lOMoARcPSD|36915131
SEC+ 601 Notes - abc
Introduction to Artificial Intelligence (University of Science - VNUHCM)
Scan to open on Studocu
Studocu is not sponsored or endorsed by any college or university
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
lOMoARcPSD|36915131
Professor Messer’s
SY0-601 CompTIA
Security+ Course Notes
James “Professor” Messer
h琀琀p://www.ProfessorMesser.com
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
lOMoARcPSD|36915131
Professor Messer’s SY0-601 CompTIA Security+ Course Notes
Wri琀琀en by James “Professor” Messer
Copyright © 2020 by Messer Studios, LLC
h琀琀p://www.ProfessorMesser.com
All rights reserved. No part of this book may be reproduced or transmi琀琀ed in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any informa琀椀on storage and retrieval
system, without wri琀琀en permission from the publisher.
First Edi琀椀on: November 2020
This is version 1.02
Trademark Acknowledgments
All product names and trademarks are the property of their respec琀椀ve owners,
and are in no way associated or a昀케liated with Messer Studios, LLC.
“Professor Messer” is a registered trademark of Messer Studios LLC.
“CompTIA” and “Security+” are registered trademarks of CompTIA, Inc.
Warning and Disclaimer
This book is designed to provide informa琀椀on about the CompTIA SY0-601 Security+ cer琀椀昀椀ca琀椀on exam.
However, there may be typographical and/or content errors. Therefore, this book should serve only as a
general guide and not as the ul琀椀mate source of subject informa琀椀on. The author shall have no liability or
responsibility to any person or en琀椀ty regarding any loss or damage incurred, or alleged to have incurred,
directly or indirectly, by the informa琀椀on contained in this book.
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
lOMoARcPSD|36915131
Contents
1.0 - A琀琀acks, Threats, and Vulnerabili琀椀es
1.1 - Phishing
1.1 - Impersona琀椀on
1.1 - Dumpster Diving
1.1 - Shoulder Sur昀椀ng
1.1 - Hoaxes
1.1 - Watering Hole A琀琀acks
1.1 - Spam
1.1 - In昀氀uence Campaigns
1.1 - Other Social Engineering A琀琀acks
1.1 - Principles of Social Engineering
1.2 - An Overview of Malware
1.2 - Viruses and Worms
1.2 - Ransomware and Crypto-malware
1.2 - Trojans and RATs
1.2 - Rootkits
1.2 - Spyware
1.2 - Bots and Botnets
1.2 - Logic Bombs
1.2 - Password A琀琀acks
1.2 - Physical A琀琀acks
1.2 - Adversarial Ar琀椀昀椀cial Intelligence
1.2 - Supply Chain A琀琀acks
1.2 - Cloud-based vs. On-Premises A琀琀acks
1.2 - Cryptographic A琀琀acks
1.3 - Privilege escala琀椀on
1.3 - Cross-site Scrip琀椀ng
1.3 - Injec琀椀on A琀琀acks
1.3 - Bu昀昀er Over昀氀ows
1.3 - Replay A琀琀acks
1.3 - Request Forgeries
1.3 - Driver Manipula琀椀on
1.3 - SSL Stripping
1.3 - Race Condi琀椀ons
1.3 - Other Applica琀椀on A琀琀acks
1.4 - Rogue Access Points and Evil Twins
1.4 - Bluejacking and Bluesnar昀椀ng
1.4 - Wireless Disassocia琀椀on A琀琀acks
1.4 - Wireless Jamming
1.4 - RFID and NFC A琀琀acks
1.4 - Randomizing Cryptography
1.4 - On-Path A琀琀acks
1.4 - MAC Flooding and Cloning
1.4 - DNS A琀琀acks
1.4 - Denial of Service
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
1
1
1
2
2
3
3
3
4
4
5
5
6
7
7
8
8
8
9
9
10
11
11
12
12
12
13
13
14
14
15
16
17
17
18
19
19
19
20
20
20
21
21
21
22
lOMoARcPSD|36915131
1.4 - Malicious Scripts
1.5 - Threat Actors
1.5 - A琀琀ack Vectors
1.5 - Threat Intelligence
1.5 - Threat Research
1.6 - Vulnerability Types
1.6 - Third-party Risks
1.6 - Vulnerability Impacts
1.7 - Threat Hun琀椀ng
1.7 - Vulnerability Scans
1.7 - Security Informa琀椀on and Event Management
1.8 - Penetra琀椀on Tes琀椀ng
1.8 - Reconnaissance
1.8 - Security Teams
2.0 - Architecture and Design
2.1 - Con昀椀gura琀椀on Management
2.1 - Protec琀椀ng Data
2.1 - Data Loss Preven琀椀on
2.1 - Managing Security
2.1 - Site Resiliency
2.1 - Honeypots and Decep琀椀on
2.2 - Cloud Models
2.2 - Edge and Fog Compu琀椀ng
2.2 - Designing the Cloud
2.2 - Infrastructure as Code
2.2 - Virtualiza琀椀on Security
2.3 - Secure Deployments
2.3 - Provisioning and Deprovisioning
2.3 - Secure Coding Techniques
2.3 - So昀琀ware Diversity
2.3 - Automa琀椀on and Scrip琀椀ng
2.4 - Authen琀椀ca琀椀on Methods
2.4 - Biometrics
2.4 - Mul琀椀-factor Authen琀椀ca琀椀on
2.5 - Disk Redundancy
2.5 - Network Redundancy
2.5 - Power Redundancy
2.5 - Replica琀椀on
2.5 - Backup Types
2.5 - Resiliency
2.6 - Embedded Systems
2.6 - Embedded Systems Communica琀椀on
2.6 - Embedded Systems Constraints
2.7 - Physical Security Controls
2.7 - Secure Areas
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
23
23
24
25
26
27
28
29
30
30
31
32
32
33
33
33
34
35
35
36
37
37
38
39
40
41
41
42
42
43
44
44
45
46
47
47
47
48
48
49
50
51
52
52
54
lOMoARcPSD|36915131
2.7 - Secure Data Destruc琀椀on
2.8 - Cryptography Concepts
2.8 - Symmetric and Asymmetric Cryptography
2.8 - Hashing and Digital Signatures
2.8 - Cryptographic Keys
2.8 - Steganography
2.8 - Quantum Compu琀椀ng
2.8 - Stream and Block Ciphers
2.8 - Blockchain Technology
2.8 - Cryptography Use Cases
2.8 - Cryptography Limita琀椀ons
3.0 - Implementa琀椀on
3.1 - Secure Protocols
3.2 - Endpoint Protec琀椀on
3.2 - Boot Integrity
3.2 - Database Security
3.2 - Applica琀椀on Security
3.2 - Applica琀椀on Hardening
3.3 - Load Balancing
3.3 - Network Segmenta琀椀on
3.3 - Virtual Private Networks
3.3 - Port Security
3.3 - Secure Networking
3.3 - Firewalls
3.3 - Network Access Control
3.3 - Intrusion Preven琀椀on
3.3 - Other Network Appliances
3.4 - Wireless Cryptography
3.4 - Wireless Authen琀椀ca琀椀on Methods
3.4 - Wireless Authen琀椀ca琀椀on Protocols
3.4 - Installing Wireless Networks
3.5 - Mobile Networks
3.5 - Mobile Device Management
3.5 - Mobile Device Security
3.5 - Mobile Device Enforcement
3.5 - Mobile Deployment Models
3.6 - Cloud Security Controls
3.6 - Securing Cloud Storage
3.6 - Securing Cloud Networks
3.6 - Securing Compute Clouds
3.6 - Cloud Security Solu琀椀ons
3.7 - Iden琀椀ty Controls
3.7 - Account Types
3.7 - Account Policies
3.8 - Authen琀椀ca琀椀on Management
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
55
55
56
57
58
59
59
60
61
62
63
63
63
65
65
66
67
68
69
69
70
73
74
75
76
76
77
78
78
79
80
81
82
83
84
85
85
86
86
87
87
88
88
89
90
lOMoARcPSD|36915131
3.8 - PAP and CHAP
3.8 - Iden琀椀ty and Access Services
3.8 - Federated Iden琀椀琀椀es
3.8 - Access Control
3.9 - Public Key Infrastructure
3.9 - Cer琀椀昀椀cates
3.9 - Cer琀椀昀椀cate Formats
3.9 - Cer琀椀昀椀cate Concepts
4.0 - Opera琀椀ons and Incident Response
4.1 - Reconnaissance Tools
4.1 - File Manipula琀椀on Tools
4.1 - Shell and Script Environments
4.1 - Packet Tools
4.1 - Forensic Tools
4.2 - Incident Response Process
4.2 - Incident Response Planning
4.2 - A琀琀ack Frameworks
4.3 - Vulnerability Scan Output
4.3 - SIEM Dashboards
4.3 - Log 昀椀les
4.3 - Log Management
4.4 - Endpoint Security Con昀椀gura琀椀on
4.4 - Security Con昀椀gura琀椀ons
4.5 - Digital Forensics
4.5 - Forensics Data Acquisi琀椀on
4.5 - On-Premises vs. Cloud Forensics
4.5 - Managing Evidence
5.0 - Governance, Risk, and Compliance
5.1 - Security Controls
5.2 - Security Regula琀椀ons and Standards
5.2 - Security Frameworks
5.2 - Secure Con昀椀gura琀椀ons
5.3 - Personnel Security
5.3 - Third-party Risk Management
5.3 - Managing Data
5.3 - Creden琀椀al Policies
5.3 - Organiza琀椀onal Policies
5.4 - Risk Management Types
5.4 - Risk Analysis
5.4 - Business Impact Analysis
5.5 - Privacy and Data Breaches
5.5 - Data Classi昀椀ca琀椀ons
5.5 - Enhancing privacy
5.5 - Data Roles and Responsibili琀椀es
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
90
91
92
92
93
94
95
96
97
97
98
99
99
100
100
102
103
103
104
104
105
106
106
107
108
109
110
110
110
111
111
112
113
114
115
115
116
116
117
118
118
119
119
120
lOMoARcPSD|36915131
Introduc琀椀on
Informa琀椀on technology security is a signi昀椀cant concern for every IT specialist. Our systems are under
constant a琀琀ack, and the next genera琀椀on of security professionals will be at the forefront of keeping our
cri琀椀cal informa琀椀on safe.
CompTIA’s Security+ exam tests you on the speci昀椀cs of network security, vulnerabili琀椀es and threats,
cryptography, and much more. I’ve created these Course Notes to help you through the details that you need
to know for the exam. Best of luck with your studies!
- Professor Messer
The CompTIA Security+ cer琀椀昀椀ca琀椀on
To earn the Security+ cer琀椀昀椀ca琀椀on, you must pass a single SY0-601 cer琀椀昀椀ca琀椀on exam. The exam is 90 minutes
in dura琀椀on and includes both mul琀椀ple choice ques琀椀ons and performance-based ques琀椀ons. Performancebased ques琀椀ons can include 昀椀ll-in-the-blank, matching, sor琀椀ng, and simulated opera琀椀onal environments.
You will need to be very familiar with the exam topics to have the best possible exam results.
Here’s the breakdown of each technology sec琀椀on and the percentage of each topic on the SY0-601 exam:
Sec琀椀on 1.0 - A琀琀acks, Threats, and Vulnerabili琀椀es - 24%
Sec琀椀on 2.0 - Architecture and Design - 21%
Sec琀椀on 3.0 - Implementa琀椀on - 25%
Sec琀椀on 4.0 - Opera琀椀ons and Incident Response - 16%
Sec琀椀on 5.0 - Governance, Risk, and Compliance - 14%
CompTIA provides a detailed set of exam objec琀椀ves that provide a list of everything you need to know before
you take your exam. You can 昀椀nd a link to the exam objec琀椀ves here:
h琀琀ps://professormesser.com/objec琀椀ves/
How to use this book
Once you’re comfortable with all of the sec琀椀ons in the o昀케cial CompTIA SY0-601 exam objec琀椀ves, you can
use these notes as a consolidated summary of the most important topics. These Course Notes follow the
same format and numbering scheme as the exam objec琀椀ves, so it should be easy to cross reference these
notes with the Professor Messer video series and all of your other study materials. The CompTIA Security+
video training series can be found on the Professor Messer website at h琀琀ps://ProfessorMesser.com.
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
lOMoARcPSD|36915131
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
lOMoARcPSD|36915131
Professor Messer’s
CompTIA Security+
SY0-601 Course Notes
h琀琀p://www.ProfessorMesser.com
1.1 - Phishing
Phishing
• Social engineering with a touch of spoo昀椀ng
– O昀琀en delivered by email, text, etc.
– Very remarkable when well done
• Don’t be fooled
– Check the URL
• Usually there’s something not quite right
– Spelling, fonts, graphics
Tricks and misdirec琀椀on
• How are they so successful?
– Digital slight of hand - it fools the best of us
• Typosqua琀�ng
– A type of URL hijacking - h琀琀ps://professormessor.com
– Prepending: h琀琀ps://pprofessormesser.com
• Pretex琀椀ng
– Lying to get informa琀椀on
– A琀琀acker is a character in a situa琀椀on they create
– Hi, we’re calling from Visa regarding an automated
payment to your u琀椀lity service…
Pharming
• Redirect a legit website to a bogus site
– Poisoned DNS server or client vulnerabili琀椀es
• Combine pharming with phishing
– Pharming - Harvest large groups of people
– Phishing - Collect access creden琀椀als
• Di昀케cult for an琀椀-malware so昀琀ware to stop
– Everything appears legi琀椀mate to the user
Phishing with di昀昀erent bait
• Vishing (Voice phishing) is done
over the phone or voicemail
– Caller ID spoo昀椀ng is common
– Fake security checks or bank updates
• Smishing (SMS phishing) is done by text message
– Spoo昀椀ng is a problem here as well
– Forwards links or asks for personal informa琀椀on
• Varia琀椀ons on a theme
– The fake check scam, phone veri昀椀ca琀椀on code scam,
– Boss/CEO scam, advance-fee scam
– Some great summaries on
h琀琀ps://reddit.com/r/Scams
Finding the best spot to phish
• Reconnaissance
– Gather informa琀椀on on the vic琀椀m
• Background informa琀椀on
– Lead genera琀椀on sites
– LinkedIn, Twi琀琀er, Facebook, Instagram
– Corporate web site
• A琀琀acker builds a believable pretext
– Where you work
– Where you bank
– Recent 昀椀nancial transac琀椀ons
– Family and friends
Spear phishing
• Targeted phishing with inside informa琀椀on
– Makes the a琀琀ack more believable
• Spear phishing the CEO is “whaling”
– Targeted phishing with the possibility of a large catch
– The CFO (Chief Financial O昀케cer) is commonly speared
• These execu琀椀ves have direct access to
the corporate bank account
– The a琀琀ackers would love to have those creden琀椀als
1.1 - Impersona琀椀on
The pretext
• Before the a琀琀ack, the trap is set
– There’s an actor and a story
• “Hello sir, my name is Wendy and I’m from Microso昀琀
Windows. This is an urgent check up call for your
computer as we have found several problems with it.”
• Voice mail: “This is an enforcement ac琀椀on executed by
the US Treasury intending your serious a琀琀en琀椀on.”
• “Congratula琀椀ons on your excellent payment history! You
now qualify for 0% interest rates on all of your credit
card accounts.”
© 2020 Messer Studios, LLC
Impersona琀椀on
• A琀琀ackers pretend to be someone they aren’t
– Halloween for the fraudsters
• Use some of those details from reconnaissance
– You can trust me, I’m with your help desk
• A琀琀ack the vic琀椀m as someone higher in rank
– O昀케ce of the Vice President for Scamming
• Throw tons of technical details around
– Catastrophic feedback due to the
depolariza琀椀on of the di昀昀eren琀椀al magnetometer
• Be a buddy
– How about those Cubs?
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 1
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.1 - Impersona琀椀on (con琀椀nued)
Elici琀椀ng informa琀椀on
• Extrac琀椀ng informa琀椀on from the vic琀椀m
– The vic琀椀m doesn’t even realize this is happening
– Hacking the human
• O昀琀en seen with vishing (Voice Phishing)
– Can be easier to get this informa琀椀on over the phone
• These are well-documented psychological techniques
– They can’t just ask, “So, what’s your password?”
Iden琀椀ty fraud
• Your iden琀椀ty can be used by others
– Keep your personal informa琀椀on safe!
• Credit card fraud
– Open an account in your name, or use your credit card informa琀椀on
• Bank fraud
– A琀琀acker gains access to your account or opens a new account
• Loan fraud
– Your informa琀椀on is used for a loan or lease
• Government bene昀椀ts fraud
– A琀琀acker obtains bene昀椀ts on your behalf
Protect against impersona琀椀on
• Never volunteer informa琀椀on
– My password is 12345
• Don’t disclose personal details
– The bad guys are tricky
• Always verify before revealing info
– Call back, verify through 3rd par琀椀es
• Veri昀椀ca琀椀on should be encouraged
– Especially if your organiza琀椀on owns
valuable informa琀椀on
1.1 - Dumpster Diving
Dumpster diving
• Mobile garbage bin
– United States brand name “Dumpster”
– Similar to a rubbish skip
• Important informa琀椀on thrown out with the trash
– Thanks for bagging your garbage for me!
• Gather details that can be used for a di昀昀erent a琀琀ack
– Impersonate names, use phone numbers
• Timing is important
– Just a昀琀er end of month, end of quarter
– Based on pickup schedule
Is it legal to dive in a dumpster?
• I am not a lawyer.
– In the United States, it’s legal
– Unless there’s a local restric琀椀on
• If it’s in the trash, it’s open season
– Nobody owns it
• Dumpsters on private property or “No Trespassing”
signs may be restricted
– You can’t break the law to get to the rubbish
• Ques琀椀ons? Talk to a legal professional.
Protect your rubbish
• Secure your garbage
– Fence and a lock
• Shred your documents
– This will only go so far
– Governments burn the good stu昀昀
• Go look at your trash
– What’s in there?
1.1 - Shoulder Sur昀椀ng
Shoulder sur昀椀ng
• You have access to important informa琀椀on
– Many people want to see
– Curiosity, industrial espionage, compe琀椀琀椀ve advantage
• This is surprisingly easy
– Airports / Flights
– Hallway-facing monitors
– Co昀昀ee shops
• Surf from afar
– Binoculars / Telescopes
– Easy in the big city
– Webcam monitoring
© 2020 Messer Studios, LLC
• Preven琀椀ng shoulder sur昀椀ng
• Control your input
– Be aware of your surroundings
• Use privacy 昀椀lters
– It’s amazing how well they work
• Keep your monitor out of sight
– Away from windows and hallways
• Don’t sit in front of me on your 昀氀ight
– I can’t help myself
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 2
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.1 - Hoaxes
Computer hoaxes
• A threat that doesn’t actually exist
– But they seem like they COULD be real
• S琀椀ll o昀琀en consume lots of resources
– Forwarded email messages, printed memorandums, wasted 琀椀me
• O昀琀en an email
– Or Facebook wall post, or tweet, or...
• Some hoaxes will take your money
– But not through electronic means
• A hoax about a virus can waste as much 琀椀me as a regular virus
De-hoaxing
• It’s the Internet. Believe no one.
– Consider the source
• Cross reference
– h琀琀p://www.hoax-slayer.net
– h琀琀p://www.snopes.com
• Spam 昀椀lters can help
– There are so many other ways...
• If it sounds too good to be true...
– So many sad stories
1.1 - Watering Hole A琀琀acks
Watering Hole A琀琀ack
• What if your network was really secure?
– You didn’t even plug in that USB key
from the parking lot
• The a琀琀ackers can’t get in
– Not responding to phishing emails
– Not opening any email a琀琀achments
• Have the mountain come to you
– Go where the mountain hangs out
– The watering hole
– This requires a bit of research
Execu琀椀ng the watering hole a琀琀ack
• Determine which website the vic琀椀m group uses
– Educated guess - Local co昀昀ee or sandwich shop
– Industry-related sites
• Infect one of these third-party sites
– Site vulnerability
– Email a琀琀achments
• Infect all visitors
– But you’re just looking for speci昀椀c vic琀椀ms
– Now you’re in!
Because that’s where the money is
• January 2017
• Polish Financial Supervision Authority, Na琀椀onal Banking
and Stock Commission of Mexico, State-owned
bank in Uruguay
– The watering hole was su昀케ciently poisoned
• Visi琀椀ng the site would download malicious JavaScript 昀椀les
– But only to IP addresses matching banks and
other 昀椀nancial ins琀椀tu琀椀ons
• Did the a琀琀ack work?
– We s琀椀ll don’t know
Watching the watering hole
• Defense-in-depth
– Layered defense
– It’s never one thing
• Firewalls and IPS
– Stop the network tra昀케c before things get bad
• An琀椀-virus / An琀椀-malware signature updates
– The Polish Financial Supervision Authority a琀琀ack code
was recognized and stopped by generic signatures in
Symantec’s an琀椀-virus so昀琀ware
1.1 - Spam
Spam
• Unsolicited messages
– Email, forums, etc.
– Spam over Instant Messaging (SPIM)
• Various content
– Commercial adver琀椀sing
– Non-commercial prosely琀椀zing
– Phishing a琀琀empts
• Signi昀椀cant technology issue
– Security concerns
– Resource u琀椀liza琀椀on
– Storage costs
– Managing the spam
© 2020 Messer Studios, LLC
Mail gateways
• Unsolicited email
– Stop it at the gateway before it reaches the user
– On-site or cloud-based
Iden琀椀fying spam
• Allowed list
– Only receive email from trusted senders
• SMTP standards checking
– Block anything that doesn’t follow RFC standards
• rDNS - Reverse DNS
– Block email where the sender’s domain doesn’t match the IP
address
• Tarpi琀�ng
– Inten琀椀onally slow down the server conversa琀椀on
• Recipient 昀椀ltering
– Block all email not addressed to a valid recipient email address
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 3
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.1 - In昀氀uence Campaigns
Hacking public opinion
• In昀氀uence campaigns
– Sway public opinion on poli琀椀cal and social issues
• Na琀椀on-state actors
– Divide, distract, and persuade
• Adver琀椀sing is an op琀椀on
– Buy a voice for your opinion
• Enabled through Social media
– Crea琀椀ng, sharing, liking
– Ampli昀椀ca琀椀on
Hybrid warfare
• Military strategy
– A broad descrip琀椀on of the techniques
– Wage war non-tradi琀椀onally
• Not a new concept
– The Internet adds new methods
• Cyberwarfare
– A琀琀ack an en琀椀ty with technology
• In昀氀uence with a military spin
– In昀氀uencing foreign elec琀椀ons
– “Fake news”
1.1 - Other Social Engineering A琀琀acks
Tailga琀椀ng
• Use an authorized person to gain unauthorized
access to a building
– Not an accident
• Johnny Long / No Tech Hacking
– Blend in with clothing
– 3rd-party with a legi琀椀mate reason
– Temporarily take up smoking
– I s琀椀ll prefer bringing doughnuts
• Once inside, there’s li琀琀le to stop you
– Most security stops at the border
Watching for tailga琀椀ng
• Policy for visitors
– You should be able to iden琀椀fy anyone
• One scan, one person
– A ma琀琀er of policy or mechanically required
• Mantrap / Airlock
– You don’t have a choice
• Don’t be afraid to ask
– Who are you and why are you here?
© 2020 Messer Studios, LLC
Invoice scams
• Starts with a bit of spear phishing
– A琀琀acker knows who pays the bills
• A琀琀acker sends a fake invoice
– Domain renewal, toner cartridges, etc.
– From: address is a spoofed version of the CEO
• Accoun琀椀ng pays the invoice
– It was from the CEO, a昀琀er all
• Might also include a link to pay
– Now the a琀琀acker has payment details
Creden琀椀al harves琀椀ng
• Also called password harves琀椀ng
– A琀琀ackers collect login creden琀椀als
• There are a lot of stored creden琀椀als on your computer
– The a琀琀acker would like those
– Chrome, Firefox, Outlook, Windows Creden琀椀al Manager, etc.
• User receives an email with a malicious Microso昀琀 Word doc
– Opening the document runs a macro
– The macro downloads creden琀椀al-harves琀椀ng malware
• User has no idea
– Everything happens in the background
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 4
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.1 - Principles of Social Engineering
E昀昀ec琀椀ve social engineering
• Constantly changing
– You never know what they’ll use next
• May involve mul琀椀ple people
– And mul琀椀ple organiza琀椀ons
– There are 琀椀es connec琀椀ng many organiza琀椀ons
• May be in person or electronic
– Phone calls from aggressive “customers”
– Emailed funeral no琀椀昀椀ca琀椀ons of a friend or associate
Social engineering principles
• Authority
– The social engineer is in charge
– I’m calling from the help desk/o昀케ce of the CEO/police
• In琀椀mida琀椀on
– There will be bad things if you don’t help
– If you don’t help me, the payroll checks
won’t be processed
• Consensus / Social proof
– Convince based on what’s normally expected
– Your co-worker Jill did this for me last week
• Scarcity
– The situa琀椀on will not be this way for long
– Must make the change before 琀椀me expires
• Urgency
– Works alongside scarcity
– Act quickly, don’t think
• Familiarity / Liking
– Someone you know, we have common friends
• Trust
– Someone who is safe
– I’m from IT, and I’m here to help
How I Lost My $50,000 Twi琀琀er Username
• Naoki Hiroshima - @N
– h琀琀ps://professormesser.link/twi琀琀ername
• A琀琀acker calls PayPal and uses social engineering to get
the last four digits of the credit card on 昀椀le
• A琀琀acker calls GoDaddy and tells them he lost the card,
so he can’t properly validate. But he has the last four,
does that help?
– GoDaddy let the bad guy guess the 昀椀rst
two digits of the card
– He was allowed to keep guessing un琀椀l he got it right
– Social engineering done really, really well
How to steal a $50,000 Twi琀琀er name
• A琀琀acker is now in control of every domain name
– And there were some good ones
• A琀琀acker extorts a swap
– Domain control for @N
– Owner agrees
• Twi琀琀er reviewed the case for a month
– Eventually restored access to @N
• How I Lost My $50,000 Twi琀琀er Username
– h琀琀ps://professormesser.link/twi琀琀ername
1.2 - An Overview of Malware
Malware
• Malicious so昀琀ware
– These can be very bad
• Gather informa琀椀on
– Keystrokes
• Par琀椀cipate in a group
– Controlled over the ‘net
• Show you adver琀椀sing
– Big money
• Viruses and worms
– Encrypt your data
– Ruin your day
Malware Types and Methods
• Viruses
• Crypto-malware
• Ransomware
• Worms
• Trojan Horse
© 2020 Messer Studios, LLC
• Rootkit
• Keylogger
• Adware/Spyware
• Botnet
How you get malware
• These all work together
– A worm takes advantage of a vulnerability
– Installs malware that includes a remote access
backdoor
– Bot may be installed later
• Your computer must run a program
– Email link - Don’t click links
– Web page pop-up
– Drive-by download
– Worm
• Your computer is vulnerable
– Opera琀椀ng system - Keep your OS updated!
– Applica琀椀ons - Check with the publisher
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 5
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.2 - Viruses and Worms
Virus
• Malware that can reproduce itself
– It needs you to execute a program
• Reproduces through 昀椀le systems or the network
– Just running a program can spread a virus
• May or may not cause problems
– Some viruses are invisible, some are annoying
• An琀椀-virus is very common
– Thousands of new viruses every week
– Is your signature 昀椀le updated?
Virus types
• Program viruses
– It’s part of the applica琀椀on
• Boot sector viruses
– Who needs an OS?
• Script viruses
– Opera琀椀ng system and browser-based
• Macro viruses
– Common in Microso昀琀 O昀케ce
Fileless virus
• A stealth a琀琀ack
– Does a good job of avoiding an琀椀-virus detec琀椀on
• Operates in memory
– But never installed in a 昀椀le or applica琀椀on
Fileless virus
infec琀椀on process
Worms
• Malware that self-replicates
– Doesn’t need you to do anything
– Uses the network as a transmission medium
– Self-propagates and spreads quickly
1
• Worms are pre琀琀y bad things
– Can take over many systems very quickly
• Firewalls and IDS/IPS can mi琀椀gate
many worm infesta琀椀ons
– Doesn’t help much once the worm gets inside
2
Infected computer
searches for
vulnerable system
Vulnerable
computer
is exploited
3
© 2020 Messer Studios, LLC
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 6
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
Backdoor is
installed and
downloads worm
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.2 - Ransomware and Crypto-malware
Your data is valuable
• Personal data
– Family pictures and videos
– Important documents
• Organiza琀椀on data
– Planning documents
– Employee personally iden琀椀昀椀able informa琀椀on (PII)
– Financial informa琀椀on
– Company private data
• How much is it worth?
– There’s a number
Ransomware
• The a琀琀ackers want your money
– They’ll take your computer in the mean琀椀me
• May be a fake ransom
– Locks your computer “by the police”
• The ransom may be avoided
– A security professional may be able to remove
these kinds of malware
Crypto-malware
• A newer genera琀椀on of ransomware
– Your data is unavailable un琀椀l you provide cash
• Malware encrypts your data 昀椀les
– Pictures, documents, music, movies, etc.
– Your OS remains available
– They want you running, but not working
• You must pay the bad guys to obtain the decryp琀椀on key
– Untraceable payment system
– An unfortunate use of public-key cryptography
Protec琀椀ng against ransomware
• Always have a backup
– An o昀툀ine backup, ideally
• Keep your opera琀椀ng system up to date
– Patch those vulnerabili琀椀es
• Keep your applica琀椀ons up to date
– Security patches
• Keep your an琀椀-virus/an琀椀-malware signatures up to date
– New a琀琀acks every hour
• Keep everything up to date
1.2 - Trojans and RATs
Trojan horse
• Used by the Greeks to capture
– Troy from the Trojans
– A digital wooden horse
• So昀琀ware that pretends to be something else
– So it can conquer your computer
– Doesn’t really care much about replica琀椀ng
• Circumvents your exis琀椀ng security
– An琀椀-virus may catch it when it runs
– The be琀琀er Trojans are built to avoid and disable AV
• Once it’s inside it has free reign
– And it may open the gates for other programs
Poten琀椀ally Unwanted Program (PUP)
• Iden琀椀昀椀ed by an琀椀-virus/an琀椀-malware
– Poten琀椀ally undesirable so昀琀ware
– O昀琀en installed along with other so昀琀ware
• Overly aggressive browser toolbar
• A backup u琀椀lity that displays ads
• Browser search engine hijacker
Backdoors
• Why go through normal authen琀椀ca琀椀on methods?
– Just walk in the back door
• O昀琀en placed on your computer through malware
– Some malware so昀琀ware can take advantage of
backdoors created by other malware
• Some so昀琀ware includes a backdoor (oops)
– Old Linux kernel included a backdoor
– Bad so昀琀ware can have a backdoor as part of the app
© 2020 Messer Studios, LLC
Remote Access Trojans (RATs)
• Remote Administra琀椀on Tool
– The ul琀椀mate backdoor
– Administra琀椀ve control of a device
• Malware installs the server/service/host
– A琀琀acker connects with the client so昀琀ware
• Control a device
– Key logging
– Screen recording /screenshots
– Copy 昀椀les
– Embed more malware
Protec琀椀ng against Trojans and RATs
• Don’t run unknown so昀琀ware
– Consider the consequences
• Keep an琀椀-virus/an琀椀-malware signatures updated
– There are always new a琀琀acks
• Always have a backup
– You may need to quickly recover
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 7
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.2 - Rootkits
Rootkits
• Originally a Unix technique
– The “root” in rootkit
• Modi昀椀es core system 昀椀les
– Part of the kernel
• Can be invisible to the opera琀椀ng system
– Won’t see it in Task Manager
• Also invisible to tradi琀椀onal an琀椀-virus u琀椀li琀椀es
– If you can’t see it, you can’t stop it
Kernel drivers
• Zeus/Zbot malware
– Famous for cleaning out bank accounts
• Now combined with Necurs rootkit
– Necurs is a kernel-level driver
• Necurs makes sure you can’t delete Zbot
– Access denied
• Trying to stop the Windows process?
– Error termina琀椀ng process: Access denied
Finding and removing rootkits
• Look for the unusual
– An琀椀-malware scans
• Use a remover speci昀椀c to the rootkit
– Usually built a昀琀er the rootkit is discovered
• Secure boot with UEFI
– Security in the BIOS
1.2 - Spyware
Adware
• Your computer is one big adver琀椀sement
– Pop-ups with pop-ups
• May cause performance issues
– Especially over the network
• Installed accidentally
– May be included with other so昀琀ware
• Be careful of so昀琀ware that claims to remove adware
– Especially if you learned about it from a pop-up
Spyware
• Malware that spies on you
– Adver琀椀sing, iden琀椀ty the昀琀, a昀케liate fraud
• Can trick you into installing
– Peer to peer, fake security so昀琀ware
• Browser monitoring
– Capture sur昀椀ng habits
• Keyloggers - Capture every keystroke
– Send it back to the mother ship
Why is there so much adware and spyware?
• Money
– Your eyeballs are incredibly valuable
• Money
– Your computer 琀椀me and bandwidth
is incredibly valuable
• Money
– Your bank account is incredibly valuable
– Yes, even your bank account
Protec琀椀ng against adware/spyware
• Maintain your an琀椀-virus / an琀椀-malware
– Always have the latest signatures
• Always know what you’re installing
– And watch your op琀椀ons during the installa琀椀on
• Where’s your backup?
– You might need it someday
– Cleaning adware isn’t easy
• Run some scans - Malwarebytes
1.2 - Bots and Botnets
Bots (Robots)
• Once your machine is infected, it becomes a bot
– You may not even know
• How does it get on your computer?
– Trojan Horse (I just saw a funny video of you! Click here.) or...
– You run a program or click an ad you THOUGHT was legit,
but...
– OS or applica琀椀on vulnerability
• A day in the life of a bot
– Sit around. Check in with the Command and Control (C&C)
server. Wait for instruc琀椀ons.
© 2020 Messer Studios, LLC
Botnets
• A group of bots working together
– Nothing good can come from this
• Distributed Denial of service (DDoS)
– The power of many
• Relay spam, proxy network tra昀케c,
distributed compu琀椀ng tasks
• Botnets are for sale
– Rent 琀椀me from the botnet owner
– Not a long-term business proposi琀椀on
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 8
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.2 - Bots and Botnets (con琀椀nued)
Stopping the bot
• Prevent the ini琀椀al infec琀椀on
– OS and applica琀椀on patches
– An琀椀-virus/an琀椀-malware and updated signatures
• Iden琀椀fy an exis琀椀ng infec琀椀on
– On-demand scans, network monitoring
• Prevent command and control (C&C)
– Block at the 昀椀rewall
– Iden琀椀fy at the worksta琀椀on with a
host-based 昀椀rewall or host-based IPS
1.2 - Logic Bombs
Logic Bomb
• Waits for a prede昀椀ned event
– O昀琀en le昀琀 by someone with grudge
• Time bomb
– Time or date
• User event
– Logic bomb
• Di昀케cult to iden琀椀fy
– Di昀케cult to recover if it goes o昀昀
Real-world logic bombs
• March 19, 2013, South Korea
– Email with malicious a琀琀achment sent to
– South Korean organiza琀椀ons
– Posed as a bank email
– Trojan installs malware
• March 20, 2013, 2 p.m. local 琀椀me
– Malware 琀椀me-based logic-bomb ac琀椀vates
– Storage and master boot record deleted, system
reboots
– Boot device not found.
– Please install an opera琀椀ng system on your hard disk.
• December 17, 2016, 11:53 p.m.
– Kiev, Ukraine, high-voltage substa琀椀on
– Logic bomb begins disabling electrical circuits
– Malware mapped out the control network
– Began disabling power at a predetermined 琀椀me
– Customized for SCADA networks
(Supervisory Control and Data Acquisi琀椀on)
Preven琀椀ng a logic bomb
• Di昀케cult to recognize
– Each is unique
– No prede昀椀ned signatures
• Process and procedures
– Formal change control
• Electronic monitoring
– Alert on changes
– Host-based intrusion detec琀椀on, Tripwire, etc.
• Constant audi琀椀ng
– An administrator can circumvent exis琀椀ng systems
1.2 - Password A琀琀acks
Plaintext / unencrypted passwords
• Some applica琀椀ons store passwords “in the clear”
– No encryp琀椀on. You can read the stored password.
– This is rare, thankfully
• Do not store passwords as plaintext
– Anyone with access to the password 昀椀le or database
has every creden琀椀al
• What to do if your applica琀椀on saves
passwords as plaintext:
– Get a be琀琀er applica琀椀on
Linux Account
Hashes
© 2020 Messer Studios, LLC
Hashing a password
• Hashes represent data as a 昀椀xed-length string of text
– A message digest, or “昀椀ngerprint”
• Will not have a collision (hopefully)
– Di昀昀erent inputs will not have the same hash
• One-way trip
– Impossible to recover the original message
from the digest
– A common way to store passwords
The password 昀椀le
• Di昀昀erent across opera琀椀ng systems and applica琀椀ons
– Di昀昀erent hash algorithms
Jumper Bay:1001::42e2f19c31c9ff73cb97eb1b26c10f54:::
Carter:1007::cf4eb977a6859c76efd21f5094ecf77d:::
Jackson:1008::e1f757d9cdc06690509e04b5446317d2:::
O’Neill:1009::78a8c423faedd2f002c6aef69a0ac1af:::
Teal’c:1010::bf84666c81974686e50d300bc36aea01:::
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 9
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.2 - Password A琀琀acks (con琀椀nued)
Spraying a琀琀ack
• Try to login with an incorrect password
– Eventually you’re locked out
• There are some common passwords
– h琀琀ps://en.wikipedia.org/wiki/List_of_the_most_
common_passwords
• A琀琀ack an account with the top three (or more) passwords
– If they don’t work, move to the next account
– No lockouts, no alarms, no alerts
Brute force
• Try every possible password combina琀椀on
un琀椀l the a hash is matched
• This might take some 琀椀me
– A strong hashing algorithm slows things down
• Brute force a琀琀acks - Online
– Keep trying the login process
– Very slow
– Most accounts will lockout a昀琀er a number
of failed a琀琀empts
• Brute force the hash - O昀툀ine
– Obtain the list of users and hashes
– Calculate a password hash, compare it to a stored hash
– Large computa琀椀onal resource requirement
Dic琀椀onary a琀琀acks
• Use a dic琀椀onary to 昀椀nd common words
– Passwords are created by humans
• Many common wordlists available on the ‘net
– Some are customized by language or line of work
• The password crackers can subs琀椀tute le琀琀ers
– p&ssw0rd
• This takes 琀椀me
– Distributed cracking and GPU cracking is common
• Discover passwords for common words
– This won’t discover random character passwords
Rainbow tables
• An op琀椀mized, pre-built set of hashes
– Saves 琀椀me and storage space
– Doesn’t need to contain every hash
– Contains pre-calculated hash chains
• Remarkable speed increase
– Especially with longer password lengths
• Need di昀昀erent tables for di昀昀erent hashing methods
– Windows is di昀昀erent than MySQL
Adding some salt
• Salt
– Random data added to a password when hashing
• Every user gets their own random salt
– The salt is commonly stored with the password
• Rainbow tables won’t work with salted hashes
– Addi琀椀onal random value added to the
original password
• This slows things down the brute force process
– It doesn’t completely stop the reverse engineering
• Each user gets a di昀昀erent random hash
– The same password creates a di昀昀erent hash
When the hashes get out
• January 2019 - Collec琀椀on #1
– A collec琀椀on of email addresses and passwords
– 12,000+ 昀椀les and 87 GB of data
• 1,160,253,228 unique emails and passwords
– A compila琀椀on of data breach results
• 772,904,991 unique usernames
– That’s about 773 million people
• 21,222,975 unique passwords
– You really need a password manager
• h琀琀ps://haveibeenpwned.com/
1.2 - Physical A琀琀acks
Malicious USB cable
• It looks like a normal USB cable
– It has addi琀椀onal electronics inside
• Opera琀椀ng system iden琀椀昀椀es it as a HID
– Human Interface Device
– It looks like you’ve connected a keyboard or mouse
– A keyboard doesn’t need extra rights or permissions
• Once connected, the cable takes over
– Downloads and installs malicious so昀琀ware
• Don’t just plug in any USB cable
– Always use trusted hardware
Malicious 昀氀ash drive
• Free USB 昀氀ash drive!
– Plug it in and see what’s on it
– That’s a bad idea
© 2020 Messer Studios, LLC
• Older opera琀椀ng systems would automa琀椀cally run 昀椀les
– This has now been disabled or removed by default
• Could s琀椀ll act as a HID (Human Interface Device) /
Keyboard
– Start a command prompt and type anything
without your interven琀椀on
• A琀琀ackers can load malware in documents
– PDF 昀椀les, spreadsheets
• Can be con昀椀gured as a boot device
– Infect the computer a昀琀er a reboot
• Acts as an Ethernet adapter
– Redirects or modi昀椀es Internet tra昀케c requests
– Acts as a wireless gateway for other devices
• Never connect an untrusted USB device
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 10
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.2 - Physical a琀琀acks (con琀椀nued)
Skimming
• Stealing credit card informa琀椀on,
usually during a normal transac琀椀on
– Copy data from the magne琀椀c stripe:
– Card number, expira琀椀on date, card holder’s name
• ATM skimming
– Includes a small camera to also watch for your PIN
• A琀琀ackers use the card informa琀椀on for other 昀椀nancial
transac琀椀ons
– Fraud is the responsibility of the seller
• Always check before using card readers
Card cloning
• Get card details from a skimmer
– The clone needs an original
• Create a duplicate of a card
– Looks and feels like the original
– O昀琀en includes the printed CVC (Card Valida琀椀on Code)
• Can only be used with magne琀椀c stripe cards
– The chip can’t be cloned
• Cloned gi昀琀 cards are common
– A magne琀椀c stripe technology
1.2 - Adversarial Ar琀椀昀椀cial Intelligence
Machine learning
• Our computers are ge琀�ng smarter
– They iden琀椀fy pa琀琀erns in data and improve
their predic琀椀ons
• This requires a lot of training data
– Face recogni琀椀on requires analyzing a lot of faces
– Driving a car requires a lot of road 琀椀me
• In use every day
– Stop spam
– Recommend products from an online retailer
– What movie would you like to see? This one.
– Prevent car accidents
Poisoning the training data
• Confuse the ar琀椀昀椀cial intelligence (AI)
– A琀琀ackers send modi昀椀ed training data that causes
the AI to behave incorrectly
• Microso昀琀 AI cha琀琀er bot named Tay
• (Thinking About You)
– Joins Twi琀琀er on March 23, 2016
– Designed to learn by interac琀椀ng with Twi琀琀er users
– Microso昀琀 didn’t program in an琀椀-o昀昀ensive behavior
– Tay quickly became racist, sexist, and inappropriate
Evasion a琀琀acks
• The AI is only as good as the training
– A琀琀ackers 昀椀nd the holes and limita琀椀ons
• An AI that knows what spam looks like can be
fooled by a di昀昀erent approach
– Change the number of good and bad words in the
message
• An AI that uses real-world informa琀椀on can release
con昀椀den琀椀al informa琀椀on
– Trained with data that includes social security
numbers
– AI can be fooled into revealing those numbers
Securing the learning algorithms
• Check the training data
– Cross check and verify
• Constantly retrain with new data
– More data
– Be琀琀er data
• Train the AI with possible poisoning
– What would the a琀琀acker try to do?
1.2 - Supply Chain A琀琀acks
Supply chain
• The chain contains many moving parts
– Raw materials, suppliers, manufacturers,
distributors, customers, consumers
• A琀琀ackers can infect any step along the way
– Infect di昀昀erent parts of the chain without suspicion
– People trust their suppliers
• One exploit can infect the en琀椀re chain
– There’s a lot at stake
Supply chain security
• Target Corp. breach - November 2013
– 40 million credit cards stolen
• Hea琀椀ng and AC 昀椀rm in Pennsylvania was infected
– Malware delivered in an email
– VPN creden琀椀als for HVAC techs was stolen
© 2020 Messer Studios, LLC
• HVAC vendor was the supplier
– A琀琀ackers used a wide-open Target network to
infect every cash register at 1,800 stores
• Do these technicians look like an IT security issue?
Supply chain security
• Can you trust your new
server/router/switch/昀椀rewall/so昀琀ware?
– Supply chain cybersecurity
• Use a small supplier base
– Tighter control of vendors
• Strict controls over policies and procedures
– Ensure proper security is in place
• Security should be part of the overall design
– There’s a limit to trust
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 11
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.2 - Cloud-based vs. On-Premises A琀琀acks
A琀琀acks can happen anywhere
• Two categories for IT security
– The on-premises data is more secure!
– The cloud-based data is more secure!
• Cloud-based security is centralized and costs less
– No dedicated hardware, no data center to secure
– A third-party handles everything
• On-premises puts the security burden on the client
– Data center security and infrastructure costs
• A琀琀ackers want your data
– They don’t care where it is
On-premises security
• Customize your security posture
– Full control when everything is in-house
• On-site IT team can manage security be琀琀er
– The local team can ensure everything is secure
– A local team can be expensive and di昀케cult to sta昀昀
• Local team maintains up琀椀me and availability
– System checks can occur at any 琀椀me
– No phone call for support
• Security changes can take 琀椀me
– New equipment, con昀椀gura琀椀ons, and addi琀椀onal costs
Security in the cloud
• Data is in a secure environment
– No physical access to the data center
– Third-party may have access to the data
• Cloud providers are managing large-scale security
– Automated signature and security updates
– Users must follow security best-prac琀椀ces
• Limited down琀椀me
– Extensive fault-tolerance and 24/7/365 monitoring
• Scalable security op琀椀ons
– One-click security deployments
– This may not be as customizable as necessary
1.2 - Cryptographic A琀琀acks
Cryptographic a琀琀acks
• You’ve encrypted data and sent it to another person
– Is it really secure? How do you know?
• The a琀琀acker doesn’t have the combina琀椀on (the key)
– So they break the safe (the cryptography)
• Finding ways to undo the security
– There are many poten琀椀al cryptographic shortcomings
– The problem is o昀琀en the implementa琀椀on
Birthday a琀琀ack
• In a classroom of 23 students, what is the chance of
two students sharing a birthday? About 50%.
– For a class of 30, the chance is about 70%
• In the digital world, this is a hash collision
– A hash collision is the same hash value for two
di昀昀erent plaintexts
– Find a collision through brute force
• The a琀琀acker will generate mul琀椀ple versions of
plaintext to match the hashes
– Protect yourself with a large hash output size
Collisions
• Hash digests are supposed to be unique
– Di昀昀erent input data should never create the same hash
• MD5 hash
– Message Digest Algorithm 5
– Published in April 1992, Collisions iden琀椀昀椀ed in 1996
• December 2008: Researchers created CA cer琀椀昀椀cate
that appeared legi琀椀mate when MD5 is checked
– Built other cer琀椀昀椀cates that appeared to be legit
and issued by RapidSSL
Downgrade a琀琀ack
• Instead of using perfectly good encryp琀椀on, use
something that’s not so great
– Force the systems to downgrade their security
• 2014 - TLS vulnerability - POODLE (Padding Oracle
On Downgraded Legacy Encryp琀椀on)
– On-path a琀琀ack
– Forces clients to fall back to SSL 3.0
– SSL 3.0 has signi昀椀cant cryptographic vulnerabili琀椀es
– Because of POODLE, modern browsers won’t fall back
to SSL 3.0
1.3 - Privilege escala琀椀on
Privilege escala琀椀on
• Gain higher-level access to a system
– Exploit a vulnerability - Might be a bug or design 昀氀aw
• Higher-level access means more capabili琀椀es
– This commonly is the highest-level access
– This is obviously a concern
• These are high-priority vulnerability patches
– You want to get these holes closed very quickly
– Any user can be an administrator
• Horizontal privilege escala琀椀on
– User A can access user B resources
© 2020 Messer Studios, LLC
Mi琀椀ga琀椀ng privilege escala琀椀on
• Patch quickly
– Fix the vulnerability
• Updated an琀椀-virus/an琀椀-malware so昀琀ware
– Block known vulnerabili琀椀es
• Data Execu琀椀on Preven琀椀on
– Only data in executable areas can run
• Address space layout randomiza琀椀on
– Prevent a bu昀昀er overrun at a known
memory address
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 12
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.3 - Cross-site Scrip琀椀ng
Cross-site scrip琀椀ng
• XSS
– Cascading Style Sheets (CSS) are something else en琀椀rely
• Originally called cross-site because of browser security 昀氀aws
– Informa琀椀on from one site could be shared with another
• One of the most common web applica琀椀on
development errors
– Takes advantage of the trust a user has for a site
– Complex and varied
• Malware that uses JavaScript - Do you allow scripts? Me too.
Non-persistent (re昀氀ected) XSS a琀琀ack
• Web site allows scripts to run in user input
– Search box is a common source
• A琀琀acker emails a link that takes advantage of this
vulnerability
– Runs a script that sends creden琀椀als/session IDs/cookies
to the a琀琀acker
• Script embedded in URL executes in the vic琀椀m’s browser
– As if it came from the server
• A琀琀acker uses creden琀椀als/session IDs/cookies to steal
vic琀椀m’s informa琀椀on without their knowledge
– Very sneaky
Persistent (stored) XSS a琀琀ack
• A琀琀acker posts a message to a social network
– Includes the malicious payload
• It’s now “persistent” - Everyone gets the payload
• No speci昀椀c target - All viewers to the page
• For social networking, this can spread quickly
– Everyone who views the message can have it
posted to their page
– Where someone else can view it and propagate it further...
