CompTIA Security+ 501 Summary Part 1
This is a summary of my notes on Chapter 1 of CompTIA Security+: Get Certified Get Ahead by Darril Gibson, 5th Edition.
Things to keep in mind:
- CompTIA is releasing an updated version of the Security+ exam in November 2020, so this edition will soon be outdated. About 90% of the book will remain relevant to the updated exam; new threats and cloud-computing technology will probably make up the majority of the new 10% of content.
- Synthesizing paragraphs with a huge list of facts sometimes results in dreadful sentences. It also results in some streams of thought that end abruptly. In any case, these are just notes and not an essay.
- Switches, parameters, arguments, or flags can all be used interchangeably when referring to the structuring of console commands, and by console I also mean command line or terminal.
- Some things are repeated but this is simply to reinforce.
1. Terms.
Confidentiality keeps data secret from unauthorized audiences. Encryption provides confidentiality by making data unreadable to unauthorized audiences. Authorization makes data accessible to the intended audiences. Integrity proves that data has not been tampered with. PII is the acronym for Personally Identifiable Information. Identification (e.g., an email address), Authentication (e.g., a password), and Authorization (e.g., file permissions) combine to form a suite of Access Controls.
You can hide data within data using a technique called Steganography. Message Digest 5 (MD5), Secure Hash Algorithm (SHA), and Hash-Based Message Authentication Code (HMAC) are all algorithms used for proving data integrity. Virus-infected files can be discovered by using a hash to verify data integrity. You would do this by comparing the hash of the original file with the hash of the newer file. If the hashes are different, you know that the newer file has been altered; it could be the simple removal of a period or a complete alteration, and you can’t tell which from the hash alone. In that case you would look at file size etc. and/or open the new file in an isolated containment machine to see what happens.
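As an added illustration of the integrity check described above (example code, not from the book or these notes): compute a baseline hash, compare it against the newer file, and note that an HMAC also needs a key, so someone who swaps the file cannot simply recompute a matching value. The sample file contents and the key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample "files" as byte strings; in practice read them from disk.
ORIGINAL = b"Quarterly report. All figures verified.\n"
TAMPERED = b"Quarterly report. All figures verified\n"   # one period removed
SECRET_KEY = b"constructed-demo-key"                      # hypothetical HMAC key

def file_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data with MD5, SHA-1, SHA-256, etc. (hashlib names)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()

def integrity_unchanged(baseline_hex: str, current: bytes,
                        algorithm: str = "sha256") -> bool:
    """Plain hash check: says whether the file changed, not how much."""
    return hmac.compare_digest(baseline_hex, file_digest(current, algorithm))

def file_hmac(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag. Unlike a bare hash, an attacker who swaps the file
    cannot recompute a matching tag without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def hmac_unchanged(baseline_tag: str, current: bytes, key: bytes) -> bool:
    return hmac.compare_digest(baseline_tag, file_hmac(current, key))

def change_report(original: bytes, current: bytes) -> dict:
    """What the notes suggest doing next: hash mismatch plus size delta.
    A one-byte change and a total rewrite both produce a completely
    different digest, so the size delta is a first hint at the scale."""
    return {
        "hash_mismatch": file_digest(original) != file_digest(current),
        "size_delta": len(current) - len(original),
    }

if __name__ == "__main__":
    baseline = file_digest(ORIGINAL)
    print("sha256 baseline :", baseline)
    print("unchanged?      :", integrity_unchanged(baseline, TAMPERED))
    print("report          :", change_report(ORIGINAL, TAMPERED))
```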
There are three relevant MAC acronyms: Media Access Control, Mandatory Access Control, and Message Authentication Code. Mandatory Access Control refers to several access control models, while a Message Authentication Code is used by various email programs to verify data integrity.
Emails commonly use Digital Signatures to provide proof of Identification and Authentication. These signatures also provide non-repudiation, meaning that senders cannot deny that they sent an email. They require a Public Key Infrastructure (PKI), which manages certificates; those certificates are used to encrypt the signature so that it cannot be reversed or reproduced.
2. Hardware Controls.
Single points of failure (SPOF) are combated with Redundancy and Fault Tolerance, which help ensure high levels of availability. RAID-1 (mirroring), RAID-5 (striping with parity), and RAID-10 (striping with a mirror) are all fault-tolerant disk configurations, as opposed to a regular single hard drive which, if it fails, leaves you without all of your non-backed-up data. In the realm of servers, Failover Clusters, or more simply clusters of servers, use redundant servers to ensure high availability so that when one server fails, other servers pick up the load. Load Balancing is a method of Fault Tolerance where many servers support a single service. The load is spread across several servers instead of just one; a single server would be a SPOF. Uninterruptible Power Supplies (UPS) and generators provide further SPOF fault tolerance if the office power goes out. Ventilation and HVAC systems also keep service availability high by keeping machines cool. Hot Sites are always ready for operation and can be switched to at a moment’s notice, Cold Sites are ready to be moved into and turned on with much legwork, and Warm Sites are somewhere in between.
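To make the RAID-5 claim concrete, here is an added toy model (example code, not from the book or these notes) that stripes data across disks with rotating XOR parity, rebuilds any single failed disk, and reports a second failure as unrecoverable. The disk count and block size are arbitrary assumptions.

```python
from typing import List, Optional

def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks: this is RAID-5 parity."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)

def raid5_write(data: bytes, n_disks: int, block_size: int) -> List[List[Optional[bytes]]]:
    """Stripe data over n_disks (at least 3), one parity block per stripe,
    with parity rotating across disks as real RAID-5 does.
    Returns disks[d][s] = the block held by disk d in stripe s."""
    per_stripe = (n_disks - 1) * block_size
    padded = data + b"\x00" * (-len(data) % per_stripe)   # pad last stripe
    disks: List[List[Optional[bytes]]] = [[] for _ in range(n_disks)]
    for s in range(len(padded) // per_stripe):
        chunk = padded[s * per_stripe:(s + 1) * per_stripe]
        blocks = [chunk[i * block_size:(i + 1) * block_size]
                  for i in range(n_disks - 1)]
        parity_disk = s % n_disks
        parity = xor_blocks(blocks)
        it = iter(blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks

def fail_disk(disks: List[List[Optional[bytes]]], d: int) -> None:
    """Simulate a dead drive: every block on disk d becomes unreadable."""
    disks[d] = [None] * len(disks[d])

def recoverable(disks: List[List[Optional[bytes]]]) -> bool:
    """RAID-5 survives exactly one failed disk; two means data loss."""
    return sum(1 for disk in disks if disk and disk[0] is None) <= 1

def raid5_read(disks: List[List[Optional[bytes]]], data_len: int) -> bytes:
    """Reassemble the data, rebuilding a missing block as the XOR of the rest."""
    if not recoverable(disks):
        raise RuntimeError("more than one failed disk: data unrecoverable")
    n, out = len(disks), bytearray()
    for s in range(len(disks[0])):
        stripe = [disks[d][s] for d in range(n)]
        missing = [d for d, b in enumerate(stripe) if b is None]
        if missing:
            stripe[missing[0]] = xor_blocks([b for b in stripe if b is not None])
        out += b"".join(b for d, b in enumerate(stripe) if d != s % n)
    return bytes(out[:data_len])
```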
Encrypting all data within a company would increase disk space usage by up to approximately 40%, so encrypting only the very important data should be considered.
Countermeasures and safeguards are controls that reduce risks and their impact. Security controls are divided into technical (software), administrative (permission management), and physical (locks). Giving users only the privileges they need to perform their prescribed function is called the Principle of Least Privilege. It’s similar to a firewall that comes preconfigured with all ports closed; only after turning it on does the admin open the ports necessary for functionality. Hardening is the term for making something more secure than its default configuration.
Change management helps avoid unintended outages. Account disablement policies force accounts to be disabled if an employee leaves.
The NIST SP 800 series documents are worth reading.
Detective Controls include log monitoring, trend analysis, and security audits. Preventive Controls include guards, locks, and cameras. Corrective Controls include anything that corrects an issue. Intrusion Prevention Systems (IPS) detect attacks and try to block them. Compensating Controls, such as Time-based One-Time Passwords (TOTP), are used in place of primary controls when the primary control cannot be put in place in time and you still require a high level of security. Deterrent Controls deter attempts. Control Types (technical, administrative, physical) and Control Goals (preventive, detective, corrective, deterrent) are not mutually exclusive. Most controls fall under several categories. A camera, for example, is a deterrent, preventive, detective, and technical control.
Virtualization’s selling point is the ability to scale according to need: elasticity and scalability. Virtual Machines (VMs) are created, run, and managed by a Hypervisor. Hosts used for VMs usually have much more powerful resources (RAM, storage, etc.) for operation. Guests run on the host. Several guest VMs can run on a single host. Type I Hypervisors run directly on a host’s hardware. Type II Hypervisors run as software on top of a host’s operating system. A Kernel is the central part of the operating system. Type I is primarily used in large data centers. Type II, for example, would be you running a VirtualBox VM within your Windows machine.
Application Cell Virtualization or Container Virtualization runs services within isolated cells. In this setup, cells must use the operating system of the host. Virtual Machines can easily be isolated and controlled. For example, you can disable a NIC on the VM and prevent data leakage. Snapshots are backups of VMs at specific moments in time. In a Virtual Desktop Infrastructure (VDI) or Virtual Desktop Environment (VDE), a user’s desktop system runs as a VM on a server. VMs can be persistent or non-persistent. Non-persistent VMs wipe any changes made to the snapshot after a user logs out. This type of setup, for example, would be used in a library or school where persistence would not work. Persistence wouldn’t work because the school might have a thousand students but only twenty computers.
VM Escape is an attack that allows an actor access to the host system from within a VM. Unorganized, poorly managed VM setups result in what’s called VM Sprawl.
3. Command Line.
Switches, parameters, arguments, or flags can all be used interchangeably when referring to the structuring of console commands. The most common argument is “-h”, “help”, or “?”, which provides information about the command in question. For example:
- ping -h
will print out a bunch of helpful information about ping and all of its useful arguments. Most Windows commands are not case sensitive. This is not true for Linux, however. Ping uses Internet Control Message Protocol (ICMP) echo request packets to check for connectivity. If the target system replies, then you know it is up. The “-t” argument here makes your ping request continue until you manually stop it:
- ping -t 192.168.52.1
During the name resolution process, a computer queries a Domain Name System (DNS) server with a name and it responds with an IP address. Remember that all website names have an IP address behind them. You can ping google.com and in the reply you will get the IP address of the google.com web server. In fact, every system connected to the internet has an IP address. Denial of Service (DoS) attacks can use ICMP to disrupt systems. To counter this, most systems simply block ICMP traffic.
“ipconfig” shows the TCP/IP configuration for a Windows machine. “ifconfig” does the same for a Linux machine; however, “ifconfig” has been deprecated (use discouraged but tolerated) and simply “ip” is now used instead. “netstat” can be used to see all active TCP/IP connections on your system. “tracert” lists the routers between your system and a target system. All routers between you and your target are considered Hops. You can use “tracert” to pinpoint broken routers and see if configured routing paths have been changed. For example, bad actors can route traffic through a man-in-the-middle device they planted and capture all the data. “arp” is another tool that you can use to view and manipulate the ARP cache, which is where IP addresses are resolved into the correct MAC addresses. ARP Cache Poisoning is an attack where actors manipulate the ARP cache.
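As an added defender-side example (not from the book or these notes), the following parses “arp -a” style output and flags the two classic signs of a poisoned cache: a known host such as the gateway suddenly resolving to a different MAC, and one MAC claiming several IP addresses. The gateway address 192.168.52.1 is taken from the ping example above; the sample output and MAC addresses are constructed.

```python
import re
from typing import Dict, List

# Matches the IP and MAC on one entry line of Windows "arp -a" (hyphenated
# MACs) or Linux "ip neigh" output (colon-separated MACs).
ARP_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(?:\S+\s+)*?([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\b", re.I)

def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC from ARP cache output. Broadcast (ff-ff-...) and IPv4
    multicast (01-00-5e-...) entries are skipped: they legitimately repeat."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_ENTRY.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower().replace(":", "-")
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e-"):
            continue
        table[ip] = mac
    return table

def find_arp_anomalies(baseline: Dict[str, str], current: Dict[str, str]) -> List[str]:
    """Two signs of a poisoned cache: a known host (typically the gateway)
    now answering from a different MAC, and one MAC claiming several IPs."""
    findings = []
    for ip, mac in baseline.items():
        seen = current.get(ip)
        if seen and seen != mac:
            findings.append(f"MAC changed for {ip}: baseline {mac}, now {seen}")
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claimed by multiple IPs: {', '.join(sorted(ips))}")
    return findings

# Constructed sample output: the gateway address 192.168.52.1 follows the
# notes above, the MAC addresses are made up. SUSPECT_ARP shows the gateway
# entry overwritten with the MAC of another host on the segment.
BASELINE_ARP = """Interface: 192.168.52.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.52.1          00-11-22-33-44-55     dynamic
  192.168.52.20         aa-bb-cc-dd-ee-01     dynamic
  192.168.52.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
SUSPECT_ARP = BASELINE_ARP.replace("00-11-22-33-44-55", "aa-bb-cc-dd-ee-01")
```

Run `find_arp_anomalies(parse_arp_table(BASELINE_ARP), parse_arp_table(SUSPECT_ARP))` to get both findings; a periodic comparison against a saved baseline is the detection, and static ARP entries for critical hosts are the mitigation.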