## Notes

- Suggested prereqs: A+ certification and/or 1 year of experience in security
- Follows the guidelines posted by [[CompTIA]]

## Security Goals and Controls

### Objectives

- Provide an overview of confidentiality, integrity, availability, and non-repudiation
- Describe concepts of authentication, authorization, and accounting
- Describe control categories
- Define control types

### CIA Triad

- **C**onfidentiality
- **I**ntegrity
- **A**vailability

#### Confidentiality

- Measures an attacker's ability to get unauthorized access to data or information from an application or system
  - At rest
  - In transit
- Involves using techniques, often cryptography, to allow only approved subjects to view information
  - Practical cryptography
- Includes preserving authorized restrictions on information access and disclosure
- A means for protecting PII and PHI
- Includes
  - Passwords
  - Cryptographic keys
  - PII
  - PHI
  - IP

#### Examples of Confidentiality

- Using an IPsec VPN
- Leveraging mutual [[Transport Layer Security]] (TLS) between a web browser and server/controller
- Storing sensitive data or credentials in a mobile device partition or secure enclave
  - Touch ID
  - Face ID
- Implementing [[Advanced Encryption Standard]] (AES) encryption on data at rest in storage (file, block, object, databases, etc)

#### Integrity

- Safeguard against improper information modification or destruction
- Property that data or information have not been altered or damaged in an unauthorized way
- Quality of IT system
  - Logical correctness and reliability of the operating system
  - Logical completeness of the hardware and software that implements the protection mechanisms
  - Consistency of data structures and occurrence of stored data

#### Examples of Integrity

- OS performs a checksum when files are moved or copied
- An Ethernet frame check when sent from one MAC address to another
  - Generally for TCP (the handshake) and not so much for UDP
- A hashed message authentication code
applied to advertisements sent between neighbor systems, such as routers or gateways
- Implementation of a mandatory access model technique such as [[Biba]] or [[Clark-Wilson]]

#### Availability

- The process of ensuring timely and reliable access to and use of information
- Property of data, information, applications, systems, or services that are accessible and usable upon demand by an authorized subject
- "High availability" is a failover feature to ensure availability during device or component interruptions, both planned and unplanned

#### Examples of Availability

- Implementing security controls that protect systems and services from spoofing, flooding, denial-of-service, poisoning, and other attacks that negatively affect the ability to deliver data, content, or services
- Vulnerabilities that impact availability can affect hardware, software
  - Flooding network bandwidth, consuming large amounts of memory, CPU cycles, or unnecessary power consumption
- Assuring that technical controls such as firewalls, intrusion prevention system (IPS) sensors, anti-virus, and endpoint protection are always reliable and deployed in a failover group or cluster
- Determining the best disaster recovery site solution for every scenario or situation for an organization

#### Non-Repudiation

- Beginning to be the fourth letter
- Non-repudiation refers to enforcing the inability of a subject to deny that they participated in a digital transaction, agreement, contract, or communication
- The property of agreeing to adhere to an obligation
- Inability to refute responsibility
- Actors must act within their duties
- Examples
  - Signing a legal contract: the signature is a "non-repudiation device"
  - Public/private keys and digitally signed certificates between parties
  - "Repudiation of Origin" example of a bank
    - "I didn't send that transfer"
    - "I didn't send money"
  - Email
    - SMIME
    - DKIM

### AAA Triad

#### Overview

- Authentication - process of validating that an entity is who or
what they claim to be
  - Mandatory
- Authorization - the process of granting an authenticated entity permission to access a resource or perform a specific function
  - Happens after authentication
- Accounting - when did the entity begin, when did it end, how long did they do it? "IDM"
- Identity management is becoming more broadly accepted
- MFA is an expansion of basic auth

#### Character Mode Vs Packet Mode

- Character mode sends keystrokes and commands (characters) to a network admission device for the purpose of configuring or administering on THAT same device
- Packet (network) mode occurs when the network admission device serves as an auth proxy on behalf of services in other networks such as the web, FTP, DNS, etc

#### Authentication

- Authenticating subject is technically mandatory, even if using open or anonymous techniques
- Clients would initiate a TCP three-way communication handshake before the authentication process
  - "three way" is
    1. client talks to server
    2. server responds to client
    3. client gets data
  - This is sub-optimal and a violation of "zero trust" principles

#### Authorization

- Technically optional but practically mandatory
- Desirable to implement session-based (tokens) and attribute-based mechanisms

#### Accounting

- Generally for two use-cases
  - Monitoring, visibility, and reporting
  - Billing, chargeback, and reporting
- Remote Authentication Dial-in User Service (RADIUS) is a popular Internet Engineering Task Force (IETF) AAA service
- Diameter is the next generation

#### Authenticating People

- Authenticating a person means confirming that they are who they claim to be
- This ensures only those with authorized credentials gain access to secure systems
- Username/webmail/email and a password is still the most common
  - Should add another robust factor

#### Common Ways of Authenticating People

- Password, PIN, passphrase
- Smart card, token, fob
- Digital certificate
- Biometric attribute
- QR or other code on a device

#### Authenticating Devices and Systems

- Many different types of entities or principals that can be authenticated other than people
- These subjects are called NPEs (non-person entities)
  - Laptops and pads
  - Mobile devices
  - Gateways and load balancers
  - Robotics systems
  - Embedded devices
  - IoT endpoints
  - Service accounts

#### Endpoint Authentication

- Endpoint (or device) authentication is a security technique designed to ensure that only authorized devices can connect to a given network, site, or service
- Endpoint security management is rapidly emerging as an important area in machine-to-machine (M2M) communications and IoT
- *Endpoint fingerprinting* is one way to enable authentication of non-traditional network endpoints such as smart card readers, HVAC systems, medical equipment, and IP-related door locks

#### Common Device Authentication Methods

- A shared secret key stored on endpoints (wireless) or infrastructure devices
- An X.509 v3 device certificate stored in a software application
- A cryptographic key,
certificate or other credential stored at the hardware level in a trusted platform module
- A key store in a hardware security module (HSM)
  - Server rack
- A protected access file (PAC) in a Cisco infrastructure

#### Authorization Models

##### Discretionary Access Control

- DAC grants access control decisions to the resource owners and custodians
- Each resource typically has an owner who determines the access permissions and shared
- The owner can grant or revoke access rights for other users or groups
- DAC offers flexibility and allows resource owners to have fine-grained control over access, but it can also result in inconsistent access control decisions
- It is the most prone to "privilege creep"
  - Permissions can linger

##### Role-Based Access Control

- RBAC grants access based on predefined roles or job titles
- Users are assigned roles, and access rights are associated with these roles
- Instead of directly assigning permissions to individual users, permissions are assigned to roles, and users inherit the access rights associated with their assigned roles
- Various roles in a hospital
- Built-in roles in a DBMS
- RBAC streamlines administration by grouping users with similar job functions and offering a scalable approach to access management

##### Mandatory Access Control

- Non-discretionary model
- MAC is a strict mathematical model where access to resources is determined by the system based on predefined security labels and rules
- Principals are assigned security clearances or classification levels (top secret, secret, confidential, etc)
- Resource objects are labeled with sensitivity levels
- Access is granted or denied by comparing these labels and rules, ensuring strict control and preventing unauthorized access

##### Attribute-Based Access Control

- ABAC grants access based on a combination of characteristics associated with users, resources, and environmental conditions
- Attributes can include user attributes (job title, department), resource
attributes (sensitivity level, classification), and environmental attributes (time of access, location)
- Authorization policies are defined using these combinations, and decisions are made based on evaluating the attributes against the defined policies

##### Attribute-Based Dynamic Access Control

- ABDAC uses AI and behavior-driven analytics
- It considers dynamic factors such as risk assessment, user attributes, resource attributes, and contextual information to make access control decisions in real time
- ABDAC provides more fine-grained and context-aware access control needed in "zero trust" environments when compared to traditional static access control models

##### Rule-Based Access Control

- Uses rules to determine access
- Access control rules define conditions or criteria that must be met for access to be granted
- Rules can be based on several factors, such as user attributes, resource attributes, time of access, etc
- Access decisions are made by comparing these rules against the context of the access request, usually IP transport and network layer header metadata

| Protocol | Port    | Source            | Destination    | Name                 | Action |
| -------- | ------- | ----------------- | -------------- | -------------------- | ------ |
| UDP      | 53      | Any               | 192.16.10.200  | Allow DNS queries    | Allow  |
| TCP      | 80, 443 | Any               | 192.168.10.201 | Allow HTTP and HTTPS | Allow  |
| TCP      | 3389    | IT_Admin_IP_Range | Any            | Allow RDP            | Allow  |
| Any      | Any     | Any               | Any            | Default              | Deny   |

Interpreting an access control list is a question type that appears on the exam

## Security Control Categories

### Security Controls

- Technical
  - New firewall
- Managerial (administrative)
  - Security policy, "no tailgating"
- Operational
  - Ongoing, continual
  - Maintenance
- Physical
  - Fences, gates, locks, cameras

#### Technical Controls

- Terraform and IaC
- Mechanisms that the specific system implements

#### Common Technical Controls

- Device hardening
- IAM engine
- Cryptographic keys
- Cloud-based threat
modeling tools

#### Managerial Controls

- Defined policies, procedures, best practices
  - Published or printed
- Acceptable-use
- Best practices
- Password policies
- Mandatory vacation policies
- Training and awareness
- Often combined with technical controls

#### Operational Controls

- Support ongoing maintenance, due care, and continual improvement
- Optimizing the change and configuration management database
- Performing tested patch management
- Conducting awareness and training
- Monitoring physical and environmental controls
- Conducting incident response and disaster planning drills
- Performing software assurance initiative
- Managing mobile devices and mobile applications on an ongoing basis

#### Physical Controls

- Physical barriers
- Guards and security teams
- Cameras and surveillance equipment
- etc

### Security Control Types

- Preventative
- Deterrent
- Detective
- Corrective
  - Restores a system to a state before the negative event occurred (recovery)
  - Can rectify or correct an identified problem
- Compensating
  - Aids controls that are already in place or provides a temporary stopgap solution
- Directive
  - Consists of mandatory policies and regulations that are in place to maintain consistency and compliance
  - Directing someone

## Fundamental Security Concepts

### Objectives

- Gap analysis
- Zero trust initiatives
- Deception technologies
- Preventative and detective physical controls
- Change management business and technical processes
- Documentation and version control

### Gap Analysis

- To know where you are and where you need to go as a secure organization, conduct gap analysis
- This technique will be applied to several security projects, plans, and initiatives throughout an entire career
- Information security gap analysis is a comprehensive appraisal that helps organizations determine the difference between the current state of their information security and specific industry requirements, guidance, and best practices
- When performing security
gap analysis, one will better understand the status of the cybersecurity risks and vulnerabilities in the organization
- This type of risk assessment indicates where the technical, physical, managerial, and continuing operation controls need to be deployed
- It involves knowing what the residual risks are and what further physical and logical controls (if any) need to be acquired and implemented

### Common Security Gaps

- Weak or shared credentials
- Lack of tested patch management
- Violation of the least privilege principle
- Having no/unenforced acceptable use policies
- Poor physical security
- Configuration and deployment errors due to lack of change and configuration management
- Poor visibility and lack of proper auditing

### Zero Trust

- The term for an evolving set of cybersecurity initiatives that move defenses from static, network-based perimeters to focus on users, assets, and resources
- ZT assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location or based on asset ownership
- Authentication and authorization (subject and object) are discrete functions performed before a session to an enterprise resource is established
- ZT establishes the principle of least privilege consistently across all resource classes and locations
- Segregation (separation) of duties and high visibility (SIEM/SOAR)

#### Zero Trust Adaptive Identity

- Adaptive identity/authentication or risk-based authentication
- Method of access to data that matches user credentials with the risk of the requested authorization
- It delivers support for multiple classes of consumers and participants, whose roles and identity may evolve to meet rapidly evolving ecosystems and environments
- Offers ease of maintenance and operation while being agile and easy to modify

#### Zero Trust Threat Scope Reduction

- Reduce threat scope and avoid risk
- Reduced scope of threats to support agility and support complexity
- Increased complexity and number of
communication patterns, increasing difficulty of addressing through data and asset-centric approach

#### Zero Trust Control Plane

- ZT control plane is separate from the data plane and contains the *policy decision point*
  - *policy engine*, which uses the enterprise policy-driven access control
  - *policy admin*, enables and/or shuts down the communication path between a subject and a resource via commands to associated *policy enforcement points*
- *PA* communicates with the *PEP* when creating the communication path via the control plane

### Honeypot

- A honeypot is a system (web server) or resource (file on a server) that is designed to be attractive to potential attackers and intruders, like honey is eye-catching to bears
- Modern systems are often running as a virtual machine in a type-1 hypervisor such as a VMware solution
- They are strategically placed in parallel to public access or DMZs where public-facing servers are typically placed

### Honeynets

- A network of honeypots
- Set up with intentional vulnerabilities hosted on decoy services and services to attract/redirect attackers
- Primary purpose is to test network security by inviting attack patterns and "kill chains"
- This helps security teams analyze an actual attacker's activities and methods to improve network security
- An implementation of active defense
- It's like a sandpit
- Fake telemetry to DNS servers
- Figure out who attackers are
  - Domains
- Can counter attack

### Honey Files and Honey Tokens

- Biggest threat is the compromised privileged insider
- Files and tokens are strategically placed artifacts and files meant to lure the suspect into exposing themselves as part of an internal investigation
- Valuable in the discovery of attackers who are deep into the kill chain
- Common examples are access keys and credentials
  - Fake IAM in AWS

### Preventative Physical Security Controls

- Very obvious

### Change Management

- Methodical approach to handling the transition or modification of an
organization's goals, processes or technologies
- Purpose is to implement strategies for carrying out change, controlling transformations, and assisting individuals in adapting to change
- Change management is also referred to as the change control practice
- Typically, configuration management occurs first to establish a baseline

#### Lifecycle

1. Submitting
2. Approving
3. Documenting
4. Testing
5. Implementing
6. Reporting

#### Change Control Business Processes

- Change impact analysis compares two states
- Backout/fallback plan for recovery
- Maintenance windows for updates
- Standard Operating Procedure

## Practical Cryptography

### Objectives

- Compare symmetric and asymmetric cryptography
- Encryption levels
  - Full disk
  - Partition
  - File
  - Volume
  - Database
  - Record
- Examine hashing, salting, HMACs and key exchange
- Digital signatures, certificates, PKI
- Cryptographic tools

### Cryptographic Services

- Confidentiality
  - Hide data at rest, in transit
- Integrity
  - Ensure data has not been altered
- Non-repudiation
  - Digitally signing

### Symmetric Key Cryptosystems

- Same key to encrypt and decrypt
- Computationally inexpensive
- Protects data at rest
- Key management is more complex unless using hardware security modules
- No built-in origin authentication
- Does not scale well

### Block Cipher

- Operates on fixed blocks of data (64, 128, 256)

### Stream Cipher

- Plaintext bits are XORed with keystream bits

### Asymmetric Key Cryptosystems

- Uses a mathematically related public and private key
  - One is used to encrypt
  - Other is used to decrypt
- PKI enables efficient key management and scalability
- Slower and more computationally expensive
- Uses 4096 key lengths
- RSA is most common

#### Example

- Confidentiality
  - Encrypt with public key
  - Decrypt with private key
- Origin authentication
  - Encrypt with private key
  - Decrypt with public key
  - Not really a strong guarantee that Alice actually sent a message

### Popular Asymmetric Algorithms

- RSA
(Rivest, Shamir, Adleman) - most widely used algorithm for securing communication and data encryption
- Diffie-Hellman - protocol for securely exchanging cryptographic keys over an untrusted network
- Elliptic curve cryptography (ECC) - algorithm based on algebraic structure of elliptic curves over finite fields
  - IoT
  - Stronger security with smaller keyspace
- Digital signature algorithm (DSA) - a standard based on the mathematical concept of modular exponentiation and discrete logarithm problem

### Full Disk Encryption

- FDE is the process of encoding all user data on a device
- Also called whole disk encryption

### Partition Encryption

- Less overhead
- Can still have data in other partitions though

### File Encryption

- Encrypting individual files offers more control over access and assures that even if a folder is compromised

### Volume (Block) Encryption

- Could be an array of bits

### Database and Record Encryption

#### Hashing

- Hashing is not encryption
- Basically just a checksum
- Must be resistant to collisions (no MD5)
- Converts data of any size to a fixed-length string
- Birthday paradox

#### Salting

- Technique of adding pseudo random data to a hash
- Ephemeral = pepper

#### Hash-Based Message Authentication Codes (HMACs)

- Diffie-Hellman can create a shared secret key over an unsecured network
- Interleave key with routing update, and hash it
- Send it over network

### Key Exchange

- RSA key exchange
- Diffie-Hellman key exchange
  - DHKE
- RSA can sign public-key certs, but Diffie-Hellman cannot

### DHKE

- Modes
  - DH
    - Same shared secret is used all the time
  - Ephemeral
    - Different shared secret is used each time between parties
  - Elliptic Curve
    - Uses EC public/private key pair; same shared secret is used all the time between parties
    - Smaller keys, lower overhead

### Digital Signature

- Like a human signature
- SHA algorithms
- Digital signatures are legally equivalent to a handwritten signature

### Digitally Signing an API Call

1. API
   1. Calls SHA-2 hash
   2. RSA using private key
   3. Send over untrusted network
2. Recipient uses RSA to decrypt the signature
   1. Recomputes the SHA-2 hash to check it against the decrypted value

### Digital Certificates

- Form of a file used to bind cryptographic key pairs to entities
- If validity affirmation and/or public trust is needed, then a CA will assume the role of the third party

### X.509V3 Digital Certificates

- Fields
  - Serial number
    - Now in base 16 because it's so big
  - Subject name and subject alternative name
  - Subject public key
  - Validity period
  - Hashing algorithm
    - SHA
  - Signing algorithm
    - RSA
  - Extensions

### Trusted Third Party

1. Alice applies for a driver's license
   1. She receives her driver's license after her identity is proven
2. Alice attempts to get a mortgage
   1. Her identity is accepted after her driver's license is checked

- Trust between Bank and Government for identifying people

### Public Key Infrastructure

- PKI is a scalable binding of public key with entity identity
- Digital certificates are registered and issued by the certificate authority
- CA can also generate key pair for the requesting party
- Self-signed
- Everyone has the CA public key in browser or OS
- Certificate Signing Request (CSR) is used by the enrolling party to be granted a certificate by a CA

### CA Trust Models

- Single CA
  - Always online
- Hierarchical CA
  - Combination of root CA and intermediate CAs
  - Root sends certs to intermediates
  - Intermediate CAs provide certificates to users

### Certificate Revocation and Suspension

- Certs are stamped with validity dates and serial numbers
- Serial numbers are revoked or suspended
- Certificate Revocation List (CRL) is the original method
- Online Certificate Status Protocol is an Internet-enabled DB that CAs and web servers utilize for suspension and revocation

### Trusted Platform Modules

- TPM
- Microsoft uses BitLocker Drive Encryption
- It's a separate chip on the motherboard

### Hardware Security Modules

- Hardened, tamper-resistant dedicated appliances or
integrated modules in a PC/server
- HSMs can be physical or virtualized
- A Smart Card HSM is a lightweight HSM
- Responsibilities
  - Managing, processing, generating, storing keys
  - SSL accelerator
  - Encrypting sensitive data
  - Verifying integrity of stored data

### Key Management Service

- Usually provided by cloud infrastructure
- A managed service that enables the creation and control of customer-managed symmetric and asymmetric cryptographic keys to protect various types of data at rest
- These key services integrate with many other cloud services, such as block storage, object storage

### Key Stretching

- Tools that apply a pseudorandom function to the input password with a salt value
- Can be repeated to create a derived key, which is then used for cryptographic operations

### Secure Enclaves

- Separate hardware isolation and OS
- Face ID and Touch ID

### Steganography

- Process of hiding a secret message inside of something not secret
- Newspapers
- StegHide involves embedding a secret piece of text inside of a picture or hiding a secret message inside documents
- Covert communication, but doesn't require a key

### Data Masking

- Using characters to hide some or all data
- Only displaying last 4 digits of SSN, credit card numbers, bank account numbers
- Masking is suboptimal

### Tokenization

- Sending sensitive data through an API call that replaces -
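
Worked example for the Rule-Based Access Control table earlier in these notes (added here, not part of the original notes): a first-match evaluator over the table's four rows, plus a check for rules that an earlier row makes unreachable. It reads the RDP row's port as 3389; the CIDR behind `IT_Admin_IP_Range` and the sample packets are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "protocol ports source destination name action")

# Assumption: the notes never define IT_Admin_IP_Range, so this CIDR is a constructed stand-in.
NAMED_RANGES = {"IT_Admin_IP_Range": "10.0.50.0/24"}

# The four rows of the table, in the same top-down order. An empty ports tuple means "Any".
RULES = [
    Rule("UDP", (53,), "Any", "192.16.10.200", "Allow DNS queries", "Allow"),
    Rule("TCP", (80, 443), "Any", "192.168.10.201", "Allow HTTP and HTTPS", "Allow"),
    Rule("TCP", (3389,), "IT_Admin_IP_Range", "Any", "Allow RDP", "Allow"),
    Rule("Any", (), "Any", "Any", "Default", "Deny"),
]


def _network(spec):
    """Turn a named range, a single address or a CIDR into an ip_network."""
    return ipaddress.ip_network(NAMED_RANGES.get(spec, spec), strict=False)


def _covers(outer, inner):
    """True when address spec `outer` contains every address in spec `inner`."""
    if outer == "Any":
        return True
    if inner == "Any":
        return False
    return _network(inner).subnet_of(_network(outer))


def evaluate(protocol, port, src, dst, rules=RULES):
    """First match wins: return (action, rule name) for one packet's header fields."""
    for rule in rules:
        if rule.protocol not in ("Any", protocol.upper()):
            continue
        if rule.ports and port not in rule.ports:
            continue
        if _covers(rule.source, src) and _covers(rule.destination, dst):
            return rule.action, rule.name
    return "Deny", "implicit deny"  # only reached when the list has no catch-all row


def shadowed(rules=RULES):
    """Names of rules that can never fire because an earlier rule already covers them."""
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.protocol in ("Any", later.protocol)
                    and (not earlier.ports or (later.ports and set(later.ports) <= set(earlier.ports)))
                    and _covers(earlier.source, later.source)
                    and _covers(earlier.destination, later.destination)):
                hidden.append(later.name)
                break
    return hidden


if __name__ == "__main__":
    # Constructed sample packets: (protocol, destination port, source, destination).
    packets = [
        ("UDP", 53, "203.0.113.7", "192.16.10.200"),
        ("TCP", 53, "203.0.113.7", "192.16.10.200"),     # DNS over TCP is not in the table
        ("TCP", 443, "198.51.100.9", "192.168.10.201"),
        ("TCP", 3389, "10.0.50.12", "192.168.10.201"),   # inside the assumed admin range
        ("TCP", 3389, "203.0.113.7", "192.168.10.201"),  # outside it
    ]
    for packet in packets:
        print(packet, "->", evaluate(*packet))
    print("shadowed as written:", shadowed())
    print("shadowed with Default first:", shadowed([RULES[3]] + RULES[:3]))
```

Moving the Default row to the top leaves every other row unreachable, which is why the catch-all deny sits last.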
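
Worked example for the HMAC and DHKE sections earlier in these notes (added here, not part of the original notes): two routers run an ephemeral Diffie-Hellman exchange, derive a MAC key, and authenticate a routing update with HMAC-SHA256. The group parameters are a deliberately small toy group and the routing update is a constructed sample; both are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group constructed for this example (a 127-bit Mersenne prime).
# Far too small for real use; real deployments use standardized 2048-bit+ groups or ECDHE.
P = 2**127 - 1
G = 5


def dh_keypair():
    """Ephemeral mode: a fresh private/public pair for every session."""
    private = secrets.randbelow(P - 3) + 2  # 2 .. P-2
    return private, pow(G, private, P)


def dh_mac_key(my_private, peer_public):
    """Combine our private value with the peer's public value, then hash the
    shared secret down to a 32-byte MAC key."""
    shared = pow(peer_public, my_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def tag_update(key, update):
    """HMAC-SHA256 over the routing update; the tag travels with the update."""
    return hmac.new(key, update, hashlib.sha256).digest()


def verify_update(key, update, tag):
    """Receiver recomputes the tag with its own key and compares in constant time."""
    return hmac.compare_digest(tag_update(key, update), tag)


def demo():
    # Session 1: routers A and B swap public values only; private values never leave.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = dh_mac_key(a_priv, b_pub)
    key_b = dh_mac_key(b_priv, a_pub)

    # Session 2: new ephemeral pairs give an unrelated key.
    c_priv, _ = dh_keypair()
    _, d_pub = dh_keypair()
    other_session_key = dh_mac_key(c_priv, d_pub)

    update = b"advertise 10.20.0.0/16 next-hop 192.0.2.1 metric 5"  # constructed sample
    altered = update.replace(b"192.0.2.1", b"192.0.2.66")           # changed in transit
    tag = tag_update(key_a, update)

    return {
        "keys_match": key_a == key_b,
        "genuine_accepted": verify_update(key_b, update, tag),
        "altered_rejected": not verify_update(key_b, altered, tag),
        "other_session_rejected": not verify_update(other_session_key, update, tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The public values here are exchanged without authentication; binding them to an identity is the job of the signed certificates covered in the PKI section.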