This is a practical certification guide covering all the exam topics in an easy-to-follow manner, backed with mock tests and self-assessment scenarios for better preparation.
Book Description
CompTIA Security+ is a worldwide certification that establishes the fundamental knowledge required to perform core security functions and pursue an IT security career. CompTIA Security+ Certification Guide is a best-in-class exam study guide that covers all of CompTIA Security+ 501 exam objectives. It is authored by Ian Neil, who is a world-class trainer of CompTIA Security+ 501. Packed with self-assessment scenarios and realistic exam questions, this guide will help you master the core concepts to succeed in the exam the first time you take it.
Using relevant examples, you will learn all the important security fundamentals from Certificates and Encryption to Identity and Access Management concepts. You will then dive into the important domains of the exam; namely, threats, attacks and vulnerabilities, technologies and tools, architecture and design, risk management, and cryptography and Public Key Infrastructure (PKI).
This book comes with over 600 practice questions with detailed explanation that is at the exam level and also includes two mock exams to help you with your study plan. This guide will ensure that encryption and certificates are made easy for you.
Who this book is for
This book is designed for anyone who is seeking to pass the CompTIA Security+ SY0-501 exam. It is a stepping stone for anyone who wants to become a security professional or move into cyber security. This certification guide assumes no prior knowledge of the product.
You can read the e-book in Legimi apps or in any other app that supports the following format:
Page count: 621
Year of publication: 2018
Copyright © 2018 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Commissioning Editor: Gebin George
Acquisition Editor: Rahul Nair
Content Development Editor: Arjun Joshi
Technical Editor: Varsha Shivhare
Copy Editor: Safis Editing
Project Coordinator: Kinjal Bari
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Jisha Chirayil
Production Coordinator: Shraddha Falebhai
First published: September 2018
Production reference: 1290918
Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.
ISBN 978-1-78934-801-9
www.packtpub.com
Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.
Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Mapt is fully searchable
Copy and paste, print, and bookmark content
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.
Ian Neil is one of the world's top trainers of Security+ 501, with the ability to break the information down into manageable chunks so that even students with no background knowledge can follow it. Ian was a finalist of the Learning and Performance Institute Trainer of the Year Awards. He has worked for the US Army in Europe and designed a Security+ course that catered to people from all backgrounds, not just IT professionals, with an extremely successful pass rate.
He was instrumental in helping Microsoft get their office in Bucharest off the ground, where he won a recognition award for being one of their top trainers. Ian is an MCT, MCSE, A+, Network+, Security+, CASP, and RESILIA practitioner who over the past 20 years has worked with high-end training providers.
If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.
Title Page
Ian Neil
Copyright and Credits
CompTIA Security+ Certification Guide
Packt Upsell
Why subscribe?
Packt.com
Contributor
About the author
Packt is searching for authors like you
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the color images
Conventions used
Get in touch
Reviews
Understanding Security Fundamentals
CIA triad concept
Identifying security controls
Administrative controls
Technical controls
Physical controls
Preventative controls
Deterrent controls
Detective controls
Corrective controls
Compensating controls
Access controls
Discretionary access control
Least privilege
Mandatory access control
Linux permissions (not SELinux)
Role-based access control
Rule-based access control
Attribute-based access control
Group-based access
Hashing and data integrity
Hash practical
Hash exercise
Defense in depth model
Review questions
Answers and explanations
Conducting Risk Analysis
Risk management
Importance of policy, plans, and procedures
Standard operating procedures
Agreement types
Personnel management—policies and procedures
Role-based awareness training
General security policies
Business impact analysis concepts
Privacy threshold assessment/privacy impact assessment
Mission-essential functions/identification of critical systems
Example
Supply chain risk assessment
Example
Business impact analysis concepts
Calculating loss
Example
Risk procedures and concepts
Threat assessment
Threat actors
Risk treatment
Risk register
Qualitative/quantitative risk analysis
Review questions
Answers and explanations
Implementing Security Policies and Procedures
Industry standard frameworks and reference architecture
OSI reference model
TCP/IP model
Types of frameworks
Benchmarks/secure configuration guides
Policies and user guides
Security configuration guides – web servers
Network infrastructure device user guides
General purpose guides
Implementing data security and privacy practices
Destroying data and sanitizing media 
Data sensitivity labeling and handling
Data retention – legal and compliance
Data roles
Practical – creating a baseline
Review questions
Answers and explanations
Delving into Identity and Access Management
Understanding identity and access management concepts
Passwords
Default/administrator password
Passwords—group policy
Password recovery
Authentication factors
Number of factor examples
Transitive trust
Federation services
Shibboleth
Single sign-on
Installing and configuring identity and access services
LDAP
Kerberos
Internet-based open source authentication
Authentication, authorization, and accounting (AAA) servers
Authentication
Learning about identity and access management controls
Biometrics
Security tokens and devices
Certification-based authentication
Port-based authentication
Common account management practices
Account types
Account creation
Employees moving departments
Disabling an account
Account recertification
Account maintenance
Account monitoring
Security Information and Event Management
Group-based access control
Credential management
User account reviews
Practical exercise – password policy
Review questions
Answers and explanations
Understanding Network Components
OSI – reference model
Installing and configuring network components
Firewall
Router
Access control list – network devices
Intrusion-prevention system
Intrusion-detection system
Modes of detection
Modes of operation
Monitoring data
Switch
Layer 3 switch
Proxy server
Reverse proxy
Remote access
Virtual private network using L2TP/IPSec
IPSec
IPSec – handshake
VPN concentrator
Site-to-site VPN
VPN always on versus on-demand
SSL VPN
Split tunnelling
Load balancer
Clustering
Data-loss prevention
Security information and event management
Mail gateway
Cloud-based email
Media gateway
Hardware security module
Software-defined network
Secure network architecture concepts
Network address translation
Port address translation
Network access control (NAC)
Honeypot
Secure Socket Layer accelerators
SSL/TLS decryptor
Sensor/collector
Tap/port mirror
DDoS mitigator
Segregation/segmentation/isolation
Security device/technology placement
DMZ device placement
LAN device placement
Aggregation switches
Implementing secure protocols
Use case
File transfer – use case
Remote access – use case
Email – use case
Name resolution – use case
Hostname
DNSSEC
NETBIOS
Web – use case
Voice and video – use case
Network address allocation – use case
IP version 4
IP version 4 – lease process
IP version 4 lease process – troubleshooting
IP version 6 addressing
Subscription services – use case
Routing – use case
Time synchronization – use case
Directory services – use case
Active Directory
Switching – use case
Simple network management protocol – use case
Implementing wireless security
Wireless access points – controllers
Securing access to your wireless access point
Wireless bandwidth/band selection
Wireless channels
Wireless antenna types and signal strength
Wireless coverage
Wireless encryption
Wireless – open system authentication
Wireless – WPS
Wireless – captive portal
Wireless attacks
Wireless authentication protocols
Review questions
Answers and explanations
Understanding Cloud Models and Virtualization
Cloud computing
Implementing different cloud deployment models
Cloud service models
Disk resiliency and redundancy
Redundant array of independent disks
Storage area network
Understanding cloud storage concepts
Exploring virtual networks
Virtual desktop infrastructure
VDE
Heating, ventilation, and air-conditioning
Network environments
On-premises
Hosted services
Cloud-hosting services
Practical exercise – is the cloud cost-effective?
Review questions
Answers and explanations
Managing Hosts and Applications Deployment
Deploying mobile devices securely
Bring your own device
Choose your own device
Corporate-owned personally-enabled
Virtual desktop infrastructure
Mobile device connection methods
Mobile device management concepts
Accessing the device
Device management
Device protection
Device data
Mobile device enforcement and monitoring
Industrial control system
Supervisory control and data acquisition
Mobile devices – security implications of embedded systems
Special-purpose devices
Secure application development and deployment concepts
Development life cycle models – waterfall vs agile
Waterfall
Agile
Agile versus waterfall
DevOps
Secure DevOps
Secure coding techniques
Code quality and testing
Server-side versus client-side execution and validation
Review questions
Answers and explanations
Protecting Against Attacks and Vulnerabilities
Virus and malware attacks
Social engineering attacks
Common attacks
Application/service attacks
Programming attacks
Example 1—JavaScript—creating a money variable
Example 2—JavaScript—setting the day of the month
Hijacking related attacks
Driver manipulation
Cryptographic attacks
Password attacks
Wireless attacks
Penetration testing
Penetration testing techniques
Vulnerability scanning concepts
Credentialed versus non-credentialed scans
Penetration testing versus vulnerability scanning
Practical exercise—running a vulnerability scanner
Review questions
Answers and explanations
Implementing Public Key Infrastructure
Public key infrastructure concepts
Certificate hierarchy
Certificate trust
Certificate validity
Certificate management concepts
Certificate types
Asymmetric and symmetric encryption
Encryption explained
Digital signature explained
Cryptography algorithms and their characteristics
Symmetric algorithms
Asymmetric algorithms
Symmetric versus asymmetric analogy
XOR encryption
Key stretching algorithms
Cipher modes
Stream versus block cipher analogy
Hashing and data integrity
Comparing and contrasting basic concepts of cryptography
Asymmetric – PKI
Asymmetric – weak/deprecated algorithms
Asymmetric – ephemeral keys
Symmetric algorithm – modes of operation
Symmetric encryption – stream versus block cipher
Symmetric encryption – confusion
Symmetric encryption – secret algorithm
Symmetric – session keys
Hashing algorithms
Crypto service provider
Crypto module
Protecting data
Basic cryptographic terminology
Obfuscation
Pseudo random number generator
Nonce
Perfect forward secrecy
Security through obscurity
Collision
Steganography
Diffusion
Implementation versus algorithm
Common use cases for cryptography
Supporting confidentiality
Supporting integrity
Supporting non-repudiation
Supporting obfuscation
Low-power devices
Low latency
High resiliency
Supporting authentication
Resource versus security constraints
Practical exercises
Practical exercise 1 – building a certificate server
Practical exercise 2—encrypting data with EFS and stealing certificates
Practical exercise 3 – revoking the EFS certificate
Review questions
Answers and explanations
Responding to Security Incidents
Incident response procedures
Incident response process
Understanding the basic concepts of forensics
Five minute practical
Software tools to assess the security posture of an organization
Backup utilities
Backup types
Command-line tools
Analyzing and interpreting output from security technologies
Review questions
Answers and explanations
Managing Business Continuity
Implementing secure systems design
Hardware/firmware security
Operating systems
Securing IT systems
Peripherals
Importance of secure staging deployment concepts
Troubleshooting common security issues
Misconfigured devices
Personnel issues
Software issues
Disaster recovery and continuity of operations concepts
Review questions
Answers and explanations
Mock Exam 1
Mock Exam 2
Preparing for the CompTIA Security+ 501 Exam
Tips on taking the exam
Exam preparation
Practical 1—drag and drop—attacks
Practical 2—drag and drop—certificates
Practical 3—drag and drop—ports/protocol
Practical 4—drag and drop—authentication factors
Practical 5—drag and drop—general
Drag and drop—answers
Linux information
Acronyms
Assessment
Mock Exam 1
Mock Exam 2
Other Books You May Enjoy
Leave a review - let other readers know what you think
This book will help you to understand security fundamentals, ranging from the CIA triad right through to identity and access management. This book describes network infrastructure and how it is evolving with the implementation of virtualization and different cloud models and their storage. You will learn how to secure devices and applications that are used by a company.
This book is designed for anyone who is seeking to pass the CompTIA Security+ SY0-501 exam. It is a stepping stone for anyone who wants to become a security professional or move into cyber security.
Chapter 1, Understanding Security Fundamentals, covers some security fundamentals that will be expanded upon in later chapters.
Chapter 2, Conducting Risk Analysis, looks at the types of threats and vulnerabilities, and at the roles that different threat actors play.
Chapter 3, Implementing Security Policies and Procedures, looks at reference architectures, different guides, and how best to dispose of data.
Chapter 4, Delving into Identity and Access Management, looks at different types of authentication and how to dispose of data. We will first look at the concepts of identity and access management.
Chapter 5, Understanding Network Components, examines networking components and how they could affect the security of your network. We will look at firewalls, switches, and routers.
Chapter 6, Understanding Cloud Models and Virtualization, teaches about virtualization, deployment, and security issues. We will get acquainted with various cloud models, looking at their deployment and storage environments.
Chapter 7, Managing Hosts and Applications Deployment, looks at different mobile devices and their characteristics, as well as the applications that run on these devices.
Chapter 8, Protecting Against Attacks and Vulnerabilities, explores attacks and vulnerabilities, taking in turn each type of attack and its unique characteristics. This module is probably the most heavily tested module in the Security+ exam.
Chapter 9, Implementing Public Key Infrastructure, gets into the different encryption types and how certificates are issued and used.
Chapter 10, Responding to Security Incidents, deals with incident response, focusing on the collection of volatile evidence for forensic analysis.
Chapter 11, Managing Business Continuity, turns its attention toward our business environment to consider the provision of systems availability, looking at selecting the most appropriate method for recovery following a disaster.
Chapter 12, Mock Exam 1, includes mock questions, along with explanations, which will help in assessing whether you're ready for the test.
Chapter 13, Mock Exam 2, includes more mock questions, along with explanations, which will help in assessing whether you're ready for the test.
Appendix A, Preparing for the CompTIA Security+ 501 Exam, is included to help students pass the Security+ exam the first time.
Appendix B, Acronyms, contains full forms of the abbreviations used in all the chapters.
This certification guide assumes no prior knowledge of the product.
We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781789348019_ColorImages.pdf.
There are a number of text conventions used throughout this book.
CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "For example, if we take the word pass in plaintext it may then be converted to UDVV; this way it is difficult to understand."
Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "The most common asymmetric algorithms include the Diffie Hellman, which creates a secure session so that symmetric data can flow securely."
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.
Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
In this chapter, we will look at a number of security fundamentals, some of which will be expanded upon in later chapters. For the exam, you will need to know all of the information in this book, as the exam is fairly tricky.
We will cover the following exam objectives in this chapter:
Explaining the importance of physical security controls:
Lighting—signs—fencing/gate/cage—security guards—alarms—safe—secure cabinets/enclosures—protected distribution/protected cabling—Airgap—Mantrap—Faraday cage—lock types—Biometrics—Barricades/bollards—tokens/cards—environmental controls—HVAC—hot and cold aisles—fire suppression—cable locks—screen filters—cameras—motion detection—logs—infrared detection—key management
Given a scenario, implement identity and access management controls:
Access control models—MAC—DAC—ABAC—role-based access control—rule-based access control—physical access control—proximity cards—smart cards
Comparing and contrasting various types of controls:
Deterrent—preventive—detective—corrective—compensating—technical—administrative—physical
Explaining cryptography algorithms and their basic characteristics:
Hashing algorithms—MD5—SHA—HMAC—RIPEMD
Most security books start with the basics of security by featuring the CIA triad; this is a model designed to guide policies for information security within an organization. It is a widely used security model and it stands for confidentiality, integrity, and availability, the three key principles that should be used to guarantee having a secure system:
Confidentiality: Prevents the disclosure of data to unauthorized people so that only authorized people have access to data; this is known as the need-to-know basis. Only those who should know the contents should be given access. An example would be that your medical history is only available to your doctor and nobody else. We also tend to encrypt data to keep it confidential.
Integrity: This means that you know that data has not been altered or tampered with. We use a technique called hashing that takes the data and converts it into a numerical value. If you run the hash when you suspect changes have taken place, and the numerical value has changed, then the data has been tampered with. Common hashing algorithms in the exam are Secure Hash Algorithm version 1 (SHA1) and Message Digest version 5 (MD5).
Availability: Ensures that data is always available; if you wanted to purchase an airplane ticket and the system came back with an error so that you could not purchase it, this could be frustrating.
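The integrity check described above, written out as an added example (this is not code from the book): the stored digest is recomputed over the data and compared, so a single changed byte is detected. The sample record and the key are constructed for the demonstration; the HMAC part goes one step beyond the chapter to show why a keyed hash is needed when the attacker can also rewrite the stored digest.

```python
import hashlib
import hmac

# Constructed sample record: the data as it looked when the digest was taken,
# and a tampered copy that changes a single character in the amount.
ORIGINAL = b"Invoice 1042: pay 100.00 GBP to account 12345678"
TAMPERED = b"Invoice 1042: pay 900.00 GBP to account 12345678"


def digest(data: bytes, algorithm: str = "sha1") -> str:
    """Return the hex digest of data using the named hashlib algorithm.

    SHA1 and MD5 are the two algorithms the exam names for integrity
    checking; SHA-256 is included because both older algorithms are
    deprecated for new designs (collisions are practical for MD5 and SHA1).
    """
    if algorithm not in {"md5", "sha1", "sha256"}:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def verify_integrity(data: bytes, expected: str, algorithm: str = "sha1") -> bool:
    """Recompute the digest over data and compare it with the stored value.

    compare_digest runs in constant time, so the comparison does not leak
    how many leading characters of the digest matched.
    """
    return hmac.compare_digest(digest(data, algorithm), expected)


def keyed_digest(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over data.

    A plain hash stored beside the data can be recomputed by anyone who
    alters the data. An HMAC can only be recomputed by someone holding the
    key, so tampering is still detected when the stored digest is replaced.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed(data: bytes, key: bytes, expected: str) -> bool:
    """Recompute the HMAC with the shared key and compare in constant time."""
    return hmac.compare_digest(keyed_digest(data, key), expected)


if __name__ == "__main__":
    for alg in ("md5", "sha1", "sha256"):
        stored = digest(ORIGINAL, alg)
        print(f"{alg:7} original : {stored}")
        print(f"{alg:7} tampered : {digest(TAMPERED, alg)}")
        print(f"{alg:7} verify original -> {verify_integrity(ORIGINAL, stored, alg)}")
        print(f"{alg:7} verify tampered -> {verify_integrity(TAMPERED, stored, alg)}")

    # Constructed key for the demonstration; in practice it comes from a
    # key store, never from source code.
    key = b"demo-integrity-key"
    tag = keyed_digest(ORIGINAL, key)
    print(f"hmac    verify original -> {verify_keyed(ORIGINAL, key, tag)}")
    print(f"hmac    verify tampered -> {verify_keyed(TAMPERED, key, tag)}")
```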
There are a wide variety of different security controls that are used to mitigate the risk of being attacked; the three main security controls are technical, administrative, and physical. In this section, we are going to look at these in more detail; you need to be familiar with each of these controls and when each of them should be applied. Let's start by looking at the three main controls.
Administrative controls are mainly written by managers to create organizational policies that reduce the risk within companies. An example could be an internet-use policy, so that employees realize that the internet can only be used for company business and not for social media during the working day. Another administrative control would be completing a form if you want to apply for a holiday; the form would be available from the forms library. Further examples include the following:
Annual security awareness training: This is an annual event where you are reminded about what you should be doing on a daily basis to keep the company safe. An example would be that when you are finished for the day, you clear your desk and lock all documents away; another would remind you that your identity badge should be worn at all times and that you should challenge anyone not wearing a badge. Another example is that companies now need their employees to complete cyber security training, as the risk is getting greater each day.
Annual risk assessment: A company will have a risk register where the financial director will look at all of the risks associated with money and the IT manager will look at all of the risks posed by the IT infrastructure. As technology changes and the hackers get more sophisticated, the risks can become greater.
Penetration testing/vulnerability scanning: A vulnerability scan is not intrusive, as it merely checks for vulnerabilities, whereas a penetration test is more intrusive and can exploit vulnerabilities. These will be explained further on in this book.
Change management: This is a process that a company adopts so that any changes don't cause any security risks to the company. A change to one department could impact another department. The Change Advisory Board (CAB) assists with the prioritization of changes; they also look at the financial benefits of the change and may accept or reject the changes proposed for the benefit of the company. Information technology (IT) evolves rapidly, and our processes will need to change to cope with the potential security risks associated with newer technology.
Technical controls are those implemented by the IT team to reduce risk to the business. These could include the following:
Firewall rules: Firewalls prevent unauthorized access to the network by IP address, application, or protocol. These are covered in depth later in this book.
Antivirus/antimalware: Malware is the most common threat to the business, and we must ensure that all servers and desktops are protected and up to date.
Screen savers: These log computers off when they are idle, preventing access.
Screen filters: These prevent people walking past from reading the data on your screen.
Intrusion Prevention Systems (IPS)/Intrusion Detection Systems (IDS): The intrusion detection system monitors the network for any changes, and the intrusion prevention system stops the attacks.
Physical controls are controls that you can touch, for example:
Cable locks: These are attached to laptops to secure them so that nobody can steal them.
Laptop safe: Laptops and tablets are expensive, but the data they hold could be priceless; therefore, there are safes for the storage of laptops and tablets.
Biometric locks: Biometrics are unique to each person; examples would be fingerprint, voice, iris, and facial recognition.
Fences/gates: The first line of defense should be a perimeter fence, as the openness of many sites renders them highly vulnerable to intruders. Access to the site can be controlled by using a gate, either manned by a security guard or fitted with a proximity reader. A timber fence does not provide as much protection as a high steel fence.
Burglar alarms: These are set when the premises are not occupied, so when someone tries to break into your premises, it will trigger the alarm and notify the monitoring company or local police.
Fire alarms/smoke detectors: In a company, there will be fire alarms or smoke detectors in every room so that when a fire breaks out and the alarms go off, the people inside the premises are given the opportunity to escape.
Lighting: Lighting is installed for two main reasons: the first is so that anyone trying to enter your site at night can be seen, and the second is for safety.
Security guards: They check the identity cards of people entering the building to stop unauthorized access. This also helps deter people trying to enter a building illegally.
Mantraps: These are turnstile devices that only allow one person in at a time. They maintain a safe and secure environment, mainly for a data center. A data center hosts many servers for different companies.
Perimeter protection: Fences, gates, and lights could protect the perimeter of your company. We could place bollards in front of a building to stop a car driving through the entrance. These normally protect ATM cash machines from being hit by a vehicle.
Internal protection: We could have safes and secure enclosures; the first example would be a toughened glass container or a sturdy mesh, both with locks to reduce access. We could also have protected distribution for cabling; this looks like metal poles that would have network cables inside. Screen filters used on a desktop could prevent someone from reading the screen.
Faraday cage: This is a metal structure, like the metal mesh used to house chickens. The cage prevents wireless or cellular phones from working inside the company. This could be built into the structure of a room used as a secure area.
Key management: This is where departmental keys are signed out and signed back in daily to prevent someone taking the keys away and cutting copies of them.
Proximity card: These are contactless devices where a smart card or token is held near the proximity reader to gain access to a door or building.
Tokens: Tokens are small physical devices that you touch against the proximity reader to enter a restricted area of a building. Some tokens allow you to open and lock doors by pressing the middle of the token itself; others display a code for a number of seconds before it expires.
Environmental controls: Heating, ventilation, and air-conditioning (HVAC) and fire-suppression systems are also security controls. In a data center or a server room, the temperature needs to be kept cool or the servers inside will overheat and fail.
Air gap: This is where a device is on your network, but it has a device between it and the other devices on your network. For example, you may want to isolate a computer that can complete a BACS transfer from the other computers in the finance department.
Motion detection/cameras: These could be deemed physical controls, but the exam is focused on these being deterrent controls. Log files also note the events and could also be deemed a physical control, but the exam deems them to be detective controls.
Barricades: Barricades can be erected across roads to stop traffic entering your site, but will not stop someone getting out of a car and jumping over them. You will need to use them in conjunction with security guards to fully protect your site.
Bollards: Bollards are becoming very common, as they control access by cars and stop them ramming through a front door. They stop ram raiders from stealing a cash machine or crashing into a jeweler's shop. They can be made from steel or concrete and are placed about four feet apart. In some countries, they are installed to prevent car bombers driving their vehicle into a group of people, maybe inside a shopping mall.
Preventative controls are in place to deter any attack; this could be having a security guard with a large dog walking around the perimeter of your company. This would make someone trying to break in think twice. Examples include the following:
Disable user accounts: When someone leaves a company, the first thing that happens is that their account is disabled, as we don't want to lose information that they have access to, and then we change the password so that they cannot access it. We may also disable an account while people are on secondment or maternity leave.
Operating system hardening: This makes a computer's operating system more secure. It often requires numerous actions, such as configuring system and network components properly, turning off features and services that are not used, and applying the latest software and antivirus updates.
Deterrent controls could be CCTV and motion sensors. When someone walks past a building and the motion sensors detect them, the lights turn on to deter them.
A building with a sign saying that it is being filmed with CCTV prevents someone from breaking into your premises, as they think they are being filmed, even though there may not be a camera inside—but they don't know that.
Detective controls are used to investigate an incident that has already happened; these could include the following:
CCTV: This records events as they happen; from the recording you can see who has entered a particular room or has climbed through a window at the rear of a building.
Log files: These are text files that record events and the times at which they occurred; they can show trends and patterns over a period of time. For example, servers, desktops, and firewalls all produce log files. Once you know the time and date of an event, you can gather information from the various log files.
Corrective controls are the actions you take to recover from an incident. You may lose a hard drive that contained data; in that case, you would replace the data from a backup you had previously taken.
Fire-suppression systems are another form of corrective control. You may have had a fire in your data center that has destroyed many servers, therefore when you purchase a replacement, you may install an oxygen-suppressant system. This method uses argon/nitrogen and sometimes a small element of CO2 to displace the oxygen in the server room. The basis of this method is to reduce the oxygen level to below 15% because it will suppress a fire.
Compensating controls can be called alternative controls; this is a mechanism that is put in place to satisfy the requirements of a security measure that is deemed too difficult or impractical to implement at the present time. It is similar to when you go shopping and you have $100 in cash—once you have spent your cash, you will have to use a credit card as a compensating control.
An example of this is where a new person has just been employed by the company where the normal way to log in is to use a smart card and PIN. This resembles a bank card with a chip where you insert it into your laptop or keyboard and then insert a PIN to log in. Maybe it takes 3-5 days to get a new smart card, so during the waiting period, they may log in using a username and password:
The three main parts of access controls are identifying an individual, authenticating them when they insert a password or PIN, and then authorization, where an individual has different forms of access to different data. For example, someone working in finance will need a higher level of security clearance and have to access different data than the person who dispatched an order in finished goods:
Identification: This is similar to everyone having their own bank account; the account is identified by the account details on the bank card. Identification in a security environment may involve a user account, a smart card, or maybe a fingerprint; this is unique to that individual.
Authentication: Once the individual presents their method of identification, they next need to be authenticated, for example, by entering a password or a PIN.
Authorization: This is the level of access you have to selected data. You are normally a member of certain groups; for example, a sales manager could access data from the sales group and also data from the managers group. You will only be given the minimum amount of access required to perform your job; this is known as least privilege.
Discretionary access control involves New Technology File System (NTFS) file permissions, which are used in Microsoft operating systems. The user is only given the access that he/she needs to perform their job.
The permissions are as follows:
Full control: Full access
Modify: Change data, read, and read and execute
Read and execute: Read the file and run a program if one is inside it
List folder contents: Expand a folder to see the subfolders inside it
Read: Read the contents
Write: Allows you to write to the file
Special permissions: Allows granular access; for example, it breaks each of the previous permissions down to a more granular level
Data creator/owner: The person that creates the unclassified data is called the owner, and they are responsible for checking who has access to that data:
Least privilege is where you give someone only the limited level of access required so that they can perform their job role; this is known as the need-to-know basis. The company will write a least privilege policy so that the administrators know how to manage it.
Mandatory Access Control (MAC) is based on the classification level of the data. This looks at how much damage disclosure of the data could cause to the interests of the nation. The levels are as follows:
Top secret: Highest level, exceptionally grave damage
Secret: Cause serious damage
Confidential: Cause damage
Restricted: Undesirable effects
Examples of Mandatory Access Control (MAC):

Data types                  Classification
Nuclear energy project      Top secret
Research and development    Secret
Ongoing legal issues        Confidential
Government payroll          Restricted
Custodian: The custodian is the person who stores and manages classified data.
Security administrator: The security administrator is the person who gives access to classified data once clearance has been approved.
Security Enhanced Linux: SELinux is a project that was created with the intention of providing stricter access control over users, processes, files, and devices in Linux systems. The National Security Agency (NSA) in the United States released it as open source code under the GNU GPL license. The project was integrated into the Linux Security Modules (LSM) framework from version 2.6.0 of the Linux kernel, which was published in 2003.
File permissions: Linux permissions come in a numerical format; the first number represents the owner, the second number represents the group, and the third number represents all other users:
Permissions:
Owner: First number
Group: Second number
All other users: Third number
Numerical values:
4: Read (r)
2: Write (w)
1: Execute (x)
Unlike a Windows permission that will execute an application, the execute function in Linux allows you to view or search.
A permission of 6 would be read and write. A value of 2 would be write, and a value of 7 would be read, write, and execute. Some examples are as follows:
Example 1: If I have 764 access to File A, this could be broken down as:
Owner: Read, write, and execute
Group: Read and write
All other users: Read
Example 2: Determine which of the following permissions to File B is the highest and which is the lowest:
a. 776 File B, also shown as rwx rwx rw-
b. 677 File B
c. 777 File B
d. 577 File B
e. 576 File B
When selecting the highest, you look at the value on the left first; therefore the highest is c, 777, which is full control.
When selecting the lowest, you look for the lowest value on the left. There are two options here: d and e both start with the lowest number, so you then compare the remaining digits. From this you can see that answer e, 576, is the lowest.
You can also change permissions in Linux. If the permission on File C is 654 and we wish to change it, we run the command chmod 777 "File C", which changes the permissions on File C to 777.
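Applying the 4/2/1 table above to each digit is mechanical, so here is an added Python example (not the book's code) that breaks a mode such as 764 down per class, ranks the Example 2 candidates the way the text does, and performs the chmod step on a constructed temporary file standing in for File C.

```python
"""Added example (not from the book): Linux numeric file permissions as
described in the text. The temporary file is constructed for the demo."""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Bit values from the text: 4 = read (r), 2 = write (w), 1 = execute (x).
PERMISSION_BITS = ((4, "r"), (2, "w"), (1, "x"))
CLASSES = ("Owner", "Group", "All other users")


def digit_to_rwx(digit: int) -> str:
    """Turn one octal digit (0-7) into its rwx string, e.g. 6 -> 'rw-'."""
    if not 0 <= digit <= 7:
        raise ValueError(f"permission digit out of range: {digit}")
    return "".join(letter if digit & bit else "-" for bit, letter in PERMISSION_BITS)


def describe_mode(mode: str) -> Dict[str, str]:
    """Break a three-digit mode such as '764' down per class (Example 1)."""
    if len(mode) != 3 or not mode.isdigit():
        raise ValueError(f"expected three octal digits, got {mode!r}")
    return {cls: digit_to_rwx(int(d)) for cls, d in zip(CLASSES, mode)}


def symbolic(mode: str) -> str:
    """'776' -> 'rwxrwxrw-', the form the book writes as rwx rwx rw-."""
    return "".join(describe_mode(mode).values())


def rank_modes(modes: List[str]) -> Tuple[str, str]:
    """Return (highest, lowest). Comparing the leftmost digit first and then
    the following digits, as the text does, is plain ordering of the octal value."""
    ordered = sorted(modes, key=lambda m: int(m, 8))
    return ordered[-1], ordered[0]


def current_mode(path: str) -> str:
    """Read a file's permission bits back as three octal digits."""
    return f"{stat.S_IMODE(os.stat(path).st_mode):03o}"


def chmod_demo(mode_before: str, mode_after: str) -> Tuple[str, str]:
    """Create a constructed temporary file (our 'File C'), set one mode, then
    change it the way 'chmod 777 "File C"' would, returning both readings."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, int(mode_before, 8))
        before = current_mode(path)
        os.chmod(path, int(mode_after, 8))  # same effect as the chmod command
        after = current_mode(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    print("764 ->", describe_mode("764"))
    print("highest, lowest ->", rank_modes(["776", "677", "777", "577", "576"]))
    print("chmod 654 -> 777:", chmod_demo("654", "777"))
```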
Role-Based Access Control is a subset of duties within a department. An example would be two people within the finance department who only handle the petty cash. In IT terms, it could be that only two of the IT team administer the email server.
In Rule-Based Access Control (RBAC), a rule is applied to all of the people within a department; for example, contractors will only have access between 8 a.m. and 5 p.m., and the help desk people will only be able to access Building 1, where their place of work is. It can be time-based or have some other sort of restriction, but it applies to the whole department.
In Attribute-Based Access Control (ABAC), access is restricted based on an attribute in the account. John could be an executive and some data could be restricted to only those with the executive attribute.
To control access to data, people may be put into groups to simplify access. An example would be if there were two people who worked in Information Technology (IT) who needed access to the older IT data. These people are called Bill and Ben:
Everyone in the sales team may have full control of the sales data by using group-based access, but you may need two new starters to have only read access. In this case, you would create a group called new starters and give those people inside that group only read permission to the data.
Hashing: This is where the data inside a document is hashed using an algorithm such as Secure Hash Algorithm version 1 (SHA1) or Message Digest version 5 (MD5). This turns the data inside the file into a long text string known as a hash value; this is also known as a message digest.
Hashing the same data: If you copy a file and therefore have two files containing the same data, and you hash them with the same hashing algorithm, they will always produce the same hash value. Please look at the example that follows.
Verifying integrity: During forensic analysis, the scientist takes a copy of the data prior to investigation. To prove that he/she has not tampered with it during the investigation, he/she will hash the data before starting and then compare that hash with a hash of the data taken when finished. If the hashes match, then we know that the integrity of the data is intact.
One-way function: For the purpose of the exam, hashing is a one-way function and cannot be reversed.
HMAC authentication: In cryptography, an HMAC (known as either a keyed-hash message authentication code or a hash-based message authentication code) is a specific type of Message Authentication Code (MAC) involving a cryptographic hash function and a secret cryptographic key. We can have HMAC-MD5 or HMAC-SHA1; for the exam, HMAC provides both data integrity and data authentication.
Digital signature: This is used to verify the integrity of an email so that you know it has not been tampered with in transit. The email is run through a one-way hash function and the hash is signed with the sender's private key; the recipient, who has already been given the sender's public key, uses it to verify that the email has not been tampered with in transit. This will be covered more in-depth later in this book.
Can you read data that has been hashed? Hashing does not hide the data as a digitally signed email could still be read—it only verifies integrity. If you wish to stop someone reading the email in transit, you need to encrypt it.
RACE Integrity Primitives Evaluation Message Digest (RIPEMD): This is a 128-bit hashing function. RIPEMD (https://en.wikipedia.org/wiki/RACE_(Europe)) has been replaced by RIPEMD-160, RIPEMD-256, and RIPEMD-320. For the purpose of the exam, you need to know that it can be used to hash data.
The reason that we hash a file is to verify its integrity so that we know if someone has tampered with it.
In this exercise, we have a file called data.txt. First of all, I use a free MD5 hashing tool and browse to the data.txt file, which generates a hash value. I have also created a folder called Move data to here:
Get the original hash: Copy the hash from the current hash value field to the original hash value field.
Copy the data.txt file to the Move data to here folder, then go to the MD5 hash software, browse to the data.txt file in the new location, and press verify. The values should be the same, as shown here:
The values are the same; therefore we know the integrity of the data is intact and it has not been tampered with while moving the data.txt file.
Next, we go into the data.txt file and change a single character, add an extra dot at the end of a sentence, or even enter a space that cannot be seen. We then take another hash of the data and will see that the hash value is different and does not match; this means that the data has been tampered with:
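The data.txt exercise above, together with the HMAC section before it, as an added Python example (not the book's code or that of any hashing tool): the file contents and the shared key are constructed for the demonstration, and hashlib's MD5 stands in for the free MD5 tool.

```python
"""Added example (not from the book): the data.txt integrity exercise done
with hashlib, plus HMAC-SHA1 to show what the secret key adds. Contents and
key are constructed for the demonstration."""
import hashlib
import hmac
import os
import shutil
import tempfile
from typing import Dict

# Constructed contents of data.txt.
ORIGINAL_TEXT = b"Quarterly figures: revenue up 4%.\n"
# Constructed shared secret for the HMAC part; in practice agreed out of band.
SHARED_KEY = b"constructed-demo-key"


def md5_of_file(path: str) -> str:
    """Hash a file in chunks, like the MD5 tool in the exercise (hex digest)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify(path: str, expected_hash: str) -> bool:
    """The tool's 'verify' button: does the file still match the original hash?"""
    return hmac.compare_digest(md5_of_file(path), expected_hash)


def run_exercise() -> Dict[str, object]:
    """Hash data.txt, copy it to 'Move data to here' and re-verify, then add a
    single invisible character (a trailing space) and verify again."""
    workdir = tempfile.mkdtemp()
    try:
        src = os.path.join(workdir, "data.txt")
        dest_dir = os.path.join(workdir, "Move data to here")
        os.mkdir(dest_dir)
        with open(src, "wb") as fh:
            fh.write(ORIGINAL_TEXT)
        original_hash = md5_of_file(src)            # the original hash

        moved = shutil.copy(src, dest_dir)           # copy the file
        after_copy = verify(moved, original_hash)    # same data -> same hash

        with open(moved, "ab") as fh:                # the space nobody can see
            fh.write(b" ")
        after_change = verify(moved, original_hash)  # hash no longer matches
        return {"original_hash": original_hash, "after_copy": after_copy,
                "after_change": after_change, "changed_hash": md5_of_file(moved)}
    finally:
        shutil.rmtree(workdir)


def hmac_sha1(key: bytes, message: bytes) -> str:
    """HMAC-SHA1: a MAC built from a hash function and a secret key."""
    return hmac.new(key, message, hashlib.sha1).hexdigest()


def check_hmac(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver's check. Anyone who alters a message can recompute a plain hash;
    only a holder of the key can produce a matching tag, which is the
    authentication HMAC adds on top of integrity."""
    return hmac.compare_digest(hmac_sha1(key, message), tag)


if __name__ == "__main__":
    print(run_exercise())
    tag = hmac_sha1(SHARED_KEY, ORIGINAL_TEXT)
    print("genuine:", check_hmac(SHARED_KEY, ORIGINAL_TEXT, tag))
    print("wrong key:", check_hmac(b"wrong-key", ORIGINAL_TEXT, tag))
```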
Defense in depth is the concept of protecting a company's data with a series of defensive layers, so that if one layer fails, another layer will already be in place to thwart an attack. We start with our data, then we encrypt it to protect it:
The data is stored on a server
The data has file permissions
The data is encrypted
The data is in a secure area of the building
There is a security guard at the building entrance checking identification
There is CCTV on the perimeter
There is a high fence on the perimeter
Therefore, before someone can steal the data, they have seven layers of security that they must pass through. The concept of defense in depth is that if one layer fails, then the next layer protects:
What are the three components of the CIA triad?
Why might a CCTV camera be sited outside a building without any film inside?
What does confidentiality mean?
How can we protect a data center from people entering it?
What is the purpose of an airgap?
Name three administrative controls.
Name three physical controls.
Following an incident, what type of control will be used when researching how the incident happened?
How do I know if the integrity of my data is intact?
What is a corrective control?
What is the purpose of hashing?
If I hash the same data with different SHA1 applications, what will the output be?
What two things does HMAC provide?
What type of control is it when I change the firewall rules?
What is used to log into a system that works in conjunction with a PIN?
What is the name of the person who looks after classified data and who is the person that gives people access to the classified data?
When you use a DAC model for access, who determines who gains access to the data?
What is least privilege?
What access control method does SELinux utilize?
What is the Linux permission of 777? What access does it give you?
What does the Linux permission execute allow me to do?
The sales team are allowed to log into the company between 9 a.m. and 10 p.m. What type of access control is being used?
Two people from the finance team are only allowed to authorize the payment of cheques; what type of access control are they using?
What is the purpose of the defense in depth model?
When someone leaves the company what is the first thing we should do with their user account?
Confidentiality means only allowing those authorized to access data gain access. Integrity means that data has not been tampered with. Availability means that data is available when you need it, for example purchasing an airline ticket.
We could place a CCTV camera in a prominent location as a deterrent; people walking past cannot tell whether it has film in it or not, so we are using it as a deterrent.
Confidentiality means that we are limiting access to data to only those who should have access.
To stop people entering a data center, we would install a mantrap, a turnstile device, so that we can control who accesses the data center, one person at a time.
An airgap is what it says on the tin: it is a gap between your network and a machine. We would use an airgap, for example, between a research and development machine and the corporate network.
Administrative controls could be writing a new policy to make the company run smoothly; we may have just implemented change management. You could implement a new form to ensure that all of the data required for an application is supplied. We could run an annual security awareness training day, complete a risk assessment, or carry out penetration testing.
The list of physical controls is huge. Remember that these can be physically touched. You can choose three from: cable locks, laptop safes, biometric locks, fences, gates, burglar alarms, fire alarms, lights, security guards, bollards, barricades, a Faraday cage, key management, proximity cards, tokens, HVAC, an airgap, motion sensors, cameras, and biometric devices such as an iris scanner.
If we investigate an incident, we need to collect all of the facts about the incident; this is a detective control. Think of a detective such as Sherlock Holmes who is always investigating mysteries.
If we hash the data before and after, and the hash value remains the same, then integrity of the data is intact. If the second hash is different, the data has been tampered with.
A corrective control is the action taken after an incident has happened in order to redeem the situation. For example, if the hard drive on my laptop fails, then I will purchase a new hard drive, put it into my laptop, install the operating system and applications, then obtain a copy of my data from a backup.
Hashing is a technique that lets you know if data has been tampered with, but it does not hide the data.
If the same data is hashed with two different applications that can hash data with SHA1, then the hash value will be the same.
HMAC provides data integrity and data authentication. You can use HMAC-SHA1 or HMAC-MD5.
If I change firewall rules, I am doing this to reduce risk; it is carried out by administrators, therefore it is a technical control.
A smart card is a credit card-type device that has a chip built in; once inserted into the keyboard or USB card reader, you will then be asked to enter a PIN.
The person who stores and manages classified data is called the custodian. The person who gives access to the classified data is the security administrator. Prior to getting access to the data, the person may well be vetted.
In the DAC model, the data is unclassified and the data creator who is also called the owner will decide who gains access to the data.
Least privilege is a technique that says that people should only get the limited access to data that they need to perform their job.
SELinux uses the MAC model to access data. This is the secure version of Linux.
In Linux, 777 gives the owner (the first digit), the group (the second digit), and all other users (the third digit) read, write, and execute. It could also be shown as rwx rwx rwx.
The Linux permission for execute (x) allows you to search for or view data.
An access control method that applies either a time restriction or location restriction is called rule-based access.
A subset of a department with access to a subset of duties is called role-based access.
The defense in depth model has many different layers; the idea behind this is if one layer is broken through, the next layer will provide protection.
When someone leaves the company, we should disable their account so that the keys associated with it are still available. The next stage is to change the password so nobody can access it, especially the person who has just left.
As a security professional, you will need to understand that identifying and managing risks can help to keep your company environment safe from various types of attacks. In this chapter we will look at types of threats and vulnerabilities and the role that different threat actors play.
We will cover the following exam objectives in this chapter:
Explain threat actor types and attributes: Types of actors: script kiddies, hacktivists, organized crime, nation states/APT, insiders, competitors. Attributes of actors: internal/external, level of sophistication, resources/funding, intent/motivation. Use of open-source intelligence.
Explain the importance of policies, plans and procedures related to organizational security: Standard operating procedure. Agreement types: BPA, SLA, ISA, MOU/MOA. Personnel management: mandatory vacations, job rotation, separation of duties, clean desk, background checks, exit interviews, role-based awareness training, continuing education, acceptable use policy/rules of behavior, adverse actions. General security policies: social media networks/applications, personal email.
Summarize business impact analysis concepts: RTO/RPO, MTBF, MTTR, mission-essential functions, identification of critical systems, impact (life, property, safety, finance, reputation). Privacy impact assessment, privacy threshold assessment.
Explain risk management processes and concepts: Threat assessment: environmental, manmade, internal versus external. Risk assessment: SLE, ALE, ARO, asset value, risk register, likelihood of occurrence, supply chain assessment, impact, quantitative, qualitative. Testing: penetration testing authorization, vulnerability testing authorization. Risk response techniques: accept, transfer, avoid, mitigate.
Risk management is the process of identifying risks within a company and making decisions about how to reduce the risks so that an incident does not cause harm to the company and its assets. You may not be able to eliminate the risk completely, but you may be able to put procedures in place to reduce it or keep it an acceptable level.
The first step in risk management is to identify the asset. Is it a top-secret document? If that was the case, you'd limit access to the document. The top-secret document would be stored in a secure area at all times; nobody would be able to take copies or photographs of it.
For example, if you had 1 kg of trash and you placed it outside your front door at night, you would be certain that in the morning it would still be there; however, if the asset was 1 kg of 24 carat gold and you left it outside your house at night, it would probably not be there in the morning.
The first step in risk management is identifying the asset because how we classify the asset will then determine how the asset is handled, stored, protected, and who has access to the asset.
Creating policies, plans, and procedures is a part of risk management and helps reduce the attack surface and prevent incidents from happening. Let us look at the different type of policies that can be used.
Standard Operating Procedures (SOP) give us step-by-step instructions as to how an activity is to be carried out. An example would be how to back up data. The SOP will state which data needs to be backed up daily, weekly, or monthly. Critical data would be backed up every two hours, whereas archive data may be backed up monthly. The SOP would also state which medium is to be used for the backup; it may be backed up to a NetApp or network share rather than to tape so that quicker recovery can be carried out.
Contracts between companies that want to purchase or sell services are very common as they protect both partners participating in the contract. We will now look at different agreement types that may be used in those contracts.
Business Partnership Agreement (BPA): A BPA is used between two companies who want to participate in a business venture to make a profit. It sets out how much each partner should contribute, their rights and responsibilities, the rules for the day-to-day running of the business, who makes the decisions, and how the profits are agreed and shared. It also has rules for the partnership ending, either over time or if one of the partners dies.
Service-Level Agreement (SLA): An SLA is a contract between a service provider and a company receiving the service that defines the level of service expected from the service provider; it is based on metrics within a specific time frame. The agreement can specify either a fix or a response within a certain period of time.
For example, your company has an SLA with a service provider that will fix the printer within 4 hours. If the printer breaks down then the service provider needs to repair the printer within four hours or face a penalty. An SLA only relates to one product or service at one time. A company may have several SLAs in place that cover all of their equipment.
Interconnection Security Agreement (ISA): An ISA states how connections should be made between two business partners. If one of the business partners is a government agency and the connection agreement is not enforced, it could pose a security risk to their network. The connection agreement could specify which type of VPN and tunnel should be used, or it could state that a dedicated T3 line is used to make the connection between them.
Memorandum of Understanding (MOU): An MOU is a formal agreement between two or more parties. MOUs are stronger than a gentlemen's agreement and both parties must be willing to make a serious commitment to each other, but they are not legally binding.
Memorandum of Agreement (MOA): An MOA is similar to an MOU but serves as a legal document and describes the terms and details of the agreement.
Non-Disclosure Agreement (NDA): An NDA is a legally binding contract made with an employee or a business partner in which they promise not to disclose trade secrets to others without proper authorization. The reason for this is to stop trade secrets or proprietary information being sold on to competitors.
Employing personnel is a key function in a successful business; however, employing people is high risk, as we need to employ the right type of person, who must be bright enough to identify cyber-crime attacks. To help reduce the risk that employees face, to prevent human resources from employing the wrong person, and to prevent fraud on an ongoing basis, the following policies can be adopted:
Job rotation: Job rotation is used for two main reasons. The first is so that all staff can be trained in all aspects of the jobs in the company; employees may change departments every six months, and this way they get fully trained. The second reason is that by rotating jobs, any theft or fraudulent activities can be discovered by the new person coming in.
Mandatory vacations: Mandatory vacations help detect whether an employee has been involved in fraudulent activities by forcing them to take holidays of a week or more. When people are involved in fraudulent activities they tend not to take many holidays, so that the fraud cannot be discovered. This is especially rife in jobs in which people hold fiscal trust, such as someone working in finance or someone who can authorize credit card payments.
Separation of duties: Separation of duties means having more than one person participate in completing a task; it is an internal control to prevent fraud or error. An example would be where a person who worked in the finance department collected all of the money being paid in and then also authorized all of the payments being paid out. A charity in the United Kingdom was embezzled out of £1.3 million over a period of six years. If they had two distinct finance jobs, with one person receiving the money and another authorizing payments, the embezzlement would have been prevented. This is the aim of separation of duties: no one person does the whole task.