• Many common w ordlists available on the 'net
- Some are customized by language or line of w ork
• The password crackers can substitute letters
- p&ssw 0rd
• This takes time
- Distributed cracking and GPU cracking is common
• This slows things dow n the brute force process
- It doesn' t completely stop the reverse engineering
When the hashes get out
• January 2019 - Collection #1
- A collection of email addresses and passw ords
- 12,000+ files and 87 GB of data
• 1,160,253,228 unique emails and passw ords
- A compilation of data breach results
• 772,904,991 unique usernames
-That's about 773 mil lion people
• 21,222,975 unique passw ords
- You really need a passw ord manager
• https://haveibeenpw ned.com/
• Discover passw ords for common w ords
- This w on't discover random character passw ords
1.2 - Physical Attacks
Malicious USB cable
• It looks like a normal USB cable
- It has additional electronics inside
• Operating system identifies it as a HID
- Human Interface Device
- It looks like you've connected a keyboard or mouse
-A keyboard doesn't need extra rights or permissions
• Once connected, the cable takes over
- Dow nloads and insta lls malicious softw are
• Don't just plug in any USB cable
-Alw ays use t rusted hardware
Malicious flash drive
• Free USB flash drive !
- Plug it in and see w hat's on it
- That's a bad idea
© 2020 Messer Studios, LLC
• Older operating systems w ould automatically run files
- This has now been disabled or removed by default
• Could still act as a HID (Human Interface Device) /
Keyboard
- Start a command prompt and type anything
without your intervention
• Attackers can load malware in documents
- PDF files, spreadsheets
• Can be configur ed as a boot device
- Infect the computer after a reboot
• Acts as an Ethernet adapter
- Redirects or modifies Internet t raffic requests
- Acts as a wireless gatew ay for other devices
• Never connect an untrusted USB device
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 10
https://ProfessorMesser.com
1.2 - Physical attacks (continued)
Skimming
Card cloning
• Stealing credit card information,
usually during a normal transaction
- Copy data from the magnetic stripe:
- Card number, expiration date, card holder's name
• ATM skimming
- Includes a small camera to also w atch for your PIN
• Get card detai ls from a skim mer
- The clone needs an original
• Attackers use the ca rd information for other financial
transactions
- Fraud is the responsibility of the seller
• Create a dupl icate of a card
- Looks and fe els like the original
- Often includes the printed eve (Card Validation Code)
• Can only be used with magnetic st ripe cards
- The chip can't be cloned
• Cloned gift cards are common
- A magnetic st ripe technology
• Always check before using card readers
1.2 - Adversarial Artificial Intelligence
Machine learning
Evasion attacks
• Our computers are getting smarter
- They identify patterns in data and improve
their predictions
• The Al is only as good as the t raining
- Attackers find the holes and limitations
• This requires a lot of t raining data
- Face r ecognition requires analyzing a lot of faces
- Driving a car requires a lot of road time
• In use every day
-Stop spam
- Recommend products from an on line retailer
-What movie w ould you like to see? This one.
- Pr event car accidents
Poisoning the training data
• Confuse the artificial intelligence (Al)
-Attackers send modified training data that causes
the Al to behave incorrectly
• Microsoft Al chatter bot named Tay
• (Thinking About You)
- Joins Twitter on March 23, 2016
- Designed to learn by interacting w ith Twitter users
- Microsoft didn't program in anti-offensive behavior
- Tay quickly became racist, sexist, and inappropriate
• An Al that know s w hat spam looks like can be
fooled by a different approach
- Change the number of good and bad w ords in the
message
• An Al that uses r eal-w orld information can release
confidential information
- Trained w ith data that includes social security
numbers
- Al can be fooled into revealing those numbers
Securing the learning algorithms
• Check the training data
- Cross check and verify
• Constantly retrain w ith new data
- More data
- Better data
• Train the Al with possible poisoning
-What w ould the attacker try to do?
1.2 - Supply Chain Attacks
Supply chain
• The chain conta ins many moving parts
- Ra w materials, suppliers, manufactur ers,
distributors, customers, consumers
• HVAC vendor w as the supplier
- Attackers used a w ide-open Ta rget netw ork to
infect every cash register at 1,800 stores
• Attackers can infect any step along the w ay
- Infect different parts of the chain without suspicion
- People t rust their suppliers
• One exploit can infect the entir e chain
- There's a lot at stake
Supply chain security
• Can you trust your new
server/router/ sw itch/ ft rew all/softw are?
- Supply chain cybersecurity
Supply chain security
• Target Corp. breach - November 2013
- 40 mi llion credit cards stolen
• Heating and AC firm in Pennsylvania w as infected
- Malware delivered in an email
- VPN cr edentials for HVAC techs w as stolen
© 2020 Messer Studios, LLC
• Do these technicians look like an IT security issue?
• Use a small supplier base
- Tighter control of vendors
• Strict controls over policies and procedures
- Ensure proper security is in place
• Security should be part of the overall design
- There's a limit to trust
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 11
https://ProfessorMesser.com
1.2 - Cloud-based vs. On-Premises Attacks
Attacks can happen anywhere
• Tw o categories for IT security
- The on-pr emises data is more secure !
- The cloud-based data is more secure!
• Cloud-based security is centralized and costs less
- No dedicated hardw are, no data center to secure
- A third-party handles everything
• On-premises puts the security burden on the client
- Data center security and infrastructure costs
• Attackers w ant your data
- They don't care w here it is
On-premises security
• Custom ize you r secu rity post ure
- Full control w hen everyth ing is in-house
• On-site IT t eam can manage security better
- The local team can ensur e everything is secure
- A local team can be expensive and difficult to staff
• local team maint ains uptime and ava ilabilit y
- System checks can occur at any time
- No phone call for support
• Security changes can take time
- New equipment, configurations, and additional costs
Security in the cloud
• Dat a is in a secure environment
- No physica l access to the data center
- Third-party may have access to the data
• Cloud providers are managing large-sca le security
-Automated signature and security updates
- Users must follow security best-practices
• lim it ed dow ntime
- Extensive fault-tolerance and 24/7/365 monitoring
• Sca lable security options
- One-click security deployments
- This may not be as customizable as necessary
1.2 - Cryptographic Attacks
Cryptographic attacks
• You've encrypted data and sent it to another person
- Is it really secure? How do you know ?
Collisions
• Hash digests are supposed to be unique
- Different input data should never cr eate the same hash
• The attacker doesn' t have the combination (the key)
- So they break the safe (the cryptography)
• Finding w ays to undo the security
- There are many potential cryptographic shortcomings
- The problem is often the implementation
• MOS hash
- Message Digest Algorithm 5
- Published in April 1992, Collisions identified in 1996
Birthday attack
• In a classroom of 23 students, w hat is the chance of
t w o students sharing a birthday? About 50%.
- For a class of 30, the chance is about 70%
• In the digital w orld, this is a hash coll ision
-A hash collision is the same hash value for t w o
different plaintexts
- Find a collision through brute force
• The attacker w ill generate mu ltiple versions of
plaintext to match the hashes
- Protect yourself with a large hash output size
• December 2008: Researchers created CA certificate
that appeared legitimate w hen MOS is checked
- Built other certificates that appeared to be legit
and issued by RapidSSL
Downgrade attack
• Instead of using perfectly good encryption, use
something that's not so great
- Force the systems to dow ngrade their security
• 2014 - TLS vulnerability - POODLE (Padding Oracle
On Dow ngraded Legacy Encryption)
- On-path attack
- Forces cl ients to fall back to SSL 3.0
- SSL 3.0 has significant cryptographic vulnerabilities
- Because of POODLE, modern brow sers w on't fall back
to SSL 3.0
1.3 - Privilege escalation
Privilege escalation
• Gain higher-level access to a system
- Exploit a vulnerability - Might be a bug or design fla w
Mitigating privilege escalation
• Patch quickly
- Fix the vulnerabi lity
• Higher-level access means mor e capabilities
- This common ly is the highest-level access
- This is obviously a concern
• Updated anti-virus/anti-malw are softw are
- Block know n vulnerabilities
• These are high-priority vulnerabil ity patches
- You w ant to get these holes closed very quickly
-Any user can be an adm inistrator
• Horizontal privilege escalation
- User A can access user B resources
© 2020 Messer Studios, LLC
• Data Execution Prevention
- Only data in executable ar eas can run
• Address space layout randomization
- Pr event a buffer overrun at a know n
memory address
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 12
https://ProfessorMesse r.com
1.3 - Cross-site Scripting
Cross-site scripting
Hacking a Subaru
• xss
• June 2017, Aaron Guzman
- Security researcher
- Cascading Style Sheets (CSS) ar e something else entirely
• Originally called cross-site because of brow ser security fla ws
- Information from one site could be shared with another
• When authenticating with Subaru, users get a token
-This token never expires (bad!)
• One of the most common w eb application
development errors
- Takes advantage of the trust a user has for a site
- Complex and varied
• Malw are that uses JavaScript - Do you allow scripts? Me too.
• A valid token allow ed any service request
- Even adding your email addr ess to someone
else's account
- Now you have ful l access to someone else's car
Non-persistent (reflected) XSS attack
• Web site allow s scripts to run in user input
- Search box is a common source
• Web front-end included an XSS vu lnerability
-A user clicks a malicious link, and you have
their token
Protecting against XSS
• Attacker emails a li nk that takes advantage of this
vulnerabi lity
- Runs a script that sends credentials/session IDs/cookies
to the attacker
• Script embedded in URL executes in the victim's brow ser
- As if it came from the server
• Be carefu l w hen clicki ng untrusted links
- Never bl indly click in your ema il in box. Never.
• Consider disabling JavaScript
- Or control with an extension
- This offers limited protection
• Keep your brow ser and applications updated
-Avoid the nasty brow ser vulnerabilities
• Attacker uses credentials/ session IDs/cookies to steal
victim's information without their knowledge
- Very sneaky
• Validate input
- Don't allow users to add their ow n scripts to an
input field
Persistent (stored) XSS attack
• Attacker posts a message to a social netw ork
- Includes the malicious payload
• It's now "persistent" - Everyone gets the payload
• No specific target - All view ers to the page
• For social netw orking, this can spread quickly
- Everyone w ho view s the message can have it
posted to their page
- Where someone else can view it and propagate it further...
1.3 - Injection Attacks
Code injection
• Code injection
- Adding your ow n information into a data stream
XML injection and LDAP injection
• XML - Extensible Markup Language
- A set of rules for data transfer and storage
• Enabled because of bad programming
- The application should properly handle
input and output
• XML injection
- Modifying XML requests - a good application w ill validate
• So many different data types
- HTML, SQL, XML, LDAP, etc.
SQL injection
• SQL - Structured Query Language
- The most common relational database
management system language
• SQL Injection
- Modifying SQL requests
- Your application shouldn't really allow this
© 2020 Messer Studios, LLC
• LDAP - Lightw eight Directory Access Protocol
- Created by the telephone companies
- Now used by almost everyone
• LDAP injection
- Modify LDAP requests to manipulate application r esults
DLL injection
• Dynam ic-Link Library
- A W indow s library containing code and data
- Many applications can use this library
• Inject a DLL and have an application run a program
- Runs as part of the target process
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 13
https://ProfessorMesser.com
1.3 - Buffer Overflows
Buffer overflows
• Overw riting a buffer of memory
- Spills over into other memory areas
Variable A and B before buffer overflow
• Developers need to perform bounds checking
- The attackers spend a lot of time looking for openings
• Not a simple exploit
- Takes time to avoid crash ing things
- Takes time to make it do w hat you w ant
• A really useful buffer overflow is repeatable
- Wh ich means that a system can be compromised
Variable Name
A
Value
(null string]
Hex Value
00
8
1979
I oo I oo I oo I oo I oo I oo I
00
I
07
88
Overflowing variable A changes variable B
Variable Name
A
8
Value
'e'
·x·
'c'
'e'
'$ '
'$ '
'i'
'v'
Hex Value
65
78
63
65
73
73
69
76
25856
65
I
00
1.3 - Replay Attacks
Replay attack
• Useful information is transmitted over the netw ork
- A crafty hacker will take advantage of this
• This is not an on-path attack
- The actual replay doesn't r equire
the original w orkstation
• Need access to the ra w netw ork data
- Network tap, ARP poisoning, malware on the victim computer
• Avoid this type of r eplay attack w ith a salt
- Use a session ID w ith the passw ord hash to
create a unique authentication hash each time
• The gathered information may help the attacker
- Replay the data to appear as someone else
Pass the Hash
~
Client authenticates to
. . the server with a username
and hashed password
------==--------Server
During authentication,
~ the attacker captures
~ the username
and password hash
Attacker
Header manipulation
• Information gathering
-Wireshark, Kismet
• Exploits
- Cross-site scripting
• Modify headers
- Tamper, Firesheep, Scapy
• Modify cookies
- Cookies Manager+ (Firefox add-on )
© 2020 Messer Studios, LLC
Attacker sends his own
authentication request
using the captured credentials
Prevent session hijacking
• Encrypt end-to-end
- They can't capture your session ID if they can't see it
- Additional load on the w eb server (HTTPS)
- Firefox extension: HTTP$ Everyw here, Force-TL$
- Many sites are now HTTPS-only
• Encrypt end-to-somew here
-At least avoid capture over a local wireless network
- Still in-the-clear for part of the journey
- Personal VPN (OpenVPN, VyprVPN, etc.)
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 14
https://ProfessorMesser.com
1.3 - Replay Attacks (continued)
Browser cookies and session IDs
• Cookies
- Information stored on your computer by the brow ser
• Could be considered be a privacy risk
- lots of personal data in there
• Used for tracking, personalization, session management
- Not executable, not generally a security risk
- Unless someone gets access to them
• Session IDs ar e often stored in t he cookie
- Maintains sessions across multiple brow ser sessions
Session hijacking (Sidejacking)
Victim authenticates
to the serve r
0
Client authentication
A
Your session ID: 3B0027A38FDF37
◄•-------------------- v
Server provides
a session ID
to the client
•
Victim
Attacker intercepts
the session ID and
uses it to access the
se rver with the
victim's credentials
Attacker
Web Server
1.3 - Request Forgeries
Cross-site requests
• Cross-site requests ar e common and legitimate
- You visit ProfessorM esser.com
- Your brow ser loads text from t he
ProfessorMesser.com server
- Your brow ser loads a video from You Tube
- Your brow ser loads pictures from lnstagram
• HTML on ProfessorMesser. com directs
requests from your brow ser
- This is normal and expected
- M ost of these are unauthenticated requests
The client and the server
• Website pages consist of client-side
code and server-side code
- Many moving parts
• Client side
- Renders the page on the screen
- HTML, JavaScript
• Server side
- Performs requests from
the client - HTML, PHP
- Transfer money from one
account to another
- Post a video on YouTube
Cross-site request forgery
• One-click attack, session riding - XSRF, CSRF (sea surf)
• Takes advantage of the t rust that a w eb application
has for the user
- The w eb site trusts your brow ser
- Requests are made w ithout your consent or your know ledge
- Attacker posts a Facebook status on your account
• Significant w eb application development oversight
- The application should have anti-forgery techniques added
- Usually a cryptographic token to pr event a forgery
Cross-site request forgery
A
V
Re q uest is se nt as a
hyperlink to a user wh o
may a lready be logge d
io<o<heba,k 7
0
~ ◄
~
~
8
'":~::,,ito,~
Attacke, " "" "
funds t ra nsfer req uest
~~
~
Attacker
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 15
•
A
V
Visito r clicks the link a nd
un knowi ngly sends th e
t ra nsfer req uest to
•i<e
0
__,-/ Bank Web Server
Bank validat es the tra nsfer
and se nds the visitor's funds
to th e attacker
https://ProfessorMesser.com
1.3 - Request Forgeries (continued)
Server-side request forgery (SSRF)
• Attacker fin ds a vulnerable w eb application
- Sends requests to a w eb server
- Web server performs the request on
behalf of the attacker
• Caused by bad programming
- Never trust the user input
- Server should validate the input
and the responses
- These are rare, but can be
critical vulnerabilities
Capital One SSRF breach - March 2019
• Attacker is able to execute commands
on the Capital One w ebsite
- This is normally stopped by a WAF
(Web Application Firew all)
- The WAF w as misconfigured
• Attacker obtained security credentials for the WAF role
• WAF-Role account listed the buckets on Amazon S3
• Attacker retrieved the data from the Amazon buckets
• Credit card application data from 2005 through 2019
- 106 million names, address, phone, email, DoB
- 140,000 Social Security numbers,
80,000 bank accounts
O0
Server-side request forgery (SSRF)
0
Attacker sends a request
•
t hat cont rols a web application
----------------
~
~
Web server sends request
t o another service,
. _. 0
~
~,
Web Server
Attacker
. . Web Server fo rwards
~ response t o attacker
~
such as cloud fi le st orage
~
•
::::::
•
=
Cloud st orage
~ sends response
. , to Web server
~
•
~
Dat abase
Cache
o~o::::::
•
~
File Storage
•
~
Di rect ory
Services
1.3 - Driver Manipulation
Malware hide-and-go-seek
• Traditional anti-virus is very good at identifying
know n attacks
- Checks the signatur e
- Block anything that matches
• There are still w ays to infect and hide
- It 's a constant w ar
- Zero-day attacks, new attack types, etc.
Your drivers are powerful
• The interaction betw een the hardw are and your
operating system
- They ar e often t rusted
- Great opportunity for security issues
• May 2016 - HP Audio Drivers
- Conexant audio chips
- Driver installation includes aud io control softw are
- Debugging feature enables a keylogger
• Hardw are interactions contain sensitive information
- Video, keyboard, mouse
Shimming
• Fi lling in the space betw een t w o objects
- A middleman
• W indow s includes it's ow n shim
- Backw ards compatibility with previous
W indow s versions
- Application Compatibility Shim Cache
• Malw are authors w rite their ow n shims
- Get around security (like UAC)
• January 2015 Microsoft vulnerability
- Elevates privilege
Refactoring
• Metamorphic malw are
- A differ ent program each time it's dow nloaded
• Make it appear different each time
- Add NOP instructions
- Loops, pointless code strings
• Can intelligently redesign itself
- Reorder functions
- Modify the application flow
- Reorder code and insert unused data types
• Difficult to match w ith signature-based detection
- Use a layered approach
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 16
https://ProfessorMesser.com
1.3 - SSL Stripping
SSL stripping/ HTTP downgrade
• Com bin es an on-pat h attack w ith a downgrade attack
- Difficult t o im plement, but big returns for the attacker
SSL and TLS
• SSL (Secu re Socket s Layer) 2.0 - Deprecated in 2011
• SSL 3.0
- Vulnerable to the POODLE attack
- Deprecated in June 2015
• Tra nsport Layer Securit y (TLS) 1.0
- Upgrade to SSL 3.0, and a name change
from SSL to TLS
- Can downgrade to SSL 3.0
• Attacker must sit in the m iddle of t he conversation
- Must modify data betw een the victim and w eb server
- Proxy server, ARP spoofing, rogue Wi-Fi hotspot, etc.
• Victim does not see any signifi cant problem
- Except the browser page isn't encrypted
- Strips the S away from HTTP$
• Th is is a client and server problem
- Works on SSL and TLS
• TLS 1.1
- Deprecated in January 2020 by modern brow sers
• TLS 1.2 and TLS 1.3 - The latest standards
SSL stripping
4iJ
GET http://examp le.com
(J
_ .
GET http://example.com
Web site
Visitor
Web Server
301 Moved
Attacker
GET https://example.com
200 O K {HTTPS)
200 OK {H TTP)
POST http://examp le.com
M an-in-the -m idd le
Rewrites URls
HTTP/HTTPS
POST https://exam ple.com
user: professor & password: ninjal
_
user: professor & password : ninja l
1.3 - Race Conditions
Race condition
• A programmin g conundrum
- Sometimes, th ings happen at the same time
- This can be bad if you've not planned for it
• Time-of-check to time-of-use attack (TOCTOU)
- Check the system
- When do you use the r esults of your last check?
- Something might happen between the check
and the use
Race conditions can cause big problems
• January 2004 - Mars rover " Spirit"
- Reboot when a problem is identified
- Problem is w ith the file system, so reboot because
of t he file system problem
- Reboot loop w as the re sult
• GE Energy - Energy Management System
- Three pow er lines failed at the same time
- Race con dition delayed alerts
- Caused the Northeast Blackout of 2003
• Therac-25 radiation thera py machine in t he 1980s
- Used software interlocks instead of hardware
- Race con dition caused 100 times the normal dose of ra diation
- Six patients inj ured, th ree deaths
Transfer $50 from
User 1
AccountAto
Acco unt B
-
-
Account A= $100
Account 8 = $100
Add $50 to
Account B
-
Account A = $100
Account 8+50 = $150
Remove $50 from Account A
~
~
Account A-SO= $50
Account 8 = $200
Transfer $50 from
User 2
Account A to
Account B
-
-
Account A = $100
Account 8 = $100
© 2020 Messer Studios, LLC
Add$50to
Account B
-
Account A = $100
Account 8+50 = $200
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 17
Remove$50from
Account A
Account A-SO= $50
Account 8 = $200
-
~
~
Ending Account Value
Account A= $50
Account 8 = $200
https://ProfessorMesser.com
1.3 - Other A plication Attacks
Memory vulnerabilities
• Manipulating memory can be advantageous
- Relatively difficult to accomplish
• Memory leak
- Unused memory is not properly released
- Begins to slow ly grow in size
- Eventually uses all available memory
- System crashes
• NULL Pointer dereference
- Programming technique t hat references a
portion of memory
- W hat happens if that reference points to nothing?
- Application crash, debug information displayed, DoS
• Integer overflow
- Large number into a smaller sized space
-Where does t he extra number go?
- You shouldn't be able to manipulate
memory this w ay
Directory traversal
• Directory traversal/ path t raversal
- Read files from a w eb server t hat are outside of
the w ebsite's file directory
- Users shouldn't be able to brow se
the W indow s folder
• Web server software vulnerability
- Won't stop users from browsing past the
w eb server root
• Web application code vulnerability
- Take advantage of badly w ritten code
Improper error handling
• Errors happen
- And you should probably know about it
• Messages should be j ust informational enough
-Avoid too much deta il
- Netw ork information, memory dump,
stack t races, database dumps
• This is an easy one to find and fix
-A development best-practice
Improper input handling
• Many applications accept user input
- We put data in, w e get data back
• All input should be considered malicious
- Check everything. Trust nobody.
• Allowing invalid input can be devastating
- SQL inj ections, buffer overflow s,
denial of service, etc.
• It takes a lot of w ork to find input that
can be used maliciously
- But they w ill find it
API attacks
• API - Application Programming Interface
• Attackers look for vulnerabilities in this new
communication path
- Exposing sensitive data, DoS, intercepted
communication, privileged access
Resource exhaustion
• A specialized DoS (Denial of Service) attack
- May only r equire one device and low bandw idths
• ZIP bomb
-A 42 ki lobyte .zip compr essed fil e
- Uncompresses to 4.5 petabytes (4,500 terabytes)
-Anti-virus w ill identify t hese
• DHCP starvation
-Attacker floods a network w ith IP address requests
- MAC address changes each time
- DHCP server eventually runs out of addresses
- Switch configurations can rate limit DHCP requests
Traditional vs. APl-based applications
HTTP GET
Traditional
Application
HTTP Response
Browser
Web Server
Database
Server
Database
API Requests
AP I-based
App
API Responses
Mobile
Devices
•
Messer Studios
LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 18
https://ProfessorMesser.com
1.4 - Rogue Access Points and Evil Twins
Rogue access points
• An unaut horized wireless access poi nt
- May be added by an employee or an attacker
- Not necessarily malicious
- A signifi cant potential backdoor
Wireless evil twins
• Looks legitimate, but actually malicious
- The w ireless version of phishing
• Very easy to plug in a wireless AP
- Or enable wireless sharing in your OS
• Overpow er the existing access points
- M ay not req uire the same physical location
• Schedule a periodic survey
- Walk around your buildi ng/campus
- Use third-party tools/ WiFi Pineapple
• Consider using 802.lX (Network Access Control)
- You must authenticate, regardless of the
connection t ype
• W iFi hotspots (and users) are easy to fool
- And they're w ide open
• Configure an access point to look like an existing network
- Same (or sim ilar) SSID and security settings/ca ptive portal
• You encrypt you r communication, right?
- Use HTTP$ and a VPN
1.4 - Bluejacking and Bluesnarfing
Bluejacking
• Send ing of unsolicited messages to another
device via Bluetooth
- No mobile carrier req uired !
Bluesnarfing
• Access a Blu etooth-enabled device and transfer data
- Contact list, calendar, email, pictures, video, etc.
• First major security w eakn ess in Bluetooth
- Ma rcel Holtmann in September 2003 and
- Adam Laurie in November 2003
- This w eakn ess was patched
• Typical fun ctional distance is about 10 meters
- More or less, dependi ng on antenna and interference
• Bl uejack w ith an address book object
- Instead of contact name, w ri te a message
- "You are Bl uejacked !"
- "You are Bluejacked ! Add to contacts?"
• Serious security issue
- If you know the file, you can down load it without
authentication
• Third-party softwar e may also be used
- Blooover, Bluesniff
1.4 - Wireless Disassociation Attacks
It started as a normal day
• Surfing along on you r wireless netw ork
- And then you're not
Protecting against disassociation
• IEEE has already addressed the problem
- 802.llw - July 2014
• Some of the importa nt management frame s
are encrypted
- Disassociate, deauthenticate,
channel switch announcements, etc.
• And then it happens agai n
- And again
• You may not be able to stop it
- There's (almost) noth ing you can do
- Time to get a long patch cable
• Not everything is encrypted
- Beacons, probes, authentication, association
• 802.llw is require d for 802.llac compliance
- This wil l roll out going forward
• Wireless disassociation
- A signifi cant w ireless
denial of service (DoS) attack
802.11 management frames
• 802.11 w ireless includes a number of
management featu re s
- Frames that make everything w ork
- You never see them
• Important for the operation of 802.11 w ireless
- How to find access points, manage QoS, associate/
disassociate w ith an access point, etc.
• Original wireless standards did not add
protection for management frames
- Sent in the clear
- No authentication or validation
© 2020 Messer Studios, LLC
• IEEE 802 . 11 wireless LAN management f rane
• Fixed parameters ( 4 bytes)
► Capabilities Information: 0x0011
Listen Interval: 0x0014
• Tagged parameters ( 146 bytes )
Tag:
Tag:
Tag :
• Tag:
► Tag:
► Tag:
► Tag :
► Tag:
► Tag:
►
►
►
Supported Rates 6(8) , 9, 12(8), 18, 24(8), 36, 48, 54, (Mbit/sec)
Power Capability Min: 2, Max : 17
Suppo rted Channels
RSN I nformation
HT Capabilities (802 .lln 01.10 )
Vendor Specific Apple
Vendor Specific Epigram : HT Capabilities (802. lln 01.10)
Vendor Specific Broadcom
Vendor Specific Mic rosof: \ofolM/ WME: Information Element
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 19
https://ProfessorMesser.com
1.4 - Wireless Jamming
Radio frequen cy (RF) j amming
• Denial of Service
- Prevent w ireless communication
W ireless jamming
• Many different types
- Constant, random bits/ Constant, legitimate frames
• Transmit interfering w ireless signals
- Decrease the signa l-to-noise ratio at
the receiving device
- The receiving device can't hear the good signa l
• Dat a sent at ran dom times
- Random data and legitimate fram es
• Sometimes it's not intentional
- Interference, not jamming
- Microw ave oven, fluorescent lights
• Needs to be somew here close
- Difficult t o be effective from a distance
• Jamming is intentional
- Someone w ants your net w ork to not w ork
• Reactive jamm ing
- On ly w hen someone else tries to communicate
• Time to go fox hunting
- You'll need the right eq uipment to hunt dow n the jam
- Directiona l antenna, attenuator
1.4 - RFID and NFC Attacks
RFID (Radio-frequency identification)
• It 's everyw here
- Access badges
- Inventory/Assembly li ne tracking
- Pet/ An imal identifi cation
- Anything that needs to be t racked
• Radar technology
- Radio energy transmitted to t he t ag
- RF pow ers t he tag, ID is t ransmitted back
- Bidirectional communication
- Some tag format s can be active/ pow ered
RFID Attacks
• Data capt ur e
- View commun ication
- Replay attack
• Spoof the reader - Writ e your ow n data to the tag
Near field communication (NFC)
• Tw o-w ay w ireless communication
- Builds on RFID, w hich is mostly one-w ay
• Payment systems
- Many options available
• Bootstrap for ot her w ireless
- NFC helps with Bluetooth pairing
• Access token, identity "card"
- Short range wit h encryption su pport
NFC Security Concern
• Remote capture
- It 's a w ireless net w ork
- 10 meters for active devices
• Fre quency jamm ing
- Denial of service
• Denial of service - Signal jamming
• Relay / Replay attack
- On-path attack
• Decrypt commun ication
- Many defau lt keys are on Google
• Loss of NFC device control
- Stolen/lost phone
1.4 - Randomizing Cryptography
Cryptographic nonce
• Arbitrary number
- Used once
- "For the nonce" - For the time being
Initialization Vectors (IV)
• A type of nonce
- Used for random izing an encryption scheme
- The mor e random the better
• A random or pseudo-random number
- Someth ing that can't be reasonably guessed
- Can also be a counter
• Use a nonce du ring t he login process
- Server gives you a nonce
- Calcu lat e your passw ord hash using t he nonce
- Each passw ord hash sent t o the host wi ll be
different , so a replay w on't w ork
• Used in encryption ciphers, WEP, and some
SSL im plement ations
Salt
• A nonce most commonly associated w ith passw ord
ran domization
- Make the passw ord hash unpredictable
• Passw ord storage should alw ays be salt ed
- Each user gets a different salt
• If the passw ord database is br eached, you can't corr elate
any passw ord s
- Even users with the same passw ord have different
hashes stored
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 20
https://ProfessorMesser.com
1.4 - On-Path Attacks
On-path network attack
On-path browser attack
• How can an attacker w atch without you knowing? • What if the middleman w as on the same computer as the victim?
- Formerly known as man-in-the-middle
- Malw are/ Trojan does all of the proxy w ork
- Formerly know n as man-in-the-browser
• Redirects your traffic
- Then passes it on to the destination
• Huge advantages for the attackers
- You never know your t raffic w as redirected
- Relatively easy to proxy encrypted traffic
- Everything looks normal to the victim
• ARP poisoning
- ARP has no security
- On-path attack on the local IP subnet
• The malware in your brow ser w aits for you to login to your bank
- And cleans you out
1.4 - MAC Flooding and Cloning
The MAC address
• Ethernet Media Access Control address
- The "physical" address of a netw ork adapter
- Unique to a device
MAC flooding
• The MAC table is only so big
• Attacker starts sending traffic with different source
MAC addresses
- Force out the legitimate MAC addresses
• 48 bits / 6 bytes long
- Displayed in hexadecimal
• The table fills up
- Sw itch begins flooding traffic to all interfaces
8c:2d:aa : 4b:98:a7
Organizationally Unique
Identifier (OUI)
(the manufacturer)
• This effectively turns the sw itch into a hub
- All traffic is transmitted to all interfaces
- No interruption in traffic flows
Network Interface
Controller-Specific
(the serial number)
• Attacker can easily capture all netw ork t raffic!
LAN switching
• Forwa rd or drop frames
- Based on the destination MAC address
• Flooding can be restricted in the switch's port
security settings
MAC cloning/ MAC spoofing
• An attacker changes their MAC address to match
the MAC address of an existing device
- A clone / a spoof
• Circumvent filters
- W ireless or w ired MAC filters
- Identify a va lid MAC address and copy it
• Gather a constantly updating list of MAC addresses
- Builds the list based on the source MAC addr ess of
incoming traffic
- These age out periodica lly, often in 5 minutes
• Mainta in a loop-free environment
- Using Spanning Tree Protocol (STP)
Learning the MACs
• Switches examine incoming t raffic
- Makes a note of the source MAC address
• Create a DoS
- Disrupt communication to the legitimate MAC
• Adds unknow n MAC addresses to the MAC address table
- Sets the output interface to the r eceived interface
• Easily manipulated through softw are
- Usually a device driver option
1.4 - DNS Attacks
DNS poisoning
• Modify the DNS server
- Requires some crafty hacking
• Modify the client host file
- The host file takes precedent over DNS queries
• Send a fake response to a va lid DNS request
- Requires a redirection of the original request
or the resulting response
Domain hijacking
• Get access to the doma in r egistration,
and you have control w here the traffic flow s
- You don't need to touch the actual servers
- Determines the DNS names and DNS IP addresses
• Many w ays to get into the account
- Brute force
- Social engineer the passw ord
- Gain access to the email address that manages the account
- The usual things
Domain hijacking
• Saturday, October 22, 2016, 1 PM
• Domain name r egistrations of
36 domains are changed
- Brazilian bank
- Desktop doma ins, mobile domains, and more
• Under hacker control for 6 hou rs
- The attackers became the bank
• 5 million customers, $27 bill ion in assets
- Results of the hack have not been publi cly released
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 21
https://ProfessorMesser.com
1.4 - DNS Attacks (continued)
URL hijacking
• Make money from your mistakes
- There's a lot of advertising on the 'net
Domain reputation
• The Internet is t racking your security posture
- They know w hen things go sidew ays
• Sell the badly spelled domain to the actual ow ner
- Sell a m istake
• Email reputation
- Suspicious activity
- Malware originating from the IP address
• Redirect to a competitor
- Not as common, legal issues
• Phishing site
- Looks like the real site, please login
• Infect with a drive-by dow nload
-You've got malware !
•A bad reputation can cause email delivery to fail
- Email rej ection or simply dropped
• Check w ith the email or service provider to check
the r eputation
- Follow their instructions to remediate
• Infected systems are noticed by the search engines
- Your doma in can be flagged or removed
Types of URL hijacking
• Typosquatting / brandjacki ng
- Take advantage of poor spelling
• Outright misspelling
- professormesser.com vs. professormessor.com
• A typing error
- professormeser.com
• Users w ill avoid the site
- Sales w ill drop
- Users will avoid your brand
• Malw are might be r emoved quickly
- Recovery ta kes much longer
• A different phrase
- professormessers.com
• Differ ent top-level domain
- professormesser.org
1.4 - Denial of Service
Denial of Service
• Force a service to fail
- Overload the service
DDoS amplification
• Turn your small attack into a big attack
- Often reflected off another device or service
• Take advantage of a design failure or vulnerabil ity
- Keep your systems patched !
• An increasingly common DDoS technique
-Turn Internet services against t he victim
• Cause a system to be unavailable
- Competitive advantage
• Create a smokescreen for some other exploit
- Precursor to a DNS spoofing attack
• Doesn't have to be complicated
- Turn off the pow er
• Uses protocols w ith little (if any) authentication or checks
- NTP, DNS, ICMP
-A common example of protocol abuse
A "friendly" Dos
• Unintentional DoSing - It 's not always a ne'er-do-w ell
• Netw ork DoS - Layer 2 loop w ithout STP
• Bandw idth DoS - Dow nloading multi-gigabyte Linux
distributions over a DSL line
• The w ater line br eaks
- Get a good shop vacuum
Distributed Denial of Service (DDoS)
• Launch an army of computers to bring dow n a service
- Use all the bandw idth or resources - t raffic spike
• This is w hy the attackers have botnets
- Thousands or mill ions of computers at your command
- At its peak, Zeus botnet infected over 3.6 mil lion PCs
- Coordinated attack
• Asymmetric threat
- The attacker may have few er resou rces than the victim
© 2020 Messer Studios, LLC
Application DoS
• Make the application break or w ork harder
- Increase dow ntime and costs
• Fill the disk space
- A 42 kilobyte .zip compressed file
- Uncompr esses to 4.5 petabytes (4,500 terabytes)
- Anti-virus will identify these
• Overuse a measured cloud resource
- More CPU/ memory/ netw ork is more money
• Increase the cloud server response time
- Victim deploys a new application instance - repeat
Operational Technology (OT) DoS
• The hardw are and softw are for industrial equipment
- Electric grids, traffic control, manufacturing plants, etc.
• This is more than a w eb server failing
- Pow er grid drops offline
- All t raffic lights are green
- Manufacturing plant shuts dow n
• Requires a different approach
- A much more critical security posture
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 22
https://ProfessorMesser.com
1.4 - Malicious Scripts
Scripting and automation
• Automate tasks
- You don't have to be there
- Solve problems in you r sleep
- Mon itor and re solve problems before they happen
• The need for speed
- The script is as fast as the computer
- No typing or delays
- No human error
• Automate the attack
- The hacker is on borrow ed time
Windows PowerShell
• Command line for system administrators
- .psl file extension
- Included w ith W indow s 8/8. 1 and 10
• Extend command-line functions
- Uses cmdlets (command-lets)
- Pow erShell scripts and functions
- Standalone executables
Shell script
• Scripting the Unix/Li nux shell
- Automate and extend the command line
- Bash, Bourne, Korn, C
• Starts w ith a shebang or hash-bang #!
- Often has a .sh file extension
• Attack the Linux/Un ix environment
- Web, database, virtualization servers
• Control the OS from the command line
- Ma lware has a lot of options
Macros
• Automate functions wit hin an application
- Or operati ng system
• Designed to make the application easier to use
- Can often create security vu lnerabilities
• Attackers create automated exploits
- They j ust need the user to open the file
- Prompts to run the macro
Visual Basic for Applications (VBA)
• Automates processes wit hin W indow s applications
- Common in Microsoft Offi ce
• Attack W indows systems
- System administration
- Active Domain administration
- File share access
• A pow erful programming language
- Interacts with t he operating system
Python
• General-purpose scripting language
- .py file extension
• Popular in many technologies
- Broad appeal and support
• Commonly used for cloud orchestration
- Create and tear dow n application instances
• CVE-2010-0815 / MSl0-03 1
- VBA does not properly search for ActiveX
controls in a document
- Run arbitrary code embedded in a document
- Easy to infect a computer
• Attack t he infrastruct ure
- Routers, servers, sw itches
1.5 - Threat Actors
Threat actors and attributes
• The entity responsible for an event t hat has
an impact on the safety of anot her entity
- Also called a malicious actor
• Sophistication may not be advanced,
but t he insider has instit utional knowledge
- Attacks can be directed at vu lnerable systems
- The insider know s w hat to hit
• Broad scope of act ors
- And motivations vary w idely
• Extensive resources
- Eating aw ay from the inside
• Advanced Persistent Threat (APT)
- Attackers are in the net w ork and undetected
- 2018 FireEye report:
Americas : 71 days,
EMEA: 177 days,
APAC: 204 days
Nation states
• Governments
• Nationa l security, job security
• Always an external entity
Insiders
• More t han just passw ords on sticky notes
- Some insiders are out for no good
© 2020 Messer Studios, LLC
• Highest sophistication
• M ilit ary control, utilities, financial control
• United States and Israel destroyed 1,000 nuclea r
centrifuges w ith the Stuxnet w orm
• Constant attacks
• Commonly an Advanced Persistent Threat (APT)
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 23
https://ProfessorMesser.com
1.5 - Threat Actors (continued)
Hacktivist
• A hacker wit h a purpose
- Social change or a political agenda
- Oft en an external entity
• Can be remarkably sophisticated
- Very specifi c hacks
- DoS, w eb site defacing, release of private documents, et c.