Hacking a Subaru
• June 2017, Aaron Guzman
– Security researcher
• When authen琀椀ca琀椀ng with Subaru, users get a token
– This token never expires (bad!)
• A valid token allowed any service request
– Even adding your email address to someone
else’s account
– Now you have full access to someone else’s car
• Web front-end included an XSS vulnerability
– A user clicks a malicious link, and you have
their token
Protec琀椀ng against XSS
• Be careful when clicking untrusted links
– Never blindly click in your email inbox. Never.
• Consider disabling JavaScript
– Or control with an extension
– This o昀昀ers limited protec琀椀on
• Keep your browser and applica琀椀ons updated
– Avoid the nasty browser vulnerabili琀椀es
• Validate input
– Don’t allow users to add their own scripts to an
input 昀椀eld
1.3 - Injec琀椀on A琀琀acks
Code injec琀椀on
• Code injec琀椀on
– Adding your own informa琀椀on into a data stream
• Enabled because of bad programming
– The applica琀椀on should properly handle
input and output
• So many di昀昀erent data types
– HTML, SQL, XML, LDAP, etc.
SQL injec琀椀on
• SQL - Structured Query Language
– The most common rela琀椀onal database
management system language
• SQL Injec琀椀on
– Modifying SQL requests
– Your applica琀椀on shouldn’t really allow this
© 2020 Messer Studios, LLC
XML injec琀椀on and LDAP injec琀椀on
• XML - Extensible Markup Language
– A set of rules for data transfer and storage
• XML injec琀椀on
– Modifying XML requests - a good applica琀椀on will validate
• LDAP - Lightweight Directory Access Protocol
– Created by the telephone companies
– Now used by almost everyone
• LDAP injec琀椀on
– Modify LDAP requests to manipulate applica琀椀on results
DLL injec琀椀on
• Dynamic-Link Library
– A Windows library containing code and data
– Many applica琀椀ons can use this library
• Inject a DLL and have an applica琀椀on run a program
– Runs as part of the target process
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 13
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.3 - Bu昀昀er Over昀氀ows
Bu昀昀er over昀氀ows
• Overwri琀椀ng a bu昀昀er of memory
– Spills over into other memory areas
• Developers need to perform bounds checking
– The a琀琀ackers spend a lot of 琀椀me looking for openings
• Not a simple exploit
– Takes 琀椀me to avoid crashing things
– Takes 琀椀me to make it do what you want
• A really useful bu昀昀er over昀氀ow is repeatable
– Which means that a system can be compromised
Variable(A(and(B(before(buffer(overflow
Variable(Name
A
Value
Hex(Value
B
[null(string]
00
00
00
00
00
1979
00
00
00
07
BB
Overflowing(variable(A(changes(variable(B
Variable(Name
B
A
Value
'e'
'x'
'c'
'e'
's'
's'
'i'
'v'
Hex(Value
65
78
63
65
73
73
69
76
25856
65
00
1.3 - Replay A琀琀acks
Replay a琀琀ack
• Useful informa琀椀on is transmi琀琀ed over the network
– A cra昀琀y hacker will take advantage of this
• Need access to the raw network data
– Network tap, ARP poisoning, malware on the vic琀椀m computer
• The gathered informa琀椀on may help the a琀琀acker
– Replay the data to appear as someone else
• This is not an on-path a琀琀ack
– The actual replay doesn’t require
the original worksta琀椀on
• Avoid this type of replay a琀琀ack with a salt
– Use a session ID with the password hash to
create a unique authen琀椀ca琀椀on hash each 琀椀me
Pass the Hash
1
Client authen,cates to
the server with a username
and hashed password
Client
2
Server
During authen,ca,on,
the a:acker captures
the username
and password hash
3
A+acker
Header manipula琀椀on
• Informa琀椀on gathering
– Wireshark, Kismet
• Exploits
– Cross-site scrip琀椀ng
• Modify headers
– Tamper, Firesheep, Scapy
• Modify cookies
– Cookies Manager+ (Firefox add-on)
© 2020 Messer Studios, LLC
A:acker sends his own
authen,ca,on request
using the captured creden,als
Prevent session hijacking
• Encrypt end-to-end
– They can’t capture your session ID if they can’t see it
– Addi琀椀onal load on the web server (HTTPS)
– Firefox extension: HTTPS Everywhere, Force-TLS
– Many sites are now HTTPS-only
• Encrypt end-to-somewhere
– At least avoid capture over a local wireless network
– S琀椀ll in-the-clear for part of the journey
– Personal VPN (OpenVPN, VyprVPN, etc.)
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 14
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.3 - Replay A琀琀acks (con琀椀nued)
• Could be considered be a privacy risk
– Lots of personal data in there
• Session IDs are o昀琀en stored in the cookie
– Maintains sessions across mul琀椀ple browser sessions
Browser cookies and session IDs
• Cookies
– Informa琀椀on stored on your computer by the browser
• Used for tracking, personaliza琀椀on, session management
– Not executable, not generally a security risk
– Unless someone gets access to them
Session hijacking (Sidejacking)
Vic*m authen*cates
to the server
1
Vic*m
Client authen*ca*on
2
Your session ID: 3B0027A38FDF37
3
A"acker intercepts
the session ID and
uses it to access the
server with the
vic*m’s creden*als
Server provides
a session ID
to the client
ID:
Session
7
38FDF3
A
7
2
0
0
3B
A"acker
Web Server
1.3 - Request Forgeries
Cross-site requests
• Cross-site requests are common and legi琀椀mate
– You visit ProfessorMesser.com
– Your browser loads text from the
ProfessorMesser.com server
– Your browser loads a video from YouTube
– Your browser loads pictures from Instagram
• HTML on ProfessorMesser.com directs
requests from your browser
– This is normal and expected
– Most of these are unauthen琀椀cated requests
The client and the server
• Website pages consist of client-side
code and server-side code
– Many moving parts
• Client side
– Renders the page on the screen
– HTML, JavaScript
• Server side
– Performs requests from
the client - HTML, PHP
– Transfer money from one
account to another
– Post a video on YouTube
Cross-site request forgery
• One-click a琀琀ack, session riding - XSRF, CSRF (sea surf)
• Takes advantage of the trust that a web applica琀椀on
has for the user
– The web site trusts your browser
– Requests are made without your consent or your knowledge
– A琀琀acker posts a Facebook status on your account
• Signi昀椀cant web applica琀椀on development oversight
– The applica琀椀on should have an琀椀-forgery techniques added
– Usually a cryptographic token to prevent a forgery
Cross-site request forgery
2
Request is sent as a
hyperlink to a user who
may already be logged
into the bank web site
3
Bank Site Visitor
creates a
1 A"acker
funds transfer request
A2acker
© 2020 Messer Studios, LLC
Visitor clicks the link and
unknowingly sends the
transfer request to
the bank web site
4
Bank Web Server
Bank validates the transfer
and sends the visitor’s funds
to the a"acker
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 15
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.3 - Request Forgeries (con琀椀nued)
Server-side request forgery (SSRF)
• A琀琀acker 昀椀nds a vulnerable web applica琀椀on
– Sends requests to a web server
– Web server performs the request on
behalf of the a琀琀acker
• Caused by bad programming
– Never trust the user input
– Server should validate the input
and the responses
– These are rare, but can be
cri琀椀cal vulnerabili琀椀es
Capital One SSRF breach - March 2019
• A琀琀acker is able to execute commands
on the Capital One website
– This is normally stopped by a WAF
(Web Applica琀椀on Firewall)
– The WAF was miscon昀椀gured
• A琀琀acker obtained security creden琀椀als for the WAF role
• WAF-Role account listed the buckets on Amazon S3
• A琀琀acker retrieved the data from the Amazon buckets
• Credit card applica琀椀on data from 2005 through 2019
– 106 million names, address, phone, email, DoB
– 140,000 Social Security numbers,
80,000 bank accounts
Server-side request forgery (SSRF)
1
A)acker sends a request
that controls a web applica9on
A)acker
2
Web server sends request
to another service,
such as cloud file storage
Web Server
4
Web Server forwards
response to a)acker
3
Cloud storage
sends response
to Web Server
Database
Cache
File Storage
Directory
Services
1.3 - Driver Manipula琀椀on
Malware hide-and-go-seek
• Tradi琀椀onal an琀椀-virus is very good at iden琀椀fying
known a琀琀acks
– Checks the signature
– Block anything that matches
• There are s琀椀ll ways to infect and hide
– It’s a constant war
– Zero-day a琀琀acks, new a琀琀ack types, etc.
Your drivers are powerful
• The interac琀椀on between the hardware and your
opera琀椀ng system
– They are o昀琀en trusted
– Great opportunity for security issues
• May 2016 - HP Audio Drivers
– Conexant audio chips
– Driver installa琀椀on includes audio control so昀琀ware
– Debugging feature enables a keylogger
• Hardware interac琀椀ons contain sensi琀椀ve informa琀椀on
– Video, keyboard, mouse
© 2020 Messer Studios, LLC
Shimming
• Filling in the space between two objects
– A middleman
• Windows includes it’s own shim
– Backwards compa琀椀bility with previous
Windows versions
– Applica琀椀on Compa琀椀bility Shim Cache
• Malware authors write their own shims
– Get around security (like UAC)
• January 2015 Microso昀琀 vulnerability
– Elevates privilege
Refactoring
• Metamorphic malware
– A di昀昀erent program each 琀椀me it’s downloaded
• Make it appear di昀昀erent each 琀椀me
– Add NOP instruc琀椀ons
– Loops, pointless code strings
• Can intelligently redesign itself
– Reorder func琀椀ons
– Modify the applica琀椀on 昀氀ow
– Reorder code and insert unused data types
• Di昀케cult to match with signature-based detec琀椀on
– Use a layered approach
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 16
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.3 - SSL Stripping
SSL stripping / HTTP downgrade
• Combines an on-path a琀琀ack with a downgrade a琀琀ack
– Di昀케cult to implement, but big returns for the a琀琀acker
• A琀琀acker must sit in the middle of the conversa琀椀on
– Must modify data between the vic琀椀m and web server
– Proxy server, ARP spoo昀椀ng, rogue Wi-Fi hotspot, etc.
• Vic琀椀m does not see any signi昀椀cant problem
– Except the browser page isn’t encrypted
– Strips the S away from HTTPS
• This is a client and server problem
– Works on SSL and TLS
SSL stripping
SSL and TLS
• SSL (Secure Sockets Layer) 2.0 - Deprecated in 2011
• SSL 3.0
– Vulnerable to the POODLE a琀琀ack
– Deprecated in June 2015
• Transport Layer Security (TLS) 1.0
– Upgrade to SSL 3.0, and a name change
from SSL to TLS
– Can downgrade to SSL 3.0
• TLS 1.1
– Deprecated in January 2020 by modern browsers
• TLS 1.2 and TLS 1.3 - The latest standards
GET h.p://example.com
GET h.p://example.com
Web site
Visitor
301 Moved
A.acker
Web Server
GET h.ps://example.com
200 OK (HTTPS)
200 OK (HTTP)
POST h.p://example.com
user: professor & password: ninja1
Man-in-the-middle
Rewrites URLs
HTTP/HTTPS
POST h.ps://example.com
user: professor & password: ninja1
1.3 - Race Condi琀椀ons
Race condi琀椀on
– Problem is with the 昀椀le system, so reboot because
• A programming conundrum
of the 昀椀le system problem
– Some琀椀mes, things happen at the same 琀椀me
– Reboot loop was the result
– This can be bad if you’ve not planned for it
• GE Energy - Energy Management System
• Time-of-check to 琀椀me-of-use a琀琀ack (TOCTOU)
– Three power lines failed at the same 琀椀me
– Check the system
– Race condi琀椀on delayed alerts
– When do you use the results of your last check? – Caused the Northeast Blackout of 2003
– Something might happen between the check
• Therac-25 radia琀椀on therapy machine in the 1980s
and the use
– Used so昀琀ware interlocks instead of hardware
Race condi琀椀ons can cause big problems
– Race condi琀椀on caused 100 琀椀mes the normal dose of radia琀椀on
• January 2004 - Mars rover “Spirit”
– Six pa琀椀ents injured, three deaths
– Reboot when a problem is iden琀椀昀椀ed
© 2020 Messer Studios, LLC
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 17
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.3 - Other Applica琀椀on A琀琀acks
Memory vulnerabili琀椀es
• Manipula琀椀ng memory can be advantageous
– Rela琀椀vely di昀케cult to accomplish
• Memory leak
– Unused memory is not properly released
– Begins to slowly grow in size
– Eventually uses all available memory
– System crashes
• NULL Pointer dereference
– Programming technique that references a
por琀椀on of memory
– What happens if that reference points to nothing?
– Applica琀椀on crash, debug informa琀椀on displayed, DoS
• Integer over昀氀ow
– Large number into a smaller sized space
– Where does the extra number go?
– You shouldn’t be able to manipulate
memory this way
Directory traversal
• Directory traversal / path traversal
– Read 昀椀les from a web server that are outside of
the website’s 昀椀le directory
– Users shouldn’t be able to browse
the Windows folder
• Web server so昀琀ware vulnerability
– Won’t stop users from browsing past the
web server root
• Web applica琀椀on code vulnerability
– Take advantage of badly wri琀琀en code
Improper error handling
• Errors happen
– And you should probably know about it
• Messages should be just informa琀椀onal enough
– Avoid too much detail
– Network informa琀椀on, memory dump,
stack traces, database dumps
• This is an easy one to 昀椀nd and 昀椀x
– A development best-prac琀椀ce
Improper input handling
• Many applica琀椀ons accept user input
– We put data in, we get data back
• All input should be considered malicious
– Check everything. Trust nobody.
• Allowing invalid input can be devasta琀椀ng
– SQL injec琀椀ons, bu昀昀er over昀氀ows,
denial of service, etc.
• It takes a lot of work to 昀椀nd input that
can be used maliciously
– But they will 昀椀nd it
API a琀琀acks
• API - Applica琀椀on Programming Interface
• A琀琀ackers look for vulnerabili琀椀es in this new
communica琀椀on path
– Exposing sensi琀椀ve data, DoS, intercepted
communica琀椀on, privileged access
Resource exhaus琀椀on
• A specialized DoS (Denial of Service) a琀琀ack
– May only require one device and low bandwidths
• ZIP bomb
– A 42 kilobyte .zip compressed 昀椀le
– Uncompresses to 4.5 petabytes (4,500 terabytes)
– An琀椀-virus will iden琀椀fy these
• DHCP starva琀椀on
– A琀琀acker 昀氀oods a network with IP address requests
– MAC address changes each 琀椀me
– DHCP server eventually runs out of addresses
– Switch con昀椀gura琀椀ons can rate limit DHCP requests
Tradi琀椀onal vs. API-based applica琀椀ons
© 2020 Messer Studios, LLC
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 18
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.4 - Rogue Access Points and Evil Twins
Rogue access points
• An unauthorized wireless access point
– May be added by an employee or an a琀琀acker
– Not necessarily malicious
– A signi昀椀cant poten琀椀al backdoor
• Very easy to plug in a wireless AP
– Or enable wireless sharing in your OS
• Schedule a periodic survey
– Walk around your building/campus
– Use third-party tools / WiFi Pineapple
• Consider using 802.1X (Network Access Control)
– You must authen琀椀cate, regardless of the
connec琀椀on type
Wireless evil twins
• Looks legi琀椀mate, but actually malicious
– The wireless version of phishing
• Con昀椀gure an access point to look like an exis琀椀ng network
– Same (or similar) SSID and security se琀�ngs/cap琀椀ve portal
• Overpower the exis琀椀ng access points
– May not require the same physical loca琀椀on
• WiFi hotspots (and users) are easy to fool
– And they’re wide open
• You encrypt your communica琀椀on, right?
– Use HTTPS and a VPN
1.4 - Bluejacking and Bluesnar昀椀ng
Bluejacking
• Sending of unsolicited messages to another
device via Bluetooth
– No mobile carrier required!
• Typical func琀椀onal distance is about 10 meters
– More or less, depending on antenna and interference
• Bluejack with an address book object
– Instead of contact name, write a message
– “You are Bluejacked!”
– “You are Bluejacked! Add to contacts?”
• Third-party so昀琀ware may also be used
– Blooover, Bluesni昀昀
Bluesnar昀椀ng
• Access a Bluetooth-enabled device and transfer data
– Contact list, calendar, email, pictures, video, etc.
• First major security weakness in Bluetooth
– Marcel Holtmann in September 2003 and
– Adam Laurie in November 2003
– This weakness was patched
• Serious security issue
– If you know the 昀椀le, you can download it without
authen琀椀ca琀椀on
1.4 - Wireless Disassocia琀椀on A琀琀acks
It started as a normal day
• Sur昀椀ng along on your wireless network
– And then you’re not
• And then it happens again
– And again
• You may not be able to stop it
– There’s (almost) nothing you can do
– Time to get a long patch cable
• Wireless disassocia琀椀on
– A signi昀椀cant wireless
denial of service (DoS) a琀琀ack
802.11 management frames
• 802.11 wireless includes a number of
management features
– Frames that make everything work
– You never see them
• Important for the opera琀椀on of 802.11 wireless
– How to 昀椀nd access points, manage QoS, associate/
disassociate with an access point, etc.
• Original wireless standards did not add
protec琀椀on for management frames
– Sent in the clear
– No authen琀椀ca琀椀on or valida琀椀on
© 2020 Messer Studios, LLC
Protec琀椀ng against disassocia琀椀on
• IEEE has already addressed the problem
– 802.11w - July 2014
• Some of the important management frames
are encrypted
– Disassociate, deauthen琀椀cate,
channel switch announcements, etc.
• Not everything is encrypted
– Beacons, probes, authen琀椀ca琀椀on, associa琀椀on
• 802.11w is required for 802.11ac compliance
– This will roll out going forward
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 19
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.4 - Wireless Jamming
Radio frequency (RF) jamming
• Denial of Service
– Prevent wireless communica琀椀on
• Transmit interfering wireless signals
– Decrease the signal-to-noise ra琀椀o at
the receiving device
– The receiving device can’t hear the good signal
• Some琀椀mes it’s not inten琀椀onal
– Interference, not jamming
– Microwave oven, 昀氀uorescent lights
• Jamming is inten琀椀onal
– Someone wants your network to not work
Wireless jamming
• Many di昀昀erent types
– Constant, random bits / Constant, legi琀椀mate frames
• Data sent at random 琀椀mes
– Random data and legi琀椀mate frames
• Reac琀椀ve jamming
– Only when someone else tries to communicate
• Needs to be somewhere close
– Di昀케cult to be e昀昀ec琀椀ve from a distance
• Time to go fox hun琀椀ng
– You’ll need the right equipment to hunt down the jam
– Direc琀椀onal antenna, a琀琀enuator
1.4 - RFID and NFC A琀琀acks
RFID (Radio-frequency iden琀椀昀椀ca琀椀on)
• It’s everywhere
– Access badges
– Inventory/Assembly line tracking
– Pet/Animal iden琀椀昀椀ca琀椀on
– Anything that needs to be tracked
• Radar technology
– Radio energy transmi琀琀ed to the tag
– RF powers the tag, ID is transmi琀琀ed back
– Bidirec琀椀onal communica琀椀on
– Some tag formats can be ac琀椀ve/powered
RFID A琀琀acks
• Data capture
– View communica琀椀on
– Replay a琀琀ack
• Spoof the reader - Write your own data to the tag
• Denial of service - Signal jamming
• Decrypt communica琀椀on
– Many default keys are on Google
Near 昀椀eld communica琀椀on (NFC)
• Two-way wireless communica琀椀on
– Builds on RFID, which is mostly one-way
• Payment systems
– Many op琀椀ons available
• Bootstrap for other wireless
– NFC helps with Bluetooth pairing
• Access token, iden琀椀ty “card”
– Short range with encryp琀椀on support
NFC Security Concern
• Remote capture
– It’s a wireless network
– 10 meters for ac琀椀ve devices
• Frequency jamming
– Denial of service
• Relay / Replay a琀琀ack
– On-path a琀琀ack
• Loss of RFC device control
– Stolen/lost phone
1.4 - Randomizing Cryptography
Cryptographic nonce
• Arbitrary number
– Used once
– “For the nonce” - For the 琀椀me being
• A random or pseudo-random number
– Something that can’t be reasonably guessed
– Can also be a counter
• Use a nonce during the login process
– Server gives you a nonce
– Calculate your password hash using the nonce
– Each password hash sent to the host will be
di昀昀erent, so a replay won’t work
© 2020 Messer Studios, LLC
Ini琀椀aliza琀椀on Vectors (IV)
• A type of nonce
– Used for randomizing an encryp琀椀on scheme
– The more random the be琀琀er
• Used in encryp琀椀on ciphers, WEP, and some
SSL implementa琀椀ons
Salt
• A nonce most commonly associated with password
randomiza琀椀on
– Make the password hash unpredictable
• Password storage should always be salted
– Each user gets a di昀昀erent salt
• If the password database is breached, you can’t correlate
any passwords
– Even users with the same password have di昀昀erent
hashes stored
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 20
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.4 - On-Path A琀琀acks
On-path browser a琀琀ack
On-path network a琀琀ack
• How can an a琀琀acker watch without you knowing? • What if the middleman was on the same computer as the vic琀椀m?
– Malware/Trojan does all of the proxy work
– Formerly known as man-in-the-middle
– Formerly known as man-in-the-browser
• Redirects your tra昀케c
• Huge advantages for the a琀琀ackers
– Then passes it on to the des琀椀na琀椀on
– Rela琀椀vely easy to proxy encrypted tra昀케c
– You never know your tra昀케c was redirected
– Everything looks normal to the vic琀椀m
• ARP poisoning
• The malware in your browser waits for you to login to your bank
– ARP has no security
– And cleans you out
– On-path a琀琀ack on the local IP subnet
1.4 - MAC Flooding and Cloning
The MAC address
• Ethernet Media Access Control address
– The “physical” address of a network adapter
– Unique to a device
• 48 bits / 6 bytes long
– Displayed in hexadecimal
LAN switching
• Forward or drop frames
– Based on the des琀椀na琀椀on MAC address
• Gather a constantly upda琀椀ng list of MAC addresses
– Builds the list based on the source MAC address of
incoming tra昀케c
– These age out periodically, o昀琀en in 5 minutes
• Maintain a loop-free environment
– Using Spanning Tree Protocol (STP)
Learning the MACs
• Switches examine incoming tra昀케c
– Makes a note of the source MAC address
• Adds unknown MAC addresses to the MAC address table
– Sets the output interface to the received interface
MAC 昀氀ooding
• The MAC table is only so big
• A琀琀acker starts sending tra昀케c with di昀昀erent source
MAC addresses
– Force out the legi琀椀mate MAC addresses
• The table 昀椀lls up
– Switch begins 昀氀ooding tra昀케c to all interfaces
• This e昀昀ec琀椀vely turns the switch into a hub
– All tra昀케c is transmi琀琀ed to all interfaces
– No interrup琀椀on in tra昀케c 昀氀ows
• A琀琀acker can easily capture all network tra昀케c!
• Flooding can be restricted in the switch’s port
security se琀�ngs
MAC cloning / MAC spoo昀椀ng
• An a琀琀acker changes their MAC address to match
the MAC address of an exis琀椀ng device
– A clone / a spoof
• Circumvent 昀椀lters
– Wireless or wired MAC 昀椀lters
– Iden琀椀fy a valid MAC address and copy it
• Create a DoS
– Disrupt communica琀椀on to the legi琀椀mate MAC
• Easily manipulated through so昀琀ware
– Usually a device driver op琀椀on
1.4 - DNS A琀琀acks
DNS poisoning
• Modify the DNS server
– Requires some cra昀琀y hacking
• Modify the client host 昀椀le
– The host 昀椀le takes precedent over DNS queries
• Send a fake response to a valid DNS request
– Requires a redirec琀椀on of the original request
or the resul琀椀ng response
Domain hijacking
• Get access to the domain registra琀椀on,
and you have control where the tra昀케c 昀氀ows
– You don’t need to touch the actual servers
– Determines the DNS names and DNS IP addresses
© 2020 Messer Studios, LLC
• Many ways to get into the account
– Brute force
– Social engineer the password
– Gain access to the email address that manages the account
– The usual things
Domain hijacking
• Saturday, October 22, 2016, 1 PM
• Domain name registra琀椀ons of
36 domains are changed
– Brazilian bank
– Desktop domains, mobile domains, and more
• Under hacker control for 6 hours
– The a琀琀ackers became the bank
• 5 million customers, $27 billion in assets
– Results of the hack have not been publicly released
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 21
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.4 - DNS A琀琀acks (con琀椀nued)
URL hijacking
• Make money from your mistakes
– There’s a lot of adver琀椀sing on the ‘net
• Sell the badly spelled domain to the actual owner
– Sell a mistake
• Redirect to a compe琀椀tor
– Not as common, legal issues
• Phishing site
– Looks like the real site, please login
• Infect with a drive-by download
– You’ve got malware!
Types of URL hijacking
• Typosqua琀�ng / brandjacking
– Take advantage of poor spelling
• Outright misspelling
– professormesser.com vs. professormessor.com
• A typing error
– professormeser.com
• A di昀昀erent phrase
– professormessers.com
• Di昀昀erent top-level domain
– professormesser.org
Domain reputa琀椀on
• The Internet is tracking your security posture
– They know when things go sideways
• Email reputa琀椀on
– Suspicious ac琀椀vity
– Malware origina琀椀ng from the IP address
• A bad reputa琀椀on can cause email delivery to fail
– Email rejec琀椀on or simply dropped
• Check with the email or service provider to check
the reputa琀椀on
– Follow their instruc琀椀ons to remediate
• Infected systems are no琀椀ced by the search engines
– Your domain can be 昀氀agged or removed
• Users will avoid the site
– Sales will drop
– Users will avoid your brand
• Malware might be removed quickly
– Recovery takes much longer
1.4 - Denial of Service
Denial of Service
• Force a service to fail
– Overload the service
• Take advantage of a design failure or vulnerability
– Keep your systems patched!
• Cause a system to be unavailable
– Compe琀椀琀椀ve advantage
• Create a smokescreen for some other exploit
– Precursor to a DNS spoo昀椀ng a琀琀ack
• Doesn’t have to be complicated
– Turn o昀昀 the power
A “friendly” DoS
• Uninten琀椀onal DoSing - It’s not always a ne’er-do-well
• Network DoS - Layer 2 loop without STP
• Bandwidth DoS - Downloading mul琀椀-gigabyte Linux
distribu琀椀ons over a DSL line
• The water line breaks
– Get a good shop vacuum
Distributed Denial of Service (DDoS)
• Launch an army of computers to bring down a service
– Use all the bandwidth or resources - tra昀케c spike
• This is why the a琀琀ackers have botnets
– Thousands or millions of computers at your command
– At its peak, Zeus botnet infected over 3.6 million PCs
– Coordinated a琀琀ack
• Asymmetric threat
– The a琀琀acker may have fewer resources than the vic琀椀m
© 2020 Messer Studios, LLC
DDoS ampli昀椀ca琀椀on
• Turn your small a琀琀ack into a big a琀琀ack
– O昀琀en re昀氀ected o昀昀 another device or service
• An increasingly common DDoS technique
– Turn Internet services against the vic琀椀m
• Uses protocols with li琀琀le (if any) authen琀椀ca琀椀on or checks
– NTP, DNS, ICMP
– A common example of protocol abuse
Applica琀椀on DoS
• Make the applica琀椀on break or work harder
– Increase down琀椀me and costs
• Fill the disk space
– A 42 kilobyte .zip compressed 昀椀le
– Uncompresses to 4.5 petabytes (4,500 terabytes)
– An琀椀-virus will iden琀椀fy these
• Overuse a measured cloud resource
– More CPU/memory/network is more money
• Increase the cloud server response 琀椀me
– Vic琀椀m deploys a new applica琀椀on instance - repeat
Opera琀椀onal Technology (OT) DoS
• The hardware and so昀琀ware for industrial equipment
– Electric grids, tra昀케c control, manufacturing plants, etc.
• This is more than a web server failing
– Power grid drops o昀툀ine
– All tra昀케c lights are green
– Manufacturing plant shuts down
• Requires a di昀昀erent approach
– A much more cri琀椀cal security posture
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 22
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.4 - Malicious Scripts
Scrip琀椀ng and automa琀椀on
• Automate tasks
– You don’t have to be there
– Solve problems in your sleep
– Monitor and resolve problems before they happen
• The need for speed
– The script is as fast as the computer
– No typing or delays
– No human error
• Automate the a琀琀ack
– The hacker is on borrowed 琀椀me
Windows PowerShell
• Command line for system administrators
– .ps1 昀椀le extension
– Included with Windows 8/8.1 and 10
• Extend command-line func琀椀ons
– Uses cmdlets (command-lets)
– PowerShell scripts and func琀椀ons
– Standalone executables
• A琀琀ack Windows systems
– System administra琀椀on
– Ac琀椀ve Domain administra琀椀on
– File share access
Python
• General-purpose scrip琀椀ng language
– .py 昀椀le extension
• Popular in many technologies
– Broad appeal and support
• Commonly used for cloud orchestra琀椀on
– Create and tear down applica琀椀on instances
• A琀琀ack the infrastructure
– Routers, servers, switches
Shell script
• Scrip琀椀ng the Unix/Linux shell
– Automate and extend the command line
– Bash, Bourne, Korn, C
• Starts with a shebang or hash-bang #!
– O昀琀en has a .sh 昀椀le extension
• A琀琀ack the Linux/Unix environment
– Web, database, virtualiza琀椀on servers
• Control the OS from the command line
– Malware has a lot of op琀椀ons
Macros
• Automate func琀椀ons within an applica琀椀on
– Or opera琀椀ng system
• Designed to make the applica琀椀on easier to use
– Can o昀琀en create security vulnerabili琀椀es
• A琀琀ackers create automated exploits
– They just need the user to open the 昀椀le
– Prompts to run the macro
Visual Basic for Applica琀椀ons (VBA)
• Automates processes within Windows applica琀椀ons
– Common in Microso昀琀 O昀케ce
• A powerful programming language
– Interacts with the opera琀椀ng system
• CVE-2010-0815 / MS10-031
– VBA does not properly search for Ac琀椀veX
controls in a document
– Run arbitrary code embedded in a document
– Easy to infect a computer
1.5 - Threat Actors
Threat actors and a琀琀ributes
• The en琀椀ty responsible for an event that has
an impact on the safety of another en琀椀ty
– Also called a malicious actor
• Broad scope of actors
– And mo琀椀va琀椀ons vary widely
• Advanced Persistent Threat (APT)
– A琀琀ackers are in the network and undetected
– 2018 FireEye report:
Americas: 71 days,
EMEA: 177 days,
APAC: 204 days
Insiders
• More than just passwords on s琀椀cky notes
– Some insiders are out for no good
© 2020 Messer Studios, LLC
• Sophis琀椀ca琀椀on may not be advanced,
but the insider has ins琀椀tu琀椀onal knowledge
– A琀琀acks can be directed at vulnerable systems
– The insider knows what to hit
• Extensive resources
– Ea琀椀ng away from the inside
Na琀椀on states
• Governments
• Na琀椀onal security, job security
• Always an external en琀椀ty
• Highest sophis琀椀ca琀椀on
• Military control, u琀椀li琀椀es, 昀椀nancial control
• United States and Israel destroyed 1,000 nuclear
centrifuges with the Stuxnet worm
• Constant a琀琀acks
• Commonly an Advanced Persistent Threat (APT)
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 23
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.5 - Threat Actors (con琀椀nued)
Hack琀椀vist
• A hacker with a purpose
– Social change or a poli琀椀cal agenda
– O昀琀en an external en琀椀ty
• Can be remarkably sophis琀椀cated
– Very speci昀椀c hacks
– DoS, web site defacing, release of private documents, etc.
• Funding is limited
– Some organiza琀椀ons have fundraising op琀椀ons
Script kiddies
• Runs pre-made scripts without any knowledge
of what’s really happening
– Not necessarily a youngster
• Can be internal or external
– But usually external
• Not very sophis琀椀cated
• No formal funding
– Looking for low hanging fruit
• Mo琀椀vated by the hunt
– Working the ego, trying to make a name
Organized crime
• Professional criminals
– Mo琀椀vated by money
– Almost always an external en琀椀ty
• Very sophis琀椀cated
– Best hacking money can buy
• Crime that’s organized
– One person hacks, one person manages the exploits,
another person sells the data, another handles
customer support
• Lots of capital to fund hacking e昀昀orts
Hackers
• Experts with technology
– O昀琀en driven by money, power, and ego
• Authorized
– An ethical hacker with good inten琀椀ons
– And permission to hack
• Unauthorized
– Malicious, violates security for personal gain
• Semi-authorized
– Finds a vulnerability, doesn’t use it
Shadow IT
• Going rogue
– Working around the internal IT organiza琀椀on
• Informa琀椀on Technology can put up roadblocks
– Shadow IT is unencumbered
– Use the cloud
– Might also be able to innovate
• Not always a good thing
– Wasted 琀椀me and money
– Security risks
– Compliance issues
– Dysfunc琀椀onal organiza琀椀on
Compe琀椀tors
• Many di昀昀erent mo琀椀va琀椀ons
– DoS, espionage, harm reputa琀椀on
• High level of sophis琀椀ca琀椀on
– Based on some signi昀椀cant funding
– The compe琀椀琀椀ve upside is huge (and very unethical)
• Many di昀昀erent intents
– Shut down your compe琀椀tor during an event
– Steal customer lists
– Corrupt manufacturing databases
– Take 昀椀nancial informa琀椀on
1.5 - A琀琀ack Vectors
A琀琀ack vectors
• A method used by the a琀琀acker
– Gain access or infect to the target
• A lot of work goes into 昀椀nding vulnerabili琀椀es in these
vectors
– Some are more vulnerable than others
• IT security professional spend their career watching
these vectors
– Closing up exis琀椀ng vectors
– Finding new ones
Direct access a琀琀ack vectors
• There’s a reason we lock the data center
– Physical access to a system is a signi昀椀cant a琀琀ack
vector
• Modify the opera琀椀ng system
– Reset the administrator password in a few minutes
© 2020 Messer Studios, LLC
• A琀琀ach a keylogger
– Collect usernames and passwords
• Transfer 昀椀les
– Take it with you
• Denial of service
– This power cable is in the way
Wireless a琀琀ack vectors
• Default login creden琀椀als
• Modify the access point con昀椀gura琀椀on
• Rogue access point
• A less-secure entry point to the network
• Evil twin
• A琀琀acker collects authen琀椀ca琀椀on details
• On-path a琀琀acks
• Protocol vulnerabili琀椀es
• 2017 - WPA2 Key Reinstalla琀椀on A琀琀ack (KRACK)
• Older encryp琀椀on protocols (WEP, WPA)
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 24
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.5 - A琀琀ack Vectors (con琀椀nued)
Email a琀琀ack vectors
• One of the biggest (and most successful) a琀琀ack vectors
– Everyone has email
• Phishing a琀琀acks
– People want to click links
• Deliver the malware to the user
– A琀琀ach it to the message
• Social engineering a琀琀acks
– Invoice scam
Supply chain a琀琀ack vectors
• Tamper with the underlying infrastructure
– Or manufacturing process
• Gain access to a network using a vendor
– 2013 Target credit card breach
• Malware can modify the manufacturing process
– 2010 - Stuxnet disrupts Iran’s uranium enrichment program
• Counterfeit networking equipment
– Install backdoors, substandard performance and availability
– 2020 - Fake Cisco Catalyst 2960-X and WS-2960X-48TS-L
Social media a琀琀ack vectors
• A琀琀ackers thank you for pu琀�ng your personal informa琀椀on
online
– Where you are and when
– Vaca琀椀on pictures are especially telling
• User pro昀椀ling
– Where were you born?
– What is the name of your school mascot?
• Fake friends are fake
– The inner circle can provide addi琀椀onal informa琀椀on
Removable media a琀琀ack vectors
• Get around the 昀椀rewall
– The USB interface
• Malicious so昀琀ware on USB 昀氀ash drives
– Infect air gapped networks
– Industrial systems, high-security services
• USB devices can act as keyboards
– Hacker on a chip
• Data ex昀椀ltra琀椀on
– Terabytes of data walk out the door
– Zero bandwidth used
Cloud a琀琀ack vectors
• Publicly-facing applica琀椀ons and services
– Mistakes are made all the 琀椀me
• Security miscon昀椀gura琀椀ons
– Data permissions and public data stores
• Brute force a琀琀acks
– Or phish the users of the cloud service
• Orchestra琀椀on a琀琀acks
– Make the cloud build new applica琀椀on instances
• Denial of service
– Disable the cloud services for everyone
1.5 - Threat Intelligence
Threat intelligence
• Research the threats - And the threat actors
• Data is everywhere
– Hacker group pro昀椀les, tools used by the a琀琀ackers,
and much more
• Make decisions based on this intelligence
– Invest in the best preven琀椀on
• Used by researchers, security opera琀椀ons teams,
and others
Open-source intelligence (OSINT)
• Open-source
– Publicly available sources
– A good place to start
• Internet
– Discussion groups, social media
• Government data
– Mostly public hearings, reports, websites, etc.
• Commercial data
– Maps, 昀椀nancial reports, databases
© 2020 Messer Studios, LLC
Closed/proprietary intelligence
• Someone else has already compiled the threat informa琀椀on
– You can buy it
• Threat intelligence services
– Threat analy琀椀cs, correla琀椀on across di昀昀erent data sources
• Constant threat monitoring
– Iden琀椀fy new threats
– Create automated preven琀椀on work昀氀ows
Vulnerability databases
• Researchers 昀椀nd vulnerabili琀椀es
– Everyone needs to know about them
• Common Vulnerabili琀椀es and Exposures (CVE)
– A community managed list of vulnerabili琀椀es
– Sponsored by the U.S. Department of Homeland
Security (DHS) and Cybersecurity and Infrastructure
Security Agency (CISA)
• U.S. Na琀椀onal Vulnerability Database (NVD)
– A summary of CVEs
– Also sponsored by DHS and CISA
• NVD provides addi琀椀onal details over the CVE list
– Patch availability and severity scoring
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 25
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.5 - Threat Intelligence (con琀椀nued)
Public/private informa琀椀on-sharing centers
• Public threat intelligence
– O昀琀en classi昀椀ed informa琀椀on
• Private threat intelligence
– Private companies have extensive resources
• Need to share cri琀椀cal security details
– Real-琀椀me, high-quality cyber threat informa琀椀on sharing
• Cyber Threat Alliance (CTA)
– Members upload speci昀椀cally forma琀琀ed threat intelligence
– CTA scores each submission and validates
across other submissions
– Other members can extract the validated data
Automated indicator sharing (AIS)
• Intelligence industry needs a standard way to share
important threat data
– Share informa琀椀on freely
• Structured Threat Informa琀椀on eXpression (STIX)
– Describes cyber threat informa琀椀on
– Includes mo琀椀va琀椀ons, abili琀椀es, capabili琀椀es, and
response informa琀椀on
• Trusted Automated eXchange of Indicator Informa琀椀on (TAXII)
– Securely shares STIX data
Dark web intelligence
• Dark web
– Overlay networks that use the Internet
– Requires speci昀椀c so昀琀ware and con昀椀gura琀椀ons to access
• Hacking groups and services
– Ac琀椀vi琀椀es
– Tools and techniques
– Credit card sales
– Accounts and passwords
• Monitor forums for ac琀椀vity
– Company names, execu琀椀ve names
Indicators of compromise (IOC)
• An event that indicates an intrusion
– Con昀椀dence is high
– He’s calling from inside the house
• Indicators
– Unusual amount of network ac琀椀vity
– Change to 昀椀le hash values
– Irregular interna琀椀onal tra昀케c
– Changes to DNS data
– Uncommon login pa琀琀erns
– Spikes of read requests to certain 昀椀les
Predic琀椀ve analysis
• Analyze large amounts of data very quickly
– Find suspicious pa琀琀erns
– Big data used for cybersecurity
• Iden琀椀fy behaviors
– DNS queries, tra昀케c pa琀琀erns, loca琀椀on data
• Creates a forecast for poten琀椀al a琀琀acks
– An early-warning system
• O昀琀en combined with machine learning
– Less emphasis on signatures
Threat maps
• Iden琀椀fy a琀琀acks and trends
– View worldwide perspec琀椀ve
• Created from real a琀琀ack data
– Iden琀椀fy and react
File/code repositories
• See what the hackers are building
– Public code repositories, GitHub
• See what people are accidentally releasing
– Private code can o昀琀en be published publicly
• A琀琀ackers are always looking for this code
– Poten琀椀al exploits exist
– Content for phishing a琀琀acks
1.5 - Threat Research
Threat research
• Know your enemy
– And their tools of war
• A never-ending process
– The 昀椀eld is constantly moving and changing
• Informa琀椀on from many di昀昀erent places
– You can’t rely on a single source
Vendor websites
• Vendors and manufacturers
– They wrote the so昀琀ware
• They know when problems are announced
– Most vendors are involved in the disclosure process
• They know their product be琀琀er than anyone
– They react when surprises happen
– Scrambling a昀琀er a zero-day announcement
– Mi琀椀ga琀椀ng and support op琀椀ons
© 2020 Messer Studios, LLC
Vulnerability feeds
• Automated vulnerability no琀椀昀椀ca琀椀ons
• Na琀椀onal Vulnerability Database
(h琀琀ps://nvd.nist.gov)
• CVE Data Feeds (h琀琀ps://cve.mitre.org)
• Third-party feeds
• Addi琀椀onal vulnerability coverage
• Roll-up to a vulnerability management system
• Coverage across teams
• Consolidated view of security issues
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 26
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.5 - Threat Intelligence (con琀椀nued)
Conferences
• Watch and learn
– An early warning of things to come
• Researchers
– New DDoS methods, intelligence gathering,
hacking the latest technologies
• Stories from the trenches
– Figh琀椀ng and recovering from a琀琀acks
– New methods to protect your data
• Building rela琀椀onships - forge alliances
Academic journals
• Research from academic professionals
– Cu琀�ng edge security analysis
• Evalua琀椀ons of exis琀椀ng security technologies
– Keeping up with the latest a琀琀ack methods
• Detailed post mortem
– Tear apart the latest malware and
see what makes it 琀椀ck
• Extremely detailed informa琀椀on
– Break apart topics into their smaller pieces
Request for comments (RFC)
• Published by the Internet Society (ISOC)
– O昀琀en wri琀琀en by the Internet Engineering
Task Force (IETF)
– Internet Society descrip琀椀on is RFC 1602
• Not all RFCs are standards documents
– Experimental, Best Current Prac琀椀ce,
Standard Track, and Historic
• Many informa琀椀onal RFCs analyze threats
– RFC 3833 - Threat Analysis of the Domain
Name System
– RFC 7624 - Con昀椀den琀椀ality in the Face of
Pervasive Surveillance:
– A Threat Model and Problem Statement
Local industry groups
• A gathering of local peers
– Shared industry and technology, geographical presence
• Associa琀椀ons
– Informa琀椀on Systems Security Associa琀椀on,
Network Professional Associa琀椀on
– Meet others in the area, discuss local challenges
• Industry user groups
– Cisco, Microso昀琀, VMware, etc. - Secure speci昀椀c technologies
Social media
• Hacking group conversa琀椀ons - Monitor the cha琀琀er
• Honeypot monitoring on Twi琀琀er
– Iden琀椀fy new exploit a琀琀empts
• Keyword monitoring - CVE-2020-*, bugbounty, 0-day
• Analysis of vulnerabili琀椀es - Professionals discussing the details
• Command and control - Use social media as the transport
Threat feeds
• Monitor threat announcements - Stay informed
• Many sources of informa琀椀on
– U.S. Department of Homeland Security
– U.S. Federal Bureau of Inves琀椀ga琀椀on
– SANS Internet Storm Center
– VirusTotal Intelligence:
– Google and Facebook correla琀椀on
TTP
• Tac琀椀cs, techniques, and procedures
– What are adversaries doing and how are they doing it?
• Search through data and networks
– Proac琀椀vely look for threats
– Signatures and 昀椀rewall rules can’t catch everything
• Di昀昀erent types of TTPs
– Informa琀椀on on targeted vic琀椀ms (Finance for energy
companies)
– Infrastructure used by a琀琀ackers (DNS and IP addresses)
– Outbreak of a par琀椀cular malware variant on a service type
1.6 - Vulnerability Types
Zero-day a琀琀acks
• Many applica琀椀ons have vulnerabili琀椀es
– We’ve just not found them yet
• Someone is working hard to 昀椀nd the next
big vulnerability
– The good guys share these with developers
• A琀琀ackers keep these yet-to-be-discovered holes
to themselves
– They want to use these vulnerabili琀椀es for
personal gain
• Zero-day
– The vulnerability has not been detected or published
– Zero-day exploits are increasingly common
• Common Vulnerabili琀椀es and Exposures (CVE)
– h琀琀p://cve.mitre.org/
© 2020 Messer Studios, LLC
Open permissions
• Very easy to leave a door open
– The hackers will always 昀椀nd it
• Increasingly common with cloud storage
– Sta琀椀s琀椀cal chance of 昀椀nding an open permission
• June 2017 - 14 million Verizon records exposed
– Third-party le昀琀 an Amazon S3 data repository open
– Researcher found the data before anyone else
• Many, many other examples
– Secure your permissions!
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 27
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.6 - Vulnerability Types (con琀椀nued)
Unsecured root accounts
• The Linux root account
– The Administrator or superuser account
• Can be a miscon昀椀gura琀椀on
– Inten琀椀onally con昀椀guring an easy-to-hack password
– 123456, ninja, football
• Disable direct login to the root account
– Use the su or sudo op琀椀on
• Protect accounts with root or administrator access
– There should not be a lot of these
Errors
• Error messages can provide useful informa琀椀on
to an a琀琀acker
– Service type, version informa琀椀on, debug data
• September 2015 - Patreon is compromised
– Used a debugger to help monitor and troubleshoot
web site issues
– Was le昀琀 exposed to the Internet
– E昀昀ec琀椀vely allowed for remote code execu琀椀ons
– Gigabytes of customer data was released online
Weak encryp琀椀on
• Encryp琀椀on protocol (AES, 3DES, etc.)
– Length of the encryp琀椀on key (40 bits, 128 bits,
256 bits, etc.)
– Hash used for the integrity check (SHA, MD5, etc.)
– Wireless encryp琀椀on (WEP, WPA)
• Some cipher suites are easier to break than others
– Stay updated with the latest best prac琀椀ces
• TLS is one of the most common issues
– Over 300 cipher suites
• Which are good and which are bad?
– Weak or null encryp琀椀on (less than 128 bit key sizes),
outdated hashes (MD5)
Insecure protocols
• Some protocols aren’t encrypted
– All tra昀케c sent in the clear - Telnet, FTP, SMTP, IMAP
• Verify with a packet capture
– View everything sent over the network
• Use the encrypted versions- SSH, SFTP, IMAPS, etc.
Default se琀�ngs
• Every applica琀椀on and network device has a default login
– Not all of these are ever changed
• Mirai botnet
– Takes advantage of default con昀椀gura琀椀ons
– Takes over Internet of Things (IoT) devices
– 60+ default con昀椀gura琀椀ons
– Cameras, routers, doorbells, garage door openers, etc.
• Mirai released as open-source so昀琀ware
– There’s a lot more where that came from
Open ports and services
• Services will open ports
– It’s important to manage access
• O昀琀en managed with a 昀椀rewall
– Manage tra昀케c 昀氀ows
– Allow or deny based on port number or applica琀椀on
• Firewall rulesets can be complex
– It’s easy to make a mistake
• Always test and audit
– Double and triple check
Improper patch management
• O昀琀en centrally managed
– The update server determine when you patch
– Test all of your apps, then deploy
– E昀케ciently manage bandwidth
• Firmware - The BIOS of the device
• Opera琀椀ng system- Monthly and on-demand patches
• Applica琀椀ons
– Provided by the manufacturer as-needed
Legacy pla琀昀orms
• Some devices remain installed for a long 琀椀me
– Perhaps too long
• Legacy devices
– Older opera琀椀ng systems, applica琀椀ons, middleware
• May be running end-of-life so昀琀ware
– The risk needs to be compared to the return
• May require addi琀椀onal security protec琀椀ons
– Addi琀椀onal 昀椀rewall rules
– IPS signature rules for older opera琀椀ng systems
1.6 - Third-party Risks
Third-party risks
• IT security doesn’t change because it’s a third-party
– There should be more security, not less
• Always expect the worst
– Prepare for a breach
• Human error is s琀椀ll the biggest issue
– Everyone needs to use IT security best prac琀椀ces
• All security is important
– Physical security and cybersecurity work hand-in-hand
© 2020 Messer Studios, LLC
System integra琀椀on risk
• Professional installa琀椀on and maintenance
– Can include elevated OS access
• Can be on-site
– With physical or virtual access to data and systems
– Keylogger installa琀椀ons and USB 昀氀ash drive data
transfers
• Can run so昀琀ware on the internal network
– Less security on the inside
– Port scanners, tra昀케c captures
– Inject malware and spyware, some琀椀mes inadvertently
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 28
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.6 - Third-party Risks (con琀椀nued)
Lack of vendor support
• Security requires diligence
– The poten琀椀al for a vulnerability is always there
• Vendors are the only ones who can 昀椀x their products
– Assuming they know about the problem
– And care about 昀椀xing it
• Trane Comfortlink II thermostats
– Control the temperature from your phone
– Trane no琀椀昀椀ed of three vulnerabili琀椀es in April 2014
– Two patched in April 2015, one in January 2016
Supply chain risk
• You can’t always control security at a third-party loca琀椀on
– Always maintain local security controls
• Hardware and so昀琀ware from a vendor can contain malware
– Verify the security of new systems
• Counterfeit hardware is out there
– It looks like a Cisco switch…Is it malicious?
