CompTIA Security+ Study Guide: Use case: A goal that an organization wants to achieve. Elements in a use case: Actor, Precondition, Trigger, Postcondition, Normal Flow, Alternative flow Ensure Confidentiality: Confidentiality ensures the prevention of unauthorized disclosure of data. Ways to ensure confidentiality: Encryption: Scrambles data to make it unreadable by unauthorized personnel. Access Controls: Use these to grant and restrict access. 1. Identification: Username (identity) 2. Authentication: Password (proving identity) 3. Authorization: Permissions (what you can do) Best way to protect confidentiality is to encrypt the data Provide Integrity: Integrity provides assurance that data has not changed (no modification, tampering, or corruption). However, there are times when unintended or unauthorized changes occur. Those can be from: Malware Unauthorized Users System and Human errors Hashing: techniques used to enforce integrity various versions including Secure Hash Algorithm (SHA) and MD5 A hash is a number created by executing a hashing algorithm against data (such as a file or message). It creates a fixed length, irreversible output. If data never changes, the output remains the same. Variation in data does not tell you what changes the message. It only tells you that it has changed. Increase Availability: Availability indicates that data and services are available when needed. Some organizations 8-5, Monday to Friday; Others 24/7 Methods to ensure availability: 1. Redundancy & Fault Tolerance 2. Scalability & Elasticity 3. Patching 1. Redundancy: adds duplication to critical systems which provides fault tolerance. a) If a critical component has a fault, the redundancy's duplication allows the service to continue without interruption. b) A system with fault tolerance can suffer a fault, but it can tolerate it and continue to operate. c) A common goal of fault tolerance and redundancy techniques is to remove each single point of failure (SPOF). If an SPOF fails, the entire system can fail. Ex. if a server has a single drive, the drive is an SPOF because its failure takes down the server. (Mitigated by disk redundancies, network redundancies, server redundancies, power redundancies via RAID, failover clusters, backups, and generators) 2. Scalability and Elasticity: Scalability is a system's ability to handle increased workload either by scaling up or by scaling out. Systems scale up by adding additional hardware resources (memory, processing power, bandwidth capability, and/or drive space) Systems scale out by adding additional nodes or servers. Systems can also scale down by removing the added resources or servers. Static systems are scaled up or out manually, while dynamic systems use elasticity to scale up or out. *What is RAM (random access memory)? Elasticity is the ability of a system to handle an increased workload by dynamically scaling up or scaling out as the need arises. A system may add more memory or more processors when it suddenly experiences high demand. When the workload decreases, the elasticity allows the system to dynamically remove the additional resources. (Like a rubber band). Cloud resources typically have elasticity capabilities. 3. Patching: Keeping systems up to date with patches. Resiliency methods help systems heal themselves or recover from faults with minimal downtime. A current trend is to increase the resiliency of systems rather than seek the highest possible availability. Resiliency methods expect components to retry failed processes. If it fails at first, it tries again. **Network protocols have implemented this concept for a long time. When using Transmission Control Protocol (TCP), packets may fail to reach the destination. If that happens, TCP processes simply ask the source to resend it. Resource vs Security Constraints Why not just encrypt all the data? The reason is that encryption consumes resources. 260-character plaintext will be 360 characters in ciphertext. 40 percent increase which will take up more disk space, leading to slowing down applications. Introducing Basic Risk Concepts A goal of implementing IT Security is to reduce risk. Risk is the possibility or likelihood of a threat exploiting a vulnerability resulting in a loss. A threat is any circumstance or event that has the potential to compromise confidentiality, integrity, or availability. Vulnerability is a weakness (in the hardware, the software, the configuration, or even the users operating the system) A security incident is an adverse event or series of events that can negatively affect the confidentiality, integrity, or availability of an organization’s information technology (IT) systems and data. Risk mitigation reduces the chances that a threat will exploit a vulnerability. You can’t prevent most threats. For example, you can’t stop a tornado or prevent a criminal from writing malware. However, you can reduce risk by reducing vulnerabilities to the threat or reducing the threat’s impact. You reduce risks by implementing controls (also called countermeasures and safeguards). Control Categories Managerial controls- primarily administrative in function. Typically documented in an organization’s security policy and focus on managing risk. Operational controls- help ensure that the day-to-day operations of an organization comply with the security policy. People implement them. Technical controls- use technology such as hardware, software, and firmware to reduce vulnerabilities. ***NIST and SP 800 Documents ***SP 800-53 Revision 5 1. Managerial Controls: administrative controls; usually outlined in security policy. a. Risk Assessments: help organizations quantify (cost and asset values) and qualify (probability & impact) risks. b. Vulnerability Assessment: attempts to discover current vulnerabilities. 