CompTIA Security+ 501 Summary Part 8
This is a summary of my notes on Chapter 8 of CompTIA Security+ Get Certified Get Ahead by Darril Gibson, 5th Edition.
Things to keep in mind:
- CompTIA is releasing an updated version of the Security+ exam in November 2020, so this edition will soon be outdated. 90% of the book will remain the same under the updated exam. New threats and cloud-computing technology will probably make up the majority of the new 10% of content.
- Synthesizing paragraphs with a huge list of facts sometimes results in dreadful sentences. It also results in some streams of thought that end abruptly. Some notes cannot be digested any further and remain identical in this summary. In any case, these are just notes and not an essay.
- Some things are repeated, but this is simply to reinforce them.
- Hackers are referred to as actors.
- Access Points are referred to as AP.
1. Assessments
Threat assessments evaluate potential threats. You cannot entirely eliminate risk, but you can manage it by implementing controls. If the cost of the controls exceeds the cost of the risk, the remaining risk is residual risk and it is accepted. Risk assessments quantify and qualify risks based on ranges of values and on judgments. They begin by identifying assets and assigning a value to each of them; assets can be anything from physical systems to subjective company values. All risk assessments are point-in-time assessments, meaning they are snapshots and need to be repeated when new conditions, such as new threats, are introduced. Qualitative risk assessments categorize risks based on probability and impact.
Risk registers are documents listing known information about risks, including risk scores and the security controls that can reduce those scores. Supply chain assessments evaluate everything needed to produce and sell a product, including the raw materials and the processes required to create and distribute it. Vulnerability assessments assess the security posture of systems and networks. A typical vulnerability assessment includes identifying assets and capabilities, prioritizing assets based on their value, identifying and prioritizing vulnerabilities, and recommending controls to mitigate the more serious vulnerabilities.
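As an added illustration of how a risk register turns the judgments above into something comparable (this is example Python written for these notes, not code from the book), here is a small qualitative scoring model. The 1 to 3 scale, the scoring rule (probability level times impact level), the exposure estimate and the sample entries are assumptions made for the example; the accept-or-mitigate rule follows the note that residual risk is accepted when a control costs more than the risk it addresses.

```python
from dataclasses import dataclass

# Assumed qualitative scale for this example: 1 = low, 2 = medium, 3 = high
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    asset: str             # what is at risk (hardware, data, reputation, ...)
    asset_value: int       # estimated value of the asset in currency units (constructed)
    threat: str
    probability: str       # low / medium / high
    impact: str            # low / medium / high
    control: str = ""      # recommended security control, if any
    control_cost: int = 0  # cost of implementing that control

    def score(self) -> int:
        """Qualitative risk score: probability level times impact level (1..9)."""
        return LEVELS[self.probability] * LEVELS[self.impact]

    def exposure(self) -> int:
        """Assumed rough 'cost of the risk': asset value scaled by score / maximum score."""
        return self.asset_value * self.score() // 9

    def decision(self) -> str:
        """Accept residual risk when the control would cost more than the risk it mitigates."""
        if not self.control:
            return "accept"  # no control proposed, so the risk is carried as-is
        return "accept" if self.control_cost > self.exposure() else "mitigate"


def build_register(risks):
    """The risk register: entries ranked by score (highest first) with their decision."""
    ordered = sorted(risks, key=lambda r: r.score(), reverse=True)
    return [(r.asset, r.threat, r.score(), r.exposure(), r.decision()) for r in ordered]


# Constructed sample entries (values invented for the example)
SAMPLE = [
    Risk("customer database", 90000, "SQL injection", "medium", "high", "WAF + input validation", 15000),
    Risk("lobby kiosk", 2000, "theft", "high", "low", "cable lock", 50),
    Risk("public website", 30000, "defacement", "low", "medium", "24/7 monitoring contract", 40000),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(row)
```

Because the register is a snapshot, re-running `build_register` after changing a probability or adding a new threat is the point-in-time refresh the notes describe.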
2. Network Scanning
Network scanners gather information about hosts within a network, including what type of operating system a host is running, what services it is using, and what ports are open. Nmap is a popular example of a network scanner. Network mapping shows how hosts are connected within a network. A wireless scanner will find the SSID, Service Set Identifier, of all access points, the MAC addresses of all connected hardware, the signal strength of the APs, the channels being broadcast on, and the security posture of the APs, including whether an AP is in open mode or is using encryption such as WPA2. Wireless scanners can use either passive or active scans. During a passive scan, the scanner only listens to traffic. During an active scan, the scanner sends queries to the APs.
Admins can investigate an unknown SSID by using its signal strength and walking around the office until the signal gets stronger and stronger. Banner grabbing is used to gain information about remote systems, such as identifying the operating system. Banner grabbing works when a queried server returns a Hypertext Markup Language, HTML, banner. You can perform banner grabbing with the tool Netcat.
Vuln scanners use a dictionary of known vulnerabilities to test against a system. These dictionaries can come from MITRE, which maintains the Common Vulnerabilities and Exposures, CVE, list. The CVE list is public, whereas antivirus software detects malware with signature lists that the vendors maintain themselves. Vuln scanners should abide by the Security Content Automation Protocol, SCAP, a standard that uses the National Vulnerability Database, NVD: a list of common misconfigurations, security-related software flaws, impact ratings, and risk scores.
Configuration compliance scans verify that systems are configured correctly. Nessus, another vulnerability scanner, can have its core functionality extended through various plugins, including ones that perform configuration compliance scans. Credentialed scans run under the context of a valid account and are typically more accurate than non-credentialed scans. Non-credentialed scans can result in more false positives.
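To make the credentialed versus non-credentialed difference concrete, here is an added Python example of the dictionary-matching idea; it is written for these notes and is not code from the book, Nessus or any real scanner. The vulnerability dictionary, product names and CVE-style ids are constructed placeholders. A non-credentialed scan only sees what a service banner advertises, often just a major version, so it can only report a potential match; a credentialed scan reads the exact installed version from inside the host and can confirm or clear the finding.

```python
import re

# Constructed vulnerability dictionary with placeholder ids (not real CVE entries).
# Each entry names the affected version range of a made-up product, inclusive on both ends.
VULN_DICTIONARY = [
    {"id": "CVE-PLACEHOLDER-0001", "product": "exampleftpd", "min": "2.0.0", "max": "2.4.9",
     "title": "anonymous write to upload directory (constructed)"},
    {"id": "CVE-PLACEHOLDER-0002", "product": "examplehttpd", "min": "1.0.0", "max": "1.9.9",
     "title": "path traversal in static file handler (constructed)"},
]


def parse_version(text):
    """Turn '2.4.1' (or a truncated '2.x') into a 3-tuple so versions compare numerically."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple((parts + [0, 0, 0])[:3])


def parse_banner(banner):
    """Non-credentialed view: the product and whatever version string the service advertises."""
    m = re.match(r"(\w+)[ /]v?([\d.xX]+)", banner)
    return (m.group(1), m.group(2)) if m else (None, None)


def match_dictionary(product, version, credentialed):
    """Compare one service against the dictionary.

    Credentialed: the exact installed version is known, so a hit is confirmed.
    Non-credentialed: only the banner's major version is trusted, so any entry whose
    affected range touches that major is reported as a potential hit, i.e. a candidate
    false positive that still needs confirmation.
    """
    findings = []
    for entry in VULN_DICTIONARY:
        if entry["product"] != product:
            continue
        lo, hi = parse_version(entry["min"]), parse_version(entry["max"])
        if credentialed:
            hit = lo <= parse_version(version) <= hi
            confidence = "confirmed"
        else:
            major = parse_version(version)[0]
            hit = lo[0] <= major <= hi[0]
            confidence = "potential"
        if hit:
            findings.append({"id": entry["id"], "title": entry["title"], "confidence": confidence})
    return findings


def scan_service(banner, installed_version=None):
    """Run a non-credentialed check from the banner, or a credentialed one when the exact
    installed version (as read with a valid account on the host) is supplied."""
    product, banner_version = parse_banner(banner)
    if product is None:
        return []
    if installed_version is not None:
        return match_dictionary(product, installed_version, credentialed=True)
    return match_dictionary(product, banner_version, credentialed=False)


if __name__ == "__main__":
    banner = "exampleftpd 2.x"  # constructed banner that only reveals the major version
    print("non-credentialed:", scan_service(banner))             # potential hit
    print("credentialed 2.5.1:", scan_service(banner, "2.5.1"))  # cleared: outside the range
    print("credentialed 2.3.0:", scan_service(banner, "2.3.0"))  # confirmed
```

The same banner produces a "potential" finding without credentials and either nothing or a "confirmed" finding with them, which is the accuracy gap the notes attribute to credentialed scans.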
Vuln scans are passive. Penetration tests are active. A penetration test includes a passive reconnaissance phase, an active reconnaissance phase, and then an exploitation phase in which the team tries to break into the system. Passive reconnaissance is the use of open source intelligence (things like Google) to gain information about a target. Active reconnaissance is using vulnerability scanners against the target; it is active because you are interacting with the target and the target can detect it. During the exploitation phase, if the team breaches the target, they try to perform privilege escalation and then pivot to other systems on the network.
Black box testers have zero knowledge of a system before a penetration test. White box is the opposite, and gray box is in between. Black box testers often use fuzzing. Penetration testers often use exploitation frameworks as tools to help automate the process. A popular one is Metasploit, an open source project that runs on Linux systems with over 1,600 exploits in its database. Exploitation frameworks include methods to develop, test, and use exploit code to penetrate a target. Browser Exploitation Framework, BeEF, is an open source framework that focuses on identifying web browser vulnerabilities. Web Application Attack and Audit Framework, W3AF, is another open source framework that focuses on web application vulnerabilities.
The key thing here is that both hackers and security administrators use these tools. Admins can use protocol analyzers to capture, display, and analyze packets sent over a network, both to troubleshoot and to detect attacks that manipulate or fragment packets. A NIC must be configured in promiscuous mode to be able to capture all traffic.
3. Logs
On Linux, use tcpdump, which produces packet captures that can be viewed in Wireshark. Netcat can be used for remote administration as well as for gaining information about a system; with Netcat you can run a port scan against a single IP address.
It is important to know where to look for logs on both Windows and Linux systems: the System Log Viewer in Windows, and the cat command from the terminal in Linux (for example, cat /var/log/auth.log). Here are common log locations in Linux:
- /var/log/auth.log = authentication log
- /var/log/messages = general system messages
- /var/log/boot.log = system boot entries
- /var/log/faillog = failed login attempts
- /var/log/kern.log = information logged by the system kernel (operating system)
- /var/log/httpd = if the system is configured as a web server, its error logs are here
Security Information and Event Management, SIEM, is a system that centralizes the collecting, analyzing, and managing of data from multiple sources (log collection centralization). Here is a list of capabilities shared by most SIEMs:
- Aggregation = combining several dissimilar items into a single item
- Correlation engine = software that collects and analyzes event log data from various systems
- Automated alerting = notifications for suspicious events
- Automated triggers = actions in response to a predefined number of repeated events
- Time synchronization = all servers sending data need to be synchronized to the same time
- Event deduplication = removing duplicate entries
- Logs/WORM = methods to prevent anyone from modifying log entries (Write Once Read Many)
A SIEM needs to compensate for time offsets; one method is to convert all system times to GMT. Logging what users do is called usage auditing. Auditing can include much more than when a user accessed a file: it can also include when the user logged on, accessed a network, read or modified a file, printed a file, accessed a web site via a proxy server, and so on.
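The SIEM capabilities listed above (aggregation, deduplication, time synchronization to GMT, a correlation engine and an automated trigger) and the auth.log location from the Linux log list come together in this added Python example. It is written for these notes and is not the book's code or any real SIEM product. The log lines are constructed: they follow the style of sshd entries in /var/log/auth.log but carry an assumed ISO-8601 timestamp with offset and a host name, as a log forwarder would add, and the addresses are documentation ranges. The threshold and window values are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed auth.log-style lines forwarded by two hosts whose clocks report different
# UTC offsets. Assumed line format: "<ISO-8601 timestamp with offset> <host> <message>".
# Lines 3 and 4 are an exact duplicate, as a forwarder retry might produce.
SAMPLE_LOG = """\
2020-06-01T09:00:01-04:00 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
2020-06-01T15:00:03+02:00 db01 sshd[877]: Failed password for root from 203.0.113.9 port 50130 ssh2
2020-06-01T09:00:04-04:00 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
2020-06-01T09:00:04-04:00 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2
2020-06-01T15:00:06+02:00 db01 sshd[877]: Failed password for root from 203.0.113.9 port 50131 ssh2
2020-06-01T09:00:10-04:00 web01 sshd[2205]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")


def parse_line(line):
    """Split one forwarded line and normalize its timestamp to UTC (GMT), which is how the
    SIEM compensates for hosts that log in different time zones."""
    ts, host, message = line.split(" ", 2)
    when = datetime.fromisoformat(ts).astimezone(timezone.utc)
    return {"time": when, "host": host, "message": message}


def aggregate(raw_log):
    """Aggregation plus event deduplication: one time-ordered stream from all hosts."""
    seen, events = set(), []
    for line in raw_log.splitlines():
        if not line.strip() or line in seen:
            continue
        seen.add(line)
        events.append(parse_line(line))
    return sorted(events, key=lambda e: e["time"])


def correlate_failed_logins(events, threshold=3, window_seconds=60):
    """Correlation engine with an automated trigger: count failed logins per source address
    across every host, and raise an alert when a source reaches the threshold inside the window."""
    per_source = defaultdict(list)
    for e in events:
        m = FAILED_RE.search(e["message"])
        if m:
            per_source[m.group(2)].append((e["time"], e["host"], m.group(1)))
    alerts = []
    for src, attempts in per_source.items():
        attempts.sort()
        for i in range(len(attempts)):
            j = i
            while j < len(attempts) and (attempts[j][0] - attempts[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                alerts.append({
                    "source": src,
                    "failures": j - i,
                    "hosts": sorted({a[1] for a in attempts[i:j]}),
                    "users": sorted({a[2] for a in attempts[i:j]}),
                    "first": attempts[i][0],
                    "last": attempts[j - 1][0],
                })
                break  # one alert per source is enough for the trigger
    return alerts


if __name__ == "__main__":
    stream = aggregate(SAMPLE_LOG)
    for e in stream:
        print(e["time"].isoformat(), e["host"], e["message"])
    for alert in correlate_failed_logins(stream):
        print("ALERT:", alert)
```

Without the conversion to UTC the db01 entries would sort six hours after the web01 entries and the four failures would never land in the same window; without cross-host correlation each host would only see two failures, below the threshold.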