• Funding is li mited
- Some organizations have fund raising options
Script kiddies
• Runs pre-ma de scripts wit hout any knowledge
of w hat's r eally happening
- Not necessarily a youngster
• Can be internal or external
- But usua lly external
• Not very sophisticated
Hackers
• Experts with technology
- Often driven by money, pow er, and ego
• Au t horized
- An et hica l hacker with good intentions
- And perm ission to hack
• Unauthorized
- Malicious, violates security for persona l gain
• Semi-authorized
- Finds a vulnerability, doesn't use it
Shadow IT
• Going rogue
- Working around the int ernal IT organization
• Information Technology can put up roadblocks
- Shadow IT is unencumbered
- Use the cloud
- M ight also be able t o innovate
• No forma l funding
- Looking for low hanging fru it
• Motivated by the hunt
- Working the ego, trying t o make a name
Organized crime
• Professiona l criminals
- Motivat ed by money
- Almost always an external entity
• Very sophisticated
- Best hacking money can buy
• Crime that's organized
- One person hacks, one person manages the exploit s,
another person sells the data, anot her handles
customer support
• Lot s of capital to fund hacking efforts
• Not alw ays a good th ing
- Wasted time and money
- Security risks
- Compl iance issues
- Dysfunctiona l organization
Competitors
• Many different motivations
- DoS, espionage, harm reputation
• High level of soph istication
- Based on some significant funding
- The com petitive upside is huge (and very uneth ical)
• Many different intents
- Shut dow n your com petitor during an event
- St ea l customer lists
- Corrupt manufacturing databases
- Take fi nancial information
1.5 - Attack Vectors
• Attach a keylogger
- Collect usernames and passw ords
Attack vectors
• A method used by the attacker
- Gain access or infect to t he ta rget
• A lot of w ork goes into fin ding vu lnerabilities in t hese
vectors
- Some are more vu lnerable than ot hers
• IT security professiona l spend their career w atch ing
these vectors
- Closing up existing vectors
- Finding new ones
Direct access attack vectors
• There's a r eason w e lock t he data center
- Physical access to a system is a significant attack
vector
• Modify t he operating system
- Reset the administrator passw ord in a few minutes
© 2020 Messer Studios, LLC
• Transfer files
- Take it with you
• Denial of service
- This pow er cable is in the w ay
W ireless attack ve ctors
• Default login cred entia ls
• Modify the access point configuration
• Rogue access point
• A less-secu re entry point t o the net w ork
• Evil t win
• Attacker collect s aut hentication deta ils
• On-path attacks
• Prot ocol vulnerabilities
• 2017 - WPA2 Key Reinstallation Attack (KRACK}
• Older encryption prot ocols (W EP, WPA)
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 24
https://ProfessorMesser.com
1.5 - Attack Vectors (continued)
Email attack vectors
• One of the biggest (and most successful) attack vectors
- Everyone has email
Removable media attack vectors
• Get around the firew all
- The USB interface
• Phishing attacks
- People w ant to click links
• Malicious software on USB flash drives
- Infect air gapped networks
- Industri al systems, high-security services
• Deliver the malware to the user
- Attach it to the message
• Social engineering attacks
- Invoice scam
• USB devices can act as keyboards
- Hacker on a chip
• Data exfiltration
- Tera bytes of data w alk out the door
- Zero bandwidth used
Supply chain attack vectors
• Tamper w ith the underlying infrastructure
- Or manufacturing process
• Gain access to a netw ork using a vendor
- 2013 Target credit card br each
Cloud attack vectors
• Publicly-facing applications and services
- M istakes are made all the time
• Malw are can modify the manufacturing process
- 2010 - Stuxnet disrupts Iran's uranium enrichment program
• Security misconfigurations
- Data permissions and publ ic data stores
• Counterfeit netw orking equipment
- Instal l backdoors, substandard performance and availability
- 2020 - Fake Cisco Catalyst 2960-X and WS-2960X-48TS-L
• Brute force attacks
- Or phish the users of the cloud service
Social media attack vectors
• Attackers thank you for putting your personal information
online
- Where you are and w hen
- Vacation pictures are especially telling
• Orchestration attacks
- Make the cloud bu ild new application instances
• Denial of service
- Disable the cloud services for everyone
• User profiling
-Where w ere you born?
- What is the name of your school mascot?
• Fake friends ar e fake
- The inner circle can provide additional information
1.5 - Threat Intelligence
Threat intelligence
• Research the threats - And the threat actors
• Data is everyw here
- Hacker group profiles, tools used by the attackers,
and much more
• Make decisions based on this intelligence
- Invest in the best prevention
• Used by researchers, security operations teams,
and others
Open-source intelligence (OSINT)
• Open-source
- Publicly available sources
- A good place to start
• Internet
- Discussion groups, social media
• Government data
- Mostly public hearings, reports, w ebsites, etc.
• Commercial data
- Maps, financial reports, databases
Closed/proprietary intelligence
• Someone else has already compiled the threat information
- You can buy it
• Threat intelligence services
- Threat analytics, correlation across different data sources
• Constant threat monitoring
- Identify new threats
- Cr eate automated prevention w orkflows
Vulnerability databases
• Researchers find vulnerabilities
- Everyone needs to know about them
• Common Vulnerabilities and Exposur es (CVE)
-A community managed list of vulnerabilities
- Sponsored by the U.S. Department of Homeland
Security (OHS) and Cybersecurity and Infrastructure
Security Agency (CISA)
• U.S. National Vulnerability Database (NVD)
-A summary of CVEs
- Also sponsored by OHS and CISA
• NVD provides additional details over the CVE list
- Patch availability and severity scoring
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 25
https://ProfessorMesser.com
1.5 - Threat Intelligence (continued)
Public/private information-sharing centers
• Public t hr eat intelligence
- Oft en classifi ed information
• Private threat intelligence
- Private compan ies have extensive resources
• Need t o share critica l security details
- Rea l-time, high-qua lity cyber threat information sharing
• Cyber Threat Alliance (CTA)
- Members upload specifically formatted th reat intelligence
- CTA scores each submission and validat es
across ot her submissions
- Ot her members can extract the validated data
Automated indicator sharing (AIS)
• Intelligence industry needs a st andard w ay to shar e
important t hreat data
- Share information freely
• Structured Threat Information eXpr ession (STIX)
- Describes cyber t hr eat information
- Includes motivations, abilities, capabilities, and
response information
• Trusted Aut omated exchange of Indicator Information (TAXII)
- Secu rely sha res STIX data
Dark w eb intelligence
• Dark w eb
- Overlay net w orks that use t he Internet
- Requires specific softw are and configurations to access
• Hacking grou ps and services
- Activities
- Tools and techniques
- Credit card sales
- Accounts and passw ords
• Monitor forums for activity
- Com pany names, executive names
Indicators of compromise (IOC)
• An event that indicates an intrusion
- Confi dence is high
- He's calling from inside t he house
• Indicat ors
- Unusual amount of network activit y
- Change to file hash values
- Irregu lar international traffi c
- Changes to DNS data
- Uncommon login patterns
- Spikes of read request s t o certain fil es
Predictive analysis
• Analyze large amounts of data very qu ickly
- Find suspicious patterns
- Big data used for cybersecu rity
• Identify behaviors
- DNS queri es, t raffi c patterns, location dat a
• Creates a forecast for potential attacks
- An early-w arning system
• Often com bined wit h machine learning
- Less emphasis on signat ures
Threat maps
• Identify attacks and trends
- View w orldw ide perspective
• Created from r eal attack data
- Identify and react
File/code repositorie s
• See w hat the hackers are building
- Publi c code repositori es, GitHub
• See w hat people are accidentally releasing
- Private code can often be published publicly
• Attackers are always looking for th is code
- Potential exploits exist
- Content for phishing attacks
1.5 - Threat Research
Threat re search
• Know your enemy
- And their tools of w ar
• A never-ending process
- The fi eld is constantly moving and changing
• Information from many different places
- You can't rely on a single source
Vendor w ebsites
• Vendors and manufactur ers
- They w rote the softw are
Vulnerability feeds
• Automat ed vulnerabilit y notifi cations
• National Vulnerability Dat abase
(https:// nvd.nist.gov)
• CVE Data Feeds (https:// cve.m it r e.org)
• Third-party feeds
• Additiona l vulnerability coverage
• Roll-up t o a vulnerability management system
• Coverage across teams
• Consolidated view of security issues
• They know w hen problems are announced
- Most vendors are involved in t he disclosure process
• They know t heir product better than anyone
- They react w hen surprises happen
- Scrambling after a zero-day announcement
- Mitigating and support options
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 26
https://ProfessorMesser.com
1.5 - Threat Intelligence (continued)
Conferences
• Watch and learn
- An early warning of things to come
Local industry groups
• A gathering of local peers
- Shared industry and technology, geographical pre sence
• Researchers
- New DDoS methods, intelligence gathering,
hacking the latest technologies
• Associations
- Information Systems Securit y Association,
Network Professional Association
- Meet others in the area, discuss loca l challenges
• Stories from the trenches
- Fighting and recovering from attacks
- New methods to protect your data
• Building relationsh ips - forge alliances
Academic journals
• Research from academic professionals
- Cutting edge secu rity analysis
• Evaluations of existing security technologies
- Keeping up with the latest attack methods
• Detailed post mortem
- Tear apart the latest malw are and
see what makes it tick
• Industry user groups
- Cisco, Microsoft, VMware, etc. - Secure specific technologies
Social media
• Hacking group conversations - Mon itor the chatter
• Honeypot monitoring on Tw itter
- Identify new exploit attem pts
• Keyw ord monitoring - CVE-2020-*, bugbounty, 0-day
• Analysis of vulnerabilities - Professionals discussing the details
• Command and control - Use social media as the transport
Threat feeds
• Monitor threat announcements - Stay informed
• Extremely detailed information
- Break apart topics into their smal ler pieces
Request for comments (RFC)
• Published by the Internet Society (ISOC)
- Often w ritten by the Internet Engineering
Task Force {IETF}
- Internet Society description is RFC 1602
• Not all RFCs are standards documents
- Experimental, Best Current Practice,
Standard Track, and Historic
• M any informational RFCs analyze threats
- RFC 3833 - Threat Analysis of the Domain
Name System
- RFC 7624 - Confidentiality in the Face of
Pervasive Surveillance :
- A Threat Model and Problem Statement
• M any sources of information
- U.S. Department of Homeland Security
- U.S. Federal Bureau of Investigation
- SANS Internet Storm Center
- VirusTotal Intelligence:
- Google and Facebook correlation
TTP
• Tactics, techniques, and procedures
- Wh at are adversaries doing and how are they doing it?
• Search through data and netw orks
- Proactively look for threats
- Signatures and firewall rules can't catch everything
• Differ ent t ypes of TTPs
- Information on targeted victi ms (Finance for energy
compan ies)
- Infrastructure used by attackers (DNS and IP addr esses)
- Outbreak of a particular malw are variant on a service type
1.6 - Vulnerability Types
Zero-day attacks
• M any applications have vulnerabilities
- We've just not found them yet
Open permissions
• Very easy to leave a door open
- The hackers will alw ays find it
• Someone is w orking hard to find the next
big vulnerability
- The good guys share these with developers
• Increasingly common w ith cloud storage
- Statistical chance of finding an open permission
• Attackers keep these yet-to-be-discovered holes
to themselves
- They w ant to use these vulnerabilities for
personal gain
• June 2017 - 14 million Verizon records exposed
- Third-party left an Amazon S3 data repository open
- Researcher found the data before anyone else
• M any, many other examples
- Secure your permissions!
• Zero-day
- The vulnerabil ity has not been detected or published
- Zero-day exploits are increasingly common
• Common Vulnerabilities and Exposures (CVE)
- http://cve.mitre.org/
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 27
https://ProfessorMesser.com
1.6 - Vulnerability Types (continued)
Unsecured root accounts
• The Linux root account
- The Administrator or superuser account
Default settings
• Every application and netw ork device has a default login
- Not all of these are ever changed
• Can be a misconfiguration
- Intentionally configuring an easy-to-hack passw ord
- 123456, ninja, football
• Disable direct login to the root account
- Use the su or sudo option
• Protect accounts w ith root or administrator access
- There should not be a lot of these
• M irai botnet
- Takes advantage of default configurations
- Takes over Internet of Things (loT) devices
- 60+ default configurations
- Cameras, routers, doorbells, garage door openers, etc.
Errors
• Error messages can provide useful information
to an attacker
- Service type, version information, debug data
Open ports and services
• Services w ill open ports
- It's important to manage access
• September 2015 - Patreon is compromised
- Used a debugger to help mon itor and troubleshoot
w eb site issues
- Was left exposed to the Internet
- Effectively allow ed for remote code executions
- Gigabytes of customer data w as released online
• M irai released as open-source softw are
- There's a lot more w here that came from
• Often managed with a fir ew all
- Manage traffic flow s
-Allow or deny based on port number or application
• Firew all rulesets can be complex
- It's easy to make a mistake
• Always test and audit
- Double and triple check
Weak encryption
• Encryption protocol (AES, 3DES, etc. )
- Length of the encryption key (40 bits, 128 bits,
256 bits, etc.)
- Hash used for the integrity check (SHA, MD5, etc. )
- W ireless encryption (WEP, WPA)
Improper patch management
• Often centrally managed
- The update server determine w hen you patch
- Test all of your apps, then deploy
- Efficiently manage bandw idth
• Some cipher su ites are easier to break than others
- Stay updated with the latest best practices
• Operating system- Monthly and on-demand patches
• TLS is one of the most common issues
- Over 300 cipher suites
• Which are good and w hich are bad?
- Weak or null encryption (less than 128 bit key sizes),
outdated hashes (MD5)
Insecure protocols
• Some protocols aren't encrypted
- All traffic sent in the clear - Telnet, FTP, SMTP, IMAP
• Verify with a packet capture
- View everything sent over the netw ork
• Use the encrypted versions- SSH, SFTP, IMAPS, etc.
• Firmw are - The BIOS of the device
• Applications
- Provided by the manufactur er as-needed
Legacy platforms
• Some devices remain installed for a long time
- Perhaps too long
• Legacy devices
- Older operating systems, applications, middlew are
• May be running end-of-life softw are
- The risk needs to be compared to the return
• May require additional security protections
-Additional firewall rules
- IPS signatur e ru les for older operating systems
1.6 - Third-party Risks
Third-party risks
• IT security doesn't change because it's a th ird-party
- There should be more security, not less
System integration risk
• Professional installation and maintenance
- Can include elevated OS access
• Always expect the w orst
- Prepare for a breach
• Can be on-site
- With physical or virtual access to data and systems
- Keylogger installations and USB flash drive data
t ransfers
• Human error is still the biggest issue
- Everyone needs to use IT security best practices
• All security is important
- Physical security and cybersecurity w ork hand-in-hand
© 2020 Messer Studios, LLC
• Can run softw are on the internal network
- Less security on the inside
- Port scanners, traffic captur es
- Inject malware and spyw are, sometimes inadvertently
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 28
https://ProfessorMesser.com
1.6 - Third-party Risks (continued)
Lack of vendor support
• Security requires diligence
- The potential for a vu lnerability is always there
• Vendors are the only ones w ho can fi x their products
- Assum ing they know about the problem
- And care about fixing it
• Trane Comfortlink II thermostats
- Control the temperature from your phone
- Trane notified of three vu lnerabilities in April 2014
- Tw o patched in April 2015, one in January 2016
Supply chain risk
• You can't always control security at a third-party location
- Always maintain local security controls
• Hardw are and software from a vendor can contain malware
- Verify the security of new systems
• Counterfeit hardware is out ther e
- It looks like a Cisco switch ... ls it malicious?
Outsourced code development
• Accessing the code base
- Internal access over a VPN
- Cloud-based access
• Verify security to other systems
- The development systems shou ld be isolated
• Test the code security
- Check for backdoors
- Validate data protection and encryption
Data storage
• Consider the type of data
- Contact information
- Healthcare details, financia l information
• Storage at a th ird-party may need encryption
- Limits exposure, adds complexity
• Transferring data
- The entire data flow needs to be encrypted
1.6 - Vulnerability Impacts
• Attackers sent secure messages to t ransfer nearly one
Vulnerability impacts
• Ma licious cyber activity cost the U.S. economy bet w een
billion dollars in reserves to accounts in Phili ppines
$57 billion and $109 billion in 2016
and Sri Lanka
- The Cost of Mal icious Cyber Activity to the U.S. Economy, - Fortunately, most of the messages w ere
- The Council of Econom ic Advisers, February 2018
incorrectl y formatted
• Many other non-economic impacts - Far reaching effects
• These are the reasons w e patch vulnerabilities
Data loss
• Vulnerability: Unsecured databases
- No passw ord or default password
• July 2020 - Internet-facing databases are being deleted
- No w arning, no explanation
• Thousands of databases ar e missing
- I hope you had a backup
• Overwrites data w ith iterations of the w ord "meow"
- No messages or motivational content
Identity theft
• May through July 2017 - Eq uifax
- Data breach of 147.9 million Americans,
- 15.2 million British citizens, 19,000 Canadian citizens
- Names, SSNs, birthdates, addresses, some driver's
license num bers
• Apache Struts vulnerabilit y from March 7, 2017
- Breach started March 12th
- Wasn't patched by Equifax unti l July 30th after
discovering "suspicious network traffic"
- September 7th - Public disclosure
• September 15th - CIO and CSO depart Equifax
• July 2019 - Equifax pays $575 million in fine s
Financial loss
• Ma rch 2016 - Bank of Bangladesh
- Society for Worldwide Interbank Financial
Telecommu nications (SWIFT)
© 2020 Messer Studios, LLC
• Thirty-five requests w er e acted upon
- $81 mill ion lost and launder ed through the
Fi lipino casino industry
• Similar SWIFT vu lnerabilities: $12 mill ion from
Wells Fargo, $60 million from Taiwanese Far Eastern
International Bank
Reputation impacts
• Getting hacked isn't a great look
- Organizations are often req uired to disclose
- Stock prices drop, at least for the short term
• October 2016 - Uber breach
- 25.6 million Names, email addresses, mobile numbers
• Didn't publicly announce it until November 2017
- Allegedly paid the hackers $100,000 and had them
sign an NOA
- 2018 - Uber paid $148 million in fines
• Hackers pleaded guilt y in October 2019
- August 2020 - Ube r's former Ch ief Security Officer
Availability loss
• Outages and downtime - Systems are unavailable
• The pervasive ransom w are th reat
- Brings dow n the largest netw orks
• September 2020 - BancoEstado
- One of Chile's three biggest banks
- Ransom w are attack over the w eekend
• Bank closed for an extended period
- Segmented netw ork - Only hit internal systems
- Wipe and restore everything
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 29
https://ProfessorMesser.com
1. 7 - Threat Hunting
Threat hunting
• The constant game of cat and mouse
- Find the attacker before they fin d you
• Strategies are constantly changing
- Firew alls get stronger, so phishing gets better
• Intelligence data is reactive
- You can't see the attack until it ha ppens
• Speed up the reaction time
- Use technology to fight
Fusing the data
• Collect the dat a
- Logs and sensors, net w ork information,
Internet events, intrusion detection
• Add external sources
- Threat feed s, government al alert s, advisories and
bulletins, socia l media
• Correlat e with big data analytics
- Focuses on predictive ana lytics and user behavior
analytics
- Mathematica l analysis of unst ructured data
Intelligence fu sion
• An overw helming amount of security data
- Too much data t o properly detect, ana lyze, and react
• Many data types
- Dramatica lly different in t ype and scope
Cybersecurity maneuvers
• In the physical w orld, move t roops an d tanks
- Stop t he enemy on a bridge or shore
• Sepa rate t eams
- Secu rity operations, security intelligence, t hreat
re sponse
• In the virt ual w orld, move firew alls and operating systems
- Set a fir ew all ru le, block an IP addr ess, delete ma licious
softw are
• Fuse the security data toget her w ith
big dat a analytics
- Analyze massive and diverse dat aset s
- Pick out the inter esting data point s
and correlations
• Automated maneuvers
- Moving at the speed of light
- The computer react s instant ly
• Combine wit h fused intelligence
- Ongoing combat from many fronts
• Tomorrow it 's a different fight
1. 7 - Vulnerability Scans
Vulnerability scanning
• Usually m inima lly invasive
- Unlike a penetration test
Identify vulnerabilities
• The scanner looks for everything
- Well, not everyt hing - The signatu re s ar e the key
• Port scan
- Poke around and see w hat 's open
• Application scans
- Deskt op, mobi le apps
• Identify systems
- And security devices
• Web application scans
- Softw are on a w eb server
• Test from the outside and inside
- Don't dismiss insider threat s
• Network scans
- M isconfigur ed firew alls, open ports, vulnerable devices
• Gather as much information as possible
- We'll sepa rate w heat from chaff later
Vulnerability research
• The vulnerabilities can be cross-referenced online
- Almost all scanners give you a place t o go
Scan t ypes
• Scanners are very pow erfu l
- Use many different techniques to identify
vulnerabilities
• Non-intrusive scans
- Gather information, don't t ry to exploit a
vulnerabilit y
• Intrusive scans
- You' ll try out the vulnera bil ity to see if it w orks
• Non-cred entia led scans
- The scanner can't login to t he remote device
• Credentialed scan
- You' re a norma l user,
emu lates an insider attack
• National Vu lnerability Data base: http://nvd.nist.gov/
• Common Vulnerabilities and Exposures (CVE):
https://cve.m it r e.org/cve/
• M icroso ft Securit y Bulletins:
http://www.m icroso ft.com/technet/ security/current.aspx
• Some vulnerabilities cannot be defi nitively identifi ed
- You' ll have t o check manua lly to see if a
system is vulnerable
- The scanner gives you a heads-up
CVE-2020-25079 - An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS2670L through 2.02 devices. cgi-bin/ ddns_enc.cgi allows authenticated command injection.
V3. l :V2:-
Published: September 02, 2020; 12:15:12 PM -04:00
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 30
https://ProfessorMesser.com
1. 7 - Vulnerability Scans (continued)
• National Vulnerability Database: http://nvd.nist.gov/
- Synchronized with the CVE list
- Enhanced search functionality
Dealing with false positives
• False positives
-A vulnerability is identified that doesn't really exist
• Common Vulnerability Scoring System (CVSS)
- Quantitative scoring of a vulnerability - 0 to 10
- The scoring standards change over time
- Different scoring for CVSS 2.0 vs CVSS 3.x
• This is different than a low -severity vulnerability
- It's real, but it may not be your highest priority
• Industry col laboration
- Enhanced feed sharing and automation
• Update to the latest signatures
- If you don't know about it, you can't see it
Vulnerability scan log review
• Lack of security controls
- No firewall
- No anti-virus
- No anti-spyw are
• Work with the vulnerability detection manufacturer
- They may need to update their signatur es for your
environment
• False negatives
-A vulnerability exists, but you didn't detect it
Configuration review
• Validate the security of device configurations
- It's easy to misconfigure one thing
-A single un locked wi ndow puts the entire home at risk
• M isconfigurations
- Open shares
- Guest access
• Real vulnerabilities
- Especially new er ones
- Occasionally the old ones
• Workstations
-Account configurations, local device settings
• Servers - Access controls, permission settings
• Security devices - Firew all rules, authentication options
1. 7 - Security Information and Event Management
SIEM
• Security Information and Event Management
- Logging of security events and information
Security monitoring
• Constant information flow
- Important metrics in the incoming logs
• Log collection of security alerts
- Real-time information
• Track important statistics
- Exceptions can be identified
• Send alerts w hen problems ar e found
- Email, text, call, etc.
• Create t riggers to automate responses
- Open a ticket, reboot a server
• Log aggregation and long-term storage
- Usually includes advanced reporting features
• Data corr elation - Link diverse data types
• Forensic analysis - Gather detai ls after an event
Analyzing the data
• Big data analytics
- Analyze large data stores
- Identify patterns that w ould normally r emain invisible
Syslog
• Standard for message logging
- Diverse systems, consolidated log
• Usually a central log collector
- Integrated into the SIEM
• You' re going to need a lot of disk space
- No, more. More than that.
- Data storage from many devices over
an extended timeframe
SIEM data
• Data inputs
- Server authentication attempts
- VPN connections
- Firew all session logs
- Denied outbound traffic flow s
- Network utilizations
• Sentiment analysis
- Public discourse corr elates to real-w orld behavior
- If they hate you, they hack you
- Social media can be a barometer
SOAR
• Security orchestration, automation, and response
- Automate routine, tedious, and time intensive activities
• Packet captures
- Network packets
- Often associated w ith a critica l alert
- Some organizations capture everything
© 2020 Messer Studios, LLC
• User and entity behavior analytics (UEBA)
- Detect insider threats
- Identify targeted attacks
- Catches w hat the SIEM and OLP systems might miss
• Orchestration
- Connect many different tools together
- Firew alls, account management, email filters
• Automation - Handle security tasks automatically
• Response - Make changes immediately
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 31
https://ProfessorMesser.com
1.8 - Penetration Testing
Penetration testing
• Pentest
- Simulate an attack
Exploiting vulnerabilities
• Try to break into the system
- Be carefu l; th is can cause a den ial of service or
loss of data
- Buffer overflow s can cause instability
- Gain privilege escalation
• Similar to vu lnerabi lity scanning
- Except w e actually try to exploit
the vulnerabilities
• Often a compliance mandate
- Regular penetration testing by a 3rd-party
• National Institute of Standards and Technology
Technical Guide to Information Security Testing
and Assessment
- https://professormesser.link/800115 (PDF}
Rules of engagement
• An important document
- Defines purpose and scope
- Makes everyone aware of the test parameters
• Type of testing and schedu le
- On-site physical breach, internal test,
external test
- Normal w orking hou rs, after 6 PM on ly, etc.
• The ru les
- IP address range s
- Emergency contacts
- How to handle sensitive information
- In-scope and out-of-scope devices
or applications
Working knowledge
• How much do you kn ow about the test?
- Many different approaches
• Unknow n environment
- The pentester knows nothing about the
systems under attack
- "Blind" test
• Know n environment
- Full disclosu re
• Partially know n environment
-A mix of know n and unknow n
- Focus on certain systems or applications
• You may need to try many different vulnerability t ypes
- Passw ord brute-force, social engineering,
database injections, buffer overflows
• You'll only be sur e you're vulnerable if you can
bypass security
- If you can get through, the attackers can get through
The process
• Initial exploitation - Get into the netw ork
• Lateral movement
- Move from system to system
- The inside of the netw ork is relatively unprotected
• Persistence
- Once you're ther e, you need to make sure ther e's a
w ay back in
- Set up a backdoor, build user accounts, change or
verify default passwords
• The pivot
- Gain access to systems that w ould normally not
be accessible
- Use a vulnerable system as a proxy or relay
Pentest aftermath
• Cleanup
- Leave the netw ork in its original state
- Remove any binaries or temporary files
- Remove any backdoors
- Delete user accounts created during the test
• Bug bounty
-A rew ard for discovering vulnerabilities
- Earn money for hacking a system
- Document the vulnera bility to earn cash
1.8 - Reconnaissance
Passive footprinting
• Learn as much as you can from open sources
- There's a lot of information out there
- Remarkably difficult to protect or identify
Reconnaissance
• Need information before the attack
- Can't rush bli ndly into battle
• Gathering a digital footprint
- Learn everything you can
• Social media
• Corporate w eb site
• Understand the security postu re
- Firew alls, security configurations
• Online forums, Reddit
• M inimize the attack area
- Focus on key systems
• Social engineering
• Create a network map
- Identify routers, netw orks, remote sites
© 2020 Messer Studios, LLC
• Dumpster diving
• Business organizations
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 32
https://ProfessorMesse r.com
1.8 - Reconnaissance (continued)
Ward riving or warflying
• Combine W iFi mon itoring and a GPS
- Search from your ca r or plane
- Search from a drone
Open Source Intelligence (OSI NT)
• Gathering information from many open sources
- Find information on anyone or anything
- The name is not related t o open-source softw are
• Huge amount of intel in a short period of time
- And often some su rprising r esu lts
• Data is everyw her e - https:// osintframew ork.com/
• Automated gathering - Many softw are t ools available
• All of this is free
- Kismet , inSSIDer
- W ireless Geographic
- Logging Engine
- http://wigle.net
Active footprinting
• Trying the doors
- Maybe one is unlocked
- Don't open it yet
- Relatively easy t o be seen
• Visib le on network traffi c and logs
• Ping scans, port scans, DNS queries,
OS scans, OS fingerprinting, Service scans, version scans
1.8 - Security Teams
Security teams
• Cybersecurity involves many skills
- Operational secu rity, penetration testing,
exploit research, w eb application hardening, et c.
Purple team
• Red and blue teams
- Working together
• Become an expert in you r niche
- Everyone has a role t o play
• Competition isn't necessarily useful
- Interna l battles can stifl e organizational securit y
- Cooperate instead of com pet e
• The teams
- Red team, blue team, purple team, w hite team
• Deploy applications and data securely
- Everyone is on-board
Red team
• Offensive securit y team - The hired attackers
• Create a feedback loop
- Red informs blue, blue informs red
• Eth ical hacking - Find security holes
White team
• Not on a side
- Manages the int eractions betw een red t eams
and blue teams
• Exploit vu lnerabilities -Ga in access
• Social engineering - Constant vigilance
• Web application scann ing - Test and test again
Blue team
• Defensive security - Protecting the data
• Operational securit y - Daily secu rity tasks
• Incident response - Damage control
• Th reat hunting - Find and fi x the holes
• Digital forensics - Find dat a everyw here
• The referees in a securit y exercise
- Enforces t he rules
- Resolves any issues
- Det erm ines the score
• Manages the post-event assessments
- Lessons learned
- Results
2.1- Configuration Management
Configuration management
• The on ly constant is change
- Operating systems, patches, application updates, netw ork
modifications, new application instances, etc.
• Identify and document ha rd w are and softw are settings
- Manage t he securit y w hen changes occu r
• Rebuild those systems if a disaster occurs
- Documentation and processes will be critica l
Diagrams
• Netw ork diagrams - Document the physical wi re and device
• Physical data center layout
- Can include physical rack locations
Baseline configuration
• The security of an application environment
shou ld be w ell defined
- All application instances must foll ow t his baseli ne
- Firew all settings, pat ch levels, OS file versions
- May require constant updates
• Integrity measurement s check for the
secure baseline
- These shou ld be perform ed often
- Check against w ell-documented baselines
- Fa il ure req uires an immediat e correction
• Device diagrams - Individual cabli ng
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 33
https://ProfessorMesser.com
2.1 - Configuration Management (continued)
Standard naming conventions
• Create a standard
- Needs to be easily understood by everyone
• Devices
- Asset tag names and numbers
- Com puter names - location or region
- Serial num bers
• Netw orks - Port labeling
• Doma in configurations
- User account names
- Standard email addresses
IP schema
• An IP addr ess plan or model
- Consistent addressing for netw ork devices
- Helps avoid du plicate IP addressing
• Locations
- Number of su bnets, hosts per su bnet
• IP ranges
- Different sit es have a different su bnet
- 10.1.x.x/ 24, 10.2.x.x/24, 10.3.x.x/24
• Reserved addr esses
- Users, printers, routers/default gatew ays
2.1- Protecting Data
Prot ecting Data
• A primary job task
- An organization is out of business w ithout data
• Dat a is everyw here
- On a storage drive, on the net w ork, in a CPU
• Protecting t he data
- Encryption, secu rity policies
• Dat a perm issions
- Not everyone has the same access
Data sovereignty
• Dat a sovereignty
- Data t hat re sides in a country is subject to
the law s of that country
- Legal monit oring, court orders, et c.
• Law s may proh ibit w here dat a is stored
- GDPR (General Data Protection Regulation)
- Data collect ed on EU citizens must be stored
in t he EU
- A com plex mesh of technology and legalities
• Where is your data stored?
- Your compliance laws may prohibit
moving data out of the country
Data masking
• Dat a obfuscation
- Hide some of the original data
• Protect s PII
- And ot her sensitive dat a
• May only be hidden from view
- The data may sti ll be intact in storage
- Control the view based on permissions
• Many different techniques
- Substituting, shuffli ng, encrypting, masking out , etc.
Data encryption
• Encode information into unreadable data
- Original information is plaintext , encrypted
form is ciphertext
• Th is is a tw o-w ay street
- Convert bet w een one and t he other
- If you have t he proper key
© 2020 Messer Studios, LLC
• Confusion
- The encrypted data is drastically different
than the plaintext
• Diffusion
- Change one cha racter of the input , and many
characters change of the output
Data at-rest
• The data is on a storage device
- Hard drive, SSD, fl ash drive, etc.
• Encrypt the data
- Whole disk encryption
- Database encryption
- File- or folder-level encryption
• Apply permissions
- Access control lists
- On ly authorized users can access t he data
Data in-transit
• Dat a t ransm itted over the netw ork
- Also called data in-motion
• Not much protection as it travels
- Many different swit ches, routers, devices
• Netw ork-based prot ection
- Firew all, IPS
• Provide t ransport encryption
- TLS (Transport Layer Securit y)
- IPsec {Internet Protocol Secu rity)
Data in-use
• Dat a is actively processing in memory
- System RAM, CPU registers and cache
• The data is almost alw ays decrypted
- Ot herwise, you cou ld n' t do anyth ing with it
• The attackers can pick the decrypted information
out of RAM
- A very attractive option
• Target Corp. br each - Novem ber 2013
- 110 m ill ion cr edit cards
- Data in-transit encryption and dat a at-rest encryption
- Attackers picked t he credit card numbers out of the
point-of-sale RAM
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 34
https://ProfessorMesser.com
2.1 - Protecting Data (continued)
Tokenization
• Replace sensitive data wit h a non-sensitive placeholder
- SSN 266-1 2-1 112 is now 691-61-8539
• Common w ith credit card processing
- Use a temporary t oken du ring payment
- An attacker captu ring the card numbers
can't use them later
• Th is isn't encryption or hashing
- The original data and token aren't mathematically r elated
- No encryption overhead
Information Rights Management (IRM)
• Cont rol how dat a is used
- Microsoft Offi ce documents,
ema il messages, PDFs
• Restrict data access to unauthori zed persons
- Prevent copy an d paste
- Control screenshot s
- Manage printing
- Restrict editing
• Each user has their ow n set of rights
- Attackers have limited options
2.1- Data Loss Prevention
Data Loss Prevention (DLP)
• Where's your data?
- Social Security numbers, credit card num bers,
medical records
• Stop the data before the attackers get it
- Data " leakage"
• So many sources, so many destinations
- Oft en requires mu ltiple solutions in different places
Data Loss Prevention (DLP) system s
• On your computer
- Data in use
- Endpoint OLP
• On your netw ork
- Data in motion
• On your server
- Data at rest
USB blocking
• OLP on a w orkst ation
- Allow or deny certain tasks
• November 2008 - U.S. Department of Defense
- Worm virus "agent.btz" replicates using USB st orage
- Bans removable flash medi a and storage devices
• All devices had to be updat ed
- local DLP agent handled USB blocking
• Ban w as lifted in Februa ry 2010
- Replaced with st rict gu idelines
Cloud-based DLP
• Located betw een users and the Internet
- Watch every byte of net w ork t raffic
- No hardw are, no softwar e
• Block custom defined data strings
- Unique data for your organization
• Manage access t o URLs
- Prevent file transfers to cloud storage
• Block viruses and malw are
- Anything traversing the net w ork
DLP and email
• Email continues to be the most critical risk vector
- Inbound threat s, outbound data loss
• Check every email inbound and outbound
- Internal system or cloud-based
• Inbound - Block keywords, identify im postors,
quarantine email messages
• Outbound - Fake w ire t ransfers, W-2 t ransm issions,
employee information
Emailing a spreadsheet templat e
• November 2016 - Boeing employee emails spouse a
spreadsheet t o use as a template
• Contai ned the PII of 36,000 Boeing em ployees
- In hidden columns
- Social secu rity numbers, dat e of birth, et c.
• Boeing sells it s ow n DLP softw are
- But on ly uses it for classified w ork
2.1 - Managing Security
Geographical considerations
• Legal im plications
- Business regu lations vary betw een st ates
- For a r ecovery sit e outside of t he country, personnel
must have a passport and be able to clear immigration
- Refer to your legal team
• Offsit e backup
- Organ ization-ow ned site or 3rd-party secure fa cility
• Offsit e r ecovery
- Hosted in a different location, outside the scope of the
disaster
- Travel considerations for su pport staff and employees
© 2020 Messer Studios, LLC
Response and recovery controls
• Incident response and recovery has become
commonplace
- Attacks ar e frequent and complex
• Incident response plan should be established
- Documentation is critical
- Identify t he attack
- Contain the attack
• Li mit the impact of an attacker
- limit data exfiltration
- limit access t o sensitive data
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 35
https://ProfessorMesser.com
2.1 - Managing Security (continued)
SSL/TLS inspection
• Commonly used to examine outgoing SSL/TL$
- Secure Sockets Layer/Transport layer Security
- For example, from your computer to your bank
• Wait a second. Examine encrypted traffic?
- Is that possible?
• SSL/TL$ rel ies on trust
- W ithout t rust, none of this w orks
Trust me, I'm SSL
• Your brow ser contains a list of t rusted CAs
- My brow ser contains about 170 trusted
CAs certificates
• Your brow ser doesn't trust a w eb site unless a CA has
signed the w eb server's encryption certificate
- The w eb site pays some money to the CA for this
• The CA has ostensibly performed some checks
- Validated against the DNS record, phone call, etc.
• Your brow ser checks the w eb server's certificate
- If it's signed by a t rusted CA, the encryption
w orks seamlessly
Hashing
• Represent data as a short string of text
- A message digest
• One-w ay t rip
- Impossible to recover the original message
from the digest
- Used to store passw ords / confidentiality
• Verify a dow nloaded document is the same
as the original
- Integrity
• Can be a digital signature
-Authentication, non-repudiation, and integrity
• Wi ll not have a collision (hopefully)
- Different messages will not have the same hash
API considerations
• API (Application Programm ing Interface)
- Control softwar e or hardw are programmatically
• Secure and harden the login page
- Don't forget about the AP I
• On-path attack
- Intercept and modify AP I messages,
replay API commands
• API injection
- Inject data into an API message
• DDoS (Distributed Denial of Service)
- One bad API call can bring dow n a system
API security
• Authentication
- Limit API access to legitimate users
- Over secure protocols
• Authorization
-API should not allow extended access
- Each user has a lim ited role
-A r ead-only user should not be able to make
changes
• WAF (Web Application Firew all )
-Apply rules to API communication
2.1- Site Resiliency
Site resiliency
• Recovery site is prepped
- Data is synchron ized
Cold Site
• No hardw are
- Empty building
• A disaster is called
- Business processes fa ilover to the alternate
processing site
• Problem is addressed
- This can take hours, w eeks, or longer
• Revert back to the primary location
- The process must be documented for both directions
• No data
- Bring it with you
Hot site
• An exact replica
- Duplicate everything
• Stocked with hardw are
- Constantly updated
- You buy t w o of everything
• Applications and softwar e are constantly updated
- Automated r eplication
• Flip a switch and everything moves
-This may be qu ite a few sw itches
© 2020 Messer Studios, LLC
• No people
- Bus in your team
Warm site
• Somew here betw een cold and hot
- Just enough to get going
• Big room w ith rack space
- You bring the hardw are
• Hardw are is ready and waiting
- You bring the softw are and data
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 36
https://ProfessorMesser.com
2.1- Honeypots and Deception
Honeypots
• Attract the bad guys
- And trap them there
Fake telemetry
• Machin e learning
- Interpret big data to identify the invisible
• The "attacker" is probably a machine
- Makes for interesting recon
• Train the machine w ith actual data
- Learn how malware looks and acts
- Stop ma lw are based on actions instead of signatures
• Honeypots
- Create a virtua l w orld to explor e
• Send the machine learning model fake telemetry
- Make malicious malware look benign
• Many different options
- Kippo, Google Hack Honeypot, Wordpot, etc.