2. Operational Controls: compliance of day-to-day operations with security policy; implemented by people. a. Awareness & Training: password security, clean desk policy, understanding malware, phishing. b. Configuration/Change Management: config: baselines to ensure starting in a hardened state; change: ensure changes don’t result in configuration errors. c. Media Protection: physical media d. Physical and environmental protection: cameras, locks, ventilating/heating systems. 3. Technical Controls: use of technology (hardware, software, firmware) to reduce vulnerabilities. a. Encryption- for both data transferred over a network and data stored on devices. b. Anti-virus software- protects against malware. c. IDS, IPS d. Firewall e. Least Privilege Control Types 1. Preventive: a. Hardening: making system more secure than default configuration. b. Training c. Security Guards d. Change management e. Account disablement policy f. IPS 2. Detective a. Log monitoring b. SIEM c. Security Audit d. Video Surveillance e. Motion Detection f. IDS 3. Corrective a. Backups and system recovery b. Incident handling processes 4. Deterrent a) Cable locks b) Physical locks 5. Compensating a. OTP 6. Physical Control Categories and Types often overlap. Using Command-Line Tools Ping: command used to test connectivity with remote systems. a. Sends ICMP echo request packets. If there is a response you know that system is operational. b. Also used for name resolution. hping: similar to ping but uses tcp instead of icmp. It is useful when trying to ascertain whether network devices are blocking ping commands that are using icmp traffic. Only available on Linux-like systems. Ipconfig/ifconfig: provides basic information about the NIC, such as the IP address, subnet mask, and default gateway. ARP resolves IP addresses to MAC addresses and stores the result in the ARP cache. a. Without a switch, shows help on Windows. b. Without a switch, shows the ARP cache on Linux. LAMP stack: Linux, Apache, MySQL, and PHP or Perl or Python. Linux Commands cat: used to display the contents of files. sudo: root, or elevated privileges to display the entire log file: sudo cat /var/log/auth.log to display one page at a time: sudo cat /var/log/auth.log | more grep command: used to search for a specific string or pattern of text within a file. Example: to search the auth.log file for that text with the following command: sudo grep "authentication failure"/var/log/auth.log Concatenating the two: sudo cat /var/log/auth.log | grep "authentication failure" head: first 10 lines of a file a. sudo head /var/log/syslog tail: last 10 lines of a file a. sudo tail -n 15 /var/log/message: (-n 15 switch specifies how many lines to display) logger command to add entries in the /var/log/syslogfile journalctl command queries the Linux system logging utility(journald) and displays log entries from several sources. a. b. c. d. journalctl -- since "1 hour ago" journalctl --list-boots (how the available boot logs) journalctl -1 (and retrieve the boot log identified with the number -1) journalctl -- since "1 hour ago"> myjournal.txt (sends the output to the text file named myjournal.txt) chmod: used to modify permissions on Linux system files and folders (read, write, and execute). chmod 760 filename: 7: (owner has read (4) + write (2) + execute (1) permissions on the file.) 6: (group has read (4) + write (2) permissions on the file.) 0: (no permissions (neither read, write, nor execute) are granted to others.) it is possible to assign permissions using the text method u. Indicates the file owner g. Indicates the owner group o Indicates all others permissions with these letters and the r, w, x permissions. chmod g=r filename chmod o-x filename: removes execute permission from all others: Windows Logs Security log: records auditable events such as successes or failures. System log: events related to functioning of operating system. Application log: related to events sent by applications and programs running on the system. Network Logs: Record traffic on network. on a variety of devices such as routers, firewalls, web servers, and network intrusion detection/prevention systems. You can typically manipulate these devices to log specific information, such as logging all traffic that the device passes, all traffic that the device blocks, or both. information on where the packet came from (the source) and where it is going (the destination). This includes IP addresses, MAC addresses, and ports. Centralized Logging Methods challenging to routinely check all of the logs on a network. Solution: centralized system to collect log entries. Two types: 1. SIEM System 2. Syslog protocol 1. SIEM System: security information and event management (SIEM) system a. provides a centralized solution for collecting, analyzing, and managing data from multiple sources. b. combines the services of security event management (SEM) and security information management (SIM) solutions. c. very useful in large enterprises that have massive amounts of data and activity to monitor. Capabilities shared by most SIEMs 1. 