CompTia Security+.pdf

Full Transcript

CompTIA Security+:
SY0-601 Certification
Guide
Second Edition

Complete coverage of the new CompTIA Security+
(SY0-601) exam to help you pass on the first attempt

Ian Neil

BIRMINGHAM—MUMBAI
CompTIA Security+: SY0-601 Certification Guide
Second Edition
Copyright © 2020 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in
any form or by any means, without the prior written permission of the publisher, except in the case of brief
quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented.
However, the information contained in this book is sold without warranty, either express or implied. Neither
the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused
or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products
mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the
accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Rahul Nair
Senior Editor: Arun Nadar
Content Development Editor: Pratik Andrade
Technical Editor: Yoginee Marathe
Copy Editor: Safis Editing
Project Coordinator: Neil Dmello
Proofreader: Safis Editing
Indexer: Rekha Nair
Production Designer: Vijay Kamble

First published: September 2018
Second published: December 2020
Production reference: 1221220

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-80056-424-4

www.packt.com
Packt.com
Subscribe to our online digital library for full access to over 7,000 books and videos, as
well as industry leading tools to help you plan your personal development and advance
your career. For more information, please visit our website.

Why subscribe?
Spend less time learning and more time coding with practical eBooks and Videos
from over 4,000 industry professionals
Improve your learning with Skill Plans built especially for you
Get a free eBook or video every month
Fully searchable for easy access to vital information
Copy and paste, print, and bookmark content

Did you know that Packt offers eBook versions of every book published, with PDF and
ePub files available? You can upgrade to the eBook version at packt.com and as a print
book customer, you are entitled to a discount on the eBook copy. Get in touch with us at
[email protected] for more details.
At www.packt.com, you can also read a collection of free technical articles, sign up
for a range of free newsletters, and receive exclusive discounts and offers on Packt books
and eBooks.
 Contributors
About the author
Ian Neil is one of the world's top trainers of Security+ he has the ability to break down the
information into manageable chunks so that people with no background knowledge can
gain the skills required to become certified. He has recently worked for the US Army in
Europe and designed a Security+ course that catered for people from all backgrounds
(not just the IT professional), with an extremely successful pass rate. He is an MCT,
MCSE, A+, Network+, Security+, CASP, and RESILIA practitioner, who over the past
23 years, has worked with high-end training providers and was one of the first technical
trainers to train Microsoft internal staff when they opened their Bucharest Office in 2006.
About the reviewers
Crystal Voiles is an IT specialist with more than 30 years of IT experience ranging from
help desk support, desktop support, system administration, and cyber security support.
For the last 10 years, she has served as a cyber security specialist, managing several
cyber security tools, including Assured Compliance Assessment Solution (ACAS),
Host-Based Security System (HBSS), Tanium, System Center Configuration Manager
(SCCM), and Enterprise Mission Assurance Support Service (eMASS).
Currently serving as the Information Systems Security Manager (ISSM) for a small
medical organization responsible for coordination and execution of security policies and
controls, as well as assessing vulnerabilities within a medical company. She is responsible
for data and network security processing, security systems management, and security
violation investigations. She manages backup and security systems, employee training for
approximately 900 end user accounts, security planning measures, and recovery of data in
disaster testing situations.
Her certifications include Certified Information Systems Security Professional (CISSP),
CompTIA Advanced Security Practitioner (CASP+), Security +, Microsoft Certified
Professional (MCP), SCCM, and ITIL Foundations.

Rebecca Moffitt is an experienced information security and risk consultant with 8 years
of experience in the industry.
Rebecca joined QA in October of 2018, and since then has been working as a cyber
security technical specialist. Her areas of training have been primarily related to cyber
security, information security, information assurance, and risk management. She most
recently obtained her CISM via ISACA, and her CSRM via PECB. She is a certified
Information Security Management Systems Lead Implementer and is proficient in ISO
27001, 27002, 27005, and has knowledge of ISO 31000, 27035, and 19011, as well as
various cyber, information, and risk frameworks.
Rebecca is passionate about her profession and has spent time working with the younger
generations, raising their awareness of the field of cyber/information security and
sparking enthusiasm in them about a potential career in cyber security.
On a personal level, Rebecca is Canadian. The country lifestyle is rooted within her.
She loves all things related to the East Coast lifestyle: kitchen parties, country music,
and fiddleheads.
I would like to thank my family always, for their continual love and support.
- Rebecca Moffitt

Packt is searching for authors like you
If you're interested in becoming an author for Packt, please visit authors.
packtpub.com and apply today. We have worked with thousands of developers and
tech professionals, just like you, to help them share their insight with the global tech
community. You can make a general application, apply for a specific hot topic that we are
recruiting an author for, or submit your own idea.
 Table of Contents

Preface

Section 1:
Security Aims and Objectives
1
Understanding Security Fundamentals
Security Fundamentals 4 Role-Based Access Control 12
CIA Triad Concept 4 Rule-Based Access Control 12
Least Privilege 5 Attribute-Based Access Control 12
Defense in Depth Model 5 Group-Based Access Control 13
Linux-Based Access Control 13
Comparing Control Types 6
Managerial Controls 6 Physical Security Controls 14
Operational Controls 7 Perimeter Security 15
Technical Controls 7 Building Security  16
Deterrent Controls 8 Device Protection 17
Detective Controls 8
Understanding Digital Forensics 18
Corrective Controls 9
Five-Minute Practical 20
Compensating Controls 9
Collection of Evidence  20
Preventative Controls 9
Cloud Forensics 25
Access Controls 10
Discretionary Access Control 10 Review Questions 27
Mandatory Access Control 11
ii Table of Contents

2
Implementing Public Key Infrastructure
PKI Concepts 30 Protecting Data 51
Certificate Hierarchy 30
Basic Cryptographic
Certificate Trust 32
Terminologies51
Certificate Validity 33
Obfuscation52
Certificate Management Concepts 34
Pseudo-Random Number Generator 52
Types of Certificates 35
Nonce52
Asymmetric and Symmetric Perfect Forward Secrecy 52
Encryption37 Security through Obscurity 52
Encryption Explained 37 Collision52
Digital Signatures Explained 40 Steganography52
Cryptography Algorithms and Their Homomorphic Encryption  53
Characteristics41 Diffusion 53
Symmetric Algorithms 41 Implementation Decisions 53
Asymmetric Algorithms 42
Common Use Cases for
Symmetric versus Asymmetric Analogy 44
Cryptography53
XOR Encryption 44
Supporting Confidentiality 53
Key Stretching Algorithms 45 Supporting Integrity 54
Cipher Modes 45 Supporting Non-Repudiation 54
Stream versus Block Cipher Analogy 45 Supporting Obfuscation 54
Modes of Operation  46 Low-Power Devices 54
High Resiliency 54
Quantum Computing  47 Supporting Authentication 55
Blockchain and the Public Resource versus Security Constraints 55
Ledger  47
Practical Exercises 55
Hashing and Data Integrity 48
Practical Exercise 1 – Building a
Comparing and Contrasting the Certificate Server 55
Basic Concepts of Cryptography 49 Practical Exercise 2 – Encrypting Data
Asymmetric – PKI 49 with EFS and Stealing Certificates 56
Symmetric Algorithm – Modes of Practical Exercise 3 – Revoking the EFS
Operation49 Certificate 57
Hashing Algorithms 50
Crypto Service Provider 50
Review Questions 57
Crypto Module 51
 Table of Contents iii

3
Investigating Identity and Access Management
Understanding Identity and Cloud Versus On-Premises
Access Management Concepts  62 Authentication92
Identity Types 62 On-Premises92
Account Types 63 In the Cloud 92

Authentication Types 66 Common Account Management
Security Tokens and Devices 66 Policies  93
Certification-Based Authentication 67 Account Creation 93
Employees Moving Departments 94
Implementing Authentication
Account Recertification 95
and Authorization Solutions 69
Account Maintenance 95
Authentication Management 69
Account Monitoring 95
Authentication Protocols 70
Security Information and Event
Authentication, Authorization, and
Management95
Accounting (AAA) Servers 71
Group-Based Access Control 98
Access Control Schemes 73
Practical Exercise – Password
Summarizing Authentication
Policy102
and Authorization Design
Concepts79 Review Questions 102
Directory Services  79

4
Exploring Virtualization and Cloud Concepts
Overview of Cloud Computing 108 Understanding Cloud
Implementing Different Cloud Computing Concepts 119
Deployment Models 110 Understanding Cloud Storage
Understanding Cloud Service Concepts122
Models113 Selecting Cloud Security
Infrastructure as a Service (IaaS) 114 Controls124
Software as a Service (SaaS) 115 High Availability Access Zones  124
Platform as a Service (PaaS) 118 Resource Policies 124
Security as a Service (SECaaS) 118 Secret Management 124
Anything as a Service (XaaS)  119 Integration and Auditing 125
iv Table of Contents

