CompTIA Security+ SY0-701 Exam PDF

Summary

This document provides details about the CompTIA Security+ SY0-701 exam syllabus focusing on security controls, governance, risk, and compliance. It covers various security concepts and categories, including managerial, operational, physical, and technical controls.

Full Transcript

CompTIA Security+ EXAM NUMBER SY0-701, Slide Version 1.1

Slide 1: SY0-701 Exam Specifications
- Number of questions: maximum of 90
- Types of questions: multiple choice and performance-based
- Time limit of test: 90 minutes
- Passing score: 750 (on a scale of 100 – 900)

Domain | % of Examination
1.0 General Security Concepts | 12%
2.0 Threats, Vulnerabilities, and Mitigations | 22%
3.0 Security Architecture | 18%
4.0 Security Operations | 28%
5.0 Security Program Management and Oversight | 20%
Total | 100%

Slide 2: General Security Concepts
SY0-701 exam objectives covered:
- Domain 1.1 Compare and contrast various types of security controls
- Domain 1.2 Summarize fundamental security concepts
- Domain 3.1 Compare and contrast security implications of different architecture models
- Domain 3.3 Compare and contrast concepts and strategies to protect data

Slide 3: Fundamental Security Concepts
Diagram: a Subject performs an Action on an Object.
- Subject: Identification, Authentication, Authorization, Accounting
- Action: Non-repudiation
- Object: Confidentiality, Integrity, Availability

Slide 4: Fundamental Security Concepts
Data state model: implement security controls that enforce CIA within each of the data states.
- Data-in-transit state: data passed between systems
  Security control protection examples: physical security mechanisms, ACLs, TLS, VPN tunnels
- Data-at-rest state: stored data
  Security control protection examples: access control permissions, data backups, whole disk encryption, and/or file-level encryption
- Data-in-use state: data being processed within a system
  Security control protection examples: system hardening, secure baselines, application exclusive allow lists and/or application exclusive deny lists

Slide 5: Fundamental Security Concepts
Security zones: compartmentalize resources based upon their function, level of criticality, or level of sensitivity.
- Segmentation schemes:
  - Physical: air-gapping, business spaces, network design architecture
  - Logical examples: sandboxing, VLAN architecture, microsegmentation
  - Operating environments: test environment, production environment, remote environment
- Define the security goals for the individual security zone: policies, employee handbook
- Implement security controls to achieve the security goals
- Perform audit checks to ensure the zone's security goals are met

Slide 6: Fundamental Security Concepts
Establish baselines: baselines are critical to anomaly detection.
- Security baselines: create integrity measurements; implement layered security controls
- Performance baselines: utilize benchmarking and statistics
- Configuration baselines: mitigate misconfigurations and weak configurations; remove default configurations and unnecessary services

Slide 7: Security Control Categories
Managerial controls
- Overarching starting point for security that shapes the behavior of the organization, systems, and personnel
- Management-driven controls
- Examples: security policy, password policy, privacy policy, Acceptable Use Policy (AUP)

Slide 8: Security Control Categories
Operational controls
- Focus is on the day-to-day procedures that ensure the equipment works as specified in support of organizational objectives
- Human-driven controls
- Examples: data backups, security assessments, incident response, computer forensics

Slide 9: Security Control Categories
Physical controls
- Focus is on physical protection and safety of organizational assets and personnel
- Examples: security guards, fences, cable locks, lighting

Slide 10: Security Control Categories
Technical controls
- Also known as logical controls
- Work at the bit level
- Examples: encryption protocols, firewall ACLs, authentication protocols

Slide 11: Security Control Types
Directive controls
- Administrative controls that specify an objective that must be formally accomplished
- Promulgated by management
- Examples: mandated safety training for all staff members; requiring employees to annually acknowledge and sign the AUP

Slide 12: Security Control Types
Deterrent controls
- Controls that are designed to psychologically discourage an attacker from attacking
- The attacker has a choice to proceed or not
- Examples: no trespassing sign, barking dog, warning banners, privacy policy

Slide 13: Security Control Types
Preventative controls
- Proactive control which acts to neutralize an attack before it starts
- Goal is to reduce the likelihood of an incident succeeding
- Examples: anti-malware software, access control vestibule, Access Control List (ACL), encryption

Slide 14: Security Control Types
Detective controls
- Monitoring controls that detect and/or record an event
- Aid in recreating the steps of the attack
- Examples: Closed Circuit Television (CCTV), log files, Intrusion Detection System (IDS), keystroke monitoring

Slide 15: Security Control Types
Corrective controls
- Follow-up controls used to minimize the harm caused and prevent recurrence
- Re-establish the security baseline
- Examples: data backups, patch management, system snapshots, fire suppression systems

Slide 16: Security Control Types
Compensating controls
- Supportive or collateral controls that reinforce other controls, especially to fill in newly identified security gaps
- Often designed to be temporary in nature until a proper preventive control can be implemented
- Examples: defense in depth, sandboxing, temporary port blocking, temporarily disabling a service

Slide 17: Security Control Types
Security control failure modes
- Fail-open: the security control reverts to a state that minimizes negative impact to surrounding resources; would support emergency egress of personnel
- Fail-closed: the security control reverts to a state in which all flow of traffic through the security control is halted

Slide 18: Question
Which of the following security controls is designed to stop the attacker from gaining access to a resource before the attacker begins their attack?
a) Detective control
b) Preventative control
c) Compensating control
d) Corrective control
e) Deterrent control

Slide 19: Governance, Risk, and Compliance
SY0-701 exam objectives covered:
- Domain 4.2 Explain the security implications of proper hardware, software, and data asset management
- Domain 5.1 Summarize elements of effective security governance
- Domain 5.2 Explain elements of the risk management process
- Domain 5.3 Explain the processes associated with third-party risk assessment and management
- Domain 5.4 Summarize elements of effective security compliance

Slide 20: Security Governance
Regulations
- External authoritative legal constraints imposed on an organization based upon the sector of business the organization operates within
- Applicable regulations are compulsory
- Industry regulations. Example: PCI DSS
- Governmental regulations: varying levels of government entities that may impose regulations on an organization (local, regional (state/tribal), national, global)

Slide 21: Security Governance
Regulatory compliance
- Audit checks help verify compliance
- Compliance reports
  - Internal: gathered from department(s) and delivered to management or an audit committee working on behalf of management; self-assessments
  - External: delivered to an authoritative body; formal assessment; independent third-party audit
- Non-compliance consequences
  - Sanctions, fines, loss of license(s), loss of contracts
  - Damage to reputation: a non-compliance status may additionally be reported to clients, customers, news agencies, or posted to social media

Slide 22: Security Governance
Governance structure and key components
- Management
  - Board: provides broad strategy or goals for the management task. Examples: change management board, risk management board
  - Committee: oversees the mission to fulfill the board's vision. Examples: audit and finance committee, risk analysis committee
- Government agency
  - Receives organizational reports to verify operations are meeting regulatory compliance. Examples: HHS, Treasury
  - Levies punitive actions for non-compliance
  - Some or all actions are available to the public for review
- Centralized managerial body: single-body decision making
- Decentralized managerial body: decisions are made by multiple oversight bodies and put to a vote/consensus

Slide 23: Security Governance
Security hierarchy of documents
- Policies: statement(s) of generalized security or operational goals; compulsory organization-wide; address punitive actions for non-compliance
- Standards: minimum baseline of acceptable knowledge, action, or skillset
- Procedures: step-by-step instructions on how to complete a task
- Guidelines: industry or government recommendations pertaining to a topic; non-compulsory

Slide 24: Security Governance
Organizational policies
- Information Security policy: overall organizational policy that prescribes how an organization will manage and protect information; sometimes called Organization Security policy; defines roles and responsibilities
- Privacy policy: defines the expectations of privacy within the company regarding its employees; subject-centric: accounting ground rules
- Acceptable Use Policy (AUP): defines the conditions in which company resources may be used; object-centric: authorization ground rules

Slide 25: Security Governance
Organizational policies
- Employment policy: covers the employee-employer lifecycle; addresses acknowledgement of, and adherence to, required company documents such as the privacy policy, Acceptable Use Policy (AUP), Non-Disclosure Agreement, etc. throughout the lifetime of employment
  - Onboarding procedures: provisioning of accounts, devices, credentials, and other resources
  - Offboarding procedures: recouping of allocated resources during the employment termination phase; exit interview

Slide 26: Security Governance
Organizational policies
- Change Management policy: defines the change management approach, roles, and responsibilities
- Change Management procedures: formal method to manage change without unnecessarily increasing risk
- Change Management approval process:
  1. Change request: cost/benefit analysis, impact analysis
  2. Change approval: establish version control; test the change
  3. Change implementation: install/upgrade and update pertinent documentation (policies, procedures, diagrams)

Slide 27: Security Governance
Operational agreements:
- Master Service Agreement (MSA): comprehensive contract that establishes the overarching legal relationship between a service provider and a customer/client; varying services will be provided
- Service-Level Agreement (SLA): a formal definition of a service provided between a service provider and a service customer/client; establishes minimum required performance baselines, equipment responsibility, and response times

Slide 28: Security Governance
Operational agreements:
- Statement of Work (SoW) / Work Order (WO): contract that specifies actions to be performed within a project; defines who is responsible for which project milestone and supporting actions
- Business Partnership Agreement (BPA): a written agreement defining the general relationship between business partners with a focus on financial matters
- Non-Disclosure Agreement (NDA): legal agreement outlining proprietary or confidential information that may not be disclosed

Slide 29: Security Governance
Operational agreements:
- Memorandum of Agreement (MOA): establishes a relationship of cooperation to achieve one or more specific goals; establishes detailed responsibilities and actions for each individual party in support of the agreed-upon objectives
- Memorandum of Understanding (MOU): outlines a relationship of cooperation; often used to establish preliminary intent until more concrete specifications are required; does not have as much legal weight as an MOA; comparable to a handshake between associates

Slide 30: Data Policy
Data policy components: data policy roles and responsibilities
- Data owner: directly involved with the harvesting of generated data
- Data custodian / steward: delegated responsibility to protect data
- Data controller: handler of employee PII and PHI
- Data processor: performs calculations on the data
- General Data Protection Regulation (GDPR)
  - Data subject: information that pertains to a customer or citizen
  - Data Privacy Officer (DPO): responsible for the care and protection of data subject information in compliance with GDPR

Slide 31: Data Policy
Information life-cycle model
- Creation: data acquisition, including metadata
- Processing: transform data into information
- Dissemination: authorized access list / distribution tree
- Usage: information likely to be in an unencrypted state
- Storage: readily available, network, cloud, or archived
- Disposal: destruction and/or deletion

Slide 32: Data Policy
Information classification: apply security labels to resources based upon their level of criticality, sensitivity, or business value.
Classification labels covered by CompTIA Security+ SY0-701: Critical, Restricted, Sensitive, Private, Confidential, Public

Generic Schema | Security Label
High | Critical, Restricted
Medium | Sensitive, Private, Confidential
Low | Public

Slide 33: Data Policy
Types of protected data
- Regulated data: data whose protection is mandated by a government or industry regulation
- Trade secret: confidential practice or process unknown outside the organization
- Intellectual Property (IP): product of invention or creative work
- Legal information
- Financial information

Slide 34: Data Policy
Data protection methods
- Obfuscation: disguising the data so that its meaning isn't obvious to the casual observer
- Tokenization: a token represents the real data
- Data masking: means of discarding the meaningfulness of the data without discarding the structure of the data
- Encryption / hashing: assurances of confidentiality / integrity
- Permission restrictions: deny read assures confidentiality, deny write assures integrity

Slide 35: Asset Management
Maintain positive control throughout the asset's lifetime
- Acquisition and procurement of assets: supports a business goal and has business value
- Assignment and accountability of assets: establish ownership
- Asset monitoring and tracking: geolocation, RFID, reverse IP lookups, visual verifications, etc.
- Decommissioning and disposal of assets: retention of relevant data, sanitization of media, and destruction of hardware; certify the destruction or decommissioning to satisfy accounting practices

Slide 36: Risk Management
Risk management is the process of identifying, monitoring, and reducing risk to an acceptable level
- Can't eliminate all risk, but lower it to an acceptable level
- Management establishes risk appetite: risk pursued to enhance strategic, long-term success
  - Expansionary: aggressive with a goal of significant gains
  - Neutral: moderate approach to risk
  - Conservative: goal is to minimize loss as much as possible
- Determination of risk tolerance: acceptable variance in business objective performance

Slide 37: Risk Management
Risk identification: process of finding, recognizing, and describing risks
- Due diligence vs due care
- Create a risk ID for each discovered risk
- Methods of discovery:
  - Process analysis: flow diagramming
  - Interviews: soliciting or canvassing knowledge and experience
  - Asset tracking and monitoring
  - Cognitive computing: user behavior analytics, vendor monitoring
  - Workshops: case studies
- Risk reporting

Slide 38: Risk Management
Risk register: document for identifying, tracking, and assigning risk
- Unique ID
- Key risk indicator(s)
- Risk owner
- Risk priority level (based on impact and likelihood)
- Risk threshold (inaction vs action / response)

Example register (Priority = Likelihood x Impact):
ID | Key Risk Indicator | Category | Owner | Priority (L x I) | Risk Response | Remarks | Notes
5-1001 | Loss of power to network | 5 – Power loss | Network engineer group | 6 (2 x 3) | UPS and generator | Verify batteries quarterly | Last updated 1/10/2024
5-1002 | Loss of power to workstations | 5 – Power loss | Helpdesk level 1 | 2 (2 x 1) | UPS | Verify batteries yearly | Last updated 1/10/2021

Slide 39: Risk Management
Risk matrix
- Probability: based on statistics
- Likelihood: based on threat assumptions and threat data
- Impact: extent an undesirable event disrupts the organization

Likelihood \ Impact | 1 | 2 | 3 | 4 | 5
1 | 1 | 2 | 3 | 4 | 5
2 | 2 | 4 | 6 | 8 | 10
3 | 3 | 6 | 9 | 12 | 15
4 | 4 | 8 | 12 | 16 | 20
5 | 5 | 10 | 15 | 20 | 25

Slide 40: Risk Management
Risk assessments
- One-time: initial risk assessment of a specific business interest
- Ad hoc: purpose is to bring clarity to anticipated or new circumstances
- Recurring: occurs on a regular schedule due to a contractual or regulatory requirement
- Continuous: appropriate for rapidly changing environments such as cloud data centers

Slide 41: Risk Management
Qualitative risk analysis
- Based on human opinion or judgement derived from interviews, surveys and questionnaires, benchmarking, scenario-based exercises, lessons-learned analysis, or cross-functional workshops
- Advantages: impact is easily understood by a large population of employees; can provide rich information beyond financial impact, such as impact to perceived safety, health, or reputation
- Disadvantages: prone to inaccuracy or exaggeration; limited usefulness towards cost-benefit analysis

Slide 42: Risk Management
Quantitative risk analysis
- Requires numerical values for both impact and likelihood using data from a variety of sources
- Can be used to support cost-benefit analysis calculations
- Advantages: supports cost-benefit analysis of risk response options; allows computation of necessary capital to achieve business goals
- Disadvantages: use of numbers may imply greater precision than what truly exists; requires concrete units of measure, which may keep obscure or infrequent risks from being recognized

Slide 43: Risk Management
- Single Loss Expectancy (SLE): SLE = Asset Value (AV) * Exposure Factor (EF%)
- Annualized Loss Expectancy (ALE): ALE = SLE * Annual Rate of Occurrence (ARO)
Scenario: A building is worth $1,000,000 and a fire breaks out, consuming 70% of the building. A fire occurs about once every 7 years in this geographical area. What is the SLE and what is the ALE?
SLE = $1,000,000 * 70% = $700,000
ALE = $700,000 * 1/7 = $700,000 / 7 = $100,000

Slide 44: Risk Management
Risk management strategies:
- Acceptance: identified risk is within organizational risk tolerance. Example: accepting the risk of earthquakes due to unlikelihood
  - Exception: conditions that don't warrant acceptance
  - Exemption: not liable
- Avoidance: removing the activity that creates risk. Example: air gapping important systems
- Transference: offloading the risk to an external party. Example: cybersecurity insurance
- Mitigation: reducing risk by installing security controls, safeguards, or countermeasures. Example: patch management

Slide 45: Business Continuity Planning
Business continuity planning is the preventative and proactive strategic plan to mitigate disruptive incidents to business operations
- Business Continuity Plan (BCP): anticipating business operation disruptions
  - Identify mission essential functions
  - Identify critical systems
  - Identify single points of failure
  - Includes risk analysis, controls, and business restoration procedures

Slide 46: Business Continuity Planning
Business Impact Analysis (BIA)
- Management tool that helps determine the financial impact of business or organizational changes
- Supports BCP by projecting financial loss of operational disruptions
- Supports cost-benefit analysis of potential system design changes
- Aids in clarifying risk management solutions
- Aids in regulation and policy compliance
- Business impact assessment: report of findings

Slide 47: Business Continuity Planning
Terminology:
- Maximum Tolerable Downtime (MTD): point of no return
- Recovery Time Objective (RTO): acceptable downtime
- Recovery Point Objective (RPO): acceptable loss
- Mean Time Between Failures (MTBF): anticipated time frame of operational longevity
- Mean Time To Repair (MTTR): anticipated time frame to return to operational status

Slide 48: Business Continuity Planning
Contingency planning
- Disaster Recovery Plan (DRP): detailed tactical response plan to a prolonged disruption to the primary facility so mission essential business processes can be brought back online; focuses on the prioritized restoration of business processes; implements failover measures that are geographically distant
- Continuity Of Operations Plan (COOP): provides a means for an individual business process to continue operating during times of reduced capabilities; focuses on sustaining business operations; implements failover measures per business process that could be local or geographically distant

Slide 49: Business Continuity Planning
Contingency planning using alternate sites
- Alternate sites need to be geographically distant from the main site so as not to be exposed to the same threat(s) as the main site
- Designed to be temporary solutions
- Ideally, alternate sites are placed in stable geographical environments
- Cold site: utilities are present
- Warm site: processing architecture is present
- Hot site: all hardware, firmware, and software is present
- Reciprocal site: mutual agreement of support; Memorandum of Understanding (MOU)

Slide 50: Business Continuity Planning
Testing and reviewing the contingency plan
- Tabletop exercises: examine potential pitfalls and issues within a round table discussion
- Fail-over exercises: ensure backup equipment and data are at the ready
- Simulation exercises: ensure key stakeholders are aware of their responsibilities and actions to be taken during an outage
- Parallel exercises: provide the highest assurance of no business operational interruptions; most costly

Slide 51: Question
Which of the following organizational plans would be exercised when key business services, along with the data center, fail and are no longer available due to some kind of catastrophe, and is designed to get the key essential services back online?
a) Business Continuity Plan (BCP)
b) Continuity of Operations Plan (COOP)
c) Incident Response Plan
d) Disaster Recovery Plan (DRP)
e) Service Level Agreement (SLA)

Slide 52: Cryptography
SY0-701 exam objectives covered:
- Domain 1.4 Explain the importance of using appropriate cryptographic solutions
- Domain 2.5 Explain the purpose of mitigation techniques used to secure the enterprise
- Domain 3.2 Given a scenario, apply security principles to secure enterprise infrastructure
- Domain 4.5 Given a scenario, modify enterprise capabilities to enhance security

Slide 53: Steganography
- Hidden writing. Greek compound word: 'steganos' means "covered, or hidden" and 'graphein' means "to write"
- "Message inside a message"
- Manipulation of least significant bits
- Steganography and cryptography are different methodologies but could complement each other
- Example: cellphone pictures with embedded metadata

Slide 54: Cryptography Concepts
- Cryptography: science of transforming plaintext data into ciphertext data
- Encryption algorithms provide the step-by-step instructions on how to transform the data to a plaintext/ciphertext state
- Supports four security goals:
  1. Confidentiality: symmetric, asymmetric algorithms
  2. Integrity: hashing algorithms
  3. Authentication: password hashes, digital signatures
  4. Non-repudiation: digital signatures

Slide 55: Cryptography Concepts
- Key length: expected key size(s) to be utilized by a cryptosystem; larger key lengths provide higher assurances of achieving the security goal; creates a greater work factor that could impede system performance
- Key stretching: adding/padding a crypto-variable to meet cryptosystem requirements; salt

Slide 56: Cryptography Concepts
Algorithms: mathematical process that prescribes specific steps on how to transform data from one state to another
- Examples:
  - Symmetric: AES, Twofish
  - Asymmetric: ECC, RSA
  - Hashing: SHA2, Whirlpool

Slide 57: Cryptography Concepts
Key exchange: formal process to deliver a cryptographic key to another party
- Protocols:
  - Rivest, Shamir, Adleman (RSA) exchange protocol
  - Diffie Hellman Ephemeral (DHE) exchange protocol
  - Elliptic Curve Diffie Hellman Ephemeral (ECDHE) exchange protocol
- Perfect Forward Secrecy (PFS) requires ephemeral keys

Slide 58: Hashing
- Algorithm that takes a variable-length input and, as a one-way function, generates a fixed-length output
- One-way encryption
- Primary purpose: data integrity baseline; message digests; cryptographic checksums
- Authentication: password hashes
- Example algorithms: SHA1, SHA2, RIPEMD, Whirlpool
Illustration (Warning: No match!!!): two inputs that differ in a single character produce entirely different digests
  Hello -> 8B1A9953C4611296A827ABF8C47804D7
  'ello -> 5E242C7F1AA63F7496902ACB134FED33

Slide 59: Hashing
Hash vulnerabilities
- Brute force attack
- Hash collision: two different hash inputs happen to create the same hash
  - Collision resistance: using algorithms with larger digest sizes, without documented collisions. Example: use SHA-256 instead of SHA1
- Birthday attack
- Rainbow tables
  - Salt: arbitrary number added to the data before being encrypted

Slide 60: Symmetric Cryptography
- Uses a single key to encrypt and decrypt
- Key must be shared between parties; must use "out of band" key distribution
- Best for supporting confidentiality of bulk or streamed data
- Faster than asymmetric
- Synonyms for the cryptographic key: Session Key, Secret Key, Shared Key, Same Key
- Example algorithms: AES, Twofish, RC6, RC4

Slide 61: Symmetric Cryptography
- Advantages: less computationally intensive; best suited for providing confidentiality to communication lines or bulk data; faster than asymmetric
- Disadvantages: shared key issue (can you trust the other party?); lacks inherent secure key distribution; lacks non-repudiation; key management
Illustration: data is encrypted and decrypted with the same session key.
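The hashing slides above (58 and 59) can be reproduced in a few lines. The following Go program is an added example and is not part of the slide deck: it computes the digest of "Hello" and "'ello" to show that a one-character change yields an unrelated digest, reports digest sizes to make the "larger digest size" argument for SHA-256 over SHA1 concrete, and adds a random salt before hashing so that equal passwords do not share a digest, which is what defeats a precomputed rainbow table. The slide does not name the algorithm behind its two digests; MD5 is used here because MD5("Hello") produces exactly the value printed on slide 58 (8B1A9953...), and that is what the accompanying check verifies. Function names and the sample password are the example's own.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash"
)

// Digest runs input through the named hash function and returns the
// fixed-length output as lowercase hex. Unknown names return "".
// MD5 and SHA1 are here only to reproduce the slide; prefer SHA-256.
func Digest(algo, input string) string {
	var h hash.Hash
	switch algo {
	case "md5":
		h = md5.New()
	case "sha1":
		h = sha1.New()
	case "sha256":
		h = sha256.New()
	default:
		return ""
	}
	h.Write([]byte(input))
	return hex.EncodeToString(h.Sum(nil))
}

// DigestBits is the digest size in bits: the "larger digest size" the slide
// cites when it prefers SHA-256 (256 bits) over SHA1 (160 bits).
func DigestBits(algo string) int {
	return len(Digest(algo, "")) * 4 // 4 bits per hex character
}

// NewSalt draws 16 random bytes. The salt is stored next to the hash; it is
// not a secret, it only makes each stored hash unique.
func NewSalt() ([]byte, error) {
	salt := make([]byte, 16)
	_, err := rand.Read(salt)
	return salt, err
}

// SaltedHash hashes salt||password with SHA-256. Two users with the same
// password get different digests, so one precomputed table cannot cover both.
func SaltedHash(salt []byte, password string) string {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return hex.EncodeToString(h.Sum(nil))
}

func main() {
	for _, in := range []string{"Hello", "'ello"} { // the two inputs on slide 58
		fmt.Printf("md5(%q) = %s\n", in, Digest("md5", in))
	}
	fmt.Println("sha1 bits:", DigestBits("sha1"), " sha256 bits:", DigestBits("sha256"))
	s1, _ := NewSalt()
	s2, _ := NewSalt()
	pw := "Pa55w0rd" // constructed sample password
	fmt.Println("same password, different salts differ:", SaltedHash(s1, pw) != SaltedHash(s2, pw))
}
```

Digest sizes are computed from the output rather than hard-coded, so swapping in another hash.Hash keeps the comparison honest. Salting is what the deck lists under "Rainbow tables"; it does not slow a brute-force attack on a single hash, which is what key stretching (slide 55) is for.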
62 Asymmetric Cryptography Also known as Public Key Cryptography (PKC) Each user is assigned a mathematically related key pair Public Key is available to everyone, Private Key is kept secret Whatever is encrypted with one key, must be decrypted with the other key Encrypting with the Public Key supports confidentiality Encrypting with the Private Key supports digital signing Authentication, integrity, non-repudiation Supports all 4 cryptographic goals: authentication, confidentiality, integrity, and non-repudiation Example algorithms: DH, RSA, ECC 63 Asymmetric Cryptography Advantages: More simplified key management (N * 2) Public key provides “in-band” distribution Provides: Confidentiality, digital signatures, integrity checks, key exchange, authentication, and non-repudiation Disadvantages: Public Key Datagjis ftdt Generally slower hcxprdmef encrypted onmcone with rch File size increases qhz and key tcf fhxprdmef decrypted Private Key onmcthe with mch rmchpkey. other ghz. 64 Asymmetric Cryptography Digital Signatures Digital version of someone’s paycheck signature Three components to a digital signature: 1. Data to be signed (email, pdf file, device driver, or Java applet) 2. Hashing algorithm (creates the hash) Provides the integrity baseline 3. Sender’s Asymmetric Private Key Provides authentication Provides non-repudiation Validate with the asymmetric public key 65 Digital Signature process illustrated Source Destination Hello Hello Hello Hash World World World Function Encrypted Encrypted Hash Hash Hash HASH Function Asymmetric HASH Algorithm HASH Are the hashes Sender’s Asymmetric Sender’s Encrypted identical? 
Private Key Algorithm Hash Public Key Next > 66 Blockchain Publicly available, immutable digital ledger of transactions Linked list of hashed transaction history Each block provides authenticity of the previous block Asymmetric private key Digitally signs transactions Asymmetric public key Validates digital signature and can be used to derive an address - Block 3 - - Block 2 - - Block 1 - Hash of block 2 Hash of block 1 Hash of block (n-1) Nonce (timestamp) Nonce (timestamp) Nonce (timestamp) Hash of data Hash of data Hash of data Block data Block data Block data 67 Public Key Infrastructure (PKI) Framework for provisioning, storing, and deprovisioning asymmetric keys, including X.509 digital certificates Hierarchical trust model Centralized Scalable Most common asymmetric key management system used by large organizations and e-commerce 68 Public Key Infrastructure (PKI) Certificate Authority (CA) Creates, signs and revokes asymmetric keys CAs must remain trustworthy: online versus offline CA Root CA Root certificates: self-signed PKI root of trust Creates and signs keys for Intermediate CA Certificate chain of trust Intermediate CA Creates and signs keys for the leaf objects 69 Public Key Infrastructure (PKI) X.509 Digital Certificate Asymmetric public key digitally signed by a CA Current version: X.509 version 3 A typical certificate contains the following: Owner’s / Subject’s Common Name (CN) Asymmetric public key CA’s Distinguished Name (DN) CA’s digital signature Periodicity: when is it usable, when does it expire Certificate policy: how it can be used Serial Number 70 Public Key Infrastructure (PKI) Certificate Signing Request (CSR) Formal request sent to the CA asking for a certificate to be generated Identifying information pertinent to the requesting entity must be included, such as: Website domain Driver’s license Phone number Email address 71 Public Key Infrastructure (PKI) Certificate Revocation List (CRL) A list housed by the CA that contains the 
serial numbers of digital certificates that have been revoked Certificates are revoked due to: Key theft or loss Employee termination Voluntarily: significant changes in the organization Revocation is permanent Not revoked due to normal expiration 72 Public Key Infrastructure (PKI) Online Certificate Status Protocol (OCSP) Querying protocol that checks a CA’s CRL file for the digital certificate’s status “Good” “Revoked” “unknown” (suspended or on hold) Revocation is permanent, suspension is temporary CA server must be online/available to receive the OCSP query 73 Public Key Infrastructure (PKI) Key recovery Key escrow Under certain contractual circumstances a third party has access to specified keys Allows for key recovery Keys are stored outside of the organization Key recovery agent Internal to the organization Handling of the asymmetric private key requires some form of M-of-N control 74 Public Key Infrastructure (PKI) Multi-domain extension Subject Alternative Name (SAN) extension One certificate that can be used to identify all domain names owned by a single organization DNS Name: www.DOD.mil DNS Name: www.DOT.gov DNS Name: www.DOJ.gov DNS Name: www.HHS.gov 75 Public Key Infrastructure (PKI) Multi-domain extension Wildcard certificate One certificate that can be used to identify all subdomains Denoted with “*.” Issues: Violates the principle of least privilege The associated asymmetric private would be housed in each individual web server that uses the wildcard certificate Hypothetical example: *.DISA.mil army. DISA.mil af. DISA.mil navy. 
DISA.mil 76 Virtual Private Network (VPN) Tunneling Virtual Private Network (VPN) tunneling Network encapsulation (tunneling) + one or more cryptographic security services Private network connections that can securely traverse through a private or public network Extends LAN: uses tunneling protocols to establish virtual circuits LAN through WAN to LAN protection mechanisms Applies authentication and encryption services 77 Virtual Private Network (VPN) Tunneling VPN architectures: Gateway-to-gateway Communications between two networks is protected Example: router to router VPN Host-to-gateway Communications between the host and a specific network belonging to the organization is protected Utilizes a VPN concentrator Example: remote access VPN Host-to-host Communications between two specific computers Example: web server to database server VPN 78 Virtual Private Network (VPN) Tunneling VPN tunneling methods: Full tunnel All network traffic is passed through the tunnel Split tunnel Only network traffic destined to the corporate network is passed through the tunnel, all other traffic goes directly to the internet Always-on VPN tunnel VPN client solution that uses a VPN tunnel whenever the client is connecting to an untrusted network 79 Illustration – Full vs Split Tunneling 80 Virtual Private Network (VPN) Tunneling Internet Protocol Security (IPsec) Network layer communication security service that applies cryptographic algorithms to protect IPv4 or IPv6 traffic Required to be part of the IPv6 protocol Suite of supporting protocols: ESP, AH, IKE, ISAKMP Common authentication options: X.509 Digital Certificates Kerberos Pre-Shared Key (PSK) Anti-replay services HMAC/CMAC 81 Virtual Private Network (VPN) Tunneling Transport Mode Designed for end-to-end encryption of data Packet data is protected, but the header is left intact IP Data Tunnel Mode Designed for link-to-link communications Both the packet contents and the IP header are encapsulated New IP header IP Data 
- "Transport on the LAN and Tunnel on the WAN"

Slide 83: Virtual Private Network (VPN) Tunneling
IPsec protocols: Authentication Header (AH)
- NAT conflict: integrity hashing issues occur when AH traffic traverses a NAT gateway service
  - Mitigation: Network Address Translation-Traversal (NAT-T)
- Data origin authentication: proof of source (HMAC/CMAC)
- IP header and payload integrity protection (SHA2, SHA, or MD5)
- Anti-replay protections
- AH Transport Mode layout: [IP HDR][AH HDR][L4 HDR][L4 DATA]; the integrity check covers the whole packet
- AH Tunnel Mode layout: [New IP HDR][AH HDR][Old IP HDR][L4 HDR][L4 DATA]; the integrity check covers the whole packet

Slide 84: Virtual Private Network (VPN) Tunneling
IPsec protocols: Encapsulating Security Payload (ESP)
- Payload confidentiality and/or integrity protections (AES, 3DES, DES)
- Data origin authentication: proof of source (HMAC/CMAC)
- Anti-replay protections
- ESP Transport Mode layout: [IP HDR][ESP HDR][L4 HDR][L4 DATA][ESP Trailer][ESP AUTH]; encrypted: L4 HDR through ESP Trailer; integrity check: ESP HDR through ESP Trailer
- ESP Tunnel Mode layout: [New IP HDR][ESP HDR][Old IP HDR][L4 HDR][L4 DATA][ESP Trailer][ESP AUTH]; encrypted: Old IP HDR through ESP Trailer; integrity check: ESP HDR through ESP Trailer

Slide 85: Virtual Private Network (VPN) Tunneling
Internet Key Exchange (IKE)
- Component of IPsec used for performing mutual authentication and establishing and maintaining Security Associations within the IPsec-protected communication channel
- Provides key negotiation and key exchange services
- Supports Kerberos, Pre-Shared Keys (PSK), and X.509 digital certificates for authenticating VPN peers
- Current standard: IKEv2
- Uses UDP port 500

Slide 86: Virtual Private Network (VPN) Tunneling
Internet Security Association and Key Management Protocol (ISAKMP)
- Defines the framework of procedures and packet formats that establish, negotiate, modify, and delete Security Associations
- Manages the Security Parameter Index (SPI)
- UDP port 500
- Security Association
  - A unidirectional security agreement (package of security parameters) between two IPsec-capable systems
  - Defines IPsec protocol, mode, algorithms, and key scheduling
  - Recorded in the Security Parameter Index (SPI)

Slide 87: Virtual Private Network (VPN) Tunneling
TLS VPN tunnel
- Web-based VPN solution that implements TLS and PKI
- Client's web browser/app is used as the VPN interface
- Commonly used for SaaS cloud data-in-transit protection
- Ease of client-side configuration
- Communicates over TCP port 443, so it is not likely to be blocked by an organization's firewall
- Certificate-based authentication
- Examples: OpenVPN, Secure Socket Tunneling Protocol (SSTP)

Slide 88: Hybrid Cryptography
Transport Layer Security (TLS)
- Enforces a secure channel between two TCP-based endpoints
- Standard created by the IETF to replace SSL
- Versions TLS 1.0 through TLS 1.3
- All TLS versions can perform mutual authentication
- Hybrid cryptosystem
  - Uses a cipher suite to agree on a security package
  - Security settings are negotiated between endpoints during the TLS handshake phase
  - Asymmetric cryptography: provides key distribution of the symmetric session key; X.509v3 digital certificates
  - Symmetric cryptography: protects the session data

Slide 89: Transport Encryption
TLS is commonly used to protect the data payload of various transport protocols:

  Protocol   Plaintext port   Encrypted port
  HTTP       80               443
  SMTP       25               *465/587
  LDAP       389              636
  FTP        20/21            989/990
  IMAP       143              993
  POP3       110              995
  SIP        5060             5061

Slide 90: HTTPS Process
1. Browser sends "Client Hello"
2. Server replies with "Server Hello"
3. Revocation status of the server's certificate is checked with the CA (optional)
4. Browser generates a session key, encrypts it with the server's public key, and sends it to the server
5. Server decrypts the session key using its private key
6. Secure channel using the session key: secure communication proceeds using the session key

Slide 91: Remote Administration Security
Secure Shell (SSH)
- Secures remote access and remote terminal communications
- Secure out-of-band management of network devices
- Secure replacement for Telnet and FTP
- Mitigates On-Path / Man-in-the-Middle attacks and spoofing attacks
- SSH suite (SCP, SSH, SFTP, slogin)
- Uses TCP port 22
- Implementations: OpenSSH, PuTTY
- Hybrid cryptosystem
  - Symmetric cryptography for encryption
  - PKC for connection/authentication

Slide 92: FTP Security
- File Transfer Protocol (FTP)
  - Used to transfer files between systems on the Internet
  - Ports TCP 20 and TCP 21
- File Transfer Protocol Secure (FTPS)
  - Session is encrypted using TLS protocols
  - Requires PKI to be implemented
  - Ports TCP 989 and 990
- Secure File Transfer Protocol (SFTP)
  - Tunneling protocol that uses Secure Shell (SSH)
  - Port TCP 22

Slide 93: Email Security
Email protocols
- SMTP 25; SMTPS 465 or 587
- IMAP 143; IMAPS 993
- POP3 110; POP3S 995
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
  - Centralized: PKI, hierarchical trust model
  - X.509 digital certificates, CAs' digital signatures
- Pretty Good Privacy (PGP) / Gnu Privacy Guard (GPG)
  - Decentralized: keys are created by the client's software
  - PGP-based digital certificates, peers' digital signatures
  - Key rings
  - P2P / Web of Trust model

Slide 94: Email Security
Filtering undesirable email traffic
- Email Gateway: SMTP relay agent that filters unwanted or suspicious email
  - Initial recipient of the email message: located in the DMZ
  - Mail gateway: DMZ-resident front-end
  - Email server: intranet-resident back-end
- Spam filter and anti-malware services
- Exclusive Allow List (EAL) and/or Exclusive Deny List (EDL)
- Enforces DLP on outgoing email traffic
- Block HTML-formatted email

Slide 95: Email Security
Filtering undesirable email traffic: DNS filtering
- Sender Policy Framework (SPF)
  - DNS TXT record that declares which hosts are allowed to use the domain in SMTP "HELO" or "MAIL FROM" identities
- DomainKeys Identified Mail (DKIM)
  - Email package is digitally signed by the sending email server and validated by the receiving email server
  - Validating public key is stored in a DNS TXT record
- Domain-based Message Authentication, Reporting and Conformance (DMARC)
  - DNS/email policy that defines how to handle emails that failed SPF or DKIM validation
  - Reject, accept all, or send to spam quarantine
  - Generates a report that can be reviewed by the administrator

Slide 96: Telephony Security
Telephony protocols
- Session Initiation Protocol (SIP)
  - Establishes, manages, and ends telephony sessions on port 5060
  - Use SIP over TLS (SIP/S) instead, on port 5061
- Real-time Transport Protocol (RTP)
  - Transfers streaming media over networks
- Secure Real-time Transport Protocol (SRTP)
  - Uses its own unique encryption security solution; does not use SSL/TLS
  - Provides message authentication, integrity, confidentiality, and replay protection
  - Uses AES and HMAC-SHA

Slide 97: Telephony Security
Voice over Internet Protocol (VoIP)
- IP-based protocol that converts analog voice signals into digital packets
- Implement IEEE 802.1p QoS
- Implement VLANs for VoIP segregation
- Implement IPsec to protect communications
- Implement voice firewalls to control network access
- Issues: eavesdropping, SPIT

Slide 98: Question
Which of the following support systems would need to be established before FTPS could be used in place of FTP within the organization?
a) PKI
b) Secure key distribution
c) SOAR
d) Reverse proxy
e) IEEE 802.1X

Slide 99: Software and Host Architecture
SY0-701 exam objectives covered:
- Domain 1.4 Explain the importance of using appropriate cryptographic solutions
- Domain 2.5 Explain the purpose of mitigation techniques used to secure the enterprise
- Domain 4.1 Given a scenario, apply common security techniques to computing resources
- Domain 4.3 Explain various activities associated with vulnerability management
- Domain 4.5 Given a scenario, modify enterprise capabilities to enhance security

Slide 100: Software Security Principles
Software Development Lifecycle (SDLC)
- Methodology for designing, creating, and maintaining software with an emphasis on software security throughout all phases of the modeling practice
- Reduces the number of vulnerabilities that might be released
- Lifecycle model
  1. Initiation: impact analysis, security planning
  2. Development/acquisition: security controls, risk analysis, testing
  3. Implementation: evaluated within the operational environment
  4. Operation/maintenance: patch management
  5. Disposal: data retention, sanitization

Slide 101: Software Security Principles
Input validation
- Ensuring data is constrained to the data standard expected for a memory variable's buffer before the data is accepted
- Improper length checking could lead to buffer overflows
- Improper values can lead to poor quality of data
  - Example: non-email-formatted characters in an email address field
- Improper characters can lead to injection attacks
  - Various special characters (%, ', ", =, *, ?, etc.) should not be allowed into an input field
- Client-side vs server-side validation checks
  - Input validation must be performed as close to the data store as possible (server-side)

Slide 102: Software Security Principles
- Static analysis: reviewing the source code looking for logic and syntax errors
  - Manually: code review, usually performed by an alternate computer programming team such as a debugging team
  - Programmatically: Software Development Kit (SDK) feature that looks for coding errors and deprecated programming language library methods
- Dynamic analysis: runtime review of machine code that uses normal and abnormal data inputs while examining expected outputs
- Fuzzing: proactively discovering run-time errors

Slide 103: Software Security Principles
Package monitoring
- Code libraries that are imported and utilized within a software development project
  - Software Development Kit (SDK) modules
  - Prior project code
  - Third-party modules
- Care must be taken to ensure that imported code does not contain flaws or require updates that impact the organization's compiled code
- Changes must go through the Change Management process
  - Impact to software dependencies
- Compliance auditing depends on version control, documenting the code modules used, and vulnerability scanning

Slide 104: Software Security Principles
Code signing
- Process of verifying that software or firmware is trustworthy through the use of cryptographic checksums
- Software code that has been digitally signed by the software vendor
- Appropriate for installable programs and device drivers downloaded from trusted websites, to verify their integrity and proof of origin
- Assures authenticity of the code
- Must have the vendor's digital certificate to perform validation
- Code signing does not protect a user from poorly written software code

Slide 105: Software Security Principles
Web cookies
- Storable text-based data shared between a web client and web service that may contain credentials, session state, or web transaction information
- Web cookies serve two purposes:
  1. A means to offload session state to the client
  2. Force the client to demonstrate reachability at its supposed address
- Types of cookies:
  - Transient cookies: stored in memory and discarded during session teardown
  - Permanent cookies: stored on the machine's hard disk drive and available after session teardown

Slide 106: Software Security Principles
Secure cookies
- Security configuration setting that ultimately disallows a cookie from being sent to a domain other than the originator
- Server config file attribute setting that prevents the cookie from being sent in clear text (i.e. http)
  - ASP.NET example: requireSSL = "true"
- Must be supported by the web browser to be effective

Slide 107: Software Security Principles
Patch management
- Methodical way of updating the security baseline of firmware, applications, or operating systems in order to eliminate known bugs or flaws, or to add new features and capabilities
  - Patches, hotfixes, or maintenance releases
  - Service Packs
  - Over The Air (OTA) updates
- Part of Change Management
  - Document patch vetoes
  - Deploy to a sandboxed test platform to verify compatibility and effectiveness
  - Roll out patches in groups or stages
  - Prioritize patches based upon mission criticalness

Slide 108: Software Security Principles
Patch management tools
- Aid in deploying and tracking patches
  - Decentralized patch management: the client pulls patches from the vendor housing the patches through an installed update service
  - Centralized patch management: a patch management server pushes patches to the endpoint devices
- Supports compliance auditing
  - Monitor deployed patches
  - Baseline monitoring: file integrity checks validate software and firmware
  - Utilize an attestation service to query running module hashes
  - Use a vulnerability scanner to verify compliance and effectiveness

Slide 109: Software Security Principles
Sandboxing
- Security concept where a controlled operating environment is established so that a component can be isolated from other operational components
- Applies access restrictions to system resources such as memory locations, storage locations, or network locations
- Limits or constrains I/O operations
- Implemented through technical or physical security controls: firewall ACLs, hypervisor software, memory managers, air-gapping, etc.
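An added example (not from the slides) of the receiving-side SPF and DMARC decisions described in the email filtering slides: the SPF record is evaluated against the connecting IP, and the DMARC p= policy decides reject, quarantine or accept when neither aligned SPF nor aligned DKIM passes. The DNS TXT zone, domains and addresses are constructed for the demo, no live DNS is queried, and strict identifier alignment is assumed as a simplification.

```python
import ipaddress

# Constructed DNS TXT zone (documentation-only domains and addresses); no live DNS is queried.
DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:partner.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
    "partner.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.partner.example": ["v=DMARC1; p=quarantine"],
    "nopolicy.example": ["v=spf1 ip6:2001:db8::/32 ?all"],
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name: str):
    return DNS_TXT.get(name.lower(), [])


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record against the connecting IP.

    Mechanisms handled: ip4, ip6, include and all, with the +/-/~/? qualifiers.
    'a', 'mx' and 'exists' are not modelled because they need further DNS lookups.
    """
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.startswith("v=spf1")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"               # more than one SPF record is a configuration error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in SPF_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "include":
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        if matched:
            return SPF_RESULT[qualifier]
    return "neutral"                     # no mechanism matched and no trailing 'all'


def dmarc_policy(domain: str):
    """Return the p= tag of _dmarc.<domain>, or None when the domain publishes no DMARC record."""
    for record in lookup_txt("_dmarc." + domain):
        if record.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
            return tags.get("p", "none")
    return None


def dmarc_disposition(header_from: str, mail_from: str, sender_ip: str, dkim_domain=None) -> str:
    """Receiver decision for one message: 'deliver', 'quarantine' or 'reject'.

    Simplification: strict identifier alignment, so SPF only counts when the MAIL FROM domain
    equals the header From domain, and DKIM only counts when the verified d= domain equals it.
    """
    spf_aligned = mail_from == header_from and check_spf(mail_from, sender_ip) == "pass"
    dkim_aligned = dkim_domain is not None and dkim_domain == header_from
    if spf_aligned or dkim_aligned:
        return "deliver"                 # DMARC pass
    policy = dmarc_policy(header_from)
    if policy in (None, "none"):
        return "deliver"                 # no policy, or monitoring only: accept all, just report
    return "quarantine" if policy == "quarantine" else "reject"


if __name__ == "__main__":
    print(check_spf("example.com", "192.0.2.25"))                           # pass
    print(dmarc_disposition("example.com", "example.com", "198.51.100.7"))  # reject
```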
- Primary security model used within virtualization environments

Slide 110: System Security Principles
Secure boot process
- Ensuring the bootloader is trustworthy and loads trustworthy modules
- Non-Volatile RAM (NVRAM) or Read Only Memory (ROM) chips store a trusted root digital certificate that is used to validate signed code, and also house the signature database of firmware signatures
- Unified Extensible Firmware Interface (UEFI)
  - Digitally signed motherboard firmware that replaces the obsolete BIOS firmware
  - Secure boot must be enabled in UEFI before the operating system is installed
- Attestation
  - Validates loaded software and firmware
  - Provides device identification and tracking of network-connected systems

Slide 111: System Security Principles
System hardening
- Minimize the attack surface
  - Remove unnecessary software (bloatware)
  - Disable unnecessary ports and services
  - Disable unnecessary accounts
  - Change default passwords
- Patch management
- Install endpoint protection services
  - Anti-malware / anti-virus software
  - Host-based firewall

Slide 112: System Security Principles
System hardening
- Group policy: policy-driven security restrictions applied to enterprise architecture devices
- O/S and application security enhancements: SELinux
  - Extends and modifies the Linux kernel to support the Mandatory Access Control (MAC) model and enforces policy-driven access
  - All files and processes are assigned SELinux labels (security labels)
  - A label contains a set of attributes that must match between subject and object
  - Attributes: user:role:type:level
  - Enforces the Principle of Least Privilege: anything not explicitly allowed is denied
  - Minimizes the damage that could potentially be done by malware by sandboxing applications from the Linux kernel and from each other

Slide 113: System Security Principles
System hardening
- Application Exclusive Allow List (EAL)
  - List of specific applications authorized to be executed within an organization's production environment
  - Could be used in conjunction with geofencing
- Application Exclusive Deny List (EDL)
  - Exclusive deny list of applications specifically deemed unauthorized for use within an organization
  - Denies installation based upon the name or signature of the executable

Slide 114: System Security Principles
System hardening
Data-at-rest: defense-in-depth through encryption
- Full-Disk Encryption (FDE): critical for mobile device Data Loss Prevention (DLP)
- Partition-level encryption: useful for dual-partitioned drives
- Volume-level encryption: use in conjunction with permission restrictions for defense-in-depth
- File-level encryption: create, edit, and save files within an established encrypted folder
- Database-level encryption: appropriate for whole database backups
- Record-level encryption: encrypting an individual entry (tuple)

Slide 115: System Security Principles
Hardware Security Module (HSM)
- A self-contained cryptosystem that can be added to or removed from a system
- Safeguards and manages cryptographic keys used within the system
- Provides compartmentalized cryptographic processing
- A removable card or externally attached device
- Example: SSL/TLS accelerators: security module cards that work with servers to offload the demands of encrypting and decrypting SSL/TLS traffic from the server's CPU

Slide 116: System Security Principles
Trusted Platform Module (TPM)
- A microcontroller chip typically found on the motherboard that stores keys, passwords, and digital certificates
- Provides key generation, key storage, and cryptographic functions commonly used by FDE technologies
- Houses manufacturer-provided root keys that can be used to encrypt stored passwords and HDD encryption keys
- Can store hashes of files loaded at bootup
- Attestation service component

Slide 117: Host Architecture
Embedded architecture
- A small computer system with a dedicated or integral function within a larger system
- Due to their micro-architecture and limited resources, embedded systems lack common security features such as firewalls and antivirus software
- Adhere to the Principle of Least Functionality in the design architecture
- Can be compromised and used within a bot army or for pivot attacks
- Examples of where embedded devices can be found:
  - Modern vehicles
  - Network-capable entertainment appliances (disk players, TVs)
  - Printers / Multi-function Devices (MFD)

Slide 118: Host Architecture
Internet of Things (IoT) devices
- Smart devices that can connect to each other or to general-purpose computers and can perform small tasks or check the status of hardware
- Device embedded with a TCP/IP stack
- Human-to-device interactions typically performed through a smartphone app
- Common usage: sensors, smart devices, wearable technology, home and facility automation systems

Slide 119: Host Architecture
Supervisory Control And Data Acquisition (SCADA) / Industrial Control System (ICS)
- Embedded microcontroller within network-attached industrial equipment
- Uses sensors to report on capacity or throughput levels
- Devices are often limited to shared credentials
- Sandbox testing of patches is often not possible
- Often used by utility service providers such as electrical and oil companies to control power generators or oil pipelines
- If compromised, could lead to environmental disaster
- Implement network segmentation based upon device function
- Adhere to the Principle of Least Functionality

Slide 120: Host Architecture
Real-time Operating System (RTOS)
- An operating system that is specifically designed to run with precise timing and a high degree of reliability
- Often associated with time-critical processes such as safety equipment, medical devices, etc.
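Added example, not from the slides, tying together the allow/deny list decision (EAL/EDL by executable name or measurement) and the baseline file-integrity check that the patch management tools slide describes: measurements are SHA-256 hashes, the deny list is consulted first, and anything not explicitly allowed is denied. The files, names and hashes are constructed in a temporary directory for the demo.

```python
import hashlib
import os
import tempfile


def measure(path: str) -> str:
    """SHA-256 of a file's contents: the measurement an integrity checker or attestation service records."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def execution_decision(path: str, allow_hashes, deny_hashes, deny_names) -> str:
    """Exclusive deny list first (by executable name or hash), then the exclusive allow list
    (by hash only, so a renamed binary does not slip through); anything not allowed is denied."""
    name = os.path.basename(path)
    digest = measure(path)
    if name in deny_names or digest in deny_hashes:
        return "deny: on exclusive deny list"
    if digest in allow_hashes:
        return "allow"
    return "deny: not on exclusive allow list"


def build_baseline(paths):
    """Record the known-good measurement of every monitored file."""
    return {path: measure(path) for path in paths}


def check_baseline(baseline):
    """Compare current measurements with the recorded baseline: ok / modified / missing."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        else:
            report[path] = "ok" if measure(path) == expected else "modified"
    return report


def demo():
    """Constructed scenario in a temp dir: an approved app, an unapproved tool, then the app changes."""
    with tempfile.TemporaryDirectory() as workdir:
        app = os.path.join(workdir, "approved-app.bin")
        tool = os.path.join(workdir, "unapproved-tool.bin")
        with open(app, "wb") as fh:
            fh.write(b"constructed approved binary v1")
        with open(tool, "wb") as fh:
            fh.write(b"constructed unapproved binary")
        allow = {measure(app)}                 # EAL populated from vetted measurements
        deny_names = {"unapproved-tool.bin"}   # EDL entry by executable name
        baseline = build_baseline([app, tool])
        results = {
            "app_before": execution_decision(app, allow, set(), deny_names),
            "tool": execution_decision(tool, allow, set(), deny_names),
        }
        with open(app, "ab") as fh:            # an unvetted change after the baseline was taken
            fh.write(b" + unexpected change")
        os.remove(tool)
        results["baseline"] = sorted(check_baseline(baseline).values())
        results["app_after"] = execution_decision(app, allow, set(), deny_names)
        return results


if __name__ == "__main__":
    print(demo())
```

A changed binary no longer matches its vetted measurement, so the same allow list that admitted it before now denies it, which is the behaviour an integrity-based EAL should have after an unapproved change.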
- Concerned less with how much work can be done and more with when it will be completed
- Focuses on minimal latency
- Jitter: the time variance between various tasks being completed

Slide 121: Host Architecture
Legacy systems
- Systems or applications that have reached their end-of-lifecycle (EOL) but still serve a necessary function within the organization
- Lack vendor support from the manufacturer
- Lack patch management
- May implement weaker cipher suites
- May implement weak/deprecated algorithms
- May implement inadequate encryption key sizes
- Likely limited to weaker password standards

Slide 122: Mobile Device Architecture
Mobile device strategy must be policy driven
- Organizational security policy: overarching security framework
- Acceptable Use Policy (AUP): defines which assets can be used and in which manner
- Privacy policy: defines the level of monitoring and tracking
- Mobile Device policy
  - Establishes goals and accountability pertaining to mobile technology
  - Addresses deployment modeling
  - Provisioning and de-provisioning
  - Onboarding and offboarding

Slide 123: Mobile Device Architecture
Mobile Device Management (MDM)
- A centralized enterprise solution to provision, configure, manage, restrict, and de-provision mobile devices
- Enforces company policies
- Carries out onboarding and offboarding tasks
  - Mobile device registration
  - Applies a mobile device configuration profile during the onboarding process
    - Security and configuration baseline that is "tagged" to the device
    - Profile can be based upon the role of the user, the purpose of the device, and/or the applicable security level
- Permissions management
- Patch management

Slide 124: Mobile Device Architecture
Mobile Device Management (MDM)
- Proximity and location management: geofencing, geolocation
- Remote wipe, remote lock
- Application management:
  - Exclusive Allow List (EAL)
  - Exclusive Deny List (EDL)
  - Containerization: sandboxed, deployable mobile apps
  - Constrain app permission strings
- Storage management
  - Full Disk Encryption (FDE)
  - Partition segmentation and encryption
  - Storage segmentation
- Attestation: indication of device jailbreaking/rooting

Slide 125: Mobile Device Architecture
Mobile device O/S baselining
- SEAndroid: applies SELinux modifications to the Android platform
  - Replaces DAC with MAC and supports assignment of security labels
- Overwriting O/S firmware
  - Provides complete control over the mobile device's trusted computing base
  - Mobile device rooting: Android
  - Mobile device jailbreaking: Apple iOS
- Vendor eFuse: vendor-embedded integrity marker that signals firmware modification attempts
- Unauthorized overwriting:
  - Follow incident response procedures
  - Will violate the vendor's warranty

Slide 126: Mobile Device Architecture
Common mobile device connectivity options
- Cellular 4G/5G: data-in-transit and firmware OTA update feasibility
- Wi-Fi capabilities: IEEE 802.11 WLAN interoperability
- Bluetooth: IEEE 802.15.1 WPAN device-to-device interoperability
- Global Positioning System (GPS): supports geolocation requirements
- Sideloading: transferring firmware, apps, or files between two local devices, such as from a workstation to a mobile phone

Slide 127: Mobile Device Architecture
Mobile device deployment models: Bring Your Own Device (BYOD)
- Device is owned by the employee and is allowed to be used within the company for business functions
- Risk mitigation is significantly aided by encryption and sandboxing
- Device could be lost or compromised, leading to unauthorized data disclosure
  - Limit access to company data based on level of criticalness, sensitivity, or purpose
  - Utilize Virtual Desktop Infrastructure (VDI)
  - Establish storage segmentation and encryption
  - Utilize remote wipe and remote lock features when necessary
- Device could be used to cause harm to surrounding enterprise devices
  - Establish network micro-segmentation

Slide 128: Mobile Device Architecture
Mobile device deployment models:
- Corporate Owned, Business Only (COBO)
  - Can only be used for company usage
  - Employee is forced into carrying multiple devices
- Corporate Owned, Personally Enabled (COPE)
  - Company owns, manages, and baselines the device, applies operational restrictions, and determines the device's lifecycle
  - Employees can use the device for personal functions
  - Establish storage segmentation and encryption
- Choose Your Own Device (CYOD)
  - Employees choose from a list of company-supported devices
  - Devices are corporate enterprise friendly

Slide 129: Mobile Device Architecture
Virtual Desktop Infrastructure (VDI)
- Mobile device is merely used as an interface to a remote server that houses the corporate data and applications
- Only the desktop is deployed to the device
- Data is never stored on the device
- If the device is lost or stolen, the data is still safe on the remote server
- Thin-client architecture abstraction

Slide 130: Question
In which of the following mobile deployment models would an organization MOST likely be prevented from applying SEAndroid alterations to the device's baseline?
a) BYOD
b) CYOD
c) COBO
d) COPE

Slide 131: Networking Architecture
SY0-701 exam objectives covered:
- Domain 1.4 Explain the importance of using appropriate cryptographic solutions
- Domain 3.1 Compare and contrast security implications of different architecture models
- Domain 3.2 Given a scenario, apply security principles to secure enterprise infrastructure
- Domain 4.1 Given a scenario, apply common security techniques to computing resources

Slide 132: Networking Architecture
Establish network security zones based upon functionality, level of sensitivity, or level of criticalness
- East-West traffic zone
- North-South traffic zone
- Network segments
  - Virtual Local Area Network (VLAN)
  - Screened subnetworks / Demilitarized Zone (DMZ)
  - Wireless Local Area Network (WLAN)
  - Air-gapped systems

Slide 133: Networking Architecture
Switch architecture
- Connects network segments together
  - Access ports: connect hosts/clients/printers
  - Trunk ports: connect switches
- Partitions the collision domain
- Improves network efficiency: MAC lookup table for determining frame delivery
- Managed vs unmanaged
- Basic hardening: remove default passwords, shut down unnecessary ports, implement IEEE 802.1X, physical security measures

Slide 134: Networking Architecture
Switch architecture: Layer 3 switch or multilayer switch
- Includes typical services performed at the Data Link layer, including VLANs (IEEE 802.1Q capable)
- Provides gateway and routing services
  - Utilizes routing protocols for route determination
  - Network Address Translation (NAT)
  - VLAN Trunking Protocol (VTP)
  - Quality of Service (QoS)

Slide 135: Networking Architecture
Switch architecture: Virtual Local Area Network (VLAN)
- The same physical network is divided into multiple logical networks
- VLAN tag: created using IEEE 802.1Q VLAN-capable switches
- Segments users or groups on a network
- Benefits:
  - Better management of network assets
  - Decreases broadcast traffic
  - Reduces traffic interception

Slide 136: Within the same VLAN (diagram not reproduced)
- 16-port managed switch with four VLANs (VLAN1 is 10.10.10.0/24; the other subnets shown are 192.168.0.0/24, 172.16.2.0/24 and 192.168.1.0/24), connected to a router
- Frame: SRC 192.168.1.43, DST 192.168.1.42 (delivered within the VLAN)

Slide 137: Different VLANs (diagram not reproduced)
- Same switch and VLANs as the previous slide
- Frame: SRC 192.168.1.43, DST 172.16.2.3 (must pass through the router)

Slide 138: Modifying VLAN Membership (diagram not reproduced)
- Switch configuration applied to the port of the destination host:
    interface fastethernet 0/2
    switchport mode access
    switchport access vlan 4
- Frame: SRC 192.168.1.43, DST 192.168.1.33

Slide 139: Networking Architecture
Switch architecture attack surface mitigations
- Physical security: protected equipment racks
- Port security: disable unnecessary ports, implement MAC filtering, IEEE 802.1X
- IEEE 802.1D Spanning Tree Protocol (STP): prevents switching loops, broadcast storms, and offline switches
- Monitoring
  - NIDS/NIPS: flood attacks, Q-in-Q attacks
  - Port mirroring

Slide 140: Networking Architecture
Router architecture
- Provides connectivity between two or more networks (broadcast domains)
- Routes packets based upon IP addressing
- Access Control List (ACL) capable
- Gateway services: Network Address Translation (NAT)
- Typical routing protocols:
  - Routing Information Protocol (RIP)
  - Open Shortest Path First (OSPF)
  - Border Gateway Protocol (BGP)

Slide 141: Networking Architecture
Router architecture attack surface mitigations
- Physical security: protected equipment racks
- Port security: disable unnecessary ports, password protect ports
- Administration: use secure remote administration protocols such as Secure Shell (SSH); jump server proxy
- Router advertisements: hash/sign router advertisements to prove their authenticity
- Route leaking: split horizon
- Monitor traffic for Key Performance Indicators (KPI) and abnormal traffic: NetFlow or something similar
- Remotely Triggered Black Hole (RTBH) / sinkhole: DDoS and spoofing countermeasures

Slide 142: Networking Architecture
Network Address Translation (NAT)
- Rewrites the source IP address to satisfy policy requirements
  - Example: translates a private address into a public address
  - Records the address and rewritten address in the NAT table
- Allows sharing of a single public IP address or a pool of public IP addresses at the network gateway
  - Static NAT
  - Dynamic NAT
  - PAT/overloaded NAT
- Hides internal network addresses from an external network
- IPsec Authentication Header (AH) issue: NAT-T

Slide 143: Networking Architecture
Load balancer architecture
- Distributes workload across multiple network appliances or network links to support high availability, elasticity, and scalability
- In the event of server or application failure, load balancers facilitate automatic failover to ensure continuous availability
- Active-active load balancing
  - All components are online
  - Maximizes capacity
- Active-passive load balancing
  - Necessary components are online; the remainder are on standby
  - Supports failover
  - Supports elasticity

Slide 144: Networking Architecture
Load balancer architecture: scheduling and session management
- Static load balancing: tasks are assigned in turn (round-robin server clustering)
- Dynamic load balancing: the scheduler decides task assignment based upon the health of the component, i.e. which component has the most free resources
- Virtual IP address: like services share the IP address seen by the client but individually have their own address; usually involves NAT
- IP affinity: client and load balancer session is tracked by the source IP address
- Persistence: client and load balancer session state is tracked by a cookie

Slide 145: Networking Architecture
Zero Trust Architecture
- Implicit trust between network nodes operating within a network security zone is nullified, no matter the device or its location
- Continuous validation
  - Access is evaluated per request, not granted via inherent or transient trust relationships
  - Access is determined by a dynamic access control model such as ABAC
- Dynamic security posture assessments are required
  - Continuous monitoring of the enterprise
  - Security posture assessment of the requesting device
- Communications must be secured, regardless of network location

Slide 146: Infrastructure as Code (IaC)
- Deployable scripts that provision infrastructure components such as virtualized servers, routers, and switches
- Immutable vs mutable infrastructure
- Automation helps minimize configuration mistakes, is repeatable, and is highly measurable
- A business function and the underlying, supporting network components are deployed as one or more files in JSON, XML, or YAML format, for example:
    - resource: ACME_Virtual_Network
      name: prod_environment
      addr_space: 10.0.0.0/16
      location: United States
    - resource: SCADA_subnet
      name: SCADA_group
      addr_space: 10.0.20.0/24

Slide 147: Networking Architecture
Software Defined Networking (SDN)
- Concept of abstracting the configuration, management, and flow of network traffic through software APIs instead of a direct, hands-on, physical approach
- Provides scalable, ease-of-management network administration through a dashboard
- Network infrastructure is broken down into administrative planes differentiated by functionality and controlled by a network controller: management plane, control plane, and data plane
- SDN resources can be physical or virtual devices and range from a logical port to an entire network device

Slide 148: Networking Architecture
SDN administrative planes
- Management plane: network node configuration traffic
- Control plane
  - Handles the network's logical traffic flow decision-making
  - Manages the routing protocols and routing decisions
  - Manages QoS decisions
- Data plane
  - Set of API instructions used to transfer data, including the transported data itself
  - Handles traditional network frame delivery
  - AKA forwarding plane

Slide 149: Networking Architecture
Software-Defined Wide Area Networking (SD-WAN)
- Enterprise-level connectivity to distributed cloud-based services
- Abstraction for managing the organization's multi-cloud inter-pathways
- Cloud-based, application-sensitive Quality of Service (QoS)
  - Prioritization for mission-critical or latency-sensitive application services
  - The SD-WAN solution has to be able to identify different types of applications in order to determine application priority
  - The SD-WAN solution has to be able to adjust routing priorities based upon application priority
- Artificial intelligence (AI) is used for monitoring the multi-networks' security and resiliency postures

Slide 150: Networking Architecture
Secure Access Service Edge (SASE)
- Integrated security services concept that focuses on Zero Trust Network Access (ZTNA) for endpoint devices connecting to the organization's multi-cloud environment
- Access is based upon the identity of the device, combined with real-time context of the connection
- Software-Defined Perimeter (SDP)
- Necessary bundled services:
  - SD-WAN
  - Firewall as a Service (FWaaS) / Next Generation Firewall (NGFW)
  - Secure Web Gateway (SWG)
  - Cloud Access Security Broker (CASB)
  - Zero Trust Network Access (ZTNA)
  - Anti-malware services

Slide 151: Networking Architecture
Abstraction models summarized:
- SASE: focuses on management abstraction of endpoint devices and their interactions with multi-cloud resources (example: endpoint conversations to and from the cloud data center)
- SDN: focuses on management abstraction between network backbone devices within the LAN (example: within the cloud data center)
- SD-WAN: focuses on management abstraction of multi-cloud inter-pathways (example: between the cloud data centers)

Slide 152: Enterprise Architecture
- Centralized management of network-based resources, their application services, and the technologies needed to perform the operational mission
- Deployed within a trusted network (LAN)
  - Abstract security perimeter: logical segmentation through OU membership
  - Physical security is presumed
- Directory service protocols provide managerial structure: LDAP
- Centralized credential management: Single Sign On (SSO) authentication

Slide 153: Enterprise Architecture
Lightweight Directory Access Protocol (LDAP)
- Standardized directory access protocol that allows queries and general management of enterprise directories
- Follows the X.500 standard
- Uses a hierarchical design with a Domain Component (DC) root object at the top, followed by Organization and OU containers for logical organization
- Distinguished Name (DN) example: CN=Sec+; OU=SY0-701; OU=Objectives; O=Exams; DC=CompTIA
- Port 389: LDAP
- Port 636: LDAP over TLS/SSL

Slide 154: Enterprise Architecture
LDAP vulnerabilities:
- On-Path attack / Man-in-the-Middle attack issues: compromise of username/password
- LDAP injection attacks: counter with LDAPS
- Avoid weak authentication
  - Evil Twin and poisoning issues
  - Implement LDAPS for mutual authentication and encryption
  - Simple Authentication and Security Layer (SASL)
- Directory traversal violations: improper directory security settings
  - Tightly manage ACLs
  - Conduct privilege auditing

Slide 155: Wireless Architecture
- Infrastructure Mode
  - Centralized: Basic Service Set (BSS)
  - Wireless Access Point (WAP) serves as the wireless gateway
  - Could be a "mobile hotspot"
- Ad Hoc Mode
  - Decentralized, Peer-to-Peer (P2P): Independent Basic Service Set (IBSS)
  - Examples: Wi-Fi Direct; device to device, computer to printer

Slide 156: Wireless Architecture
Wireless Personal Area Network (WPAN)
- Device-to-device connectivity (wireless mice, wireless keyboards, medical devices, smart home technologies, etc.)
- IEEE 802.15.1 Bluetooth is most common
  - Host (i.e. laptop) and controller (i.e. wireless mouse) communicate over an Ad Hoc network via the Bluetooth Host Controller Interface (HCI)
  - Latest Bluetooth versions use AES-CCM for frame confidentiality and authenticity
  - Bluetooth Secure Authentication: uses HMAC-SHA256 with mutual authentication

Slide 157: Wireless Architecture
Wireless Local Area Network (WLAN)
- IEEE 802.11 WLAN protocols are used to deliver data frames, management frames, and control frames
- WLAN phases
  - Phase 1: Discovery. Management frames such as beacon frames or association frames
  - Phase 2: Authentication. Authentication protocols such as 802.1X and EAP
  - Phase 3: Key Generation and Distribution. Cryptographic keys are agreed upon, exchanged, and scheduled
  - Phase 4: Data Transference. Implement data-in-transit protection protocols
  - Phase 5: Termination

Slide 158: Wireless Architecture
Antennae placement
- Wireless site survey
- Wi-Fi analyzer
- Monitor mode
- Signal quality
- RFI heat maps

  Protocol   Frequency      Bandwidth   Modulation
  802.11a    5 GHz          54 Mbps     OFDM
  802.11b    2.4 GHz        11 Mbps     DSSS
  802.11g    2.4 GHz        54 Mbps     OFDM / DSSS
  802.11n    2.4 / 5 GHz    600 Mbps    OFDM / DSSS
  802.11ac   5 GHz          3.5 Gbps    QAM / OFDM / DSSS
  802.11ax   2.4 / 5 GHz    9.6 Gbps    QAM / OFDM / DSSS

Slide 159: Wireless Encryption
Wi-Fi Protected Access version 2 (WPA2)
- National Institute of Standards and Technology (NIST) FIPS 140-2 compliant
- Uses CCMP with AES encryption
  - CBC-MAC for packet authenticity and integrity checking
  - AES-128 for message confidentiality
- Supports mutual authentication: EAP-TLS, PEAP, EAP-TTLS, EAP-FAST

Slide 160: Wireless Encryption
Wi-Fi Protected Access version 3 (WPA3)
- Required to be Wi-Fi certified
- AP and client are authenticated before association is accepted
- Uses IEEE 802.11w Management Frame Protection (MFP)
- CCMP: data origin authenticity and replay protection
- WPA3 Personal mode
  - Simultaneous Authentication of Equals (SAE)
  - 128-bit AES key size
- WPA3 Enterprise mode
  - 192-bit AES key
size Supports Mutual Authentication EAP-TLS, PEAP, EAP-TTLS 160 Which type of configuration must be made to a network switch in order to monitor all network traffic passing through the switch? a) The switch must be setup in a star topology b) STP must be enabled across all switches c) IEEE 802.1X must be disabled on the monitored ports d) DHCP snooping must be enabled on the switch e) A switch port must be configured as a mirroring port 161 Virtualization and Cloud Architecture Domain 2.3 Explain various types of vulnerabilities Domain 3.1 Compare and contrast security implications of different architecture models 162 Virtualization Technology that is ran entirely wrapped through software instead of a physical device construct System abstraction is ultimately stored as a file but presents itself to an operating environment the same as a physical machine Can provide security wrapping services to legacy systems The entire gamut of computing can be virtualized: Virtualized applications Virtualized desktops Virtualized computers Virtualized switches Virtualized routers Virtualized data centers 163 Virtualization Sandbox security model A security concept where a restricted, controlled execution environment is established so that actions, whether desired or undesired, are constrained to only that environment and any potential harm is prevented from spreading Sandboxing A popular compartmentalization technique that focuses on constraining I/O operations In a virtualization environment, a compromised Virtual Machine (VM) is neither allowed to compromise the host machine nor neighboring VMs 164 Virtualization Hypervisor The virtualization component that manages the guest VMs on a physical host AKA Virtual Machine Monitor (VMM) Controls the flow of instructions between the guest VM and the physical hardware Partitions the physical machine’s system resources and isolates the guest VM operating systems Type 1 hypervisor implementation: native virtualization Runs natively 
within the physical host’s hardware, without a physical host OS AKA “bare-metal” virtualization Type 2 hypervisor implementation: hosted virtualization Runs within the physical machine’s host operating system as a separate sandboxed instance 165 Virtualization Type 1: native virtualization Type 2: hosted virtualization Share Guest Guest HTTP SMTP HTTP Point VM1 VM2 Guest Guest Guest Web Hypervisor VM1 VM2 VM3 Browser Hypervisor Host Operating System Hardware Hardware 166 Virtualization Physical security Security of the VMs starts with the physical security controls of the physical machine System recovery VM snapshots: entire VMs can be saved, backed up, and restored The VM file can be transferred to another
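The LDAP injection item on the LDAP vulnerabilities slide (154) is about application code that pastes user input straight into a search filter; LDAPS protects the session but not the filter. The following is an added example, not from the slides, showing the vulnerable concatenation beside the hardened form that escapes assertion values per RFC 4515 (the attribute names and sample usernames are constructed for illustration):

```python
"""Building LDAP search filters safely (added example, not from the slides).

RFC 4515 requires the characters ( ) * \\ and NUL inside an assertion value
to be escaped as \\XX hex sequences. Concatenating raw user input into a
filter lets those characters change the filter's structure (LDAP injection);
escaping keeps them as literal characters the directory matches on.
"""

# RFC 4515 section 3: characters that must be escaped in assertion values.
_ESCAPE = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def unsafe_user_filter(username: str) -> str:
    """Vulnerable pattern: raw concatenation of user input into the filter.

    A username of "*" turns the equality match into a wildcard that
    matches every person entry, which is the injection the slide lists.
    """
    return f"(&(objectClass=person)(uid={username}))"


def safe_user_filter(username: str) -> str:
    """Hardened pattern: the same filter with the value escaped.

    The escaped value can only ever match a uid that literally contains
    those characters; the filter structure cannot be altered.
    """
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


if __name__ == "__main__":
    # Constructed sample inputs: a normal login name and one carrying
    # filter metacharacters.
    for name in ("jsmith", "*"):
        print("unsafe:", unsafe_user_filter(name))
        print("safe:  ", safe_user_filter(name))
```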