• Constant battle to discern the real from the fake
DNS sinkhole
• A DNS that hands out incorrect IP addresses
- Blackhole DNS
Honeyfiles and honeynets
• Honeynets
- More than one honeypot on a network
- More than one source of information
- Stop spa mmers - https://projecthoneypot.org
• This can be bad
- An attacker can redirect users to a ma licious site
• This can be good
- Redirect known malicious domains to a benign IP addr ess
- Watch for any users hitting that IP address
- Those devices are infected
• Honeyfiles
- Bait for the honeynet (passw ord s.txt)
- An alert is sent if the file is accessed
- A virtual bear trap
• Can be integrated with a firewall
- Identify infected devices not directly connected
2.2 - Cloud Models
Infrastructure as a service (laaS)
• Sometimes called Hardware as a Service (HaaS)
- Outsource your equipment
Anything as a Service (XaaS)
• Abroad description of all cloud models
- Use any combination of the cloud
• You're still respon sible for the management
- And for the security
• Services delivered over the Internet
- Not locally hosted or managed
• You r data is out there, but more within you r control
• Flexible consumption model
- No large upfront costs or ongoing licensing
• Web server providers
• IT becomes more of an operating model
- And less of a cost-center model
- Any IT function can be changed into a service
Platform as a service (PaaS)
• No servers, no softw are, no maintenance team,
no HVAC
- Someone else handles the platform,
you handle the development
as a Service
Application
Application
Application
Application
Data
Data
Data
Data
Runtime
Runtime
Ru ntime
Runtime
Middleware
Middleware
M iddlewa re
Middleware
OS
OS
OS
OS
Virtualization
Virtua lization
Virt ualization
Virtualization
Servers
Servers
Servers
Servers
Storage
Storage
Storage
Storage
Networking
Networking
Networking
Networking
• Put the building blocks together
- Develop you r app from what's
available on the platform
- SalesForce.com
• Centra l management of data and applications
- Your data is out there
• A complete application offering
- No development w ork req uired
- Google Mail
© 2020 Messer Studios, LLC
Software
as a Service
• You don't have direct control of the data,
people, or infrastructure
- Tra ined security professionals are
w atching your stuff
- Choose carefu lly
Software as a service (SaaS)
• On-demand softw are
- No local installation
- Why manage your own email distribution?
- Or payroll?
Infrast ructure
Platform
as a Service
On Premises
I
[
Client Managed
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 37
I
Provider Managed
https://ProfessorMesser.com
2.2 - Cloud Models (continued)
On-premises vs. off-premises
• On-premises
- Your applications ar e on local hardware
- Your servers are in your data center in your building
Cloud service providers
• Provide cloud services
- Saas, PaaS, laaS, etc.
• Charge a flat fee or based on use
- More data, more cost
• You still manage your processes
- Internal staff
- Development team
- Operational support
• Off-premises / hosted
- Your servers are not in your building
- They may not even be running on your hardware
- Usually a specialized computing environment
Cloud deployment models
• Public
-Available to everyone over the Internet
Managed service providers
• Managed Service Provider (MSP)
- Also a cloud service provider
- Not all cloud service providers are MSPs
• Community
- Several organizations share t he same r esources
• MSP support
- Network connectivity management
- Backups and disaster r ecovery
- Growth management and planning
• Private
- Your ow n virtualized local data center
• Hybrid
- A mix of public and private
• Managed Security Service Provider (MSSP)
- Fi rew all management
- Patch management, security audits
- Emergency r esponse
2.2 - Edge and Fog Computing
Cloud computing
• Computing on-demand
- Instantly ava ilable computing pow er
- Massive data storage capacity
Fog computing
• Fog
- A cloud that's close to your data
- Cloud+ Internet of Things - Fog computing
• Fast implementation
- IT teams can adj ust rapidly to change
- Smaller startup costs and pay-as-you-go
• A distributed cloud architecture - Extends the cloud
• Not always the best solution
- Latency - t he cloud is far away
- Limited bandwidth
- Difficult to protect data
- Requires Internet/ netw ork connectivity
• Distribute the data and processing
- Immediate data stays local - No latency
- Local decisions made from local data
- No bandw idth requirements
- Private data never leaves - M inimizes security concerns
- Long-term analysis can occur in the cloud - Internet
on ly w hen required
Edge computing
• Over 30 billion loT devices on the Internet
- Devices w ith very specifi c functions
- A huge amount of data
• Edge computing - " Edge"
- Process application data on an edge server
- Close to the user
• Often process data on the device itself
- No latency, no netw ork r equirement
- Increased speed and performance
- Process wh ere t he data is, instead of
processing in the cloud
© 2020 Messer Studios, LLC
Ill
Cloud / Data Centers
Fog/
Nodes
•
Internet of Things
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 38
https://ProfessorMesser.com
2.2 - Designing the Cloud
Designing t he cloud
• On-d emand computing pow er
- Click a button
Application containerization
• Contai ner
- Contains everything you need t o run an application
- Code and dependencies
- A standardized un it of softwar e
• Elasticity
- Scale up or dow n as needed
• An isolated process in a sandbox
- Self-contained
- Apps can't interact w ith each other
• Applications also scale
- Access from anyw her e
• How does it all happen?
- Plann ing and t echnology
Thin client
• Basic application usage
- Appl ications actually run on a remote server
- Virtual Desktop Infrastructur e (VD I),
- Desktop as a Service (DaaS)
- Local device is a keyboa rd, mouse, and screen.
• M inimal operating system on the client
- No huge memory or CPU needs
• Netw ork connectivity
- Big netw ork requirement
- Everything happens across the wire
Virtualization
• Virtualization
- Run many different operating systems on t he
same hardw are
• Contai ner image
- A standard for portability
- Lightw eight , uses the host kernel
- Secu re separation betw een applications
Microservices and APls
• Monolithic applications
- One big application t hat does everyth ing
• Application cont ains all decision making processes
- User interface
- Business logic
- Data input and output
• Code chall enges
- Large codebase
- Change control challenges
• APls
- Appl ication Programming Interfaces
• API is the "glue" for the m icroservices
- Work together to act as the application
• Each application instance has its
ow n operating system
- Adds overhead and complexit y
- Virtualization is relatively expensive
• Scalable
- Scale j ust the microservices you need
• Resi li ent
- Outages are contai ned
• Security and compliance
- Containment is bui lt-in
Virtualized Applications
Virtual
Machine
Virtual
Machine
Virtual
Machine
App A
App B
AppC
Guest
Operating
System
Guest
Operating
System
Guest
Operati ng
System
Containerized Applications
<(
a.
a.
<(
co
a.
a.
<(
u
0
<(
<(
a.
a.
a.
a.
w
a.
a.
<(
Host Operating System
Infrastructure
Infrastructure
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 39
a.
a.
<(
(.!)
a.
a.
<(
Docker
Hypervisor
© 2020 Messer Studios, LLC
LL
https://ProfessorMesser.com
2.2 - Designing the Cloud (continued)
Serverless architecture
• Function as a Service (FaaS}
- Applications are separated into individual, autonomous
functions
- Remove the operating system from the equation
• Developer still cr eates the server-side logic
- Runs in a stateless compute container
• May be event triggered and ephemeral
- May only run for one event
• Managed by a third-party
- All OS security concerns are at the third-party
Microservice Architecture
Resource policies
• Assigning permissions to cloud r esources
- Not the easiest task
- Everything is in constant motion
• Specify w hich resources can be provisioned (Azu re)
- Create a service in a specific region,
deny all others
• Specify the resource and w hat actions are
permitted (Amazon )
-Allow access to an API gatew ay from an
IP address range
• Explicitly list the users w ho can access the
resource (Amazon)
- Userlist is associated with the resource
Service integration
• Service Integration and Management (SIAM)
• Many different service providers
- The natural result of multisourcing
• Every provider w orks differently
- Different tools and processes
• SIAM is the integration of these
diverse providers
- Provide a single business-facing
IT organization
• An evolving set of processes and procedures
Transit gateway
• Virtual Private Cloud (VPC)
- A pool of resources created in a public cloud
Transit Gateway Network Architecture
• Common to create many VPCs
- Many different application clouds
0
• Connect VPCs w ith a t ransit gatew ay
- And users to VPCs
- A "cloud router"
customer Router
• Now make it secure
- VPCs are commonly on different IP subnets
- Connecting to the cloud is often through a VPN
2.2 - Infrastructure as Code
Infrastructure as code
• Describe an infrastructur e
- Define servers, netw ork, and applications as code
• Modify the infrastructur e and create versions
- The same w ay you version application code
• Use the description (code) to build other application
instances
- Build it the same w ay every time based on the code
• An important concept for cloud computing
- Build a perfect version every time
SDN (Software Defined Networking)
• Netw orking devices have t wo functional planes
of operation
- Control plane, data plane
• Directly programmable
- Configuration is different than forwarding
• Agile - Changes can be made dynamically
• Centrally managed - Global view, single pane of glass
• Programmatica lly configured
- No human intervention
• Open standards / vendor neutral
-A standard interface to the network
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 40
https://ProfessorMesser.com
2.2 - Infrastructure as Code (continued)
SDV (Software Defined Visibility)
• You must see the traffic to secure the data
- React and respond
• Dynamic deployments include security and network
visibility devices
- Next-generation firew alls, w eb appl ication firew alls,
- Security Information and Event Management (SIEM)
• Data is encapsulated and encrypted
- VXLAN and SSL/TLS
• New technologies change w hat you can see
- Infrastructure as code, microservices
• Security devices monitor application t raffic
- SDV provides visibil ity to t raffic flow s
• Visibility expands as the application instances expand
- Real-time metrics across all t raffic flow s
• Application flow s can be controlled via API
- Identify and react to threats
2.2 - Virtualization Security
VM sprawl avoidance
• Click a button
- You've built a server
- Or multiple servers, networks, and firewalls
• Once you escape the VM, you have great control
- Control the host and control other guest VMs
• It becomes almost too easy to build instances
- This can get out of hand very quickly
Escaping the VM
• March 2017 - Pw n2Ow n competition
- Hacking contest
- You pw n it , you ow n it - along w ith some cash
• The virtual machines are sprawled everyw her e
- You aren't sure w hich VMs ar e related to w hich applications
- It becomes extremely difficult to deprovision
• Formal process and detailed documentation
- You should have information on every virtual object
VM escape protection
• The virtual machine is self-contained
-There's no w ay out - Or is there?
• Virtual machine escape
- Break out of the VM and interact w ith the host operating
system or hardw are
• This w ould be a huge exploit
- Full control of the virtual w orld
• JavaScript engine bug in M icrosoft Edge
- Code execution in the Edge sandbox
• Window s 10 kernel bug
- Compromise the guest operating system
• Hardw are simulation bug in VM war e
- Escape to the host
• Patches w ere released soon afterwards
2.3 - Secure Deployments
Development to production
• Your programming team has been w orking on a new application
- How w ill you deploy it safely and reliably?
• Patch Tuesday
- Test and deploy Wednesday? Thursday? Friday?
• Manage the process
- Safely move from a non-production phase to full production
Sand boxing
• Isolated testing environment
- No connection to the real w orld or production system
- A technological safe space
• Use during the development process
- Try some code, break some code, nobody gets hurt
• Incremental development
- Helps build the application
Building the application
• Development
- Secure environment
- Writing code
- Developers test in their sandboxes
© 2020 Messer Studios, LLC
• Test
- Still in the development stage
-All of the pieces are put together
- Does it all w ork?
- Functional tests
Verifying the application
• Quality Assurance (QA)
- Verifies features are w orking as expected
- Validates new functionality
- Verifies old errors don't r eappear
• Staging
-Almost ready to roll it out
- Works and feels exactly like the production
environment
- Working w ith a copy of production data
- Run performance tests
- Test usability and features
Using the application
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 41
https://ProfessorMesser.com
2.3 - Secure Deployments {continued)
• Production
- Application is live
- Rol led out to the user community
• A challenging step
- Impacts the users
• The security of an application environment should
be w ell defined
-All application instances must follow this baseline
- Firewall settings, patch levels, OS file versions
- May require constant updates
• Logistical challenges
- New servers
- New softwar e
- Restart or interrupt of service
• Integrity measur ements check for the secur e baseline
- These should be performed often
- Check against w ell-documented baselines
- Failure requires an immediate correction
Secure baselines
2.3 - Provisioning and Deprovisioning
Provisioning
• Deploy an application
- Web server, database server, middlew are server, user
w orkstation configurations, certificate updates, etc.
Orchestration
• Automation is the key to cloud computing
- Services appear and disappear automatically,
or at the push of a button
• Application softw are security
- Operating system, application
• Entire application instances can be instantly provisioned
- All servers, netw orks, sw itches, fir ew alls, and policies
• Instances can move around the w orld as needed
- Follow the sun
• Netw ork security
- Secure VLAN, internal access, external access
• Softw are deployed to w orkstations
- Check executables for malicious code, verify security
posture of the w orkstation
• The security policies should be part of the orchestration
- As applications are provisioned, the proper security is
automatically included
Scalability and elasticity
• Handle application w orkload
- Adapt to dynamic changes
Deprovisioning
• Dismantling and removing an application instance
- All good things
• Scalability
- The ability to increase the w orkload in a
given infrastructure
- Build an application instance that can handle
- 100,000 transactions per second
• Security deprovisioning is important
- Don't leave open holes, don't close important ones
• Elasticity
- Increase or decrease available resources as the
w orkload changes
- Deploy multiple application instances to handle
- 500,000 transactions per second
• Firew all policies must be reverted
- If the application is gone, so is the access
• What happens to the data?
- Don't leave information out there
2.3 - Secure Coding Techniques
Secure coding concepts
• A balance betw een time and quality
- Programming with security in mind is often secondary
• Stor ed procedures limit the client interactions
- 'CALL get_options'
- That's it. No modifications to the query are possible.
• Testing, testing, testing
- The Quality Assurance (QA) process
•Tobe r eally secure, use only stored procedures
- The application doesn't use any SQL queries
• Vulnerabi lities w ill eventually be found
- And exploited
Obfuscation/camouflage
• Obfuscate
- Make something normally understandable very
difficult to understand
Stored procedures
• SQL databases
- Client sends detailed requests for data
- 'SELECT* FROM w p_options WHERE option_id = 1'
• Client requests can be complex
- And sometimes modified by the user
- This w ould not be good
© 2020 Messer Studios, LLC
• Take perfectly readable code and turn it into nonsense
- The developer keeps the readable code and gives you
the chicken scratch
- Both sets of code perform exactly the same w ay
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 42
https://ProfessorMesser.com
2.3 - Secure Coding Techniques {continued)
• Helps prevent the search for security holes
- Makes it more difficult to figure out
w hat's happen ing - But not impossible
Memory management
•Asa developer, you must be mindful of how memory is used
- Many opportunities to build vulnerable code
Code reuse/dead code
• Code r euse
- Use old code to build new applications
- Copy and paste
• Never trust data input
- Malicious users can attempt to circumvent your code
• If the old code has security vulnerabilities, reusing
the code spreads it to other applications
- You're making this much more difficult for everyone
• Some built-in functions are insecur e
- Use best practices w hen designing your code
• Dead code
- Calcu lations are made, code is executed,
results are tallied
- The results aren't used anyw her e else in the
application
• All code is an opportunity for a security problem
- Make sure your code is as alive as possible
Input validation
• What is the expected input?
- Validate actua l vs. expected
• Buffer overflow s are a huge security risk
- Make sure your data matches your buffer sizes
Third-party libraries and SDKs
• Your programming language does everything· Almost
• Third-party librari es and softw are development kits
- Extend the functionality of a programming language
• Security risk
- Application code w ritten by someone else
- M ight be secure. Might not be secure.
- Extensive testing is required
• Balancing act - Application features vs. unknow n code base
• Document all input methods
- Forms, fields, type
• Check and correct all input (normalization)
- A zip code should be only X characters long w ith a
letter in the X column
- Fix any data with improper input
Data exposure
• So much sensitive data
- Credit card numbers, social security numbers, medical
information, address details, email information
• How is the application handling the data?
- No encryption w hen stored
- No encryption across the netw ork
- Displaying information on the screen
• The fuzzers w ill find w hat you missed
- Don't give them an opening
• All input and output processes are important
- Check them all for data exposure
Validation points
• Server-side validation
- All checks occur on the server
- Helps protect against malicious users
- Attackers may not even be using your interface
Version control
• Create a file, make a change, make another change,
and another change
- Track those changes, revert back to a previous version
• Client-side validation
- The end-user's app makes the validation decisions
- Can filter legitimate input from genuine users
- May provide additional speed to the user
• Use both - But especially server-side va lidation
• Commonly used in softw are development
- But also in operating systems, wiki softw are, and
cloud-based file storage
• Useful for security
- Compare versions over time
- Identify modifications to important files
-A security challenge
- Historical information can be a security risk
2.3 - Software Diversity
Exploiting an application
• Attackers often exploit application vulnerabilities
- They find the unlocked door and open it
• Once you exploit one binary, you can exploit them all
- The application w orks the same on al l systems
- A W indow s 10 exploit affects all W indow s 10 users
• What if all of the computers w ere running different
softwar e?
- Unique binaries
- Functionally identical
© 2020 Messer Studios, LLC
Software diversity
• Alternative compiler paths w ould result in a different
binary each time
- Each compiled application w ould be a little bit
different
- But functionally the same
• An attack against different binaries w ould only be
successful on a fraction of the users
- An attacker w ouldn't know w hat exploit to use
- Make the game much harder to win
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 43
https://ProfessorMesse r.com
2.3 - Automation and Scripting
Automation and scripting
• Plan for change
- Implement automatically
Continuous integration (Cl)
• Code is constantly w ritten
-And merged into the central repository many times a day
• Automated courses of action
- Many problems can be predicted
- Have a set of automated responses
• So many chances for security problems
- Security should be a concern from the beginning
• Continuous monitoring
- Check for a particular event, and then react
• Configuration va lidation
- Cloud-based technologies allow for
constant change
- Automatically validate a configuration
before going live
- Perform ongoing automated checks
• Basic set of security checks during development
- Documented security baselines as the bar e minimum
• Large-scale security analysis during the testing phase
- Significant problems w ill have already been cover ed
Continuous delivery/deployment (CD)
• Continuous delivery
- Automate the testing process
- Automate the release process
- Click a button and deploy the application
• Continuous deployment
- Even more automation
-Automatically deploy to production
- No human integration or manual checks
2.4 - Authentication Methods
Directory services
• Keep all of an organization's usernames and passw ords
in a single database
- Also contains computers, printers, and other devices
• Large distributed database
- Constantly r eplicated
• All authentication requests reference this di rectory
- Each user only needs one set of credentials
- One username and passw ord for all services
• Access via Kerberos or LDAP
Federation
• Provide netw ork access to others
- Not j ust employees - Partners, suppliers, customers, etc.
- Provides SSO and more
• Third-parties can establish a federated netw ork
- Authenticate and authori ze betw een the
tw o organizations
- Login with your Facebook credentials
• The third-parties must establish a t rust r elationship
- And the degr ee of the t rust
Attestation
• Prove the hardware is really yours
- A system you can trust
• Easy w hen it 's j ust your computer
- More difficult w hen there are 1,000
• Remote attestation
- Device provides an operational report to a
verification server
- Encrypted and digitally signed with the TPM
- An IMEI or other unique hardware component can be
included in the report
© 2020 Messer Studios, LLC
Short message service (SMS)
• Text messaging
- Includes more than text these days
• Login factor can be sent via SMS to a predefined
phone number
- Provide username and passw ord
- Phone receives an SMS
- Input the SMS code into the login form
• Security issues exist
- Phone number can be reassigned to a
different phone
- SMS messages can be intercepted
Push notification
• Similar process to an SMS notification
-Authentication factor is pushed to a specia lized app
- Usually on a mobile device
• Security challenges
-Applications can be vulnerable
- Some push apps send in the clear
• Still more secure than SMS
- Multiple factors are better than one factor
Authentication apps
• Pseudo-random token generators
-A useful authentication factor
• Carry around a physical hardw are token generator
- Where are my keys again?
• Use softwar e-based token generator on your phone
- Pow erful and convenient
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 44
https://ProfessorMesser.com
2.4 - Authentication Methods (continued)
TOTP
• Time-based One-Time Passw ord algorithm
- Use a secret key and the time of day
- No incremental counter
• Secret key is configured ahead of time
- Timestamps are synchronized via NTP
• Timestamp usually increments every 30 seconds
- Put in your username, passw ord, and TOTP code
• One of the more common OTP methods
- Used by Google, Facebook, Microsoft, etc.
HOTP
• One-time passw ords
- Use them once, and never again
- Once a session, once each authentication attempt
• HMAC-based One-Time Passw ord algorithm
- Keyed-hash message authentication code (HMAC)
- The keys are based on a secret key and a counter
• Token-based authentication
- The hash is different every time
• Hardw are and software tokens available
- You'll need additional technology to make this w ork
Phone call
• A voice call provides the token
- The computer is talking to you
- " Your code is 1-6-2-5-1-7."
• Similar disadvantages to SMS
- Phone call can be intercepted or forwarded
- Phone number can be added to another phone
Static codes
• Authentication factors that don't change
- You just have to remember
• Personal Identification Number (PIN}
- Your secret numbers
• Can also be alphanumeric
-A passw ord or passphrase
Smart cards
• Integrated circuit card - Contact or contactless
• Common on credit cards - Also used for access control
• Must have physica l card to provide digital access
- A digital certificate
• Multiple factors
- Use the card w ith a PIN or fingerprint
2.4 - Biometrics
Biometric factors
• Fingerprint scanner
- Phones, laptops, door access
• Retinal scanner
- Unique capillary structur e in
the back of the eye
• Iris scanner
- Texture, color
• Voice recogn ition
- Talk for access
• Facial recognition
- Shape of the face and features
• Gait analysis
- Identify a person based on
how they w alk
- Many unique measurements
Biometric acceptance rates
• False acceptance rate (FAR)
- Likelihood that an unauthorized user w ill be accepted
- Not sensitive enough
• False rejection rate (FRR)
- Likelihood that an authori zed user will be rejected
- Too sensitive
• Crossover error rate (CER)
- Defines the overall accuracy of a biometric system
- The rate at w hich FAR and FRR are equal
-Adjust sensitivity to equalize both values
False Acceptance
Rate (FAR)
False Rejection
Rate (FRR)
• Veins
- Vascular scanners
- Match the blood vessels visible
from the surface of the skin
Sensitivity
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 45
https://ProfessorMesser.com
2.4 - Multi-factor Authentication
AAA framework
• Identification
-This is w ho you claim to be
- Usually your username
Something you are
• Biometric authentication
- Fingerprint, iris scan, voice print
• Authentication
- Prove you are w ho you say you are
- Passw ord and other authentication factors
• Authori zation
- Based on your identification and authentication,
w hat access do you have?
• Accounting
- Resources used: Login time, data sent
and r eceived, logout time
Cloud vs. on-premises authentication
• Cloud-based security
- Third-party can manage the platform
- Centralized platform
- Automation options w ith API integration
- May include additional options (for a cost)
• On-premises authentication system
- Internal monitoring and management
- Need internal expertise
- External access must be granted and managed
Multi-factor authentication
• Factors
- Something you know
- Something you have
- Something you are
• Usua lly stores a mathematical representation
of your biometric
- Your actual fingerprint isn't usually saved
• Difficult to change
- You can change your passw ord
- You can't change your fingerprint
• Used in very specific situations
- Not foolproof
Somewhere you are
• Provide a factor based on your location
-The transaction only completes if you are in a
particular geography
• IP address
- Not perfect, but can help provide more info
- Works with 1Pv4, not so much with 1Pv6
• Mobile device location services
- Geolocation to a very specific area
- Must be in a location that can r eceive GPS
information or near an identified mobile
or 802.11 netw ork
- Still not a perfect identifier of location
Something you can do
• A persona l w ay of doing things
- You' re specia l
• Handwriting analysis
- Signature comparison
- Writing technique
• Attributes
- Somew here you are
- Something you can do
- Something you exhibit
- Someone you know
• Very similar to biometri cs
- Close to something you are
Something you know
• Passw ord
- Secret w ord/ phrase, string of characters
- Very common authentication factor
• PIN
- Personal identification number
- Not typically contained anyw her e on a
smart card or ATM card
Other attributes
• Something you exhibit
-A unique trait, personal to you
- Gait analysis - the w ay you w alk
- Typing analysis - the w ay you hit the
enter key too hard
• Pattern
- Complete a seri es of patterns
- Only you know the right format
Something you have
• Smart card
- Integrates with devices
- May require a PIN
• USB token - Certificate is on the USB device
• Hardw are or softw are tokens
- Generates pseudo-random authentication codes
• Your phone -SMS a code to your phone
© 2020 Messer Studios, LLC
• Someone you know
- A social factor
- It's not w hat you know ...
- Web of t rust
- Digital signature
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 46
https://ProfessorMesser.com
2.5 - Disk Redundancy
Redundancy
• Duplicate parts of the system
- If a part fails, the redundant part can be used
• Disperse technologies to different geograph ies
- Use multiple data centers
- In different locations
• Ma inta in uptime
- The organization continues to function
• Data centers m ight be part of the normal operations
- East coast and w est coast operations centers
• No hardware failure
- Servers keep running
• May be part of a disaster recovery center
- If Florida gets hit, fire up the Denver data center
• No softw are failure
- Services always available
• No system failure
- Network performing optimally
Disk redundancy
• Multipath 1/0 (Input/Output)
- Especially useful for netw ork-based storage subsystems
- Mu ltiple Fibre Channel interfaces with multiple switches
Geographic dispersal
• Bad things can happen in a local area
- Hurricanes, tornadoes, flooding,
• RAID - Redundant Array of Independent Disks
• Multiple drives create redundancy
- Many different designs and implementations
RAIO Level
Description
Details
RAID 0
Striping w ithout parity
High pe rformance, no fault tolerance
RAID 1
Mirroring
Duplicat es data for fau lt tolerance,
but requi res t wice the disk space
RAID 5
Striping wit h parity
Fau lt tolerant , only requires an
add itiona l disk for redundancy
RAID O+l, RAID l+O,
RAID 5+1, etc.
Multiple RAID t ypes
Combine RAID met hods t o increase redundancy
2.5 - Network Redundancy
Load balancing
• Some servers are active - Others are on standby
• If an active server fails, the passive server takes its place
NIC teaming
• Load Ba lancing/ Fa il Over (LBFO)
- Aggregate bandwidth, redundant paths
- Becomes more important in the virtual w orld
~
l oad
Balancer . ~
• Mu ltiple netw ork adapters
- Looks like a single adapter
- Integrate w ith sw itches
I \
• NICs talk to each other
- Usually mu lticast instead of broadcast
- Fa ils over w hen a NIC doesn't respond
Server A
00
Server B
Server C
Server D
2.5 - Power Redundancy
UPS - Uninterruptible Power Supply
- Short-term backup pow er
- Blackouts, brow nouts, surges
Generators
• Long-term pow er backup
- Fuel storage requ ired
• UPS types
- Offline/ Standby UPS
- Line-interactive UPS
- On-l ine/Double-conversion UPS
• Pow er an entire building
- Some pow er outlets may be marked as
generator-pow ered
• Features
- Auto shutdow n, battery capacity, outlets,
phone line suppression
© 2020 Messer Studios, LLC
• It may take a few m inutes to get the
generator up to speed
- Use a battery UPS w hile the generator is starting
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 47
https://ProfessorMesser.com
2.5 - Power Redundancy (continued)
Dual-power supplies
• Redundancy
- Internal server pow er suppli es
- External pow er circu its
Power distribution units (PDUs)
• Provide multi ple pow er outlets
- Usua lly in a rack
• Often include mon itoring and control
- Manage pow er capacity
- Ena ble or disable individual outlets
• Each pow er supply can handle 100% of the load
- Would normally run at 50% of the load
• Hot-sw appable
- Replace a faulty pow er supply without pow ering dow n
2.5 - Replication
SA N replication
• Sha re data betw een different devices
- If one device fails, you can still w ork w ith the data
- VERY fast recovery times com pared to
t raditional backups
• Storage area net works (SANs)
- Specialized high-performance net w ork of
storage devices
• Consistent service offering
- Ma int ain copies anyw her e in t he w orld
• Recover from a replicated copy
- Provides a backup if needed
• Efficient copying
- On ly replicates the data that has changed
On premises vs. cloud redundancy
• Speed
- Local devices are connect over very fast netw orks
- Cloud connections are almost always slow er
• SAN-to-SAN replication
- Du plicate data from one data center to another
• SAN snapshot
- Create a state of data based on a point in time
- Copy that state to ot her SANs
• Money
- Purchasing your ow n storage is an expensive
capital investment
- Cloud costs have a low entry point and can scale
VM replication
• Virtual machine redundancy
- Maintain one VM, replicate to all others
- The virtual machine is really just one big file
• Security
- Local data is private
- Data stored in the clou d requ ires additional
security controls
2.5 - Backup Types
Backup Types
• The archive attribut e
- Set w hen a file is modifi ed
• Full - Everything
- You' ll w ant t his one first
• Incrementa l
- All files changed since the last incrementa l backup
• Differ entia l
- All files changed since the last full backup
Data Selection
Backup / Restore nme
Archive Attribute
Full
All selected data
High /low
(one tape se t )
Cleared
Incre me ntal
New files a nd files
mod ified since t he
last backup
Low /High
(Multiple ta pe sets)
Cleared
Differential
All d ata modified
sinee t he last full
backup
Mod e rate / Moderate
(No more than 2 sets)
Not Cleared
,---
Increment al Backup
• A full backup is t aken first
Incremental
• Subseq uent backups contain
data changed since the last full
backup and last incremental backup
- These are usual ly smaller
than the fu ll backup
• A restoration re quires the full
backup and all of t he increment al
backu ps
...... [ Incremental]
r
__.,.,
r-....
Incremental
Incremental
Incremental
Incremental ]
Full
Backup
Full
Backup
'
Monday
© 2020 Messer Studios, LLC
[
Tuesday
Wednesday
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 48
Thursday
~
Recovery
https://ProfessorMesser.com
2.5 - Backup Types {continued)
Differential Backup
• A full backup is t aken first
• Subseq uent backups contain
data changed since the last
fu ll backup
- These usua lly grow larger as
data is changed
• A restoration re quires the full
backup and t he last differ entia l
backup
[ Differential ]
Differential
Differential
Full
Backup
Monday
Thursday's
Differential
Full
Backup
Tuesday
Wednesday
Thursday
Recovery
Backup media
• Magnetic ta pe
- Sequential storage
- 100 GB to mu ltiple terabytes per cart ridge
- Easy to sh ip and st ore
Other backups
• Cloud
- Backup to a remote device in the cloud
- Su pport many devices
- May be limited by bandwidth
• Disk
- Faster than magnetic t ape - Dedu plicate and com pr ess
• Image
- Captu re an exactly replica of everyt hing on a
storage drive
- Restore everything on a partition, includi ng
operating system fi les and user documents
• Copy
- A useful strategy
- May not include version ing - May need to keep offsite
NAS vs. SAN
• Netw ork Attached Storage (NAS)
- Connect to a sha red storage device across the net w ork
- File-level access
• Storage Area Network (SAN)
- Looks and feels like a local storage device
- Block-level access
- Very efficient r eadi ng and w riting
• Requires a lot of bandw idt h
- May use an isolated netw ork and high-speed
netw ork t echnologies
Backup locations
• Offline backup
- Backup to loca l devices
- Fast and secure
- Must be protected and ma int ained
- Often requires offsite storage for disaster recovery
• Online backup
- Remote net w ork-connected third -party
- Encrypted
- Accessible from anyw her e
- Speed is limited by net work bandwidth
2.5 - Resiliency
Non-pe rsistence
• The cloud is alw ays in motion
- Appl ication instances are constantly built
and t orn dow n
• Sna pshots can ca pture the current confi guration and data
- Preserve the com plet e state of a device, or
just t he con figu ration
• Revert to know n state
- Fa ll back t o a previous sna pshot
• Roll back to know n con figu ration
- Don't modify the data, but use a pr evious con figuration
• Live boot media
- Run the operating system from removable
media - very portable !
High availability
• Redundancy doesn't always mean always ava ilable
- May need to be pow ered on manually
© 2020 Messer Studios, LLC
• HA (high avai lability)
- Alw ays on, alw ays available
• May include many different components
w orking together
- Active/ Active can provide sca lability advantages
• Higher availability almost always means higher costs
- There's alw ays another contingency you cou ld add
- Upgraded pow er, high-quality server components,
etc.