Storage125 Exploring the Virtual Network
Networks126 Environments130
Compute128 Review Questions 134
Solutions128

Section 2:
Monitoring the Security Infrastructure
5
Monitoring, Scanning, and Penetration Testing
Penetration Testing Concepts 140 Performed  147
Rules of Engagement (ROE) 140 Penetration Testing versus
Network Exploitation Techniques 141 Vulnerability Scanning 147

Passive and Active Syslog/Security Information
Reconnaissance142 and Event Management 147
Reconnaissance Tools 142 Security Orchestration,
Automation, and Response 150
Exercise Types 143 Threat Hunting 151
Vulnerability Scanning Concepts144
Practical Exercise – Running
Credentialed versus Non-Credentialed
Scans146
a Credentialed Vulnerability
Intrusive versus Non-Intrusive
Scanner152
Vulnerability Scans  146 Review Questions  156
Other Types of Scans That Can Be

6
Understanding Secure and Insecure Protocols
Introduction to Protocols 160 Subscription Services and Their
Protocols170
Insecure Protocols and Their
Use Cases 161 Routing and Its Protocols 171
Switching and Its Protocols 172
Secure Protocols and Their Use
Active Directory (Directory Services)
Cases165
and Its Protocols 173
Additional Use Cases and Their
Protocols170 Review Questions 174
 Table of Contents v

7
Delving into Network and Security Concepts
Installing and Configuring Network Segmentation 197
Network Components 178 Intrusion Prevention System 199
Firewall178 Intrusion Detection System 199
Network Address Translation Gateway  180 Modes of Operation 200
Router181 Sensor/Collector200
Access Control List – Network Devices 181 Monitoring Data 200
Switch182 Network Access Control 201
Tap/Port Mirror 184 The Domain Name System 202
Aggregation Switches 184 DNS Poisoning 204
Honeypot 184
Network Reconnaissance and
Proxy Server 185
Discovery205
Jump Servers 187
Exploitation Frameworks  219
Load Balancer 187
Forensic Tools  219
Remote Access Capabilities  190
IPSec191
IP Addressing 221
VPN Concentrator 192 IP Version 4 221
Split Tunneling 193 Subnet Mask 222
Remote Support  194 CIDR Mask 222
DHCP  222
Secure Network Architecture IP Version 6 Addressing 224
Concepts195
Software-Defined Network 195
Review Questions 226

8
Securing Wireless and Mobile Solutions
Implementing Wireless Security229 Wireless – Open System
Authentication235
Wireless Access Point
Controllers230 Wireless Encryption 235
Wireless Captive Portals 237
Securing Access to Your WAP 231
Wireless Attacks 237
Wireless Bandwidth/Band Selection 232
Wireless Authentication Protocols 237
Wireless Channels  233
Wireless Antenna Types  233 Deploying Mobile Devices
Wireless Coverage 233 Securely238
vi Table of Contents

Mobile Device Management 238 Mobile Device Management Concepts 242
Bring Your Own Device 239 Device Management 244
Choose Your Own Device  240 Device Protection 244
Corporate-Owned Personally-Enabled 240 Device Data 245
Mobile Device Enforcement and
Mobile Device Connection Monitoring246
Methods  240
Review Questions 248

Section 3:
Protecting the Security Environment
9
Identifying Threats, Attacks, and Vulnerabilities
Virus and Malware Attacks 254 Network Attacks 270
Social Engineering Attacks 257 Application/Programming Attacks 273
Hijacking-Related Attacks 280
Threat Actors 263
Driver Manipulation 282
Advanced Attacks 264 Cryptographic Attacks 282
Password Attacks 265
Physical Attacks 267 Review Questions 283
On-Path Attacks 268

10
Governance, Risk,
and Compliance
Risk Management Processes Threat Actors 297
and Concepts  288 Attack Vectors  299
Risk Types 289 Threat Intelligence Sources  300
Risk Management Strategies  290 Research Sources  303
Risk Analysis  291
The Importance of Policies for
Calculating Loss 294
Organizational Security 304
Disasters295
Personnel305
Business Impact Analysis Concepts 295
Diversity of Training Techniques 308
Threat Actors, Vectors, and Third-Party Risk Management 309
Intelligence Concepts 297 Data  310
 Table of Contents vii

Credential Policies 311 Privacy Breaches  317
Organizational Policies  312 Notifications of Breaches 318
Data Types  318
Regulations, Standards, and Privacy-Enhancing Technologies  320
Legislation  312
Data Roles and Responsibilities  321
Key Frameworks  313 Information Life Cycle 322
Benchmarks/Secure Configuration Impact Assessment 322
Guides  316
Terms of Agreement 323
Privacy and Sensitive Data Privacy Notice 323
Concepts317
Review Questions 323
Organizational Consequences of

11
Managing Application Security
Implementing Host or Supervisory Control and Data
Application Security  328 Acquisition (SCADA) 344
Boot Integrity 328 Industrial Control System 344
Endpoint Protection  329 Communication Considerations 345
Databases330 Constraints345
Application Security 332
Understanding Secure
Hardening 334 Application Development,
Full Disk Encryption (FDE) 336 Deployment, and Automation 346
Self-Encrypting Drives (SEDs) 337
Software Diversity  346
Understanding the Security Elasticity347
Implications of Embedded and Scalability  347
Specialist Systems 337 Environment347
Internet of Things (IoT) 338 Automation/Scripting348
Real-Time Operating System (RTOS) 340 Provisioning and Deprovisioning 349
Multifunctional Printers (MFPs) 340 Integrity Measurement 349
Surveillance Systems 340 Secure Coding Techniques 349
System on a Chip (SoC) 341 Open Web Application Security Project
(OWASP)352
Heating, Ventilation, and Air
Conditioning (HVAC)  341
Review Questions 353
Specialized Devices 342
Embedded Systems 343
viii Table of Contents

12
Dealing with Incident Response Procedures
Incident Response Procedures  356 Knowing How to Apply
Disaster Recovery Exercises 357 Mitigation Techniques
Attack Frameworks 357 or Controls to Secure an
Stakeholder Management  360 Environment  367
Continuity of Operations Planning Application Approved List 367
(COOP)361 Application Block List/Deny List 368
Quarantine368
Utilizing Data Sources to Configuration Changes 368
Support Investigations362 Isolation369
Vulnerability Scan Output 363 Containment369
SIEM Dashboards 363 Segmentation369
Log Files 364 Security Orchestration, Automation,
Log Managers 365 and Response (SOAR) 369
Journalctl366
Implementing Cybersecurity
Nxlog366
Resilience369
Bandwidth Monitors 366
Redundancy369
Metadata366
Network Monitoring 367 Review Questions 379
Protocol Analyzer Output 367

Section 4:
Mock Tests
13
Mock Exam 1
Mock Exam 1 Assessment
 Table of Contents ix

14
Mock Exam 2
Mock Exam 2 Assessment
Assessment
Chapter 1 – Understanding Secure and Insecure Protocols 440
Security Fundamentals 427 Chapter 7 – Delving into
Chapter 2 – Implementing Network and Security Concepts 441
Public Key Infrastructure 429 Chapter 8 – Securing Wireless
Chapter 3 – Investigating and Mobile Solutions 444
Identity and Access Chapter 9 – Identifying Threats,
Management432 Attacks, and Vulnerabilities 446
Chapter 4 – Exploring Chapter 10 – Governance, Risk,
Virtualization and Cloud and Compliance 450
Concepts436
Chapter 11 – Managing
Chapter 5 – Monitoring, Application Security 453
Scanning, and Penetration
Chapter 12 – Dealing with
Testing438
Incident Response Procedures 456
Chapter 6 – Understanding
Other Books You May Enjoy
Index
 Preface
This book will help you to understand security fundamentals, ranging from the CIA
triad right through to identity and access management. This book describes network
infrastructure and how it is evolving with the implementation of virtualization and
different cloud models and their storage. You will learn how to secure devices and
applications that are used by a company.

Who this book is for
This book is designed for anyone who is seeking to pass the CompTIA Security+ SY0-601
exam. It is a stepping-stone for anyone who wants to become a security professional
or move into cybersecurity.