Outsourced code development
• Accessing the code base
– Internal access over a VPN
– Cloud-based access
• Verify security to other systems
– The development systems should be isolated
• Test the code security
– Check for backdoors
– Validate data protec琀椀on and encryp琀椀on
Data storage
• Consider the type of data
– Contact informa琀椀on
– Healthcare details, 昀椀nancial informa琀椀on
• Storage at a third-party may need encryp琀椀on
– Limits exposure, adds complexity
• Transferring data
– The en琀椀re data 昀氀ow needs to be encrypted
1.6 - Vulnerability Impacts
Vulnerability impacts
• A琀琀ackers sent secure messages to transfer nearly one
• Malicious cyber ac琀椀vity cost the U.S. economy between
billion dollars in reserves to accounts in Philippines
$57 billion and $109 billion in 2016
and Sri Lanka
– The Cost of Malicious Cyber Ac琀椀vity to the U.S. Economy, – Fortunately, most of the messages were
– The Council of Economic Advisers, February 2018
incorrectly forma琀琀ed
• Many other non-economic impacts - Far reaching e昀昀ects
• Thirty-昀椀ve requests were acted upon
– $81 million lost and laundered through the
• These are the reasons we patch vulnerabili琀椀es
Filipino casino industry
Data loss
• Similar SWIFT vulnerabili琀椀es: $12 million from
• Vulnerability: Unsecured databases
Wells Fargo, $60 million from Taiwanese Far Eastern
– No password or default password
Interna琀椀onal Bank
• July 2020 - Internet-facing databases are being deleted
Reputa琀椀on impacts
– No warning, no explana琀椀on
• Ge琀�ng hacked isn’t a great look
• Thousands of databases are missing
– Organiza琀椀ons are o昀琀en required to disclose
– I hope you had a backup
– Stock prices drop, at least for the short term
• Overwrites data with itera琀椀ons of the word “meow”
• October 2016 - Uber breach
– No messages or mo琀椀va琀椀onal content
– 25.6 million Names, email addresses, mobile numbers
Iden琀椀ty the昀琀
• Didn’t publicly announce it un琀椀l November 2017
• May through July 2017 - Equifax
– Allegedly paid the hackers $100,000 and had them
– Data breach of 147.9 million Americans,
sign an NDA
– 15.2 million Bri琀椀sh ci琀椀zens, 19,000 Canadian ci琀椀zens
–
2018 - Uber paid $148 million in 昀椀nes
– Names, SSNs, birthdates, addresses, some driver’s
• Hackers pleaded guilty in October 2019
license numbers
– August 2020 - Uber’s former Chief Security O昀케cer
• Apache Struts vulnerability from March 7, 2017
Availability
loss
– Breach started March 12th
•
Outages
and
down琀椀me - Systems are unavailable
– Wasn’t patched by Equifax un琀椀l July 30th a昀琀er
discovering “suspicious network tra昀케c”
• The pervasive ransomware threat
– September 7th - Public disclosure
– Brings down the largest networks
• September 15th - CIO and CSO depart Equifax
• September 2020 - BancoEstado
– One of Chile’s three biggest banks
• July 2019 - Equifax pays $575 million in 昀椀nes
– Ransomware a琀琀ack over the weekend
Financial loss
• Bank closed for an extended period
• March 2016 - Bank of Bangladesh
– Segmented network - Only hit internal systems
– Society for Worldwide Interbank Financial
– Wipe and restore everything
Telecommunica琀椀ons (SWIFT)
© 2020 Messer Studios, LLC
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 29
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.7 - Threat Hun琀椀ng
Threat hun琀椀ng
• The constant game of cat and mouse
– Find the a琀琀acker before they 昀椀nd you
• Strategies are constantly changing
– Firewalls get stronger, so phishing gets be琀琀er
• Intelligence data is reac琀椀ve
– You can’t see the a琀琀ack un琀椀l it happens
• Speed up the reac琀椀on 琀椀me
– Use technology to 昀椀ght
Intelligence fusion
• An overwhelming amount of security data
– Too much data to properly detect, analyze, and react
• Many data types
– Drama琀椀cally di昀昀erent in type and scope
• Separate teams
– Security opera琀椀ons, security intelligence, threat
response
• Fuse the security data together with
big data analy琀椀cs
– Analyze massive and diverse datasets
– Pick out the interes琀椀ng data points
and correla琀椀ons
Fusing the data
• Collect the data
– Logs and sensors, network informa琀椀on,
Internet events, intrusion detec琀椀on
• Add external sources
– Threat feeds, governmental alerts, advisories and
bulle琀椀ns, social media
• Correlate with big data analy琀椀cs
– Focuses on predic琀椀ve analy琀椀cs and user behavior
analy琀椀cs
– Mathema琀椀cal analysis of unstructured data
Cybersecurity maneuvers
• In the physical world, move troops and tanks
– Stop the enemy on a bridge or shore
• In the virtual world, move 昀椀rewalls and opera琀椀ng systems
– Set a 昀椀rewall rule, block an IP address, delete malicious
so昀琀ware
• Automated maneuvers
– Moving at the speed of light
– The computer reacts instantly
• Combine with fused intelligence
– Ongoing combat from many fronts
• Tomorrow it’s a di昀昀erent 昀椀ght
1.7 - Vulnerability Scans
Vulnerability scanning
• Usually minimally invasive
– Unlike a penetra琀椀on test
• Port scan
– Poke around and see what’s open
• Iden琀椀fy systems
– And security devices
• Test from the outside and inside
– Don’t dismiss insider threats
• Gather as much informa琀椀on as possible
– We’ll separate wheat from cha昀昀 later
Scan types
• Scanners are very powerful
– Use many di昀昀erent techniques to iden琀椀fy
vulnerabili琀椀es
• Non-intrusive scans
– Gather informa琀椀on, don’t try to exploit a
vulnerability
• Intrusive scans
– You’ll try out the vulnerability to see if it works
• Non-creden琀椀aled scans
– The scanner can’t login to the remote device
• Creden琀椀aled scan
– You’re a normal user,
emulates an insider a琀琀ack
© 2020 Messer Studios, LLC
Iden琀椀fy vulnerabili琀椀es
• The scanner looks for everything
– Well, not everything - The signatures are the key
• Applica琀椀on scans
– Desktop, mobile apps
• Web applica琀椀on scans
– So昀琀ware on a web server
• Network scans
– Miscon昀椀gured 昀椀rewalls, open ports, vulnerable devices
Vulnerability research
• The vulnerabili琀椀es can be cross-referenced online
– Almost all scanners give you a place to go
• Na琀椀onal Vulnerability Database: h琀琀p://nvd.nist.gov/
• Common Vulnerabili琀椀es and Exposures (CVE):
h琀琀ps://cve.mitre.org/cve/
• Microso昀琀 Security Bulle琀椀ns:
h琀琀p://www.microso昀琀.com/technet/security/current.aspx
• Some vulnerabili琀椀es cannot be de昀椀ni琀椀vely iden琀椀昀椀ed
– You’ll have to check manually to see if a
system is vulnerable
– The scanner gives you a heads-up
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 30
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.7 - Vulnerability Scans (con琀椀nued)
• Na琀椀onal Vulnerability Database: h琀琀p://nvd.nist.gov/
– Synchronized with the CVE list
– Enhanced search func琀椀onality
• Common Vulnerability Scoring System (VCSS)
– Quan琀椀ta琀椀ve scoring of a vulnerability - 0 to 10
– The scoring standards change over 琀椀me
– Di昀昀erent scoring for VCSS 2.0 vs VCSS 3.x
• Industry collabora琀椀on
– Enhanced feed sharing and automa琀椀on
Vulnerability scan log review
• Lack of security controls
– No 昀椀rewall
– No an琀椀-virus
– No an琀椀-spyware
• Miscon昀椀gura琀椀ons
– Open shares
– Guest access
• Real vulnerabili琀椀es
– Especially newer ones
– Occasionally the old ones
Dealing with false posi琀椀ves
• False posi琀椀ves
– A vulnerability is iden琀椀昀椀ed that doesn’t really exist
• This is di昀昀erent than a low-severity vulnerability
– It’s real, but it may not be your highest priority
• False nega琀椀ves
– A vulnerability exists, but you didn’t detect it
• Update to the latest signatures
– If you don’t know about it, you can’t see it
• Work with the vulnerability detec琀椀on manufacturer
– They may need to update their signatures for your
environment
Con昀椀gura琀椀on review
• Validate the security of device con昀椀gura琀椀ons
– It’s easy to miscon昀椀gure one thing
– A single unlocked window puts the en琀椀re home at risk
• Worksta琀椀ons
– Account con昀椀gura琀椀ons, local device se琀�ngs
• Servers - Access controls, permission se琀�ngs
• Security devices - Firewall rules, authen琀椀ca琀椀on op琀椀ons
1.7 - Security Informa琀椀on and Event Management
SIEM
• Security Informa琀椀on and Event Management
– Logging of security events and informa琀椀on
• Log collec琀椀on of security alerts
– Real-琀椀me informa琀椀on
• Log aggrega琀椀on and long-term storage
– Usually includes advanced repor琀椀ng features
• Data correla琀椀on - Link diverse data types
• Forensic analysis - Gather details a昀琀er an event
Syslog
• Standard for message logging
– Diverse systems, consolidated log
• Usually a central log collector
– Integrated into the SIEM
• You’re going to need a lot of disk space
– No, more. More than that.
– Data storage from many devices over
an extended 琀椀meframe
SIEM data
• Data inputs
– Server authen琀椀ca琀椀on a琀琀empts
– VPN connec琀椀ons
– Firewall session logs
– Denied outbound tra昀케c 昀氀ows
– Network u琀椀liza琀椀ons
• Packet captures
– Network packets
– O昀琀en associated with a cri琀椀cal alert
– Some organiza琀椀ons capture everything
© 2020 Messer Studios, LLC
Security monitoring
• Constant informa琀椀on 昀氀ow
– Important metrics in the incoming logs
• Track important sta琀椀s琀椀cs
– Excep琀椀ons can be iden琀椀昀椀ed
• Send alerts when problems are found
– Email, text, call, etc.
• Create triggers to automate responses
– Open a 琀椀cket, reboot a server
Analyzing the data
• Big data analy琀椀cs
– Analyze large data stores
– Iden琀椀fy pa琀琀erns that would normally remain invisible
• User and en琀椀ty behavior analy琀椀cs (UEBA)
– Detect insider threats
– Iden琀椀fy targeted a琀琀acks
– Catches what the SIEM and DLP systems might miss
• Sen琀椀ment analysis
– Public discourse correlates to real-world behavior
– If they hate you, they hack you
– Social media can be a barometer
SOAR
• Security orchestra琀椀on, automa琀椀on, and response
– Automate rou琀椀ne, tedious, and 琀椀me intensive ac琀椀vi琀椀es
• Orchestra琀椀on
– Connect many di昀昀erent tools together
– Firewalls, account management, email 昀椀lters
• Automa琀椀on - Handle security tasks automa琀椀cally
• Response - Make changes immediately
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 31
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.8 - Penetra琀椀on Tes琀椀ng
Penetra琀椀on tes琀椀ng
• Pentest
– Simulate an a琀琀ack
• Similar to vulnerability scanning
– Except we actually try to exploit
the vulnerabili琀椀es
• O昀琀en a compliance mandate
– Regular penetra琀椀on tes琀椀ng by a 3rd-party
• Na琀椀onal Ins琀椀tute of Standards and Technology
Technical Guide to Informa琀椀on Security Tes琀椀ng
and Assessment
– h琀琀ps://professormesser.link/800115 (PDF)
Rules of engagement
• An important document
– De昀椀nes purpose and scope
– Makes everyone aware of the test parameters
• Type of tes琀椀ng and schedule
– On-site physical breach, internal test,
external test
– Normal working hours, a昀琀er 6 PM only, etc.
• The rules
– IP address ranges
– Emergency contacts
– How to handle sensi琀椀ve informa琀椀on
– In-scope and out-of-scope devices
or applica琀椀ons
Working knowledge
• How much do you know about the test?
– Many di昀昀erent approaches
• Unknown environment
– The pentester knows nothing about the
systems under a琀琀ack
– “Blind” test
• Known environment
– Full disclosure
• Par琀椀ally known environment
– A mix of black and white
– Focus on certain systems or applica琀椀ons
Exploi琀椀ng vulnerabili琀椀es
• Try to break into the system
– Be careful; this can cause a denial of service or
loss of data
– Bu昀昀er over昀氀ows can cause instability
– Gain privilege escala琀椀on
• You may need to try many di昀昀erent vulnerability types
– Password brute-force, social engineering,
database injec琀椀ons, bu昀昀er over昀氀ows
• You’ll only be sure you’re vulnerable if you can
bypass security
– If you can get through, the a琀琀ackers can get through
The process
• Ini琀椀al exploita琀椀on - Get into the network
• Lateral movement
– Move from system to system
– The inside of the network is rela琀椀vely unprotected
• Persistence
– Once you’re there, you need to make sure there’s a
way back in
– Set up a backdoor, build user accounts, change or
verify default passwords
• The pivot
– Gain access to systems that would normally not
be accessible
– Use a vulnerable system as a proxy or relay
Pentest a昀琀ermath
• Cleanup
– Leave the network in its original state
– Remove any binaries or temporary 昀椀les
– Remove any backdoors
– Delete user accounts created during the test
• Bug bounty
– A reward for discovering vulnerabili琀椀es
– Earn money for hacking a system
– Document the vulnerability to earn cash
1.8 - Reconnaissance
Reconnaissance
• Need informa琀椀on before the a琀琀ack
– Can’t rush blindly into ba琀琀le
• Gathering a footprint
– Learn everything you can
• Understand the security posture
– Firewalls, security con昀椀gura琀椀ons
• Minimize the a琀琀ack area
– Focus on key systems
• Create a network map
– Iden琀椀fy routers, networks, remote sites
© 2020 Messer Studios, LLC
Passive footprin琀椀ng
• Learn as much as you can from open sources
– There’s a lot of informa琀椀on out there
– Remarkably di昀케cult to protect or iden琀椀fy
• Social media
• Corporate web site
• Online forums, Reddit
• Social engineering
• Dumpster diving
• Business organiza琀椀ons
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 32
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
1.8 - Reconnaissance (con琀椀nued)
Wardriving or war昀氀ying
• Combine WiFi monitoring and a GPS
– Search from your car or plane
– Search from a drone
• Huge amount of intel in a short period of 琀椀me
– And o昀琀en some surprising results
• All of this is free
– Kismet, inSSIDer
– Wireless Geographic
– Logging Engine
– h琀琀p://wigle.net
Open Source Intelligence (OSINT)
• Gathering informa琀椀on from many open sources
– Find informa琀椀on on anyone or anything
– The name is not related to open-source so昀琀ware
• Data is everywhere - h琀琀ps://osin琀昀ramework.com/
• Automated gathering - Many so昀琀ware tools available
Ac琀椀ve footprin琀椀ng
• Trying the doors
– Maybe one is unlocked
– Don’t open it yet
– Rela琀椀vely easy to be seen
• Visible on network tra昀케c and logs
• Ping scans, port scans, DNS queries,
OS scans, OS 昀椀ngerprin琀椀ng, Service scans, version scans
1.8 - Security Teams
Security teams
• Cybersecurity involves many skills
– Opera琀椀onal security, penetra琀椀on tes琀椀ng,
exploit research, web applica琀椀on hardening, etc.
• Become an expert in your niche
– Everyone has a role to play
• The teams
– Red team, blue team, purple team, white team
Red team
• O昀昀ensive security team - The hired a琀琀ackers
• Ethical hacking - Find security holes
• Exploit vulnerabili琀椀es -Gain access
• Social engineering - Constant vigilance
• Web applica琀椀on scanning - Test and test again
Blue team
• Defensive security - Protec琀椀ng the data
• Opera琀椀onal security - Daily security tasks
• Incident response - Damage control
• Threat hun琀椀ng - Find and 昀椀x the holes
• Digital forensics - Find data everywhere
Purple team
• Red and blue teams
– Working together
• Compe琀椀琀椀on isn’t necessarily useful
– Internal ba琀琀les can s琀椀昀氀e organiza琀椀onal security
– Cooperate instead of compete
• Deploy applica琀椀ons and data securely
– Everyone is on-board
• Create a feedback loop
– Red informs blue, blue informs red
White team
• Not on a side
– Manages the interac琀椀ons between red teams
and blue teams
• The referees in a security exercise
– Enforces the rules
– Resolves any issues
– Determines the score
• Manages the post-event assessments
– Lessons learned
– Results
2.1 - Con昀椀gura琀椀on Management
Con昀椀gura琀椀on management
• The only constant is change
– Opera琀椀ng systems, patches, applica琀椀on updates, network
modi昀椀ca琀椀ons, new applica琀椀on instances, etc.
• Iden琀椀fy and document hardware and so昀琀ware se琀�ngs
– Manage the security when changes occur
• Rebuild those systems if a disaster occurs
– Documenta琀椀on and processes will be cri琀椀cal
Diagrams
• Network diagrams - Document the physical wire and device
• Physical data center layout
– Can include physical rack loca琀椀ons
• Device diagrams - Individual cabling
© 2020 Messer Studios, LLC
Baseline con昀椀gura琀椀on
• The security of an applica琀椀on environment
should be well de昀椀ned
– All applica琀椀on instances must follow this baseline
– Firewall se琀�ngs, patch levels, OS 昀椀le versions
– May require constant updates
• Integrity measurements check for the
secure baseline
– These should be performed o昀琀en
– Check against well-documented baselines
– Failure requires an immediate correc琀椀on
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 33
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.1 - Con昀椀gura琀椀on Management (con琀椀nued)
Standard naming conven琀椀ons
• Create a standard
– Needs to be easily understood by everyone
• Devices
– Asset tag names and numbers
– Computer names - loca琀椀on or region
– Serial numbers
• Networks - Port labeling
• Domain con昀椀gura琀椀ons
– User account names
– Standard email addresses
IP schema
• An IP address plan or model
– Consistent addressing for network devices
– Helps avoid duplicate IP addressing
• Loca琀椀ons
– Number of subnets, hosts per subnet
• IP ranges
– Di昀昀erent sites have a di昀昀erent subnet
– 10.1.x.x/24, 10.2.x.x/24, 10.3.x.x/24
• Reserved addresses
– Users, printers, routers/default gateways
2.1 - Protec琀椀ng Data
Protec琀椀ng Data
• A primary job task
– An organiza琀椀on is out of business without data
• Data is everywhere
– On a storage drive, on the network, in a CPU
• Protec琀椀ng the data
– Encryp琀椀on, security policies
• Data permissions
– Not everyone has the same access
Data sovereignty
• Data sovereignty
– Data that resides in a country is subject to
the laws of that country
– Legal monitoring, court orders, etc.
• Laws may prohibit where data is stored
– GDPR (General Data Protec琀椀on Regula琀椀on)
– Data collected on EU ci琀椀zens must be stored
in the EU
– A complex mesh of technology and legali琀椀es
• Where is your data stored?
– Your compliance laws may prohibit
moving data out of the country
Data masking
• Data obfusca琀椀on
– Hide some of the original data
• Protects PII
– And other sensi琀椀ve data
• May only be hidden from view
– The data may s琀椀ll be intact in storage
– Control the view based on permissions
• Many di昀昀erent techniques
– Subs琀椀tu琀椀ng, shu昀툀ing, encryp琀椀ng, masking out, etc.
Data encryp琀椀on
• Encode informa琀椀on into unreadable data
– Original informa琀椀on is plaintext, encrypted
form is ciphertext
• This is a two-way street
– Convert between one and the other
– If you have the proper key
© 2020 Messer Studios, LLC
• Confusion
– The encrypted data is dras琀椀cally di昀昀erent
than the plaintext
• Di昀昀usion
– Change one character of the input, and many
characters change of the output
Data at-rest
• The data is on a storage device
– Hard drive, SSD, 昀氀ash drive, etc.
• Encrypt the data
– Whole disk encryp琀椀on
– Database encryp琀椀on
– File- or folder-level encryp琀椀on
• Apply permissions
– Access control lists
– Only authorized users can access the data
Data in-transit
• Data transmi琀琀ed over the network
– Also called data in-mo琀椀on
• Not much protec琀椀on as it travels
– Many di昀昀erent switches, routers, devices
• Network-based protec琀椀on
– Firewall, IPS
• Provide transport encryp琀椀on
– TLS (Transport Layer Security)
– IPsec (Internet Protocol Security)
Data in-use
• Data is ac琀椀vely processing in memory
– System RAM, CPU registers and cache
• The data is almost always decrypted
– Otherwise, you couldn’t do anything with it
• The a琀琀ackers can pick the decrypted informa琀椀on
out of RAM
– A very a琀琀rac琀椀ve op琀椀on
• Target Corp. breach - November 2013
– 110 million credit cards
– Data in-transit encryp琀椀on and data at-rest encryp琀椀on
– A琀琀ackers picked the credit card numbers out of the
point-of-sale RAM
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 34
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.1 - Protec琀椀ng Data (con琀椀nued)
Tokeniza琀椀on
• Replace sensi琀椀ve data with a non-sensi琀椀ve placeholder
– SSN 266-12-1112 is now 691-61-8539
• Common with credit card processing
– Use a temporary token during payment
– An a琀琀acker capturing the card numbers
can’t use them later
• This isn’t encryp琀椀on or hashing
– The original data and token aren’t mathema琀椀cally related
– No encryp琀椀on overhead
Informa琀椀on Rights Management (IRM)
• Control how data is used
– Microso昀琀 O昀케ce documents,
email messages, PDFs
• Restrict data access to unauthorized persons
– Prevent copy and paste
– Control screenshots
– Manage prin琀椀ng
– Restrict edi琀椀ng
• Each user has their own set of rights
– A琀琀ackers have limited op琀椀ons
2.1 - Data Loss Preven琀椀on
Data Loss Preven琀椀on (DLP)
• Where’s your data?
– Social Security numbers, credit card numbers,
medical records
• Stop the data before the a琀琀ackers get it
– Data “leakage”
• So many sources, so many des琀椀na琀椀ons
– O昀琀en requires mul琀椀ple solu琀椀ons in di昀昀erent places
Data Loss Preven琀椀on (DLP) systems
• On your computer
– Data in use
– Endpoint DLP
• On your network
– Data in mo琀椀on
• On your server
– Data at rest
USB blocking
• DLP on a worksta琀椀on
– Allow or deny certain tasks
• November 2008 - U.S. Department of Defense
– Worm virus “agent.btz” replicates using USB storage
– Bans removable 昀氀ash media and storage devices
• All devices had to be updated
– Local DLP agent handled USB blocking
• Ban was li昀琀ed in February 2010
– Replaced with strict guidelines
Cloud-based DLP
• Located between users and the Internet
– Watch every byte of network tra昀케c
– No hardware, no so昀琀ware
• Block custom de昀椀ned data strings
– Unique data for your organiza琀椀on
• Manage access to URLs
– Prevent 昀椀le transfers to cloud storage
• Block viruses and malware
– Anything traversing the network
DLP and email
• Email con琀椀nues to be the most cri琀椀cal risk vector
– Inbound threats, outbound data loss
• Check every email inbound and outbound
– Internal system or cloud-based
• Inbound - Block keywords, iden琀椀fy impostors,
quaran琀椀ne email messages
• Outbound - Fake wire transfers, W-2 transmissions,
employee informa琀椀on
Emailing a spreadsheet template
• November 2016 - Boeing employee emails spouse a
spreadsheet to use as a template
• Contained the PII of 36,000 Boeing employees
– In hidden columns
– Social security numbers, date of birth, etc.
• Boeing sells its own DLP so昀琀ware
– But only uses it for classi昀椀ed work
2.1 - Managing Security
Geographical considera琀椀ons
• Legal implica琀椀ons
– Business regula琀椀ons vary between states
– For a recovery site outside of the country, personnel
must have a passport and be able to clear immigra琀椀on
– Refer to your legal team
• O昀昀site backup
– Organiza琀椀on-owned site or 3rd-party secure facility
• O昀昀site recovery
– Hosted in a di昀昀erent loca琀椀on, outside the scope of the
disaster
– Travel considera琀椀ons for support sta昀昀 and employees
© 2020 Messer Studios, LLC
Response and recovery controls
• Incident response and recovery has become
commonplace
– A琀琀acks are frequent and complex
• Incident response plan should be established
– Documenta琀椀on is cri琀椀cal
– Iden琀椀fy the a琀琀ack
– Contain the a琀琀ack
• Limit the impact of an a琀琀acker
– Limit data ex昀椀ltra琀椀on
– Limit access to sensi琀椀ve data
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 35
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.1 - Managing Security (con琀椀nued)
SSL/TLS inspec琀椀on
• Commonly used to examine outgoing SSL/TLS
– Secure Sockets Layer/Transport Layer Security
– For example, from your computer to your bank
• Wait a second. Examine encrypted tra昀케c?
– Is that possible?
• SSL/TLS relies on trust
– Without trust, none of this works
Trust me, I’m SSL
• Your browser contains a list of trusted CAs
– My browser contains about 170 trusted
CAs cer琀椀昀椀cates
• Your browser doesn’t trust a web site unless a CA has
signed the web server’s encryp琀椀on cer琀椀昀椀cate
– The web site pays some money to the CA for this
• The CA has ostensibly performed some checks
– Validated against the DNS record, phone call, etc.
• Your browser checks the web server’s cer琀椀昀椀cate
– If it’s signed by a trusted CA, the encryp琀椀on
works seamlessly
Hashing
• Represent data as a short string of text
– A message digest
• One-way trip
– Impossible to recover the original message
from the digest
– Used to store passwords / con昀椀den琀椀ality
• Verify a downloaded document is the same
as the original
– Integrity
• Can be a digital signature
– Authen琀椀ca琀椀on, non-repudia琀椀on, and integrity
• Will not have a collision (hopefully)
– Di昀昀erent messages will not have the same hash
API considera琀椀ons
• API (Applica琀椀on Programming Interface)
– Control so昀琀ware or hardware programma琀椀cally
• Secure and harden the login page
– Don’t forget about the API
• On-path a琀琀ack
– Intercept and modify API messages,
replay API commands
• API injec琀椀on
– Inject data into an API message
• DDoS (Distributed Denial of Service)
– One bad API call can bring down a system
API security
• Authen琀椀ca琀椀on
– Limit API access to legi琀椀mate users
– Over secure protocols
• Authoriza琀椀on
– API should not allow extended access
– Each user has a limited role
– A read-only user should not be able to make
changes
• WAF (Web Applica琀椀on Firewall)
– Apply rules to API communica琀椀on
2.1 - Site Resiliency
Site resiliency
• Recovery site is prepped
– Data is synchronized
• A disaster is called
– Business processes failover to the alternate
processing site
• Problem is addressed
– This can take hours, weeks, or longer
• Revert back to the primary loca琀椀on
– The process must be documented for both direc琀椀ons
Hot site
• An exact replica
– Duplicate everything
• Stocked with hardware
– Constantly updated
– You buy two of everything
• Applica琀椀ons and so昀琀ware are constantly updated
– Automated replica琀椀on
• Flip a switch and everything moves
– This may be quite a few switches
© 2020 Messer Studios, LLC
Cold Site
• No hardware
– Empty building
• No data
– Bring it with you
• No people
– Bus in your team
Warm site
• Somewhere between cold and hot
– Just enough to get going
• Big room with rack space
– You bring the hardware
• Hardware is ready and wai琀椀ng
– You bring the so昀琀ware and data
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 36
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.1 - Honeypots and Decep琀椀on
Honeypots
• A琀琀ract the bad guys
– And trap them there
• The “a琀琀acker” is probably a machine
– Makes for interes琀椀ng recon
• Honeypots
– Create a virtual world to explore
• Many di昀昀erent op琀椀ons
– Kippo, Google Hack Honeypot, Wordpot, etc.
• Constant ba琀琀le to discern the real from the fake
Honey昀椀les and honeynets
• Honeynets
– More than one honeypot on a network
– More than one source of informa琀椀on
– Stop spammers - h琀琀ps://projecthoneypot.org
• Honey昀椀les
– Bait for the honeynet (passwords.txt)
– An alert is sent if the 昀椀le is accessed
– A virtual bear trap
Fake telemetry
• Machine learning
– Interpret big data to iden琀椀fy the invisible
• Train the machine with actual data
– Learn how malware looks and acts
– Stop malware based on ac琀椀ons instead of signatures
• Send the machine learning model fake telemetry
– Make malicious malware look benign
DNS sinkhole
• A DNS that hands out incorrect IP addresses
– Blackhole DNS
• This can be bad
– An a琀琀acker can redirect users to a malicious site
• This can be good
– Redirect known malicious domains to a benign IP address
– Watch for any users hi琀�ng that IP address
– Those devices are infected
• Can be integrated with a 昀椀rewall
– Iden琀椀fy infected devices not directly connected
2.2 - Cloud Models
Infrastructure as a service (IaaS)
Anything as a Service (XaaS)
• Some琀椀mes called Hardware as a Service (HaaS)
• A broad descrip琀椀on of all cloud models
– Outsource your equipment
– Use any combina琀椀on of the cloud
• You’re s琀椀ll responsible for the management
• Services delivered over the Internet
– And for the security
– Not locally hosted or managed
• Your data is out there, but more within your control
• Flexible consump琀椀on model
– No large upfront costs or ongoing licensing
• Web server providers
•
IT
becomes more of an opera琀椀ng model
Pla琀昀orm as a service (PaaS)
– And less of a cost-center model
• No servers, no so昀琀ware, no maintenance team,
– Any IT func琀椀on can be changed into a service
no HVAC
– Someone else handles the pla琀昀orm,
Infrastructure
Pla3orm
So5ware
you handle the development
On Premises
as
a
Service
as
a
Service
as
a Service
• You don’t have direct control of the data,
people, or infrastructure
Applica'on
Applica'on
Applica'on
Applica'on
– Trained security professionals are
watching your stu昀昀
Data
Data
Data
Data
– Choose carefully
Run'me
Run'me
Run'me
Run'me
• Put the building blocks together
– Develop your app from what’s
Middleware
Middleware
Middleware
Middleware
available on the pla琀昀orm
– SalesForce.com
OS
OS
OS
OS
So昀琀ware as a service (SaaS)
• On-demand so昀琀ware
Virtualiza'on
Virtualiza'on
Virtualiza'on
Virtualiza'on
– No local installa琀椀on
Servers
Servers
Servers
Servers
– Why manage your own email distribu琀椀on?
– Or payroll?
Storage
Storage
Storage
Storage
• Central management of data and applica琀椀ons
– Your data is out there
Networking
Networking
Networking
Networking
• A complete applica琀椀on o昀昀ering
– No development work required
Client Managed
Provider Managed
– Google Mail
© 2020 Messer Studios, LLC
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 37
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.2 - Cloud Models (con琀椀nued)
Cloud service providers
• Provide cloud services
– SaaS, PaaS, IaaS, etc.
• Charge a 昀氀at fee or based on use
– More data, more cost
• You s琀椀ll manage your processes
– Internal sta昀昀
– Development team
– Opera琀椀onal support
Managed service providers
• Managed Service Provider (MSP)
– Also a cloud service provider
– Not all cloud service providers are MSPs
• MSP support
– Network connec琀椀vity management
– Backups and disaster recovery
– Growth management and planning
• Managed Security Service Provider (MSSP)
– Firewall management
– Patch management, security audits
– Emergency response
On-premises vs. o昀昀-premises
• On-premises
– Your applica琀椀ons are on local hardware
– Your servers are in your data center in your building
• O昀昀-premises / hosted
– Your servers are not in your building
– They may not even be running on your hardware
– Usually a specialized compu琀椀ng environment
Cloud deployment models
• Public
– Available to everyone over the Internet
• Community
– Several organiza琀椀ons share the same resources
• Private
– Your own virtualized local data center
• Hybrid
– A mix of public and private
2.2 - Edge and Fog Compu琀椀ng
Cloud compu琀椀ng
• Compu琀椀ng on-demand
– Instantly available compu琀椀ng power
– Massive data storage capacity
• Fast implementa琀椀on
– IT teams can adjust rapidly to change
– Smaller startup costs and pay-as-you-go
• Not always the best solu琀椀on
– Latency - the cloud is far away
– Limited bandwidth
– Di昀케cult to protect data
– Requires Internet/network connec琀椀vity
Edge compu琀椀ng
• Over 30 billion IoT devices on the Internet
– Devices with very speci昀椀c func琀椀ons
– A huge amount of data
• Edge compu琀椀ng - “Edge”
– Process applica琀椀on data on an edge server
– Close to the user
• O昀琀en process data on the device itself
– No latency, no network requirement
– Increased speed and performance
– Process where the data is, instead of
processing in the cloud
© 2020 Messer Studios, LLC
Fog compu琀椀ng
• Fog
– A cloud that’s close to your data
– Cloud + Internet of Things - Fog compu琀椀ng
• A distributed cloud architecture - Extends the cloud
• Distribute the data and processing
– Immediate data stays local - No latency
– Local decisions made from local data
– No bandwidth requirements
– Private data never leaves - Minimizes security concerns
– Long-term analysis can occur in the cloud - Internet
only when required
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 38
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.2 - Designing the Cloud
Applica琀椀on containeriza琀椀on
• Container
– Contains everything you need to run an applica琀椀on
– Code and dependencies
– A standardized unit of so昀琀ware
• An isolated process in a sandbox
– Self-contained
– Apps can’t interact with each other
• Container image
– A standard for portability
– Lightweight, uses the host kernel
– Secure separa琀椀on between applica琀椀ons
Microservices and APIs
• Monolithic applica琀椀ons
– One big applica琀椀on that does everything
• Applica琀椀on contains all decision making processes
– User interface
– Business logic
– Data input and output
• Code challenges
– Large codebase
– Change control challenges
• APIs
– Applica琀椀on Programming Interfaces
• API is the “glue” for the microservices
– Work together to act as the applica琀椀on
• Scalable
– Scale just the microservices you need
• Resilient
– Outages are contained
• Security and compliance
– Containment is built-in
App C
Guest
Opera5ng
System
Guest
Opera5ng
System
Guest
Opera5ng
System
Docker
Hypervisor
Host Opera5ng System
Infrastructure
Infrastructure
© 2020 Messer Studios, LLC
App G
App B
App F
App A
App E
Virtual
Machine
App D
Virtual
Machine
App C
Virtual
Machine
Containerized Applica2ons
App A
Virtualized Applica2ons
App B
Designing the cloud
• On-demand compu琀椀ng power
– Click a bu琀琀on
• Elas琀椀city
– Scale up or down as needed
• Applica琀椀ons also scale
– Access from anywhere
• How does it all happen?
– Planning and technology
Thin client
• Basic applica琀椀on usage
– Applica琀椀ons actually run on a remote server
– Virtual Desktop Infrastructure (VDI),
– Desktop as a Service (DaaS)
– Local device is a keyboard, mouse, and screen.
• Minimal opera琀椀ng system on the client
– No huge memory or CPU needs
• Network connec琀椀vity
– Big network requirement
– Everything happens across the wire
Virtualiza琀椀on
• Virtualiza琀椀on
– Run many di昀昀erent opera琀椀ng systems on the
same hardware
• Each applica琀椀on instance has its
own opera琀椀ng system
– Adds overhead and complexity
– Virtualiza琀椀on is rela琀椀vely expensive
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 39
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.2 - Designing the Cloud (con琀椀nued)
Serverless architecture
• Func琀椀on as a Service (FaaS)
– Applica琀椀ons are separated into individual, autonomous
func琀椀ons
– Remove the opera琀椀ng system from the equa琀椀on
• Developer s琀椀ll creates the server-side logic
– Runs in a stateless compute container
• May be event triggered and ephemeral
– May only run for one event
• Managed by a third-party
– All OS security concerns are at the third-party
Microservice Architecture
Client
API Gateway
Microservice
Microservice
Microservice
Database Database Database
Transit gateway
• Virtual Private Cloud (VPC)
– A pool of resources created in a public cloud
• Common to create many VPCs
– Many di昀昀erent applica琀椀on clouds
• Connect VPCs with a transit gateway
– And users to VPCs
– A “cloud router”
• Now make it secure
– VPCs are commonly on di昀昀erent IP subnets
– Connec琀椀ng to the cloud is o昀琀en through a VPN
Resource policies
• Assigning permissions to cloud resources
– Not the easiest task
– Everything is in constant mo琀椀on
• Specify which resources can be provisioned (Azure)
– Create a service in a speci昀椀c region,
deny all others
• Specify the resource and what ac琀椀ons are
permi琀琀ed (Amazon)
– Allow access to an API gateway from an
IP address range
• Explicitly list the users who can access the
resource (Amazon)
– Userlist is associated with the resource
Service integra琀椀on
• Service Integra琀椀on and Management (SIAM)
• Many di昀昀erent service providers
– The natural result of mul琀椀sourcing
• Every provider works di昀昀erently
– Di昀昀erent tools and processes
• SIAM is the integra琀椀on of these
diverse providers
– Provide a single business-facing
IT organiza琀椀on
• An evolving set of processes and procedures
Transit Gateway Network Architecture
VPN Connec0on
Transit Gateway
Customer Router
2.2 - Infrastructure as Code
Infrastructure as code
• Describe an infrastructure
– De昀椀ne servers, network, and applica琀椀ons as code
• Modify the infrastructure and create versions
– The same way you version applica琀椀on code
• Use the descrip琀椀on (code) to build other applica琀椀on
instances
– Build it the same way every 琀椀me based on the code
• An important concept for cloud compu琀椀ng
– Build a perfect version every 琀椀me
© 2020 Messer Studios, LLC
SDN (So昀琀ware De昀椀ned Networking)
• Networking devices have two func琀椀onal planes
of opera琀椀on
– Control plane, data plane
• Directly programmable
– Con昀椀gura琀椀on is di昀昀erent than forwarding
• Agile - Changes can be made dynamically
• Centrally managed - Global view, single pane of glass
• Programma琀椀cally con昀椀gured
– No human interven琀椀on
• Open standards / vendor neutral
– A standard interface to the network
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 40
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.2 - Infrastructure as Code (con琀椀nued)
SDV (So昀琀ware De昀椀ned Visibility)
• You must see the tra昀케c to secure the data
– React and respond
• Dynamic deployments include security and network
visibility devices
– Next-genera琀椀on 昀椀rewalls, web applica琀椀on 昀椀rewalls,
– Security Informa琀椀on and Event Management (SIEM)
• Data is encapsulated and encrypted
– VXLAN and SSL/TLS
• New technologies change what you can see
– Infrastructure as code, microservices
• Security devices monitor applica琀椀on tra昀케c
– SDV provides visibility to tra昀케c 昀氀ows
• Visibility expands as the applica琀椀on instances expand
– Real-琀椀me metrics across all tra昀케c 昀氀ows
• Applica琀椀on 昀氀ows can be controlled via API
– Iden琀椀fy and react to threats
2.2 - Virtualiza琀椀on Security
VM sprawl avoidance
• Click a bu琀琀on
– You’ve built a server
– Or mul琀椀ple servers, networks, and 昀椀rewalls
• It becomes almost too easy to build instances
– This can get out of hand very quickly
• The virtual machines are sprawled everywhere
– You aren’t sure which VMs are related to which applica琀椀ons
– It becomes extremely di昀케cult to deprovision
• Formal process and detailed documenta琀椀on
– You should have informa琀椀on on every virtual object
VM escape protec琀椀on
• The virtual machine is self-contained
– There’s no way out - Or is there?
• Virtual machine escape
– Break out of the VM and interact with the host opera琀椀ng
system or hardware
• Once you escape the VM, you have great control
– Control the host and control other guest VMs
• This would be a huge exploit
– Full control of the virtual world
Escaping the VM
• March 2017 - Pwn2Own compe琀椀琀椀on
– Hacking contest
– You pwn it, you own it - along with some cash
• JavaScript engine bug in Microso昀琀 Edge
– Code execu琀椀on in the Edge sandbox
• Windows 10 kernel bug
– Compromise the guest opera琀椀ng system
• Hardware simula琀椀on bug in VMware
– Escape to the host
• Patches were released soon a昀琀erwards
2.3 - Secure Deployments
Development to produc琀椀on
• Your programming team has been working on a new applica琀椀on
– How will you deploy it safely and reliably?
• Patch Tuesday
– Test and deploy Wednesday? Thursday? Friday?
• Manage the process
– Safely move from a non-produc琀椀on phase to full produc琀椀on
Sandboxing
• Isolated tes琀椀ng environment
– No connec琀椀on to the real world or produc琀椀on system
– A technological safe space
• Use during the development process
– Try some code, break some code, nobody gets hurt
• Incremental development
– Helps build the applica琀椀on
Building the applica琀椀on
• Development
– Secure environment
– Wri琀椀ng code
– Developers test in their sandboxes
© 2020 Messer Studios, LLC
• Test
– S琀椀ll in the development stage
– All of the pieces are put together
– Does it all work?
– Func琀椀onal tests
– If it works in test, then it’s ready for staging
Verifying the applica琀椀on
• Quality Assurance (QA)
– Veri昀椀es features are working as expected
– Validates new func琀椀onality
– Veri昀椀es old errors don’t reappear
• Staging
– Almost ready to roll it out
– Works and feels exactly like the produc琀椀on
environment
– Working with a copy of produc琀椀on data
– Run performance tests
– Test usability and features
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 41
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.3 - Secure Deployments (con琀椀nued)
Using the applica琀椀on
• Produc琀椀on
– Applica琀椀on is live
– Rolled out to the user community
• A challenging step
– Impacts the users
• Logis琀椀cal challenges
– New servers
– New so昀琀ware
– Restart or interrupt of service
Secure baselines
• The security of an applica琀椀on environment should
be well de昀椀ned
– All applica琀椀on instances must follow this baseline
– Firewall se琀�ngs, patch levels, OS 昀椀le versions
– May require constant updates
• Integrity measurements check for the secure baseline
– These should be performed o昀琀en
– Check against well-documented baselines
– Failure requires an immediate correc琀椀on
2.3 - Provisioning and Deprovisioning
Provisioning
• Deploy an applica琀椀on
– Web server, database server, middleware server, user
worksta琀椀on con昀椀gura琀椀ons, cer琀椀昀椀cate updates, etc.
• Applica琀椀on so昀琀ware security
– Opera琀椀ng system, applica琀椀on
• Network security
– Secure VLAN, internal access, external access
• So昀琀ware deployed to worksta琀椀ons
– Check executables for malicious code, verify security
posture of the worksta琀椀on
Scalability and elas琀椀city
• Handle applica琀椀on workload
– Adapt to dynamic changes
• Scalability
– The ability to increase the workload in a
given infrastructure
– Build an applica琀椀on instance that can handle
– 100,000 transac琀椀ons per second
• Elas琀椀city
– Increase or decrease available resources as the
workload changes
– Deploy mul琀椀ple applica琀椀on instances to handle
– 500,000 transac琀椀ons per second
Orchestra琀椀on
• Automa琀椀on is the key to cloud compu琀椀ng
– Services appear and disappear automa琀椀cally,
or at the push of a bu琀琀on
• En琀椀re applica琀椀on instances can be instantly provisioned
– All servers, networks, switches, 昀椀rewalls, and policies
• Instances can move around the world as needed
– Follow the sun
• The security policies should be part of the orchestra琀椀on
– As applica琀椀ons are provisioned, the proper security is
automa琀椀cally included
Deprovisioning
• Dismantling and removing an applica琀椀on instance
– All good things
• Security deprovisioning is important
– Don’t leave open holes, don’t close important ones
• Firewall policies must be reverted
– If the applica琀椀on is gone, so is the access
• What happens to the data?
– Don’t leave informa琀椀on out there
2.3 - Secure Coding Techniques
Secure coding concepts
• A balance between 琀椀me and quality
– Programming with security in mind is o昀琀en secondary
• Tes琀椀ng, tes琀椀ng, tes琀椀ng
– The Quality Assurance (QA) process
• Vulnerabili琀椀es will eventually be found
– And exploited
Input valida琀椀on
• What is the expected input?
– Validate actual vs. expected
• Document all input methods
– Forms, 昀椀elds, type
© 2020 Messer Studios, LLC
• Check and correct all input (normaliza琀椀on)
– A zip code should be only X characters long with a
le琀琀er in the X column
– Fix any data with improper input
• The fuzzers will 昀椀nd what you missed
– Don’t give them an opening
Stored procedures
• SQL databases
– Client sends detailed requests for data
– ‘SELECT * FROM wp_op琀椀ons WHERE op琀椀on_id = 1’
• Client requests can be complex
– And some琀椀mes modi昀椀ed by the user
– This would not be good
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 42
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.3 - Secure Coding Techniques (con琀椀nued)
• Stored procedures limit the client interac琀椀ons
– ‘CALL get_op琀椀ons’
– That’s it. No modi昀椀ca琀椀ons to the query are possible.
• To be really secure, use only stored procedures
– The applica琀椀on doesn’t use any SQL queries
Obfusca琀椀on/camou昀氀age
• Obfuscate
– Make something normally understandable very
di昀케cult to understand
• Take perfectly readable code and turn it into nonsense
– The developer keeps the readable code and gives
you the chicken scratch
– Both sets of code perform exactly the same way
• Helps prevent the search for security holes
– Makes it more di昀케cult to 昀椀gure out
what’s happening - But not impossible
Code reuse/dead code
• Code reuse
– Use old code to build new applica琀椀ons
– Copy and paste
• If the old code has security vulnerabili琀椀es, reusing
the code spreads it to other applica琀椀ons
– You’re making this much more di昀케cult for everyone
• Dead code
– Calcula琀椀ons are made, code is executed,
results are tallied
– The results aren’t used anywhere else in the
applica琀椀on
• All code is an opportunity for a security problem
– Make sure your code is as alive as possible
Valida琀椀on points
• Server-side valida琀椀on
– All checks occur on the server
– Helps protect against malicious users
– A琀琀ackers may not even be using your interface
• Client-side valida琀椀on
– The end-user’s app makes the valida琀椀on decisions
– Can 昀椀lter legi琀椀mate input from genuine users
– May provide addi琀椀onal speed to the user
• Use both - But especially server-side valida琀椀on
Memory management
• As a developer, you must be mindful of how memory is used
– Many opportuni琀椀es to build vulnerable code
• Never trust data input
– Malicious users can a琀琀empt to circumvent your code
• Bu昀昀er over昀氀ows are a huge security risk
– Make sure your data matches your bu昀昀er sizes
• Some built-in func琀椀ons are insecure
– Use best prac琀椀ces when designing your code
Third-party libraries and SDKs
• Your programming language does everything - Almost
• Third-party libraries and so昀琀ware development kits
– Extend the func琀椀onality of a programming language
• Security risk
– Applica琀椀on code wri琀琀en by someone else
– Might be secure. Might not be secure.
– Extensive tes琀椀ng is required
• Balancing act - Applica琀椀on features vs. unknown code base
Data exposure
• So much sensi琀椀ve data
– Credit card numbers, social security numbers, medical
informa琀椀on, address details, email informa琀椀on
• How is the applica琀椀on handling the data?
– No encryp琀椀on when stored
– No encryp琀椀on across the network
– Displaying informa琀椀on on the screen
• All input and output processes are important
– Check them all for data exposure
Version control
• Create a 昀椀le, make a change, make another change,
and another change
– Track those changes, revert back to a previous version
• Commonly used in so昀琀ware development
– But also in opera琀椀ng systems, wiki so昀琀ware, and
cloud-based 昀椀le storage
• Useful for security
– Compare versions over 琀椀me
– Iden琀椀fy modi昀椀ca琀椀ons to important 昀椀les
– A security challenge
– Historical informa琀椀on can be a security risk
2.3 - So昀琀ware Diversity
Exploi琀椀ng an applica琀椀on
• A琀琀ackers o昀琀en exploit applica琀椀on vulnerabili琀椀es
– They 昀椀nd the unlocked door and open it
• Once you exploit one binary, you can exploit them all
– The applica琀椀on works the same on all systems
– A Windows 10 exploit a昀昀ects all Windows 10 users
• What if all of the computers were running di昀昀erent
so昀琀ware?