Order of restoration
• Application-specific
- Certain com ponents may need to be rest ored fi rst
- Databases should be restored before the application
• Backu p-specific
- Incr emental backups restor e the fu ll backup,
then all subseq uent incrementa l backups
- Differential backups restore the fu ll backup,
then t he last differ entia l backup
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 49
https://ProfessorMesser.com
2.5 - Resiliency (continued)
Diversity
• Technologies
- A zero-day OS vulnerability can cause significant
outages
- Multiple security devices
• Vendors
- A single vendor can become a disadvantage
- No options du ring annual renewals
- A bad support team may not be able to resolve
problems in a timely manner
• Cryptographic
- All cryptography is temporary
- Diverse certi ficate authorities can provide
add itiona I protection
• Controls
-Administrative controls
- Physical controls
- Technical controls
- Combine them together
- Defense in depth
2.6 - Embedded Systems
Embedded systems
• Hardw are and software designed for a specific function
- Or to operate as part of a larger system
• Is built w ith only this task in m ind
- Can be optim ized for size and/or cost
• Common examples
- Traffic light controllers
- Digital w atches
- Medical imaging systems
Soc {System on a Chip)
• Multiple components running on a single chip
- Common with embedded systems
• Small form-factor
- External interface support
- Cache memory, flash memory
- Usually low er power consumption
• Security considerations are important
- Difficult to upgrade hardw are
- Limited off-the-shelf security options
Field-programmable gate array {FPGA)
• An integrated circuit that can be configured
after manufacturing
- Array of logic blocks
- Programmed in the field
• A problem doesn' t require a hardware replacement
- Reprogram the FPGA
• Common in infrastructu re
- Firew all logic
- Routers
SCADA/I CS
• Supervisory Control and Data Acquisition System
- Large-scale, multi-site Industrial Control Systems (ICS)
• PC manages equipment
- Pow er generation, refin ing, manufacturing equipment
- Facilities, industrial, energy, logistics
• Distributed control systems
- Real-time information
- System control
• Requires extensive segmentation
- No access from the outside
M ser Stu d.,os "C
uc
Smart devices/ loT {Internet of Things)
• Sensors - Heating and cooling, lighting
• Smart devices - Home automation, video doorbells
• Weara ble technology - Watches, health monitors
• Facility automation - Temperature, air quality, lighting
• Weak defaults
- IOT manufacturers are not security professionals
Specialized
• Medical devices
- Heart mon itors, insulin pumps
- Often use older operating systems
• Vehicles
- Internal netw ork is often accessible from
mobile netw orks
- Control internal electronics
• Aircraft
- DoS could damage the aircraft
-An outage w ould be problematic
• Smart meters - Measure pow er and w ater usage
VoIP
• Voice over Internet Protocol
- Instead of analog phone line or the
- Plain Old Telephone Service (POTS}
• A relatively complex embedded system
- Can be relatively important
• Each device is a computer
- Separate boot process
- Individual con figurations
- Different capabilities and functiona lities
HVAC
• Heating, Ventilation, and Air Conditioning
- Thermodynamics, flu id mechanics, and heat transfer
• A complex science
- Not something you can properly design yourself
- Must be integrated into the fire system
• PC manages equipment
- Makes cooling and heating decisions for w orkspaces
and data centers
• Traditionally not built with security in mind
- Difficult to recover from an infrastructure DoS
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page SO
https://Pro essor esser.com
2.6 - Embedded Systems (continued)
Drones
• Flying veh icle
- No pilot on board
• May be manual ly controlled from the ground
- Oft en w ith some autonomy
- Set it and forget it
• Extensive commercia l and non-commercial use
- May require federal licenses
- Secu rity and fail-safes are required
Printers, sca nners, and fax machines
• All-in-one or mu ltifunction devices (M FD)
- Everything you need in one single device
RTOS (Real-Time Operating System)
• An operating system wit h a deterministic
processing schedu le
- No time t o w ait for other processes
- Industrial equipment, automobiles,
- Mil itary environments
• Extremely sensitive to secu rity issues
- Non-t rivial systems
- Need to alw ays be available
- Difficult t o know w hat type of security is in place
• No longer a simple print er
- Very sophisticat ed firm w are
Surveillance systems
• Video/ audi o surveillance
- Embedded systems in t he cameras and t he
monitoring st ations
• Some images are stored loca lly on the device
- Can be ret rieved externally
• Secure the security system
- Restrict access from others - Prevent a denial of service
• Logs are stored on t he device
- Contain commun ication and fax details
• Physically difficult to replace cameras
- Accessible independently over the net w ork
- May allow for fi rm w are upgrades
2.6 - Embedded Systems Communication
SG
• Fifth generation cellular networking
- Launched w orldwide in 2020
• Significant performance im provements
- At higher frequenci es
- Eventually 10 giga bit s per second
- Slow er speeds from 100-900 Mbit/s
• Significant loT impact
- Bandwidth becomes less of a constraint
- Larger data t ransfers
- Faster monitoring and notifi cation
- Additional cloud processing
• Bid irectional communication
- But not at t he same time using the same w ire/fiber
• Ethernet standard - 100BASE-TX,
l000BASE-T, 10GBASE-T
Narrowband
Signal
Subscriber identity m odule (SIM)
• SIM card - A universal integrated circu it ca rd
• Used to provide information to a cellular
network provider - Phones, t ablets, embedded systems
• Cont ains mobil e details
- IMSI (Int ernationa l Mobile Subscriber Identity)
- Authentication information, cont act information
• Important to manage
- Many em bedded systems, many SIM cards
Narrowband
• Communicate analog signals over a narrow range
of frequencies
- Over a longer distance - Conserve t he frequency use
• Many loT devices can communicate over long distances
- SCADA eq uipment - Sensors in oil fi elds
Baseband
• Generally a single cable w ith a digita l signa l
- Can be fiber or copper
• The commun ication signa l uses all of t he bandwidth
- Utilization is either 0% or 100%
© 2020 Messer Studios, LLC
Broadband
Signal
Frequency
Zigbee
• Internet of Th ings networking
- Open standard - IEEE 802.15.4 PAN
• Alternative t o Wi Fi and Bluetooth
- Longer distances t han Bluetooth
- Less pow er consum ption than W iFi
• Mesh netw ork of all Zigbee devices in your home
- Light sw itch commun icates to light bulbs
- Tell Amazon Echo to lock the door
• Uses t he ISM band
- Industrial, Scientifi c, and Medical
- 900 MHz and 2.4 GHz frequencies in the US
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 51
https://ProfessorMesser.com
2.6 - Embedded Systems Constraints
Embedded systems
• Not usua lly a fu lly capable computer
- Low cost, purpose-built
• Crypto
- Limited hardware options
- Difficult to change or modify cryptography features
• Adds additional constraints
- May have limited or missing features
- Upgradability limitations
- Limits in communication options
• Inability to patch
- Some loT devices have no fi eld-upgradable options
- Upgrade options may be limited or difficult to install
• An ongoing trade off
- Low cost systems - Unique management challenges
Constraints
• Pow er - May not have access to a main pow er source
- Batteries may need to be replaced and maintained
• Compute
- Low-pow er CPUs are limited in speed
- Cost and heat considerations
• Netw ork
- May not have the option for a w ired link
- May be in the middle of a field
- W ireless is the limiting factor
• Authentication
- Security features are often an afterthought
- Limited options, no multi-factor, limited integration
w ith existing directory services
• Range
- Purpose-bu ilt - usually does one thing very w el l
- May not provide much additional fun ctionality
• Cost
- Single-purpose functionality comes at a low cost
- Low cost may affect product quality
• Implied trust
- Limited access to the hardware and softw are
- Difficult to veri fy the security posture
2.7 - Physical Security Controls
Barricades/ bollards
• Prevent access
- There are limits to the prevention
• Channel people through a specific access point
- And keep out other things
- Allow people, prevent cars and trucks
• Identify safety concerns
- And prevent injuries
• Can be used to an extreme
- Concrete barriers / bollards
- Moats
Access control vestibules
• All doors normal ly unlocked
- Opening one door causes others to lock
• All doors normal ly locked
- Unlocki ng one door prevents others from being
unlocked
• One door open/ other locked
- When one is open, the other cannot be unlocked
• One at a time, controlled groups
- Managed control through an area
• Consider personal safety
- Fire exits
- Warn ing signs
- Chemicals
- Construction
- Medical resources
• Informational
- In case of emergency, call this number
Video surveillance
• CCTV (Closed circuit television)
- Can replace physical guards
• Camera featu res are important
- Motion recogn ition can alarm and alert w hen
something moves
- Object detection can identify a license plate or
person's face
• Often many different cameras
- Netw orked together and recorde d over time
Alarms
• Circuit-based
- Circuit is opened or closed
- Door, w indow, fence
- Useful on the perimeter
Industrial camouflage
• Conceal an important facility in plain sight
- Blends in to the local environment
• Motion detection
- Radio reflection or passive infrared
- Useful in areas not often in use
• Duress
- Triggered by a person - The big red button
© 2020 Messer Studios, LLC
Signs
• Clear and specific instructions
- Keep people aw ay from restricted areas
- Consider visitors
• Protect a data center
- No business signs
- No visual clues
- Surround it with a w ater feature
- Install a guard gate
- Planters out front are bollards
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 52
https://ProfessorMesser.com
2. 7 - Physical Security Controls (continued)
Guards and access lists
USB data blocker
• Security guard
- Physical protection at the reception area of a
facility
- Validates identification of existing employees
- Provides guest access
• Don't connect to unknow n USB interfaces
- Even if you need a quick charge
- Prevent "juice jacking"
• ID badge
- Picture, name, other details
- Must be w orn at al l times
• Use you r pow er adapter
- Avoid the issue entirely
• Use a USB data blocker
- Allow the voltage, reject the data
Proper lighting
• Access list
- Physical list of names
- Enforced by security guard
• More light means more security
- Attackers avoid the light
- Easier to see w hen lit
- Non IR cameras can see better
• Mainta ins a visitor log
Guards
• Tw o-person integrity/control
- Minim ize exposure to an attack
- No single person has access to a physical asset
• Robot sentries
- Mon itoring
- Rounds/ Periodic checks
- An emerging technology
• Specialized design
- Consider overall light levels
- Lighting angles may be important
- Facial recognition
- Avoid shadows and glare
Fencing
Biometrics
• Build a perimeter
- Usually very obvious
- May not be w hat you're looking for
• Biometric authentication
- Fingerprint, retina, voiceprint
• Transparent or opaque
- See through the fence (or not)
• Usually stores a mathematical representation
of your biometric
- Your actual fingerprint isn't usually saved
• Robust
- Difficult to cut the fence
• Prevent climbing
- Razor wire
- Build it high
• Difficult to change
- You can change your passw ord
- You can't change your fingerprint
Fire suppression
• Used in very specific situations
- Not foolproof
• Electronics require unique responses to fire
- Water is generally a bad thing
Door access controls
• Detection
- Smoke detector, flame detector, heat detector
• Conventional - Lock and key
• Deadbolt - Physical bolt
• Electronic - Keyless, PIN
• Token-based
- RFID badge, magnetic sw ipe ca rd, or key fob
• Biometric - Hand, fingers or retina
• Multi-factor - Smart card and PIN
• Suppress with w ater
- Where appropriate
• Suppress with chemicals
- Halon - No longer manufactured
- Destroys ozone
- Commonly replace d with Dupont FM-200
Sensors
Cable locks
• Temporary security
- Connect your hardware to someth ing solid
• Motion detection
- Identify movement in an area
• Noise detection
- Recognize an increase in sound
• Cable w orks almost anyw here
- Useful wh en mobile
• Most devices have a standard connector
- Reinforced notch
• Not designed for long-term protection
- Those cables are pretty thin
• Proximity reader
- Commonly used w ith electronic door locks
- Combined w ith an access card
• Moisture detection
- Useful to identify w ater leaks
• Temperature
- Monitor changes over time
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 53
https://ProfessorMesser.com
2. 7 - Physical Security Controls (continued)
Drones
• Quickly cover large areas
- More than just one building
• More than physical security
- Site surveys, damage assessments
• On-board sensors
- Motion detection
- Thermal sensors
Screened subnet
• Formerly know n as a demilitari zed zone (DMZ)
-An additional layer of security betw een the
Internet and you
- Public access to public resources
Protected distribution
• Protected Distribution System (PDS)
-A physically secure cabled network
• Video evidence
- High resolution video capture
• Protect your cables and fibers
-All of the data flow s through these conduits
Faraday cage
• Prevent cable and fiber taps
- Direct taps and inductive taps
• Blocks electromagnetic fields
- Discovered by M ichael Faraday in 1836
• A mesh of conductive material
- The cage cancels the electromagnetic field's
effect on the interior
-The w indow of a microw ave oven
• Prevent cable and fiber cuts
-A physical denial of service (DoS)
• Hardened protected distribution system
- Sealed metal conduit , periodic visual inspection
• Not a comprehensive solution
- Not all signal types are blocked
- Some signal types are not blocked at all
• Can r estrict access to mobile networks
- Some very specific contingencies w ould need to
be in place for emergency calls
2. 7 - Secure Areas
Secure areas
• Physically secure the data
- As important as the digital secu rity
• An important part of a security policy
- Not a question to leave unansw ered
• Secure active operations
- Prevent physical access to the systems
• Secure offline data
- Backups are an important security concern
Air gap
• Physical separation betw een networks
- Secure netw ork and insecure network
- Sepa rate customer infrastructures
• Most environments are shared
- Shared routers, switches, firew al ls
- Some of these are virtualized
• Safe
- Similar to a vault, but smaller
- Less expensive to implement
- Space is limited - Install at more locations
Hot and cold aisles
• Data centers
- Lots and lots of equipment
- This equipment generates heat
• Optimize cooling
- Keep components at optimal temperatures
• Conserve energy
- Data centers are usually very large rooms
- Focus the cooling
- Low er energy costs
• Specialized netw orks require air gaps
- Stock market netw orks
- Pow er systems/ SCADA
-Airplanes
- Nuclear pow er plant operations
Vaults and safes
• Vault
- A secure reinforced room
- Store backup media
- Protect from disaster or theft
- Often onsite
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 54
https://ProfessorMesser.com
2.7 - Secure Data Destruction
Data destruction and media sanitization
• Disposal becomes a legal issue
- Some information must not be destroyed
- Consider offsite storage
• You don't w ant critica l information in the t rash
- People really do dumpster dive
- Recycling can be a security concern
- Physically destroy the media
• Reuse the storage media
- Sanitize the media for r euse
- Ensure nothing is left behind
Protect your rubbish
• Secure your garbage - Fence and a lock
• Shred your documents
- This wi ll only go so far
- Governments burn the good stuff
• Burn documents - No going back
• Pulp the paper
- Large tank w ashing to remove ink
- Paper broken dow n into pulp
- Creates recycled paper
Physical destruction
• Shredder/ pulverizer
- Heavy machinery, complete destruction
• Drill / Hammer
- Quick and easy - Platters, all the w ay through
• Electromagnetic (degaussing)
- Remove the magnetic field
- Destroys the drive data and renders the drive unusable
• Incineration - Fire hot.
Certificate of destruction
• Destruction is often done by a 3rd party
- How many drills and degaussers do you have?
• Need confirmation that your data is destroyed
- Service should include a certificate
• A paper t rail of broken data
- You know exactly w hat happened
Sanitizing media
• Purge data
- Remove it from an existing data stor e
- Delete some of the data from a database
• Wipe data
- Unrecoverable removal of data on a storage device
- Usually overwrites the data storage locations
- Usefu l w hen you need to reuse or continue using
the media
Data security
• July 2013 - UK National Health Service Surr ey
- Provided hard drives to a 3rd-party to be destroyed
- Contained 3,000 patient records
- Received a destruction certificate, but not
actually destroyed.
- Sold on eBay. Buyer contacted authorities,
fined £200,000
• File level overwriting
- $delete - W indow s Sysinternals
• Whole drive wipe secure data removal
- DBAN - Dari k's Boot and Nuke
- Physical drive destruction - One-off or industrial r emova l and destroy
2.8 - Cryptography Concepts
Cryptography
• Greek: " kryptos"
- Hidden, secret
Cryptographic keys
• Keys
- Add the key to the cypher to encrypt
- Larger keys are generally more secure
• Confidentiality
- It 's a secret
• Authentication and access control
- I know it's you. I REALLY know it 's you.
• Non-repudiation - You said it. You can't deny it.
• Integrity- Tamper-proof
Cryptography terms
• Plaintext - An unencrypted message (in the clear)
• Ciphertext - An encrypted message
• Cipher - The algorithm used to encrypt and/ or decrypt
• Cryptanalysis
- The art of cracking encryption
- Researchers are constantly trying to find
w eaknesses in ciphers
- A mathematically flaw ed cipher is bad for everyone
© 2020 Messer Studios, LLC
• Some encryption methods use one key
- Some use more than one key
- Every method is a bit differ ent
Give weak keys a workout
• A w eak key is a w eak key
- By itself, it 's not very secure
• Make a w eak key stronger by performing
multiple processes
- Hash a passw ord. Hash the hash of the passw ord.
And continue ...
- Key stretching, key strengthening
• Brute force attacks w ould r equire reversing each
of those hashes
- The attacker has to spend much more time, even
though the key is small
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 55
https://ProfessorMesser.com
2.8 - Cryptography Concepts (continued)
• New st andards are being created
- National Institute of Standards and Technology (NIST)
lead ing t he effort
- Provide pow erful encryption
- Include int egrity feat ures
- Keep costs low
Key stretching libraries
• Alrea dy built for your appli cation
- No additional programm ing involved
• bcrypt
- Generates hashes from passw ords
- An extension to t he UN IX crypt li bra ry
- Uses Blow fish cipher t o perform multiple
rounds of hashing
Homomorphic encryption (HE)
• Encrypted data is difficu lt t o w ork w ith
- Decrypt the data
- Perform a fun ction
- Encrypt the answ er
• Homomorphic encryption
- Perform calculations of data w hile it's encrypted
- Perform the w ork directly on t he encrypted data
- The decrypted data can only be view ed with
t he private key
• Passw ord-Based Key Derivation Function 2 (PBKDF2)
- Part of RSA public key crypt ography st andards
(PKCS #5, RFC 2898)
Lightweight cryptography
• Pow erful cryptography has traditiona lly
required st rength
- A pow erful CPU and lots of time
• Internet of Things (loT) devices have li mited pow er
- Bot h w atts and CPU
• Many advantages
- Secur ely store data in the cloud
- Perform research on data without viewing the data
2.8 - Symmetric and Asymmetric Cryptography
The key pair
• Asymmetric encryption
- Pu blic Key Cryptography
Symmetric encryption
• A single, shared key
- Encrypt w ith the key
- Decrypt w ith the same key
- If it get s out, you' ll need anot her key
• Key generation
- Build bot h the publ ic and private key at the same
time
- Lots of randomization
- La rge prime num bers
- Lots and lots of mat h
• Secret key algorithm
- A shared secret
• Doesn't scal e very w ell
- Can be challenging t o distribute
• Everyone ca n have the pu blic key
- Only Alice has the private key
• Very fast to use
- Less overhead than asymmet ric encryption
- Oft en combined w ith asymmetric encryption
Elliptic curve cryptography (ECC)
• Asymmetric encryption
- Need large integers composed of t wo or more large
prime factors
Asymmetric encryption
• Public key cryptogra phy
- Tw o (or more) mathematically r elated keys
• Private key - Keep th is private
• Public key - Anyone can see this key - Give it aw ay
• The private key is the only key that can decrypt data
encrypted w ith the pu blic key
- You can't derive the private key from t he public key
• Instead of numbers, use curves !
- Uses smaller keys than non-ECC asymmetric
encryption
- Smaller st orage an d t ransmission req uirements
- Perfect for mobile devices
Alice's Key Generation
Large
Random
Number
© 2020 Messer Studios, LLC
Key Generation
Program
__
.___
______. ~
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 56
https://ProfessorMesser.com
2.8 - Symmetric and Asymmetric Cryptography (continued)
Asymmetric encryption
Hello,
Alice
sBcBAE~
Plaint ext
BCAAQ
BQJYtX
ToCRA
He llo,
Alice
Ciphertext
Plaintext
Bob's Laptop
Alice's Public Key
0
Alice's Private Key
Bob combines Alice's public key
with plaintext t o create ciphertext
~ Al ice uses her private key to decrypt
~ the ciphertext into the original plaintext
Symmetric key from asymmetric keys
~
Bob's P,i"" Key
~
~
Symm&dc Key
Bob's Laptop
Bob's Public Key
Al ice's Public Key
0
Bob combines his private key with
Alice's public key to create a symmetric key
~ Alice combin es her private key with
~ Bob's pu blic key to create the same symmetric key
2.8 - Hashing and Digital Signatures
• The hash should be unique
• Represent data as a short string of text - A message digest
- Different in puts should never crea te the same hash
• One-w ay trip
- If they do, it's a collision
- Im possible to recover the original message from the digest • MOS has a collision problem
- Used to store passwords/ confidentiality
- Found in 1996 - Don't use MOS
• Verify a downloaded document is t he same as the original
Practical hashing
- Integrity
• Veri fy a down loaded file
- Hashes may be provided on the download site
• Can be a digit al signatu re
- Compar e the down loaded file hash with the
- Authentication, non-r epudiation, and integrity
posted hash va lue
• Will not have a collision (hopefully)
Hashes
- Different messages will not have the same hash
Collision
• Hash functions
- Take an input of any size - Create a fi xed size string
- Message digest, checksum
© 2020 Messer Studios, LLC
• Password storage
- Instead of storing the password, store a salted hash
- Compar e hashes during t he authentication process
- Nobody ever know s your actual password
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 57
https://ProfessorMesser.com
2.8 - Hashing and Digital Signatures (continued)
Adding some salt
• Salt
- Random data added to a password when hashing
Digital signatures
• Prove the message w as not changed
- Integrity
• Every user gets their own random salt
- The salt is commonly stored w ith the passw ord
• Prove the source of the message
- Authentication
• Make sure the signature isn't fake
- Non-repudiation
• Rain bow tables w on't w ork with salted hashes
- Additional random va lue added to the
original passw ord
• This slows things dow n the brute force process
- It doesn't completely stop the reverse engineering
• Sign with the private key
- The message doesn't need to be encrypted
- Nobody else can sign this (obviously)
• Each user gets a different random hash
- The same passw ord creates a different hash
• Veri fy with the pu blic key
- Any change in the message will invalidate the signatur e
•
•
Creating a Digital Signature
~~
1
You re
hired,
Bob
sBc BA€8CAA
QBQJZzBlbCR
AWS.ZAwUFg
0
Hash of
Pla intext
Pla intext
Hash
Alice's Com puter
Hashing
Algorithm
sBcBAE8CAA
QBQJZzB bCR
st-~ss-etMS
ft
AWSZAwUFg
Hash of
Plaintext
You're
hired,
GmcBkELopt
D igital
Signature
o
•
Alice encrypts t he hash
with her private key
•
The encrypted hash
(digital signat ure) is
included with t he plaintext
Bob
---.
Alice creates a hash
of the original plaintext
Gl"ld8'ELopt
e~Fss·edYJS
Plaintext
and Digital
Signature
Al ice's Private Key
Verifying a Digital Signature
You're
You 1 re
hired,
GmC:B<E~opt
8"f85TetMS
Bob
D,g,tal
Signature
GmCIB<ELopt
Sh~851'etMS
Oecrvpnon
Pla intext
and Digital
Signature
Bo b's Lap top
ft
hired,
0
Bob
sBcBAEBCAA
QBQJZzBlbCR
AWSZAwUFg
Hash of
Plaintext
Plaintext
Hash
Hash ing
A lgorithm
8
sBcBAEBCAA
QBQJZzBlbCR
AWSZAwUFg
Hash o f
Plaintext
o
Bob decrypts the
digita l signature
to obtain the
plaintext hash
Bob hashes the
8
plaintext and
compa res it to
the decrypted hash
Al ice's Public Key
2.8 - Cryptographic Keys
Cryptographic Keys
• There's very little that isn' t know n about the
cryptogra p hie process
- The algorithm is usually a known entity
- The only thing you don't know is the key
• The key determines the output
- Encrypted data
- Hash value
- Digital signature
• Keep you r key private !
- It 's the only thing protecting you r data
Key strength
• Larger keys tend to be more secure
- Prevent brute-force attacks
- Attackers can try every possible key combination
© 2020 M e sser Studios, LLC
• Symmetric encryption
- 128-bit or larger symmetric keys are common
- These numbers get larger as time goes on
• Asymmetric encryption
- Complex calculations of prime numbers
- Larger keys than symmetric encryption
- Common to see key lengths of 3,072 bits or larger
Key exchange
• A logistical challenge
- How do you transfer an encryption key across an
insecur e medium w ithout having an encryption key?
• Out-of-band key exchange
- Don' t send the symmetric key over the 'net
- Telephone, courier, in-person, etc.
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 58
https://ProfessorMesser.com
2.8 - Cryptographic Keys (continued)
• In-band key exchange
- It 's on the netw ork
- Protect the key with additional encryption
- Use asymmetric encryption to deliver
a symmetric key
Real-time encryption/decryption
• There's a need for fast security
- W ithout compromising the security part
Traditional web server encryption
• SSL/TLS uses encryption keys to protect w eb
server communication
- Traditionally, this has been based on the w eb server's
RSA key pair
- One key that encrypts all symmetric keys
• This server's private key can rebuild everyth ing
- If you capture all of the traffic, you can decrypt all of
the data
• Share a symmetric session key using
asymmetric encryption
- Client encrypts a random (symmetric) key with a
server's publ ic key
- The server decrypts this shared key and uses it to
encrypt data
- This is the session key
Perfect Forward Secrecy {PFS)
• Change the method of key exchange
- Don't use the server's private RSA key
• Implement session keys carefully
- Need to be changed often (ephemeral keys)
- Need to be unpr edictables
• Can't decrypt w ith the private server key
- Every session uses a different private key for the
exchange
Symmetric key from asymmetric keys
• Use public and private key cryptography to create
a symmetric key
- Math is pow erfu l
• PFS requires more computing pow er
- Not all servers choose to use PFS
• One point of failure for all of your w eb site encryption
• Elliptic curve or Diffie-Hellman ephemeral
- The session keys aren't kept around
• The brow ser must support PFS
- Check your SSL/TLS information for details
2.8 - Steganography
Obfuscation
• The process of making something unclear
- It 's now much more difficult to understand
Common steganography techniques
• Netw ork based
- Embed messages in TCP packets
• But it 's not impossible to understand
- If you know how to read it
• Use an image
- Embed the message in the image itself
• Make source code difficult to read
- But it doesn't change the functionality of the code
• Invisible w atermarks
- Yel low dots on printers
• Hide information inside of an image
- Steganography
Other steganography types
• Audio steganography
- Modify the digital audio file
- Interlace a secret message within the audio
- Similar technique to image steganography
Steganography
• Greek for "concealed w riting"
- Security through obscurity
• Video steganography
-A sequence of images
- Use image steganography on a larger scale
- Manage the signal to noise ratio
- Potentially transfer much more information
• Message is invisible
- But it's really ther e
• The covertext
- The container document or file
2.8 - Quantum Computing
Quantum computing
• Computers based on quantum physics
- This is not an upgrade to your existing computer
- This is a new computing technology
• Classical mechanics
- Smallest form of information is a bit
- Bits ar e zeros and ones
• Quantum mechanics
- Smallest form of information is a qubit
© 2020 Messer Studios, LLC
- Bits are zeros, ones, and any combination
in-betw een, at the same time
- This is called quantum superposition
• Search quickly through large databases
- Index everything at the same time
• Simulate the quantum w orl d
- Medical advances, w eather prediction,
astrophysics, and much more
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 59
https://ProfessorMesser.com
2.8 - Quantum Computing {continued)
• We w ill need to consider our options for future
cryptography
- This is a problem that can be easily seen and
addressed
Post-quantum cryptography
• Breaks ou r existing encryption mechanisms
- Quickly factor large prime numbers
• Th is w ould cause signifi cant issues
- None of t he existing crypt ography could be t rusted
- No financia l transactions w ould be safe
- No data w ou ld be private
• Pet er Shor invented Shor's algorithm in 1994
- Given an int eger N, fi nd its prime factors
- Traditional com puters w ould take longer than the
lifetime of the un iverse
- Shor's algorithm w ou ld t heoretica lly be much,
much faster
Quant um communication
• Prot ect against eavesdropping using quantum
cryptography
- Quantum Key Distribution (QKD)
• Create un breakable encryption
- Send a ran dom stream of qubit s (the key) across a
quant um net w ork channel
• Both sides can verify the key
- If it's identical, the key w as not view ed du ring
transmission
• Time for upd at ed cryptography
- Not vulnera ble t o quantum com puter based attacks
• An attacker eavesdropping on the communication
w ou ld modify the data stream
- The attacker w ould have to violate quantum physics
• NTRU
- A cryptosystem using lattice t heory
- Relies on the "closest-vector" problem
- Instead of finding t he prime fa ctorizations of
large numbers
2.8 - Stream and Block Ciphers
Stream ciphers
• Encryption is done one bit or byte at a time
- High speed, low ha rd w are complexit y
Block cipher mode of operation
• Encrypt one fixed-lengt h grou p of bit s at a time
- A block
• Used w ith symmetric encryption
- Not common ly used wit h asymmetric encryption
• Mode of operation
- Defi nes the method of encryption
- May provide a method of authentication
• The sta rting stat e shou ld never be the same t wice
- Key is often com bined wit h an initialization vector {IV)
Block ciphers
• Encrypt fixed-length grou ps
- Oft en 64-bit or 128-bit blocks
- Pad added to short blocks
- Each block is encrypted or decrypted independent ly
• Symmetric encryption
- Similar to stream ciphers
• Block cipher modes of operation
- Avoid patterns in the encryption
- Many different modes t o choose from
• The block size is a fi xed size
- Not all data matches the block size perfectly
- Split you r plaintext into smaller blocks
- Some modes requ ire padding befor e encrypting
ECB (Electronic Code Book)
• The simplest encryption mode
- Too simple for most use cases
• Each block is encrypt ed w ith the same key
- Identical plaintext blocks create identical
ciphertext blocks
ECB (Electronic Code book) cipher mode
Pla int ext
ft-
1
Block Cipher
Encryption
Key
Pla int ext
ft-
1
Block Cipher
Encryption
Key
1
Ciphert ext
© 2020 Messer Studios, LLC
Plaint ext
ft-
1
Block Cipher
Encryption
Key
1
Ciphert ext
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 60
1
Ciphert ext
https://ProfessorMesser.com
2.8 - Stream and Block Ciphers (continued)
CBC (Cipher Block Chaining)
• A popular mode of operation - Relatively easy to implement
• Each plaintext block is XORed w ith the previous
ci phertext block
- Adds additional ran dom ization
- Use an initia lization vector for the first block
CTR (Counter)
• Block cipher mode/ act s like a stream cipher
- Encrypt s successive values of a "counter"
• Plaintext can be any size, since it 's part of the XOR i.e., 8 bits
at a time (streaming) instead of a 128-bit block
GCM (Galois/Counter Mode)
• Encryption w ith authentication
- Authentication is part of t he block mode
- Com bines Counter Mode with
- Galois authentication
• M inimum latency, minimum operation overhead
- Very efficient encryption and authentication
• Commonly used in packetized data
- Network t raffi c security (w ireless, IPsec)
- SSH, TLS
CBC (Cipher Block Chaining) cipher mode
?la in text
-~
f;P-
f;P-
e o ck c ph i:~ : ncryption
Pla in text
~
~
f;P-
e oc,: Ci."hr Ef'cry:,tion
Key
Key
I I I I
LI
LI
Ophe ttext
0
Block. c ph e~ : ncryp:-on
Key
LI I I LI
I I
LI
Ciphertext
CTR (Counter) cipher mode
0
Pla int-:xt
Ophe ttext
Counter
Counter
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
31ock Cipher Encryption
Block Cipher Encryption
Ciphertext
Ophertext
0
0
0
1
2.8 - Blockchain Technology
Blockchain
• A dist ribut ed ledger
- Keep t rack of t ransactions
• Everyone on the blockchain net w ork
mainta ins the ledger
- Records and replicates t o anyone
and everyone
© 2020 Messer Studios, LLC
• Many practical applications
- Payment processing
- Digital identification
- Supply cha in monit oring
- Digital voting
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 61
https://ProfessorMesser.com
2.8 - Blockchain Technology {continued)
©
I
-
,----,r---,
\
1 A transaction Is requested. The transaction
2 The transaction Is sent to every computer,
could be any digital transaction from
transferring Bitcoins, medical records, data
backups, to transferring house title
information.
or node, in a d ecentralized network to be
verified.
3 The verified transaction Is added to a new
block of data containing other recently
verified transactions.
-- -- ----- --5 The block Is added to the end of the
4 A secure code, called a Hash, is calculated
from the previous blocks of transaction data
in the Blockchain. The hash is added to the
new block of verified transactions.
Blockchain which is then updated to all nodes
in the network for security. The transaction is
complete.
6
If any blocks are altered, its hash and all
following hashes in the chain are
automa tically recalculated. The altered chain
will no longer match the chains stored by the
rest of the network, and w ill be rejected.
2.8 - Cryptography Use Cases
Finding the balance
• Low power devices
- Mobile devices, portable systems
- Smaller symmetric key sizes
- Use elliptic curve cryptography (ECC} for
asymmetric encryption
• Low latency
- Fast computation time
- Symmetric encryption, smal ler key sizes
• High r esiliency
- La rger key sizes
- Encryption algorit hm qualit y
- Hashing provides data integrity
Use cases
• Confidentia lity
- Secrecy and privacy
- Encryption (file-level, drive-level, email)
© 2020 M esser Studios, LLC
• Integrit y
- Prevent modification of data
- Validate the contents with hashes
- File downloads, passw ord storage
• Obfuscation
- Modern malw are
- Encrypted data hides the active ma lw are code
- Decryption occurs during execution
• Authentication
- Password hashing
- Protect the original password
- Add salt to randomize the stored passw ord hash
• Non-Repudiation
- Confirm the authenticity of data
- Digital signature provides both integrit y
and non-repudiation
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 62
https://ProfessorMesser.com
2.8 - Cryptography Limitations
Finding the balance
• Cryptography isn't a perfect solution
- It can have sign ificant li mitations
• Not all im plement ations are the same
- Different platforms, different cryptogra phic options
• Cryptography can't fi x bad technique
- Hashing easily guessed passw ords w it hout a salt
• Every situation is different
- Do you r homew ork
Limit ations
• Speed
- Cryptography adds overhead
- A system needs CPU, CPU needs pow er
- More involved encryption increases the load
• Size
- Typica l block ciphers don't increase t he size of
encrypted dat a
- AES block size is 128 bits/16 byt es
- Encrypting 8 byt es w ou ld pot entia lly double the
storage size
• Weak keys
- Larger keys are generally more difficult to brute force
- The w eak IV in RC4 resulted in the WEP secu rity issues
• Longevity
- A specific cryptogra phic t echnology can becomes
less secure over time
- Smaller keys are easier t o brute force, larger keys
t ake longer t o process
- Key retirement is a good best practice
• Predictability and entropy
- Random num bers are critical for secure cryptography
- Hardw are random number generators can
be predictable
- A passphrase needs t o be appropriately random
• Key reuse
- Reusing the same key reduces complexity
- Less cost and effort to r ecertify keys
- Less administrative overhead
- If the key is compromised, everything using t hat
key is at risk
- loT devices often have keys embedded in the firmware
• Resource vs. security constraints
- loT devices have li mited CPU, memory, an d pow er
- Real-time applications can't delay
- Diffi cult to ma int ain and update securit y com ponents
• Time
- Encryption and hash ing takes time
- Larger files take longer
- Asymmetric is slow er than symmetric
3.1 - Secure Protocols
Voice and video
• SRTP
- Secu re Real-Time Transport Protocol / Secu re RTP
• Adds security featu res to RTP
- Keep conversations privat e
• Encryption
- Uses AES t o encrypt the voice/video flow
• Authentication, integrit y, and replay protection
- HMAC-SHAl - Hash-based message authentication
code using SHAl
Time synchronization
• Classic NTP has no secu rity feat ures
- Exploit ed as amplifiers in DDoS attacks
- NTP has been around pri or t o 1985
• NTPsec
- Secu re net w ork time protocol
- Began development in June of 2015
• Cleaned up the code base
- Fixed a number of vulnera bil ities
© 2020 Messer Studios, LLC
Email
• S/M IME
- Secur e/Multi purpose Internet Mail Ext ensions
- Publi c key encryption and digit al signing
of ma il content
- Requires a PKI or similar organization of keys
• Secure POP and Secure IMAP
- Use a STARTTLS extension to encrypt POP3 w ith
SSL or use IMAP wit h SSL
• SSL/TLS
- If the mail is brow ser based, alw ays encrypt w ith SSL
Web
• SSL/TLS
- Secur e Sockets Layer/ Transport Layer Secu rity
• HTTP$
- HTTP over TLS / HTTP over SSL/ HTTP Secu re
• Uses public key encryption
- Private key on the server
- Symmetric session key is transferred using
asymmetric encryption
- Security and speed
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 63
https://ProfessorMesser.com
3.1 - Secure Protocols (continued)
IPSec (Internet Protocol Security)
• Security for OSI Layer 3
- Authentication and encryption for every packet
Domain name resolution
• DNS had no security in the original design
- Relatively easy to poison a DNS
• Confidentiality and integrity/anti-replay
- Encryption and packet signing
• DNSSEC
- Domain Name System Security Extensions
• Very standardized
- Common to use multi-vendor im plementations
• Va lidate DNS re sponses
- Origin authentication
- Data integrity
• Tw o core IPSec protocols
- Authentication Header (AH)
- Encapsulation Security Payload (ESP}
File transfer
• FTPS
- FTP over SSL (FTP-SSL}
- File Transfer Protocol Secure
- This is not SFTP
• Public key cryptography
- DNS records ar e signed with a t rusted third party
- Signed DNS record s are published in DNS
Routing and switching
• SSH • Secure Shell
- Encrypted terminal communication
• SFTP
- SSH File Transfer Protocol
- Provides file system functiona lity
- Resuming interrupted t ra nsfers, directory listings,
remot e file removal
LDAP (Lightweight Directory Access Protocol)
• Protocol for rea ding and w riting di rectories over
an IP network
- An organized set of record s, like a phone directory
• X.500 specifi cation w as w ritten by the Internationa l
Telecommunications Union (ITU)
- They know directories !
• DAP ra n on t he OSI protocol stack
- LDAP is lightw eight, and uses TCP/IP
• LDAP is the protocol used to query and update
an X.500 directory
- Used in W indow s Active Directory,
Apple OpenDirectory, Open l DAP, etc.
Directory services
• LDAP (Lightw eight Directory Access Protocol)
• LDAPS (LDAP Secur e)
- A non-sta ndard implementation of LDAP over SSL
• SASL (Sim ple Authentication and Securit y Layer)
- Provides authentication using many different
met hods, i. e., Kerberos or client certifi cate
Remote access
• SSH (Secure Shell)
- Encrypted termina l communication
- Replaces Telnet (and FTP)
- Provides secure terminal communication and
file tra nsfer features
• SNMPv3 • Simple Netw ork
- Management Protocol version 3
- Confidentiality - Encrypted data
- Integrity - No ta mpering of data
- Authentication - Verifies the source
• HTTP$
- Brow ser-based management
- Encrypted commun ication
Network address allocation
• Securing DHCP
- DHCP does not include any built-in security
- There is no "secu re" version of t he DHCP protocol
• Rogue DHCP servers
- In Active Directory, DHCP servers must be authorized
- Some sw itches can be con figured with
" trusted" interfaces
- DHCP distribution is only allow ed from
trusted interfa ces
- Cisco calls th is DHCP Snooping
- DHCP client DoS - Starvation attack
- Use spoofed MAC addresses to exhaust the DHCP pool
- Switches can be configured to limit the number of
MAC addresses per interface
- Disable an interface w hen mu ltiple MAC addr esses
are seen
Subscription services
• Automated su bscriptions
- Anti-virus/ Anti-ma lw are signatu re updates
- IPS updates
- Ma licious IP addr ess databases / Firew all updates
• Constant updates
- Each subscription uses a different update method
• Check for encryption and integrity checks
- May require an additional public key configuration
- Set up a trust relationship
- Certificates, IP addresses
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 64
https://ProfessorMesser.com
3.2 - Endpoint Protection
The endpoint
• The user's access - Applications and data
• Stop the attackers - Inbound attacks, out bound attacks
• Many different platforms - Mobil e, deskt op
• Protection is multi-facet ed - Defense in depth
Anti-virus and anti-malware
• Anti-virus is the popular t erm
- Refers specifica lly to a type of malwar e
- Trojans, w orms, macro viruses
• Ma lw are refers t o the broa d malicious
softwar e category
- Anti-malware stops spyw are, ransomw ar e,
fileless ma lw are
• The terms are effectively the same t hese days
- The names are more of a marketing t ool
- Anti-virus software is also anti-ma lware softw are now
- Make sure your system is using
- a comprehensive solution
Endpoint detection and response (EDR)
• A different method of th reat protection
- Scale to meet the increasing num ber of t hreats
• Detect a threat
- Signat ures aren't t he only detection tool
- Behaviora l analysis, mach ine learning,
process monitoring
- Lightw eight agent on t he endpoint
• Investigate the threat
- Root cause analysis
• Respond to the thr eat
- Isolate the system, quarantine the threat , rollback
to a previous config
- API driven, no user or technician intervention requ ired
Data Loss Prevention (OLP)
• Where's your data?
- Social Security numbers, credit card num bers,
medical records
• Stop the data before the attacker get s it
- Data " leakage"
• So many sources, so many destinations
- Oft en requires mu ltiple solutions
- Endpoint cli ent s
- Cloud-based systems
- Emai l, cloud storage, collaboration tools
Next-generation firewall (NGFW)
• The OSI Application Layer - All data in every packet
• Can be called different names
- Appl ication layer gat eway
- Stat eful multi layer inspection, deep packet inspection
• Broa d secu rity controls
- Allow or disa llow application feat ures
- Identify attacks and malware
- Exam ine encrypted data
- Prevent access to URLs or URL categories
Host-based firewall
• Softw are-based firew all
- Personal firew all, runs on every en dpoint
• Allow or disallow incom ing or outgoing
application traffi c
- Control by application process
- View all dat a
• Identify and block unknow n processes
- Stop malwar e before it can sta rt
• Manage centra lly
Finding intrusions
• Host-based Intrusion Detection System (H IDS)
- Uses log fi les t o identify int rusions
- Can reconfi gure fi rew alls to block
• Host-based Intrusion Prevention System (H IPS)
- Recogn ize and block know n attacks
- Secu re OS and application confi gs, validate
incom ing service requests
- Oft en built into endpoint protection softw are
• HIPS identifi cation
- Signat ures, heuristics, behaviora l
- Buffer overfl ow s, registry updates, w riting files
to the W indows fold er
- Access t o non-encrypted data
3.2 - Boot Integrity
Hardware root of trust
• Security is based on trust
- Is you r dat a safely encrypted?
- Is th is w eb sit e legitimate?
- Has the operating system been infected ?
Trusted Platform Module (TPM)
• A specification for cryptographic functions
- Hardw are t o help w ith encryption functions
• The trust has to start somew her e
- Trusted Platform Module (TPM),
- Hardw are Security Modu le (HSM)
- Designed t o be the hardware root of the trust
• Persistent memory
- Comes with unique keys burned in during production
• Diffi cu lt to change or avoid
- It 's hardware
- Won't w ork without t he hardwar e
• Passw ord protected
- No dictionary attacks
© 2020 Messer Studios, LLC
• Cryptographic processor
- Random number generator, key generators
• Versatile memory
- Storage keys, hardw are confi guration information
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 65
https://ProfessorMesser.com
3.2 - Boot Integrity (continued)
Boot integrity
• The attack on ou r systems is constant
- Techn iques are constantly changing
Trusted Boot
• Bootloader verifies digital signature of the OS kernel
- A corrupted kernel wil l halt the boot process
• Attackers comprom ise a device
- And w ant it to stay compromised
• The kernel verifies all of the other start up components
- Boot drivers, start up files
• The boot process is a perfect infection point
- Rootkits run in kernel mode
- Have t he same right s as t he operating system
• Just before loading the drivers,
- ELAM (Early Launch Anti-Ma lw are) starts
- Checks every driver to see if it's trusted
- W indow s w on't load an untrusted driver
• Protecting t he boot process is import ant
- Secu re boot, trusted boot, and measured boot
- A cha in of trust
Measured Boot
• Not hing on t his comput er has changed
- There have been no malw are infections
- How do you know ?
UEFI BIOS Secure Boot
• Secure Boot
- Part of the UEFI specifi cation
• Easy w hen it 's just your computer
- More diffi cu lt w hen there are 1,000
• UEFI BIOS protections
- BIOS includes the manufactu rer's public key
- Digital signat ure is checked during a BIOS update
- BIOS prevents unauthori zed w rites to the flash
• UEFI st ores a hash of the firm w are, boot drivers, and
everyth ing else loaded during the Secu re Boot and
- Trusted Boot process
- Stored in the TPM
• Secure Boot verifies the bootloader
- Checks the boot loader's digital signat ure
- Bootloader must be signed w ith a t rusted certifi cate
- Or a manually approved digital signature
• Remote attestation
- Device provides an operational report to a
verification server
- Encrypted and digitally signed wit h t he TPM
• Attestation server r eceives the boot report
- Changes are identified and managed
3.2 - Database Security
Database security
• Protecting stored data
- And the t ransmission of that data
Tokenization
• Replace sensitive data w ith a non-sensitive placeholder
- SSN 266-12-111 2 is now 69 1-61-8539
• Intellectual property storage
- Data is valuable
• Common w ith credit card processing
- Use a temporary token during payment
- An attacker capturing the card numbers
can't use them lat er
• Compliance issues
- PCI DSS, HIPAA, GDPR, etc.
• Keep the business running
- Secu rity provides continuity
• This isn't encryption or hash ing
- The original dat a and token aren't mat hematica lly related
- No encryption overhead
• Breaches ar e expensive - Keep costs low
Tokenization
Remote Token
Service Server
(J
4545 .... . ... 5 678
is the t oken for
111111111111234
~
•
~
f)
Card is regist e red
with t he token
service server
D
A
V
Token Service
Se rver provides a
token instead:
4545 .... .... 5678
A
______ W
A
V
User registers a credit ca rd
o n t heir mobile phone:
411111111111 1234
© 2020 Messer Studios, LLC
Pho ne is used
at a st ore
d uring checkout
usi ng NFC
A
W
Token is
validated
D
A
V
Pay with:
4545 •••• •••• 5678
E)
Lt]
.