What this book covers
Chapter 1, Understanding Security Fundamentals, covers some security fundamentals that
will be expanded upon in later chapters.
Chapter 2, Implementing Public Key Infrastructure, goes into the different encryption types
and teaches how certificates are issued and used.
Chapter 3, Investigating Identity and Access Management, looks at different types of
authentication. We will look at the concepts of identity and access management.
Chapter 4, Exploring Virtualization and Cloud Concepts, gets you acquainted with various
cloud models and cloud security, looking at their deployment and storage environments.
Chapter 5, Monitoring, Scanning, and Penetration Testing, looks at penetration testing,
exercise types, scanning, threat hunting, and SIEM systems.
Chapter 6, Understanding Secure and Insecure Protocols, looks at when to use certain
secure protocols.
Chapter 7, Delving into Network and Security Concepts, looks at network components,
remote access, and network reconnaissance tools.
xii Preface

Chapter 8, Securing Wireless and Mobile Solutions, looks at wireless solutions and secure
mobile solutions.
Chapter 9, Identifying Threats, Attacks, and Vulnerabilities, explores attacks and
vulnerabilities, taking each type of attack in turn and its unique characteristics. This
chapter is probably the most heavily tested module in the Security+ exam.
Chapter 10, Governance, Risk, and Compliance, looks at risk management and regulations
and frameworks.
Chapter11, Managing Application Security, looks at application development and security.
Chapter 12, Dealing with Incident Response Procedures, looks at preparing for disaster
recovery incidents and how to recover.
Chapter 13, Mock Exam 1, includes mock questions, along with explanations, which will
help assess whether you're ready for the test.
Chapter 14, Mock Exam 2, includes more mock questions, along with explanations, which
will help assess whether you're ready for the test.

To get the most out of this book
This certification guide assumes no prior knowledge of the product. You need to
understand the information fully to become certified.

Download the color images
We also provide a PDF file that has color images of the screenshots/diagrams used in this
book. You can download it here: http://www.packtpub.com/sites/default/
files/downloads/9781800564244_ColorImages.pdf.

Conventions used
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names,
filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles.
Here is an example: "The problem that arises is that strcpy cannot limit the size of
characters being copied."
 Preface xiii

A block of code is set as follows:

int fun (char data ) {
int I
char tmp ; strcpy (tmp, data);
}

Any command-line input or output is written as follows:

Set-ExecutionPolicy Restricted

Bold: Indicates a new term, an important word, or words that you see onscreen. For
example, words in menus or dialog boxes appear in the text like this. Here is an example:
"The SSID is still enabled. The administrator should check the box next to Disable
Broadcast SSID."

Tips or important notes
Appear like this.

Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, mention the book
title in the subject of your message and email us at [email protected].
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes
do happen. If you have found a mistake in this book, we would be grateful if you would
report this to us. Please visit www.packtpub.com/support/errata, selecting your
book, clicking on the Errata Submission Form link, and entering the details.
Piracy: If you come across any illegal copies of our works in any form on the Internet,
we would be grateful if you would provide us with the location address or website name.
Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in
and you are interested in either writing or contributing to a book, please visit authors.
packtpub.com.
xiv Preface

Reviews
Please leave a review. Once you have read and used this book, why not leave a review on
the site that you purchased it from? Potential readers can then see and use your unbiased
opinion to make purchase decisions, we at Packt can understand what you think about
our products, and our authors can see your feedback on their book. Thank you!
For more information about Packt, please visit packt.com.
 Section 1:
Security Aims and
Objectives

In this section, you will learn about security fundamentals, from the CIA triad through
to identify and access management.
This section comprises the following chapters:

Chapter 1, Understanding Security Fundamentals
Chapter 2, Implementing Public Key Infrastructure
Chapter 3, Investigating Identity and Access Management
Chapter 4, Exploring Virtualization and Cloud Concepts
 1
Understanding
Security
Fundamentals
In this chapter, we are going to look at some security fundamentals that will help you
identify security threats in the system and mitigate them. With cybercrime increasing day
by day, as an Information Technology (IT) professional, it is essential to first understand
these fundamental concepts.
In this chapter, we will be covering the following topics:

Security Fundamentals
Comparing Control Types
Physical Security Controls
Understanding Digital Forensics

Let's start off by looking at security fundamentals.
4 Understanding Security Fundamentals

Security Fundamentals
The fundamentals of security are the foundation of protecting our assets, and there must
be a strategy or methodology that we adapt for security. This is the CIA triad; let's look at
its breakdown.

CIA Triad Concept
Most security books start with the basics of security by featuring the CIA triad—this is
a conceptual model designed to help those writing information security policies within
an organization. It is a widely used security model and it stands for confidentiality,
integrity, and availability, the three key principles that should be used to guarantee
you have a secure system:

Figure 1.1 – CIA triad
We'll discuss these principles in more depth here:

Confidentiality: Prevents the disclosure of data to unauthorized people so that only
authorized people have access to data. This is known as the need-to-know basis.
Only those who should know the contents should be given access. An example
would be that your medical history is only available to your doctor and nobody else.
We also tend to encrypt data to keep it confidential. There are two types of
encryption, known as symmetric and asymmetric. Symmetric encryption uses one
key, known as the private key or shared key. Asymmetric encryption uses two keys,
known as the private key and the public key.
 Security Fundamentals 5

Integrity: This means that you know that data has not been altered or tampered
with. We use a technique called hashing that takes the data and converts it into
a numerical value called a hash or message digest. When you suspect changes have
taken place, you would check the hash value against the original. If the hash value
has changed, then the data has been tampered with. Common hashing algorithms
covered in the exam are Secure Hash Algorithm Version 1 (SHA1) 160-bit, SHA2
256-bit, SHA3 512-bit, and Message Digest Version 5 (MD5) 128-bit. SHA1 is
more secure than MD5; however, MD5 is faster. The higher the number of bits, the
more secure, and the lower the number, the faster it is.
Availability: Availability ensures that data is always available; an example would
be if you wanted to purchase an airplane ticket and the system came back with an
error saying that you could not purchase it. This could be frustrating and hence,
availability is important. Examples of availability could be using Redundant Array
of Independent Disks (RAID), maybe a fail-over cluster, a data backup, or Heating
Ventilation Air Conditioning (HVAC) to regulate the system for critical servers.

Least Privilege
Least Privilege is where you give someone only the most limited access required so that
they can perform their job role; this is known as a need-to-know basis. The company will
write a least privilege policy so that the administrators know how to manage it.

Defense in Depth Model
Defense in Depth is the concept of protecting a company's data with a series of protective
layers so that if one layer fails, another layer will already be in place to thwart an attack.
We start with our data, then we encrypt it to protect it:

The data is stored on a server.
The data has file permissions.
The data is encrypted.
The data is in a secure area of the building.
There is a security guard at the building entrance checking identification.
There is CCTV around the perimeter.
There is a high fence around the perimeter.
6 Understanding Security Fundamentals

Let's look at this from the intruder's perspective, trying to jump the fence, and see how
many layers they have to circumvent:

Figure 1.2 – Defense in Depth model
Let's now compare the different control types.

Comparing Control Types
There is a wide variety of different security controls that are used to mitigate the risk
of being attacked; the three main categories are managerial, operational, and technical.
We are going to look at these in more detail; you need to be familiar with each of these
controls and when each of them should be applied. Let's start by looking at the three main
controls.

Managerial Controls
Managerial Controls are written by managers to create organizational policies and
procedures to reduce risk within companies. They incorporate regulatory frameworks
so that the companies are legally compliant. The following are examples of management
controls:

Annual Risk Assessment: A company will have a risk register where the financial
director will look at all of the risks associated with money and the IT manager will
look at all of the risks posed by the IT infrastructure. As technology changes and
hackers get more sophisticated, the risks can become greater. Each department will
identify their risks and the risk treatments, and place them in the risk register.
These should be reviewed annually.
 Comparing Control Types 7

Penetration Testing/Vulnerability Scanning: A vulnerability scan is not intrusive
as it merely checks for vulnerabilities, whereas a penetration test is more intrusive
and can exploit vulnerabilities. These will be explained further later in this book.

Operational Controls
Operational controls are executed by company personnel during their day-to-day
operations. Examples of these are the following:

Annual Security Awareness Training: This is an annual event where you are
reminded about what you should be doing on a daily basis to keep the company safe:
a. Example 1 – When you are finished for the day, you clear your desk and lock all
documents away; another employee would remind you that your identity badge
should be worn at all times and you should challenge anyone not wearing a badge.
b. Example 2 – Companies need their employees to complete annual cybersecurity
training as the risk is getting greater each day.
Change Management: This is a process that a company adopts so that changes
made don't cause any security risks to the company. A change to one department
could impact another department. The Change Advisory Board (CAB) assists with
the prioritization of changes; they also look at the financial benefits of the change
and they may accept or reject the changes proposed for the benefit of the company.
IT evolves rapidly and our processes will need to change to cope with the potential
security risks associated with newer technology.
Business Continuity Plan: This is contingency planning to keep the business up
and running when a disaster occurs by identifying any single point of failure that
would prevent the company from remaining operational.