– Unique binaries
– Func琀椀onally iden琀椀cal
© 2020 Messer Studios, LLC
So昀琀ware diversity
• Alterna琀椀ve compiler paths would result in a di昀昀erent
binary each 琀椀me
– Each compiled applica琀椀on would be a li琀琀le bit
di昀昀erent
– But func琀椀onally the same
• An a琀琀ack against di昀昀erent binaries would only be
successful on a frac琀椀on of the users
– An a琀琀acker wouldn’t know what exploit to use
– Make the game much harder to win
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 43
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.3 - Automa琀椀on and Scrip琀椀ng
Automa琀椀on and scrip琀椀ng
• Plan for change
– Implement automa琀椀cally
• Automated courses of ac琀椀on
– Many problems can be predicted
– Have a set of automated responses
• Con琀椀nuous monitoring
– Check for a par琀椀cular event, and then react
• Con昀椀gura琀椀on valida琀椀on
– Cloud-based technologies allow for
constant change
– Automa琀椀cally validate a con昀椀gura琀椀on
before going live
– Perform ongoing automated checks
Con琀椀nuous integra琀椀on (CI)
• Code is constantly wri琀琀en
– And merged into the central repository many 琀椀mes a day
• So many chances for security problems
– Security should be a concern from the beginning
• Basic set of security checks during development
– Documented security baselines as the bare minimum
• Large-scale security analysis during the tes琀椀ng phase
– Signi昀椀cant problems will have already been covered
Con琀椀nuous delivery/deployment (CD)
• Con琀椀nuous delivery
– Automate the tes琀椀ng process
– Automate the release process
– Click a bu琀琀on and deploy the applica琀椀on
• Con琀椀nuous deployment
– Even more automa琀椀on
– Automa琀椀cally deploy to produc琀椀on
– No human integra琀椀on or manual checks
2.4 - Authen琀椀ca琀椀on Methods
Directory services
• Keep all of an organiza琀椀on’s usernames and passwords
in a single database
– Also contains computers, printers, and other devices
• Large distributed database
– Constantly replicated
• All authen琀椀ca琀椀on requests reference this directory
– Each user only needs one set of creden琀椀als
– One username and password for all services
• Access via Kerberos or LDAP
Federa琀椀on
• Provide network access to others
– Not just employees - Partners, suppliers, customers, etc.
– Provides SSO and more
• Third-par琀椀es can establish a federated network
– Authen琀椀cate and authorize between the
two organiza琀椀ons
– Login with your Facebook creden琀椀als
• The third-par琀椀es must establish a trust rela琀椀onship
– And the degree of the trust
A琀琀esta琀椀on
• Prove the hardware is really yours
– A system you can trust
• Easy when it’s just your computer
– More di昀케cult when there are 1,000
• Remote a琀琀esta琀椀on
– Device provides an opera琀椀onal report to a
veri昀椀ca琀椀on server
– Encrypted and digitally signed with the TPM
– An IMEI or other unique hardware component can be
included in the report
© 2020 Messer Studios, LLC
Short message service (SMS)
• Text messaging
– Includes more than text these days
• Login factor can be sent via SMS to a prede昀椀ned
phone number
– Provide username and password
– Phone receives an SMS
– Input the SMS code into the login form
• Security issues exist
– Phone number can be reassigned to a
di昀昀erent phone
– SMS messages can be intercepted
Push no琀椀昀椀ca琀椀on
• Similar process to an SMS no琀椀昀椀ca琀椀on
– Authen琀椀ca琀椀on factor is pushed to a specialized app
– Usually on a mobile device
• Security challenges
– Applica琀椀ons can be vulnerable
– Some push apps send in the clear
• S琀椀ll more secure than SMS
– Mul琀椀ple factors are be琀琀er than one factor
Authen琀椀ca琀椀on apps
• Pseudo-random token generators
– A useful authen琀椀ca琀椀on factor
• Carry around a physical hardware token generator
– Where are my keys again?
• Use so昀琀ware-based token generator on your phone
– Powerful and convenient
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 44
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.4 - Authen琀椀ca琀椀on Methods (con琀椀nued)
TOTP
• Time-based One-Time Password algorithm
– Use a secret key and the 琀椀me of day
– No incremental counter
• Secret key is con昀椀gured ahead of 琀椀me
– Timestamps are synchronized via NTP
• Timestamp usually increments every 30 seconds
– Put in your username, password, and TOTP code
• One of the more common OTP methods
– Used by Google, Facebook, Microso昀琀, etc.
HOTP
• One-琀椀me passwords
– Use them once, and never again
– Once a session, once each authen琀椀ca琀椀on a琀琀empt
• HMAC-based One-Time Password algorithm
– Keyed-hash message authen琀椀ca琀椀on code (HMAC)
– The keys are based on a secret key and a counter
• Token-based authen琀椀ca琀椀on
– The hash is di昀昀erent every 琀椀me
• Hardware and so昀琀ware tokens available
– You’ll need addi琀椀onal technology to make this work
Phone call
• A voice call provides the token
– The computer is talking to you
– “Your code is 1-6-2-5-1-7.”
• Similar disadvantages to SMS
– Phone call can be intercepted or forwarded
– Phone number can be added to another phone
Sta琀椀c codes
• Authen琀椀ca琀椀on factors that don’t change
– You just have to remember
• Personal Iden琀椀昀椀ca琀椀on Number (PIN)
– Your secret numbers
• Can also be alphanumeric
– A password or passphrase
Smart cards
• Integrated circuit card - Contact or contactless
• Common on credit cards - Also used for access control
• Must have physical card to provide digital access
– A digital cer琀椀昀椀cate
• Mul琀椀ple factors
– Use the card with a PIN or 昀椀ngerprint
2.4 - Biometrics
Biometric factors
• Fingerprint scanner
– Phones, laptops, door access
• Re琀椀nal scanner
– Unique capillary structure in
the back of the eye
• Iris scanner
– Texture, color
• Voice recogni琀椀on
– Talk for access
• Facial recogni琀椀on
– Shape of the face and features
• Gait analysis
– Iden琀椀fy a person based on
how they walk
– Many unique measurements
• Veins
– Vascular scanners
– Match the blood vessels visible
from the surface of the skin
© 2020 Messer Studios, LLC
Biometric acceptance rates
• False acceptance rate (FAR)
– Likelihood that an unauthorized user will be accepted
– Not sensi琀椀ve enough
• False rejec琀椀on rate (FRR)
– Likelihood that an authorized user will be rejected
– Too sensi琀椀ve
• Crossover error rate (CER)
– De昀椀nes the overall accuracy of a biometric system
– The rate at which FAR and FRR are equal
– Adjust sensi琀椀vity to equalize both values
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 45
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.4 - Mul琀椀-factor Authen琀椀ca琀椀on
AAA framework
• Iden琀椀昀椀ca琀椀on
– This is who you claim to be
– Usually your username
• Authen琀椀ca琀椀on
– Prove you are who you say you are
– Password and other authen琀椀ca琀椀on factors
• Authoriza琀椀on
– Based on your iden琀椀昀椀ca琀椀on and authen琀椀ca琀椀on,
what access do you have?
• Accoun琀椀ng
– Resources used: Login 琀椀me, data sent
and received, logout 琀椀me
Cloud vs. on-premises authen琀椀ca琀椀on
• Cloud-based security
– Third-party can manage the pla琀昀orm
– Centralized pla琀昀orm
– Automa琀椀on op琀椀ons with API integra琀椀on
– May include addi琀椀onal op琀椀ons (for a cost)
• On-premises authen琀椀ca琀椀on system
– Internal monitoring and management
– Need internal exper琀椀se
– External access must be granted and managed
Mul琀椀-factor authen琀椀ca琀椀on
• Factors
– Something you know
– Something you have
– Something you are
• A琀琀ributes
– Somewhere you are
– Something you can do
– Something you exhibit
– Someone you know
Something you know
• Password
– Secret word/phrase, string of characters
– Very common authen琀椀ca琀椀on factor
• PIN
– Personal iden琀椀昀椀ca琀椀on number
– Not typically contained anywhere on a
smart card or ATM card
• Pa琀琀ern
– Complete a series of pa琀琀erns
– Only you know the right format
Something you have
• Smart card
– Integrates with devices
– May require a PIN
• USB token - Cer琀椀昀椀cate is on the USB device
• Hardware or so昀琀ware tokens
– Generates pseudo-random authen琀椀ca琀椀on codes
• Your phone -SMS a code to your phone
© 2020 Messer Studios, LLC
Something you are
• Biometric authen琀椀ca琀椀on
– Fingerprint, iris scan, voice print
• Usually stores a mathema琀椀cal representa琀椀on
of your biometric
– Your actual 昀椀ngerprint isn’t usually saved
• Di昀케cult to change
– You can change your password
– You can’t change your 昀椀ngerprint
• Used in very speci昀椀c situa琀椀ons
– Not foolproof
Somewhere you are
• Provide a factor based on your loca琀椀on
– The transac琀椀on only completes if you are in a
par琀椀cular geography
• IP address
– Not perfect, but can help provide more info
– Works with IPv4, not so much with IPv6
• Mobile device loca琀椀on services
– Geoloca琀椀on to a very speci昀椀c area
– Must be in a loca琀椀on that can receive GPS
informa琀椀on or near an iden琀椀昀椀ed mobile
or 802.11 network
– S琀椀ll not a perfect iden琀椀昀椀er of loca琀椀on
Something you can do
• A personal way of doing things
– You’re special
• Handwri琀椀ng analysis
– Signature comparison
– Wri琀椀ng technique
• Typing technique
– Delays between keystrokes
• Very similar to biometrics
– Close to something you are
Other a琀琀ributes
• Something you exhibit
– A unique trait, personal to you
– Gait analysis - the way you walk
– Typing analysis - the way you hit the
enter key too hard
• Someone you know
– A social factor
– It’s not what you know…
– Web of trust
– Digital signature
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 46
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.5 - Disk Redundancy
Redundancy
• Duplicate parts of the system
– If a part fails, the redundant part can be used
• Maintain up琀椀me
– The organiza琀椀on con琀椀nues to func琀椀on
• No hardware failure
– Servers keep running
• No so昀琀ware failure
– Services always available
• No system failure
– Network performing op琀椀mally
Geographic dispersal
• Bad things can happen in a local area
– Hurricanes, tornadoes, 昀氀ooding,
• Disperse technologies to di昀昀erent geographies
– Use mul琀椀ple data centers
– In di昀昀erent loca琀椀ons
• Data centers might be part of the normal opera琀椀ons
– East coast and west coast opera琀椀ons centers
• May be part of a disaster recovery center
– If Florida gets hit, 昀椀re up the Denver data center
Disk redundancy
• Mul琀椀path I/O (Input/Output)
– Especially useful for network-based storage subsystems
– Mul琀椀ple Fibre Channel interfaces with mul琀椀ple switches
• RAID - Redundant Array of Independent Disks
• Mul琀椀ple drives create redundancy
– Many di昀昀erent designs and implementa琀椀ons
RAID Level
Descrip/on
Details
RAID 0
Striping without parity
High performance, no fault tolerance
RAID 1
Mirroring
RAID 5
Striping with parity
RAID 0+1, RAID 1+0,
RAID 5+1, etc.
Mul=ple RAID types
Duplicates data for fault tolerance,
but requires twice the disk space
Fault tolerant, only requires an
addi=onal disk for redundancy
Combine RAID methods to increase redundancy
2.5 - Network Redundancy
Load balancing
• Some servers are ac琀椀ve - Others are on standby
• If an ac琀椀ve server fails, the passive server takes its place
NIC teaming
• Load Balancing / Fail Over (LBFO)
– Aggregate bandwidth, redundant paths
– Becomes more important in the virtual world
• Mul琀椀ple network adapters
– Looks like a single adapter
– Integrate with switches
• NICs talk to each other
– Usually mul琀椀cast instead of broadcast
– Fails over when a NIC doesn’t respond
The Internet
Load
Balancer
Server A
Server B
Server C
Server D
2.5 - Power Redundancy
UPS - Uninterrup琀椀ble Power Supply
– Short-term backup power
– Blackouts, brownouts, surges
• UPS types
– O昀툀ine/Standby UPS
– Line-interac琀椀ve UPS
– On-line/Double-conversion UPS
• Features
– Auto shutdown, ba琀琀ery capacity, outlets,
phone line suppression
© 2020 Messer Studios, LLC
Generators
• Long-term power backup
– Fuel storage required
• Power an en琀椀re building
– Some power outlets may be marked as
generator-powered
• It may take a few minutes to get the
generator up to speed
– Use a ba琀琀ery UPS while the generator is star琀椀ng
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 47
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.5 - Power Redundancy (con琀椀nued)
Dual-power supplies
• Redundancy
– Internal server power supplies
– External power circuits
• Each power supply can handle 100% of the load
– Would normally run at 50% of the load
• Hot-swappable
– Replace a faulty power supply without powering down
Power distribu琀椀on units (PDUs)
• Provide mul琀椀ple power outlets
– Usually in a rack
• O昀琀en include monitoring and control
– Manage power capacity
– Enable or disable individual outlets
2.5 - Replica琀椀on
SAN replica琀椀on
• Share data between di昀昀erent devices
– If one device fails, you can s琀椀ll work with the data
– VERY fast recovery 琀椀mes compared to
tradi琀椀onal backups
• Storage area networks (SANs)
– Specialized high-performance network of
storage devices
• SAN-to-SAN replica琀椀on
– Duplicate data from one data center to another
• SAN snapshot
– Create a state of data based on a point in 琀椀me
– Copy that state to other SANs
VM replica琀椀on
• Virtual machine redundancy
– Maintain one VM, replicate to all others
– The virtual machine is really just one big 昀椀le
• Consistent service o昀昀ering
– Maintain copies anywhere in the world
• Recover from a replicated copy
– Provides a backup if needed
• E昀케cient copying
– Only replicates the data that has changed
On premises vs. cloud redundancy
• Speed
– Local devices are connect over very fast networks
– Cloud connec琀椀ons are almost always slower
• Money
– Purchasing your own storage is an expensive
capital investment
– Cloud costs have a low entry point and can scale
• Security
– Local data is private
– Data stored in the cloud requires addi琀椀onal
security controls
2.5 - Backup Types
Backup Types
• The archive a琀琀ribute
– Set when a 昀椀le is modi昀椀ed
• Full - Everything
– You’ll want this one 昀椀rst
• Incremental
– All 昀椀les changed since the last incremental backup
• Di昀昀eren琀椀al
– All 昀椀les changed since the last full backup
Incremental Backup
• A full backup is taken 昀椀rst
• Subsequent backups contain
data changed since the last full
backup and last incremental backup
– These are usually smaller
than the full backup
• A restora琀椀on requires the full
backup and all of the incremental
backups
Data Selec,on
Backup / Restore Time
Archive A;ribute
Full
All selected data
High / Low
(one tape set)
Cleared
Incremental
New files and files
modified since the
last backup
Low / High
(MulAple tape sets)
Cleared
DifferenAal
All data modified
since the last full
backup
Moderate / Moderate
(No more than 2 sets)
Not Cleared
Incremental
Incremental
Incremental
Incremental
Full
Backup
Monday
© 2020 Messer Studios, LLC
Type
Incremental
Incremental
Full
Backup
Tuesday
Wednesday
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 48
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
Thursday
Recovery
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.5 - Backup Types (con琀椀nued)
Di昀昀eren琀椀al Backup
• A full backup is taken 昀椀rst
• Subsequent backups contain
data changed since the last
full backup
– These usually grow larger as
data is changed
• A restora琀椀on requires the full
backup and the last di昀昀eren琀椀al
backup
Differen9al
Differen9al
Differen9al
Full
Backup
Monday
Thursday’s
Differen9al
Full
Backup
Tuesday
Backup media
• Magne琀椀c tape
– Sequen琀椀al storage
– 100 GB to mul琀椀ple terabytes per cartridge
– Easy to ship and store
• Disk
– Faster than magne琀椀c tape - Deduplicate and compress
• Copy
– A useful strategy
– May not include versioning - May need to keep o昀昀site
NAS vs. SAN
• Network A琀琀ached Storage (NAS)
– Connect to a shared storage device across the network
– File-level access
• Storage Area Network (SAN)
– Looks and feels like a local storage device
– Block-level access
– Very e昀케cient reading and wri琀椀ng
• Requires a lot of bandwidth
– May use an isolated network and high-speed
network technologies
Wednesday
Thursday
Recovery
Other backups
• Cloud
– Backup to a remote device in the cloud
– Support many devices
– May be limited by bandwidth
• Image
– Capture an exactly replica of everything on a
storage drive
– Restore everything on a par琀椀琀椀on, including
opera琀椀ng system 昀椀les and user documents
Backup loca琀椀ons
• O昀툀ine backup
– Backup to local devices
– Fast and secure
– Must be protected and maintained
– O昀琀en requires o昀昀site storage for disaster recovery
• Online backup
– Remote network-connected third-party
– Encrypted
– Accessible from anywhere
– Speed is limited by network bandwidth
2.5 - Resiliency
Non-persistence
• The cloud is always in mo琀椀on
– Applica琀椀on instances are constantly built
and torn down
• Snapshots can capture the current con昀椀gura琀椀on and data
– Preserve the complete state of a device, or
just the con昀椀gura琀椀on
• Revert to known state
– Fall back to a previous snapshot
• Rollback to known con昀椀gura琀椀on
– Don’t modify the data, but use a previous con昀椀gura琀椀on
• Live boot media
– Run the opera琀椀ng system from removable
media - very portable!
High availability
• Redundancy doesn’t always mean always available
– May need to be powered on manually
© 2020 Messer Studios, LLC
• HA (high availability)
– Always on, always available
• May include many di昀昀erent components
working together
– Ac琀椀ve/Ac琀椀ve can provide scalability advantages
• Higher availability almost always means higher costs
– There’s always another con琀椀ngency you could add
– Upgraded power, high-quality server components,
etc.
Order of restora琀椀on
• Applica琀椀on-speci昀椀c
– Certain components may need to be restored 昀椀rst
– Databases should be restored before the applica琀椀on
• Backup-speci昀椀c
– Incremental backups restore the full backup,
then all subsequent incremental backups
– Di昀昀eren琀椀al backups restore the full backup,
then the last di昀昀eren琀椀al backup
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 49
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.5 - Resiliency (con琀椀nued)
Diversity
• Technologies
– A zero-day OS vulnerability can cause signi昀椀cant
outages
– Mul琀椀ple security devices
• Vendors
– A single vendor can become a disadvantage
– No op琀椀ons during annual renewals
– A bad support team may not be able to resolve
problems in a 琀椀mely manner
• Cryptographic
– All cryptography is temporary
– Diverse cer琀椀昀椀cate authori琀椀es can provide
addi琀椀onal protec琀椀on
• Controls
– Administra琀椀ve controls
– Physical controls
– Technical controls
– Combine them together
– Defense in depth
2.6 - Embedded Systems
Embedded systems
• Hardware and so昀琀ware designed for a speci昀椀c func琀椀on
– Or to operate as part of a larger system
• Is built with only this task in mind
– Can be op琀椀mized for size and/or cost
• Common examples
– Tra昀케c light controllers
– Digital watches
– Medical imaging systems
SoC (System on a Chip)
• Mul琀椀ple components running on a single chip
– Common with embedded systems
• Small form-factor
– External interface support
– Cache memory, 昀氀ash memory
– Usually lower power consump琀椀on
• Security considera琀椀ons are important
– Di昀케cult to upgrade hardware
– Limited o昀昀-the-shelf security op琀椀ons
Field-programmable gate array (FPGA)
• An integrated circuit that can be con昀椀gured
a昀琀er manufacturing
– Array of logic blocks
– Programmed in the 昀椀eld
• A problem doesn’t require a hardware replacement
– Reprogram the FPGA
• Common in infrastructure
– Firewall logic
– Routers
SCADA/ICS
• Supervisory Control and Data Acquisi琀椀on System
– Large-scale, mul琀椀-site Industrial Control Systems (ICS)
• PC manages equipment
– Power genera琀椀on, re昀椀ning, manufacturing equipment
– Facili琀椀es, industrial, energy, logis琀椀cs
• Distributed control systems
– Real-琀椀me informa琀椀on
– System control
• Requires extensive segmenta琀椀on
– No access from the outside
© 2020 Messer Studios, LLC
Smart devices / IoT (Internet of Things)
• Sensors - Hea琀椀ng and cooling, ligh琀椀ng
• Smart devices - Home automa琀椀on, video doorbells
• Wearable technology - Watches, health monitors
• Facility automa琀椀on - Temperature, air quality, ligh琀椀ng
• Weak defaults
– IOT manufacturers are not security professionals
Specialized
• Medical devices
– Heart monitors, insulin pumps
– O昀琀en use older opera琀椀ng systems
• Vehicles
– Internal network is o昀琀en accessible from
mobile networks
– Control internal electronics
• Aircra昀琀
– DoS could damage the aircra昀琀
– An outage would be problema琀椀c
• Smart meters - Measure power and water usage
VoIP
• Voice over Internet Protocol
– Instead of analog phone line or the
– Plain Old Telephone Service (POTS)
• A rela琀椀vely complex embedded system
– Can be rela琀椀vely important
• Each device is a computer
– Separate boot process
– Individual con昀椀gura琀椀ons
– Di昀昀erent capabili琀椀es and func琀椀onali琀椀es
HVAC
• Hea琀椀ng, Ven琀椀la琀椀on, and Air Condi琀椀oning
– Thermodynamics, 昀氀uid mechanics, and heat transfer
• A complex science
– Not something you can properly design yourself
– Must be integrated into the 昀椀re system
• PC manages equipment
– Makes cooling and hea琀椀ng decisions for workspaces
and data centers
• Tradi琀椀onally not built with security in mind
– Di昀케cult to recover from an infrastructure DoS
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 50
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.6 - Embedded Systems (con琀椀nued)
Drones
• Flying vehicle
– No pilot on board
• May be manually controlled from the ground
– O昀琀en with some autonomy
– Set it and forget it
• Extensive commercial and non-commercial use
– May require federal licenses
– Security and fail-safes are required
Printers, scanners, and fax machines
• All-in-one or mul琀椀func琀椀on devices (MFD)
– Everything you need in one single device
• No longer a simple printer
– Very sophis琀椀cated 昀椀rmware
• Some images are stored locally on the device
– Can be retrieved externally
• Logs are stored on the device
– Contain communica琀椀on and fax details
RTOS (Real-Time Opera琀椀ng System)
• An opera琀椀ng system with a determinis琀椀c
processing schedule
– No 琀椀me to wait for other processes
– Industrial equipment, automobiles,
– Military environments
• Extremely sensi琀椀ve to security issues
– Non-trivial systems
– Need to always be available
– Di昀케cult to know what type of security is in place
Surveillance systems
• Video/audio surveillance
– Embedded systems in the cameras and the
monitoring sta琀椀ons
• Secure the security system
– Restrict access from others - Prevent a denial of service
• Physically di昀케cult to replace cameras
– Accessible independently over the network
– May allow for 昀椀rmware upgrades
2.6 - Embedded Systems Communica琀椀on
© 2020 Messer Studios, LLC
• Contains mobile details
– IMSI (Interna琀椀onal Mobile Subscriber Iden琀椀ty)
– Authen琀椀ca琀椀on informa琀椀on, contact informa琀椀on
• Important to manage
– Many embedded systems, many SIM cards
Narrowband
Signal
Power
5G
• Fi昀琀h genera琀椀on cellular networking
– Launched worldwide in 2020
• Signi昀椀cant performance improvements
– At higher frequencies
– Eventually 10 gigabits per second
– Slower speeds from 100-900 Mbit/s
• Signi昀椀cant IoT impact
– Bandwidth becomes less of a constraint
– Larger data transfers
– Faster monitoring and no琀椀昀椀ca琀椀on
– Addi琀椀onal cloud processing
Narrowband
• Communicate analog signals over a narrow range
of frequencies
– Over a longer distance - Conserve the frequency use
• Many IoT devices can communicate over long distances
– SCADA equipment - Sensors in oil 昀椀elds
Baseband
• Generally a single cable with a digital signal
– Can be 昀椀ber or copper
• The communica琀椀on signal uses all of the bandwidth
– U琀椀liza琀椀on is either 0% or 100%
• Bidirec琀椀onal communica琀椀on
– But not at the same 琀椀me using the same wire/昀椀ber
• Ethernet standard - 100BASE-TX, 1000BASE-T, 10GBASE-T
Subscriber iden琀椀ty module (SIM)
• SIM card
– A universal integrated circuit card
• Used to provide informa琀椀on to a cellular
network provider
– Phones, tablets, embedded systems
Broadband
Signal
Frequency
Zigbee
• Internet of Things networking
– Open standard - IEEE 802.15.4 PAN
• Alterna琀椀ve to WiFi and Bluetooth
– Longer distances than Bluetooth
– Less power consump琀椀on than WiFi
• Mesh network of all Zigbee devices in your home
– Light switch communicates to light bulbs
– Tell Amazon Echo to lock the door
• Uses the ISM band
– Industrial, Scien琀椀昀椀c, and Medical
– 900 MHz and 2.4 GHz frequencies in the US
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 51
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.6 - Embedded Systems Constraints
Embedded systems
• Not usually a fully capable computer
– Low cost, purpose-built
• Adds addi琀椀onal constraints
– May have limited or missing features
– Upgradability limita琀椀ons
– Limits in communica琀椀on op琀椀ons
• An ongoing trade o昀昀
– Low cost systems - Unique management challenges
Constraints
• Power - May not have access to a main power source
– Ba琀琀eries may need to be replaced and maintained
• Compute
– Low-power CPUs are limited in speed
– Cost and heat considera琀椀ons
• Network
– May not have the op琀椀on for a wired link
– May be in the middle of a 昀椀eld
– Wireless is the limi琀椀ng factor
• Crypto
– Limited hardware op琀椀ons
– Di昀케cult to change or modify cryptography features
• Inability to patch
– Some IoT devices have no 昀椀eld-upgradable op琀椀ons
– Upgrade op琀椀ons may be limited or di昀케cult to install
• Authen琀椀ca琀椀on
– Security features are o昀琀en an a昀琀erthought
– Limited op琀椀ons, no mul琀椀-factor, limited integra琀椀on
with exis琀椀ng directory services
• Range
– Purpose-built - usually does one thing very well
– May not provide much addi琀椀onal func琀椀onality
• Cost
– Single-purpose func琀椀onality comes at a low cost
– Low cost may a昀昀ect product quality
• Implied trust
– Limited access to the hardware and so昀琀ware
– Di昀케cult to verify the security posture
2.7 - Physical Security Controls
Barricades / bollards
• Prevent access
– There are limits to the preven琀椀on
• Channel people through a speci昀椀c access point
– And keep out other things
– Allow people, prevent cars and trucks
• Iden琀椀fy safety concerns
– And prevent injuries
• Can be used to an extreme
– Concrete barriers / bollards
– Moats
Access control ves琀椀bules
• All doors normally unlocked
– Opening one door causes others to lock
• All doors normally locked
– Unlocking one door prevents others from being
unlocked
• One door open / other locked
– When one is open, the other cannot be unlocked
• One at a 琀椀me, controlled groups
– Managed control through an area
Alarms
• Circuit-based
– Circuit is opened or closed
– Door, window, fence
– Useful on the perimeter
• Mo琀椀on detec琀椀on
– Radio re昀氀ec琀椀on or passive infrared
– Useful in areas not o昀琀en in use
• Duress
– Triggered by a person - The big red bu琀琀on
© 2020 Messer Studios, LLC
Signs
• Clear and speci昀椀c instruc琀椀ons
– Keep people away from restricted areas
– Consider visitors
• Consider personal safety
– Fire exits
– Warning signs
– Chemicals
– Construc琀椀on
– Medical resources
• Informa琀椀onal
– In case of emergency, call this number
Video surveillance
• CCTV (Closed circuit television)
– Can replace physical guards
• Camera features are important
– Mo琀椀on recogni琀椀on can alarm and alert when
something moves
– Object detec琀椀on can iden琀椀fy a license plate or
person’s face
• O昀琀en many di昀昀erent cameras
– Networked together and recorded over 琀椀me
Industrial camou昀氀age
• Conceal an important facility in plain sight
– Blends in to the local environment
• Protect a data center
– No business signs
– No visual clues
– Surround it with a water feature
– Install a guard gate
– Planters out front are bollards
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 52
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.7 - Physical Security Controls (con琀椀nued)
Guards and access lists
• Security guard
– Physical protec琀椀on at the recep琀椀on area of a
facility
– Validates iden琀椀昀椀ca琀椀on of exis琀椀ng employees
– Provides guest access
• ID badge
– Picture, name, other details
– Must be worn at all 琀椀mes
• Access list
– Physical list of names
– Enforced by security guard
• Maintains a visitor log
Guards
• Two-person integrity/control
– Minimize exposure to an a琀琀ack
– No single person has access to a physical asset
• Robot sentries
– Monitoring
– Rounds / Periodic checks
– An emerging technology
Biometrics
• Biometric authen琀椀ca琀椀on
– Fingerprint, re琀椀na, voiceprint
• Usually stores a mathema琀椀cal representa琀椀on
of your biometric
– Your actual 昀椀ngerprint isn’t usually saved
• Di昀케cult to change
– You can change your password
– You can’t change your 昀椀ngerprint
• Used in very speci昀椀c situa琀椀ons
– Not foolproof
Door access controls
• Conven琀椀onal - Lock and key
• Deadbolt - Physical bolt
• Electronic - Keyless, PIN
• Token-based
– RFID badge, magne琀椀c swipe card, or key fob
• Biometric - Hand, 昀椀ngers or re琀椀na
• Mul琀椀-factor - Smart card and PIN
Cable locks
• Temporary security
– Connect your hardware to something solid
• Cable works almost anywhere
– Useful when mobile
• Most devices have a standard connector
– Reinforced notch
• Not designed for long-term protec琀椀on
– Those cables are pre琀琀y thin
© 2020 Messer Studios, LLC
USB data blocker
• Don’t connect to unknown USB interfaces
– Even if you need a quick charge
– Prevent “juice jacking”
• Use a USB data blocker
– Allow the voltage, reject the data
• Use your power adapter
– Avoid the issue en琀椀rely
Proper ligh琀椀ng
• More light means more security
– A琀琀ackers avoid the light
– Easier to see when lit
– Non IR cameras can see be琀琀er
• Specialized design
– Consider overall light levels
– Ligh琀椀ng angles may be important
– Facial recogni琀椀on
– Avoid shadows and glare
Fencing
• Build a perimeter
– Usually very obvious
– May not be what you’re looking for
• Transparent or opaque
– See through the fence (or not)
• Robust
– Di昀케cult to cut the fence
• Prevent climbing
– Razor wire
– Build it high
Fire suppression
• Electronics require unique responses to 昀椀re
– Water is generally a bad thing
• Detec琀椀on
– Smoke detector, 昀氀ame detector, heat detector
• Suppress with water
– Where appropriate
• Suppress with chemicals
– Halon - No longer manufactured
– Destroys ozone
– Commonly replaced with Dupont FM-200
Sensors
• Mo琀椀on detec琀椀on
– Iden琀椀fy movement in an area
• Noise detec琀椀on
– Recognize an increase in sound
• Proximity reader
– Commonly used with electronic door locks
– Combined with an access card
• Moisture detec琀椀on
– Useful to iden琀椀fy water leaks
• Temperature
– Monitor changes over 琀椀me
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 53
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.7 - Physical Security Controls (con琀椀nued)
Drones
• Quickly cover large areas
– More than just one building
• More than physical security
– Site surveys, damage assessments
• On-board sensors
– Mo琀椀on detec琀椀on
– Thermal sensors
• Video evidence
– High resolu琀椀on video capture
Faraday cage
• Blocks electromagne琀椀c 昀椀elds
– Discovered by Michael Faraday in 1836
• A mesh of conduc琀椀ve material
– The cage cancels the electromagne琀椀c 昀椀eld’s
e昀昀ect on the interior
– The window of a microwave oven
• Not a comprehensive solu琀椀on
– Not all signal types are blocked
– Some signal types are not blocked at all
• Can restrict access to mobile networks
– Some very speci昀椀c con琀椀ngencies would need to
be in place for emergency calls
Screened subnet
• Formerly known as a demilitarized zone (DMZ)
– An addi琀椀onal layer of security between the
Internet and you
– Public access to public resources
Protected distribu琀椀on
• Protected Distribu琀椀on System (PDS)
– A physically secure cabled network
• Protect your cables and 昀椀bers
– All of the data 昀氀ows through these conduits
• Prevent cable and 昀椀ber taps
– Direct taps and induc琀椀ve taps
• Prevent cable and 昀椀ber cuts
– A physical denial of service (DoS)
• Hardened protected distribu琀椀on system
– Sealed metal conduit, periodic visual inspec琀椀on
2.7 - Secure Areas
Secure areas
• Physically secure the data
– As important as the digital security
• An important part of a security policy
– Not a ques琀椀on to leave unanswered
• Secure ac琀椀ve opera琀椀ons
– Prevent physical access to the systems
• Secure o昀툀ine data
– Backups are an important security concern
Air gap
• Physical separa琀椀on between networks
– Secure network and insecure network
– Separate customer infrastructures
• Most environments are shared
– Shared routers, switches, 昀椀rewalls
– Some of these are virtualized
• Specialized networks require air gaps
– Stock market networks
– Power systems/SCADA
– Airplanes
– Nuclear power plant opera琀椀ons
Vaults and safes
• Vault
– A secure reinforced room
– Store backup media
– Protect from disaster or the昀琀
– O昀琀en onsite
© 2020 Messer Studios, LLC
• Safe
– Similar to a vault, but smaller
– Less expensive to implement
– Space is limited - Install at more loca琀椀ons
Hot and cold aisles
• Data centers
– Lots and lots of equipment
– This equipment generates heat
• Op琀椀mize cooling
– Keep components at op琀椀mal temperatures
• Conserve energy
– Data centers are usually very large rooms
– Focus the cooling
– Lower energy costs
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 54
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.7 - Secure Data Destruc琀椀on
Data destruc琀椀on and media sani琀椀za琀椀on
• Disposal becomes a legal issue
– Some informa琀椀on must not be destroyed
– Consider o昀昀site storage
• You don’t want cri琀椀cal informa琀椀on in the trash
– People really do dumpster dive
– Recycling can be a security concern
– Physically destroy the media
• Reuse the storage media
– Sani琀椀ze the media for reuse
– Ensure nothing is le昀琀 behind
Protect your rubbish
• Secure your garbage - Fence and a lock
• Shred your documents
– This will only go so far
– Governments burn the good stu昀昀
• Burn documents - No going back
• Pulp the paper
– Large tank washing to remove ink
– Paper broken down into pulp
– Creates recycled paper
Physical destruc琀椀on
• Shredder / pulverizer
– Heavy machinery, complete destruc琀椀on
• Drill / Hammer
– Quick and easy - Pla琀琀ers, all the way through
• Electromagne琀椀c (degaussing)
– Remove the magne琀椀c 昀椀eld
– Destroys the drive data and renders the drive unusable
• Incinera琀椀on - Fire hot.
Cer琀椀昀椀cate of destruc琀椀on
• Destruc琀椀on is o昀琀en done by a 3rd party
– How many drills and degaussers do you have?
• Need con昀椀rma琀椀on that your data is destroyed
– Service should include a cer琀椀昀椀cate
• A paper trail of broken data
– You know exactly what happened
Sani琀椀zing media
• Purge data
– Remove it from an exis琀椀ng data store
– Delete some of the data from a database
• Wipe data
– Unrecoverable removal of data on a storage device
– Usually overwrites the data storage loca琀椀ons
– Useful when you need to reuse or con琀椀nue using
the media
Data security
• July 2013 - UK Na琀椀onal Health Service Surrey
– Provided hard drives to a 3rd-party to be destroyed
– Contained 3,000 pa琀椀ent records
– Received a destruc琀椀on cer琀椀昀椀cate, but not
actually destroyed.
– Sold on eBay. Buyer contacted authori琀椀es,
昀椀ned £200,000
• File level overwri琀椀ng
– Sdelete – Windows Sysinternals
• Whole drive wipe secure data removal
– DBAN - Darik’s Boot and Nuke
– Physical drive destruc琀椀on – One-o昀昀 or industrial removal and destroy
2.8 - Cryptography Concepts
Cryptography
• Greek: “kryptos”
– Hidden, secret
• Con昀椀den琀椀ality
– It’s a secret
• Authen琀椀ca琀椀on and access control
– I know it’s you. I REALLY know it’s you.
• Non-repudia琀椀on - You said it. You can’t deny it.
• Integrity - Tamper-proof
Cryptography terms
• Plaintext - An unencrypted message (in the clear)
• Ciphertext - An encrypted message
• Cipher - The algorithm used to encrypt and/or decrypt
• Cryptanalysis
– The art of cracking encryp琀椀on
– Researchers are constantly trying to 昀椀nd
weaknesses in ciphers
– A mathema琀椀cally 昀氀awed cipher is bad for everyone
© 2020 Messer Studios, LLC
Cryptographic keys
• Keys
– Add the key to the cypher to encrypt
– Larger keys are generally more secure
• Some encryp琀椀on methods use one key
– Some use more than one key
– Every method is a bit di昀昀erent
Give weak keys a workout
• A weak key is a weak key
– By itself, it’s not very secure
• Make a weak key stronger by performing
mul琀椀ple processes
– Hash a password. Hash the hash of the password.
And con琀椀nue…
– Key stretching, key strengthening
• Brute force a琀琀acks would require reversing each
of those hashes
– The a琀琀acker has to spend much more 琀椀me, even
though the key is small
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 55
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.8 - Cryptography Concepts (con琀椀nued)
Key stretching libraries
• Already built for your applica琀椀on
– No addi琀椀onal programming involved
• bcrypt
– Generates hashes from passwords
– An extension to the UNIX crypt library
– Uses Blow昀椀sh cipher to perform mul琀椀ple
rounds of hashing
• Password-Based Key Deriva琀椀on Func琀椀on 2 (PBKDF2)
– Part of RSA public key cryptography standards
(PKCS #5, RFC 2898)
Lightweight cryptography
• Powerful cryptography has tradi琀椀onally
required strength
– A powerful CPU and lots of 琀椀me
• Internet of Things (IoT) devices have limited power
– Both wa琀琀s and CPU
• New standards are being created
– Na琀椀onal Ins琀椀tute of Standards and Technology (NIST)
leading the e昀昀ort
– Provide powerful encryp琀椀on
– Include integrity features
– Keep costs low
Homomorphic encryp琀椀on (HE)
• Encrypted data is di昀케cult to work with
– Decrypt the data
– Perform a func琀椀on
– Encrypt the answer
• Homomorphic encryp琀椀on
– Perform calcula琀椀ons of data while it’s encrypted
– Perform the work directly on the encrypted data
– The decrypted data can only be viewed with
the private key
• Many advantages
– Securely store data in the cloud
– Perform research on data without viewing the data
2.8 - Symmetric and Asymmetric Cryptography
Symmetric encryp琀椀on
• A single, shared key
– Encrypt with the key
– Decrypt with the same key
– If it gets out, you’ll need another key
• Secret key algorithm
– A shared secret
• Doesn’t scale very well
– Can be challenging to distribute
• Very fast to use
– Less overhead than asymmetric encryp琀椀on
– O昀琀en combined with asymmetric encryp琀椀on
Asymmetric encryp琀椀on
• Public key cryptography
– Two (or more) mathema琀椀cally related keys
• Private key - Keep this private
• Public key - Anyone can see this key - Give it away
• The private key is the only key that can decrypt data
encrypted with the public key
– You can’t derive the private key from the public key
The key pair
• Asymmetric encryp琀椀on
– Public Key Cryptography
• Key genera琀椀on
– Build both the public and private key at the same
琀椀me
– Lots of randomiza琀椀on
– Large prime numbers
– Lots and lots of math
• Everyone can have the public key
– Only Alice has the private key
Ellip琀椀c curve cryptography (ECC)
• Asymmetric encryp琀椀on
– Need large integers composed of two or more large
prime factors
• Instead of numbers, use curves!
– Uses smaller keys than non-ECC asymmetric
encryp琀椀on
– Smaller storage and transmission requirements
– Perfect for mobile devices
Alice’s Key Genera/on
Large
Random
Number
Alice’s
Private Key
Key Genera)on
Program
Alice’s
Public Key
© 2020 Messer Studios, LLC
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 56
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.8 - Symmetric and Asymmetric Cryptography (con琀椀nued)
Asymmetric encryp琀椀on
sBcBAE
BCAAQ
BQJYtX
ToCRA
Hello,
Alice
sBcBAE
BCAAQ
BQJYtX
ToCRA
Plaintext
Ciphertext
Bob’s Laptop
Ciphertext
Hello,
Alice
Plaintext
Alice’s Computer
Alice’s Public Key
Alice’s Private Key
combines Alice’s public key
1 Bob
with plaintext to create ciphertext
uses her private key to decrypt
2 Alice
the ciphertext into the original plaintext
Symmetric key from asymmetric keys
Alice’s Private Key
Bob’s Private Key
Symmetric Key
Symmetric Key
Alice’s Computer
Bob’s Laptop
Bob’s Public Key
Alice’s Public Key
combines his private key with
1 Bob
Alice’s public key to create a symmetric key
combines her private key with
2 Alice
Bob’s public key to create the same symmetric key
2.8 - Hashing and Digital Signatures
Hashes
• The hash should be unique
• Represent data as a short string of text - A message digest
– Di昀昀erent inputs should never create the same hash
– If they do, it’s a collision
• One-way trip
– Impossible to recover the original message from the digest • MD5 has a collision problem
– Used to store passwords / con昀椀den琀椀ality
– Found in 1996 - Don’t use MD5
• Verify a downloaded document is the same as the original
Prac琀椀cal hashing
– Integrity
• Verify a downloaded 昀椀le
– Hashes may be provided on the download site
• Can be a digital signature
– Compare the downloaded 昀椀le hash with the
– Authen琀椀ca琀椀on, non-repudia琀椀on, and integrity
posted hash value
• Will not have a collision (hopefully)
•
Password
storage
– Di昀昀erent messages will not have the same hash
– Instead of storing the password, store a salted hash
Collision
– Compare hashes during the authen琀椀ca琀椀on process
• Hash func琀椀ons
– Nobody ever knows your actual password
– Take an input of any size - Create a 昀椀xed size string
– Message digest, checksum
© 2020 Messer Studios, LLC
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 57
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.8 - Hashing and Digital Signatures (con琀椀nued)
Adding some salt
• Salt
– Random data added to a password when hashing
• Every user gets their own random salt
– The salt is commonly stored with the password
• Rainbow tables won’t work with salted hashes
– Addi琀椀onal random value added to the
original password
• This slows things down the brute force process
– It doesn’t completely stop the reverse engineering
• Each user gets a di昀昀erent random hash
– The same password creates a di昀昀erent hash
Digital signatures
• Prove the message was not changed
– Integrity
• Prove the source of the message
– Authen琀椀ca琀椀on
• Make sure the signature isn’t fake
– Non-repudia琀椀on
• Sign with the private key
– The message doesn’t need to be encrypted
– Nobody else can sign this (obviously)
• Verify with the public key
– Any change in the message will invalidate the signature
Crea琀椀ng a Digital Signature
You’re
hired,
Bob
1
Plaintext
sBcBAEBCAA
QBQJZzBIbCR
AW8ZAwUFg
Hash
Alice’s Computer
Hash of
Plaintext
EncrypTon
Hash of
Plaintext
Hashing
Algorithm
creates a hash
1 Alice
of the original plaintext
3
2
sBcBAEBCAA
QBQJZzBIbCR
AW8ZAwUFg
GmdBkELopt
8hF85TetMS
You’re
hired,
Bob
Digital
Signature
GmdBkELopt
8hF85TetMS
2 with her private key
Alice encrypts the hash
The encrypted hash
signature) is
3 (digital
included with the plaintext
Plaintext
and Digital
Signature
Alice’s Private Key
Verifying a Digital Signature
You’re
hired,
Bob
GmdBkELopt
8hF85TetMS
Digital
Signature
GmdBkELopt
8hF85TetMS
Plaintext
and Digital
Signature
DecrypGon
You’re
hired,
Bob
1
sBcBAEBCAA
QBQJZzBIbCR
AW8ZAwUFg
Hash of
Plaintext
Bob’s Laptop
Plaintext
Hash
Hashing
Algorithm
2
sBcBAEBCAA
QBQJZzBIbCR
AW8ZAwUFg
Hash of
Plaintext
1
Bob decrypts the
digital signature
to obtain the
plaintext hash
2
Bob hashes the
plaintext and
compares it to
the decrypted hash
Alice’s Public Key
2.8 - Cryptographic Keys
Cryptographic Keys
• There’s very li琀琀le that isn’t known about the
cryptographic process
– The algorithm is usually a known en琀椀ty
– The only thing you don’t know is the key
• The key determines the output
– Encrypted data
– Hash value
– Digital signature
• Keep your key private!
– It’s the only thing protec琀椀ng your data
Key strength
• Larger keys tend to be more secure
– Prevent brute-force a琀琀acks
– A琀琀ackers can try every possible key combina琀椀on
© 2020 Messer Studios, LLC
• Symmetric encryp琀椀on
– 128-bit or larger symmetric keys are common
– These numbers get larger as 琀椀me goes on
• Asymmetric encryp琀椀on
– Complex calcula琀椀ons of prime numbers
– Larger keys than symmetric encryp琀椀on
– Common to see key lengths of 3,072 bits or larger
Key exchange
• A logis琀椀cal challenge
– How do you transfer an encryp琀椀on key across an
insecure medium without having an encryp琀椀on key?
• Out-of-band key exchange
– Don’t send the symmetric key over the ‘net
– Telephone, courier, in-person, etc.