2. 3. 4. Log collectors. Data inputs- various sources Log aggregation- dissimilar items into a single format. Correlation engine: aggregates the data looking for common attributes. analytic tools to detect patterns of potential security events and raises alerts. 5. Reports 6. Packet Capture: 7. User behavior analysis (UBA): focuses on what users are doing, application use or network activity. 8. Sentiment Analysis: using UBA technologies to observe user behaviors to detect unwanted behavior. Typically requires AI. 9. Security monitoring: predefined alerts, notifications for suspicious events 10. Automated triggers: action in response to predefined number of repeated events 11. Time synchronization: All servers sending data to the SIEM should be synchronized at the same time. 12. Event deduplication 13. Logs/WORM: write once read many (WORM) Elements of a SIEM dashboard Sensors: a. agents placed on systems. b. collect logs from devices and send these logs to the SIEM system. c. Dashboards can display this data. Alerts: a. Triggers send out alerts. b. These trigger specific responses (displayed on dashboard). Sensitivity: a. Avoiding false positives & false negatives (1-100) Correlation: a. correlates and analyzes the data. b. Administrators configure the dashboard to display this data in multiple ways. Trends: a. Identify and display trends in graphs. Syslog syslog protocol specifies a general log entry format and the details on how to transport log entries. centralized syslog server to collect syslog entries from a variety of devices in the network, similar to how a SIEM server collects log entries. standard on Unix-like systems systems sending syslog messages are originators. they send them to a collector. important to note that the syslog protocol only defines how to format the syslog messages and send them to a collector. However, it doesn’t define how the syslog server handles these log entries. syslogd daemon: a. the service that handles the syslog messages b. collects the entries and processes them based on entries in the /etc/syslog.conf file. c. Many syslog messages are routed to the/var/syslog file. Other applications can also collect and process syslog entries. Some that use syslog can even perform many of the functions of the SIEM system. Historically syslog messages sent through via UDP using Port 514. (UDP doesn’t provide guaranteed delivery). New implementations use TCP port 6514 with TLS. TCP ensures packets arrive and TLS provides encryption. Syslog-ng and Rsyslog: Open-source software used instead of syslogd on Linux-like systems. Syslog-ng extends syslogd, allowing a system to collect logs from any source. TCP TLS Rsyslog came out later as an improvement over syslog-ng. One significant change is the ability to send log entries directly into database engines. TCP TLS. NXLog: log management tool and is similar to rsyslog and syslog-ng supports log formats for Windows, such as event log entries. Usable for both windows and Linux like systems. Two versions: NXLog Community Edition: proprietary log management tool. NXLog Enterprise Edition: all the features of the Community Edition but adds additionalcapabilities. It provides real-time event correlation and remote administration. Linux Logs Some common Linux logs. These are located in the/var/log/directory. You can view logs using the System Log Viewer on Linux systems or by using the cat command from the terminal. To view authentication log: cat /var/log/auth.log Chapter 2 At least two entities know the credentials: the user, and the authenticator. Authentication is not limited to users, it also includes services, devices, workstations, processes etc. Many computers have mutual authentication where both parties authenticate each other. What is AAA? Authentication, Authorization, and Accounting. All three help provide a comprehensive access management system. Accounting tracks log activity and records it in logs. Audit trail is created by admins and security professionals. Audit trail can be used to recreate the events preceding an attack. Access control systems provide authorization by granting access to resources based on permissions granted to an authenticated entity. Logging provides accounting. Authentication Factors or types: Something you know: password or static code. Complex password is a combination of: Uppercase, Lowercase, Numbers, Special Characters. A complex password isn’t necessarily strong. It must be long too. Currently at least 8 characters is recommended. Understand Password History and Password Age. Password Vault: stores passwords in one place. Like Google Chrome password manager. Password Keys: bootable optical disc or bootable USB flash drive. Useful to someone who forgot their password, forensic experts who are investigating, and even attackers who stole laptop. Knowledge based authentication: Two types: static