CompTIA Security+ Student Guide (Exam SY0-701) PDF

Document Details
Year: 2023
Publisher: CompTIA
Authors: James Pengelly, Gareth Marchant

Summary
This guide provides a comprehensive overview of CompTIA Security+ certification. It covers security concepts, threat types, cryptographic solutions and more, aligning with CompTIA exam objectives. It's designed for students preparing for the SY0-701 exam.

Full Transcript
The Official CompTIA Security+ Student Guide (Exam SY0-701)
Course Edition: 2.0

Acknowledgments
James Pengelly, Author
Gareth Marchant, Author
Michael Olsen, Director, Content Development
Danielle Andries, Senior Manager, Content Development

Notices

Disclaimer
While CompTIA, Inc. takes care to ensure the accuracy and quality of these materials, we cannot guarantee their accuracy, and all materials are provided without any warranty whatsoever, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. The use of screenshots, photographs of another entity’s products, or another entity’s product name or service in this book is for editorial purposes only. No such use should be construed to imply sponsorship or endorsement of the book by nor any affiliation of such entity with CompTIA. This courseware may contain links to sites on the Internet that are owned and operated by third parties (the “External Sites”). CompTIA is not responsible for the availability of, or the content located on or through, any External Site. Please contact CompTIA if you have any concerns regarding such links or External Sites.

Trademark Notice
CompTIA®, Security+®, and the CompTIA logo are registered trademarks of CompTIA, Inc., in the U.S. and other countries. All other product and service names used may be common law or registered trademarks of their respective proprietors.

Copyright Notice
Copyright © 2023 CompTIA, Inc. All rights reserved. Screenshots used for illustrative purposes are the property of the software proprietor. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of CompTIA, 3500 Lacey Road, Suite 100, Downers Grove, IL 60515-5439.
This book conveys no rights in the software or other products about which it was written; all use or licensing of such software or other products is the responsibility of the user according to terms and conditions of the owner. If you believe that this book, related materials, or any other CompTIA materials are being reproduced or transmitted without permission, please call 1-866-835-8020 or visit https://help.comptia.org.

Table of Contents

Lesson 1: Summarize Fundamental Security Concepts
  Topic 1A: Security Concepts
  Topic 1B: Security Controls
Lesson 2: Compare Threat Types
  Topic 2A: Threat Actors
  Topic 2B: Attack Surfaces
  Topic 2C: Social Engineering
Lesson 3: Explain Cryptographic Solutions
  Topic 3A: Cryptographic Algorithms
  Topic 3B: Public Key Infrastructure
  Topic 3C: Cryptographic Solutions
Lesson 4: Implement Identity and Access Management
  Topic 4A: Authentication
  Topic 4B: Authorization
  Topic 4C: Identity Management
Lesson 5: Secure Enterprise Network Architecture
  Topic 5A: Enterprise Network Architecture
  Topic 5B: Network Security Appliances
  Topic 5C: Secure Communications
Lesson 6: Secure Cloud Network Architecture
  Topic 6A: Cloud Infrastructure
  Topic 6B: Embedded Systems and Zero Trust Architecture
Lesson 7: Explain Resiliency and Site Security Concepts
  Topic 7A: Asset Management
  Topic 7B: Redundancy Strategies
  Topic 7C: Physical Security
Lesson 8: Explain Vulnerability Management
  Topic 8A: Device and OS Vulnerabilities
  Topic 8B: Application and Cloud Vulnerabilities
  Topic 8C: Vulnerability Identification Methods
  Topic 8D: Vulnerability Analysis and Remediation
Lesson 9: Evaluate Network Security Capabilities
  Topic 9A: Network Security Baselines
  Topic 9B: Network Security Capability Enhancement
Lesson 10: Assess Endpoint Security Capabilities
  Topic 10A: Implement Endpoint Security
  Topic 10B: Mobile Device Hardening
Lesson 11: Enhance Application Security Capabilities
  Topic 11A: Application Protocol Security Baselines
  Topic 11B: Cloud and Web Application Security Concepts
Lesson 12: Explain Incident Response and Monitoring Concepts
  Topic 12A: Incident Response
  Topic 12B: Digital Forensics
  Topic 12C: Data Sources
  Topic 12D: Alerting and Monitoring Tools
Lesson 13: Analyze Indicators of Malicious Activity
  Topic 13A: Malware Attack Indicators
  Topic 13B: Physical and Network Attack Indicators
  Topic 13C: Application Attack Indicators
Lesson 14: Summarize Security Governance Concepts
  Topic 14A: Policies, Standards, and Procedures
  Topic 14B: Change Management
  Topic 14C: Automation and Orchestration
Lesson 15: Explain Risk Management Processes
  Topic 15A: Risk Management Processes and Concepts
  Topic 15B: Vendor Management Concepts
  Topic 15C: Audits and Assessments
Lesson 16: Summarize Data Protection and Compliance Concepts
  Topic 16A: Data Classification and Compliance
  Topic 16B: Personnel Policies
Appendix A: Mapping Course Content to CompTIA Security+
Glossary
Index
Presenting the Official CompTIA Security+ Student Guide (Exam SY0-701)

The Official CompTIA Security+ Student Guides (Exam SY0-701) have been developed by CompTIA for the CompTIA certification candidate. Rigorously evaluated by third-party subject matter experts to validate adequate coverage of the Security+ objectives, The Official CompTIA Security+ Student and Student Guides teach students the knowledge and skills required to assess the security posture of an enterprise environment and recommend and implement appropriate security solutions; monitor and secure hybrid environments, including cloud, mobile, and IoT; operate with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance; identify, analyze, and respond to security events and incidents; and to take the CompTIA Security+ certification exam.

The Official CompTIA Security+ Guides are created around several core principles including the following:

Focused on Job Roles and Objectives—The Official CompTIA Guides are organized into Courses, Lessons, and Topics that align training to work in the real world. At the course level, the content reflects a real job role, guided by the objectives and content examples in the CompTIA Exam Objectives document. Lessons refer to functional areas within that job role. Topics within each lesson relate to discrete job tasks.

Sound Instructional Design—The content within topics is presented in an instructional hierarchy that thoughtfully builds competencies through narrative and graphical learning components. Topics are designed to be delivered as 15–30 minute segments followed by scenario-based review activities. This approach keeps the student engaged, ensures success with the learning outcomes, and reinforces the core concepts to ensure long-term retention of new ideas.
Alignment and Consistency Across Course Guide, Labs, and Assessment—The presentation of course topics is designed to integrate with the CertMaster Labs product to provide regular opportunities for hands-on activities and assessment:

CertMaster Labs—Hosted labs that require only a browser and Internet connection, saving organizations hours of setup time. Their short durations of 10-20 minutes and modular design allow for labs to be easily integrated into the course presentation.

Multiple-choice assessments—Exam-style quizzes for each lesson, available via the CompTIA Learning Center.

Final assessment—Multiple-choice questions synthesizing concepts from all lessons, also available via the CompTIA Learning Center.

The course guide, labs, and assessments all work together with a similar approach and voice to present a cohesive single-sourced solution for a CompTIA certification course.

Preparing to Teach

The CompTIA Learning Center is an intuitive online platform that provides access to the eBook and all accompanying resources to support The Official CompTIA curriculum. An access key to the CompTIA Learning Center is delivered upon purchase of the print or eBook. The CompTIA Learning Center can be accessed at learn.comptia.org.

You can use the following resources to prepare to teach this course:

Student Tips—Throughout the Student Guide, you will see in the margins various presentation-focused icons that provide suggestions, answers to problems, and supplemental information to help you to teach the course. The text under these icons is not included in the Student Guide. These notes are also included in the notes section of the Student PowerPoint deck for easy reference while teaching.

Resources—Supporting materials for Students are available for downloading from the Resources menu in the CompTIA Learning Center.
In addition to course-specific delivery tips, and solutions to activities and discussion questions, you also have access to the following:

PowerPoint Slides—A complete set of PowerPoint slides is provided to facilitate the class.

Presentation Planners—Several Presentation Planners are provided in the Resources menu. The Planners help you to plan the class schedule and include examples of schedules for different course lengths, whether courses are continuous or offered separately across a multi-session series.

Transition Guide—A detailed guide with information on how the exam objectives and training content have changed from SY0-601 to SY0-701.

Videos—Videos complement the reading by providing short, engaging discussions and demonstrations of key technologies referenced in the course.

Assessments—Practice questions help to verify a student’s understanding of the material for each lesson. Answers and feedback can be reviewed after each question, or at the end of the assessment. A timed Final Assessment provides a practice-test-like experience to help students determine their readiness for the CompTIA certification exam. Students can review correct answers and full feedback after attempting the Final Assessment.

Using CertMaster Labs

CertMaster Labs allow students to learn on virtual machines configured with a variety of software applications and network topologies via a hosted virtualization environment. The labs align with The Official CompTIA Student and Student Guides and allow students to practice what they are learning using real, hands-on experiences. The labs help students gain experience with the practical tasks that will be expected of them in a job role and on the performance-based items found on CompTIA certification exams. All lab activities include gradable assessments, offer feedback and hints, and provide a score based on learner inputs.
There are two types of labs:

Assisted Labs provide detailed steps with graded assessment and feedback for the completion of each task. These labs are shorter, focus on a specific task, and typically take 10–15 minutes to complete.

Applied Labs are longer activities that provide a series of goal-oriented scenarios with graded assessment and feedback based on a learner’s ability to complete each goal successfully. Applied labs are typically 30–45 minutes long and cover multiple tasks a student has learned over the course of a block of lessons.

The position of assisted and applied labs to support lessons and topics within the course is included in the presentation planners.

Other features of CertMaster Labs include the following:

Browser-Based—The labs can be accessed with a browser and Internet connection, simplifying the setup process and enabling remote students to perform the activities without having to secure any special equipment or software.

Graded—Lab activities will more accurately assess a student’s ability to perform tasks (because they will get a score on their work) and will surface that information to Students.

Modular—The labs within each course are independent of each other and can be used in any order.

Ability to Save Work—Students can save their progress for 48 hours to allow for more flexibility in how you want to use labs during the course event.

Find more information about CertMaster Labs and how to purchase them at store.comptia.org.

Planning the Presentation

The course divides coverage of the exam objectives into blocks based around the following themes:

- General security concepts, including controls, threats, cryptography, and authentication (Lessons 1–4).
- Security architecture for on-premises networks, cloud, embedded, and sites (Lessons 5–7).
- Security operations, including vulnerability management, system hardening, and incident response (Lessons 8–13).
- Security program management and oversight (Lessons 14–16).

Within the instructional design hierarchy, the course structure tries to follow the exam objectives domain structure as far as possible, but some objectives and content examples are split between multiple lessons and topics so as to make the topics flow better and to eliminate duplications. The course is designed to be as modular as possible, so that you can use the content as flexibly as you wish.

Presentation planners are available to download from the CompTIA Learning Center on the Resources page. Because the content can be presented in a continuous flow or separately across a multi-session series, several sample timetables are provided. You can use these sample planners to determine how you will conduct the class to meet the needs of your own situation. A presentation planner helps you to structure the course by indicating the maximum amount of time you should spend on any one topic or activity. You will need to adjust these timings to suit your audience. Your presentation timing and flow may vary based on factors such as the size of the class, whether students are in specialized job roles, whether you plan to incorporate videos or other assets from the CompTIA Learning Center into the course, and so on.

For any given course event, you might need to employ time-saving techniques. Detailed notes are provided as Teaching Tips at the start of each lesson and topic, but consider the following general time-saving strategies:

- Some topics will require more detailed presentation, with use of the slide deck. Others, such as those that are well covered by prerequisite certifications, would suit a less formal style where you use questioning and lead a discussion to check students’ existing understanding.
- Some topics may be suitable for self-study, but if students have concerns about this, you will have to reduce the amount of lab activities to compensate.
- Ask participants to pre-read some of the content as “homework” to reduce class time spent on that topic.
- Summarize a topic in overview, and then answer questions during a later session when students have had a chance to study it in more detail.
- Consider a lab-first approach to selected topics, referring students to the study content for review later.

If students are struggling with lab activities, consider some of the following approaches:

- Demonstrate a lab as a walkthrough.
- Get students to partner up to complete a lab, with one student completing the steps and the other student advising and checking.
- Summarize the remaining parts of a lab if students do not have time to finish in class.

About This Course

CompTIA is a not-for-profit trade association with the purpose of advancing the interests of IT professionals and IT channel organizations; its industry-leading IT certifications are an important part of that mission. CompTIA's Security+ certification is a global certification that validates the foundational cybersecurity skills necessary to perform core security functions and pursue an IT security career. This exam will certify the successful candidate has the knowledge and skills required to assess the security posture of an enterprise environment and recommend and implement appropriate security solutions; monitor and secure hybrid environments, including cloud, mobile, and IoT; operate with an awareness of applicable regulations and policies, including principles of governance, risk, and compliance; identify, analyze, and respond to security events and incidents. Security+ is compliant with ISO 17024 standards.
Regulators and government rely on ANSI accreditation because it provides confidence and trust in the outputs of an accredited program.

CompTIA Security+ Exam Objectives

Course Description

Course Objectives

This course can benefit you in two ways. If you intend to pass the CompTIA Security+ (Exam SY0-701) certification examination, this course can be a significant part of your preparation. But certification is not the only key to professional success in the field of IT security. Today's job market demands individuals with demonstrable skills, and the information and activities in this course can help you build your cybersecurity skill set so that you can confidently perform your duties in any entry-level security role.

On course completion, you will be able to do the following:

- Summarize fundamental security concepts.
- Compare threat types.
- Explain appropriate cryptographic solutions.
- Implement identity and access management.
- Secure enterprise network architecture.
- Secure cloud network architecture.
- Explain resiliency and site security concepts.
- Explain vulnerability management.
- Evaluate network security capabilities.
- Assess endpoint security capabilities.
- Enhance application security capabilities.
- Explain incident response and monitoring concepts.
- Analyze indicators of malicious activity.
- Summarize security governance concepts.
- Explain risk management processes.
- Summarize data protection and compliance concepts.

Target Student

The Official CompTIA Security+ (Exam SY0-701) is the primary course you will need to take if your job responsibilities include safeguarding networks, detecting threats, and securing data in your organization. You can take this course to prepare for the CompTIA Security+ (Exam SY0-701) certification examination.
Prerequisites

To ensure your success in this course, you should have a minimum of two years of experience in IT administration with a focus on security, hands-on experience with technical information security, and a broad knowledge of security concepts. CompTIA A+ and CompTIA Network+, or the equivalent knowledge, is strongly recommended.

The prerequisites for this course might differ significantly from the prerequisites for the CompTIA certification exams. For the most up-to-date information about the exam prerequisites, complete the form on this page: www.comptia.org/training/resources/exam-objectives.

How to Use the Study Notes

The following notes will help you understand how the course structure and components are designed to support mastery of the competencies and tasks associated with the target job roles and will help you to prepare to take the certification exam.

As You Learn

At the top level, this course is divided into lessons, each representing an area of competency within the target job roles. Each lesson is composed of a number of topics. A topic contains subjects that are related to a discrete job task, mapped to objectives and content examples in the CompTIA exam objectives document. Rather than follow the exam domains and objectives sequence, lessons and topics are arranged in order of increasing proficiency. Each topic is intended to be studied within a short period (typically 30 minutes at most). Each topic is concluded by one or more activities, designed to help you to apply your understanding of the study notes to practical scenarios and tasks.

In addition to the study content in the lessons, there is a glossary of the terms and concepts used throughout the course. There is also an index to assist in locating particular terminology, concepts, technologies, and tasks within the lesson and topic content.
In many electronic versions of the book, you can click links on key words in the topic content to move to the associated glossary definition, and on page references in the index to move to that term in the content. To return to the previous location in the document after clicking a link, use the appropriate functionality in your eBook viewing software.

Watch throughout the material for the following visual cues.

A Note provides additional information, guidance, or hints about a topic or task.

A Caution note makes you aware of places where you need to be particularly careful with your actions, settings, or decisions so that you can be sure to get the desired results of an activity or task.

As You Review

Any method of instruction is only as effective as the time and effort you, the student, are willing to invest in it. In addition, some of the information that you learn in class may not be important to you immediately, but it may become important later. For this reason, we encourage you to spend some time reviewing the content of the course after your time in the classroom.

Following the lesson content, you will find a table mapping the lessons and topics to the exam domains, objectives, and content examples. You can use this as a checklist as you prepare to take the exam and to review any content that you are uncertain about.

As a Reference

The organization and layout of this book make it an easy-to-use resource for future reference. Guidelines can be used during class and as after-class references when you're back on the job and need to refresh your understanding. Taking advantage of the glossary, index, and table of contents, you can use this book as a first source of definitions, background information, and summaries.

How to Use the CompTIA Learning Center

The CompTIA Learning Center is an intuitive online platform that provides access to the eBook and all accompanying resources to support The Official CompTIA curriculum.
The CompTIA Learning Center can be accessed at learn.comptia.org. An access key to the CompTIA Learning Center is delivered upon purchase of the eBook. Use the CompTIA Learning Center to access the following resources:

Online Reader—The interactive online reader provides the ability to search, highlight, take notes, and bookmark passages in the eBook. You can also access the eBook through the CompTIA Learning Center eReader mobile app.

Videos—Videos complement the topic presentations in this study guide by providing short, engaging discussions and demonstrations of key technologies referenced in the course.

Assessments—Practice questions help to verify your understanding of the material for each lesson. Answers and feedback can be reviewed after each question or at the end of the assessment. A timed Final Assessment provides a practice-test-like experience to help you to determine how prepared you feel to attempt the CompTIA certification exam. You can review correct answers and full feedback after attempting the Final Assessment.

Strengths and Weaknesses Dashboard—The Strengths and Weaknesses Dashboard provides you with a snapshot of your performance. Data flows into the dashboard from your practice questions, Final Assessment scores, and your indicated confidence levels throughout the course.

Lesson 1: Summarize Fundamental Security Concepts

LESSON INTRODUCTION

Security is an ongoing process that includes assessing requirements, setting up organizational security systems, hardening and monitoring those systems, responding to attacks in progress, and deterring attackers. If you can summarize the fundamental concepts that underpin security functions, you can contribute more effectively to a security team.
You must also be able to explain the importance of compliance factors and best practice frameworks in driving the selection of security controls and how departments, units, and professional roles within different types of organizations implement the security function.

Lesson Objectives

In this lesson, you will do the following:

- Summarize information security concepts.
- Compare and contrast security control types.
- Describe security roles and responsibilities.

Topic 1A: Security Concepts

EXAM OBJECTIVES COVERED
1.2 Summarize fundamental security concepts.

To be successful and credible as a security professional, you should understand security in business starting from the ground up. You should know the key security terms and ideas used by security experts in technical documents and trade publications. Security implementations are constructed from fundamental building blocks, just like a large building is built from individual bricks. This topic will help you understand those building blocks so that you can use them as the foundation for your security career.

Information Security

Information security (infosec) refers to the protection of data resources from unauthorized access, attack, theft, or damage. Data may be vulnerable because of the way it is stored, transferred, or processed. The systems used to store, transmit, and process data must demonstrate the properties of security. Secure information has three properties, often referred to as the CIA Triad:

- Confidentiality means that information can only be read by people who have been explicitly authorized to access it.
- Integrity means that the data is stored and transferred as intended and that any modification is authorized.
- Availability means that information is readily accessible to those authorized to view or modify it.

The triad can also be referred to as "AIC" to avoid confusion with the Central Intelligence Agency.
Some security models and researchers identify other properties of secure systems. The most important of these is non-repudiation. Non-repudiation means that a person cannot deny doing something, such as creating, modifying, or sending a resource. For example, a legal document, such as a will, must usually be witnessed when it is signed. If there is a dispute about whether the document was correctly executed, the witness can provide evidence that it was.

Cybersecurity Framework

Within the goal of ensuring information security, cybersecurity refers specifically to provisioning secure processing hardware and software. Information security and cybersecurity tasks can be classified as five functions, following the framework developed by the National Institute of Standards and Technology (NIST) (nist.gov/cyberframework/online-learning/five-functions):

- Identify—develop security policies and capabilities. Evaluate risks, threats, and vulnerabilities and recommend security controls to mitigate them.
- Protect—procure/develop, install, operate, and decommission IT hardware and software assets with security as an embedded requirement of every stage of this operation’s lifecycle.
- Detect—perform ongoing, proactive monitoring to ensure that controls are effective and capable of protecting against new types of threats.
- Respond—identify, analyze, contain, and eradicate threats to systems and data security.
- Recover—implement cybersecurity resilience to restore systems and data if other controls are unable to prevent attacks.

[Figure: Core cybersecurity tasks.]

NIST’s framework is just one example. There are many other cybersecurity frameworks (CSF).

Gap Analysis

Each security function is associated with a number of goals or outcomes.
For example, one outcome of the Identify function is an inventory of the assets owned and operated by the company. Outcomes are achieved by implementing one or more security controls. Numerous categories and types of security controls cover a huge range of functions. This makes selection of appropriate and effective controls difficult. A cybersecurity framework guides the selection and configuration of controls. Frameworks are important because they save an organization from building its security program in a vacuum, or from building the program on a foundation that fails to account for important security concepts. The use of a framework allows an organization to make an objective statement of its current cybersecurity capabilities, identify a target level of capability, and prioritize investments to achieve that target. This gives a structure to internal risk management procedures and provides an externally verifiable statement of regulatory compliance.

Gap analysis is a process that identifies how an organization’s security systems deviate from those required or recommended by a framework. This will be performed when first adopting a framework or when meeting a new industry or legal compliance requirement. The analysis might be repeated every few years to meet compliance requirements or to validate any changes that have been made to the framework. For each section of the framework, a gap analysis report will provide an overall score, a detailed list of missing or poorly configured controls associated with that section, and recommendations for remediation.

Summary of gap analysis findings showing number of recommended controls not implemented per function and category; plus risks to confidentiality, integrity, and availability from missing controls; and target remediation date.
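The per-function report described above (score, missing controls, CIA properties at risk, remediation date), worked as a small scoring routine. This is an added example, not code from the guide; the control catalogue, its IDs, the inventory, and the 30-days-per-control remediation rule are constructed assumptions for illustration.

```python
"""Gap analysis scoring, added here as an illustration; it is not code from
the CompTIA guide. The framework catalogue, control IDs and inventory below
are constructed sample data with placeholder identifiers."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Control:
    control_id: str
    function: str               # one of Identify, Protect, Detect, Respond, Recover
    description: str
    protects: tuple             # CIA properties the control supports: "C", "I", "A"


# Constructed catalogue of recommended controls (placeholder IDs, not NIST's).
CATALOGUE = [
    Control("ID-1", "Identify", "Maintain a hardware asset inventory", ("C", "I", "A")),
    Control("ID-2", "Identify", "Maintain a software asset inventory", ("I", "A")),
    Control("PR-1", "Protect", "Enforce least-privilege access rights", ("C", "I")),
    Control("PR-2", "Protect", "Encrypt sensitive data at rest", ("C",)),
    Control("DE-1", "Detect", "Centralize and review security logs", ("C", "I", "A")),
    Control("RS-1", "Respond", "Maintain an incident response plan", ("A",)),
    Control("RC-1", "Recover", "Test backup restoration quarterly", ("A",)),
]


@dataclass
class FunctionGap:
    function: str
    score: float                               # fraction of controls implemented
    missing: list = field(default_factory=list)
    risks: set = field(default_factory=set)    # CIA properties left exposed
    target_date: Optional[date] = None         # remediation target, None if no gap


def gap_analysis(catalogue, implemented, assessed_on, days_per_control=30):
    """Compare implemented control IDs against the catalogue, per function.

    The remediation target is an assumption for this example: 30 days per
    missing control, counted from the assessment date.
    """
    by_function = {}
    for control in catalogue:
        by_function.setdefault(control.function, []).append(control)

    report = {}
    for function, controls in by_function.items():
        missing = [c for c in controls if c.control_id not in implemented]
        score = (len(controls) - len(missing)) / len(controls)
        risks = set()
        for c in missing:
            risks.update(c.protects)
        target = None
        if missing:
            target = assessed_on + timedelta(days=days_per_control * len(missing))
        report[function] = FunctionGap(function, score, missing, risks, target)
    return report


def prioritize(report):
    """Lowest score first: the functions with the most ground to make up."""
    return sorted(report.values(), key=lambda gap: (gap.score, gap.function))


def run_sample():
    """Constructed inventory of controls the organization has deployed."""
    implemented = {"ID-1", "PR-1", "DE-1", "RC-1"}
    return gap_analysis(CATALOGUE, implemented, date(2023, 6, 1))


if __name__ == "__main__":
    for gap in prioritize(run_sample()):
        ids = ", ".join(c.control_id for c in gap.missing) or "none"
        exposed = "".join(sorted(gap.risks)) or "-"
        print(f"{gap.function:<9} score={gap.score:.2f} missing={ids:<10} "
              f"risk_to={exposed:<3} target={gap.target_date}")
```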
While some or all work involved in gap analysis could be performed by the internal security team, a gap analysis is likely to involve third-party consultants. Frameworks and compliance requirements from regulations and legislation can be complex enough to require a specialist. Advice and feedback from an external party can alert the internal security team to oversights and to new trends and changes in best practice.

Access Control

An access control system ensures that an information system meets the goals of the CIA triad. Access control governs how subjects/principals may interact with objects. Subjects are people, devices, software processes, or any other system that can request and be granted access to a resource. Objects are the resources. An object could be a network, server, database, app, or file. Subjects are assigned rights or permissions on resources.

Modern access control is typically implemented as an identity and access management (IAM) system. IAM comprises four main processes:

Identification—creating an account or ID that uniquely represents the user, device, or process on the network.
Authentication—proving that a subject is who or what it claims to be when it attempts to access the resource. An authentication factor determines what sort of credential the subject can use. For example, people might be authenticated by providing a password; a computer system could be authenticated using a token such as a digital certificate.
Authorization—determining what rights subjects should have on each resource, and enforcing those rights. An authorization model determines how these rights are granted. For example, in a discretionary model, the object owner can allocate rights. In a mandatory model, rights are predetermined by system-enforced rules and cannot be changed by any user within the system.
Accounting—tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted.

Differences among identification, authentication, authorization, and accounting. (Images © 123RF.com.)

The servers and protocols that implement these functions can also be referred to as authentication, authorization, and accounting (AAA). The use of IAM to describe enterprise security workflows is becoming more prevalent as the importance of the identification process is better acknowledged. For example, if you are setting up an e-commerce site and want to enroll users, you need to select the appropriate controls to perform each function:

Identification—ensure that customers are legitimate. For example, you might need to ensure that billing and delivery addresses match and that they are not trying to use fraudulent payment methods.
Authentication—ensure that customers have unique accounts and that only they can manage their orders and billing information.
Authorization—rules to ensure customers can place orders only when they have valid payment mechanisms in place. You might operate loyalty schemes or promotions that authorize certain customers to view unique offers or content.
Accounting—the system must record the actions a customer takes (to ensure that they cannot deny placing an order, for instance).

Remember that these processes apply both to people and to systems. For example, you need to ensure that your e-commerce server can authenticate its identity when customers connect to it using a web browser.

Answer the following questions:

1. What are the properties of a secure information processing system?
Confidentiality, integrity, and availability (and non-repudiation)

2. What term is used to describe the property of a secure network where a sender cannot deny having sent a message?
Non-repudiation

3. A company provides a statement of deviations from framework best practices to a regulator. What process has the company performed?
Gap analysis

4. What process within an access control framework logs actions performed by subjects?
Accounting

5. What is the difference between authorization and authentication?
Authorization means granting the account that has been configured for the user on the computer system the right to make use of a resource. Authorization manages the privileges granted on the resource. Authentication protects the validity of the user account by testing that the person accessing that account is who they say they are.

6. How does accounting provide non-repudiation?
A user’s actions are logged on the system. Each user is associated with a unique computer account. As long as the user’s authentication is secure and the logging system is tamperproof, they cannot deny having performed the action.

Security Controls

EXAM OBJECTIVES COVERED
1.1 Compare and contrast various types of security controls.

Information security and cybersecurity assurance is met by implementing security controls. By identifying basic security control types, you will be better prepared to select and implement the most appropriate controls for a given scenario. You should also be able to describe how specific job roles and organizational structures can implement a comprehensive security program for organizations.

Security Control Categories

Information and cybersecurity assurance usually takes place within an overall process of business risk management. Implementation of cybersecurity functions is often the responsibility of the IT department.
There are many different ways of thinking about how IT services should be governed to fulfill overall business needs. Some organizations have developed IT service frameworks to provide best practice guides to implementing IT and cybersecurity. These frameworks can shape company policies and provide checklists of procedures, activities, and technologies that represent best practice. Collectively, these procedures, activities, and tools can be referred to as security controls. A security control is designed to give a system or data asset the properties of confidentiality, integrity, availability, and non-repudiation. Controls can be divided into four broad categories based on the way the control is implemented:

Managerial—the control gives oversight of the information system. Examples could include risk identification or a tool allowing the evaluation and selection of other security controls.
Operational—the control is implemented primarily by people. For example, security guards and training programs are operational controls.
Technical—the control is implemented as a system (hardware, software, or firmware). For example, firewalls, antivirus software, and OS access control models are technical controls.
Physical—controls such as alarms, gateways, locks, lighting, and security cameras that deter and detect access to premises and hardware are often placed in a separate category to technical controls.

Categories of security controls

Although it uses a different scheme, be aware of the way the National Institute of Standards and Technology (NIST) classifies security controls (csrc.nist.gov/publications/detail/sp/800-53/rev-5/final).
Security Control Functional Types

As well as a category, a security control can be defined according to the goal or function it performs:

Preventive—the control acts to eliminate or reduce the likelihood that an attack can succeed. A preventive control operates before an attack can take place. Access control lists (ACL) configured on firewalls and file system objects are preventive-type technical controls. Antimalware software acts as a preventive control by blocking malicious processes from executing.
Detective—the control may not prevent or deter access, but it will identify and record an attempted or successful intrusion. A detective control operates during an attack. Logs provide one of the best examples of detective-type controls.
Corrective—the control eliminates or reduces the impact of a security policy violation. A corrective control is used after an attack. A good example is a backup system that restores data that was damaged during an intrusion. Another example is a patch management system that eliminates the vulnerability exploited during the attack.

While most controls can be classed functionally as preventive, detective, or corrective, a few other types can be used to define other cases:

Directive—the control enforces a rule of behavior, such as a policy, best practice standard, or standard operating procedure (SOP). For example, an employee’s contract will set out disciplinary procedures or causes for dismissal if they do not comply with policies and procedures. Training and awareness programs can also be considered as directive controls.
Deterrent—the control may not physically or logically prevent access, but it psychologically discourages an attacker from attempting an intrusion. This could include signs and warnings of legal penalties against trespass or intrusion.
Compensating—the control is a substitute for a principal control, as recommended by a security standard, and affords the same (or better) level of protection but uses a different methodology or technology.

Functional types of security controls. (Images © 123RF.com.)

Information Security Roles and Responsibilities

A security policy is a formalized statement that defines how security will be implemented within an organization. It describes the means the organization will take to protect the confidentiality, availability, and integrity of sensitive data and resources. The implementation of a security policy to support the goals of the CIA triad might be very different for a school, a multinational accountancy firm, or a machine tool manufacturer. However, each of these organizations, or any other organization (in any sector of the economy, whether profit-making or non-profit-making), should have the same interest in ensuring that its employees, equipment, and data are secure against attack or damage. An organization that develops security policies and uses framework-based security controls has a strong security posture.

As part of the process of adopting an effective organizational security posture, employees must be aware of their responsibilities. The structure of security responsibilities will depend on the size and hierarchy of an organization, but these roles are typical. Overall responsibility for the IT function lies with a Chief Information Officer (CIO). This role might also have direct responsibility for security. Some organizations will also appoint a Chief Technology Officer (CTO), with more specific responsibility for ensuring effective use of new and emerging IT products and solutions to achieve business goals. In larger organizations, internal responsibility for security might be allocated to a dedicated department, run by a Chief Security Officer (CSO) or Chief Information Security Officer (CISO).
Managers may have responsibility for a domain, such as building control, web services, or accounting. Technical and specialist staff have responsibility for implementing, maintaining, and monitoring the policy. Security might be made a core competency of systems and network administrators, or there may be dedicated security administrators. One such job title is Information Systems Security Officer (ISSO). Nontechnical staff have the responsibility of complying with policy and with any relevant legislation. External responsibility for security (due care or liability) lies mainly with directors or owners, though again it is important to note that all employees share some measure of responsibility.

NIST's National Initiative for Cybersecurity Education (NICE) categorizes job tasks and job roles within the cybersecurity industry (gov/itl/applied-cybersecurity/nice/nice-framework-resource-center).

Information Security Competencies

IT professionals working in a role with security responsibilities must be competent in a wide range of disciplines, from network and application design to procurement and human resources (HR). The following activities might be typical of such a role:

Participate in risk assessments and testing of security systems and make recommendations.
Specify, source, install, and configure secure devices and software.
Set up and maintain document access control and user privilege profiles.
Monitor audit logs, review user privileges, and document access controls.
Manage security-related incident response and reporting.
Create and test business continuity and disaster recovery plans and procedures.
Participate in security training and education programs.

Information Security Business Units

The following units are often used to represent the security function within the organizational hierarchy.
Security Operations Center (SOC)

A security operations center (SOC) is a location where security professionals monitor and protect critical information assets across other business functions, such as finance, operations, sales/marketing, and so on. Because SOCs can be difficult to establish, maintain, and finance, they are usually employed by larger corporations, like a government agency or a healthcare company.

A security operations center (SOC) provides resources and personnel to implement rapid incident detection and response, plus oversight of cybersecurity operations. (Image © gorodenkoff 123RF.com.)

DevSecOps

Network operations and use of cloud computing make ever-increasing use of automation through software code. Traditionally, software code would be the responsibility of a programming or development team. Separate development and operations departments or teams can lead to silos, where each team does not work effectively with the other. Development and operations (DevOps) is a cultural shift within an organization to encourage much more collaboration between developers and systems administrators. By creating a highly orchestrated environment, IT personnel and developers can build, test, and release software faster and more reliably.

DevSecOps extends the boundary to security specialists and personnel, reflecting the principle that security is a primary consideration at every stage of software development and deployment. This is also known as shift left, meaning that security considerations need to be made during requirements and planning phases, not grafted on at the end. The principle of DevSecOps recognizes this and shows that security expertise must be embedded into any development project. Ancillary to this is the recognition that security operations can be conceived of as software development projects.
Security tools can be automated through code. Consequently, security operations need to take on developer expertise to improve detection and monitoring.

Incident Response

A dedicated computer incident response team (CIRT)/computer security incident response team (CSIRT)/computer emergency response team (CERT) is a single point of contact for the notification of security incidents. This function might be handled by the SOC or it might be established as an independent business unit.

Security Controls

Answer the following questions:

1. You have implemented a secure web gateway that blocks access to a social networking site. How would you categorize this type of security control?
It is a technical type of control (implemented in software) and acts as a preventive measure.

2. A company has installed motion-activated floodlighting on the grounds around its premises. What class and function is this security control?
It would be classed as a physical control, and its function is both detecting and deterring.

3. A firewall appliance intercepts a packet that violates policy. It automatically updates its access control list to block all further packets from the source IP. What TWO functions did the security control perform?
Preventive and corrective

4. If a security control is described as operational and compensating, what can you determine about its nature and function?
The control is enforced by a person rather than a technical system, and the control has been developed to replicate the functionality of a primary control, as required by a security standard.

5. A multinational company manages a large amount of valuable intellectual property (IP) data, plus personal data for its customers and account holders. What type of business unit can be used to manage such important and complex security requirements?
A security operations center (SOC)

6. A business is expanding rapidly, and the owner is worried about tensions between its established IT and programming divisions. What type of security business unit or function could help to resolve these issues?
Development and operations (DevOps) is a cultural shift within an organization to encourage more collaboration between developers and systems administrators. DevSecOps embeds the security function within these teams as well.

Summary

You should be able to compare and contrast security controls using categories and functional types. You should also be able to explain how general security concepts and frameworks are used to develop and validate security policies and control selection.

Guidelines for Summarizing Security Concepts and Security Controls

Follow these guidelines when you assess the use of security controls and frameworks in your organization:

Create a security mission statement and supporting policies that emphasize the importance of the CIA triad: confidentiality, integrity, availability.
Assign roles so that security tasks and responsibilities are clearly understood and that impacts to security are assessed and mitigated across the organization.
Consider creating business units, departments, or projects to support the security function, such as a SOC, CIRT, and DevSecOps.
Identify and assess the laws and industry regulations that impose compliance requirements on your business.
Select a framework that meets your organization’s compliance requirements and business needs.
Create a matrix of security controls that are currently in place to identify categories and functions—consider deploying additional controls for any unmatched capabilities.
Perform a gap analysis to evaluate security capabilities against framework requirements and identify goals for developing additional cybersecurity competencies and improving overall information security assurance.

Lesson 2: Compare Threat Types

LESSON INTRODUCTION

To make an effective security assessment, you must be able to explain strategies for both defense and attack. Your responsibilities are likely to lie principally in defending assets, but to do this you must be able to explain the tactics, techniques, and procedures of threat actors. You must also be able to differentiate the types and capabilities of threat actors and the ways they can exploit the attack surface that your networks and systems expose.

Lesson Objectives

In this lesson, you will do the following:

Compare and contrast attributes and motivations of threat actor types.
Explain common threat vectors and attack surfaces.

Threat Actors

EXAM OBJECTIVES COVERED
2.1 Compare and contrast common threat actors and motivations.

When you assess your organization’s security posture, you must apply the concepts of vulnerability, threat, and risk. Risk is a measure of the likelihood and impact of a threat actor being able to exploit a vulnerability in your organization’s security systems. To evaluate these factors, you must be able to evaluate the sources of threats or threat actors. This topic will help you to classify and evaluate the motivation and capabilities of threat actor types so that you can assess and mitigate risks more effectively.

Vulnerability, Threat, and Risk

Security teams must identify ways in which their systems could be attacked. These assessments involve vulnerability, threat, and risk:

Vulnerability is a weakness that could be triggered accidentally or exploited intentionally to cause a security breach.
Examples of vulnerabilities include improperly configured or installed hardware or software, delays in applying and testing software and firmware patches, poorly designed network architecture, inadequate physical security, insecure password usage, and design flaws in software or operating systems. Factors such as the value of the vulnerable asset and the ease of exploiting the fault determine the severity of vulnerabilities.
Threat is the potential for someone or something to exploit a vulnerability and breach security. A threat can have an intentional motivation or be unintentional. The person or thing that poses the threat is called a threat actor or threat agent. The path or tool used by a malicious threat actor is a threat vector.
Risk is the level of hazard posed by vulnerabilities and threats. When a vulnerability is identified, risk is calculated as the likelihood of it being exploited by a threat actor and the impact that a successful exploit would have.

Relationship between vulnerability, threat, and risk.

Attributes of Threat Actors

Historically, cybersecurity techniques relied on the identification of static known threats, such as viruses or rootkits, Trojans, botnets, and exploits for specific software vulnerabilities. It is relatively straightforward to identify and scan for these types of threats with automated software. Unfortunately, adversaries were able to develop means of circumventing this type of signature-based scanning. The sophisticated nature of modern cybersecurity threats requires the creation of profiles of threat actor types and behaviors. This analysis involves identifying the attributes of threat actors’ location, capability, resources/funding, and motivation.

Internal/External

Internal/external refers to the degree of access that a threat actor possesses before initiating an attack.
An external threat actor has no account or authorized access to the target system. A malicious external threat must infiltrate the security system using unauthorized access, such as breaking into a building or hacking into a network. Note that an external actor may perpetrate an attack remotely or on-premises. It is the threat actor that is external rather than the attack method. Conversely, an internal/insider threat actor has been granted permissions on the system. This typically means an employee, but insider threats can also arise from contractors and business partners.

Level of Sophistication/Capability

Level of sophistication/capability refers to a threat actor’s ability to use advanced exploit techniques and tools. The least capable threat actor relies on commodity attack tools that are widely available. More capable actors can fashion new exploits in operating systems, applications software, and embedded control systems. At the highest level, a threat actor might use non-cyber tools such as political or military assets.

Resources/Funding

A high level of capability must be supported by resources/funding. Sophisticated threat actor groups need to be able to acquire resources, such as customized attack tools and skilled strategists, designers, coders, hackers, and social engineers. The most capable threat actor groups receive funding from nation-states and organized crime.

Motivations of Threat Actors

Motivation is the threat actor’s reason for perpetrating the attack. A malicious threat actor could be motivated by greed, curiosity, or some grievance, for instance. Threats can be characterized as structured/targeted or unstructured/opportunistic, depending on how widely an attack is perpetrated. For example, a criminal gang attempting to steal customers’ financial data from a company’s database system is a structured, targeted threat.
An unskilled hacker launching some variant of the “I Love You” email worm sent to a stolen mailing list is an unstructured, opportunistic threat. A threat actor with malicious motivation can be contrasted with an accidental or unintentional threat actor. An unintentional threat actor represents accidents, oversights, and other mistakes.

To help to analyze motivations, it is first useful to consider the general strategies that a threat actor could use to achieve an objective:

Service disruption—prevents an organization from working as it does normally. This could involve an attack on their website or using malware to block access to servers and employee workstations. Service disruption can be an end in itself if the threat actor’s motivation is to sow chaos or gain revenge. Service disruption can be used as a blackmail threat, or it can be used as a tactic in the pursuit of some different strategic objective.
Data exfiltration—transfers a copy of some type of valuable information from a computer or network without authorization. A threat actor might perform this type of theft because they want the data asset for themselves, because they can exploit its loss as blackmail or to sell it to a third party.
Disinformation—falsifies some type of trusted resource, such as changing the content of a website, manipulating search engines to inject fake sites, or using bots to post false information to social media sites.

You can relate these strategies to the way they affect the CIA triad: data exfiltration compromises confidentiality, disinformation attacks integrity, and service disruption targets availability.

Chaotic Motivations

In the early days of the Internet, many service disruption and disinformation attacks were perpetrated with the simple goal of causing chaos.
Hackers might deface websites or release worms that brought corporate networks to a standstill for no other reason than to gain credit for the hack. This type of vandalism for its own sake is less prevalent now. Attackers might use service disruption and disinformation to further political ends, or nation-states might use it to further war aims. Another risk is threat actors motivated by revenge. Revenge attacks might be perpetrated by an employee or former employee or by any external party with a grievance.

Financial Motivations

As hacking and malware became both more sophisticated and better commodified, the opportunities to use them for financial gain grew quickly. If an attacker is able to steal data, they might be able to sell it to other parties. Alternatively, they might use an attack to threaten the victim with blackmail or extortion or to perpetrate fraud:

Blackmail is demanding payment to prevent the release of information. A threat actor might have stolen information or created false data that makes it appear as though the target has committed a crime.
Extortion is demanding payment to prevent or halt some type of attack. For example, a threat actor might have used malware to block access to an organization’s computers and demand payment to unlock them.
Fraud is falsifying records. Internal fraud might involve tampering with accounts to embezzle funds or inventing customer details to launder money. Criminals might use disinformation to commit fraud, such as posting fake news to affect the share price of a company, promote pyramid schemes, or to create fake companies.

Political Motivations

A political motivation means that the threat actor uses an attack to bring about some type of change in society or governance.
This can cover a very wide range of motivations:

An employee acting as a whistleblower because of some ethical concern about the organization’s behavior.
A campaign group disrupting the services of an organization that they believe acts in contradiction to their ethical or philosophical beliefs.
A nation-state using service disruption, data exfiltration, or disinformation against government organizations or companies in another state in pursuit of war aims.

Nation-states commonly perpetrate espionage and disinformation attacks against one another, whether or not they are at war. In cybersecurity, espionage is a type of data exfiltration aimed to learn secrets rather than sell them or use the theft for blackmail. There is also the threat of commercial espionage, where a company attempts to steal the secrets of a competitor.

Hackers and Hacktivists

Given awareness of the general strategies and motivations, it can also be helpful to evaluate the risk that well-known threat actor types or profiles pose to a business.

Hackers

Hacker describes an individual who has the skills to gain access to computer systems through unauthorized or unapproved means. Originally, hacker was a neutral term for a user who excelled at computer programming and computer system administration. Hacking into a system was a sign of technical skill and creativity that gradually became associated with illegal or malicious system intrusions. The terms unauthorized (previously known as black hat) and authorized (previously known as white hat) are used to distinguish these motivations. A white hat hacker always seeks authorization to perform penetration testing of private and proprietary systems.

Unskilled Attackers

An unskilled attacker is someone who uses hacker tools without necessarily understanding how they work or having the ability to craft new attacks. Unskilled attacks might have no specific target or any reasonable goal other than gaining attention or proving technical abilities.
Hacker Teams and Hacktivists

The historical image of a hacker is that of a loner, acting as an individual with few resources or funding. While the “lone hacker” remains a threat that must be accounted for, threat actors are now likely to work as part of a team or group. The collaborative team effort means that these threat actors are able to develop sophisticated tools and novel strategies.

A hacktivist group, such as Anonymous, WikiLeaks, or LulzSec, uses cyber weapons to promote a political agenda. Hacktivists might attempt to use data exfiltration to obtain and release confidential information to the public domain, perform service disruption attacks, or deface websites to spread disinformation. Political, media, and financial groups and companies are most at risk of becoming a target for hacktivists, but environmental and animal advocacy groups may target companies in a wide range of industries.

Nation-State Actors

Most nation-states have developed cybersecurity expertise and will use cyber weapons to achieve military and commercial goals. The security company Mandiant’s APT1 report into Chinese cyber espionage units shaped the language and understanding of cyber-attack lifecycles. The term advanced persistent threat (APT) was coined to describe the behavior underpinning modern types of cyber adversaries. Rather than think in terms of systems being infected with a virus or Trojan, an APT refers to the ability of an adversary to achieve ongoing compromise of network security—to obtain and maintain access—using a variety of tools and techniques. Nation-state actors have been implicated in many attacks, particularly on energy, health, and electoral systems. The goals of state actors are primarily disinformation and espionage for strategic advantage, but it is known for countries—North Korea being a good example—to target companies for financial gain.
Researchers such as The MITRE Corporation report on the activities of organized crime and nation-state actors. (Screenshot © 2023 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.)

State actors will work at arm’s length from the national government, military, or security service that sponsors and protects them, maintaining “plausible deniability.” They are likely to pose as independent groups or even as hacktivists. They may wage false flag disinformation campaigns that try to implicate other states.

Organized Crime and Competitors

In many countries, cybercrime has overtaken physical crime in terms of the number of incidents and losses. Organized crime can operate across the Internet from a different jurisdiction than its victim, increasing the complexity of prosecution. Criminals will seek any opportunity for profit, but typical activities are financial fraud—against individuals and companies—and blackmail/extortion.

Most espionage is thought to be pursued by state actors, but it is not inconceivable that a rogue business might use cyber espionage against its competitors. Such attacks could aim at theft, at disrupting a competitor’s business, or at damaging its reputation. Competitor attacks might be facilitated by employees who have recently changed companies and bring insider knowledge with them.

Internal Threat Actors

Many threat actors operate externally from the networks they target. An external actor has to break into the system without having any legitimate permissions. An internal threat (or insider threat) arises from an actor identified by the organization and granted some type of access. Within this group of internal threats, you can distinguish insiders with permanent privileges, such as employees, from insiders with temporary privileges, such as contractors and guests.
There is the blurred case of former insiders, such as ex-employees now working at another company or who have been dismissed and now harbor a grievance. These can be classified as internal threats or treated as external threats with insider knowledge, and possibly some residual permissions, if effective offboarding controls are not in place.

The main motivators for a malicious internal threat actor are revenge and financial gain. Like external threats, insider threats can be opportunistic or targeted. An employee who plans and executes a campaign to modify invoices and divert funds is launching a structured attack; an employee who tries to guess the password on the salary database a couple of times, having noticed that the file is available on the network, is perpetrating an opportunistic attack. You must also assess the possibility that an insider threat may be working in collaboration with an external threat actor or group.

A whistleblower is someone with an ethical motivation for releasing confidential information. While this could be classed as an internal threat in some respects, it is important to realize that whistleblowers making protected disclosures, such as reporting financial fraud through an authorized channel, cannot themselves be threatened or labeled in any way that seems retaliatory or punitive.

Insider threats can also arise from unintentional sources. Unintentional or inadvertent insider threat is often caused by lack of awareness or carelessness, such as users demonstrating poor password management. Another example of unintentional insider threat is the concept of shadow IT, where users purchase or introduce computer hardware or software to the workplace without the sanction of the IT department and without going through a procurement and security analysis process. The problem of shadow IT is exacerbated by the proliferation of cloud services and mobile devices, which are easy for users to obtain.
Shadow IT creates a new unmonitored attack surface for malicious adversaries to exploit.

Threat Actors

Answer the following questions:

1. Which of the following would be assessed by likelihood and impact: vulnerability, threat, or risk?

Risk. To assess likelihood and impact, you must identify both the vulnerability and the threat posed by a potential exploit.

2. True or false? Nation-state actors only pose a risk to other states.

False. Nation-state actors have targeted commercial interests for theft, espionage, and extortion.

3. You receive an email with a screenshot showing a command prompt at one of your application servers. The email suggests you engage the hacker for a day’s consultancy to patch the vulnerability. How should you categorize this threat?

If the consultancy is refused and the hacker takes no further action, it can be classed as for financial gain only. If the offer is declined and the hacker then threatens to sell the exploit or to publicize the vulnerability, then the motivation is criminal.

4. Which type of threat actor is primarily motivated by the desire for political change?

Hacktivist

5. Which three types of threat actor are most likely to have high levels of funding?

State actors, organized crime, and competitors

Attack Surfaces

EXAM OBJECTIVES COVERED

2.2 Explain common threat vectors and attack surfaces.

Understanding the methods by which threat actors infiltrate networks and systems is essential for you to assess the attack surface of your networks and deploy controls to block attack vectors.

Attack Surface and Threat Vectors

The attack surface is all the points at which a malicious threat actor could try to exploit a vulnerability.
Any location or method where a threat actor can interact with a network port, app, computer, or user is part of a potential attack surface. Minimizing the attack surface means restricting access so that only a few known endpoints, protocols/ports, and services/methods are permitted. Each of these must be assessed for vulnerabilities and monitored for intrusions.

Assessing the attack surface.

An organization has an overall attack surface. You can also assess attack surfaces at more limited scopes, such as that of a single server or computer, a web application, or employee identities and accounts.

To evaluate the attack surface, you need to consider the attributes of threat actors that pose the most risk to your organization. For example, the attack surface for an external actor should be far smaller than that for an insider threat.

From a threat actor’s perspective, each part of the attack surface represents a potential vector for attempting an intrusion. A threat vector is the path that a threat actor uses to execute a data exfiltration, service disruption, or disinformation attack. Sophisticated threat actors will make use of multiple vectors. They are likely to plan a multistage campaign, rather than a single “smash and grab” type of raid. Highly capable threat actors will be able to develop novel vectors. This means that the threat actor’s knowledge of your organization’s attack surface may be better than your own.

The terms "threat vector" and "attack vector" are often taken to mean the same thing. Some sources distinguish the use of threat vector to refer to analysis of the potential attack surface and attack vector to analyze an exploit that has been successfully executed.

Vulnerable Software Vectors

Vulnerable software contains a flaw in its code or design that can be exploited to circumvent access control or to crash the process.
Typically, vulnerabilities can only be exploited in quite specific circumstances and are often fixed—patched—swiftly by the vendor. However, because of the complexity of modern software and the speed with which new versions must be released to market, almost no software is free from vulnerabilities. Also, an organization might not have an effective patch management system. Consequently, vulnerable software is a commonly exploited threat vector.

The large number of operating systems and applications running on a company’s appliances, servers, clients, and cloud networks directly increases the potential attack surface. This attack surface can be reduced by consolidating to fewer products and by ensuring the same version of a product is deployed across the organization.

The impact and consequences of a software vulnerability are varied. As two contrasting examples, consider vulnerabilities affecting Adobe’s PDF document reader versus a vulnerability in the server software underpinning transport security. The former could give a threat actor a foothold on a corporate network via a workstation; the latter could compromise the cryptographic keys used to provide secure web services. Both are potentially high impact for different reasons.

Unsupported Systems and Applications

Unsupported systems and applications are a particular reason that vulnerable software will be exposed as a threat vector. An unsupported system is one where its vendor no longer develops updates and patches. Unless the organization is able to patch the faulty code itself, these services and apps will be highly vulnerable to exploits. One strategy for dealing with unsupported apps that cannot be replaced is to try to isolate them from other systems. The idea is to reduce opportunities for a threat actor to access the vulnerable app and run exploit code. Using isolation as a substitute for patch management is an example of a compensating control.
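The attack-surface guidance above (permit only known endpoints, ports, and services; consolidate to one version of each product) and the unsupported-systems guidance (identify end-of-life software so it can be isolated as a compensating control) can both be turned into a single review over a service inventory. The following is an added example, not code from the CompTIA guide; the hosts, product names, versions, allowlist, and end-of-support dates are all constructed sample data, and a real inventory would come from the organization's own agent-based or agentless scans.

```python
"""Attack-surface inventory review (added example, not from the CompTIA guide).

Three checks that correspond to the reduction steps in the text:
  1. Internet-exposed listeners that the policy does not permit.
  2. Products deployed in more than one version (consolidation candidates).
  3. Services whose version is past its vendor end-of-support date, which
     need a compensating control such as network isolation.
All hosts, products, versions and dates are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str        # "tcp" or "udp"
    product: str      # constructed product name
    version: str
    exposure: str     # "internet" or "internal"


# Constructed inventory, shaped like what a vulnerability scanner would collect.
INVENTORY = [
    Service("web01", 443, "tcp", "httpd", "2.4.58", "internet"),
    Service("web02", 443, "tcp", "httpd", "2.4.41", "internet"),
    Service("web02", 8080, "tcp", "admin-console", "1.2", "internet"),
    Service("app01", 8443, "tcp", "appserver", "9.0", "internal"),
    Service("db01", 5432, "tcp", "dbms", "11.5", "internal"),
    Service("legacy01", 445, "tcp", "fileshare", "1.0", "internal"),
]

# Policy: the only (port, proto) -> products permitted to face the Internet.
EXTERNAL_ALLOWLIST = {
    (443, "tcp"): {"httpd"},
}

# Constructed vendor end-of-support dates per (product, version).
END_OF_SUPPORT = {
    ("httpd", "2.4.41"): date(2022, 1, 1),
    ("fileshare", "1.0"): date(2019, 6, 30),
    ("dbms", "11.5"): date(2026, 11, 30),
}

# Date the review is run against (constructed, fixed so results are reproducible).
REVIEW_DATE = date(2024, 1, 1)


def unapproved_external_services(inventory, allowlist):
    """Internet-exposed listeners that the policy does not permit."""
    return [
        s for s in inventory
        if s.exposure == "internet"
        and s.product not in allowlist.get((s.port, s.proto), set())
    ]


def unsupported_services(inventory, eol, today):
    """Services whose (product, version) passed its end-of-support date."""
    return [
        s for s in inventory
        if (s.product, s.version) in eol and eol[(s.product, s.version)] < today
    ]


def version_sprawl(inventory):
    """Products deployed in more than one version, with the versions seen."""
    versions = defaultdict(set)
    for s in inventory:
        versions[s.product].add(s.version)
    return {p: sorted(v) for p, v in versions.items() if len(v) > 1}


def review(inventory, allowlist, eol, today):
    """Summarize the three checks as sorted host:port strings and a sprawl map."""
    return {
        "unapproved_external": sorted(
            f"{s.host}:{s.port}" for s in unapproved_external_services(inventory, allowlist)
        ),
        "unsupported": sorted(
            f"{s.host}:{s.port}" for s in unsupported_services(inventory, eol, today)
        ),
        "version_sprawl": version_sprawl(inventory),
    }


if __name__ == "__main__":
    for finding, detail in review(INVENTORY, EXTERNAL_ALLOWLIST, END_OF_SUPPORT, REVIEW_DATE).items():
        print(f"{finding}: {detail}")
```

The allowlist is keyed by port and protocol rather than by host, which matches the text's point that only a few known endpoints, ports, and services should be reachable: anything else exposed to the Internet is a finding regardless of which host it runs on. The unsupported check compares against a fixed review date so that the same inventory always produces the same result; in practice `date.today()` would be passed in.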
Client-Based versus Agentless

Scanning software helps organizations to automate the discovery and classification of software vulnerabilities. These tools can also be used by threat actors as part of reconnaissance against a target. This scanning software can be implemented as a client-based agent. The agent runs as a scanning process installed on each host and reports to a management server. Alternatively, the vulnerability management product might use agentless techniques to scan a host without requiring any sort of installation. Agentless scanning is most likely to be used in threat actor reconnaissance.

Network Vectors

Vulnerable software gives a threat actor the opportunity to execute malicious code on a system. To do this, the threat actor must be able to run exploit code on the system or over a network to trigger the vulnerability. An exploit technique for any given software vulnerability can be classed as either remote or local:

- Remote means that the vulnerability can be exploited by sending code to the target over a network and does not depend on an authenticated session with the system to execute.
- Local means that the exploit code must be executed from an authenticated session on the computer. The attack could still occur over a network, but the threat actor needs to use some valid credentials or hijack an existing session to execute it.

Consequently, to minimize risks from software vulnerabilities, administrators must reduce the attack surface by eliminating unsecure networks. An unsecure network is one that lacks the attributes of confidentiality, integrity, and availability:

- Lack of Confidentiality—threat actors are able to snoop on network traffic and recover passwords or other sensitive information. These are also described as eavesdropping attacks.
- Lack of Integrity—threat actors are able to attach unauthorized devices. These could be used to snoop on traffic or intercept and modify it, run spoofed services and apps, or run exploit code against other network hosts. These are often described as on-path attacks.
- Lack of Availability—threat actors are able to perform service disruption attacks. These are also described as denial of service (DoS) attacks.

A secure network uses an access control framework and cryptographic solutions to identify, authenticate, authorize, and audit network users, hosts, and traffic.

Some specific threat vectors associated with unsecure networks are as follows:

- Direct Access—the threat actor uses physical access to the site to perpetrate an attack. Examples could include getting access to an unlocked workstation; using a boot disk to try to install malicious tools; or physically stealing a PC, laptop, or disk drive.
- Wired Network—a threat actor with access to the site attaches an unauthorized device to a physical network port, and the device is permitted to communicate with other hosts. This potentially allows the threat actor to launch eavesdropping, on-path, and DoS attacks.
- Remote and Wireless Network—the attacker either obtains credentials for a remote access or wireless connection to the network or cracks the security protocols used for authentication. Alternatively, the attacker spoofs a trusted resource, such as an access point, and uses it to perform credential harvesting and then uses the stolen account details to access the network.
- Cloud Access—many companies now run part or all of their network services via Internet-accessible clouds. The attacker only needs to find one account, service, or host with weak credentials to gain access. The attacker is likely to target the accounts used to develop services in the cloud or manage cloud systems. They may also try to attack the cloud service provider (CSP) as a way of accessing the victim system.
- Bluetooth Network—the threat actor exploits a vulnerability or misconfiguration to transmit a malicious file to a user’s device over the Bluetooth personal area wireless networking protocol.
- Default Credentials—the attacker gains control of a network device or app because it has been left configured with a default password. Default credentials are likely to be published in the product’s setup documentation or are otherwise easy to discover.
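The "lack of integrity" attribute and the wired-network vector above both come down to an unauthorized device being attached and allowed to communicate. One inexpensive way to monitor for that is to reconcile the DHCP server's lease records against the organization's asset register. The following is an added example, not code from the CompTIA guide: the asset register, VLAN assignments, MAC addresses (locally administered 02:xx addresses so they belong to no vendor), and the simplified log format are all constructed, and a real deployment would parse the actual DHCP server's log format instead.

```python
"""Rogue-device detection from DHCP leases (added example, not from the
CompTIA guide).

Each acknowledged lease is checked against a constructed asset register.
Two findings are raised: a lease granted to a MAC address nobody registered
(a possible unauthorized device on a physical port), and a registered asset
appearing on a VLAN it is not assigned to (a possible moved or spoofed
device).  All addresses, names and log lines below are constructed.
"""
import re

# Constructed asset register: MAC -> (asset name, VLAN it is allowed on).
ASSET_REGISTER = {
    "02:00:00:aa:bb:01": ("laptop-17", 20),
    "02:00:00:aa:bb:02": ("printer-03", 20),
    "02:00:00:aa:bb:10": ("srv-app01", 10),
}

# Constructed DHCP log in a simplified "<time> DHCPACK <ip> <mac> vlan=<n>" form.
# The last line is a DISCOVER, not a granted lease, so it must be ignored.
DHCP_LOG = """\
2024-01-05T09:12:03Z DHCPACK 10.0.20.57 02:00:00:AA:BB:01 vlan=20
2024-01-05T09:14:41Z DHCPACK 10.0.20.58 02:00:00:aa:bb:02 vlan=20
2024-01-05T09:20:09Z DHCPACK 10.0.10.14 02:00:00:aa:bb:01 vlan=10
2024-01-05T09:25:55Z DHCPACK 10.0.20.99 02:00:00:de:ad:01 vlan=20
2024-01-05T09:26:00Z DHCPDISCOVER 02:00:00:de:ad:02 vlan=20
"""

LEASE_RE = re.compile(
    r"^(?P<ts>\S+) DHCPACK (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) vlan=(?P<vlan>\d+)$"
)


def parse_leases(log_text):
    """Return granted leases as dicts; non-ACK and malformed lines are skipped."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            leases.append({
                "ts": m["ts"],
                "ip": m["ip"],
                "mac": m["mac"].lower(),   # normalize case before the register lookup
                "vlan": int(m["vlan"]),
            })
    return leases


def find_rogue_leases(leases, register):
    """Return (mac, ip, reason) for unknown MACs and assets on the wrong VLAN."""
    findings = []
    for lease in leases:
        entry = register.get(lease["mac"])
        if entry is None:
            findings.append((lease["mac"], lease["ip"], "unknown_device"))
        elif entry[1] != lease["vlan"]:
            findings.append((lease["mac"], lease["ip"], f"unexpected_vlan:{entry[0]}"))
    return findings


def run_detection(log_text=DHCP_LOG, register=ASSET_REGISTER):
    """Parse the log and reconcile it against the register in one call."""
    return find_rogue_leases(parse_leases(log_text), register)


if __name__ == "__main__":
    for mac, ip, reason in run_detection():
        print(f"ALERT {reason}: {mac} leased {ip}")
```

MAC addresses are trivially changed, so a lease that matches the register is not proof that the device is legitimate; this check catches the careless case (an unregistered device plugged into a live port) and leaves the deliberate case to port-based network access control, which is the access control framework the text says a secure network relies on.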