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 58
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.8 - Cryptographic Keys (con琀椀nued)
• In-band key exchange
– It’s on the network
– Protect the key with addi琀椀onal encryp琀椀on
– Use asymmetric encryp琀椀on to deliver
a symmetric key
Real-琀椀me encryp琀椀on/decryp琀椀on
• There’s a need for fast security
– Without compromising the security part
• Share a symmetric session key using
asymmetric encryp琀椀on
– Client encrypts a random (symmetric) key with a
server’s public key
– The server decrypts this shared key and uses it to
encrypt data
– This is the session key
• Implement session keys carefully
– Need to be changed o昀琀en (ephemeral keys)
– Need to be unpredictables
Symmetric key from asymmetric keys
• Use public and private key cryptography to create
a symmetric key
– Math is powerful
Tradi琀椀onal web server encryp琀椀on
• SSL/TLS uses encryp琀椀on keys to protect web
server communica琀椀on
– Tradi琀椀onally, this has been based on the web server’s
RSA key pair
– One key that encrypts all symmetric keys
• This server’s private key can rebuild everything
– If you capture all of the tra昀케c, you can decrypt all of
the data
• One point of failure for all of your web site encryp琀椀on
Perfect Forward Secrecy (PFS)
• Change the method of key exchange
– Don’t use the server’s private RSA key
• Ellip琀椀c curve or Di昀케e-Hellman ephemeral
– The session keys aren’t kept around
• Can’t decrypt with the private server key
– Every session uses a di昀昀erent private key for the
exchange
• PFS requires more compu琀椀ng power
– Not all servers choose to use PFS
• The browser must support PFS
– Check your SSL/TLS informa琀椀on for details
2.8 - Steganography
Obfusca琀椀on
• The process of making something unclear
– It’s now much more di昀케cult to understand
• But it’s not impossible to understand
– If you know how to read it
• Make source code di昀케cult to read
– But it doesn’t change the func琀椀onality of the code
• Hide informa琀椀on inside of an image
– Steganography
Steganography
• Greek for “concealed wri琀椀ng”
– Security through obscurity
• Message is invisible
– But it’s really there
• The covertext
– The container document or 昀椀le
Common steganography techniques
• Network based
– Embed messages in TCP packets
• Use an image
– Embed the message in the image itself
• Invisible watermarks
– Yellow dots on printers
Other steganography types
• Audio steganography
– Modify the digital audio 昀椀le
– Interlace a secret message within the audio
– Similar technique to image steganography
• Video steganography
– A sequence of images
– Use image steganography on a larger scale
– Manage the signal to noise ra琀椀o
– Poten琀椀ally transfer much more informa琀椀on
2.8 - Quantum Compu琀椀ng
Quantum compu琀椀ng
• Computers based on quantum physics
– This is not an upgrade to your exis琀椀ng computer
– This is a new compu琀椀ng technology
• Classical mechanics
– Smallest form of informa琀椀on is a bit
– Bits are zeros and ones
• Quantum mechanics
– Smallest form of informa琀椀on is a qubit
© 2020 Messer Studios, LLC
– Bits are zeros, ones, and any combina琀椀on
in-between, at the same 琀椀me
– This is called quantum superposi琀椀on
• Search quickly through large databases
– Index everything at the same 琀椀me
• Simulate the quantum world
– Medical advances, weather predic琀椀on,
astrophysics, and much more
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 59
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.8 - Quantum Compu琀椀ng (con琀椀nued)
Post-quantum cryptography
• Breaks our exis琀椀ng encryp琀椀on mechanisms
– Quickly factor large prime numbers
• This would cause signi昀椀cant issues
– None of the exis琀椀ng cryptography could be trusted
– No 昀椀nancial transac琀椀ons would be safe
– No data would be private
• Peter Shor invented Shor’s algorithm in 1994
– Given an integer N, 昀椀nd its prime factors
– Tradi琀椀onal computers would take longer than the
life琀椀me of the universe
– Shor’s algorithm would theore琀椀cally be much,
much faster
• Time for updated cryptography
– Not vulnerable to quantum computer based a琀琀acks
• NTRU
– A cryptosystem using la琀�ce theory
– Relies on the “closest-vector” problem
– Instead of 昀椀nding the prime factoriza琀椀ons of
large numbers
• We will need to consider our op琀椀ons for future
cryptography
– This is a problem that can be easily seen and
addressed
Quantum communica琀椀on
• Protect against eavesdropping using quantum
cryptography
– Quantum Key Distribu琀椀on (QKD)
• Create unbreakable encryp琀椀on
– Send a random stream of qubits (the key) across a
quantum network channel
• Both sides can verify the key
– If it’s iden琀椀cal, the key was not viewed during
transmission
• An a琀琀acker eavesdropping on the communica琀椀on
would modify the data stream
– The a琀琀acker would have to violate quantum physics
2.8 - Stream and Block Ciphers
Stream ciphers
• Encryp琀椀on is done one bit or byte at a 琀椀me
– High speed, low hardware complexity
• Used with symmetric encryp琀椀on
– Not commonly used with asymmetric encryp琀椀on
• The star琀椀ng state should never be the same twice
– Key is o昀琀en combined with an ini琀椀aliza琀椀on vector (IV)
Block ciphers
• Encrypt 昀椀xed-length groups
– O昀琀en 64-bit or 128-bit blocks
– Pad added to short blocks
– Each block is encrypted or decrypted independently
• Symmetric encryp琀椀on
– Similar to stream ciphers
• Block cipher modes of opera琀椀on
– Avoid pa琀琀erns in the encryp琀椀on
– Many di昀昀erent modes to choose from
Block cipher mode of opera琀椀on
• Encrypt one 昀椀xed-length group of bits at a 琀椀me
– A block
• Mode of opera琀椀on
– De昀椀nes the method of encryp琀椀on
– May provide a method of authen琀椀ca琀椀on
• The block size is a 昀椀xed size
– Not all data matches the block size perfectly
– Split your plaintext into smaller blocks
– Some modes require padding before encryp琀椀ng
ECB (Electronic Code Book)
• The simplest encryp琀椀on mode
– Too simple for most use cases
• Each block is encrypted with the same key
– Iden琀椀cal plaintext blocks create iden琀椀cal
ciphertext blocks
ECB (Electronic Code book) cipher mode
Key
Plaintext
Plaintext
Plaintext
Block Cipher
Encryp0on
Block Cipher
Encryp0on
Block Cipher
Encryp0on
Ciphertext
© 2020 Messer Studios, LLC
Key
Key
Ciphertext
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 60
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
Ciphertext
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.8 - Stream and Block Ciphers (con琀椀nued)
CBC (Cipher Block Chaining)
• A popular mode of opera琀椀on - Rela琀椀vely easy to implement
• Each plaintext block is XORed with the previous
ciphertext block
– Adds addi琀椀onal randomiza琀椀on
– Use an ini琀椀aliza琀椀on vector for the 昀椀rst block
CTR (Counter)
• Block cipher mode / acts like a stream cipher
– Encrypts successive values of a “counter”
• Plaintext can be any size, since it’s part of the XOR i.e., 8 bits
at a 琀椀me (streaming) instead of a 128-bit block
GCM (Galois/Counter Mode)
• Encryp琀椀on with authen琀椀ca琀椀on
– Authen琀椀ca琀椀on is part of the block mode
– Combines Counter Mode with
– Galois authen琀椀ca琀椀on
• Minimum latency, minimum opera琀椀on overhead
– Very e昀케cient encryp琀椀on and authen琀椀ca琀椀on
• Commonly used in packe琀椀zed data
– Network tra昀케c security (wireless, IPsec)
– SSH, TLS
CBC (Cipher Block Chaining) cipher mode
Plaintext
Plaintext
Plaintext
Block Cipher Encryp0on
Block Cipher Encryp0on
Block Cipher Encryp0on
Ini0aliza0on Vector (IV)
Key
Key
Key
Ciphertext
Ciphertext
CTR (Counter) cipher mode
0
0
Ciphertext
Counter
0
0
0
0
0
Counter
0
0
0
0
0
0
0
0
0
Block Cipher Encryp0on
0
0
0
0
0
0
0
0
0
1
Block Cipher Encryp0on
Key
Key
Plaintext
Plaintext
Ciphertext
Ciphertext
2.8 - Blockchain Technology
Blockchain
• A distributed ledger
– Keep track of transac琀椀ons
• Everyone on the blockchain network
maintains the ledger
– Records and replicates to anyone
and everyone
© 2020 Messer Studios, LLC
• Many prac琀椀cal applica琀椀ons
– Payment processing
– Digital iden琀椀昀椀ca琀椀on
– Supply chain monitoring
– Digital vo琀椀ng
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 61
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.8 - Blockchain Technology (con琀椀nued)
2.8 - Cryptography Use Cases
Finding the balance
• Low power devices
– Mobile devices, portable systems
– Smaller symmetric key sizes
– Use ellip琀椀c curve cryptography (ECC) for
asymmetric encryp琀椀on
• Low latency
– Fast computa琀椀on 琀椀me
– Symmetric encryp琀椀on, smaller key sizes
• High resiliency
– Larger key sizes
– Encryp琀椀on algorithm quality
– Hashing provides data integrity
Use cases
• Con昀椀den琀椀ality
– Secrecy and privacy
– Encryp琀椀on (昀椀le-level, drive-level, email)
© 2020 Messer Studios, LLC
• Integrity
– Prevent modi昀椀ca琀椀on of data
– Validate the contents with hashes
– File downloads, password storage
• Obfusca琀椀on
– Modern malware
– Encrypted data hides the ac琀椀ve malware code
– Decryp琀椀on occurs during execu琀椀on
• Authen琀椀ca琀椀on
– Password hashing
– Protect the original password
– Add salts to randomize the stored password hash
• Non-Repudia琀椀on
– Con昀椀rm the authen琀椀city of data
– Digital signature provides both integrity
and non-repudia琀椀on
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 62
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
2.8 - Cryptography Limita琀椀ons
Finding the balance
• Cryptography isn’t a perfect solu琀椀on
– It can have signi昀椀cant limita琀椀ons
• Not all implementa琀椀ons are the same
– Di昀昀erent pla琀昀orms, di昀昀erent cryptographic op琀椀ons
• Cryptography can’t 昀椀x bad technique
– Hashing easily guessed passwords without a salt
• Every situa琀椀on is di昀昀erent
– Do your homework
Limita琀椀ons
• Speed
– Cryptography adds overhead
– A system needs CPU, CPU needs power
– More involved encryp琀椀on increases the load
• Size
– Typical block ciphers don’t increase the size of
encrypted data
– AES block size is 128 bits/16 bytes
– Encryp琀椀ng 8 bytes would poten琀椀ally double the
storage size
• Weak keys
– Larger keys are generally more di昀케cult to brute force
– The weak IV in RC4 resulted in the WEP security issues
• Time
– Encryp琀椀on and hashing takes 琀椀me
– Larger 昀椀les take longer
– Asymmetric is slower than symmetric
• Longevity
– A speci昀椀c cryptographic technology can becomes
less secure over 琀椀me
– Smaller keys are easier to brute force, larger keys
take longer to process
– Key re琀椀rement is a good best prac琀椀ce
• Predictability and entropy
– Random numbers are cri琀椀cal for secure cryptography
– Hardware random number generators can
be predictable
– A passphrase needs to be appropriately random
• Key reuse
– Reusing the same key reduces complexity
– Less cost and e昀昀ort to recer琀椀fy keys
– Less administra琀椀ve overhead
– If the key is compromised, everything using that
key is at risk
– IoT devices o昀琀en have keys embedded in the 昀椀rmware
• Resource vs. security constraints
– IoT devices have limited CPU, memory, and power
– Real-琀椀me applica琀椀ons can’t delay
– Di昀케cult to maintain and update security components
3.1 - Secure Protocols
Voice and video
• SRTP
– Secure Real-Time Transport Protocol / Secure RTP
• Adds security features to RTP
– Keep conversa琀椀ons private
• Encryp琀椀on
– Uses AES to encrypt the voice/video 昀氀ow
• Authen琀椀ca琀椀on, integrity, and replay protec琀椀on
– HMAC-SHA1 - Hash-based message authen琀椀ca琀椀on
code using SHA1
Time synchroniza琀椀on
• Classic NTP has no security features
– Exploited as ampli昀椀ers in DDoS a琀琀acks
– NTP has been around prior to 1985
• NTPsec
– Secure network 琀椀me protocol
– Began development in June of 2015
• Cleaned up the code base
– Fixed a number of vulnerabili琀椀es
© 2020 Messer Studios, LLC
Email
• S/MIME
– Secure/Mul琀椀purpose Internet Mail Extensions
– Public key encryp琀椀on and digital signing
of mail content
– Requires a PKI or similar organiza琀椀on of keys
• Secure POP and Secure IMAP
– Use a STARTTLS extension to encrypt POP3 with
SSL or use IMAP with SSL
• SSL/TLS
– If the mail is browser based, always encrypt with SSL
Web
• SSL/TLS
– Secure Sockets Layer/Transport Layer Security
• HTTPS
– HTTP over TLS / HTTP over SSL / HTTP Secure
• Uses public key encryp琀椀on
– Private key on the server
– Symmetric session key is transferred using
asymmetric encryp琀椀on
– Security and speed
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 63
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.1 - Secure Protocols (con琀椀nued)
IPSec (Internet Protocol Security)
• Security for OSI Layer 3
– Authen琀椀ca琀椀on and encryp琀椀on for every packet
• Con昀椀den琀椀ality and integrity/an琀椀-replay
– Encryp琀椀on and packet signing
• Very standardized
– Common to use mul琀椀-vendor implementa琀椀ons
• Two core IPSec protocols
– Authen琀椀ca琀椀on Header (AH)
– Encapsula琀椀on Security Payload (ESP)
File transfer
• FTPS
– FTP over SSL (FTP-SSL)
– File Transfer Protocol Secure
– This is not SFTP
• SFTP
– SSH File Transfer Protocol
– Provides 昀椀le system func琀椀onality
– Resuming interrupted transfers, directory lis琀椀ngs,
remote 昀椀le removal
LDAP (Lightweight Directory Access Protocol)
• Protocol for reading and wri琀椀ng directories over
an IP network
– An organized set of records, like a phone directory
• X.500 speci昀椀ca琀椀on was wri琀琀en by the Interna琀椀onal
Telecommunica琀椀ons Union (ITU)
– They know directories!
• DAP ran on the OSI protocol stack
– LDAP is lightweight, and uses TCP/IP
• LDAP is the protocol used to query and update
an X.500 directory
– Used in Windows Ac琀椀ve Directory,
Apple OpenDirectory, OpenLDAP, etc.
Directory services
• LDAP (Lightweight Directory Access Protocol)
• LDAPS (LDAP Secure)
– A non-standard implementa琀椀on of LDAP over SSL
• SASL (Simple Authen琀椀ca琀椀on and Security Layer)
– Provides authen琀椀ca琀椀on using many di昀昀erent
methods, i.e., Kerberos or client cer琀椀昀椀cate
Remote access
• SSH (Secure Shell)
– Encrypted terminal communica琀椀on
– Replaces Telnet (and FTP)
– Provides secure terminal communica琀椀on and
昀椀le transfer features
© 2020 Messer Studios, LLC
Domain name resolu琀椀on
• DNS had no security in the original design
– Rela琀椀vely easy to poison a DNS
• DNSSEC
– Domain Name System Security Extensions
• Validate DNS responses
– Origin authen琀椀ca琀椀on
– Data integrity
• Public key cryptography
– DNS records are signed with a trusted third party
– Signed DNS records are published in DNS
Rou琀椀ng and switching
• SSH - Secure Shell
– Encrypted terminal communica琀椀on
• SNMPv3 - Simple Network
– Management Protocol version 3
– Con昀椀den琀椀ality - Encrypted data
– Integrity - No tampering of data
– Authen琀椀ca琀椀on - Veri昀椀es the source
• HTTPS
– Browser-based management
– Encrypted communica琀椀on
Network address alloca琀椀on
• Securing DHCP
– DHCP does not include any built-in security
– There is no “secure” version of the DHCP protocol
• Rogue DHCP servers
– In Ac琀椀ve Directory, DHCP servers must be authorized
– Some switches can be con昀椀gured with
“trusted” interfaces
– DHCP distribu琀椀on is only allowed from
trusted interfaces
– Cisco calls this DHCP Snooping
– DHCP client DoS - Starva琀椀on a琀琀ack
– Use spoofed MAC addresses to exhaust the DHCP pool
– Switches can be con昀椀gured to limit the number of
MAC addresses per interface
– Disable an interface when mul琀椀ple MAC addresses
are seen
Subscrip琀椀on services
• Automated subscrip琀椀ons
– An琀椀-virus / An琀椀-malware signature updates
– IPS updates
– Malicious IP address databases / Firewall updates
• Constant updates
– Each subscrip琀椀on uses a di昀昀erent update method
• Check for encryp琀椀on and integrity checks
– May require an addi琀椀onal public key con昀椀gura琀椀on
– Set up a trust rela琀椀onship
– Cer琀椀昀椀cates, IP addresses
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 64
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.2 - Endpoint Protec琀椀on
The endpoint
• The user’s access - Applica琀椀ons and data
• Stop the a琀琀ackers - Inbound a琀琀acks, outbound a琀琀acks
• Many di昀昀erent pla琀昀orms - Mobile, desktop
• Protec琀椀on is mul琀椀-faceted - Defense in depth
An琀椀-virus and an琀椀-malware
• An琀椀-virus is the popular term
– Refers speci昀椀cally to a type of malware
– Trojans, worms, macro viruses
• Malware refers to the broad malicious
so昀琀ware category
– An琀椀-malware stops spyware, ransomware,
昀椀leless malware
• The terms are e昀昀ec琀椀vely the same these days
– The names are more of a marke琀椀ng tool
– An琀椀-virus so昀琀ware is also an琀椀-malware so昀琀ware now
– Make sure your system is using
– a comprehensive solu琀椀on
Endpoint detec琀椀on and response (EDR)
• A di昀昀erent method of threat protec琀椀on
– Scale to meet the increasing number of threats
• Detect a threat
– Signatures aren’t the only detec琀椀on tool
– Behavioral analysis, machine learning,
process monitoring
– Lightweight agent on the endpoint
• Inves琀椀gate the threat
– Root cause analysis
• Respond to the threat
– Isolate the system, quaran琀椀ne the threat, rollback
to a previous con昀椀g
– API driven, no user or technician interven琀椀on required
Data Loss Preven琀椀on (DLP)
• Where’s your data?
– Social Security numbers, credit card numbers,
medical records
• Stop the data before the a琀琀acker gets it
– Data “leakage”
• So many sources, so many des琀椀na琀椀ons
– O昀琀en requires mul琀椀ple solu琀椀ons
– Endpoint clients
– Cloud-based systems
– Email, cloud storage, collabora琀椀on tools
Next-genera琀椀on 昀椀rewall (NGFW)
• The OSI Applica琀椀on Layer - All data in every packet
• Can be called di昀昀erent names
– Applica琀椀on layer gateway
– Stateful mul琀椀layer inspec琀椀on, deep packet inspec琀椀on
• Broad security controls
– Allow or disallow applica琀椀on features
– Iden琀椀fy a琀琀acks and malware
– Examine encrypted data
– Prevent access to URLs or URL categories
Host-based 昀椀rewall
• So昀琀ware-based 昀椀rewall
– Personal 昀椀rewall, runs on every endpoint
• Allow or disallow incoming or outgoing
applica琀椀on tra昀케c
– Control by applica琀椀on process
– View all data
• Iden琀椀fy and block unknown processes
– Stop malware before it can start
• Manage centrally
Finding intrusions
• Host-based Intrusion Detec琀椀on System (HIDS)
– Uses log 昀椀les to iden琀椀fy intrusions
– Can recon昀椀gure 昀椀rewalls to block
• Host-based Intrusion Preven琀椀on System (HIPS)
– Recognize and block known a琀琀acks
– Secure OS and applica琀椀on con昀椀gs, validate
incoming service requests
– O昀琀en built into endpoint protec琀椀on so昀琀ware
• HIPS iden琀椀昀椀ca琀椀on
– Signatures, heuris琀椀cs, behavioral
– Bu昀昀er over昀氀ows, registry updates, wri琀椀ng 昀椀les
to the Windows folder
– Access to non-encrypted data
3.2 - Boot Integrity
Hardware root of trust
• Security is based on trust
– Is your data safely encrypted?
– Is this web site legi琀椀mate?
– Has the opera琀椀ng system been infected?
• The trust has to start somewhere
– Trusted Pla琀昀orm Module (TPM),
– Hardware Security Module (HSM)
– Designed to be the hardware root of the trust
• Di昀케cult to change or avoid
– It’s hardware
– Won’t work without the hardware
© 2020 Messer Studios, LLC
Trusted Pla琀昀orm Module (TPM)
• A speci昀椀ca琀椀on for cryptographic func琀椀ons
– Hardware to help with all of this encryp琀椀on stu昀昀
• Cryptographic processor
– Random number generator, key generators
• Persistent memory
– Comes with unique keys burned in during produc琀椀on
• Versa琀椀le memory
– Storage keys, hardware con昀椀gura琀椀on informa琀椀on
• Password protected
– No dic琀椀onary a琀琀acks
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 65
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.2 - Boot Integrity (con琀椀nued)
Boot integrity
• The a琀琀ack on our systems is constant
– Techniques are constantly changing
• A琀琀ackers compromise a device
– And want it to stay compromised
• The boot process is a perfect infec琀椀on point
– Rootkits run in kernel mode
– Have the same rights as the opera琀椀ng system
• Protec琀椀ng the boot process is important
– Secure boot, trusted boot, and measured boot
– A chain of trust
UEFI BIOS Secure Boot
• Secure Boot
– Part of the UEFI speci昀椀ca琀椀on
• UEFI BIOS protec琀椀ons
– BIOS includes the manufacturer’s public key
– Digital signature is checked during a BIOS update
– BIOS prevents unauthorized writes to the 昀氀ash
• Secure Boot veri昀椀es the bootloader
– Checks the bootloader’s digital signature
– Bootloader must be signed with a trusted cer琀椀昀椀cate
– Or a manually approved the digital signature
Trusted Boot
• Bootloader veri昀椀es digital signature of the OS kernel
– A corrupted kernel will halt the boot process
• The kernel veri昀椀es all of the other startup components
– Boot drivers, startup 昀椀les
• Just before loading the drivers,
– ELAM (Early Launch An琀椀-Malware) starts
– Checks every driver to see if it’s trusted
– Windows won’t load an untrusted driver
Measured Boot
• Nothing on this computer has changed
– There have been no malware infec琀椀ons
– How do you know?
• Easy when it’s just your computer
– More di昀케cult when there are 1,000
• UEFI stores a hash of the 昀椀rmware, boot drivers, and
everything else loaded during the Secure Boot and
– Trusted Boot process
– Stored in the TPM
• Remote a琀琀esta琀椀on
– Device provides an opera琀椀onal report to a
veri昀椀ca琀椀on server
– Encrypted and digitally signed with the TPM
• A琀琀esta琀椀on server receives the boot report
– Changes are iden琀椀昀椀ed and managed
3.2 - Database Security
Database security
• Protec琀椀ng stored data
– And the transmission of that data
• Intellectual property storage
– Data is valuable
• Compliance issues
– PCI DSS, HIPAA, GDPR, etc.
• Keep the business running
– Security provides con琀椀nuity
• Breaches are expensive - Keep costs low
Tokeniza琀椀on
Tokeniza琀椀on
• Replace sensi琀椀ve data with a non-sensi琀椀ve placeholder
– SSN 266-12-1112 is now 691-61-8539
• Common with credit card processing
– Use a temporary token during payment
– An a琀琀acker capturing the card numbers
can’t use them later
• This isn’t encryp琀椀on or hashing
– The original data and token aren’t mathema琀椀cally related
– No encryp琀椀on overhead
Remote Token
Service Server
4545 **** **** 5678
token for
7 4111is the
1111 1111 1234
Card is registered
the token
2 with
service server
3
Token Service
Server provides a
token instead:
4545 **** **** 5678
Phone is used
4 at a store
during checkout
using NFC
registers a credit card
1 User
on their mobile phone:
Token is
8 validated
number validaHon:
6 Card
4545 **** **** 5678
with:
5 Pay
4545 **** **** 5678
Merchant Payment
Processing Server
9 TransacHon approved
4111 1111 1111 1234
© 2020 Messer Studios, LLC
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 66
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.2 - Database Security (con琀椀nued)
Hashing a password
• Hashes represent data as a 昀椀xed-length string of text
– A message digest, or “昀椀ngerprint”
• Will not have a collision (hopefully)
– Di昀昀erent inputs will not have the same hash
• One-way trip
– Impossible to recover the original message
from the digest
– A common way to store passwords
Adding some salt
• Salt
– Random data added to a password when hashing
• Every user gets their own random salt
– The salt is commonly stored with the password
• Rainbow tables won’t work with salted hashes
– Addi琀椀onal random value added to the original
password
• This slows things down the brute force process
– It doesn’t completely stop the reverse engineering
3.2 - Applica琀椀on Security
Secure coding concepts
• A balance between 琀椀me and quality
• Programming with security in mind is o昀琀en secondary
• Tes琀椀ng, tes琀椀ng, tes琀椀ng
• The Quality Assurance (QA) process
• Vulnerabili琀椀es will eventually be found
• And exploited
Input valida琀椀on
• What is the expected input?
• Validate actual vs. expected
• Document all input methods
• Forms, 昀椀elds, type
• Check and correct all input (normaliza琀椀on)
• A zip code should be only X characters long
with a le琀琀er in the X column
• Fix any data with improper input
• The fuzzers will 昀椀nd what you missed
• Don’t give them an opening
Secure cookies
• Cookies
• Informa琀椀on stored on your computer by the browser
• Used for tracking, personaliza琀椀on, session management
• Not executable, not generally a security risk
• Unless someone gets access to them
• Secure cookies have a Secure a琀琀ribute set
• Browser will only send it over HTTPS
• Sensi琀椀ve informa琀椀on should not be saved in a cookie
• This isn’t designed to be secure storage
HTTP secure headers
• An addi琀椀onal layer of security
• Add these to the web server con昀椀gura琀椀on
• You can’t 昀椀x every bad applica琀椀on
• Enforce HTTPS communica琀椀on
• Ensure encrypted communica琀椀on
• Only allow scripts, stylesheets, or images from
the local site
• Prevent XSS a琀琀acks
• Prevent data from loading into an inline frame (iframe)
• Also helps to prevent XSS a琀琀acks
© 2020 Messer Studios, LLC
Code signing
• An applica琀椀on is deployed
• Users run applica琀椀on executable or scripts
• So many security ques琀椀ons
• Has the applica琀椀on been modi昀椀ed in any way?
• Can you con昀椀rm that the applica琀椀on was wri琀琀en
by a speci昀椀c developer?
• The applica琀椀on code can be digitally signed by the
developer
• Asymmetric encryp琀椀on
• A trusted CA signs the developer’s public key
• Developer signs the code with their private key
• For internal apps, use your own CA
Allow list / deny list
• Any applica琀椀on can be dangerous
• Vulnerabili琀椀es, trojan horses, malware
• Security policy can control app execu琀椀on
• Allow list, deny/block list
• Allow list
• Nothing runs unless it’s approved
• Very restric琀椀ve
• Deny list
• Nothing on the “bad list” can be executed
• An琀椀-virus, an琀椀-malware
Examples of allow and deny lists
• Decisions are made in the opera琀椀ng system
• O昀琀en built-in to the opera琀椀ng system management
• Applica琀椀on hash
• Only allows applica琀椀ons with this unique iden琀椀昀椀er
• Cer琀椀昀椀cate
• Allow digitally signed apps from certain publishers
• Path
• Only run applica琀椀ons in these folders
• Network zone
• The apps can only run from this network zone
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 67
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.2 - Applica琀椀on Security (con琀椀nued)
Sta琀椀c code analyzers
Fuzzing engines and frameworks
• Sta琀椀c Applica琀椀on Security Tes琀椀ng (SAST)
• Many di昀昀erent fuzzing op琀椀ons
• Help to iden琀椀fy security 昀氀aws
• Pla琀昀orm speci昀椀c, language speci昀椀c, etc.
• Many security vulnerabili琀椀es found easily
• Very 琀椀me and processor resource heavy
• Bu昀昀er over昀氀ows, database injec琀椀ons, etc.
• Many, many di昀昀erent itera琀椀ons to try
• Many fuzzing engines use high-probability tests
• Not everything can be iden琀椀昀椀ed through analysis
• Authen琀椀ca琀椀on security, insecure cryptography, etc.
• Carnegie Mellon Computer
• Don’t rely on automa琀椀on for everything
• Emergency Response Team (CERT)
• CERT Basic Fuzzing Framework (BFF)
• S琀椀ll have to verify each 昀椀nding
• h琀琀ps://professormesser.link/b昀昀
• False posi琀椀ves are an issue
Dynamic analysis (fuzzing)
Fuzzing engine results
• Send random input to an applica琀椀on
• Fault-injec琀椀ng, robustness tes琀椀ng,
syntax tes琀椀ng, nega琀椀ve tes琀椀ng
• Looking for something out of the ordinary
• Applica琀椀on crash, server error, excep琀椀on
• 1988 class project at the University of Wisconsin
• “Opera琀椀ng System U琀椀lity Program Reliability”
• Professor Barton Miller
• The Fuzz Generator
3.2 - Applica琀椀on Hardening
Applica琀椀on hardening
• Minimize the a琀琀ack surface
– Remove all possible entry points
• Remove the poten琀椀al for all known vulnerabili琀椀es
– As well as the unknown
• Some hardening may have compliance mandates
– HIPAA servers, PCI DSS, etc.
• There are many di昀昀erent resources
– Center for Internet Security (CIS)
– Network and Security Ins琀椀tute (SANS)
– Na琀椀onal Ins琀椀tute of Standards and Technology (NIST)
Open ports and services
• Every open port is a possible entry point
– Close everything except required ports
• Control access with a 昀椀rewall
– NGFW would be ideal
• Unused or unknown services
– Installed with the OS or from other applica琀椀ons
• Applica琀椀ons with broad port ranges
– Open port 0 through 65,535
• Use Nmap or similar port scanner to verify
– Ongoing monitoring is important
Registry
• The primary con昀椀gura琀椀on database for Windows
– Almost everything can be con昀椀gured from the registry
• Useful to know what an applica琀椀on modi昀椀es
– Many third-party tools can show registry changes
• Some registry changes are important security se琀�ngs
– Con昀椀gure registry permissions
– Disable SMBv1
© 2020 Messer Studios, LLC
Disk encryp琀椀on
• Prevent access to applica琀椀on data 昀椀les
– File system encryp琀椀on
• Full disk encryp琀椀on (FDE)
– Encrypt everything on the drive
– BitLocker, FileVault, etc.
• Self-encryp琀椀ng drive (SED)
– Hardware-based full disk encryp琀椀on
– No opera琀椀ng system so昀琀ware needed
• Opal storage speci昀椀ca琀椀on
– The standard for of SED storage
Opera琀椀ng system hardening
• Many and varied
– Windows, Linux, iOS, Android, et al.
• Updates
– Opera琀椀ng system updates/service packs,
security patches
• User accounts
– Minimum password lengths and complexity
– Account limita琀椀ons
• Network access and security
– Limit network access
• Monitor and secure
– An琀椀-virus, an琀椀-malware
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 68
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.2 - Applica琀椀on Hardening (con琀椀nued)
Patch management
• Incredibly important
– System stability, security 昀椀xes
• Monthly updates
– Incremental (and important)
• Emergency out-of-band updates
– Zero-day and important security discoveries
• Third-party updates
– Applica琀椀on developers, device drivers
• Auto-update - Not always the best op琀椀on
Sandboxing
• Applica琀椀ons cannot access unrelated resources
– They play in their own sandbox
• Commonly used during development
– Can be a useful produc琀椀on technique
• Used in many di昀昀erent deployments
– Virtual machines
– Mobile devices
– Browser iframes (Inline Frames)
– Windows User Account Control (UAC)
3.3 - Load Balancing
Balancing the load
• Distribute the load
– Mul琀椀ple servers
– Invisible to the end-user
• Large-scale implementa琀椀ons
– Web server farms, database farms
• Fault tolerance
– Server outages have no e昀昀ect
– Very fast convergence
Load balancer
• Con昀椀gurable load
– Manage across servers
• TCP o昀툀oad
– Protocol overhead
• SSL o昀툀oad
– Encryp琀椀on/Decryp琀椀on
• Caching
– Fast response
• Priori琀椀za琀椀on
– QoS
• Content switching
– Applica琀椀on-centric balancing
Scheduling
• Round-robin
– Each server is selected in turn
• Weighted round-robin
– Priori琀椀ze the server use
• Dynamic round-robin
– Monitor the server load and distribute to the server
with the lowest use
• Ac琀椀ve/ac琀椀ve load balancing
A昀케nity
• A昀케nity
– A kinship, a likeness
• Many applica琀椀ons require communica琀椀on to the same
instance
– Each user is “stuck” to the same server
– Tracked through IP address or session IDs
– Source a昀케nity / s琀椀cky session / session persistence
• Ac琀椀ve/ac琀椀ve load balancing
Ac琀椀ve/passive load balancing
• Some servers are ac琀椀ve
– Others are on standby
• If an ac琀椀ve server fails, the passive server takes its place
3.3 - Network Segmenta琀椀on
Segmen琀椀ng the network
• Physical, logical, or virtual segmenta琀椀on
– Devices, VLANs, virtual networks
• Performance
– High-bandwidth applica琀椀ons
• Security
– Users should not talk directly to database servers
– The only applica琀椀ons in the core are SQL and SSH
• Compliance
– Mandated segmenta琀椀on (PCI compliance)
– Makes change control much easier
© 2020 Messer Studios, LLC
Physical segmenta琀椀on
• Devices are physically separate - Switch A and Switch B
• Must be connected to provide communica琀椀on
– Direct connect, or another switch or router
• Web servers in one rack
– Database servers on another
• Customer A on one switch, customer B on another
– No opportunity for mixing data
• Separate devices
– Mul琀椀ple units, separate infrastructure
Logical segmenta琀椀on with VLANs
• Virtual Local Area Networks (VLANs)
– Separated logically instead of physically
– Cannot communicate between VLANs without
a Layer 3 device / router
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 69
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.3 - Network Segmenta琀椀on (con琀椀nued)
Screened subnet
• Previously known as the demilitarized zone (DMZ)
– An addi琀椀onal layer of security between
the Internet and you
– Public access to public resources
East-west tra昀케c
• Tra昀케c 昀氀ows within a data center
– Important to know where tra昀케c starts and ends
• East-west
– Tra昀케c between devices in the same data center
– Rela琀椀vely fast response 琀椀mes
• North-south tra昀케c
– Ingress/egress to an outside device
– A di昀昀erent security posture than east-west tra昀케c
Extranet
• A private network for partners
– Vendors, suppliers
• Usually requires addi琀椀onal authen琀椀ca琀椀on
– Only allow access to authorized users
Intranet
• Private network - Only available internally
• Company announcements, important documents,
other company business
– Employees only
• No external access
– Internal or VPN access only
Zero-trust
• Many networks are rela琀椀vely open on the inside
– Once you’re through the 昀椀rewall, there are few
security controls
• Zero trust is a holis琀椀c approach to network security
– Covers every device, every process, every person
• Everything must be veri昀椀ed
– Nothing is trusted
– Mul琀椀factor authen琀椀ca琀椀on, encryp琀椀on, system
permissions, addi琀椀onal 昀椀rewalls, monitoring and
analy琀椀cs, etc.
3.3 - Virtual Private Networks
VPNs
• Virtual Private Networks
– Encrypted (private) data traversing a public network
• Concentrator
– Encryp琀椀on/decryp琀椀on access device
– O昀琀en integrated into a 昀椀rewall
• Many deployment op琀椀ons
– Specialized cryptographic hardware
– So昀琀ware-based op琀椀ons available
• Used with client so昀琀ware
– Some琀椀mes built into the OS
© 2020 Messer Studios, LLC
SSL VPN (Secure Sockets Layer VPN)
• Uses common SSL/TLS protocol (tcp/443)
– (Almost) No 昀椀rewall issues!
• No big VPN clients
– Usually remote access communica琀椀on
• Authen琀椀cate users
– No requirement for digital cer琀椀昀椀cates or shared
passwords (like IPSec)
• Can be run from a browser or from a
(usually light) VPN client
– Across many opera琀椀ng systems
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 70
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.3 - Virtual Private Networks (con琀椀nued)
Remote access VPN
• On-demand access
from a remote device
– So昀琀ware
connects to a VPN
concentrator
• Some so昀琀ware can
be con昀椀gured as
always-on
Internet
Corporate
Network
Site-to-site VPN
1
VPN Concentrator
Traffic is encrypted
as it passes through the
local VPN concentrator
2
Remote User
Traffic is decrypted
in the VPN concentrator
on the other side of
the tunnel
Remote
Site
Corporate
Network
Firewall /
VPN Concentrator
Firewall /
VPN Concentrator
Full VPN Tunnel
2
VPN concentrator
decrypts the tunneled
traffic and routes it
into the corporate network
Remote user creates
tunnel to
1 athesecure
VPN concentrator
Corporate
Network
Remote
User
VPN Concentrator
process is reversed
3 The
for the return traffic
Split VPN Tunnel
Traffic to all other
sites is “split” from
the tunnel and is
not decrypted
Internet
2
professormesser.com
Only traffic to
corporate
1 the
network traverses
the VPN tunnel
Corporate
Network
VPN Concentrator
Internet
© 2020 Messer Studios, LLC
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 71
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
Remote
User
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.3 - Virtual Private Networks (con琀椀nued)
IPSec (Internet Protocol Security)
• Security for OSI Layer 3
– Authen琀椀ca琀椀on and encryp琀椀on for every packet
• Con昀椀den琀椀ality and integrity/an琀椀-replay
– Encryp琀椀on and packet signing
• Very standardized
– Common to use mul琀椀-vendor implementa琀椀ons
• Two core IPSec protocols
– Authen琀椀ca琀椀on Header (AH)
– Encapsula琀椀on Security Payload (ESP)
L2TP
• Layer 2 Tunneling Protocol
– Connec琀椀ng sites over a layer 3 network as if they
were connected at layer 2
• Commonly implemented with IPsec
– L2TP for the tunnel, IPsec for the encryp琀椀on
– L2TP over IPsec (L2TP/IPsec)
AH (Authen琀椀ca琀椀on Header)
• Data integrity
• Origin authen琀椀ca琀椀on
• Replay a琀琀ack protec琀椀on
• Keyed-hash mechanism
• No con昀椀den琀椀ality/encryp琀椀on
AH
Header
New IP Header
IP Packet with Authen/ca/on (tunnel mode)
IP Header
Data
Authen/cated
ESP (Encapsula琀椀ng Security Payload)
• Data con昀椀den琀椀ality (encryp琀椀on)
• Limited tra昀케c 昀氀ow con昀椀den琀椀ality
• Data integrity
• An琀椀-replay protec琀椀on
IPsec Datagram with ESP (tunnel mode)
New IP Header
ESP
Header
IP Header
ESP
Trailer
Data
Integrity
Check Value
Encrypted
Authen;cated
IPsec Transport mode and Tunnel mode
AH and ESP
• Combine the data integrity of AH
with the con昀椀den琀椀ality of ESP
Original Packet
IP Header
Data
IPsec Datagram with AH and ESP (transport mode)
IP Header
AH
Header
ESP
Header
Data
ESP
Trailer
Integrity
Check Value
ESP
Trailer
Integrity
Check Value
Encrypted
Authen;cated
IPsec Datagram with AH and ESP (tunnel mode)
New IP Header
AH
Header
ESP
Header
IP Header
Data
Encrypted
Authen;cated
© 2020 Messer Studios, LLC
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 72
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.3 - Virtual Private Networks (con琀椀nued)
Authen琀椀ca琀椀on Header (AH)
• Hash of the packet and a shared key
– SHA-2 is common
– Adds the AH to the packet header
• This doesn’t provide encryp琀椀on
– Provides data integrity (hash)
– Guarantees the data origin (authen琀椀ca琀椀on)
– Prevents replay a琀琀acks (sequence numbers)
Encapsula琀椀on Security Payload (ESP)
• Encrypts and authen琀椀cates the tunneled data
– Commonly uses SHA-2 for hash, AES for encryp琀椀on
– Adds a header, a trailer, and an Integrity Check Value
• Combine with Authen琀椀ca琀椀on Header (AH) for integrity
and authen琀椀ca琀椀on of the outer header
IPsec Transport mode and Tunnel mode
• Tunnel mode is the most common
– Transport mode may not even be an op琀椀on
HTML5 VPNs
• Hypertext Markup Language version 5
– The language commonly used in web browsers
• Includes comprehensive API support
– Applica琀椀on Programming Interface
– Web cryptography API
• Create a VPN tunnel without a separate VPN applica琀椀on
– Nothing to install
• Use an HTML5 compliant browser
– Communicate directly to the VPN concentrator
3.3 - Port Security
Port security
• There’s a lot of security that happens at the
physical switch interface
– O昀琀en the 昀椀rst and last point of transmission
• Control and protect
– Limit overall tra昀케c
– Control speci昀椀c tra昀케c types
– Watch for unusual or unwanted tra昀케c
• Di昀昀erent op琀椀ons are available
– Manage di昀昀erent security issues
Broadcasts
• Send informa琀椀on to everyone at once
– One frame or packet, received by everyone
– Every device must examine the broadcast
• Limited scope - The broadcast domain
• Rou琀椀ng updates, ARP requests - Can add up quickly
• Malicious so昀琀ware or a bad NIC
– Not always normal tra昀케c
• Not used in IPv6
– Focus on mul琀椀cast
Broadcast storm control
• The switch can control broadcasts
– Limit the number of broadcasts per second
• Can o昀琀en be used to control mul琀椀cast and unknown
unicast tra昀케c
– Tight security posture
• Manage by speci昀椀c values or by percentage
– Or the change over normal tra昀케c pa琀琀erns
Loop protec琀椀on
• Connect two switches to each other
– They’ll send tra昀케c back and forth forever
– There’s no “coun琀椀ng” mechanism at the MAC layer
• This is an easy way to bring down a network
– And somewhat di昀케cult to troubleshoot
– Rela琀椀vely easy to resolve
© 2020 Messer Studios, LLC
• IEEE standard 802.1D to prevent loops in bridged
(switched) networks (1990)
– Created by Radia Perlman
– Used prac琀椀cally everywhere
BPDU Guard
• Spanning tree takes 琀椀me to determine if a switch port
should forward frames
– Bypass the listening and learning states
– Cisco calls this PortFast
• BPDU (Bridge Protocol Data Unit)
– The spanning tree control protocol
• If a BPDU frame is seen on a PortFast con昀椀gured
interface (i.e., a worksta琀椀on), shut down the interface
– This shouldn’t happen - Worksta琀椀ons don’t send BPDUs
DHCP Snooping
• IP tracking on a layer 2 device (switch)
– The switch is a DHCP 昀椀rewall
– Trusted: Routers, switches, DHCP servers
– Untrusted: Other computers, uno昀케cial DHCP servers
• Switch watches for DHCP conversa琀椀ons
– Adds a list of untrusted devices to a table
• Filters invalid IP and DHCP informa琀椀on
– Sta琀椀c IP addresses
– Devices ac琀椀ng as DHCP servers
– Other invalid tra昀케c pa琀琀erns
MAC 昀椀ltering
• Media Access Control
– The “hardware” address
• Limit access through the physical hardware address
– Keeps the neighbors out
– Addi琀椀onal administra琀椀on with visitors
• Easy to 昀椀nd working MAC addresses through wireless
LAN analysis
– MAC addresses can be spoofed
– Free open-source so昀琀ware
• Security through obscurity
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 73
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.3 - Secure Networking
Domain Name Resolu琀椀on
• DNS had no security in the original design
– Rela琀椀vely easy to poison a DNS
• DNSSEC
– Domain Name System Security Extensions
• Validate DNS responses
– Origin authen琀椀ca琀椀on
– Data integrity
• Public key cryptography
– DNS records are signed with a trusted third party
– Signed DNS records are published in DNS
Using a DNS for security
• Stop end users from visi琀椀ng dangerous sites
– The DNS resolves to a sinkhole address
• A query to a known-malicious address can iden琀椀fy
infected systems
– And prevent further exploita琀椀on
• Content 昀椀ltering
– Prevent DNS queries to unwanted or
suspicious sites
Out-of-band management
• The network isn’t available
– Or the device isn’t accessible from the network
• Most devices have a separate management interface
– Usually a serial connec琀椀on / USB
• Connect a modem
– Dial-in to manage the device
• Console router / comm server
– Out-of-band access for mul琀椀ple devices
– Connect to the console router, then choose
where you want to go
The need for QoS
• Many di昀昀erent devices
– Desktop, laptop, VoIP phone, mobile devices
• Many di昀昀erent applica琀椀ons
– Mission cri琀椀cal applica琀椀ons, streaming video,
streaming audio
• Di昀昀erent apps have di昀昀erent network requirements
– Voice is real-琀椀me
– Recorded streaming video has a bu昀昀er
– Database applica琀椀on is interac琀椀ve
• Some applica琀椀ons are “more important” than others
– Voice tra昀케c needs to have priority over YouTube
QoS (Quality of Service)
• Priori琀椀ze tra昀케c performance
– Voice over IP tra昀케c has priority over web-browsing
– Priori琀椀ze by maximum bandwidth, tra昀케c rate,
VLAN, etc.
• Quality of Service
– Describes the process of controlling tra昀케c 昀氀ows
• Many di昀昀erent methods
– Across many di昀昀erent topologies
© 2020 Messer Studios, LLC
IPv6 security is di昀昀erent
• More IP address space
– More di昀케cult to IP/port scan (but not impossible)
– The tools already support IPv6
• No need for NAT
– NAT is not a security feature
• Some a琀琀acks disappear
– No ARP, so no ARP spoo昀椀ng
• New a琀琀acks will appear
– For example, Neighbor Cache Exhaus琀椀on
• IPsec built in / IPsec ready
Taps and port mirrors
• Intercept network tra昀케c
– Send a copy to a packet capture device
• Physical taps
– Disconnect the link, put a tap in the middle
– Can be an ac琀椀ve or passive tap
• Port mirror
– Port redirec琀椀on, SPAN (Switched Port ANalyzer)
– So昀琀ware-based tap
– Limited func琀椀onality, but can work well in a pinch
Monitoring services
• Constant cybersecurity monitoring
– Ongoing security checks
– A sta昀昀 of cybersecurity experts at a
Security Opera琀椀ons Center (SoC)
• Iden琀椀fy threats
– A broad range of threats across many di昀昀erent
organiza琀椀ons
• Respond to events
– Faster response 琀椀me
• Maintain compliance
– Someone else ensures PCI DSS, HIPAA compliance, etc.
FIM (File Integrity Monitoring)
• Some 昀椀les change all the 琀椀me
– Some 昀椀les should NEVER change
• Monitor important opera琀椀ng system and applica琀椀on 昀椀les
– Iden琀椀fy when changes occur
• Windows - SFC (System File Checker)
• Linux - Tripwire
• Many host-based IPS op琀椀ons
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 74
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.3 - Firewalls
The universal security control
• Standard issue
– Home, o昀케ce, and in your opera琀椀ng system
• Control the 昀氀ow of network tra昀케c
– Everything passes through the 昀椀rewall
• Corporate control of outbound and inbound data
– Sensi琀椀ve materials
• Control of inappropriate content
– Not safe for work, parental controls
• Protec琀椀on against evil
– An琀椀-virus, an琀椀-malware
Network-based 昀椀rewalls
• Filter tra昀케c by port number or applica琀椀on
– Tradi琀椀onal vs. NGFW 昀椀rewalls
• Encrypt tra昀케c - VPN between sites
• Most 昀椀rewalls can be layer 3 devices (routers)
– O昀琀en sits on the ingress/egress of the network
– Network Address
– Transla琀椀on (NAT) func琀椀onality
– Authen琀椀cate dynamic rou琀椀ng communica琀椀on
Stateless 昀椀rewall
• Does not keep track of tra昀케c 昀氀ows
– Each packet is individually examined, regardless
of past history
– Tra昀케c sent outside of an ac琀椀ve session will
traverse a stateless 昀椀rewall
Stateful 昀椀rewall
• Stateful 昀椀rewalls remember the “state” of the session
– Everything within a valid 昀氀ow is allowed
UTM / All-in-one security appliance
• Uni昀椀ed Threat Management (UTM) /
• Web security gateway
• URL 昀椀lter / Content inspec琀椀on
• Malware inspec琀椀on
• Spam 昀椀lter
• CSU/DSU
• Router, Switch
• Firewall
• IDS/IPS
• Bandwidth shaper
• VPN endpoint
Next-genera琀椀on 昀椀rewall (NGFW)
• The OSI Applica琀椀on Layer
– All data in every packet
• Can be called di昀昀erent names
– Applica琀椀on layer gateway
– Stateful mul琀椀layer inspec琀椀on
– Deep packet inspec琀椀on
• Requires some advanced decodes
– Every packet must be analyzed and categorized
before a security decision is determined
© 2020 Messer Studios, LLC
NGFWs
• Network-based Firewalls
– Control tra昀케c 昀氀ows based on the applica琀椀on
– Microso昀琀 SQL Server, Twi琀琀er, YouTube
• Intrusion Preven琀椀on Systems
– Iden琀椀fy the applica琀椀on
– Apply applica琀椀on-speci昀椀c vulnerability signatures
to the tra昀케c
• Content 昀椀ltering
– URL 昀椀lters
– Control website tra昀케c by category
Web applica琀椀on 昀椀rewall (WAF)
• Not like a “normal” 昀椀rewall
– Applies rules to HTTP/HTTPS conversa琀椀ons
• Allow or deny based on expected input
– Unexpected input is a common method of
exploi琀椀ng an applica琀椀on
• SQL injec琀椀on
– Add your own commands to an applica琀椀on’s
SQL query
• A major focus of Payment Card Industry
– Data Security Standard (PCI DSS)
Firewall rules
• Access control lists (ACLs)
– Allow or disallow tra昀케c based on tuples
– Groupings of categories
– Source IP, Des琀椀na琀椀on IP, port number, 琀椀me of day,
applica琀椀on, etc.
• A logical path
– Usually top-to-bo琀琀om
• Can be very general or very speci昀椀c
– Speci昀椀c rules are usually at the top
• Implicit deny
– Most 昀椀rewalls include a deny at the bo琀琀om
– Even if you didn’t put one
Firewall characteris琀椀cs
• Open-source vs. proprietary
– Open-source provides tradi琀椀onal 昀椀rewall func琀椀onality
– Proprietary features include applica琀椀on control and
high-speed hardware
• Hardware vs. so昀琀ware
– Purpose-built hardware provides e昀케cient and
昀氀exible connec琀椀vity op琀椀ons
– So昀琀ware-based 昀椀rewalls can be installed
almost anywhere
• Appliance vs. host-based vs. virtual
– Appliances provide the fastest throughput
– Host-based 昀椀rewalls are applica琀椀on-aware and
can view non-encrypted data
– Virtual 昀椀rewalls provide valuable East/West
network security
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 75
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.3 - Network Access Control
Edge vs. access control
• Control at the edge
– Your Internet link
– Managed primarily through 昀椀rewall rules
– Firewall rules rarely change
• Access control
– Control from wherever you are - Inside or outside
– Access can be based on many rules
– By user, group, loca琀椀on, applica琀椀on, etc.
– Access can be easily revoked or changed
– Change your security posture at any 琀椀me
Posture assessment
• You can’t trust everyone’s computer
– BYOD (Bring Your Own Device)
– Malware infec琀椀ons / missing an琀椀-malware
– Unauthorized applica琀椀ons
• Before connec琀椀ng to the network, perform a health check
– Is it a trusted device?
– Is it running an琀椀-virus? Which one? Is it updated?
– Are the corporate applica琀椀ons installed?
– Is it a mobile device?
– Is the disk encrypted?
– The type of device doesn’t ma琀琀er - Windows, Mac,
Linux, iOS, Android
Health checks/posture assessment
• Persistent agents
– Permanently installed onto a system
– Periodic updates may be required
• Dissolvable agents
– No installa琀椀on is required
– Runs during the posture assessment
– Terminates when no longer required
• Agentless NAC
– Integrated with Ac琀椀ve Directory
– Checks are made during login and logo昀昀
– Can’t be scheduled
Failing your assessment
• What happens when a posture
assessment fails?
– Too dangerous to allow access
• Quaran琀椀ne network, no琀椀fy administrators
– Just enough network access to 昀椀x the issue
• Once resolved, try again
– May require addi琀椀onal 昀椀xes
3.3 - Intrusion Preven琀椀on
NIDS and NIPS
• Intrusion Detec琀椀on System /
– Intrusion Preven琀椀on System
– Watch network tra昀케c
• Intrusions
– Exploits against opera琀椀ng systems,
applica琀椀ons, etc.
– Bu昀昀er over昀氀ows, cross-site scrip琀椀ng, other
vulnerabili琀椀es
• Detec琀椀on vs. Preven琀椀on
– Detec琀椀on – Alarm or alert
– Preven琀椀on – Stop it before it gets into
the network
Passive monitoring
• Examine a copy of the tra昀케c
– Port mirror (SPAN), network tap
• No way to block (prevent) tra昀케c
Out-of-band-response
• When malicious tra昀케c is iden琀椀昀椀ed,
– IPS sends TCP RST (reset) frames
– A昀琀er-the-fact
– Limited UDP response available
© 2020 Messer Studios, LLC
Inline monitoring
• IDS/IPS sits physically inline
– All tra昀케c passes through the IDS/IPS
In-band response
• Malicious tra昀케c is immediately iden琀椀昀椀ed
– Dropped at the IPS
– Does not proceed through the network
Iden琀椀昀椀ca琀椀on technologies
• Signature-based
– Look for a perfect match
• Anomaly-based
– Build a baseline of what’s “normal”
• Behavior-based
– Observe and report
• Heuris琀椀cs
– Use ar琀椀昀椀cial intelligence to iden琀椀fy
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 76
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.3 - Intrusion Preven琀椀on (con琀椀nued)
Passive monitoring
Network traffic is sent from client to
server through the network switch
2
IPS
Inline monitoring
1
A copy of
the traffic is
sent to the IDS/IPS
Network traffic is sent
from the Internet to
the core switch, which passes
through the IPS
Internet
1
Switch
2
The inline IPS can allow
or deny traffic in real-Ame
IPS
Firewall
Core Switch
3.3 - Other Network Appliances
Hardware Security Module (HSM)
• High-end cryptographic hardware
– Plug-in card or separate hardware device
• Key backup
– Secured storage
• Cryptographic accelerators
– O昀툀oad that CPU overhead
from other devices
• Used in large environments
Clusters, redundant power
Jump server
• Access secure network zones
– Provides an access mechanism
to a protected network
• Highly-secured device
– Hardened and monitored
• SSH / Tunnel / VPN to
the jump server
– RDP, SSH, or jump from there
• A signi昀椀cant security concern
– Compromise to the
jump server is
External
a signi昀椀cant breach
Client
Sensors and collectors
• Aggregate informa琀椀on from network devices
– Built-in sensors, separate devices
– Integrated into switches, routers, servers, 昀椀rewalls, etc.