Technical Controls
Technical Controls are those implemented by the IT team to reduce the risk to
the business.
These could include the following:

Firewall Rules: Firewalls prevent unauthorized access to the network by IP address,
application, or protocol. These are covered in depth later in this book.
Antivirus/Antimalware: This is the most common threat to a business, and
we must ensure that all servers and desktops are protected and up to date.
8 Understanding Security Fundamentals

Screen Savers: These log computers off when they are idle, preventing access.
Screen Filters: These prevent people that are walking past from reading the data on
your screen.
Intrusion Prevention Systems (IPS)/Intrusion Detection Systems (IDS): An IDS
monitors the network for any changes and an IPS stops the attacks. If you do not
have an IDS, the IPS has the ability to fulfill the role of the IDS.

Let's now look at other control types, from deterrents to physical controls, when we try
and stop attacks at the source.

Deterrent Controls
Deterrent Controls could be CCTV and motion sensors. When someone is walking
past a building and the motion sensors detect them, it turns the lights on to deter them.
A building with a sign saying that it is being filmed with CCTV prevents someone from
breaking into your premises, even though there may not be film inside the camera—but
they don't know that!

Detective Controls
Detective Controls are used to investigate an incident that has happened and needs to be
investigated; these could include the following:

CCTV records events as they happen and from that, you can see who has entered
a particular room or has climbed through a window at the rear of a building. CCTV
can capture motion and provide non-repudiation.
Log Files are text files that record events and the times that they occurred; they can
log trends and patterns over a period of time. For example, servers, desktops, and
firewalls all have event logs that detail actions that happen. Once you know the time
and date of an event, you can gather information from various log files. These can be
stored in Write-Once Read-Many (WORM) drives so that they can be read but not
tampered with.
 Comparing Control Types 9

Corrective Controls
Corrective Controls are the actions you take to recover from an incident. You may lose
a hard drive that contained data; in that case, you would replace the data from a backup
you had previously taken.
Fire Suppression Systems are another form of corrective control. There may have been
a fire in your data center that destroyed many servers, therefore when you purchase
a replacement, you may install an oxygen suppressant system that will starve a fire of
the oxygen needed. This method uses argon/nitrogen and carbon dioxide to displace the
oxygen in the server room.

Compensating Controls
Compensating Controls can also be called Alternative or Secondary Controls and can
be used instead of a primary control that has failed or is not available. Once a primary
control has failed, we need a secondary control. This is similar to when you go shopping
and you have $100 in cash—once you have spent your cash, you will have to use a credit
card as a compensating control.
Example: When a new employee arrives, they should log in using a smart card and PIN.
It may take 3–5 days to get a new smart card, so during the waiting period, they may log
in using a username and password.

Preventative Controls
Preventative Controls are in place to deter any attack; this could be having a security
guard with a large dog walking around the perimeter of your building. This would make
someone trying to break in think twice about doing so. Some of the preventive measures
that can be taken are as follows:

Disable User Accounts: When someone leaves a company, the first thing that
happens is that their account is disabled, as we don't want to lose information that
they have access to, and then we change the password so that they cannot access it.
We may also disable an account while people are on secondment or maternity leave.
Operating System Hardening: This makes a computer more secure, where
we ensure that the operating system is fully patched and turn off unused features
and services. This will ensure that there will be no vulnerabilities.
10 Understanding Security Fundamentals

Access Controls
The three main parts of access controls are identifying an individual, authenticating
them when they insert a password or PIN, and then authorization, where an individual
is granted permission to the different forms of data. For example, someone working in
finance will need a higher level of security clearance and have to access different data than
a person who dispatches an order in finished goods:

Identification: This is similar to everyone having their own bank account; the
account is identified by the account details on the bank card. Identification in
a security environment may involve having a user account, a smart card, or maybe
a fingerprint reader—this is unique to each individual. Each person has their own
Security Identifier (SID) for their account, which is like an account serial number.
Authentication: Once the individual inserts their method of identification, they
next have to be authenticated, for example, by inserting a password or a PIN.
Authorization: This is the level of access or permissions that you have to apply to
selected data. You are normally a member of certain groups, for example, a sales
manager could access data from the sales group and then access data from the
managers group. You will only be given the minimum amount of access required to
perform your job; this is known as least privilege.

Discretionary Access Control
Discretionary Access Control involves New Technology File System (NTFS) file
permissions, which are used in Microsoft operating systems. The user is only given the
access that they need to perform their job. They are sometimes referred to as user-based or
user-centric. The permissions are as follows:

Full Control: Full access.
Modify: Change data, read, and read and execute.
Read and Execute: Read the file and run a program if one is inside it.
List Folder Contents: Expand a folder to see the subfolders inside it.
Read: Read the contents.
Write: Allows you to write to the file.
Special Permissions: Allows granular access; for example, it breaks each of the
previous permissions down to a more granular level.
Data Creator/Owner: The person that creates the unclassified data is called the
owner and they are responsible for authorizing who has access to that data.
 Comparing Control Types 11

The following diagram shows a user called Ian who had Read and Read & execute
permissions:

Figure 1.3 – DAC file permissions

Mandatory Access Control
Mandatory Access Control (MAC) is based on the classification level of the data. MAC
looks at how much damage could be inflicted to the interests of the nation. These are as
follows:

Top secret: Highest level, exceptionally grave damage
Secret: Causes serious damage
Confidential: Causes damage
Restricted: Undesirable effects

Examples of MAC based on the classification level of data are as follows:

Top secret: Nuclear energy project
Secret: Research and development
Confidential: Ongoing legal issues
12 Understanding Security Fundamentals

MAC Roles
Once classified data has been written, it is owned by the company. For example,
if a Colonel writes a classified document, it belongs to the Army. Let's look at three roles:

Owner: This is the person who writes data, and they are the only person that can
determine the classification. For example, if they are writing a secret document,
they will pitch it at that level, no higher.
Steward: This is the person responsible for labeling the data.
Custodian: The custodian is the person who stores and manages classified data.
Security Administrator: The security administrator is the person who gives access
to classified data once clearance has been approved.

Role-Based Access Control
Role-based access control is a subset of the department carrying out a subset of duties
within a department. An example would be two people within the finance department
who only handle petty cash. In IT terms, it could be that only two people of the IT team
administer the email server.

Rule-Based Access Control
In Rule-Based Access Control (RBAC), a rule is applied to all of the people within
a department, for example, contractors will only have access between 8 a.m. and 5 p.m.,
and the help desk people will only be able to access building 1, where their place of
work is. It can be time-based or have some sort of restriction, but it applies to the whole
department.

Attribute-Based Access Control
In Attribute-Based Access Control (ABAC), access is restricted based on an attribute in
the account. John could be an executive and some data could be restricted to only those
with the executive attribute. This is a user attribute from the directory services, such as
a department or a location. You may wish to give different levels of control to different
departments.
 Comparing Control Types 13

Group-Based Access Control
To control access to data, people may be put into groups to simplify access. An example
would be if there were two people who worked in IT who needed access to IT data. For
example, let's call them Bill and Ben. We first of all place them into the IT group, and then
that group is given access to the data:

Figure 1.4 – Group-based access
Another example is where members of a sales team may have full control of the sales data
by using group-based access, but you may need two new starters to have only read access.
In this case, you would create a group called new starters and give those people inside that
group only read permission to the data.

Linux-Based Access Control
In this section, we are going to look at Linux file permissions. These appear frequently in
the Security+ exam even though they are not covered in the exam objectives.

Linux File Permissions (not SELinux)
Linux file permissions come in a numerical format; the first number represents the owner,
the second number represents the group, and the third number represents all other users:
a. Permissions:

Owner: First number
Group: Second number
All other users: Third number

b. Numerical values:

4: Read
2: Write
1: Execute
14 Understanding Security Fundamentals

Unlike a Windows permission that will execute an application, the execute function in
Linux allows you to view or search. A permission of 6 would be read and write. A value of
2 would be write, and a value of 7 would be read, write, and execute. Some examples are as
follows:

Example 1: If I have 764 access to File A, this could be broken down as follows:
a. Owner: Read, write, and execute
b. Group: Read and write
c. All other users: Read
Another way the permissions can be set is by alphabetical values, as shown:
a. R: Read
b. W: Write
c. X: Execute
When using alphabetical values, each set of permission is shown as three dashes.
Full control for the three entities are as follows:
a. Owner Full Control: rwx --- ---
b. Group Full Control: --- rwx ---
c. User Full Control: --- --- rwx
Example 2: If a file has an access level of rwx rwx rw-, what does this mean?
a. Owner has read, write, and execute (full control).
b. Group has read, write, and execute (full control).
c. Others have only read and write permissions.

