CompTIA Security+ Exam Notes

Let Us Help You Pass

Friday, October 12, 2018

Security Controls - Preventive

Preventive

What you are trying to do is prevent some form of security breach/incident.

Change management: Making sure that there are no outages that were not planned. Being as I work as an IT administrator, it's easy to want to make changes on the fly. The first step in this process is to submit the change plan and get approval. These changes can be network configuration changes or a move to a more current operating system. We need to plan, test, and practice before attempting the changes to reduce the chances of downtime on a production network.

Security awareness and training: Make users aware of social engineering attacks and of email and social network best practices. Once users are aware of the tactics a social engineer might use, there is less chance of them being fooled into revealing their passwords. For example, Microsoft is not going to call you and ask for your password; a caller who does so is a threat actor attempting to social engineer you.


Disabling Accounts: Having an account disablement policy for when an employee leaves the organization can help prevent the former employee from accessing their old account and possibly causing a security breach.

In 2008 a contractor working for Fannie Mae was told during the day that he was being fired for a scripting error he made earlier in the month. He was allowed to work through the end of the day. He then loaded a logic bomb set to launch a few months later. Luckily for the company, the logic bomb was discovered; otherwise it would have crashed 4000 servers, crippling Fannie Mae.

Disabling his account as soon as he was notified would have prevented the contractor from installing the logic bomb.


Hardening systems: This best practice covers systems, applications, and operating systems. It includes disabling unnecessary services and protocols, applying security patches and updating firmware, changing default usernames and passwords, disabling unnecessary accounts, and disabling unused ports on switches.

Thursday, October 11, 2018

RAID (Redundant Array of Independent Disks)


RAID 0:
RAID 0 provides no fault tolerance or redundancy. Requires a minimum of 2 disks. The information is spread across each drive (for example: as it fills one block then adds data to the next sequential block). 

RAID 0 is striping with no parity. If one drive fails, all the information is lost, unless you have a backup of the data.

This form of RAID is used for performance, multiple heads reading/writing at the same time.

Both drives should be of the same size and speed. If you have two 320 GB drives, theoretically you would have 640 GB of storage space using this configuration. 

RAID 0 is best used for video and audio streaming. It could also be used for something like a backup server. The actual backups are stored on other media than the system running the backup software. 

RAID 1:

RAID 1 requires 2 drives and is known as mirroring. The exact same data is written to both drives. With RAID 1 you can add another disk controller, this eliminates a single point of failure. Using two disk controllers in this configuration is known as duplexing.

If you are using two 320 GB drives, theoretically you will have 320 GB for storage. 

If one drive fails, all the data is retained on the other drive. You do not have to shut this system down to replace the failed drive. Simply remove the drive, take it out of the sled/carrier, and replace it with a new drive. Reinsert the drive, go to the console, and select rebuild array. 

Use this RAID configuration for operating systems, authentication servers, etc., where you have minimal drive space to work with.

RAID 5:


RAID 5 requires a minimum of 3 disks and is striping with one parity stripe. The equivalent of one drive is used for the parity information. This helps provide fault tolerance.

RAID 5 has great read performance as multiple heads read at the same time. As you increase the number of drives, so does the read speed. The write performance is slow due to the parity calculation on the full stripe. 

This RAID setup can afford the loss of only one drive; if more than one drive fails, the data is lost. Remove the failed drive while the system is operational, install a new drive, go to the console, and select rebuild array. The performance will degrade slightly as it rebuilds the array.

For three 320 GB drives, you will have 640 GB of storage space as the parity data will take up the equivalent of one drive.



RAID 6:

RAID 6 requires a minimum of 4 drives. It is configured as striping with dual parity. The equivalent of two drives is used for the parity information. This setup provides fault tolerance.

It has great read speed as multiple heads are reading at the same time. Write speed is even slower than RAID 5 as RAID 6 has to calculate dual parity for each stripe. 

RAID 6 can survive the simultaneous failure of two drives. Again, take out the failed drive or drives and replace them with new drives. After reinserting the drives, go to the console and select rebuild array.

Four 320 GB drives in a RAID 6 will give you 640 GB of storage space.
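The capacity rules and the single-parity recovery described for the RAID levels above, as an added example (not from the original notes): usable space for RAID 0/1/5/6 with identically sized drives, and a RAID 5 style XOR parity stripe rebuilt after one drive is lost. The drive sizes and block contents are constructed sample values.

```python
# Added example: RAID capacity math and XOR parity rebuild (constructed data).

MINIMUM_DRIVES = {0: 2, 1: 2, 5: 3, 6: 4}   # as listed in the notes above
TOLERATED_FAILURES = {0: 0, 1: 1, 5: 1, 6: 2}


def usable_capacity(level: int, drives: int, size_gb: int) -> int:
    """Usable space in GB for a RAID level built from identical drives."""
    if level not in MINIMUM_DRIVES:
        raise ValueError(f"unsupported RAID level {level}")
    if drives < MINIMUM_DRIVES[level]:
        raise ValueError(f"RAID {level} needs at least {MINIMUM_DRIVES[level]} drives")
    if level == 0:
        return drives * size_gb            # striping only, nothing reserved
    if level == 1:
        return size_gb                     # mirror: one drive's worth of space
    if level == 5:
        return (drives - 1) * size_gb      # one drive's worth of parity
    return (drives - 2) * size_gb          # RAID 6: two drives' worth of parity


def xor_parity(blocks: list) -> bytes:
    """XOR all blocks together; this is the parity block RAID 5 stores."""
    parity = bytes(len(blocks[0]))
    for block in blocks:
        if len(block) != len(parity):
            raise ValueError("all blocks in a stripe must be the same size")
        parity = bytes(a ^ b for a, b in zip(parity, block))
    return parity


def write_stripe(data_blocks: list) -> list:
    """One stripe: the data blocks plus a trailing parity block."""
    return list(data_blocks) + [xor_parity(data_blocks)]


def rebuild_stripe(stripe: list, failed: set) -> bytes:
    """Recover a single missing block (data or parity) from the survivors.

    XOR is its own inverse, so XOR-ing every surviving block yields the
    missing one. Two missing blocks cannot be recovered with one parity.
    """
    if len(failed) > TOLERATED_FAILURES[5]:
        raise ValueError("RAID 5 tolerates only one failed drive")
    survivors = [block for i, block in enumerate(stripe) if i not in failed]
    return xor_parity(survivors)


if __name__ == "__main__":
    for level, drives in ((0, 2), (1, 2), (5, 3), (6, 4)):
        print(f"RAID {level} with {drives} x 320 GB -> {usable_capacity(level, drives, 320)} GB")
    stripe = write_stripe([b"abcd", b"1234"])           # constructed blocks
    print("rebuilt drive 0:", rebuild_stripe(stripe, {0}))
```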

Wednesday, August 15, 2018

WIRELESS AUTHENTICATION PROTOCOLS

EAP-TLS (Extensible Authentication Protocol-Transport Layer Security): This requires certificates to be installed on both the wireless clients and the server, making it one of the most secure implementations of EAP.

PEAP (Protected EAP): PEAP only requires the server to have the certificate. PEAP encapsulates the EAP communication in a TLS tunnel.

LEAP (Lightweight EAP): Developed by Cisco, does not require a certificate on either the client or server. Cisco recommends using a stronger version such as EAP-FAST, as LEAP has a known weakness.

EAP-FAST (EAP Flexible Authentication via Secure Tunneling): Developed to replace LEAP. The use of certificates is optional.

EAP-TTLS (EAP Tunneled Transport Layer Security): Needs a certificate on the server, but not the client. The username and password are not sent in plain text because the transmission takes place inside an encrypted tunnel. Because of this tunneled TLS, even PAP can be used for authentication without the credentials being compromised.

802.1X: PEAP, EAP-TLS, and EAP-TTLS all require an 802.1X server. Some refer to the 802.1X server as a RADIUS server.

WPA2/WPA Enterprise: This requires a RADIUS/802.1x server. Enterprise mode also requires the use of a certificate on the server. The user will also need a username and password to authenticate.



MALWARE TYPES - PART 3

Rootkits: These are programmed to provide continuous privileged access to a system. This malware remains hidden to avoid detection by an antivirus program. The rootkit gives a remote attacker control over items such as system processes. The controller of the rootkit has the ability to change the system configuration and spy on users' actions.

The detection of such an infection is extremely difficult. The best way to remove a rootkit when detected is to wipe the system and reinstall the operating system and applications.

Ransomware: There are two different definitions of the types of ransomware. The first one starts out as scareware. The user clicks on something, and a pop-up or web page appears mimicking an antivirus scan. The scan finds infections immediately (even though they don't exist); the number of infections it finds can be anywhere from the teens to the thousands. You click on the button to clean the infections, and you get the notice that this is the Free version and you will need to purchase the Paid version. You pay for the new "Fake Antivirus" and miraculously it removes all the infections that were never there to start with.

The second type takes on the name Crypto-malware: This version encrypts all your documents and photos. They give you anywhere from an hour to 7 days to pay them a fee to retrieve a decryption key; otherwise your information remains encrypted or will be deleted. Most of these end up doubling the fee right after the deadline passes. Most of them require payment through MoneyPak or Bitcoin.

Remote Access Trojan (RAT): This gives an attacker total control over the system. This gives the attacker access to any information on the system, the ability to spy on the victim or control the system.

RATs are very difficult to detect as they operate like remote management tools, and use common ports. They are typically delivered through a Trojan, via a phishing attack. The best way to protect against this is to have email opened in plain text rather than HTML.



Sunday, August 12, 2018

MALWARE TYPES - Part 2

Logic Bombs: A piece of code that sits on a target PC/Server until it is triggered by an event. That event can be a specific date or time, or the moment a certain condition is met. The triggering event is whatever the programmer coded the malware to wait for.

  • It could be a script that runs every payday, if their name isn't included (meaning they have been laid off/fired) in the payroll report, the malware is triggered to run a predetermined time afterward.
  • Another event could be when the company hires the 250th (just picked a random number for the example), employee.
  • The date is another possibility, launched on a specific date.

Worms: Worms are a type of malware that self-replicates. The worm moves through the network consuming bandwidth. Worms take advantage of weaknesses in certain networking protocols.

Worms are known to take advantage of the weakness found in SMBv1, spreading through the network over port 445, Microsoft's file-sharing port.

USB flash drives tend to be one of the easiest ways to introduce a worm into the network. Users will find a USB drive on a table or floor, pick it up and plug it in to see what is on the device and to determine the owner. There are vendors that will hand out free USB drives that are infected at conferences like Def Con.

Botnets:  A botnet is a collection of Internet-connected devices, PCs, webcams, etc. These devices are normally on 24 hours per day and have decent bandwidth. The owners of these devices are unaware that their device is participating in the botnet. The devices are known as zombies and perform whatever the handler has programmed them to do:
  • DDoS; Distributed Denial of Service attack on a single target
  • Send SPAM from these devices
  • Download other malware like keyloggers

Botnets typically use anywhere from 5,000 to 20,000 devices.

One of the largest DDoS attacks happened in November of 2016, and it was an attack against DNS servers. This time the botnet was composed mostly of DVR players and digital cameras.


MALWARE TYPES - Part 1

Virus: This is malicious code that attaches to a host program/application and runs after a user initiates an action such as launching the application. Some viruses deliver the payload immediately; others wait until the virus has replicated.

Symptoms vary, the virus may open a backdoor for an attacker, delete files, install a zombie and join the system to a botnet, or cause the system to reboot intermittently.

Polymorphic Virus: This type of virus has the ability to change its binary pattern as it replicates or when it is executed. The code is encrypted and uses different encryption after each infection. The ability to change code makes it difficult for an antivirus program to detect this malware.

Armored Virus: This type of malware is able to fool antivirus programs as to its true location, making the antivirus believe it is located in one area while being located in a completely different area. Armored viruses use obfuscated code making it difficult to reverse engineer.

Trojans: Trojans are disguised as something useful, such as a screensaver or legitimate software. Trojans are often bundled into keygens that users run to activate pirated software. Here are some of the things that occur as a result of a trojan:


  • Backdoor: gives an attacker remote control
  • Email: Be used to harvest emails from the system
  • Usernames & Passwords: Steal this info for bank accounts
  • Download: Can be used to update itself or download other malware

One of the platforms for delivering Trojans is email attachments. The best way to protect against this is to prevent executables from running and to open email in plain text, not HTML.



CompTIA SYO-501 Security+ covers all of these in the objectives

Saturday, August 11, 2018

LINUX CLI COMMANDS

Here are the Linux commands that you will need to know for the exam:

cd: change directory - Allows a user to change between directories

chmod: Changes the permissions on the files listed

chown: Allows you to change group & user of a file

cp: copy - Allows a user to make a copy of a file

grep: Search feature to look for a string of text

head: outputs the first 10 lines of a file

locate: finds a file by name (similar in purpose to the find command), used to locate a file

logger: writes input to the local system log or to a remote syslog server

ls: Shows the user a list of the files in the current directory

man: manual - Will show all the information about a particular command

mkdir: make directory - Allows a user to make a new folder or directory

mv: move - Allows a user to move a file to another directory or folder

passwd: changes the user's password

ps: Allows the user to see the processes running on the PC/Server

pwd: Allows a user to know the name of the directory in which they are located

rm: remove - This command allows a user to remove files within a directory

rmdir: remove directory: Allows a user to remove a folder or directory

tail: outputs the last 10 lines of a file

LINUX PERMISSIONS

Linux permission attributes:


r (read)       View file content
w (write)      Modify file content
x (execute)    Run a file (if it's an executable program and is combined with the read attribute)


An example of Linux permissions:

rwxrwxrwx

The first 3 belong to the user or owner: Owner level rwx: Owner can read, write & execute the file

The second 3 belong to the group: Group-level rwx: only members of the group to which the file belongs can read, write, & execute the file

The last 3 belong to other or world: Other level rwx: All users can read, write and execute

To change file permissions using the CLI, you would use "chmod"

Permissions example: rwxrw-r--

The owner has read, write, execute

Groups have read, write

Other have read
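The permission string walked through above, as an added example (not from the original notes): it splits a 9-character mode such as rwxrw-r-- into owner/group/other, converts it to the octal form that chmod takes, applies the execute-needs-read rule from the table, and confirms the result by chmod-ing a constructed temporary file and reading the mode back.

```python
# Added example: symbolic Linux permissions -> octal for chmod (constructed input).
import os
import stat
import tempfile

CLASSES = ("owner", "group", "other")


def parse_mode(symbolic: str) -> dict:
    """Split 'rwxrw-r--' into {"owner": {...}, "group": {...}, "other": {...}}."""
    if len(symbolic) != 9:
        raise ValueError("expected 9 permission characters, e.g. rwxrw-r--")
    result = {}
    for cls, chunk in zip(CLASSES, (symbolic[0:3], symbolic[3:6], symbolic[6:9])):
        for expected, ch in zip("rwx", chunk):
            if ch not in (expected, "-"):
                raise ValueError(f"bad character {ch!r} in {symbolic!r}")
        result[cls] = {
            "read": chunk[0] == "r",
            "write": chunk[1] == "w",
            "execute": chunk[2] == "x",
        }
    return result


def to_octal(symbolic: str) -> str:
    """'rwxrw-r--' -> '764': r=4, w=2, x=1, one digit per class."""
    digits = ""
    for cls in CLASSES:
        p = parse_mode(symbolic)[cls]
        digits += str(4 * p["read"] + 2 * p["write"] + 1 * p["execute"])
    return digits


def can_run(symbolic: str, cls: str) -> bool:
    """Per the table above, execute is only useful when combined with read."""
    p = parse_mode(symbolic)[cls]
    return p["execute"] and p["read"]


def apply_and_read_back(symbolic: str) -> str:
    """chmod a throwaway temp file to `symbolic` and read the mode back via stat."""
    fd, path = tempfile.mkstemp()          # constructed file, removed afterwards
    os.close(fd)
    try:
        os.chmod(path, int(to_octal(symbolic), 8))
        return stat.filemode(os.stat(path).st_mode)[1:]   # drop the file-type char
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("rwxrw-r-- ->", to_octal("rwxrw-r--"))        # 764, i.e. chmod 764 file
    print("read back :", apply_and_read_back("rwxrw-r--"))
```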



SYMMETRIC ENCRYPTION

Symmetric encryption uses the same key to encrypt and decrypt. Because this is a shared key, the keys have to be kept private. Symmetric Encryption is known as Private Key encryption. Remember, "YOU HAVE TO KEEP YOUR PRIVATES: PRIVATE".

With symmetric encryption, you do not want to send the key with the message: if the message were intercepted, the interceptor would have the key and be able to read (decrypt) the message.

The keys are exchanged out-of-band. For a secure exchange of symmetric keys, you would use some form of Diffie Hellman (DH, ECDHE, DHE).

Symmetric encryption uses less overhead than asymmetric encryption and decryption.

Stream ciphers and block ciphers are forms of symmetric encryption. The following are all symmetric encryption algorithms:

Stream Cipher: 
RC4: Encrypts one bit at a time and is used for audio and video streaming. WEP, WPA (TKIP), and SSL/TLS are built on RC4. Considered weak encryption and has been deprecated.

Block Ciphers:
DES: Data Encryption Standard - a symmetric block cipher that encrypts in 64-bit blocks. It uses a 56-bit key. Considered weak encryption and has been deprecated.

3DES: Triple-DES - uses 3 different keys to encrypt 3 different times. Encrypts in 64-bit blocks; an easy upgrade from DES without changing hardware. Considered weak encryption and has been deprecated.

AES: Advanced Encryption Standard - encrypts data in 128-bit blocks. It has 3 different key sizes, 128-bit, 192-bit, and 256-bit. The most widely used encryption.

Blowfish: Encrypts in 64-bit blocks and uses key sizes between 32-bit and 64-bit.

Twofish: Encrypts data in 128-bit blocks and uses key sizes of 128-bit, 192-bit, or 256-bit.

IF THE ENCRYPTION IS A STREAM CIPHER OR BLOCK CIPHER, THEN IT IS SYMMETRIC ENCRYPTION.

ASYMMETRIC ENCRYPTION

Asymmetric encryption uses two different keys, a public key and a private key, which are mathematically paired to work together. Asymmetric encryption is commonly called "Public Key" encryption. You will need a Certificate Authority to use asymmetric encryption.

It only encrypts small bits of data. The data or message must be smaller than the asymmetric key. 

It is only used to encrypt symmetric keys (which in turn encrypt data at rest) and to encrypt hashes (an encrypted hash is what makes up a "Digital Signature").


The Public Key is available to everyone; the Private Key is only available to you. Users are not to share their Private Key with anyone. My way of telling people how to remember who gets the Private Key: "YOU HAVE TO KEEP YOUR PRIVATES: PRIVATE" keys.

In this blog, we are going to cover the use of asymmetric encryption when it comes to emails or messages, and documents (files). 

ENCRYPTION & DECRYPTION: is performed with the recipient's keys:
1. If you were to send an email (Message, document, or file) to Dave, and you want only Dave to read it, you would encrypt with Dave's Public Key. 

2. Dave would then decrypt the email (Message, document, or file) with his Private Key. 

DIGITAL SIGNATURE: is always performed with the sender's keys.
1. First, the email (Message, document, or file) is hashed, then the hash is encrypted (signed: digitally signed) with the sender's Private Key. This Digital Signature will include the sender's Public Key.

2. The recipient will use the sender's Public Key to verify that the digital signature is valid. The recipient validates the Public Key against the issuing Certificate Authority.

Common asymmetric encryptions:
RSA: Typically used with X.509 certificates, it encrypts the certificate
DSA: Digital Signature Algorithm
ECC: Elliptic Curve Cryptography, mainly used with mobile devices due to less processing power
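The two workflows above (encrypt with the recipient's public key, decrypt with their private key; hash then sign with the sender's private key, verify with the sender's public key), plus the "message must be smaller than the key" limit and the symmetric-key-wrapping use from the SYMMETRIC and ASYMMETRIC sections, as an added example that is not from the original notes. It uses textbook RSA with tiny constructed primes (p=61, q=53) so the arithmetic is readable; real RSA keys are 2048 bits or more and use padding, and the name "Dave" follows the notes above.

```python
# Added example: toy RSA showing the page's encrypt/decrypt and sign/verify rules.
import hashlib
from math import gcd


def make_keypair(p: int, q: int, e: int = 17):
    """Return (public, private) as (e, n) and (d, n). Tiny primes: demo only."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)                  # modular inverse, Python 3.8+
    return (e, n), (d, n)


def encrypt(message: int, recipient_public) -> int:
    """Encrypt FOR someone: use the recipient's Public Key."""
    e, n = recipient_public
    if message >= n:                      # the page's size limit, enforced
        raise ValueError("message must be smaller than the key modulus")
    return pow(message, e, n)


def decrypt(ciphertext: int, recipient_private) -> int:
    """Only the recipient's Private Key undoes encrypt()."""
    d, n = recipient_private
    return pow(ciphertext, d, n)


def digest(data: bytes, n: int) -> int:
    """Hash first; reduce mod n only because the toy modulus is so small."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, sender_private) -> int:
    """Signature = hash encrypted with the SENDER's Private Key."""
    d, n = sender_private
    return pow(digest(data, n), d, n)


def verify(data: bytes, signature: int, sender_public) -> bool:
    """Recover the hash with the sender's Public Key and compare."""
    e, n = sender_public
    return pow(signature, e, n) == digest(data, n)


if __name__ == "__main__":
    dave_pub, dave_priv = make_keypair(61, 53)       # Dave's keys (constructed)
    me_pub, me_priv = make_keypair(61, 53, e=7)      # sender's keys (constructed)
    session_key = 65                                 # a small "symmetric key"
    wrapped = encrypt(session_key, dave_pub)         # only Dave can unwrap it
    print("wrapped key:", wrapped, "-> Dave recovers", decrypt(wrapped, dave_priv))
    msg = b"meeting moved to 3pm"
    sig = sign(msg, me_priv)
    print("signature valid:", verify(msg, sig, me_pub))
    print("tampered valid :", verify(b"meeting moved to 4pm", sig, me_pub))
```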

About Us

I am a CompTIA Certified Instructor. I do not work for CompTIA, but rather a technical training school. My main job is as a Network Administrator. My specialty on the teaching side is as a Boot Camp Instructor for CompTIA's A+, Network+, and Security+ classes. Classes begin on Monday morning, and the class takes the exam on Friday at 1:00PM. Over 90% of my students have to pass the class to keep their jobs.

Most of the students work for the Department of Defense contractors and need this certification to comply with the DOD 8570 directive. Eighty-five percent of the individuals do jobs other than network administration. The majority are software engineers. My current pass rate is 93%. 

Unlike most boot camps, I do not teach from a brain dump, but instead, teach concepts. My goal in this blog will be to educate exam candidates on the concepts of what is covered in the SYO-501 exam. 

I hope to add at least two objectives each day until all of the objectives are covered. Hopefully, in September I will be able to have questions with answers and a flashcard program. These will be on a different site and will have a charge to access the content. The price will be kept low to make it affordable. This blog will stay up and running for those looking for free content.

I will add free questions with answers, but only a few per week.