KBA- when you forget your password, i.e. mother’s maiden name, first dogs name etc. dynamic KBA- high risk transactions, without account, i.e. how much is car your payment, when was your home built? Limited amount of time to answer questions to restrict internet searches. Know Account Lockout Threshold and Account Lockout Duration Something you have: something you can hold like a smart card or hardware token. Smart cards are credit card-sized cards that have an embedded microchip and a certificate. They are basically digital files that support cryptography for increased security. • A token key or (sometimes called a key fob or just a token) is an electronic device about the size of a remote key for a car. - token keys include a liquid crystal display (LCD) that displays a number, and this number changes periodically, such as every 60 seconds. HMAC-based One-Time Password (HOTP) is an open standard used for creating one-time passwords, like those used in tokens or key fobs. The algorithm combines a secret key and an incrementing counter, and uses HMAC to create a hash of the result. It then converts the result into an HOTP value of six to eight digits. Time-based One-Time Password (TOTP) is similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP typically expire after 30 seconds, but the time is adjustable. Something you are: uses biometrics for authentication. Biometric methods are the strongest form of authentication because they are the most difficult for an attacker to falsify. In comparison, passwords are the weakest form of authentication. Biometrics uses a physical characteristic, such as a fingerprint, for authentication. The biometric efficacy rate refers to the performance of the system under ideal conditions the four possibilities when a biometric system tries to authenticate a user 1. False acceptance 2. False rejection. 3. True acceptance 4. True rejection. Biometric systems allow you to adjust the sensitivity or threshold level where errors occur. Increasing sensitivity decreases the number of false matches and increases the number of false rejections. In contrast, reducing sensitivity increases false matches and decreases false rejections. It’s worth noting that using two methods of authentication in the same factor is not two-factor authentication. For example, requiring users to enter a password and a reusable PIN (both in the something you know factor) is single-factor authentication, not dual-factor authentication. somewhere you are authentication attribute identifies a user’s location. Geolocation is a group of technologies used to identify a user’s location and is the most common method used in this factor. The something you can do authentication factor refers to actions you can take such as gestures on a touch screen. A badge worn by an employee is something you can exhibit. Someone you know indicates that someone is vouching for you. Authentication log files can track both successful and unsuccessful login attempts. Account types: End user, Admin/root, service, device, Third-party, Guest, Shared/generic account Some applications and services need to run under the context of an account, and a service account fills this need. As an example, SQL Server is a database application that runs on a server, and it needs access to resources on the server and the network. Administrators create a regular user account, name it something like sqlservice, assign it appropriate privileges, and configure SQL Server to use this account. Note that this is like a regular end-user account. The only difference is that it’s used by the service or application, not an end user. Credential policies may require long, complex passwords for these accounts, but they should not expire. If the password expires, the account can no longer log on, and the service application will stop. Privileged access management (PAM, sometimes called privileged account management) allows an organization to apply more stringent security controls over accounts with elevated privileges, such as administrator or root-level accounts. Pam implements just-in-time administration i.e. administrators don’t have administrative privileges until they need them. Capabilities of PAM Allow users to access the privileged account without knowing the password. Automatically change privileged account passwords periodically. Limit the time users can use the privileged account. Allow users to check out credentials. Log all access of credentials. It’s common to require administrators to have two accounts: one for day-to-day work (same privileges as end user), other with administrative privileges only used when doing administrative work. Time-based logins (sometimes referred to as time-of-day restrictions): ensure that users can only log on to computers during specific times. An account audit looks at the rights and permissions assigned to user and helps enforce the least privilege principle. Privilege creep (or permission bloat) occurs when a user is granted more and more privileges due to changing job requirements, but unneeded privileges are never removed. Single sign-on (SSO) refers to a user’s ability to log on once and access multiple systems without logging on again. SSO requires strong authentication. Kerberos is a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms. Kerberos is a type of Single Sign-On (SSO) system. Some SSO systems can connect authentication mechanisms from different environments, such as different operating systems or different networks. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)–based data format used for SSO on web browser. SSO does not provide authorization. Authorization is completely separate. However, many federation SSO systems, including SAML, include the ability to transfer authorization data between their systems. In other words, it’s possible to use SAML for single sign-on authentication and authorization. SAML is an XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications. OAuth is an open standard for authorization many companies use to provide secure access to protected resources. Instead of creating a different account for each website you access, you can often use the same account you’ve created with Google, Facebook, PayPal, Microsoft, or Twitter. The key point is that OAuth focuses on authorization, not authentication . OpenID is an authentication standard . OpenID Connection (OIDC) next iteration of OpenID Role-based access control (role-BAC) uses roles to manage rights and permissions for users. When an administrator adds a user to a role, the user has all the rights and permissions of that role. It’s common to document role-based permissions with a matrix listing all of the job titles and each role’s privileges. Rule-based access control (rule-BAC) uses rules. The most common example is with rules in routers or firewalls. However, more advanced implementations cause rules to trigger within applications, too. rules are typically static. some rules are dynamic. For example, intrusion prevention systems can detect attacks and then modify rules to block traffic from attackers. Another example: you can configure a database rule to trigger a change to these permissions when the system recognizes that Marge is absent. Discretionary access control (DAC) scheme, objects (such as files and folders) have an owner, and the owner establishes access for the objects. (NTFS) used in Windows. Microsoft systems identify users with security identifiers (SIDs), though you will rarely see a SID. Each of these entries (of permissions) is an ACE, and combined, all of the entries are a DACL. As the owner, users can modify the permissions on the object by adding user or group accounts to the DACL and assigning the desired permissions. The mandatory access control (MAC) scheme uses labels (sometimes referred to as sensitivity labels or security labels) to determine access. Security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don’t match, the access scheme block access. access is restricted based on a need to know. The MAC scheme uses different levels of security to classify both the users and the data. These levels are defined in a lattice, which can be a complex relationship between different ordered sets of labels. These labels define the boundaries for the security levels. An administrator is responsible for establishing access, but only someone at a higher authority can define the access for subjects and objects. An attribute-based access control (ABAC) evaluates attributes and grants access based on the value of these attributes. Attributes can be almost any characteristic of a user, the environment, or the resource. ABAC uses policies to evaluate attributes and grant access when the system detects a match in the policy. Policy statements typically include four elements: o Subject: This is typically a user. the subject is identified as being logged on and a member of the researchers group. o Object. This is the resource (such as a file, database, or application) that the user is trying to access. In the example, the object is research sites. o Action: The action is what the user is attempting to do, such as reading or modifying a file, accessing specific websites, and accessing website applications. The example allows access to specific websites. o Environment: In the example, it specifies the main network as an environmental attribute. An ABAC system has a lot of flexibility and can enforce both a DAC and a MAC scheme. Microsoft has implemented Conditional Access within Azure Active Directory environments. It can be used with traditional access control schemes but adds additional capabilities to enforce organizational policies. Conditional Access uses policies, which are if-then statements. Chapter 3 The Data Link layer is responsible for ensuring that data is transmitted to specific devices on the network. Layer 2 attacks attempt to exploit vulnerabilities in MAC addressing and ARP. Basic Networking Protocols: TCP and IP provide basic connectivity. HTTP and SMTP support specific traffic types. The default port for HTTP is 80. TCP/IP traffic is either connection-oriented TCP traffic or connectionless UDP. IP. The Internet Protocol (IP) identifies hosts in a TCP/IP network and delivers traffic from one host to another using IP addresses. ICMP. Internet Control Message Protocol (ICMP)is used for testing basic connectivity and includes tools such as ping, pathping, and tracert. ARP is required once the packet reaches the destination subnet. deny