• Sensors
– Intrusion preven琀椀on systems, 昀椀rewall logs,
authen琀椀ca琀椀on logs, web server access logs, database
transac琀椀on logs, email logs
• Collectors
– Proprietary consoles (IPS, 昀椀rewall),
– SIEM consoles, syslog servers
– Many SIEMs include a correla琀椀on engine to
compare diverse sensor data
Private Network
Applica1on Server
Jump Server
Web Server
Database Server
© 2020 Messer Studios, LLC
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 77
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.4 - Wireless Cryptography
Securing a wireless network
• An organiza琀椀on’s wireless network can contain con昀椀den琀椀al
informa琀椀on
– Not everyone is allowed access
• Authen琀椀cate the users before gran琀椀ng access
– Who gets access to the wireless network?
– Username, password, mul琀椀-factor authen琀椀ca琀椀on
• Ensure that all communica琀椀on is con昀椀den琀椀al
– Encrypt the wireless data
• Verify the integrity of all communica琀椀on
– The received data should be iden琀椀cal to the
original sent data
– A message integrity check (MIC)
Wireless encryp琀椀on
• All wireless computers are radio transmi琀琀ers and receivers
– Anyone can listen in
• Solu琀椀on: Encrypt the data - Everyone has an encryp琀椀on key
• Only people with the right key can transmit and listen
– WPA2 and WPA3
WPA2 and CCMP
• Wi-Fi Protected Access II (WPA2)
– WPA2 cer琀椀昀椀ca琀椀on began in 2004
• CCMP block cipher mode
– Counter Mode with Cipher Block Chaining
– Message Authen琀椀ca琀椀on Code Protocol, or
– Counter/CBC-MAC Protocol
• CCMP security services
– Data con昀椀den琀椀ality with AES
– Message Integrity Check (MIC) with CBC-MAC
WPA3 and GCMP
• Wi-Fi Protected Access 3 (WPA3) - Introduced in 2018
• GCMP block cipher mode
– Galois/Counter Mode Protocol
– A stronger encryp琀椀on than WPA2
• GCMP security services
– Data con昀椀den琀椀ality with AES
– Message Integrity Check (MIC) with
– Galois Message Authen琀椀ca琀椀on Code (GMAC)
The WPA2 PSK problem
• WPA2 has a PSK brute-force problem
– Listen to the four-way handshake
– Some methods can derive the PSK hash without
the handshake
– Capture the hash
• With the hash, a琀琀ackers can brute force the
pre-shared key (PSK)
• This has become easier as technology improves
– A weak PSK is easier to brute force
– GPU processing speeds
– Cloud-based password cracking
• Once you have the PSK, you have everyone’s
wireless key
– There’s no forward secrecy
SAE
• WPA3 changes the PSK authen琀椀ca琀椀on process
– Includes mutual authen琀椀ca琀椀on
– Creates a shared session key without sending that
key across the network
– No more four-way handshakes, no hashes,
no brute force a琀琀acks
– Adds perfect forward secrecy
• Simultaneous Authen琀椀ca琀椀on of Equals (SAE)
– A Di昀케e-Hellman derived key exchange with an
authen琀椀ca琀椀on component
– Everyone uses a di昀昀erent session key, even with
the same PSK
– An IEEE standard - the dragon昀氀y handshake
3.4 - Wireless Authen琀椀ca琀椀on Methods
Wireless authen琀椀ca琀椀on methods
• Gain access to a wireless network
– Mobile users
– Temporary users
• Creden琀椀als
– Shared password / pre-shared key (PSK)
– Centralized authen琀椀ca琀椀on (802.1X)
• Con昀椀gura琀椀on
– Part of the wireless network connec琀椀on
– Prompted during the connec琀椀on process
Wireless security modes
• Con昀椀gure the authen琀椀ca琀椀on on your wireless
access point / wireless router
• Open System
– No password is required
© 2020 Messer Studios, LLC
• WPA3-Personal / WPA3-PSK
– WPA3 with a pre-shared key
– Everyone uses the same key
– Unique WPA3 session key is derived from the PSK using SAE
(Simultaneous Authen琀椀ca琀椀on of Equals)
• WPA3-Enterprise / WPA3-802.1X
– Authen琀椀cates users individually with an
authen琀椀ca琀椀on server (i.e., RADIUS)
Cap琀椀ve Portal
• Authen琀椀ca琀椀on to a network - Common on wireless networks
• Access table recognizes a lack of authen琀椀ca琀椀on
– Redirects your web access to a cap琀椀ve portal page
• Username / password - And addi琀椀onal authen琀椀ca琀椀on factors
• Once proper authen琀椀ca琀椀on is provided, the
web session con琀椀nues
– Un琀椀l the cap琀椀ve portal removes your access
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 78
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.4 - Wireless Authen琀椀ca琀椀on Methods (con琀椀nued)
Using WPS
• Wi-Fi Protected Setup
– Originally called Wi-Fi Simple Con昀椀g
• Allows “easy” setup of a mobile device
– A passphrase can be complicated to a novice
• Di昀昀erent ways to connect
– PIN con昀椀gured on access point must be entered
on the mobile device
– Push a bu琀琀on on the access point
– Near-昀椀eld communica琀椀on – Bring the mobile device close to the access point
The WPS hack
• December 2011 - WPS has a design 昀氀aw
– It was built wrong from the beginning
• PIN is an eight-digit number
– Really seven digits and a checksum
– Seven digits, 10,000,000 possible combina琀椀ons
• The WPS process validates each half of the PIN
– First half, 4 digits. Second half, 3 digits.
– First half, 10,000 possibili琀椀es,
second half, 1,000 possibili琀椀es
• It takes about four hours to go through all of them
– Most devices never considered a lockout func琀椀on
– Brute force lockout features are now the norm
3.4 - Wireless Authen琀椀ca琀椀on Protocols
Wireless authen琀椀ca琀椀on
• We’ve created many authen琀椀ca琀椀on methods
through the years
– A network administrator has many choices
• Use a username and password
– Other factors can be included
• Commonly used on wireless networks
– Also works on wired networks
EAP
• Extensible Authen琀椀ca琀椀on Protocol (EAP)
– An authen琀椀ca琀椀on framework
• Many di昀昀erent ways to authen琀椀cate based on
RFC standards
– Manufacturers can build their own EAP methods
• EAP integrates with 802.1X
– Prevents access to the network un琀椀l the
authen琀椀ca琀椀on succeeds
IEEE 802.1X
• IEEE 802.1X
– Port-based Network Access Control (NAC)
– You don’t get access to the network un琀椀l you
authen琀椀cate
• Used in conjunc琀椀on with an access database
– RADIUS, LDAP, TACACS+
IEEE 802.1X and EAP
• Supplicant
– The client
• Authen琀椀cator
– The device that provides access
• Authen琀椀ca琀椀on server
– Validates the client creden琀椀als
© 2020 Messer Studios, LLC
EAP-FAST
• EAP Flexible Authen琀椀ca琀椀on via Secure Tunneling
– Authen琀椀ca琀椀on server (AS) and supplicant share a
protected access creden琀椀al (PAC) (shared secret)
• Supplicant receives the PAC
• Supplicant and AS mutually authen琀椀cate and
nego琀椀ate a Transport Layer Security (TLS) tunnel
• User authen琀椀ca琀椀on occurs over the TLS tunnel
• Need a RADIUS server
– Provides the authen琀椀ca琀椀on database and
EAP-FAST services
PEAP
• Protected Extensible Authen琀椀ca琀椀on Protocol
– Protected EAP
– Created by Cisco, Microso昀琀, and RSA Security
• Also encapsulates EAP in a TLS tunnel
– AS uses a digital cer琀椀昀椀cate instead of a PAC
– Client doesn’t use a cer琀椀昀椀cate
• User authen琀椀cates with MSCHAPv2
– Authen琀椀cates to Microso昀琀’s MS-CHAPv2 databases
• User can also authen琀椀cate with a GTC
– Generic Token Card, hardware token generator
EAP-TLS
• EAP Transport Layer Security
– Strong security, wide adop琀椀on
– Support from most of the industry
• Requires digital cer琀椀昀椀cates on the AS and
all other devices
– AS and supplicant exchange cer琀椀昀椀cates for
mutual authen琀椀ca琀椀on
– TLS tunnel is then built for the user
authen琀椀ca琀椀on process
• Rela琀椀vely complex implementa琀椀on
– Need a public key infrastructure (PKI)
– Must deploy and manage cer琀椀昀椀cates to
all wireless clients
– Not all devices can support the use of digital cer琀椀昀椀cates
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 79
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.4 - Wireless Authen琀椀ca琀椀on Protocols (con琀椀nued)
RADIUS Federa琀椀on
• Use RADIUS with federa琀椀on
– Members of one organiza琀椀on can authen琀椀cate to
the network of another organiza琀椀on
– Use their normal creden琀椀als
• Use 802.1X as the authen琀椀ca琀椀on method
– And RADIUS on the backend - EAP to authen琀椀cate
• Driven by eduroam (educa琀椀on roaming)
– Educators can use their normal authen琀椀ca琀椀on
when visi琀椀ng a di昀昀erent campus
– h琀琀ps://www.eduroam.org/
EAP-TTLS
• EAP Tunneled Transport Layer Security
– Support other authen琀椀ca琀椀on protocols
in a TLS tunnel
• Requires a digital cer琀椀昀椀cate on the AS
– Does not require digital cer琀椀昀椀cates on every device
– Builds a TLS tunnel using this digital cer琀椀昀椀cate
• Use any authen琀椀ca琀椀on method inside the TLS tunnel
– Other EAPs
– MSCHAPv2
– Anything else
3.4 - Installing Wireless Networks
Channel selec琀椀on and overlaps
• Overlapping channels
– Frequency con昀氀icts - use non-overlapping channels
– Automa琀椀c or manual con昀椀gura琀椀ons
Access point placement
• Minimal overlap
– Maximize coverage, minimize the number
of access points
• Avoid interference
– Electronic devices (microwaves)
– Building materials
– Third-party wireless networks
• Signal control
– Place APs where the users are
– Avoid excessive signal distance
Wireless infrastructure security
• Wireless controllers
– Centralized management of wireless access points
– Manage system con昀椀gura琀椀on and performance
• Securing wireless controllers
– Control access to management console
– Use strong encryp琀椀on with HTTPS
– Automa琀椀c logout a昀琀er no ac琀椀vity
• Securing access points
– Use strong passwords
– Update to the latest 昀椀rmware
Site surveys
• Determine exis琀椀ng wireless landscape
– Sample the exis琀椀ng wireless spectrum
• Iden琀椀fy exis琀椀ng access points
– You may not control all of them
• Work around exis琀椀ng frequencies
– Layout and plan for interference
• Plan for ongoing site surveys
– Things will certainly change
• Heat maps - Iden琀椀fy wireless signal strengths
Wireless survey tools
• Signal coverage
• Poten琀椀al interference
• Built-in tools
• 3rd-party tools
• Spectrum analyzer
Wireless packet analysis
• Wireless networks are incredibly easy to monitor
– Everyone “hears” everything
• You have to be quiet
– You can’t hear the network if you’re busy transmi琀�ng
• Some network drivers won’t capture wireless informa琀椀on
– You’ll need specialized adapters/chipsets and drivers
• View wireless-speci昀椀c informa琀椀on
– Signal-to-noise ra琀椀o, channel informa琀椀on, etc.
• Try it yourself! - h琀琀ps://www.wireshark.org
2.4 GHz Spectrum for 802.11 - North America
IEEE Channel #
1
6
11
Available channels
New channels added in April 2014
Previously indoor channels, usable outdoors aFer April 2014
Frequencies not available for 802.11
20 MHz
2412 MHz
2482 MHz
5 GHz Spectrum for 802.11 - North America
IEEE Channel #
36
40
44
48
52
56
60
64
68
72
76
80
84
88
92
96
100
104
108
112
116
120
124
128
132
136
140
144
149
153
157
161
165
169
173
177
20 MHz
40 MHz
80 MHz
160 MHz
5150 MHz
UNII-1
5250 MHz
© 2020 Messer Studios, LLC
UNII-2
5350 MHz
5470 MHz
UNII-2
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 80
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
5725 MHz
UNII-3
5825 MHz
5925 MHz
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.5 - Mobile Networks
Point-to-point
• One-to-one connec琀椀on
– Conversa琀椀on between two devices
• Connec琀椀ons between buildings
– Point-to-point network links
• Wi-Fi repeaters
– Extend the length of an exis琀椀ng network
Point-to-mul琀椀point
• One of the most popular communica琀椀on methods
802.11 wireless
• Does not imply full connec琀椀vity between nodes
Cellular networks
• Mobile devices
– “Cell” phones
• Separate land into “cells”
– Antenna coverages a cell with certain frequencies
• Security concerns
– Tra昀케c monitoring
– Loca琀椀on tracking
– Worldwide access to a mobile device
Wi-Fi
• Local network access
– Local security problems
• Same security concerns as other Wi-Fi devices
• Data capture
– Encrypt your data!
• On-path a琀琀ack
– Modify and/or monitor data
• Denial of service
– Frequency interference
Bluetooth
• High speed communica琀椀on over short distances
– PAN (Personal Area Network)
• Connects our mobile devices
– Smartphones, tethering, headsets and
headphones, health monitors, automobile and
phone integra琀椀on, smartwatches,
external speakers
RFID (Radio-frequency iden琀椀昀椀ca琀椀on)
• It’s everywhere
– Access badges
– Inventory/Assembly line tracking
– Pet/Animal iden琀椀昀椀ca琀椀on
– Anything that needs to be tracked
• Radar technology
– Radio energy transmi琀琀ed to the tag
– RF powers the tag, ID is transmi琀琀ed back
– Bidirec琀椀onal communica琀椀on
– Some tag formats can be ac琀椀ve/powered
© 2020 Messer Studios, LLC
Near 昀椀eld communica琀椀on (NFC)
• Two-way wireless communica琀椀on
– Builds on RFID, which was one-way
• Payment systems
– Google wallet, Apple Pay
• Bootstrap for other wireless
– NFC helps with Bluetooth pairing
• Access token, iden琀椀ty “card”
– Short range with encryp琀椀on support
NFC security concerns
• Remote capture
– It’s a wireless network
– 10 meters for ac琀椀ve devices
• Frequency jamming - Denial of service
• Relay / Replay a琀琀ack - Man in the middle
• Loss of RFC device control - Stolen/lost phone
IR (Infrared)
• Included on many smartphones, tablets, and smartwatches
– Not really used much for prin琀椀ng
• Control your entertainment center
– Almost exclusively IR
• File transfers are possible
• Other phones can be used to control your IR devices
USB (Universal Serial Bus)
• Physical connec琀椀vity to your mobile device
– USB to your computer
– USB, Lightning, or proprietary on your phone
• Physical access is always a concern
– May be easier to gain access than over a remote
connec琀椀on
• A locked device is rela琀椀vely secure
– Always auto-lock
• Mobile phones can also ex昀椀ltrate
– Phone can appear to be a USB storage device
Global Posi琀椀oning System (GPS)
• Created by the U.S. Department of Defense
– Over 30 satellites currently in orbit
• Precise naviga琀椀on
– Need to see at least 4 satellites
• Determines loca琀椀on based on 琀椀ming di昀昀erences
– Longitude, la琀椀tude, al琀椀tude
• Mobile device loca琀椀on services and geotracking
– Maps, direc琀椀ons
– Determine physical loca琀椀on based on GPS,
– WiFi, and cellular towers
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 81
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.5 - Mobile Device Management
Mobile Device Management (MDM)
• Manage company-owned and user-owned mobile devices
– BYOD - Bring Your Own Device
• Centralized management of the mobile devices
– Specialized func琀椀onality
• Set policies on apps, data, camera, etc.
– Control the remote device
– The en琀椀re device or a “par琀椀琀椀on”
• Manage access control
– Force screen locks and PINs on these single user devices
Applica琀椀on management
• Managing mobile apps are a challenge
– Mobile devices install apps constantly
• Not all applica琀椀ons are secure
– And some are malicious
– Android malware is a rapidly growing security concern
• Manage applica琀椀on use through whitelists
– Only approved applica琀椀ons can be installed
– Managed through the MDM
• A management challenge
– New applica琀椀ons must be checked and added
Content management
• Mobile Content Management (MCM)
– Secure access to data, protect data from outsiders
• File sharing and viewing
– On-site content (Microso昀琀 Sharepoint, 昀椀le servers)
– Cloud-based storage (Box, O昀케ce 365)
• Data sent from the mobile device
– DLP (Data Loss Preven琀椀on) prevents copy/paste of
sensi琀椀ve data
– Ensure data is encrypted on the mobile device
• Managed from the mobile device manager (MDM)
Remote wipe
• Remove all data from your mobile device
– Even if you have no idea where it is
– O昀琀en managed from the MDM
• Connect and wipe from the web
– Nuke it from anywhere
• Need to plan for this
– Con昀椀gure your mobile device now
• Always have a backup
– Your data can be removed at any 琀椀me
– As you are walking out the door
Geoloca琀椀on
• Precise tracking details - Tracks within feet
• Can be used for good (or bad)
– Find your phone, 昀椀nd you
• Most phones provide an op琀椀on to disable
– Limits func琀椀onality of the phones
• May be managed by the MDM
© 2020 Messer Studios, LLC
Geofencing
• Some MDMs allow for geofencing
– Restrict or allow features when the device is in a
par琀椀cular area
• Cameras
– Might only work when outside the o昀케ce
• Authen琀椀ca琀椀on
– Only allow logins when the device is located in a
par琀椀cular area
Screen lock
• All mobile devices can be locked
– Keep people out of your data
• Simple passcode or strong passcode
– Numbers vs. Alphanumeric
• Fail too many 琀椀mes?
– Erase the phone
• De昀椀ne a lockout policy
– Create aggressive lockout 琀椀mers
– Completely lock the phone
Push no琀椀昀椀ca琀椀on services
• Informa琀椀on appears on the mobile device screen
– The no琀椀昀椀ca琀椀on is “pushed” to your device
• No user interven琀椀on
– Receive no琀椀昀椀ca琀椀ons from one app when using a
completely di昀昀erent app
• Control of displayed no琀椀昀椀ca琀椀ons can be
managed from the MDM
– Or no琀椀昀椀ca琀椀ons can be pushed from the MDM
Passwords and PINs
• The universal help desk call
– I need to reset my password
• Mobile devices use mul琀椀ple authen琀椀ca琀椀on methods
– Password/passphrase, PINs, pa琀琀erns
• Recovery process can be ini琀椀ated from the MDM
– Password reset op琀椀on is provided on the
mobile device
– “What is the name of your favorite car maiden
cat’s color?”
• MDM also has full control
– Completely remove all security controls
– Not the default or best prac琀椀ce
Biometrics
• You are the authen琀椀ca琀椀on factor
– Fingerprint, face
• May not be the most secure authen琀椀ca琀椀on factor
– Useful in some environments
– Completely forbidden in others
• Availability is managed through the MDM
– Organiza琀椀on determines the security of the device
• Can be managed per-app
– Some apps require addi琀椀onal biometric
authen琀椀ca琀椀on
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 82
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.5 - Mobile Device Management (con琀椀nued)
Context-aware authen琀椀ca琀椀on
• Who needs 2FA?
– The a琀琀ackers can get around anything
• Authen琀椀ca琀椀on can be contextual
– If it walks like a duck…
• Combine mul琀椀ple contexts
– Where you normally login (IP address
– Where you normally frequent (GPS informa琀椀on)
– Other devices that may be
paired (Bluetooth, etc.)
• And others
– An emerging technology
– Another way to keep data safe
Containeriza琀椀on
• Di昀케cult to separate personal from business
– Especially when the device is BYOD
– Owned by the employee
• Separate enterprise mobile apps and data
– Create a virtual “container” for company data
– A contained area - limit data sharing
– Storage segmenta琀椀on keeps data separate
• Easy to manage o昀저oarding
– Only the company informa琀椀on is deleted
– Personal data is retained
– Keep your pictures, video, music, email, etc.
Full device encryp琀椀on
• Scramble all of the data on the mobile device
– Even if you lose it, the contents are safe
• Devices handle this in di昀昀erent ways
– Strongest/stronger/strong ?
• Encryp琀椀on isn’t trivial
– Uses a lot of CPU cycles
– Complex integra琀椀on between hardware
and so昀琀ware
• Don’t lose or forget your password!
– There’s no recovery
– O昀琀en backed up on the MDM
3.5 - Mobile Device Security
MicroSD HSM
• Shrink the PCI Express
– Hardware Security Module - Now in a microSD card form
• Provides security services
– Encryp琀椀on, key genera琀椀on, digital signatures,
authen琀椀ca琀椀on
• Secure storage
– Protect private keys - Cryptocurrency storage
Uni昀椀ed Endpoint Management (UEM)
• Manage mobile and non-mobile devices
– An evolu琀椀on of the Mobile Device Manager (MDM)
• End users use di昀昀erent types of devices
– Their use has blended together
• Applica琀椀ons can be used across di昀昀erent pla琀昀orms
– Work on a laptop and a smartphone
• All of these devices can be used from anywhere
– User’s don’t stay in one place
Mobile Applica琀椀on Management (MAM)
• Provision, update, and remove apps
– Keep everyone running at the correct version
• Create an enterprise app catalog
– Users can choose and install the apps they need
• Monitor applica琀椀on use
– Apps used on a device, devices with unauthorized apps
• Remotely wipe applica琀椀on data
– Securely manage remote data
© 2020 Messer Studios, LLC
SEAndroid
• Security Enhancements for Android
– SELinux (Security-Enhanced Linux)
in the Android OS
– Supports access control security policies
• A project from the US Na琀椀onal Security Agency (NSA)
– Based on the NSA’s SELinux
• Addresses a broad scope of system security
– Kernel, userspace, and policy con昀椀gura琀椀on
• Enabled by default with Android version 4.3
– July 2013
– Protect privileged Android system daemons
– Prevent malicious ac琀椀vity
• Change from Discre琀椀onary Access Control (DAC) to
Mandatory Access Control (MAC)
– Move from user-assigned control to object labels
and minimum user access
– Isolates and sandboxes Android apps
• Centralized policy con昀椀gura琀椀on
– Manage Android deployments
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 83
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.5 - Mobile Device Enforcement
Third-party app stores
• Centralized app clearinghouses
– Apple App Store
– Google Play
• Not all applica琀椀ons are secure
– Vulnerabili琀椀es, data leakage
• Not all applica琀椀ons are appropriate for business use
– Games, instant messaging, etc.
• MDM can allow or deny app store use.
Roo琀椀ng/jailbreaking
• Mobile devices are purpose-built systems
– You don’t need access to the opera琀椀ng system
• Gaining access - Android - Roo琀椀ng / Apple iOS Jailbreaking
• Install custom 昀椀rmware
– Replaces the exis琀椀ng opera琀椀ng system
• Uncontrolled access
– Circumvent security features, sideload apps without
using an app store
– The MDM becomes rela琀椀vely useless
Carrier unlocking
• Most phones are locked to a carrier
– You can’t use an AT&T phone on Verizon
– Contract with a carrier subsidizes the cost of the phone
• You can unlock the phone
– If your carrier allows it
– A carrier lock may be illegal in your country
• Security revolves around connec琀椀vity
– Moving to another carrier can circumvent the MDM
– Preven琀椀ng a SIM unlock may not be possible on a
personal device
Firmware OTA updates
• The opera琀椀ng system of a mobile device is
constantly changing - Similar to a desktop computer
• Updates are provided over the air (OTA)
– No cable required
• Security patches or en琀椀re opera琀椀ng system updates
– Signi昀椀cant changes without connec琀椀ng the device
• This may not be a good thing
– The MDM can manage what OTA updates are allowed
Camera use
• Cameras are controversial
– They’re not always a good thing
– Corporate espionage, inappropriate use
• Almost impossible to control on the device
– No good way to ensure the camera won’t be used
• Camera use can be controlled by the MDM
– Always disabled
– Enabled except for certain loca琀椀ons (geo-fencing)
SMS/MMS
• Short Message Service / Mul琀椀media Messaging Service
– Text messages, video, audio
© 2020 Messer Studios, LLC
• Control of data can be a concern
– Outbound data leaks, 昀椀nancial disclosures
– Inbound no琀椀昀椀ca琀椀ons, phishing a琀琀empts
• MDM can enable or disable SMS/MMS
– Or only allow during certain 琀椀meframes or loca琀椀ons
External media
• Store data onto external or removable drives
– SD 昀氀ash memory or USB/lightning drives
• Transfer data from 昀氀ash
– Connect to a computer to retrieve
• This is very easy to do
– Limit data wri琀琀en to removable drives
– Or prevent the use of them from the MDM
USB OTG
• USB On-The-Go - Connect devices directly together
– No computer required, only a cable
• The mobile device can be both a host and a device
– Read from an external device, then act as
a storage device itself
– No need for a third-party storage device
• A USB 2.0 standard - Commonly seen on Android devices
• Extremely convenient
– From a security perspec琀椀ve, it’s too convenient
Recording microphone
• Audio recordings
– There are microphones on every mobile device
• Useful for mee琀椀ngs and note taking
– A standard for college classes
• A legal liability
– Every state has di昀昀erent laws
– Every situa琀椀on is di昀昀erent
• Disable or geo-fence - Manage from the MDM
Geotagging / GPS tagging
• Your phone knows where you are
– Loca琀椀on Services, GPS
• Adds your loca琀椀on to document metadata
– Longitude, la琀椀tude - Photos, videos, etc.
• Every document may contain geotagged informa琀椀on
– You can track a user quite easily
• This may cause security concerns
– Take picture, upload to social media
WiFi Direct/ad hoc
• We’re so used to access points
– SSID con昀椀gura琀椀ons
• The wireless standard includes an ad hoc mode
– Connect wireless devices directly
– Without an access point
• WiFi Direct simpli昀椀es the process
– Easily connect many devices together
– Common to see in home devices
• Simplicity can aid vulnerabili琀椀es
– Invisible access to important devices
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 84
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.5 - Mobile Device Enforcement (con琀椀nued)
Hotspot/tethering
• Turn your phone into a WiFi hotspot
– Your own personal wireless router
– Extend the cellular data network to all of your devices
• Dependent on phone type and provider
– May require addi琀椀onal charges and data costs
• May provide inadvertent access to an internal network
– Ensure proper security / passcode
Payment methods
• Send small amounts of data wirelessly over
a limited area (NFC)
– Built into your phone
– Payment systems, transporta琀椀on, in-person
informa琀椀on exchange
• A few di昀昀erent standards
– Apple Pay, Android Pay, Samsung Pay
• Bypassing primary authen琀椀ca琀椀on would allow payment
– Use proper security - or disable completely
3.5 - Mobile Deployment Models
BYOD
• Bring Your Own Device / Bring Your Own Technology
• Employee owns the device
– Need to meet the company’s requirements
• Di昀케cult to secure
– It’s both a home device and a work device
– How is data protected?
– What happens to the data when a device is
sold or traded in?
COPE
• Corporate owned, personally enabled
– Company buys the device
– Used as both a corporate device and a personal device
• Organiza琀椀on keeps full control of the device
– Similar to company-owned laptops and desktops
• Informa琀椀on is protected using corporate policies
– Informa琀椀on can be deleted at any 琀椀me
• CYOD - Choose Your Own Device
– Similar to COPE, but with the user’s choice of device
Corporate owned
• The company owns the device
– And controls the content on the device
• The device is not for personal use
– You’ll need to buy your own device for home
• Very speci昀椀c security requirements
– Not able to mix business with home use
VDI/VMI
• Virtual Desktop Infrastructure / Virtual Mobile
Infrastructure
– The apps are separated from the mobile device
– The data is separated from the mobile device
• Data is stored securely, centralized
• Physical device loss - Risk is minimized
• Centralized app development
– Write for a single VMI pla琀昀orm
• Applica琀椀ons are managed centrally
– No need to update all mobile devices
3.6 - Cloud Security Controls
HA across zones
• Availability zones (AZ)
– Isolated loca琀椀ons within a cloud region (geographical loca琀椀on)
– AZ commonly spans across mul琀椀ple regions
– Each AZ has independent power, HVAC, and networking
• Build applica琀椀ons to be highly available (HA)
– Run as ac琀椀ve/standby or ac琀椀ve/ac琀椀ve
– Applica琀椀on recognizes an outage and moves to the other AZ
• Use load balancers to provide seamless HA
– Users don’t experience any applica琀椀on issues
Resource policies
• Iden琀椀ty and access management (IAM)
– Who gets access, what they get access to
• Map job func琀椀ons to roles
– Combine users into groups
• Provide access to cloud resources
– Set granular policies - Group, IP address, date and 琀椀me
• Centralize user accounts, synchronize across all pla琀昀orms
© 2020 Messer Studios, LLC
Secrets management
• Cloud compu琀椀ng includes many secrets
– API keys, passwords, cer琀椀昀椀cates
• This can quickly become overwhelming
– Di昀케cult to manage and protect
• Authorize access to the secrets
– Limit access to the secret service
• Manage an access control policy
– Limit users to only necessary secrets
• Provide an audit trail
– Know exactly who accesses secrets and when
Integra琀椀on and audi琀椀ng
• Integrate security across mul琀椀ple pla琀昀orms
– Di昀昀erent opera琀椀ng systems and applica琀椀ons
• Consolidate log storage and repor琀椀ng
– Cloud-based Security Informa琀椀on and Event
Management (SIEM)
• Audi琀椀ng - Validate the security controls
– Verify compliance with 昀椀nancial and user data
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 85
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.6 - Securing Cloud Storage
Cloud storage
• Data is on a public cloud
– But may not be public data
• Access can be limited
– And protected
• Data may be required in di昀昀erent geographical loca琀椀ons
– A backup is always required
• Availability is always important
– Data is available as the cloud changes?
Permissions
• A signi昀椀cant cloud storage concern
– One permission mistake can cause a data breach
– Accenture, Uber, US Department of Defense
• Public access
– Should not usually be the default
• Many di昀昀erent op琀椀ons
– Iden琀椀fy and Access Management (IAM)
– Bucket policies
– Globally blocking public access
– Don’t put data in the cloud unless it really
needs to be there
Encryp琀椀on
• Cloud data is more accessible than non-cloud data
– More access by more people
• Server-side encryp琀椀on
– Encrypt the data in the cloud
– Data is encrypted when stored on disk
• Client-side encryp琀椀on
– Data is already encrypted when it’s sent to the cloud
– Performed by the applica琀椀on
• Key management is cri琀椀cal
Replica琀椀on
• Copy data from one place to another
– Real-琀椀me data duplica琀椀on in mul琀椀ple loca琀椀ons
• Disaster recovery, high availability
– Plan for problems
– Maintain up琀椀me if an outage occurs
– Hot site for disaster recovery
• Data analysis
– Analy琀椀cs, big data analysis
• Backups
– Constant duplica琀椀on of data
3.6 - Securing Cloud Networks
Cloud Networks
• Connect cloud components
– Connec琀椀vity within the cloud
– Connec琀椀vity from outside the cloud
• Users communicate to the cloud
– From the public Internet
– Over a VPN tunnel
• Cloud devices communicate between each other
– Cloud-based network
– East/west and north/south communica琀椀on
– No external tra昀케c 昀氀ows
Virtual networks
• A cloud contains virtual devices
– Servers, databases, storage devices
• Virtual switches, virtual routers
– Build the network from the cloud console
– The same con昀椀gura琀椀ons as a physical device
• The network changes with the rest of the infrastructure
– On-demand
– Rapid elas琀椀city
Public and private subnets
• Private cloud
– All internal IP addresses
– Connect to the private cloud over a VPN
– No access from the Internet
© 2020 Messer Studios, LLC
• Public cloud
– External IP addresses
– Connect to the cloud from anywhere
• Hybrid cloud
– Combine internal cloud resources with external
– May combine both public and private subnets
Segmenta琀椀on
• The cloud contains separate VPCs, containers,
and microservices
– Applica琀椀on segmenta琀椀on is almost guaranteed
• Separa琀椀on is a security opportunity
– Data is separate from the applica琀椀on
– Add security systems between applica琀椀on
components
• Virtualized security technologies
– Web Applica琀椀on Firewall (WAF)
– Next-Genera琀椀on Firewall (NGFW)
• Intrusion Preven琀椀on System (IPS)
API inspec琀椀on and integra琀椀on
• Microservice architecture is the
underlying applica琀椀on engine
– A signi昀椀cant security concern
• API calls can include risk
– A琀琀empts to access cri琀椀cal data
– Geographic origin
– Unusual API calls
• API monitoring
– View speci昀椀c API queries
– Monitor incoming and outgoing data
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 86
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.6 - Securing Compute Clouds
Compute cloud instances
• The IaaS component for the cloud compu琀椀ng
environment
– Amazon Elas琀椀c Compute Cloud (EC2)
– Google Compute Engine (GCE)
– Microso昀琀 Azure Virtual Machines
• Manage compu琀椀ng resources
– Launch a VM or container
– Allocate addi琀椀onal resources
– Disable/remove a VM or container
Security groups
• A 昀椀rewall for compute instances
– Control inbound and outbound tra昀케c 昀氀ows
• Layer 4 port number
– TCP or UDP port
• Layer 3 address
– Individual addresses
– CIDR block nota琀椀on
– IPv4 or IPv6
Dynamic resource alloca琀椀on
• Provision resources when they are needed
– Based on demand - Provisioned automa琀椀cally
• Scale up and down
– Allocate compute resources where and
when they are needed
– Rapid elas琀椀city
– Pay for only what’s used
• Ongoing monitoring
– If CPU u琀椀liza琀椀on hits a par琀椀cular threshold, provision
a new applica琀椀on instance
Instance awareness
• Granular security controls
– Iden琀椀fy and manage very speci昀椀c data 昀氀ows
– Each instance of a data 昀氀ow is di昀昀erent
• De昀椀ne and set policies
– Allow uploads to the corporate box.com 昀椀le share
• Corporate 昀椀le shares can contain PII
• Any department can upload to the
corporate 昀椀le share
– Deny certain uploads to a personal box.com 昀椀le share
• Allow graphics 昀椀les
• Deny any spreadsheet
• Deny 昀椀les containing credit card numbers
• Quaran琀椀ne the 昀椀le and send an alert
Virtual private cloud endpoints
• Microservice architecture is the
VPC gateway endpoints
– Allow private cloud subnets to communicate to other
cloud services
• Keep private resources private
– Internet connec琀椀vity not required
• Add an endpoint to connect VPC resources
Container security
• Containers have similar security concerns as any other
applica琀椀on deployment method
– Bugs, insu昀케cient security controls, miscon昀椀gura琀椀ons
• Use container-speci昀椀c opera琀椀ng systems
– A minimalist OS designed for containers
• Group container types on the same host
– The same purpose, sensi琀椀vity, and threat posture
– Limit the scope of any intrusion
3.6 - Cloud Security Solu琀椀ons
Cloud access security broker (CASB)
• Clients are at work, data is in the cloud
– How do you keep everything secure?
– The organiza琀椀on already has well-de昀椀ned
security policies
• How do you make your security policies
work in the cloud?
– Integrate a CASB
– Implemented as client so昀琀ware, local security
appliances, or cloud-based security solu琀椀ons
• Visibility
– Determine what apps are in use
– Are they authorized to use the apps?
• Compliance
– Are users complying with HIPAA? PCI?
• Threat preven琀椀on
– Allow access by authorized users, prevent a琀琀acks
• Data security
– Ensure that all data transfers are encrypted
– Protect the transfer of PII with DLP
© 2020 Messer Studios, LLC
Applica琀椀on security
• Secure cloud-based applica琀椀ons
– Complexity increases in the cloud
• Applica琀椀on miscon昀椀gura琀椀ons
– One of the most common security issues
– Especially cloud storage
• Authoriza琀椀on and access
– Controls should be strong enough for access
from anywhere
• API security - A琀琀ackers will try to exploit interfaces and APIs
Next-Gen Secure Web Gateway (SWG)
• Protect users and devices
– Regardless of loca琀椀on and ac琀椀vity
• Go beyond URLs and GET requests
– Examine the applica琀椀on API
– Dropbox for personal use or corporate use?
• Examine JSON strings and API requests
– Allow or disallow certain ac琀椀vi琀椀es
• Instance-aware security
– A development instance is di昀昀erent than produc琀椀on
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 87
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.6 - Cloud Security Solu琀椀ons (con琀椀nued)
Firewalls in the cloud
• Control tra昀케c 昀氀ows in the cloud
– Inside the cloud and external 昀氀ows
• Cost
– Rela琀椀vely inexpensive compared to appliances
– Virtual 昀椀rewalls
– Host-based 昀椀rewalls
• Segmenta琀椀on
– Between microservices, VMs, or VPCs
• OSI layers
– Layer 4 (TCP/UDP), Layer 7 (Applica琀椀on)
Security controls
• Cloud-na琀椀ve security controls
– Integrated and supported by the cloud provider
– Many con昀椀gura琀椀on op琀椀ons
– Security is part of the infrastructure
– No addi琀椀onal costs
• Third-party solu琀椀ons
– Support across mul琀椀ple cloud providers
– Single pane of glass
– Extend policies outside the scope of the cloud provider
– More extensive repor琀椀ng
3.7 - Iden琀椀ty Controls
Iden琀椀ty provider (IdP)
• Who are you?
– A service needs to vouch for you
– Authen琀椀ca琀椀on as a Service
• A list of en琀椀琀椀es
– Users and devices
• Commonly used by SSO applica琀椀ons or an
authen琀椀ca琀椀on process
– Cloud-based services need to know who you are
• Uses standard authen琀椀ca琀椀on methods
– SAML, OAuth, OpenID Connect, etc.
A琀琀ributes
• An iden琀椀昀椀er or property of an en琀椀ty
– Provides iden琀椀昀椀ca琀椀on
• Personal a琀琀ributes
– Name, email address, phone number, Employee ID
• Other a琀琀ributes
– Department name, job 琀椀tle, mail stop
• One or more a琀琀ributes can be used for iden琀椀昀椀ca琀椀on
– Combine them for more detail
Cer琀椀昀椀cates
• Digital cer琀椀昀椀cate - Assigned to a person or device
• Binds the iden琀椀ty of the cer琀椀昀椀cate owner to a
public and private key
– Encrypt data, create digital signatures
3.7 - Account Types
User accounts
• An account on a computer associated with a
speci昀椀c person
– The computer associates the user with a speci昀椀c
iden琀椀昀椀ca琀椀on number
• Storage and 昀椀les can be private to that user
– Even if another person is using the same
computer
• No privileged access to the opera琀椀ng system
– Speci昀椀cally not allowed on a user account
• This is the account type most people will use
– Your user community
© 2020 Messer Studios, LLC
• Requires an exis琀椀ng public-key infrastructure (PKI)
– The Cer琀椀昀椀cate Authority (CA) is the trusted en琀椀ty
– The CA digitally signs the cer琀椀昀椀cates
Tokens and cards
• Smart card
– Integrates with devices - may require a PIN
• USB token - Cer琀椀昀椀cate is on the USB device
• Hardware or so昀琀ware tokens
– Generates pseudo-random authen琀椀ca琀椀on codes
• Your phone - SMS a code to your phone
SSH keys
• Secure Shell (SSH) - Secure terminal communica琀椀on
• Use a key instead of username and password
– Public/private keys - Cri琀椀cal for automa琀椀on
• Key management is cri琀椀cal
– Centralize, control, and audit key use
• SSH key managers - Open source, Commercial
SSH key-based authen琀椀ca琀椀on
• Create a public/private key pair
– ssh-keygen
• Copy the public key to the SSH server
– ssh-copy-id user@host
• Try it out
– ssh user@host
– No password prompt!
Shared and generic accounts
• Shared account
– Used by more than one person
– Guest login, anonymous login
• Very di昀케cult to create an audit trail
– No way to know exactly who was working
– Di昀케cult to determine the proper privileges
• Password management becomes di昀케cult
– Password changes require no琀椀fying everyone
– Di昀케cult to remember so many password changes
– Just write it down on this yellow s琀椀cky paper
• Best prac琀椀ce: Don’t use these accounts
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 88
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.7 - Account Types (con琀椀nued)
Guest accounts
• Access to a computer for guests
– No access to change se琀�ngs, modify applica琀椀ons,
view other user’s 昀椀les, and more
– Usually no password
• This brings signi昀椀cant security challenges
– Access to the userspace is one step closer to an exploit
• Must be controlled
– Not the default - Removed from Windows 10 build 10159
Service accounts
• Used exclusively by services running on a computer
– No interac琀椀ve/user access (ideally)
– Web server, database server, etc.
• Access can be de昀椀ned for a speci昀椀c service
– Web server rights and permissions will be di昀昀erent than
a database server
• Commonly use usernames and passwords
– You’ll need to determine the best policy for
password updates
Privileged accounts
• Elevated access to one or more systems
– Administrator, Root
• Complete access to the system
– O昀琀en used to manage hardware, drivers, and
so昀琀ware installa琀椀on
• This account should not be used for normal
administra琀椀on
– User accounts should be used
• Needs to be highly secured
– Strong passwords, 2FA
– Scheduled password changes
3.7 - Account Policies
Account policies
• Control access to an account
– It’s more than just username and password
– Determine what policies are best for an organiza琀椀on
• The authen琀椀ca琀椀on process
– Password policies, authen琀椀ca琀椀on factor policies,
other considera琀椀ons
• Permissions a昀琀er login - Another line of defense
Perform rou琀椀ne audits
• Is everything following the policy?
– You have to police yourself
• It’s amazing how quickly things can change
– Make sure the rou琀椀ne is scheduled
• Certain ac琀椀ons can be automa琀椀cally iden琀椀昀椀ed
– Consider a tool for log analysis
Audi琀椀ng
• Permission audi琀椀ng
– Does everyone have the correct permissions?
– Some Administrators don’t need to be there
– Scheduled recer琀椀昀椀ca琀椀on
• Usage audi琀椀ng - How are your resources used?
– Are your systems and applica琀椀ons secure?
Password complexity and length
• Make your password strong - Resist brute-force a琀琀ack
• Increase password entropy
– No single words, no obvious passwords
• What’s the name of your dog?
– Mix upper and lower case and use special characters
• Don’t replace a o with a 0, t with a 7
• Stronger passwords are at least 8 characters
– Consider a phrase or set of words
• Prevent password reuse
– System remembers password history, requires
unique passwords
© 2020 Messer Studios, LLC
Account lockout and disablement
• Too many incorrect passwords will cause a lockout
– Prevents online brute force a琀琀acks
– This should be normal for most user accounts
– This can cause big issues for service accounts
• You might want this
• Disabling accounts
– Part of the normal change process
– You don’t want to delete accounts
• At least not ini琀椀ally
• May contain important decryp琀椀on keys
Loca琀椀on-based policies
• Network loca琀椀on
– Iden琀椀fy based on IP subnet
– Can be di昀케cult with mobile devices
• Geoloca琀椀on - determine a user’s loca琀椀on
– GPS - mobile devices, very accurate
– 802.11 wireless, less accurate
– IP address, not very accurate
• Geofencing
– Automa琀椀cally allow or restrict access when the
user is in a par琀椀cular loca琀椀on
– Don’t allow this app to run unless you’re near the
o昀케ce
• Geotagging
– Add loca琀椀on metadata to a document or 昀椀le
– La琀椀tude and longitude, distance, 琀椀me stamps
• Loca琀椀on-based access rules
– Your IP address is associated with an IP block in Russia
– We don’t have an o昀케ce in Russia
– You were in Colorado Springs an hour ago
– Permission not granted
• Time-based access rules
– Nobody needs to access the lab at 3 AM
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 89
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.8 - Authen琀椀ca琀椀on Management
• Versa琀椀le memory
– Storage keys, hardware con昀椀gura琀椀on informa琀椀on
• Password protected
– No dic琀椀onary a琀琀acks
Hardware Security Module (HSM)
• High-end cryptographic hardware
– Plug-in card or separate hardware device
• Key backup
– Secured storage
• Cryptographic accelerators
– O昀툀oad that CPU overhead from other devices
• Used in large environments
– Clusters, redundant powers
Knowledge-based authen琀椀ca琀椀on (KBA)
• Use personal knowledge as an authen琀椀ca琀椀on factor
– Something you know
• Sta琀椀c KBA
– Pre-con昀椀gured shared secrets
– O昀琀en used with account recovery
– What was the make and model of your 昀椀rst car?
• Dynamic KBA
– Ques琀椀ons are based on an iden琀椀ty veri昀椀ca琀椀on service
– What was your street number when you lived in
Pembroke Pines, Florida?
Password keys
• Hardware-based authen琀椀ca琀椀on
– Something you have
• Helps prevent unauthorized logins and
account takeovers
– The key must be present to login
• Doesn’t replace other factors
– Passwords are s琀椀ll important
Password vaults
• Password managers
– All passwords in one loca琀椀on
– A database of creden琀椀als
• Secure storage
– All creden琀椀als are encrypted
– Cloud-based synchroniza琀椀on op琀椀ons
• Create unique passwords
– Passwords are not the same across sites
• Personal and enterprise op琀椀ons
– Corporate access
Trusted Pla琀昀orm Module (TPM)
• A speci昀椀ca琀椀on for cryptographic func琀椀ons
– Hardware to help with all of this encryp琀椀on stu昀昀
• Cryptographic processor
– Random number generator, key generators
• Persistent memory
– Comes with unique keys burned in
during produc琀椀on
3.8 - PAP and CHAP
PAP (Password Authen琀椀ca琀椀on Protocol)
• A basic authen琀椀ca琀椀on method
– Used in legacy opera琀椀ng systems
– Rare to see singularly used
• PAP is in the clear
– Weak authen琀椀ca琀椀on scheme
– Non-encrypted password exchange
– We didn’t require encryp琀椀on on analog dialup lines
– The applica琀椀on would need to provide any encryp琀椀on
CHAP
• Challenge-Handshake Authen琀椀ca琀椀on Protocol
– Encrypted challenge sent over the network
• Three-way handshake
– A昀琀er link is established, server sends a challenge
– Client responds with a password hash calculated
from the challenge and the password
– Server compares received hash with stored hash
• Challenge-Response con琀椀nues
– Occurs periodically during the connec琀椀on
– User never knows it happens
PAP (Password Authen琀椀ca琀椀on Protocol) - Authen琀椀ca琀椀on process
Username is james, password is password111
Username: james
Password: password111
That’s great! You’re in.
PAP
Server
Client
© 2020 Messer Studios, LLC
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 90
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.8 - PAP and CHAP (con琀椀nued)
• Security issues related to the use of DES
– Rela琀椀vely easy to brute force the 256 possible keys to
decrypt the NTLM hash
– Don’t use MS-CHAP!
– Consider L2TP, IPsec, 802.1X or some other secure
authen琀椀ca琀椀on method
MS-CHAP
• Microso昀琀’s implementa琀椀on of CHAP
– Used commonly on Microso昀琀’s
– Point-to-Point Tunneling Protocol (PPTP)
– MS-CHAP v2 is the more recent version
request is
1 Login
sent to the server
looks up the credenRals
2 Server
and sends a challenge to the user
I’d like to login, username is james
Here’s your challenge message:
15472a309fe22789efa522d45c7af9ad
password111 +
15472a309fe22789efa522d45c7af9ad
Challenge response:
db3fc40e6439d4d972870252ccc11f99
Username: james
Password: password111
Client
Challenge response:
db3fc40e6439d4d972870252ccc11f99
password111 +
15472a309fe22789efa522d45c7af9ad
CHAP
Server
Expected challenge response:
db3fc40e6439d4d972870252ccc11f99
compares the user’s response
4 Server
with a locally created response
combines the password and
3 User
challenge to create a response
3.8 - Iden琀椀ty and Access Services
RADIUS (Remote Authen琀椀ca琀椀on Dial-in User Service)
• One of the more common AAA protocols
– Supported on a wide variety of pla琀昀orms and devices
– Not just for dial-in
• Centralize authen琀椀ca琀椀on for users
– Routers, switches, 昀椀rewalls, server authen琀椀ca琀椀on,
remote VPN access, 802.1X network access
• RADIUS services available on almost any server OS
TACACS
• Terminal Access Controller
– Access-Control System
– Remote authen琀椀ca琀椀on protocol
– Created to control access to dial-up lines to ARPANET
• XTACACS (Extended TACACS)
– A Cisco-created (proprietary) version of TACACS
– Addi琀椀onal support for accoun琀椀ng and audi琀椀ng
• TACACS+
– The latest version of TACACS, not backwards
compa琀椀ble
– More authen琀椀ca琀椀on requests and response codes
– Released as an open standard in 1993
Kerberos
• Network authen琀椀ca琀椀on protocol
– Authen琀椀cate once, trusted by the system
– No need to re-authen琀椀cate to everything
– Mutual authen琀椀ca琀椀on - the client and the server
– Protect against on-path or replay a琀琀acks
• Standard since the 1980s
– Developed by the Massachuse琀琀s Ins琀椀tute of
Technology (MIT)
• Microso昀琀 star琀椀ng using Kerberos in Windows 2000
– Based on Kerberos 5.0 open standard
– Compa琀椀ble with other opera琀椀ng systems and devices
© 2020 Messer Studios, LLC
SSO with Kerberos
• Authen琀椀cate one 琀椀me
– Lots of backend 琀椀cke琀椀ng
– Cryptographic 琀椀ckets
• No constant username and password input!