Mereha~t Payment
Processing Serve r
Tran sactio n approved
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 66
https://ProfessorMesser.com
3.2 - Database Security {continued)
Hashing a password
• Hashes repr esent data as a fi xed-length string of text
- A message digest, or " fingerprint"
Adding some sa lt
• Salt
- Random data added t o a passw ord w hen hash ing
• W ill not have a collision (hopefu lly)
- Different input s will not have the same hash
• Every user gets their ow n random salt
- The salt is commonly stored with the passw ord
• One-w ay t rip
- Im possible to recover the original message
from the digest
- A common w ay to store passw ords
• Rainbow tables w on' t w ork with salted hashes
- Additiona l random value added to the original
passw ord
• This slow s th ings dow n the brute force process
- It doesn' t completely stop t he reverse engineering
3.2 - Application Security
Secure coding concepts
• A balance bet w een time and quality
• Programm ing w ith secu rity in m ind is oft en secondary
• Testing, testing, testing
• The Quality Assurance (QA) process
• Vulnerabilities w ill eventually be found
• And exploited
Input va lidation
• What is the expected input?
• Validate actual vs. expected
• Used for t racking, personalization, session
management
• Not execut able, not generally a secu rity risk
• Unless someone gets access to them
• Secure cookies have a Secure attribute set
• Brow ser will only send it over HTTP$
• Document all input methods
• Forms, fi elds, t ype
• Check and correct all input (normalization)
• A zip code shou ld be on ly X cha racters long
with a letter in t he X column
• Fix any data w ith improper input
• The fuzzers w ill find w hat you missed
• Don' t give them an opening
Dyna mic analysis (fuzzing)
• Send ran dom input to an application
• Fau lt-injecting, robustness testing,
syntax testing, negative testing
• Looking for someth ing out of the ordinary
• Application crash, server error, exception
• 1988 class proj ect at t he Un iversit y of Wisconsin
• " Operating System Utility Program Reliability"
• Professor Bart on M iller
• The Fuzz Generat or
Fuzzing engines and fra meworks
• Many different fuzzing options
• Platform specifi c, language specific, etc.
• Very time and processor resource heavy
• Many, many different iterations t o try
• Many fuzzing engines use high-probability t ests
• Carnegie Mellon Comput er
• Emergency Response Team (CERT)
• CERT Basic Fuzzing Framew ork (BFF)
• https://profe ssormesser.lin k/ bff
© 2020 Messer Studios, LLC
Secure cookies
• Cookies
• Information stored on your computer by the
brow ser
• Sensitive information shou ld not be saved in a cookie
• This isn' t designed t o be secure storage
HTTP secure headers
• An additional layer of security
• Add these to the w eb server configuration
• You can't fi x every bad application
• Enforce HTTPS communication
• Ensur e encrypted communication
• Only allow scripts, stylesheets, or images from
the local site
• Prevent XSS attacks
• Prevent data from loading into an inline frame
(iframe)
• Also helps to prevent XSS attacks
Code signing
• An application is deployed
• Users run application executa ble or scripts
• So many security questions
• Has the application been modified in any w ay?
• Can you confirm that the application w as w ritten
by a specific developer?
• The application code can be digitally signed by the
developer
• Asymmetric encryption
• A trusted CA signs the developer's public key
• Developer signs the code w ith their privat e key
• For int ernal apps, use you r ow n CA
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 67
https://ProfessorMesser.com
3.2 - Application Security {continued)
Allow list / deny list
• Any application can be dangerous
• Vu lnerabi lities, trojan horses, ma lw are
• Security policy can control app execution
• Allow list, deny/block list
• Allow list
• Nothing runs unless it's approved - Very restrictive
Static code analyzers
• Static Application Security Testing (SAST)
• Help to identify security fla ws
• Many security vu lnerabilities found easily
• Buffer overflows, database injections, etc.
• Not everything can be identified through analysis
• Authentication security, insecure cryptography, etc.
• Don't rely on automation for everyth ing
• Deny list
• Nothing on the "bad list" can be executed
• Anti-virus, anti-malw are
• Still have to verify each fin ding
• False positives are an issue
Examples of allow and deny lists
Static code analyzer results
flaal.RtsullS
• Decisions are made in the operating system
• Often built-in to the operating system management • •l-"ffll....,._ &,,u.., _ _..,,,.
-~••...,.....,""--•-,vA>o,Nllltl;..,.,,..,1/,C, J)AI '"".........., ~-...__..... _ _ , . . , _ ...........
• Application hash
• Only al lows applications w ith this unique identifier
• Certificate
• Allow digitally signed apps from certain publishers
...~.... i....,.-_......... _.,,_"_'"···- • · -.... ..,,.
• ....,.
_,.,,-Cfln,,,M,')
..-.....
" 1._
. ' -l .......
...,...,
_ _ _-_ ..~--'--"'1.,11,•
_ _,.......,._..,
-••
f#. ...,......._,.._,.(,\1$~J ~IJlll, (\..,....,........,..._""'\..... --"").._,.._ it\ol' e ...... a.
• -1-P11-.....~....... l>o,f--,wn,,,r, ....... ~,......... -
••
,,,,....,11-11 ...........w-,-u .....
- - lCU1Jb
• Path - Only run applications in these folders
• Netw ork zone
• The apps can on ly run from this network zone
3.2 - Application Hardening
Application hardening
• M inim ize the attack surface
- Remove all possible entry points
Disk encryption
• Prevent access to application data files
- Fi le system encryption
• Remove the potential for all known vulnerabilities
-As w ell as the unknow n
• Full disk encryption (FDE)
- Encrypt everything on the drive
- Bitlocker, FileVault , etc.
• Self-encrypting drive (SEO)
- Hardw are-based full disk encryption
- No operating system software needed
• Some hardening may have compliance mandates
- HIPAA servers, PCI DSS, etc.
• There are many different resources
- Center for Internet Security (CIS)
- Network and Securit y Institute (SANS)
- National Institute of Standards and Technology (NIST)
• Opal storage specification
- The standard for of SEO storage
Open ports and services
• Every open port is a possible entry point
- Close everything except required ports
Operating system hardening
• Many and va ried
- Windows, Linux, iOS, Android, et al.
• Control access w ith a firew all
- NGFW w ould be ideal
• Unused or unknow n services
- Instal led with the OS or from other applications
• Updates
- Operating system updates/service packs,
security patches
• Applications w ith broad port ranges
- Open port O through 65,535
• Use Nmap or similar port scanner to verify
- Ongoing monitoring is important
Registry
• The primary configuration database for W indow s
- Almost everything can be configured from the registry
• User accounts
- Minimum passw ord lengths and complexity
- Account limitations
• Netw ork access and security
- Limit netw ork access
• Monitor and secure
- Anti-virus, anti-ma lware
• Useful to know w hat an application modifies
- Many third-party tools can show registry changes
• Some registry changes are important securit y settings
- Configure registry permissions
- Disable SMBvl
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 68
https://ProfessorMesser.com
3.2 - Application Hardening (continued)
Patch management
• Incredibly important
- System stability, secu rity fixes
Sand boxing
• Applications cannot access unrelated r esources
- They play in their ow n sandbox
• Mont hly updates
- Increment al (and important)
• Commonly used du ring development
- Can be a usefu l production t echnique
• Th ird-part y updates
- Appl ication developers, device drivers
• Auto-upd at e - Not alw ays the best option
• Used in many differ ent deployments
- Virtual machines
- Mobil e devices
- Browser ifram es (lnli ne Frames)
- W indow s User Account Control (UAC)
• Emergency out-of-band upd at es
- Zero-day and important secu rity discoveri es
3.3 - Load Balancing
Balancing the load
• Distribute the load
- Multiple servers
- Invisible to t he end-user
Scheduling
• Round-robin
- Each server is selected in turn
• Large-sca le implementations
- Web server farms, database farms
• Fault tolerance
- Server out ages have no effect
- Very fast convergence
• Weighted round -robin
- Prioritize t he server use
• Dynamic round-robin
- Monitor the server load and distribute t o the server
wit h t he low est use
• Active/active load balancing
Load balancer
• Configu rable load
- Manage across servers
Affinity
• Affi nity
- A kinship, a likeness
• TCP offload
- Protocol overhead
• Many applications req uire commun ication to t he same
instance
- Each user is "stuck" t o the same server
- Tracked th rough IP address or session IDs
- Sou rce affinit y/ sticky session/ session persistence
• SSL offload
- Encryption/Decryption
• Caching
- Fast response
Active/ passive load balancing
• Some servers are active
- Others are on st andby
• Prioritization
- QoS
• Content swit ching
- Appl ication-centric balancing
• If an active server fa ils, the passive server takes it s place
3.3 - Network Segmentation
Segmenting the network
• Physical, logical, or virtual segmentation
- Devices, VLANs, virtual netw orks
• Performance
- High-bandwidth applications
Physical segmentation
• Devices are physically separat e - Air gap betw een
Switch A and Switch B
• Security
- Users should not talk directly to database servers
- The only applications in the core ar e SQL and SSH
• Web servers in one rack - Database servers on another
• Compliance
- Mandated segmentation (PCI compliance)
- Makes change control much easier
• Separate devices
- Mu ltiple un its, separate infrastructu re
© 2020 Messer Studios, LLC
• Must be connected to provide communication
- Direct connect , or another sw itch or router
• Customer A on one switch, customer B on anot her
- No opport un ity for mixing data
Logical segment ation with VLAN s
• Virtual Local Area Net w orks (VLANs)
- Sepa rat ed logically instead of physica lly
- Cannot commun icat e betw een VLANs wit hout
a Layer 3 device/ rou ter
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 69
https://ProfessorMesser.com
3.3 - Network Segmentation (continued)
Screened subnet
East-west traffic
• Previously known as the demilitarized zone (DMZ)
- An additional layer of security betw een
the Internet and you
- Public access to public resources
• Traffic flows w ithin a data center
- Important to know wh ere traffic starts and ends
Extra net
• A pri vate network for partners
- Vendors, suppliers
• Usually r equires additional authentication
- Only allow access to authori zed users
• East-w est
- Traffic betw een devices in the same data center
- Relatively fast response times
• North-south traffic
- Ingress/ egress to an outside device
- A differ ent security posture than east-w est t raffic
Zero-trust
Intranet
• Private network - Only available internally
• Company announcements, important documents,
other company business
- Employees only
• No external access
- Internal or VPN access only
• Many netw orks are relatively open on the inside
- Once you're through the firewall, there are few
security controls
• Zero trust is a hol istic approach to network securit y
- Covers every device, every process, every person
• Everything must be verified
- Nothing is trusted
- Multifactor authentication, encryption, system
permissions, additional firewalls, monitoring and
analytics, etc.
North-South
Traffic
East-West
Traffic
Image Server
Directory Services
Web Servers
File Servers
3.3 - Virtual Private Networks
VPNs
SSL VPN (Secure Sockets Layer VPN)
• Virtual Private Netw orks
- Encrypted (private) data traversing a public netw ork
• Uses common SSL/TLS protocol (tcp/443)
- (Almost) No firewall issues!
• Concentrator
- Encryption/decryption access device
- Often integrated into a firewall
• No big VPN clients
- Usually remote access communication
• Many deployment options
- Specialized cryptographic hardw are
- Softw are-based options available
• Used w ith client software
- Sometimes built into the OS
© 2020 Messer Studios, LLC
• Authenticate users
- No requirement for digita l certificates or shared
passwords (like IPSec)
• Can be run from a browser or from a
(usually light) VPN client
- Across many operating systems
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 70
https://ProfessorMesser.com
3.3 - Virtual Private Networks (continued)
Remote access VPN
• On-d emand access
from a remote device
- Softw are
connects to a VPN
concentrator
~
Q
~
orporate
etwork
• Some softw are can
be con figu red as
always-on
0
Site-to-site VPN( ]
Traffic is encrypted
as it passes through the
local VPN concentrator
A
V
~
•
A
V
Traffic is decrypted
in t he VPN concentrator
on the other side of
the tunnel
.....------...
~
,-
1---- -- -Firewall/
VPN Concentrator
Full VPN Tunnel
0
A
V
~
~
•
Firewall /
VPN Concentrator
Remote
Site
~
VPN concentrator
decrypts the tunneled
traffic and routes it
int o the corporate network
A
V
~
®
Remote user creates
a secu re tunnel to
the VPN concentrator
Corporate _ _ _ _ ~__,-- - -;
Netw~rk
~
~
<>
VPN Concentrator
User
A The process is reversed
V' for t he return traffic
Traffic to a ll oth er
sites is "split" from.
the tunnel a nd is
not decrypted
Split VPN Tunnelo
Internet
_
~
professormesser.com
o
A
V
~
~
•
~
~
Only traffic to
th e corporate
network t raverses
th e VPN tunnel
Corporate _ _ _ _ ~
- , - - ----,
Networ~
~
© 2020 Messer Studios, LLC
VPN Concentrator
User
Internet
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 71
https://ProfessorMesser.com
3.3 - Virtual Private Networks (continued)
L2TP
• Layer 2 Tunneling Protocol
- Connecting sites over a layer 3 netw ork as if they
w ere connected at layer 2
• Commonly im plemented w ith IPsec
- L2TP for the tunnel, IPsec for the encryption
- L2TP over IPsec (L2TP/1Psec)
IPSec (Internet Protocol Security)
• Securit y for OSI Layer 3
- Authentication and encryption for every packet
• Confidentiality and integrit y/anti-replay
- Encryption and packet signing
• Very standardi zed
- Common to use multi-vendor implementations
• Tw o core IPSec protocols
- Authentication Header (AH)
- Encapsulation Security Payload (ESP)
AH (Authentication Header)
• Data integrit y
• Origin authentication
• Replay attack protection
• Keyed-hash mechanism
• No confidentiality/ encryption
IP Packet w ith Authentication (tunnel mode)
AH
Header
New IP Header
I
IP Header
Data
Authenticated
ESP (Encapsulating Security Payload)
• Data confidentiality (encryption)
• Limited traffic flow confidentiality
• Data integrit y
• Anti-replay protection
IPsec Datagram w ith ESP (tunnel mode}
New IP Header
ESP
Header
IP Header
ESP
Data
Trailer
Integrity
Check Value
Encrypted
Authenticated
IPsec Transport mode and Tunnel mode
AH and ESP
• Combine the data integrity of AH
w ith the confidentialit y of ESP
Original Packet
IP Header
Data
IPsec Datagram with AH and ESP (transport mode)
IP Header
AH
Header
ESP
Header
Data
ESP
Trailer
Integrity
Check Value
Encrypted
Authenticated
IPsec Datagram with AH and ESP (tunnel mode)
New IP Header
AH
Header
ESP
Header
IP Header
Data
ESP
Tra iler
Integrity
Check Va lue
Encrypted
Authenticated
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 72
https://ProfessorMesser.com
3.3 - Virtual Private Networks (continued)
Authentication Header {AH)
• Hash of t he packet and a shared key
- SHA-2 is common
- Adds t he AH to t he packet header
IPsec Transport mode and Tunnel mode
• Tunnel mode is the most common
- Transport mode may not even be an option
• Th is doesn't provide encryption
- Provides data integrity (hash)
- Guarantees the data origin (authentication)
- Prevent s r eplay attacks (sequence numbers)
• Hypertext Markup Language version 5
-The language common ly used in w eb brow sers
Encapsulation Security Pay load (ESP)
• Encrypts and authenticates the tunneled data
- Commonly uses SHA-2 for hash, AES for encryption
- Adds a header, a t railer, and an Integrit y Check Va lue
• Combine wit h Authentication Header (AH) for integrity
and aut hentication of the outer header
HTMLS VPN s
• Includes comprehensive AP I support
- Appl ication Programming Interface
- Web cryptography API
• Create a VPN tunnel wit hout a separate VPN application
- Nothing to insta ll
• Use an HTM LS compliant browser
- Communicate direct ly to t he VPN concentrator
3.3 - Port Security
Port security
• There's a lot of security that happens at the
physical sw itch interface
- Oft en the fi rst and last point of transmission
• Cont rol and protect
- Limit overall t raffi c
- Control specific traffi c t ypes
- Watch for unusual or unw ant ed t raffi c
• Differ ent options are available
- Manage different securit y issues
• IEE E standa rd 802.10 to prevent loops in bridged
(sw itched) networks (1990)
- Created by Radia Perlman
- Used practically everyw here
BPDU Gua rd
• Spann ing tree takes time to determine if a swit ch port
shou ld forward frames
- Bypass the listening and learning states
- Cisco calls t his PortFast
Broadcast s
• BPDU (Bridge Protocol Data Unit)
- The spann ing tree control prot ocol
• Send information to everyone at once
- One frame or packet, r eceived by everyone
- Every device must exam ine t he broadcast
• If a BPDU fram e is seen on a PortFast confi gured
interface (i.e., a w orkstation), shut dow n the interface
- This shou ldn' t happen - Workstations don't send BPDUs
• Li mited scope - The broadcast domain
DHCP Snooping
• Routing upd at es, ARP request s - Can add up quickly
• Ma licious softw are or a bad NIC
- Not alw ays normal traffic
• IP t racking on a layer 2 device (sw itch)
- The switch is a DHCP fir ew all
- Trusted: Routers, sw itches, DHCP servers
- Unt rusted : Ot her computers, unofficial DHCP servers
• Not used in I Pv6
- Focus on mu lticast
Broadcast storm control
• The switch can cont rol broadcasts
- Limit the number of broadcasts per second
• Can often be used to control multicast and unknow n
unicast traffi c
- Tight security posture
• Manage by specific values or by percentage
- Or the change over norma l traffic patterns
Loop prot ection
• Connect tw o switches to each other
- They'll send traffic back and fort h forever
- There's no "counting" mechan ism at the MAC layer
• Th is is an easy w ay t o bring dow n a netw ork
- And somew hat difficult to t roubleshoot
- Relatively easy t o resolve
© 2020 Messer Studios, LLC
• Switch w atches for DHCP conversations
- Adds a list of untrusted devices to a table
• Filters invalid IP and DHCP information
- Static IP addr esses
- Devices acting as DHCP servers
- Ot her invalid t raffic patterns
MAC filte ring
• M edia Access Control
- The " hardware" addr ess
• Li mit access through t he physical hardw are address
- Keeps the neighbors out
- Additional administration wit h visitors
• Easy to find w orking MAC add resses through w ireless
LAN analysis
- MAC add resses can be spoofed
- Free open-source softw are
• Security through obscurity
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 73
https://ProfessorMesser.com
3.3 - Secure Networking
Domain Name Resolution
• DNS had no security in the original design
- Relatively easy to poison a DNS
• DNSSEC
- Domain Name System Security Extensions
• Validate DNS responses
- Origin authentication
- Data integrity
• Public key cryptography
- DNS records are signed w ith a trusted third party
- Signed DNS records are published in DNS
1Pv6 security is different
• More IP addr ess space
- More difficult to IP/port scan (but not impossible)
- The tools already support 1Pv6
• No need for NAT
- NAT is not a security feature
• Some attacks disappear
- No ARP, so no ARP spoofing
• New attacks w ill appear
- For example, Neighbor Cache Exhaustion
• IPsec built in/ IPsec ready
Using a DNS for security
• Stop end users from visiting dangerous sites
- The DNS resolves to a sinkhole address
Taps and port mirrors
• Intercept network t raffic
- Send a copy to a packet captur e device
• A query to a know n-malicious addr ess can identify
infected systems
- And prevent further exploitation
• Physical taps
- Disconnect the link, put a tap in the middle
- Can be an active or passive tap
• Content filtering
- Prevent DNS queries to unw anted or
suspicious sites
• Port mirror
- Port redirection, SPAN (Sw itched Port ANalyzer)
- Softw are-based tap
- Limited functionality, but can w ork w ell in a pinch
Out-of-band management
• The netw ork isn't available
- Or the device isn't accessible from the netw ork
• Most devices have a separate management interface
- Usually a serial connection/ USB
• Connect a modem
- Dial-in to manage the device
• Console router/ comm server
- Out-of-band access for multiple devices
- Connect to the console router, then choose
w here you w ant to go
The need for QoS
• Many different devices
- Desktop, laptop, VoIP phone, mobile devices
• Many different applications
- Mission critical applications, streaming video,
stream ing audio
• Differ ent apps have different netw ork requirements
- Voice is real-time
- Recorded streaming video has a buffer
- Database application is interactive
• Some applications are "more important" than others
- Voice traffic needs to have priority over YouTube
QoS (Quality of Service)
• Prioritize traffic performance
- Voice over IP t raffic has priority over w eb-browsing
- Prioritize by maximum bandwidth, t raffic rate,
VLAN, etc.
• Quality of Service
- Describes the process of controlling traffic flows
• Many different methods
- Across many different topologies
© 2020 Messer Studios, LLC
Monitoring services
• Constant cybersecurity monitoring
- Ongoing security checks
- A staff of cybersecurity experts at a
Security Operations Center (SoC)
• Identify threats
- A broad range of threats across many different
organizations
• Respond to events
- Faster response time
• Mainta in compliance
- Someone else ensur es PCI DSS, HIPAA compliance, etc.
FIM (File Integrity Monitoring)
• Some files change all the time
- Some files should NEVER change
• Monitor important operating system and application files
- Identify w hen changes occur
• W indow s - SFC (System File Checker)
• Linux - Tripw ire
• Many host-based IPS options
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 74
https://ProfessorMesser.com
3.3 - Firewalls
The universal security control
• Standa rd issue
- Home, office, and in your operating system
• Cont rol the flow of network traffi c
- Everything passes t hrough the firew all
• Corporat e control of outbound and inbound dat a
- Sensitive materials
• Cont rol of ina ppropriate content
- Not safe for w ork, parental controls
NG FWs
• Netw ork-based Firewalls
- Control t raffi c fl ow s based on the application
- M icrosoft SQL Server, Twitter, YouTube
• Intrusion Pr evention Systems
- Identify t he application
- Apply application-specific vulnerability signat ures
to the t raffic
• Protection against evil
- Anti-virus, anti-ma lware
• Content fil tering
- URL fil ters
- Control w ebsite t raffic by category
Network-based firewalls
• Filter t raffic by port num ber or application
- Traditional vs. NG FW firew alls
Web application firewall (WAF)
• Not like a "norma l" firew all
- Appli es rules t o HTTP/HTTPS conversations
• Encrypt t raffic - VPN betw een sites
• Allow or deny based on expected input
- Unexpected input is a common method of
exploiting an application
• Most fir ew alls can be layer 3 devices (routers)
- Oft en sits on the ingress/ egress of t he netw ork
- Network Address
- Translation (NAT) functionalit y
- Authenticate dynamic routing communication
Stateless firewall
• Does not keep t rack of traffi c fl ow s
- Each packet is individua lly exam ined, r egardless
of past history
- Traffic sent out side of an active session w ill
t raverse a stat eless firew all
Stateful firewall
• Stateful firew alls remember the "state" of t he session
- Everything within a valid fl ow is allow ed
UTM / All-in-one security appliance
• Unifi ed Threat Management (UTM ) /
• Web security gatew ay
• URL filter / Cont ent inspection
• Ma lw are inspection
• Spam fil ter
• CSU/ DSU
• Router, Swit ch
• Firew all
• IDS/I PS
• Bandw idth shaper
• VPN endpoint
Next-generation firewall (NG FW)
• The OSI Application Layer
- All data in every packet
• Can be called different names
- Appl ication layer gat eway
- Stat eful multi layer inspection
- Deep packet inspection
• Requires some advanced decodes
- Every packet must be analyzed and categorized
before a security decision is determined
© 2020 Messer Studios, LLC
• SQL inj ection
- Add your ow n commands t o an application's
SQL query
• A major focus of Payment Card Industry
- Data Security Standa rd (PCI DSS)
Firew all rule s
• Access cont rol lists (ACLs)
- Allow or disallow traffic based on tuples
- Groupings of categories
- Source IP, Destination IP, port number, time of day,
appl ication, etc.
• A logical path
- Usua lly top-to-bottom
• Can be very general or very specific
- Specific rules are usua lly at the t op
• Im plicit deny
- Most firew alls include a deny at the bottom
- Even if you didn't put one
Firew all characteristics
• Open-sou rce vs. proprietary
- Open-source provides traditiona l firew all functiona lity
- Propriet ary feat ures include application control and
high-speed ha rd w are
• Hardw are vs. softw are
- Pu rpose-built hardw are provides efficient and
fl exible connectivity options
- Software-based firewalls can be installed
almost anyw here
• Appliance vs. host-based vs. virtual
- Appliances provide the fastest through put
- Host-based firew alls ar e application-a ware and
can view non-encrypt ed data
- Virt ual fir ew alls provide valuable East/ West
net w ork secu rity
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 75
https://ProfessorMesser.com
3.3 - Network Access Control
Edge vs. access control
• Cont rol at t he edge
- Your Internet link
- Managed primarily th rough firew all rules
- Firew all rules rarely change
Healt h checks/posture assessment
• Persistent agent s
- Permanently installed onto a system
- Periodic updates may be requ ired
• Dissolvable agents
- No installation is r equ ired
- Runs during the post ure assessment
- Terminates w hen no longer req uired
• Access control
- Control from w herever you are - Inside or outside
- Access ca n be based on many rules
- By user, group, location, application, etc.
- Access ca n be easily revoked or changed
- Change your security posture at any time
• Agentless NAC
- Integrated w ith Active Directory
- Checks are made during login and logoff
- Can't be sched uled
Posture assessment
• You can' t t rust everyone's comput er
- BYOD (Bring You r Ow n Device)
- Malware infections/ missing anti-malw are
- Unauthorized applications
Failing your assessment
• What happens w hen a post ure
assessment fails?
- Too dangerous t o allow access
• Before connecting to t he netw ork, perform a health check
- Is it a t rusted device?
- Is it running anti-virus? Which one? Is it updated ?
- Are the corporate applications instal led?
- Is it a mobile device?
- Is the disk encrypted?
- The type of device doesn' t matter - W indow s, Mac,
Linux, iOS, Android
• Quarantine netw ork, notify adm inistrators
- Just enough network access t o fi x the issue
• Once resolved, t ry again
- M ay requ ire additiona l fixes
3.3 - Proxies
Proxies
• Sits betw een t he users and the external net w ork
• Receives the user requests an d sends the re quest
on their behalf (t he proxy)
• Useful for caching information, access control,
URL filtering, content scanning
• Applications may need to know
how t o use the proxy (explicit )
Application proxies
• One of the simplest " proxies" is NAT
• A netw ork-level proxy
• Most proxies in use are application proxies
• The proxy understands the w ay t he application w orks
• A proxy may on ly know one application
• HTTP
• Many proxies are multipu rpose proxies
• HTTP, HTTPS, FTP, etc.
• Some proxies are invisible (transparent)
'\
~~
I
1
I
I
I
Forward Proxy
• An " int ernal proxy"
• Common ly used to
protect and cont rol
user access
t o the Internet
Internet
User
'
Proxy
' ------------- ----------------- -/
/
w w w. example .com
Internal Netwo rk
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 76
https://ProfessorMesser.com
3.3 - Proxies (continued)
Reverse Proxy
• Inbound traffic from
the Internet to your
internal service
Proxy
Web Server
',www.example.com
______________________________ _
;
/
Internal Network
Open Proxy
• A third-party,
uncontrolled proxy
• Can be a signifi cant
security concern
• Often used to
circumvent existing
security controls
Internet
Internet
Proxy
www.example.com
3.3 - Intrusion Prevention
NIDS and NIPS
• Intrusion Detection System /
- Intrusion Prevention System
- Watch netw ork traffic
lnline monitoring
• IDS/I P$ sits physically inline
- All t raffic passes through the IDS/I P$
• Intrusions
- Exploits against operating systems,
applications, etc.
- Buffer overflow s, cross-site scripting, other
vulnerabilities
• Detection vs. Prevention
- Detection - Alarm or alert
- Prevention - Stop it before it gets into
the netw ork
Passive monitoring
• Examine a copy of t he t raffic
- Port mi rror (SPAN), netw ork tap
In-band response
• Mal icious t raffic is immediately identified
- Dropped at the IPS
- Does not proceed through the netw ork
Identification technologies
• Signature-based
- Look for a perfect match
• Anomaly-based
- Build a baseline of w hat's " normal"
• Behavior-based
- Observe and report
• Heuristics
- Use artificial intelligence to identify
• No w ay to block (pr event) t raffic
Out-of-band-response
• When malicious traffic is identified,
- IPS sends TCP RST (reset) frames
- After-the-fact
- Limited UDP r esponse available
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page
n
https://ProfessorMesser.com
3.3 - Intrusion Prevention (continued)
Passive monitoring
Network traffic is sent from client to
server through the netw
·
.....
•
lnUne monltodng
0
~
Acopyof
the traffic is
sent to the IDS/ IPS
The in line IPS can allow
or deny t raffic in real-time
Network t raffic is sent
from the Internet to
the core switch, which passes
through the IPS
Internet
•
Sw itch
IPS
Firewa ll
Core Switch
3.3 - Other Network Appliances
Hardware Security Module (HSM )
• High-end cryptographic ha rd wa re
- Plug-i n card or separate hardware device
• Key backup
- Secu red storage
• Cryptographic accelerat ors
- Offload that CPU overhead
from other devices
• Sensors
- Intrusion prevention systems, firew all logs,
authentication logs, w eb server access logs, dat abase
transaction logs, email logs
• Coll ectors
- Proprietary consoles (IPS, firew all),
- SI EM consoles, syslog servers
- Many SIEMs include a correlation engine t o
compare diverse sensor data
• Used in large environments
Clusters, red undant power
Jump server
• Access secure network zones
- Provides an access mechan ism
to a protected network
Private Network
• Highly-secu red device
- Hardened and monit ored
• SSH/ Tunnel / VPN t o
the jum p server
- RDP, SSH, or jump from there
• A sign ificant security concern
- Com prom ise t o the
jump server is
a sign ificant breach
Sensors and collectors
• Aggregate information from netw ork devices
- Built-i n sensors, sepa rat e devices
- Integrated into sw itches, routers, servers, firew alls, etc.
•
App lication Server
Client
Jump Server
W eb Server
Database Se rve r
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 78
https://ProfessorMesser.com
3.4 - Wireless Cryptography
Securing a wireless network
• An organization's wi reless netw ork can contain confidential
information
- Not everyone is allow ed access
• GCMP security services
- Data confidentiality w ith AES
- Message Integrity Check (M IC) with
- Galois Message Authentication Code (GMAC)
• Authenticate the users before granting access
- Who gets access to the wireless network?
- Username, passw ord, multi-factor authentication
• Ensure that all communication is confidential
- Encrypt the w ireless data
The WPA2 PSK problem
• WPA2 has a PSK brute-force problem
- Listen to the four-w ay handshake
- Some methods can derive the PSK hash w ithout
the handshake
- Capture the hash
• W ith the hash, attackers can brute force the
pre-shared key (PSK)
• Verify the integrity of al l communication
- The received data should be identical to the
original sent data
- A message integrity check (M IC}
Wireless encryption
• All wireless computers are radio t ransmitters and receivers
- Anyone can listen in
• Solution: Encrypt the data - Everyone has an encryption key
• Only people with the right key can t ransmit and listen
- WPA2 and WPA3
WPA2 and CCMP
• W i-Fi Protected Access II (WPA2)
- WPA2 certification began in 2004
• CCMP block cipher mode
- Counter Mode with Cipher Block Chaining
- Message Authentication Code Protocol, or
- Counter/ CBC-MAC Protocol
• CCMP security services
- Data confidentiality w ith AES
- Message Integrity Check (M IC) with CBC-MAC
WPA3 and GCMP
• W i-Fi Protected Access 3 (WPA3) - Introduced in 2018
• GCMP block cipher mode
- Galois/ Counter Mode Protocol
- A stronger encryption than WPA2
• This has become easier as technology improves
- A w eak PSK is easier to brute force
- GPU processing speeds
- Cloud-based passw ord cracking
• Once you have the PSK, you have everyone's
wireless key
- There's no forward secrecy
SAE
• WPA3 changes the PSK authentication process
- Includes mutual authentication
- Creates a shared session key w ithout sending that
key across the network
- No more four-w ay handshakes, no hashes,
no brute force attacks
- Adds perfect forward secrecy
• Simultaneous Authentication of Equals (SAE)
- A Diffie-Hellman derived key exchange w ith an
authentication component
- Everyone uses a different session key, even with
the same PSK
- An IEEE standard - the dragonfly handshake
3.4 - Wireless Authentication Methods
Wireless authentication methods
• Gain access to a w ireless netw ork
- Mobile users
- Temporary users
• Credentials
- Shared passw ord / pre-shared key (PSK}
- Centralized authentication (802.lX}
• Configuration
- Part of the wireless netw ork connection
- Prompted during the connection process
• WPA3-Personal / WPA3-PSK
-WPA3 w ith a pre-shared key
- Everyone uses the same key
- Unique WPA3 session key is derived from the PSK using SAE
(Si mu lta neous Authentication of Eq ua Is)
• WPA3-Enterprise / WPA3-802.1X
-Authenticates users individually with an
authentication server (i.e., RADIUS}
Captive Portal
• Authentication to a network - Common on wireless netw orks
Wireless security modes
• Configure the authentication on your w ireless
access point / w ireless router
• Access table r ecognizes a lack of authentication
- Redirects your w eb access to a captive portal page
• Open System
- No passw ord is r equired
• Once proper authentication is provided, the
w eb session continues
- Until the captive portal removes your access
© 2020 Messer Studios, LLC
• Username / passw ord - And additional authentication factors
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 79
https://ProfessorMesser.com
3.4 - Wireless Authentication Methods (continued)
Using WPS
• W i-Fi Protected Setup
- Originally called Wi-Fi Simple Config
The WPS hack
• December 2011 - WPS has a design fl aw
- It w as built w rong from the beginning
• Allow s "easy" setup of a mobile device
- A passphrase can be complicated to a novice
• PIN is an eight-digit number
- Really seven digits and a checksum
- Seven digits, 10,000,000 possible combinations
• The WPS process validates each half of the PIN
- First half, 4 digits . Second half, 3 digits.
- First half, 10,000 possibilities,
second half, 1,000 possibil ities
• It takes about four hours to go t hrough all of t hem
- Most devices never considered a lockout function
- Brute force lockout features are now the norm
• Differ ent w ays to connect
- PIN configured on access point must be entered
on t he mobile device
- Push a button on the access point
- Near-field communication - Bring the mobile device close to the access point
3.4 - Wireless Authentication Protocols
Wireless authentication
• We've cr eated many authentication methods
through t he years
- A network administrator has many choices
EAP-FAST
• EAP Flexible Authentication via Secure Tunneling
- Authentication server (AS) and supplicant shar e a
protected access credential (PAC) (shared secret)
• Use a username and passw ord
- Other factors can be included
• Supplicant receives the PAC
• Supplicant and AS mutually authenticate and
negotiate a Transport Layer Security (TLS) tunnel
• Commonly used on w ireless netw orks
- Also w orks on w ired netw orks
EAP
• Extensible Authentication Protocol (EAP)
- An authentication framework
• Many different w ays to authenticate based on
RFC standards
- Manufactur ers can build their ow n EAP methods
• EAP integrates w ith 802 .lX
- Prevents access to the netw ork until t he
authentication succeeds
IEEE 802.lX
• IEEE 802.lX
- Port-based Netw ork Access Control (NAC)
- You don't get access to t he netw ork until you
authenticate
• Used in conjunction with an access database
- RADIUS, LDAP, TACACS+
IEEE 802.lX and EAP
• Supplicant
-The client
• Authenticator
- The device that provides access
• Authentication server
- Validates the cl ient credentials
© 2020 Messer Studios, LLC
• User authentication occurs over the TLS tunnel
• Need a RADIUS server
- Provides t he authentication database and
EAP-FAST services
PEAP
• Protected Extensible Authentication Protocol
- Protected EAP
- Created by Cisco, M icrosoft, and RSA Security
• Also encapsulates EAP in a TLS tunnel
- AS uses a digital certi fi cate instead of a PAC
- Client doesn't use a certificate
• User authenticates with MSCHAPv2
- Authenticates to M icrosoft's MS-CHAPv2 databases
• User can also authenticate w ith a GTC
- Generic Token Card, hardw are token generator
EAP-TLS
• EAP Transport Layer Security
- Strong security, wide adoption
- Support from most of the industry
• Requires digital certificates on t he AS and
all other devices
- AS and supplicant exchange certificates for
mutual authentication
- TLS tunnel is then bui lt for t he user
authentication process
• Relatively complex implementation
- Need a public key infrastructure (PKI)
- Must deploy and manage certi fi cates to
all wireless clients
- Not all devices can support t he use of digital certificates
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page so
https://ProfessorMesser.com
3.4 - Wireless Authentication Protocols (continued)
EAP-TTLS
• EAP Tunneled Transport Layer Securit y
- Support other aut hentication prot ocols
in a TLS tunnel
RADIUS Federation
• Use RADIUS w ith federation
- M em bers of one organization can authenticate to
t he netw ork of another organization
- Use their normal cred entia ls
• Requires a digital certificate on the AS
- Does not req uire digital certificates on every device
- Builds a TLS tunnel using this digital certificate
• Use 802.lX as the aut hentication method
- And RAD IUS on t he backend - EAP t o authenticate
• Use any authentication method inside t he TLS t unnel
- Ot her EAPs
- MSCHAPv2
- Anything else
• Driven by eduroam (education roaming)
- Educat ors can use t heir norma l authentication
w hen visiting a differ ent campus
- https://www.eduroam.org/
3.4 - Installing Wireless Networks
Site surveys
• Determine existing wireless landsca pe
- Sample the existing w ireless spectrum
Channel selection and overlaps
• Overlapping channels
- Frequency conflicts - use non-overlapping channels
- Automatic or manua l confi gurations
• Identify existing access points
- You may not cont rol all of t hem
Access point placement
• M inima l overlap
- Maxim ize coverage, minimize the number
of access points
• Work around existing freq uencies
- Layout and plan for interference
• Pl an for ongoing sit e surveys
- Things will cert ainly change
• Avoid interference
- Electronic devices (microw aves)
- Bu ilding materials
- Thi rd-party wireless net w orks
• Heat maps - Identify w ireless signal strengt hs
Wireless survey tools
• Signal coverage
• Potential interference
• Built-in tools
• 3rd-party t ools
• Spectrum analyzer
• Signa l control
- Place APs w here the users are
- Avoid excessive signal distance
W ireless infrastructure security
• W ireless controllers
- Centralized management of w ireless access point s
- Manage system confi guration and performance
Wireless packet analysis
• W ireless net w orks are incr edibly easy to mon itor
- Everyone " hears" everyth ing
• Securing wireless controllers
- Control access to management console
- Use strong encryption w ith HTTPS
- Automatic logout after no activity
• You have to be quiet
- You can't hear the network if you' re busy t ransmitting
• Some net w ork drivers w on't capture w ireless information
- You'll need specialized adapters/ chipset s and drivers
• View wireless-specifi c information
- Signal-to-noise ratio, channel information, etc.
• Securing access points
- Use strong passw ord s
- Update to the latest firmw are
• Try it you rself ! - https://www.wireshark.org
2.4 GHz Spectrum for 802.11 - North America
IEEE Channel !
1
6
11
20 MHZ _ _ _
2~12 MHZ
24S2 MHZ
-
Avail able channels
-
New channels added in April 2014
~
Previously indoor channels, usable outdoors aftet April 2014
-
Ftequenciei not available Sor 802.11
5 GHz Spectrum for 802.11 - North America
IEEE Channel If
36
5150 MHz
40
44
48
52
55
60
UNIJ.Z
UNll-1
S250 M HZ
© 2020 Messer Studios, LLC
~
68
5350 MHz
72
75
80
~
SS
92
95
100
104
10!
112
115
120
124
UN11·2
5" 70MHZ
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 81
128
132
13,5
1'-0
14"
149
153
157
161
165
169
173
177
UNIJ.3
5 72:S MHZ
SS2SMH!
