Security Plus Study Guide

CompTIA Security+ Study Guide:
Use case: A goal that an organization wants to achieve.

Elements in a use case: Actor, Precondition, Trigger, Postcondition, Normal Flow, Alternative flow
Ensure Confidentiality:
Confidentiality ensures the prevention of unauthorized disclosure of data.
Ways to ensure confidentiality:
Encryption: Scrambles data to make it unreadable by unauthorized personnel.
Access Controls: Use these to grant and restrict access.
1. Identification: Username (identity)
2. Authentication: Password (proving identity)
3. Authorization: Permissions (what you can do)
Best way to protect confidentiality is to encrypt the data
Provide Integrity:
Integrity provides assurance that data has not changed (no modification, tampering, or corruption).
However, there are times when unintended or unauthorized changes occur. Those can come from:
a. Malware
b. Unauthorized users
c. System and human errors
Hashing:
a technique used to verify integrity
common algorithms include the Secure Hash Algorithm family (SHA-2, e.g. SHA-256) and the older MD5 and SHA-1 (both now broken for collision resistance; use them only for legacy compatibility, never for new integrity checks)
A hash is a number created by executing a hashing algorithm against data (such as a file or message).
a. It creates a fixed-length, one-way (irreversible) output.
b. If the data never changes, the output remains the same.
c. A changed hash does not tell you what changed in the message. It only tells you that it has changed.
d. A hash alone proves integrity only if an attacker cannot also replace the published hash; pairing it with a key (HMAC) or a digital signature also proves origin.
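An added worked example of the hashing behaviour described above (not part of the original study guide): it computes digests with Python's standard library, shows that a one-character change produces a completely different fixed-length digest, and verifies a message or file against an expected digest with a constant-time comparison. The sample message is constructed for the example; the MD5 and SHA-1 digest lengths are shown only for comparison, since both are broken for collision resistance.

```python
import hashlib
import hmac

# Constructed sample message; a file's bytes or a downloaded package work the same way.
ORIGINAL = b"Transfer $100 to account 12345"
TAMPERED = b"Transfer $900 to account 12345"   # exactly one character changed


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Hash the data and return the fixed-length hex digest (64 hex chars for SHA-256)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def digest_file(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in 64 KiB chunks so a large file never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """True only if the digest matches the published value.

    compare_digest runs in constant time, so the check does not leak how many
    leading characters of the digest happened to match."""
    return hmac.compare_digest(digest_hex(data, algorithm), expected_hex)


if __name__ == "__main__":
    good = digest_hex(ORIGINAL)
    print("sha256(original):", good)
    print("sha256(tampered):", digest_hex(TAMPERED))   # unrelated to the first digest
    print("digest lengths md5/sha1/sha256:",
          len(digest_hex(ORIGINAL, "md5")), len(digest_hex(ORIGINAL, "sha1")), len(good))
    print("tampered message verifies?", verify_integrity(TAMPERED, good))   # False
    print("sha256 of this script:", digest_file(__file__))
```

The digest tells you only that something changed, not what: diffing the two messages is the reader's job, exactly as point c above says.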
Increase Availability:
Availability indicates that data and services are available when needed.

Some organizations need availability 8-5, Monday to Friday; others need 24/7.
Methods to ensure availability:
1. Redundancy & Fault Tolerance
2. Scalability & Elasticity
3. Patching
1. Redundancy: adds duplication to critical systems which provides fault tolerance.
a) If a critical component has a fault, the redundancy's duplication allows the service to
continue without interruption.
b) A system with fault tolerance can suffer a fault, but it can tolerate it and continue to
operate.
c) A common goal of fault tolerance and redundancy techniques is to remove each single
point of failure (SPOF). If an SPOF fails, the entire system can fail.
Ex. if a server has a single drive, the drive is an SPOF because its failure takes down the
server. (Mitigated by disk redundancies, network redundancies, server redundancies,
power redundancies via RAID, failover clusters, backups, and generators)
2. Scalability and Elasticity:
Scalability is a system's ability to handle increased workload either by scaling up or by scaling out.
Systems scale up by adding additional hardware resources (memory, processing power, bandwidth
capability, and/or drive space)
Systems scale out by adding additional nodes or servers.
Systems can also scale down by removing the added resources or servers.
Static systems are scaled up or out manually, while dynamic systems use elasticity to scale up or out.
*What is RAM (random access memory)?
Elasticity is the ability of a system to handle an increased workload by dynamically scaling up or scaling
out as the need arises.


A system may add more memory or more processors when it suddenly experiences high
demand. When the workload decreases, the elasticity allows the system to dynamically remove
the additional resources. (Like a rubber band).
Cloud resources typically have elasticity capabilities.
3. Patching:
Keeping systems up to date with patches.
Resiliency methods help systems heal themselves or recover from faults with minimal downtime.
A current trend is to increase the resiliency of systems rather than seek the highest possible availability.
Resiliency methods expect components to retry failed processes. If it fails at first, it tries again.
**Network protocols have implemented this concept for a long time. When using Transmission Control
Protocol (TCP), segments may fail to reach the destination. If that happens, the sender never receives an
acknowledgement and simply retransmits the segment.
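As an added example of the retry idea (not from the study guide), a retry helper with exponential backoff and jitter in Python. TransientError and flaky_service are constructed stand-ins for a dependency that fails a few times and then recovers; the attempt limit is what keeps a retry loop from turning one outage into a self-inflicted one.

```python
import random
import time


class TransientError(Exception):
    """Stands in for a fault worth retrying: a timeout, an HTTP 503, a dropped packet."""


def retry(operation, attempts=5, base_delay=0.05, max_delay=1.0,
          sleep=time.sleep, rng=random.random):
    """Call operation() until it succeeds or `attempts` is exhausted.

    The wait doubles after each failure (exponential backoff) and is randomised
    (jitter) so that many clients recovering from the same outage do not all
    retry in lockstep and knock the service over again. Returns
    (result, attempts_used); re-raises after the last failure so the caller
    can fail over or report an outage instead of retrying forever.
    """
    delay = base_delay
    for n in range(1, attempts + 1):
        try:
            return operation(), n
        except TransientError:
            if n == attempts:
                raise
            sleep(rng() * delay)
            delay = min(delay * 2, max_delay)


def retry_or_none(operation, **kw):
    """Same as retry() but reports exhaustion as None instead of raising."""
    try:
        return retry(operation, **kw)
    except TransientError:
        return None


def flaky_service(fail_times):
    """Constructed stand-in for a dependency that fails `fail_times` calls, then succeeds."""
    calls = {"n": 0}

    def op():
        calls["n"] += 1
        if calls["n"] <= fail_times:
            raise TransientError("temporary failure")
        return "ok"

    return op


if __name__ == "__main__":
    print(retry(flaky_service(2)))                      # ('ok', 3)
    print(retry_or_none(flaky_service(10), attempts=3))  # None: gave up after 3 tries
```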
Resource vs Security Constraints
Why not just encrypt all the data?
The reason is that encryption consumes resources (CPU time, and sometimes space).
Illustration from the notes: a 260-character plaintext becomes roughly 360 characters of ciphertext, an
increase of almost 40 percent, which takes up more disk space and slows down applications. The actual
overhead depends on the cipher and encoding (block padding, IV/nonce and authentication tag, any base64
encoding of the output); the CPU cost of encrypting and decrypting on every access is usually the bigger concern.
Introducing Basic Risk Concepts
A goal of implementing IT Security is to reduce risk.
Risk is the possibility or likelihood of a threat exploiting a vulnerability resulting in a loss.
A threat is any circumstance or event that has the potential to compromise confidentiality, integrity, or
availability.
Vulnerability is a weakness (in the hardware, the software, the configuration, or even the users
operating the system)
A security incident is an adverse event or series of events that can negatively affect the confidentiality,
integrity, or availability of an organization’s information technology (IT) systems and data.
Risk mitigation reduces the chances that a threat will exploit a vulnerability.


You can’t prevent most threats. For example, you can’t stop a tornado or prevent a criminal from
writing malware. However, you can reduce risk by reducing vulnerabilities to the threat or
reducing the threat’s impact.
You reduce risks by implementing controls (also called countermeasures and safeguards).
Control Categories
Managerial controls- primarily administrative in function. Typically documented in an organization’s
security policy and focus on managing risk.
Operational controls- help ensure that the day-to-day operations of an organization comply with the
security policy. People implement them.
Technical controls- use technology such as hardware, software, and firmware to reduce vulnerabilities.
***NIST and SP 800 Documents
***SP 800-53 Revision 5
1. Managerial Controls: administrative controls; usually outlined in security policy.
a. Risk Assessments: help organizations quantify (cost and asset values) and qualify
(probability & impact) risks.
b. Vulnerability Assessment: attempts to discover current vulnerabilities.
2. Operational Controls: compliance of day-to-day operations with security policy; implemented by
people.
a. Awareness & Training: password security, clean desk policy, understanding malware,
phishing.
b. Configuration/Change Management: config: baselines to ensure starting in a hardened state;
change: ensure changes don’t result in configuration errors.
c. Media Protection: physical media
d. Physical and environmental protection: cameras, locks, ventilating/heating systems.
3. Technical Controls: use of technology (hardware, software, firmware) to reduce vulnerabilities.
a. Encryption- for both data transferred over a network and data stored on devices.
b. Anti-virus software- protects against malware.
c. IDS, IPS
d. Firewall
e. Least Privilege
Control Types
1. Preventive:
a. Hardening: making system more secure than default configuration.
b. Training
c. Security Guards
d. Change management
e. Account disablement policy
f. IPS
2. Detective
a. Log monitoring
b. SIEM
c. Security Audit
d. Video Surveillance
e. Motion Detection
f. IDS
3. Corrective: reverse the impact of an incident after it has occurred.
a. Backups and system recovery
b. Incident handling processes
4. Deterrent: discourage a threat from acting (often also preventive or physical).
a) Cable locks
b) Physical locks
c) Warning signs and visible cameras
5. Compensating: an alternative control used when the primary control is not feasible.
a. OTP (e.g. a TOTP token issued until a user's smart card arrives)
6. Physical: controls you can touch, such as fences, locks, guards, and cameras.
Control categories and types often overlap: a security guard is operational, preventive, deterrent, and physical at once.
Using Command-Line Tools
Ping: command used to test connectivity with remote systems.
a. Sends ICMP echo request packets. If there is a reply, you know that the system is reachable and operational.
No reply does not prove the host is down: many firewalls and hosts block ICMP.
b. Also a quick check of name resolution: ping hostname shows the IP address the name resolved to.
hping (hping3): similar to ping but crafts TCP, UDP, ICMP, or raw IP packets (TCP by default). It is useful
for checking whether network devices are blocking ICMP ping traffic while still passing TCP. Only available
on Linux-like systems.
Ipconfig/ifconfig: provide basic information about the NIC, such as the IP address and subnet mask. ipconfig
(Windows) also shows the default gateway; on Linux use ip addr for addresses and ip route for the gateway.
ARP resolves IP addresses to MAC addresses and stores the result in the ARP cache.
a. Without a switch, the arp command shows help on Windows (arp -a shows the cache).
b. Without a switch, it shows the ARP cache on Linux.
LAMP stack: Linux, Apache, MySQL, and PHP or Perl or Python.
Linux Commands
cat: used to display the contents of files.
sudo: run a command as root (elevated privileges); needed for logs that only root can read.
to display the entire log file: sudo cat /var/log/auth.log
to display one page at a time: sudo less /var/log/auth.log (or sudo cat /var/log/auth.log | more)
grep command: used to search for a specific string or pattern of text within a file.
Example: to search the auth.log file for that text: sudo grep "authentication failure" /var/log/auth.log
Combining the two with a pipe: sudo cat /var/log/auth.log | grep "authentication failure"
head: first 10 lines of a file
a. sudo head /var/log/syslog
tail: last 10 lines of a file
a. sudo tail -n 15 /var/log/messages (the -n 15 switch specifies how many lines to display)
b. sudo tail -f /var/log/auth.log follows the file and prints new lines as they are written.
logger command adds entries to the syslog (e.g. logger "backup finished"); handy for testing that log forwarding works.
journalctl command queries the Linux system logging utility (journald) and displays log entries from
several sources.
a. journalctl --since "1 hour ago"
b. journalctl --list-boots (lists the available boot logs)
c. journalctl -b -1 (retrieves the boot log identified with the number -1, i.e. the previous boot)
d. journalctl --since "1 hour ago" > myjournal.txt (sends the output to the text file named myjournal.txt)
chmod: used to modify permissions on Linux system files and folders (read, write, and execute).
chmod 760 filename:
7: owner has read (4) + write (2) + execute (1) permissions on the file.
6: group has read (4) + write (2) permissions on the file.
0: no permissions (neither read, write, nor execute) are granted to others.
It is also possible to assign permissions using the text (symbolic) method:
u indicates the file owner
g indicates the owner group
o indicates all others
combined with + (add), - (remove), or = (set exactly) and the r, w, x permissions.
chmod g=r filename: sets the group's permission to read only
chmod o-x filename: removes execute permission from all others
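An added example (not from the study guide) that works through the same permission arithmetic in Python: it renders a numeric mode the way ls -l does, applies the symbolic clauses g=r and o-x the way chmod would, and uses os.chmod to apply the result to a temporary file. Only the single-target u/g/o clauses shown above are handled; a, s, t and comma-separated lists are out of scope.

```python
import os
import stat
import tempfile

PERM_BITS = {"r": 4, "w": 2, "x": 1}     # one octal digit per class
WHO_SHIFT = {"u": 6, "g": 3, "o": 0}     # owner, group, others


def mode_to_string(mode: int) -> str:
    """Render the low 9 permission bits as ls -l does, e.g. 0o760 -> 'rwxrw----'."""
    out = []
    for shift in (6, 3, 0):
        triple = (mode >> shift) & 0o7
        out.append("".join(ch if triple & bit else "-" for ch, bit in PERM_BITS.items()))
    return "".join(out)


def apply_symbolic(mode: int, clause: str) -> int:
    """Apply one chmod text-style clause such as 'g=r', 'o-x' or 'u+x' to a mode value."""
    who, op, perms = clause[0], clause[1], clause[2:]
    if who not in WHO_SHIFT or op not in "+-=" or any(p not in PERM_BITS for p in perms):
        raise ValueError(f"unsupported clause: {clause}")
    shift = WHO_SHIFT[who]
    new_bits = sum(PERM_BITS[p] for p in perms) << shift
    class_mask = 0o7 << shift
    if op == "=":
        return (mode & ~class_mask) | new_bits   # replace the whole class
    if op == "+":
        return mode | new_bits                   # add bits
    return mode & ~new_bits                      # remove bits


def chmod_demo(path: str) -> str:
    """Set 760, then apply the two symbolic examples from the notes, and return the final string."""
    os.chmod(path, 0o760)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    mode = apply_symbolic(mode, "g=r")   # group: rw- -> r--
    mode = apply_symbolic(mode, "o-x")   # others already have nothing; no change
    os.chmod(path, mode)
    return mode_to_string(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    print(chmod_demo(path))   # rwxr----- on a POSIX file system
    os.unlink(path)
```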
Windows Logs
Security log: records auditable events such as successes or failures.
System log: events related to functioning of operating system.
Application log: related to events sent by applications and programs running on the system.
Network Logs:
Record traffic on the network.
Kept on a variety of devices such as routers, firewalls, web servers, and network intrusion
detection/prevention systems.
You can typically configure these devices to log specific information, such as all traffic that the
device passes, all traffic that the device blocks, or both.
Entries include where the packet came from (the source) and where it is going (the destination): IP
addresses, MAC addresses, and ports.
Centralized Logging Methods
challenging to routinely check all of the logs on a network.
Solution: centralized system to collect log entries.
Two types:
1. SIEM System
2. Syslog protocol
1. SIEM System: security information and event management (SIEM) system
a. provides a centralized solution for collecting, analyzing, and managing data from multiple
sources.
b. combines the services of security event management (SEM) and security information
management (SIM) solutions.
c. very useful in large enterprises that have massive amounts of data and activity to monitor.
Capabilities shared by most SIEMs
1. Log collectors
2. Data inputs: various sources (firewalls, servers, endpoints, applications)
3. Log aggregation: normalizes dissimilar log formats into a single format.
4. Correlation engine: analyzes the aggregated data looking for common attributes (same source address,
same user, same time window) to detect patterns of potential security events and raise alerts.
5. Reports
6. Packet capture: stores network traffic for later investigation.
7. User behavior analytics (UBA): focuses on what users are doing, such as application use or network
activity, and flags deviations from their normal pattern.
8. Sentiment analysis: analyzes the tone of text (such as e-mail or social media posts) to detect hostile
or unhappy users; often combined with UBA and typically requires AI.
9. Security monitoring: predefined alerts and notifications for suspicious events.
10. Automated triggers: an action taken in response to a predefined number of repeated events (for
example, blocking a source after a number of failed logins).
11. Time synchronization: all servers sending data to the SIEM should be synchronized to the same time
source (such as NTP) so that events can be ordered and correlated.
12. Event deduplication: collapses repeated copies of the same event so one incident is not counted many times.
13. Logs/WORM: write once read many (WORM) storage prevents logs from being altered after they are written.
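An added example, not from the study guide, that serves two passages: the grep for "authentication failure" in the Linux command section, and the correlation engine, automated trigger and deduplication items above. It parses a constructed auth.log excerpt (documentation IP ranges only), collapses the double record that sshd and PAM write for one failed attempt, aggregates failures per source address, and raises an alert once a source reaches a threshold within a sliding time window. The regexes, threshold and window are assumptions for the example.

```python
import re
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed auth.log excerpt. sshd and PAM each write their own record of a failed
# password, so one attempt usually appears twice with the same timestamp.
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 web01 sshd[2210]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Mar  4 10:15:01 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  4 10:15:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  4 10:15:20 web01 sshd[2213]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2
Mar  4 10:16:07 web01 sshd[2214]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=root
Mar  4 10:16:07 web01 sshd[2214]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  4 10:16:09 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  4 10:16:10 web01 sshd[2216]: Failed password for bob from 192.0.2.20 port 33001 ssh2
Mar  4 10:16:30 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  4 10:16:31 web01 sshd[2218]: Failed password for root from 203.0.113.7 port 51151 ssh2
"""

STAMP = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) ")
FAILED_PW = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})")
PAM_FAIL = re.compile(r"authentication failure;.*\brhost=(?P<src>\S+)\s+user=(?P<user>\S+)")


@dataclass
class Failure:
    ts: datetime
    host: str
    user: str
    src: str


@dataclass
class Alert:
    src: str
    failures: int
    first: datetime
    last: datetime
    users: list


def parse_failure(line: str):
    """Return a Failure for a failed-login line (either record type), None for anything else."""
    head = STAMP.match(line)
    body = FAILED_PW.search(line) or PAM_FAIL.search(line)
    if not head or not body:
        return None
    # syslog timestamps carry no year; strptime fills in 1900, fine for ordering one file
    ts = datetime.strptime(head["ts"], "%b %d %H:%M:%S")
    return Failure(ts, head["host"], body["user"], body["src"])


def failures(lines):
    """Parse all lines, then deduplicate: the same (time, source, user) seen twice is one attempt."""
    seen, out = set(), []
    for f in filter(None, map(parse_failure, lines)):
        key = (f.ts, f.src, f.user)
        if key not in seen:
            seen.add(key)
            out.append(f)
    return sorted(out, key=lambda f: f.ts)


def failures_by_source(lines) -> Counter:
    """Aggregation step: failed attempts per source address."""
    return Counter(f.src for f in failures(lines))


def correlate(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window correlation rule: alert once per source when `threshold`
    failures occur within `window` (the automated-trigger condition in the notes)."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for f in failures(lines):
        q = recent[f.src]
        q.append(f)
        while f.ts - q[0].ts > window:      # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and f.src not in alerted:
            alerted.add(f.src)
            alerts.append(Alert(f.src, len(q), q[0].ts, f.ts, sorted({e.user for e in q})))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_AUTH_LOG.splitlines()
    print(failures_by_source(lines))
    for a in correlate(lines):
        print(f"ALERT {a.src}: {a.failures} failures between {a.first:%H:%M:%S} "
              f"and {a.last:%H:%M:%S}, users {a.users}")
```

Without the deduplication step the first source would be counted nine times instead of six, which is why item 12 above matters before any threshold rule is applied.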
Elements of a SIEM dashboard
Sensors:
a. agents placed on systems.
b. collect logs from devices and send these logs to the SIEM system.
c. Dashboards can display this data.
Alerts:
a. Triggers send out alerts.
b. These trigger specific responses (displayed on dashboard).
Sensitivity:
a. The alert threshold (often a 1-100 scale) is tuned to balance false positives (noise that wastes
analyst time) against false negatives (real attacks that are missed).
Correlation:
a. correlates and analyzes the data.
b. Administrators configure the dashboard to display this data in multiple ways.
Trends:
a. Identify and display trends in graphs.
Syslog
a. The syslog protocol specifies a general log entry format and the details of how to transport log entries.
b. A centralized syslog server collects syslog entries from a variety of devices in the network, similar
to how a SIEM server collects log entries.
c. Standard on Unix-like systems.
d. Systems sending syslog messages are originators; they send them to a collector.
e. Important to note that the syslog protocol only defines how to format the syslog messages and send
them to a collector. It doesn't define how the syslog server handles these log entries.
f. Every message starts with a priority value (PRI) computed as facility * 8 + severity; for example
<34> is facility 4 (auth) and severity 2 (critical).
syslogd daemon:
a. the service that handles the syslog messages
b. collects the entries and processes them based on entries in the /etc/syslog.conf file (rsyslog reads
/etc/rsyslog.conf instead).
c. Many syslog messages are routed to the /var/log/syslog file (/var/log/messages on Red Hat-style systems).
Other applications can also collect and process syslog entries. Some that use syslog can even perform
many of the functions of a SIEM system.
Historically syslog messages were sent via UDP on port 514. UDP doesn't provide guaranteed delivery, and
plain syslog has no encryption or sender authentication, so entries can be lost, read, or forged in transit.
Newer implementations use syslog over TLS on TCP port 6514 (RFC 5425). TCP ensures packets arrive and TLS
provides encryption and lets the originator verify the collector's certificate.
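An added example (not from the study guide) of the syslog message format and its two transports: it computes the PRI value, builds and parses an RFC 5424 message, and shows a plain UDP/514 sender beside an RFC 5425 TLS/6514 sender. The collector addresses and CA file path are placeholders, and neither sender is invoked when the script runs.

```python
import re
import socket
import ssl
from datetime import datetime, timezone

# RFC 5424 facility and severity codes; PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
            "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
            **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}
FACILITY_NAME = {v: k for k, v in FACILITY.items()}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}

# Fixed timestamp (the one used in RFC 5424's own example) so output is reproducible.
EXAMPLE_TS = datetime(2003, 10, 11, 22, 14, 15, 3000, tzinfo=timezone.utc)


def priority(facility: str, severity: str) -> int:
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_rfc5424(facility, severity, hostname, app, msg, procid="-", msgid="-", ts=None):
    """Format one RFC 5424 message: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return f"<{priority(facility, severity)}>1 {stamp} {hostname} {app} {procid} {msgid} - {msg}"


PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_priority(message: str):
    """Decode the PRI field of any syslog message (RFC 3164 or 5424) into (facility, severity)."""
    m = PRI_RE.match(message)
    if not m or int(m.group(1)) > 191:
        raise ValueError("malformed or missing PRI")
    fac, sev = divmod(int(m.group(1)), 8)
    return FACILITY_NAME.get(fac, f"facility{fac}"), SEVERITY_NAME[sev]


def send_udp(message: str, collector=("127.0.0.1", 514)) -> None:
    """Classic transport: one datagram, no acknowledgement, no encryption, no sender authentication."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode("utf-8"), collector)


def send_tls(message: str, collector=("logs.example.internal", 6514), cafile=None) -> None:
    """RFC 5425 transport: TCP + TLS on 6514 with octet-counting framing ('LEN SP MSG').
    cafile is an assumed path to the CA that signed the collector's certificate."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies certificate chain and hostname
    raw = message.encode("utf-8")
    frame = f"{len(raw)} ".encode("ascii") + raw
    with socket.create_connection(collector) as tcp, \
            ctx.wrap_socket(tcp, server_hostname=collector[0]) as tls:
        tls.sendall(frame)


if __name__ == "__main__":
    msg = build_rfc5424("auth", "crit", "web01", "su", "'su root' failed for lonvick on /dev/pts/8",
                        ts=EXAMPLE_TS)
    print(msg)
    print(parse_priority(msg))   # ('auth', 'crit')
    # send_udp(msg)                                           # against a lab collector only
    # send_tls(msg, cafile="/etc/ssl/certs/lab-ca.pem")       # assumed CA path
```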
Syslog-ng and Rsyslog:
Open-source software used instead of syslogd on Linux-like systems.
Syslog-ng extends syslogd, allowing a system to collect logs from any source, and supports transport over TCP and TLS.
Rsyslog came out later as an improvement over syslog-ng. One significant change is the ability to send
log entries directly into database engines. It also supports TCP and TLS.
NXLog:
log management tool similar to rsyslog and syslog-ng
supports log formats for Windows, such as event log entries. Usable on both Windows and Linux-like
systems.
Two versions:
NXLog Community Edition: free, open-source log management tool.
NXLog Enterprise Edition: all the features of the Community Edition plus additional capabilities, such as
real-time event correlation and remote administration.
Linux Logs
Some common Linux logs. These are located in the /var/log/ directory. You can view logs using the System
Log Viewer on Linux desktops or by using the cat (or less) command from the terminal.
To view authentication log:
cat /var/log/auth.log
Chapter 2
At least two entities know the credentials: the user, and the authenticator.
Authentication is not limited to users, it also includes services, devices, workstations, processes etc.
Many computers have mutual authentication where both parties authenticate each other.
What is AAA? Authentication, Authorization, and Accounting. All three help provide a comprehensive
access management system.
Accounting tracks user activity and records it in logs.
Those logs form an audit trail that admins and security professionals use to recreate the events
preceding an attack.
Access control systems provide authorization by granting access to resources based on permissions
granted to an authenticated entity. Logging provides accounting.
Authentication Factors or types:
Something you know: password or static code.
Complex password is a combination of: Uppercase, Lowercase, Numbers, Special Characters.
A complex password isn’t necessarily strong. It must be long too. Currently at least 8 characters is
recommended.
Understand Password History and Password Age.
Password Vault: stores passwords in one place. Like Google Chrome password manager.
Password keys: password reset/recovery tools on a bootable optical disc or bootable USB flash drive. Useful
to someone who forgot their password, to forensic experts who are investigating, and even to attackers who
stole a laptop (which is why full-disk encryption matters).
Knowledge-based authentication (KBA):
Two types:
static KBA: used when you forget your password, i.e. mother's maiden name, first dog's name, etc.
dynamic KBA: used for high-risk transactions or when the user has no account yet; questions are drawn from
public and financial records, i.e. how much is your car payment, when was your home built? A limited
amount of time to answer restricts internet searches.
Know Account Lockout Threshold and Account Lockout Duration
Something you have: something you can hold like a smart card or hardware token.
Smart cards are credit card-sized cards with an embedded microchip that holds a certificate and the
matching private key. The chip performs the cryptographic operations itself (such as signing a challenge),
so the private key never leaves the card.
a. A token key (sometimes called a key fob or just a token) is an electronic device about the size of
a remote key for a car.
b. Token keys include a liquid crystal display (LCD) that displays a number, and this number changes
periodically, such as every 60 seconds.
HMAC-based One-Time Password (HOTP) is an open standard (RFC 4226) used for creating one-time passwords,
like those used in tokens or key fobs. The algorithm combines a secret key and an incrementing counter,
uses HMAC to create a hash of the result, then truncates it into an HOTP value of six to eight digits.
Because the counter only moves forward, a code stays valid until it is used, and the server must tolerate
the client being a few counts ahead.
Time-based One-Time Password (TOTP, RFC 6238) is similar to HOTP, but it uses a timestamp (the number of
elapsed time steps) instead of a counter. One-time passwords created with TOTP typically expire after 30
seconds, but the step is adjustable, and servers usually accept one step of clock drift either way.
Something you are: uses biometrics for authentication.
Biometric methods are the strongest form of authentication because they are the most difficult for an
attacker to falsify. In comparison, passwords are the weakest form of authentication.
Biometrics uses a physical characteristic, such as a fingerprint, for authentication.
The biometric efficacy rate refers to the performance of the system under ideal conditions
the four possibilities when a biometric system tries to authenticate a user
1. False acceptance
2. False rejection.
3. True acceptance
4. True rejection.
Biometric systems allow you to adjust the sensitivity or threshold level where errors occur. Increasing
sensitivity decreases the number of false matches and increases the number of false rejections. In
contrast, reducing sensitivity increases false matches and decreases false rejections.
It’s worth noting that using two methods of authentication in the same factor is not two-factor
authentication. For example, requiring users to enter a password and a reusable PIN (both in the
something you know factor) is single-factor authentication, not dual-factor authentication.
somewhere you are authentication attribute identifies a user’s location. Geolocation is a group of
technologies used to identify a user’s location and is the most common method used in this factor.
The something you can do authentication factor refers to actions you can take such as gestures on a
touch screen.
A badge worn by an employee is something you can exhibit.
Someone you know indicates that someone is vouching for you.
Authentication log files can track both successful and unsuccessful login attempts.
Account types: End user, Admin/root, service, device, Third-party, Guest, Shared/generic account
Some applications and services need to run under the context of an account, and a service account fills
this need.

As an example, SQL Server is a database application that runs on a server, and it needs access to
resources on the server and the network. Administrators create a regular user account, name it
something like sqlservice, assign it appropriate privileges, and configure SQL Server to use this
account. Note that this is like a regular end-user account. The only difference is that it’s used by
the service or application, not an end user. Credential policies may require long, complex
passwords for these accounts, but they should not expire. If the password expires, the account
can no longer log on, and the service application will stop.
Privileged access management (PAM, sometimes called privileged account management) allows an
organization to apply more stringent security controls over accounts with elevated privileges, such as
administrator or root-level accounts.
PAM implements just-in-time administration, i.e. administrators don't have administrative privileges
until they need them.
Capabilities of PAM:
a. Allow users to access the privileged account without knowing the password.
b. Automatically change privileged account passwords periodically.
c. Limit the time users can use the privileged account.
d. Allow users to check out credentials.
e. Log all access of credentials.
It’s common to require administrators to have two accounts: one for day-to-day work (same privileges as
end user), other with administrative privileges only used when doing administrative work.
Time-based logins (sometimes referred to as time-of-day restrictions): ensure that users can only log on
to computers during specific times.
An account audit looks at the rights and permissions assigned to user and helps enforce the least
privilege principle.
Privilege creep (or permission bloat) occurs when a user is granted more and more privileges due to
changing job requirements, but unneeded privileges are never removed.
Single sign-on (SSO) refers to a user’s ability to log on once and access multiple systems without logging
on again.
SSO requires strong authentication.
Kerberos is a network authentication mechanism used within Windows Active Directory domains and
some Unix environments known as realms. Kerberos is a type of Single Sign-On (SSO) system.
Some SSO systems can connect authentication mechanisms from different environments, such as
different operating systems or different networks.
Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)-based data format used
for SSO in web browsers.
SSO by itself does not provide authorization; authorization is a separate step. However, many federated
SSO systems, including SAML, include the ability to transfer authorization data (as assertions) between
systems. In other words, it's possible to use SAML for both single sign-on authentication and authorization.
SAML is an XML-based standard used to exchange authentication and authorization information between
different parties (the identity provider and the service provider). SAML provides SSO for web-based applications.
OAuth is an open standard for authorization that many companies use to provide secure access to protected
resources.
a. Instead of creating a different account for each website you access, you can often use the same
account you've created with Google, Facebook, PayPal, Microsoft, or Twitter.
b. The key point is that OAuth focuses on authorization (delegating access to a resource), not
authentication (proving who the user is).
OpenID is an authentication standard.
OpenID Connect (OIDC) is the next iteration of OpenID. It is an authentication layer built on top of OAuth
2.0, so the two are commonly used together: OIDC proves who the user is, OAuth governs what the application
may access on their behalf.
Role-based access control (role-BAC) uses roles to manage rights and permissions for users. When an
administrator adds a user to a role, the user has all the rights and permissions of that role.
a. It's common to document role-based permissions with a matrix listing all of the job titles and
each role's privileges.
Rule-based access control (rule-BAC) uses rules. The most common example is with rules in routers or
firewalls. However, more advanced implementations cause rules to trigger within applications, too.
a. Rules are typically static.
b. Some rules are dynamic. For example, intrusion prevention systems can detect attacks and then
modify rules to block traffic from attackers.
c. Another example: you can configure a database rule to trigger a change to a user's permissions
when the system recognizes that Marge is absent.
Discretionary access control (DAC) scheme: objects (such as files and folders) have an owner, and the
owner establishes access for the objects.
a. The NTFS file system used in Windows uses DAC.
b. Microsoft systems identify users with security identifiers (SIDs), though you will rarely see a SID.
c. Each permission entry on an object is an access control entry (ACE); combined, all of the entries form
the object's discretionary access control list (DACL).
d. As the owner, a user can modify the permissions on the object by adding user or group accounts
to the DACL and assigning the desired permissions.
The mandatory access control (MAC) scheme uses labels (sometimes referred to as sensitivity labels or
security labels) to determine access.
a. Security administrators assign labels to both subjects (users) and objects (files or folders). When
the labels match, the system can grant a subject access to an object. When the labels don't match, the
access scheme blocks access.
b. Access is further restricted based on a need to know.
c. The MAC scheme uses different levels of security to classify both the users and the data. These
levels are defined in a lattice, which can be a complex relationship between different ordered sets of
labels. These labels define the boundaries for the security levels.
d. An administrator is responsible for establishing access, but only someone at a higher authority
can define the access for subjects and objects.
An attribute-based access control (ABAC) scheme evaluates attributes and grants access based on the value
of these attributes.
a. Attributes can be almost any characteristic of a user, the environment, or the resource. ABAC uses
policies to evaluate attributes and grants access when the request matches a policy.
b. Example policy: allow users who are logged on and are members of the researchers group to access
research sites from the main network.
Policy statements typically include four elements:
o Subject: typically a user. In the example, the subject is identified as being logged on and a
member of the researchers group.
o Object: the resource (such as a file, database, or application) that the user is trying to access.
In the example, the object is research sites.
o Action: what the user is attempting to do, such as reading or modifying a file, accessing specific
websites, or accessing website applications. The example allows access to specific websites.
o Environment: the context of the request, such as time, location, or network. In the example, it
specifies the main network as an environmental attribute.
An ABAC system has a lot of flexibility and can enforce both a DAC and a MAC scheme.
Microsoft has implemented Conditional Access within Azure Active Directory environments. It can be
used with traditional access control schemes but adds additional capabilities to enforce organizational
policies. Conditional Access uses policies, which are if-then statements (if a sign-in comes from an
unmanaged device, then require MFA or block it).
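An added example (not from the study guide, and not Microsoft's Conditional Access engine) showing the four ABAC elements as code: policies are predicates over subject, object, action and environment attributes, combined with deny-overrides and default deny. The "researchers on the main network" rule is the one from the notes; the non-compliant-device rule, the attribute names and the admins group are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    """The four elements of an ABAC policy statement."""
    subject: dict
    object: dict
    action: str
    environment: dict


@dataclass
class Policy:
    name: str
    effect: str                            # "permit" or "deny"
    condition: Callable[[Request], bool]   # evaluates the request's attributes


POLICIES = [
    # The scenario from the notes: logged-on researchers on the main network may read research sites.
    Policy("researchers-read-research-sites", "permit", lambda r:
           r.subject.get("logged_on") is True
           and "researchers" in r.subject.get("groups", ())
           and r.object.get("category") == "research-site"
           and r.action == "read"
           and r.environment.get("network") == "main"),
    # A Conditional-Access-style if-then rule (assumed): if the device is not known to be
    # compliant, then deny any administrative action, whoever asks.
    Policy("deny-admin-from-noncompliant-device", "deny", lambda r:
           r.action == "admin" and r.environment.get("device_compliant") is not True),
    Policy("admins-manage-anything", "permit", lambda r:
           "admins" in r.subject.get("groups", ()) and r.action == "admin"),
]


def decide(request: Request, policies=POLICIES) -> str:
    """Deny-overrides combining algorithm with default deny:
    any matching deny wins; otherwise any matching permit; otherwise deny."""
    matched = [p for p in policies if p.condition(request)]
    if any(p.effect == "deny" for p in matched):
        return "deny"
    if any(p.effect == "permit" for p in matched):
        return "permit"
    return "deny"


def explain(request: Request, policies=POLICIES):
    """Return (decision, names of the policies that matched) for audit logging."""
    matched = [p.name for p in policies if p.condition(request)]
    return decide(request, policies), matched


if __name__ == "__main__":
    alice = {"name": "alice", "groups": ("researchers",), "logged_on": True}
    site = {"category": "research-site", "url": "https://research.example.org"}
    print(explain(Request(alice, site, "read", {"network": "main"})))        # permit
    print(explain(Request(alice, site, "read", {"network": "guest-wifi"})))  # deny: no policy matched
    root = {"name": "root", "groups": ("admins",), "logged_on": True}
    print(explain(Request(root, {"category": "server"}, "admin",
                          {"network": "main", "device_compliant": False})))  # deny overrides permit
```

The environment attribute is what lets the same subject be permitted from one network and denied from another without touching the subject's group membership, which is the flexibility the notes attribute to ABAC.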
Chapter 3
The Data Link layer (Layer 2) is responsible for delivering frames to specific devices on the local
network, identified by MAC address.
Layer 2 attacks attempt to exploit vulnerabilities in MAC addressing and ARP (for example ARP poisoning
and MAC flooding).
Basic Networking Protocols:
a. TCP and IP provide basic connectivity.
b. HTTP and SMTP support specific traffic types.
c. The default port for HTTP is 80 (HTTPS uses 443).
TCP/IP traffic is either connection-oriented TCP traffic or connectionless UDP traffic.
IP. The Internet Protocol (IP) identifies hosts in a TCP/IP network and delivers traffic from one host to
another using IP addresses.
ICMP. Internet Control Message Protocol (ICMP) is used for testing basic connectivity and is used by tools
such as ping, pathping, and tracert. Because attackers also use ICMP for reconnaissance, many firewalls
block it, which is why ping can fail against a host that is up.
ARP is required once the packet reaches the destination subnet, to resolve the destination IP address to
the MAC address of the final hop.