– Save 琀椀me
• Only works with Kerberos
– Not everything is Kerberos-friendly
• There are many other SSO methods
– Smart-cards, SAML, etc.
RADIUS, TACACS+, or Kerberos?
• Three di昀昀erent ways to communicate to an
authen琀椀ca琀椀on server
– More than a simple login process
• O昀琀en determined by what is at hand
– VPN concentrator can talk to a RADIUS server
– We have a RADIUS server
• TACACS+
– Probably a Cisco device
• Kerberos
– Probably a Microso昀琀 network
IEEE 802.1X
• IEEE 802.1X
– Port-based Network Access Control (NAC)
– You don’t get access to the network un琀椀l you
authen琀椀cate
• EAP integrates with 802.1X
– Extensible Authen琀椀ca琀椀on Protocol
– 802.1X prevents access to the network un琀椀l the
authen琀椀ca琀椀on succeeds
• Used in conjunc琀椀on with an access database
– RADIUS, LDAP, TACACS+
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 91
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.8 - Federated Iden琀椀琀椀es
Federa琀椀on
• Provide network access to others
– Not just employees - Partners, suppliers, customers, etc.
– Provides SSO and more
• Third-par琀椀es can establish a federated network
– Authen琀椀cate and authorize between the two
organiza琀椀ons
– Login with your Facebook creden琀椀als
• The third-par琀椀es must establish a trust rela琀椀onship
– And the degree of the trust
Security Asser琀椀on Markup Language (SAML)
• Open standard for authen琀椀ca琀椀on and authoriza琀椀on
– You can authen琀椀cate through a third-party to gain access
– One standard does it all, sort of
• Not originally designed for mobile apps
– This has been SAML’s largest roadblock
OAuth
• Authoriza琀椀on framework
– Determines what resources a user will be
able to access
• Created by Twi琀琀er, Google, and many others
– Signi昀椀cant industry support
• Not an authen琀椀ca琀椀on protocol
– OpenID Connect handles the single sign-on
authen琀椀ca琀椀on
– OAuth provides authoriza琀椀on
between applica琀椀ons
• Rela琀椀vely popular
– Used by Twi琀琀er, Google, Facebook,
– LinkedIn, and more
3.8 - Access Control
Access control
• Authoriza琀椀on
– The process of ensuring only authorized
rights are exercised
• Policy enforcement
– The process of determining rights
• Policy de昀椀ni琀椀on
• Users receive rights based on
– Access Control models
– Di昀昀erent business needs or mission requirements
Mandatory Access Control (MAC)
• The opera琀椀ng system limits the opera琀椀on on an object
– Based on security clearance levels
• Every object gets a label
– Con昀椀den琀椀al, secret, top secret, etc.
• Labeling of objects uses prede昀椀ned rules
– The administrator decides who gets access to
what security level
– Users cannot change these se琀�ngs
Discre琀椀onary Access Control (DAC)
• Used in most opera琀椀ng systems
– A familiar access control model
• You create a spreadsheet
– As the owner, you control who has access
– You can modify access at any 琀椀me
• Very 昀氀exible access control
– And very weak security
Role-based access control (RBAC)
• You have a role in your organiza琀椀on
– Manager, director, team lead, project manager
• Administrators provide access based on the role
of the user
– Rights are gained implicitly instead of explicitly
© 2020 Messer Studios, LLC
• In Windows, use Groups to provide role-based
access control
– You are in shipping and receiving, so you can
use the shipping so昀琀ware
– You are the manager, so you can review shipping logs
A琀琀ribute-based access control (ABAC)
• Users can have complex rela琀椀onships to
applica琀椀ons and data
– Access may be based on many di昀昀erent criteria
• ABAC can consider many parameters
– A “next genera琀椀on” authoriza琀椀on model
– Aware of context
• Combine and evaluate mul琀椀ple parameters
– Resource informa琀椀on, IP address, 琀椀me of day, desired
ac琀椀on, rela琀椀onship to the data, etc.
Rule-based access control
• Generic term for following rules
– Condi琀椀ons other than who you are
• Access is determined through system-enforced rules
– System administrators, not users
• The rule is associated with the object
– System checks the ACLs for that object
• Rule examples
– Lab network access is only available between 9 and 5
– Only Chrome browsers may complete this web form
File system security
• Store 昀椀les and access them
– Hard drive, SSDs, 昀氀ash drives, DVDs, part of most OSs
• Accessing informa琀椀on
– Access control list
– Group/user rights and permissions
– Can be centrally administered and/or users can
manage 昀椀les they own
• The 昀椀le system handles encryp琀椀on and decryp琀椀on
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 92
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.8 - Access Control (con琀椀nued)
Condi琀椀onal access
• Di昀케cult to apply old methods of authen琀椀ca琀椀on to new
methods of working
– Mobile workforce, many di昀昀erent devices,
constantly changing cloud
• Condi琀椀ons
– Employee or partner, loca琀椀on, type of
applica琀椀on accessed, device
• Controls
– Allow or block, require MFA, provide limited access,
require password reset
• Administrators can build complex access rules
– Complete control over data access
Privileged access management (PAM)
• Managing superuser access
– Administrator and Root
– You don’t want this in the wrong hands
• Store privileged accounts in a digital vault
– Access is only granted from the vault by request
– These privileges are temporary
• PAM advantages
– Centralized password management
– Enables automa琀椀on
– Manage access for each user
– Extensive tracking and audi琀椀ng
3.9 - Public Key Infrastructure
Public Key Infrastructure (PKI)
• Policies, procedures, hardware, so昀琀ware, people
– Digital cer琀椀昀椀cates: create, distribute, manage,
store, revoke
• This is a big, big, endeavor
– Lots of planning
• Also refers to the binding of public keys to people
or devices
– The cer琀椀昀椀cate authority
– It’s all about trust
The key management lifecycle
• Key genera琀椀on
– Create a key with the requested strength using
the proper cipher
• Cer琀椀昀椀cate genera琀椀on
– Allocate a key to a user
• Distribu琀椀on
– Make the key available to the user
• Storage
– Securely store and protect against unauthorized use
• Revoca琀椀on
– Manage keys that have been compromised
• Expira琀椀on
– A cer琀椀昀椀cate may only have a certain “shelf life”
Digital cer琀椀昀椀cates
• A public key cer琀椀昀椀cate
– Binds a public key with a digital signature
– And other details about the key holder
• A digital signature adds trust
– PKI uses Cer琀椀昀椀cate Authority for addi琀椀onal trust
– Web of Trust adds other users for addi琀椀onal trust
• Cer琀椀昀椀cate crea琀椀on can be built into the OS
– Part of Windows Domain services
– 3rd-party Linux op琀椀ons
© 2020 Messer Studios, LLC
Commercial cer琀椀昀椀cate authori琀椀es
• Built-in to your browser
– Any browser
• Purchase your web site cer琀椀昀椀cate
– It will be trusted by everyone’s browser
• Create a key pair, send the public key to the CA
to be signed
– A cer琀椀昀椀cate signing request (CSR)
• May provide di昀昀erent levels of trust and
addi琀椀onal features
– Add a new “tag” to your web site
Private cer琀椀昀椀cate authori琀椀es
• You are your own CA
– Build it in-house
– Your devices must trust the internal CA
• Needed for medium-to-large organiza琀椀ons
– Many web servers and privacy requirements
• Implement as part of your overall compu琀椀ng strategy
– Windows Cer琀椀昀椀cate Services, OpenCA
PKI trust rela琀椀onships
• Single CA
– Everyone receives their cer琀椀昀椀cates from one authority
• Hierarchical
– Single CA issues certs to intermediate CAs
– Distributes the cer琀椀昀椀cate management load
– Easier to deal with the revoca琀椀on of an intermediate
CA than the root CA
Registra琀椀on authority (RA)
• The en琀椀ty reques琀椀ng the cer琀椀昀椀cate needs to be veri昀椀ed
– The RA iden琀椀昀椀es and authen琀椀cates the requester
• Approval or rejec琀椀on
– The founda琀椀on of trust in this model
• Also responsible for revoca琀椀ons
– Administra琀椀vely revoked or by request
• Manages renewals and re-key requests
– Maintains cer琀椀昀椀cates for current cert holders
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 93
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.9 - Public Key Infrastructure (con琀椀nued)
Important cer琀椀昀椀cate a琀琀ributes
• Common Name (CN)
– The FQDN (Fully Quali昀椀ed
– Domain Name) for the cer琀椀昀椀cate
• Subject alterna琀椀ve name
– Addi琀椀onal host names for the cert
– Common on web servers
– professormesser.com and www.professormesser.com
• Expira琀椀on
– Limit exposure to compromise
– 398 day browser limit (13 months)
Key revoca琀椀on
• Cer琀椀昀椀cate Revoca琀椀on List (CRL)
– Maintained by the Cer琀椀昀椀cate Authority (CA)
• Many di昀昀erent reasons
– Changes all the 琀椀me
• April 2014 - CVE-2014-0160
– Heartbleed
– OpenSSL 昀氀aw put the private key of a昀昀ected
web servers at risk
– OpenSSL was patched, every web server
cer琀椀昀椀cate was replaced
– Older cer琀椀昀椀cates were moved to the CRL
Ge琀�ng revoca琀椀on details to the browser
• OCSP (Online Cer琀椀昀椀cate Status Protocol)
– The browser can check cer琀椀昀椀cate revoca琀椀on
• Messages usually sent to an OCSP responder via HTTP
– Easy to support over Internet links
• Not all browsers/apps support OCSP
– Early Internet Explorer versions did not
support OCSP
– Some support OCSP, but don’t bother checking
3.9 - Cer琀椀昀椀cates
Web server SSL cer琀椀昀椀cates
• Domain valida琀椀on cer琀椀昀椀cate (DV)
– Owner of the cer琀椀昀椀cate has some control over
a DNS domain
• Extended valida琀椀on cer琀椀昀椀cate (EV)
– Addi琀椀onal checks have veri昀椀ed the cer琀椀昀椀cate
owner’s iden琀椀ty
– Browsers used to show a green name on the
address bar
– Promo琀椀ng the use of SSL is now outdated
• Subject Alterna琀椀ve Name (SAN)
– Extension to an X.509 cer琀椀昀椀cate
– Lists addi琀椀onal iden琀椀昀椀ca琀椀on informa琀椀on
– Allows a cer琀椀昀椀cate to support many
di昀昀erent domains
• Wildcard domain
– Cer琀椀昀椀cates are based on the name of the server
– A wildcard domain will apply to all server names
in a domain
– *.professormesser.com
Code signing cer琀椀昀椀cate
• Developers can provide a level of trust
– Applica琀椀ons can be signed by the developer
• The user’s opera琀椀ng system will examine
the signature
– Checks the developer signature
– Validates that the so昀琀ware has not been modi昀椀ed
• Is it from a trusted en琀椀ty?
– The user will have the opportunity to stop the
applica琀椀on execu琀椀on
© 2020 Messer Studios, LLC
Root cer琀椀昀椀cate
• The public key cer琀椀昀椀cate that iden琀椀昀椀es the root CA
(Cer琀椀昀椀cate Authority)
– Everything starts with this cer琀椀昀椀cate
• The root cer琀椀昀椀cate issues other cer琀椀昀椀cates
– Intermediate CA cer琀椀昀椀cates
– Any other cer琀椀昀椀cates
• This is a very important cer琀椀昀椀cate
– Take all security precau琀椀ons
– Access to the root cer琀椀昀椀cate allows for the
crea琀椀on of any trusted cer琀椀昀椀cate
Self-signed cer琀椀昀椀cates
• Internal cer琀椀昀椀cates don’t need to be signed by
a public CA
– Your company is the only one going to use it
– No need to purchase trust for devices that already
trust you
• Build your own CA
– Issue your own cer琀椀昀椀cates signed by your own CA
• Install the CA cer琀椀昀椀cate/trusted chain on all devices
– They’ll now trust any cer琀椀昀椀cates signed by
your internal CA
– Works exactly like a cer琀椀昀椀cate you purchased
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 94
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.9 - Cer琀椀昀椀cates (con琀椀nued)
Machine and computer cer琀椀昀椀cates
• You have to manage many devices
– O昀琀en devices that you’ll never physically see
• How can you truly authen琀椀cate a device?
– Put a cer琀椀昀椀cate on the device that you signed
• Other business processes rely on the cer琀椀昀椀cate
– Access to the remote access
– VPN from authorized devices
– Management so昀琀ware can validate the end device
Email cer琀椀昀椀cates
• Use cryptography in an email pla琀昀orm
– You’ll need public key cryptography
• Encryp琀椀ng emails
– Use a recipient’s public key to encrypt
• Receiving encrypted emails
– Use your private key to decrypt
• Digital signatures
– Use your private key to digitally sign an email
– Non-repudia琀椀on, integrity
User cer琀椀昀椀cates
• Associate a cer琀椀昀椀cate with a user
– A powerful electronic “id card”
• Use as an addi琀椀onal authen琀椀ca琀椀on factor
– Limit access without the cer琀椀昀椀cate
• Integrate onto smart cards
– Use as both a physical and digital access card
3.9 - Cer琀椀昀椀cate Formats
Cer琀椀昀椀cate 昀椀le formats
• X.509 digital cer琀椀昀椀cates
– The structure of the cer琀椀昀椀ca琀椀on is standardized
– The format of the actual cer琀椀昀椀cate 昀椀le can take
many di昀昀erent forms
• There are many cer琀椀昀椀cate 昀椀le formats
– You can convert between many of the formats
– Use openssl or a similar applica琀椀on to view the
cer琀椀昀椀cate contents
DER (Dis琀椀nguished Encoding Rules)
• Format designed to transfer syntax for data structures
– A very speci昀椀c encoding format
– Perfect for an X.509 cer琀椀昀椀cate
• Binary format
– Not human-readable
• A common format
– Used across many pla琀昀orms
– O昀琀en used with Java cer琀椀昀椀cates
PEM (Privacy-Enhanced Mail)
• A very common format
– BASE64 encoded DER cer琀椀昀椀cate
– Generally the format provided by CAs
– Supported on many di昀昀erent pla琀昀orms
• ASCII format
– Le琀琀ers and numbers
– Easy to email, readable
PKCS #12
• Public Key Cryptography Standards #12
– Personal Informa琀椀on Exchange Syntax Standard
– Developed by RSA Security, now an RFC standard
© 2020 Messer Studios, LLC
• Container format for many cer琀椀昀椀cates
– Store many X.509 cer琀椀昀椀cates in a single
.p12 or .pfx 昀椀le
– O昀琀en used to transfer a private and public key pair
– The container can be password protected
• Extended from Microso昀琀’s .pfx format
– Personal Informa琀椀on Exchange (PFX)
– The two standards are very similar
– O昀琀en referenced interchangeably
CER (Cer琀椀昀椀cate)
• Primarily a Windows X.509 昀椀le extension
– Can be encoded as binary DER format or as the
ASCII PEM format
• Usually contains a public key
– Private keys would be transferred in the
.pfx 昀椀le format
• Common format for Windows cer琀椀昀椀cates
– Look for the .cer extension
PKCS #7
• Public Key Cryptography Standards #7
• Cryptographic Message Syntax Standard
– Associated with the .p7b 昀椀le
• Stored in ASCII format
– Human-readable
• Contains cer琀椀昀椀cates and chain cer琀椀昀椀cates
– Private keys are not included in a .p7b 昀椀le
• Wide pla琀昀orm support
– Microso昀琀 Windows
– Java Tomcat
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 95
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
3.9 - Cer琀椀昀椀cates (con琀椀nued)
Email cer琀椀昀椀cates
• Use cryptography in an email pla琀昀orm
– You’ll need public key cryptography
• Encryp琀椀ng emails
– Use a recipient’s public key to encrypt
• Receiving encrypted emails
– Use your private key to decrypt
• Digital signatures
– Use your private key to digitally sign an email
– Non-repudia琀椀on, integrity
User cer琀椀昀椀cates
• Associate a cer琀椀昀椀cate with a user
– A powerful electronic “id card”
• Use as an addi琀椀onal authen琀椀ca琀椀on factor
– Limit access without the cer琀椀昀椀cate
• Integrate onto smart cards
– Use as both a physical and digital access card
3.9 - Cer琀椀昀椀cate Concepts
Online and o昀툀ine CAs
• A compromised cer琀椀昀椀cate authority
– A very, very bad thing
– No cer琀椀昀椀cates issued by that CA can be trusted
• Distribute the load
– Then take the root CA o昀툀ine and protect it
OCSP stapling
• Online Cer琀椀昀椀cate Status Protocol
– Provides scalability for OCSP checks
• The CA is responsible for responding to all
client OCSP requests
– This does not scale well
• Instead, have the cer琀椀昀椀cate holder verify their own status
– Status informa琀椀on is stored on the cer琀椀昀椀cate holder’s server
• OCSP status is “stapled” into the SSL/TLS handshake
– Digitally signed by the CA
Pinning
• You’re communica琀椀ng over TLS/SSL to a server
– How do you really know it’s a legi琀椀mate server?
• “Pin” the expected cer琀椀昀椀cate or public key to an applica琀椀on
– Compiled in the app or added at 昀椀rst run
• If the expected cer琀椀昀椀cate or public key doesn’t match, the
applica琀椀on can decide what to do
– Shut down, show a message
PKI trust rela琀椀onships
• Single CA
– Everyone receives their cer琀椀昀椀cates from one authority
• Hierarchical
– Single CA issues certs to intermediate CAs
• Mesh
– Cross-cer琀椀fying CAs - Doesn’t scale well
• Web-of-trust
– Alterna琀椀ve to tradi琀椀onal PKI
• Mutual Authen琀椀ca琀椀on
– Server authen琀椀cates to the client and the client
authen琀椀cates to the server
© 2020 Messer Studios, LLC
Key escrow
• Someone else holds your decryp琀椀on keys
– Your private keys are in the hands
of a 3rd-party
• This can be a legi琀椀mate business arrangement
– A business might need access to employee
informa琀椀on
– Government agencies may need to decrypt
partner data
It’s all about the process
• Need clear process and procedures
– Keys are incredibly important pieces of
informa琀椀on
• You must be able to trust your 3rd-party
– Access to the keys is at the control of the
3rd-party
• Carefully controlled condi琀椀ons
– Legal proceedings and court orders
Cer琀椀昀椀cate chaining
• Chain of trust
– List all of the certs between the server
and the root CA
• The chain starts with the SSL cer琀椀昀椀cate
– And ends with the Root CA cer琀椀昀椀cate
• Any cer琀椀昀椀cate between the SSL cer琀椀昀椀cate
and the root cer琀椀昀椀cate is a chain cer琀椀昀椀cate
– Or intermediate cer琀椀昀椀cate
• The web server needs to be con昀椀gured with
the proper chain
– Or the end user may receive an error
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 96
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
4.1 - Reconnaissance Tools
traceroute
• Determine the route a packet takes to a des琀椀na琀椀on
– Map the en琀椀re path
• tracert (Windows) or traceroute (POSIX)
• Takes advantage of ICMP Time to Live Exceeded error
message
– The 琀椀me in TTL refers to hops, not seconds or minutes
– TTL=1 is the 昀椀rst router, TTL=2 is the second router,
etc.
• Not all devices will reply with
ICMP Time Exceeded messages
– Some 昀椀rewalls 昀椀lter ICMP
– ICMP is low-priority for many devices
nslookup and dig
• Lookup informa琀椀on from DNS servers
– Canonical names, IP addresses, cache 琀椀mers, etc.
• nslookup
-Both Windows and POSIX-based
– Lookup names and IP addresses
– Deprecated (use dig instead)
• dig or DiG (Domain Informa琀椀on Groper)
– More advanced domain informa琀椀on
– Probably your 昀椀rst choice
– Install in Windows: h琀琀ps://professormesser.link/
digwin
ipcon昀椀g and ifcon昀椀g
• Most of your troubleshoo琀椀ng starts with your IP address
– Ping your local router/gateway
• Determine TCP/IP and network adapter informa琀椀on
– And some addi琀椀onal IP details
• ipcon昀椀g – Windows TCP/IP con昀椀gura琀椀on
• ifcon昀椀g – Linux interface con昀椀gura琀椀on
Nmap
• Network mapper
– Find and learn more about network devices
• Port scan
– Find devices and iden琀椀fy open ports
• Opera琀椀ng system scan
– Discover the OS without logging in to a device
• Service scan
– What service is available on a device?
Name, version, details
• Addi琀椀onal scripts
– Nmap Scrip琀椀ng Engine (NSE)
• Extend capabili琀椀es, vulnerability scans
ping
• Test reachability
– Determine round-trip 琀椀me
– Uses Internet Control Message Protocol (ICMP)
• One of your primary troubleshoo琀椀ng tools
– Can you ping the host?
© 2020 Messer Studios, LLC
• Wri琀琀en by Mike Muuss in 1983
– The sound made by sonar
– Not an acronym for Packet INternet Groper
– A backronym
pathping
• Combine ping and traceroute
– Included with Windows NT and later
• First phase runs a traceroute
– Build a map
• Second phase
– Measure round trip 琀椀me and packet loss at each hop
hping
• TCP/IP packet assembler/analyzer
– A ping that can send almost anything
• Ping a device
– ICMP, TCP, UDP
– #hping3 --destport 80 10.1.10.1
• Send cra昀琀ed frames
– Modify all IP, TCP, UDP, and ICMP values
• A powerful tool
– It’s easy to accidentally 昀氀ood and DoS
– Be careful!
netstat
• Network sta琀椀s琀椀cs
– Many di昀昀erent opera琀椀ng systems
• netstat -a
– Show all ac琀椀ve connec琀椀ons
• netstat -b
– Show binaries
• netstat -n
– Do not resolve names
netcat
• “Read” or “write” to the network
– Open a port and send or receive some tra昀케c
• Many di昀昀erent func琀椀ons
– Listen on a port number
– Transfer data
– Scan ports and send data to a port
• Become a backdoor
– Run a shell from a remote device
• Other alterna琀椀ves and OSes - Ncat
IP scanners
• Search a network for IP addresses
– Locate ac琀椀ve devices
– Avoid doing work on an IP address that isn’t there
• Many di昀昀erent techniques
– ARP (if on the local subnet)
– ICMP requests (ping)
– TCP ACK
– ICMP 琀椀mestamp requests
• A response means more recon can be done
– Keep gathering informa琀椀on - Nmap, hping, etc.
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 97
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
4.1 - Reconnaissance Tools (con琀椀nued)
Address Resolu琀椀on Protocol
• Determine a MAC address based on an IP address
– You need the hardware address to communicate
• arp -a
– View local ARP table
route
• View the device’s rou琀椀ng table
– Find out which way the packets will go
• Windows: route print
• Linux and macOS: netstat -r
curl
• Client URL
– Retrieve data using a URL
– Uniform Resource Locator
– Web pages, FTP, emails, databases, etc.
• Grab the raw data
– Search
– Parse
– Automate
theHarvester
• Gather OSINT
– Open-Source Intelligence
• Scrape informa琀椀on from Google or Bing
– Find associated IP addresses
• List of people from LinkedIn
– Names and 琀椀tles
• Find PGP keys by email domain
– A list of email contacts
• DNS brute force
– Find those unknown hosts; vpn, chat, mail, partner, etc.
sn1per
• Combine many recon tools into a single framework
– dnsenum, metasploit, nmap, theHarvester, and much more
• Both non-intrusive and very intrusive scanning op琀椀ons
– You choose the volume
• Another tool that can cause problems
– Brute force, server scanning, etc
– Make sure you know what you’re doing
scanless
• Run port scans from a di昀昀erent host
– Port scan proxy
• Many di昀昀erent services
– Choose the op琀椀on for scan origina琀椀on
– Your IP is hidden as the scan source
dnsenum
• Enumerate DNS informa琀椀on
– Find host names
• View host informa琀椀on from DNS servers
– Many services and hosts are listed in DNS
• Find host names in Google
– More hosts can probably be found in the index
Nessus
• Industry leader in vulnerability scanning
– Extensive support
– Free and commercial op琀椀ons
• Iden琀椀fy known vulnerabili琀椀es
– Find systems before they can be exploited
• Extensive repor琀椀ng
– A checklist of issues
– Filter out the false posi琀椀ves
Cuckoo
• A sandbox for malware
– Test a 昀椀le in a safe environment
• A virtualized environment
– Windows, Linux, macOS, Android
• Track and trace
– API calls, network tra昀케c, memory analysis
– Tra昀케c captures
– Screenshots
4.1 - File Manipula琀椀on Tools
head
• View the 昀椀rst part of a 昀椀le
– The head, or beginning, of the 昀椀le
– head [OPTION] … [FILE] …
• Use -n to specify the number of lines
– head -n 5 syslog
tail
• View the last part of a 昀椀le
– The tail, or end, or the 昀椀le
– tail [OPTION] … [FILE] …
• Use -n to specify the number of lines
– tail -n 5 syslog
© 2020 Messer Studios, LLC
cat
• Concatenate
– Link together in a series
• Copy a 昀椀le/昀椀les to the screen
– cat 昀椀le1.txt 昀椀le2.txt
• Copy a 昀椀le/昀椀les to another 昀椀le
– cat 昀椀le1.txt 昀椀le2.txt > both.txt
grep
• Find text in a 昀椀le
– Search through many 昀椀les at a 琀椀me
• grep PATTERN [FILE]
– grep failed auth.log
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 98
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
4.1 - File Manipula琀椀on Tools (con琀椀nued)
chmod
• Change mode of a 昀椀le system object
– r=read, w=write, x=execute
– Can also use octal nota琀椀on
– Set for the 昀椀le owner (u), the group(g),
others(o), or all(a)
– chmod mode FILE
– chmod 744 script.sh
• chmod 744 昀椀rst.txt
– User; read, write execute
– Group; read only
– Other; read only
• chmod a-w 昀椀rst.txt
– All users, no wri琀椀ng to 昀椀rst.txt
• chmod u+x script.sh
– The owner of script.sh can execute the 昀椀le
logger
• Add entries to the system log
– syslog
• Adding to the local syslog 昀椀le
– logger “This information is added to syslog”
• Useful for including informa琀椀on in a local or remote syslog 昀椀le
– Include as part of an automa琀椀on script
– Log an important event
4.1 - Shell and Script Environments
SSH (Secure Shell)
• Encrypted console communica琀椀on - tcp/22
• Looks and acts the same as Telnet
Windows PowerShell
• Command line for system administrators
– .ps1 昀椀le extension
– Included with Windows 8/8.1 and 10
• Extend command-line func琀椀ons
– Uses cmdlets (command-lets)
– PowerShell scripts and func琀椀ons
– Standalone executables
• Automate and integrate
– System administra琀椀on
– Ac琀椀ve Domain administra琀椀on
Python
• General-purpose scrip琀椀ng language
– .py 昀椀le extension
• Popular in many technologies
– Broad appeal and support
OpenSSL
• A toolkit and crypto library for SSL/TLS
– Build cer琀椀昀椀cates, manage SSL/TLS communica琀椀on
• Create X.509 cer琀椀昀椀cates
– Manage cer琀椀昀椀cate signing requests (CSRs) and
cer琀椀昀椀cate revoca琀椀on lists (CRLs)
• Message digests
– Support for many hashing protocols
• Encryp琀椀on and Decryp琀椀on
– SSL/TLS for services
• Much more
4.1 - Packet Tools
Tcpreplay
• A suite of packet replay u琀椀li琀椀es
– Replay and edit packet captures
– Open source
• Test security devices
– Check IPS signatures and 昀椀rewall rules
• Test and tune IP Flow/NetFlow devices
– Send hundreds of thousands of tra昀케c 昀氀ows
per second
• Evaluate the performance of security devices
– Test throughput and 昀氀ows per second
tcpdump
• Capture packets from the command line
– Display packets on the screen
– Write packets to a 昀椀le
© 2020 Messer Studios, LLC
Wireshark
• Graphical packet analyzer
– Get into the details
• Gathers frames on the network
– Or in the air
• Some琀椀mes built into the device
– View tra昀케c pa琀琀erns
– Iden琀椀fy unknown tra昀케c
– Verify packet 昀椀ltering and security controls
• Extensive decodes
– View the applica琀椀on tra昀케c
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 99
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
4.1 - Forensic Tools
dd
• A reference to the DD command in
– IBM mainframe JCL (Job Control Language)
– Data De昀椀ni琀椀on (ASCII to EBCDIC converter)
• Create a bit-by-bit copy of a drive
– Used by many forensics tools
• Create a disk image
– dd if=/dev/sda of=/tmp/sda-image.img
• Restore from an image
– dd if=/tmp/sda-image.img of=/dev/sda
memdump
• Copy informa琀椀on in system memory to the standard
output stream
– Everything that happens is in memory
– Many third-party tools can read a memory dump
• Copy to another host across the network
– Use netcat, stunnel, openssl, etc.
Winhex
• A universal hexadecimal editor for Windows OS
• Edit disks, 昀椀les, RAM
– Includes data recovery features
• Disk cloning
– Drive replica琀椀on
• Secure wipe
– Hard drive cleaning
• Much more
– A full-featured forensics tool
FTK imager
• AccessData forensic drive imaging tool
– Includes 昀椀le u琀椀li琀椀es and read-only image moun琀椀ng
– Windows executable
• Widely supported in many forensics tools
– Third-party analysis
• Support for many di昀昀erent 昀椀le systems and full disk
encryp琀椀on methods
– Inves琀椀gator s琀椀ll needs the password
• Can also import other image formats
– dd, Ghost, Expert Witness, etc.
Autopsy
• Perform digital forensics of hard drives, smartphones
– View and recover data from storage devices
• Extract many di昀昀erent data types
– Downloaded 昀椀les
– Browser history and cache
– Email messages
– Databases
– Much more
Exploita琀椀on frameworks
• A pre-built toolkit for exploita琀椀ons
– Build custom a琀琀acks
– Add more tools as vulnerabili琀椀es are found
– Increasingly powerful u琀椀li琀椀es
• Metasploit
– A琀琀ack known vulnerabili琀椀es
• The Social-Engineer Toolkit (SET)
– Spear phishing, Infec琀椀ous media generator
Password crackers
• The keys to the kingdom
– Find the passwords
• Online cracking
– Try username/password combina琀椀ons
• O昀툀ine cracking
– Brute force a hash 昀椀le
• Limita琀椀ons
– Password complexity / strength (entropy)
– Hashing method and CPU power
– Graphics processors are useful hardware tools
Data sani琀椀za琀椀on
• Completely remove data
– No usable informa琀椀on remains
• Many di昀昀erent use cases
– Clean a hard drive for future use
– Permanently delete a single 昀椀le
• A one-way trip
– Once it’s gone, it’s really gone
– No recovery with forensics tools
4.2 - Incident Response Process
Security incidents
• User clicks an email a琀琀achment and executes malware
– Malware then communicates with external servers
• DDoS
– Botnet a琀琀ack
• Con昀椀den琀椀al informa琀椀on is stolen
– Thief wants money or it goes public
• User installs peer-to-peer so昀琀ware and allows external
access to internal servers
© 2020 Messer Studios, LLC
Roles and responsibili琀椀es
• Incident response team
– Specialized group, trained and tested
• IT security management
– Corporate support
• Compliance o昀케cers
– Intricate knowledge of compliance rules
• Technical sta昀昀
– Your team in the trenches
• User community
– They see everything
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 100
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
4.2 - Incident Response Process (con琀椀nued)
NIST SP800-61
• Na琀椀onal Ins琀椀tute of Standards and Technology
– NIST Special Publica琀椀on 800-61 Rev. 2
– Computer Security Incident
– Handling Guide
• The incident response lifecycle:
– Prepara琀椀on
– Detec琀椀on and Analysis
– Containment, Eradica琀椀on, and Recovery
– Post-incident Ac琀椀vity
Preparing for an incident
• Communica琀椀on methods
– Phones and contact informa琀椀on
• Incident handling hardware and so昀琀ware
– Laptops, removable media, forensic so昀琀ware,
digital cameras, etc.
• Incident analysis resources
– Documenta琀椀on, network diagrams, baselines,
cri琀椀cal 昀椀le hash values
• Incident mi琀椀ga琀椀on so昀琀ware
– Clean OS and applica琀椀on images
• Policies needed for incident handling
– Everyone knows what to do
The challenge of detec琀椀on
• Many di昀昀erent detec琀椀on sources
– Di昀昀erent levels of detail, di昀昀erent levels of percep琀椀on
• A large amount of “volume”
– A琀琀acks are incoming all the 琀椀me
– How do you iden琀椀fy the legi琀椀mate threats?
• Incidents are almost always complex
– Extensive knowledge needed
Incident precursors
• An incident might occur in the future
– This is your heads-up
• Web server log
– Vulnerability scanner in use
• Exploit announcement
– Monthly Microso昀琀 patch release,
– Adobe Flash update
• Direct threats
– A hacking group doesn’t like you
Incident indicators
• An a琀琀ack is underway
– Or an exploit is successful
• Bu昀昀er over昀氀ow a琀琀empt
– Iden琀椀昀椀ed by an intrusion detec琀椀on/preven琀椀on system
• An琀椀-virus so昀琀ware iden琀椀昀椀es malware
– Deletes from OS and no琀椀昀椀es administrator
• Host-based monitor detects a con昀椀gura琀椀on change
– Constantly monitors system 昀椀les
• Network tra昀케c 昀氀ows deviate from the norm
– Requires constant monitoring
© 2020 Messer Studios, LLC
Isola琀椀on and containment
• Generally a bad idea to let things run their course
– An incident can spread quickly
– It’s your fault at that point
• Sandboxes
– An isolated opera琀椀ng system
– Run malware and analyze the results
– Clean out the sandbox when done
• Isola琀椀on can be some琀椀mes be problema琀椀c
– Malware or infec琀椀ons can monitor connec琀椀vity
– When connec琀椀vity is lost, everything could be
deleted/encrypted/damaged
Recovery a昀琀er an incident
• Get things back to normal
– Remove the bad, keep the good
• Eradicate the bug
– Remove malware
– Disable breached user accounts
– Fix vulnerabili琀椀es
• Recover the system
– Restore from backups
– Rebuild from scratch
– Replace compromised 昀椀les
– Tighten down the perimeter
Recons琀椀tu琀椀on
• A phased approach
– It’s di昀케cult to 昀椀x everything at once
• Recovery may take months
– Large-scale incidents require a large amount of work
• The plan should be e昀케cient
– Start with quick, high-value security changes
• Patches, 昀椀rewall policy changes
– Later phases involve much “heavier li昀琀ing”
• Infrastructure changes, large-scale security
rollouts
Lessons learned
• Learn and improve
– No system is perfect
• Post-incident mee琀椀ng
– Invite everyone a昀昀ected by the incident
• Don’t wait too long
– Memories fade over 琀椀me
– Some recommenda琀椀ons can be applied to the
next event
Answer the tough ques琀椀ons
• What happened, exactly?
– Timestamp of the events
• How did your incident plans work?
– Did the process operate successfully?
• What would you do di昀昀erently next 琀椀me?
– Retrospec琀椀ve views provide context
• Which indicators would you watch next 琀椀me?
– Di昀昀erent precursors may give you be琀琀er alerts
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 101
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
4.2 - Incident Response Planning
Exercise
• Test yourselves before an actual event
– Scheduled update sessions (annual, semi-annual, etc.)
• Use well-de昀椀ned rules of engagement
– Do not touch the produc琀椀on systems
• Very speci昀椀c scenario
– Limited 琀椀me to run the event
• Evaluate response
– Document and discuss
Tabletop exercises
• Performing a full-scale disaster drill can be costly
– And 琀椀me consuming
• Many of the logis琀椀cs can be determined through
analysis
– You don’t physically have to go through a
disaster or drill
• Get key players together for a tabletop exercise
– Talk through a simulated disaster
Walkthrough
• Include responders
– A step beyond a tabletop exercise
– Many moving parts
• Test processes and procedures before an event
– Walk through each step
– Involve all groups
– Reference actual response materials
• Iden琀椀昀椀es actual faults or missing steps
– The walkthrough applies the concepts from the
tabletop exercise
Simula琀椀on
• Test with a simulated event
– Phishing a琀琀ack, password requests, data breaches
• Going phishing
– Create a phishing email a琀琀ack
– Send to your actual user community
– See who bites
• Test internal security
– Did the phishing get past the 昀椀lter?
• Test the users
– Who clicked?
– Addi琀椀onal training may be required
Stakeholder management
• Keeping an good ongoing rela琀椀onship with
customers of IT
– These can be internal or external customers
– An incident response will require teamwork
– Without the stakeholder, IT would not exist
• Most of this happens prior to an incident
– Ongoing communica琀椀on and mee琀椀ngs
– Exercises should include the customers
• Con琀椀nues a昀琀er the incident
– Prepare for the next event
© 2020 Messer Studios, LLC
Communica琀椀on plan
• Get your contact list together
– There are a lot of people in the loop
• Corporate / Organiza琀椀on
– CIO / Head of Informa琀椀on Security / Internal
Response Teams
• Internal non-IT
– Human resources, public a昀昀airs, legal department
• External contacts
– System owner, law enforcement
– US-CERT (for U.S. Government agencies)
Disaster recovery plan
• If a disaster happens, IT should be ready
– Part of business con琀椀nuity planning
– Keep the organiza琀椀on up and running
• Disasters are many and varied
– Natural disasters
– Technology or system failures
– Human-created disasters
• A comprehensive plan
– Recovery loca琀椀on
– Data recovery method
– Applica琀椀on restora琀椀on
– IT team and employee availability
Con琀椀nuity of opera琀椀ons planning (COOP)
• Not everything goes according to plan
• Disasters can cause a disrup琀椀on to the norm
• We rely on our computer systems
• Technology is pervasive
• There needs to be an alterna琀椀ve
• Manual transac琀椀ons
• Paper receipts
• Phone calls for transac琀椀on approvals
• These must be documented and tested before
a problem occurs
Incident response team
• Receives, reviews, and responds
– A prede昀椀ned group of professionals
• Determine what type of events require a response
– A virus infec琀椀on? Ransomware? DDoS?
• May or may not be part of the organiza琀椀onal structure
– Pulled together on an as-needed basis
• Focuses on incident handling
– Incident response, incident analysis, incident repor琀椀ng
Reten琀椀on policies
• Backup your data
– How much and where? Copies, versions of copies,
lifecycle of data, purging old data
• Regulatory compliance
– A certain amount of data backup may be required
• Opera琀椀onal needs
– Accidental dele琀椀on, disaster recovery
• Di昀昀eren琀椀ate by type and applica琀椀on
– Recover the data you need when you need it
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 102
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
4.2 - A琀琀ack Frameworks
A琀琀acks and responses
• A constantly moving chessboard
– The rules are also constantly changing
• Response and intelligence teams need assistance
– Gather and maintain ongoing reconnaissance
• Understand a琀琀acks
– Many di昀昀erent vectors
• Assess the risk in an organiza琀椀on
– Determine if a risk exists
– Use appropriate mi琀椀ga琀椀on
MITRE ATT&CK framework
• The MITRE corpora琀椀on
– US not-for-pro昀椀t based in Massachuse琀琀s and Virginia
– Supports several U.S. government agencies
• The MITRE ATT&CK framework
– h琀琀ps://a琀琀ack.mitre.org/
• Determine the ac琀椀ons of an a琀琀acker
– Iden琀椀fy point of intrusion
– Understand methods used to move around
– Iden琀椀fy poten琀椀al security techniques to
block future a琀琀acks
Diamond Model of Intrusion Analysis
• Designed by the intelligence community
– h琀琀ps://apps.d琀椀c.mil/docs/cita琀椀ons/ADA586960
– Guide analysts to help understand intrusions
– Integrates well with other frameworks
• Apply scien琀椀昀椀c principles to intrusion analysis
– Measurement, testability, and repeatability
– Appears simple, but is remarkably complex
• An adversary deploys a capability over some
infrastructure against a vic琀椀m
– Use the model to analyze and 昀椀ll in the details
Cyber Kill Chain
• Seven phases of a cyber a琀琀ack
– A military concept
4.3 - Vulnerability Scan Output
Iden琀椀fy vulnerability
• The scanner looks for everything
– Well, not _everything_
– The signatures are the key
• The vulnerabili琀椀es can be cross-referenced online
– Almost all scanners give you a place to go
– Na琀椀onal Vulnerability Database: h琀琀p://nvd.nist.gov/
– Microso昀琀 Security Bulle琀椀ns:
– h琀琀ps://docs.microso昀琀.com/en-us/security-updates/
• Some vulnerabili琀椀es cannot be de昀椀ni琀椀vely iden琀椀昀椀ed
– You’ll have to check manually to see if a
system is vulnerable
– But the scanner gives you a heads-up
Vulnerability scan results
• Lack of security controls
– No 昀椀rewall
– No an琀椀-virus
– No an琀椀-spyware
• Miscon昀椀gura琀椀ons
– Open shares
– Guest access
• Real vulnerabili琀椀es
– Especially newer ones
– Occasionally the old ones
© 2020 Messer Studios, LLC
Dealing with false posi琀椀ves
• False posi琀椀ves
– A vulnerability is iden琀椀昀椀ed that doesn’t really exist
• This is di昀昀erent than a low-severity vulnerability
– It’s real, but it may not be your highest priority
• False nega琀椀ves
– A vulnerability exists, but you didn’t detect it
• Update to the latest signatures
– If you don’t know about it, you can’t see it
• Work with the vulnerability detec琀椀on manufacturer
– They may need to update their signatures
for your environment
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 103
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
4.3 - SIEM Dashboards
SIEM
• Security Informa琀椀on and Event Management
– Logging of security events and informa琀椀on
• Security alerts
– Real-琀椀me informa琀椀on
• Log aggrega琀椀on and long-term storage
– Usually includes advanced repor琀椀ng features
• Data correla琀椀on
– Link diverse data types
• Forensic analysis
– Gather details a昀琀er an event
Ge琀�ng the data
• Sensors and logs
– Opera琀椀ng systems
– Infrastructure devices
– NetFlow sensors
• Sensi琀椀vity se琀�ngs
– Easy to be overwhelmed with data
– Some informa琀椀on is unnecessary
– Informa琀椀onal, Warning, Urgent
Viewing the data
• Trends
– Iden琀椀fy changes over 琀椀me
– Easily view constant a琀琀ack metrics
• Alerts
– Iden琀椀fy a security event
– View raw data
– Visualize the log informa琀椀on
• Correla琀椀on
– Combine and compare
– View data in di昀昀erent ways
4.3 - Log 昀椀les
Network log 昀椀les
• Switches, routers, access points, VPN concentrators
– And other infrastructure devices
• Network changes
– Rou琀椀ng updates
– Authen琀椀ca琀椀on issues
– Network security issues
System log 昀椀les
• Opera琀椀ng system informa琀椀on
– Extensive logs
– File system informa琀椀on
– Authen琀椀ca琀椀on details
• Can also include security events
– Monitoring apps
– Brute force, 昀椀le changes
• May require 昀椀ltering
– Don’t forward everything
Applica琀椀on log 昀椀les
• Speci昀椀c to the applica琀椀on
– Informa琀椀on varies widely
• Windows - Event Viewer / Applica琀椀on Log
• Linux / macOS - /var/log
• Parse the log details on the SIEM
– Filter out unneeded info
Security log 昀椀les
• Detailed security-related informa琀椀on
– Blocked and allowed tra昀케c 昀氀ows
– Exploit a琀琀empts
– Blocked URL categories
– DNS sinkhole tra昀케c
• Security devices
– IPS, 昀椀rewall, proxy
• Cri琀椀cal security informa琀椀on
– Documenta琀椀on of every tra昀케c 昀氀ow
– Summary of a琀琀ack info
– Correlate with other logs
© 2020 Messer Studios, LLC
Web log 昀椀les
• Web server access
– IP address, web page URL
• Access errors
– Unauthorized or non-existent folders/昀椀les
• Exploit a琀琀empts
– A琀琀empt to access 昀椀les containing known
vulnerabili琀椀es
• Server ac琀椀vity
– Startup and shutdown no琀椀ces
– Restart messages
DNS log 昀椀les
• View lookup requests
– And other DNS queries
• IP address of the request
– The request FQDN or IP
• Iden琀椀fy queries to known bad URLs
– Malware sites, known command
and control domains
• Block or modify known bad requests
at the DNS server
– Log the results
– Report on malware ac琀椀vity
Authen琀椀ca琀椀on log 昀椀les
• Know who logged in (or didn’t)
– Account names
– Source IP address
– Authen琀椀ca琀椀on method
– Success and failure reports
• Iden琀椀fy mul琀椀ple failures
– Poten琀椀al brute force a琀琀acks
• Correlate with other events
– File transfers
– Authen琀椀ca琀椀ons to other devices
– Applica琀椀on installa琀椀on
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 104
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
4.3 - Log 昀椀les (con琀椀nued)
Dump 昀椀les
• Store all contents of memory into a diagnos琀椀c 昀椀le
– Developers can use this info
• Easy to create from the
– Windows Task Manager
– Right-click, Create dump 昀椀le
• Some applica琀椀ons have their own dump 昀椀le process
– Contact the appropriate support team for
addi琀椀onal details
VoIP and Call Manager logs
• View inbound and outbound call info
– Endpoint details, gateway communica琀椀on
• Security informa琀椀on
– Authen琀椀ca琀椀ons, audit trail
• SIP tra昀케c logs
– Session Ini琀椀a琀椀on Protocol
– Call setup, management, and teardown
– Inbound and outbound calls
– Alert on unusual numbers or country codes
4.3 - Log Management
Syslog
• Standard for message logging
– Diverse systems create a consolidated log
• Usually a central logging receiver
– Integrated into the SIEM (Security Informa琀椀on and
Event Manager)
• Each log entry is labeled
– Facility code (program that created the log) and
severity level
• Syslog daemon op琀椀ons
– Rsyslog -“Rocket-fast System for log processing”
– syslog-ng - A popular syslog daemon with addi琀椀onal
昀椀ltering and storage op琀椀ons
– NXLog - Collec琀椀on from many diverse log types
Journalctl
• Linux has a lot of logs
– The OS, daemons, applica琀椀ons, etc.
• System logs are stored in a binary format
– Op琀椀mized for storage and queries
– Can’t read them with a text editor
• Journalctl provides a method for querying the system
journal
– Search and 昀椀lter
– View as plain text
Bandwidth monitors
• The fundamental network sta琀椀s琀椀c
– Percentage of network use over 琀椀me
• Many di昀昀erent ways to gather this metric
– SNMP, NetFlow, sFlow, IPFIX protocol analysis,
so昀琀ware agent
• Iden琀椀fy fundamental issues
– Nothing works properly if bandwidth is highly u琀椀lized
Metadata
• Metadata
– Data that describes other data sources
• Email
– Header details, sending servers, des琀椀na琀椀on address
• Mobile - Type of phone, GPS loca琀椀on,
• Web - Opera琀椀ng system, browser type, IP address
• Files - Name, address, phone number, 琀椀tle
© 2020 Messer Studios, LLC
NetFlow
• Gather tra昀케c sta琀椀s琀椀cs from all tra昀케c 昀氀ows
– Shared communica琀椀on between devices
• NetFlow
– Standard collec琀椀on method
– Many products and op琀椀ons
• Probe and collector
– Probe watches network communica琀椀on
– Summary records are sent to the collector
• Usually a separate repor琀椀ng app
– Closely 琀椀ed to the collector
IPFIX
• IP Flow Informa琀椀on Export
– A newer, NetFlow-based standard
– Evolved from NetFlow v9
• Flexible data support
– Templates are used to describe the data
sFlow
• sFlow (Sampled Flow)
– Only a por琀椀on of the actual network tra昀케c
– So, technically not a 昀氀ow
• Usually embedded in the infrastructure
– Switches, routers
– Sampling usually occurs in hardware/ASICs
• Rela琀椀vely accurate sta琀椀s琀椀cs
– Useful informa琀椀on regarding video streaming and
high-tra昀케c applica琀椀ons
Protocol analyzer output
• Solve complex applica琀椀on issues
– Get into the details
• Gathers packets on the network
– Or in the air
– Some琀椀mes built into the device
• View detailed tra昀케c informa琀椀on
– Iden琀椀fy unknown tra昀케c
– Verify packet 昀椀ltering and security controls
– View a plain-language descrip琀椀on of the
applica琀椀on data
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 105
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
4.4 - Endpoint Security Con昀椀gura琀椀on
The endpoint
• The end user device
– Desktop PC, laptop, tablet, phone, etc.