Physical Security Controls
Physical security controls are put in place to stop unauthorized access to the company
or accessing the data. Physical security controls are easily identifiable as you can touch
them. Let's look at each of them in turn.
 Physical Security Controls 15

Perimeter Security
In this section, we will look at different types of perimeter security systems:

Signage: Before anyone reaches your main entrance, there should be highly visible
signs warning them that they are entering a secure area with armed guards and
dogs. This is used as a deterrent to prevent possible intruders.
Fences/Gates: The first line of defense should be a perimeter fence as the openness
of many sites renders them highly vulnerable to intruders. Access to the site can be
controlled by using a gate either manned by a security guard or with a proximity
reader. You could place bollards in front of a building to stop a car driving
through the entrance. You may even have different zones, such as a research and
development department, with their own perimeter security.
Access Control: Armed guards at the gates should be checking the identity of those
entering. There should be an access control list for visitors who are sponsored by
an internal department. The guards checking identities should be behind one-way
toughened glass so that visitors cannot see inside the gatehouse.
Lighting: Lighting is installed for two main reasons: the first reason is so that
anyone trying to enter your site at night can be seen and the second reason is for
safety.
Cameras: Cameras can be set up at areas around the perimeter and on doorways to
detect motion. They can be set up to detect objects in both day and night to alert the
security team by raising an alarm.
Robot Sentries: These can be set up to patrol the perimeter and can shout out
warnings to deter any intruders. These sentries patrol the DMZ between North and
South Korea and they can be armed:

Figure 1.5 – Robot sentry
16 Understanding Security Fundamentals

Tip
Robot sentries can shout out warnings to deter intruders. They could also
be armed.

Industrial Camouflage: When you are trying to protect a highly secure area,
you would design the building so that it is obscured from aerial photographs by
making some of the building look like residential housing. You would disguise the
entrances as well. This would make it difficult for surveillance operatives to spot it.

Building Security
In this section, we will look at different types of building security systems:

Security Guards: They work at the entrance reception desk to check the identity
cards of people entering the building to stop unauthorized access. These guards
should be armed and one of the guards should be a dog handler. An access control
list is provided to them to ensure that unauthorized personnel is denied access.
Two-Person Integrity/Control: This increases the security level at the entrance to
a building, ensuring that someone is available to deal with visitors even when the
other person is on the phone. This would also reduce the risk of a malicious insider
attack.
Badges: Visitors sign the visitor book and are allocated a badge that is a different
color to that of employees. These badges should have a photograph, name, and
signature of the holder. These badges should be visible at all times and anyone that
isn't displaying a badge should be challenged.
Key Management: This is where departmental keys are signed out and signed back
in daily to prevent someone from taking the keys away and cutting copies of them.
Mantraps: These are turnstile devices that only allow one person in at a time.
They maintain a safe and secure environment, mainly for a data center. A data
center hosts many servers for different companies.
Proximity Cards: These are contactless devices where a smart card is put near the
proximity card device to gain access to a door or building.
Tokens: Tokens are small physical devices where you touch the proximity card to
enter a restricted area of a building. Some tokens allow you to open and lock doors
by pressing the middle of the token itself; others display a code for a number of
seconds before it expires.
 Physical Security Controls 17

Biometric Locks: Biometrics are unique to each person; examples would be using
their fingerprint, retina, palm, voice, an iris scanner, or facial recognition.
Electronic Locks: With electronic locks, you no longer need a key to access
a building; you only need a PIN. They can be set to fail open, where the door opens
when a power cut is detected, or fail safe, where the door remains locked.
Burglar Alarms: These are set when the premises are not occupied, so when
someone tries to break into your premises, it will trigger the alarm and notify the
monitoring company or local police.
Fire Alarms/Smoke Detectors: In a company building, there will be fire alarms
or smoke detectors in every room so that when a fire breaks out and the alarms
go off, the people inside the premises are given the opportunity to escape.
Internal Protection: You could have safe areas and secure enclosures; the first
example would be a toughened glass container or a sturdy mesh, both with locks to
reduce access. You could also have protected distribution for cabling; this looks like
metal poles that would have network cables inside. Screen filters used on a desktop
could prevent someone from reading the screen.
Conduits: Conduits or cable distribution have cables placed inside. This protects
the cables from tampering or being chewed by rodents.

Tip
Conduits and cable distribution protect the Ethernet cable between the wall
jack and the patch panel.

Environmental Controls: HVAC and fire suppression systems are also security
controls. In a data center or a server room, the temperature needs to be kept cool
or the servers inside will overheat and fail. They use a technique called hot and cold
aisles to regulate the temperature.

Device Protection
In this section, we will look at different device protection systems:

Cable Locks: These are attached to laptops or tablets to secure them so that nobody
can steal them.
Air Gap: A computer is taken off the network and has no cable or wireless
connection to ensure that the data is not stolen. An example of this would be
a computer in the research and development department, as we want to prevent
access to it via a network cable.
18 Understanding Security Fundamentals

Tip
An air gap is an isolated computer; the only way to extract data is by using
a USB or CD ROM.

Laptop Safe: Laptops and tablets are expensive, but the data they hold could be
priceless, therefore there are safes for the storage of laptops and tablets.
USB Data Blocker: This device blocks the data pins on the USB device, which
prevents a hacker from juice jacking, where data is stolen when you are charging
your USB device.
Vault: This is where data can be encrypted and stored in the cloud, giving you an
extra-secure storage area.
Faraday Cage: This is a metal structure, like a metal mesh used to house chickens.
The cage prevents wireless or cellular phones from working inside the company.
This could be built into the structure of a room used as a secure area. They would
also prevent any kind of emissions from escaping from your company.

Understanding Digital Forensics
Digital forensics is used by the police when they are investigating crimes and need to find
digital evidence so that they can secure a conviction. We will be looking at computer- and
web-based attacks.
In 2006, Forensic Process 19, proposed by NIST, consisted of four different phases:
collection, examination, analysis, and reporting. Here's a diagram showing these phases:

Figure 1.6 – Forensics cycle
 Understanding Digital Forensics 19

Let's look at each of these phases:

Collection: Here, the data is examined, then extracted from the media that it is on,
and then converted into a format that can be examined by forensic tools.
Examination: Prior to examination, the data will be hashed, and then an
investigation will be carried out with the relevant forensic tool. When the
examination has concluded, the data is once again hashed to ensure that the
examiner or the tools have not tampered with it. We could use a USB write blocker
that allows only read access to storage media.
Analysis: When all of the forensic data has been collected, it is analyzed and then
transformed into information that can be used as evidence.
Reporting: A report is compiled that can be used as evidence for conviction.

There are many different components to a forensic investigation; we will look at each of
them in turn:

Admissibility: All evidence relevant to the case is deemed admissible only if it
is relevant to the disputed facts of the case and does not violate any laws or legal
statutes.
Order of Volatility: Say you are a firefighter and you arrive at a house on fire;
you can only save items one at a time and there are two items inside. The first is
a snowman, and the second is a rib of beef. You now have a dilemma: which one
should you choose? Easy! You save the snowman first as it is melting, and you let the
rib of beef cook some more so that the other firefighters can have a nice supper!
So, when we want to ascertain the order of volatility, we are looking to secure the
most perishable evidence first. We do not try and stop the attack until we have
secured the volatile evidence so that the source can be identified. This is known as
the order of volatility. Let's look at a few examples.
Example 1 – Web-Based Attack: An attacker is attacking the company website and
the security team is trying to capture the network traffic to find the source of the
attack. This is the most volatile evidence.
Example 2 – Attack inside a Computer: When someone has attacked your
computer, you need to capture the evidence in accordance with the order
of volatility:
a. CPU Cache: Fast block of volatile memory used by the CPU
b. Random Access Memory (RAM): Volatile memory used to run applications
20 Understanding Security Fundamentals

c. Swap/Page File/Virtual Memory: Used for running applications when RAM is
totally exhausted.
d. Hard Drive: Data at rest for storing data
Example 3 – Removable Storage Drive Attached to a Computer/Server: Someone
has left a USB flash drive plugged into your fileserver. When it is in use, programs
such as Word are launched in RAM, so we would capture the volatile memory first.
Example 4 – Command-Line Tools: You need to know which command-line tool
provides information that could disappear if you reboot the computer, and that
would be netstat. With netstat -an, the listening and established ports are
shown. If you reboot the computer, all of the established connections will be lost.

Tip
Order of volatility is collecting the most perishable evidence first. In
a web-based attack, we should collect the network traffic with a packet sniffer.

Five-Minute Practical
Open up Command Prompt on your computer and type netstat -an. You should now
see the listening and established ports; count them, and write the numbers down. Run the
shutdown /r /t 0 command to immediately reboot the machine. Log back in, go to
Command Prompt, and run netstat -an; what is the difference? You will see that
you have lost information that could have been used as evidence.