5925 MHz
https://ProfessorMesser.com
3.5 - Mobile Networks
Point-to-point
• One-t o-one connection
- Conversation betw een t w o devices
Near field communication {NFC)
• Tw o-w ay w ireless communication
- Builds on RFID
• Connections betw een buildings
- Point-to-point network links
• Payment systems
- Google w allet, Apple Pay
• Bootstrap for ot her w ireless
- NFC helps with Bluet ooth pairing
• W i-Fi repeaters
- Extend t he length of an existing netw ork
Point-to-multipoint
• One of the most popular communication methods
802.11 w ireless
• Does not imply full connectivity betw een nodes
Cellular networks
• Mobile devices
- " Cell" phones
• Access token, identity "card"
- Short range wit h encryption su pport
NFC security concerns
• Remote captur e
- It 's a w ireless net w ork
- 10 meters for active devices
• Freq uency jamm ing - Denial of service
• Sepa rate land int o "cells"
- Antenna coverages a cell w ith certain frequencies
• Relay / Replay attack - Man in the middle
• Security concerns
- Traffic monitoring
- Location t racking
- Worldwide access to a mobile device
IR (Infrared)
• Included on many smartphones, tablets, and sma rtw atches
- Not rea lly used much for printing
Wi-Fi
• Local netw ork access
- Local secu rity problems
• File t ransfers are possible
• Same security concerns as other W i-Fi devices
• Data capture
- Encrypt you r dat a!
• On-pat h attack
- Modify and/ or monit or data
• Denial of service
- Freq uency interfer ence
• Control your entertainment center
- Almost exclusively IR
• Other phones can be used to control you r IR devices
USB (Universal Serial Bus)
• Physical connectivity to your mobile device
- USB to your computer
- USB, Lightning, or proprietary on you r phone
• Physical access is alw ays a concern
- May be easier to gain access than over a remote
connection
Bluetooth
• High speed commun ication over short dista nces
- PAN (Personal Ar ea Net w ork)
• Connects our mobile devices
- Smartphones, tethering, headsets and
headphones, hea lth monit ors, automobile and
phone integration, smartw atches,
external speakers
RFID (Radio-frequency identification)
• It's everyw here
- Access badges
- Inventory/ Assembly li ne tracking
- Pet/ An imal identification
- Anything that needs to be t racked
• Radar technology
- Radio energy t ransmitted to the tag
- RF pow ers t he tag, ID is t ra nsmitted back
- Bidirectional communication
- Some tag formats can be active/ pow ered
© 2020 Messer Studios, LLC
• Loss of RFC device control - St olen/lost phone
• A locked device is relatively secure
- Al w ays auto-lock
• Mobile phones can also exfiltrate
- Phone can appear to be a USB storage device
Global Positioning System (GPS)
• Created by the U.S. Department of Defense
- Over 30 satellites curr ently in orbit
• Precise navigation
- Need to see at least 4 satellites
• Determines location based on tim ing differences
- Longitude, latitude, altitude
• Mobile device location services and geotracking
- Maps, directions
- Determine physica l location based on GPS,
- W iFi, and cellular tow ers
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 82
https://ProfessorMesser.com
3.5 - Mobile Device Management
Mobile Device Management {MOM)
• Manage company-ow ned and user-ow ned mobile devices
- BYOD - Bring You r Ow n Device
• Centra lized management of t he mobil e devices
- Specialized functionalit y
• Set policies on apps, data, camera, etc.
- Control the remote device
- The entire device or a " partition"
• Manage access control
- Force screen locks and PINs on these single user devices
Application management
• Managing mobile apps are a chal lenge
- Mobil e devices install apps constantly
• Not all applications are secu re
- And some are malicious
- Android malwar e is a rapidly grow ing secu rity concern
• Manage application use through allow lists
- On ly approved applications can be installed
- Managed th rough the MOM
• A management challenge
- New applications must be checked and added
Content management
• Mobile Content Management (MCM )
- Secu re access t o data, protect data from outsiders
• File sharing and viewing
- On-sit e content (M icrosoft Sha repoint, file servers)
- Cloud-based storage (Box, Office 365)
• Dat a sent from the mobile device
- DLP (Data Loss Prevention) pr events copy/paste of
sensitive dat a
- Ensure data is encrypted on the mobile device
• Managed from the mobile device manager (M DM )
Remote wipe
• Remove all data from you r mobile device
- Even if you have no idea w here it is
- Oft en managed from t he MDM
• Connect and w ipe from the w eb
- Nuke it from anyw her e
• Need t o plan for this
- Configure your mobi le device now
• Always have a backu p
- Your data can be removed at any time
- As you are w al king out t he door
Geo location
• Precise tracking details - Tracks within feet
Geofencing
• Some MDMs allow for geofencing
- Restrict or allow feat ures w hen the device is in a
particular area
• Cameras
- M ight only w ork w hen outside t he office
• Aut hentication
- Only allow logins w hen the device is locat ed in a
particular area
Screen lock
• All mobile devices can be locked
- Keep people out of your data
• Simple passcode or strong passcode
- Numbers vs. Alphanumeric
• Fail too many times?
- Erase t he phone
• Define a lockout policy
- Create aggressive lockout timers
- Completely lock the phone
Push notification services
• Information appears on the mobile device screen
- The notification is "pushed" to you r device
• No user intervention
- Receive notifi cations from one app w hen using a
completely different app
• Control of displayed notifications can be
managed from the M DM
- Or notifications can be pushed from the MDM
Passwords and PINs
• The universal help desk call
- I need to r eset my passw ord
• Mobile devices use multiple aut hentication methods
- Passw ord/ passphrase, PINs, patterns
• Recovery process can be initiated from the MDM
- Passw ord reset option is provided on the
mobile device
- " What is the name of your favorite car maiden
cat 's color?"
• MDM also has fu ll control
- Completely remove all securit y controls
- Not t he defau lt or best practice
Biometrics
• You are the authentication fact or
- Fingerprint , face
• Can be used for good (or bad)
- Find you r phone, find you
• May not be the most secure aut hentication factor
- Usefu l in some environments
- Completely forbidden in others
• Most phones provide an option to disable
- Limits functiona lity of t he phones
• Availability is managed through the M DM
- Organization determines the security of the device
• May be managed by the MDM
• Can be managed per-app
- Some apps requ ire additiona l biometric
aut hentication
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 83
https://ProfessorMesser.com
3.5 - Mobile Device Management {continued)
Context-aware authentication
• Who needs 2FA?
- The attackers can get around anything
• Authentication can be contextual
- If it w alks li ke a duck...
• Combine multiple contexts
- Where you norma lly login {IP address
- Where you norma lly frequent (GPS information)
- Other devices that may be
pai red (Bluetooth, etc.)
• And others
- An emerging technology
- Another w ay to keep data safe
Containerization
• Difficult to separate personal from business
- Especially wh en the device is BYOD
- Ow ned by the employee
• Easy to manage offboarding
- Only the company information is deleted
- Personal data is retained
- Keep your pictures, video, music, email, etc.
Full device encryption
• Scramble all of the data on the mobile device
- Even if you lose it, the contents are safe
• Devices han dle this in different w ays
- Strongest/stronger/strong?
• Encryption isn't trivial
- Uses a lot of CPU cycles
- Complex integration between hardware
and software
• Don't lose or forget your password!
- There's no recovery
- Often backed up on the MDM
• Separate enterprise mobile apps and data
- Create a virtual "container" for company data
- A contained area - limit data sharing
- Storage segmentation keeps data separate
3.5 - Mobile Device Security
MicroSD HSM
SEAndroid
• Shrink the PCI Express
- Hardware Security Module - Now in a microSD card form
• Security Enhancements for Android
- SELinux (Secu rity-Enhanced Linux)
in the Android OS
- Supports access control security policies
• Provides security services
- Encryption, key generation, digital signatures,
authentication
• Secure storage
- Protect private keys - Cryptocurrency storage
Unified Endpoint Management (UEM)
• Manage mobile and non-mobile devices
- An evolution of the Mobile Device Manager (M DM)
• End users use different types of devices
- Their use has blended together
• Applications can be used across different platforms
- Work on a laptop and a smartphone
• All of these devices can be used from anywhere
- User's don't stay in one place
Mobile Application Management (MAM)
• Provision, update, and remove apps
- Keep everyone running at the correct version
• A project from the US National Security Agency (NSA)
- Based on the NSA's SE Linux
• Addresses a broad scope of system security
- Kernel, userspace, and policy configuration
• Enabled by default with Android version 4.3
- July 2013
- Protect privileged Android system daemons
- Prevent malicious activity
• Change from Discretionary Access Control (DAC) to
Mandatory Access Control (MAC}
- Move from user-assigned control to object labels
and minimum user access
- Isolates and sandboxes Android apps
• Centralized policy configuration
- Manage Android deployments
• Create an enterprise app catalog
- Users can choose and install the apps they need
• Monitor application use
- Apps used on a device, devices with unauthorized apps
• Remotely wipe application data
- Securely manage remote data
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 84
https://ProfessorMesser.com
3.5 - Mobile Device Enforcement
Third-party app stores
• Centralized app clea ringhouses
- Apple App Stor e
- Google Play
• Not all applications are secu re
- Vulnerabilities, data leakage
• Not all applications are appropriate for business use
- Games, instant messaging, et c.
• MDM can allow or deny app store use.
Rooting/ jail breaking
• Mobile devices are pu rpose-built systems
- You don't need access to the operating system
• Gaining access - Android - Rooting/ Apple iOS Jailbreaking
• Instal l custom firmw are
- Replaces t he existing operating system
• Uncont rolled access
- Circumvent secu rity feat ures, sideload apps wit hout
using an app store
- The MDM becomes relatively useless
Carrier unlocking
• Most phones are locked to a ca rrier
- You can't use an AT&T phone on Veri zon
- Contract w ith a carrier subsidizes the cost of the phone
• You can unlock the phone
- If you r carrier allow s it
- A carrier lock may be illega l in your country
• Security revolves around connectivity
- Moving to anot her carrier can circumvent the M DM
- Preventing a SIM unlock may not be possible on a
persona l device
Firmware OTA updates
• The operating system of a mobile device is
const antly changing - Similar to a desktop computer
• Updates ar e provided over the air (OTA)
- No cable required
• Security pat ches or entire operating system updates
- Sign ificant changes wit hout connecting the device
• Th is may not be a good thing
-The MDM can manage w hat OTA updates are allow ed
Camera use
• Cameras are controversial
- They' re not alw ays a good t hing
- Corporate espionage, inappropriate use
• Almost im possible to control on the device
- No good w ay to ensure the camera w on't be used
• Camera use can be controlled by the MDM
- Al w ays disabled
- Enabled except for certain locations (gee-fencing)
SMS/ MMS
• Short Message Service / Multimedia Messaging Service
- Text messages, video, audio
© 2020 Messer Studios, LLC
• Control of data can be a concern
- Outboun d dat a leaks, financial disclosu re s
- Inbound notifications, phishing attempt s
• MDM can enable or disa ble SMS/MMS
- Or only allow during certa in timeframes or locations
External media
• Store data onto external or removable drives
- SD flash memory or USS/ light ning drives
• Transfer data from flash
- Connect t o a com puter to r etrieve
• This is very easy to do
- Limit dat a w ritten to r emova ble drives
- Or prevent the use of them from t he MDM
USB OTG
• USB On-The-Go - Connect devices di rectly together
- No computer require d, only a cable
• The mobil e device can be bot h a host and a device
- Read from an external device, t hen act as
a storage device it self
- No need for a th ird-pa rty storage device
• A USB 2.0 standard - Commonly seen on Android devices
• Ext remely convenient
- From a secu rit y perspective, it 's t oo convenient
Recording microphone
• Audio r ecordings
- Ther e are microphones on every mobile device
• Useful for meetings and note taking
- A st andard for col lege classes
• A legal liabilit y
- Every state has different laws
- Every situation is different
• Disable or gee-fence - Manage from the MDM
Geotagging / GPS tagging
• Your phone know s w here you are
- Location Services, GPS
• Adds your location t o document metadat a
- Longitude, latitude - Photos, videos, etc.
• Every document may contain geotagged information
- You can track a user quit e easily
• This may cause securit y concerns
- Take pictu re, upload t o social media
W iFi Direct /ad hoc
• We' re so used to access point s
- SSID configurations
• The w ireless stan dard includes an ad hoc mode
- Connect wireless devices directly
- W ithout an access point
• Wi Fi Direct simplifi es t he process
- Easily connect many devices toget her
- Common to see in home devices
• Simplicity can aid vu lnerabi lities
- Invisible access t o im portant devices
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 85
https://ProfessorMesser.com
3.5 - Mobile Device Enforcement (continued)
Hotspot/tethering
• Turn your phone into a Wi Fi hotspot
- Your ow n personal wireless rout er
- Extend t he cellular dat a net w ork t o all of you r devices
• Dependent on phone type and provider
- May require additional charges and data costs
Paym ent methods
• Send sma ll amounts of data wirelessly over
a limited ar ea (NFC)
- Bu ilt into your phone
- Payment systems, t ransportation, in-person
information exchange
• May provide inadvert ent access t o an internal network
- Ensure proper securit y / passcode
• A few different standa rd s
- Apple Pay, Android Pay, Samsung Pay
• Bypassing primary authentication w ould allow payment
- Use proper secu rity - or disable completely
3.5 - Mobile Deployment Models
BYOD
• Bring Your Ow n Device / Bring Your Ow n Technology
• Em ployee ow ns t he device
- Need to meet t he company's requirement s
• Diffi cu lt to secure
- It 's bot h a home device and a w ork device
- How is dat a prot ected?
- W hat ha ppens to the dat a w hen a device is
sold or t raded in?
COPE
• Corporat e ow ned, personally enabled
- Com pany buys t he device
- Used as bot h a corporate device and a personal device
• Organization keeps full cont rol of t he device
- Similar to com pany-ow ned laptops and desktops
• Information is protected using corporate policies
- Information can be deleted at any time
• CYOD - Choose Your Ow n Device
- Similar to COPE, but with t he user's choice of device
Corporate owned
• The company ow ns t he device
- And cont rols t he content on t he device
• The device is not for personal use
- You'll need to buy you r ow n device for home
• Very specifi c secu rity requirements
- Not able to m ix business w ith home use
VDI/VMI
• Virt ua l Desktop Infrastructu re / Virtual Mobile
Infrastructu re
- The apps are separated from the mobile device
- The data is separated from the mobile device
• Data is stor ed securely, centralized
• Physica l device loss - Risk is minim ized
• Cent ralized app development
- Write for a single VM I platform
• Applications are managed centrally
- No need to update all mobile devices
3.6 - Cloud Security Controls
HA across zones
• Availabilit y zones (AZ)
- Isolated locations wit hin a cloud r egion (geographica l location)
- AZ common ly spans across mu ltiple regions
- Each AZ has independent pow er, HVAC, and net w orki ng
Secret s management
• Cloud com puting includes many secrets
- API keys, passw ords, certi fi cates
• Build applications to be highly ava ilable (HA)
- Run as active/ standby or active/ active
- Appl ication recognizes an outage and moves t o the ot her AZ
• Authorize access to the secrets
- Limit access to the secr et service
• Manage an access control policy
- Limit users to only necessary secrets
• Use load balancers t o provide seamless HA
- Users don' t experience any application issues
Resource policies
• Identit y and access management (1AM )
- Who gets access, w hat t hey get access to
• Ma p job functions to roles
- Com bine users int o grou ps
• Provide access to cloud resources
- Set granular pol icies - Grou p, IP addr ess, dat e and time
• Centralize user accounts, synchronize across all platforms
© 2020 Messer Studios, LLC
• This can quickly become overw helming
- Diffi cult to manage and protect
• Provide an audit t rail
- Know exactly w ho accesses secrets and w hen
Integration and auditing
• Integrate securit y across multi ple platforms
- Different operating systems and appli cations
• Consolidat e log storage and reporting
- Cloud-based Securit y Information and Event
Management (SIEM)
• Auditing - Va lidate the security controls
- Verify compliance wit h fi nancial and user data
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 86
https://ProfessorMesser.com
3.6 - Securing Cloud Storage
Cloud storage
• Data is on a publ ic cloud
- But may not be public data
• Access can be limited
- And protected
• Data may be required in different geographical locations
- A backup is alw ays required
• Availability is alw ays important
- Data is available as the cloud changes?
Encryption
• Cloud data is more accessible than non-cloud data
- More access by more people
Permissions
• A significant cloud storage concern
- One permission mistake can cause a data br each
- Accentur e, Uber, US Department of Defense
• Key management is critical
• Public access
- Should not usually be the default
• Many different options
- Identity and Access Management (1AM)
- Bucket policies
- Globally blocking public access
- Don't put data in the cloud unless it r eally
needs to be there
• Server-side encryption
- Encrypt the data in the cloud
- Data is encrypted w hen stored on disk
• Client-side encryption
- Data is already encrypted w hen it's sent to the cloud
- Performed by the application
Replication
• Copy data from one place to another
- Real-time data duplication in multiple locations
• Disaster recovery, high availability
- Plan for problems
- Maintain uptime if an outage occurs
- Hot site for disaster recovery
• Data analysis
-Analytics, big data analysis
• Backups
- Constant duplication of data
3.6 - Securing Cloud Networks
Cloud Networks
• Connect cloud components
- Connectivity w ithin the cloud
- Connectivity from outside the cloud
• Users communicate to the cloud
- From the public Internet
- Over a VPN tunnel
• Cloud devices communicate betw een each other
- Cloud-based netw ork
- East/w est and north/south communication
- No external traffic flow s
Virtual networks
• A cloud contains virtual devices
- Servers, databases, storage devices
• Virtual sw itches, virtual routers
- Build the netw ork from the cloud console
- The same configurations as a physical device
• The netw ork changes w ith the rest of the infrastructure
-On-demand
- Rapid elasticity
Public and private subnets
• Private cloud
- All internal IP addr esses
- Connect to the private cloud over a VPN
- No access from the Internet
• Public cloud
- External IP addresses
- Connect to the cloud from anyw here
• Hybri d cloud
- Combine internal cloud resources w ith external
- May combine both public and private subnets
Segmentation
• The cloud contains separate VPCs, containers,
and microservices
-Application segmentation is almost guaranteed
• Separation is a security opportunity
- Data is separate from the application
-Add security systems betw een application
components
• Virtualized security technologies
- Web Application Firew all (WAF)
- Next-Generation Firew al l (NGFW)
• Intrusion Prevention System {IPS)
API inspection and integration
• M icroservice architecture is the
underlying application engine
-A significant security concern
• AP I calls can include risk
-Attempts to access critical data
- Geographic origin
- Unusual API calls
• AP I monitoring
- View specific API queries
- Monitor incoming and outgoing data
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 87
https://ProfessorMesser.com
3.6 - Securing Compute Clouds
Compute cloud instances
• The laaS component for the cloud computing
environment
- Amazon Elastic Compute Cloud (EC2)
- Google Compute Engine (GCE}
- Microsoft Azure Virtual Machines
• Manage computing resources
- Launch a VM or container
- Allocate additional r esources
- Disable/ remove a VM or container
Security groups
• A firew all for compute instances
- Control inbound and outbound t raffic flow s
• Layer 4 port number
-TCP or UDP port
• Layer 3 address
- Individual addresses
- CIDR block notation
- 1Pv4 or 1Pv6
Dynamic resource allocation
• Provision resources w hen they are needed
- Based on demand - Provisioned automatically
• Scale up and dow n
- Allocate compute resources w here and
w hen they are needed
- Rapid elasticity
- Pay for only w hat's used
• Ongoing monitoring
- If CPU utilization hits a particular threshold, provision
a new application instance
Instance awareness
• Granular security controls
- Identify and manage very specific data flows
- Each instance of a data flow is different
• Define and set policies
- Allow uploads to the corporate box.com file shar e
• Corporate file shares can contain PI I
• Any department can upload to the
corporate file share
- Deny certain uploads to a personal box.com file share
• Allow graphics files
• Deny any spreadsheet
• Deny files containing credit card numbers
• Quarantine the file and send an alert
Virtual private cloud endpoints
• M icroservice architectur e is the
VPC gateway endpoints
- Allow private cloud subnets to communicate to other
cloud services
• Keep private resources private
- Internet connectivity not r equired
• Add an endpoint to connect VPC resources
Container security
• Containers have simi lar security concerns as any other
application deployment method
- Bugs, insufficient security controls, misconfigurations
• Use container-specific operating systems
- A minimalist OS designed for containers
• Group container types on the same host
- The same purpose, sensitivity, and thr eat posture
- Limit the scope of any intrusion
3.6 - Cloud Security Solutions
Cloud access security broker (CASB)
• Clients are at w ork, data is in the cloud
- How do you keep everything secure?
- The organization already has w ell-defined
security policies
• How do you make your security policies
w ork in the cloud?
- Integrate a CASB
- Implemented as client softw are, local security
appliances, or cloud-based security solutions
Application security
• Secure cloud-based applications
- Complexity increases in the cloud
• Application misconfigurations
- One of the most common security issues
- Especially cloud storage
• Authorization and access
- Controls should be strong enough for access
from anyw here
• API security - Attackers w ill try to exploit interfaces and APls
• Visibility
- Determine w hat apps are in use
- Are they authorized to use the apps?
Next-Gen Secure Web Gateway (SWG)
• Protect users and devices
- Regardless of location and activity
• Compliance
-Are users complying with HIPAA? PCI?
• Go beyond URLs and GET r equests
- Examine the application API
- Dropbox for personal use or corporate use?
• Examine JSON strings and API requests
-Allow or disallow certain activities
• Threat pr evention
- Allow access by authorized users, prevent attacks
• Data security
- Ensure that all data transfers are encrypted
- Protect the transfer of PII with OLP
© 2020 Messer Studios, LLC
• Instance-awar e security
-A development instance is different than production
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 88
https://ProfessorMesser.com
3.6 - Cloud Security Solutions (continued)
Firewalls in the cloud
• Control traffic fl ows in the cloud
- Inside the cloud and external fl ows
• Cost
- Relatively inexpensive compared to appliances
- Virtual firewalls
- Host-based firew alls
• Segmentation
- Betw een microservices, VMs, or VPCs
• OSI layers
- Layer 4 (TCP/UDP), Layer 7 (Application)
Security controls
• Cloud-native security controls
- Integrated and supported by the cloud provider
- Many configu ration options
- Security is part of the infrastructure
- No additional costs
• Third-party solutions
- Support across multiple cloud providers
- Single pane of glass
- Extend policies outside the scope of the cloud provider
- More extensive reporting
3. 7 - Identity Controls
• Requires an existing public-key infrastructure (PKI)
- The Certificate Authorit y (CA) is the t rusted entity
- The CA digitally signs the certificates
Identity provider {ldP)
• Who are you?
- A service needs to vouch for you
- Authentication as a Service
• A list of entities
- Users and devices
• Commonly used by SSO applications or an
authentication process
- Cloud-based services need to know w ho you are
• Uses standard authentication methods
- SAML, OAuth, Open ID Connect, etc.
Attributes
• An identifier or property of an entity
- Provides identification
• Personal attributes
- Name, email addr ess, phone number, Employee ID
• Other attributes
- Department name, job title, mail stop
• One or more attributes can be used for identification
- Combin e them for more detail
Certificates
• Digital certificate - Assigned to a person or device
Tokens and cards
• Smart card
- Integrates with devices - may require a PIN
• USB token - Certificate is on the USB device
SSH keys
• Secure Shell (SSH) - Secur e term inal communication
• Use a key instead of username and password
- Public/private keys - Critica l for automation
• Key management is critical
- Centralize, control, and audit key use
• SSH key managers - Open source, Commercial
SSH key-based authentication
• Create a public/private key pair
- ssh-keygen
• Copy the public key to the SSH server
-ssh-copy-id user@host
• Try it out
- ssh user@host
- No passw ord prompt !
• Binds the identity of the certificate own er to a
public and private key
- Encrypt data, create digital signatures
3.7 -Account Types
User accounts
• An account on a computer associated w ith a
specific person
- The computer associates the user with a specific
identification number
• Storage and files can be private to that user
- Even if another person is using the same
computer
• No pri vileged access to the operating system
- Specifically not allow ed on a user account
• This is the account type most people w ill use
- Your user community
© 2020 Messer Studios, LLC
Shared and generic accounts
• Shared account
- Used by more than one person
- Guest login, anonymous login
• Very difficu lt to create an audit t rail
- No w ay to know exactly who w as w orking
- Difficult to determine the proper privileges
• Passw ord management becomes difficult
- Passw ord changes re quire notifying everyone
- Difficult to remember so many password changes
- Just w rite it dow n on this yellow sticky paper
• Best practice : Don't use these accounts
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 89
https://ProfessorMesser.com
3. 7 - Account Types (continued)
Guest accounts
• Access to a computer for guests
- No access to change settings, modify applications,
view other user's files, and mor e
- Usually no passw ord
• Th is brings sign ificant security chal lenges
- Access t o the userspace is one step closer to an exploit
• Must be controlled
- Not the defa ult - Removed from W indow s 10 build 10159
Serv ice accounts
• Used exclusively by services running on a computer
- No interactive/ user access (ideally)
- Web server, dat abase server, etc.
• Access can be defi ned for a specifi c service
- Web server right s and permissions will be different than
a dat abase server
• Commonly use usernames and passw ords
- You' ll need to det ermine the best policy for
passw ord updates
Privileged accounts
• Elevated access t o one or more systems
- Administrator, Root
• Com plete access to t he system
- Often used t o manage hardware, drivers, and
softw are install ation
• This account shou ld not be used for normal
administration
- User accounts should be used
• Needs t o be high ly secur ed
- St rong passw ord s, 2FA
- Scheduled passw ord changes
3.7 -Account Policies
Account policies
• Cont rol access to an account
- It 's mor e than j ust username and passw ord
- Det ermine w hat policies are best for an organ ization
• The authentication process
- Passw ord policies, authentication factor policies,
ot her considerations
• Perm issions after login - Another li ne of defense
Perform routine audits
• Is everyth ing following the policy?
- You have t o police yourself
• It's amazing how quickly things can change
- Make sure the routine is scheduled
• Certain actions can be automatically identified
- Consider a tool for log analysis
Auditing
• Perm ission auditing
- Does everyone have the correct perm issions?
- Some Adm inistrators don' t need to be there
- Schedu led r ecertification
• Usage auditing - How are your resou rces used?
- Are your systems and applications secure?
Password complexity and length
• Make your passw ord st rong - Resist brute-force attack
Account lockout and disablement
• Too many incorrect passw ords will cause a lockout
- Prevent s on line brute force attacks
- This shou ld be normal for most user accounts
- This can cause big issues for service accounts
• You might w ant t his
• Disabli ng account s
- Part of the normal change process
- You don't w ant t o delet e accounts
• At least not initially
• May contain important decryption keys
Location-based policies
• Netw ork location
- Identify based on IP subnet
- Can be difficult with mobile devices
• Geolocation - determ ine a user's location
- GPS - mobile devices, very accurate
- 802.11 w ireless, less accu rate
- IP addr ess, not very accu rate
• Geofencing
- Automatical ly allow or restrict access w hen t he
user is in a particular location
- Don't all ow t his app t o run un less you're near the
office
• Increase passw ord entropy
- No single w ords, no obvious passw ords
• What 's the name of you r dog?
- Mix upper and low er case and use special characters
• Don't r eplace a o w ith a 0, t with a 7
• Stronger passw ords are at least 8 characters
- Consider a phrase or set of w ord s
• Geotagging
- Add location metadata to a document or file
- Latitude and longit ude, distance, time stamps
• Location-based access rules
- Your IP address is associat ed w ith an IP block in Russia
- We don't have an offi ce in Russia
- You w ere in Colorado Springs an hou r ago
- Perm ission not grant ed
• Prevent passw ord reuse
- System r emem bers passw ord hist ory, requires
un iq ue passwords
• Time-based access rules
- Nobody needs to access the lab at 3 AM
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 90
https://ProfessorMesser.com
3.8 - Authentication Management
• Versatile memory
- Storage keys, hardware configuration information
Password keys
• Hardware-based authentication
- Something you have
• Passw ord protected
- No dictionary attacks
• Helps prevent unauthorized logins and
account takeovers
- The key must be present to login
Hardware Security Module (HSM)
• High-end cryptographic hardware
- Plug-in card or separate hardware device
• Doesn't replace other factors
- Passwords are still important
• Key backup
- Secured storage
• Cryptographic accelerators
- Offload that CPU overhead from other devices
Password vaults
• Password managers
- All passwords in one location
- A database of credentials
• Used in large environments
- Clusters, redundant pow ers
• Secure storage
- All credentials are encrypted
- Cloud-based synchronization options
Knowledge-based authentication (KBA)
• Use personal knowledge as an authentication factor
- Something you know
• Create unique passwords
- Passwords are not the same across sites
• Static KBA
- Pre-configured shared secrets
- Often used with account recovery
- What was the make and model of you r first car?
• Personal and enterprise options
- Corporate access
Trusted Platform Module (TPM)
• A specification for cryptographic functions
- Hardware to help w ith all of this encryption stuff
• Dynam ic KBA
- Questions are based on an identity verification service
-What was your street number w hen you lived in
Pembroke Pines, Florida?
• Cryptographic processor
- Random number generator, key generators
• Persistent memory
- Comes with unique keys burned in
during production
3.8 - PAP and CHAP
PAP (Password Authentication Protocol)
• A basic authentication method
- Used in legacy operating systems
- Rare to see singularly used
CHAP
• Challenge-Handshake Authentication Protocol
- Encrypted challenge sent over the network
• PAP is in the clear
- Weak authentication scheme
- Non-encrypted password exchange
- We didn't require encryption on ana log dialup lines
- The application would need to provide any encryption
• Three-way handshake
-After link is established, server sends a challenge
- Client responds w ith a password hash calculated
from the challenge and the password
- Server compares received hash w ith stored hash
• Challenge-Response continues
- Occurs periodically during the connection
- User never know s it happens
PAP (Password Authentication Protocol) - Authentication process
Username is james, password is passwordlll
"""""" ["james
passwordlll
......
That's great! You're in.
Ci
V
Username: james
Password: passwordlll
PAP
Client
Server
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 91
https://ProfessorMesser.com
3.8 - PAP and CHAP (continued)
MS-CHAP
• M icrosoft's implementation of CHAP
- Used commonly on Microsoft's
- Point-to-Point Tunneling Protocol (PPTP)
- M S-CHAP v2 is the more recent version
• Security issues related to t he use of DES
- Relatively easy to brute force the 256 possible keys to
decrypt the NTLM hash
- Don't use MS-CHAP !
- Consider L2TP, IPsec, 802.lX or some other secure
authentication method
A
V
Jamts
l
Challenge response:
d b3fc40e6439d4d972870252ccc11f99
A
V
Server looks up the credentials
and sends a challenge to the user
I'd like to login, username is james
puswordl ll
~
~
15472a309ie;s;;~:f!!~;d45c7af9ad -
A
V
Login request is
sent to t he server
Client
Username: j ames
(J
He re's your challenge message:
15472a309fe22789efa522d45c7af9ad
Chall enge response:
db3fc40e6439d4d972870252ccc11f99
pa sswordlll +
15472a309fe22789efa522d45c7af9ad
CHA P
Serve r
A
V
User combines the password and
challenge to create a response
Password: password l l l
l
Expected challenge response:
d b3fc40e6439d4d972870252ccc11f99
Server compares t he user's response
wit h a locally created response
3.8 - Identity and Access Services
RADIUS (Remote Authentication Dial-in User Service)
• One of the more common AAA protocols
- Supported on a w ide variety of platforms and devices
- Not j ust for dial-in
• Centralize authentication for users
- Routers, switches, firew alls, server authentication,
remote VPN access, 802.lX netw ork access
• RADIUS services available on almost any server OS
TACACS
• Terminal Access Controller
- Access-Control System
- Remote authentication protocol
- Created to control access to dial-up lines to ARPANET
• XTACACS (Extended TACACS)
- A Cisco-created (proprietary) version of TACACS
- Additional support for accounting and aud iting
• TACACS+
- The latest version of TACACS, not backwards
compatible
- More authentication requests and response codes
- Released as an open standard in 1993
Kerberos
• Netw ork authentication protocol
- Authenticate once, t rusted by t he system
- No need to re-authenticate to everything
- Mutual authentication - the cl ient and the server
- Protect against on-path or replay attacks
SSO with Kerberos
• Authenticate one time
- Lots of backend ticketing
- Cryptographic tickets
• No constant username and passw ord input!
- Save time
• Only w orks wit h Kerberos
- Not everything is Kerberos-friendly
• There are many other SSO methods
- Smart-cards, SAML, etc.
RADIUS, TACACS+, or Kerberos?
• Three differ ent w ays to communicate to an
authentication server
- More t han a simple login process
• Often determined by what is at hand
- VPN concentrator can talk to a RADIUS server
- We have a RADIUS server
• TACACS+
- Probably a Cisco device
• Kerberos
- Probably a M icrosoft network
IEEE 802.lX
• IEEE 802.lX
- Port-based Netw ork Access Control (NAC)
- You don' t get access to the netw ork until you
authenticate
• Standa rd since the 1980s
- Developed by t he Massachusetts Institute of
Technology (M IT)
• EAP integrates with 802.lX
- Extensible Authentication Protocol
- 802.lX pr events access to the netw ork until t he
authentication succeeds
• M icrosoft starting using Kerberos in W indow s 2000
- Based on Kerberos 5.0 open standard
- Compatible with other operating systems and devices
• Used in conj unction w ith an access database
- RAD IUS, LDAP, TACACS+
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes - Page 92
https://ProfessorMesser.com
3.8 - Federated Identities
Federation
• Provide network access to others
- Not j ust employees - Partners, suppliers, customers, etc.
- Provides SSO and more
OAuth
• Authorization framew ork
- Determin es what r esources a user w ill be
able to access
• Third-parties can establish a federated network
- Authenticate and authori ze between the tw o
organizations
- Login with your Facebook credentials
• The thi rd-parties must establish a t rust r elationship
- And the degree of the trust
• Created by Twitter, Google, and many others
- Significant industry support
Security Assertion Markup Language (SAML)
• Open standard for authentication and authorization
- You can authenticate through a th ird-party to ga in access
- One standard does it all, sort of
• Not an authentication protocol
- Open lD Connect handles the single sign-on
authentication
- OAuth provides authorization
betw een applications
• Relatively popular
- Used by Tw itter, Google, Face book,
- Linkedln, and more
• Not origin ally designed for mobile apps
- This has been SAM L's largest roadblock
3.8 - Access Control
Access control
• Authori zation
- The process of ensuring only authorized
rights are exercised
• Policy enforcement
- The process of determ ining rights
• Policy definition
• Users receive rights based on
- Access Control models
- Different busin ess needs or mission requirements
Mandatory Access Control (MAC)
• The operating system limits the operation on an object
- Based on security clearance levels
• Every object gets a label
- Confidential, secret, top secr et, etc.
• Labeling of objects uses predefined rules
- The administ rator decides w ho gets access to
w hat security level
- Users cannot change these settings
Discretionary Access Control (DAC)
• Used in most operating systems
- A fami liar access control model
• In Windows, use Groups to provide role-based
access control
- You ar e in shipping and receiving, so you can
use the shipping softw are
- You ar e the manager, so you can review shipping logs
Attribute-based access control (ABAC)
• Users can have complex relationships to
applications and data
-Access may be based on many different criteria
• ABAC can consider many parameters
-A " next generation" authorization model
- Aw ar e of context
• Combine and eva luate multiple parameters
- Resource information, IP address, time of day, desired
action, r elationship to the data, etc.
Rule-based access control
• Generic term for follow ing rules
- Conditions other than w ho you ar e
• Access is determin ed through system-enforced rules
- System administrators, not users
• The rule is associated w ith the object
- System checks the ACLs for that object
• You create a spreadsheet
- As the own er, you control w ho has access
- You can modify access at any time
• Rule examples
- Lab netw ork access is only available bet w een 9 and 5
- Only Ch rome browsers may complete this w eb form
• Very fl exible access control
- And very w eak security
File system security
• Store fil es and access them
- Hard drive, SSDs, flash drives, DVDs, part of most OSs
Role-based access control (RBAC)
• You have a role in your organization
- Manager, director, team lead, proj ect manager
• Administrators provide access based on the role
of the user
- Rights are gained implicitly instead of explicitly
• Accessing information
- Access control list
- Group/ user rights and perm issions
- Can be centrally admin ister ed and/ or users can
manage files they ow n
• The fil e system handles encryption and decryption
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 93
https://ProfessorMesser.com
3.8 - Access Control (continued)
Conditional access
• Diffi cu lt to apply old methods of authentication to new
methods of w orking
- Mobil e w orkforce, many different devices,
constantly changing cloud
• Conditions
- Employee or partner, location, type of
application accessed, device
• Cont rols
- Allow or block, require M FA, provide li mit ed access,
req uire passw ord re set
• Administrat ors can build complex access rules
- Com plet e cont rol over dat a access
Privileged access management (PAM )
• Managing superuser access
- Administrator and Root
- You don't w ant t his in t he w rong hands
• Stor e privileged accounts in a digita l vault
- Access is only granted from t he vau lt by re quest
- These privil eges are t empora ry
• PAM advant ages
- Centralized passw ord management
- Enables automation
- Manage access for each user
- Extensive tracking and auditing
3.9 - Public Key Infrastructure
Public Key Infrastructure (PKI)
• Policies, proced ur es, ha rd w are, softwar e, people
- Digital certificates: create, distribute, manage,
store, revoke
• Th is is a big, big, endeavor
- Lots of planning
• Also refers to t he bindi ng of public keys to people
or devices
- The certi ficate aut hority
- It 's all about trust
The key management lifecycle
• Key generation
- Create a key w ith the r equested str engt h using
the proper cipher
• Certifi cate generation
- Allocate a key t o a user
• Distribution
- Make t he key available to the user
• Storage
- Secu rely store and protect against unauthori zed use
• Revocation
- Manage keys that have been compromised
• Expiration
- A certificate may only have a certain "shelf life"
Digit al certificates
• A public key certificate
- Binds a publ ic key w ith a digit al signatu re
- And ot her deta ils about the key holder
• A digit al signatu re adds t rust
- PKI uses Certificate Authority for add itional t rust
- Web of Trust adds ot her users for additional trust
• Certifi cate creation can be built int o the OS
- Part of W indow s Domain services
- 3rd-pa rty Linux options
Commercial certificate authorities
• Built-in to you r brow ser
- Any brow ser
• Purchase your w eb site certifi cate
- It wi ll be t rusted by everyone's brow ser
• Create a key pair, send the public key to t he CA
to be signed
- A certificate signing r equest (CSR)
• May provide different levels of trust and
additional fe atures
- Add a new " tag" to your w eb sit e
Priva te certificate aut horiti es
• You are your ow n CA
- Build it in-house
- Your devices must trust the internal CA
• Needed for medium-to-large organ izations
- Many w eb servers and privacy requ irement s
• Implement as part of you r overall com puting strategy
- W indow s Certificate Services, OpenCA
PKI trust relationships
• Single CA
- Everyone receives their certificates from one authorit y
• Hierarchica l
- Single CA issues certs to intermediate CAs
- Distributes the certificate management load
- Easier to deal w ith t he revocation of an intermediate
CA t han t he root CA
Registration authority (RA)
• The entity re questing the certificate needs t o be verified
- The RA identifies and authenticates t he requester
• Approval or rejection
- The foun dation of t rust in t his model
• Also responsible for revocations
- Administratively revoked or by request
• Manages renewals and re -key requests
- Maintains certificates for curr ent cert holders
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 94
https://ProfessorMesser.com
3.9 - Public Key Infrastructure (continued)
Important certificate attributes
• Common Name (CN)
- The FQDN (Fu lly Qualified
- Domain Name) for the certifi cate
• Subject alternative name
- Additional host names for the cert
- Common on w eb servers
- professormesser.com and www.professormesser.com
• Expiration
- Limit exposure to compromise
- 398 day browser lim it (13 months)
Key revocation
• Certifi cate Revocation List (CRL)
- Maintained by the Certificate Authority (CA)
• Many different reasons
- Changes all the time
• April 2014 - CVE-2014-0160
- Heartbleed
- OpenSSL flaw put the private key of affected
web servers at risk
- OpenSSL w as patched, every w eb server
certificate w as replaced
- Older certificates w ere moved to the CRL
Getting revocation details to the browser
• OCSP (On li ne Certificate Status Protocol)
- The browser can check certificate revocation
• Messages usua lly sent to an OCSP responder via HTTP
- Easy to support over Internet links
• Not all browsers/apps support OCSP
- Early Internet Explorer versions did not
support OCSP
- Some support OCSP, but don't bother checking
3.9 - Certificates
Web server SSL certificates
• Domain validation certifi cate (DV)
- Owner of the certificate has some control over
a DNS domain
Root certificate
• The public key certificate that identifies the root CA
(Certi ficate Authority)
- Everything starts w ith this certificate
• Extended va lidation certificate (EV)
- Additional checks have verified the certifi cate
owner's identity
- Browsers used to show a green name on the
address bar
- Promoting the use of SSL is now outdated
• The root certificate issues other certificates
- Intermediate CA certificates
- Any other certificates
• Subject Alternative Name (SAN)
- Extension to an X.509 certificate
- Lists additional identification information
- Allow s a certificate to support many
different domains
• Wildcard domain
- Certificates are based on the name of the server
-A wildcard doma in will apply to all server names
in a domain
- * .professormesser.com
Code signing certificate
• Developers can provide a level of trust
- Applications can be signed by the developer
• This is a very im portant certificate
- Take all securit y precautions
- Access to the root certificate allow s for the
creation of any trusted certificate
Self-signed certificates
• Internal certificates don't need to be signed by
a public CA
- Your company is the only one going to use it
- No need to purchase trust for devices that already
trust you
• Build your ow n CA
- Issue you r ow n certificates signed by your own CA
• Install the CA certificate/trusted chain on all devices
- They'll now trust any certificates signed by
your internal CA
- Works exactly like a certifi cate you purchased
• The user's operating system w ill examine
the signat ure
- Checks the developer signature
- Validates that the softw are has not been modified
• Is it from a trusted entity?