• Many ways to exploit a system
– OS vulnerability, malware,
user interven琀椀on
• Security team has to cover all of the bases
– Recognize and react to any
malicious ac琀椀vity
Applica琀椀on approved/deny lists
• Any applica琀椀on can be dangerous
– Vulnerabili琀椀es, trojan horses, malware
– Security policy can control app execu琀椀on
• Approved list
– Nothing runs unless it’s approved
– Very restric琀椀ve
• Blocklist / deny list
– Nothing on the “bad list” can be executed
– An琀椀-virus, an琀椀-malware
• Quaran琀椀ne
– Anything suspicious can be moved to a safe area
Examples of applica琀椀on approval lists
• Decisions are made in the opera琀椀ng system
– O昀琀en built-in to the opera琀椀ng
system management
– Applica琀椀on hash
• Only allows applica琀椀ons with this
unique iden琀椀昀椀er
• Cer琀椀昀椀cate
– Allow digitally signed apps from
certain publishers
• Path
– Only run applica琀椀ons in these folders
• Network zone
– The apps can only run from this network zone
4.4 - Security Con昀椀gura琀椀ons
Con昀椀gura琀椀on changes
• Firewall rules
– Manage applica琀椀on 昀氀ows
– Block dangerous applica琀椀ons
• Mobile Device Manager (MDM)
– Enable or disable phone and tablet func琀椀onality
– Regardless of physical loca琀椀on
• Data Loss Preven琀椀on (DLP)
– Block transfer of personally iden琀椀昀椀able informa琀椀on
(PII) or sensi琀椀ve data
– Credit card numbers, social security numbers, etc.
• Content 昀椀lter/URL 昀椀lter
– Limit access to untrusted websites
– Block known malicious sites
– Large blocklists are used to share suspicious site URLs
• Upda琀椀ng or revoking cer琀椀昀椀cates
– Manage device cer琀椀昀椀cates to verify trust
– Revoking a cer琀椀昀椀cate e昀昀ec琀椀vely removes access
Isola琀椀on
• Administra琀椀vely isolate a compromised device from
everything else
– Prevent the spread of malicious so昀琀ware
– Prevent remote access or C2 (Command and Control)
• Network isola琀椀on
– Isolate to a remedia琀椀on VLAN
– No communica琀椀on to other devices
• Process isola琀椀on
– Limit applica琀椀on execu琀椀on
– Prevent malicious ac琀椀vity but allow device
management
© 2020 Messer Studios, LLC
Containment
• Applica琀椀on containment
– Run each applica琀椀on in its own sandbox
– Limit interac琀椀on with the host opera琀椀ng system
and other applica琀椀ons
– Ransomware would have no method of infec琀椀on
• Contain the spread of a mul琀椀-device security
event, i.e., ransomware
– Disable administra琀椀ve shares
– Disable remote management
– Disable local account access and change local
administrator password
Segmenta琀椀on
• Separate the network
– Prevent unauthorized movement
– Limit the scope of a breach
SOAR
• Security Orchestra琀椀on, Automa琀椀on, and Response
– Integrate third-party tools and data sources
– Make security teams more e昀昀ec琀椀ve
• Runbooks
– Linear checklist of steps to perform
– Step-by-step approach to automa琀椀on
– Reset a password, create a website cer琀椀昀椀cate,
back up applica琀椀on data
• Playbooks
– Condi琀椀onal steps to follow; a broad process
– Inves琀椀gate a data breach, recover
from ransomware
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 106
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
4.5 - Digital Forensics
Digital forensics
• Collect and protect informa琀椀on rela琀椀ng to an intrusion
– Many di昀昀erent data sources and protec琀椀on
mechanisms
• RFC 3227 - Guidelines for
– Evidence Collec琀椀on and Archiving
– A good set of best prac琀椀ces
• Standard digital forensic process
– Acquisi琀椀on, analysis, and repor琀椀ng
• Must be detail oriented
– Take extensive notes
Legal hold
• A legal technique to preserve relevant informa琀椀on
– Prepare for impending li琀椀ga琀椀on
– Ini琀椀ated by legal counsel
• Hold no琀椀昀椀ca琀椀on
– Records custodians are instructed to preserve data
• Separate repository for electronically stored
informa琀椀on (ESI)
– Many di昀昀erent data sources and types
– Unique work昀氀ow and reten琀椀on requirements
• Ongoing preserva琀椀on
– Once no琀椀昀椀ed, there’s an ongoing obliga琀椀on to
preserve data
Capture video
• A moving record of the event
– Gathers informa琀椀on external to the computer
and network
• Captures the status of the screen and other
vola琀椀le informa琀椀on
– Today’s mobile video devices are remarkable
• Don’t forget security cameras and your phone
• The video content must also be archived
– May have some of the most important record
of informa琀椀on
Admissibility
• Not all data can be used in a court of law
– Di昀昀erent rules in di昀昀erent jurisdic琀椀ons
• Legal authoriza琀椀on
– Search and seizure of informa琀椀on
• Procedures and tools
– The correct tools used the correct way
• Laboratories
– Proper scien琀椀昀椀c principles used to analyze
the evidence
• Technical and academic quali昀椀ca琀椀ons
– Competence and quali昀椀ca琀椀ons of experts
Chain of custody
• Control evidence
– Maintain integrity
• Everyone who contacts the evidence
– Use hashes
– Avoid tampering
© 2020 Messer Studios, LLC
• Label and catalog everything
– Digitally tag all items for ongoing documenta琀椀on
– Seal and store
Recording 琀椀me o昀昀sets
• The 琀椀me zone determines how the 琀椀me is displayed
– Document the local device se琀�ngs
• Di昀昀erent 昀椀le systems store 琀椀mestamps di昀昀erently
– FAT: Time is stored in local 琀椀me
– NTFS: Time is stored in GMT
• Record the 琀椀me o昀昀set from the opera琀椀ng system
– The Windows Registry
– Many di昀昀erent values (daylight saving 琀椀me,
琀椀me change informa琀椀on, etc.)
Event logs
• System logs
– Documents important opera琀椀ng system and
applica琀椀on events
• Export and store for future reference
– Filter and parse
• Log store
– Linux: /var/log
– Windows: Event Viewer
Interviews
• Who might have seen this?
– You won’t know un琀椀l you ask
• Interview and document
– These folks might not be around later
• Not all witness statements are 100% accurate
– Humans are fallible
Reports
• Document the 昀椀ndings
– For Internal use, legal proceedings, etc.
• Summary informa琀椀on
– Overview of the security event
• Detailed explana琀椀on of data acquisi琀椀on
– Step-by-step method of the process
• The 昀椀ndings
– An analysis of the data
• Conclusion
– Professional results, given the analysis
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 107
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
4.5 - Forensics Data Acquisi琀椀on
Most Vola)le
CPU registers, CPU cache
Router table, ARP cache, process table, kernel sta8s8cs, memory
Temporary file systems
Disk
Remote logging and monitoring data
Least Vola)le
Physical configura8on, network topology
Archival media
Order of vola琀椀lity
• How long does data s琀椀ck around?
– Some media is much more vola琀椀le than others
– Gather data in order from the most vola琀椀le to
less vola琀椀le
Disk
• Copy everything on a storage drive
– Hard drive, SSD, 昀氀ash drive
• Drive image prepara琀椀on
– Power down to prevent changes
– Remove storage drive
• Connect to imaging device
– With write-protec琀椀on
• Forensic clone
– Bit-for-bit copy
– Preserve all data (even the “deleted” data)
Random access memory (RAM)
• A di昀케cult target to capture
– Changes constantly
– Capturing data changes the data
• Memory dump
– Grab everything in ac琀椀ve RAM
– Many third-party tools
• Important data
– Browsing history
– Clipboard informa琀椀on
– Encryp琀椀on keys
– Command history
Swap/page昀椀le
• Used by di昀昀erent opera琀椀ng systems
– Slightly di昀昀erent usage in each
• A place to store RAM when memory is depleted
– There’s a lot more space on the storage drive
– Transfer pages of RAM to a storage drive
• Can also contain por琀椀ons of an applica琀椀on
– Page out por琀椀ons that aren’t in use
• Contains data similar to a RAM dump
– Anything ac琀椀ve on the system
© 2020 Messer Studios, LLC
Opera琀椀ng system
• OS 昀椀les and data
– May have been modi昀椀ed
• Core opera琀椀ng system
– Executable 昀椀les and libraries
– Can be compared later to known-good 昀椀les
– Usually captured with a drive image
• Other OS data
– Logged in users
– Open ports
– Processes currently running
– A琀琀ached device list
Device
• Mobile devices and tablets
– A more challenging forensics task
• Capture data
– Use an exis琀椀ng backup 昀椀le
– Transfer image over USB
• Data
– Phone calls
– Contact informa琀椀on
– Text messages
– Email data
– Images and movies
Firmware
• Extract the device 昀椀rmware
– Rootkits and exploited hardware device
– A reprogrammed 昀椀rmware or ROM
• Speci昀椀c to the pla琀昀orm
– Firmware implementa琀椀ons vary widely
• A琀琀acker gains access to the device
– Maintains access through OS updates
• Data discovery
– Exploit data
– Firmware func琀椀onality
– Real-琀椀me data
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 108
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
4.5 - Forensics Data Acquisi琀椀on (con琀椀nued)
Snapshot
• Generally associated with virtual machines (VMs)
– A point-in-琀椀me system image
• Incremental between snapshots
– Original image is the full backup
– Each snapshot is incremented from the last
– Restoring requires the original and all snapshots
• Contains all 昀椀les and informa琀椀on about a VM
– Similar to a system image
– Opera琀椀ng system, applica琀椀ons, user data, etc.
Cache
• Store data for use later
– O昀琀en used to increase performance
– Many di昀昀erent caches (CPU, disk, Internet, etc.)
• Can contain specialized data
– CPU cache is very short-term instruc琀椀on storage
• Some data may never be used
– Erased a昀琀er a speci昀椀ed 琀椀meframe or when the cache is full
– Browser caches are o昀琀en long-lived
• Data
– URL loca琀椀ons
– Browser page components (text, images)
Network
• Gather informa琀椀on about and from the network
– Network connec琀椀ons, packet captures
• Inbound and outbound sessions
– OS and applica琀椀on tra昀케c
• Packet data
– Capture raw network data
– May include long-term packet captures
• Third-party packet captures
– Firewalls, IPS, etc.
Ar琀椀facts
• Digital items le昀琀 behind
– Every contact leaves a trace
– May not be obvious to access
• Ar琀椀fact loca琀椀ons
– Log informa琀椀on
– Flash memory
– Prefetch cache 昀椀les
– Recycle Bin
– Browser bookmarks and logins
4.5 - On-Premises vs. Cloud Forensics
Forensics in the cloud
• Adding complexity to the digital forensics process
– Cloud technologies
• Technical challenges
– Devices are not totally in your control
– There may be limited access
– Associate data with a speci昀椀c user
• Legal issues
– Laws are di昀昀erent around the world
– The rules may not be immediately obvious
Right to audit clauses
• Common to work with business partners
– Data sharing
– Outsourcing
• Cloud compu琀椀ng providers
– Can hold all of the data
– Manage Internet access
– Are they secure?
• Right-to-audit should be in the contract
– A legal agreement to have the op琀椀on to perform
a security audit at any 琀椀me
– Everyone agrees to the terms and condi琀椀ons
– Ability to verify security before a breach occurs
© 2020 Messer Studios, LLC
Regulatory/jurisdic琀椀on
• Cloud compu琀椀ng technology appeared rela琀椀vely quickly
– The legal world is scrambling to catch up
• Forensics professionals must know their legal rights
– Data in a di昀昀erent jurisdic琀椀on may be bound by very
di昀昀erent regula琀椀ons
• Data stored in cloud may not be located in the same country
– Loca琀椀on of the data center may determine how data can
be treated
• Loca琀椀on of the data is cri琀椀cal
– Legal frameworks vary widely between countries
– Some countries don’t allow electronic searches outside
of their borders
Data breach no琀椀昀椀ca琀椀on laws
• No琀椀昀椀ca琀椀on laws
– If consumer data is breached, the consumer must be
informed
• Many data breach no琀椀昀椀ca琀椀on laws
– Vary widely across countries and locali琀椀es
– If you’re in the cloud, you’re a global en琀椀ty
• No琀椀昀椀ca琀椀on requirements also vary
– Type of data breached
– Who gets no琀椀昀椀ed
– How quickly
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 109
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
4.5 - Managing Evidence
Integrity
• Hashing
– Cryptographic integrity veri昀椀ca琀椀on
– A digital “昀椀ngerprint”
• Checksums
– Protects against accidental changes during transmission
– A rela琀椀vely simple integrity check
– Not designed to replace a hash
• Provenance
– Documenta琀椀on of authen琀椀city
– A chain of custody for data handling
– Blockchain technology
Preserva琀椀on
• Handling evidence
– Isolate and protect the data
– Analyze the data later without any altera琀椀ons
• Manage the collec琀椀on process
– Work from copies
– Manage the data collec琀椀on from mobile devices
• Live collec琀椀on has become an important skill
– Data may be encrypted or di昀케cult to collect a昀琀er
powering down
• Follow best prac琀椀ces to ensure admissibility of
data in court
– What happens now a昀昀ects the future
E-discovery
• Electronic discovery
– Collect, prepare, review, interpret, and produce
electronic documents
• E-discovery gathers data required by the legal process
– Does not generally involve analysis
– There’s no considera琀椀on of intent
• Works together with digital forensics
– The e-discovery process obtains a storage drive
– Data on the drive is smaller than expected
– Forensics experts determine that data was deleted and
a琀琀empt to recover the data
Data recovery
• Extract missing data without a昀昀ec琀椀ng the
integrity of the data
– Requires training and exper琀椀se
• The recovery process can vary
– Deleted 昀椀les
– Hidden data
– Hardware or so昀琀ware corrup琀椀on
– Storage device is physically damaged
Non-repudia琀椀on
• Proof of data integrity and the origin of the data
– The data is unchanged and really did come from the
sender
– Hashing the data
• Authen琀椀ca琀椀on that is genuine with high con昀椀dence
– The only person who could have sent the data is the
sender
• Message Authen琀椀ca琀椀on Code (MAC)
– The two par琀椀es can verify non-repudia琀椀on
• Digital Signature
– The non-repudia琀椀on can be publicly veri昀椀ed
Strategic intelligence/counterintelligence
• Strategic intelligence
– A focus on key threat ac琀椀vity for a domain
– Business sectors, geographical regions, countries
– Gather informa琀椀on from internal threat reports,
third-party data sources, and other data inputs
– Determine the threat landscape based on the trends
• Strategic counterintelligence (CI)
– Prevent hos琀椀le intelligence opera琀椀ons
– Discover and disrupt foreign intelligence threats
– Gather threat informa琀椀on on foreign intelligence
opera琀椀ons
5.1 - Security Controls
Security controls
• Security risks are out there
– Many di昀昀erent types to consider
• Assets are also varied
– Data, physical property, computer systems
• Prevent security events, minimize the impact,
and limit the damage
– Security controls
Control categories
• Managerial controls
– Controls that address security design and implementa琀椀on
– Security policies, standard opera琀椀ng procedures
• Opera琀椀onal controls
– Controls that are implemented by people
– Security guards, awareness programs
© 2020 Messer Studios, LLC
• Technical controls
– Controls implemented using systems
– Opera琀椀ng system controls
– Firewalls, an琀椀-virus
Control types
• Preven琀椀ve
– Physically control access
– Door lock
– Security guard
– Firewall
• Detec琀椀ve
– May not prevent access
– Iden琀椀昀椀es and records any intrusion a琀琀empt
– Mo琀椀on detector, IDS/IPS
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 110
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
5.1 - Security Controls (con琀椀nued)
• Correc琀椀ve
– Designed to mi琀椀gate damage
– IPS can block an a琀琀acker
– Backups can mi琀椀gate a ransomware infec琀椀on
– A backup site can provide op琀椀ons when a storm hits
• Deterrent
– May not directly prevent access
– Discourages an intrusion a琀琀empt
– Warning signs, login banner
• Compensa琀椀ng
– Doesn’t prevent an a琀琀ack
– Restores using other means
– Re-image or restore from backup
– Hot site
– Backup power system
• Physical
– Fences, locks, mantraps
– Real-world security
5.2 - Security Regula琀椀ons and Standards
Compliance
• Compliance
– Mee琀椀ng the standards of laws, policies, and regula琀椀ons
• A healthy catalog of regula琀椀ons and laws
– Across many aspects of business and life
– Many are industry-speci昀椀c or situa琀椀onal
• Penal琀椀es
– Fines, incarcera琀椀on, loss of employment
• Scope
– Covers na琀椀onal, territory, or state laws
– Domes琀椀c and interna琀椀onal requirements
GDPR - General Data Protec琀椀on Regula琀椀on
• European Union regula琀椀on
– Data protec琀椀on and privacy for individuals in the EU
– Name, address, photo, email address, bank details, posts
on social networking websites, medical informa琀椀on,
a computer’s IP address, etc.
• Controls export of personal data
– Users can decide where their data goes
• Gives individuals control of their personal data
– A right to be forgo琀琀en
• Site privacy policy
– Details all of the privacy rights for a user
PCI DSS
• Payment Card Industry
– Data Security Standard (PCI DSS)
– A standard for protec琀椀ng credit cards
• Six control objec琀椀ves
– Build and maintain a secure network and
systems
– Protect cardholder data
– Maintain a vulnerability management program
– Implement strong access control measures
– Regularly monitor and test networks
– Maintain an informa琀椀on security policy
5.2 - Security Frameworks
Security frameworks
• Secure your data.
– Where do you start? What are the best prac琀椀ces?
– If only there was a book.
• O昀琀en a complex problem
– Unique organiza琀椀onal requirements
– Compliance and regulatory requirements
– Many di昀昀erent processes and tools are available
• Use a security framework
– Documented processes
– A guide for crea琀椀ng a security program
– De昀椀ne tasks and priori琀椀ze projects
Center for Internet Security (CIS)
• Center for Internet Security
– Cri琀椀cal Security Controls for
– E昀昀ec琀椀ve Cyber Defense
– CIS CSC
• Improve cyber defenses
– Twenty key ac琀椀ons (the cri琀椀cal security controls)
– Categorized for di昀昀erent organiza琀椀on sizes
• Designed for implementa琀椀on - Wri琀琀en for IT professionals
– Includes prac琀椀cal and ac琀椀onable tasks
© 2020 Messer Studios, LLC
NIST RMF
• Na琀椀onal Ins琀椀tute of Standards and Technology
– Risk Management Framework (RMF)
– Mandatory for US federal agencies and
organiza琀椀ons that handle federal data
• Six step process
– Step 1: Categorize - De昀椀ne the environment
– Step 2: Select - Pick appropriate controls
– Step 3: Implement - De昀椀ne proper implementa琀椀on
– Step 4: Assess - Determine if controls are working
– Step 5: Authorize - Make a decision to
authorize a system
– Step 6: Monitor - Check for ongoing compliance
NIST CSF
• Na琀椀onal Ins琀椀tute of Standards and Technology
– Cybersecurity Framework (CSF)
– A voluntary commercial framework
• Framework Core
– Iden琀椀fy, Protect, Detect, Respond, and Recover
• Framework Implementa琀椀on Tiers
– An organiza琀椀on’s view of cybersecurity risk and
processes to manage the risk
• Framework Pro昀椀le - The alignment of standards,
guidelines, and prac琀椀ces to the Framework Core
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 111
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
5.2 - Security Frameworks (con琀椀nued)
ISO/IEC frameworks
• Interna琀椀onal Organiza琀椀on for Standardiza琀椀on /
– Interna琀椀onal Electrotechnical Commission
• ISO/IEC 27001
– Standard for an Informa琀椀on Security
Management System (ISMS)
• ISO/IEC 27002
– Code of prac琀椀ce for informa琀椀on security controls
• ISO/IEC 27701
– Privacy Informa琀椀on Management Systems (PIMS)
• ISO 31000
– Interna琀椀onal standards for risk management prac琀椀ces
SSAE SOC 2 Type I/II
• The American Ins琀椀tute of Cer琀椀昀椀ed Public Accountants
(AICPA) audi琀椀ng standard Statement on Standards for
A琀琀esta琀椀on Engagements number 18 (SSAE 18)
• SOC 2 - Trust Services Criteria (security controls)
– Firewalls, intrusion detec琀椀on, and
mul琀椀-factor authen琀椀ca琀椀on
• Type I audit
– Tests controls in place at a par琀椀cular point in 琀椀me
• Type II
– Tests controls over a period of at least six
consecu琀椀ve months
Cloud Security Alliance (CSA)
• Security in cloud compu琀椀ng
– Not-for-pro昀椀t organiza琀椀on
• Cloud Controls Matrix (CCM)
– Cloud-speci昀椀c security controls
– Controls are mapped to standards, best prac琀椀ces,
and regula琀椀ons
• Enterprise Architecture
– Methodology and tools
– Assess internal IT groups and cloud providers
– Determine security capabili琀椀es
– Build a roadmap
5.2 - Secure Con昀椀gura琀椀ons
Secure con昀椀gura琀椀ons
• No system is secure with the default con昀椀gura琀椀ons
– You need some guidelines to keep everything safe
• Hardening guides are speci昀椀c to the so昀琀ware or pla琀昀orm
– Get feedback from the manufacturer or
Internet interest group
– They’ll have the best details
• Other general-purpose guides are available online
Web server hardening
• Access a server with your browser
– The fundamental server on the Internet
– Microso昀琀 Internet Informa琀椀on Server,
Apache HTTP Server, et al.
• Huge poten琀椀al for access issues
– Data leaks, server access
• Secure con昀椀gura琀椀on
– Informa琀椀on leakage: Banner informa琀椀on, directory browsing
– Permissions: Run from a non-privileged account,
con昀椀gure 昀椀le permissions
– Con昀椀gure SSL: Manage and install cer琀椀昀椀cates
– Log 昀椀les: Monitor access and error logs
Opera琀椀ng system hardening
• Many and varied - Windows, Linux, iOS, Android, et al.
• Updates
– Opera琀椀ng system updates/service packs,
security patches
• User accounts
– Minimum password lengths and complexity
– Account limita琀椀ons
• Network access and security
– Limit network access
• Monitor and secure
– An琀椀-virus, an琀椀-malware
© 2020 Messer Studios, LLC
Applica琀椀on server
• Programming languages, run琀椀me libraries, etc.
– Usually between the web server
and the database
– Middleware
• Very speci昀椀c func琀椀onality
– Disable all unnecessary services
• Opera琀椀ng system updates
– Security patches
• File permissions and access controls
– Limit rights to what’s required
– Limit access from other devices
Network infrastructure devices
• Switches, routers, 昀椀rewalls, IPS, etc.
– You never see them, but they’re always there
• Purpose-built devices
– Embedded OS, limited OS access
• Con昀椀gure authen琀椀ca琀椀on
– Don’t use the defaults
• Check with the manufacturer
– Security updates
– Not usually updated frequently
– Updates are usually important
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 112
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
5.3 - Personnel Security
Acceptable use policies (AUP)
• What is acceptable use of company assets?
– Detailed documenta琀椀on
– May be documented in the Rules of Behavior
• Covers many topics
– Internet use, telephones, computers,
mobile devices, etc.
• Used by an organiza琀椀on to limit legal liability
– If someone is dismissed, these are the welldocumented reasons why
Business policies
• Job rota琀椀on
– Keep people moving between responsibili琀椀es
– No one person maintains control for long periods
of 琀椀me
• Mandatory vaca琀椀ons
– Rotate others through the job
– The longer the vaca琀椀on, the be琀琀er chance
to iden琀椀fy fraud
– Especially important in high-security environments
• Separa琀椀on of du琀椀es
– Split knowledge
• No one person has all of the details
• Half of a safe combina琀椀on
– Dual control
• Two people must be present to perform
the business func琀椀on
• Two keys open a safe (or launch a missile)
• Clean desk policy
– When you leave, nothing is on your desk
– Limit the exposure of sensi琀椀ve data to third-par琀椀es
Least privilege
• Rights and permissions should be set to
the bare minimum
– You only get exactly what’s needed to complete
your objec琀椀ve
• All user accounts must be limited
– Applica琀椀ons should run with minimal privileges
• Don’t allow users to run with administra琀椀ve privileges
– Limits the scope of malicious behavior
Background checks
• Background checks
– Pre-employment screening
– Verify the applicant’s claims
– Discover criminal history, workers compensa琀椀on
claims, etc.
– Legali琀椀es vary by country
• Adverse ac琀椀ons
– An ac琀椀on that denies employment based on the
background check
– May require extensive documenta琀椀on
– Can also include exis琀椀ng employees
© 2020 Messer Studios, LLC
Personnel security procedures
• NDA (Non-disclosure agreement)
– Con昀椀den琀椀ality agreement / Legal contract
– Prevents the use and dissemina琀椀on of
con昀椀den琀椀al informa琀椀on
• Social media analysis
– Gather data from social media
– Facebook, Twi琀琀er, LinkedIn, Instagram
– Build a personal pro昀椀le
– Another data point when making a hiring decision
On-boarding
• Bring a new person into the organiza琀椀on
– New hires or transfers
• IT agreements need to be signed
– May be part of the employee handbook or
a separate AUP
• Create accounts
– Associate the user with the proper groups
and departments
• Provide required IT hardware
– Laptops, tablets, etc. - Precon昀椀gured and ready to go
O昀昀-boarding
• All good things… (But you knew this day would come)
• This process should be pre-planned
– You don’t want to decide how to do things at this point
• What happens to the hardware and the data?
• Account informa琀椀on is usually deac琀椀vated
– But not always deleted
User training
• Gami昀椀ca琀椀on
– Score points, compete with others, collect badges
• Capture the 昀氀ag (CTF)
– Security compe琀椀琀椀on
– Hack into a server to steal data (the 昀氀ag)
– Can involve highly technical simula琀椀ons
– A prac琀椀cal learning environment
• Phishing simula琀椀on
– Send simulated phishing emails
– Make vishing calls
– See which users are suscep琀椀ble to phishing a琀琀acks
without being a vic琀椀m of phishing
• Computer-based training (CBT)
– Automated pre-built training
– May include video, audio, and Q&A
– Users all receive the same training experience
Role-based security awareness training
• Before providing access, train your users
– Detailed security requirements
• Specialized training
– Each user role has unique security responsibili琀椀es
• Also applies to third-par琀椀es
– Contractors, partners, suppliers
• Detailed documenta琀椀on and records
– Problems later can be severe for everyone
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 113
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
5.3 - Third-party Risk Management
Vendors
• Every organiza琀椀on works with vendors
– Payroll, customer rela琀椀onship management,
email marke琀椀ng, travel, raw materials
• Important company data is o昀琀en shared
– May be required for cloud-based services
• Perform a risk assessment
– Categorize risk by vendor and manage the risk
• Use contracts for clear understanding
– Make sure everyone understands the expecta琀椀ons
– Use the contract to enforce a secure environment
Target credit card breach - November 2013
• Every point of sale terminal infected
– A third-party was allowed in through lapses in
security policy
• A vendor was infected through an email a琀琀achment
– The vendor didn’t have or follow a security policy for
their worksta琀椀ons
• Target didn’t segment the vendor network
from the corporate
– The a琀琀ackers jumped from the vendor to the
Target network
• The corporate network was not segmented from
point of sale (POS) terminals
– Once on the inside, it was rela琀椀vely easy to get to
your credit card numbers
– (110 million card numbers)
Supply chain
• The system involved when crea琀椀ng a product
– Involves organiza琀椀ons, people, ac琀椀vi琀椀es, and resources
• Supply chain assessment
– Get a product or service from supplier to customer
– Evaluate coordina琀椀on between groups
– Iden琀椀fy areas of improvement
– Assess the IT systems suppor琀椀ng the opera琀椀on
– Document the business process changes
• New laptops arrive with bundled malware
– Lenovo, August 2014 through early 2015
– Super昀椀sh so昀琀ware added a self-signed root cert (!)
– Allowed for on-path a琀琀acks when browsing any site,
including over HTTPS
Business partners
• Much closer to your data than a vendor
– May require direct access
– May be a larger security concern than an outside hacker
• O昀琀en involves communica琀椀on over a trusted connec琀椀on
– More di昀케cult to iden琀椀fy malicious ac琀椀vity
• Partner risk management should be included
– Requirements for best prac琀椀ces, data handling,
intellectual property
• Include addi琀椀onal security between partners
– Firewalls and tra昀케c 昀椀lters
© 2020 Messer Studios, LLC
Common agreements
• Service Level Agreement (SLA)
– Minimum terms for services provided
– Up琀椀me, response 琀椀me agreement, etc.
– Commonly used between customers and
service providers
• Memorandum of Understanding (MOU)
– Both sides agree on the contents
of the memorandum
– Usually includes statements of con昀椀den琀椀ality
– Informal le琀琀er of intent; not a signed contract
• Measurement system analysis (MSA)
– Don’t make decisions based on incorrect data!
– Used with quality management systems,
i.e., Six Sigma
– Assess the measurement process
– Calculate measurement uncertainty
• Business Partnership Agreement (BPA)
– Going into business together
– Owner stake
– Financial contract
– Decision-making agreements
– Prepare for con琀椀ngencies
Product support life琀椀me
• End of life (EOL)
– Manufacturer stops selling a product
– May con琀椀nue suppor琀椀ng the product
– Important for security patches and updates
• End of service life (EOSL)
– Manufacturer stops selling a product
– Support is no longer available for the product
– No ongoing security patches or updates
– May have a premium-cost support op琀椀on
• Technology EOSL is a signi昀椀cant concern
– Security patches are part of normal opera琀椀on
Non-disclosure agreement (NDA)
• Con昀椀den琀椀ality agreement between par琀椀es
– Informa琀椀on in the agreement should not
be disclosed
• Protects con昀椀den琀椀al informa琀椀on
– Trade secrets
– Business ac琀椀vi琀椀es
– Anything else listed in the NDA
• Unilateral or bilateral (or mul琀椀lateral)
– On-way NDA or mutual NDA
• Formal contract
– Signatures are usually required
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 114
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
5.3 - Managing Data
Data governance
• Rules, processes, and accountability associated with
an organiza琀椀on’s data
– Data is used in the right ways
• Data steward
– Manages the governance processes
– Responsible for data accuracy, privacy, and security
– Associates sensi琀椀vity labels to the data
– Ensures compliance with any applicable laws and
standards
• Formal rules for data
– Everyone must know and follow the processes
Data classi昀椀ca琀椀on
• Iden琀椀fy data types
– Personal, public, restricted, etc.
– Use and protect data e昀케ciently
• Associate governance controls to the classi昀椀ca琀椀on levels
– How the data class should be managed
• Data compliance
– Laws and regula琀椀ons regarding certain types of data
– GDPR - General Data Protec琀椀on Regula琀椀on
Data reten琀椀on
• Keep 昀椀les that change frequently for version control
– Files change o昀琀en
– Keep at least a week, perhaps more
• Recover from virus infec琀椀on
– Infec琀椀on may not be iden琀椀昀椀ed immediately
– May need to retain 30 days of backups
• O昀琀en legal requirements for data reten琀椀on
– Email storage may be required over years
– Some industries must legally store certain data types
– Di昀昀erent data types have di昀昀erent
storage requirements
– Corporate tax informa琀椀on, customer PII,
tape backups, etc.
5.3 - Creden琀椀al Policies
Creden琀椀al management
• All that stands between the outside world and
all of the data
– The data is everything
• Passwords must not be embedded in the applica琀椀on
– Everything needs to reside on the server, not the client
• Communica琀椀on across the network should be encrypted
– Authen琀椀ca琀椀on tra昀케c should be impossible to see
Personnel accounts
• An account on a computer associated with
a speci昀椀c person
– The computer associates the user with a speci昀椀c
iden琀椀昀椀ca琀椀on number
• Storage and 昀椀les can be private to that user
– Even if another person is using the same computer
• No privileged access to the opera琀椀ng system
– Speci昀椀cally not allowed on a user account
• This is the account type most people will use
– Your user community
Third-party accounts
• Access to external third-party systems
– Cloud pla琀昀orms for payroll, enterprise resource
planning, etc.
• Third-party access to corporate systems
– Access can come from anywhere
• Add addi琀椀onal layers of security
– 2FA (two factor authen琀椀ca琀椀on)
– Audit the security posture of third-par琀椀es
• Don’t allow account sharing
– All users should have their own account
© 2020 Messer Studios, LLC
Device accounts
• Access to devices
– Mobile devices
• Local security
– Device cer琀椀昀椀cate
– Require screen locks and unlocking standards
– Manage through a Mobile Device Manager (MDM)
• Add addi琀椀onal security
– Geography-based
– Include addi琀椀onal authen琀椀ca琀椀on factors
– Associate a device with a user
Service accounts
• Used exclusively by services running on a computer
– No interac琀椀ve/user access (ideally)
– Web server, database server, etc.
• Access can be de昀椀ned for a speci昀椀c service
– Web server rights and permissions will be
di昀昀erent than a database server
• Commonly use usernames and passwords
– You’ll need to determine the best policy for
password updates
Administrator/root accounts
• Elevated access to one or more systems
– Super user access
• Complete access to the system
– O昀琀en used to manage hardware, drivers, and
so昀琀ware installa琀椀on
• This account should not be used for normal
administra琀椀on
– User accounts should be used
• Needs to be highly secured
– Strong passwords, 2FA
– Scheduled password changes
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 115
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
5.3 - Organiza琀椀onal Policies
Change management
• How to make a change
– Upgrade so昀琀ware, change 昀椀rewall con昀椀gura琀椀on,
modify switch ports
• One of the most common risks in the enterprise
– Occurs very frequently
• O昀琀en overlooked or ignored
– Did you feel that bite?
• Have clear policies
– Frequency, dura琀椀on, installa琀椀on process,
fallback procedures
• Some琀椀mes extremely di昀케cult to implement
– It’s hard to change corporate culture
Change control
• A formal process for managing change
– Avoid down琀椀me, confusion, and mistakes
• Nothing changes without the process
– Determine the scope of the change
– Analyze the risk associated with the change
– Create a plan
– Get end-user approval
– Present the proposal to the change control board
– Have a backout plan if the change doesn’t work
– Document the changes
Asset management
• Iden琀椀fy and track compu琀椀ng assets
– Usually an automated process
• Respond faster to security problem
– You know who, what, and where
• Keep an eye on the most valuable assets
– Both hardware and data
• Track licenses
– You know exactly how many you’ll need
• Verify that all devices are up to date
– Security patches, an琀椀-malware signature updates, etc.
5.4 - Risk Management Types
Risk assessment
• Iden琀椀fy assets that could be a昀昀ected by an a琀琀ack
– De昀椀ne the risk associated with each asset
– Hardware, customer data, intellectual property
• Iden琀椀fy threats
– Loss of data, disrup琀椀on of services, etc.
• Determine the risk - High, medium, or low risk
• Assess the total risk to the organiza琀椀on
– Make future security plans
Risk assessments
• External threats
– Outside the organiza琀椀on
– Hacker groups, former employees
• Internal threats
– Employees and partners
– Disgruntled employees
• Legacy systems
– Outdated, older technologies
– May not be supported by the manufacturer
– May not have security updates
– Depending on the age, may not be easily accessible
Mul琀椀-party risk
• Breaches involving mul琀椀ple par琀椀es
– O昀琀en trusted business rela琀椀onships
– Events o昀琀en involve many di昀昀erent par琀椀es
• May 2019 - American Medical Collec琀椀on Agency
– Provided debt collec琀椀on for many di昀昀erent
organiza琀椀ons
– Data breach disclosed personal informa琀椀on on 24
million individuals
– Twenty-three healthcare organiza琀椀ons a昀昀ected by
this single breach
– A single breach can cause a ripple e昀昀ect
© 2020 Messer Studios, LLC
Risk assessments
• Intellectual Property (IP) the昀琀
– The昀琀 of ideas, inven琀椀ons, and crea琀椀ve expressions
– Human error, hacking, employees with access, etc.
– Iden琀椀fy and protect IP
– Educate employees and increase security
• So昀琀ware compliance/licensing
– Opera琀椀onal risk with too few licenses
– Financial risk with budge琀椀ng and over-allocated
licenses
– Legal risk if proper licensing is not followed
Risk management strategies
• Acceptance
– A business decision; we’ll take the risk!
• Risk-avoidance
– Stop par琀椀cipa琀椀ng in a high-risk ac琀椀vity
• Transference
– Buy some cybersecurity insurance
• Mi琀椀ga琀椀on
– Decrease the risk level
– Invest in security systems
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 116
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
5.4 - Risk Analysis
Evalua琀椀ng risk
• Risk register
– Every project has a plan, but also has risk
– Iden琀椀fy and document the risk associated
with each step
– Apply possible solu琀椀ons to the iden琀椀昀椀ed risks
– Monitor the results
• Risk matrix / risk heat map
– View the results of the risk assessment
– Visually iden琀椀fy risk based on color
– Combines the likelihood of an event with
the poten琀椀al impact
– Assists with making strategic decisions
Audit risk model
• Inherent risk
– Impact + Likelihood
– Risk that exists in the absence of controls
– Some models include the exis琀椀ng set of controls
• Residual risk
– Inherent risk + control e昀昀ec琀椀veness
– Risk that exists a昀琀er controls are considered
– Some models base it on including addi琀椀onal controls
• Risk appe琀椀te
– The amount of risk an organiza琀椀on is willing to take
Risk control assessment
• Risk has been determined
– Heat maps have been created
• Time to build cybersecurity requirements
– Based on the iden琀椀昀椀ed risks
• Find the gap
– O昀琀en requires a formal audit
– Self-assessments may be an op琀椀on
• Build and maintain security systems based on the
requirements
– The organiza琀椀onal risk determines the proper
controls
• Determine if exis琀椀ng controls are compliant or noncompliant
– Make plans to bring everything into compliance
Risk awareness
• A constantly changing ba琀琀le昀椀eld
– New risks, emerging risks
– A nearly overwhelming amount of informa琀椀on
– Di昀케cult to manage a defense
© 2020 Messer Studios, LLC
• Knowledge is key
– Part of every employee’s daily job role
– Part of the onboarding process for employees
and partners
• Maintaining awareness
– Ongoing group discussions
– Presenta琀椀ons from law enforcement
– A琀琀end security conferences and programs
Regula琀椀ons that a昀昀ect risk posture
• Many of them
– Regula琀椀ons tend to regulate
• Regula琀椀ons directly associated to cybersecurity
– Protec琀椀on of personal informa琀椀on, disclosure of
informa琀椀on breaches
– Requires a minimum level of informa琀椀on security
• HIPAA - Health Insurance Portability and
Accountability Act
– Privacy of pa琀椀ent records
– New storage requirements, network security,
protect against threats
• GDPR - General Data Protec琀椀on Regula琀椀on
– European Union data protec琀椀on and privacy
– Personal data must be protected and managed
for privacy
Qualita琀椀ve risk assessment
• Iden琀椀fy signi昀椀cant risk factors
– Ask opinions about the signi昀椀cance
– Display visually with tra昀케c light grid or
similar method
Quan琀椀ta琀椀ve risk assessment
• Likelihood
– Annualized Rate of Occurrence (ARO)
– How likely is it that a hurricane will hit?
In Montana? In Florida?
• SLE (Single Loss Expectancy)
– What is the monetary loss if a single event occurs?
– Laptop stolen (asset value or AV) = $1,000
• ALE (Annualized Loss Expectancy)
– ARO x SLE
– Seven laptops stolen a year (ARO) x
$1,000 (SLE) = $7,000
• The business impact can be more than monetary
– Quan琀椀ta琀椀ve vs. qualita琀椀ve
Disaster types
• Environmental threats
– Tornado, hurricane, earthquake, severe weather
• Person-made threats
– Human intent, negligence, or error
– Arson, crime, civil disorder, 昀椀res, riots, etc.
• Internal and external
– Internal threats are from employees
– External threats are from outside the organiza琀椀on
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 117
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
5.4 - Business Impact Analysis
Recovery
• Recovery 琀椀me objec琀椀ve (RTO)
– Get up and running quickly
– Get back to a par琀椀cular service level
• Recovery point objec琀椀ve (RPO)
– How much data loss is acceptable?
– Bring the system back online; how far back
does data go?
• Mean 琀椀me to repair (MTTR)
– Time required to 昀椀x the issue
• Mean 琀椀me between failures (MTBF)
– Predict the 琀椀me between outages
Func琀椀onal recovery plans
• Recover from an outage
– Step-by-step guide
• Contact informa琀椀on
– Someone is on-call
– Keep everyone up to date
• Technical process
– Reference the knowledge base
– Follow the internal processes
• Recover and test
– Con昀椀rm normal opera琀椀on
Removing single points of failure
• A single event can ruin your day
– Unless you make some plans
• Network con昀椀gura琀椀on
– Mul琀椀ple devices (the “Noah’s Ark” of networking)
• Facility / U琀椀li琀椀es
– Backup power, mul琀椀ple cooling devices
• People / Loca琀椀on
– A good hurricane can disrupt personnel travel
• There’s no prac琀椀cal way to remove all points of failure
– Money drives redundancy
Disaster recovery plan (DRP)
• Detailed plan for resuming opera琀椀ons a昀琀er a disaster
– Applica琀椀on, data center, building, campus, region, etc.
• Extensive planning prior to the disaster
– Backups
– O昀昀-site data replica琀椀on
– Cloud alterna琀椀ves
– Remote site
• Many third-party op琀椀ons
– Physical loca琀椀ons
– Recovery services
Impact
• Life - The most important considera琀椀on
• Property - The risk to buildings and assets
• Safety - Some environments are too dangerous to work
• Finance - The resul琀椀ng 昀椀nancial cost
• Reputa琀椀on
– An event can cause status or character problems
Mission-essen琀椀al func琀椀ons
• If a hurricane blew through, what func琀椀ons would be
essen琀椀al to the organiza琀椀on?
– That’s where you start your analysis
– These are broad business requirements
• What compu琀椀ng systems are required for these
mission-essen琀椀al business func琀椀ons?
– Iden琀椀fy the cri琀椀cal systems
Site risk assessment
• All loca琀椀ons are a bit di昀昀erent
– Even those designed to be similar
• Recovery plans should consider unique environments
– Applica琀椀ons
– Personnel
– Equipment
– Work environment
5.5 - Privacy and Data Breaches
Informa琀椀on life cycle
• Crea琀椀on and receipt
– Create data internally or receive data
from a third-party
• Distribu琀椀on - Records are sorted and stored
• Use
– Make business decisions, create products
and services
• Maintenance
– Ongoing data retrieval and data transfers
• Disposi琀椀on
– Archiving or disposal of data
Consequences
• Reputa琀椀on damage
– Opinion of the organiza琀椀on becomes nega琀椀ve
– Can have an impact on products or services
– Can impact stock price
© 2020 Messer Studios, LLC
• Iden琀椀ty the昀琀
– Company and/or customers informa琀椀on
becomes public
– May require public disclosure
– Credit monitoring costs
• Fines
– Uber
• Data breach in 2016 wasn’t disclosed
• Uber paid the hackers $100,000 instead
• Lawsuit se琀琀lement was $148 million
– Equifax
• 2017 data breach
• Government 昀椀nes were approximately $700 million
• Intellectual Property (IP) the昀琀
– Stealing company secrets
– Can put an organiza琀椀on out of business
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 118
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
5.5 - Privacy and Data Breaches (con琀椀nued)
No琀椀昀椀ca琀椀on
• Internal escala琀椀on process
– Breaches are o昀琀en found by technicians
– Provide a process for making those 昀椀ndings known
• External escala琀椀on process
– Know when to ask for assistance from
external resources
– Security experts can 昀椀nd and stop an ac琀椀ve breach
• Public no琀椀昀椀ca琀椀ons and disclosures
– Refer to security breach no琀椀昀椀ca琀椀on laws
– All 50 US states, EU, Australia, etc.
– Delays might be allowed for criminal inves琀椀ga琀椀ons
Privacy impact assessment (PIA)
• Almost everything can a昀昀ect privacy
– New business rela琀椀onships, product updates, website
features, service o昀昀ering
• Privacy risk needs to be iden琀椀昀椀ed in each ini琀椀a琀椀ve
– How could the process compromise customer privacy?
• Advantages
– Fix privacy issues before they become a problem
– Provides evidence of a focus on privacy
– Avoid data breach
– Shows the importance of privacy to everyone
No琀椀ces
• Terms of service
– Terms of use, terms and condi琀椀ons (T&C)
– Legal agreement between service provider and user
– User must agree to the terms to use the service
• Privacy no琀椀ce, privacy policy
– May be required by law
– Documents the handling of personal data
– May provide addi琀椀onal data op琀椀ons and
contact informa琀椀on
5.5 - Data Classi昀椀ca琀椀ons
Labeling sensi琀椀ve data
• Not all data has the same level of sensi琀椀vity
– License tag numbers vs. health records
• Di昀昀erent levels require di昀昀erent security and handling
– Addi琀椀onal permissions
– A di昀昀erent process to view
– Restricted network access
Data classi昀椀ca琀椀ons
• Proprietary
– Data that is the property of an organiza琀椀on
– May also include trade secrets
– O昀琀en data unique to an organiza琀椀on
• PII - Personally Iden琀椀昀椀able Informa琀椀on
– Data that can be used to iden琀椀fy an individual
– Name, date of birth, mother’s maiden name,
biometric informa琀椀on
• PHI - Protected Health Informa琀椀on
– Health informa琀椀on associated with an individual
– Health status, health care records, payments for
health care, and much more
• Public / Unclassi昀椀ed
– No restric琀椀ons on viewing the data
• Private / Classi昀椀ed / Restricted / Internal use only
– Restricted access, may require a non-disclosure
agreement (NDA)
• Sensi琀椀ve - Intellectual property, PII, PHI
• Con昀椀den琀椀al - Very sensi琀椀ve, must be approved to view
• Cri琀椀cal - Data should always be available
• Financial informa琀椀on
– Internal company 昀椀nancial informa琀椀on
– Customer 昀椀nancial details
• Government data
– Open data
– Transfer between government en琀椀琀椀es
– May be protected by law
• Customer data
– Data associated with customers
– May include user-speci昀椀c details
– Legal handling requirements
5.5 - Enhancing privacy
Tokeniza琀椀on
• Replace sensi琀椀ve data with a non-sensi琀椀ve placeholder
– SSN 266-12-1112 is now 691-61-8539
• Common with credit card processing
– Use a temporary token during payment
– An a琀琀acker capturing the card numbers can’t use
them later
• This isn’t encryp琀椀on or hashing
– The original data and token aren’t
mathema琀椀cally related
– No encryp琀椀on overhead
© 2020 Messer Studios, LLC
Data minimiza琀椀on
• Minimal data collec琀椀on
– Only collect and retain necessary data
• Included in many regula琀椀ons
– HIPAA has a “Minimum Necessary” rule
– GDPR - “Personal data shall be adequate, relevant
and not excessive in rela琀椀on to the purpose or
purposes for which they are processed.”
• Some informa琀椀on may not be required
– Do you need a telephone number or address?
• Internal data use should be limited
– Only access data required for the task
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 119
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com
lOMoARcPSD|36915131
5.5 - Enhancing privacy (con琀椀nued)
Anonymiza琀椀on
• Make it impossible to iden琀椀fy individual data
from a dataset
– Allows for data use without privacy concerns
• Many di昀昀erent anonymiza琀椀on techniques
– Hashing, masking, etc.
• Convert from detailed customer purchase data
– Remove name, address, change phone number
to ### ### ####
– Keep product name, quan琀椀ty, total, and sale date
• Anonymiza琀椀on cannot be reversed
– No way to associate the data to a user
Data masking
• Data obfusca琀椀on
– Hide some of the original data
• Protects PII
– And other sensi琀椀ve data
• May only be hidden from view
– The data may s琀椀ll be intact in storage
– Control the view based on permissions
• Many di昀昀erent techniques
– Subs琀椀tu琀椀ng, shu昀툀ing, encryp琀椀ng, masking out, etc.
Pseudo-anonymiza琀椀on
• Pseudonymiza琀椀on
– Replace personal informa琀椀on with pseudonyms
– O昀琀en used to maintain sta琀椀s琀椀cal rela琀椀onships
• May be reversible
– Hide the personal data for daily use or in case of breach
– Convert it back for other processes
• Random replacement
– James Messer -> Jack O’Neill -> Sam Carter -> Daniel Jackson
• Consistent replacements
– James Messer is always converted to George Hammond
5.5 - Data Roles and Responsibili琀椀es
Data responsibility
• High-level data rela琀椀onships
– Organiza琀椀onal responsibili琀椀es, not always technical
• Data owner
– Accountable for speci昀椀c data, o昀琀en a senior o昀케cer
– VP of Sales owns the customer rela琀椀onship data
– Treasurer owns the 昀椀nancial informa琀椀on
Data roles
• Data controller
– Manages the purposes and means by which
personal data is processed
• Data processor
– Processes data on behalf of the data controller
– O昀琀en a third-party or di昀昀erent group
• Payroll controller and processor
– Payroll department (data controller) de昀椀nes
payroll amounts and 琀椀meframes
– Payroll company (data processor) processes payroll
and stores employee informa琀椀on
© 2020 Messer Studios, LLC
Addi琀椀onal data roles
• Data custodian/steward
– Responsible for data accuracy, privacy, and security
– Associates sensi琀椀vity labels to the data
– Ensures compliance with any applicable laws
and standards
– Manages the access rights to the data
– Implements security controls
• Data protec琀椀on o昀케cer (DPO)
– Responsible for the organiza琀椀on’s data privacy
– Sets policies, implements processes and procedures
Professor Messer’s CompTIA SY0-601 Security+ Course Notes - Page 120
Downloaded by Yeduri Vamsi Mani Prasad (vamsiprasad321@gmail.com)
h琀琀ps://ProfessorMesser.com