Collection of Evidence
In this section, we will look at different types of evidence collection:

E-Discovery: During e-discovery, companies may be subpoenaed so that we can
collect, review, and interpret electronic documents located on hard disks, USB
drives, and other forms of storage.
Chain of Custody: The chain of custody is one of the most crucial aspects of digital
forensics, ensuring the evidence has been collected and there is not a break in the
chain. It starts when the evidence has been collected, bagged, tied, and tagged,
ensuring the evidence has not been tampered with. It lists the evidence and who
has handled it along the way. For example, Sergeant Smith handed 15 kg of illegal
substance to Sergeant Jones following a drugs raid. However, when it is handed in to
the property room, 1 kg is missing. In this event, we would need to investigate the
chain of custody. In this scenario, Sergeant Jones would be liable for the loss. Chain
of custody examples are as follows:
 Understanding Digital Forensics 21

Example 1 – Missing Entry on the Chain of Custody Document: On Monday,
15 laptops were collected by the system administrator. The next day, the system
administrator passed them on to the IT manager. On Wednesday, the IT director
presents the 15 laptops as evidence to the court. The judge looks at the chain of
custody document and notices that there was no formal handover between the
IT manager and the IT director. With the handover missing, the judge wants to
investigate the chain of custody.
Example 2 – Evidence Leaves the Detective's Possession: The FBI arrests a known
criminal and collects 43 hard drives that they bag and tag, before placing them
in two bags. They arrest the criminal and take him from Arizona to New York by
airplane. One detective is handcuffed to the criminal while the other carries the
two bags.
When they arrived at check-in, the airline clerk tells them that the carry-on bags
are more than the 8 kg allowance, and therefore they are too heavy and need to go
in the hold. The detective complies, but locks the suitcases to prevent theft. Because
the evidence is not physically in their possession at all times, the chain of custody
is broken as there is a chance that someone working for the airline could tamper
with the evidence. Therefore, they cannot prove to the court that the integrity of the
evidence has been kept intact at all times.
Provenance: When the chain of custody has been carried out properly and the
original data presented to the court has not been tampered with, it is known as data
provenance.
Legal Hold: Legal hold is the process of protecting any documents that can be
used in evidence from being altered or destroyed. Sometimes, this is also known as
litigation hold.
Example: Dr. Death has been prescribing new drugs to patients in a large hospital
who have been dying. An auditor has been sent to investigate the possibility of foul
play, and then following the audit, the FBI is notified. The doctor has been emailing
a pharmaceutical company that has been supplying the drugs for a trial. The FBI
does not want the doctor to be alerted, so they have the hospital's IT team put his
mailbox on legal hold. When the mailbox is on legal hold, the mailbox limit is lifted;
the doctor can still send and receive emails, but cannot delete anything. This way,
they are not alerted to the fact that they are under investigation.
22 Understanding Security Fundamentals

Data Acquisition: This is the process of collecting all of the evidence from devices,
such as USB flash drives, cameras, and computers; as well as data in paper format,
such as letters and bank statements. The first step in data acquisition is to collect
the volatile evidence so that it is secured. The data must be bagged and tagged and
included in the evidence log.
Artifacts: This can be log files, registry hives, DNA, fingerprints, or fibers of
clothing normally invisible to the naked eye.
Time Offset: When we collect evidence from computers, we should record the time
offset. This is the regional time so that in a multinational investigation, we can put
them into a time sequence—this is known as time normalization.
Time Normalization: This is where evidence is collected across multiple time
zones, then a common time zone, such as GMT, is used so that it can be put into
a meaningful sequence.
Example: The police in three separate countries are trying to identify where the data
started from in a chain, then who handled the data along the line. They have the
following information about when it was first created:
a. New York: Created 3 a.m.
b. London: Created 4 a.m.
c. Berlin: Created 4.30 a.m.
By recording the time offset, it looks as if it started off in New York, but if we apply
time normalization, when it is 4 a.m. in London, the time in New York is 11 p.m.
the day before, so it cannot be New York. When it is 4.30 a.m. in Berlin, it is only
3.30 a.m. in London; therefore, it originated in Berlin. This looked the least unlikely
before the time offset of the data collection had time normalization applied.
Time Stamps: Each file has time stamps showing when files were created, last
modified, and last accessed:
 Understanding Digital Forensics 23

Figure 1.7 – Time stamps
Forensic Copies: If we are going to analyze removable data that we have acquired,
we would first of all take a forensic copy and keep the original data intact. We would
then use the copy to analyze the data so that we keep the original data unaltered,
as it needs to be used in its original state and presented as evidence to the courts.
It would be hashed at the beginning and the end to confirm that the evidence has
not been tampered with.
Capturing System Images: When the police are taking evidence from laptops
and desktops, they take a complete system image. The original image is kept intact
and the system is analyzed to find evidence of any criminal activity. It would be
hashed at the beginning and the end to confirm that the evidence has not been
tampered with.
Firmware: Firmware, sometimes called embedded systems, could be reversed
engineered by an attacker, therefore it is important that we compare the source
code that the developer wrote against the current source code in use. We would
employ a coding expert to compare both lots of source code in a technique called
regression testing. Types of attacks that affect embedded systems could be rootkit
and backdoor.
24 Understanding Security Fundamentals

Snapshots: If the evidence is from a virtual machine, a snapshot of the virtual
machine can be exported for investigation.
Screenshots: You may also take screenshots of applications or viruses on the
desktops and keep them as evidence. A better way of doing this would be to use
a modern smartphone that would geotag the evidence.

Tip
You should capture a system image from a laptop and take a forensic copy from
a removable drive

Taking Hashes: When either the forensic copy or the system image is being
analyzed, the data and applications are hashed at the beginning of the investigation.
It can be used as a checksum to ensure integrity. At the end, it is re-hashed and
should match the original hash value to prove data integrity.
Network Traffic and Logs: When investigating a web-based or remote attack,
we should first capture the volatile network traffic before stopping the attack. This
will help us identify the source of the attack. In addition to this, we should look
at different log files from the firewall, NIPS, NIDS, and any server involved. If
we use a Security Information Event Management (SIEM) system, this can help
collate these entries and give a good picture of any attack. However, if it is a rapidly
expanding virus, we would quarantine it.
Example: Your company uses an account lockout of three attempts. If an attacker
tries to log in once to three separate computers, each computer would not identify
it as an attack, as it is a single attempt on each computer, but a SIEM system would
pick up these attempts as three failed logins attempts and alert the administrators in
real time.

Tip
You should remove a computer with a dynamically expanding virus
immediately rather than collect the network traffic.

Capturing Video: CCTV can be a good source of evidence for helping to identify
attackers and the time the attack was launched. This can be vital in apprehending
suspects.
Interviews: The police may also take witness statements to try and get a picture of
who was involved and maybe then use photo-fits so that they can be apprehended.
 Understanding Digital Forensics 25

Preservation: Data needs to be preserved in its original state so that it can be
produced as evidence in court. This is why we take copies and analyze the copies
so that the original data is not altered and is pristine. Putting a copy of the most
vital evidence in a WORM drive will prevent any tampering with the evidence,
as you cannot delete data from a WORM drive. You could also write-protect the
storage drives.
Recovery: When the incident has been eradicated, we may have to recover the data
from a backup; a faster method would be a hot site that is already up and running
with data less than 1 hour old. We may also have to purchase additional hardware
if the original hardware was damaged during the incident.
Strategic Intelligence/Counterintelligence Gathering: This is where different
governments exchange data about cyber criminals so that they can work together to
reduce threats. It is also possible for companies who have suffered an attack to log
as much information as they can and have a third party who specializes in incident
response to help them find a way to prevent re-occurrence.
Active Logging: To track incidents, we need to be actively monitoring and actively
logging changes to patterns in our log files or traffic patterns in our network.
Installing a SIEM system that provides real-time monitoring can help collate all
entries in the log files, ensuring that duplicate data is not used so that a true picture
can be taken. Alerts based on certain triggers can be set up on our SIEM system so
that we are notified as soon as the event happens.

Cloud Forensics
In the last few years, the growth of cloud computing and resources has been increasing
year on year. Cloud forensics has different needs than that of traditional forensics. One of
the primary aspects that a cloud provider must provide is security of the data stored in
the cloud.
In 2012, Cloud Forensic Process 26 was created to focus on the competence and
admissibility of evidence. The stages are as follows:

Stage A – Verify the purpose of cloud forensics.
Stage B – Verify the type of cloud service.
Stage C – Verify the type of technology behind the cloud.
Stage D – Verify the role of the user and negotiate with the Cloud Service Provider
(CSP) to collect the evidence required.
26 Understanding Security Fundamentals

Cloud services, because of the nature of their business, create virtual machines and then
destroy them on a regular basis. This prevents the collection of forensic evidence. The
forensic team needs to prove to the cloud provider their reasons for the collection of the
evidence and they have to rely on the cloud provider sending them the correct evidence
that they require.

