Full Transcript


CompTIA Security+: SY0-601 Certification Guide
Second Edition

Complete coverage of the new CompTIA Security+ (SY0-601) exam to help you pass on the first attempt

Ian Neil

BIRMINGHAM—MUMBAI

Copyright © 2020 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Rahul Nair
Senior Editor: Arun Nadar
Content Development Editor: Pratik Andrade
Technical Editor: Yoginee Marathe
Copy Editor: Safis Editing
Project Coordinator: Neil Dmello
Proofreader: Safis Editing
Indexer: Rekha Nair
Production Designer: Vijay Kamble

First published: September 2018
Second published: December 2020
Production reference: 1221220

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham B3 2PB, UK.

ISBN 978-1-80056-424-4

www.packt.com
Contributors

About the author

Ian Neil is one of the world's top trainers of Security+. He has the ability to break down the information into manageable chunks so that people with no background knowledge can gain the skills required to become certified. He has recently worked for the US Army in Europe and designed a Security+ course that catered for people from all backgrounds (not just the IT professional), with an extremely successful pass rate. He is an MCT, MCSE, A+, Network+, Security+, CASP, and RESILIA practitioner who, over the past 23 years, has worked with high-end training providers and was one of the first technical trainers to train Microsoft internal staff when they opened their Bucharest Office in 2006.

About the reviewers

Crystal Voiles is an IT specialist with more than 30 years of IT experience ranging from help desk support, desktop support, system administration, and cyber security support.
For the last 10 years, she has served as a cyber security specialist, managing several cyber security tools, including Assured Compliance Assessment Solution (ACAS), Host-Based Security System (HBSS), Tanium, System Center Configuration Manager (SCCM), and Enterprise Mission Assurance Support Service (eMASS). She is currently serving as the Information Systems Security Manager (ISSM) for a small medical organization, responsible for coordination and execution of security policies and controls, as well as assessing vulnerabilities within a medical company. She is responsible for data and network security processing, security systems management, and security violation investigations. She manages backup and security systems, employee training for approximately 900 end user accounts, security planning measures, and recovery of data in disaster testing situations. Her certifications include Certified Information Systems Security Professional (CISSP), CompTIA Advanced Security Practitioner (CASP+), Security+, Microsoft Certified Professional (MCP), SCCM, and ITIL Foundations.

Rebecca Moffitt is an experienced information security and risk consultant with 8 years of experience in the industry. Rebecca joined QA in October of 2018, and since then has been working as a cyber security technical specialist. Her areas of training have been primarily related to cyber security, information security, information assurance, and risk management. She most recently obtained her CISM via ISACA, and her CSRM via PECB. She is a certified Information Security Management Systems Lead Implementer and is proficient in ISO 27001, 27002, 27005, and has knowledge of ISO 31000, 27035, and 19011, as well as various cyber, information, and risk frameworks. Rebecca is passionate about her profession and has spent time working with the younger generations, raising their awareness of the field of cyber/information security and sparking enthusiasm in them about a potential career in cyber security.
On a personal level, Rebecca is Canadian. The country lifestyle is rooted within her. She loves all things related to the East Coast lifestyle: kitchen parties, country music, and fiddleheads.

I would like to thank my family always, for their continual love and support.

- Rebecca Moffitt
Preface

This book will help you to understand security fundamentals, ranging from the CIA triad right through to identity and access management.
This book describes network infrastructure and how it is evolving with the implementation of virtualization and different cloud models and their storage. You will learn how to secure devices and applications that are used by a company.

Who this book is for

This book is designed for anyone who is seeking to pass the CompTIA Security+ SY0-601 exam. It is a stepping-stone for anyone who wants to become a security professional or move into cybersecurity.

What this book covers

Chapter 1, Understanding Security Fundamentals, covers some security fundamentals that will be expanded upon in later chapters.

Chapter 2, Implementing Public Key Infrastructure, goes into the different encryption types and teaches how certificates are issued and used.

Chapter 3, Investigating Identity and Access Management, looks at different types of authentication. We will look at the concepts of identity and access management.

Chapter 4, Exploring Virtualization and Cloud Concepts, gets you acquainted with various cloud models and cloud security, looking at their deployment and storage environments.

Chapter 5, Monitoring, Scanning, and Penetration Testing, looks at penetration testing, exercise types, scanning, threat hunting, and SIEM systems.

Chapter 6, Understanding Secure and Insecure Protocols, looks at when to use certain secure protocols.

Chapter 7, Delving into Network and Security Concepts, looks at network components, remote access, and network reconnaissance tools.

Chapter 8, Securing Wireless and Mobile Solutions, looks at wireless solutions and secure mobile solutions.

Chapter 9, Identifying Threats, Attacks, and Vulnerabilities, explores attacks and vulnerabilities, taking each type of attack in turn and its unique characteristics. This chapter is probably the most heavily tested module in the Security+ exam.

Chapter 10, Governance, Risk, and Compliance, looks at risk management and regulations and frameworks.
Chapter 11, Managing Application Security, looks at application development and security.

Chapter 12, Dealing with Incident Response Procedures, looks at preparing for disaster recovery incidents and how to recover.

Chapter 13, Mock Exam 1, includes mock questions, along with explanations, which will help assess whether you're ready for the test.

Chapter 14, Mock Exam 2, includes more mock questions, along with explanations, which will help assess whether you're ready for the test.

To get the most out of this book

This certification guide assumes no prior knowledge of the product. You need to understand the information fully to become certified.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781800564244_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "The problem that arises is that strcpy cannot limit the size of characters being copied."

A block of code is set as follows:

    #include <string.h>

    int fun(char *data) {
        int i;               /* unused; kept from the original listing */
        char tmp[64];        /* the array size was lost in extraction; 64 is an assumed value */
        strcpy(tmp, data);   /* unbounded copy: the flaw the sentence quoted above describes */
        return 0;
    }

Any command-line input or output is written as follows:

    Set-ExecutionPolicy Restricted

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "The SSID is still enabled. The administrator should check the box next to Disable Broadcast SSID."

Tips or important notes
Appear like this.
Section 1: Security Aims and Objectives

In this section, you will learn about security fundamentals, from the CIA triad through to identity and access management.

This section comprises the following chapters:

Chapter 1, Understanding Security Fundamentals
Chapter 2, Implementing Public Key Infrastructure
Chapter 3, Investigating Identity and Access Management
Chapter 4, Exploring Virtualization and Cloud Concepts

Chapter 1: Understanding Security Fundamentals

In this chapter, we are going to look at some security fundamentals that will help you identify security threats in the system and mitigate them. With cybercrime increasing day by day, as an Information Technology (IT) professional, it is essential to first understand these fundamental concepts.
In this chapter, we will be covering the following topics:

Security Fundamentals
Comparing Control Types
Physical Security Controls
Understanding Digital Forensics

Let's start off by looking at security fundamentals.

Security Fundamentals

The fundamentals of security are the foundation of protecting our assets, and there must be a strategy or methodology that we adapt for security. This is the CIA triad; let's look at its breakdown.

CIA Triad Concept

Most security books start with the basics of security by featuring the CIA triad—this is a conceptual model designed to help those writing information security policies within an organization. It is a widely used security model and it stands for confidentiality, integrity, and availability, the three key principles that should be used to guarantee you have a secure system:

Figure 1.1 – CIA triad

We'll discuss these principles in more depth here:

Confidentiality: Prevents the disclosure of data to unauthorized people so that only authorized people have access to data. This is known as the need-to-know basis. Only those who should know the contents should be given access. An example would be that your medical history is only available to your doctor and nobody else. We also tend to encrypt data to keep it confidential. There are two types of encryption, known as symmetric and asymmetric. Symmetric encryption uses one key, known as the private key or shared key. Asymmetric encryption uses two keys, known as the private key and the public key.

Integrity: This means that you know that data has not been altered or tampered with. We use a technique called hashing that takes the data and converts it into a numerical value called a hash or message digest. When you suspect changes have taken place, you would check the hash value against the original. If the hash value has changed, then the data has been tampered with.
Common hashing algorithms covered in the exam are Secure Hash Algorithm Version 1 (SHA1) 160-bit, SHA2 256-bit, SHA3 512-bit, and Message Digest Version 5 (MD5) 128-bit. SHA1 is more secure than MD5; however, MD5 is faster. The higher the number of bits, the more secure, and the lower the number, the faster it is.

Availability: Availability ensures that data is always available; an example would be if you wanted to purchase an airplane ticket and the system came back with an error saying that you could not purchase it. This could be frustrating and hence, availability is important. Examples of availability could be using Redundant Array of Independent Disks (RAID), maybe a fail-over cluster, a data backup, or Heating Ventilation Air Conditioning (HVAC) to regulate the system for critical servers.

Least Privilege

Least Privilege is where you give someone only the most limited access required so that they can perform their job role; this is known as a need-to-know basis. The company will write a least privilege policy so that the administrators know how to manage it.

Defense in Depth Model

Defense in Depth is the concept of protecting a company's data with a series of protective layers so that if one layer fails, another layer will already be in place to thwart an attack. We start with our data, then we encrypt it to protect it:

The data is stored on a server.
The data has file permissions.
The data is encrypted.
The data is in a secure area of the building.
There is a security guard at the building entrance checking identification.
There is CCTV around the perimeter.
There is a high fence around the perimeter.

Let's look at this from the intruder's perspective, trying to jump the fence, and see how many layers they have to circumvent:

Figure 1.2 – Defense in Depth model

Let's now compare the different control types.
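The hash comparison described under Integrity above, as an added example (not code from the book): it records a SHA-256 baseline for a set of files, then re-hashes them and reports which were modified, removed, or added. The file names and contents are constructed sample data, and the function names are this example's own.

```python
"""Added example: detect tampering by comparing file hashes to a baseline."""
import hashlib
import hmac
import tempfile
from pathlib import Path

# The algorithms the text lists, mapped to their hashlib names.
ALGORITHMS = {
    "MD5": "md5",
    "SHA1": "sha1",
    "SHA2 256-bit": "sha256",
    "SHA3 512-bit": "sha3_512",
}


def digest_bits(hashlib_name):
    """Digest length in bits, e.g. 128 for MD5 and 160 for SHA1."""
    return hashlib.new(hashlib_name).digest_size * 8


def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Record the 'original' hash of every file under root, keyed by relative path."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): file_digest(p, algorithm)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root, baseline, algorithm="sha256"):
    """Re-hash the files and classify each one against the stored baseline."""
    current = build_baseline(root, algorithm)
    report = {"unchanged": [], "modified": [], "missing": [], "added": []}
    for name, original in baseline.items():
        if name not in current:
            report["missing"].append(name)
        elif hmac.compare_digest(original, current[name]):
            report["unchanged"].append(name)
        else:
            # The hash changed, so the content changed.
            report["modified"].append(name)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Baseline three constructed files, tamper with them, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payroll.csv").write_text("id,salary\n1,52000\n")
        (root / "policy.txt").write_text("Badges must be worn at all times.\n")
        (root / "notes.txt").write_text("Quarterly review on Friday.\n")
        baseline = build_baseline(root)

        # Simulated changes: one digit edited, one file deleted, one file added.
        (root / "payroll.csv").write_text("id,salary\n1,92000\n")
        (root / "notes.txt").unlink()
        (root / "extra.txt").write_text("not in the baseline\n")
        return verify(root, baseline)


if __name__ == "__main__":
    for label, name in ALGORITHMS.items():
        print(f"{label}: {digest_bits(name)} bits")
    for status, names in demo().items():
        print(f"{status}: {names}")
```

The check is only as trustworthy as the baseline: store it where whoever can change the files cannot also rewrite the recorded hashes.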
Comparing Control Types

There is a wide variety of different security controls that are used to mitigate the risk of being attacked; the three main categories are managerial, operational, and technical. We are going to look at these in more detail; you need to be familiar with each of these controls and when each of them should be applied. Let's start by looking at the three main controls.

Managerial Controls

Managerial Controls are written by managers to create organizational policies and procedures to reduce risk within companies. They incorporate regulatory frameworks so that the companies are legally compliant. The following are examples of management controls:

Annual Risk Assessment: A company will have a risk register where the financial director will look at all of the risks associated with money and the IT manager will look at all of the risks posed by the IT infrastructure. As technology changes and hackers get more sophisticated, the risks can become greater. Each department will identify their risks and the risk treatments, and place them in the risk register. These should be reviewed annually.

Penetration Testing/Vulnerability Scanning: A vulnerability scan is not intrusive as it merely checks for vulnerabilities, whereas a penetration test is more intrusive and can exploit vulnerabilities. These will be explained further later in this book.

Operational Controls

Operational controls are executed by company personnel during their day-to-day operations. Examples of these are the following:

Annual Security Awareness Training: This is an annual event where you are reminded about what you should be doing on a daily basis to keep the company safe:

a. Example 1 – When you are finished for the day, you clear your desk and lock all documents away; another employee would remind you that your identity badge should be worn at all times and you should challenge anyone not wearing a badge.

b. Example 2 – Companies need their employees to complete annual cybersecurity training as the risk is getting greater each day.

Change Management: This is a process that a company adopts so that changes made don't cause any security risks to the company. A change to one department could impact another department. The Change Advisory Board (CAB) assists with the prioritization of changes; they also look at the financial benefits of the change and they may accept or reject the changes proposed for the benefit of the company. IT evolves rapidly and our processes will need to change to cope with the potential security risks associated with newer technology.

Business Continuity Plan: This is contingency planning to keep the business up and running when a disaster occurs by identifying any single point of failure that would prevent the company from remaining operational.

Technical Controls

Technical Controls are those implemented by the IT team to reduce the risk to the business. These could include the following:

Firewall Rules: Firewalls prevent unauthorized access to the network by IP address, application, or protocol. These are covered in depth later in this book.

Antivirus/Antimalware: This is the most common threat to a business, and we must ensure that all servers and desktops are protected and up to date.

Screen Savers: These log computers off when they are idle, preventing access.

Screen Filters: These prevent people that are walking past from reading the data on your screen.

Intrusion Prevention Systems (IPS)/Intrusion Detection Systems (IDS): An IDS monitors the network for any changes and an IPS stops the attacks. If you do not have an IDS, the IPS has the ability to fulfill the role of the IDS.

Let's now look at other control types, from deterrents to physical controls, when we try and stop attacks at the source.

Deterrent Controls

Deterrent Controls could be CCTV and motion sensors.
When someone is walking past a building and the motion sensors detect them, it turns the lights on to deter them. A building with a sign saying that it is being filmed with CCTV prevents someone from breaking into your premises, even though there may not be film inside the camera—but they don't know that!

Detective Controls

Detective Controls are used to investigate an incident that has happened and needs to be investigated; these could include the following:

CCTV records events as they happen and from that, you can see who has entered a particular room or has climbed through a window at the rear of a building. CCTV can capture motion and provide non-repudiation.

Log Files are text files that record events and the times that they occurred; they can log trends and patterns over a period of time. For example, servers, desktops, and firewalls all have event logs that detail actions that happen. Once you know the time and date of an event, you can gather information from various log files. These can be stored in Write-Once Read-Many (WORM) drives so that they can be read but not tampered with.

Corrective Controls

Corrective Controls are the actions you take to recover from an incident. You may lose a hard drive that contained data; in that case, you would replace the data from a backup you had previously taken.

Fire Suppression Systems are another form of corrective control. There may have been a fire in your data center that destroyed many servers, therefore when you purchase a replacement, you may install an oxygen suppressant system that will starve a fire of the oxygen needed. This method uses argon/nitrogen and carbon dioxide to displace the oxygen in the server room.

Compensating Controls

Compensating Controls can also be called Alternative or Secondary Controls and can be used instead of a primary control that has failed or is not available. Once a primary control has failed, we need a secondary control.
This is similar to when you go shopping and you have $100 in cash: once you have spent your cash, you will have to use a credit card as a compensating control.

Example: When a new employee arrives, they should log in using a smart card and PIN. It may take 3–5 days to get a new smart card, so during the waiting period, they may log in using a username and password.

Preventative Controls

Preventative Controls are in place to deter any attack; this could be having a security guard with a large dog walking around the perimeter of your building. This would make someone trying to break in think twice about doing so. Some of the preventive measures that can be taken are as follows:

Disable User Accounts: When someone leaves a company, the first thing that happens is that their account is disabled, as we don't want to lose information that they have access to, and then we change the password so that they cannot access it. We may also disable an account while people are on secondment or maternity leave.

Operating System Hardening: This makes a computer more secure, where we ensure that the operating system is fully patched and turn off unused features and services. This will ensure that there will be no vulnerabilities.

Access Controls

The three main parts of access controls are identifying an individual, authenticating them when they insert a password or PIN, and then authorization, where an individual is granted permission to the different forms of data. For example, someone working in finance will need a higher level of security clearance and have to access different data than a person who dispatches an order in finished goods:

Identification: This is similar to everyone having their own bank account; the account is identified by the account details on the bank card. Identification in a security environment may involve having a user account, a smart card, or maybe a fingerprint reader; this is unique to each individual.
Each person has their own Security Identifier (SID) for their account, which is like an account serial number.

Authentication: Once the individual inserts their method of identification, they next have to be authenticated, for example, by inserting a password or a PIN.

Authorization: This is the level of access or permissions that you have to apply to selected data. You are normally a member of certain groups, for example, a sales manager could access data from the sales group and then access data from the managers group. You will only be given the minimum amount of access required to perform your job; this is known as least privilege.

Discretionary Access Control

Discretionary Access Control involves New Technology File System (NTFS) file permissions, which are used in Microsoft operating systems. The user is only given the access that they need to perform their job. They are sometimes referred to as user-based or user-centric. The permissions are as follows:

Full Control: Full access.
Modify: Change data, read, and read and execute.
Read and Execute: Read the file and run a program if one is inside it.
List Folder Contents: Expand a folder to see the subfolders inside it.
Read: Read the contents.
Write: Allows you to write to the file.
Special Permissions: Allows granular access; for example, it breaks each of the previous permissions down to a more granular level.
Data Creator/Owner: The person that creates the unclassified data is called the owner and they are responsible for authorizing who has access to that data.

The following diagram shows a user called Ian who had Read and Read & execute permissions:

Figure 1.3 – DAC file permissions

Mandatory Access Control

Mandatory Access Control (MAC) is based on the classification level of the data. MAC looks at how much damage could be inflicted to the interests of the nation.
These are as follows:

Top secret: Highest level, exceptionally grave damage
Secret: Causes serious damage
Confidential: Causes damage
Restricted: Undesirable effects

Examples of MAC based on the classification level of data are as follows:

Top secret: Nuclear energy project
Secret: Research and development
Confidential: Ongoing legal issues

MAC Roles

Once classified data has been written, it is owned by the company. For example, if a Colonel writes a classified document, it belongs to the Army. Let's look at three roles:

Owner: This is the person who writes data, and they are the only person that can determine the classification. For example, if they are writing a secret document, they will pitch it at that level, no higher.

Steward: This is the person responsible for labeling the data.

Custodian: The custodian is the person who stores and manages classified data.

Security Administrator: The security administrator is the person who gives access to classified data once clearance has been approved.

Role-Based Access Control

Role-based access control is a subset of the department carrying out a subset of duties within a department. An example would be two people within the finance department who only handle petty cash. In IT terms, it could be that only two people of the IT team administer the email server.

Rule-Based Access Control

In Rule-Based Access Control (RBAC), a rule is applied to all of the people within a department, for example, contractors will only have access between 8 a.m. and 5 p.m., and the help desk people will only be able to access building 1, where their place of work is. It can be time-based or have some sort of restriction, but it applies to the whole department.

Attribute-Based Access Control

In Attribute-Based Access Control (ABAC), access is restricted based on an attribute in the account. John could be an executive and some data could be restricted to only those with the executive attribute.
This is a user attribute from the directory services, such as a department or a location. You may wish to give different levels of control to different departments.

Group-Based Access Control

To control access to data, people may be put into groups to simplify access. An example would be if there were two people who worked in IT who needed access to IT data. For example, let's call them Bill and Ben. We first of all place them into the IT group, and then that group is given access to the data:

Figure 1.4 – Group-based access

Another example is where members of a sales team may have full control of the sales data by using group-based access, but you may need two new starters to have only read access. In this case, you would create a group called new starters and give those people inside that group only read permission to the data.

Linux-Based Access Control

In this section, we are going to look at Linux file permissions. These appear frequently in the Security+ exam even though they are not covered in the exam objectives.

Linux File Permissions (not SELinux)

Linux file permissions come in a numerical format; the first number represents the owner, the second number represents the group, and the third number represents all other users:

a. Permissions:
   Owner: First number
   Group: Second number
   All other users: Third number
b. Numerical values:
   4: Read
   2: Write
   1: Execute

Unlike a Windows permission that will execute an application, the execute function in Linux allows you to view or search. A permission of 6 would be read and write. A value of 2 would be write, and a value of 7 would be read, write, and execute. Some examples are as follows:

Example 1: If I have 764 access to File A, this could be broken down as follows:

a. Owner: Read, write, and execute
b. Group: Read and write
c. All other users: Read

Another way the permissions can be set is by alphabetical values, as shown:

a. R: Read
b. W: Write
c. X: Execute

When using alphabetical values, each set of permissions is shown as three dashes. Full control for the three entities is as follows:

a. Owner Full Control: rwx --- ---
b. Group Full Control: --- rwx ---
c. User Full Control: --- --- rwx

Example 2: If a file has an access level of rwx rwx rw-, what does this mean?

a. Owner has read, write, and execute (full control).
b. Group has read, write, and execute (full control).
c. Others have only read and write permissions.

Physical Security Controls

Physical security controls are put in place to stop unauthorized access to the company or accessing the data. Physical security controls are easily identifiable as you can touch them. Let's look at each of them in turn.

Perimeter Security

In this section, we will look at different types of perimeter security systems:

Signage: Before anyone reaches your main entrance, there should be highly visible signs warning them that they are entering a secure area with armed guards and dogs. This is used as a deterrent to prevent possible intruders.

Fences/Gates: The first line of defense should be a perimeter fence as the openness of many sites renders them highly vulnerable to intruders. Access to the site can be controlled by using a gate either manned by a security guard or with a proximity reader. You could place bollards in front of a building to stop a car driving through the entrance. You may even have different zones, such as a research and development department, with their own perimeter security.

Access Control: Armed guards at the gates should be checking the identity of those entering. There should be an access control list for visitors who are sponsored by an internal department. The guards checking identities should be behind one-way toughened glass so that visitors cannot see inside the gatehouse.
Lighting: Lighting is installed for two main reasons: the first reason is so that anyone trying to enter your site at night can be seen and the second reason is for safety.

Cameras: Cameras can be set up at areas around the perimeter and on doorways to detect motion. They can be set up to detect objects in both day and night to alert the security team by raising an alarm.

Robot Sentries: These can be set up to patrol the perimeter and can shout out warnings to deter any intruders. These sentries patrol the DMZ between North and South Korea and they can be armed:

Figure 1.5 – Robot sentry

Tip: Robot sentries can shout out warnings to deter intruders. They could also be armed.

Industrial Camouflage: When you are trying to protect a highly secure area, you would design the building so that it is obscured from aerial photographs by making some of the building look like residential housing. You would disguise the entrances as well. This would make it difficult for surveillance operatives to spot it.

Building Security

In this section, we will look at different types of building security systems:

Security Guards: They work at the entrance reception desk to check the identity cards of people entering the building to stop unauthorized access. These guards should be armed and one of the guards should be a dog handler. An access control list is provided to them to ensure that unauthorized personnel are denied access.

Two-Person Integrity/Control: This increases the security level at the entrance to a building, ensuring that someone is available to deal with visitors even when the other person is on the phone. This would also reduce the risk of a malicious insider attack.

Badges: Visitors sign the visitor book and are allocated a badge that is a different color to that of employees. These badges should have a photograph, name, and signature of the holder.
These badges should be visible at all times and anyone that isn't displaying a badge should be challenged.

Key Management: This is where departmental keys are signed out and signed back in daily to prevent someone from taking the keys away and cutting copies of them.

Mantraps: These are turnstile devices that only allow one person in at a time. They maintain a safe and secure environment, mainly for a data center. A data center hosts many servers for different companies.

Proximity Cards: These are contactless devices where a smart card is put near the proximity card device to gain access to a door or building.

Tokens: Tokens are small physical devices where you touch the proximity card to enter a restricted area of a building. Some tokens allow you to open and lock doors by pressing the middle of the token itself; others display a code for a number of seconds before it expires.

Biometric Locks: Biometrics are unique to each person; examples would be using their fingerprint, retina, palm, voice, an iris scanner, or facial recognition.

Electronic Locks: With electronic locks, you no longer need a key to access a building; you only need a PIN. They can be set to fail open, where the door opens when a power cut is detected, or fail safe, where the door remains locked.

Burglar Alarms: These are set when the premises are not occupied, so when someone tries to break into your premises, it will trigger the alarm and notify the monitoring company or local police.

Fire Alarms/Smoke Detectors: In a company building, there will be fire alarms or smoke detectors in every room so that when a fire breaks out and the alarms go off, the people inside the premises are given the opportunity to escape.

Internal Protection: You could have safe areas and secure enclosures; the first example would be a toughened glass container or a sturdy mesh, both with locks to reduce access.
You could also have protected distribution for cabling; this looks like metal poles that would have network cables inside. Screen filters used on a desktop could prevent someone from reading the screen.

Conduits: Conduits or cable distribution have cables placed inside. This protects the cables from tampering or being chewed by rodents.

Tip: Conduits and cable distribution protect the Ethernet cable between the wall jack and the patch panel.

Environmental Controls: HVAC and fire suppression systems are also security controls. In a data center or a server room, the temperature needs to be kept cool or the servers inside will overheat and fail. They use a technique called hot and cold aisles to regulate the temperature.

Device Protection

In this section, we will look at different device protection systems:

Cable Locks: These are attached to laptops or tablets to secure them so that nobody can steal them.

Air Gap: A computer is taken off the network and has no cable or wireless connection to ensure that the data is not stolen. An example of this would be a computer in the research and development department, as we want to prevent access to it via a network cable.

Tip: An air gap is an isolated computer; the only way to extract data is by using a USB or CD ROM.

Laptop Safe: Laptops and tablets are expensive, but the data they hold could be priceless, therefore there are safes for the storage of laptops and tablets.

USB Data Blocker: This device blocks the data pins on the USB device, which prevents a hacker from juice jacking, where data is stolen when you are charging your USB device.

Vault: This is where data can be encrypted and stored in the cloud, giving you an extra-secure storage area.

Faraday Cage: This is a metal structure, like a metal mesh used to house chickens. The cage prevents wireless or cellular phones from working inside the company. This could be built into the structure of a room used as a secure area.
They would also prevent any kind of emissions from escaping from your company.

Understanding Digital Forensics

Digital forensics is used by the police when they are investigating crimes and need to find digital evidence so that they can secure a conviction. We will be looking at computer- and web-based attacks.

In 2006, Forensic Process 19, proposed by NIST, consisted of four different phases: collection, examination, analysis, and reporting. Here's a diagram showing these phases:

Figure 1.6 – Forensics cycle

Let's look at each of these phases:

Collection: Here, the data is examined, then extracted from the media that it is on, and then converted into a format that can be examined by forensic tools.

Examination: Prior to examination, the data will be hashed, and then an investigation will be carried out with the relevant forensic tool. When the examination has concluded, the data is once again hashed to ensure that the examiner or the tools have not tampered with it. We could use a USB write blocker that allows only read access to storage media.

Analysis: When all of the forensic data has been collected, it is analyzed and then transformed into information that can be used as evidence.

Reporting: A report is compiled that can be used as evidence for conviction.

There are many different components to a forensic investigation; we will look at each of them in turn:

Admissibility: All evidence relevant to the case is deemed admissible only if it is relevant to the disputed facts of the case and does not violate any laws or legal statutes.

Order of Volatility: Say you are a firefighter and you arrive at a house on fire; you can only save items one at a time and there are two items inside. The first is a snowman, and the second is a rib of beef. You now have a dilemma: which one should you choose? Easy!
You save the snowman first as it is melting, and you let the rib of beef cook some more so that the other firefighters can have a nice supper! So, when we want to ascertain the order of volatility, we are looking to secure the most perishable evidence first. We do not try and stop the attack until we have secured the volatile evidence so that the source can be identified. This is known as the order of volatility. Let's look at a few examples.

Example 1 – Web-Based Attack: An attacker is attacking the company website and the security team is trying to capture the network traffic to find the source of the attack. This is the most volatile evidence.

Example 2 – Attack inside a Computer: When someone has attacked your computer, you need to capture the evidence in accordance with the order of volatility:

a. CPU Cache: Fast block of volatile memory used by the CPU
b. Random Access Memory (RAM): Volatile memory used to run applications
c. Swap/Page File/Virtual Memory: Used for running applications when RAM is totally exhausted.
d. Hard Drive: Data at rest for storing data

Example 3 – Removable Storage Drive Attached to a Computer/Server: Someone has left a USB flash drive plugged into your fileserver. When it is in use, programs such as Word are launched in RAM, so we would capture the volatile memory first.

Example 4 – Command-Line Tools: You need to know which command-line tool provides information that could disappear if you reboot the computer, and that would be netstat. With netstat -an, the listening and established ports are shown. If you reboot the computer, all of the established connections will be lost.

Tip: Order of volatility is collecting the most perishable evidence first. In a web-based attack, we should collect the network traffic with a packet sniffer.

Five-Minute Practical

Open up Command Prompt on your computer and type netstat -an.
You should now see the listening and established ports; count them, and write the numbers down. Run the shutdown /r /t 0 command to immediately reboot the machine. Log back in, go to Command Prompt, and run netstat -an; what is the difference? You will see that you have lost information that could have been used as evidence.

Collection of Evidence

In this section, we will look at different types of evidence collection:

E-Discovery: During e-discovery, companies may be subpoenaed so that we can collect, review, and interpret electronic documents located on hard disks, USB drives, and other forms of storage.

Chain of Custody: The chain of custody is one of the most crucial aspects of digital forensics, ensuring the evidence has been collected and there is not a break in the chain. It starts when the evidence has been collected, bagged, tied, and tagged, ensuring the evidence has not been tampered with. It lists the evidence and who has handled it along the way. For example, Sergeant Smith handed 15 kg of illegal substance to Sergeant Jones following a drugs raid. However, when it is handed in to the property room, 1 kg is missing. In this event, we would need to investigate the chain of custody. In this scenario, Sergeant Jones would be liable for the loss.

Chain of custody examples are as follows:

Example 1 – Missing Entry on the Chain of Custody Document: On Monday, 15 laptops were collected by the system administrator. The next day, the system administrator passed them on to the IT manager. On Wednesday, the IT director presents the 15 laptops as evidence to the court. The judge looks at the chain of custody document and notices that there was no formal handover between the IT manager and the IT director. With the handover missing, the judge wants to investigate the chain of custody.
Example 2 – Evidence Leaves the Detective's Possession: The FBI arrests a known criminal and collects 43 hard drives that they bag and tag, before placing them in two bags. They arrest the criminal and take him from Arizona to New York by airplane. One detective is handcuffed to the criminal while the other carries the two bags. When they arrive at check-in, the airline clerk tells them that the carry-on bags are more than the 8 kg allowance, and therefore they are too heavy and need to go in the hold. The detective complies, but locks the suitcases to prevent theft. Because the evidence is not physically in their possession at all times, the chain of custody is broken as there is a chance that someone working for the airline could tamper with the evidence. Therefore, they cannot prove to the court that the integrity of the evidence has been kept intact at all times.

Provenance: When the chain of custody has been carried out properly and the original data presented to the court has not been tampered with, it is known as data provenance.

Legal Hold: Legal hold is the process of protecting any documents that can be used in evidence from being altered or destroyed. Sometimes, this is also known as litigation hold.

Example: Dr. Death has been prescribing new drugs to patients in a large hospital who have been dying. An auditor has been sent to investigate the possibility of foul play, and then following the audit, the FBI is notified. The doctor has been emailing a pharmaceutical company that has been supplying the drugs for a trial. The FBI does not want the doctor to be alerted, so they have the hospital's IT team put his mailbox on legal hold. When the mailbox is on legal hold, the mailbox limit is lifted; the doctor can still send and receive emails, but cannot delete anything. This way, the doctor is not alerted to the fact that they are under investigation.
Data Acquisition: This is the process of collecting all of the evidence from devices, such as USB flash drives, cameras, and computers; as well as data in paper format, such as letters and bank statements. The first step in data acquisition is to collect the volatile evidence so that it is secured. The data must be bagged and tagged and included in the evidence log.

Artifacts: This can be log files, registry hives, DNA, fingerprints, or fibers of clothing normally invisible to the naked eye.

Time Offset: When we collect evidence from computers, we should record the time offset. This is the regional time so that in a multinational investigation, we can put them into a time sequence; this is known as time normalization.

Time Normalization: This is where evidence is collected across multiple time zones, then a common time zone, such as GMT, is used so that it can be put into a meaningful sequence.

Example: The police in three separate countries are trying to identify where the data started from in a chain, then who handled the data along the line. They have the following information about when it was first created:

a. New York: Created 3 a.m.
b. London: Created 4 a.m.
c. Berlin: Created 4.30 a.m.

By recording the time offset, it looks as if it started off in New York, but if we apply time normalization, when it is 4 a.m. in London, the time in New York is 11 p.m. the day before, so it cannot be New York. When it is 4.30 a.m. in Berlin, it is only 3.30 a.m. in London; therefore, it originated in Berlin. Berlin looked the least likely origin before time normalization was applied to the recorded time offsets.

Time Stamps: Each file has time stamps showing when files were created, last modified, and last accessed:

Figure 1.7 – Time stamps

Forensic Copies: If we are going to analyze removable data that we have acquired, we would first of all take a forensic copy and keep the original data intact.
We would then use the copy to analyze the data so that we keep the original data unaltered, as it needs to be used in its original state and presented as evidence to the courts. It would be hashed at the beginning and the end to confirm that the evidence has not been tampered with.

Capturing System Images: When the police are taking evidence from laptops and desktops, they take a complete system image. The original image is kept intact and the system is analyzed to find evidence of any criminal activity. It would be hashed at the beginning and the end to confirm that the evidence has not been tampered with.

Firmware: Firmware, sometimes called embedded systems, could be reverse engineered by an attacker, therefore it is important that we compare the source code that the developer wrote against the current source code in use. We would employ a coding expert to compare both lots of source code in a technique called regression testing. Types of attacks that affect embedded systems could be rootkit and backdoor.

Snapshots: If the evidence is from a virtual machine, a snapshot of the virtual machine can be exported for investigation.

Screenshots: You may also take screenshots of applications or viruses on the desktops and keep them as evidence. A better way of doing this would be to use a modern smartphone that would geotag the evidence.

Tip: You should capture a system image from a laptop and take a forensic copy from a removable drive.

Taking Hashes: When either the forensic copy or the system image is being analyzed, the data and applications are hashed at the beginning of the investigation. It can be used as a checksum to ensure integrity. At the end, it is re-hashed and should match the original hash value to prove data integrity.

Network Traffic and Logs: When investigating a web-based or remote attack, we should first capture the volatile network traffic before stopping the attack.
This will help us identify the source of the attack. In addition to this, we should look at different log files from the firewall, NIPS, NIDS, and any server involved. If we use a Security Information Event Management (SIEM) system, this can help collate these entries and give a good picture of any attack. However, if it is a rapidly expanding virus, we would quarantine it.

Example: Your company uses an account lockout of three attempts. If an attacker tries to log in once to three separate computers, each computer would not identify it as an attack, as it is a single attempt on each computer, but a SIEM system would pick up these attempts as three failed login attempts and alert the administrators in real time.

Tip: You should remove a computer with a dynamically expanding virus immediately rather than collect the network traffic.

Capturing Video: CCTV can be a good source of evidence for helping to identify attackers and the time the attack was launched. This can be vital in apprehending suspects.

Interviews: The police may also take witness statements to try and get a picture of who was involved and maybe then use photo-fits so that they can be apprehended.

Preservation: Data needs to be preserved in its original state so that it can be produced as evidence in court. This is why we take copies and analyze the copies so that the original data is not altered and is pristine. Putting a copy of the most vital evidence in a WORM drive will prevent any tampering with the evidence, as you cannot delete data from a WORM drive. You could also write-protect the storage drives.

Recovery: When the incident has been eradicated, we may have to recover the data from a backup; a faster method would be a hot site that is already up and running with data less than 1 hour old. We may also have to purchase additional hardware if the original hardware was damaged during the incident.
Strategic Intelligence/Counterintelligence Gathering: This is where different governments exchange data about cyber criminals so that they can work together to reduce threats. It is also possible for companies who have suffered an attack to log as much information as they can and have a third party who specializes in incident response to help them find a way to prevent re-occurrence.

Active Logging: To track incidents, we need to be actively monitoring and actively logging changes to patterns in our log files or traffic patterns in our network. Installing a SIEM system that provides real-time monitoring can help collate all entries in the log files, ensuring that duplicate data is not used so that a true picture can be taken. Alerts based on certain triggers can be set up on our SIEM system so that we are notified as soon as the event happens.

Cloud Forensics

In the last few years, the growth of cloud computing and resources has been increasing year on year. Cloud forensics has different needs than traditional forensics. One of the primary aspects that a cloud provider must provide is security of the data stored in the cloud.

In 2012, Cloud Forensic Process 26 was created to focus on the competence and admissibility of evidence. The stages are as follows:

Stage A – Verify the purpose of cloud forensics.
Stage B – Verify the type of cloud service.
Stage C – Verify the type of technology behind the cloud.
Stage D – Verify the role of the user and negotiate with the Cloud Service Provider (CSP) to collect the evidence required.

Cloud services, because of the nature of their business, create virtual machines and then destroy them on a regular basis. This prevents the collection of forensic evidence. The forensic team needs to prove to the cloud provider their reasons for the collection of the evidence and they have to rely on the cloud provider sending them the correct evidence that they require.
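Hashing evidence at the beginning and end of an examination (Forensic Copies, Taking Hashes) and checking the chain of custody for a missing handover can be audited together, as in this added Python example, which is not code from the book. The custody log mirrors Example 1 of the chain of custody examples; the image bytes and the log field names are constructed assumptions.

```python
import hashlib
import io


def sha256_stream(fileobj, chunk_size=1 << 20):
    """Hash a file-like object in chunks so large images never sit in memory."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def audit_custody(log, presented_by, hash_at_presentation):
    """Return a list of findings; an empty list means the chain is unbroken."""
    if not log or log[0]["action"] != "collected":
        return ["log does not start with a collection entry"]
    findings = []
    holder = log[0]["to"]
    baseline = log[0]["sha256"]           # hash taken at acquisition
    for number, entry in enumerate(log[1:], start=2):
        if entry["from"] != holder:
            findings.append(
                f"entry {number}: handed over by {entry['from']}, "
                f"but the last recorded holder is {holder}"
            )
        if entry["sha256"] != baseline:
            findings.append(f"entry {number}: hash differs from acquisition hash")
        holder = entry["to"]
    if presented_by != holder:
        findings.append(f"no handover recorded from {holder} to {presented_by}")
    if hash_at_presentation != baseline:
        findings.append("hash at presentation differs from acquisition hash")
    return findings


# Constructed stand-in for an acquired image; real input would be the image
# file opened in binary mode.
ORIGINAL_IMAGE = b"constructed evidence image\n" * 4096
ACQUISITION_HASH = sha256_stream(io.BytesIO(ORIGINAL_IMAGE))

# Custody log modelled on Example 1: nothing is recorded between the IT manager
# and the IT director. The field names are hypothetical.
CUSTODY_LOG = [
    {"day": "Monday", "action": "collected", "from": None,
     "to": "system administrator", "sha256": ACQUISITION_HASH},
    {"day": "Tuesday", "action": "handover", "from": "system administrator",
     "to": "IT manager", "sha256": ACQUISITION_HASH},
]


def example_1_findings():
    """Wednesday: the IT director presents the evidence, image unchanged."""
    final_hash = sha256_stream(io.BytesIO(ORIGINAL_IMAGE))
    return audit_custody(CUSTODY_LOG, "IT director", final_hash)


def altered_copy_findings():
    """Chain complete, but one bit of the image changed during examination."""
    altered = bytearray(ORIGINAL_IMAGE)
    altered[100] ^= 0x01
    final_hash = sha256_stream(io.BytesIO(bytes(altered)))
    return audit_custody(CUSTODY_LOG, "IT manager", final_hash)


if __name__ == "__main__":
    print("Example 1:", example_1_findings())
    print("Altered copy:", altered_copy_findings())
```

A single flipped bit changes the SHA-256 value, which is why the re-hash at the end of the examination is enough to show whether the working copy still matches what was acquired.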
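The New York, London, and Berlin example under Time Normalization can be worked through in code: this added Python example (not from the book) applies each recorded time offset, converts to GMT, and sorts the result. The offsets are the ones the text's arithmetic implies, and the shared calendar date and record field names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed evidence records modelled on the example in the text. Offsets:
# New York GMT-5, London GMT, Berlin GMT+1. The calendar date is an assumption,
# since the text gives only times of day.
EVIDENCE = [
    {"site": "New York", "local": "2020-01-15 03:00", "offset_hours": -5},
    {"site": "London", "local": "2020-01-15 04:00", "offset_hours": 0},
    {"site": "Berlin", "local": "2020-01-15 04:30", "offset_hours": 1},
]


def to_gmt(record):
    """Apply the recorded time offset and return an aware datetime in GMT."""
    if record.get("offset_hours") is None:
        raise ValueError(f"{record['site']}: no time offset recorded")
    zone = timezone(timedelta(hours=record["offset_hours"]))
    local = datetime.strptime(record["local"], "%Y-%m-%d %H:%M")
    return local.replace(tzinfo=zone).astimezone(timezone.utc)


def order_by_wall_clock(records):
    """Naive ordering: compare local times as written, ignoring offsets."""
    return [r["site"] for r in sorted(records, key=lambda r: r["local"])]


def normalized_timeline(records):
    """Return (placed, unplaced).

    placed   - list of (site, GMT datetime), earliest first
    unplaced - sites whose offset was never recorded; they cannot be sequenced
               and are not silently treated as GMT
    """
    placed, unplaced = [], []
    for record in records:
        try:
            placed.append((record["site"], to_gmt(record)))
        except ValueError:
            unplaced.append(record["site"])
    placed.sort(key=lambda item: item[1])
    return placed, unplaced


if __name__ == "__main__":
    print("wall-clock order:", order_by_wall_clock(EVIDENCE))
    placed, unplaced = normalized_timeline(EVIDENCE)
    for site, when in placed:
        print(f"{when:%Y-%m-%d %H:%M} GMT  {site}")
    print("cannot be sequenced:", unplaced)
```

Evidence collected without a time offset ends up in the second list, which is the practical reason for recording the offset at collection time.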
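The account lockout example under Network Traffic and Logs, and the duplicate handling and triggers described under Active Logging, can be reproduced over a few log lines. This is an added Python example, not the book's code or any SIEM product's; the log format, the 10-minute correlation window, and the host and account names are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3              # from the example: lockout after three attempts
WINDOW = timedelta(minutes=10)     # assumed correlation window

# Constructed log lines in a hypothetical key=value format. The first entry is
# deliberately forwarded twice to show duplicate handling.
SAMPLE_LOGS = """\
2020-12-01T09:00:05 host=PC1 event=login_failed user=jsmith
2020-12-01T09:00:05 host=PC1 event=login_failed user=jsmith
2020-12-01T09:01:10 host=PC2 event=login_failed user=jsmith
2020-12-01T09:01:40 host=PC2 event=login_ok user=adavis
2020-12-01T09:02:30 host=PC3 event=login_failed user=jsmith
2020-12-01T11:00:00 host=PC1 event=login_failed user=adavis
"""

LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+)$"
)


def parse(text, dedupe=True):
    """Parse log text into time-ordered events, dropping exact duplicates."""
    seen, events = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        match = LINE.match(line)
        if not match:
            continue                      # skip lines that are not in the format
        if dedupe and line in seen:
            continue                      # same entry forwarded more than once
        seen.add(line)
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def per_host_lockouts(events):
    """What each computer sees alone: failures counted per (host, user)."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "login_failed":
            counts[(e["host"], e["user"])] += 1
    return {key for key, n in counts.items() if n >= LOCKOUT_THRESHOLD}


def siem_alerts(events):
    """Correlate failures for one account across all hosts in a sliding window."""
    recent = defaultdict(deque)
    alerts = []
    for e in events:
        if e["event"] != "login_failed":
            continue
        queue = recent[e["user"]]
        queue.append(e)
        while e["ts"] - queue[0]["ts"] > WINDOW:
            queue.popleft()               # expire failures outside the window
        if len(queue) >= LOCKOUT_THRESHOLD:
            alerts.append({
                "user": e["user"],
                "hosts": sorted({x["host"] for x in queue}),
                "failures": len(queue),
                "at": e["ts"],
            })
            queue.clear()                 # one alert per burst
    return alerts


if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    print("per-host lockouts:", per_host_lockouts(events))
    for alert in siem_alerts(events):
        print("SIEM alert:", alert)
```

With `dedupe=False`, the duplicated PC1 entry makes the alert fire one event early and name only two hosts, which is the distorted picture that duplicate removal avoids.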
Right-to-Audit Clauses

By inserting right-to-audit clauses into supply chain contracts, an auditor can visit the premises without notice and inspect the contractor's books and records to ensure that the contractor is complying with its obligation under the contract. This would help them identify the following:

Faulty or inferior quality of goods
Short shipments
Goods not delivered
Kickbacks
Gifts and gratuities to company employees
Commissions to brokers and others
Services allegedly performed that weren't needed in the first place, such as equipment repairs

Regulatory and Jurisdiction

Cloud data should be stored and have data sovereignty in regions. The US introduced the CLOUD Act in 2018 due to the problems that the FBI faced in forcing Microsoft to hand over data stored in Ireland. In 2019, the UK received royal assent for the Overseas Production Act (COPOA), which allows the UK to seek data stored overseas as part of a criminal investigation. In 2019, the US and the UK signed a data-sharing agreement to give law enforcement agencies in each country faster access to evidence held by providers, such as social media or web hosting. In 2016, a similar agreement was set between the US and the EU; however, with the introduction of General Data Protection Regulation (GDPR), all websites in the US that have consumers from the EU have to abide by GDPR.

Data Breach Notifications/Laws

If a data breach occurs, a company can be fined more than £10 million for failing to report a breach. The EU uses GDPR, and notifications of data breaches must be reported within 72 hours. Other countries have their own reporting timescale.

Review Questions

Now it's time to check your knowledge. Answer these questions and check your answers, found in the Assessment section at the end of the book:

1. What are the three components of the CIA triad?
2. Why might a CCTV camera be situated outside a building without any film inside?
3. What does confidentiality mean?
4. How can we control access of personnel to a data center?
5. What is the purpose of an air gap?
6. Name three main control categories.
7. Name three physical controls.
8. Following an incident, what type of control will be used when researching how the incident happened?
9. How do I know whether the integrity of my data is intact?
10. What is a corrective control?
11. What type of control is it when you change the firewall rules?
12. What is used to log in to a system that works in conjunction with a PIN?
13. What is the name of the person who looks after classified data and who is the person that gives people access to the classified data?
14. When you use a DAC model for access, who determines who gains access to the data?
15. What is least privilege?
16. What is the Linux permission of 764? What access does it give you?
17. The sales team are allowed to log in to the company system between 9 a.m. and 10 p.m. What type of access control is being used?
18. Two people from the finance team are only allowed to authorize the payment of checks; what type of access control are they using?
19. What is the purpose of the defense in depth model?
20. When someone leaves the company, what is the first thing we should do with their user account?
21. What do US companies that host websites in the US have to comply with if customers are based in Poland?
22. How can a company discover that their suppliers are using inferior products?
23. What is one of the most important factors between someone being arrested and their appearance before the judge in court?
24. Can you explain what the purpose of the CLOUD Act and COPOA is?
25. What is Stage C of Cloud Forensic Process 26?

2 Implementing Public Key Infrastructure

Public Key Infrastructure (PKI) is asymmetric encryption that has a Certificate Authority and the associated infrastructure to support issuing and managing certificates.
Certificates are used for both encryption and authentication, and in this chapter, we are going to look at different encryption types and how certificates are issued and used. This is the most difficult module for students to understand, so we have focused on making the most difficult aspects seem easy. If you are going to be successful in the Security+ exam, you must know this module thoroughly.

In this chapter, we are going to cover the following topics:

- Public Key Infrastructure Concepts
- Asymmetric and Symmetric Encryption
- Cryptography Algorithms and Their Characteristics
- Comparing and Contrasting the Basic Concepts of Cryptography

PKI Concepts

The PKI provides asymmetric techniques using two keys: a public key and a private key. There is a certificate hierarchy, which is called the Certificate Authority, that manages, signs, issues, validates, and revokes certificates. Let's first look at the components of the certificate hierarchy. A certificate is known as an X509 certificate.

Certificate Hierarchy

The Certificate Authority (CA) is the ultimate authority as it holds the master key, also known as the root key, for signing all of the certificates that it gives the Intermediary, which then, in turn, issues the certificate to the requester.

Figure 2.1 – CA Hierarchy

Let's look at the CA hierarchy shown in the preceding diagram in more depth:

Online CA: An internal online CA is always up and running so that people in the company can request a certificate at any time of the day or night. This would not be the case in a government or top-security environment.

Offline CA: An offline CA is for a military or secure environment where clearance and vetting must be completed before someone can be issued with a certificate. The CA is kept offline and locked up when it is not being used. It is switched off so that it cannot issue new certificates.

There are different types of CA:

Public CA: A public CA is also known as a third-party CA and is commercially accepted as an authority for issuing public certificates. Examples include Sectigo, formerly known as Comodo, Symantec, Go Daddy, and more. The benefit of using a third-party CA is that all of the management is carried out by them; once you purchase the certificate, all you have to do is install it. They keep an up-to-date Certificate Revocation List (CRL) where you can check whether your certificate is valid. A certificate that is not valid will not work if you are going to sell goods and services to other companies; this is known as a B2B transaction, which requires a public CA.

For example, I put gas in my car and go to pay for it. I give the attendant some monopoly money, but they refuse to take it; this would be the equivalent of a private CA. Businesses will not accept it as payment. I then go to the cash machine outside and withdraw $100 and I give this to the attendant; he smiles and accepts it and gives me some change. This is the equivalent of a public CA. If you wish to trade and exchange certificates with other businesses, you need to get your certificate from a public CA.

The certificate that follows has been issued to the Bank of Scotland from a public CA called DigiCert Global CA. You can see on the front of the certificate the purpose for use and also the dates that it is valid for. The X509 has an OID, which is basically the certificate's serial number – the same way that paper money has serial numbers:

Figure 2.2 – Certificate

Private CA: A private CA can only be used internally. However, although it is free, you must maintain the CA. Hopefully, your company has the skill set to do so.

Registration Authority (RA): The RA validates and accepts the incoming requests for certificates from users on the network and notifies the CA to issue the certificates.
The certificates that are issued are known as X509 certificates.

Subordinate CA: It could be the RA that issues certificates to users. In the CompTIA exam, the subordinate CA could be called an intermediary.

Certificate Pinning: Certificate pinning prevents the compromising of the CA and the issuing of fraudulent X509 certificates. It prevents SSL man-in-the-middle attacks.

Tip: Certificate pinning prevents the compromising of the CA, certificate fraud, and SSL man-in-the-middle attacks.

Certificate Trust

Certificates have some form of trust where the certificate can check whether or not it is valid. We are going to look at different trust models. You need to ensure that you know when each is used:

Trust Anchor: A trust anchor in a PKI environment is the root certificate from which the whole chain of trust is derived; this is the root CA.

Trust Model: A trust model proves the authenticity of a certificate; there are two trust models:

a. Hierarchical Trust Model: This uses a hierarchy from the root CA down to the intermediary (also known as a subordinate); this is the normal PKI model. An example can be seen in the certificate hierarchy diagram earlier in this chapter.
b. Bridge Trust Model: The bridge trust model is peer-to-peer, where two separate PKI environments trust each other. The certificate authorities communicate with each other, allowing for cross certification. Sometimes, this is referred to as the trust model.

Certificate Chaining: This chain of trust is used to verify the validity of a certificate as it includes details of the CRL. The chain normally has three layers, the certificate vendor, the vendor's CA, and the computer where the certificate is installed.

Tip: Certificate chaining shows the trust from the vendor, the vendor CA, and the computer. Fewer than three layers results in trust errors.

Certificate Validity

Each time a certificate is used, the first thing that must happen is that it must be checked for validity.
The following diagram shows the certificate validity process:

Figure 2.3 – Certificate validity

There are three separate processes that you must know thoroughly, and these are as follows:

Certificate Revocation List (CRL): The first stage in checking whether a certificate is valid, no matter the scenario, is to check the CRL. If the X509 is in the CRL, it is no longer valid and will not be accepted. No matter how obscure the question posed in the exam, unless it is going slow or it is a web server looking for a faster lookup, it will be the CRL that provides certificate validity.

Online Certificate Status Protocol (OCSP): Only when the CRL is going slow will the OCSP come into play. It is much faster than the CRL and can take a load from the CRL in a very busy environment.

OCSP Stapling/Certificate Stapling: Certificate stapling, also known as OCSP stapling, is used when a web server bypasses the CRL to use the OCSP for a faster confirmation, irrespective of whether or not a certificate is valid.

Tip: Certificate validity can only be done by the CRL or OCSP. OCSP is used only when the CRL is going slow or has been replaced by the OCSP.

Certificate Management Concepts

We are now going to look at the different ways in which certificates are managed in a PKI environment, starting with the request for a new certificate and ending with different certificate formats. You must learn all of this information thoroughly as these aspects are heavily tested:

Certificate Signing Request (CSR): This is the process of requesting a new certificate.

Key Escrow: The key escrow holds the private keys for third parties and stores them in a Hardware Security Module (HSM):

Figure 2.4 – Key escrow

Hardware Security Module (HSM): The HSM can be a piece of hardware attached to the server or a portable device that is attached to store the keys. See the preceding diagram for more on this. It stores and manages certificates.

Data Recovery Agent (DRA): If a user cannot access their data because their private key is corrupted, the DRA will recover the data. The DRA needs to get the private key from the key escrow.

Certificates: There are two main certificate types: the public key and the private key. The public key is sent to third parties to encrypt the data, and the private key decrypts the data. If you think of the private key as your bank card, that's a thing you wouldn't give away. The public key is the deposit slip that is tied to your account. If you were in a room with 20 people who wanted to pay $20 into your account, you would definitely give them your deposit slip. You will always give your public key away because when you are encrypting data, you will always use the recipient's public key.

Tip: The Data Recovery Agent (DRA) needs a private key from the key escrow to recover data.

Object Identifier (OID): The OID on a certificate is similar to a serial number on a bank note. Bank notes are identified by their serial number. The certificate is identified by its OID.

Certificate Formats: There are different certificate formats, and these are as follows:

Figure 2.5 – Certificate format and file extensions

Types of Certificates

As a security professional, you will be responsible for purchasing new certificates, and therefore, you must learn the certificate types thoroughly to ensure that you make the correct purchases. We will start with the self-signed certificate, which can roll out with applications such as Microsoft Exchange Server or Skype, and finish with extended validation where the certificate has a high level of trust:

Self-Signed Certificate: A self-signed certificate is issued by the same entity that is using it. However, it does not have a CRL and cannot be validated or trusted.

Wildcard: For a wildcard certificate for a domain called securityplus.training, the wildcard certification would be *.securityplus.training and could be used for the domain and a subdomain. For example, in the securityplus.training domain, there are two servers called web and mail. The wildcard certification is *.securityplus.training and, when installed, it would work for the Fully Qualified Domain Names (FQDNs) of both of these—web.securityplus.training and mail.securityplus.training. A wildcard can be used for multiple servers in the same domain.

Domain Validation: A Domain-Validated (DV) certificate is an X.509 certificate that proves the ownership of a domain name.

Subject Alternative Name (SAN): An SAN certificate can be used on multiple domain names, such as abc.com or xyz.com. You can also insert other information into an SAN certificate, such as an IP address.

Code Signing: Code-signing certificates are used to digitally sign software so that its authenticity is guaranteed.

Computer/Machine: A computer or machine certificate is used to identify a computer within a domain.

User: A user certificate provides authenticity to a user for the applications that they use.

Extended Validation: Extended validation certificates provide a higher level of trust in identifying the entity that is using the certificate. It would normally be used in the financial arena. You may have seen it in action where the background of the URL turns green, as shown in the following screenshot:

Figure 2.6 – Extended validation

Companies applying for the extended validation certificate would have to provide more detailed information about the company.

Tip: A wildcard certificate can be installed on multiple public facing websites as a cheaper option. A self-signed certificate can be installed on internal facing websites as a cheaper option.

Asymmetric and Symmetric Encryption

There are two main types of encryption that use certificates, and these are asymmetric and symmetric.
We need to learn about each thoroughly. Let's start by understanding what encryption is. Please remember that you are taking plaintext and changing it into ciphertext.

Encryption Explained

Encryption is where we take plaintext that can be easily read and convert it into ciphertext that cannot be easily read:

Substitution Cipher: Julius Caesar, who died in 44 BC, invented the first substitution cipher, where he moved each letter of the alphabet three places one way or another. This way, he could make his military plans unreadable if they had been intercepted. What he forgot about was that most people in those days could not read! This was called ROT 13, after the thirteen-letter rotation, and is now known as the Caesar cipher. For example, if I take the word ECHO and move each letter on thirteen places to the right in the alphabet sequence, you will get the word RPUB—that would be difficult for someone to read. To decrypt, you would roll back 13 spaces.

ROT 13: ROT 13 is a variation of the Caesar cipher. As there are 26 letters in the alphabet, we are rotating the letters 13 times. The key to ROT 13 would be as follows:

Figure 2.7 – Caesar Cipher ROT 13 table

When receiving the message, GVZR SBE GRN, then we would apply ROT 13, but instead of going forward 13 places to decipher, we would simply go back 13 places, and the message would be TIME FOR TEA. From the preceding table, select a letter from the top and then the corresponding ROT 13 equivalent below it for both encryption and decryption.

There are two types of encryption that use certificates: asymmetric and symmetric. Let's look at each of these in turn:

Symmetric Encryption: Symmetric encryption only uses one key, which is known as the private or shared key. The same key encrypts and decrypts the data. The danger of symmetric encryption is that if the key is stolen, the attacker gets the keys to the kingdom.
The main reason for using symmetric encryption is that it can encrypt large amounts of data very quickly. The Security+ exam does not focus on key exchange, because it only uses one key, but instead focuses on which is the fastest or strongest symmetric key, and which is used for the encryption of large amounts of data. The symmetric encryptions are DES 56 bit, 3DES 168 bit, AES 256 bit, Twofish 128 bit, and Blowfish 64 bit. The smaller the key, the faster it is, but the larger the key, the more secure it is. It also uses block cipher where the data is transferred in blocks making it faster.

Diffie Hellman (DH): When symmetric data is in transit, it is protected by Diffie Hellman, whose main purpose is to create a secure tunnel for symmetric data to pass through. It does not encrypt data, but creates a secure tunnel.

Asymmetric Encryption: Asymmetric encryption uses two keys—a private key and a public key—and is also known as a PKI, complete with its CA and intermediary authorities. The Security+ exam tests the use of both the private and public keys very thoroughly. I have created the following diagram to help you understand the purpose of each key. See Figure 2.8 below.

The first stage in encryption is the key exchange. You will always keep your private key and give away your public key. You will always use the recipient's public key to encrypt:

Figure 2.8 – Key exchange

In the preceding diagram, there are two different key pairs: the black key pair and the white key pair. These work together. Remember: the private key is your bank card; you will always retain it, but the public key is your deposit slip; you will give it away so that people can pay money into your account. The person who is sending the data is on the From side, and the person receiving the data is on the To side. A good way to remember the labels would be to think of South-East on the left-hand side and Distinguished-Visitor on the right.
These labels stand for the following:

S: Sign (digital signature)
E: Encryption
D: Decryption
V: Validation

For example, Bob wants to encrypt data and send it to Carol. How is this done? Let's look at the following diagram. We can see that Bob owns the black key pair and Carol owns the white key pair. The first thing that needs to happen before encryption can happen is that they exchange public keys:

Figure 2.9 – Encryption

You can see under the column for Bob that he has his private key, which he will always keep, and the public key that Carol has given him. In the preceding diagram, you can see the label E, for encryption. Therefore, Bob uses Carol's public key to encrypt the data. Then, under Carol, you can see the letter D, for decryption. Therefore, when the encrypted data arrives, Carol uses the other half of the white key pair, the private key, to decrypt the data.

Tip: Your private key, or a key pair, is never installed on another server. You always retain the private key just like your bank card. You give the public key away or install on another server.

Digital Signatures Explained

When we send an email or document to someone, it could be intercepted in transit and altered. Your email address could be spoofed, and someone could send an email as if it was from you, but there is no guarantee of integrity. We sign the email or document with our private key and it is validated by our public key. The first stage in digital signatures is to exchange public keys, the same principle as encryption. For example, George wants to send Mary an email and he wants to
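The S, E, D and V key roles from the Bob and Carol walkthrough above, as an added example that is not code from the book: textbook RSA on Python integers, with constructed demo primes and no padding, so it shows which key performs which step and nothing more. The function names (make_keypair, encrypt, decrypt, sign, verify) and the sample message are assumptions made for this sketch.

```python
import hashlib

# Constructed demo primes (Mersenne primes). Far too small and too structured
# for real keys; they only keep the arithmetic short.
CAROL_PRIMES = (2**61 - 1, 2**89 - 1)      # the "white" key pair
BOB_PRIMES = (2**107 - 1, 2**127 - 1)      # the "black" key pair


def make_keypair(p, q, e=65537):
    """Return (public, private) as (n, e) and (n, d). Textbook RSA, no padding."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                    # private exponent: e*d = 1 (mod phi)
    return (n, e), (n, d)


def encrypt(recipient_public, data):
    """E: the sender encrypts with the RECIPIENT's public key."""
    n, e = recipient_public
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(recipient_private, ciphertext):
    """D: only the recipient's private key reverses the encryption."""
    n, d = recipient_private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(data, n):
    """SHA-256 of the data as an integer, reduced to fit the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(sender_private, data):
    """S: the sender signs a hash of the data with their OWN private key."""
    n, d = sender_private
    return pow(_digest(data, n), d, n)


def verify(sender_public, data, signature):
    """V: anyone holding the sender's public key can validate the signature."""
    n, e = sender_public
    return pow(signature, e, n) == _digest(data, n)


BOB_PUBLIC, BOB_PRIVATE = make_keypair(*BOB_PRIMES)
CAROL_PUBLIC, CAROL_PRIVATE = make_keypair(*CAROL_PRIMES)

if __name__ == "__main__":
    message = b"pay Carol $20"             # constructed sample message
    # After the key exchange Bob holds CAROL_PUBLIC and Carol holds BOB_PUBLIC.
    ciphertext = encrypt(CAROL_PUBLIC, message)            # Bob: E
    signature = sign(BOB_PRIVATE, message)                 # Bob: S
    print(decrypt(CAROL_PRIVATE, ciphertext))              # Carol: D
    print(verify(BOB_PUBLIC, message, signature))          # Carol: V
    print(verify(BOB_PUBLIC, b"pay Mallory $20", signature))  # altered message
```

Neither private key ever leaves its owner in this flow: Bob needs only Carol's public key to encrypt, and Carol needs only Bob's public key to validate.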
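The wildcard and SAN entries described under Types of Certificates, as an added example that is not code from the book: a hostname check that follows the RFC 6125 rule that `*` stands for exactly one left-most label, run over a constructed SAN list. The function names and the sample IP address are assumptions; under this rule the bare domain securityplus.training is covered only when it is listed as its own SAN entry.

```python
import ipaddress


def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split it into labels."""
    return name.rstrip(".").lower().split(".")


def dns_name_matches(pattern, hostname):
    """True if a certificate DNS name (possibly a wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False                       # a wildcard never spans extra labels
    if any("*" in label for label in p[1:]):
        return False                       # wildcard is only valid left-most
    if p[0] == "*":
        # Require a real domain after the star so "*.training" is refused.
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False                       # partial wildcards ("w*") refused here
    return p == h


def san_covers(host, san_entries):
    """Check host against SAN entries given as ("DNS", name) or ("IP", addr)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None                          # not an IP literal, treat as DNS name
    for kind, value in san_entries:
        if ip is not None:
            # IP literals match IP entries exactly, never DNS wildcards.
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_name_matches(value, host):
            return True
    return False


# Constructed SAN list combining the page's examples; the IP is a
# documentation-range address chosen for illustration.
SAMPLE_SAN = [
    ("DNS", "*.securityplus.training"),
    ("DNS", "abc.com"),
    ("DNS", "xyz.com"),
    ("IP", "192.0.2.10"),
]

if __name__ == "__main__":
    for host in ("web.securityplus.training", "mail.securityplus.training",
                 "securityplus.training", "a.web.securityplus.training",
                 "abc.com", "www.abc.com", "192.0.2.10", "192.0.2.11"):
        print(f"{host:32} {san_covers(host, SAMPLE_SAN)}")
```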
