Full Transcript


Exam SY0-601 Dr. Hayam MOUSA

When most people think of cybersecurity, they imagine hackers trying to break into an organization's system and steal sensitive information, ranging from Social Security numbers and credit cards to top-secret military information. Although protecting sensitive information from unauthorized disclosure is certainly one element of a cybersecurity program, it is important to understand that cybersecurity actually has three complementary objectives, as shown:

Confidentiality ensures that unauthorized individuals are not able to gain access to sensitive information. Cybersecurity professionals develop and implement security controls, including firewalls, access control lists, and encryption, to prevent unauthorized access to information. Attackers may seek to undermine confidentiality controls to achieve one of their goals: the unauthorized disclosure of sensitive information.

Integrity ensures that there are no unauthorized modifications to information or systems, either intentionally or unintentionally. Integrity controls, such as hashing and integrity monitoring solutions, seek to enforce this requirement. Integrity threats may come from attackers seeking the alteration of information without authorization or nonmalicious sources, such as a power spike causing the corruption of information.

Availability ensures that information and systems are ready to meet the needs of legitimate users at the time those users request them. Availability controls, such as fault tolerance, clustering, and backups, seek to ensure that legitimate users may gain access as needed. Similar to integrity threats, availability threats may come either from attackers seeking the disruption of access or nonmalicious sources, such as a fire destroying a datacenter that contains valuable information or services.

Cybersecurity analysts often refer to these three goals, known as the CIA Triad, when performing their work.

They often characterize risks, attacks, and security controls as meeting one or more of the three CIA triad goals when describing them.

Security incidents occur when an organization experiences a breach of the confidentiality, integrity, and/or availability of information or information systems. These incidents may occur as the result of malicious activity, such as an attacker targeting the organization and stealing sensitive information, as the result of accidental activity, such as an employee leaving an unencrypted laptop in the back of a rideshare, or as the result of natural activity, such as an earthquake destroying a datacenter.

Security professionals are responsible for understanding these risks and implementing controls designed to manage those risks to an acceptable level. To do so, they must first understand the effects that a breach might have on the organization and the impact it might have on an ongoing basis.

Earlier in this chapter, we introduced the CIA triad, used to describe the three main goals of cybersecurity: confidentiality, integrity, and availability.

There is a related model: the DAD triad. This model explains the three key threats to cybersecurity efforts: disclosure, alteration, and denial.

Each of these three threats maps directly to one of the main goals of cybersecurity.

Disclosure is the exposure of sensitive information to unauthorized individuals, otherwise known as data loss. Disclosure is a violation of the principle of confidentiality. Attackers who gain access to sensitive information and remove it from the organization are said to be performing data exfiltration. Disclosure may also occur accidentally, such as when an administrator misconfigures access controls or an employee loses a device.

Alteration is the unauthorized modification of information and is a violation of the principle of integrity.
Attackers may seek to modify records contained in a system for financial gain, such as adding fraudulent transactions to a financial account. Alteration may occur as the result of natural activity, such as a power surge causing a bit flip that modifies stored data. Accidental alteration is also a possibility, if users unintentionally modify information stored in a critical system as the result of a typo or other unintended activity.

Denial is the unintended disruption of an authorized user's legitimate access to information. Denial events violate the principle of availability. This availability loss may be intentional, such as when an attacker launches a distributed denial-of-service (DDoS) attack against a website. Denial may also occur as the result of accidental activity, such as the failure of a critical server, or as the result of natural activity, such as a natural disaster impacting a communications circuit.

CIA and DAD are very useful tools for cybersecurity planning and risk analysis. Whenever you find yourself tasked with a broad goal of assessing the security controls used to protect an asset or the threats to an organization, you can turn to the CIA and DAD triads for guidance. For example, if you're asked to assess the threats to your organization's website, you may apply the DAD triad in your analysis:

◦ Does the website contain sensitive information that would damage the organization if disclosed to unauthorized individuals?
◦ If an attacker were able to modify information contained on the website, would this unauthorized alteration cause financial, reputational, or operational damage to the organization?
◦ Does the website perform mission-critical activities that could damage the business significantly if an attacker were able to disrupt the site?

That's just one example of using the DAD triad to inform a risk assessment.
You can use the CIA and DAD models in almost any situation to serve as a helpful starting point for a more detailed risk analysis.

The impacts of a security incident may be wide-ranging, depending upon the nature of the incident and the type of organization affected.

We can categorize the potential impact of a security incident using the same categories that businesses generally use to describe any type of risk: financial, reputational, strategic, operational, and compliance.

Let's explore each of these risk categories in greater detail.

Financial risk is, as the name implies, the risk of monetary damage to the organization as the result of a data breach.

◦ Direct: such as the costs of rebuilding a datacenter after it is physically destroyed or the costs of contracting experts for incident
◦ Indirect: For example, if an employee loses a laptop containing plans for a new product

Reputational risk occurs when the negative publicity surrounding a security breach causes the loss of goodwill among customers, employees, suppliers, and other stakeholders.

It is often difficult to quantify reputational damage, as these stakeholders may not come out and directly say that they will reduce or eliminate their volume of business with the organization.

Identity Theft: When a security breach strikes an organization, the effects of that breach often extend beyond the walls of the breached organization, affecting customers, employees, and other individual stakeholders. The most common impact on these groups is the risk of identity theft posed by the exposure of personally identifiable information (PII) to unscrupulous individuals.

Organizations should take special care to identify, inventory, and protect PII elements, especially those that are prone to use in identity theft crimes. These include Social Security numbers, bank account and credit card information, drivers' license numbers, passport data, and similar sensitive identifiers.

Strategic risk is the risk that an organization will become less effective in meeting its major goals and objectives as a result of the breach. Consider again the example of an employee losing a laptop that contains new product development plans. This incident may pose strategic risk to the organization in two different ways.

First, if the organization does not have another copy of those plans, they may be unable to bring the new product to market or may suffer significant product development delays.

Second, if competitors gain hold of those plans, they may be able to bring competing products to market more quickly or even beat the organization to market, gaining first-mover advantage. Both of these effects demonstrate strategic risk to the organization's ability to carry out its business plans.

Compliance risk occurs when a security breach causes an organization to run afoul of legal or regulatory requirements. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that health-care providers and other covered entities protect the confidentiality, integrity, and availability of protected health information (PHI). If an organization loses patient medical records, they violate HIPAA requirements and are subject to sanctions and fines from the U.S. Department of Health and Human Services. That's an example of compliance risk.

Don't feel like you need to shoehorn every risk into one and only one of these categories. In most cases, a risk will cross multiple risk categories.

For example, if an organization suffers a data breach that exposes customer PII to unknown individuals, the organization will likely suffer reputational damage due to negative media coverage. However, the organization may also suffer financial damage. Some of this financial damage may come in the form of lost business due to the reputational damage.

Other financial damage may come as a consequence of compliance risk if regulators impose fines on the organization.

Still more financial damage may occur as a direct result of the breach, such as the costs associated with providing customers with identity protection services and notifying them about the breach.

As an organization analyzes its risk environment, technical and business leaders determine the level of protection required to preserve the confidentiality, integrity, and availability of their information and systems.

They express these requirements by writing the control objectives that the organization wishes to achieve.

These control objectives are statements of a desired security state, but they do not, by themselves, actually carry out security activities.

Security controls are specific measures that fulfill the security objectives of an organization.

Security controls are categorized based on their mechanism of action: the way that they achieve their objectives. There are three different categories of security control:

Technical controls enforce confidentiality, integrity, and availability in the digital space. Examples of technical security controls include firewall rules, access control lists, intrusion prevention systems, and encryption.

Operational controls include the processes that we put in place to manage technology in a secure manner. These include user access reviews, log monitoring, and vulnerability management.

Managerial controls are procedural mechanisms that focus on the mechanics of the risk management process. Examples of administrative controls include periodic risk assessments, security planning exercises, and the incorporation of security into the organization's change management, service acquisition, and project management practices.

Organizations should select a set of security controls that meets their control objectives based on the criteria and parameters that they either select for their environment or have imposed on them by outside regulators.

For example, an organization that handles sensitive information might decide that confidentiality concerns surrounding that information require the highest level of control. At the same time, they might conclude that the availability of their website is not of critical importance.

Given these considerations, they would dedicate significant resources to the confidentiality of sensitive information while perhaps investing little, if any, time and money protecting their website against a denial-of-service attack.

Many control objectives require a combination of technical, operational, and management controls. For example, an organization might have the control objective of preventing unauthorized access to a datacenter.

They might achieve this goal by implementing biometric access control (technical control), performing regular reviews of authorized access (operational control), and conducting routine risk assessments (managerial control).

CompTIA also divides security into types, based on their desired effect.

Preventive controls intend to stop a security issue before it occurs. Firewalls and encryption are examples of preventive controls.

Detective controls identify security events that have already occurred. Intrusion detection systems are detective controls.

Corrective controls remediate security issues that have already occurred. Restoring backups after a ransomware attack is an example of a corrective control.

Deterrent controls seek to prevent an attacker from attempting to violate security policies. Vicious guard dogs and barbed wire fences are examples of deterrent controls.

Physical controls are security controls that impact the physical world.
Examples of physical security controls include fences, perimeter lighting, locks, fire suppression systems, and burglar alarms.

Compensating controls are controls designed to mitigate the risk associated with exceptions made to a security policy.

The Payment Card Industry Data Security Standard (PCI DSS) includes one of the most formal compensating control processes in use today. It sets out three criteria that must be met for a compensating control to be satisfactory:

◦ The control must meet the intent and rigor of the original requirement.
◦ The control must provide a similar level of defense as the original requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against.
◦ The control must be above and beyond other PCI DSS requirements.

For example, an organization might find that it needs to run an outdated version of an operating system on a specific machine because software necessary to run the business will only function on that operating system version. Most security policies would prohibit using the outdated operating system because it might be susceptible to security vulnerabilities. The organization could choose to run this system on an isolated network with either very little or no access to other systems as a compensating control.

The general idea is that a compensating control finds alternative means to achieve an objective when the organization cannot meet the original control requirement. Although PCI DSS offers a very formal process for compensating controls, the use of compensating controls is a common strategy in many different organizations, even those not subject to PCI DSS.

Compensating controls balance the fact that it simply isn't possible to implement every required security control in every circumstance with the desire to manage risk to the greatest feasible degree.

In many cases, organizations adopt compensating controls to address a temporary exception to a security requirement. In those cases, the organization should also develop remediation plans designed to bring the organization back into compliance with the letter and intent of the original control.

Security professionals spend significant amounts of their time focusing on the protection of sensitive data. We serve as stewards and guardians, protecting the confidentiality, integrity, and availability of the sensitive data created by our organizations and entrusted to us by our customers and other stakeholders. As we think through data protection techniques, it's helpful to consider the three states where data might exist:

Data at rest is stored data that resides on hard drives, tapes, in the cloud, or on other storage media. This data is prone to pilfering by insiders or external attackers who gain access to systems and are able to browse through their contents.

Data in motion is data that is in transit over a network. When data travels on an untrusted network, it is open to eavesdropping attacks by anyone with access to those networks.

Data in processing is data that is actively in use by a computer system. This includes the data stored in memory while processing takes place. An attacker with control of the system may be able to read the contents of memory and steal sensitive information.

We can use different security controls to safeguard data in all of these states, building a robust set of defenses that protects our organization's vital interests.

Encryption technology uses mathematical algorithms to protect information from prying eyes, both while it is in transit over a network and while it resides on systems. Encrypted data is unintelligible to anyone who does not have access to the appropriate decryption key, making it safe to store and transmit encrypted data over otherwise insecure means.

We'll dive deeply into encryption tools and techniques in Chapter 7, Cryptography and the Public Key Infrastructure.

Data loss prevention (DLP) systems help organizations enforce information handling policies and procedures to prevent data loss and theft.

They search systems for stores of sensitive information that might be unsecured and monitor network traffic for potential attempts to remove sensitive information from the organization.

They can act quickly to block the transmission before damage is done and alert administrators to the attempted breach.

DLP systems work in two different environments:

◦ Host-based DLP
◦ Network DLP

Host-based DLP uses software agents installed on systems that search those systems for the presence of sensitive information. These searches often turn up Social Security numbers, credit card numbers, and other sensitive information in the most unlikely places!

Detecting the presence of stored sensitive information allows security professionals to take prompt action to either remove it or secure it with encryption. Taking the time to secure or remove information now may pay handsome rewards down the road if the device is lost, stolen, or compromised.

Host-based DLP can also monitor system configuration and user actions, blocking undesirable actions. For example, some organizations use host-based DLP to block users from accessing USB-based removable media devices that they might use to carry information out of the organization's secure environment.

Network-based DLP systems are dedicated devices that sit on the network and monitor outbound network traffic, watching for any transmissions that contain unencrypted sensitive information. They can then block those transmissions, preventing the unsecured loss of sensitive information.

DLP systems may simply block traffic that violates the organization's policy, or in some cases, they may automatically apply encryption to the content.
This automatic encryption is commonly used with DLP systems that focus on email.

DLP systems also have two mechanisms of action:

Pattern matching, where they watch for the telltale signs of sensitive information. For example, if they see a number that is formatted like a credit card or Social Security number, they can automatically trigger on that. Similarly, they may contain a database of sensitive terms, such as Top Secret or Business Confidential, and trigger when they see those terms in a transmission.

Watermarking, where systems or administrators apply electronic tags to sensitive documents and then the DLP system can monitor systems and networks for unencrypted content containing those tags. Watermarking technology is also commonly used in digital rights management (DRM) solutions that enforce copyright and data ownership restrictions.

Data minimization techniques seek to reduce risk by reducing the amount of sensitive information that we maintain on a regular basis. The best way to achieve data minimization is to simply destroy data when it is no longer necessary to meet our original business purpose.

If we can't completely remove data from a dataset, we can often transform it into a format where the original sensitive information is de-identified. The de-identification process removes the ability to link data back to an individual, reducing its sensitivity.

An alternative to de-identifying data is transforming it into a format where the original information can't be retrieved. This is a process called data obfuscation.

There are several tools that assist with data obfuscation:

Hashing uses a hash function to transform a value in our dataset to a corresponding hash value. If we apply a strong hash function to a data element, we may replace the value in our file with the hashed value.

Tokenization replaces sensitive values with a unique identifier using a lookup table.
For example, we might replace a widely known value, such as a student ID, with a randomly generated 10-digit number. We'd then maintain a lookup table that allows us to convert those back to student IDs if we need to determine someone's identity. Of course, if you use this approach, you need to keep the lookup table secure!

Masking partially redacts sensitive information by replacing some or all sensitive fields with blank characters. For example, we might replace all but the last four digits of a credit card number with X's or *'s to render the card number unreadable.

Although it isn't possible to retrieve the original value directly from the hashed value, there is one major flaw to this approach. If someone has a list of possible values for a field, they can conduct something called a rainbow table attack. In this attack, the attacker computes the hashes of those candidate values and then checks to see if those hashes exist in our data file.

For example, imagine that we have a file listing all the students at our college who have failed courses but we hash their student IDs. If an attacker has a list of all students, they can compute the hash values of all student IDs and then check to see which hash values are on the list. For this reason, hashing should only be used with caution.
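
The three obfuscation tools above and the hashing flaw the text describes, as an added example that is not part of the original lecture. The student IDs, card number and function names are constructed for illustration, and the keyed (HMAC) variant goes beyond the text to show one way of using hashing with caution.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: sequential 6-digit student IDs, three of them sensitive.
ALL_STUDENT_IDS = [f"{n:06d}" for n in range(100000, 100500)]
FAILED_IDS = ["100017", "100203", "100444"]


def hash_id(value):
    """Plain, unkeyed SHA-256 of an identifier (the approach the text warns about)."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_hash_id(value, key):
    """HMAC-SHA-256: without the key, candidate hashes cannot be computed."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


class Tokenizer:
    """Replaces each value with a random 10-digit token held in a lookup table."""

    def __init__(self):
        self._forward = {}  # value -> token
        self._reverse = {}  # token -> value (this table must be kept secure)

    def tokenize(self, value):
        if value not in self._forward:
            token = f"{secrets.randbelow(10**10):010d}"
            while token in self._reverse:  # retry on the rare collision
                token = f"{secrets.randbelow(10**10):010d}"
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token):
        return self._reverse[token]


def mask_card(number, visible=4):
    """Replace every digit except the last `visible` ones with X, keeping separators."""
    out, seen = [], 0
    for ch in reversed(number):
        if ch.isdigit():
            seen += 1
            out.append(ch if seen <= visible else "X")
        else:
            out.append(ch)
    return "".join(reversed(out))


def recoverable_ids(published_hashes, candidates, hash_fn=hash_id):
    """Pre-release check: which candidate values match a hash in the file?"""
    table = {hash_fn(c): c for c in candidates}
    return sorted(table[h] for h in published_hashes if h in table)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # needs the same protection as a token table
    plain = [hash_id(i) for i in FAILED_IDS]
    keyed = [keyed_hash_id(i, key) for i in FAILED_IDS]
    print("unkeyed hashes matched:", recoverable_ids(plain, ALL_STUDENT_IDS))
    print("keyed hashes matched:  ", recoverable_ids(keyed, ALL_STUDENT_IDS))
    t = Tokenizer()
    token = t.tokenize("100017")
    print("token:", token, "->", t.detokenize(token))
    print("masked:", mask_card("4111 1111 1111 1111"))
```

Running `recoverable_ids` against a dataset before it is shared shows whether its hashed identifiers can be matched from a known list of values.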
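
A sketch of the pattern-matching mechanism described in the DLP section, added here as an example and not taken from the lecture or from any DLP product. The messages are constructed, the function names are hypothetical, and the Luhn checksum is an added step (not mentioned in the text) that filters out digit runs that only look like card numbers.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# NNN-NN-NNNN, excluding area, group and serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# The two sensitive terms named in the text, matched case-insensitively.
SENSITIVE_TERMS = ("top secret", "business confidential")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text):
    """Return (kind, redacted_value) findings so alerts never repeat the secret."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            findings.append(("card_number", "X" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "XXX-XX-" + m.group()[-4:]))
    lowered = text.lower()
    for term in SENSITIVE_TERMS:
        if term in lowered:
            findings.append(("sensitive_term", term))
    return findings


def decide(text):
    """Network DLP policy sketch: block a transmission on any finding."""
    findings = scan(text)
    return ("block" if findings else "allow", findings)


# Constructed outbound messages.
SAMPLES = [
    "Invoice attached, card 4111 1111 1111 1111 exp 12/30",
    "Tracking number 4111 1111 1111 1112 ships Monday",
    "Employee SSN 123-45-6789, BUSINESS CONFIDENTIAL",
]

if __name__ == "__main__":
    for message in SAMPLES:
        print(decide(message))
```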