Right-to-Audit Clauses
By inserting right-to-audit clauses into supply chain contracts, an auditor can visit the
premises without notice and inspect the contractor's books and records to ensure that
the contractor is complying with its obligation under the contract. This would help them
identify the following:

Faulty or inferior quality of goods
Short shipments
Goods not delivered
Kickbacks
Gifts and gratuities to company employees
Commissions to brokers and others
Services allegedly performed that weren't needed in the first place, such as
equipment repairs

Regulatory and Jurisdiction
Cloud data should be stored and have data sovereignty in regions. The US introduced
the CLOUD Act in 2018 due to the problems that the FBI faced in forcing Microsoft to
hand over data stored in Ireland. In 2019, the UK received royal assent for the Overseas
Production Act (COPOA), which allows the UK to seek data stored overseas as part of
a criminal investigation. In 2019, the US and the UK signed a data-sharing agreement to
give law enforcement agencies in each country faster access to evidence held by providers,
such as social media or web hosting. In 2016, a similar agreement was set between the
US and the EU; however, with the introduction of General Data Protection Regulation
(GDPR), all websites in the US that have consumers from the EU have to abide by GDPR.

Data Breach Notifications/Laws
If a data breach occurs, a company can be fined more than £10 million for failing to report
a breach. The EU uses GDPR, and notifications of data breaches must be reported within
72 hours. Other countries have their own reporting timescale.
 Review Questions 27

Review Questions
Now it's time to check your knowledge. Answer these questions and check your answers,
found in the Assessment section at the end of the book:

1. What are the three components of the CIA triad?
2. Why might a CCTV camera be situated outside a building without any film inside?
3. What does confidentiality mean?
4. How can we control access of personnel to a data center?
5. What is the purpose of an air gap?
6. Name three main control categories.
7. Name three physical controls.
8. Following an incident, what type of control will be used when researching how the
incident happened?
9. How do I know whether the integrity of my data is intact?
10. What is a corrective control?
11. What type of control is it when you change the firewall rules?
12. What is used to log in to a system that works in conjunction with a PIN?
13. What is the name of the person who looks after classified data and who is the
person that gives people access to the classified data?
14. When you use a DAC model for access, who determines who gains access to
the data?
15. What is least privilege?
16. What is the Linux permission of 764? What access does it give you?
17. The sales team are allowed to log in to the company system between 9 a.m. and
10 p.m. What type of access control is being used?
18. Two people from the finance team are only allowed to authorize the payment
of checks; what type of access control are they using?
19. What is the purpose of the defense in depth model?
20. When someone leaves the company, what is the first thing we should do with their
user account?
21. What do US companies that host websites in the US have to comply with
if customers are based in Poland?
28 Understanding Security Fundamentals

22. How can a company discover that their suppliers are using inferior products?
23. What is one of the most important factors between someone being arrested and
their appearance before the judge in court?
24. Can you explain what the purpose of the CLOUD Act and COPOA is?
25. What is Stage C of Cloud Forensic Process 26?
 2
Implementing Public
Key Infrastructure
Public Key Infrastructure (PKI) is asymmetric encryption that has a Certificate
Authority and the associated infrastructure to support issuing and managing certificates.
Certificates are used for both encryption and authentication, and in this chapter, we are
going to look at different encryption types and how certificates are issued and used. This
is the most difficult module for students to understand, so we have focused on making the
most difficult aspects seem easy. If you are going to be successful in the Security+ exam,
you must know this module thoroughly.
In this chapter, we are going to cover the following topics:

Public Key Infrastructure Concepts
Asymmetric and Symmetric Encryption
Cryptography Algorithms and Their Characteristics
Comparing and Contrasting the Basic Concepts of Cryptography
30 Implementing Public Key Infrastructure

PKI Concepts
The PKI provides asymmetric techniques using two keys: a public key and a private key.
There is a certificate hierarchy, which is called the Certificate Authority, that manages,
signs, issues, validates, and revokes certificates. Let's first look at the components of the
certificate hierarchy. A certificate is known as an X509 certificate.

Certificate Hierarchy
The Certificate Authority (CA) is the ultimate authority as it holds the master key, also
known as the root key, for signing all of the certificates that it gives the Intermediary,
which then, in turn, issues the certificate to the requester.

Figure 2.1 – CA Hierarchy
Let's look at the CA hierarchy shown in the preceding diagram in more depth:

Online CA: An internal online CA is always up and running so that people in the
company can request a certificate at any time of the day or night. This would not be
the case in a government or top-security environment.
Offline CA: An offline CA is for a military or secure environment where clearance
and vetting must be completed before someone can be issued with a certificate. The
CA is kept offline and locked up when it is not being used. It is switched off so that
it cannot issue new certificates.

There are different types of CA:

Public CA: A public CA is also known as a third-party CA and is commercially
accepted as an authority for issuing public certificates. Examples include Sectigo,
formerly known as Comodo, Symantec, Go Daddy, and more.
 PKI Concepts 31

The benefit of using a third-party CA is that all of the management is carried out by
them; once you purchase the certificate, all you have to do is install it. They keep an
up-to-date Certificate Revocation List (CRL) where you can check whether your
certificate is valid. A certificate that is not valid will not work if you are going to sell
goods and services to other companies; this is known as a B2B transaction, which
requires a public CA.
For example, I put gas in my car and go to pay for it. I give the attendant some
monopoly money, but they refuse to take it; this would be the equivalent of a private
CA. Businesses will not accept it as payment. I then go to the cash machine outside
and withdraw $100 and I give this to the attendant; he smiles and accepts it and
gives me some change. This is the equivalent of a public CA.
If you wish to trade and exchange certificates with other businesses, you need to get
your certificate from a public CA. The certificate that follows has been issued to the
Bank of Scotland from a public CA called DigiCert Global CA. You can see on the
front of the certificate the purpose for use and also the dates that it is valid for. The
X509 has an OID, which is basically the certificate's serial number – the same way
that paper money has serial numbers:

Figure 2.2 – Certificate
32 Implementing Public Key Infrastructure

Private CA: A private CA can only be used internally. However, although it is free,
you must maintain the CA. Hopefully, your company has the skill set to do so.
Registration Authority (RA): The RA validates and accepts the incoming
requests for certificates from users on the network and notifies the CA to issue the
certificates. The certificates that are issued are known as X509 certificates.
Subordinate CA: It could be the RA that issues certificates to users. In the
CompTIA exam, the subordinate CA could be called an intermediary.
Certificate Pinning: Certificate pinning prevents the compromising of the CA
and the issuing of fraudulent X509 certificates. It prevents SSL man-in-the-middle
attacks.

Tip
Certificate pinning prevents the compromising of the CA, certificate fraud, and
SSL man-in-the-middle attacks.

Certificate Trust
Certificates have some form of trust where the certificate can check whether or not it is
valid. We are going to look at different trust models. You need to ensure that you know
when each is used:

Trust Anchor: A trust anchor in a PKI environment is the root certificate from
which the whole chain of trust is derived; this is the root CA.
Trust Model: A trust model proves the authenticity of a certificate; there are two
trust models:
a. Hierarchical Trust Model: This uses a hierarchy from the root CA down to the
intermediary (also known as a subordinate); this is the normal PKI model. An
example can be seen in the certificate hierarchy diagram earlier in this chapter.
b. Bridge Trust Model: The bridge trust model is peer-to-peer, where two separate
PKI environments trust each other. The certificate authorities communicate with
each other, allowing for cross certification. Sometimes, this is referred to as the
trust model.
Certificate Chaining: This chain of trust is used to verify the validity of a certificate
as it includes details of the CRL. The chain normally has three layers, the certificate
vendor, the vendor's CA, and the computer where the certificate is installed.
 PKI Concepts 33

Tip
Certificate chaining shows the trust from the vendor, the vendor CA, and the
computer. Fewer than three layers results in trust errors

Certificate Validity
Each time a certificate is used, the first thing that must happen is that it must be checked
for validity. The following diagram shows the certificate validity process:

Figure 2.3 – Certificate validity
There are three separate processes that you must know thoroughly, and these are as
follows:

Certificate Revocation List (CRL): The first stage in checking whether a certificate
is valid, no matter the scenario, is to check the CRL. If the X509 is in the CRL, it is
no longer valid and will not be accepted. No matter how obscure the question posed
in the exam, unless it is going slow or it is a web server looking for a faster lookup,
it will be the CRL that provides certificate validity.
Online Certificate Status Protocol (OCSP): Only when the CRL is going slow will
the OCSP come into play. It is much faster than the CRL and can take a load from
the CRL in a very busy environment.
OCSP Stapling/Certificate Stapling: Certificate stapling, also known as OCSP
stapling, is used when a web server bypasses the CRL to use the OCSP for a faster
confirmation, irrespective of whether or not a certificate is valid.

