CompTIA Security+ 501 Summary Part 4

This is a summary of my notes on Chapter 4 of the CompTIA Security+ Get Certified Get Ahead by Darril Gibson, 5th Edition

Things to keep in mind:


  • CompTIA is releasing an updated version of the Security+ Exam in November 2020 so this edition will soon be outdated. 90% of the book will remain the same in accordance with the updated exam. New threats and cloud-computing technology will probably make up the majority of that new 10% of content.

  • Synthesizing paragraphs with a huge list of facts sometimes results in dreadful sentences. It also results in some streams of thought that end abruptly. Some notes cannot be digested any further and remain identical in this summary. In any case, these are just notes and not an essay.

  • Some things are repeated but this is simply to reinforce.

  • I use the term “actor” to refer to a hacker or bad actor.

  • APs are Access Points.


1. Detection Systems

A HIDS, Host-Based Intrusion Detection System, is software installed on an individual host. It watches that host’s logs, files, processes and the traffic reaching it, so it can catch things a network sensor never sees, such as a process modifying a system file. A NIDS, Network-Based Intrusion Detection System, is an appliance or software placed at strategic points, typically just behind a router or firewall, to monitor inbound and outbound traffic for network-based attacks. A NIDS is usually fed by port mirroring (SPAN, in Cisco terms): the switch copies the frames from one or more switch ports or VLANs to a designated monitor port, and the NIDS sensor hangs off that port. The “port” here is a physical switch port, not a TCP/UDP port number. A network tap does the same job in hardware and does not depend on the switch having spare capacity.

A signature-based detection system matches traffic or host activity against a database of patterns (signatures) of known attacks. It cannot flag an attack it has no signature for, so the signature database has to be kept current. Anomaly-based detection (also called behavioral or heuristic) first builds a baseline of normal system or network behavior and then flags deviations from that baseline; it can catch novel attacks but produces more false positives, and the baseline has to be captured while the system is known to be clean or the attacker’s traffic becomes “normal”.

Sending many TCP SYN packets but never completing the three-way handshake with the final ACK is a SYN flood attack: the server’s table of half-open connections fills up and legitimate clients can no longer connect. The SYNs normally come from spoofed source addresses, so the server’s SYN-ACKs go to nobody. Both an IDS and an IPS can detect a SYN flood, but only an inline device, an IPS or a firewall with a flood guard (or the server itself using SYN cookies), can stop it. CrowdStrike is an example of a product that uses behavioral analysis and alerts on anomalies, for example a user who never runs scripts suddenly launching several unusual PowerShell scripts.
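The detection logic an IDS applies to a SYN flood, as an added example (not from the book): a small detector run over a constructed packet summary. Each record is (seconds, source, destination, TCP flags). A SYN that is never answered by the client’s final ACK within a window stays half-open, and many half-open connections toward one destination in a short time is the flood signature. The window, threshold, addresses and the trace itself are all made-up values for the demonstration.

```python
"""Half-open connection (SYN flood) detector over a constructed packet summary.

Added example, not from the book. Each record is (seconds, src, dst, tcp_flags):
"S" is the client's SYN, "SA" the server's SYN-ACK, "A" the client's final ACK.
A SYN never followed by its ACK stays half-open; many of them aimed at one
destination in a short time is what an IDS flags as a SYN flood.
WINDOW and THRESHOLD are assumed tuning values, not figures from the page.
"""
from collections import defaultdict

WINDOW = 5.0      # seconds to wait for the completing ACK (assumption)
THRESHOLD = 50    # half-open connections to one host before alerting (assumption)


def half_open_connections(records, window=WINDOW):
    """Return {dst: number of SYNs not completed by the client's ACK within `window`}."""
    pending = {}                  # (src, dst) -> time of the SYN
    half_open = defaultdict(int)

    def expire(now):
        for key, syn_time in list(pending.items()):
            if now - syn_time > window:
                half_open[key[1]] += 1      # charged to the destination under attack
                del pending[key]

    last_seen = 0.0
    for t, src, dst, flags in sorted(records):
        last_seen = t
        expire(t)
        key = (src, dst)
        if flags == "S":
            pending[key] = t
        elif flags == "A":
            pending.pop(key, None)          # handshake completed; "SA" from the server is ignored
    # capture ended: anything still waiting never completed
    expire(last_seen + window + 1)
    return dict(half_open)


def flood_alerts(records, threshold=THRESHOLD, window=WINDOW):
    """Destinations whose half-open count reaches the threshold."""
    counts = half_open_connections(records, window)
    return sorted(dst for dst, n in counts.items() if n >= threshold)


def sample_trace():
    """Constructed data: one legitimate handshake, then 80 SYNs from spoofed sources."""
    trace = [
        (0.00, "192.0.2.10", "10.0.0.5", "S"),
        (0.01, "10.0.0.5", "192.0.2.10", "SA"),
        (0.02, "192.0.2.10", "10.0.0.5", "A"),
    ]
    for i in range(80):
        spoofed = f"198.51.100.{i + 1}"
        trace.append((1.0 + i * 0.01, spoofed, "10.0.0.5", "S"))
        trace.append((1.0 + i * 0.01 + 0.001, "10.0.0.5", spoofed, "SA"))  # answer goes nowhere
    return trace


if __name__ == "__main__":
    print(half_open_connections(sample_trace()))   # {'10.0.0.5': 80}
    print(flood_alerts(sample_trace()))            # ['10.0.0.5']
```

On a live host the same number is visible without a sensor: `ss -tan state syn-recv | wc -l` on Linux counts the kernel’s half-open connections, and a count that climbs into the hundreds while legitimate connects fail is the same signal. An IDS can only raise this alert; stopping the flood needs an inline device or SYN cookies on the server.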

A HIPS, Host-based Intrusion Prevention System, and a NIPS, Network-based Intrusion Prevention System, are like a HIDS and a NIDS except that an IPS sits inline with the traffic: every packet must pass through it before reaching its destination (in-band), so it can drop the packet. That is why “out of band” describes an IDS: the IDS receives a copy of the traffic from a mirror port or tap, so it can alert (and at most send TCP resets after the fact), but it cannot block anything because the traffic never goes through it. The price of inline placement is that an IPS that fails or is overloaded can take the link down with it, so IPS appliances are deployed with fail-open or fail-closed behavior chosen deliberately.

SSL/TLS accelerators are hardware devices (or add-in cards) built to handle TLS efficiently. Placed between the client and the server, they perform TLS offloading: dedicated hardware does the expensive public-key math of the handshake and the bulk encryption instead of the CPU of the server the client actually wants resources from. In most setups the accelerator terminates TLS entirely and forwards decrypted traffic to the destination server. Two consequences worth remembering: the accelerator holds the server’s private key and must be protected accordingly, and the segment behind it carries plaintext unless it re-encrypts toward the server.

SSL/TLS decryptors (TLS inspection) turn encrypted traffic back into readable form so a NIPS can inspect it. Even though the NIPS is in-band, it cannot examine the payload of encrypted traffic and therefore cannot prevent an attack hidden inside it. The decryptor terminates the TLS session, hands the cleartext to the NIPS, and re-encrypts toward the destination; for outbound inspection the clients have to trust the decryptor’s CA certificate, and the decryptor becomes a point where all of that traffic is visible in the clear.



2. Network Security Protocols & Attacks

Software-defined networking, SDN, separates the control plane (the decisions about where traffic goes) from the data plane (the forwarding hardware) and manages the network from centralized software, so paths, VLANs and segmentation can be changed programmatically instead of box by box. A honeypot is a server deliberately left vulnerable to attract attackers so their methods can be observed; a honeynet is a group of honeypots on a network wholly separated from the organization’s production network.

IEEE 802.1X, port-based network access control (PNAC), is an authentication standard that makes a device authenticate before its port passes anything other than authentication traffic. The ports here are physical connections: an Ethernet switch port or a WLAN association. There are three roles: the supplicant (the connecting device), the authenticator (the switch or AP, which only relays), and the authentication server, normally a RADIUS, Remote Authentication Dial-In User Service, server. Say you walk into a meeting room at a new company and plug into Ethernet: the switch keeps the port closed, your device identifies itself with either credentials or a certificate installed on the device, and the RADIUS server verifies that identity. The exchange is carried by the Extensible Authentication Protocol, EAP: EAP messages go from your device to the switch (EAPOL over the wire) and the switch forwards them inside RADIUS packets to the server. EAP itself does not encrypt anything; the EAP method does. Tunneled methods such as PEAP and EAP-TTLS build a TLS tunnel between your device and the RADIUS server so that the credentials inside are hidden from anyone sniffing the wire. The RADIUS server is the access-control decision point: its Access-Accept can carry attributes, such as a VLAN assignment, that tell the switch whether to put your device on a guest network or on the infrastructure, according to the policies the admin set, and an Access-Reject leaves the port closed.

The Service Set Identifier, SSID, is the visible name of a wireless network. Disabling SSID broadcast, and MAC filtering (allowing only specific MAC addresses to connect), both deter only low-effort attackers. Clients still send the SSID in probe and association frames, and every 802.11 frame carries the sender’s MAC address in the clear, so a sniffer reveals the hidden SSID and the list of allowed MACs, and the attacker simply spoofs one of those MACs, which is a one-line change on any operating system. Neither measure is a substitute for strong encryption and authentication.

Fat APs (autonomous APs) are configured and managed individually and stand alone, while thin APs are lightweight radios configured by a central wireless controller. Reduce the AP’s transmit power to shrink its range so the signal doesn’t reach beyond your premises. Ad hoc mode lets wireless devices connect directly to each other without an AP (infrastructure mode is the normal AP-based arrangement). A rogue AP is an unauthorized AP attached to the network; it can give an attacker a way in past the wired perimeter, or act as a sniffer that relays the captured traffic over the air to the attacker parked nearby. An evil twin is a rogue AP that advertises the same SSID as a legitimate AP, often with a stronger signal, so that clients connect to it and the attacker can intercept their traffic. Attackers can also use jamming to interfere with a network by transmitting noise on the same frequency it uses. A wireless scanner or spectrum analyzer, and the rogue-AP detection built into wireless controllers, are how you find both.

WPA replaced WEP, and WPA2 replaced both WPA and WEP. WPA uses Temporal Key Integrity Protocol, TKIP, a stopgap wrapped around WEP’s RC4 cipher; WPA2 uses CCMP, which is based on the Advanced Encryption Standard, AES. Both WPA and WPA2 can operate in Pre-Shared Key, PSK, mode (also called Personal) or Enterprise mode. In PSK mode everyone uses the same passphrase and users are anonymous to the network; in Enterprise mode each user authenticates with unique credentials, through 802.1X and a RADIUS server. The EAP methods differ in where certificates are required. EAP-FAST (Cisco) supports certificates but does not require them. PEAP and EAP-TTLS require a certificate only on the 802.1X (RADIUS) server; the client proves itself inside the TLS tunnel, usually with a password (MS-CHAPv2 is typical). EAP-TLS requires certificates on both the 802.1X server and every client device, which makes it the strongest option but means you need a PKI to issue client certificates. With the server-certificate-only methods the clients must be configured to validate the server’s certificate, otherwise an evil twin running its own RADIUS server can harvest their credentials.

Captive portals intercept a client’s first web request and redirect the browser to a page where the user must complete a specific step (accept terms, enter credentials, pay) before the network lets the device through.

A disassociation attack exploits the fact that 802.11 management frames, including disassociation and deauthentication, are sent unencrypted and unauthenticated on networks without Protected Management Frames. The attacker spoofs the AP’s address and sends disassociation frames to the MAC address of the client (or to the broadcast address to hit every client); the client drops its session and has to reauthenticate, and if the attacker keeps sending them it is effectively kept off the network. The attack continues until the attacker stops or the client changes its MAC address, unless the network uses 802.11w Protected Management Frames (optional in WPA2, mandatory in WPA3), which authenticate these frames so forged ones are discarded. The same trick is the usual first step in capturing a WPA handshake, since the client reconnects immediately.

Wi-Fi Protected Setup, WPS, lets users configure a device without typing the passphrase, by entering an 8-digit PIN instead (often printed on the AP). A WPS attack brute-forces the PIN, and a design flaw makes that take hours rather than years: the last digit is a checksum of the first seven, and the AP confirms the first four digits and the remaining three in separate steps, so at most 10,000 + 1,000 = 11,000 guesses are needed rather than 10^7. Disable WPS on any AP that offers it. An IV, Initialization Vector, is a number that wireless protocols combine with the pre-shared key so that each packet is encrypted with a different keystream. WEP uses a 24-bit IV, only about 16.7 million values, sent in the clear with every frame; sequential IVs wrap around after 16.7 million frames, a few hours on a busy network, and with random IVs a repeat is likely after only about 5,000 frames (birthday bound). Attackers use automated tools to inject frames, force more traffic, and collect duplicate IVs, and because WEP’s keystream is a function of the IV and the key, reused and weak IVs let those tools recover the key and decrypt all traffic. WPA2’s CCMP uses a 48-bit packet number that is never reused under a key and that the receiver checks, so replayed frames are rejected; WPA’s TKIP has known attacks that replay and inject frames. If a wireless AP is not using WPA2 with AES/CCMP (or WPA3), it is susceptible to many attacks.
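Why the WPS PIN falls in hours, as an added example that is not from the book: the standard WPS checksum digit (the same computation tools such as reaver use) plus a simulated registrar that, like a real AP, confirms the first four digits and the last four separately. The target PIN, the attempt accounting and the `ToyRegistrar` class are constructed for the demonstration; the protocol messages M4 and M6 are where a real AP leaks each half.

```python
"""WPS PIN brute force: why it takes hours rather than years.

Added example, not from the book. The 8th PIN digit is a checksum of the first
seven (the standard WPS checksum as implemented in tools such as reaver), and
the registrar protocol reveals in two separate steps whether the first four
digits and the last four are correct. ToyRegistrar stands in for an AP and
leaks exactly that; the target PIN and attempt counts are constructed.
"""


def wps_checksum(first_seven: int) -> int:
    """Checksum digit for the first seven digits of a WPS PIN."""
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


class ToyRegistrar:
    """Simulated AP. In real WPS the AP's reply to M4 reveals whether digits 1-4
    matched and its reply to M6 whether digits 5-8 did; each probe is one attempt."""

    def __init__(self, pin: str):
        assert is_valid_pin(pin)
        self._pin = pin
        self.attempts = 0

    def first_half_ok(self, half: str) -> bool:      # stands in for the M4 NACK
        self.attempts += 1
        return half == self._pin[:4]

    def second_half_ok(self, half: str) -> bool:     # stands in for the M6 NACK
        self.attempts += 1
        return half == self._pin[4:]


def recover_pin(ap: ToyRegistrar) -> str:
    """Worst case 10,000 + 1,000 probes: the halves are attacked independently,
    and the checksum digit is derived rather than guessed."""
    first = next(f"{i:04d}" for i in range(10_000) if ap.first_half_ok(f"{i:04d}"))
    for j in range(1_000):
        tail = f"{j:03d}"
        candidate = first + tail + str(wps_checksum(int(first + tail)))
        if ap.second_half_ok(candidate[4:]):
            return candidate
    raise RuntimeError("registrar never accepted a second half")


if __name__ == "__main__":
    ap = ToyRegistrar("12345670")
    print(recover_pin(ap), ap.attempts)   # 12345670 1803
```

With the halves verified together the attacker would face 10^7 candidates; split verification and the checksum cut that to 11,000, and at a few seconds per WPS exchange that is hours. Many APs now lock WPS after a burst of failures, which slows but does not remove the attack; turning WPS off does.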

Radio Frequency Identification, RFID, transmits data over specific tuned frequencies (low-, high- and ultra-high-frequency bands). NFC is a subset of RFID that uses the high-frequency band, 13.56 MHz exactly, works only over a few centimetres, and lets a device act as both reader and tag. Simple RFID tags answer any reader with a fixed identifier and do no cryptography, so their data is not protected: an actor with a reader can walk through a supermarket and harvest unshielded tags, or old contactless cards that return static data, in passing. A modern NFC payment card does not give up a reusable payment that way, because it computes a per-transaction cryptogram in a challenge-response exchange with the terminal; that is why the attack against it has to be a live relay, described next, rather than a read-and-replay. If an actor knows the frequency used by an RFID system, they can jam it by flooding that frequency.

An NFC attack is when an actor uses an NFC reader to capture data from another NFC device, such as a phone transferring data to another phone or a person paying with the NFC chip embedded in their new credit card. An NFC relay attack has to happen live, as opposed to a replay attack, which reuses an earlier capture. The actor walks past you with an NFC reader in their pocket and interrogates your unshielded card. The reader forwards the card’s answers to a more capable device, such as a laptop in a book bag, which sends them over a network to an accomplice’s phone some way away; that phone is tapped on a payment terminal and impersonates your card, forwarding the terminal’s challenges back the same way. In essence, the actor lifted your credit card from your pocket invisibly and paid for their groceries a few lanes down without you knowing. Because the terminal’s challenge changes every transaction, the read and the payment must happen concurrently. Shielding the card defeats the read; on the terminal side, a limit on how long the card may take to answer (distance bounding) catches the relay, since forwarding adds measurable delay.
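The replay-versus-relay distinction from the last two paragraphs, as an added example that is not from the book and is not the EMV protocol: a toy card that answers the terminal’s random nonce with an HMAC under a key only the card and the issuer hold. A captured answer cannot be replayed because the next nonce is different; forwarding the live nonce to the victim’s card (a relay) works, and a terminal that enforces a response-time limit is what catches it. The key, the timings and the message formats are constructed for the demonstration.

```python
"""Replay vs relay against a challenge-response NFC card.

Added example, not from the book and not the EMV protocol. A toy card answers
the terminal's random nonce with an HMAC under a key only the card and the
issuer hold. The key, round-trip timings and messages are constructed.
"""
import hashlib
import hmac
import os


class Card:
    def __init__(self, key: bytes):
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        """Per-transaction cryptogram: depends on the terminal's nonce, so it is never reusable."""
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class Terminal:
    """Verifies the cryptogram; optionally rejects answers that arrive too slowly."""

    def __init__(self, key: bytes, max_rtt_ms=None):
        self._key = key
        self.max_rtt_ms = max_rtt_ms          # None = no distance-bounding check

    def transaction(self, channel) -> str:
        nonce = os.urandom(16)                # fresh for every transaction
        response, rtt_ms = channel(nonce)     # channel models whatever is physically tapped
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(response, expected):
            return "declined: bad cryptogram"
        if self.max_rtt_ms is not None and rtt_ms > self.max_rtt_ms:
            return "declined: response too slow"
        return "approved"


AIR_RTT_MS = 1.0   # assumed round trip for a card touching the terminal directly


def direct_tap(card: Card):
    return lambda nonce: (card.respond(nonce), AIR_RTT_MS)


def replay(captured_response: bytes):
    """Attacker replays an answer recorded earlier (to a different nonce)."""
    return lambda nonce: (captured_response, AIR_RTT_MS)


def relay(victim_card: Card, link_delay_ms: float):
    """Proxy phone at the terminal forwards the live nonce to the reader beside the victim
    and the victim's real answer back; each hop over the network adds delay."""
    return lambda nonce: (victim_card.respond(nonce), AIR_RTT_MS + 2 * link_delay_ms)


def demo(link_delay_ms: float = 40.0) -> dict:
    key = b"issuer-key-constructed-for-demo"   # constructed, not a real issuer key
    card = Card(key)
    lax = Terminal(key)                         # checks the cryptogram only
    strict = Terminal(key, max_rtt_ms=10.0)     # assumed distance-bounding limit
    captured = card.respond(os.urandom(16))     # skimmed yesterday
    return {
        "direct": lax.transaction(direct_tap(card)),
        "replay": lax.transaction(replay(captured)),
        "relay": lax.transaction(relay(card, link_delay_ms)),
        "relay_vs_timing": strict.transaction(relay(card, link_delay_ms)),
        "direct_vs_timing": strict.transaction(direct_tap(card)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The cryptography alone stops the replay but says nothing about the relay, because the relayed answer really was computed by the genuine card. Only a physical-layer property, here the round-trip time, tells the terminal the card is not actually in front of it.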

A personal area network, PAN, is a network of devices in close proximity to one person, and Bluetooth is the short-range wireless system used in PANs. Bluejacking, bluesnarfing and bluebugging are the classic Bluetooth attacks. Bluejacking is sending unsolicited messages to a Bluetooth-enabled device, a nuisance rather than a breach. Bluesnarfing is stealing information (contacts, calendars, messages) from the device over Bluetooth. Bluebugging goes further: the actor installs a backdoor over Bluetooth and can then control the device, for instance to place calls or listen in. The latter two have been patched since around 2003, but there may be zero-days out in the wild still unknown to security experts. They were essentially fixed because Bluetooth pairing was changed to require the user’s acknowledgement when pairing is initiated; if the user doesn’t respond, the pairing never completes. Keeping Bluetooth off, or at least non-discoverable, when it is not in use removes most of the exposure.

A virtual private network, VPN, provides remote access to a private network through an encrypted tunnel over a public network. With a VPN you can work as though you were inside your company’s building while in reality you are sitting on your living-room couch with a laptop. VPN servers usually hand authentication to a Remote Authentication Dial-In User Service, RADIUS, server: the client sends its credentials to the VPN server, the VPN server forwards them to the RADIUS server, and the RADIUS server checks them against the directory, typically over the Lightweight Directory Access Protocol, LDAP. In a Microsoft environment that LDAP directory is Active Directory, served by the domain controllers, which answer authentication requests for every user and computer in the domain. Domain controllers are a prime target because whoever controls one controls every account it manages; that is how ransomware can be pushed to an entire environment at once.

IPsec is a suite of protocols (a standard) for securing IP traffic. Its Authentication Header, AH, gives each packet integrity and origin authentication, so the hosts in an IPsec conversation know who sent a packet and that it was not modified in transit, but AH provides no encryption. AH is IP protocol 51. For encryption IPsec uses Encapsulating Security Payload, ESP, IP protocol 50, which encrypts the payload and can authenticate it as well. Ports and protocols are different things, even though they are both used for filtering. The protocol number is a field in the IP header that says what kind of header follows (6 is TCP, 17 is UDP, 50 is ESP, 51 is AH); port numbers live inside the TCP or UDP header and say which application on the host you are talking to. AH and ESP have no ports at all, so a firewall in front of an IPsec gateway must permit protocols 50 and 51 by number. Before any AH or ESP packets flow, the peers authenticate each other and negotiate keys with Internet Key Exchange, IKE, which runs over UDP port 500 (and UDP 4500 when NAT traversal is in use); that is a separate exchange, not something carried inside AH. So it is protocols within protocols: IP carries UDP (17), UDP carries IKE on port 500, and the keys that come out of IKE protect the ESP (50) or AH (51) packets that follow. IPsec provides confidentiality (ESP), integrity and authentication (AH or ESP), and runs in transport mode, protecting just the payload between two hosts, or tunnel mode, wrapping the whole original packet, which is what site-to-site VPNs use.
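The protocol-number-versus-port distinction, shown on packets rather than described, as an added example that is not from the book. The block builds minimal IPv4 packets carrying ESP (protocol 50), AH (protocol 51), IKE (UDP port 500) and an HTTPS SYN (TCP port 443), then classifies them the way a packet filter has to: AH and ESP are identified by protocol number and SPI because they carry no ports, while IKE is ordinary UDP matched by port. The addresses, SPIs and the firewall policy list are made up for the demonstration.

```python
"""Protocol numbers versus port numbers, on constructed IPsec/IKE packets.

Added example, not from the book. Addresses, SPIs and the policy are made up;
checksums are left zero because nothing here is sent on a wire.
"""
import socket
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51


def ipv4_packet(proto: int, payload: bytes, src="192.0.2.1", dst="198.51.100.1") -> bytes:
    """20-byte IPv4 header (no options) followed by payload; byte 9 is the protocol number."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def esp_payload(spi: int, seq: int) -> bytes:
    # ESP header is just SPI + sequence number; everything after it is ciphertext
    return struct.pack("!II", spi, seq) + b"\x00" * 16


def ah_payload(spi: int, seq: int, next_header=IPPROTO_TCP) -> bytes:
    # AH: next header, payload length (32-bit words minus 2), reserved, SPI, seq, 96-bit ICV
    icv = b"\x00" * 12
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq) + icv


def udp_payload(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp_payload(sport: int, dport: int) -> bytes:
    # bare 20-byte TCP header with only the SYN flag set
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0)


def classify(pkt: bytes):
    """What a filter sees: the protocol number first, then ports only if the protocol has them."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])
        return ("ESP", spi, seq)          # no port field exists; the SPI selects the SA
    if proto == IPPROTO_AH:
        _nxt, _len, _res, spi, seq = struct.unpack("!BBHII", body[:12])
        return ("AH", spi, seq)
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", body[:4])   # ports live in the transport header
        return ("TCP" if proto == IPPROTO_TCP else "UDP", sport, dport)
    return ("other", proto)


# What an edge firewall in front of an IPsec gateway must permit (assumed policy):
# ESP and AH by protocol number, IKE and NAT-T by UDP destination port.
IPSEC_GATEWAY_POLICY = [("ESP", None), ("AH", None), ("UDP", 500), ("UDP", 4500)]


def ipsec_firewall_allows(pkt: bytes, policy=IPSEC_GATEWAY_POLICY) -> bool:
    seen = classify(pkt)
    for name, dport in policy:
        if seen[0] == name and (dport is None or seen[2] == dport):
            return True
    return False


if __name__ == "__main__":
    for pkt in (ipv4_packet(IPPROTO_ESP, esp_payload(0x1234ABCD, 7)),
                ipv4_packet(IPPROTO_AH, ah_payload(0x100, 1)),
                ipv4_packet(IPPROTO_UDP, udp_payload(500, 500, b"\x00" * 28)),
                ipv4_packet(IPPROTO_TCP, tcp_payload(40000, 443))):
        print(classify(pkt), ipsec_firewall_allows(pkt))
```

The same policy in a Linux host firewall reads `-p esp -j ACCEPT`, `-p ah -j ACCEPT`, `-p udp --dport 500 -j ACCEPT` and `-p udp --dport 4500 -j ACCEPT`: the first two name a protocol, the last two a protocol and a port. A rule written as “port 50” would match nothing useful, which is a common misconfiguration when someone reads the protocol number as a port.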

VPNs also commonly use Transport Layer Security, TLS, to secure the tunnel, because TLS on TCP port 443 gets through almost any firewall. Secure Socket Tunneling Protocol, SSTP, for example, wraps the VPN traffic in TLS over port 443. In a split tunnel the VPN client sends only traffic destined for the private network through the tunnel, and everything else, such as ordinary web browsing, goes straight out the user’s own connection. In a full tunnel all traffic goes through the VPN, which costs bandwidth but lets the company inspect and filter everything and stops the client from acting as a bridge between the internet and the corporate network. A site-to-site VPN has a VPN gateway at each end and joins two geographically separate networks, so hosts on either side reach the other without any per-user VPN client. So if a user on their living-room couch connects to a remote office and then needs resources at headquarters, the site-to-site tunnel between the office and headquarters makes that seamless; without it the user would have to open a second VPN session to headquarters. Two popular open-source VPN applications are OpenVPN and OpenConnect.

Network access control, NAC, checks that a client meets health requirements before it is granted access to the network and can “quarantine” unhealthy clients on a restricted VLAN where they can reach only remediation servers. Typical requirements are up-to-date antivirus, an enabled host firewall and current patches; a rooted or jailbroken phone, which has had its standard security measures removed, is normally denied. The NAC system inspects clients through health or system agents, small pieces of software that collect the data and report back to the NAC system. A dissolvable agent runs once (often downloaded from the captive portal page) and then removes itself from the client; a permanent or persistent agent stays installed. Persistent agents are usually used on corporate-owned devices like laptops and phones, dissolvable ones on guest and personally owned devices.

Password Authentication Protocol, PAP, sends the username and password in cleartext, so anyone sniffing the link gets them. Challenge Handshake Authentication Protocol, CHAP, avoids sending the password at all: the server sends a random challenge, the client answers with an MD5 hash of its identifier, the shared secret and the challenge, and the server computes the same hash and compares. Because the challenge is different every time, a captured response cannot be replayed, and the server can re-challenge during the session. Note that CHAP does not encrypt the password; it never transmits it, but the server must hold the password in cleartext (or reversibly encrypted) to compute the hash. CHAP is used instead of PAP. MS-CHAP is Microsoft’s implementation; MS-CHAPv2 added mutual authentication (the client AND the server prove themselves to each other). On its own MS-CHAPv2 is cryptographically weak, which is why it is normally only used inside a TLS tunnel such as PEAP.
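PAP and CHAP side by side, as an added example that is not from the book. The PAP function builds the PPP Authenticate-Request so the password is visible sitting inside it; the CHAP function is the RFC 1994 computation MD5(identifier || secret || challenge); `ChapServer` is a toy verifier constructed for the demonstration, and the usernames and secrets are made up.

```python
"""PAP versus CHAP on the wire, and why a sniffed CHAP response can't be replayed.

Added example, not from the book. ChapServer is a toy verifier; names and secrets
are constructed.
"""
import hashlib
import hmac
import os
import struct


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PPP PAP Authenticate-Request (code 1): the password is right there in the packet."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, identifier, 4 + len(body)) + body


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: the client never sends `secret`; only this hash crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Issues a fresh challenge per attempt. Note it needs the cleartext secret to verify."""

    def __init__(self, users: dict):
        self._users = users            # name -> cleartext secret (CHAP cannot use one-way hashes)
        self._identifier = 0
        self._outstanding = None

    def challenge(self):
        self._identifier = (self._identifier + 1) & 0xFF
        self._outstanding = os.urandom(16)
        return self._identifier, self._outstanding

    def verify(self, name: bytes, identifier: int, response: bytes) -> bool:
        secret = self._users.get(name)
        if secret is None or identifier != self._identifier or self._outstanding is None:
            return False
        expected = chap_response(identifier, secret, self._outstanding)
        self._outstanding = None       # a challenge is good for exactly one answer
        return hmac.compare_digest(expected, response)


def chap_login(server: ChapServer, name: bytes, secret: bytes) -> bool:
    identifier, challenge = server.challenge()
    return server.verify(name, identifier, chap_response(identifier, secret, challenge))


def sniffed_replay(server: ChapServer, name: bytes, secret: bytes) -> bool:
    """Attacker records one legitimate response off the wire and resends it later."""
    identifier, challenge = server.challenge()
    recorded = chap_response(identifier, secret, challenge)
    server.verify(name, identifier, recorded)          # victim logs in; attacker sniffs
    new_identifier, _ = server.challenge()             # later: attacker presents the recording
    return server.verify(name, new_identifier, recorded)


if __name__ == "__main__":
    users = {b"alice": b"correct horse"}
    print(pap_authenticate_request(1, b"alice", b"correct horse"))   # password in the clear
    server = ChapServer(users)
    print(chap_login(server, b"alice", b"correct horse"))            # True
    print(sniffed_replay(server, b"alice", b"correct horse"))        # False
```

The trade-off is visible in `ChapServer.__init__`: the verifier has to keep every secret in a recoverable form, so a compromised authentication server yields all passwords at once, whereas a PAP server could store salted one-way hashes. That, together with MD5, is why CHAP is only acceptable inside an already-encrypted tunnel today.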

RADIUS, Diameter and TACACS+ all provide centralized authentication and are all AAA protocols: authentication, authorization and accounting. RADIUS (UDP ports 1812 and 1813) hides only the User-Password attribute, using MD5 keyed with the shared secret; the rest of each packet, including the username, travels in cleartext, and the Access-Request has no integrity protection unless a Message-Authenticator attribute is included, so it depends on a strong shared secret and a trusted network between the NAS and the server. Diameter, RADIUS’s successor, runs over TCP or SCTP and protects the entire exchange with TLS or IPsec; it also carries EAP, the Extensible Authentication Protocol, for the authentication itself. Terminal Access Controller Access-Control System Plus, TACACS+ (TCP port 49), encrypts the entire body of every packet, separates authentication, authorization and accounting so each can be handled independently (which makes it the usual choice for per-command authorization on network devices), and can use Kerberos for authentication.
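The RADIUS exchange behind both the 802.1X description in section 2 and the “encrypts password packets but not the entire process” point above, as an added example that is not from the book. An authenticator (switch, AP or VPN server) sends an Access-Request like this one; the block implements the RFC 2865 User-Password hiding, the Response Authenticator the server puts on its reply, and a toy server that answers with a VLAN assignment. The shared secret, user, NAS address and VLAN are constructed values, and `radius_server` is a stand-in for a real server, not one of its APIs.

```python
"""RADIUS Access-Request / Access-Accept with RFC 2865 password hiding.

Added example, not from the book. Only the User-Password attribute is hidden
(MD5 of the shared secret and the Request Authenticator, XORed over the
password); everything else is cleartext, and the reply's integrity comes from
the Response Authenticator. Shared secret, user, NAS address and VLAN are
constructed values.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, TUNNEL_PRIVATE_GROUP_ID = 1, 2, 4, 81


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c1 = p1 XOR MD5(S + RA), c2 = p2 XOR MD5(S + c1), ..."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, 2 + len(value)) + value


def parse_attributes(blob: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(blob):
        kind, length = blob[i], blob[i + 1]
        attrs[kind] = blob[i + 2:i + length]
        i += length
    return attrs


def access_request(identifier: int, user: bytes, password: bytes, secret: bytes, nas_ip="192.0.2.1"):
    """Returns (packet, request_authenticator); the NAS keeps the authenticator to check the reply."""
    request_authenticator = os.urandom(16)
    attrs = (attribute(USER_NAME, user)                                   # cleartext on the wire
             + attribute(USER_PASSWORD, hide_password(password, secret, request_authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs, request_authenticator


def reply(code: int, identifier: int, request_authenticator: bytes, attrs: bytes, secret: bytes) -> bytes:
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_authenticator = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_authenticator + attrs


def radius_server(packet: bytes, secret: bytes, users: dict, vlan_by_user: dict) -> bytes:
    """Toy server: checks the hidden password, answers Access-Accept carrying the VLAN to assign."""
    code, identifier, _ = struct.unpack("!BBH", packet[:4])
    request_authenticator = packet[4:20]
    attrs = parse_attributes(packet[20:])
    user = attrs[USER_NAME]
    password = reveal_password(attrs[USER_PASSWORD], secret, request_authenticator)
    stored = users.get(user)
    if code != ACCESS_REQUEST or stored is None or not hmac.compare_digest(stored, password):
        return reply(ACCESS_REJECT, identifier, request_authenticator, b"", secret)
    vlan = attribute(TUNNEL_PRIVATE_GROUP_ID, b"\x00" + vlan_by_user[user].encode())  # tag 0 + VLAN
    return reply(ACCESS_ACCEPT, identifier, request_authenticator, vlan, secret)


def reply_is_genuine(reply_packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the NAS checks before trusting the VLAN in an Access-Accept."""
    header, response_authenticator, attrs = reply_packet[:4], reply_packet[4:20], reply_packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_authenticator)
```

Two things the code makes concrete. First, the hiding is keyed only by the shared secret and a public 16-byte value, so anyone who captures Access-Requests can brute-force a weak secret offline and then recover every password; that is why the page says RADIUS protects the password but not the process, and why RADIUS between sites belongs inside IPsec or TLS. Second, the Request has no authenticator of its own here; EAP-over-RADIUS (802.1X) requires the Message-Authenticator attribute, an HMAC-MD5 over the packet, to close that gap.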