CompTIA CASP+ CAS-004 Certification Guide PDF
Document Details
2022
CompTIA
Mark Birch
Summary
This CompTIA CASP+ CAS-004 Certification Guide, published in 2022 by Packt Publishing, dives into the key topics needed for certification preparation. It covers security architecture, integration of applications, and includes a table of contents and case studies. The author, Mark Birch, provides a comprehensive resource for aspiring cybersecurity professionals.
Full Transcript
Copyright 2022 Packt Publishing. All rights reserved. May not be reproduced in any form without permission from the publisher, except fair uses permitted under U.S. or applicable copyright law.
EBSCO Publishing: eBook Collection (EBSCOhost) - printed on 12/2/2024 11:32 AM via AN: 3148939; Mark Birch; CompTIA CASP+ CAS-004 Certification Guide: Develop CASP+ Skills and Learn All the Key Topics Needed to Prepare for the Certification Exam. Account: ns017578. All use subject to https://www.ebsco.com/terms-of-use

CompTIA CASP+ CAS-004 Certification Guide
Develop CASP+ skills and learn all the key topics needed to prepare for the certification exam
Mark Birch
BIRMINGHAM—MUMBAI

Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Vijin Boricha
Publishing Product Manager: Rahul Nair
Senior Editor: Sangeeta Purkayastha
Content Development Editor: Nihar Kapadia
Technical Editor: Nithik Cheruvakodan
Copy Editor: Safis Editing
Project Coordinator: Shagun Saini
Proofreader: Safis Editing
Indexer: Hemangini Bari
Production Designer: Nilesh Mohite
Marketing Coordinator: Hemangi Lotlikar
First published: February 2022
Production reference: 3080622
Published by Packt Publishing Ltd., Livery Place, 35 Livery Street, Birmingham B3 2PB, UK.
ISBN 978-1-80181-677-9
www.packt.com

To all my students, both former and present, who motivate me to help them achieve their learning goals. – Mark Birch

Contributors

About the author
Mark Birch is an experienced courseware developer and lecturer in information systems and cyber security. Mark has been helping students attain their learning goals for over 25 years. He has been developing content and teaching CompTIA CASP since its inception in 2011 and understands the subject area in depth. He began his career working as an engineer within the aerospace industry for BAE Systems (a major defense contractor), gaining a thorough understanding of industrial controls, CAD/CAM systems, and design principles. Graduating from the University of Central Lancashire with a BSc in Information Technology, Mark has also gained accreditation in the following: Microsoft, CompTIA, Citrix, Novell Networking, and ITIL.
I want to thank all my family for supporting me, understanding that I could not always be "available" during the past year.
About the reviewers
Filip Korngut has over 15 years of experience in information security and systems engineering in the oil and gas, mining, and digital health sectors. He has extensive experience leading the development of major software and digital transformation solutions with a primary focus on cybersecurity leadership and technology. Filip has led cybersecurity engagements for the big four consulting firms and has a passion for establishing organizational cybersecurity programs. Filip has two sons with his beautiful wife Erin and a dog named Lily.
Arron Stebbing is a Principal, Sales Acceleration, Technical Trainer at Veeam Software. Arron develops and delivers training programs about modern data protection software. Arron also contributes to CompTIA as a member of the Technical Advisory Committee and as a subject matter expert for exam development. Arron is a Certified Facilitator of the LEGO® Serious Play® method. He uses the science-backed process to bring creativity, exuberance, and the inspiration of play to the serious concerns of organizations in the business world. Arron has extensive experience building and operating cloud service provider environments and has been working in the IT industry for more than 17 years. Arron can communicate with executives about business value and outcomes as well as educate technical teams on how to deliver the business value required to meet the requirements.
Shubham Mishra is India's youngest cyber security expert and a leading name in the field of ethical hacking. He is the founder and CEO of TOAE Security Solutions and has dedicated his life to the robust development of cyber security methods that are being used worldwide. Shubham has worked with some of the largest companies in the world for more than a decade and continues to provide up-to-date and relevant content for the industry.
Table of Contents

Preface

Section 1: Security Architecture

1. Designing a Secure Network Architecture
Physical and virtual network and security devices ... 4
  OSI model ... 4
  Unified threat management ... 5
  IDS/IPS ... 7
  Network IDS versus NIPS ... 8
  Wireless IPS ... 9
  Inline encryptors ... 10
  Network access control ... 11
  SIEM ... 12
  Switches ... 13
  Firewalls ... 14
  Routers ... 16
  Proxy ... 17
  Network address translation gateway ... 18
  Load balancer ... 19
  Hardware security module ... 19
Application- and protocol-aware technologies ... 20
  DLP ... 21
  WAF ... 21
  Database activity monitoring ... 23
  Spam filter ... 23
Advanced network design ... 24
  Remote access ... 24
  VPN ... 24
  IPsec ... 26
  SSH ... 27
  Remote Desktop Protocol ... 28
  Virtual Network Computing ... 29
  Network authentication methods ... 30
  Placement of hardware and applications ... 32
Network management and monitoring tools ... 42
  Alert definitions and rule writing ... 43
Advanced configuration of network devices ... 43
  Transport security ... 43
  Port security ... 44
  Route protection ... 45
  Distributed DoS protection ... 45
  Remotely triggered black hole ... 46
Security zones ... 46
  DMZ ... 47
Summary ... 48
Questions ... 48
Case study ... 52
Answers ... 54
Case study answer ... 55

2. Integrating Software Applications into the Enterprise
Integrating security into the development life cycle ... 58
  Systems development life cycle ... 58
  Development approaches ... 62
  Versioning ... 67
Software assurance ... 67
  Sandboxing/development environment ... 68
  Validating third-party libraries ... 68
  SecDevOps ... 68
  Defining the DevOps pipeline ... 69
  Baseline and templates ... 72
  Secure coding standards ... 74
  Application vetting processes ... 74
  Hypertext Transfer Protocol (HTTP) headers ... 75
  Application Programming Interface (API) management ... 77
Considerations when integrating enterprise applications ... 79
  Customer relationship management (CRM) ... 80
  Enterprise resource planning (ERP) ... 81
  Configuration Management Database (CMDB) ... 82
  Content management systems ... 82
Integration enablers ... 83
  Directory services ... 84
  Domain name system ... 84
  Service-oriented architecture ... 88
  Enterprise service bus ... 88
Summary ... 89
Questions ... 90
Answers ... 95

3. Enterprise Data Security, Including Secure Cloud and Virtualization Solutions
Implementing data loss prevention ... 98
  Blocking the use of external media ... 98
  Print blocking ... 100
  Remote Desktop Protocol blocking ... 100
Implementing data loss detection ... 102
  Watermarking ... 102
  Digital rights management ... 102
  Network traffic decryption/deep packet inspection ... 103
  Network traffic analysis ... 103
Enabling data protection ... 103
  Data classification ... 103
  Metadata/attributes ... 104
  Obfuscation ... 107
  Anonymization ... 108
  Encrypted versus unencrypted ... 108
  Data life cycle ... 108
  Data inventory and mapping ... 110
  Data integrity management ... 110
  Data storage, backup, and recovery ... 110
  Redundant array of inexpensive disks ... 112
Implementing secure cloud and virtualization solutions ... 116
  Virtualization strategies ... 117
  Security considerations for virtualization ... 119
Investigating cloud deployment models ... 125
  Deployment models and considerations ... 125
  Private cloud ... 127
  Public cloud ... 127
  Hybrid cloud ... 128
  Hosting models ... 128
  Service models ... 129
  Software as a service ... 129
  Platform as a service ... 130
  Infrastructure as a service ... 131
  Cloud provider limitations ... 132
Extending appropriate on-premises controls ... 132
  Micro-segmentation ... 133
  Jump box ... 134
Examining cloud storage models ... 135
  File-based storage ... 135
  Database storage ... 135
  Block storage ... 136
  Blob storage ... 137
  Key/value pairs ... 137
Summary ... 137
Questions ... 138
Answers ... 144

4. Deploying Enterprise Authentication and Authorization Controls
Credential management ... 148
  Hardware key manager ... 150
  Password policies ... 151
Identity federation ... 154
Access control ... 157
Authentication and authorization protocols ... 161
Multi-Factor Authentication (MFA) ... 166
Summary ... 171
Questions ... 172
Answers ... 177

Section 2: Security Operations

5. Threat and Vulnerability Management
Intelligence types ... 182
  Tactical intelligence ... 182
  Strategic intelligence ... 182
  Operational intelligence ... 183
  Commodity malware ... 183
  Targeted attacks ... 183
Actor types ... 183
  Advanced persistent threat – nation-state ... 184
  Insider threat ... 184
  Competitor ... 184
  Hacktivist ... 185
  Script kiddie ... 185
  Organized crime ... 185
Threat actor properties ... 186
  Resources ... 186
  Time ... 186
  Money ... 186
  Supply chain access ... 186
  Capabilities and sophistication ... 187
  Identifying techniques ... 187
Intelligence collection methods ... 187
  Intelligence feeds ... 188
  Deep web ... 190
  Proprietary intelligence ... 191
  Open source intelligence ... 191
  Human intelligence ... 191
Frameworks ... 191
  MITRE adversarial tactics, techniques, and common knowledge (ATT&CK) ... 192
  ATT&CK for industrial control systems ... 193
  The Diamond model of intrusion analysis ... 194
  Cyber Kill Chain ... 194
  Threat hunting ... 195
  Threat emulation ... 195
Indicators of compromise ... 196
  Packet capture ... 196
  Logs ... 197
  Network logs ... 198
  Vulnerability logs ... 198
  Operating system logs ... 200
  Access logs ... 200
  NetFlow logs ... 201
  Notifications ... 201
  File integrity monitoring alerts ... 201
  SIEM alerts ... 202
  Data loss prevention alerts ... 202
  Intrusion detection system and intrusion prevention system alerts ... 203
  Antivirus alerts ... 203
  Notification severity and priorities ... 203
Responses ... 203
  Firewall rules ... 204
  Intrusion prevention system and intrusion detection system rules ... 204
  Access control list rules ... 204
  Signature rules ... 205
  Behavior rules ... 205
  Data loss prevention rules ... 206
  Scripts/regular expressions ... 207
Summary ... 207
Questions ... 208
Answers ... 215

6. Vulnerability Assessment and Penetration Testing Methods and Tools
Vulnerability scans ... 218
  Credentialed versus non-credentialed scans ... 218
  Agent-based/server-based ... 219
  Criticality ranking ... 219
  Active versus passive scans ... 220
Security Content Automation Protocol (SCAP) ... 220
  Extensible Configuration Checklist Description Format (XCCDF) ... 220
  Open Vulnerability and Assessment Language (OVAL) ... 220
  Common Platform Enumeration (CPE) ... 221
  Common Vulnerabilities and Exposures (CVE) ... 222
  Common Vulnerability Scoring System (CVSS) ... 222
  Common Configuration Enumeration (CCE) ... 223
  Asset Reporting Format (ARF) ... 224
Self-assessment versus third-party vendor assessment ... 224
  Patch management ... 224
Information sources ... 224
  Advisories ... 225
  Bulletins ... 225
  Vendor websites ... 225
  Information Sharing and Analysis Centers (ISACs) ... 226
  News reports ... 226
Testing methods ... 226
  Static analysis ... 226
  Dynamic analysis ... 227
  Side-channel analysis ... 227
  Wireless vulnerability scan ... 227
  Software Composition Analysis (SCA) ... 228
  Fuzz testing ... 228
Penetration testing ... 229
  Requirements ... 229
  Box testing ... 230
  Post-exploitation ... 232
  Persistence ... 232
  Pivoting ... 232
  Rescanning for corrections/changes ... 233
Security tools ... 233
  SCAP scanner ... 233
  Network traffic analyzer ... 235
  Vulnerability scanner ... 236
  Protocol analyzer ... 237
  Port scanner ... 238
  HTTP interceptor ... 239
  Exploit framework ... 240
  Dependency management tools ... 242
Summary ... 242
Questions ... 243
Answers ... 249

7. Risk Mitigation Controls
Understanding application vulnerabilities ... 252
  Race conditions ... 252
  Buffer overflows ... 252
  Broken authentication ... 253
  Insecure references ... 253
  Poor exception handling ... 253
  Security misconfiguration ... 253
  Information disclosure ... 253
  Certificate errors ... 254
  Use of unsafe functions ... 258
  Third-party libraries ... 258
  Dependencies ... 258
  End-of-support and end-of-life ... 259
  Regression issues ... 259
Assessing inherently vulnerable systems and applications ... 259
  Client-side processing and server-side processing ... 259
  JSON and representational state transfer ... 260
  Browser extensions ... 260
  Hypertext Markup Language 5 (HTML5) ... 261
  Asynchronous JavaScript and XML (AJAX) ... 261
  Simple Object Access Protocol (SOAP) ... 261
Recognizing common attacks ... 262
  Directory traversal ... 263
  Cross-site scripting ... 264
  Cross-site request forgery ... 265
  Injection attacks ... 265
  Sandbox escape ... 268
  VM hopping ... 268
  VM escape ... 269
  Border Gateway Protocol and route hijacking ... 269
  Interception attacks ... 269
  Denial of service and distributed denial of service ... 270
  Social engineering ... 270
  VLAN hopping ... 271
Proactive and detective risk reduction ... 272
  Hunts ... 272
  Developing countermeasures ... 272
  Deceptive technologies ... 272
  Security data analytics ... 273
Applying preventative risk reduction ... 276
  Application control ... 278
  Security automation ... 279
  Physical security ... 283
Summary ... 284
Questions ... 285
Answers ... 291

8. Implementing Incident Response and Forensics Procedures
Understanding incident response planning ... 294
  Event classifications ... 295
  Triage event ... 295
Understanding the incident response process ... 296
  Preparation ... 296
  Detection ... 297
  Analysis ... 298
  Containment ... 299
  Eradication and recovery ... 299
  Lessons learned ... 300
  Specific response playbooks/processes ... 300
  Non-automated response methods ... 300
  Automated response methods ... 302
  Communication plan ... 303
Understanding forensic concepts ... 304
  Forensic process ... 304
  Chain of custody ... 305
  Order of volatility ... 306
  Memory snapshots ... 307
  Images ... 307
  Evidence preservation ... 308
  Cryptanalysis ... 308
  Steganalysis ... 308
Using forensic analysis tools ... 308
  File carving tools ... 308
  Binary analysis tools ... 310
  Analysis tools ... 314
  Imaging tools ... 315
  Hashing utilities ... 317
Using live collection and post-mortem tools ... 317
Summary ... 324
Questions ... 324
Answers ... 331

Section 3: Security Engineering and Cryptography

9. Enterprise Mobility and Endpoint Security Controls
Implementing enterprise mobility management ... 336
  Managed configurations ... 336
Security considerations for mobility management ... 350
  The unauthorized remote activation and deactivation of devices or features ... 350
  Encrypted and unencrypted communication concerns ... 351
  Physical reconnaissance ... 351
  Personal data theft ... 351
  Health privacy ... 351
  The implications of wearable devices ... 351
  The digital forensics of collected data ... 352
  Unauthorized application stores ... 352
  Containerization ... 352
  Original equipment manufacturer (OEM) and carrier differences ... 354
  Supply chain issues ... 354
  The use of an eFuse ... 354
Implementing endpoint security controls ... 355
  Hardening techniques ... 355
  Compensating controls ... 367
Summary ... 370
Questions ... 371
Answers ... 377

10. Security Considerations Impacting Specific Sectors and Operational Technologies
Identifying regulated business sectors ... 380
  Energy sector ... 380
  Manufacturing ... 381
  Healthcare ... 382
  Public utilities ... 382
  Public services ... 383
  Facility services ... 383
Understanding embedded systems ... 383
  Internet of things ... 384
  System on a chip ... 384
  Application-specific integrated circuits ... 384
  Field-programmable gate array ... 385
Understanding ICS/SCADA ... 386
  PLCs ... 387
  Historian ... 387
  Ladder logic ... 388
  Safety instrumented system ... 389
  Heating, ventilation, and air conditioning ... 389
Understanding OT protocols ... 389
  Controller area network bus ... 389
  Modbus ... 391
  Distributed Network Protocol 3 ... 391
  Zigbee ... 392
  Common Industrial Protocol ... 393
  Data Distribution Service ... 394
Summary ... 396
Questions ... 396
Answers ... 400

11. Implementing Cryptographic Protocols and Algorithms
Understanding hashing algorithms ... 402
  Secure Hashing Algorithm (SHA) ... 402
  Hash-Based Message Authentication Code (HMAC) ... 404
  Message Digest (MD) ... 404
  RACE integrity primitives evaluation message digest (RIPEMD) ... 405
Understanding symmetric encryption algorithms ... 405
  Block ciphers ... 405
  Stream ciphers ... 411
Understanding asymmetric encryption algorithms ... 411
  Rivest, Shamir, and Adleman (RSA) ... 412
  Digital Signature Algorithm (DSA) ... 412
  Elliptic-curve Digital Signature Algorithm (ECDSA) ... 413
  Diffie-Hellman (DH) ... 413
  Elliptic-curve Cryptography (ECC) ... 414
  Elliptic-curve Diffie-Hellman (ECDH) ... 414
Understanding encryption protocols ... 414
  Secure Sockets Layer (SSL)/Transport Layer Security (TLS) ... 415
  Secure/Multipurpose Internet Mail Extensions (S/MIME) ... 416
  Internet Protocol Security (IPSec) ... 416
  Secure Shell (SSH) ... 417
  Key stretching ... 418
  Password salting ... 418
  Password-based key derivation function 2 (PBKDF2) ... 419
Understanding emerging security technologies ... 420
  Quantum computing ... 420
  Blockchain ... 421
  Homomorphic encryption ... 423
  Biometric impersonation ... 423
  3D printing ... 424
Summary ... 425
Questions ... 426
Answers ... 432

12. Implementing Appropriate PKI Solutions, Cryptographic Protocols, and Algorithms for Business Needs
Understanding the PKI hierarchy ... 434
  Certificate authority ... 436
  Registration authority ... 436
  Certificate revocation list ... 436
  Online Certificate Status Protocol ... 438
Understanding certificate types ... 438
  Wildcard certificate ... 438
  Extended validation ... 439
  Multi-domain ... 440
  General-purpose ... 441
  Certificate usages/templates ... 441
Understanding PKI security and interoperability ... 442
  Trusted certificate providers ... 443
  Trust models ... 443
  Cross-certification certificate ... 444
  Life cycle management ... 445
  Certificate pinning ... 445
  Certificate stapling ... 446
  CSRs ... 447
  Common PKI use cases ... 449
  Key escrow ... 450
Troubleshooting issues with cryptographic implementations ... 450
  Key rotation ... 450
  Mismatched keys ... 451
  Improper key handling ... 451
  Embedded keys ... 451
  Exposed private keys ... 451
  Crypto shredding ... 452
  Cryptographic obfuscation ... 452
  Compromised keys ... 452
Summary ... 452
Questions ... 453
Answers ... 457

Section 4: Governance, Risk, and Compliance

13. Applying Appropriate Risk Strategies
Understanding risk assessments ... 462
  Qualitative risk assessments ... 463
  Quantitative risk assessments ... 464
Implementing risk-handling techniques ... 468
  Transfer ... 468
  Accept ... 468
  Avoid ... 469
  Mitigate ... 469
  Risk types ... 469
Understanding the risk management life cycle ... 470
  Department of Defense Risk Management Framework ... 471
  NIST Cybersecurity Framework (CSF) ... 472
Understanding risk controls ... 473
Understanding risk tracking ... 474
  Key performance indicators ... 475
  Key risk indicators ... 476
  Risk appetite ... 476
  Risk tolerance ... 476
  Trade-off analysis ... 476
Managing risk with policies and security practices ... 477
  Separation of duties (SoD) ... 477
  Job rotation ... 477
  Mandatory vacation ... 477
  Least privilege ... 478
  Employment and termination procedures ... 478
  Training and awareness for users ... 478
  Auditing requirements and frequency ... 479
Explaining the importance of managing and mitigating vendor risk ... 479
  Vendor lock-in ... 480
  Vendor viability ... 480
  Merger or acquisition risk ... 480
  Meeting client requirements ... 481
  Ongoing vendor assessment tools ... 482
Summary ... 484
Questions ... 485
Answers ... 489

14. Compliance Frameworks, Legal Considerations, and Their Organizational Impact
Security concerns associated with integrating diverse industries ... 492
  Data considerations ... 493
Understanding geographic considerations ... 496
  Third-party attestation of compliance ... 497
Understanding regulations, accreditations, and standards ... 497
Understanding legal considerations ... 507
  Application of contract and agreement types ... 508
Summary ... 510
Questions ... 511
Answers ... 516

15. Business Continuity and Disaster Recovery Concepts
Conducting a business impact analysis ... 518
  Maximum Tolerable Downtime (MTD) ... 519
  Recovery Time Objective (RTO) ... 519
  Recovery Point Objective (RPO) ... 519
  Recovery service level ... 520
  Mission-essential functions ... 520
  Privacy Impact Assessment (PIA) ... 521
Preparing a Disaster Recovery Plan/Business Continuity Plan ... 522
  Backup and recovery methods ... 525
Planning for high availability and automation ... 526
  Scalability ... 526
  Resiliency ... 527
  Automation ... 529
  Content Delivery Network (CDN) ... 530
  Testing plans ... 530
Explaining how cloud technology aids enterprise resilience ... 531
  Using cloud solutions for business continuity and disaster recovery (BCDR) ... 532
  Infrastructure versus serverless computing ... 532
  Collaboration tools ... 533
  Storage configurations ... 533
  Cloud Access Security Broker (CASB) ... 534
Summary ... 535
Questions ... 535
Answers ... 541

16. Mock Exam 1
Questions ... 543
Assessment test answers ... 559

17. Mock Exam 2
Questions ... 566
Answers ... 584

Index

Other Books You May Enjoy

Preface
In this book, you will learn how to architect, engineer, integrate, and implement secure solutions across complex environments to support a resilient enterprise. You will find out how to monitor, detect, and implement incident response, and use automation to proactively support ongoing security operations. You will learn how to apply security practices to cloud, on-premises, endpoint, and mobile infrastructure.
You will also discover the impact of governance, risk, and compliance requirements throughout the enterprise.

Who this book is for
This book is aimed at CASP+ CAS-004 exam candidates. Many candidates will be using the certification for career enhancement. It will also be of interest to managers who want to gain additional knowledge in the field of cybersecurity and to technical implementers who want to understand the operational elements of cybersecurity.

What this book covers
Chapter 1, Designing a Secure Network Architecture, covers designing and understanding both traditional network architectures and complex hybrid networks.
Chapter 2, Integrating Software Applications into the Enterprise, covers the software life cycle, software assurance, and supporting enterprise software applications.
Chapter 3, Enterprise Data Security, Including Secure Cloud and Virtualization Solutions, looks at the challenges facing an enterprise when protecting data in hybrid environments.
Chapter 4, Deploying Enterprise Authentication and Authorization Controls, examines credential management, identity federation, and secure single sign-on. It also covers multi-factor authentication.
Chapter 5, Threat and Vulnerability Management, covers methods used to gather threat intelligence, understand the different threat actors (and adversaries), and prepare appropriate responses.
Chapter 6, Vulnerability Assessment and Penetration Testing Methods and Tools, looks at methods used to help assess an enterprise's security posture, including SCAP scans, penetration testing, and an introduction to a wide range of security tools.
Chapter 7, Risk Mitigation Controls, looks at typical vulnerabilities that may be present within an organization and controls to reduce risk.
Chapter 8, Implementing Incident Response and Forensics Procedures, covers incident response preparation, including the creation of documentation and a Computer Security Incident Response Team (CSIRT). It also covers forensic concepts and the use of forensic analysis tools.
Chapter 9, Enterprise Mobility and Endpoint Security Controls, examines enterprise mobility management, including mobile device management tools. It also covers endpoint security and host hardening techniques.
Chapter 10, Security Considerations Impacting Specific Sectors and Operational Technologies, looks at regulated business sectors and the challenges facing enterprises that must support embedded systems, SCADA systems, and operational technology.
Chapter 11, Implementing Cryptographic Protocols and Algorithms, looks at protecting enterprise data using hashing algorithms and encrypting data using both symmetric and asymmetric algorithms. It also looks at implementing cryptography within security protocols.
Chapter 12, Implementing Appropriate PKI Solutions, Cryptographic Protocols, and Algorithms for Business Needs, covers Public Key Infrastructure (PKI), different certificate types, and troubleshooting issues with cryptographic implementations.
Chapter 13, Applying Appropriate Risk Strategies, examines risk assessment types and risk response strategies, including implementing policies and security best practices.
Chapter 14, Compliance Frameworks, Legal Considerations, and Their Organizational Impact, covers the challenges of operating within diverse industries, regulatory compliance, and legal regulations.
Chapter 15, Business Continuity and Disaster Recovery Concepts, teaches you how to conduct a business impact analysis and develop business continuity and disaster recovery plans. It also covers high availability and deploying cloud solutions for enterprise resilience.
Chapter 16, Mock Exam 1, and Chapter 17, Mock Exam 2, test your knowledge with final assessment tests comprising accurate CASP+ questions.

To get the most out of this book
CASP+ is an advanced certification building on existing knowledge gathered within a cybersecurity environment. To fully appreciate the concepts covered, it is recommended that you have some baseline cybersecurity practical skills or have gained a baseline security certification such as CompTIA Security+. Candidates who have experience in pen testing and ethical hacking will also have a good base knowledge that is suitable for this book.
It would benefit you to have access to a Windows operating system and a recent build of Kali Linux (to practice with tools and commands). Additional practical exercises and learning content are available on the companion site: https://casp.training.

Download the color images
We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781801816779_ColorImages.pdf.

Conventions used
There are a number of text conventions used throughout this book.
Code in text: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "A file would be created that would be of interest to the attacker, Passwords.doc."
Any command-line input or output is written as follows:
dsquery user "ou=it admin,dc=classroom,dc=local"
Bold: Indicates a new term, an important word, or words that you see onscreen. For instance, words in menus or dialog boxes appear in bold. Here is an example: "The certificate's Subject Name value must be valid."
Tips or Important Notes
Appear like this.

Get in touch
Feedback from our readers is always welcome.
General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.
Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.
Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.
If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Section 1: Security Architecture
In this section, you will learn about the challenges that are faced by an enterprise when supporting a large, complex, hybrid network architecture. This section will take you through the design of traditional network architectures up to complex hybrid cloud models. You will also understand the importance of authentication and authorization strategies within complex environments.
This part of the book comprises the following chapters:
- Chapter 1, Designing a Secure Network Architecture
- Chapter 2, Integrating Software Applications into the Enterprise
- Chapter 3, Enterprise Data Security, Including Secure Cloud and Virtualization Solutions
- Chapter 4, Deploying Enterprise Authentication and Authorization Controls

1 Designing a Secure Network Architecture
Security professionals need to analyze security requirements and objectives to ensure an appropriate, secure network architecture for a new or existing network and to provide the appropriate authentication and authorization controls. Designing a modern enterprise network has many practical and security challenges. De-perimeterization means that access to information systems may be made from devices outside of the enterprise network. The types of devices can range from a handheld smartphone used to access a customer record to an Internet of Things (IoT) device transmitting telemetry data to a critical monitoring dashboard. Regulatory or industry compliance may require strict network segmentation between processes and business units (BUs). It is important to consider all the threat actors when you plan your network—think Defense in Depth (DiD).
This first chapter is an essential building block for the following chapters. It is the information systems on our networks that provide the data and services for an enterprise.
In this chapter, we will cover the following topics:

- Physical and virtual network and security devices
- Application- and protocol-aware technologies
- Advanced network design
- Network management and monitoring tools
- Advanced configuration of network devices
- Security zones

Physical and virtual network and security devices

For the certification exam, it is important that you understand the strengths and weaknesses of all the proposed network devices/appliances, the correct placement of network devices for maximum effect, and the required security configuration.

OSI model

No introduction to networking would be complete without a brief introduction to the Open Systems Interconnection (OSI) 7-layer model. As we move through the chapters, you will occasionally see references to layers. This has become a standard reference model, and it allows different vendors to implement services, protocols, and hardware against a common reference. Throughout the book, we will discuss applications, services, protocols, and appliances that sit at different layers within the model. Although the CompTIA Advanced Security Professional 004 (CASP 004) exam will not test your knowledge of the OSI model specifically (OSI is not a listed objective), it is a useful reference aid when we discuss networking subjects. The model does not define a complete working network implementation; it is a conceptual model. For example, to fully understand the details of the Simple Mail Transfer Protocol (SMTP), you would need to consult the Internet Engineering Task Force (IETF) Request for Comments (RFC) documents. Likewise, if you wanted to manufacture network cables meeting Category 6 (CAT 6) standards, you would consult the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC 11801) standards documentation.
See the following screenshot for an overview of the OSI 7-layer model:

Figure 1.1 – OSI 7-layer model

Vulnerabilities may exist across multiple layers within the OSI model. For example, we may be vulnerable to Man-in-the-Middle (MITM) attacks on our layer 2 switch. We will take a look at the many different threats that may impact an enterprise network throughout the book.

Unified threat management

A unified threat management (UTM) appliance offers firewall functionality and many additional security functions; it is deployed as a single security appliance or software solution. This security solution offers a comprehensive suite of security features all in a single package. While this is a good solution for small enterprises with limited resources (limited staff and limited budget), it does not offer the DiD required by enterprise customers. UTMs may include a significant number of converged security features, but not necessarily all of the following:

- Network firewall
- Intrusion detection system (IDS)
- Intrusion prevention system (IPS)
- Deep packet inspection (DPI)
- Data loss prevention (DLP)
- Anti-virus capability
- Web application firewall (WAF)
- Web proxy and content filtering
- Spam filtering
- Security information and event management (SIEM)

The following screenshot shows the combined security features supported on a UTM appliance:

Figure 1.2 – UTM appliance

Advantages

UTM has the following advantages:

- Reduction in management effort (compare the scenario of a small information technology (IT) security team managing and monitoring multiple separate security appliances)
- Reduced footprint in the data center (less hardware)
- Lower cost
Disadvantages

UTM has the following disadvantages:

- Risk from a single point of failure (SPOF): limited hardware resources are providing many services
- Negative performance impact on the network due to the workload handled by the device

IDS/IPS

Intrusion detection is an essential security function, typically implemented on the perimeter to protect your organization from incoming threats. It will alert the security team to inbound threats. Intrusion prevention is the process of performing intrusion detection and then stopping detected incidents. These security measures are available as IDS and IPS. Active protection is the more commonly adopted approach, meaning a network intrusion prevention system (NIPS) will be seen protecting most enterprise networks. IDS and IPS constantly watch your network, identifying possible incidents and logging information about them, stopping incidents, and reporting them to security administrators. In addition, some networks use IDS/IPS for identifying problems with security policies and deterring individuals from violating security policies. IDS/IPS have become a necessary addition to the security infrastructure of most organizations, precisely because they can stop attackers while they are still gathering information about your network.

Examples of intrusions

Indicators of compromise (IOCs) can be unusual traffic, attacks against protocols (such as high volumes of Internet Control Message Protocol (ICMP) traffic), and malicious payloads. The result could be excess traffic causing denial of service (DoS), or compromised systems through unwanted deployments of Trojans and backdoors. There are two main IDS detection techniques that are routinely used to detect incidents, as outlined here:

Signature-based detection compares known signatures against network events to identify possible incidents.
This is regarded as the simplest detection technique, as it evaluates attacks based on a database of signatures written by the vendor or operator. As with a first-generation firewall, this approach is limited because it only recognizes known patterns.

Examples:

- A Secure Shell (SSH) connection using the root account would be in the ruleset.
- An email with the subject "password reset" and an attachment named passregen.exe would be identified as malicious.

Anomaly-based detection compares definitions of what is considered normal/benign activity with observed events to identify significant deviations. This detection method can be very effective at spotting previously unknown threats. This type of detection is also known as heuristics-based detection.

Example:

- The SMTP messaging server usually contributes about 23% of the traffic on the network. If the SMTP server suddenly generates 70% of the network traffic, this would generate alerts.

Network IDS versus NIPS

The NIPS sits directly behind the firewall (inline), and all traffic passes through it before being forwarded onto the network. The NIPS can block unwanted traffic and payloads. This is illustrated in the following diagram:

Figure 1.3 – NIPS placement (inline)

A network IDS (NIDS) does not need to be inline; it can monitor traffic passively, but it will need to use port mirroring or spanning on the network switch to be effective, as illustrated in the following diagram:

Figure 1.4 – NIDS placement

Wireless IPS

In addition to fixed or wired networks, many organizations may need the flexibility of a Wi-Fi network. A wireless IPS (WIPS) is designed to detect the use of rogue or misconfigured wireless devices.
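The two detection techniques from the IDS/IPS section above, as an added Python example that is not from the book: the signature rules mirror the SSH-as-root and passregen.exe examples, and the anomaly check alerts when the mail server's share of traffic far exceeds its usual 23%. The events, baseline shares and the alerting factor are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Alert:
    technique: str   # "signature" or "anomaly"
    rule: str
    detail: str


# --- Signature-based detection ---------------------------------------------
# A rule is a name plus a predicate over one event. Like any signature
# ruleset, it only catches what someone has already written a rule for.
SIGNATURES = [
    ("ssh-root-login",
     lambda e: e.get("proto") == "ssh" and e.get("user") == "root"),
    ("mail-passregen-attachment",
     lambda e: e.get("proto") == "smtp"
     and re.search(r"password\s+reset", e.get("subject", ""), re.I) is not None
     and any(a.lower() == "passregen.exe" for a in e.get("attachments", []))),
]


def signature_scan(events):
    """Return one Alert per (event, matching rule) pair."""
    alerts = []
    for ev in events:
        for name, matches in SIGNATURES:
            if matches(ev):
                alerts.append(Alert("signature", name, f"{ev['src']} -> {ev['dst']}"))
    return alerts


# --- Anomaly-based detection -----------------------------------------------
def traffic_share(events):
    """Fraction of all observed bytes originating from each source host."""
    total = sum(e["bytes"] for e in events)
    per_host = {}
    for e in events:
        per_host[e["src"]] = per_host.get(e["src"], 0) + e["bytes"]
    return {h: b / total for h, b in per_host.items()} if total else {}


def anomaly_scan(events, baseline, factor=2.0):
    """Alert when a host's share of traffic exceeds `factor` times its learned
    baseline share. Hosts with no baseline are skipped (a real system would
    first learn one). The factor is a constructed tuning value."""
    alerts = []
    for host, share in traffic_share(events).items():
        expected = baseline.get(host)
        if expected is not None and share > expected * factor:
            alerts.append(Alert("anomaly", "traffic-share-deviation",
                                f"{host}: {share:.0%} of traffic, baseline {expected:.0%}"))
    return alerts


def run_ids(events, baseline):
    return signature_scan(events) + anomaly_scan(events, baseline)


# Constructed baseline: in a normal interval the mail server sends ~23% of bytes.
BASELINE_SHARE = {"mail01": 0.23, "web01": 0.50, "file01": 0.27}

# Constructed interval: mail01 jumps to 70% of traffic, one message matches the
# attachment signature, and an SSH session is opened as root.
EVENTS = [
    {"src": "mail01", "dst": "203.0.113.10", "proto": "smtp", "bytes": 7000,
     "subject": "Password Reset", "attachments": ["passregen.exe"]},
    {"src": "web01", "dst": "198.51.100.5", "proto": "https", "bytes": 2000},
    {"src": "file01", "dst": "10.0.0.7", "proto": "smb", "bytes": 1000},
    {"src": "10.0.0.99", "dst": "10.0.0.1", "proto": "ssh", "user": "root", "bytes": 0},
]

if __name__ == "__main__":
    for a in run_ids(EVENTS, BASELINE_SHARE):
        print(f"[{a.technique}] {a.rule}: {a.detail}")
```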
A rogue device can spoof the media access control (MAC) addresses of trusted network devices. A WIPS can build up a database of known trusted hosts on the network and can also be used to prevent DoS attacks. An effective WIPS should mitigate the following types of threats:

- Ad hoc networks: These use peer-to-peer (P2P) connections to evade security controls and risk exposure to malware.
- Rogue access points (APs): These allow attackers to bypass perimeter security.
- Evil-twin APs: Users may connect to this lookalike network and be vulnerable to sniffing.
- Misconfigured APs: These expose a network to possible attacks due to configuration errors.
- Client misassociation: This risks infection from connecting to other service set identifiers (SSIDs) while in range of the authorized AP.
- MITM attack: An attacker will route traffic through their network device and sniff the traffic.
- MAC spoofing: This may allow the attacker to bypass access-control lists (ACLs) on the AP or allow them to impersonate another network device.
- DoS attack: This happens when a continuous stream of fake requests or messages is sent to the AP.

Inline encryptors

The High Assurance Internet Protocol Encryptor Interoperability Specification (HAIPE-IS) requires inline network encryption (INE) devices to be interoperable. For example, Tactical Local Area Network Encryptor (TACLANE) is a product used by the United States (US) government and the Department of Defense (DOD); it is military-grade and meets National Security Agency (NSA) security requirements. It is manufactured by General Dynamics. This is a device that enables encrypted communication over untrusted networks. Commercial organizations will use site-to-site virtual private network (VPN) links and will not need this technology.
The following figure shows a TACLANE INE device:

Figure 1.5 – INE device

This device meets the high assurance required by government and military remote connections.

Network access control

Network access control (NAC) enforces a strong, secure posture for devices that connect to our enterprise networks. A major challenge for many enterprise networks is unmanaged bring your own device (BYOD) devices and guest devices accessing wireless and switched networks. The goal is to control access to the network, ensuring devices are compliant with the baseline security policy. You would want to ensure devices had anti-virus installed, were patched, and had firewall functionality enabled. Devices typically connect through a registration virtual local area network (VLAN) using a captive portal. If devices are found to be compliant, they are granted network access. Devices found to be non-compliant are routed to an isolation VLAN, where they can access remediation services. The following diagram shows the components of NAC:

Figure 1.6 – NAC

PacketFence offers a free and open source NAC solution that is distributed under the General Public License (GPL). The software can be accessed via https://www.packetfence.org/.

SIEM

SIEM allows an organization to centralize security management events, forwarding logs from security appliances to a central system. It provides correlation and normalization for context and alerting, and also provides reporting and alerts based upon real-time logged data inputs. The following diagram shows the architecture of a centralized SIEM:

Figure 1.7 – SIEM architecture

Advanced solutions can use behavioral analytics to detect anomalous user behaviors.
Privileged user monitoring is a common requirement for compliance reporting. The following screenshot shows a SIEM dashboard:

Figure 1.8 – AlienVault/AT&T SIEM dashboard

SIEM threat intelligence can help security operations center (SOC) teams pinpoint malicious or risk-based events and deliver a response. Analytics and machine learning (ML) are used to produce insights from huge amounts of collated data; they offer automation to identify hidden threats. Benefits include the following:

- Real-time monitoring: Stop threats that can be fast-moving.
- Incident response: Quickly identify threats to begin a response.
- User monitoring: Identify unusual user behaviors and risky privilege use.
- Threat intelligence: Build up the knowledge of security teams.
- Advanced analytics: Aid the analysis of large amounts of logged data.
- Advanced threat detection: SOC analysts need this advanced toolset to detect and address IOCs.

Switches

A switch is a network device that connects devices on a computer network by receiving and forwarding data to the destination device. Switches use MAC addresses to forward data frames at layer 2 of the OSI model. Many enterprise switches also combine layer 3 functionality in the switch; layer 3 switches allow traffic to be routed between VLANs.

Switches are vulnerable to DoS attacks; the content-addressable memory (CAM) table is typically overloaded/flooded with spoofed MAC addresses. Switches can be used for MITM when using Internet Protocol version 4 (IPv4) Address Resolution Protocol (ARP) broadcasting. They can also suffer performance degradation due to unwanted looping traffic.
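Detection logic for the two switch threats just described, as an added Python example that is not from the book: a port that learns an implausible number of source MACs is the symptom of CAM-table flooding, and a protected IP (such as the default gateway) answered by more than one MAC is the symptom of ARP poisoning. Port names, addresses and the per-port threshold are constructed.

```python
from collections import defaultdict


def detect_cam_flooding(mac_table, max_macs_per_port=5):
    """mac_table: iterable of (port, mac) entries learned by the switch.
    Returns {port: distinct MAC count} for ports over the threshold. An access
    port normally carries one host (a few with an IP phone or hypervisor), so a
    port learning hundreds of MACs in one interval is the classic CAM-overflow
    symptom. The threshold is a constructed tuning value."""
    seen = defaultdict(set)
    for port, mac in mac_table:
        seen[port].add(mac.lower())
    return {p: len(m) for p, m in seen.items() if len(m) > max_macs_per_port}


def detect_arp_conflicts(arp_replies, protected_ips):
    """arp_replies: iterable of (ip, mac) pairs observed in ARP replies on the
    segment. Returns {ip: sorted MACs} for any protected IP that more than one
    MAC claims to own; a gateway answered by two MACs is the ARP-poisoning
    pattern behind a layer 2 MITM."""
    claims = defaultdict(set)
    for ip, mac in arp_replies:
        if ip in protected_ips:
            claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


# Constructed observations: two ordinary access ports, plus Gi1/0/3 learning
# 200 different source MACs in a single interval.
MAC_TABLE = [("Gi1/0/1", "00:11:22:33:44:01"), ("Gi1/0/2", "00:11:22:33:44:02")]
MAC_TABLE += [("Gi1/0/3", f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}") for i in range(200)]

# Constructed ARP replies: the default gateway 10.0.0.1 is answered by its real
# MAC and by a second MAC; 10.0.0.5 is answered consistently.
ARP_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:FE"),
    ("10.0.0.1", "de:ad:be:ef:00:01"),
    ("10.0.0.5", "00:11:22:33:44:05"),
]
PROTECTED = {"10.0.0.1"}

if __name__ == "__main__":
    print("CAM flooding suspects:", detect_cam_flooding(MAC_TABLE))
    print("ARP conflicts:", detect_arp_conflicts(ARP_REPLIES, PROTECTED))
```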
Mitigation would include the following:

- Protect the management interface (use strong passwords).
- Enable Spanning Tree Protocol (STP) (this will block redundant connections) to prevent looping traffic.
- Connect using SSH (all management traffic is encrypted).
- Provide an out-of-band (OOB) network (all management is performed on a separate management network).
- Configure 802.1X (require all network connections to be authenticated).

The following screenshot shows what a switch table looks like:

Figure 1.9 – Switch table

Switches provide essential services on enterprise networks and will be responsible for the bulk of all network traffic.

Firewalls

Firewalls are there to block unwanted traffic entering your networks; they can also block outbound traffic. They depend upon rules to block IP addresses, protocols, and ports. More sophisticated firewalls will have more granular rules and may slow down traffic.

Firewall types

Firewalls can be implemented in many different ways; enterprise deployments will have highly capable hardware solutions from vendors such as Cisco or Check Point. Software or host-based firewalls offer additional security as part of DiD. Data centers and microsegmentation will accelerate the use of virtual firewall deployment. Different types of firewalls are listed here:

- Hardware firewalls provide maximum performance. These are typically dedicated appliances with a central processing unit (CPU) and memory dedicated solely to this function.
- Software firewalls generally run on a host operating system, such as Microsoft Windows Defender Firewall or Linux iptables. They share computing resources with the operating system.
- Virtual firewalls are appliances running on a virtual host controlled by a hypervisor. Their performance is dependent upon the compute resources allocated by the hypervisor.
Firewall capability

Firewalls have evolved over time, with additional capabilities and functionality:

- First-generation firewalls use static packet filtering. They inspect packet headers and implement static rules based upon IP addresses and port numbers. Their big advantage is high performance. A router will typically perform as a static packet filter.
- Second-generation firewalls add stateful inspection to packet filtering. They can monitor Transmission Control Protocol (TCP) streams (the whole stream, not just the handshake), dynamically open ports, and track sessions for bi-directional protocols (such as File Transfer Protocol (FTP)).
- Next-generation firewalls (NGFWs) have evolved from second-generation firewalls to meet the requirements of a multi-functional security appliance. An NGFW offers all the functionality of the earlier generations, but will typically offer additional functionality in the form of support for VPNs and anti-virus protection. NGFWs have DPI capability, meaning they can offer additional security in the form of DLP and IPS protection. This should not be confused with UTM, although they are similar; NGFWs are designed with performance in mind.

Routers

Routers operate at layer 3 of the OSI model and are interconnection devices (they connect networks together). Routing capability may also be provided by a switch that supports VLANs (this is called a layer 3 switch).

Routing tables

Routers are only able to forward packets if they have a route for the traffic or a default gateway. Routing tables comprise a NETWORK DESTINATION, NETMASK, GATEWAY, INTERFACE, and METRIC value. Here is a simple routing table:

Figure 1.10 – Routing table

Static routing tables may be acceptable for small networks, but we will need to support automated dynamic routing for larger networks.
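Route selection over a table with exactly those columns, as an added Python example that is not from the book: the most specific matching route (longest prefix) wins, ties fall to the lowest metric, the 0.0.0.0/0 entry acts as the default gateway, and with neither a match nor a default route the packet is dropped. The routes and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    destination: str   # NETWORK DESTINATION
    netmask: str       # NETMASK (dotted-decimal, as routing tables display it)
    gateway: str       # GATEWAY; "on-link" marks a directly connected network
    interface: str     # INTERFACE
    metric: int        # METRIC (lower is preferred)

    @property
    def network(self) -> ipaddress.IPv4Network:
        # ipaddress accepts "network/netmask" and 0.0.0.0/0.0.0.0 becomes the /0 default.
        return ipaddress.ip_network(f"{self.destination}/{self.netmask}", strict=False)


def lookup(table, dst_ip: str) -> Optional[Route]:
    """Return the route a router would use for dst_ip, or None when nothing
    matches (no route and no default gateway means the packet is dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in table if ip in r.network]
    if not candidates:
        return None
    # Longest prefix first; among equal prefixes, the lowest metric.
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


# Constructed routing table. The two 10.10.5.0/24 entries show a metric tie-break;
# the 0.0.0.0 entry is the default route.
ROUTING_TABLE = [
    Route("0.0.0.0", "0.0.0.0", "192.168.1.1", "eth0", 10),
    Route("192.168.1.0", "255.255.255.0", "on-link", "eth0", 1),
    Route("10.10.0.0", "255.255.0.0", "192.168.1.254", "eth0", 20),
    Route("10.10.5.0", "255.255.255.0", "192.168.1.253", "eth0", 20),
    Route("10.10.5.0", "255.255.255.0", "192.168.1.252", "eth1", 5),
]

if __name__ == "__main__":
    for dst in ("10.10.5.77", "10.10.9.1", "192.168.1.20", "8.8.8.8"):
        r = lookup(ROUTING_TABLE, dst)
        print(dst, "->", f"{r.network} via {r.gateway} on {r.interface}" if r else "dropped")
```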
Dynamic routing

In larger, more complex networks, it is normal to use dynamic routing rather than configuring manual static routes. Within an autonomous network (the network managed by your organization), you will be using interior routing protocols. It would be time-consuming to configure routing tables statically, and we would miss the resilience offered by dynamic routing protocols. The purpose of dynamic routing protocols includes the following:

- Discovering available remote networks
- Maintaining up-to-date routing information
- Choosing the most efficient path to remote networks
- Allocating a new path if a route is unavailable

Routing Information Protocol (RIP) is the simplest and easiest routing protocol to configure. It is used for routing over smaller networks (allowing a maximum of 15 hops). It is not considered a secure routing protocol.

Enhanced Interior Gateway Routing Protocol (EIGRP) is used on Cisco networks and was developed to work around the drawbacks of using RIP. EIGRP benefits from fast convergence times whenever the network topology changes. Cisco devices share their capabilities with immediate neighbors using Cisco Discovery Protocol (CDP); this can be disabled on a network. You can prevent your router from receiving unwanted/poisoned route updates by configuring neighbor router authentication; this uses Message Digest 5 (MD5) authentication.

Open Shortest Path First (OSPF) is a good choice for larger networks because it has no restriction on hop counts. OSPF allows routers to communicate securely, and routing information is exchanged through link-state advertisements (LSAs). RFC 2328 allows for the use of a keyed MD5 identifier to protect OSPF neighbor updates.
Exterior routing

To keep internetwork routing tables up to date, edge routers will forward route changes via exterior routing protocols. Border Gateway Protocol (BGP) is the routing protocol used between internet service providers (ISPs). BGP can also be used to send routing updates between an enterprise and its ISP. BGP can be secured so that only approved routers can exchange data with each other (this uses MD5 authentication).

Proxy

A proxy server acts as a gateway between users and the internet services they access online. A proxy protects your users from directly connecting with unsafe sites. It can offer Uniform Resource Locator (URL) filtering and content filtering in addition to performance enhancements. A proxy can be a good choice when protecting our users from threats based upon outbound requests. Firewalls are not designed to deliver this more granular protection: a firewall could block an outbound connection to a port and IP address, but would not offer the same fine-tuning as a proxy server.

Network address translation gateway

Network address translation (NAT) is a networking technique commonly used to give an entire private network access to the internet without needing to assign each host a public IPv4 address. The hosts can create connections to the internet and receive responses, but will not receive inbound connections initiated from the internet (as they are, in effect, hidden). The following diagram shows a NAT router forwarding traffic to the internet from an internal host:

Figure 1.11 – NAT routing

When a host on the internal (private) network sends a request to an external host, the NAT device's public IP address is used as the new source IP address for the outbound traffic. The traffic sent back in reply is returned to the internal host.
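The translation just described, as an added Python example that is not from the book: the gateway records each outbound flow against a unique public source port (the port-based session tracking that lets many private hosts share one public address), rewrites matching replies back to the private host, and drops inbound packets that belong to no session, which is why the private hosts are effectively hidden. All addresses and ports are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatGateway:
    """Minimal port address translation table for one public IPv4 address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (private ip, private port, peer ip, peer port) -> public source port
        self.outbound = {}
        # public source port -> the same 4-tuple, for reverse lookups
        self.inbound = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a private host's packet so it leaves from the public address.
        A new flow gets the next free public port; an existing flow reuses its
        entry so the peer sees a stable source port for the whole session."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.outbound.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a packet arriving from the internet back to the private host,
        or return None (drop) when it matches no session: a public port nobody
        opened, or a reply from a peer the session was not opened to."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.inbound.get(pkt.dst_port)
        if key is None:
            return None
        priv_ip, priv_port, peer_ip, peer_port = key
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


if __name__ == "__main__":
    gw = PatGateway("203.0.113.1")
    # Two private hosts happen to use the same local port toward the same server.
    out_a = gw.translate_outbound(Packet("192.168.1.10", 51000, "198.51.100.20", 443))
    out_b = gw.translate_outbound(Packet("192.168.1.11", 51000, "198.51.100.20", 443))
    print("outbound:", out_a, out_b)
    reply = Packet("198.51.100.20", 443, "203.0.113.1", out_b.src_port)
    print("reply delivered to:", gw.translate_inbound(reply))
    print("unsolicited inbound:", gw.translate_inbound(Packet("198.51.100.99", 12345, "203.0.113.1", 40002)))
```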
Most NAT solutions use port address translation (PAT) to keep track of all the private hosts that have sessions. We can see a NAT configuration in the following screenshot:

Figure 1.12 – Microsoft Routing and Remote Access Service (RRAS) with connected clients

NAT is an important service used in both enterprise and small business deployments.

Load balancer

A load balancer will be useful to enterprises that host server farms and would be a key requirement for high availability (HA) e-commerce sites. When hosting a Citrix server farm supporting remote applications, it is important that the load on each member is constantly evaluated to ensure new requests are forwarded to the server with the least load.

Hardware security module

A hardware security module (HSM) is a special trusted network computer performing a variety of cryptographic operations: key management, key exchange, encryption, and so on. This device can be a rack-mounted appliance secured in your data center or could be a built-in module for high-end server hardware. A trusted platform module (TPM) is typically built into the system boards of laptop and desktop computer systems, allowing for the storage of sensitive protected data, including keys and attestation measurements. This is a good example of an HSM incorporated into the system board.

A MicroSD HSM is built into a MicroSD form factor. It is useful when you need to extend the functionality of a mobile device and could be used on a cellular phone for secure communications. The HSM has its own crypto-processing capability, meaning no changes are required on the mobile device.
The following screenshot shows a small form-factor HSM:

Figure 1.13 – MicroSD HSM

Many of the security applications mentioned up to this point secure the entire network from threats. In the following section, we will examine more targeted/granular approaches to protect particular services or data types.

Application- and protocol-aware technologies

Some applications will benefit from dedicated security appliances/services operating on the sole behalf of those applications. Imagine you wanted to protect your web application server from typical exploits, including cross-site scripting (XSS), cross-site request forgery (XSRF), and Structured Query Language (SQL) injection. In that case, you would not want to filter all traffic for these exploits using the network firewall; it would have a huge workload and would slow down traffic for the entire network. Application-aware security appliances process only the traffic being forwarded to that service. The types of security applications that inspect and apply rulesets to application layer traffic are said to be using DPI. It is important to plan for the placement of these devices to ensure traffic can be inspected before entering or leaving the network, and also to minimize latency or delay where inspection and filtering are not required. In the following section, we will take a look at some examples of application- and protocol-aware security solutions.

DLP

We must ensure the enterprise does not breach legal or regulatory compliance by exfiltration of sensitive data, either knowingly or unknowingly. It is important that intellectual property and customer data are protected, even when compliance is not a factor. Physical restrictions and/or enforceable policy may be used to block data exfiltration to a removable storage medium.
DLP can also be implemented at the edge of the network, or as part of a cloud solution. Microsoft is one of many providers offering DLP as part of a Cloud Access Security Broker (CASB) security suite. In the following screenshot, we are selecting built-in rules to block the exfiltration of financial data:

Figure 1.14 – Microsoft 365 DLP rule

There are many built-in templates for regulated industries.

WAF

A WAF is defined as a security solution at the web application level. It allows HyperText Transfer Protocol/HTTP Secure (HTTP/HTTPS) traffic to be inspected for anomalies without slowing down the rest of the network traffic. A WAF can be implemented as an appliance, plugin, or filter that applies a set of rules to an HTTP connection. A WAF helps prevent attacks such as the following:

- SQL injection attacks
- XSS attacks
- Malicious file execution
- CSRF attacks
- Information leakage
- Broken authentication
- Insecure communications

A WAF can also provide URL encryption and site usage enforcement, as illustrated in the following diagram:

Figure 1.15 – WAF

Advantages

A WAF has the following advantages:

- Allows for the creation of custom rules
- Monitors and blocks malicious traffic
- Can prevent live attacks
- Protects vulnerable web applications

Disadvantages

A WAF has the following disadvantages:

- May slow web traffic
- Could block legitimate traffic
- Requires frequent tuning

Database activity monitoring

Database activity monitoring (DAM) tools monitor, capture, and record database activity in near real time and can generate alerts when rules are violated.
DAM can be accomplished by doing the following:

- Network sniffing
- Reading database logs
- Memory analysis

DAM tools can correlate data and provide the administrator with the tools to detect anomalous database activity and capture a log of events, should this be required for forensics. As a database is often a critical line-of-business (LOB) solution, often hosting enterprise resource planning (ERP), customer relationship management (CRM), sales order processing, and so on, investing in this additional technology will be worth the cost.

Spam filter

A spam filter typically scans incoming emails to protect your employee