- The user w ill have the opportunit y to stop the
application execution
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 95
https://ProfessorMesser.com
3.9 - Certificates (continued)
Machine and computer certificates
• You have to manage many devices
- Often devices that you'll never physically see
• Digital signatures
- Use your private key to digitally sign an email
- Non-repudiation, integrity
• How can you truly authenticate a device?
- Put a certificate on the device that you signed
User certificates
• Associate a certificate w ith a user
- A pow erful electronic " id card"
• Other business processes rely on the certificate
- Access to the remote access
- VPN from authorized devices
- Management softwar e can validate the end device
Email certificates
• Use cryptography in an emai l platform
- You'll need public key cryptography
• Use as an additional authentication factor
- limit access without the certificate
• Integrate onto smart cards
- Use as both a physical and digital access card
• Encrypting emails
- Use a recipient's public key to encrypt
• Receiving encrypted emai ls
- Use your private key to decrypt
3.9 - Certificate Formats
Certificate file formats
• X.509 digital certificates
- The structure of the certification is standardized
- The format of the actual certificate file can take
many different forms
• There are many certificate file formats
- You can convert betw een many of the formats
- Use openssl or a similar application to view the
certificate contents
DER (Distinguished Encoding Rules)
• Format designed to transfer syntax for data structures
- A very specific encoding format
- Perfect for an X.509 certificate
• Binary format
- Not human-readable
• A common format
- Used across many platforms
- Often used w ith Java certificates
PEM (Privacy-Enhanced Mail)
•Avery common format
- BASE64 encoded DER certificate
- General ly the format provided by CAs
- Supported on many different platforms
• ASCII format
- Letters and numbers
- Easy to email, readable
PKCS #12
• Public Key Cryptography Standards #12
- Personal Information Exchange Syntax Standard
- Developed by RSA Security, now an RFC standard
© 2020 Messer Studios, LLC
• Container format for many certificates
- Store many X.509 certificates in a single
.p12 or .pfx file
- Often used to transfer a private and public key pa ir
- The container can be passw ord protected
• Extended from Microsoft's .pfx format
- Personal Information Exchange (PFX)
- The t wo standards are very similar
- Often refer enced interchangeably
CER (Certificate)
• Primarily a Window s X.509 file extension
- Can be encoded as binary DER format or as the
ASCII PEM format
• Usually contains a public key
- Private keys w ould be t ransferred in the
.pfx file format
• Common format for W indow s certificates
- Look for the .cer extension
PKCS #7
• Public Key Cryptography Standards #7
• Cryptographic Message Syntax Standard
-Associated with the .p7b file
• Stor ed in ASCI I format
- Human-readable
• Contains certificates and chain certificates
- Private keys are not included in a .p7b file
• W ide platform support
- Microsoft W indow s
- Java Tomcat
Professor Messer's CompTIA SY<HiOl Security+ Course Notes· Page 96
https://ProfessorMesser.com
3.9 - Certificates (continued)
Email certificates
• Use cryptography in an emai l platform
- You' ll need public key cryptography
User certificates
• Encrypting emails
- Use a recipient's public key to encrypt
• Receiving encrypted emai ls
- Use your private key to decrypt
• Digital signatures
- Use your private key to digitally sign an email
- Non-repudiation, integrity
• Use as an additional authentication factor
- limit access without the certificate
• Associate a certificate w ith a user
- A pow erful electronic " id card"
• Integrate onto smart cards
- Use as both a physical and digital access card
3.9 - Certificate Concepts
Online and offline CAs
• A compromised certificate authority
- A very, very bad thing
- No certificates issued by that CA can be t rusted
Key escrow
• Someone else holds your decryption keys
- Your private keys are in the hands
of a 3rd-party
• Distribute the load
- Then take the root CA offiine and protect it
• This can be a legitimate business arrangement
-A business might need access to employee
information
- Government agencies may need to decrypt
partner data
OCSP stapling
• Online Certificate Status Protocol
- Provides scalability for OCSP checks
• The CA is responsible for responding to all
client OCSP r equests
- This does not scale w ell
• Instead, have the certificate holder verify their ow n status
- Status information is stored on the certificate holder's server
• OCSP status is "stapled" into the SSL/TLS handshake
- Digitally signed by the CA
Pinning
• You' re communicating over TLS/SSL to a server
- How do you really know it 's a legitimate server?
• " Pin" the expected certificate or public key to an application
- Compiled in the app or added at first run
• If the expected certificate or public key doesn' t match, the
application can decide w hat to do
- Shut dow n, show a message
It's all about the process
• Need clear process and procedures
- Keys ar e incredibly important pieces of
information
• You must be able to trust your 3rd-party
- Access to the keys is at the control of the
3rd-party
• Carefully controlled conditions
- Legal proceedings and court orders
Certificate chaining
• Chain of t rust
- List all of the certs betw een the server
and the root CA
• The cha in starts w ith the SSL certificate
- And ends w ith the Root CA certificate
PKI trust relationships
• Single CA
- Everyone receives their certificates from one authority
• Any certificate betw een the SSL certificate
and the root certificate is a chain certificate
- Or intermediate certificate
• Hierarchical
- Single CA issues certs to intermediate CAs
• The w eb server needs to be configured with
the proper chain
- Or the end user may receive an error
• Mesh
- Cross-certifying CAs - Doesn't scale w ell
• Web-of-trust
- Alternative to t raditional PKI
• Mutual Authentication
- Server authenticates to the client and the client
authenticates to the server
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 97
https://ProfessorMesser.com
4.1 - Reconnaissance Tools
traceroute
• Determin e the route a packet takes to a destination
- Map the entire path
• tracert (Windows) or traceroute (POSIX)
• Written by Mike Muuss in 1983
- The sound made by sonar
- Not an acronym for Packet INternet Groper
- A backronym
• Takes advantage of ICMP Time to live Exceeded error
message
- The time in TTL r efers to hops, not seconds or minutes
- TTL=l is the first router, TTL=2 is the second router,
etc.
pathping
• Not all devices will r eply with
ICMP Time Exceeded messages
- Some firew alls filter ICMP
- ICMP is low -priority for many devices
• Second phase
- Measu re round trip time and packet loss at each hop
• Combine ping and traceroute
- Included with Window s NT and later
• First phase runs a traceroute
- Bui ld a map
hping
nslookup and dig
• TCP/IP packet assembler/analyzer
-A ping that can send almost anything
• Lookup information from DNS servers
- Canonical names, IP addresses, cache timers, etc.
• Ping a device
- ICMP, TCP, UDP
• nslookup
-#hping3 --destport 80 10.1.10.1
-Both Windows and POSIX-based
- Lookup names and IP addr esses
- Deprecated (use dig instead)
• dig or DiG (Doma in Information Groper)
- More advanced domain information
- Probably your first choice
- Instal l in Windows : https://professormesser.link/
digwin
ipconfig and ifconfig
• Send crafted frames
- Modify all IP, TCP, UDP, and ICMP values
• A pow erful tool
- It's easy to accidentally flood and DoS
- Be careful !
netstat
• Network statistics
- Many different operating systems
• Most of you r troubleshooting starts w ith your IP address
- Ping your local router/gateway
• Determin e TCP/ IP and network adapter information
- And some add itional IP deta ils
• netstat -a
• ipconfig - Windows TCP/IP configuration
• ifconfig - Linux interface configuration
•netstat -n
Nmap
• Netw ork ma pper
- Find and learn more about network devices
• Port scan
- Find devices and identify open ports
• Operating system scan
- Discover the OS without logging in to a device
netcat
• Service scan
- What service is available on a device?
Name, version, deta ils
• Additional scripts
- Nmap Scripting Engine (NSE)
• Extend capabilities, vulnera bility scans
ping
• Test reachability
- Determine round-trip time
- Uses Internet Control Message Protocol (ICMP)
• One of you r primary troubleshooting tools
- Can you ping the host?
- Show all active connections
•netstat -b
- Show bina ries
- Do not resolve names
• "Read" or "write" to the netw ork
- Open a port and send or receive some traffic
• Many different functions
- Listen on a port number
- Transfer data
- Scan ports and send data to a port
• Become a backdoor
- Run a shell from a remote device
• Other alternatives and OSes - Neat
IP scanners
• Search a network for IP addresses
- Locate active devices
-Avoid doing w ork on an IP address that isn't there
• Many different techn iques
- ARP (if on the local subnet)
- ICMP reque sts (ping)
-TCP ACK
- ICMP timestamp req uests
• A re sponse means more recon can be done
- Keep gathering information - Nmap, hping, etc.
© 2020 Messer Studios, LLC
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 98
https://ProfessorMesse r.com
4.1 - Reconnaissance Tools (continued)
Address Resolution Protocol
• Determine a MAC address based on an IP address
- You need the hardw are address to communicate
• Another tool that can cause problems
- Brute force, server scanning, etc
- M ake sure you know what you're doing
• arp -a
scanless
- View local ARP table
• Run port scans from a different host
- Port scan proxy
route
• View the device's routing table
- Find out wh ich w ay the packets will go
• Windows : route print
• M any different services
- Choose the option for scan origination
- You r IP is hidden as the scan source
• Linux and macOS: netstat -r
dnsenum
• Enumerate DNS information
- Find host names
• View host information from DNS servers
- M any services and hosts are listed in DNS
• Find host names in Google
- More hosts can probably be found in the index
curl
• Client URL
- Retrieve data using a URL
- Uniform Resource Locator
- Web pages, FTP, emails, databases, etc.
• Grab the raw data
- Search
- Parse
-Automate
Nessus
• Industry leader in vu lnerabil ity scanning
- Extensive support
- Free and commercial options
• Identify known vulnerabilities
- Find systems before they can be exploited
theHarvester
• Gather OSINT
- Open-Source Intelligence
• Scrape information from Google or Bing
- Find associated IP addresses
• List of people from Linkedln
- Names and titles
• Find PGP keys by email domain
- A list of email contacts
• Extensive reporting
- A checklist of issues
- Filter out the false positives
Cuckoo
• A sandbox for malware
- Test a fil e in a safe environment
• A virtualized environment
- Windows, Linux, macOS, Android
• Track and trace
-API calls, net w ork traffic, memory analysis
- Traffic captures
- Screens hots
• DNS brute force
- Find those unknown hosts; vpn, chat, mail, partner, etc.
snlper
• Combine many recon tools into a single framework
- dnsenum, metasploit, nmap, theHarvester, and much more
• Both non-intrusive and very intrusive scanning options
- You choose the volume
4.1 - File Manipulation Tools
head
cat
• View the first part of a file
- The head, or beginning, of the file
• Concatenate
- Link together in a series
- head [ OP'l'ION] ... [FILE] ...
• Use -n to specify the number of li nes
- head -n 5 sys log
tail
-cat filel.txt file2.txt > both.txt
grep
• Find text in a file
- Search through many files at a time
[FILE]
• Use -n to specify the number of li nes
- tail -n 5 sys log
© 2020 Messer Studios, LLC
-cat filel.txt file2.txt
• Copy a file/ files to another file
• View the last part of a fil e
- The tail, or end, or the file
-tail [OP'l'ION] -
• Copy a file/ files to the screen
•grep PA'l''l'ERN [FILE]
-grep failed auth.log
Professor Messer's CompTIA SY<HiOl Security+ Course Notes · Page 99
https://ProfessorMesser.com
4.1 - File Manipulation Tools (continued)
chmod
logger
• Change mode of a file system object
- r=read, w =w rite, x=execute
- Can also use octal notation
- Set for the file ow ner (u), the group(g),
others(o), or all(a)
• Add entries to the system log
- syslog
• Adding to the local syslog file
- chmod mode P'ILE
- chmod 7 44 script. sh
•chmod 744 first.txt
-logger "'l'his information is added to syslog"
• Useful for including information in a local or remote syslog file
- Include as part of an automation script
- Log an important event
- User; read, w rite execute
- Group; read only
- Other; rea d only
•chmod a-w first.txt
- All users, no w riting to first.txt
•chmod u+x script.sh
- The own er of script.sh can execute the file
4.1 - Shell and Script Environments
SSH {Secure Shell)
• Encrypted console communication - tcp/22
• Looks and acts the same as Telnet
Windows PowerShell
• Command line for system administrators
- .psl fil e extension
- Included w ith Windows 8/8.1 and 10
• Extend command-lin e functions
- Uses cmdlets (comman d-lets)
- Pow erShell scripts and functions
- Standalone executables
• Automate and integrate
- System administration
- Active Domain admin istration
Python
• General-purpose scripting language
- .py file extension
• Popular in many technologies
- Broad appeal and support
OpenSSL
• A toolkit and crypto library for SSL/TLS
- Bui ld certificates, manage SSL/TLS communication
• Create X.509 certificates
- Manage certificate signing req uests (CSRs) and
certificate revocation lists (CRLs)
• Message digests
- Support for many hashing protocols
• Encryption and Decryption
- SSL/TLS for services
•Muchmore
4.1 - Packet Tools
Tcpreplay
• A suite of packet replay utilities
- Replay and edit packet captur es
- Open source
• Test security devices
- Check IPS signat ures and firewall rules
• Test and tune IP Flow/NetFlow devices
- Send hundreds of thousands of traffic flow s
per second
• Eva luate the performance of security devices
- Test throughput and flows per second
Wireshark
• Graphical packet analyzer
- Get into the details
• Gathers frames on the netw ork
- Or in the air
• Sometimes built into the device
- View traffic patterns
- Identify unknow n traffic
- Verify packet filtering and securit y controls
• Extensive decodes
- View the application t raffic
tcpdump
• Capture packets from the command line
- Display packets on the screen
- W rite packets to a file
© 2020 Messer Studios, LLC
Professa< Messer's CompTIA SYo-601 Security+ Course Notes - Page 100
https://ProfessorMesser.com
4.1 - Forensic Tools
dd
• A reference to the DD command in
- IBM mainframe JCL (Job Control Language)
- Data Definition (ASCII to EBCD IC converter)
• Create a bit-by-bit copy of a drive
- Used by many for ensics tools
• Create a disk image
-dd if=/dev /sda of=/ tmp/sda-image.img
• Restore from an image
-dd if=/tmp /sda-image.img of=/ dev/sda
memdump
• Copy information in system memory to the standard
output stream
- Everything that happens is in memory
- Many third-party tools can read a memory dump
• Copy to another host across t he netw ork
- Use netcat, stunnel, openssl, etc.
Winhex
• A universal hexadecimal editor for W indow s OS
• Edit disks, files, RAM
- Includes data r ecovery features
• Disk cloning
- Drive replication
• Secure w ipe
- Hard drive cleaning
•Much more
- A full-featured forensics tool
Autopsy
• Perform digital forensics of hard drives, smart phones
- View and recover data from storage devices
• Extract many different data types
- Dow nloaded fil es
- Brow ser history and cache
- Email messages
- Databases
- Much mor e
Exploitation frameworks
• A pre-built toolkit for exploitations
- Build custom attacks
-Add more tools as vulnerabilities are found
- Incr easingly pow erful utilities
• Metasploit
-Attack know n vulnerabil ities
• The Social-Engineer Toolkit (SET)
- Spear phishing, Infectious media generator
Password crackers
• The keys to the kingdom
- Find the passw ords
• Online cracking
- Try username/ passw ord combinations
• Offline cracking
- Brute force a hash file
FTK imager
• AccessData for ensic drive imaging tool
- Includes file utilities and read-only image mounting
- W indow s executable
• W idely supported in many forensics tools
- Third-party analysis
• Support for many different fil e systems and full disk
encryption methods
- Investigator still needs the passw ord
• Can also import other image formats
- dd, Ghost, Expert Witness, etc.
• Limitations
- Passw ord complexity/ strength (entropy)
- Hashing method and CPU pow er
- Graphics processors are useful hardw are tools
Data sanitization
• Completely remove data
- No usable information r emains
• Many different use cases
- Clean a hard drive for future use
- Permanently delete a single file
• A one-w ay t rip
- Once it 's gone, it's really gone
- No recovery w ith forensics tools
4.2 - Incident Response Process
Security incidents
• User clicks an email attachment and executes malw are
- Malware then communicates w ith external servers
• DDoS
- Botnet attack
• Confidential information is stolen
- Thief w ants money or it goes public
• User installs peer-to-peer softw are and allow s externa l
access to internal servers
© 2020 Messer Studios, LLC
Roles and responsibilities
• Incident response team
- Specialized group, t rained and tested
• IT security management
- Corporate support
• Compliance officers
- Intricate knowledge of compliance rules
• Technical staff
- Your team in the trenches
• User community
- They see everything
Professa< Messer's CompTIA SYo-601 Security+ Course Notes - Page 101
https://ProfessorMesser.com
4.2 - Incident Response Process (continued)
NIST SPS00-61
• National Institute of Standards and Technology
- NIST Special Publication 800-61 Rev. 2
- Computer Security Incident
- Handling Guide
• The incident response lifecycle:
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-incident Activity
Preparing for an incident
• Communication methods
- Phones and contact information
• Incident handling hardware and softw are
- Laptops, r emovable media, for ensic softw are,
digital cameras, etc.
• Incident analysis resources
- Documentation, netw ork diagrams, baselines,
critical file hash values
• Incident mitigation softw are
- Clean OS and application images
• Policies needed for incident handli ng
- Everyone know s w hat to do
The challenge of detection
• Many different detection sources
- Different levels of detail, different levels of perception
• A large amount of "volume"
- Attacks ar e incoming all the time
- How do you identify the legitimate threats?
• Incidents ar e almost alw ays complex
- Extensive know ledge needed
Incident precursors
• An incident might occur in the future
- This is your heads-up
• Web server log
- Vulnerability scanner in use
• Exploit announcement
- Monthly M icrosoft patch release,
- Adobe Flash update
• Direct threats
- A hacking group doesn't like you
• Sandboxes
- An isolated operating system
- Run malware and analyze the results
- Clean out the sandbox w hen done
• Isolation can be sometimes be problematic
- Malwar e or infections can monitor connectivity
- When connectivity is lost, everything could be
deleted/ encrypted/ damaged
Recovery after an incident
• Get things back to normal
- Remove the bad, keep the good
• Eradicate the bug
- Remove malwar e
- Disable breached user accounts
- Fix vulnerabilities
• Recover the system
- Restore from backups
- Rebuild from scratch
- Replace compromised files
- Tighten dow n the perimeter
Reconstitution
• A phased approach
- It 's difficult to fix everything at once
• Recovery may take months
- Large-scale incidents require a large amount of w ork
• The plan should be efficient
- Start w ith quick, high-value security changes
• Patches, firew all policy changes
- Later phases involve much " heavier lifting"
• Infrastructure changes, large-scale security
rol louts
Lessons learned
• Learn and improve
- No system is perfect
• Post-incident meeting
- Invite everyone affected by the incident
• Don't w ait too long
- Memories fade over time
- Some recommendations can be applied to the
next event
Incident indicators
• An attack is underw ay
- Or an exploit is successful
• Buffer overflow attempt
- Identified by an intrusion detection/ prevention system
• Anti-virus softw are identifies malw are
- Deletes from OS and notifies administrator
• Host-based monitor detects a configu ration change
- Constantly monitors system files
• Netw ork t raffic flow s deviate from the norm
- Requires constant monitoring
© 2020 Messer Studios, LLC
Isolation and containment
• Generally a bad idea to let th ings run their course
-An incident can spread quickly
- It 's your fault at that point
Answer the tough questions
• What happened, exactly?
- Timestamp of the events
• How did your incident plans w ork?
- Did the process operate successfully?
• What w ould you do differently next time?
- Retrospective view s provide context
• Which indicators w ould you w atch next time?
- Different pr ecursors may give you better alerts
Professo, Messer's CompTIA SY0--601 Security+ Course Notes ·
Page 102
https://ProfessorMesser.com
4.2 - Incident Response Planning
Exercise
• Test you rselves before an act ua l event
- Schedu led updat e sessions (annual, sem i-annual, etc. )
Communication plan
• Get your contact list t ogether
- There are a lot of people in the loop
• Use w el l-defined ru les of engagement
- Do not t ouch the production systems
• Very specifi c scena rio
- Limited time to run the event
• Eval uate response
- Document and discuss
Tabletop exercises
• Performing a fu ll-scale disaster drill can be costly
- And time consuming
• Many of t he logistics can be determined through
analysis
- You don't physically have to go t hrough a
disaster or drill
• Corporate / Organ ization
- CIO / Head of Information Secu rity / Internal
Response Teams
• Internal non-IT
- Human resou rces, public affa irs, lega l department
• External contacts
- System ow ner, law enforcement
- US-CERT (for U.S. Government agencies)
• Get key players together for a t abletop exercise
- Talk t hrough a simu lat ed disaster
Walkthrough
• Include responders
- A step beyond a tabletop exercise
- Many moving parts
• Test processes and procedu re s before an event
- Walk through each step
- Involve all groups
- Reference act ual response materials
• Identifi es act ual faults or m issing steps
- The w alkth rough appli es the concepts from the
tabletop exercise
Simulation
• Test w ith a simu lat ed event
- Ph ish ing attack, passw ord r equests, data breaches
• Going phishing
- Create a phishing email attack
- Send to your actual user communit y
- See w ho bites
• Test int ernal securit y
- Did the phishing get past the fi lter?
• Test the users
- Who clicked?
- Additional trai ning may be requ ired
Stakeholder management
• Keeping an good ongoing relationship w ith
customers of IT
- These can be internal or external customers
- An incident response will requ ire teamw ork
- W it hout the stakeholder, IT w ou ld not exist
• Most of th is happens pri or t o an incident
- Ongoing communication and meetings
- Exercises should include the cust omers
• Continues after the incident
- Prepare for t he next event
© 2020 Messer Studios, LLC
Disaster recovery plan
• If a disaster happens, IT should be rea dy
- Part of business continuity planning
- Keep t he organization up and running
• Disasters are many and varied
- Nat ural disasters
- Technology or system failures
- Human-created disasters
• A comprehensive plan
- Recovery location
- Data recovery method
- Appl ication rest oration
- IT team and employee availability
Continuity of operations planning (COOP)
• Not everyth ing goes accordi ng to plan
• Disasters can cause a disru ption to t he norm
• We rely on ou r com puter systems
• Technology is pervasive
• There needs to be an alternative
• Manua l transactions
• Paper r eceipts
• Phone calls for transaction approvals
• These must be documented and tested before
a problem occurs
Incident response team
• Receives, review s, and r esponds
- A predefined group of professionals
• Determine w hat type of events re quire a response
- A virus infection? Ransom w are? DDoS?
• May or may not be part of the organizational structur e
- Pu ll ed t ogether on an as-needed basis
• Focuses on incident handling
- Incident response, incident ana lysis, incident reporting
Retention policies
• Backup your data
- How much and w here? Copies, versions of copies,
lifecycl e of data, purging old dat a
• Regu lat ory compl iance
- A certain amount of data backup may be required
• Operational needs
- Accidenta l deletion, disaster recovery
• Differ entiate by type and application
- Recover t he data you need w hen you need it
Professa< Messer's CompTIA SYo-601 Security+ Course Notes - Page 103
https://ProfessorMesser.com
4.2 -Attack Frameworks
Attacks and responses
• A constantly moving chessboa rd
- The rules ar e also constantly changing
• Response and intelligence teams need assistance
- Gather and maintain ongoing reconnaissance
• Understand attacks
- Many different vectors
• Assess the risk in an organization
- Determine if a risk exists
- Use appropriate mitigation
MITRE ATT&CK framework
• The M ITRE corporation
- US not-for-profit based in Massachusetts and Virginia
- Supports several U.S. government agencies
• The M ITRE ATT&CK framew ork
- https :// attack.mitre.org/
• Determine the actions of an attacker
- Identify point of intrusion
- Understand methods used to move around
- Identify pot ential security t echniques t o
block future attacks
Diamond Model of Intru sion Analysis
• Designed by the intelligence commun ity
- https ://apps.dtic.mil/docs/ citations/ ADA586960
- Guide analysts to help understand intrusions
- Integrates w ell w ith other framew orks
• Apply scientific principles to int rusion analysis
- Measurement, testability, and repeata bilit y
- Appears simple, but is r ema rkably complex
• An adversary deploys a ca pability over some
infrastructure against a victim
- Use the model to analyze and fill in the details
Adversary
Victim
Cyber Kill Chain
• Seven phases of a cyber attack
- A milit ary concept
4.3 - Vulnerability Scan Output
Identify vulnerability
• The scanner looks for everyt hing
- Well, not _everyth ing_
- The signatu re s are the key
Dealing with false positives
• False positives
- A vulnerabil ity is identifi ed t hat doesn' t really exist
• Th is is different than a low -severity vulnerability
- It 's real, but it may not be you r highest pri orit y
• False negatives
- A vulnerabil ity exists, but you didn't detect it
• Update to the latest signatu res
- If you don't know about it, you can't see it
• Work wit h the vulnerability det ection manufact urer
- They may need to update t heir signatures
for your environment
• The vulnerabilities can be cross-referenced on line
- Almost all scanners give you a place to go
- National Vu lnerability Database: http://nvd.nist.gov/
- Microsoft Securit y Bulletins:
- https :// docs. microsoft.com/ en-us/ security-u pdat es/
• Some vulnerabilities cannot be defin itively identified
- You' ll have to check manually to see if a
system is vu lnerable
- But the scanner gives you a heads-up
Vulnerability scan results
• Lack of security controls
- No firewall
- No anti-virus
- No anti-spyw are
• M isconfi gu rations
- Open shares
- Guest access
• Real vulnerabilities
- Especially new er ones
- Occasional ly the old ones
... . .
.......
Scan o1
...... lltS...
• M,_
I ,_.
. ... 0 --
--
---
-
004....,._._,
ac: ....
1-.-i••--
MH 1,1w,,1t..._.1
w-r, ~
........
,o;f'lllllfM~"'-1>•
~----w..-e,1,,
s.. -... ...........
© 2020 Messer Studios, LLC
--
Professo, Messer's CompTIA SYo-601 Security+ Course Notes - Page 104
...
...
_,._
""'
.....
.....
~
,....
u,,_
...,.•~IW
....._.,.,
,,,,,,,
1-
(; ·-·...·---.
https://ProfessorMesser.com
4.3 - SIEM Dashboards
SIEM
• Security Information and Event Management
- Logging of security events and information
• Security alerts
- Real-time information
• Log aggregation and long-term storage
- Usually includes advanced reporting fe atures
• Dat a corr elation
- Link diverse data t ypes
• Forensic analysis
- Gather details after an event
Getting the data
• Sensors and logs
- Operating systems
- Infrastructure devices
- NetFlow sensors
• Sensitivity settings
- Easy to be overwhelmed with data
- Some information is unnecessary
- Informational, Warning, Urgent
Viewing the data
• Trends
- Identify changes over time
- Easily view constant attack metrics
• Alerts
- Identify a security event
- View raw data
- Visualize t he log information
• Correlation
- Com bine and com pare
- View data in different w ays
4.3 - Log files
Network log fil es
• Swit ches, routers, access points, VPN concentrat ors
- And ot her infrastructu re devices
Web log files
• Web server access
- IP address, w eb page URL
• Netw ork changes
- Routing updates
- Authentication issues
- Network security issues
System log files
• Operating system information
- Extensive logs
- File system information
- Authentication details
• Can also include security event s
- Mon itoring apps
- Brute force, fi le changes
• May r equ ire fil tering
- Don't forw ard everyt hing
• Access errors
- Unauthori zed or non-existent folders/files
• Exploit attempts
- Attempt t o access fil es containing know n
vulnera bil ities
• Server activity
- Sta rtup an d shutdow n notices
- Restart messages
DNS log file s
• View lookup req uests
- And ot her DNS queries
• IP address of the req uest
- The request FQDN or IP
• Identify queries to know n bad URLs
- Malwar e sit es, know n command
and control domains
Application log file s
• Specific t o the application
- Information va ries w idely
• W indow s - Event View er/ Application Log
• Li nux/ macOS - /var/log
• Parse the log detai ls on t he SIEM
- Filter out unneeded info
Security log files
• Detailed securit y-related information
- Blocked and al low ed t raffic fl ows
- Exploit attempts
- Blocked URL categories
- DNS sinkhole t raffi c
• Security devices
- IPS, firew all, proxy
• Critica l security information
- Documentation of every t raffi c fl ow
- Summary of attack info
- Correlate wit h other logs
© 2020 Messer Studios, LLC
• Block or modify know n bad r equests
at t he DNS server
- Log the results
- Report on ma lw are activit y
Authentication log fil es
• Know w ho logged in (or didn't)
- Account names
- Source IP addr ess
- Aut hentication method
- Success and fail ure reports
• Identify multiple fa ilures
- Potentia l brute force attacks
• Correlate wit h other events
- File transfers
- Aut hentications t o other devices
- Application installation
Professa< Messer's CompTIA SYo-601 Security+ Course Notes· Page 105
https://ProfessorMesser.com
4.3 - Log files (continued)
Dump files
• Stor e all cont ents of memory into a diagnostic file
- Developers can use this info
• Easy to create from the
- W indow s Task Manager
- Right-dick, Create dump file
• Some applications have t heir ow n dump file process
- Contact the appropriate support team for
additional details
VoIP and Call Manager logs
• View inbound and outbound cal l info
- Endpoint details, gatew ay communication
• Security information
- Authentications, audit t rail
• SIP t raffic logs
- Session Initiation Protocol
- Call setup, management, and teardow n
- Inbound and outbound calls
- Alert on unusual num bers or country codes
4.3 - Log Management
Syslog
• Standard for message logging
- Diverse systems creat e a consolidat ed log
NetFlow
• Gather t raffic statistics from all traffi c flow s
- Shared commun ication bet w een devices
• Usually a central logging receiver
- Integrated into t he SIEM (Security Information and
Event M anager)
• Each log entry is labeled
- Facilit y code (program that created the log) and
severity level
• Syslog daemon options
- Rsyslog -" Rocket-fast System for log processing"
- syslog-ng - A popular syslog daemon w ith add itional
filtering and storage options
- NXLog - Collection from many diverse log types
• NetFlow
- Standard coll ection method
- Many products and options
• Probe and col lector
- Probe w at ches netw ork communication
- Summary record s are sent to t he coll ector
Journalctl
• Li nux has a lot of logs
- The OS, daemons, applications, etc.
• System logs are stored in a binary format
- Optimized for st orage an d queries
- Can't rea d them with a text editor
• Journalctl provides a method for querying the system
journa l
- Search and fil ter
- View as plain text
Bandwidth monitors
• The fundam ental netw ork statistic
- Percentage of net work use over time
• Many different w ays to gather t his met ric
- SNMP, NetFlow, sFlow, IPFIX prot ocol analysis,
softw are agent
• Identify fundamental issues
- Nothing w orks properly if bandw idth is highly utilized
Metadat a
• M etadata
- Data t hat describes other data sources
• Email
- Header details, sending servers, destination addr ess
• Mobile - Type of phone, GPS location,
• Usually a separate reporting app
- Closely tied t o the coll ector
IPFIX
• IP Flow Information Export
- A new er, NetFlow -based sta ndard
- Evolved from NetFlow v9
• Flexib le data support
- Templates are used to describe the data
sFlow
• sFlow (Sampled Flow)
- On ly a portion of the actual netw ork traffic
- So, technica lly not a flow
• Usually em bedded in the infrastructure
- Sw itches, routers
- Sampling usua lly occurs in hardw are/ASICs
• Relatively accurate statistics
- Useful information rega rd ing video str eam ing and
high-t raffi c applications
Protocol analyzer output
• Solve complex application issues
- Get int o the details
• Gathers packets on the net w ork
- Or in the air
- Sometimes built int o the device
• View detai led t raffic information
- Identify unknow n traffic
- Verify packet filt ering an d secu rity controls
- View a plain-language descri ption of the
application dat a
• Web - Operating system, brow ser type, IP address
• Files - Name, addr ess, phone number, tit le
© 2020 Messer Studios, LLC
Professo, Messer's CompTIA SYo-601 Security+ Course Notes ·
Page 106
https://ProfessorMesser.com
4.4 - Endpoint Security Configuration
The endpoint
• The end user device
- Desktop PC, laptop, t ablet, phone, etc.
• Many w ays to exploit a system
- OS vu lnerability, malwar e,
user intervention
• Security team has t o cover all of the bases
- Recogn ize and react t o any
ma Iicious activity
Application approved/ deny lists
• Any application can be dangerous
- Vulnerabilities, trojan horses, malware
- Secu rity poli cy can control app execution
• Approved list
- Nothing runs un less it's approved
- Very re strictive
Exa mples of application approval lists
• Decisions are made in the operating system
- Often bui lt-in to the operating
system management
- Application hash
• Only allow s applications wit h this
unique identifi er
• Certificate
- Allow digit ally signed apps from
certa in publishers
• Path
- Only run applications in these folders
• Network zone
- The apps can on ly run from th is netw ork zone
• Blacklist/ deny list
- Nothing on the " bad list" can be executed
- Anti-virus, anti-ma lware
• Quarantine
- Anything suspicious can be moved to a safe area
4.4 - Security Configurations
Configuration changes
• Firew all rules
- Manage application flow s
- Block dangerous applications
• Mobile Device Manager (MOM)
- Enable or disable phone and t ablet functionality
- Rega rdl ess of physica l location
• Dat a loss Pr evention (OLP)
- Block transfer of persona lly identifi able information
(PII ) or sensitive dat a
- Credit card numbers, social security numbers, etc.
• Content fi lter/URL fil ter
- limit access t o untrusted w ebsit es
- Block know n malicious sites
- large blacklists are used to sha re suspicious sit e URls
• Updating or revoking certifi cates
- Manage device certifi cates to verify trust
- Revoking a certifi cate effectively removes access
Isolation
• Administratively isolate a com prom ised device from
everyth ing else
- Prevent the spread of malicious softw are
- Prevent remote access or C2 (Command and Control)
• Netw ork isolation
- Isolate to a remediation VLAN
- No communication to other devices
• Process isolation
- limit appl ication execution
- Prevent ma li cious activity but allow device
management
© 2020 Messer Studios, LLC
Containment
• Application containment
- Run each application in its ow n sandbox
- lim it interaction w ith the host operating system
and ot her applications
- Ransom w are w ould have no method of infection
• Contain the spread of a mu lti-device security
event, i.e., ransomw are
- Disa ble adm inistrative shares
- Disa ble remote management
- Disa ble local account access and change local
administrator passw ord
Segmentation
• Separate the netw ork
- Pr event unauthorized movement
- lim it t he scope of a breach
SOAR
• Securit y Orchestration, Automation, and Response
- Integrate th ird-part y tools and data sources
- Make security teams more effective
• Run books
- linear checklist of steps to perform
- Step-by-step approach to automation
- Reset a passw ord, create a w ebsite certificate,
back up application data
• Playbooks
- Conditional steps to follow ; a broad process
- Investigat e a data breach, recover
from ransomw are
Professo, Messer's CompTIA SYo-601 Security+ Course Notes ·
Page 107
https://ProfessorMesser.com
4.5 - Digital Forensics
Digital forensics
• Collect and protect information relating to an intrusion
- Many different data sources and protection
mechanisms
• RFC 3227 - Guideli nes for
- Evidence Collection and Arch iving
- A good set of best practices
• Standard digital forensic process
- Acqu isition, analysis, and reporting
• Must be detail oriented
- Take extensive notes
Legal hold
• A legal technique to preserve relevant information
- Prepare for impending litigation
- In itiated by legal counsel
• Hold notification
- Records custodians are instructed to preserve data
• Separate repository for electronically stored
information (ESI)
- Many different data sources and types
- Unique w orkflow and retention requirements
• Ongoing preservation
- Once notified, there's an ongoing obligation to
preserve data
Capture video
• A moving record of the event
- Gathers information external to the computer
and network
• Captures the status of the screen and other
volatile information
- Today's mobi le video devices are remarkable
• Don't forget security cameras and your phone
• The video content must also be archived
- May have some of the most important record
of information
Admissibility
• Not all data can be used in a court of law
- Different rules in different ju risdictions
• Legal authorization
- Search and seizure of information
• Procedures and tools
- The correct tools used the correct w ay
• Laboratories
- Proper scientific principles used to analyze
the evidence
• Technical and academic qualifications
- Competence and qualifications of experts
Chain of custody
• Control evidence
- Maintain integrity
Event logs
• System logs
- Documents important operating system and
application events
• Export and store for future reference
- Filter and parse
• Log store
- Linux: /var/log
- W indow s: Event View er
•
0
•
r~i_
---·
·
~
l~
,-s'~~....
.
.
,
_
_.
_
,
.
.
.
.
,
~~ ,-to~-- ---------~
a·-.... z...
,~.-,~
,-i.,·-__
__
...
fk~--tv.
Os...
'1tr-
...
U,.._t_
, ...... s.-
..,.,.~ •..,~
, __ s -
'1~
1-1~~
(.I•-~
·,.,-...-
, ..... s.'--.,._
~
1~.ast,w
'~0S'I""'
1~~'""
....,_.,,..,,..
~
~~M
ff
Mfl"
4),1 •
..iol
1
"
. ...
.,l ~u,p,,
t W20ll)~1N
~&n',ll'W,
,
--...... -.....
..,---
......
-
_,.....,.....__,.., l.,,,..,.
,_
.....
~
t~.c:!IM
t.o•c..p"'~
( ~ c . . . w..
Interviews
• Who might have seen th is?