Tip
Certificate validity can only be done by the CRL or OCSP. OCSP is used only
when the CRL is going slow or has been replaced by the OCSP
34 Implementing Public Key Infrastructure

Certificate Management Concepts
We are now going to look at the different ways in which certificates are managed in a PKI
environment, starting with the request for a new certificate and ending with different
certificate formats. You must learn all of this information thoroughly as these aspects are
heavily tested:

Certificate Signing Request (CSR): This is the process of requesting a new
certificate.
Key Escrow: The key escrow holds the private keys for third parties and stores them
in a Hardware Security Module (HSM):

Figure 2.4 – Key escrow
Hardware Security Module (HSM): The HSM can be a piece of hardware attached
to the server or a portable device that is attached to store the keys. See the preceding
diagram for more on this. It stores and manages certificates.
Data Recovery Agent (DRA): If a user cannot access their data because their
private key is corrupted, the DRA will recover the data. The DRA needs to get the
private key from the key escrow.
Certificates: There are two main certificate types: the public key and the private
key. The public key is sent to third parties to encrypt the data, and the private
key decrypts the data. If you think of the private key as your bank card, that's
a thing you wouldn't give away. The public key is the deposit slip that is tied to
your account. If you were in a room with 20 people who wanted to pay $20 into
your account, you would definitely give them your deposit slip. You will always give
your public key away because when you are encrypting data, you will always use the
recipient's public key.
 PKI Concepts 35

Tip
The Data Recovery Agent (DRA) needs a private key from the key escrow to
recover data.

Object Identifier (OID): The OID on a certificate is similar to a serial number
on a bank note. Bank notes are identified by their serial number. The certificate is
identified by its OID.
Certificate Formats: There are different certificate formats, and these are as follows:

Figure 2.5 – Certificate format and file extensions

Types of Certificates
As a security professional, you will be responsible for purchasing new certificates, and
therefore, you must learn the certificate types thoroughly to ensure that you make the
correct purchases. We will start with the self-signed certificate, which can roll out with
applications such as Microsoft Exchange Server or Skype, and finish with extended
validation where the certificate has a high level of trust:

Self-Signed Certificate: A self-signed certificate is issued by the same entity that is
using it. However, it does not have a CRL and cannot be validated or trusted.
Wildcard: For a wildcard certificate for a domain called securityplus.
training, the wildcard certification would be *.securityplus.training
and could be used for the domain and a subdomain. For example, in the
securityplus.training domain, there are two servers called web and mail.
The wildcard certification is *.securityplus.training and, when installed,
it would work for the Fully Qualified Domain Names (FQDNs) of both of
these—web.securityplus.training and mail.securityplus.
training. A wildcard can be used for multiple servers in the same domain.
Domain Validation: A Domain-Validated (DV) certificate is an X.509 certificate
that proves the ownership of a domain name.
36 Implementing Public Key Infrastructure

Subject Alternative Name (SAN): An SAN certificate can be used on multiple
domain names, such as abc.com or xyz.com. You can also insert other
information into an SAN certificate, such as an IP address.
Code Signing: Code-signing certificates are used to digitally sign software so that
its authenticity is guaranteed.
Computer/Machine: A computer or machine certificate is used to identify
a computer within a domain.
User: A user certificate provides authenticity to a user for the applications that
they use.
Extended Validation: Extended validation certificates provide a higher level of trust
in identifying the entity that is using the certificate. It would normally be used in the
financial arena. You may have seen it in action where the background of the URL
turns green, as shown in the following screenshot:

Figure 2.6 – Extended validation
Companies applying for the extended validation certificate would have to provide more
detailed information about the company.

Tip
A wildcard certificate can be installed on multiple public facing websites as
a cheaper option. A self-signed certificate can be installed on internal facing
websites as a cheaper option.
 Asymmetric and Symmetric Encryption 37

Asymmetric and Symmetric Encryption
There are two main types of encryption that use certificates, and these are asymmetric
and symmetric. We need to learn about each thoroughly. Let's start by understanding
what encryption is. Please remember that you are taking plaintext and changing it into
ciphertext.

Encryption Explained
Encryption is where we take plaintext that can be easily read and convert it into ciphertext
that cannot be easily read:

Substitution Cipher: Julius Caesar, who died in 44 BC, invented the first
substitution cipher, where he moved each letter of the alphabet three places one way
or another. This way, he could make his military plans unreadable if they had been
intercepted. What he forgot about was that most people in those days could not
read! This was called ROT 13, after the thirteen-letter rotation, and is now known
as the Caesar cipher. For example, if I take the word ECHO and move each letter on
thirteen places to the right in the alphabet sequence, you will get the word
RPUB—that would be difficult for someone to read. To decrypt, you would roll
back 13 spaces.
ROT 13: ROT 13 is a variation of the Caesar cipher. As there are 26 letters in the
alphabet, we are rotating the letters 13 times. The key to ROT 13 would be as
follows:

Figure 2.7 – Caesar Cipher ROT 13 table
When receiving the message, GVZR SBE GRN, then we would apply ROT 13, but
instead of going forward 13 places to decipher, we would simply go back 13 places, and
the message would be TIME FOR TEA. From the preceding table, select a letter from
the top and then the corresponding ROT 13 equivalent below it for both encryption and
decryption.
38 Implementing Public Key Infrastructure

There are two types of encryption that use certificates: asymmetric and symmetric.
Let's look at each of these in turn:

Symmetric Encryption: Symmetric encryption only uses one key, which is known
as the private or shared key. The same key encrypts and decrypts the data. The
danger of symmetric encryption is that if the key is stolen, the attacker gets the
keys to the kingdom. The main reason for using symmetric encryption is that it
can encrypt large amounts of data very quickly. The Security+ exam does not focus
on key exchange, because it only uses one key, but instead focuses on which is the
fastest or strongest symmetric key, and which is used for the encryption of large
amounts of data. The symmetric encryptions are DES 56 bit, 3DES 168 bit, AES
256 bit, Twofish 128 bit, and Blowfish 64 bit. The smaller the key, the faster it is, but
the larger the key, the more secure it is. It also uses block cipher where the data is
transferred in blocks making it faster.
Diffie Hellman (DH): When symmetric data is in transit, it is protected by Diffie
Hellman, whose main purpose is to create a secure tunnel for symmetric data to
pass through. It does not encrypt data, but creates a secure tunnel.
Asymmetric Encryption: Asymmetric encryption uses two keys—a private key and
a public key—and is also known as a PKI, complete with its CA and intermediary
authorities. The Security+ exam tests the use of both the private and public keys
very thoroughly. I have created the following diagram to help you understand the
purpose of each key. See Figure 2.8 below.
The first stage in encryption is the key exchange. You will always keep your private
key and give away your public key. You will always use the recipient's public key to
encrypt:

Figure 2.8 – Key exchange
 Asymmetric and Symmetric Encryption 39

In the preceding diagram, there are two different key pairs: the black key pair and the
white key pair. These work together. Remember: the private key is your bank card; you
will always retain it, but the public key is your deposit slip; you will give it away so that
people can pay money into your account. The person who is sending the data is on the
From side, and the person receiving the data is on the To side. A good way to remember
the labels would be to think of South-East on the left-hand side and Distinguished-Visitor
on the right. These labels stand for the following:

S: Sign (digital signature)
E: Encryption
D: Decryption
V: Validation

For example, Bob wants to encrypt data and send it to Carol. How is this done? Let's look
at the following diagram. We can see that Bob owns the black key pair and Carol owns the
white key pair. The first thing that needs to happen before encryption can happen is that
they exchange public keys:

Figure 2.9 – Encryption
You can see under the column for Bob that he has his private key, which he will always
keep, and the public key that Carol has given him. In the preceding diagram, you can
see the label E, for encryption. Therefore, Bob uses Carol's public key to encrypt the
data. Then, under Carol, you can see the letter D, for decryption. Therefore, when the
encrypted data arrives, Carol uses the other half of the white key pair, the private key, to
decrypt the data.
40 Implementing Public Key Infrastructure

Tip
Your private key, or a key pair, is never installed on another server. You always
retain the private key just like your bank card. You give the public key away
or install on another server.

Digital Signatures Explained
When we send an email or document to someone, it could be intercepted in transit and
altered. Your email address could be spoofed, and someone could send an email as if it
was from you, but there is no guarantee of integrity. We sign the email or document with
our private key and it is validated by our public key.
The first stage in digital signatures is to exchange public keys, the same principle as
encryption. For example, George wants to send Mary an email and he wants to