- You w on't know until you ask
• Interview and document
- These folks might not be around later
• Not al l w itness statements are 100% accurate
- Humans are fallible
Reports
• Document the findings
- For Internal use, legal proceedings, etc.
• Summary information
- Overview of the security event
• Detailed explanation of data acquisition
- Step-by-step method of the process
• Everyone w ho contacts the evidence
- Use hashes
- Avoid tampering
© 2020 Messer Studios, LLC
• Label and catalog everything
- Digitally tag all items for ongoing documentation
- Seal and store
Recording time offsets
• The time zone determines how the time is displayed
- Document the local device settings
• Different file systems store timestamps differently
- FAT: Time is stored in local time
- NTFS: Time is stored in GMT
• Record the time offset from the operating system
- The W indow s Registry
- Many different va lues (daylight saving time,
time change information, etc.)
• The findings
- An analysis of the data
• Conclusion
- Professional results, given the analysis
Professa< Messer's CompTIA SYo-601 Security+ Course Notes· Page 108
https://ProfessorMesser.com
4.5 - Forensics Data Acquisition
CPU registers, CPU cache
Router table, ARP cache, process table, kernel statistics, memory
Temporary file systems
Disk
Remote logging and monitoring data
Physica l configuration, network topology
Archival media
Order of volatility
• How long does data stick around?
- Some media is much mor e volati le than ot hers
- Gather dat a in order from the most volatile to
less volatile
Disk
• Copy everything on a storage drive
- Hard drive, SSD, fl ash drive
• Drive image prepa ration
- Pow er dow n to prevent changes
- Remove storage drive
• Connect to imaging device
- W it h w rite-protection
• Core operating system
- Executable files and libraries
- Can be com pared later to know n-good files
- Usually ca ptured w ith a drive image
• Other OS data
- Logged in users
- Open ports
- Processes currently running
- Attached device list
• Forensic clone
- Bit-for-bit copy
- Preserve all data (even t he "deleted" data)
Random access memory (RAM)
• A difficult target t o capture
- Changes constantly
- Capturing data changes t he data
• M emory dum p
- Grab everyt hing in active RAM
- Many t hird-party tools
• Important data
- Browsing history
- Clipboa rd information
- Encryption keys
- Command history
Device
• Mobile devices and tablets
- A more cha ll enging forensics task
• Capture data
- Use an existing backup file
- Transfer image over USB
• Data
- Phone ca lls
- Contact information
- Text messages
- Email data
- Images and movies
Firmware
• Ext ract the device firmw are
- Rootkit s and exploit ed hardw are device
- A reprogrammed firmw are or ROM
Swap/ pagefile
• Used by different operating systems
- Slightly different usage in each
• A place to store RAM w hen memory is depleted
- There's a lot more space on the storage drive
- Transfer pages of RAM to a storage drive
• Can also cont ain portions of an application
- Page out portions that aren't in use
• Cont ains data sim ilar to a RAM dump
- Anything active on the system
© 2020 Messer Studios, LLC
Operating system
• OS files and dat a
- May have been modifi ed
• Specific to the platform
- Firmw are implementations vary w idely
• Attacker gains access to t he device
- Maintains access through OS updates
• Data discovery
- Exploit data
- Firmw are functiona lity
- Real-time data
Professo, Messer's CompTIA SYo-601 Security+ Course Notes· Page 109
https://ProfessorMesser.com
4.5 - Forensics Data Acquisition (continued)
Snapshot
• Generally associated with virtual machines (VMs)
- A point-in-time system image
• Incremental betw een snapshots
- Original image is the full backup
- Each snapshot is incr emented from the last
- Restoring requires the original and all snapshots
• Contains all files and information about a VM
- Similar to a system image
- Operating system, applications, user data, etc.
Cache
• Stor e data for use later
- Often used to incr ease performance
- Many different caches (CPU, disk, Internet, etc.)
• Can contain specialized data
- CPU cache is very short-term instruction storage
• Some data may never be used
- Erased after a specified timeframe or w hen the cache is full
- Browser caches are often long-lived
• Data
- URL locations
- Browser page components (text, images)
Network
• Gather information about and from the network
- Netw ork connections, packet captures
• Inbound and outbound sessions
- OS and application traffic
• Packet data
- Capture raw netw ork data
- May include long-term packet captures
• Third-party packet captures
- Firew alls, IPS, etc.
Artifacts
• Digital items left behind
- Every contact leaves a trace
- May not be obvious to access
• Artifact locations
- Log information
- Flash memory
- Prefetch cache files
- Recycle Bin
- Brow ser bookmarks and logins
4.5 - On-Premises vs. Cloud Forensics
Forensics in the cloud
• Adding complexity to the digita l forensics process
- Cloud technologies
• Technical challenges
- Devices are not totally in your control
- There may be limited access
- Associate data with a specific user
• Legal issues
- Laws are different around the w orl d
- The rules may not be immediately obvious
Right to audit clauses
• Common to w ork with business partners
- Data sharing
- Outsourcing
• Cloud computing providers
- Can hold all of the data
- Manage Internet access
-Are they secure?
• Right-to-audit should be in the contract
- A legal agreement to have the option to perform
a security audit at any time
- Everyone agrees to the terms and conditions
- Ability to verify security before a br each occurs
© 2020 Messer Studios, LLC
Regulatory/jurisdiction
• Cloud computing technology appeared r elatively quickly
- The legal w orl d is scrambling to catch up
• Forensics professionals must know their legal rights
- Data in a different jurisdiction may be bound by very
different regulations
• Data stored in cloud may not be located in the same country
- Location of the data center may determine how data can
be treated
• Location of the data is critical
- Legal framew orks vary widely betw een countries
- Some countries don't allow electronic searches outside
of their borders
Data breach notification laws
• Notification law s
- If consumer data is breached, the consumer must be
informed
• Many data breach notification law s
- Vary w idely across countri es and localities
- If you' re in the cloud, you' re a global entity
• Notification requirements also vary
- Type of data breached
- Who gets notified
- How quickly
Professa< Messer's CompTIA SYo-601 Security+ Course Notes - Page 110
https://ProfessorMesser.com
4.5 - Managing Evidence
Integrity
• Hashing
- Cryptographic integrity verification
- A digital " fingerprint"
Data recovery
• Extract missing data without affecting the
integrity of the data
- Requires t rain ing and expertise
• Checksums
- Protects against accidental changes during transm ission
- A relatively simple integrity check
- Not designed to replace a hash
• Provenance
- Documentation of authenticity
- A cha in of custody for data handling
- Blockchain technology
• The r ecovery process can va ry
- Deleted files
- Hidden data
- Hardw are or softw are corruption
- Storage device is physically damaged
Preservation
• Handl ing evidence
- Isolate and protect the data
- Analyze the data later w ithout any alterations
• Manage the collection process
- Work from copies
- Manage the data collection from mobile devices
• Live collection has become an important skill
- Data may be encrypted or difficult to collect after
pow erin g dow n
• Follow best practices to ensure admissibil ity of
data in court
- What happens now affects the future
E-discovery
• Electronic discovery
- Collect, prepare, review, interpret, and produce
electronic documents
• E-discovery gathers data required by the legal process
- Does not generally involve analysis
- There's no consideration of intent
• Works together w ith digital forensics
- Thee-discovery process obtains a storage drive
- Data on the drive is smaller than expected
- Forensics experts determ ine that data w as deleted and
attempt to recover the data
Non-repudiation
• Proof of data integrity and the origin of the data
- The data is unchanged and really did come from the
sender
- Hashing the data
• Authentication that is genuin e w ith high confi dence
- The only person who could have sent the data is the
sender
• Message Authentication Code (MAC)
- The tw o parties can verify non-repudiation
• Digital Signature
- The non-repudiation can be publicly verified
Strategic intelligence/counterintelligence
• Strategic intelligence
-A focus on key threat activity for a domain
- Business sectors, geographical regions, countries
- Gather information from internal th reat reports,
third-party data sources, and other data in puts
- Determine the thr eat landscape based on the t r ends
• Strategic counterintelligence (Cl)
- Prevent hostile intelligence operations
- Discover and disrupt foreign intelligence threats
- Gather threat information on for eign intelligence
operations
5.1 - Security Controls
Security controls
• Security risks are out ther e
- Many different types to consider
• Assets are also varied
- Data, physical property, computer systems
• Prevent security events, minimize the im pact,
and limit the damage
- Security controls
Control categories
• Managerial controls
- Controls that address securit y design and implementation
- Security poli cies, standard operating procedures
• Operational controls
- Controls that are implemented by people
- Security guard s, aw areness programs
© 2020 Messer Studios, LLC
• Technical controls
- Controls implemented using systems
- Operating system controls
- Firew alls, anti-virus
Control types
• Preventive
- Physically control access
- Door lock
- Security guard
- Firew all
• Detective
- May not prevent access
- Identifies and records any intrusion attempt
- Motion detector, IDS/IPS
Professa< Messer's CompTIA SYo-601 Security+ Course Notes· Page 111
https://ProfessorMesser.com
5.1 - Security Controls (continued)
• Corrective
- Designed to mitigate damage
- IPS can block an attacker
- Backups can mitigate a ransom w are infection
- A backup site can provide options wh en a storm hits
• Deterrent
- May not directly pr event access
- Discourages an intrusion attempt
- Warning signs, login banner
• Compensating
- Doesn't prevent an attack
- Restores using other means
- Re-image or r estore from backup
- Hot site
- Backup pow er system
• Physica l
- Fences, locks, mantraps
- Real-w orld security
5.2 - Security Regulations and Standards
Compliance
• Compliance
- Meeting the standards of law s, policies, and regulations
• A healthy catalog of regulations and law s
- Across many aspects of business and life
- Many are industry-specific or situational
• Penalties
- Fines, incarceration, loss of employment
• Scope
- Covers national, territory, or state laws
- Domestic and internationa l requirements
GDPR - General Data Protection Regulation
• European Union regulation
- Data protection and privacy for individuals in the EU
- Name, address, photo, email address, bank details, posts
on social netw orking w ebsites, medical information,
a computer's IP address, etc.
• Controls export of personal data
- Users can decide wh ere t heir data goes
• Gives individuals control of their personal data
- A right to be forgotten
• Site privacy policy
- Details all of t he privacy rights for a user
PCIDSS
• Payment Card Industry
- Data Security Standard (PCI DSS)
-A standard for protecting credit cards
• Six control objectives
- Bui ld and maintain a secure netw ork and
systems
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
5.2 - Security Frameworks
Security frameworks
• Secure your data.
- Wh ere do you start? W hat are t he best practices?
- If only there w as a book.
• Often a complex problem
- Unique organizational requirements
- Compliance and r egulatory r equirements
- Many different processes and tools are available
• Use a security framew ork
- Documented processes
- A guide for creating a security program
- Define tasks and prioritize proj ects
Center for Internet Security (CIS)
• Center for Internet Security
- Critical Security Controls for
- Effective Cyber Defense
- CIS CSC
• Improve cyber defenses
- Tw enty key actions (the critical security controls)
- Categorized for different organization sizes
• Designed for implementation - W ritten for IT professionals
- Includes practical and actionable tasks
© 2020 Messer Studios, LLC
NIST RMF
• National Institute of Standards and Technology
- Risk Management Framew ork (RMF)
- Mandatory for US federal agencies and
organizations that handle federal data
• Six step process
- Step 1: Categori ze - Define the environment
- Step 2: Select - Pick appropriate controls
- Step 3: Implement - Define proper implementation
- Step 4: Assess - Determine if controls are w orking
- Step 5: Authorize - Make a decision to
authorize a system
- Step 6: Monitor - Check for ongoing compliance
NIST CSF
• National Institute of Standards and Technology
- Cybersecurity Framew ork (CSF)
-A voluntary commercial framew ork
• Framew ork Core
- Identify, Protect, Detect, Respond, and Recover
• Framew ork Implementation Tiers
-An organization's view of cybersecurity risk and
processes to manage the risk
• Framew ork Profil e - The alignment of standards,
guidelines, and practices to the Framew ork Core
Professa< Messer's CompTIA SYo-601 Security+ Course Notes· Page 112
https://ProfessorMesser.com
5.2 - Security Frameworks {continued)
ISO/IEC frameworks
• International Organization for Standard ization/
- International Electrotechnical Commission
• 1SO/IEC 27001
- Standard for an Information Security
Management System (ISMS)
• 1SO/I EC 27002
- Code of practice for information security controls
• 1SO/I EC 27701
- Privacy Information Management Systems (PIMS)
• ISO 31000
- International standards for risk management practices
SSAE SOC 2 Type 1/11
• The American Institute of Certified Public Accountants
(AICPA) auditing standard Statement on Standards for
Attestation Engagements number 18 (SSAE 18)
• SOC 2 - Trust Services Criteria (security controls)
- Firew alls, intrusion detection, and
mu lti-factor authentication
• Type I audit
- Tests controls in place at a particular point in time
• Type II
- Tests controls over a period of at least six
consecutive months
Cloud Security Alliance (CSA)
• Security in cloud computing
- Not-for-profit organization
• Cloud Controls Matrix (CCM)
- Cloud-specific security controls
- Controls are mapped to standards, best practices,
and regulations
• Enterprise Arch itecture
- Methodology and tools
-Assess interna l IT groups and cloud providers
- Determine security capabilities
- Build a roadmap
5.2 - Secure Configurations
Secure configurations
• No system is secur e with the default configurations
- You need some guidelines to keep everything safe
• Hardening guides are specific to the softw are or platform
- Get feedback from the manufacturer or
Internet interest group
- They'll have the best details
• Other general-purpose guides are available on line
Web server hardening
• Access a server with your brow ser
- The fundamental server on the Internet
- Microsoft Internet Information Server,
Apache HTTP Server, et al.
• Huge potential for access issues
- Data leaks, server access
• Secure configuration
- Information leakage: Banner information, directory brow sing
- Perm issions: Run from a non-privileged account,
configure file permissions
- Configure SSL: Manage and install certificates
- Log files: Monitor access and error logs
Operating system hardening
• Many and varied - W indow s, Linux, iOS, Android, et al.
Application server
• Programming languages, runtime libraries, etc.
- Usually betw een the w eb server
and the database
- Middlew are
• Very specific functionality
- Disable all unnecessary services
• Operating system updates
- Security patches
• File permissions and access controls
- Limit rights to w hat's required
- Limit access from other devices
Network infrastructure devices
• Switches, routers, firew alls, IPS, etc.
- You never see them, but they' re alw ays there
• Purpose-built devices
- Embedded OS, lim ited OS access
• Configure authentication
- Don't use the defau lts
• Check w ith the manufacturer
- Security updates
- Not usually updated frequently
- Updates are usually important
• Updates
- Operating system updates/service packs,
security patches
• User accounts
- Minimum passw ord lengths and complexity
- Account limitations
• Netw ork access and security
- Limit netw ork access
• Monitor and secure
- Anti-virus, anti-ma lware
© 2020 Messer Studios, LLC
Professo, Messer's CompTIA SYo-601 Security+ Course Notes ·
Page 113
https://ProfessorMesser.com
5.3 - Personnel Security
Acceptable use policies (AUP)
• What is acceptable use of company assets?
- Deta il ed document ation
- May be documented in the Rules of Behavior
• Covers many topics
- Internet use, telephones, computers,
mobile devices, etc.
• Used by an organization t o lim it legal liability
- If someone is dismissed, these ar e the w elldocumented r easons w hy
Business policies
• Job rotation
- Keep people moving bet w een responsibil ities
- No one person maintains control for long periods
of time
• Mandat ory vacations
- Rotat e others through the job
- The longer the vacation, t he better chance
to identify fraud
- Especially important in high-securit y environments
• Sepa ration of duties
- Split know ledge
• No one person has all of the detai ls
• Half of a safe combination
- Dual control
• Tw o people must be present to perform
the business function
• Tw o keys open a safe (or launch a m issile)
• Clean desk policy
- When you leave, nothing is on your desk
- Limit the exposur e of sensitive data to th ird-parties
Least privilege
• Right s and permissions shou ld be set to
the bare minimum
- You only get exactly w hat's need ed t o complete
your obj ective
• All user accounts must be li mited
- Appl ications should run w ith minima l privileges
• Don't allow users to run with adm inistrative privil eges
- Limits the scope of ma licious behavior
Background checks
• Background checks
- Pre-em ployment screening
- Verify the applicant 's cla ims
- Discover criminal history, w orkers compensation
cla ims, etc.
- Legalities vary by count ry
• Adverse actions
- An action t hat den ies employment based on the
background check
- May require extensive documentation
- Can also include existing employees
© 2020 Messer Studios, LLC
Personnel security procedures
• NOA (Non-disclosure agreement)
- Confid ential ity agreement/ Legal contract
- Prevent s the use and dissemination of
confidential information
• Socia l media analysis
- Gather dat a from social media
- Facebook, Tw itter, Li nked ln, lnst agram
- Build a personal profile
- Another data point w hen making a hiring decision
On-boarding
• Bring a new person into t he organization
- New hires or transfers
• IT agreements need to be signed
- May be part of t he em ployee handbook or
a sepa rat e AUP
• Create account s
- Associate the user wit h the proper groups
and departments
• Provide req uired IT hardw are
- Laptops, ta blets, etc. - Preconfi gured and ready t o go
Off-boarding
• All good things ... (But you knew t his day w ould come)
• This process should be pre-planned
- You don't w ant to decide how to do things at th is point
• What happens t o the hardw are and the data?
• Account information is usually deactivated
- But not alw ays deleted
User training
• Gamifi cation
- Scor e point s, compet e wit h others, coll ect badges
• Capture t he fl ag (CTF)
- Securit y com petition
- Hack into a server to steal data (t he flag)
- Can involve highly t echnical simulations
- A practica l learning envi ronment
• Phishing simulation
- Send simulated phish ing ema ils
- Make vishing ca lls
- See w hich users are susceptible to phish ing attacks
wit hout being a victim of phishing
• Computer-based training (CBT)
- Automated pre-built training
- May inclu de video, audio, and Q&A
- Users al l receive the same t raining experience
Role-based security awa reness t raining
• Before providing access, t rain your users
- Detailed securit y re quirement s
• Specia lized tra ining
- Each user role has un ique security r esponsibilities
• Also applies to t hird-parties
- Cont ractors, partners, suppliers
• Detailed documentation and records
- Problems later can be severe for everyone
Professa< Messer's CompTIA SYo-601 Security+ Course Notes - Page 114
https://ProfessorMesser.com
5.3 - Third-party Risk Management
Vendors
• Every organization w orks with vendors
- Payroll, customer r elationship management,
email marketing, travel, raw materials
• Important company data is often shared
- May be required for cloud-based services
• Perform a risk assessment
- Categorize risk by vendor and manage the risk
• Use contracts for clear understanding
- Make sure everyone understands the expectations
- Use the contract to enforce a secure environment
Target credit card breach - November 2013
• Every point of sale termina l infected
- A third-party w as allow ed in through lapses in
security policy
• A vendor w as infected through an email attachment
- The vendor didn't have or follow a security policy for
their w orkstations
• Target didn't segment the vendor netw ork
from the corporate
- The attackers jumped from the vendor to the
Target netw ork
• The corporate netw ork was not segmented from
point of sale (POS} terminals
- Once on the inside, it w as r elatively easy to get to
your credit card numbers
- (110 million card numbers)
Supply chain
• The system involved w hen creating a product
- Involves organizations, people, activities, and resources
• Supply chain assessment
- Get a product or service from suppl ier to customer
- Evaluate coordination betw een groups
- Identify areas of improvement
- Assess the IT systems supporting the operation
- Document the business process changes
• New laptops arrive w ith bundled malwar e
- Lenovo, August 2014 through early 2015
- Superfish softw are added a self-signed root cert ( !)
- Allow ed for on-path attacks w hen brow sing any site
including over HTTPS
'
Business partners
• Much closer to your data than a vendor
- May require direct access
- May be a larger security concern than an outside hacker
• Often involves communication over a t rusted connection
- More difficult to identify mal icious activity
• Partner risk management should be included
- Requirements for best practices, data handling,
intellectual property
• Include additional security betw een partners
- Firew alls and traffic filters
© 2020 Messer Studios, LLC
Common agreements
• Service Level Agreement (SLA)
- Minimum terms for services provided
- Uptime, response time agreement, etc.
- Commonly used betw een customers and
service providers
• Memorandum of Understanding (MOU}
- Both sides agree on the contents
of the memorandum
- Usually includes statements of confidentiality
- Informal letter of intent; not a signed contract
• Measurement system analysis (MSA}
- Don't make decisions based on incorrect data !
- Used w ith quality management systems,
i.e., Six Sigma
- Assess the measurement process
- Calcu late measurement uncertainty
• Business Partnership Agreement (BPA)
- Going into business together
- Ow ner stake
- Financial contract
- Decision-making agreements
- Prepare for contingencies
Product support lifetime
• End of life (EOL)
- Manufactur er stops selling a product
- May continue supporting the product
- Important for security patches and updates
• End of service life (EOSL}
- Manufactur er stops selling a product
- Support is no longer available for the product
- No ongoing security patches or updates
- May have a premium-cost support option
• Technology EOSL is a significant concern
- Security patches are part of normal operation
Non-disclosure agreement (NDA)
• Confidentiality agreement betw een parties
- Information in the agreement should not
be disclosed
• Protects confidential information
- Trade secrets
- Business activities
- Anything else listed in the NOA
• Unilateral or bilateral (or multilateral)
- On-w ay NDA or mutual NDA
• Formal contract
- Signatures are usually required
Professa< Messer's CompTIA SYo-601 Security+ Course Notes - Page 115
https://P ro,essor
,
Messer.com
5.3 - Managing Data
Data governance
• Rules, processes, and accountabil ity associated with
an organization's data
- Data is used in the right w ays
• Data steward
- Manages the governance processes
- Responsible for data accuracy, privacy, and security
- Associates sensitivity labels to the data
- Ensures compliance with any applicable law s and
standards
• Formal rules for data
- Everyone must know and follow the processes
Data classification
• Identify data types
- Personal, public, r estricted, etc.
- Use and protect data efficiently
• Associate governance controls to the classification levels
- How the data class should be managed
• Data compliance
- Laws and regulations regarding certain types of data
- GDPR - General Data Protection Regulation
Data retention
• Keep files that change frequently for version control
- Fi les change often
- Keep at least a w eek, perhaps more
• Recover from virus infection
- Infection may not be identified immediately
- May need to r etain 30 days of backups
• Often legal r equirements for data retention
- Email storage may be required over years
- Some industries must legally store certain data types
- Different data types have different
storage requirements
- Corporate tax information, customer PII,
tape backups, etc.
5.3 - Credential Policies
Credential management
• All that stands betw een the outside w orld and
all of the data
- The data is everything
• Passw ords must not be embedded in the application
- Everything needs to reside on the server, not the client
• Communication across the netw ork should be encrypted
- Authentication traffic should be impossible to see
Personnel accounts
• An account on a computer associated w ith
a specific person
- The computer associates the user with a specific
identification number
• Storage and files can be private to that user
- Even if another person is using the same computer
• No privileged access to the operating system
- Specifically not allow ed on a user account
• This is the account type most people w ill use
- Your user community
Third-party accounts
• Access to external third-party systems
- Cloud platforms for payroll, enterprise resource
planning, etc.
• Third-party access to corporate systems
- Access can come from anyw here
• Add additional layers of security
- 2FA (tw o factor authentication)
- Audit the security posture of third-parties
• Don't allow account sharing
- All users should have their ow n account
© 2020 Messer Studios, LLC
Device accounts
• Access to devices
- Mobile devices
• Local security
- Device certificate
- Require screen locks and unlocking standards
- Manage through a Mobile Device Manager (MDM )
• Add additional security
- Geography-based
- Include additional authentication factors
- Associate a device with a user
Service accounts
• Used exclusively by services running on a computer
- No interactive/ user access (ideally}
- Web server, database server, etc.
• Access can be defined for a specific service
- Web server rights and permissions will be
different than a database server
• Commonly use usernames and passw ords
- You' ll need to determine the best policy for
passw ord updates
Administrator/root accounts
• Elevated access to one or more systems
- Super user access
• Complete access to the system
- Often used to manage hardw are, drivers, and
softw are installation
• This account should not be used for normal
administration
- User accounts should be used
• Needs to be highly secured
- Strong passw ords, 2FA
- Scheduled passw ord changes
Professo, Messer's CompTIA SYo-601 Security+ Course Notes ·
Page 116
https://ProfessorMesser.com
5.3 - Organizational Policies
Change management
• How to make a change
- Upgrade softw are, change fir ew all configuration,
modify sw itch ports
• One of the most common risks in the enterprise
- Occurs very frequently
• Often overlooked or ignored
- Did you feel that bite?
• Have clear policies
- Frequency, duration, installation process,
fallback procedures
• Sometimes extremely difficult to implement
- It 's hard to change corporate cultu re
Change control
• A formal process for managing change
- Avoid dow ntime, confusion, and mistakes
• Nothing changes w ithout the process
- Determine the scope of the change
- Analyze the risk associated with the change
- Create a plan
- Get end-user approval
- Present the proposal to the change control board
- Have a backout plan if the change doesn't w ork
- Document the changes
Asset management
• Identify and t rack computing assets
- Usually an automated process
• Respond faster to secu rity problem
- You know w ho, w hat, and w here
• Keep an eye on the most valuable assets
- Both hardwar e and data
• Track licenses
- You know exactly how many you'll need
• Verify that all devices ar e up to date
- Security patches, anti-malw are signature updates, etc.
5.4 - Risk Management Types
Risk assessment
• Identify assets that could be affected by an attack
- Define the risk associated w ith each asset
- Hardw are, customer data, intellectual property
• Identify threats
- Loss of data, disruption of services, etc.
• Determine the risk - High, medium, or low risk
• Assess the total risk to the organization
- Make future security plans
Risk assessments
• External threats
- Outside the organization
- Hacker groups, former employees
• Internal threats
- Employees and partners
- Disgruntled employees
• Legacy systems
- Outdated, older technologies
- May not be supported by the manufactur er
- May not have secu rity updates
- Depending on the age, may not be easily accessible
Risk assessments
• Intellectual Property {I P) theft
- Theft of ideas, inventions, and creative expressions
- Human error, hacking, employees with access, etc.
- Identify and protect IP
- Educate employees and incr ease security
• Softw are compliance/licensing
- Operational risk w ith too few licenses
- Financial risk w ith budgeting and over-allocated
licenses
- Legal risk if proper licensing is not follow ed
Risk management strategies
• Acceptance
-A business decision; w e'll take the risk !
• Risk-avoidance
- Stop participating in a high-risk activity
• Transference
- Buy some cybersecurity insurance
• Mitigation
- Decrease the risk level
- Invest in security systems
Multi-party risk
• Breaches involving multiple parties
- Often trusted business relationships
- Events often involve many different parties
• May 2019 • American Medical Collection Agency
- Provided debt collection for many differ ent
organizations
- Data breach disclosed personal information on 24
mil lion individuals
- Tw enty-th ree healthcare organizations affected by
this single br each
- A single breach can cause a ripple effect
© 2020 Messer Studios, LLC
Professa< Messer's CompTIA SYo-601 Security+ Course Notes - Page 117
https://ProfessorMesser.com
5.4 - Risk Analysis
• Know ledge is key
- Part of every employee's daily job role
- Part of the on boarding process for employees
and pa rtners
Evaluating ri sk
• Risk register
- Every project has a plan, but also has risk
- Identify and document the risk associated
w ith each step
- Apply possible solutions t o the identifi ed risks
- Mon itor t he results
• Maintaining aw areness
- Ongoing grou p discussions
- Pr esentations from law enforcement
- Attend security conferences and programs
• Risk matrix/ risk heat ma p
- View the result s of the risk assessment
- Visually identify risk based on color
- Com bines t he likelihood of an event wit h
the potential impact
- Assists w ith making st rategic decisions
Regulations that affect ri sk posture
• Many of them
- Regulations tend to regu lat e
Consequence
Almostcertain
I
~egllglble
Mtnor
M oderate
Major
1
2
3
4
s
Mode-rate
High
10
Extreme
Elllreme
1S
20
Elllreme
2S
High
12
E-
Ext,-
Hi1h
Hi&h
s
Catostrophlc
..,
4
Moderate
Ukely
4
High
8
l
3
Possible
Low
M oderoilte
3
6
9
12
Elllreme
15
2
Low
Moderate
Moderate
Unlikoly
2
4
6
High
8
High
10
1
Rare
Low
Lo w
Low
Moderat,
Moder-ate
I
2
3
4
s
0
.;
J<
::,
16
20
I
Audit ri sk model
• Inher ent risk
- Impact + Likelihood
- Risk that exists in t he absence of controls
- Some models inclu de the existing set of cont rols
• Residual risk
- Inherent risk+ control effectiveness
- Risk that exists after controls are considered
- Some models base it on including additional controls
• Risk appetite
- The amount of risk an organ ization is willing t o take
Risk control assessment
• Risk has been det erm ined
- Heat maps have been created
• Time to build cybersecurity req uirements
- Based on the identified risks
• Find the gap
- Often r equ ires a form al audit
- Self-assessments may be an option
• Build an d mainta in securit y systems based on the
requirements
- The organizational risk determ ines the proper
controls
• Det ermine if existing controls are compliant or noncompliant
- Make plans to bring everything int o compliance
Risk awareness
• A constantly changing battlefi eld
- New risks, emerging risks
- A nearly overw helming amount of information
- Difficult to manage a defense
© 2020 Messer Studios, LLC
• Regulations directly associated to cybersecurity
- Protection of personal information, disclosure of
information breaches
- Requires a minimum level of information securit y
• HIPAA - Health Insurance Portabilit y and
Account abil ity Act
- Privacy of patient records
- New storage requirement s, netw ork secu rity,
protect against threats
• GDPR - General Data Protection Regulation
- European Union data protection and privacy
- Personal dat a must be protected and managed
for privacy
Qualitative ri sk assessment
• Identify sign ifi cant risk fa ctors
- Ask opinions about t he sign ificance
- Display visually wit h t raffic light grid or
similar method
Quantitative risk assessment
• Likelihood
- Annua lized Rate of Occurrence (ARO}
- How likely is it t hat a hurricane w ill hit ?
In Montana? In Florida?
• SLE (Single Loss Expectancy)
- What is t he monetary loss if a single event occu rs?
- La ptop stolen (asset va lue or AV) = $1,000
• ALE (Annualized Loss Expectancy)
- ARO x SLE
- Seven laptops stolen a year (ARO} x
$1,000 (SLE) = $7,000
• The business impact can be more than monetary
- Quantitative vs. qualitative
Disaster types
• Environmental threat s
- Tornado, hurricane, earthquake, severe w eather
• Person-made th rea ts
- Human int ent, negligence, or error
- Arson, crime, civil disorder, fires, riots, et c.
• Internal and ext ernal
- Internal th reat s are from em ployees
- Ext ernal t hreats are from outside t he organization
Professo, Messer's CompTIA SYQ-601 Security+ Course Notes - Page 118
https://ProfessorMesser.com
5.4 - Business Impact Analysis
Recovery
• Recovery time objective (RTO}
- Get up and runn ing qu ickly
- Get back t o a particular service level
• Recovery point objective (RPO)
- How much data loss is acceptable?
- Bring t he system back on li ne; how far back
does dat a go?
• M ea n time to repair (MTTR)
- Time required t o fi x t he issue
• M ea n time betw een fai lur es (M TBF)
- Predict the time betw een out ages
Functional re covery plans
• Recover from an outage
- Step-by-step gu ide
• Contact information
- Someone is on-call
- Keep everyone up t o date
• Technical process
- Reference t he knowledge base
- Follow the internal processes
• Recover and test
- Confirm normal operation
Removing single points of failure
• A single event can ruin you r day
- Unless you make some plans
• Netw ork configuration
- Multiple devices (the "Noah's Ark" of networking)
• Facility/ Utilities
- Backu p pow er, multiple cooling devices
• People/ Location
- A good hurricane can disru pt personnel travel
• There's no practical w ay to remove all points of failure
- Money drives red undancy
Disast e r re covery plan (DRP)
• Detailed plan for r esuming operations after a disaster
- Appl ication, data center, building, campus, r egion, etc.
• Extensive planning prior to t he disaster
- Backu ps
- Off-site data replication
- Cloud alternatives
- Remote site
• Many th ird-pa rty options
- Physical locations
- Recovery services
Impact
• Life - The most important consideration
• Property - The risk to buildings and assets
• Safety - Some environments are too dangerous to w ork
• Finance - The resu lting fi nancial cost
• Reputation
- An event ca n cause status or character problems
Mission-essential functions
• If a hurricane blew through, w hat functions w ould be
essentia l to the organization?
- That 's w here you start your analysis
- These are broad business r equ irements
• What computing systems are r equ ired for these
mission-essential business functions?
- Identify t he critical systems
Site ri sk assessment
• All locations are a bit different
- Even t hose designed to be similar
• Recovery plans should consider unique environments
- Appl ications
- Personnel
- Equipment
- Work environment
5.5 - Privacy and Data Breaches
Information life cycle
• Creation and receipt
- Create data internally or receive data
from a third -party
• Distribution - Records are sorted an d stored
• Use
- Make business decisions, create products
and services
• Ma int enance
- Ongoing data retrieval and data transfers
• Disposition
- Arch iving or disposal of data
Consequences
• Reputation damage
- Opinion of the organ ization becomes negative
- Can have an impact on products or services
- Can impact stock price
© 2020 Messer Studios, LLC
• Identit y theft
- Com pany and/ or customers information
becomes public
- May require public disclosu re
- Credit monitoring costs
• Fines
- Uber
• Data breach in 2016 w asn't disclosed
• Uber paid the hackers $100,000 instead
• Lawsuit settlement w as $148 m il lion
- Equifax
• 2017 dat a breach
• Government fines w ere approximately $700 mi llion
• Intellectual Property (I P) t heft
- Stealing com pa ny secrets
- Can put an organization out of business
Professo, Messer's CompTIA SYo-601 Security+ Course Notes ·
Page 119
https://ProfessorMesser.com
5.5 - Privacy and Data Breaches {continued)
Notification
• Internal escalation process
- Breaches are often foun d by technicians
- Provide a process for making t hose findings know n
• Externa l esca lation process
- Know w hen t o ask for assistance from
externa l resources
- Secu rity experts can find and stop an active breach
• Public notifications and disclosu res
- Refer to security breach notification laws
- All 50 US states, EU, Austra lia, etc.
- Delays might be allow ed for criminal investigations
Privacy impact assessment (PIA)
• Almost everything can affect privacy
- New business relationships, product updates, w ebsite
feat ures, service offering
• Privacy risk needs to be identifi ed in each initiative
- How cou ld t he process compromise customer privacy?
• Advant ages
- Fix privacy issues before they become a problem
- Provides evidence of a focus on privacy
- Avoid data breach
- Show s the importance of privacy to everyone
Notices
• Terms of service
- Terms of use, terms and conditions (T&C}
- Legal agr eement bet w een service provider and user
- User must agree to the terms to use t he service
• Privacy notice, privacy policy
- May be require d by law
- Documents the handling of personal data
- May provide additional data options and
contact information
5.5 - Data Classifications
Labeling sensitive dat a
• Not all dat a has the same level of sensitivity
- License t ag numbers vs. health r ecords
• Differ ent levels require different securit y and handling
- Additional permissions
- A differ ent process t o view
- Restricted net w ork access
Dat a classifications
• Proprietary
- Data t hat is the property of an organ ization
- May also include trade secrets
- Oft en data un ique to an organization
• PII - Personally Identifiable Information
- Data t hat can be used t o identify an individua l
- Name, dat e of birth, mother's ma iden name,
biometric information
• PH I - Protected Healt h Information
- Health information associated w ith an individual
- Health status, health car e record s, payment s for
health care, and much more
• Public/ Unclassified
- No rest rictions on viewing t he data
• Private/ Classified / Restricted / Internal use only
- Restricted access, may require a non-disclosure
agreement (NDA)
• Sensitive - Int ellectual property, PII, PH I
• Confid ential - Very sensitive, must be approved to view
• Critica l - Data should alw ays be available
• Financial information
- Internal com pany fi nancial information
- Customer financial details
• Government data
- Open dat a
- Transfer bet w een government entities
- May be protected by law
• Cust omer data
- Data associat ed w ith customers
- May include user-specifi c det ails
- Legal handli ng re quirement s
5.5 - Enhancing privacy
Tokenization
• Replace sensitive data wit h a non-sensitive placeholder
- SSN 266-1 2-1 112 is now 691-61-8539
• Common w ith credit card processing
- Use a temporary t oken du ring payment
- An attacker captu ring the card numbers can't use
them later
• Th is isn't encryption or hashing
- The origina l data and token aren't
mathematically r elated
- No encryption overhead
© 2020 Messer Studios, LLC
Data minimization
• M inimal data collection
- On ly collect and reta in necessa ry data
• Included in many r egulations
- HIPAA has a " M inimum Necessa ry" ru le
- GDPR - " Persona l data shall be adequate, relevant
and not excessive in r elation t o the purpose or
purposes for w hich they are processed."
• Some information may not be re quired
- Do you need a telephone number or address?
• Internal dat a use should be lim ited
- On ly access data required for the t ask
Professa< Messer's CompTIA SYo-601 Security+ Course Notes· Page 120
https://ProfessorMesser.com
5.5 - Enhancing privacy (continued)
Anonymization
• Make it impossible to identify individual data
from a dataset
- Allow s for data use without privacy concerns
• Many different anonymization techniques
- Hashing, masking, etc.
• Convert from deta iled customer purchase data
- Remove name, address, change phone number
to ### ### ####
- Keep product name, quantity, total, and sale date
• Anonymization cannot be r eversed
- No w ay to associate the data to a user
• May only be hidden from view
- The data may still be intact in storage
- Control the view based on permissions
• Many different techniques
- Substituting, shuffling, encrypting, masking out, etc.
Pseudo-anonymization
• Pseudonymization
- Replace personal information w ith pseudonyms
- Often used to maintain statistical r elationships
• May be reversible
- Hide the personal data for dai ly use or in case of breach
- Convert it back for other processes
• Random replacement
- James Messer-> Jack O'Neill-> Sam Carter-> Daniel Jackson
Data masking
• Data obfuscation
- Hide some of the original data
• Consistent replacements
- James Messer is always converted to George Hammond
• Protects PI I
- And other sensitive data
5.5 - Data Roles and Responsibilities
Data responsibility
• High-level data relationships
- Organizational responsibilities, not alw ays technical
• Data ow ner
- Accountable for specific data, often a senior officer
- VP of Sales ow ns the customer relationship data
- Treasurer ow ns the financial information
Data roles
• Data controller
- Manages the purposes and means by w hich
personal data is processed
Additional data roles
• Data custod ian/stew ard
- Responsible for data accuracy, privacy, and security
-Associates sensitivity labels to the data
- Ensures compliance w ith any applicable laws
and standards
- Manages the access rights to the data
- Implements security controls
• Data protection officer (DPO)
- Responsible for the organization's data privacy
- Sets policies, implements processes and procedures
• Data processor
- Processes data on behalf of the data controller
- Often a third-party or different group
• Payroll controller and processor
- Payroll department (data controller) defines
payroll amounts and timeframes
- Payroll company (data processor) processes payroll
and stores employee information
© 2020 Messer Studios, LLC
Professo, Messer's CompTIA SYo-601 Security+ Course Notes ·
Page 121
https://ProfessorMesser.com
Continue your journey on
ProfessorMesser.com:
Professor Messer's Free
SY0-601 CompTIA Security+ Training Course
Monthly Security+ Study Group Live Streams
24 x 7 Live Chat
Professor Messer's
SY0-601 CompTIA Security+ Success Bundle
Voucher Discounts